summaryrefslogtreecommitdiff
path: root/vendor/github.com/miekg
diff options
context:
space:
mode:
authorOpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com>2021-02-09 18:35:09 +0100
committerGitHub <noreply@github.com>2021-02-09 18:35:09 +0100
commit763d522983b819ecd38689c9c0840069d1e2b530 (patch)
treec4d469f69a056e2058dc1530df7e2b6ac3f3eafa /vendor/github.com/miekg
parentf98605e0e4f25c148b27cc617976357ff5b9d96e (diff)
parent08d8290f1d65a254b6794f7fe87a6f769b2ca792 (diff)
downloadpodman-763d522983b819ecd38689c9c0840069d1e2b530.tar.gz
podman-763d522983b819ecd38689c9c0840069d1e2b530.tar.bz2
podman-763d522983b819ecd38689c9c0840069d1e2b530.zip
Merge pull request #9281 from containers/dependabot/go_modules/github.com/containers/ocicrypt-1.1.0
Bump github.com/containers/ocicrypt from 1.0.3 to 1.1.0
Diffstat (limited to 'vendor/github.com/miekg')
-rw-r--r--vendor/github.com/miekg/pkcs11/.gitignore3
-rw-r--r--vendor/github.com/miekg/pkcs11/.travis.yml14
-rw-r--r--vendor/github.com/miekg/pkcs11/LICENSE27
-rw-r--r--vendor/github.com/miekg/pkcs11/Makefile.release57
-rw-r--r--vendor/github.com/miekg/pkcs11/README.md68
-rw-r--r--vendor/github.com/miekg/pkcs11/const.go736
-rw-r--r--vendor/github.com/miekg/pkcs11/error.go98
-rw-r--r--vendor/github.com/miekg/pkcs11/go.mod3
-rw-r--r--vendor/github.com/miekg/pkcs11/hsm.dbbin0 -> 10240 bytes
-rw-r--r--vendor/github.com/miekg/pkcs11/params.go190
-rw-r--r--vendor/github.com/miekg/pkcs11/pkcs11.go1606
-rw-r--r--vendor/github.com/miekg/pkcs11/pkcs11.h265
-rw-r--r--vendor/github.com/miekg/pkcs11/pkcs11f.h939
-rw-r--r--vendor/github.com/miekg/pkcs11/pkcs11go.h33
-rw-r--r--vendor/github.com/miekg/pkcs11/pkcs11t.h2047
-rw-r--r--vendor/github.com/miekg/pkcs11/release.go17
-rw-r--r--vendor/github.com/miekg/pkcs11/softhsm.conf1
-rw-r--r--vendor/github.com/miekg/pkcs11/softhsm2.conf4
-rw-r--r--vendor/github.com/miekg/pkcs11/types.go303
-rw-r--r--vendor/github.com/miekg/pkcs11/vendor.go127
20 files changed, 6538 insertions, 0 deletions
diff --git a/vendor/github.com/miekg/pkcs11/.gitignore b/vendor/github.com/miekg/pkcs11/.gitignore
new file mode 100644
index 000000000..5fde17f99
--- /dev/null
+++ b/vendor/github.com/miekg/pkcs11/.gitignore
@@ -0,0 +1,3 @@
+tags
+test_db/*/generation
+test_db/*/*.lock
diff --git a/vendor/github.com/miekg/pkcs11/.travis.yml b/vendor/github.com/miekg/pkcs11/.travis.yml
new file mode 100644
index 000000000..687044d83
--- /dev/null
+++ b/vendor/github.com/miekg/pkcs11/.travis.yml
@@ -0,0 +1,14 @@
+language: go
+sudo: required
+dist: trusty
+
+go:
+ - 1.9
+ - tip
+
+script:
+ - go test -v ./...
+
+before_script:
+ - sudo apt-get update
+ - sudo apt-get -y install libsofthsm
diff --git a/vendor/github.com/miekg/pkcs11/LICENSE b/vendor/github.com/miekg/pkcs11/LICENSE
new file mode 100644
index 000000000..ce25d13ab
--- /dev/null
+++ b/vendor/github.com/miekg/pkcs11/LICENSE
@@ -0,0 +1,27 @@
+Copyright (c) 2013 Miek Gieben. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+ * Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+ * Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following disclaimer
+in the documentation and/or other materials provided with the
+distribution.
+ * Neither the name of Miek Gieben nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/vendor/github.com/miekg/pkcs11/Makefile.release b/vendor/github.com/miekg/pkcs11/Makefile.release
new file mode 100644
index 000000000..4f58165f9
--- /dev/null
+++ b/vendor/github.com/miekg/pkcs11/Makefile.release
@@ -0,0 +1,57 @@
+# Makefile for releasing.
+#
+# The release is controlled from version.go. The version found there is
+# used to tag the git repo, we're not building any artifects so there is nothing
+# to upload to github.
+#
+# * Up the version in version.go
+# * Run: make -f Makefile.release release
+# * will *commit* your change with 'Release $VERSION'
+# * push to github
+#
+
+define GO
+//+build ignore
+
+package main
+
+import (
+ "fmt"
+
+ "github.com/miekg/pkcs11"
+)
+
+func main() {
+ fmt.Println(pkcs11.Release.String())
+}
+endef
+
+$(file > version_release.go,$(GO))
+VERSION:=$(shell go run -tags release version_release.go)
+TAG="v$(VERSION)"
+
+all:
+ rm -f version_release.go
+ @echo Use the \'release\' target to start a release $(VERSION)
+
+.PHONY: run
+run:
+ rm -f version_release.go
+ @echo $(VERSION)
+
+.PHONY: release
+release: commit push
+ @echo Released $(VERSION)
+
+.PHONY: commit
+commit:
+ rm -f version_release.go
+ @echo Committing release $(VERSION)
+ git commit -am"Release $(VERSION)"
+ git tag $(TAG)
+
+.PHONY: push
+push:
+ @echo Pushing release $(VERSION) to master
+ git push --tags
+ git push
diff --git a/vendor/github.com/miekg/pkcs11/README.md b/vendor/github.com/miekg/pkcs11/README.md
new file mode 100644
index 000000000..0a5c1b7b6
--- /dev/null
+++ b/vendor/github.com/miekg/pkcs11/README.md
@@ -0,0 +1,68 @@
+# PKCS#11 [![Build Status](https://travis-ci.org/miekg/pkcs11.png?branch=master)](https://travis-ci.org/miekg/pkcs11) [![GoDoc](https://img.shields.io/badge/godoc-reference-blue.svg)](http://godoc.org/github.com/miekg/pkcs11)
+
+This is a Go implementation of the PKCS#11 API. It wraps the library closely, but uses Go idiom were
+it makes sense. It has been tested with SoftHSM.
+
+## SoftHSM
+
+ * Make it use a custom configuration file `export SOFTHSM_CONF=$PWD/softhsm.conf`
+
+ * Then use `softhsm` to init it
+
+ ~~~
+ softhsm --init-token --slot 0 --label test --pin 1234
+ ~~~
+
+ * Then use `libsofthsm.so` as the pkcs11 module:
+
+ ~~~ go
+ p := pkcs11.New("/usr/lib/softhsm/libsofthsm.so")
+ ~~~
+
+## Examples
+
+A skeleton program would look somewhat like this (yes, pkcs#11 is verbose):
+
+~~~ go
+p := pkcs11.New("/usr/lib/softhsm/libsofthsm.so")
+err := p.Initialize()
+if err != nil {
+ panic(err)
+}
+
+defer p.Destroy()
+defer p.Finalize()
+
+slots, err := p.GetSlotList(true)
+if err != nil {
+ panic(err)
+}
+
+session, err := p.OpenSession(slots[0], pkcs11.CKF_SERIAL_SESSION|pkcs11.CKF_RW_SESSION)
+if err != nil {
+ panic(err)
+}
+defer p.CloseSession(session)
+
+err = p.Login(session, pkcs11.CKU_USER, "1234")
+if err != nil {
+ panic(err)
+}
+defer p.Logout(session)
+
+p.DigestInit(session, []*pkcs11.Mechanism{pkcs11.NewMechanism(pkcs11.CKM_SHA_1, nil)})
+hash, err := p.Digest(session, []byte("this is a string"))
+if err != nil {
+ panic(err)
+}
+
+for _, d := range hash {
+ fmt.Printf("%x", d)
+}
+fmt.Println()
+~~~
+
+Further examples are included in the tests.
+
+To expose PKCS#11 keys using the [crypto.Signer interface](https://golang.org/pkg/crypto/#Signer),
+please see [github.com/thalesignite/crypto11](https://github.com/thalesignite/crypto11).
diff --git a/vendor/github.com/miekg/pkcs11/const.go b/vendor/github.com/miekg/pkcs11/const.go
new file mode 100644
index 000000000..408856146
--- /dev/null
+++ b/vendor/github.com/miekg/pkcs11/const.go
@@ -0,0 +1,736 @@
+// Copyright 2013 Miek Gieben. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package pkcs11
+
+const (
+ CKU_SO uint = 0
+ CKU_USER uint = 1
+ CKU_CONTEXT_SPECIFIC uint = 2
+)
+
+const (
+ CKO_DATA uint = 0x00000000
+ CKO_CERTIFICATE uint = 0x00000001
+ CKO_PUBLIC_KEY uint = 0x00000002
+ CKO_PRIVATE_KEY uint = 0x00000003
+ CKO_SECRET_KEY uint = 0x00000004
+ CKO_HW_FEATURE uint = 0x00000005
+ CKO_DOMAIN_PARAMETERS uint = 0x00000006
+ CKO_MECHANISM uint = 0x00000007
+ CKO_OTP_KEY uint = 0x00000008
+ CKO_VENDOR_DEFINED uint = 0x80000000
+)
+
+const (
+ CKG_MGF1_SHA1 uint = 0x00000001
+ CKG_MGF1_SHA224 uint = 0x00000005
+ CKG_MGF1_SHA256 uint = 0x00000002
+ CKG_MGF1_SHA384 uint = 0x00000003
+ CKG_MGF1_SHA512 uint = 0x00000004
+ CKG_MGF1_SHA3_224 uint = 0x00000006
+ CKG_MGF1_SHA3_256 uint = 0x00000007
+ CKG_MGF1_SHA3_384 uint = 0x00000008
+ CKG_MGF1_SHA3_512 uint = 0x00000009
+)
+
+const (
+ CKZ_DATA_SPECIFIED uint = 0x00000001
+)
+
+// Generated with: awk '/#define CK[AFKMRC]/{ print $2 " = " $3 }' pkcs11t.h | sed -e 's/UL$//g' -e 's/UL)$/)/g'
+
+// All the flag (CKF_), attribute (CKA_), error code (CKR_), key type (CKK_), certificate type (CKC_) and
+// mechanism (CKM_) constants as defined in PKCS#11.
+const (
+ CKF_TOKEN_PRESENT = 0x00000001
+ CKF_REMOVABLE_DEVICE = 0x00000002
+ CKF_HW_SLOT = 0x00000004
+ CKF_RNG = 0x00000001
+ CKF_WRITE_PROTECTED = 0x00000002
+ CKF_LOGIN_REQUIRED = 0x00000004
+ CKF_USER_PIN_INITIALIZED = 0x00000008
+ CKF_RESTORE_KEY_NOT_NEEDED = 0x00000020
+ CKF_CLOCK_ON_TOKEN = 0x00000040
+ CKF_PROTECTED_AUTHENTICATION_PATH = 0x00000100
+ CKF_DUAL_CRYPTO_OPERATIONS = 0x00000200
+ CKF_TOKEN_INITIALIZED = 0x00000400
+ CKF_SECONDARY_AUTHENTICATION = 0x00000800
+ CKF_USER_PIN_COUNT_LOW = 0x00010000
+ CKF_USER_PIN_FINAL_TRY = 0x00020000
+ CKF_USER_PIN_LOCKED = 0x00040000
+ CKF_USER_PIN_TO_BE_CHANGED = 0x00080000
+ CKF_SO_PIN_COUNT_LOW = 0x00100000
+ CKF_SO_PIN_FINAL_TRY = 0x00200000
+ CKF_SO_PIN_LOCKED = 0x00400000
+ CKF_SO_PIN_TO_BE_CHANGED = 0x00800000
+ CKF_ERROR_STATE = 0x01000000
+ CKF_RW_SESSION = 0x00000002
+ CKF_SERIAL_SESSION = 0x00000004
+ CKK_RSA = 0x00000000
+ CKK_DSA = 0x00000001
+ CKK_DH = 0x00000002
+ CKK_ECDSA = 0x00000003
+ CKK_EC = 0x00000003
+ CKK_X9_42_DH = 0x00000004
+ CKK_KEA = 0x00000005
+ CKK_GENERIC_SECRET = 0x00000010
+ CKK_RC2 = 0x00000011
+ CKK_RC4 = 0x00000012
+ CKK_DES = 0x00000013
+ CKK_DES2 = 0x00000014
+ CKK_DES3 = 0x00000015
+ CKK_CAST = 0x00000016
+ CKK_CAST3 = 0x00000017
+ CKK_CAST5 = 0x00000018
+ CKK_CAST128 = 0x00000018
+ CKK_RC5 = 0x00000019
+ CKK_IDEA = 0x0000001A
+ CKK_SKIPJACK = 0x0000001B
+ CKK_BATON = 0x0000001C
+ CKK_JUNIPER = 0x0000001D
+ CKK_CDMF = 0x0000001E
+ CKK_AES = 0x0000001F
+ CKK_BLOWFISH = 0x00000020
+ CKK_TWOFISH = 0x00000021
+ CKK_SECURID = 0x00000022
+ CKK_HOTP = 0x00000023
+ CKK_ACTI = 0x00000024
+ CKK_CAMELLIA = 0x00000025
+ CKK_ARIA = 0x00000026
+ CKK_SHA512_224_HMAC = 0x00000027
+ CKK_SHA512_256_HMAC = 0x00000028
+ CKK_SHA512_T_HMAC = 0x00000029
+ CKK_SHA_1_HMAC = 0x00000028
+ CKK_SHA224_HMAC = 0x0000002E
+ CKK_SHA256_HMAC = 0x0000002B
+ CKK_SHA384_HMAC = 0x0000002C
+ CKK_SHA512_HMAC = 0x0000002D
+ CKK_SEED = 0x0000002F
+ CKK_GOSTR3410 = 0x00000030
+ CKK_GOSTR3411 = 0x00000031
+ CKK_GOST28147 = 0x00000032
+ CKK_SHA3_224_HMAC = 0x00000033
+ CKK_SHA3_256_HMAC = 0x00000034
+ CKK_SHA3_384_HMAC = 0x00000035
+ CKK_SHA3_512_HMAC = 0x00000036
+ CKK_VENDOR_DEFINED = 0x80000000
+ CKC_X_509 = 0x00000000
+ CKC_X_509_ATTR_CERT = 0x00000001
+ CKC_WTLS = 0x00000002
+ CKC_VENDOR_DEFINED = 0x80000000
+ CKF_ARRAY_ATTRIBUTE = 0x40000000
+ CKA_CLASS = 0x00000000
+ CKA_TOKEN = 0x00000001
+ CKA_PRIVATE = 0x00000002
+ CKA_LABEL = 0x00000003
+ CKA_APPLICATION = 0x00000010
+ CKA_VALUE = 0x00000011
+ CKA_OBJECT_ID = 0x00000012
+ CKA_CERTIFICATE_TYPE = 0x00000080
+ CKA_ISSUER = 0x00000081
+ CKA_SERIAL_NUMBER = 0x00000082
+ CKA_AC_ISSUER = 0x00000083
+ CKA_OWNER = 0x00000084
+ CKA_ATTR_TYPES = 0x00000085
+ CKA_TRUSTED = 0x00000086
+ CKA_CERTIFICATE_CATEGORY = 0x00000087
+ CKA_JAVA_MIDP_SECURITY_DOMAIN = 0x00000088
+ CKA_URL = 0x00000089
+ CKA_HASH_OF_SUBJECT_PUBLIC_KEY = 0x0000008A
+ CKA_HASH_OF_ISSUER_PUBLIC_KEY = 0x0000008B
+ CKA_NAME_HASH_ALGORITHM = 0x0000008C
+ CKA_CHECK_VALUE = 0x00000090
+ CKA_KEY_TYPE = 0x00000100
+ CKA_SUBJECT = 0x00000101
+ CKA_ID = 0x00000102
+ CKA_SENSITIVE = 0x00000103
+ CKA_ENCRYPT = 0x00000104
+ CKA_DECRYPT = 0x00000105
+ CKA_WRAP = 0x00000106
+ CKA_UNWRAP = 0x00000107
+ CKA_SIGN = 0x00000108
+ CKA_SIGN_RECOVER = 0x00000109
+ CKA_VERIFY = 0x0000010A
+ CKA_VERIFY_RECOVER = 0x0000010B
+ CKA_DERIVE = 0x0000010C
+ CKA_START_DATE = 0x00000110
+ CKA_END_DATE = 0x00000111
+ CKA_MODULUS = 0x00000120
+ CKA_MODULUS_BITS = 0x00000121
+ CKA_PUBLIC_EXPONENT = 0x00000122
+ CKA_PRIVATE_EXPONENT = 0x00000123
+ CKA_PRIME_1 = 0x00000124
+ CKA_PRIME_2 = 0x00000125
+ CKA_EXPONENT_1 = 0x00000126
+ CKA_EXPONENT_2 = 0x00000127
+ CKA_COEFFICIENT = 0x00000128
+ CKA_PUBLIC_KEY_INFO = 0x00000129
+ CKA_PRIME = 0x00000130
+ CKA_SUBPRIME = 0x00000131
+ CKA_BASE = 0x00000132
+ CKA_PRIME_BITS = 0x00000133
+ CKA_SUBPRIME_BITS = 0x00000134
+ CKA_SUB_PRIME_BITS = CKA_SUBPRIME_BITS
+ CKA_VALUE_BITS = 0x00000160
+ CKA_VALUE_LEN = 0x00000161
+ CKA_EXTRACTABLE = 0x00000162
+ CKA_LOCAL = 0x00000163
+ CKA_NEVER_EXTRACTABLE = 0x00000164
+ CKA_ALWAYS_SENSITIVE = 0x00000165
+ CKA_KEY_GEN_MECHANISM = 0x00000166
+ CKA_MODIFIABLE = 0x00000170
+ CKA_COPYABLE = 0x00000171
+ CKA_DESTROYABLE = 0x00000172
+ CKA_ECDSA_PARAMS = 0x00000180
+ CKA_EC_PARAMS = 0x00000180
+ CKA_EC_POINT = 0x00000181
+ CKA_SECONDARY_AUTH = 0x00000200
+ CKA_AUTH_PIN_FLAGS = 0x00000201
+ CKA_ALWAYS_AUTHENTICATE = 0x00000202
+ CKA_WRAP_WITH_TRUSTED = 0x00000210
+ CKA_WRAP_TEMPLATE = CKF_ARRAY_ATTRIBUTE | 0x00000211
+ CKA_UNWRAP_TEMPLATE = CKF_ARRAY_ATTRIBUTE | 0x00000212
+ CKA_OTP_FORMAT = 0x00000220
+ CKA_OTP_LENGTH = 0x00000221
+ CKA_OTP_TIME_INTERVAL = 0x00000222
+ CKA_OTP_USER_FRIENDLY_MODE = 0x00000223
+ CKA_OTP_CHALLENGE_REQUIREMENT = 0x00000224
+ CKA_OTP_TIME_REQUIREMENT = 0x00000225
+ CKA_OTP_COUNTER_REQUIREMENT = 0x00000226
+ CKA_OTP_PIN_REQUIREMENT = 0x00000227
+ CKA_OTP_COUNTER = 0x0000022E
+ CKA_OTP_TIME = 0x0000022F
+ CKA_OTP_USER_IDENTIFIER = 0x0000022A
+ CKA_OTP_SERVICE_IDENTIFIER = 0x0000022B
+ CKA_OTP_SERVICE_LOGO = 0x0000022C
+ CKA_OTP_SERVICE_LOGO_TYPE = 0x0000022D
+ CKA_GOSTR3410_PARAMS = 0x00000250
+ CKA_GOSTR3411_PARAMS = 0x00000251
+ CKA_GOST28147_PARAMS = 0x00000252
+ CKA_HW_FEATURE_TYPE = 0x00000300
+ CKA_RESET_ON_INIT = 0x00000301
+ CKA_HAS_RESET = 0x00000302
+ CKA_PIXEL_X = 0x00000400
+ CKA_PIXEL_Y = 0x00000401
+ CKA_RESOLUTION = 0x00000402
+ CKA_CHAR_ROWS = 0x00000403
+ CKA_CHAR_COLUMNS = 0x00000404
+ CKA_COLOR = 0x00000405
+ CKA_BITS_PER_PIXEL = 0x00000406
+ CKA_CHAR_SETS = 0x00000480
+ CKA_ENCODING_METHODS = 0x00000481
+ CKA_MIME_TYPES = 0x00000482
+ CKA_MECHANISM_TYPE = 0x00000500
+ CKA_REQUIRED_CMS_ATTRIBUTES = 0x00000501
+ CKA_DEFAULT_CMS_ATTRIBUTES = 0x00000502
+ CKA_SUPPORTED_CMS_ATTRIBUTES = 0x00000503
+ CKA_ALLOWED_MECHANISMS = CKF_ARRAY_ATTRIBUTE | 0x00000600
+ CKA_VENDOR_DEFINED = 0x80000000
+ CKM_RSA_PKCS_KEY_PAIR_GEN = 0x00000000
+ CKM_RSA_PKCS = 0x00000001
+ CKM_RSA_9796 = 0x00000002
+ CKM_RSA_X_509 = 0x00000003
+ CKM_MD2_RSA_PKCS = 0x00000004
+ CKM_MD5_RSA_PKCS = 0x00000005
+ CKM_SHA1_RSA_PKCS = 0x00000006
+ CKM_RIPEMD128_RSA_PKCS = 0x00000007
+ CKM_RIPEMD160_RSA_PKCS = 0x00000008
+ CKM_RSA_PKCS_OAEP = 0x00000009
+ CKM_RSA_X9_31_KEY_PAIR_GEN = 0x0000000A
+ CKM_RSA_X9_31 = 0x0000000B
+ CKM_SHA1_RSA_X9_31 = 0x0000000C
+ CKM_RSA_PKCS_PSS = 0x0000000D
+ CKM_SHA1_RSA_PKCS_PSS = 0x0000000E
+ CKM_DSA_KEY_PAIR_GEN = 0x00000010
+ CKM_DSA = 0x00000011
+ CKM_DSA_SHA1 = 0x00000012
+ CKM_DSA_FIPS_G_GEN = 0x00000013
+ CKM_DSA_SHA224 = 0x00000014
+ CKM_DSA_SHA256 = 0x00000015
+ CKM_DSA_SHA384 = 0x00000016
+ CKM_DSA_SHA512 = 0x00000017
+ CKM_DSA_SHA3_224 = 0x00000018
+ CKM_DSA_SHA3_256 = 0x00000019
+ CKM_DSA_SHA3_384 = 0x0000001A
+ CKM_DSA_SHA3_512 = 0x0000001B
+ CKM_DH_PKCS_KEY_PAIR_GEN = 0x00000020
+ CKM_DH_PKCS_DERIVE = 0x00000021
+ CKM_X9_42_DH_KEY_PAIR_GEN = 0x00000030
+ CKM_X9_42_DH_DERIVE = 0x00000031
+ CKM_X9_42_DH_HYBRID_DERIVE = 0x00000032
+ CKM_X9_42_MQV_DERIVE = 0x00000033
+ CKM_SHA256_RSA_PKCS = 0x00000040
+ CKM_SHA384_RSA_PKCS = 0x00000041
+ CKM_SHA512_RSA_PKCS = 0x00000042
+ CKM_SHA256_RSA_PKCS_PSS = 0x00000043
+ CKM_SHA384_RSA_PKCS_PSS = 0x00000044
+ CKM_SHA512_RSA_PKCS_PSS = 0x00000045
+ CKM_SHA224_RSA_PKCS = 0x00000046
+ CKM_SHA224_RSA_PKCS_PSS = 0x00000047
+ CKM_SHA512_224 = 0x00000048
+ CKM_SHA512_224_HMAC = 0x00000049
+ CKM_SHA512_224_HMAC_GENERAL = 0x0000004A
+ CKM_SHA512_224_KEY_DERIVATION = 0x0000004B
+ CKM_SHA512_256 = 0x0000004C
+ CKM_SHA512_256_HMAC = 0x0000004D
+ CKM_SHA512_256_HMAC_GENERAL = 0x0000004E
+ CKM_SHA512_256_KEY_DERIVATION = 0x0000004F
+ CKM_SHA512_T = 0x00000050
+ CKM_SHA512_T_HMAC = 0x00000051
+ CKM_SHA512_T_HMAC_GENERAL = 0x00000052
+ CKM_SHA512_T_KEY_DERIVATION = 0x00000053
+ CKM_SHA3_256_RSA_PKCS = 0x00000060
+ CKM_SHA3_384_RSA_PKCS = 0x00000061
+ CKM_SHA3_512_RSA_PKCS = 0x00000062
+ CKM_SHA3_256_RSA_PKCS_PSS = 0x00000063
+ CKM_SHA3_384_RSA_PKCS_PSS = 0x00000064
+ CKM_SHA3_512_RSA_PKCS_PSS = 0x00000065
+ CKM_SHA3_224_RSA_PKCS = 0x00000066
+ CKM_SHA3_224_RSA_PKCS_PSS = 0x00000067
+ CKM_RC2_KEY_GEN = 0x00000100
+ CKM_RC2_ECB = 0x00000101
+ CKM_RC2_CBC = 0x00000102
+ CKM_RC2_MAC = 0x00000103
+ CKM_RC2_MAC_GENERAL = 0x00000104
+ CKM_RC2_CBC_PAD = 0x00000105
+ CKM_RC4_KEY_GEN = 0x00000110
+ CKM_RC4 = 0x00000111
+ CKM_DES_KEY_GEN = 0x00000120
+ CKM_DES_ECB = 0x00000121
+ CKM_DES_CBC = 0x00000122
+ CKM_DES_MAC = 0x00000123
+ CKM_DES_MAC_GENERAL = 0x00000124
+ CKM_DES_CBC_PAD = 0x00000125
+ CKM_DES2_KEY_GEN = 0x00000130
+ CKM_DES3_KEY_GEN = 0x00000131
+ CKM_DES3_ECB = 0x00000132
+ CKM_DES3_CBC = 0x00000133
+ CKM_DES3_MAC = 0x00000134
+ CKM_DES3_MAC_GENERAL = 0x00000135
+ CKM_DES3_CBC_PAD = 0x00000136
+ CKM_DES3_CMAC_GENERAL = 0x00000137
+ CKM_DES3_CMAC = 0x00000138
+ CKM_CDMF_KEY_GEN = 0x00000140
+ CKM_CDMF_ECB = 0x00000141
+ CKM_CDMF_CBC = 0x00000142
+ CKM_CDMF_MAC = 0x00000143
+ CKM_CDMF_MAC_GENERAL = 0x00000144
+ CKM_CDMF_CBC_PAD = 0x00000145
+ CKM_DES_OFB64 = 0x00000150
+ CKM_DES_OFB8 = 0x00000151
+ CKM_DES_CFB64 = 0x00000152
+ CKM_DES_CFB8 = 0x00000153
+ CKM_MD2 = 0x00000200
+ CKM_MD2_HMAC = 0x00000201
+ CKM_MD2_HMAC_GENERAL = 0x00000202
+ CKM_MD5 = 0x00000210
+ CKM_MD5_HMAC = 0x00000211
+ CKM_MD5_HMAC_GENERAL = 0x00000212
+ CKM_SHA_1 = 0x00000220
+ CKM_SHA_1_HMAC = 0x00000221
+ CKM_SHA_1_HMAC_GENERAL = 0x00000222
+ CKM_RIPEMD128 = 0x00000230
+ CKM_RIPEMD128_HMAC = 0x00000231
+ CKM_RIPEMD128_HMAC_GENERAL = 0x00000232
+ CKM_RIPEMD160 = 0x00000240
+ CKM_RIPEMD160_HMAC = 0x00000241
+ CKM_RIPEMD160_HMAC_GENERAL = 0x00000242
+ CKM_SHA256 = 0x00000250
+ CKM_SHA256_HMAC = 0x00000251
+ CKM_SHA256_HMAC_GENERAL = 0x00000252
+ CKM_SHA224 = 0x00000255
+ CKM_SHA224_HMAC = 0x00000256
+ CKM_SHA224_HMAC_GENERAL = 0x00000257
+ CKM_SHA384 = 0x00000260
+ CKM_SHA384_HMAC = 0x00000261
+ CKM_SHA384_HMAC_GENERAL = 0x00000262
+ CKM_SHA512 = 0x00000270
+ CKM_SHA512_HMAC = 0x00000271
+ CKM_SHA512_HMAC_GENERAL = 0x00000272
+ CKM_SECURID_KEY_GEN = 0x00000280
+ CKM_SECURID = 0x00000282
+ CKM_HOTP_KEY_GEN = 0x00000290
+ CKM_HOTP = 0x00000291
+ CKM_ACTI = 0x000002A0
+ CKM_ACTI_KEY_GEN = 0x000002A1
+ CKM_SHA3_256 = 0x000002B0
+ CKM_SHA3_256_HMAC = 0x000002B1
+ CKM_SHA3_256_HMAC_GENERAL = 0x000002B2
+ CKM_SHA3_256_KEY_GEN = 0x000002B3
+ CKM_SHA3_224 = 0x000002B5
+ CKM_SHA3_224_HMAC = 0x000002B6
+ CKM_SHA3_224_HMAC_GENERAL = 0x000002B7
+ CKM_SHA3_224_KEY_GEN = 0x000002B8
+ CKM_SHA3_384 = 0x000002C0
+ CKM_SHA3_384_HMAC = 0x000002C1
+ CKM_SHA3_384_HMAC_GENERAL = 0x000002C2
+ CKM_SHA3_384_KEY_GEN = 0x000002C3
+ CKM_SHA3_512 = 0x000002D0
+ CKM_SHA3_512_HMAC = 0x000002D1
+ CKM_SHA3_512_HMAC_GENERAL = 0x000002D2
+ CKM_SHA3_512_KEY_GEN = 0x000002D3
+ CKM_CAST_KEY_GEN = 0x00000300
+ CKM_CAST_ECB = 0x00000301
+ CKM_CAST_CBC = 0x00000302
+ CKM_CAST_MAC = 0x00000303
+ CKM_CAST_MAC_GENERAL = 0x00000304
+ CKM_CAST_CBC_PAD = 0x00000305
+ CKM_CAST3_KEY_GEN = 0x00000310
+ CKM_CAST3_ECB = 0x00000311
+ CKM_CAST3_CBC = 0x00000312
+ CKM_CAST3_MAC = 0x00000313
+ CKM_CAST3_MAC_GENERAL = 0x00000314
+ CKM_CAST3_CBC_PAD = 0x00000315
+ CKM_CAST5_KEY_GEN = 0x00000320
+ CKM_CAST128_KEY_GEN = 0x00000320
+ CKM_CAST5_ECB = 0x00000321
+ CKM_CAST128_ECB = 0x00000321
+ CKM_CAST5_CBC = 0x00000322
+ CKM_CAST128_CBC = 0x00000322
+ CKM_CAST5_MAC = 0x00000323
+ CKM_CAST128_MAC = 0x00000323
+ CKM_CAST5_MAC_GENERAL = 0x00000324
+ CKM_CAST128_MAC_GENERAL = 0x00000324
+ CKM_CAST5_CBC_PAD = 0x00000325
+ CKM_CAST128_CBC_PAD = 0x00000325
+ CKM_RC5_KEY_GEN = 0x00000330
+ CKM_RC5_ECB = 0x00000331
+ CKM_RC5_CBC = 0x00000332
+ CKM_RC5_MAC = 0x00000333
+ CKM_RC5_MAC_GENERAL = 0x00000334
+ CKM_RC5_CBC_PAD = 0x00000335
+ CKM_IDEA_KEY_GEN = 0x00000340
+ CKM_IDEA_ECB = 0x00000341
+ CKM_IDEA_CBC = 0x00000342
+ CKM_IDEA_MAC = 0x00000343
+ CKM_IDEA_MAC_GENERAL = 0x00000344
+ CKM_IDEA_CBC_PAD = 0x00000345
+ CKM_GENERIC_SECRET_KEY_GEN = 0x00000350
+ CKM_CONCATENATE_BASE_AND_KEY = 0x00000360
+ CKM_CONCATENATE_BASE_AND_DATA = 0x00000362
+ CKM_CONCATENATE_DATA_AND_BASE = 0x00000363
+ CKM_XOR_BASE_AND_DATA = 0x00000364
+ CKM_EXTRACT_KEY_FROM_KEY = 0x00000365
+ CKM_SSL3_PRE_MASTER_KEY_GEN = 0x00000370
+ CKM_SSL3_MASTER_KEY_DERIVE = 0x00000371
+ CKM_SSL3_KEY_AND_MAC_DERIVE = 0x00000372
+ CKM_SSL3_MASTER_KEY_DERIVE_DH = 0x00000373
+ CKM_TLS_PRE_MASTER_KEY_GEN = 0x00000374
+ CKM_TLS_MASTER_KEY_DERIVE = 0x00000375
+ CKM_TLS_KEY_AND_MAC_DERIVE = 0x00000376
+ CKM_TLS_MASTER_KEY_DERIVE_DH = 0x00000377
+ CKM_TLS_PRF = 0x00000378
+ CKM_SSL3_MD5_MAC = 0x00000380
+ CKM_SSL3_SHA1_MAC = 0x00000381
+ CKM_MD5_KEY_DERIVATION = 0x00000390
+ CKM_MD2_KEY_DERIVATION = 0x00000391
+ CKM_SHA1_KEY_DERIVATION = 0x00000392
+ CKM_SHA256_KEY_DERIVATION = 0x00000393
+ CKM_SHA384_KEY_DERIVATION = 0x00000394
+ CKM_SHA512_KEY_DERIVATION = 0x00000395
+ CKM_SHA224_KEY_DERIVATION = 0x00000396
+ CKM_SHA3_256_KEY_DERIVE = 0x00000397
+ CKM_SHA3_224_KEY_DERIVE = 0x00000398
+ CKM_SHA3_384_KEY_DERIVE = 0x00000399
+ CKM_SHA3_512_KEY_DERIVE = 0x0000039A
+ CKM_SHAKE_128_KEY_DERIVE = 0x0000039B
+ CKM_SHAKE_256_KEY_DERIVE = 0x0000039C
+ CKM_PBE_MD2_DES_CBC = 0x000003A0
+ CKM_PBE_MD5_DES_CBC = 0x000003A1
+ CKM_PBE_MD5_CAST_CBC = 0x000003A2
+ CKM_PBE_MD5_CAST3_CBC = 0x000003A3
+ CKM_PBE_MD5_CAST5_CBC = 0x000003A4
+ CKM_PBE_MD5_CAST128_CBC = 0x000003A4
+ CKM_PBE_SHA1_CAST5_CBC = 0x000003A5
+ CKM_PBE_SHA1_CAST128_CBC = 0x000003A5
+ CKM_PBE_SHA1_RC4_128 = 0x000003A6
+ CKM_PBE_SHA1_RC4_40 = 0x000003A7
+ CKM_PBE_SHA1_DES3_EDE_CBC = 0x000003A8
+ CKM_PBE_SHA1_DES2_EDE_CBC = 0x000003A9
+ CKM_PBE_SHA1_RC2_128_CBC = 0x000003AA
+ CKM_PBE_SHA1_RC2_40_CBC = 0x000003AB
+ CKM_PKCS5_PBKD2 = 0x000003B0
+ CKM_PBA_SHA1_WITH_SHA1_HMAC = 0x000003C0
+ CKM_WTLS_PRE_MASTER_KEY_GEN = 0x000003D0
+ CKM_WTLS_MASTER_KEY_DERIVE = 0x000003D1
+ CKM_WTLS_MASTER_KEY_DERIVE_DH_ECC = 0x000003D2
+ CKM_WTLS_PRF = 0x000003D3
+ CKM_WTLS_SERVER_KEY_AND_MAC_DERIVE = 0x000003D4
+ CKM_WTLS_CLIENT_KEY_AND_MAC_DERIVE = 0x000003D5
+ CKM_TLS10_MAC_SERVER = 0x000003D6
+ CKM_TLS10_MAC_CLIENT = 0x000003D7
+ CKM_TLS12_MAC = 0x000003D8
+ CKM_TLS12_KDF = 0x000003D9
+ CKM_TLS12_MASTER_KEY_DERIVE = 0x000003E0
+ CKM_TLS12_KEY_AND_MAC_DERIVE = 0x000003E1
+ CKM_TLS12_MASTER_KEY_DERIVE_DH = 0x000003E2
+ CKM_TLS12_KEY_SAFE_DERIVE = 0x000003E3
+ CKM_TLS_MAC = 0x000003E4
+ CKM_TLS_KDF = 0x000003E5
+ CKM_KEY_WRAP_LYNKS = 0x00000400
+ CKM_KEY_WRAP_SET_OAEP = 0x00000401
+ CKM_CMS_SIG = 0x00000500
+ CKM_KIP_DERIVE = 0x00000510
+ CKM_KIP_WRAP = 0x00000511
+ CKM_KIP_MAC = 0x00000512
+ CKM_CAMELLIA_KEY_GEN = 0x00000550
+ CKM_CAMELLIA_ECB = 0x00000551
+ CKM_CAMELLIA_CBC = 0x00000552
+ CKM_CAMELLIA_MAC = 0x00000553
+ CKM_CAMELLIA_MAC_GENERAL = 0x00000554
+ CKM_CAMELLIA_CBC_PAD = 0x00000555
+ CKM_CAMELLIA_ECB_ENCRYPT_DATA = 0x00000556
+ CKM_CAMELLIA_CBC_ENCRYPT_DATA = 0x00000557
+ CKM_CAMELLIA_CTR = 0x00000558
+ CKM_ARIA_KEY_GEN = 0x00000560
+ CKM_ARIA_ECB = 0x00000561
+ CKM_ARIA_CBC = 0x00000562
+ CKM_ARIA_MAC = 0x00000563
+ CKM_ARIA_MAC_GENERAL = 0x00000564
+ CKM_ARIA_CBC_PAD = 0x00000565
+ CKM_ARIA_ECB_ENCRYPT_DATA = 0x00000566
+ CKM_ARIA_CBC_ENCRYPT_DATA = 0x00000567
+ CKM_SEED_KEY_GEN = 0x00000650
+ CKM_SEED_ECB = 0x00000651
+ CKM_SEED_CBC = 0x00000652
+ CKM_SEED_MAC = 0x00000653
+ CKM_SEED_MAC_GENERAL = 0x00000654
+ CKM_SEED_CBC_PAD = 0x00000655
+ CKM_SEED_ECB_ENCRYPT_DATA = 0x00000656
+ CKM_SEED_CBC_ENCRYPT_DATA = 0x00000657
+ CKM_SKIPJACK_KEY_GEN = 0x00001000
+ CKM_SKIPJACK_ECB64 = 0x00001001
+ CKM_SKIPJACK_CBC64 = 0x00001002
+ CKM_SKIPJACK_OFB64 = 0x00001003
+ CKM_SKIPJACK_CFB64 = 0x00001004
+ CKM_SKIPJACK_CFB32 = 0x00001005
+ CKM_SKIPJACK_CFB16 = 0x00001006
+ CKM_SKIPJACK_CFB8 = 0x00001007
+ CKM_SKIPJACK_WRAP = 0x00001008
+ CKM_SKIPJACK_PRIVATE_WRAP = 0x00001009
+ CKM_SKIPJACK_RELAYX = 0x0000100a
+ CKM_KEA_KEY_PAIR_GEN = 0x00001010
+ CKM_KEA_KEY_DERIVE = 0x00001011
+ CKM_KEA_DERIVE = 0x00001012
+ CKM_FORTEZZA_TIMESTAMP = 0x00001020
+ CKM_BATON_KEY_GEN = 0x00001030
+ CKM_BATON_ECB128 = 0x00001031
+ CKM_BATON_ECB96 = 0x00001032
+ CKM_BATON_CBC128 = 0x00001033
+ CKM_BATON_COUNTER = 0x00001034
+ CKM_BATON_SHUFFLE = 0x00001035
+ CKM_BATON_WRAP = 0x00001036
+ CKM_ECDSA_KEY_PAIR_GEN = 0x00001040
+ CKM_EC_KEY_PAIR_GEN = 0x00001040
+ CKM_ECDSA = 0x00001041
+ CKM_ECDSA_SHA1 = 0x00001042
+ CKM_ECDSA_SHA224 = 0x00001043
+ CKM_ECDSA_SHA256 = 0x00001044
+ CKM_ECDSA_SHA384 = 0x00001045
+ CKM_ECDSA_SHA512 = 0x00001046
+ CKM_ECDH1_DERIVE = 0x00001050
+ CKM_ECDH1_COFACTOR_DERIVE = 0x00001051
+ CKM_ECMQV_DERIVE = 0x00001052
+ CKM_ECDH_AES_KEY_WRAP = 0x00001053
+ CKM_RSA_AES_KEY_WRAP = 0x00001054
+ CKM_JUNIPER_KEY_GEN = 0x00001060
+ CKM_JUNIPER_ECB128 = 0x00001061
+ CKM_JUNIPER_CBC128 = 0x00001062
+ CKM_JUNIPER_COUNTER = 0x00001063
+ CKM_JUNIPER_SHUFFLE = 0x00001064
+ CKM_JUNIPER_WRAP = 0x00001065
+ CKM_FASTHASH = 0x00001070
+ CKM_AES_KEY_GEN = 0x00001080
+ CKM_AES_ECB = 0x00001081
+ CKM_AES_CBC = 0x00001082
+ CKM_AES_MAC = 0x00001083
+ CKM_AES_MAC_GENERAL = 0x00001084
+ CKM_AES_CBC_PAD = 0x00001085
+ CKM_AES_CTR = 0x00001086
+ CKM_AES_GCM = 0x00001087
+ CKM_AES_CCM = 0x00001088
+ CKM_AES_CMAC_GENERAL = 0x00001089
+ CKM_AES_CMAC = 0x0000108A
+ CKM_AES_CTS = 0x0000108B
+ CKM_AES_XCBC_MAC = 0x0000108C
+ CKM_AES_XCBC_MAC_96 = 0x0000108D
+ CKM_AES_GMAC = 0x0000108E
+ CKM_BLOWFISH_KEY_GEN = 0x00001090
+ CKM_BLOWFISH_CBC = 0x00001091
+ CKM_TWOFISH_KEY_GEN = 0x00001092
+ CKM_TWOFISH_CBC = 0x00001093
+ CKM_BLOWFISH_CBC_PAD = 0x00001094
+ CKM_TWOFISH_CBC_PAD = 0x00001095
+ CKM_DES_ECB_ENCRYPT_DATA = 0x00001100
+ CKM_DES_CBC_ENCRYPT_DATA = 0x00001101
+ CKM_DES3_ECB_ENCRYPT_DATA = 0x00001102
+ CKM_DES3_CBC_ENCRYPT_DATA = 0x00001103
+ CKM_AES_ECB_ENCRYPT_DATA = 0x00001104
+ CKM_AES_CBC_ENCRYPT_DATA = 0x00001105
+ CKM_GOSTR3410_KEY_PAIR_GEN = 0x00001200
+ CKM_GOSTR3410 = 0x00001201
+ CKM_GOSTR3410_WITH_GOSTR3411 = 0x00001202
+ CKM_GOSTR3410_KEY_WRAP = 0x00001203
+ CKM_GOSTR3410_DERIVE = 0x00001204
+ CKM_GOSTR3411 = 0x00001210
+ CKM_GOSTR3411_HMAC = 0x00001211
+ CKM_GOST28147_KEY_GEN = 0x00001220
+ CKM_GOST28147_ECB = 0x00001221
+ CKM_GOST28147 = 0x00001222
+ CKM_GOST28147_MAC = 0x00001223
+ CKM_GOST28147_KEY_WRAP = 0x00001224
+ CKM_DSA_PARAMETER_GEN = 0x00002000
+ CKM_DH_PKCS_PARAMETER_GEN = 0x00002001
+ CKM_X9_42_DH_PARAMETER_GEN = 0x00002002
+ CKM_DSA_PROBABLISTIC_PARAMETER_GEN = 0x00002003
+ CKM_DSA_SHAWE_TAYLOR_PARAMETER_GEN = 0x00002004
+ CKM_AES_OFB = 0x00002104
+ CKM_AES_CFB64 = 0x00002105
+ CKM_AES_CFB8 = 0x00002106
+ CKM_AES_CFB128 = 0x00002107
+ CKM_AES_CFB1 = 0x00002108
+ CKM_AES_KEY_WRAP = 0x00002109
+ CKM_AES_KEY_WRAP_PAD = 0x0000210A
+ CKM_RSA_PKCS_TPM_1_1 = 0x00004001
+ CKM_RSA_PKCS_OAEP_TPM_1_1 = 0x00004002
+ CKM_VENDOR_DEFINED = 0x80000000
+ CKF_HW = 0x00000001
+ CKF_ENCRYPT = 0x00000100
+ CKF_DECRYPT = 0x00000200
+ CKF_DIGEST = 0x00000400
+ CKF_SIGN = 0x00000800
+ CKF_SIGN_RECOVER = 0x00001000
+ CKF_VERIFY = 0x00002000
+ CKF_VERIFY_RECOVER = 0x00004000
+ CKF_GENERATE = 0x00008000
+ CKF_GENERATE_KEY_PAIR = 0x00010000
+ CKF_WRAP = 0x00020000
+ CKF_UNWRAP = 0x00040000
+ CKF_DERIVE = 0x00080000
+ CKF_EC_F_P = 0x00100000
+ CKF_EC_F_2M = 0x00200000
+ CKF_EC_ECPARAMETERS = 0x00400000
+ CKF_EC_NAMEDCURVE = 0x00800000
+ CKF_EC_UNCOMPRESS = 0x01000000
+ CKF_EC_COMPRESS = 0x02000000
+ CKF_EXTENSION = 0x80000000
+ CKR_OK = 0x00000000
+ CKR_CANCEL = 0x00000001
+ CKR_HOST_MEMORY = 0x00000002
+ CKR_SLOT_ID_INVALID = 0x00000003
+ CKR_GENERAL_ERROR = 0x00000005
+ CKR_FUNCTION_FAILED = 0x00000006
+ CKR_ARGUMENTS_BAD = 0x00000007
+ CKR_NO_EVENT = 0x00000008
+ CKR_NEED_TO_CREATE_THREADS = 0x00000009
+ CKR_CANT_LOCK = 0x0000000A
+ CKR_ATTRIBUTE_READ_ONLY = 0x00000010
+ CKR_ATTRIBUTE_SENSITIVE = 0x00000011
+ CKR_ATTRIBUTE_TYPE_INVALID = 0x00000012
+ CKR_ATTRIBUTE_VALUE_INVALID = 0x00000013
+ CKR_ACTION_PROHIBITED = 0x0000001B
+ CKR_DATA_INVALID = 0x00000020
+ CKR_DATA_LEN_RANGE = 0x00000021
+ CKR_DEVICE_ERROR = 0x00000030
+ CKR_DEVICE_MEMORY = 0x00000031
+ CKR_DEVICE_REMOVED = 0x00000032
+ CKR_ENCRYPTED_DATA_INVALID = 0x00000040
+ CKR_ENCRYPTED_DATA_LEN_RANGE = 0x00000041
+ CKR_FUNCTION_CANCELED = 0x00000050
+ CKR_FUNCTION_NOT_PARALLEL = 0x00000051
+ CKR_FUNCTION_NOT_SUPPORTED = 0x00000054
+ CKR_KEY_HANDLE_INVALID = 0x00000060
+ CKR_KEY_SIZE_RANGE = 0x00000062
+ CKR_KEY_TYPE_INCONSISTENT = 0x00000063
+ CKR_KEY_NOT_NEEDED = 0x00000064
+ CKR_KEY_CHANGED = 0x00000065
+ CKR_KEY_NEEDED = 0x00000066
+ CKR_KEY_INDIGESTIBLE = 0x00000067
+ CKR_KEY_FUNCTION_NOT_PERMITTED = 0x00000068
+ CKR_KEY_NOT_WRAPPABLE = 0x00000069
+ CKR_KEY_UNEXTRACTABLE = 0x0000006A
+ CKR_MECHANISM_INVALID = 0x00000070
+ CKR_MECHANISM_PARAM_INVALID = 0x00000071
+ CKR_OBJECT_HANDLE_INVALID = 0x00000082
+ CKR_OPERATION_ACTIVE = 0x00000090
+ CKR_OPERATION_NOT_INITIALIZED = 0x00000091
+ CKR_PIN_INCORRECT = 0x000000A0
+ CKR_PIN_INVALID = 0x000000A1
+ CKR_PIN_LEN_RANGE = 0x000000A2
+ CKR_PIN_EXPIRED = 0x000000A3
+ CKR_PIN_LOCKED = 0x000000A4
+ CKR_SESSION_CLOSED = 0x000000B0
+ CKR_SESSION_COUNT = 0x000000B1
+ CKR_SESSION_HANDLE_INVALID = 0x000000B3
+ CKR_SESSION_PARALLEL_NOT_SUPPORTED = 0x000000B4
+ CKR_SESSION_READ_ONLY = 0x000000B5
+ CKR_SESSION_EXISTS = 0x000000B6
+ CKR_SESSION_READ_ONLY_EXISTS = 0x000000B7
+ CKR_SESSION_READ_WRITE_SO_EXISTS = 0x000000B8
+ CKR_SIGNATURE_INVALID = 0x000000C0
+ CKR_SIGNATURE_LEN_RANGE = 0x000000C1
+ CKR_TEMPLATE_INCOMPLETE = 0x000000D0
+ CKR_TEMPLATE_INCONSISTENT = 0x000000D1
+ CKR_TOKEN_NOT_PRESENT = 0x000000E0
+ CKR_TOKEN_NOT_RECOGNIZED = 0x000000E1
+ CKR_TOKEN_WRITE_PROTECTED = 0x000000E2
+ CKR_UNWRAPPING_KEY_HANDLE_INVALID = 0x000000F0
+ CKR_UNWRAPPING_KEY_SIZE_RANGE = 0x000000F1
+ CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT = 0x000000F2
+ CKR_USER_ALREADY_LOGGED_IN = 0x00000100
+ CKR_USER_NOT_LOGGED_IN = 0x00000101
+ CKR_USER_PIN_NOT_INITIALIZED = 0x00000102
+ CKR_USER_TYPE_INVALID = 0x00000103
+ CKR_USER_ANOTHER_ALREADY_LOGGED_IN = 0x00000104
+ CKR_USER_TOO_MANY_TYPES = 0x00000105
+ CKR_WRAPPED_KEY_INVALID = 0x00000110
+ CKR_WRAPPED_KEY_LEN_RANGE = 0x00000112
+ CKR_WRAPPING_KEY_HANDLE_INVALID = 0x00000113
+ CKR_WRAPPING_KEY_SIZE_RANGE = 0x00000114
+ CKR_WRAPPING_KEY_TYPE_INCONSISTENT = 0x00000115
+ CKR_RANDOM_SEED_NOT_SUPPORTED = 0x00000120
+ CKR_RANDOM_NO_RNG = 0x00000121
+ CKR_DOMAIN_PARAMS_INVALID = 0x00000130
+ CKR_CURVE_NOT_SUPPORTED = 0x00000140
+ CKR_BUFFER_TOO_SMALL = 0x00000150
+ CKR_SAVED_STATE_INVALID = 0x00000160
+ CKR_INFORMATION_SENSITIVE = 0x00000170
+ CKR_STATE_UNSAVEABLE = 0x00000180
+ CKR_CRYPTOKI_NOT_INITIALIZED = 0x00000190
+ CKR_CRYPTOKI_ALREADY_INITIALIZED = 0x00000191
+ CKR_MUTEX_BAD = 0x000001A0
+ CKR_MUTEX_NOT_LOCKED = 0x000001A1
+ CKR_NEW_PIN_MODE = 0x000001B0
+ CKR_NEXT_OTP = 0x000001B1
+ CKR_EXCEEDED_MAX_ITERATIONS = 0x000001C0
+ CKR_FIPS_SELF_TEST_FAILED = 0x000001C1
+ CKR_LIBRARY_LOAD_FAILED = 0x000001C2
+ CKR_PIN_TOO_WEAK = 0x000001C3
+ CKR_PUBLIC_KEY_INVALID = 0x000001C4
+ CKR_FUNCTION_REJECTED = 0x00000200
+ CKR_VENDOR_DEFINED = 0x80000000
+ CKF_LIBRARY_CANT_CREATE_OS_THREADS = 0x00000001
+ CKF_OS_LOCKING_OK = 0x00000002
+ CKF_DONT_BLOCK = 1
+ CKF_NEXT_OTP = 0x00000001
+ CKF_EXCLUDE_TIME = 0x00000002
+ CKF_EXCLUDE_COUNTER = 0x00000004
+ CKF_EXCLUDE_CHALLENGE = 0x00000008
+ CKF_EXCLUDE_PIN = 0x00000010
+ CKF_USER_FRIENDLY_OTP = 0x00000020
+ CKD_NULL = 0x00000001
+ CKD_SHA1_KDF = 0x00000002
+)
+
+// Special return values defined in PKCS#11 v2.40 section 3.2.
+const (
+ // CK_EFFECTIVELY_INFINITE may be returned in the CK_TOKEN_INFO fields ulMaxSessionCount and ulMaxRwSessionCount.
+ // It indicates there is no practical limit on the number of sessions.
+ CK_EFFECTIVELY_INFINITE = 0
+
+ // CK_UNAVAILABLE_INFORMATION may be returned for several fields within CK_TOKEN_INFO. It indicates
+ // the token is unable or unwilling to provide the requested information.
+ CK_UNAVAILABLE_INFORMATION = ^uint(0)
+)
diff --git a/vendor/github.com/miekg/pkcs11/error.go b/vendor/github.com/miekg/pkcs11/error.go
new file mode 100644
index 000000000..7df0e93a6
--- /dev/null
+++ b/vendor/github.com/miekg/pkcs11/error.go
@@ -0,0 +1,98 @@
+// Copyright 2013 Miek Gieben. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package pkcs11
+
+// awk '/#define CKR_/{ print $3":\""$2"\"," }' pkcs11t.h
+
+var strerror = map[uint]string{
+ 0x00000000: "CKR_OK",
+ 0x00000001: "CKR_CANCEL",
+ 0x00000002: "CKR_HOST_MEMORY",
+ 0x00000003: "CKR_SLOT_ID_INVALID",
+ 0x00000005: "CKR_GENERAL_ERROR",
+ 0x00000006: "CKR_FUNCTION_FAILED",
+ 0x00000007: "CKR_ARGUMENTS_BAD",
+ 0x00000008: "CKR_NO_EVENT",
+ 0x00000009: "CKR_NEED_TO_CREATE_THREADS",
+ 0x0000000A: "CKR_CANT_LOCK",
+ 0x00000010: "CKR_ATTRIBUTE_READ_ONLY",
+ 0x00000011: "CKR_ATTRIBUTE_SENSITIVE",
+ 0x00000012: "CKR_ATTRIBUTE_TYPE_INVALID",
+ 0x00000013: "CKR_ATTRIBUTE_VALUE_INVALID",
+ 0x00000020: "CKR_DATA_INVALID",
+ 0x00000021: "CKR_DATA_LEN_RANGE",
+ 0x00000030: "CKR_DEVICE_ERROR",
+ 0x00000031: "CKR_DEVICE_MEMORY",
+ 0x00000032: "CKR_DEVICE_REMOVED",
+ 0x00000040: "CKR_ENCRYPTED_DATA_INVALID",
+ 0x00000041: "CKR_ENCRYPTED_DATA_LEN_RANGE",
+ 0x00000050: "CKR_FUNCTION_CANCELED",
+ 0x00000051: "CKR_FUNCTION_NOT_PARALLEL",
+ 0x00000054: "CKR_FUNCTION_NOT_SUPPORTED",
+ 0x00000060: "CKR_KEY_HANDLE_INVALID",
+ 0x00000062: "CKR_KEY_SIZE_RANGE",
+ 0x00000063: "CKR_KEY_TYPE_INCONSISTENT",
+ 0x00000064: "CKR_KEY_NOT_NEEDED",
+ 0x00000065: "CKR_KEY_CHANGED",
+ 0x00000066: "CKR_KEY_NEEDED",
+ 0x00000067: "CKR_KEY_INDIGESTIBLE",
+ 0x00000068: "CKR_KEY_FUNCTION_NOT_PERMITTED",
+ 0x00000069: "CKR_KEY_NOT_WRAPPABLE",
+ 0x0000006A: "CKR_KEY_UNEXTRACTABLE",
+ 0x00000070: "CKR_MECHANISM_INVALID",
+ 0x00000071: "CKR_MECHANISM_PARAM_INVALID",
+ 0x00000082: "CKR_OBJECT_HANDLE_INVALID",
+ 0x00000090: "CKR_OPERATION_ACTIVE",
+ 0x00000091: "CKR_OPERATION_NOT_INITIALIZED",
+ 0x000000A0: "CKR_PIN_INCORRECT",
+ 0x000000A1: "CKR_PIN_INVALID",
+ 0x000000A2: "CKR_PIN_LEN_RANGE",
+ 0x000000A3: "CKR_PIN_EXPIRED",
+ 0x000000A4: "CKR_PIN_LOCKED",
+ 0x000000B0: "CKR_SESSION_CLOSED",
+ 0x000000B1: "CKR_SESSION_COUNT",
+ 0x000000B3: "CKR_SESSION_HANDLE_INVALID",
+ 0x000000B4: "CKR_SESSION_PARALLEL_NOT_SUPPORTED",
+ 0x000000B5: "CKR_SESSION_READ_ONLY",
+ 0x000000B6: "CKR_SESSION_EXISTS",
+ 0x000000B7: "CKR_SESSION_READ_ONLY_EXISTS",
+ 0x000000B8: "CKR_SESSION_READ_WRITE_SO_EXISTS",
+ 0x000000C0: "CKR_SIGNATURE_INVALID",
+ 0x000000C1: "CKR_SIGNATURE_LEN_RANGE",
+ 0x000000D0: "CKR_TEMPLATE_INCOMPLETE",
+ 0x000000D1: "CKR_TEMPLATE_INCONSISTENT",
+ 0x000000E0: "CKR_TOKEN_NOT_PRESENT",
+ 0x000000E1: "CKR_TOKEN_NOT_RECOGNIZED",
+ 0x000000E2: "CKR_TOKEN_WRITE_PROTECTED",
+ 0x000000F0: "CKR_UNWRAPPING_KEY_HANDLE_INVALID",
+ 0x000000F1: "CKR_UNWRAPPING_KEY_SIZE_RANGE",
+ 0x000000F2: "CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT",
+ 0x00000100: "CKR_USER_ALREADY_LOGGED_IN",
+ 0x00000101: "CKR_USER_NOT_LOGGED_IN",
+ 0x00000102: "CKR_USER_PIN_NOT_INITIALIZED",
+ 0x00000103: "CKR_USER_TYPE_INVALID",
+ 0x00000104: "CKR_USER_ANOTHER_ALREADY_LOGGED_IN",
+ 0x00000105: "CKR_USER_TOO_MANY_TYPES",
+ 0x00000110: "CKR_WRAPPED_KEY_INVALID",
+ 0x00000112: "CKR_WRAPPED_KEY_LEN_RANGE",
+ 0x00000113: "CKR_WRAPPING_KEY_HANDLE_INVALID",
+ 0x00000114: "CKR_WRAPPING_KEY_SIZE_RANGE",
+ 0x00000115: "CKR_WRAPPING_KEY_TYPE_INCONSISTENT",
+ 0x00000120: "CKR_RANDOM_SEED_NOT_SUPPORTED",
+ 0x00000121: "CKR_RANDOM_NO_RNG",
+ 0x00000130: "CKR_DOMAIN_PARAMS_INVALID",
+ 0x00000150: "CKR_BUFFER_TOO_SMALL",
+ 0x00000160: "CKR_SAVED_STATE_INVALID",
+ 0x00000170: "CKR_INFORMATION_SENSITIVE",
+ 0x00000180: "CKR_STATE_UNSAVEABLE",
+ 0x00000190: "CKR_CRYPTOKI_NOT_INITIALIZED",
+ 0x00000191: "CKR_CRYPTOKI_ALREADY_INITIALIZED",
+ 0x000001A0: "CKR_MUTEX_BAD",
+ 0x000001A1: "CKR_MUTEX_NOT_LOCKED",
+ 0x000001B0: "CKR_NEW_PIN_MODE",
+ 0x000001B1: "CKR_NEXT_OTP",
+ 0x00000200: "CKR_FUNCTION_REJECTED",
+ 0x80000000: "CKR_VENDOR_DEFINED",
+}
diff --git a/vendor/github.com/miekg/pkcs11/go.mod b/vendor/github.com/miekg/pkcs11/go.mod
new file mode 100644
index 000000000..704296fc9
--- /dev/null
+++ b/vendor/github.com/miekg/pkcs11/go.mod
@@ -0,0 +1,3 @@
+module github.com/miekg/pkcs11
+
+go 1.12
diff --git a/vendor/github.com/miekg/pkcs11/hsm.db b/vendor/github.com/miekg/pkcs11/hsm.db
new file mode 100644
index 000000000..eb3f10dad
--- /dev/null
+++ b/vendor/github.com/miekg/pkcs11/hsm.db
Binary files differ
diff --git a/vendor/github.com/miekg/pkcs11/params.go b/vendor/github.com/miekg/pkcs11/params.go
new file mode 100644
index 000000000..6d9ce96ae
--- /dev/null
+++ b/vendor/github.com/miekg/pkcs11/params.go
@@ -0,0 +1,190 @@
+// Copyright 2013 Miek Gieben. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package pkcs11
+
+/*
+#include <stdlib.h>
+#include <string.h>
+#include "pkcs11go.h"
+
+static inline void putOAEPParams(CK_RSA_PKCS_OAEP_PARAMS_PTR params, CK_VOID_PTR pSourceData, CK_ULONG ulSourceDataLen)
+{
+ params->pSourceData = pSourceData;
+ params->ulSourceDataLen = ulSourceDataLen;
+}
+
+static inline void putECDH1SharedParams(CK_ECDH1_DERIVE_PARAMS_PTR params, CK_VOID_PTR pSharedData, CK_ULONG ulSharedDataLen)
+{
+ params->pSharedData = pSharedData;
+ params->ulSharedDataLen = ulSharedDataLen;
+}
+
+static inline void putECDH1PublicParams(CK_ECDH1_DERIVE_PARAMS_PTR params, CK_VOID_PTR pPublicData, CK_ULONG ulPublicDataLen)
+{
+ params->pPublicData = pPublicData;
+ params->ulPublicDataLen = ulPublicDataLen;
+}
+*/
+import "C"
+import "unsafe"
+
+// GCMParams represents the parameters for the AES-GCM mechanism.
+type GCMParams struct {
+ arena
+ params *C.CK_GCM_PARAMS
+ iv []byte
+ aad []byte
+ tagSize int
+}
+
+// NewGCMParams returns a pointer to AES-GCM parameters that can be used with the CKM_AES_GCM mechanism.
+// The Free() method must be called after the operation is complete.
+//
+// Note that some HSMs, like CloudHSM, will ignore the IV you pass in and write their
+// own. As a result, to support all libraries, memory is not freed
+// automatically, so that after the EncryptInit/Encrypt operation the HSM's IV
+// can be read back out. It is up to the caller to ensure that Free() is called
+// on the GCMParams object at an appropriate time, which is after
+//
+// Encrypt/Decrypt. As an example:
+//
+// gcmParams := pkcs11.NewGCMParams(make([]byte, 12), nil, 128)
+// p.ctx.EncryptInit(session, []*pkcs11.Mechanism{pkcs11.NewMechanism(pkcs11.CKM_AES_GCM, gcmParams)},
+// aesObjHandle)
+// ct, _ := p.ctx.Encrypt(session, pt)
+// iv := gcmParams.IV()
+// gcmParams.Free()
+//
+func NewGCMParams(iv, aad []byte, tagSize int) *GCMParams {
+ return &GCMParams{
+ iv: iv,
+ aad: aad,
+ tagSize: tagSize,
+ }
+}
+
+func cGCMParams(p *GCMParams) []byte {
+ params := C.CK_GCM_PARAMS{
+ ulTagBits: C.CK_ULONG(p.tagSize),
+ }
+ var arena arena
+ if len(p.iv) > 0 {
+ iv, ivLen := arena.Allocate(p.iv)
+ params.pIv = C.CK_BYTE_PTR(iv)
+ params.ulIvLen = ivLen
+ params.ulIvBits = ivLen * 8
+ }
+ if len(p.aad) > 0 {
+ aad, aadLen := arena.Allocate(p.aad)
+ params.pAAD = C.CK_BYTE_PTR(aad)
+ params.ulAADLen = aadLen
+ }
+ p.Free()
+ p.arena = arena
+ p.params = &params
+ return C.GoBytes(unsafe.Pointer(&params), C.int(unsafe.Sizeof(params)))
+}
+
+// IV returns a copy of the actual IV used for the operation.
+//
+// Some HSMs may ignore the user-specified IV and write their own at the end of
+// the encryption operation; this method allows you to retrieve it.
+func (p *GCMParams) IV() []byte {
+ if p == nil || p.params == nil {
+ return nil
+ }
+ newIv := C.GoBytes(unsafe.Pointer(p.params.pIv), C.int(p.params.ulIvLen))
+ iv := make([]byte, len(newIv))
+ copy(iv, newIv)
+ return iv
+}
+
+// Free deallocates the memory reserved for the HSM to write back the actual IV.
+//
+// This must be called after the entire operation is complete, i.e. after
+// Encrypt or EncryptFinal. It is safe to call Free multiple times.
+func (p *GCMParams) Free() {
+ if p == nil || p.arena == nil {
+ return
+ }
+ p.arena.Free()
+ p.params = nil
+ p.arena = nil
+}
+
+// NewPSSParams creates a CK_RSA_PKCS_PSS_PARAMS structure and returns it as a byte array for use with the CKM_RSA_PKCS_PSS mechanism.
+func NewPSSParams(hashAlg, mgf, saltLength uint) []byte {
+ p := C.CK_RSA_PKCS_PSS_PARAMS{
+ hashAlg: C.CK_MECHANISM_TYPE(hashAlg),
+ mgf: C.CK_RSA_PKCS_MGF_TYPE(mgf),
+ sLen: C.CK_ULONG(saltLength),
+ }
+ return C.GoBytes(unsafe.Pointer(&p), C.int(unsafe.Sizeof(p)))
+}
+
+// OAEPParams can be passed to NewMechanism to implement CKM_RSA_PKCS_OAEP.
+type OAEPParams struct {
+ HashAlg uint
+ MGF uint
+ SourceType uint
+ SourceData []byte
+}
+
+// NewOAEPParams creates a CK_RSA_PKCS_OAEP_PARAMS structure suitable for use with the CKM_RSA_PKCS_OAEP mechanism.
+func NewOAEPParams(hashAlg, mgf, sourceType uint, sourceData []byte) *OAEPParams {
+ return &OAEPParams{
+ HashAlg: hashAlg,
+ MGF: mgf,
+ SourceType: sourceType,
+ SourceData: sourceData,
+ }
+}
+
+func cOAEPParams(p *OAEPParams, arena arena) ([]byte, arena) {
+ params := C.CK_RSA_PKCS_OAEP_PARAMS{
+ hashAlg: C.CK_MECHANISM_TYPE(p.HashAlg),
+ mgf: C.CK_RSA_PKCS_MGF_TYPE(p.MGF),
+ source: C.CK_RSA_PKCS_OAEP_SOURCE_TYPE(p.SourceType),
+ }
+ if len(p.SourceData) != 0 {
+ buf, len := arena.Allocate(p.SourceData)
+ // field is unaligned on windows so this has to call into C
+ C.putOAEPParams(&params, buf, len)
+ }
+ return C.GoBytes(unsafe.Pointer(&params), C.int(unsafe.Sizeof(params))), arena
+}
+
+// ECDH1DeriveParams can be passed to NewMechanism to implement CK_ECDH1_DERIVE_PARAMS.
+type ECDH1DeriveParams struct {
+ KDF uint
+ SharedData []byte
+ PublicKeyData []byte
+}
+
+// NewECDH1DeriveParams creates a CK_ECDH1_DERIVE_PARAMS structure suitable for use with the CKM_ECDH1_DERIVE mechanism.
+func NewECDH1DeriveParams(kdf uint, sharedData []byte, publicKeyData []byte) *ECDH1DeriveParams {
+ return &ECDH1DeriveParams{
+ KDF: kdf,
+ SharedData: sharedData,
+ PublicKeyData: publicKeyData,
+ }
+}
+
+func cECDH1DeriveParams(p *ECDH1DeriveParams, arena arena) ([]byte, arena) {
+ params := C.CK_ECDH1_DERIVE_PARAMS{
+ kdf: C.CK_EC_KDF_TYPE(p.KDF),
+ }
+
+ // SharedData MUST be null if key derivation function (KDF) is CKD_NULL
+ if len(p.SharedData) != 0 {
+ sharedData, sharedDataLen := arena.Allocate(p.SharedData)
+ C.putECDH1SharedParams(&params, sharedData, sharedDataLen)
+ }
+
+ publicKeyData, publicKeyDataLen := arena.Allocate(p.PublicKeyData)
+ C.putECDH1PublicParams(&params, publicKeyData, publicKeyDataLen)
+
+ return C.GoBytes(unsafe.Pointer(&params), C.int(unsafe.Sizeof(params))), arena
+}
diff --git a/vendor/github.com/miekg/pkcs11/pkcs11.go b/vendor/github.com/miekg/pkcs11/pkcs11.go
new file mode 100644
index 000000000..e21d23b73
--- /dev/null
+++ b/vendor/github.com/miekg/pkcs11/pkcs11.go
@@ -0,0 +1,1606 @@
+// Copyright 2013 Miek Gieben. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package pkcs11 is a wrapper around the PKCS#11 cryptographic library.
+package pkcs11
+
+// It is *assumed*, that:
+//
+// * Go's uint size == PKCS11's CK_ULONG size
+// * CK_ULONG never overflows an Go int
+
+/*
+#cgo windows CFLAGS: -DPACKED_STRUCTURES
+#cgo linux LDFLAGS: -ldl
+#cgo darwin LDFLAGS: -ldl
+#cgo openbsd LDFLAGS: -ldl
+#cgo freebsd LDFLAGS: -ldl
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+
+#include "pkcs11go.h"
+
+#ifdef _WIN32
+#include <windows.h>
+
+struct ctx {
+ HMODULE handle;
+ CK_FUNCTION_LIST_PTR sym;
+};
+
+// New initializes a ctx and fills the symbol table.
+struct ctx *New(const char *module)
+{
+ CK_C_GetFunctionList list;
+ struct ctx *c = calloc(1, sizeof(struct ctx));
+ c->handle = LoadLibrary(module);
+ if (c->handle == NULL) {
+ free(c);
+ return NULL;
+ }
+ list = (CK_C_GetFunctionList) GetProcAddress(c->handle, "C_GetFunctionList");
+ if (list == NULL) {
+ free(c);
+ return NULL;
+ }
+ list(&c->sym);
+ return c;
+}
+
+// Destroy cleans up a ctx.
+void Destroy(struct ctx *c)
+{
+ if (!c) {
+ return;
+ }
+ free(c);
+}
+#else
+#include <dlfcn.h>
+
+struct ctx {
+ void *handle;
+ CK_FUNCTION_LIST_PTR sym;
+};
+
+// New initializes a ctx and fills the symbol table.
+struct ctx *New(const char *module)
+{
+ CK_C_GetFunctionList list;
+ struct ctx *c = calloc(1, sizeof(struct ctx));
+ c->handle = dlopen(module, RTLD_LAZY);
+ if (c->handle == NULL) {
+ free(c);
+ return NULL;
+ }
+ list = (CK_C_GetFunctionList) dlsym(c->handle, "C_GetFunctionList");
+ if (list == NULL) {
+ free(c);
+ return NULL;
+ }
+ list(&c->sym);
+ return c;
+}
+
+// Destroy cleans up a ctx.
+void Destroy(struct ctx *c)
+{
+ if (!c) {
+ return;
+ }
+ if (c->handle == NULL) {
+ return;
+ }
+ if (dlclose(c->handle) < 0) {
+ return;
+ }
+ free(c);
+}
+#endif
+
+CK_RV Initialize(struct ctx * c)
+{
+ CK_C_INITIALIZE_ARGS args;
+ memset(&args, 0, sizeof(args));
+ args.flags = CKF_OS_LOCKING_OK;
+ return c->sym->C_Initialize(&args);
+}
+
+CK_RV Finalize(struct ctx * c)
+{
+ return c->sym->C_Finalize(NULL);
+}
+
+CK_RV GetInfo(struct ctx * c, ckInfoPtr info)
+{
+ CK_INFO p;
+ CK_RV e = c->sym->C_GetInfo(&p);
+ if (e != CKR_OK) {
+ return e;
+ }
+ info->cryptokiVersion = p.cryptokiVersion;
+ memcpy(info->manufacturerID, p.manufacturerID, sizeof(p.manufacturerID));
+ info->flags = p.flags;
+ memcpy(info->libraryDescription, p.libraryDescription, sizeof(p.libraryDescription));
+ info->libraryVersion = p.libraryVersion;
+ return e;
+}
+
+CK_RV GetSlotList(struct ctx * c, CK_BBOOL tokenPresent,
+ CK_ULONG_PTR * slotList, CK_ULONG_PTR ulCount)
+{
+ CK_RV e = c->sym->C_GetSlotList(tokenPresent, NULL, ulCount);
+ if (e != CKR_OK) {
+ return e;
+ }
+ *slotList = calloc(*ulCount, sizeof(CK_SLOT_ID));
+ e = c->sym->C_GetSlotList(tokenPresent, *slotList, ulCount);
+ return e;
+}
+
+CK_RV GetSlotInfo(struct ctx * c, CK_ULONG slotID, CK_SLOT_INFO_PTR info)
+{
+ CK_RV e = c->sym->C_GetSlotInfo((CK_SLOT_ID) slotID, info);
+ return e;
+}
+
+CK_RV GetTokenInfo(struct ctx * c, CK_ULONG slotID, CK_TOKEN_INFO_PTR info)
+{
+ CK_RV e = c->sym->C_GetTokenInfo((CK_SLOT_ID) slotID, info);
+ return e;
+}
+
+CK_RV GetMechanismList(struct ctx * c, CK_ULONG slotID,
+ CK_ULONG_PTR * mech, CK_ULONG_PTR mechlen)
+{
+ CK_RV e =
+ c->sym->C_GetMechanismList((CK_SLOT_ID) slotID, NULL, mechlen);
+ // Gemaltos PKCS11 implementation returns CKR_BUFFER_TOO_SMALL on a NULL ptr instad of CKR_OK as the spec states.
+ if (e != CKR_OK && e != CKR_BUFFER_TOO_SMALL) {
+ return e;
+ }
+ *mech = calloc(*mechlen, sizeof(CK_MECHANISM_TYPE));
+ e = c->sym->C_GetMechanismList((CK_SLOT_ID) slotID,
+ (CK_MECHANISM_TYPE_PTR) * mech, mechlen);
+ return e;
+}
+
+CK_RV GetMechanismInfo(struct ctx * c, CK_ULONG slotID, CK_MECHANISM_TYPE mech,
+ CK_MECHANISM_INFO_PTR info)
+{
+ CK_RV e = c->sym->C_GetMechanismInfo((CK_SLOT_ID) slotID, mech, info);
+ return e;
+}
+
+CK_RV InitToken(struct ctx * c, CK_ULONG slotID, char *pin, CK_ULONG pinlen,
+ char *label)
+{
+ CK_RV e =
+ c->sym->C_InitToken((CK_SLOT_ID) slotID, (CK_UTF8CHAR_PTR) pin,
+ pinlen, (CK_UTF8CHAR_PTR) label);
+ return e;
+}
+
+CK_RV InitPIN(struct ctx * c, CK_SESSION_HANDLE sh, char *pin, CK_ULONG pinlen)
+{
+ CK_RV e = c->sym->C_InitPIN(sh, (CK_UTF8CHAR_PTR) pin, pinlen);
+ return e;
+}
+
+CK_RV SetPIN(struct ctx * c, CK_SESSION_HANDLE sh, char *oldpin,
+ CK_ULONG oldpinlen, char *newpin, CK_ULONG newpinlen)
+{
+ CK_RV e = c->sym->C_SetPIN(sh, (CK_UTF8CHAR_PTR) oldpin, oldpinlen,
+ (CK_UTF8CHAR_PTR) newpin, newpinlen);
+ return e;
+}
+
+CK_RV OpenSession(struct ctx * c, CK_ULONG slotID, CK_ULONG flags,
+ CK_SESSION_HANDLE_PTR session)
+{
+ CK_RV e =
+ c->sym->C_OpenSession((CK_SLOT_ID) slotID, (CK_FLAGS) flags, NULL,
+ NULL, session);
+ return e;
+}
+
+CK_RV CloseSession(struct ctx * c, CK_SESSION_HANDLE session)
+{
+ CK_RV e = c->sym->C_CloseSession(session);
+ return e;
+}
+
+CK_RV CloseAllSessions(struct ctx * c, CK_ULONG slotID)
+{
+ CK_RV e = c->sym->C_CloseAllSessions(slotID);
+ return e;
+}
+
+CK_RV GetSessionInfo(struct ctx * c, CK_SESSION_HANDLE session,
+ CK_SESSION_INFO_PTR info)
+{
+ CK_RV e = c->sym->C_GetSessionInfo(session, info);
+ return e;
+}
+
+CK_RV GetOperationState(struct ctx * c, CK_SESSION_HANDLE session,
+ CK_BYTE_PTR * state, CK_ULONG_PTR statelen)
+{
+ CK_RV rv = c->sym->C_GetOperationState(session, NULL, statelen);
+ if (rv != CKR_OK) {
+ return rv;
+ }
+ *state = calloc(*statelen, sizeof(CK_BYTE));
+ if (*state == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+ rv = c->sym->C_GetOperationState(session, *state, statelen);
+ return rv;
+}
+
+CK_RV SetOperationState(struct ctx * c, CK_SESSION_HANDLE session,
+ CK_BYTE_PTR state, CK_ULONG statelen,
+ CK_OBJECT_HANDLE encryptkey, CK_OBJECT_HANDLE authkey)
+{
+ return c->sym->C_SetOperationState(session, state, statelen, encryptkey,
+ authkey);
+}
+
+CK_RV Login(struct ctx *c, CK_SESSION_HANDLE session, CK_USER_TYPE userType,
+ char *pin, CK_ULONG pinLen)
+{
+ if (pinLen == 0) {
+ pin = NULL;
+ }
+ CK_RV e =
+ c->sym->C_Login(session, userType, (CK_UTF8CHAR_PTR) pin, pinLen);
+ return e;
+}
+
+CK_RV Logout(struct ctx * c, CK_SESSION_HANDLE session)
+{
+ CK_RV e = c->sym->C_Logout(session);
+ return e;
+}
+
+CK_RV CreateObject(struct ctx * c, CK_SESSION_HANDLE session,
+ CK_ATTRIBUTE_PTR temp, CK_ULONG tempCount,
+ CK_OBJECT_HANDLE_PTR obj)
+{
+ return c->sym->C_CreateObject(session, temp, tempCount, obj);
+}
+
+CK_RV CopyObject(struct ctx * c, CK_SESSION_HANDLE session, CK_OBJECT_HANDLE o,
+ CK_ATTRIBUTE_PTR temp, CK_ULONG tempCount,
+ CK_OBJECT_HANDLE_PTR obj)
+{
+ return c->sym->C_CopyObject(session, o, temp, tempCount, obj);
+}
+
+CK_RV DestroyObject(struct ctx * c, CK_SESSION_HANDLE session,
+ CK_OBJECT_HANDLE object)
+{
+ CK_RV e = c->sym->C_DestroyObject(session, object);
+ return e;
+}
+
+CK_RV GetObjectSize(struct ctx * c, CK_SESSION_HANDLE session,
+ CK_OBJECT_HANDLE object, CK_ULONG_PTR size)
+{
+ CK_RV e = c->sym->C_GetObjectSize(session, object, size);
+ return e;
+}
+
+CK_RV GetAttributeValue(struct ctx * c, CK_SESSION_HANDLE session,
+ CK_OBJECT_HANDLE object, CK_ATTRIBUTE_PTR temp,
+ CK_ULONG templen)
+{
+ // Call for the first time, check the returned ulValue in the attributes, then
+ // allocate enough space and try again.
+ CK_RV e = c->sym->C_GetAttributeValue(session, object, temp, templen);
+ if (e != CKR_OK) {
+ return e;
+ }
+ CK_ULONG i;
+ for (i = 0; i < templen; i++) {
+ if ((CK_LONG) temp[i].ulValueLen == -1) {
+ // either access denied or no such object
+ continue;
+ }
+ temp[i].pValue = calloc(temp[i].ulValueLen, sizeof(CK_BYTE));
+ }
+ return c->sym->C_GetAttributeValue(session, object, temp, templen);
+}
+
+CK_RV SetAttributeValue(struct ctx * c, CK_SESSION_HANDLE session,
+ CK_OBJECT_HANDLE object, CK_ATTRIBUTE_PTR temp,
+ CK_ULONG templen)
+{
+ return c->sym->C_SetAttributeValue(session, object, temp, templen);
+}
+
+CK_RV FindObjectsInit(struct ctx * c, CK_SESSION_HANDLE session,
+ CK_ATTRIBUTE_PTR temp, CK_ULONG tempCount)
+{
+ return c->sym->C_FindObjectsInit(session, temp, tempCount);
+}
+
+CK_RV FindObjects(struct ctx * c, CK_SESSION_HANDLE session,
+ CK_OBJECT_HANDLE_PTR * obj, CK_ULONG max,
+ CK_ULONG_PTR objCount)
+{
+ *obj = calloc(max, sizeof(CK_OBJECT_HANDLE));
+ CK_RV e = c->sym->C_FindObjects(session, *obj, max, objCount);
+ return e;
+}
+
+CK_RV FindObjectsFinal(struct ctx * c, CK_SESSION_HANDLE session)
+{
+ CK_RV e = c->sym->C_FindObjectsFinal(session);
+ return e;
+}
+
+CK_RV EncryptInit(struct ctx * c, CK_SESSION_HANDLE session,
+ CK_MECHANISM_PTR mechanism, CK_OBJECT_HANDLE key)
+{
+ return c->sym->C_EncryptInit(session, mechanism, key);
+}
+
+CK_RV Encrypt(struct ctx * c, CK_SESSION_HANDLE session, CK_BYTE_PTR message,
+ CK_ULONG mlen, CK_BYTE_PTR * enc, CK_ULONG_PTR enclen)
+{
+ CK_RV rv = c->sym->C_Encrypt(session, message, mlen, NULL, enclen);
+ if (rv != CKR_OK) {
+ return rv;
+ }
+ *enc = calloc(*enclen, sizeof(CK_BYTE));
+ if (*enc == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+ rv = c->sym->C_Encrypt(session, message, mlen, *enc, enclen);
+ return rv;
+}
+
+CK_RV EncryptUpdate(struct ctx * c, CK_SESSION_HANDLE session,
+ CK_BYTE_PTR plain, CK_ULONG plainlen, CK_BYTE_PTR * cipher,
+ CK_ULONG_PTR cipherlen)
+{
+ CK_RV rv =
+ c->sym->C_EncryptUpdate(session, plain, plainlen, NULL, cipherlen);
+ if (rv != CKR_OK) {
+ return rv;
+ }
+ *cipher = calloc(*cipherlen, sizeof(CK_BYTE));
+ if (*cipher == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+ rv = c->sym->C_EncryptUpdate(session, plain, plainlen, *cipher,
+ cipherlen);
+ return rv;
+}
+
+CK_RV EncryptFinal(struct ctx * c, CK_SESSION_HANDLE session,
+ CK_BYTE_PTR * cipher, CK_ULONG_PTR cipherlen)
+{
+ CK_RV rv = c->sym->C_EncryptFinal(session, NULL, cipherlen);
+ if (rv != CKR_OK) {
+ return rv;
+ }
+ *cipher = calloc(*cipherlen, sizeof(CK_BYTE));
+ if (*cipher == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+ rv = c->sym->C_EncryptFinal(session, *cipher, cipherlen);
+ return rv;
+}
+
+CK_RV DecryptInit(struct ctx * c, CK_SESSION_HANDLE session,
+ CK_MECHANISM_PTR mechanism, CK_OBJECT_HANDLE key)
+{
+ return c->sym->C_DecryptInit(session, mechanism, key);
+}
+
+CK_RV Decrypt(struct ctx * c, CK_SESSION_HANDLE session, CK_BYTE_PTR cipher,
+ CK_ULONG clen, CK_BYTE_PTR * plain, CK_ULONG_PTR plainlen)
+{
+ CK_RV e = c->sym->C_Decrypt(session, cipher, clen, NULL, plainlen);
+ if (e != CKR_OK) {
+ return e;
+ }
+ *plain = calloc(*plainlen, sizeof(CK_BYTE));
+ if (*plain == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+ e = c->sym->C_Decrypt(session, cipher, clen, *plain, plainlen);
+ return e;
+}
+
+CK_RV DecryptUpdate(struct ctx * c, CK_SESSION_HANDLE session,
+ CK_BYTE_PTR cipher, CK_ULONG cipherlen, CK_BYTE_PTR * part,
+ CK_ULONG_PTR partlen)
+{
+ CK_RV rv =
+ c->sym->C_DecryptUpdate(session, cipher, cipherlen, NULL, partlen);
+ if (rv != CKR_OK) {
+ return rv;
+ }
+ *part = calloc(*partlen, sizeof(CK_BYTE));
+ if (*part == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+ rv = c->sym->C_DecryptUpdate(session, cipher, cipherlen, *part,
+ partlen);
+ return rv;
+}
+
+CK_RV DecryptFinal(struct ctx * c, CK_SESSION_HANDLE session,
+ CK_BYTE_PTR * plain, CK_ULONG_PTR plainlen)
+{
+ CK_RV rv = c->sym->C_DecryptFinal(session, NULL, plainlen);
+ if (rv != CKR_OK) {
+ return rv;
+ }
+ *plain = calloc(*plainlen, sizeof(CK_BYTE));
+ if (*plain == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+ rv = c->sym->C_DecryptFinal(session, *plain, plainlen);
+ return rv;
+}
+
+CK_RV DigestInit(struct ctx * c, CK_SESSION_HANDLE session,
+ CK_MECHANISM_PTR mechanism)
+{
+ return c->sym->C_DigestInit(session, mechanism);
+}
+
+CK_RV Digest(struct ctx * c, CK_SESSION_HANDLE session, CK_BYTE_PTR message,
+ CK_ULONG mlen, CK_BYTE_PTR * hash, CK_ULONG_PTR hashlen)
+{
+ CK_RV rv = c->sym->C_Digest(session, message, mlen, NULL, hashlen);
+ if (rv != CKR_OK) {
+ return rv;
+ }
+ *hash = calloc(*hashlen, sizeof(CK_BYTE));
+ if (*hash == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+ rv = c->sym->C_Digest(session, message, mlen, *hash, hashlen);
+ return rv;
+}
+
+CK_RV DigestUpdate(struct ctx * c, CK_SESSION_HANDLE session,
+ CK_BYTE_PTR message, CK_ULONG mlen)
+{
+ CK_RV rv = c->sym->C_DigestUpdate(session, message, mlen);
+ return rv;
+}
+
+CK_RV DigestKey(struct ctx * c, CK_SESSION_HANDLE session, CK_OBJECT_HANDLE key)
+{
+ CK_RV rv = c->sym->C_DigestKey(session, key);
+ return rv;
+}
+
+CK_RV DigestFinal(struct ctx * c, CK_SESSION_HANDLE session, CK_BYTE_PTR * hash,
+ CK_ULONG_PTR hashlen)
+{
+ CK_RV rv = c->sym->C_DigestFinal(session, NULL, hashlen);
+ if (rv != CKR_OK) {
+ return rv;
+ }
+ *hash = calloc(*hashlen, sizeof(CK_BYTE));
+ if (*hash == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+ rv = c->sym->C_DigestFinal(session, *hash, hashlen);
+ return rv;
+}
+
+CK_RV SignInit(struct ctx * c, CK_SESSION_HANDLE session,
+ CK_MECHANISM_PTR mechanism, CK_OBJECT_HANDLE key)
+{
+ return c->sym->C_SignInit(session, mechanism, key);
+}
+
+CK_RV Sign(struct ctx * c, CK_SESSION_HANDLE session, CK_BYTE_PTR message,
+ CK_ULONG mlen, CK_BYTE_PTR * sig, CK_ULONG_PTR siglen)
+{
+ CK_RV rv = c->sym->C_Sign(session, message, mlen, NULL, siglen);
+ if (rv != CKR_OK) {
+ return rv;
+ }
+ *sig = calloc(*siglen, sizeof(CK_BYTE));
+ if (*sig == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+ rv = c->sym->C_Sign(session, message, mlen, *sig, siglen);
+ return rv;
+}
+
+CK_RV SignUpdate(struct ctx * c, CK_SESSION_HANDLE session,
+ CK_BYTE_PTR message, CK_ULONG mlen)
+{
+ CK_RV rv = c->sym->C_SignUpdate(session, message, mlen);
+ return rv;
+}
+
+CK_RV SignFinal(struct ctx * c, CK_SESSION_HANDLE session, CK_BYTE_PTR * sig,
+ CK_ULONG_PTR siglen)
+{
+ CK_RV rv = c->sym->C_SignFinal(session, NULL, siglen);
+ if (rv != CKR_OK) {
+ return rv;
+ }
+ *sig = calloc(*siglen, sizeof(CK_BYTE));
+ if (*sig == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+ rv = c->sym->C_SignFinal(session, *sig, siglen);
+ return rv;
+}
+
+CK_RV SignRecoverInit(struct ctx * c, CK_SESSION_HANDLE session,
+ CK_MECHANISM_PTR mechanism, CK_OBJECT_HANDLE key)
+{
+ return c->sym->C_SignRecoverInit(session, mechanism, key);
+}
+
+CK_RV SignRecover(struct ctx * c, CK_SESSION_HANDLE session, CK_BYTE_PTR data,
+ CK_ULONG datalen, CK_BYTE_PTR * sig, CK_ULONG_PTR siglen)
+{
+ CK_RV rv = c->sym->C_SignRecover(session, data, datalen, NULL, siglen);
+ if (rv != CKR_OK) {
+ return rv;
+ }
+ *sig = calloc(*siglen, sizeof(CK_BYTE));
+ if (*sig == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+ rv = c->sym->C_SignRecover(session, data, datalen, *sig, siglen);
+ return rv;
+}
+
+CK_RV VerifyInit(struct ctx * c, CK_SESSION_HANDLE session,
+ CK_MECHANISM_PTR mechanism, CK_OBJECT_HANDLE key)
+{
+ return c->sym->C_VerifyInit(session, mechanism, key);
+}
+
+CK_RV Verify(struct ctx * c, CK_SESSION_HANDLE session, CK_BYTE_PTR message,
+ CK_ULONG mesglen, CK_BYTE_PTR sig, CK_ULONG siglen)
+{
+ CK_RV rv = c->sym->C_Verify(session, message, mesglen, sig, siglen);
+ return rv;
+}
+
+CK_RV VerifyUpdate(struct ctx * c, CK_SESSION_HANDLE session,
+ CK_BYTE_PTR part, CK_ULONG partlen)
+{
+ CK_RV rv = c->sym->C_VerifyUpdate(session, part, partlen);
+ return rv;
+}
+
+CK_RV VerifyFinal(struct ctx * c, CK_SESSION_HANDLE session, CK_BYTE_PTR sig,
+ CK_ULONG siglen)
+{
+ CK_RV rv = c->sym->C_VerifyFinal(session, sig, siglen);
+ return rv;
+}
+
+CK_RV VerifyRecoverInit(struct ctx * c, CK_SESSION_HANDLE session,
+ CK_MECHANISM_PTR mechanism, CK_OBJECT_HANDLE key)
+{
+ return c->sym->C_VerifyRecoverInit(session, mechanism, key);
+}
+
+CK_RV VerifyRecover(struct ctx * c, CK_SESSION_HANDLE session, CK_BYTE_PTR sig,
+ CK_ULONG siglen, CK_BYTE_PTR * data, CK_ULONG_PTR datalen)
+{
+ CK_RV rv = c->sym->C_VerifyRecover(session, sig, siglen, NULL, datalen);
+ if (rv != CKR_OK) {
+ return rv;
+ }
+ *data = calloc(*datalen, sizeof(CK_BYTE));
+ if (*data == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+ rv = c->sym->C_VerifyRecover(session, sig, siglen, *data, datalen);
+ return rv;
+}
+
+CK_RV DigestEncryptUpdate(struct ctx * c, CK_SESSION_HANDLE session,
+ CK_BYTE_PTR part, CK_ULONG partlen, CK_BYTE_PTR * enc,
+ CK_ULONG_PTR enclen)
+{
+ CK_RV rv =
+ c->sym->C_DigestEncryptUpdate(session, part, partlen, NULL, enclen);
+ if (rv != CKR_OK) {
+ return rv;
+ }
+ *enc = calloc(*enclen, sizeof(CK_BYTE));
+ if (*enc == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+ rv = c->sym->C_DigestEncryptUpdate(session, part, partlen, *enc,
+ enclen);
+ return rv;
+}
+
+CK_RV DecryptDigestUpdate(struct ctx * c, CK_SESSION_HANDLE session,
+ CK_BYTE_PTR cipher, CK_ULONG cipherlen,
+ CK_BYTE_PTR * part, CK_ULONG_PTR partlen)
+{
+ CK_RV rv =
+ c->sym->C_DecryptDigestUpdate(session, cipher, cipherlen, NULL,
+ partlen);
+ if (rv != CKR_OK) {
+ return rv;
+ }
+ *part = calloc(*partlen, sizeof(CK_BYTE));
+ if (*part == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+ rv = c->sym->C_DecryptDigestUpdate(session, cipher, cipherlen, *part,
+ partlen);
+ return rv;
+}
+
+CK_RV SignEncryptUpdate(struct ctx * c, CK_SESSION_HANDLE session,
+ CK_BYTE_PTR part, CK_ULONG partlen, CK_BYTE_PTR * enc,
+ CK_ULONG_PTR enclen)
+{
+ CK_RV rv =
+ c->sym->C_SignEncryptUpdate(session, part, partlen, NULL, enclen);
+ if (rv != CKR_OK) {
+ return rv;
+ }
+ *enc = calloc(*enclen, sizeof(CK_BYTE));
+ if (*enc == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+ rv = c->sym->C_SignEncryptUpdate(session, part, partlen, *enc, enclen);
+ return rv;
+}
+
+CK_RV DecryptVerifyUpdate(struct ctx * c, CK_SESSION_HANDLE session,
+ CK_BYTE_PTR cipher, CK_ULONG cipherlen,
+ CK_BYTE_PTR * part, CK_ULONG_PTR partlen)
+{
+ CK_RV rv =
+ c->sym->C_DecryptVerifyUpdate(session, cipher, cipherlen, NULL,
+ partlen);
+ if (rv != CKR_OK) {
+ return rv;
+ }
+ *part = calloc(*partlen, sizeof(CK_BYTE));
+ if (*part == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+ rv = c->sym->C_DecryptVerifyUpdate(session, cipher, cipherlen, *part,
+ partlen);
+ return rv;
+}
+
+CK_RV GenerateKey(struct ctx * c, CK_SESSION_HANDLE session,
+ CK_MECHANISM_PTR mechanism, CK_ATTRIBUTE_PTR temp,
+ CK_ULONG tempCount, CK_OBJECT_HANDLE_PTR key)
+{
+ return c->sym->C_GenerateKey(session, mechanism, temp, tempCount, key);
+}
+
+CK_RV GenerateKeyPair(struct ctx * c, CK_SESSION_HANDLE session,
+ CK_MECHANISM_PTR mechanism, CK_ATTRIBUTE_PTR pub,
+ CK_ULONG pubCount, CK_ATTRIBUTE_PTR priv,
+ CK_ULONG privCount, CK_OBJECT_HANDLE_PTR pubkey,
+ CK_OBJECT_HANDLE_PTR privkey)
+{
+ return c->sym->C_GenerateKeyPair(session, mechanism, pub, pubCount,
+ priv, privCount, pubkey, privkey);
+}
+
+CK_RV WrapKey(struct ctx * c, CK_SESSION_HANDLE session,
+ CK_MECHANISM_PTR mechanism, CK_OBJECT_HANDLE wrappingkey,
+ CK_OBJECT_HANDLE key, CK_BYTE_PTR * wrapped,
+ CK_ULONG_PTR wrappedlen)
+{
+ CK_RV rv = c->sym->C_WrapKey(session, mechanism, wrappingkey, key, NULL,
+ wrappedlen);
+ if (rv != CKR_OK) {
+ return rv;
+ }
+ *wrapped = calloc(*wrappedlen, sizeof(CK_BYTE));
+ if (*wrapped == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+ rv = c->sym->C_WrapKey(session, mechanism, wrappingkey, key, *wrapped,
+ wrappedlen);
+ return rv;
+}
+
+CK_RV DeriveKey(struct ctx * c, CK_SESSION_HANDLE session,
+ CK_MECHANISM_PTR mechanism, CK_OBJECT_HANDLE basekey,
+ CK_ATTRIBUTE_PTR a, CK_ULONG alen, CK_OBJECT_HANDLE_PTR key)
+{
+ return c->sym->C_DeriveKey(session, mechanism, basekey, a, alen, key);
+}
+
+CK_RV UnwrapKey(struct ctx * c, CK_SESSION_HANDLE session,
+ CK_MECHANISM_PTR mechanism, CK_OBJECT_HANDLE unwrappingkey,
+ CK_BYTE_PTR wrappedkey, CK_ULONG wrappedkeylen,
+ CK_ATTRIBUTE_PTR a, CK_ULONG alen, CK_OBJECT_HANDLE_PTR key)
+{
+ return c->sym->C_UnwrapKey(session, mechanism, unwrappingkey, wrappedkey,
+ wrappedkeylen, a, alen, key);
+}
+
+CK_RV SeedRandom(struct ctx * c, CK_SESSION_HANDLE session, CK_BYTE_PTR seed,
+ CK_ULONG seedlen)
+{
+ CK_RV e = c->sym->C_SeedRandom(session, seed, seedlen);
+ return e;
+}
+
+CK_RV GenerateRandom(struct ctx * c, CK_SESSION_HANDLE session,
+ CK_BYTE_PTR * rand, CK_ULONG length)
+{
+ *rand = calloc(length, sizeof(CK_BYTE));
+ if (*rand == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+ CK_RV e = c->sym->C_GenerateRandom(session, *rand, length);
+ return e;
+}
+
+CK_RV WaitForSlotEvent(struct ctx * c, CK_FLAGS flags, CK_ULONG_PTR slot)
+{
+ CK_RV e =
+ c->sym->C_WaitForSlotEvent(flags, (CK_SLOT_ID_PTR) slot, NULL);
+ return e;
+}
+
+static inline CK_VOID_PTR getAttributePval(CK_ATTRIBUTE_PTR a)
+{
+ return a->pValue;
+}
+
+*/
+import "C"
+import "strings"
+
+import "unsafe"
+
+// Ctx contains the current pkcs11 context.
+type Ctx struct {
+ ctx *C.struct_ctx
+}
+
+// New creates a new context and initializes the module/library for use.
+func New(module string) *Ctx {
+ c := new(Ctx)
+ mod := C.CString(module)
+ defer C.free(unsafe.Pointer(mod))
+ c.ctx = C.New(mod)
+ if c.ctx == nil {
+ return nil
+ }
+ return c
+}
+
+// Destroy unloads the module/library and frees any remaining memory.
+func (c *Ctx) Destroy() {
+ if c == nil || c.ctx == nil {
+ return
+ }
+ C.Destroy(c.ctx)
+ c.ctx = nil
+}
+
+// Initialize initializes the Cryptoki library.
+func (c *Ctx) Initialize() error {
+ e := C.Initialize(c.ctx)
+ return toError(e)
+}
+
+// Finalize indicates that an application is done with the Cryptoki library.
+func (c *Ctx) Finalize() error {
+ if c.ctx == nil {
+ return toError(CKR_CRYPTOKI_NOT_INITIALIZED)
+ }
+ e := C.Finalize(c.ctx)
+ return toError(e)
+}
+
+// GetInfo returns general information about Cryptoki.
+func (c *Ctx) GetInfo() (Info, error) {
+ var p C.ckInfo
+ e := C.GetInfo(c.ctx, &p)
+ i := Info{
+ CryptokiVersion: toVersion(p.cryptokiVersion),
+ ManufacturerID: strings.TrimRight(string(C.GoBytes(unsafe.Pointer(&p.manufacturerID[0]), 32)), " "),
+ Flags: uint(p.flags),
+ LibraryDescription: strings.TrimRight(string(C.GoBytes(unsafe.Pointer(&p.libraryDescription[0]), 32)), " "),
+ LibraryVersion: toVersion(p.libraryVersion),
+ }
+ return i, toError(e)
+}
+
+// GetSlotList obtains a list of slots in the system.
+func (c *Ctx) GetSlotList(tokenPresent bool) ([]uint, error) {
+ var (
+ slotList C.CK_ULONG_PTR
+ ulCount C.CK_ULONG
+ )
+ e := C.GetSlotList(c.ctx, cBBool(tokenPresent), &slotList, &ulCount)
+ if toError(e) != nil {
+ return nil, toError(e)
+ }
+ l := toList(slotList, ulCount)
+ return l, nil
+}
+
+// GetSlotInfo obtains information about a particular slot in the system.
+func (c *Ctx) GetSlotInfo(slotID uint) (SlotInfo, error) {
+ var csi C.CK_SLOT_INFO
+ e := C.GetSlotInfo(c.ctx, C.CK_ULONG(slotID), &csi)
+ s := SlotInfo{
+ SlotDescription: strings.TrimRight(string(C.GoBytes(unsafe.Pointer(&csi.slotDescription[0]), 64)), " "),
+ ManufacturerID: strings.TrimRight(string(C.GoBytes(unsafe.Pointer(&csi.manufacturerID[0]), 32)), " "),
+ Flags: uint(csi.flags),
+ HardwareVersion: toVersion(csi.hardwareVersion),
+ FirmwareVersion: toVersion(csi.firmwareVersion),
+ }
+ return s, toError(e)
+}
+
+// GetTokenInfo obtains information about a particular token
+// in the system.
+func (c *Ctx) GetTokenInfo(slotID uint) (TokenInfo, error) {
+ var cti C.CK_TOKEN_INFO
+ e := C.GetTokenInfo(c.ctx, C.CK_ULONG(slotID), &cti)
+ s := TokenInfo{
+ Label: strings.TrimRight(string(C.GoBytes(unsafe.Pointer(&cti.label[0]), 32)), " "),
+ ManufacturerID: strings.TrimRight(string(C.GoBytes(unsafe.Pointer(&cti.manufacturerID[0]), 32)), " "),
+ Model: strings.TrimRight(string(C.GoBytes(unsafe.Pointer(&cti.model[0]), 16)), " "),
+ SerialNumber: strings.TrimRight(string(C.GoBytes(unsafe.Pointer(&cti.serialNumber[0]), 16)), " "),
+ Flags: uint(cti.flags),
+ MaxSessionCount: uint(cti.ulMaxSessionCount),
+ SessionCount: uint(cti.ulSessionCount),
+ MaxRwSessionCount: uint(cti.ulMaxRwSessionCount),
+ RwSessionCount: uint(cti.ulRwSessionCount),
+ MaxPinLen: uint(cti.ulMaxPinLen),
+ MinPinLen: uint(cti.ulMinPinLen),
+ TotalPublicMemory: uint(cti.ulTotalPublicMemory),
+ FreePublicMemory: uint(cti.ulFreePublicMemory),
+ TotalPrivateMemory: uint(cti.ulTotalPrivateMemory),
+ FreePrivateMemory: uint(cti.ulFreePrivateMemory),
+ HardwareVersion: toVersion(cti.hardwareVersion),
+ FirmwareVersion: toVersion(cti.firmwareVersion),
+ UTCTime: strings.TrimRight(string(C.GoBytes(unsafe.Pointer(&cti.utcTime[0]), 16)), " "),
+ }
+ return s, toError(e)
+}
+
+// GetMechanismList obtains a list of mechanism types supported by a token.
+func (c *Ctx) GetMechanismList(slotID uint) ([]*Mechanism, error) {
+ var (
+ mech C.CK_ULONG_PTR // in pkcs#11 we're all CK_ULONGs \o/
+ mechlen C.CK_ULONG
+ )
+ e := C.GetMechanismList(c.ctx, C.CK_ULONG(slotID), &mech, &mechlen)
+ if toError(e) != nil {
+ return nil, toError(e)
+ }
+ // Although the function returns only type, cast them back into real
+ // attributes as this is used in other functions.
+ m := make([]*Mechanism, int(mechlen))
+ for i, typ := range toList(mech, mechlen) {
+ m[i] = NewMechanism(typ, nil)
+ }
+ return m, nil
+}
+
+// GetMechanismInfo obtains information about a particular
+// mechanism possibly supported by a token.
+func (c *Ctx) GetMechanismInfo(slotID uint, m []*Mechanism) (MechanismInfo, error) {
+ var cm C.CK_MECHANISM_INFO
+ e := C.GetMechanismInfo(c.ctx, C.CK_ULONG(slotID), C.CK_MECHANISM_TYPE(m[0].Mechanism),
+ C.CK_MECHANISM_INFO_PTR(&cm))
+ mi := MechanismInfo{
+ MinKeySize: uint(cm.ulMinKeySize),
+ MaxKeySize: uint(cm.ulMaxKeySize),
+ Flags: uint(cm.flags),
+ }
+ return mi, toError(e)
+}
+
+// InitToken initializes a token. The label must be 32 characters
+// long, it is blank padded if it is not. If it is longer it is capped
+// to 32 characters.
+func (c *Ctx) InitToken(slotID uint, pin string, label string) error {
+ p := C.CString(pin)
+ defer C.free(unsafe.Pointer(p))
+ ll := len(label)
+ for ll < 32 {
+ label += " "
+ ll++
+ }
+ l := C.CString(label[:32])
+ defer C.free(unsafe.Pointer(l))
+ e := C.InitToken(c.ctx, C.CK_ULONG(slotID), p, C.CK_ULONG(len(pin)), l)
+ return toError(e)
+}
+
+// InitPIN initializes the normal user's PIN.
+func (c *Ctx) InitPIN(sh SessionHandle, pin string) error {
+ p := C.CString(pin)
+ defer C.free(unsafe.Pointer(p))
+ e := C.InitPIN(c.ctx, C.CK_SESSION_HANDLE(sh), p, C.CK_ULONG(len(pin)))
+ return toError(e)
+}
+
+// SetPIN modifies the PIN of the user who is logged in.
+func (c *Ctx) SetPIN(sh SessionHandle, oldpin string, newpin string) error {
+ old := C.CString(oldpin)
+ defer C.free(unsafe.Pointer(old))
+ new := C.CString(newpin)
+ defer C.free(unsafe.Pointer(new))
+ e := C.SetPIN(c.ctx, C.CK_SESSION_HANDLE(sh), old, C.CK_ULONG(len(oldpin)), new, C.CK_ULONG(len(newpin)))
+ return toError(e)
+}
+
+// OpenSession opens a session between an application and a token.
+func (c *Ctx) OpenSession(slotID uint, flags uint) (SessionHandle, error) {
+ var s C.CK_SESSION_HANDLE
+ e := C.OpenSession(c.ctx, C.CK_ULONG(slotID), C.CK_ULONG(flags), C.CK_SESSION_HANDLE_PTR(&s))
+ return SessionHandle(s), toError(e)
+}
+
+// CloseSession closes a session between an application and a token.
+func (c *Ctx) CloseSession(sh SessionHandle) error {
+ if c.ctx == nil {
+ return toError(CKR_CRYPTOKI_NOT_INITIALIZED)
+ }
+ e := C.CloseSession(c.ctx, C.CK_SESSION_HANDLE(sh))
+ return toError(e)
+}
+
+// CloseAllSessions closes all sessions with a token.
+func (c *Ctx) CloseAllSessions(slotID uint) error {
+ if c.ctx == nil {
+ return toError(CKR_CRYPTOKI_NOT_INITIALIZED)
+ }
+ e := C.CloseAllSessions(c.ctx, C.CK_ULONG(slotID))
+ return toError(e)
+}
+
+// GetSessionInfo obtains information about the session.
+func (c *Ctx) GetSessionInfo(sh SessionHandle) (SessionInfo, error) {
+ var csi C.CK_SESSION_INFO
+ e := C.GetSessionInfo(c.ctx, C.CK_SESSION_HANDLE(sh), &csi)
+ s := SessionInfo{SlotID: uint(csi.slotID),
+ State: uint(csi.state),
+ Flags: uint(csi.flags),
+ DeviceError: uint(csi.ulDeviceError),
+ }
+ return s, toError(e)
+}
+
+// GetOperationState obtains the state of the cryptographic operation in a session.
+func (c *Ctx) GetOperationState(sh SessionHandle) ([]byte, error) {
+ var (
+ state C.CK_BYTE_PTR
+ statelen C.CK_ULONG
+ )
+ e := C.GetOperationState(c.ctx, C.CK_SESSION_HANDLE(sh), &state, &statelen)
+ defer C.free(unsafe.Pointer(state))
+ if toError(e) != nil {
+ return nil, toError(e)
+ }
+ b := C.GoBytes(unsafe.Pointer(state), C.int(statelen))
+ return b, nil
+}
+
+// SetOperationState restores the state of the cryptographic operation in a session.
+func (c *Ctx) SetOperationState(sh SessionHandle, state []byte, encryptKey, authKey ObjectHandle) error {
+ e := C.SetOperationState(c.ctx, C.CK_SESSION_HANDLE(sh), C.CK_BYTE_PTR(unsafe.Pointer(&state[0])),
+ C.CK_ULONG(len(state)), C.CK_OBJECT_HANDLE(encryptKey), C.CK_OBJECT_HANDLE(authKey))
+ return toError(e)
+}
+
+// Login logs a user into a token.
+func (c *Ctx) Login(sh SessionHandle, userType uint, pin string) error {
+ p := C.CString(pin)
+ defer C.free(unsafe.Pointer(p))
+ e := C.Login(c.ctx, C.CK_SESSION_HANDLE(sh), C.CK_USER_TYPE(userType), p, C.CK_ULONG(len(pin)))
+ return toError(e)
+}
+
+// Logout logs a user out from a token.
+func (c *Ctx) Logout(sh SessionHandle) error {
+ if c.ctx == nil {
+ return toError(CKR_CRYPTOKI_NOT_INITIALIZED)
+ }
+ e := C.Logout(c.ctx, C.CK_SESSION_HANDLE(sh))
+ return toError(e)
+}
+
+// CreateObject creates a new object.
+func (c *Ctx) CreateObject(sh SessionHandle, temp []*Attribute) (ObjectHandle, error) {
+ var obj C.CK_OBJECT_HANDLE
+ arena, t, tcount := cAttributeList(temp)
+ defer arena.Free()
+ e := C.CreateObject(c.ctx, C.CK_SESSION_HANDLE(sh), t, tcount, C.CK_OBJECT_HANDLE_PTR(&obj))
+ e1 := toError(e)
+ if e1 == nil {
+ return ObjectHandle(obj), nil
+ }
+ return 0, e1
+}
+
+// CopyObject copies an object, creating a new object for the copy.
+func (c *Ctx) CopyObject(sh SessionHandle, o ObjectHandle, temp []*Attribute) (ObjectHandle, error) {
+ var obj C.CK_OBJECT_HANDLE
+ arena, t, tcount := cAttributeList(temp)
+ defer arena.Free()
+
+ e := C.CopyObject(c.ctx, C.CK_SESSION_HANDLE(sh), C.CK_OBJECT_HANDLE(o), t, tcount, C.CK_OBJECT_HANDLE_PTR(&obj))
+ e1 := toError(e)
+ if e1 == nil {
+ return ObjectHandle(obj), nil
+ }
+ return 0, e1
+}
+
+// DestroyObject destroys an object.
+func (c *Ctx) DestroyObject(sh SessionHandle, oh ObjectHandle) error {
+ e := C.DestroyObject(c.ctx, C.CK_SESSION_HANDLE(sh), C.CK_OBJECT_HANDLE(oh))
+ return toError(e)
+}
+
+// GetObjectSize gets the size of an object in bytes.
+func (c *Ctx) GetObjectSize(sh SessionHandle, oh ObjectHandle) (uint, error) {
+ var size C.CK_ULONG
+ e := C.GetObjectSize(c.ctx, C.CK_SESSION_HANDLE(sh), C.CK_OBJECT_HANDLE(oh), &size)
+ return uint(size), toError(e)
+}
+
+// GetAttributeValue obtains the value of one or more object attributes.
+func (c *Ctx) GetAttributeValue(sh SessionHandle, o ObjectHandle, a []*Attribute) ([]*Attribute, error) {
+ // copy the attribute list and make all the values nil, so that
+ // the C function can (allocate) fill them in
+ pa := make([]C.CK_ATTRIBUTE, len(a))
+ for i := 0; i < len(a); i++ {
+ pa[i]._type = C.CK_ATTRIBUTE_TYPE(a[i].Type)
+ }
+ e := C.GetAttributeValue(c.ctx, C.CK_SESSION_HANDLE(sh), C.CK_OBJECT_HANDLE(o), &pa[0], C.CK_ULONG(len(a)))
+ if err := toError(e); err != nil {
+ return nil, err
+ }
+ a1 := make([]*Attribute, len(a))
+ for i, c := range pa {
+ x := new(Attribute)
+ x.Type = uint(c._type)
+ if int(c.ulValueLen) != -1 {
+ buf := unsafe.Pointer(C.getAttributePval(&c))
+ x.Value = C.GoBytes(buf, C.int(c.ulValueLen))
+ C.free(buf)
+ }
+ a1[i] = x
+ }
+ return a1, nil
+}
+
+// SetAttributeValue modifies the value of one or more object attributes
+func (c *Ctx) SetAttributeValue(sh SessionHandle, o ObjectHandle, a []*Attribute) error {
+ arena, pa, palen := cAttributeList(a)
+ defer arena.Free()
+ e := C.SetAttributeValue(c.ctx, C.CK_SESSION_HANDLE(sh), C.CK_OBJECT_HANDLE(o), pa, palen)
+ return toError(e)
+}
+
+// FindObjectsInit initializes a search for token and session
+// objects that match a template.
+func (c *Ctx) FindObjectsInit(sh SessionHandle, temp []*Attribute) error {
+ arena, t, tcount := cAttributeList(temp)
+ defer arena.Free()
+ e := C.FindObjectsInit(c.ctx, C.CK_SESSION_HANDLE(sh), t, tcount)
+ return toError(e)
+}
+
+// FindObjects continues a search for token and session
+// objects that match a template, obtaining additional object
+// handles. Calling the function repeatedly may yield additional results until
+// an empty slice is returned.
+//
+// The returned boolean value is deprecated and should be ignored.
+func (c *Ctx) FindObjects(sh SessionHandle, max int) ([]ObjectHandle, bool, error) {
+ var (
+ objectList C.CK_OBJECT_HANDLE_PTR
+ ulCount C.CK_ULONG
+ )
+ e := C.FindObjects(c.ctx, C.CK_SESSION_HANDLE(sh), &objectList, C.CK_ULONG(max), &ulCount)
+ if toError(e) != nil {
+ return nil, false, toError(e)
+ }
+ l := toList(C.CK_ULONG_PTR(unsafe.Pointer(objectList)), ulCount)
+ // Make again a new list of the correct type.
+ // This is copying data, but this is not an often used function.
+ o := make([]ObjectHandle, len(l))
+ for i, v := range l {
+ o[i] = ObjectHandle(v)
+ }
+ return o, ulCount > C.CK_ULONG(max), nil
+}
+
+// FindObjectsFinal finishes a search for token and session objects.
+func (c *Ctx) FindObjectsFinal(sh SessionHandle) error {
+ e := C.FindObjectsFinal(c.ctx, C.CK_SESSION_HANDLE(sh))
+ return toError(e)
+}
+
+// EncryptInit initializes an encryption operation.
+func (c *Ctx) EncryptInit(sh SessionHandle, m []*Mechanism, o ObjectHandle) error {
+ arena, mech := cMechanism(m)
+ defer arena.Free()
+ e := C.EncryptInit(c.ctx, C.CK_SESSION_HANDLE(sh), mech, C.CK_OBJECT_HANDLE(o))
+ return toError(e)
+}
+
+// Encrypt encrypts single-part data.
+func (c *Ctx) Encrypt(sh SessionHandle, message []byte) ([]byte, error) {
+ var (
+ enc C.CK_BYTE_PTR
+ enclen C.CK_ULONG
+ )
+ e := C.Encrypt(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(message), C.CK_ULONG(len(message)), &enc, &enclen)
+ if toError(e) != nil {
+ return nil, toError(e)
+ }
+ s := C.GoBytes(unsafe.Pointer(enc), C.int(enclen))
+ C.free(unsafe.Pointer(enc))
+ return s, nil
+}
+
+// EncryptUpdate continues a multiple-part encryption operation.
+func (c *Ctx) EncryptUpdate(sh SessionHandle, plain []byte) ([]byte, error) {
+ var (
+ part C.CK_BYTE_PTR
+ partlen C.CK_ULONG
+ )
+ e := C.EncryptUpdate(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(plain), C.CK_ULONG(len(plain)), &part, &partlen)
+ if toError(e) != nil {
+ return nil, toError(e)
+ }
+ h := C.GoBytes(unsafe.Pointer(part), C.int(partlen))
+ C.free(unsafe.Pointer(part))
+ return h, nil
+}
+
+// EncryptFinal finishes a multiple-part encryption operation.
+func (c *Ctx) EncryptFinal(sh SessionHandle) ([]byte, error) {
+ var (
+ enc C.CK_BYTE_PTR
+ enclen C.CK_ULONG
+ )
+ e := C.EncryptFinal(c.ctx, C.CK_SESSION_HANDLE(sh), &enc, &enclen)
+ if toError(e) != nil {
+ return nil, toError(e)
+ }
+ h := C.GoBytes(unsafe.Pointer(enc), C.int(enclen))
+ C.free(unsafe.Pointer(enc))
+ return h, nil
+}
+
+// DecryptInit initializes a decryption operation.
+func (c *Ctx) DecryptInit(sh SessionHandle, m []*Mechanism, o ObjectHandle) error {
+ arena, mech := cMechanism(m)
+ defer arena.Free()
+ e := C.DecryptInit(c.ctx, C.CK_SESSION_HANDLE(sh), mech, C.CK_OBJECT_HANDLE(o))
+ return toError(e)
+}
+
+// Decrypt decrypts encrypted data in a single part.
+func (c *Ctx) Decrypt(sh SessionHandle, cipher []byte) ([]byte, error) {
+ var (
+ plain C.CK_BYTE_PTR
+ plainlen C.CK_ULONG
+ )
+ e := C.Decrypt(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(cipher), C.CK_ULONG(len(cipher)), &plain, &plainlen)
+ if toError(e) != nil {
+ return nil, toError(e)
+ }
+ s := C.GoBytes(unsafe.Pointer(plain), C.int(plainlen))
+ C.free(unsafe.Pointer(plain))
+ return s, nil
+}
+
+// DecryptUpdate continues a multiple-part decryption operation.
+func (c *Ctx) DecryptUpdate(sh SessionHandle, cipher []byte) ([]byte, error) {
+ var (
+ part C.CK_BYTE_PTR
+ partlen C.CK_ULONG
+ )
+ e := C.DecryptUpdate(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(cipher), C.CK_ULONG(len(cipher)), &part, &partlen)
+ if toError(e) != nil {
+ return nil, toError(e)
+ }
+ h := C.GoBytes(unsafe.Pointer(part), C.int(partlen))
+ C.free(unsafe.Pointer(part))
+ return h, nil
+}
+
+// DecryptFinal finishes a multiple-part decryption operation.
+func (c *Ctx) DecryptFinal(sh SessionHandle) ([]byte, error) {
+ var (
+ plain C.CK_BYTE_PTR
+ plainlen C.CK_ULONG
+ )
+ e := C.DecryptFinal(c.ctx, C.CK_SESSION_HANDLE(sh), &plain, &plainlen)
+ if toError(e) != nil {
+ return nil, toError(e)
+ }
+ h := C.GoBytes(unsafe.Pointer(plain), C.int(plainlen))
+ C.free(unsafe.Pointer(plain))
+ return h, nil
+}
+
+// DigestInit initializes a message-digesting operation.
+func (c *Ctx) DigestInit(sh SessionHandle, m []*Mechanism) error {
+ arena, mech := cMechanism(m)
+ defer arena.Free()
+ e := C.DigestInit(c.ctx, C.CK_SESSION_HANDLE(sh), mech)
+ return toError(e)
+}
+
+// Digest digests message in a single part.
+func (c *Ctx) Digest(sh SessionHandle, message []byte) ([]byte, error) {
+ var (
+ hash C.CK_BYTE_PTR
+ hashlen C.CK_ULONG
+ )
+ e := C.Digest(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(message), C.CK_ULONG(len(message)), &hash, &hashlen)
+ if toError(e) != nil {
+ return nil, toError(e)
+ }
+ h := C.GoBytes(unsafe.Pointer(hash), C.int(hashlen))
+ C.free(unsafe.Pointer(hash))
+ return h, nil
+}
+
+// DigestUpdate continues a multiple-part message-digesting operation.
+func (c *Ctx) DigestUpdate(sh SessionHandle, message []byte) error {
+ e := C.DigestUpdate(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(message), C.CK_ULONG(len(message)))
+ if toError(e) != nil {
+ return toError(e)
+ }
+ return nil
+}
+
+// DigestKey continues a multi-part message-digesting
+// operation, by digesting the value of a secret key as part of
+// the data already digested.
+func (c *Ctx) DigestKey(sh SessionHandle, key ObjectHandle) error {
+ e := C.DigestKey(c.ctx, C.CK_SESSION_HANDLE(sh), C.CK_OBJECT_HANDLE(key))
+ if toError(e) != nil {
+ return toError(e)
+ }
+ return nil
+}
+
+// DigestFinal finishes a multiple-part message-digesting operation.
+func (c *Ctx) DigestFinal(sh SessionHandle) ([]byte, error) {
+ var (
+ hash C.CK_BYTE_PTR
+ hashlen C.CK_ULONG
+ )
+ e := C.DigestFinal(c.ctx, C.CK_SESSION_HANDLE(sh), &hash, &hashlen)
+ if toError(e) != nil {
+ return nil, toError(e)
+ }
+ h := C.GoBytes(unsafe.Pointer(hash), C.int(hashlen))
+ C.free(unsafe.Pointer(hash))
+ return h, nil
+}
+
+// SignInit initializes a signature (private key encryption)
+// operation, where the signature is (will be) an appendix to
+// the data, and plaintext cannot be recovered from the signature.
+func (c *Ctx) SignInit(sh SessionHandle, m []*Mechanism, o ObjectHandle) error {
+ arena, mech := cMechanism(m)
+ defer arena.Free()
+ e := C.SignInit(c.ctx, C.CK_SESSION_HANDLE(sh), mech, C.CK_OBJECT_HANDLE(o))
+ return toError(e)
+}
+
+// Sign signs (encrypts with private key) data in a single part, where the signature
+// is (will be) an appendix to the data, and plaintext cannot be recovered from the signature.
+func (c *Ctx) Sign(sh SessionHandle, message []byte) ([]byte, error) {
+ var (
+ sig C.CK_BYTE_PTR
+ siglen C.CK_ULONG
+ )
+ e := C.Sign(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(message), C.CK_ULONG(len(message)), &sig, &siglen)
+ if toError(e) != nil {
+ return nil, toError(e)
+ }
+ s := C.GoBytes(unsafe.Pointer(sig), C.int(siglen))
+ C.free(unsafe.Pointer(sig))
+ return s, nil
+}
+
+// SignUpdate continues a multiple-part signature operation,
+// where the signature is (will be) an appendix to the data,
+// and plaintext cannot be recovered from the signature.
+func (c *Ctx) SignUpdate(sh SessionHandle, message []byte) error {
+ e := C.SignUpdate(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(message), C.CK_ULONG(len(message)))
+ return toError(e)
+}
+
+// SignFinal finishes a multiple-part signature operation returning the signature.
+func (c *Ctx) SignFinal(sh SessionHandle) ([]byte, error) {
+ var (
+ sig C.CK_BYTE_PTR
+ siglen C.CK_ULONG
+ )
+ e := C.SignFinal(c.ctx, C.CK_SESSION_HANDLE(sh), &sig, &siglen)
+ if toError(e) != nil {
+ return nil, toError(e)
+ }
+ h := C.GoBytes(unsafe.Pointer(sig), C.int(siglen))
+ C.free(unsafe.Pointer(sig))
+ return h, nil
+}
+
+// SignRecoverInit initializes a signature operation, where the data can be recovered from the signature.
+func (c *Ctx) SignRecoverInit(sh SessionHandle, m []*Mechanism, key ObjectHandle) error {
+ arena, mech := cMechanism(m)
+ defer arena.Free()
+ e := C.SignRecoverInit(c.ctx, C.CK_SESSION_HANDLE(sh), mech, C.CK_OBJECT_HANDLE(key))
+ return toError(e)
+}
+
+// SignRecover signs data in a single operation, where the data can be recovered from the signature.
+func (c *Ctx) SignRecover(sh SessionHandle, data []byte) ([]byte, error) {
+ var (
+ sig C.CK_BYTE_PTR
+ siglen C.CK_ULONG
+ )
+ e := C.SignRecover(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(data), C.CK_ULONG(len(data)), &sig, &siglen)
+ if toError(e) != nil {
+ return nil, toError(e)
+ }
+ h := C.GoBytes(unsafe.Pointer(sig), C.int(siglen))
+ C.free(unsafe.Pointer(sig))
+ return h, nil
+}
+
+// VerifyInit initializes a verification operation, where the
+// signature is an appendix to the data, and plaintext cannot
+// be recovered from the signature (e.g. DSA).
+func (c *Ctx) VerifyInit(sh SessionHandle, m []*Mechanism, key ObjectHandle) error {
+ arena, mech := cMechanism(m)
+ defer arena.Free()
+ e := C.VerifyInit(c.ctx, C.CK_SESSION_HANDLE(sh), mech, C.CK_OBJECT_HANDLE(key))
+ return toError(e)
+}
+
+// Verify verifies a signature in a single-part operation,
+// where the signature is an appendix to the data, and plaintext
+// cannot be recovered from the signature.
+func (c *Ctx) Verify(sh SessionHandle, data []byte, signature []byte) error {
+ e := C.Verify(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(data), C.CK_ULONG(len(data)), cMessage(signature), C.CK_ULONG(len(signature)))
+ return toError(e)
+}
+
+// VerifyUpdate continues a multiple-part verification
+// operation, where the signature is an appendix to the data,
+// and plaintext cannot be recovered from the signature.
+func (c *Ctx) VerifyUpdate(sh SessionHandle, part []byte) error {
+ e := C.VerifyUpdate(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(part), C.CK_ULONG(len(part)))
+ return toError(e)
+}
+
+// VerifyFinal finishes a multiple-part verification
+// operation, checking the signature.
+func (c *Ctx) VerifyFinal(sh SessionHandle, signature []byte) error {
+ e := C.VerifyFinal(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(signature), C.CK_ULONG(len(signature)))
+ return toError(e)
+}
+
+// VerifyRecoverInit initializes a signature verification
+// operation, where the data is recovered from the signature.
+func (c *Ctx) VerifyRecoverInit(sh SessionHandle, m []*Mechanism, key ObjectHandle) error {
+ arena, mech := cMechanism(m)
+ defer arena.Free()
+ e := C.VerifyRecoverInit(c.ctx, C.CK_SESSION_HANDLE(sh), mech, C.CK_OBJECT_HANDLE(key))
+ return toError(e)
+}
+
+// VerifyRecover verifies a signature in a single-part
+// operation, where the data is recovered from the signature.
+func (c *Ctx) VerifyRecover(sh SessionHandle, signature []byte) ([]byte, error) {
+ var (
+ data C.CK_BYTE_PTR
+ datalen C.CK_ULONG
+ )
+ e := C.DecryptVerifyUpdate(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(signature), C.CK_ULONG(len(signature)), &data, &datalen)
+ if toError(e) != nil {
+ return nil, toError(e)
+ }
+ h := C.GoBytes(unsafe.Pointer(data), C.int(datalen))
+ C.free(unsafe.Pointer(data))
+ return h, nil
+}
+
+// DigestEncryptUpdate continues a multiple-part digesting and encryption operation.
+func (c *Ctx) DigestEncryptUpdate(sh SessionHandle, part []byte) ([]byte, error) {
+ var (
+ enc C.CK_BYTE_PTR
+ enclen C.CK_ULONG
+ )
+ e := C.DigestEncryptUpdate(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(part), C.CK_ULONG(len(part)), &enc, &enclen)
+ if toError(e) != nil {
+ return nil, toError(e)
+ }
+ h := C.GoBytes(unsafe.Pointer(enc), C.int(enclen))
+ C.free(unsafe.Pointer(enc))
+ return h, nil
+}
+
+// DecryptDigestUpdate continues a multiple-part decryption and digesting operation.
+func (c *Ctx) DecryptDigestUpdate(sh SessionHandle, cipher []byte) ([]byte, error) {
+ var (
+ part C.CK_BYTE_PTR
+ partlen C.CK_ULONG
+ )
+ e := C.DecryptDigestUpdate(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(cipher), C.CK_ULONG(len(cipher)), &part, &partlen)
+ if toError(e) != nil {
+ return nil, toError(e)
+ }
+ h := C.GoBytes(unsafe.Pointer(part), C.int(partlen))
+ C.free(unsafe.Pointer(part))
+ return h, nil
+}
+
+// SignEncryptUpdate continues a multiple-part signing and encryption operation.
+func (c *Ctx) SignEncryptUpdate(sh SessionHandle, part []byte) ([]byte, error) {
+ var (
+ enc C.CK_BYTE_PTR
+ enclen C.CK_ULONG
+ )
+ e := C.SignEncryptUpdate(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(part), C.CK_ULONG(len(part)), &enc, &enclen)
+ if toError(e) != nil {
+ return nil, toError(e)
+ }
+ h := C.GoBytes(unsafe.Pointer(enc), C.int(enclen))
+ C.free(unsafe.Pointer(enc))
+ return h, nil
+}
+
+// DecryptVerifyUpdate continues a multiple-part decryption and verify operation.
+func (c *Ctx) DecryptVerifyUpdate(sh SessionHandle, cipher []byte) ([]byte, error) {
+ var (
+ part C.CK_BYTE_PTR
+ partlen C.CK_ULONG
+ )
+ e := C.DecryptVerifyUpdate(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(cipher), C.CK_ULONG(len(cipher)), &part, &partlen)
+ if toError(e) != nil {
+ return nil, toError(e)
+ }
+ h := C.GoBytes(unsafe.Pointer(part), C.int(partlen))
+ C.free(unsafe.Pointer(part))
+ return h, nil
+}
+
+// GenerateKey generates a secret key, creating a new key object.
+func (c *Ctx) GenerateKey(sh SessionHandle, m []*Mechanism, temp []*Attribute) (ObjectHandle, error) {
+ var key C.CK_OBJECT_HANDLE
+ attrarena, t, tcount := cAttributeList(temp)
+ defer attrarena.Free()
+ mecharena, mech := cMechanism(m)
+ defer mecharena.Free()
+ e := C.GenerateKey(c.ctx, C.CK_SESSION_HANDLE(sh), mech, t, tcount, C.CK_OBJECT_HANDLE_PTR(&key))
+ e1 := toError(e)
+ if e1 == nil {
+ return ObjectHandle(key), nil
+ }
+ return 0, e1
+}
+
+// GenerateKeyPair generates a public-key/private-key pair creating new key objects.
+func (c *Ctx) GenerateKeyPair(sh SessionHandle, m []*Mechanism, public, private []*Attribute) (ObjectHandle, ObjectHandle, error) {
+ var (
+ pubkey C.CK_OBJECT_HANDLE
+ privkey C.CK_OBJECT_HANDLE
+ )
+ pubarena, pub, pubcount := cAttributeList(public)
+ defer pubarena.Free()
+ privarena, priv, privcount := cAttributeList(private)
+ defer privarena.Free()
+ mecharena, mech := cMechanism(m)
+ defer mecharena.Free()
+ e := C.GenerateKeyPair(c.ctx, C.CK_SESSION_HANDLE(sh), mech, pub, pubcount, priv, privcount, C.CK_OBJECT_HANDLE_PTR(&pubkey), C.CK_OBJECT_HANDLE_PTR(&privkey))
+ e1 := toError(e)
+ if e1 == nil {
+ return ObjectHandle(pubkey), ObjectHandle(privkey), nil
+ }
+ return 0, 0, e1
+}
+
+// WrapKey wraps (i.e., encrypts) a key.
+func (c *Ctx) WrapKey(sh SessionHandle, m []*Mechanism, wrappingkey, key ObjectHandle) ([]byte, error) {
+ var (
+ wrappedkey C.CK_BYTE_PTR
+ wrappedkeylen C.CK_ULONG
+ )
+ arena, mech := cMechanism(m)
+ defer arena.Free()
+ e := C.WrapKey(c.ctx, C.CK_SESSION_HANDLE(sh), mech, C.CK_OBJECT_HANDLE(wrappingkey), C.CK_OBJECT_HANDLE(key), &wrappedkey, &wrappedkeylen)
+ if toError(e) != nil {
+ return nil, toError(e)
+ }
+ h := C.GoBytes(unsafe.Pointer(wrappedkey), C.int(wrappedkeylen))
+ C.free(unsafe.Pointer(wrappedkey))
+ return h, nil
+}
+
+// UnwrapKey unwraps (decrypts) a wrapped key, creating a new key object.
+func (c *Ctx) UnwrapKey(sh SessionHandle, m []*Mechanism, unwrappingkey ObjectHandle, wrappedkey []byte, a []*Attribute) (ObjectHandle, error) {
+ var key C.CK_OBJECT_HANDLE
+ attrarena, ac, aclen := cAttributeList(a)
+ defer attrarena.Free()
+ mecharena, mech := cMechanism(m)
+ defer mecharena.Free()
+ e := C.UnwrapKey(c.ctx, C.CK_SESSION_HANDLE(sh), mech, C.CK_OBJECT_HANDLE(unwrappingkey), C.CK_BYTE_PTR(unsafe.Pointer(&wrappedkey[0])), C.CK_ULONG(len(wrappedkey)), ac, aclen, &key)
+ return ObjectHandle(key), toError(e)
+}
+
+// DeriveKey derives a key from a base key, creating a new key object.
+func (c *Ctx) DeriveKey(sh SessionHandle, m []*Mechanism, basekey ObjectHandle, a []*Attribute) (ObjectHandle, error) {
+ var key C.CK_OBJECT_HANDLE
+ attrarena, ac, aclen := cAttributeList(a)
+ defer attrarena.Free()
+ mecharena, mech := cMechanism(m)
+ defer mecharena.Free()
+ e := C.DeriveKey(c.ctx, C.CK_SESSION_HANDLE(sh), mech, C.CK_OBJECT_HANDLE(basekey), ac, aclen, &key)
+ return ObjectHandle(key), toError(e)
+}
+
+// SeedRandom mixes additional seed material into the token's
+// random number generator.
+func (c *Ctx) SeedRandom(sh SessionHandle, seed []byte) error {
+ e := C.SeedRandom(c.ctx, C.CK_SESSION_HANDLE(sh), C.CK_BYTE_PTR(unsafe.Pointer(&seed[0])), C.CK_ULONG(len(seed)))
+ return toError(e)
+}
+
+// GenerateRandom generates random data.
+func (c *Ctx) GenerateRandom(sh SessionHandle, length int) ([]byte, error) {
+ var rand C.CK_BYTE_PTR
+ e := C.GenerateRandom(c.ctx, C.CK_SESSION_HANDLE(sh), &rand, C.CK_ULONG(length))
+ if toError(e) != nil {
+ return nil, toError(e)
+ }
+ h := C.GoBytes(unsafe.Pointer(rand), C.int(length))
+ C.free(unsafe.Pointer(rand))
+ return h, nil
+}
+
+// WaitForSlotEvent returns a channel which returns a slot event
+// (token insertion, removal, etc.) when it occurs.
+func (c *Ctx) WaitForSlotEvent(flags uint) chan SlotEvent {
+ sl := make(chan SlotEvent, 1) // hold one element
+ go c.waitForSlotEventHelper(flags, sl)
+ return sl
+}
+
+func (c *Ctx) waitForSlotEventHelper(f uint, sl chan SlotEvent) {
+ var slotID C.CK_ULONG
+ C.WaitForSlotEvent(c.ctx, C.CK_FLAGS(f), &slotID)
+ sl <- SlotEvent{uint(slotID)}
+ close(sl) // TODO(miek): Sending and then closing ...?
+}
diff --git a/vendor/github.com/miekg/pkcs11/pkcs11.h b/vendor/github.com/miekg/pkcs11/pkcs11.h
new file mode 100644
index 000000000..0d78dd711
--- /dev/null
+++ b/vendor/github.com/miekg/pkcs11/pkcs11.h
@@ -0,0 +1,265 @@
+/* Copyright (c) OASIS Open 2016. All Rights Reserved./
+ * /Distributed under the terms of the OASIS IPR Policy,
+ * [http://www.oasis-open.org/policies-guidelines/ipr], AS-IS, WITHOUT ANY
+ * IMPLIED OR EXPRESS WARRANTY; there is no warranty of MERCHANTABILITY, FITNESS FOR A
+ * PARTICULAR PURPOSE or NONINFRINGEMENT of the rights of others.
+ */
+
+/* Latest version of the specification:
+ * http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/pkcs11-base-v2.40.html
+ */
+
+#ifndef _PKCS11_H_
+#define _PKCS11_H_ 1
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Before including this file (pkcs11.h) (or pkcs11t.h by
+ * itself), 5 platform-specific macros must be defined. These
+ * macros are described below, and typical definitions for them
+ * are also given. Be advised that these definitions can depend
+ * on both the platform and the compiler used (and possibly also
+ * on whether a Cryptoki library is linked statically or
+ * dynamically).
+ *
+ * In addition to defining these 5 macros, the packing convention
+ * for Cryptoki structures should be set. The Cryptoki
+ * convention on packing is that structures should be 1-byte
+ * aligned.
+ *
+ * If you're using Microsoft Developer Studio 5.0 to produce
+ * Win32 stuff, this might be done by using the following
+ * preprocessor directive before including pkcs11.h or pkcs11t.h:
+ *
+ * #pragma pack(push, cryptoki, 1)
+ *
+ * and using the following preprocessor directive after including
+ * pkcs11.h or pkcs11t.h:
+ *
+ * #pragma pack(pop, cryptoki)
+ *
+ * If you're using an earlier version of Microsoft Developer
+ * Studio to produce Win16 stuff, this might be done by using
+ * the following preprocessor directive before including
+ * pkcs11.h or pkcs11t.h:
+ *
+ * #pragma pack(1)
+ *
+ * In a UNIX environment, you're on your own for this. You might
+ * not need to do (or be able to do!) anything.
+ *
+ *
+ * Now for the macros:
+ *
+ *
+ * 1. CK_PTR: The indirection string for making a pointer to an
+ * object. It can be used like this:
+ *
+ * typedef CK_BYTE CK_PTR CK_BYTE_PTR;
+ *
+ * If you're using Microsoft Developer Studio 5.0 to produce
+ * Win32 stuff, it might be defined by:
+ *
+ * #define CK_PTR *
+ *
+ * If you're using an earlier version of Microsoft Developer
+ * Studio to produce Win16 stuff, it might be defined by:
+ *
+ * #define CK_PTR far *
+ *
+ * In a typical UNIX environment, it might be defined by:
+ *
+ * #define CK_PTR *
+ *
+ *
+ * 2. CK_DECLARE_FUNCTION(returnType, name): A macro which makes
+ * an importable Cryptoki library function declaration out of a
+ * return type and a function name. It should be used in the
+ * following fashion:
+ *
+ * extern CK_DECLARE_FUNCTION(CK_RV, C_Initialize)(
+ * CK_VOID_PTR pReserved
+ * );
+ *
+ * If you're using Microsoft Developer Studio 5.0 to declare a
+ * function in a Win32 Cryptoki .dll, it might be defined by:
+ *
+ * #define CK_DECLARE_FUNCTION(returnType, name) \
+ * returnType __declspec(dllimport) name
+ *
+ * If you're using an earlier version of Microsoft Developer
+ * Studio to declare a function in a Win16 Cryptoki .dll, it
+ * might be defined by:
+ *
+ * #define CK_DECLARE_FUNCTION(returnType, name) \
+ * returnType __export _far _pascal name
+ *
+ * In a UNIX environment, it might be defined by:
+ *
+ * #define CK_DECLARE_FUNCTION(returnType, name) \
+ * returnType name
+ *
+ *
+ * 3. CK_DECLARE_FUNCTION_POINTER(returnType, name): A macro
+ * which makes a Cryptoki API function pointer declaration or
+ * function pointer type declaration out of a return type and a
+ * function name. It should be used in the following fashion:
+ *
+ * // Define funcPtr to be a pointer to a Cryptoki API function
+ * // taking arguments args and returning CK_RV.
+ * CK_DECLARE_FUNCTION_POINTER(CK_RV, funcPtr)(args);
+ *
+ * or
+ *
+ * // Define funcPtrType to be the type of a pointer to a
+ * // Cryptoki API function taking arguments args and returning
+ * // CK_RV, and then define funcPtr to be a variable of type
+ * // funcPtrType.
+ * typedef CK_DECLARE_FUNCTION_POINTER(CK_RV, funcPtrType)(args);
+ * funcPtrType funcPtr;
+ *
+ * If you're using Microsoft Developer Studio 5.0 to access
+ * functions in a Win32 Cryptoki .dll, in might be defined by:
+ *
+ * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
+ * returnType __declspec(dllimport) (* name)
+ *
+ * If you're using an earlier version of Microsoft Developer
+ * Studio to access functions in a Win16 Cryptoki .dll, it might
+ * be defined by:
+ *
+ * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
+ * returnType __export _far _pascal (* name)
+ *
+ * In a UNIX environment, it might be defined by:
+ *
+ * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
+ * returnType (* name)
+ *
+ *
+ * 4. CK_CALLBACK_FUNCTION(returnType, name): A macro which makes
+ * a function pointer type for an application callback out of
+ * a return type for the callback and a name for the callback.
+ * It should be used in the following fashion:
+ *
+ * CK_CALLBACK_FUNCTION(CK_RV, myCallback)(args);
+ *
+ * to declare a function pointer, myCallback, to a callback
+ * which takes arguments args and returns a CK_RV. It can also
+ * be used like this:
+ *
+ * typedef CK_CALLBACK_FUNCTION(CK_RV, myCallbackType)(args);
+ * myCallbackType myCallback;
+ *
+ * If you're using Microsoft Developer Studio 5.0 to do Win32
+ * Cryptoki development, it might be defined by:
+ *
+ * #define CK_CALLBACK_FUNCTION(returnType, name) \
+ * returnType (* name)
+ *
+ * If you're using an earlier version of Microsoft Developer
+ * Studio to do Win16 development, it might be defined by:
+ *
+ * #define CK_CALLBACK_FUNCTION(returnType, name) \
+ * returnType _far _pascal (* name)
+ *
+ * In a UNIX environment, it might be defined by:
+ *
+ * #define CK_CALLBACK_FUNCTION(returnType, name) \
+ * returnType (* name)
+ *
+ *
+ * 5. NULL_PTR: This macro is the value of a NULL pointer.
+ *
+ * In any ANSI/ISO C environment (and in many others as well),
+ * this should best be defined by
+ *
+ * #ifndef NULL_PTR
+ * #define NULL_PTR 0
+ * #endif
+ */
+
+
+/* All the various Cryptoki types and #define'd values are in the
+ * file pkcs11t.h.
+ */
+#include "pkcs11t.h"
+
+#define __PASTE(x,y) x##y
+
+
+/* ==============================================================
+ * Define the "extern" form of all the entry points.
+ * ==============================================================
+ */
+
+#define CK_NEED_ARG_LIST 1
+#define CK_PKCS11_FUNCTION_INFO(name) \
+ extern CK_DECLARE_FUNCTION(CK_RV, name)
+
+/* pkcs11f.h has all the information about the Cryptoki
+ * function prototypes.
+ */
+#include "pkcs11f.h"
+
+#undef CK_NEED_ARG_LIST
+#undef CK_PKCS11_FUNCTION_INFO
+
+
+/* ==============================================================
+ * Define the typedef form of all the entry points. That is, for
+ * each Cryptoki function C_XXX, define a type CK_C_XXX which is
+ * a pointer to that kind of function.
+ * ==============================================================
+ */
+
+#define CK_NEED_ARG_LIST 1
+#define CK_PKCS11_FUNCTION_INFO(name) \
+ typedef CK_DECLARE_FUNCTION_POINTER(CK_RV, __PASTE(CK_,name))
+
+/* pkcs11f.h has all the information about the Cryptoki
+ * function prototypes.
+ */
+#include "pkcs11f.h"
+
+#undef CK_NEED_ARG_LIST
+#undef CK_PKCS11_FUNCTION_INFO
+
+
+/* ==============================================================
+ * Define structed vector of entry points. A CK_FUNCTION_LIST
+ * contains a CK_VERSION indicating a library's Cryptoki version
+ * and then a whole slew of function pointers to the routines in
+ * the library. This type was declared, but not defined, in
+ * pkcs11t.h.
+ * ==============================================================
+ */
+
+#define CK_PKCS11_FUNCTION_INFO(name) \
+ __PASTE(CK_,name) name;
+
+struct CK_FUNCTION_LIST {
+
+ CK_VERSION version; /* Cryptoki version */
+
+/* Pile all the function pointers into the CK_FUNCTION_LIST. */
+/* pkcs11f.h has all the information about the Cryptoki
+ * function prototypes.
+ */
+#include "pkcs11f.h"
+
+};
+
+#undef CK_PKCS11_FUNCTION_INFO
+
+
+#undef __PASTE
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKCS11_H_ */
+
diff --git a/vendor/github.com/miekg/pkcs11/pkcs11f.h b/vendor/github.com/miekg/pkcs11/pkcs11f.h
new file mode 100644
index 000000000..ed90affc5
--- /dev/null
+++ b/vendor/github.com/miekg/pkcs11/pkcs11f.h
@@ -0,0 +1,939 @@
+/* Copyright (c) OASIS Open 2016. All Rights Reserved./
+ * /Distributed under the terms of the OASIS IPR Policy,
+ * [http://www.oasis-open.org/policies-guidelines/ipr], AS-IS, WITHOUT ANY
+ * IMPLIED OR EXPRESS WARRANTY; there is no warranty of MERCHANTABILITY, FITNESS FOR A
+ * PARTICULAR PURPOSE or NONINFRINGEMENT of the rights of others.
+ */
+
+/* Latest version of the specification:
+ * http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/pkcs11-base-v2.40.html
+ */
+
+/* This header file contains pretty much everything about all the
+ * Cryptoki function prototypes. Because this information is
+ * used for more than just declaring function prototypes, the
+ * order of the functions appearing herein is important, and
+ * should not be altered.
+ */
+
+/* General-purpose */
+
+/* C_Initialize initializes the Cryptoki library. */
+CK_PKCS11_FUNCTION_INFO(C_Initialize)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_VOID_PTR pInitArgs /* if this is not NULL_PTR, it gets
+ * cast to CK_C_INITIALIZE_ARGS_PTR
+ * and dereferenced
+ */
+);
+#endif
+
+
+/* C_Finalize indicates that an application is done with the
+ * Cryptoki library.
+ */
+CK_PKCS11_FUNCTION_INFO(C_Finalize)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_VOID_PTR pReserved /* reserved. Should be NULL_PTR */
+);
+#endif
+
+
+/* C_GetInfo returns general information about Cryptoki. */
+CK_PKCS11_FUNCTION_INFO(C_GetInfo)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_INFO_PTR pInfo /* location that receives information */
+);
+#endif
+
+
+/* C_GetFunctionList returns the function list. */
+CK_PKCS11_FUNCTION_INFO(C_GetFunctionList)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_FUNCTION_LIST_PTR_PTR ppFunctionList /* receives pointer to
+ * function list
+ */
+);
+#endif
+
+
+
+/* Slot and token management */
+
+/* C_GetSlotList obtains a list of slots in the system. */
+CK_PKCS11_FUNCTION_INFO(C_GetSlotList)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_BBOOL tokenPresent, /* only slots with tokens */
+ CK_SLOT_ID_PTR pSlotList, /* receives array of slot IDs */
+ CK_ULONG_PTR pulCount /* receives number of slots */
+);
+#endif
+
+
+/* C_GetSlotInfo obtains information about a particular slot in
+ * the system.
+ */
+CK_PKCS11_FUNCTION_INFO(C_GetSlotInfo)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SLOT_ID slotID, /* the ID of the slot */
+ CK_SLOT_INFO_PTR pInfo /* receives the slot information */
+);
+#endif
+
+
+/* C_GetTokenInfo obtains information about a particular token
+ * in the system.
+ */
+CK_PKCS11_FUNCTION_INFO(C_GetTokenInfo)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SLOT_ID slotID, /* ID of the token's slot */
+ CK_TOKEN_INFO_PTR pInfo /* receives the token information */
+);
+#endif
+
+
+/* C_GetMechanismList obtains a list of mechanism types
+ * supported by a token.
+ */
+CK_PKCS11_FUNCTION_INFO(C_GetMechanismList)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SLOT_ID slotID, /* ID of token's slot */
+ CK_MECHANISM_TYPE_PTR pMechanismList, /* gets mech. array */
+ CK_ULONG_PTR pulCount /* gets # of mechs. */
+);
+#endif
+
+
+/* C_GetMechanismInfo obtains information about a particular
+ * mechanism possibly supported by a token.
+ */
+CK_PKCS11_FUNCTION_INFO(C_GetMechanismInfo)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SLOT_ID slotID, /* ID of the token's slot */
+ CK_MECHANISM_TYPE type, /* type of mechanism */
+ CK_MECHANISM_INFO_PTR pInfo /* receives mechanism info */
+);
+#endif
+
+
+/* C_InitToken initializes a token. */
+CK_PKCS11_FUNCTION_INFO(C_InitToken)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SLOT_ID slotID, /* ID of the token's slot */
+ CK_UTF8CHAR_PTR pPin, /* the SO's initial PIN */
+ CK_ULONG ulPinLen, /* length in bytes of the PIN */
+ CK_UTF8CHAR_PTR pLabel /* 32-byte token label (blank padded) */
+);
+#endif
+
+
+/* C_InitPIN initializes the normal user's PIN. */
+CK_PKCS11_FUNCTION_INFO(C_InitPIN)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_UTF8CHAR_PTR pPin, /* the normal user's PIN */
+ CK_ULONG ulPinLen /* length in bytes of the PIN */
+);
+#endif
+
+
+/* C_SetPIN modifies the PIN of the user who is logged in. */
+CK_PKCS11_FUNCTION_INFO(C_SetPIN)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_UTF8CHAR_PTR pOldPin, /* the old PIN */
+ CK_ULONG ulOldLen, /* length of the old PIN */
+ CK_UTF8CHAR_PTR pNewPin, /* the new PIN */
+ CK_ULONG ulNewLen /* length of the new PIN */
+);
+#endif
+
+
+
+/* Session management */
+
+/* C_OpenSession opens a session between an application and a
+ * token.
+ */
+CK_PKCS11_FUNCTION_INFO(C_OpenSession)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SLOT_ID slotID, /* the slot's ID */
+ CK_FLAGS flags, /* from CK_SESSION_INFO */
+ CK_VOID_PTR pApplication, /* passed to callback */
+ CK_NOTIFY Notify, /* callback function */
+ CK_SESSION_HANDLE_PTR phSession /* gets session handle */
+);
+#endif
+
+
+/* C_CloseSession closes a session between an application and a
+ * token.
+ */
+CK_PKCS11_FUNCTION_INFO(C_CloseSession)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession /* the session's handle */
+);
+#endif
+
+
+/* C_CloseAllSessions closes all sessions with a token. */
+CK_PKCS11_FUNCTION_INFO(C_CloseAllSessions)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SLOT_ID slotID /* the token's slot */
+);
+#endif
+
+
+/* C_GetSessionInfo obtains information about the session. */
+CK_PKCS11_FUNCTION_INFO(C_GetSessionInfo)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_SESSION_INFO_PTR pInfo /* receives session info */
+);
+#endif
+
+
+/* C_GetOperationState obtains the state of the cryptographic operation
+ * in a session.
+ */
+CK_PKCS11_FUNCTION_INFO(C_GetOperationState)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* session's handle */
+ CK_BYTE_PTR pOperationState, /* gets state */
+ CK_ULONG_PTR pulOperationStateLen /* gets state length */
+);
+#endif
+
+
+/* C_SetOperationState restores the state of the cryptographic
+ * operation in a session.
+ */
+CK_PKCS11_FUNCTION_INFO(C_SetOperationState)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* session's handle */
+ CK_BYTE_PTR pOperationState, /* holds state */
+ CK_ULONG ulOperationStateLen, /* holds state length */
+ CK_OBJECT_HANDLE hEncryptionKey, /* en/decryption key */
+ CK_OBJECT_HANDLE hAuthenticationKey /* sign/verify key */
+);
+#endif
+
+
+/* C_Login logs a user into a token. */
+CK_PKCS11_FUNCTION_INFO(C_Login)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_USER_TYPE userType, /* the user type */
+ CK_UTF8CHAR_PTR pPin, /* the user's PIN */
+ CK_ULONG ulPinLen /* the length of the PIN */
+);
+#endif
+
+
+/* C_Logout logs a user out from a token. */
+CK_PKCS11_FUNCTION_INFO(C_Logout)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession /* the session's handle */
+);
+#endif
+
+
+
+/* Object management */
+
+/* C_CreateObject creates a new object. */
+CK_PKCS11_FUNCTION_INFO(C_CreateObject)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_ATTRIBUTE_PTR pTemplate, /* the object's template */
+ CK_ULONG ulCount, /* attributes in template */
+ CK_OBJECT_HANDLE_PTR phObject /* gets new object's handle. */
+);
+#endif
+
+
+/* C_CopyObject copies an object, creating a new object for the
+ * copy.
+ */
+CK_PKCS11_FUNCTION_INFO(C_CopyObject)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_OBJECT_HANDLE hObject, /* the object's handle */
+ CK_ATTRIBUTE_PTR pTemplate, /* template for new object */
+ CK_ULONG ulCount, /* attributes in template */
+ CK_OBJECT_HANDLE_PTR phNewObject /* receives handle of copy */
+);
+#endif
+
+
+/* C_DestroyObject destroys an object. */
+CK_PKCS11_FUNCTION_INFO(C_DestroyObject)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_OBJECT_HANDLE hObject /* the object's handle */
+);
+#endif
+
+
+/* C_GetObjectSize gets the size of an object in bytes. */
+CK_PKCS11_FUNCTION_INFO(C_GetObjectSize)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_OBJECT_HANDLE hObject, /* the object's handle */
+ CK_ULONG_PTR pulSize /* receives size of object */
+);
+#endif
+
+
+/* C_GetAttributeValue obtains the value of one or more object
+ * attributes.
+ */
+CK_PKCS11_FUNCTION_INFO(C_GetAttributeValue)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_OBJECT_HANDLE hObject, /* the object's handle */
+ CK_ATTRIBUTE_PTR pTemplate, /* specifies attrs; gets vals */
+ CK_ULONG ulCount /* attributes in template */
+);
+#endif
+
+
+/* C_SetAttributeValue modifies the value of one or more object
+ * attributes.
+ */
+CK_PKCS11_FUNCTION_INFO(C_SetAttributeValue)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_OBJECT_HANDLE hObject, /* the object's handle */
+ CK_ATTRIBUTE_PTR pTemplate, /* specifies attrs and values */
+ CK_ULONG ulCount /* attributes in template */
+);
+#endif
+
+
+/* C_FindObjectsInit initializes a search for token and session
+ * objects that match a template.
+ */
+CK_PKCS11_FUNCTION_INFO(C_FindObjectsInit)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_ATTRIBUTE_PTR pTemplate, /* attribute values to match */
+ CK_ULONG ulCount /* attrs in search template */
+);
+#endif
+
+
+/* C_FindObjects continues a search for token and session
+ * objects that match a template, obtaining additional object
+ * handles.
+ */
+CK_PKCS11_FUNCTION_INFO(C_FindObjects)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* session's handle */
+ CK_OBJECT_HANDLE_PTR phObject, /* gets obj. handles */
+ CK_ULONG ulMaxObjectCount, /* max handles to get */
+ CK_ULONG_PTR pulObjectCount /* actual # returned */
+);
+#endif
+
+
+/* C_FindObjectsFinal finishes a search for token and session
+ * objects.
+ */
+CK_PKCS11_FUNCTION_INFO(C_FindObjectsFinal)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession /* the session's handle */
+);
+#endif
+
+
+
+/* Encryption and decryption */
+
+/* C_EncryptInit initializes an encryption operation. */
+CK_PKCS11_FUNCTION_INFO(C_EncryptInit)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_MECHANISM_PTR pMechanism, /* the encryption mechanism */
+ CK_OBJECT_HANDLE hKey /* handle of encryption key */
+);
+#endif
+
+
+/* C_Encrypt encrypts single-part data. */
+CK_PKCS11_FUNCTION_INFO(C_Encrypt)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* session's handle */
+ CK_BYTE_PTR pData, /* the plaintext data */
+ CK_ULONG ulDataLen, /* bytes of plaintext */
+ CK_BYTE_PTR pEncryptedData, /* gets ciphertext */
+ CK_ULONG_PTR pulEncryptedDataLen /* gets c-text size */
+);
+#endif
+
+
+/* C_EncryptUpdate continues a multiple-part encryption
+ * operation.
+ */
+CK_PKCS11_FUNCTION_INFO(C_EncryptUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* session's handle */
+ CK_BYTE_PTR pPart, /* the plaintext data */
+ CK_ULONG ulPartLen, /* plaintext data len */
+ CK_BYTE_PTR pEncryptedPart, /* gets ciphertext */
+ CK_ULONG_PTR pulEncryptedPartLen /* gets c-text size */
+);
+#endif
+
+
+/* C_EncryptFinal finishes a multiple-part encryption
+ * operation.
+ */
+CK_PKCS11_FUNCTION_INFO(C_EncryptFinal)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* session handle */
+ CK_BYTE_PTR pLastEncryptedPart, /* last c-text */
+ CK_ULONG_PTR pulLastEncryptedPartLen /* gets last size */
+);
+#endif
+
+
+/* C_DecryptInit initializes a decryption operation. */
+CK_PKCS11_FUNCTION_INFO(C_DecryptInit)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_MECHANISM_PTR pMechanism, /* the decryption mechanism */
+ CK_OBJECT_HANDLE hKey /* handle of decryption key */
+);
+#endif
+
+
+/* C_Decrypt decrypts encrypted data in a single part. */
+CK_PKCS11_FUNCTION_INFO(C_Decrypt)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* session's handle */
+ CK_BYTE_PTR pEncryptedData, /* ciphertext */
+ CK_ULONG ulEncryptedDataLen, /* ciphertext length */
+ CK_BYTE_PTR pData, /* gets plaintext */
+ CK_ULONG_PTR pulDataLen /* gets p-text size */
+);
+#endif
+
+
+/* C_DecryptUpdate continues a multiple-part decryption
+ * operation.
+ */
+CK_PKCS11_FUNCTION_INFO(C_DecryptUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* session's handle */
+ CK_BYTE_PTR pEncryptedPart, /* encrypted data */
+ CK_ULONG ulEncryptedPartLen, /* input length */
+ CK_BYTE_PTR pPart, /* gets plaintext */
+ CK_ULONG_PTR pulPartLen /* p-text size */
+);
+#endif
+
+
+/* C_DecryptFinal finishes a multiple-part decryption
+ * operation.
+ */
+CK_PKCS11_FUNCTION_INFO(C_DecryptFinal)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_BYTE_PTR pLastPart, /* gets plaintext */
+ CK_ULONG_PTR pulLastPartLen /* p-text size */
+);
+#endif
+
+
+
+/* Message digesting */
+
+/* C_DigestInit initializes a message-digesting operation. */
+CK_PKCS11_FUNCTION_INFO(C_DigestInit)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_MECHANISM_PTR pMechanism /* the digesting mechanism */
+);
+#endif
+
+
+/* C_Digest digests data in a single part. */
+CK_PKCS11_FUNCTION_INFO(C_Digest)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_BYTE_PTR pData, /* data to be digested */
+ CK_ULONG ulDataLen, /* bytes of data to digest */
+ CK_BYTE_PTR pDigest, /* gets the message digest */
+ CK_ULONG_PTR pulDigestLen /* gets digest length */
+);
+#endif
+
+
+/* C_DigestUpdate continues a multiple-part message-digesting
+ * operation.
+ */
+CK_PKCS11_FUNCTION_INFO(C_DigestUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_BYTE_PTR pPart, /* data to be digested */
+ CK_ULONG ulPartLen /* bytes of data to be digested */
+);
+#endif
+
+
+/* C_DigestKey continues a multi-part message-digesting
+ * operation, by digesting the value of a secret key as part of
+ * the data already digested.
+ */
+CK_PKCS11_FUNCTION_INFO(C_DigestKey)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_OBJECT_HANDLE hKey /* secret key to digest */
+);
+#endif
+
+
+/* C_DigestFinal finishes a multiple-part message-digesting
+ * operation.
+ */
+CK_PKCS11_FUNCTION_INFO(C_DigestFinal)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_BYTE_PTR pDigest, /* gets the message digest */
+ CK_ULONG_PTR pulDigestLen /* gets byte count of digest */
+);
+#endif
+
+
+
+/* Signing and MACing */
+
+/* C_SignInit initializes a signature (private key encryption)
+ * operation, where the signature is (will be) an appendix to
+ * the data, and plaintext cannot be recovered from the
+ * signature.
+ */
+CK_PKCS11_FUNCTION_INFO(C_SignInit)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_MECHANISM_PTR pMechanism, /* the signature mechanism */
+ CK_OBJECT_HANDLE hKey /* handle of signature key */
+);
+#endif
+
+
+/* C_Sign signs (encrypts with private key) data in a single
+ * part, where the signature is (will be) an appendix to the
+ * data, and plaintext cannot be recovered from the signature.
+ */
+CK_PKCS11_FUNCTION_INFO(C_Sign)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_BYTE_PTR pData, /* the data to sign */
+ CK_ULONG ulDataLen, /* count of bytes to sign */
+ CK_BYTE_PTR pSignature, /* gets the signature */
+ CK_ULONG_PTR pulSignatureLen /* gets signature length */
+);
+#endif
+
+
+/* C_SignUpdate continues a multiple-part signature operation,
+ * where the signature is (will be) an appendix to the data,
+ * and plaintext cannot be recovered from the signature.
+ */
+CK_PKCS11_FUNCTION_INFO(C_SignUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_BYTE_PTR pPart, /* the data to sign */
+ CK_ULONG ulPartLen /* count of bytes to sign */
+);
+#endif
+
+
+/* C_SignFinal finishes a multiple-part signature operation,
+ * returning the signature.
+ */
+CK_PKCS11_FUNCTION_INFO(C_SignFinal)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_BYTE_PTR pSignature, /* gets the signature */
+ CK_ULONG_PTR pulSignatureLen /* gets signature length */
+);
+#endif
+
+
+/* C_SignRecoverInit initializes a signature operation, where
+ * the data can be recovered from the signature.
+ */
+CK_PKCS11_FUNCTION_INFO(C_SignRecoverInit)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_MECHANISM_PTR pMechanism, /* the signature mechanism */
+ CK_OBJECT_HANDLE hKey /* handle of the signature key */
+);
+#endif
+
+
+/* C_SignRecover signs data in a single operation, where the
+ * data can be recovered from the signature.
+ */
+CK_PKCS11_FUNCTION_INFO(C_SignRecover)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_BYTE_PTR pData, /* the data to sign */
+ CK_ULONG ulDataLen, /* count of bytes to sign */
+ CK_BYTE_PTR pSignature, /* gets the signature */
+ CK_ULONG_PTR pulSignatureLen /* gets signature length */
+);
+#endif
+
+
+
+/* Verifying signatures and MACs */
+
+/* C_VerifyInit initializes a verification operation, where the
+ * signature is an appendix to the data, and plaintext cannot
+ * cannot be recovered from the signature (e.g. DSA).
+ */
+CK_PKCS11_FUNCTION_INFO(C_VerifyInit)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_MECHANISM_PTR pMechanism, /* the verification mechanism */
+ CK_OBJECT_HANDLE hKey /* verification key */
+);
+#endif
+
+
+/* C_Verify verifies a signature in a single-part operation,
+ * where the signature is an appendix to the data, and plaintext
+ * cannot be recovered from the signature.
+ */
+CK_PKCS11_FUNCTION_INFO(C_Verify)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_BYTE_PTR pData, /* signed data */
+ CK_ULONG ulDataLen, /* length of signed data */
+ CK_BYTE_PTR pSignature, /* signature */
+ CK_ULONG ulSignatureLen /* signature length*/
+);
+#endif
+
+
+/* C_VerifyUpdate continues a multiple-part verification
+ * operation, where the signature is an appendix to the data,
+ * and plaintext cannot be recovered from the signature.
+ */
+CK_PKCS11_FUNCTION_INFO(C_VerifyUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_BYTE_PTR pPart, /* signed data */
+ CK_ULONG ulPartLen /* length of signed data */
+);
+#endif
+
+
+/* C_VerifyFinal finishes a multiple-part verification
+ * operation, checking the signature.
+ */
+CK_PKCS11_FUNCTION_INFO(C_VerifyFinal)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_BYTE_PTR pSignature, /* signature to verify */
+ CK_ULONG ulSignatureLen /* signature length */
+);
+#endif
+
+
+/* C_VerifyRecoverInit initializes a signature verification
+ * operation, where the data is recovered from the signature.
+ */
+CK_PKCS11_FUNCTION_INFO(C_VerifyRecoverInit)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_MECHANISM_PTR pMechanism, /* the verification mechanism */
+ CK_OBJECT_HANDLE hKey /* verification key */
+);
+#endif
+
+
+/* C_VerifyRecover verifies a signature in a single-part
+ * operation, where the data is recovered from the signature.
+ */
+CK_PKCS11_FUNCTION_INFO(C_VerifyRecover)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_BYTE_PTR pSignature, /* signature to verify */
+ CK_ULONG ulSignatureLen, /* signature length */
+ CK_BYTE_PTR pData, /* gets signed data */
+ CK_ULONG_PTR pulDataLen /* gets signed data len */
+);
+#endif
+
+
+
+/* Dual-function cryptographic operations */
+
+/* C_DigestEncryptUpdate continues a multiple-part digesting
+ * and encryption operation.
+ */
+CK_PKCS11_FUNCTION_INFO(C_DigestEncryptUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* session's handle */
+ CK_BYTE_PTR pPart, /* the plaintext data */
+ CK_ULONG ulPartLen, /* plaintext length */
+ CK_BYTE_PTR pEncryptedPart, /* gets ciphertext */
+ CK_ULONG_PTR pulEncryptedPartLen /* gets c-text length */
+);
+#endif
+
+
+/* C_DecryptDigestUpdate continues a multiple-part decryption and
+ * digesting operation.
+ */
+CK_PKCS11_FUNCTION_INFO(C_DecryptDigestUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* session's handle */
+ CK_BYTE_PTR pEncryptedPart, /* ciphertext */
+ CK_ULONG ulEncryptedPartLen, /* ciphertext length */
+ CK_BYTE_PTR pPart, /* gets plaintext */
+ CK_ULONG_PTR pulPartLen /* gets plaintext len */
+);
+#endif
+
+
+/* C_SignEncryptUpdate continues a multiple-part signing and
+ * encryption operation.
+ */
+CK_PKCS11_FUNCTION_INFO(C_SignEncryptUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* session's handle */
+ CK_BYTE_PTR pPart, /* the plaintext data */
+ CK_ULONG ulPartLen, /* plaintext length */
+ CK_BYTE_PTR pEncryptedPart, /* gets ciphertext */
+ CK_ULONG_PTR pulEncryptedPartLen /* gets c-text length */
+);
+#endif
+
+
+/* C_DecryptVerifyUpdate continues a multiple-part decryption and
+ * verify operation.
+ */
+CK_PKCS11_FUNCTION_INFO(C_DecryptVerifyUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* session's handle */
+ CK_BYTE_PTR pEncryptedPart, /* ciphertext */
+ CK_ULONG ulEncryptedPartLen, /* ciphertext length */
+ CK_BYTE_PTR pPart, /* gets plaintext */
+ CK_ULONG_PTR pulPartLen /* gets p-text length */
+);
+#endif
+
+
+
+/* Key management */
+
+/* C_GenerateKey generates a secret key, creating a new key
+ * object.
+ */
+CK_PKCS11_FUNCTION_INFO(C_GenerateKey)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_MECHANISM_PTR pMechanism, /* key generation mech. */
+ CK_ATTRIBUTE_PTR pTemplate, /* template for new key */
+ CK_ULONG ulCount, /* # of attrs in template */
+ CK_OBJECT_HANDLE_PTR phKey /* gets handle of new key */
+);
+#endif
+
+
+/* C_GenerateKeyPair generates a public-key/private-key pair,
+ * creating new key objects.
+ */
+CK_PKCS11_FUNCTION_INFO(C_GenerateKeyPair)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* session handle */
+ CK_MECHANISM_PTR pMechanism, /* key-gen mech. */
+ CK_ATTRIBUTE_PTR pPublicKeyTemplate, /* template for pub. key */
+ CK_ULONG ulPublicKeyAttributeCount, /* # pub. attrs. */
+ CK_ATTRIBUTE_PTR pPrivateKeyTemplate, /* template for priv. key */
+ CK_ULONG ulPrivateKeyAttributeCount, /* # priv. attrs. */
+ CK_OBJECT_HANDLE_PTR phPublicKey, /* gets pub. key handle */
+ CK_OBJECT_HANDLE_PTR phPrivateKey /* gets priv. key handle */
+);
+#endif
+
+
+/* C_WrapKey wraps (i.e., encrypts) a key. */
+CK_PKCS11_FUNCTION_INFO(C_WrapKey)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_MECHANISM_PTR pMechanism, /* the wrapping mechanism */
+ CK_OBJECT_HANDLE hWrappingKey, /* wrapping key */
+ CK_OBJECT_HANDLE hKey, /* key to be wrapped */
+ CK_BYTE_PTR pWrappedKey, /* gets wrapped key */
+ CK_ULONG_PTR pulWrappedKeyLen /* gets wrapped key size */
+);
+#endif
+
+
+/* C_UnwrapKey unwraps (decrypts) a wrapped key, creating a new
+ * key object.
+ */
+CK_PKCS11_FUNCTION_INFO(C_UnwrapKey)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* session's handle */
+ CK_MECHANISM_PTR pMechanism, /* unwrapping mech. */
+ CK_OBJECT_HANDLE hUnwrappingKey, /* unwrapping key */
+ CK_BYTE_PTR pWrappedKey, /* the wrapped key */
+ CK_ULONG ulWrappedKeyLen, /* wrapped key len */
+ CK_ATTRIBUTE_PTR pTemplate, /* new key template */
+ CK_ULONG ulAttributeCount, /* template length */
+ CK_OBJECT_HANDLE_PTR phKey /* gets new handle */
+);
+#endif
+
+
+/* C_DeriveKey derives a key from a base key, creating a new key
+ * object.
+ */
+CK_PKCS11_FUNCTION_INFO(C_DeriveKey)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* session's handle */
+ CK_MECHANISM_PTR pMechanism, /* key deriv. mech. */
+ CK_OBJECT_HANDLE hBaseKey, /* base key */
+ CK_ATTRIBUTE_PTR pTemplate, /* new key template */
+ CK_ULONG ulAttributeCount, /* template length */
+ CK_OBJECT_HANDLE_PTR phKey /* gets new handle */
+);
+#endif
+
+
+
+/* Random number generation */
+
+/* C_SeedRandom mixes additional seed material into the token's
+ * random number generator.
+ */
+CK_PKCS11_FUNCTION_INFO(C_SeedRandom)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_BYTE_PTR pSeed, /* the seed material */
+ CK_ULONG ulSeedLen /* length of seed material */
+);
+#endif
+
+
+/* C_GenerateRandom generates random data. */
+CK_PKCS11_FUNCTION_INFO(C_GenerateRandom)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_BYTE_PTR RandomData, /* receives the random data */
+ CK_ULONG ulRandomLen /* # of bytes to generate */
+);
+#endif
+
+
+
+/* Parallel function management */
+
+/* C_GetFunctionStatus is a legacy function; it obtains an
+ * updated status of a function running in parallel with an
+ * application.
+ */
+CK_PKCS11_FUNCTION_INFO(C_GetFunctionStatus)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession /* the session's handle */
+);
+#endif
+
+
+/* C_CancelFunction is a legacy function; it cancels a function
+ * running in parallel.
+ */
+CK_PKCS11_FUNCTION_INFO(C_CancelFunction)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession /* the session's handle */
+);
+#endif
+
+
+/* C_WaitForSlotEvent waits for a slot event (token insertion,
+ * removal, etc.) to occur.
+ */
+CK_PKCS11_FUNCTION_INFO(C_WaitForSlotEvent)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_FLAGS flags, /* blocking/nonblocking flag */
+ CK_SLOT_ID_PTR pSlot, /* location that receives the slot ID */
+ CK_VOID_PTR pRserved /* reserved. Should be NULL_PTR */
+);
+#endif
+
diff --git a/vendor/github.com/miekg/pkcs11/pkcs11go.h b/vendor/github.com/miekg/pkcs11/pkcs11go.h
new file mode 100644
index 000000000..1b98bad21
--- /dev/null
+++ b/vendor/github.com/miekg/pkcs11/pkcs11go.h
@@ -0,0 +1,33 @@
+//
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+//
+
+#define CK_PTR *
+#ifndef NULL_PTR
+#define NULL_PTR 0
+#endif
+#define CK_DEFINE_FUNCTION(returnType, name) returnType name
+#define CK_DECLARE_FUNCTION(returnType, name) returnType name
+#define CK_DECLARE_FUNCTION_POINTER(returnType, name) returnType (* name)
+#define CK_CALLBACK_FUNCTION(returnType, name) returnType (* name)
+
+#include <unistd.h>
+#ifdef PACKED_STRUCTURES
+# pragma pack(push, 1)
+# include "pkcs11.h"
+# pragma pack(pop)
+#else
+# include "pkcs11.h"
+#endif
+
+// Copy of CK_INFO but with default alignment (not packed). Go hides unaligned
+// struct fields so copying to an aligned struct is necessary to read CK_INFO
+// from Go on Windows where packing is required.
+typedef struct ckInfo {
+ CK_VERSION cryptokiVersion;
+ CK_UTF8CHAR manufacturerID[32];
+ CK_FLAGS flags;
+ CK_UTF8CHAR libraryDescription[32];
+ CK_VERSION libraryVersion;
+} ckInfo, *ckInfoPtr;
diff --git a/vendor/github.com/miekg/pkcs11/pkcs11t.h b/vendor/github.com/miekg/pkcs11/pkcs11t.h
new file mode 100644
index 000000000..321c3075a
--- /dev/null
+++ b/vendor/github.com/miekg/pkcs11/pkcs11t.h
@@ -0,0 +1,2047 @@
+/* Copyright (c) OASIS Open 2016. All Rights Reserved./
+ * /Distributed under the terms of the OASIS IPR Policy,
+ * [http://www.oasis-open.org/policies-guidelines/ipr], AS-IS, WITHOUT ANY
+ * IMPLIED OR EXPRESS WARRANTY; there is no warranty of MERCHANTABILITY, FITNESS FOR A
+ * PARTICULAR PURPOSE or NONINFRINGEMENT of the rights of others.
+ */
+
+/* Latest version of the specification:
+ * http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/pkcs11-base-v2.40.html
+ */
+
+/* See top of pkcs11.h for information about the macros that
+ * must be defined and the structure-packing conventions that
+ * must be set before including this file.
+ */
+
+#ifndef _PKCS11T_H_
+#define _PKCS11T_H_ 1
+
+#define CRYPTOKI_VERSION_MAJOR 2
+#define CRYPTOKI_VERSION_MINOR 40
+#define CRYPTOKI_VERSION_AMENDMENT 0
+
+#define CK_TRUE 1
+#define CK_FALSE 0
+
+#ifndef CK_DISABLE_TRUE_FALSE
+#ifndef FALSE
+#define FALSE CK_FALSE
+#endif
+#ifndef TRUE
+#define TRUE CK_TRUE
+#endif
+#endif
+
+/* an unsigned 8-bit value */
+typedef unsigned char CK_BYTE;
+
+/* an unsigned 8-bit character */
+typedef CK_BYTE CK_CHAR;
+
+/* an 8-bit UTF-8 character */
+typedef CK_BYTE CK_UTF8CHAR;
+
+/* a BYTE-sized Boolean flag */
+typedef CK_BYTE CK_BBOOL;
+
+/* an unsigned value, at least 32 bits long */
+typedef unsigned long int CK_ULONG;
+
+/* a signed value, the same size as a CK_ULONG */
+typedef long int CK_LONG;
+
+/* at least 32 bits; each bit is a Boolean flag */
+typedef CK_ULONG CK_FLAGS;
+
+
+/* some special values for certain CK_ULONG variables */
+#define CK_UNAVAILABLE_INFORMATION (~0UL)
+#define CK_EFFECTIVELY_INFINITE 0UL
+
+
+typedef CK_BYTE CK_PTR CK_BYTE_PTR;
+typedef CK_CHAR CK_PTR CK_CHAR_PTR;
+typedef CK_UTF8CHAR CK_PTR CK_UTF8CHAR_PTR;
+typedef CK_ULONG CK_PTR CK_ULONG_PTR;
+typedef void CK_PTR CK_VOID_PTR;
+
+/* Pointer to a CK_VOID_PTR-- i.e., pointer to pointer to void */
+typedef CK_VOID_PTR CK_PTR CK_VOID_PTR_PTR;
+
+
+/* The following value is always invalid if used as a session
+ * handle or object handle
+ */
+#define CK_INVALID_HANDLE 0UL
+
+
+typedef struct CK_VERSION {
+ CK_BYTE major; /* integer portion of version number */
+ CK_BYTE minor; /* 1/100ths portion of version number */
+} CK_VERSION;
+
+typedef CK_VERSION CK_PTR CK_VERSION_PTR;
+
+
+typedef struct CK_INFO {
+ CK_VERSION cryptokiVersion; /* Cryptoki interface ver */
+ CK_UTF8CHAR manufacturerID[32]; /* blank padded */
+ CK_FLAGS flags; /* must be zero */
+ CK_UTF8CHAR libraryDescription[32]; /* blank padded */
+ CK_VERSION libraryVersion; /* version of library */
+} CK_INFO;
+
+typedef CK_INFO CK_PTR CK_INFO_PTR;
+
+
+/* CK_NOTIFICATION enumerates the types of notifications that
+ * Cryptoki provides to an application
+ */
+typedef CK_ULONG CK_NOTIFICATION;
+#define CKN_SURRENDER 0UL
+#define CKN_OTP_CHANGED 1UL
+
+typedef CK_ULONG CK_SLOT_ID;
+
+typedef CK_SLOT_ID CK_PTR CK_SLOT_ID_PTR;
+
+
+/* CK_SLOT_INFO provides information about a slot */
+typedef struct CK_SLOT_INFO {
+ CK_UTF8CHAR slotDescription[64]; /* blank padded */
+ CK_UTF8CHAR manufacturerID[32]; /* blank padded */
+ CK_FLAGS flags;
+
+ CK_VERSION hardwareVersion; /* version of hardware */
+ CK_VERSION firmwareVersion; /* version of firmware */
+} CK_SLOT_INFO;
+
+/* flags: bit flags that provide capabilities of the slot
+ * Bit Flag Mask Meaning
+ */
+#define CKF_TOKEN_PRESENT 0x00000001UL /* a token is there */
+#define CKF_REMOVABLE_DEVICE 0x00000002UL /* removable devices*/
+#define CKF_HW_SLOT 0x00000004UL /* hardware slot */
+
+typedef CK_SLOT_INFO CK_PTR CK_SLOT_INFO_PTR;
+
+
+/* CK_TOKEN_INFO provides information about a token */
+typedef struct CK_TOKEN_INFO {
+ CK_UTF8CHAR label[32]; /* blank padded */
+ CK_UTF8CHAR manufacturerID[32]; /* blank padded */
+ CK_UTF8CHAR model[16]; /* blank padded */
+ CK_CHAR serialNumber[16]; /* blank padded */
+ CK_FLAGS flags; /* see below */
+
+ CK_ULONG ulMaxSessionCount; /* max open sessions */
+ CK_ULONG ulSessionCount; /* sess. now open */
+ CK_ULONG ulMaxRwSessionCount; /* max R/W sessions */
+ CK_ULONG ulRwSessionCount; /* R/W sess. now open */
+ CK_ULONG ulMaxPinLen; /* in bytes */
+ CK_ULONG ulMinPinLen; /* in bytes */
+ CK_ULONG ulTotalPublicMemory; /* in bytes */
+ CK_ULONG ulFreePublicMemory; /* in bytes */
+ CK_ULONG ulTotalPrivateMemory; /* in bytes */
+ CK_ULONG ulFreePrivateMemory; /* in bytes */
+ CK_VERSION hardwareVersion; /* version of hardware */
+ CK_VERSION firmwareVersion; /* version of firmware */
+ CK_CHAR utcTime[16]; /* time */
+} CK_TOKEN_INFO;
+
+/* The flags parameter is defined as follows:
+ * Bit Flag Mask Meaning
+ */
+#define CKF_RNG 0x00000001UL /* has random # generator */
+#define CKF_WRITE_PROTECTED 0x00000002UL /* token is write-protected */
+#define CKF_LOGIN_REQUIRED 0x00000004UL /* user must login */
+#define CKF_USER_PIN_INITIALIZED 0x00000008UL /* normal user's PIN is set */
+
+/* CKF_RESTORE_KEY_NOT_NEEDED. If it is set,
+ * that means that *every* time the state of cryptographic
+ * operations of a session is successfully saved, all keys
+ * needed to continue those operations are stored in the state
+ */
+#define CKF_RESTORE_KEY_NOT_NEEDED 0x00000020UL
+
+/* CKF_CLOCK_ON_TOKEN. If it is set, that means
+ * that the token has some sort of clock. The time on that
+ * clock is returned in the token info structure
+ */
+#define CKF_CLOCK_ON_TOKEN 0x00000040UL
+
+/* CKF_PROTECTED_AUTHENTICATION_PATH. If it is
+ * set, that means that there is some way for the user to login
+ * without sending a PIN through the Cryptoki library itself
+ */
+#define CKF_PROTECTED_AUTHENTICATION_PATH 0x00000100UL
+
+/* CKF_DUAL_CRYPTO_OPERATIONS. If it is true,
+ * that means that a single session with the token can perform
+ * dual simultaneous cryptographic operations (digest and
+ * encrypt; decrypt and digest; sign and encrypt; and decrypt
+ * and sign)
+ */
+#define CKF_DUAL_CRYPTO_OPERATIONS 0x00000200UL
+
+/* CKF_TOKEN_INITIALIZED. If it is true, the
+ * token has been initialized using C_InitializeToken or an
+ * equivalent mechanism outside the scope of PKCS #11.
+ * Calling C_InitializeToken when this flag is set will cause
+ * the token to be reinitialized.
+ */
+#define CKF_TOKEN_INITIALIZED 0x00000400UL
+
+/* CKF_SECONDARY_AUTHENTICATION. If it is
+ * true, the token supports secondary authentication for
+ * private key objects.
+ */
+#define CKF_SECONDARY_AUTHENTICATION 0x00000800UL
+
+/* CKF_USER_PIN_COUNT_LOW. If it is true, an
+ * incorrect user login PIN has been entered at least once
+ * since the last successful authentication.
+ */
+#define CKF_USER_PIN_COUNT_LOW 0x00010000UL
+
+/* CKF_USER_PIN_FINAL_TRY. If it is true,
+ * supplying an incorrect user PIN will it to become locked.
+ */
+#define CKF_USER_PIN_FINAL_TRY 0x00020000UL
+
+/* CKF_USER_PIN_LOCKED. If it is true, the
+ * user PIN has been locked. User login to the token is not
+ * possible.
+ */
+#define CKF_USER_PIN_LOCKED 0x00040000UL
+
+/* CKF_USER_PIN_TO_BE_CHANGED. If it is true,
+ * the user PIN value is the default value set by token
+ * initialization or manufacturing, or the PIN has been
+ * expired by the card.
+ */
+#define CKF_USER_PIN_TO_BE_CHANGED 0x00080000UL
+
+/* CKF_SO_PIN_COUNT_LOW. If it is true, an
+ * incorrect SO login PIN has been entered at least once since
+ * the last successful authentication.
+ */
+#define CKF_SO_PIN_COUNT_LOW 0x00100000UL
+
+/* CKF_SO_PIN_FINAL_TRY. If it is true,
+ * supplying an incorrect SO PIN will it to become locked.
+ */
+#define CKF_SO_PIN_FINAL_TRY 0x00200000UL
+
+/* CKF_SO_PIN_LOCKED. If it is true, the SO
+ * PIN has been locked. SO login to the token is not possible.
+ */
+#define CKF_SO_PIN_LOCKED 0x00400000UL
+
+/* CKF_SO_PIN_TO_BE_CHANGED. If it is true,
+ * the SO PIN value is the default value set by token
+ * initialization or manufacturing, or the PIN has been
+ * expired by the card.
+ */
+#define CKF_SO_PIN_TO_BE_CHANGED 0x00800000UL
+
+#define CKF_ERROR_STATE 0x01000000UL
+
+typedef CK_TOKEN_INFO CK_PTR CK_TOKEN_INFO_PTR;
+
+
+/* CK_SESSION_HANDLE is a Cryptoki-assigned value that
+ * identifies a session
+ */
+typedef CK_ULONG CK_SESSION_HANDLE;
+
+typedef CK_SESSION_HANDLE CK_PTR CK_SESSION_HANDLE_PTR;
+
+
+/* CK_USER_TYPE enumerates the types of Cryptoki users */
+typedef CK_ULONG CK_USER_TYPE;
+/* Security Officer */
+#define CKU_SO 0UL
+/* Normal user */
+#define CKU_USER 1UL
+/* Context specific */
+#define CKU_CONTEXT_SPECIFIC 2UL
+
+/* CK_STATE enumerates the session states */
+typedef CK_ULONG CK_STATE;
+#define CKS_RO_PUBLIC_SESSION 0UL
+#define CKS_RO_USER_FUNCTIONS 1UL
+#define CKS_RW_PUBLIC_SESSION 2UL
+#define CKS_RW_USER_FUNCTIONS 3UL
+#define CKS_RW_SO_FUNCTIONS 4UL
+
+/* CK_SESSION_INFO provides information about a session */
+typedef struct CK_SESSION_INFO {
+ CK_SLOT_ID slotID;
+ CK_STATE state;
+ CK_FLAGS flags; /* see below */
+ CK_ULONG ulDeviceError; /* device-dependent error code */
+} CK_SESSION_INFO;
+
+/* The flags are defined in the following table:
+ * Bit Flag Mask Meaning
+ */
+#define CKF_RW_SESSION 0x00000002UL /* session is r/w */
+#define CKF_SERIAL_SESSION 0x00000004UL /* no parallel */
+
+typedef CK_SESSION_INFO CK_PTR CK_SESSION_INFO_PTR;
+
+
+/* CK_OBJECT_HANDLE is a token-specific identifier for an
+ * object
+ */
+typedef CK_ULONG CK_OBJECT_HANDLE;
+
+typedef CK_OBJECT_HANDLE CK_PTR CK_OBJECT_HANDLE_PTR;
+
+
+/* CK_OBJECT_CLASS is a value that identifies the classes (or
+ * types) of objects that Cryptoki recognizes. It is defined
+ * as follows:
+ */
+typedef CK_ULONG CK_OBJECT_CLASS;
+
+/* The following classes of objects are defined: */
+#define CKO_DATA 0x00000000UL
+#define CKO_CERTIFICATE 0x00000001UL
+#define CKO_PUBLIC_KEY 0x00000002UL
+#define CKO_PRIVATE_KEY 0x00000003UL
+#define CKO_SECRET_KEY 0x00000004UL
+#define CKO_HW_FEATURE 0x00000005UL
+#define CKO_DOMAIN_PARAMETERS 0x00000006UL
+#define CKO_MECHANISM 0x00000007UL
+#define CKO_OTP_KEY 0x00000008UL
+
+#define CKO_VENDOR_DEFINED 0x80000000UL
+
+typedef CK_OBJECT_CLASS CK_PTR CK_OBJECT_CLASS_PTR;
+
+/* CK_HW_FEATURE_TYPE is a value that identifies the hardware feature type
+ * of an object with CK_OBJECT_CLASS equal to CKO_HW_FEATURE.
+ */
+typedef CK_ULONG CK_HW_FEATURE_TYPE;
+
+/* The following hardware feature types are defined */
+#define CKH_MONOTONIC_COUNTER 0x00000001UL
+#define CKH_CLOCK 0x00000002UL
+#define CKH_USER_INTERFACE 0x00000003UL
+#define CKH_VENDOR_DEFINED 0x80000000UL
+
+/* CK_KEY_TYPE is a value that identifies a key type */
+typedef CK_ULONG CK_KEY_TYPE;
+
+/* the following key types are defined: */
+#define CKK_RSA 0x00000000UL
+#define CKK_DSA 0x00000001UL
+#define CKK_DH 0x00000002UL
+#define CKK_ECDSA 0x00000003UL /* Deprecated */
+#define CKK_EC 0x00000003UL
+#define CKK_X9_42_DH 0x00000004UL
+#define CKK_KEA 0x00000005UL
+#define CKK_GENERIC_SECRET 0x00000010UL
+#define CKK_RC2 0x00000011UL
+#define CKK_RC4 0x00000012UL
+#define CKK_DES 0x00000013UL
+#define CKK_DES2 0x00000014UL
+#define CKK_DES3 0x00000015UL
+#define CKK_CAST 0x00000016UL
+#define CKK_CAST3 0x00000017UL
+#define CKK_CAST5 0x00000018UL /* Deprecated */
+#define CKK_CAST128 0x00000018UL
+#define CKK_RC5 0x00000019UL
+#define CKK_IDEA 0x0000001AUL
+#define CKK_SKIPJACK 0x0000001BUL
+#define CKK_BATON 0x0000001CUL
+#define CKK_JUNIPER 0x0000001DUL
+#define CKK_CDMF 0x0000001EUL
+#define CKK_AES 0x0000001FUL
+#define CKK_BLOWFISH 0x00000020UL
+#define CKK_TWOFISH 0x00000021UL
+#define CKK_SECURID 0x00000022UL
+#define CKK_HOTP 0x00000023UL
+#define CKK_ACTI 0x00000024UL
+#define CKK_CAMELLIA 0x00000025UL
+#define CKK_ARIA 0x00000026UL
+
+#define CKK_MD5_HMAC 0x00000027UL
+#define CKK_SHA_1_HMAC 0x00000028UL
+#define CKK_RIPEMD128_HMAC 0x00000029UL
+#define CKK_RIPEMD160_HMAC 0x0000002AUL
+#define CKK_SHA256_HMAC 0x0000002BUL
+#define CKK_SHA384_HMAC 0x0000002CUL
+#define CKK_SHA512_HMAC 0x0000002DUL
+#define CKK_SHA224_HMAC 0x0000002EUL
+
+#define CKK_SEED 0x0000002FUL
+#define CKK_GOSTR3410 0x00000030UL
+#define CKK_GOSTR3411 0x00000031UL
+#define CKK_GOST28147 0x00000032UL
+
+#define CKK_SHA3_224_HMAC 0x00000033UL
+#define CKK_SHA3_256_HMAC 0x00000034UL
+#define CKK_SHA3_384_HMAC 0x00000035UL
+#define CKK_SHA3_512_HMAC 0x00000036UL
+
+
+
+#define CKK_VENDOR_DEFINED 0x80000000UL
+
+
+/* CK_CERTIFICATE_TYPE is a value that identifies a certificate
+ * type
+ */
+typedef CK_ULONG CK_CERTIFICATE_TYPE;
+
+#define CK_CERTIFICATE_CATEGORY_UNSPECIFIED 0UL
+#define CK_CERTIFICATE_CATEGORY_TOKEN_USER 1UL
+#define CK_CERTIFICATE_CATEGORY_AUTHORITY 2UL
+#define CK_CERTIFICATE_CATEGORY_OTHER_ENTITY 3UL
+
+#define CK_SECURITY_DOMAIN_UNSPECIFIED 0UL
+#define CK_SECURITY_DOMAIN_MANUFACTURER 1UL
+#define CK_SECURITY_DOMAIN_OPERATOR 2UL
+#define CK_SECURITY_DOMAIN_THIRD_PARTY 3UL
+
+
+/* The following certificate types are defined: */
+#define CKC_X_509 0x00000000UL
+#define CKC_X_509_ATTR_CERT 0x00000001UL
+#define CKC_WTLS 0x00000002UL
+#define CKC_VENDOR_DEFINED 0x80000000UL
+
+
+/* CK_ATTRIBUTE_TYPE is a value that identifies an attribute
+ * type
+ */
+typedef CK_ULONG CK_ATTRIBUTE_TYPE;
+
+/* The CKF_ARRAY_ATTRIBUTE flag identifies an attribute which
+ * consists of an array of values.
+ */
+#define CKF_ARRAY_ATTRIBUTE 0x40000000UL
+
+/* The following OTP-related defines relate to the CKA_OTP_FORMAT attribute */
+#define CK_OTP_FORMAT_DECIMAL 0UL
+#define CK_OTP_FORMAT_HEXADECIMAL 1UL
+#define CK_OTP_FORMAT_ALPHANUMERIC 2UL
+#define CK_OTP_FORMAT_BINARY 3UL
+
+/* The following OTP-related defines relate to the CKA_OTP_..._REQUIREMENT
+ * attributes
+ */
+#define CK_OTP_PARAM_IGNORED 0UL
+#define CK_OTP_PARAM_OPTIONAL 1UL
+#define CK_OTP_PARAM_MANDATORY 2UL
+
+/* The following attribute types are defined: */
+#define CKA_CLASS 0x00000000UL
+#define CKA_TOKEN 0x00000001UL
+#define CKA_PRIVATE 0x00000002UL
+#define CKA_LABEL 0x00000003UL
+#define CKA_APPLICATION 0x00000010UL
+#define CKA_VALUE 0x00000011UL
+#define CKA_OBJECT_ID 0x00000012UL
+#define CKA_CERTIFICATE_TYPE 0x00000080UL
+#define CKA_ISSUER 0x00000081UL
+#define CKA_SERIAL_NUMBER 0x00000082UL
+#define CKA_AC_ISSUER 0x00000083UL
+#define CKA_OWNER 0x00000084UL
+#define CKA_ATTR_TYPES 0x00000085UL
+#define CKA_TRUSTED 0x00000086UL
+#define CKA_CERTIFICATE_CATEGORY 0x00000087UL
+#define CKA_JAVA_MIDP_SECURITY_DOMAIN 0x00000088UL
+#define CKA_URL 0x00000089UL
+#define CKA_HASH_OF_SUBJECT_PUBLIC_KEY 0x0000008AUL
+#define CKA_HASH_OF_ISSUER_PUBLIC_KEY 0x0000008BUL
+#define CKA_NAME_HASH_ALGORITHM 0x0000008CUL
+#define CKA_CHECK_VALUE 0x00000090UL
+
+#define CKA_KEY_TYPE 0x00000100UL
+#define CKA_SUBJECT 0x00000101UL
+#define CKA_ID 0x00000102UL
+#define CKA_SENSITIVE 0x00000103UL
+#define CKA_ENCRYPT 0x00000104UL
+#define CKA_DECRYPT 0x00000105UL
+#define CKA_WRAP 0x00000106UL
+#define CKA_UNWRAP 0x00000107UL
+#define CKA_SIGN 0x00000108UL
+#define CKA_SIGN_RECOVER 0x00000109UL
+#define CKA_VERIFY 0x0000010AUL
+#define CKA_VERIFY_RECOVER 0x0000010BUL
+#define CKA_DERIVE 0x0000010CUL
+#define CKA_START_DATE 0x00000110UL
+#define CKA_END_DATE 0x00000111UL
+#define CKA_MODULUS 0x00000120UL
+#define CKA_MODULUS_BITS 0x00000121UL
+#define CKA_PUBLIC_EXPONENT 0x00000122UL
+#define CKA_PRIVATE_EXPONENT 0x00000123UL
+#define CKA_PRIME_1 0x00000124UL
+#define CKA_PRIME_2 0x00000125UL
+#define CKA_EXPONENT_1 0x00000126UL
+#define CKA_EXPONENT_2 0x00000127UL
+#define CKA_COEFFICIENT 0x00000128UL
+#define CKA_PUBLIC_KEY_INFO 0x00000129UL
+#define CKA_PRIME 0x00000130UL
+#define CKA_SUBPRIME 0x00000131UL
+#define CKA_BASE 0x00000132UL
+
+#define CKA_PRIME_BITS 0x00000133UL
+#define CKA_SUBPRIME_BITS 0x00000134UL
+#define CKA_SUB_PRIME_BITS CKA_SUBPRIME_BITS
+
+#define CKA_VALUE_BITS 0x00000160UL
+#define CKA_VALUE_LEN 0x00000161UL
+#define CKA_EXTRACTABLE 0x00000162UL
+#define CKA_LOCAL 0x00000163UL
+#define CKA_NEVER_EXTRACTABLE 0x00000164UL
+#define CKA_ALWAYS_SENSITIVE 0x00000165UL
+#define CKA_KEY_GEN_MECHANISM 0x00000166UL
+
+#define CKA_MODIFIABLE 0x00000170UL
+#define CKA_COPYABLE 0x00000171UL
+
+#define CKA_DESTROYABLE 0x00000172UL
+
+#define CKA_ECDSA_PARAMS 0x00000180UL /* Deprecated */
+#define CKA_EC_PARAMS 0x00000180UL
+
+#define CKA_EC_POINT 0x00000181UL
+
+#define CKA_SECONDARY_AUTH 0x00000200UL /* Deprecated */
+#define CKA_AUTH_PIN_FLAGS 0x00000201UL /* Deprecated */
+
+#define CKA_ALWAYS_AUTHENTICATE 0x00000202UL
+
+#define CKA_WRAP_WITH_TRUSTED 0x00000210UL
+#define CKA_WRAP_TEMPLATE (CKF_ARRAY_ATTRIBUTE|0x00000211UL)
+#define CKA_UNWRAP_TEMPLATE (CKF_ARRAY_ATTRIBUTE|0x00000212UL)
+#define CKA_DERIVE_TEMPLATE (CKF_ARRAY_ATTRIBUTE|0x00000213UL)
+
+#define CKA_OTP_FORMAT 0x00000220UL
+#define CKA_OTP_LENGTH 0x00000221UL
+#define CKA_OTP_TIME_INTERVAL 0x00000222UL
+#define CKA_OTP_USER_FRIENDLY_MODE 0x00000223UL
+#define CKA_OTP_CHALLENGE_REQUIREMENT 0x00000224UL
+#define CKA_OTP_TIME_REQUIREMENT 0x00000225UL
+#define CKA_OTP_COUNTER_REQUIREMENT 0x00000226UL
+#define CKA_OTP_PIN_REQUIREMENT 0x00000227UL
+#define CKA_OTP_COUNTER 0x0000022EUL
+#define CKA_OTP_TIME 0x0000022FUL
+#define CKA_OTP_USER_IDENTIFIER 0x0000022AUL
+#define CKA_OTP_SERVICE_IDENTIFIER 0x0000022BUL
+#define CKA_OTP_SERVICE_LOGO 0x0000022CUL
+#define CKA_OTP_SERVICE_LOGO_TYPE 0x0000022DUL
+
+#define CKA_GOSTR3410_PARAMS 0x00000250UL
+#define CKA_GOSTR3411_PARAMS 0x00000251UL
+#define CKA_GOST28147_PARAMS 0x00000252UL
+
+#define CKA_HW_FEATURE_TYPE 0x00000300UL
+#define CKA_RESET_ON_INIT 0x00000301UL
+#define CKA_HAS_RESET 0x00000302UL
+
+#define CKA_PIXEL_X 0x00000400UL
+#define CKA_PIXEL_Y 0x00000401UL
+#define CKA_RESOLUTION 0x00000402UL
+#define CKA_CHAR_ROWS 0x00000403UL
+#define CKA_CHAR_COLUMNS 0x00000404UL
+#define CKA_COLOR 0x00000405UL
+#define CKA_BITS_PER_PIXEL 0x00000406UL
+#define CKA_CHAR_SETS 0x00000480UL
+#define CKA_ENCODING_METHODS 0x00000481UL
+#define CKA_MIME_TYPES 0x00000482UL
+#define CKA_MECHANISM_TYPE 0x00000500UL
+#define CKA_REQUIRED_CMS_ATTRIBUTES 0x00000501UL
+#define CKA_DEFAULT_CMS_ATTRIBUTES 0x00000502UL
+#define CKA_SUPPORTED_CMS_ATTRIBUTES 0x00000503UL
+#define CKA_ALLOWED_MECHANISMS (CKF_ARRAY_ATTRIBUTE|0x00000600UL)
+
+#define CKA_VENDOR_DEFINED 0x80000000UL
+
+/* CK_ATTRIBUTE is a structure that includes the type, length
+ * and value of an attribute
+ */
+typedef struct CK_ATTRIBUTE {
+ CK_ATTRIBUTE_TYPE type;
+ CK_VOID_PTR pValue;
+ CK_ULONG ulValueLen; /* in bytes */
+} CK_ATTRIBUTE;
+
+typedef CK_ATTRIBUTE CK_PTR CK_ATTRIBUTE_PTR;
+
+/* CK_DATE is a structure that defines a date */
+typedef struct CK_DATE{
+ CK_CHAR year[4]; /* the year ("1900" - "9999") */
+ CK_CHAR month[2]; /* the month ("01" - "12") */
+ CK_CHAR day[2]; /* the day ("01" - "31") */
+} CK_DATE;
+
+
+/* CK_MECHANISM_TYPE is a value that identifies a mechanism
+ * type
+ */
+typedef CK_ULONG CK_MECHANISM_TYPE;
+
+/* the following mechanism types are defined: */
+#define CKM_RSA_PKCS_KEY_PAIR_GEN 0x00000000UL
+#define CKM_RSA_PKCS 0x00000001UL
+#define CKM_RSA_9796 0x00000002UL
+#define CKM_RSA_X_509 0x00000003UL
+
+#define CKM_MD2_RSA_PKCS 0x00000004UL
+#define CKM_MD5_RSA_PKCS 0x00000005UL
+#define CKM_SHA1_RSA_PKCS 0x00000006UL
+
+#define CKM_RIPEMD128_RSA_PKCS 0x00000007UL
+#define CKM_RIPEMD160_RSA_PKCS 0x00000008UL
+#define CKM_RSA_PKCS_OAEP 0x00000009UL
+
+#define CKM_RSA_X9_31_KEY_PAIR_GEN 0x0000000AUL
+#define CKM_RSA_X9_31 0x0000000BUL
+#define CKM_SHA1_RSA_X9_31 0x0000000CUL
+#define CKM_RSA_PKCS_PSS 0x0000000DUL
+#define CKM_SHA1_RSA_PKCS_PSS 0x0000000EUL
+
+#define CKM_DSA_KEY_PAIR_GEN 0x00000010UL
+#define CKM_DSA 0x00000011UL
+#define CKM_DSA_SHA1 0x00000012UL
+#define CKM_DSA_SHA224 0x00000013UL
+#define CKM_DSA_SHA256 0x00000014UL
+#define CKM_DSA_SHA384 0x00000015UL
+#define CKM_DSA_SHA512 0x00000016UL
+#define CKM_DSA_SHA3_224 0x00000018UL
+#define CKM_DSA_SHA3_256 0x00000019UL
+#define CKM_DSA_SHA3_384 0x0000001AUL
+#define CKM_DSA_SHA3_512 0x0000001BUL
+
+#define CKM_DH_PKCS_KEY_PAIR_GEN 0x00000020UL
+#define CKM_DH_PKCS_DERIVE 0x00000021UL
+
+#define CKM_X9_42_DH_KEY_PAIR_GEN 0x00000030UL
+#define CKM_X9_42_DH_DERIVE 0x00000031UL
+#define CKM_X9_42_DH_HYBRID_DERIVE 0x00000032UL
+#define CKM_X9_42_MQV_DERIVE 0x00000033UL
+
+#define CKM_SHA256_RSA_PKCS 0x00000040UL
+#define CKM_SHA384_RSA_PKCS 0x00000041UL
+#define CKM_SHA512_RSA_PKCS 0x00000042UL
+#define CKM_SHA256_RSA_PKCS_PSS 0x00000043UL
+#define CKM_SHA384_RSA_PKCS_PSS 0x00000044UL
+#define CKM_SHA512_RSA_PKCS_PSS 0x00000045UL
+
+#define CKM_SHA224_RSA_PKCS 0x00000046UL
+#define CKM_SHA224_RSA_PKCS_PSS 0x00000047UL
+
+#define CKM_SHA512_224 0x00000048UL
+#define CKM_SHA512_224_HMAC 0x00000049UL
+#define CKM_SHA512_224_HMAC_GENERAL 0x0000004AUL
+#define CKM_SHA512_224_KEY_DERIVATION 0x0000004BUL
+#define CKM_SHA512_256 0x0000004CUL
+#define CKM_SHA512_256_HMAC 0x0000004DUL
+#define CKM_SHA512_256_HMAC_GENERAL 0x0000004EUL
+#define CKM_SHA512_256_KEY_DERIVATION 0x0000004FUL
+
+#define CKM_SHA512_T 0x00000050UL
+#define CKM_SHA512_T_HMAC 0x00000051UL
+#define CKM_SHA512_T_HMAC_GENERAL 0x00000052UL
+#define CKM_SHA512_T_KEY_DERIVATION 0x00000053UL
+
+#define CKM_SHA3_256_RSA_PKCS 0x00000060UL
+#define CKM_SHA3_384_RSA_PKCS 0x00000061UL
+#define CKM_SHA3_512_RSA_PKCS 0x00000062UL
+#define CKM_SHA3_256_RSA_PKCS_PSS 0x00000063UL
+#define CKM_SHA3_384_RSA_PKCS_PSS 0x00000064UL
+#define CKM_SHA3_512_RSA_PKCS_PSS 0x00000065UL
+#define CKM_SHA3_224_RSA_PKCS 0x00000066UL
+#define CKM_SHA3_224_RSA_PKCS_PSS 0x00000067UL
+
+#define CKM_RC2_KEY_GEN 0x00000100UL
+#define CKM_RC2_ECB 0x00000101UL
+#define CKM_RC2_CBC 0x00000102UL
+#define CKM_RC2_MAC 0x00000103UL
+
+#define CKM_RC2_MAC_GENERAL 0x00000104UL
+#define CKM_RC2_CBC_PAD 0x00000105UL
+
+#define CKM_RC4_KEY_GEN 0x00000110UL
+#define CKM_RC4 0x00000111UL
+#define CKM_DES_KEY_GEN 0x00000120UL
+#define CKM_DES_ECB 0x00000121UL
+#define CKM_DES_CBC 0x00000122UL
+#define CKM_DES_MAC 0x00000123UL
+
+#define CKM_DES_MAC_GENERAL 0x00000124UL
+#define CKM_DES_CBC_PAD 0x00000125UL
+
+#define CKM_DES2_KEY_GEN 0x00000130UL
+#define CKM_DES3_KEY_GEN 0x00000131UL
+#define CKM_DES3_ECB 0x00000132UL
+#define CKM_DES3_CBC 0x00000133UL
+#define CKM_DES3_MAC 0x00000134UL
+
+#define CKM_DES3_MAC_GENERAL 0x00000135UL
+#define CKM_DES3_CBC_PAD 0x00000136UL
+#define CKM_DES3_CMAC_GENERAL 0x00000137UL
+#define CKM_DES3_CMAC 0x00000138UL
+#define CKM_CDMF_KEY_GEN 0x00000140UL
+#define CKM_CDMF_ECB 0x00000141UL
+#define CKM_CDMF_CBC 0x00000142UL
+#define CKM_CDMF_MAC 0x00000143UL
+#define CKM_CDMF_MAC_GENERAL 0x00000144UL
+#define CKM_CDMF_CBC_PAD 0x00000145UL
+
+#define CKM_DES_OFB64 0x00000150UL
+#define CKM_DES_OFB8 0x00000151UL
+#define CKM_DES_CFB64 0x00000152UL
+#define CKM_DES_CFB8 0x00000153UL
+
+#define CKM_MD2 0x00000200UL
+
+#define CKM_MD2_HMAC 0x00000201UL
+#define CKM_MD2_HMAC_GENERAL 0x00000202UL
+
+#define CKM_MD5 0x00000210UL
+
+#define CKM_MD5_HMAC 0x00000211UL
+#define CKM_MD5_HMAC_GENERAL 0x00000212UL
+
+#define CKM_SHA_1 0x00000220UL
+
+#define CKM_SHA_1_HMAC 0x00000221UL
+#define CKM_SHA_1_HMAC_GENERAL 0x00000222UL
+
+#define CKM_RIPEMD128 0x00000230UL
+#define CKM_RIPEMD128_HMAC 0x00000231UL
+#define CKM_RIPEMD128_HMAC_GENERAL 0x00000232UL
+#define CKM_RIPEMD160 0x00000240UL
+#define CKM_RIPEMD160_HMAC 0x00000241UL
+#define CKM_RIPEMD160_HMAC_GENERAL 0x00000242UL
+
+#define CKM_SHA256 0x00000250UL
+#define CKM_SHA256_HMAC 0x00000251UL
+#define CKM_SHA256_HMAC_GENERAL 0x00000252UL
+#define CKM_SHA224 0x00000255UL
+#define CKM_SHA224_HMAC 0x00000256UL
+#define CKM_SHA224_HMAC_GENERAL 0x00000257UL
+#define CKM_SHA384 0x00000260UL
+#define CKM_SHA384_HMAC 0x00000261UL
+#define CKM_SHA384_HMAC_GENERAL 0x00000262UL
+#define CKM_SHA512 0x00000270UL
+#define CKM_SHA512_HMAC 0x00000271UL
+#define CKM_SHA512_HMAC_GENERAL 0x00000272UL
+#define CKM_SECURID_KEY_GEN 0x00000280UL
+#define CKM_SECURID 0x00000282UL
+#define CKM_HOTP_KEY_GEN 0x00000290UL
+#define CKM_HOTP 0x00000291UL
+#define CKM_ACTI 0x000002A0UL
+#define CKM_ACTI_KEY_GEN 0x000002A1UL
+
+#define CKM_SHA3_256 0x000002B0UL
+#define CKM_SHA3_256_HMAC 0x000002B1UL
+#define CKM_SHA3_256_HMAC_GENERAL 0x000002B2UL
+#define CKM_SHA3_256_KEY_GEN 0x000002B3UL
+#define CKM_SHA3_224 0x000002B5UL
+#define CKM_SHA3_224_HMAC 0x000002B6UL
+#define CKM_SHA3_224_HMAC_GENERAL 0x000002B7UL
+#define CKM_SHA3_224_KEY_GEN 0x000002B8UL
+#define CKM_SHA3_384 0x000002C0UL
+#define CKM_SHA3_384_HMAC 0x000002C1UL
+#define CKM_SHA3_384_HMAC_GENERAL 0x000002C2UL
+#define CKM_SHA3_384_KEY_GEN 0x000002C3UL
+#define CKM_SHA3_512 0x000002D0UL
+#define CKM_SHA3_512_HMAC 0x000002D1UL
+#define CKM_SHA3_512_HMAC_GENERAL 0x000002D2UL
+#define CKM_SHA3_512_KEY_GEN 0x000002D3UL
+
+#define CKM_CAST_KEY_GEN 0x00000300UL
+#define CKM_CAST_ECB 0x00000301UL
+#define CKM_CAST_CBC 0x00000302UL
+#define CKM_CAST_MAC 0x00000303UL
+#define CKM_CAST_MAC_GENERAL 0x00000304UL
+#define CKM_CAST_CBC_PAD 0x00000305UL
+#define CKM_CAST3_KEY_GEN 0x00000310UL
+#define CKM_CAST3_ECB 0x00000311UL
+#define CKM_CAST3_CBC 0x00000312UL
+#define CKM_CAST3_MAC 0x00000313UL
+#define CKM_CAST3_MAC_GENERAL 0x00000314UL
+#define CKM_CAST3_CBC_PAD 0x00000315UL
+/* Note that CAST128 and CAST5 are the same algorithm */
+#define CKM_CAST5_KEY_GEN 0x00000320UL
+#define CKM_CAST128_KEY_GEN 0x00000320UL
+#define CKM_CAST5_ECB 0x00000321UL
+#define CKM_CAST128_ECB 0x00000321UL
+#define CKM_CAST5_CBC 0x00000322UL /* Deprecated */
+#define CKM_CAST128_CBC 0x00000322UL
+#define CKM_CAST5_MAC 0x00000323UL /* Deprecated */
+#define CKM_CAST128_MAC 0x00000323UL
+#define CKM_CAST5_MAC_GENERAL 0x00000324UL /* Deprecated */
+#define CKM_CAST128_MAC_GENERAL 0x00000324UL
+#define CKM_CAST5_CBC_PAD 0x00000325UL /* Deprecated */
+#define CKM_CAST128_CBC_PAD 0x00000325UL
+#define CKM_RC5_KEY_GEN 0x00000330UL
+#define CKM_RC5_ECB 0x00000331UL
+#define CKM_RC5_CBC 0x00000332UL
+#define CKM_RC5_MAC 0x00000333UL
+#define CKM_RC5_MAC_GENERAL 0x00000334UL
+#define CKM_RC5_CBC_PAD 0x00000335UL
+#define CKM_IDEA_KEY_GEN 0x00000340UL
+#define CKM_IDEA_ECB 0x00000341UL
+#define CKM_IDEA_CBC 0x00000342UL
+#define CKM_IDEA_MAC 0x00000343UL
+#define CKM_IDEA_MAC_GENERAL 0x00000344UL
+#define CKM_IDEA_CBC_PAD 0x00000345UL
+#define CKM_GENERIC_SECRET_KEY_GEN 0x00000350UL
+#define CKM_CONCATENATE_BASE_AND_KEY 0x00000360UL
+#define CKM_CONCATENATE_BASE_AND_DATA 0x00000362UL
+#define CKM_CONCATENATE_DATA_AND_BASE 0x00000363UL
+#define CKM_XOR_BASE_AND_DATA 0x00000364UL
+#define CKM_EXTRACT_KEY_FROM_KEY 0x00000365UL
+#define CKM_SSL3_PRE_MASTER_KEY_GEN 0x00000370UL
+#define CKM_SSL3_MASTER_KEY_DERIVE 0x00000371UL
+#define CKM_SSL3_KEY_AND_MAC_DERIVE 0x00000372UL
+
+#define CKM_SSL3_MASTER_KEY_DERIVE_DH 0x00000373UL
+#define CKM_TLS_PRE_MASTER_KEY_GEN 0x00000374UL
+#define CKM_TLS_MASTER_KEY_DERIVE 0x00000375UL
+#define CKM_TLS_KEY_AND_MAC_DERIVE 0x00000376UL
+#define CKM_TLS_MASTER_KEY_DERIVE_DH 0x00000377UL
+
+#define CKM_TLS_PRF 0x00000378UL
+
+#define CKM_SSL3_MD5_MAC 0x00000380UL
+#define CKM_SSL3_SHA1_MAC 0x00000381UL
+#define CKM_MD5_KEY_DERIVATION 0x00000390UL
+#define CKM_MD2_KEY_DERIVATION 0x00000391UL
+#define CKM_SHA1_KEY_DERIVATION 0x00000392UL
+
+#define CKM_SHA256_KEY_DERIVATION 0x00000393UL
+#define CKM_SHA384_KEY_DERIVATION 0x00000394UL
+#define CKM_SHA512_KEY_DERIVATION 0x00000395UL
+#define CKM_SHA224_KEY_DERIVATION 0x00000396UL
+#define CKM_SHA3_256_KEY_DERIVE 0x00000397UL
+#define CKM_SHA3_224_KEY_DERIVE 0x00000398UL
+#define CKM_SHA3_384_KEY_DERIVE 0x00000399UL
+#define CKM_SHA3_512_KEY_DERIVE 0x0000039AUL
+#define CKM_SHAKE_128_KEY_DERIVE 0x0000039BUL
+#define CKM_SHAKE_256_KEY_DERIVE 0x0000039CUL
+
+#define CKM_PBE_MD2_DES_CBC 0x000003A0UL
+#define CKM_PBE_MD5_DES_CBC 0x000003A1UL
+#define CKM_PBE_MD5_CAST_CBC 0x000003A2UL
+#define CKM_PBE_MD5_CAST3_CBC 0x000003A3UL
+#define CKM_PBE_MD5_CAST5_CBC 0x000003A4UL /* Deprecated */
+#define CKM_PBE_MD5_CAST128_CBC 0x000003A4UL
+#define CKM_PBE_SHA1_CAST5_CBC 0x000003A5UL /* Deprecated */
+#define CKM_PBE_SHA1_CAST128_CBC 0x000003A5UL
+#define CKM_PBE_SHA1_RC4_128 0x000003A6UL
+#define CKM_PBE_SHA1_RC4_40 0x000003A7UL
+#define CKM_PBE_SHA1_DES3_EDE_CBC 0x000003A8UL
+#define CKM_PBE_SHA1_DES2_EDE_CBC 0x000003A9UL
+#define CKM_PBE_SHA1_RC2_128_CBC 0x000003AAUL
+#define CKM_PBE_SHA1_RC2_40_CBC 0x000003ABUL
+
+#define CKM_PKCS5_PBKD2 0x000003B0UL
+
+#define CKM_PBA_SHA1_WITH_SHA1_HMAC 0x000003C0UL
+
+#define CKM_WTLS_PRE_MASTER_KEY_GEN 0x000003D0UL
+#define CKM_WTLS_MASTER_KEY_DERIVE 0x000003D1UL
+#define CKM_WTLS_MASTER_KEY_DERIVE_DH_ECC 0x000003D2UL
+#define CKM_WTLS_PRF 0x000003D3UL
+#define CKM_WTLS_SERVER_KEY_AND_MAC_DERIVE 0x000003D4UL
+#define CKM_WTLS_CLIENT_KEY_AND_MAC_DERIVE 0x000003D5UL
+
+#define CKM_TLS10_MAC_SERVER 0x000003D6UL
+#define CKM_TLS10_MAC_CLIENT 0x000003D7UL
+#define CKM_TLS12_MAC 0x000003D8UL
+#define CKM_TLS12_KDF 0x000003D9UL
+#define CKM_TLS12_MASTER_KEY_DERIVE 0x000003E0UL
+#define CKM_TLS12_KEY_AND_MAC_DERIVE 0x000003E1UL
+#define CKM_TLS12_MASTER_KEY_DERIVE_DH 0x000003E2UL
+#define CKM_TLS12_KEY_SAFE_DERIVE 0x000003E3UL
+#define CKM_TLS_MAC 0x000003E4UL
+#define CKM_TLS_KDF 0x000003E5UL
+
+#define CKM_KEY_WRAP_LYNKS 0x00000400UL
+#define CKM_KEY_WRAP_SET_OAEP 0x00000401UL
+
+#define CKM_CMS_SIG 0x00000500UL
+#define CKM_KIP_DERIVE 0x00000510UL
+#define CKM_KIP_WRAP 0x00000511UL
+#define CKM_KIP_MAC 0x00000512UL
+
+#define CKM_CAMELLIA_KEY_GEN 0x00000550UL
+#define CKM_CAMELLIA_ECB 0x00000551UL
+#define CKM_CAMELLIA_CBC 0x00000552UL
+#define CKM_CAMELLIA_MAC 0x00000553UL
+#define CKM_CAMELLIA_MAC_GENERAL 0x00000554UL
+#define CKM_CAMELLIA_CBC_PAD 0x00000555UL
+#define CKM_CAMELLIA_ECB_ENCRYPT_DATA 0x00000556UL
+#define CKM_CAMELLIA_CBC_ENCRYPT_DATA 0x00000557UL
+#define CKM_CAMELLIA_CTR 0x00000558UL
+
+#define CKM_ARIA_KEY_GEN 0x00000560UL
+#define CKM_ARIA_ECB 0x00000561UL
+#define CKM_ARIA_CBC 0x00000562UL
+#define CKM_ARIA_MAC 0x00000563UL
+#define CKM_ARIA_MAC_GENERAL 0x00000564UL
+#define CKM_ARIA_CBC_PAD 0x00000565UL
+#define CKM_ARIA_ECB_ENCRYPT_DATA 0x00000566UL
+#define CKM_ARIA_CBC_ENCRYPT_DATA 0x00000567UL
+
+#define CKM_SEED_KEY_GEN 0x00000650UL
+#define CKM_SEED_ECB 0x00000651UL
+#define CKM_SEED_CBC 0x00000652UL
+#define CKM_SEED_MAC 0x00000653UL
+#define CKM_SEED_MAC_GENERAL 0x00000654UL
+#define CKM_SEED_CBC_PAD 0x00000655UL
+#define CKM_SEED_ECB_ENCRYPT_DATA 0x00000656UL
+#define CKM_SEED_CBC_ENCRYPT_DATA 0x00000657UL
+
+#define CKM_SKIPJACK_KEY_GEN 0x00001000UL
+#define CKM_SKIPJACK_ECB64 0x00001001UL
+#define CKM_SKIPJACK_CBC64 0x00001002UL
+#define CKM_SKIPJACK_OFB64 0x00001003UL
+#define CKM_SKIPJACK_CFB64 0x00001004UL
+#define CKM_SKIPJACK_CFB32 0x00001005UL
+#define CKM_SKIPJACK_CFB16 0x00001006UL
+#define CKM_SKIPJACK_CFB8 0x00001007UL
+#define CKM_SKIPJACK_WRAP 0x00001008UL
+#define CKM_SKIPJACK_PRIVATE_WRAP 0x00001009UL
+#define CKM_SKIPJACK_RELAYX 0x0000100aUL
+#define CKM_KEA_KEY_PAIR_GEN 0x00001010UL
+#define CKM_KEA_KEY_DERIVE 0x00001011UL
+#define CKM_KEA_DERIVE 0x00001012UL
+#define CKM_FORTEZZA_TIMESTAMP 0x00001020UL
+#define CKM_BATON_KEY_GEN 0x00001030UL
+#define CKM_BATON_ECB128 0x00001031UL
+#define CKM_BATON_ECB96 0x00001032UL
+#define CKM_BATON_CBC128 0x00001033UL
+#define CKM_BATON_COUNTER 0x00001034UL
+#define CKM_BATON_SHUFFLE 0x00001035UL
+#define CKM_BATON_WRAP 0x00001036UL
+
+#define CKM_ECDSA_KEY_PAIR_GEN 0x00001040UL /* Deprecated */
+#define CKM_EC_KEY_PAIR_GEN 0x00001040UL
+
+#define CKM_ECDSA 0x00001041UL
+#define CKM_ECDSA_SHA1 0x00001042UL
+#define CKM_ECDSA_SHA224 0x00001043UL
+#define CKM_ECDSA_SHA256 0x00001044UL
+#define CKM_ECDSA_SHA384 0x00001045UL
+#define CKM_ECDSA_SHA512 0x00001046UL
+
+#define CKM_ECDH1_DERIVE 0x00001050UL
+#define CKM_ECDH1_COFACTOR_DERIVE 0x00001051UL
+#define CKM_ECMQV_DERIVE 0x00001052UL
+
+#define CKM_ECDH_AES_KEY_WRAP 0x00001053UL
+#define CKM_RSA_AES_KEY_WRAP 0x00001054UL
+
+#define CKM_JUNIPER_KEY_GEN 0x00001060UL
+#define CKM_JUNIPER_ECB128 0x00001061UL
+#define CKM_JUNIPER_CBC128 0x00001062UL
+#define CKM_JUNIPER_COUNTER 0x00001063UL
+#define CKM_JUNIPER_SHUFFLE 0x00001064UL
+#define CKM_JUNIPER_WRAP 0x00001065UL
+#define CKM_FASTHASH 0x00001070UL
+
+#define CKM_AES_KEY_GEN 0x00001080UL
+#define CKM_AES_ECB 0x00001081UL
+#define CKM_AES_CBC 0x00001082UL
+#define CKM_AES_MAC 0x00001083UL
+#define CKM_AES_MAC_GENERAL 0x00001084UL
+#define CKM_AES_CBC_PAD 0x00001085UL
+#define CKM_AES_CTR 0x00001086UL
+#define CKM_AES_GCM 0x00001087UL
+#define CKM_AES_CCM 0x00001088UL
+#define CKM_AES_CTS 0x00001089UL
+#define CKM_AES_CMAC 0x0000108AUL
+#define CKM_AES_CMAC_GENERAL 0x0000108BUL
+
+#define CKM_AES_XCBC_MAC 0x0000108CUL
+#define CKM_AES_XCBC_MAC_96 0x0000108DUL
+#define CKM_AES_GMAC 0x0000108EUL
+
+#define CKM_BLOWFISH_KEY_GEN 0x00001090UL
+#define CKM_BLOWFISH_CBC 0x00001091UL
+#define CKM_TWOFISH_KEY_GEN 0x00001092UL
+#define CKM_TWOFISH_CBC 0x00001093UL
+#define CKM_BLOWFISH_CBC_PAD 0x00001094UL
+#define CKM_TWOFISH_CBC_PAD 0x00001095UL
+
+#define CKM_DES_ECB_ENCRYPT_DATA 0x00001100UL
+#define CKM_DES_CBC_ENCRYPT_DATA 0x00001101UL
+#define CKM_DES3_ECB_ENCRYPT_DATA 0x00001102UL
+#define CKM_DES3_CBC_ENCRYPT_DATA 0x00001103UL
+#define CKM_AES_ECB_ENCRYPT_DATA 0x00001104UL
+#define CKM_AES_CBC_ENCRYPT_DATA 0x00001105UL
+
+#define CKM_GOSTR3410_KEY_PAIR_GEN 0x00001200UL
+#define CKM_GOSTR3410 0x00001201UL
+#define CKM_GOSTR3410_WITH_GOSTR3411 0x00001202UL
+#define CKM_GOSTR3410_KEY_WRAP 0x00001203UL
+#define CKM_GOSTR3410_DERIVE 0x00001204UL
+#define CKM_GOSTR3411 0x00001210UL
+#define CKM_GOSTR3411_HMAC 0x00001211UL
+#define CKM_GOST28147_KEY_GEN 0x00001220UL
+#define CKM_GOST28147_ECB 0x00001221UL
+#define CKM_GOST28147 0x00001222UL
+#define CKM_GOST28147_MAC 0x00001223UL
+#define CKM_GOST28147_KEY_WRAP 0x00001224UL
+
+#define CKM_DSA_PARAMETER_GEN 0x00002000UL
+#define CKM_DH_PKCS_PARAMETER_GEN 0x00002001UL
+#define CKM_X9_42_DH_PARAMETER_GEN 0x00002002UL
+#define CKM_DSA_PROBABLISTIC_PARAMETER_GEN 0x00002003UL
+#define CKM_DSA_SHAWE_TAYLOR_PARAMETER_GEN 0x00002004UL
+
+#define CKM_AES_OFB 0x00002104UL
+#define CKM_AES_CFB64 0x00002105UL
+#define CKM_AES_CFB8 0x00002106UL
+#define CKM_AES_CFB128 0x00002107UL
+
+#define CKM_AES_CFB1 0x00002108UL
+#define CKM_AES_KEY_WRAP 0x00002109UL /* WAS: 0x00001090 */
+#define CKM_AES_KEY_WRAP_PAD 0x0000210AUL /* WAS: 0x00001091 */
+
+#define CKM_RSA_PKCS_TPM_1_1 0x00004001UL
+#define CKM_RSA_PKCS_OAEP_TPM_1_1 0x00004002UL
+
+#define CKM_VENDOR_DEFINED 0x80000000UL
+
+typedef CK_MECHANISM_TYPE CK_PTR CK_MECHANISM_TYPE_PTR;
+
+
+/* CK_MECHANISM is a structure that specifies a particular
+ * mechanism
+ */
+typedef struct CK_MECHANISM {
+ CK_MECHANISM_TYPE mechanism;
+ CK_VOID_PTR pParameter;
+ CK_ULONG ulParameterLen; /* in bytes */
+} CK_MECHANISM;
+
+typedef CK_MECHANISM CK_PTR CK_MECHANISM_PTR;
+
+
+/* CK_MECHANISM_INFO provides information about a particular
+ * mechanism
+ */
+typedef struct CK_MECHANISM_INFO {
+ CK_ULONG ulMinKeySize;
+ CK_ULONG ulMaxKeySize;
+ CK_FLAGS flags;
+} CK_MECHANISM_INFO;
+
+/* The flags are defined as follows:
+ * Bit Flag Mask Meaning */
+#define CKF_HW 0x00000001UL /* performed by HW */
+
+/* Specify whether or not a mechanism can be used for a particular task */
+#define CKF_ENCRYPT 0x00000100UL
+#define CKF_DECRYPT 0x00000200UL
+#define CKF_DIGEST 0x00000400UL
+#define CKF_SIGN 0x00000800UL
+#define CKF_SIGN_RECOVER 0x00001000UL
+#define CKF_VERIFY 0x00002000UL
+#define CKF_VERIFY_RECOVER 0x00004000UL
+#define CKF_GENERATE 0x00008000UL
+#define CKF_GENERATE_KEY_PAIR 0x00010000UL
+#define CKF_WRAP 0x00020000UL
+#define CKF_UNWRAP 0x00040000UL
+#define CKF_DERIVE 0x00080000UL
+
+/* Describe a token's EC capabilities not available in mechanism
+ * information.
+ */
+#define CKF_EC_F_P 0x00100000UL
+#define CKF_EC_F_2M 0x00200000UL
+#define CKF_EC_ECPARAMETERS 0x00400000UL
+#define CKF_EC_NAMEDCURVE 0x00800000UL
+#define CKF_EC_UNCOMPRESS 0x01000000UL
+#define CKF_EC_COMPRESS 0x02000000UL
+
+#define CKF_EXTENSION 0x80000000UL
+
+typedef CK_MECHANISM_INFO CK_PTR CK_MECHANISM_INFO_PTR;
+
+/* CK_RV is a value that identifies the return value of a
+ * Cryptoki function
+ */
+typedef CK_ULONG CK_RV;
+
+#define CKR_OK 0x00000000UL
+#define CKR_CANCEL 0x00000001UL
+#define CKR_HOST_MEMORY 0x00000002UL
+#define CKR_SLOT_ID_INVALID 0x00000003UL
+
+#define CKR_GENERAL_ERROR 0x00000005UL
+#define CKR_FUNCTION_FAILED 0x00000006UL
+
+#define CKR_ARGUMENTS_BAD 0x00000007UL
+#define CKR_NO_EVENT 0x00000008UL
+#define CKR_NEED_TO_CREATE_THREADS 0x00000009UL
+#define CKR_CANT_LOCK 0x0000000AUL
+
+#define CKR_ATTRIBUTE_READ_ONLY 0x00000010UL
+#define CKR_ATTRIBUTE_SENSITIVE 0x00000011UL
+#define CKR_ATTRIBUTE_TYPE_INVALID 0x00000012UL
+#define CKR_ATTRIBUTE_VALUE_INVALID 0x00000013UL
+
+#define CKR_ACTION_PROHIBITED 0x0000001BUL
+
+#define CKR_DATA_INVALID 0x00000020UL
+#define CKR_DATA_LEN_RANGE 0x00000021UL
+#define CKR_DEVICE_ERROR 0x00000030UL
+#define CKR_DEVICE_MEMORY 0x00000031UL
+#define CKR_DEVICE_REMOVED 0x00000032UL
+#define CKR_ENCRYPTED_DATA_INVALID 0x00000040UL
+#define CKR_ENCRYPTED_DATA_LEN_RANGE 0x00000041UL
+#define CKR_FUNCTION_CANCELED 0x00000050UL
+#define CKR_FUNCTION_NOT_PARALLEL 0x00000051UL
+
+#define CKR_FUNCTION_NOT_SUPPORTED 0x00000054UL
+
+#define CKR_KEY_HANDLE_INVALID 0x00000060UL
+
+#define CKR_KEY_SIZE_RANGE 0x00000062UL
+#define CKR_KEY_TYPE_INCONSISTENT 0x00000063UL
+
+#define CKR_KEY_NOT_NEEDED 0x00000064UL
+#define CKR_KEY_CHANGED 0x00000065UL
+#define CKR_KEY_NEEDED 0x00000066UL
+#define CKR_KEY_INDIGESTIBLE 0x00000067UL
+#define CKR_KEY_FUNCTION_NOT_PERMITTED 0x00000068UL
+#define CKR_KEY_NOT_WRAPPABLE 0x00000069UL
+#define CKR_KEY_UNEXTRACTABLE 0x0000006AUL
+
+#define CKR_MECHANISM_INVALID 0x00000070UL
+#define CKR_MECHANISM_PARAM_INVALID 0x00000071UL
+
+#define CKR_OBJECT_HANDLE_INVALID 0x00000082UL
+#define CKR_OPERATION_ACTIVE 0x00000090UL
+#define CKR_OPERATION_NOT_INITIALIZED 0x00000091UL
+#define CKR_PIN_INCORRECT 0x000000A0UL
+#define CKR_PIN_INVALID 0x000000A1UL
+#define CKR_PIN_LEN_RANGE 0x000000A2UL
+
+#define CKR_PIN_EXPIRED 0x000000A3UL
+#define CKR_PIN_LOCKED 0x000000A4UL
+
+#define CKR_SESSION_CLOSED 0x000000B0UL
+#define CKR_SESSION_COUNT 0x000000B1UL
+#define CKR_SESSION_HANDLE_INVALID 0x000000B3UL
+#define CKR_SESSION_PARALLEL_NOT_SUPPORTED 0x000000B4UL
+#define CKR_SESSION_READ_ONLY 0x000000B5UL
+#define CKR_SESSION_EXISTS 0x000000B6UL
+
+#define CKR_SESSION_READ_ONLY_EXISTS 0x000000B7UL
+#define CKR_SESSION_READ_WRITE_SO_EXISTS 0x000000B8UL
+
+#define CKR_SIGNATURE_INVALID 0x000000C0UL
+#define CKR_SIGNATURE_LEN_RANGE 0x000000C1UL
+#define CKR_TEMPLATE_INCOMPLETE 0x000000D0UL
+#define CKR_TEMPLATE_INCONSISTENT 0x000000D1UL
+#define CKR_TOKEN_NOT_PRESENT 0x000000E0UL
+#define CKR_TOKEN_NOT_RECOGNIZED 0x000000E1UL
+#define CKR_TOKEN_WRITE_PROTECTED 0x000000E2UL
+#define CKR_UNWRAPPING_KEY_HANDLE_INVALID 0x000000F0UL
+#define CKR_UNWRAPPING_KEY_SIZE_RANGE 0x000000F1UL
+#define CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT 0x000000F2UL
+#define CKR_USER_ALREADY_LOGGED_IN 0x00000100UL
+#define CKR_USER_NOT_LOGGED_IN 0x00000101UL
+#define CKR_USER_PIN_NOT_INITIALIZED 0x00000102UL
+#define CKR_USER_TYPE_INVALID 0x00000103UL
+
+#define CKR_USER_ANOTHER_ALREADY_LOGGED_IN 0x00000104UL
+#define CKR_USER_TOO_MANY_TYPES 0x00000105UL
+
+#define CKR_WRAPPED_KEY_INVALID 0x00000110UL
+#define CKR_WRAPPED_KEY_LEN_RANGE 0x00000112UL
+#define CKR_WRAPPING_KEY_HANDLE_INVALID 0x00000113UL
+#define CKR_WRAPPING_KEY_SIZE_RANGE 0x00000114UL
+#define CKR_WRAPPING_KEY_TYPE_INCONSISTENT 0x00000115UL
+#define CKR_RANDOM_SEED_NOT_SUPPORTED 0x00000120UL
+
+#define CKR_RANDOM_NO_RNG 0x00000121UL
+
+#define CKR_DOMAIN_PARAMS_INVALID 0x00000130UL
+
+#define CKR_CURVE_NOT_SUPPORTED 0x00000140UL
+
+#define CKR_BUFFER_TOO_SMALL 0x00000150UL
+#define CKR_SAVED_STATE_INVALID 0x00000160UL
+#define CKR_INFORMATION_SENSITIVE 0x00000170UL
+#define CKR_STATE_UNSAVEABLE 0x00000180UL
+
+#define CKR_CRYPTOKI_NOT_INITIALIZED 0x00000190UL
+#define CKR_CRYPTOKI_ALREADY_INITIALIZED 0x00000191UL
+#define CKR_MUTEX_BAD 0x000001A0UL
+#define CKR_MUTEX_NOT_LOCKED 0x000001A1UL
+
+#define CKR_NEW_PIN_MODE 0x000001B0UL
+#define CKR_NEXT_OTP 0x000001B1UL
+
+#define CKR_EXCEEDED_MAX_ITERATIONS 0x000001B5UL
+#define CKR_FIPS_SELF_TEST_FAILED 0x000001B6UL
+#define CKR_LIBRARY_LOAD_FAILED 0x000001B7UL
+#define CKR_PIN_TOO_WEAK 0x000001B8UL
+#define CKR_PUBLIC_KEY_INVALID 0x000001B9UL
+
+#define CKR_FUNCTION_REJECTED 0x00000200UL
+
+#define CKR_VENDOR_DEFINED 0x80000000UL
+
+
+/* CK_NOTIFY is an application callback that processes events */
+typedef CK_CALLBACK_FUNCTION(CK_RV, CK_NOTIFY)(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_NOTIFICATION event,
+ CK_VOID_PTR pApplication /* passed to C_OpenSession */
+);
+
+
+/* CK_FUNCTION_LIST is a structure holding a Cryptoki spec
+ * version and pointers of appropriate types to all the
+ * Cryptoki functions
+ */
+typedef struct CK_FUNCTION_LIST CK_FUNCTION_LIST;
+
+typedef CK_FUNCTION_LIST CK_PTR CK_FUNCTION_LIST_PTR;
+
+typedef CK_FUNCTION_LIST_PTR CK_PTR CK_FUNCTION_LIST_PTR_PTR;
+
+
+/* CK_CREATEMUTEX is an application callback for creating a
+ * mutex object
+ */
+typedef CK_CALLBACK_FUNCTION(CK_RV, CK_CREATEMUTEX)(
+ CK_VOID_PTR_PTR ppMutex /* location to receive ptr to mutex */
+);
+
+
+/* CK_DESTROYMUTEX is an application callback for destroying a
+ * mutex object
+ */
+typedef CK_CALLBACK_FUNCTION(CK_RV, CK_DESTROYMUTEX)(
+ CK_VOID_PTR pMutex /* pointer to mutex */
+);
+
+
+/* CK_LOCKMUTEX is an application callback for locking a mutex */
+typedef CK_CALLBACK_FUNCTION(CK_RV, CK_LOCKMUTEX)(
+ CK_VOID_PTR pMutex /* pointer to mutex */
+);
+
+
+/* CK_UNLOCKMUTEX is an application callback for unlocking a
+ * mutex
+ */
+typedef CK_CALLBACK_FUNCTION(CK_RV, CK_UNLOCKMUTEX)(
+ CK_VOID_PTR pMutex /* pointer to mutex */
+);
+
+
+/* CK_C_INITIALIZE_ARGS provides the optional arguments to
+ * C_Initialize
+ */
+typedef struct CK_C_INITIALIZE_ARGS {
+ CK_CREATEMUTEX CreateMutex;
+ CK_DESTROYMUTEX DestroyMutex;
+ CK_LOCKMUTEX LockMutex;
+ CK_UNLOCKMUTEX UnlockMutex;
+ CK_FLAGS flags;
+ CK_VOID_PTR pReserved;
+} CK_C_INITIALIZE_ARGS;
+
+/* flags: bit flags that provide capabilities of the slot
+ * Bit Flag Mask Meaning
+ */
+#define CKF_LIBRARY_CANT_CREATE_OS_THREADS 0x00000001UL
+#define CKF_OS_LOCKING_OK 0x00000002UL
+
+typedef CK_C_INITIALIZE_ARGS CK_PTR CK_C_INITIALIZE_ARGS_PTR;
+
+
+/* additional flags for parameters to functions */
+
+/* CKF_DONT_BLOCK is for the function C_WaitForSlotEvent */
+#define CKF_DONT_BLOCK 1
+
+/* CK_RSA_PKCS_MGF_TYPE is used to indicate the Message
+ * Generation Function (MGF) applied to a message block when
+ * formatting a message block for the PKCS #1 OAEP encryption
+ * scheme.
+ */
+typedef CK_ULONG CK_RSA_PKCS_MGF_TYPE;
+
+typedef CK_RSA_PKCS_MGF_TYPE CK_PTR CK_RSA_PKCS_MGF_TYPE_PTR;
+
+/* The following MGFs are defined */
+#define CKG_MGF1_SHA1 0x00000001UL
+#define CKG_MGF1_SHA256 0x00000002UL
+#define CKG_MGF1_SHA384 0x00000003UL
+#define CKG_MGF1_SHA512 0x00000004UL
+#define CKG_MGF1_SHA224 0x00000005UL
+
+/* CK_RSA_PKCS_OAEP_SOURCE_TYPE is used to indicate the source
+ * of the encoding parameter when formatting a message block
+ * for the PKCS #1 OAEP encryption scheme.
+ */
+typedef CK_ULONG CK_RSA_PKCS_OAEP_SOURCE_TYPE;
+
+typedef CK_RSA_PKCS_OAEP_SOURCE_TYPE CK_PTR CK_RSA_PKCS_OAEP_SOURCE_TYPE_PTR;
+
+/* The following encoding parameter sources are defined */
+#define CKZ_DATA_SPECIFIED 0x00000001UL
+
+/* CK_RSA_PKCS_OAEP_PARAMS provides the parameters to the
+ * CKM_RSA_PKCS_OAEP mechanism.
+ */
+typedef struct CK_RSA_PKCS_OAEP_PARAMS {
+ CK_MECHANISM_TYPE hashAlg;
+ CK_RSA_PKCS_MGF_TYPE mgf;
+ CK_RSA_PKCS_OAEP_SOURCE_TYPE source;
+ CK_VOID_PTR pSourceData;
+ CK_ULONG ulSourceDataLen;
+} CK_RSA_PKCS_OAEP_PARAMS;
+
+typedef CK_RSA_PKCS_OAEP_PARAMS CK_PTR CK_RSA_PKCS_OAEP_PARAMS_PTR;
+
+/* CK_RSA_PKCS_PSS_PARAMS provides the parameters to the
+ * CKM_RSA_PKCS_PSS mechanism(s).
+ */
+typedef struct CK_RSA_PKCS_PSS_PARAMS {
+ CK_MECHANISM_TYPE hashAlg;
+ CK_RSA_PKCS_MGF_TYPE mgf;
+ CK_ULONG sLen;
+} CK_RSA_PKCS_PSS_PARAMS;
+
+typedef CK_RSA_PKCS_PSS_PARAMS CK_PTR CK_RSA_PKCS_PSS_PARAMS_PTR;
+
+typedef CK_ULONG CK_EC_KDF_TYPE;
+
+/* The following EC Key Derivation Functions are defined */
+#define CKD_NULL 0x00000001UL
+#define CKD_SHA1_KDF 0x00000002UL
+
+/* The following X9.42 DH key derivation functions are defined */
+#define CKD_SHA1_KDF_ASN1 0x00000003UL
+#define CKD_SHA1_KDF_CONCATENATE 0x00000004UL
+#define CKD_SHA224_KDF 0x00000005UL
+#define CKD_SHA256_KDF 0x00000006UL
+#define CKD_SHA384_KDF 0x00000007UL
+#define CKD_SHA512_KDF 0x00000008UL
+#define CKD_CPDIVERSIFY_KDF 0x00000009UL
+#define CKD_SHA3_224_KDF 0x0000000AUL
+#define CKD_SHA3_256_KDF 0x0000000BUL
+#define CKD_SHA3_384_KDF 0x0000000CUL
+#define CKD_SHA3_512_KDF 0x0000000DUL
+
+/* CK_ECDH1_DERIVE_PARAMS provides the parameters to the
+ * CKM_ECDH1_DERIVE and CKM_ECDH1_COFACTOR_DERIVE mechanisms,
+ * where each party contributes one key pair.
+ */
+typedef struct CK_ECDH1_DERIVE_PARAMS {
+ CK_EC_KDF_TYPE kdf;
+ CK_ULONG ulSharedDataLen;
+ CK_BYTE_PTR pSharedData;
+ CK_ULONG ulPublicDataLen;
+ CK_BYTE_PTR pPublicData;
+} CK_ECDH1_DERIVE_PARAMS;
+
+typedef CK_ECDH1_DERIVE_PARAMS CK_PTR CK_ECDH1_DERIVE_PARAMS_PTR;
+
+/*
+ * CK_ECDH2_DERIVE_PARAMS provides the parameters to the
+ * CKM_ECMQV_DERIVE mechanism, where each party contributes two key pairs.
+ */
+typedef struct CK_ECDH2_DERIVE_PARAMS {
+ CK_EC_KDF_TYPE kdf;
+ CK_ULONG ulSharedDataLen;
+ CK_BYTE_PTR pSharedData;
+ CK_ULONG ulPublicDataLen;
+ CK_BYTE_PTR pPublicData;
+ CK_ULONG ulPrivateDataLen;
+ CK_OBJECT_HANDLE hPrivateData;
+ CK_ULONG ulPublicDataLen2;
+ CK_BYTE_PTR pPublicData2;
+} CK_ECDH2_DERIVE_PARAMS;
+
+typedef CK_ECDH2_DERIVE_PARAMS CK_PTR CK_ECDH2_DERIVE_PARAMS_PTR;
+
+typedef struct CK_ECMQV_DERIVE_PARAMS {
+ CK_EC_KDF_TYPE kdf;
+ CK_ULONG ulSharedDataLen;
+ CK_BYTE_PTR pSharedData;
+ CK_ULONG ulPublicDataLen;
+ CK_BYTE_PTR pPublicData;
+ CK_ULONG ulPrivateDataLen;
+ CK_OBJECT_HANDLE hPrivateData;
+ CK_ULONG ulPublicDataLen2;
+ CK_BYTE_PTR pPublicData2;
+ CK_OBJECT_HANDLE publicKey;
+} CK_ECMQV_DERIVE_PARAMS;
+
+typedef CK_ECMQV_DERIVE_PARAMS CK_PTR CK_ECMQV_DERIVE_PARAMS_PTR;
+
+/* Typedefs and defines for the CKM_X9_42_DH_KEY_PAIR_GEN and the
+ * CKM_X9_42_DH_PARAMETER_GEN mechanisms
+ */
+typedef CK_ULONG CK_X9_42_DH_KDF_TYPE;
+typedef CK_X9_42_DH_KDF_TYPE CK_PTR CK_X9_42_DH_KDF_TYPE_PTR;
+
+/* CK_X9_42_DH1_DERIVE_PARAMS provides the parameters to the
+ * CKM_X9_42_DH_DERIVE key derivation mechanism, where each party
+ * contributes one key pair
+ */
+typedef struct CK_X9_42_DH1_DERIVE_PARAMS {
+ CK_X9_42_DH_KDF_TYPE kdf;
+ CK_ULONG ulOtherInfoLen;
+ CK_BYTE_PTR pOtherInfo;
+ CK_ULONG ulPublicDataLen;
+ CK_BYTE_PTR pPublicData;
+} CK_X9_42_DH1_DERIVE_PARAMS;
+
+typedef struct CK_X9_42_DH1_DERIVE_PARAMS CK_PTR CK_X9_42_DH1_DERIVE_PARAMS_PTR;
+
+/* CK_X9_42_DH2_DERIVE_PARAMS provides the parameters to the
+ * CKM_X9_42_DH_HYBRID_DERIVE and CKM_X9_42_MQV_DERIVE key derivation
+ * mechanisms, where each party contributes two key pairs
+ */
+typedef struct CK_X9_42_DH2_DERIVE_PARAMS {
+ CK_X9_42_DH_KDF_TYPE kdf;
+ CK_ULONG ulOtherInfoLen;
+ CK_BYTE_PTR pOtherInfo;
+ CK_ULONG ulPublicDataLen;
+ CK_BYTE_PTR pPublicData;
+ CK_ULONG ulPrivateDataLen;
+ CK_OBJECT_HANDLE hPrivateData;
+ CK_ULONG ulPublicDataLen2;
+ CK_BYTE_PTR pPublicData2;
+} CK_X9_42_DH2_DERIVE_PARAMS;
+
+typedef CK_X9_42_DH2_DERIVE_PARAMS CK_PTR CK_X9_42_DH2_DERIVE_PARAMS_PTR;
+
+typedef struct CK_X9_42_MQV_DERIVE_PARAMS {
+ CK_X9_42_DH_KDF_TYPE kdf;
+ CK_ULONG ulOtherInfoLen;
+ CK_BYTE_PTR pOtherInfo;
+ CK_ULONG ulPublicDataLen;
+ CK_BYTE_PTR pPublicData;
+ CK_ULONG ulPrivateDataLen;
+ CK_OBJECT_HANDLE hPrivateData;
+ CK_ULONG ulPublicDataLen2;
+ CK_BYTE_PTR pPublicData2;
+ CK_OBJECT_HANDLE publicKey;
+} CK_X9_42_MQV_DERIVE_PARAMS;
+
+typedef CK_X9_42_MQV_DERIVE_PARAMS CK_PTR CK_X9_42_MQV_DERIVE_PARAMS_PTR;
+
+/* CK_KEA_DERIVE_PARAMS provides the parameters to the
+ * CKM_KEA_DERIVE mechanism
+ */
+typedef struct CK_KEA_DERIVE_PARAMS {
+ CK_BBOOL isSender;
+ CK_ULONG ulRandomLen;
+ CK_BYTE_PTR pRandomA;
+ CK_BYTE_PTR pRandomB;
+ CK_ULONG ulPublicDataLen;
+ CK_BYTE_PTR pPublicData;
+} CK_KEA_DERIVE_PARAMS;
+
+typedef CK_KEA_DERIVE_PARAMS CK_PTR CK_KEA_DERIVE_PARAMS_PTR;
+
+
+/* CK_RC2_PARAMS provides the parameters to the CKM_RC2_ECB and
+ * CKM_RC2_MAC mechanisms. An instance of CK_RC2_PARAMS just
+ * holds the effective keysize
+ */
+typedef CK_ULONG CK_RC2_PARAMS;
+
+typedef CK_RC2_PARAMS CK_PTR CK_RC2_PARAMS_PTR;
+
+
+/* CK_RC2_CBC_PARAMS provides the parameters to the CKM_RC2_CBC
+ * mechanism
+ */
+typedef struct CK_RC2_CBC_PARAMS {
+ CK_ULONG ulEffectiveBits; /* effective bits (1-1024) */
+ CK_BYTE iv[8]; /* IV for CBC mode */
+} CK_RC2_CBC_PARAMS;
+
+typedef CK_RC2_CBC_PARAMS CK_PTR CK_RC2_CBC_PARAMS_PTR;
+
+
+/* CK_RC2_MAC_GENERAL_PARAMS provides the parameters for the
+ * CKM_RC2_MAC_GENERAL mechanism
+ */
+typedef struct CK_RC2_MAC_GENERAL_PARAMS {
+ CK_ULONG ulEffectiveBits; /* effective bits (1-1024) */
+ CK_ULONG ulMacLength; /* Length of MAC in bytes */
+} CK_RC2_MAC_GENERAL_PARAMS;
+
+typedef CK_RC2_MAC_GENERAL_PARAMS CK_PTR \
+ CK_RC2_MAC_GENERAL_PARAMS_PTR;
+
+
+/* CK_RC5_PARAMS provides the parameters to the CKM_RC5_ECB and
+ * CKM_RC5_MAC mechanisms
+ */
+typedef struct CK_RC5_PARAMS {
+ CK_ULONG ulWordsize; /* wordsize in bits */
+ CK_ULONG ulRounds; /* number of rounds */
+} CK_RC5_PARAMS;
+
+typedef CK_RC5_PARAMS CK_PTR CK_RC5_PARAMS_PTR;
+
+
+/* CK_RC5_CBC_PARAMS provides the parameters to the CKM_RC5_CBC
+ * mechanism
+ */
+typedef struct CK_RC5_CBC_PARAMS {
+ CK_ULONG ulWordsize; /* wordsize in bits */
+ CK_ULONG ulRounds; /* number of rounds */
+ CK_BYTE_PTR pIv; /* pointer to IV */
+ CK_ULONG ulIvLen; /* length of IV in bytes */
+} CK_RC5_CBC_PARAMS;
+
+typedef CK_RC5_CBC_PARAMS CK_PTR CK_RC5_CBC_PARAMS_PTR;
+
+
+/* CK_RC5_MAC_GENERAL_PARAMS provides the parameters for the
+ * CKM_RC5_MAC_GENERAL mechanism
+ */
+typedef struct CK_RC5_MAC_GENERAL_PARAMS {
+ CK_ULONG ulWordsize; /* wordsize in bits */
+ CK_ULONG ulRounds; /* number of rounds */
+ CK_ULONG ulMacLength; /* Length of MAC in bytes */
+} CK_RC5_MAC_GENERAL_PARAMS;
+
+typedef CK_RC5_MAC_GENERAL_PARAMS CK_PTR \
+ CK_RC5_MAC_GENERAL_PARAMS_PTR;
+
+/* CK_MAC_GENERAL_PARAMS provides the parameters to most block
+ * ciphers' MAC_GENERAL mechanisms. Its value is the length of
+ * the MAC
+ */
+typedef CK_ULONG CK_MAC_GENERAL_PARAMS;
+
+typedef CK_MAC_GENERAL_PARAMS CK_PTR CK_MAC_GENERAL_PARAMS_PTR;
+
+typedef struct CK_DES_CBC_ENCRYPT_DATA_PARAMS {
+ CK_BYTE iv[8];
+ CK_BYTE_PTR pData;
+ CK_ULONG length;
+} CK_DES_CBC_ENCRYPT_DATA_PARAMS;
+
+typedef CK_DES_CBC_ENCRYPT_DATA_PARAMS CK_PTR CK_DES_CBC_ENCRYPT_DATA_PARAMS_PTR;
+
+typedef struct CK_AES_CBC_ENCRYPT_DATA_PARAMS {
+ CK_BYTE iv[16];
+ CK_BYTE_PTR pData;
+ CK_ULONG length;
+} CK_AES_CBC_ENCRYPT_DATA_PARAMS;
+
+typedef CK_AES_CBC_ENCRYPT_DATA_PARAMS CK_PTR CK_AES_CBC_ENCRYPT_DATA_PARAMS_PTR;
+
+/* CK_SKIPJACK_PRIVATE_WRAP_PARAMS provides the parameters to the
+ * CKM_SKIPJACK_PRIVATE_WRAP mechanism
+ */
+typedef struct CK_SKIPJACK_PRIVATE_WRAP_PARAMS {
+ CK_ULONG ulPasswordLen;
+ CK_BYTE_PTR pPassword;
+ CK_ULONG ulPublicDataLen;
+ CK_BYTE_PTR pPublicData;
+ CK_ULONG ulPAndGLen;
+ CK_ULONG ulQLen;
+ CK_ULONG ulRandomLen;
+ CK_BYTE_PTR pRandomA;
+ CK_BYTE_PTR pPrimeP;
+ CK_BYTE_PTR pBaseG;
+ CK_BYTE_PTR pSubprimeQ;
+} CK_SKIPJACK_PRIVATE_WRAP_PARAMS;
+
+typedef CK_SKIPJACK_PRIVATE_WRAP_PARAMS CK_PTR \
+ CK_SKIPJACK_PRIVATE_WRAP_PARAMS_PTR;
+
+
+/* CK_SKIPJACK_RELAYX_PARAMS provides the parameters to the
+ * CKM_SKIPJACK_RELAYX mechanism
+ */
+typedef struct CK_SKIPJACK_RELAYX_PARAMS {
+ CK_ULONG ulOldWrappedXLen;
+ CK_BYTE_PTR pOldWrappedX;
+ CK_ULONG ulOldPasswordLen;
+ CK_BYTE_PTR pOldPassword;
+ CK_ULONG ulOldPublicDataLen;
+ CK_BYTE_PTR pOldPublicData;
+ CK_ULONG ulOldRandomLen;
+ CK_BYTE_PTR pOldRandomA;
+ CK_ULONG ulNewPasswordLen;
+ CK_BYTE_PTR pNewPassword;
+ CK_ULONG ulNewPublicDataLen;
+ CK_BYTE_PTR pNewPublicData;
+ CK_ULONG ulNewRandomLen;
+ CK_BYTE_PTR pNewRandomA;
+} CK_SKIPJACK_RELAYX_PARAMS;
+
+typedef CK_SKIPJACK_RELAYX_PARAMS CK_PTR \
+ CK_SKIPJACK_RELAYX_PARAMS_PTR;
+
+
+typedef struct CK_PBE_PARAMS {
+ CK_BYTE_PTR pInitVector;
+ CK_UTF8CHAR_PTR pPassword;
+ CK_ULONG ulPasswordLen;
+ CK_BYTE_PTR pSalt;
+ CK_ULONG ulSaltLen;
+ CK_ULONG ulIteration;
+} CK_PBE_PARAMS;
+
+typedef CK_PBE_PARAMS CK_PTR CK_PBE_PARAMS_PTR;
+
+
+/* CK_KEY_WRAP_SET_OAEP_PARAMS provides the parameters to the
+ * CKM_KEY_WRAP_SET_OAEP mechanism
+ */
+typedef struct CK_KEY_WRAP_SET_OAEP_PARAMS {
+ CK_BYTE bBC; /* block contents byte */
+ CK_BYTE_PTR pX; /* extra data */
+ CK_ULONG ulXLen; /* length of extra data in bytes */
+} CK_KEY_WRAP_SET_OAEP_PARAMS;
+
+typedef CK_KEY_WRAP_SET_OAEP_PARAMS CK_PTR CK_KEY_WRAP_SET_OAEP_PARAMS_PTR;
+
+typedef struct CK_SSL3_RANDOM_DATA {
+ CK_BYTE_PTR pClientRandom;
+ CK_ULONG ulClientRandomLen;
+ CK_BYTE_PTR pServerRandom;
+ CK_ULONG ulServerRandomLen;
+} CK_SSL3_RANDOM_DATA;
+
+
+typedef struct CK_SSL3_MASTER_KEY_DERIVE_PARAMS {
+ CK_SSL3_RANDOM_DATA RandomInfo;
+ CK_VERSION_PTR pVersion;
+} CK_SSL3_MASTER_KEY_DERIVE_PARAMS;
+
+typedef struct CK_SSL3_MASTER_KEY_DERIVE_PARAMS CK_PTR \
+ CK_SSL3_MASTER_KEY_DERIVE_PARAMS_PTR;
+
+typedef struct CK_SSL3_KEY_MAT_OUT {
+ CK_OBJECT_HANDLE hClientMacSecret;
+ CK_OBJECT_HANDLE hServerMacSecret;
+ CK_OBJECT_HANDLE hClientKey;
+ CK_OBJECT_HANDLE hServerKey;
+ CK_BYTE_PTR pIVClient;
+ CK_BYTE_PTR pIVServer;
+} CK_SSL3_KEY_MAT_OUT;
+
+typedef CK_SSL3_KEY_MAT_OUT CK_PTR CK_SSL3_KEY_MAT_OUT_PTR;
+
+
+typedef struct CK_SSL3_KEY_MAT_PARAMS {
+ CK_ULONG ulMacSizeInBits;
+ CK_ULONG ulKeySizeInBits;
+ CK_ULONG ulIVSizeInBits;
+ CK_BBOOL bIsExport;
+ CK_SSL3_RANDOM_DATA RandomInfo;
+ CK_SSL3_KEY_MAT_OUT_PTR pReturnedKeyMaterial;
+} CK_SSL3_KEY_MAT_PARAMS;
+
+typedef CK_SSL3_KEY_MAT_PARAMS CK_PTR CK_SSL3_KEY_MAT_PARAMS_PTR;
+
+typedef struct CK_TLS_PRF_PARAMS {
+ CK_BYTE_PTR pSeed;
+ CK_ULONG ulSeedLen;
+ CK_BYTE_PTR pLabel;
+ CK_ULONG ulLabelLen;
+ CK_BYTE_PTR pOutput;
+ CK_ULONG_PTR pulOutputLen;
+} CK_TLS_PRF_PARAMS;
+
+typedef CK_TLS_PRF_PARAMS CK_PTR CK_TLS_PRF_PARAMS_PTR;
+
+typedef struct CK_WTLS_RANDOM_DATA {
+ CK_BYTE_PTR pClientRandom;
+ CK_ULONG ulClientRandomLen;
+ CK_BYTE_PTR pServerRandom;
+ CK_ULONG ulServerRandomLen;
+} CK_WTLS_RANDOM_DATA;
+
+typedef CK_WTLS_RANDOM_DATA CK_PTR CK_WTLS_RANDOM_DATA_PTR;
+
+typedef struct CK_WTLS_MASTER_KEY_DERIVE_PARAMS {
+ CK_MECHANISM_TYPE DigestMechanism;
+ CK_WTLS_RANDOM_DATA RandomInfo;
+ CK_BYTE_PTR pVersion;
+} CK_WTLS_MASTER_KEY_DERIVE_PARAMS;
+
+typedef CK_WTLS_MASTER_KEY_DERIVE_PARAMS CK_PTR \
+ CK_WTLS_MASTER_KEY_DERIVE_PARAMS_PTR;
+
+typedef struct CK_WTLS_PRF_PARAMS {
+ CK_MECHANISM_TYPE DigestMechanism;
+ CK_BYTE_PTR pSeed;
+ CK_ULONG ulSeedLen;
+ CK_BYTE_PTR pLabel;
+ CK_ULONG ulLabelLen;
+ CK_BYTE_PTR pOutput;
+ CK_ULONG_PTR pulOutputLen;
+} CK_WTLS_PRF_PARAMS;
+
+typedef CK_WTLS_PRF_PARAMS CK_PTR CK_WTLS_PRF_PARAMS_PTR;
+
+typedef struct CK_WTLS_KEY_MAT_OUT {
+ CK_OBJECT_HANDLE hMacSecret;
+ CK_OBJECT_HANDLE hKey;
+ CK_BYTE_PTR pIV;
+} CK_WTLS_KEY_MAT_OUT;
+
+typedef CK_WTLS_KEY_MAT_OUT CK_PTR CK_WTLS_KEY_MAT_OUT_PTR;
+
+typedef struct CK_WTLS_KEY_MAT_PARAMS {
+ CK_MECHANISM_TYPE DigestMechanism;
+ CK_ULONG ulMacSizeInBits;
+ CK_ULONG ulKeySizeInBits;
+ CK_ULONG ulIVSizeInBits;
+ CK_ULONG ulSequenceNumber;
+ CK_BBOOL bIsExport;
+ CK_WTLS_RANDOM_DATA RandomInfo;
+ CK_WTLS_KEY_MAT_OUT_PTR pReturnedKeyMaterial;
+} CK_WTLS_KEY_MAT_PARAMS;
+
+typedef CK_WTLS_KEY_MAT_PARAMS CK_PTR CK_WTLS_KEY_MAT_PARAMS_PTR;
+
+typedef struct CK_CMS_SIG_PARAMS {
+ CK_OBJECT_HANDLE certificateHandle;
+ CK_MECHANISM_PTR pSigningMechanism;
+ CK_MECHANISM_PTR pDigestMechanism;
+ CK_UTF8CHAR_PTR pContentType;
+ CK_BYTE_PTR pRequestedAttributes;
+ CK_ULONG ulRequestedAttributesLen;
+ CK_BYTE_PTR pRequiredAttributes;
+ CK_ULONG ulRequiredAttributesLen;
+} CK_CMS_SIG_PARAMS;
+
+typedef CK_CMS_SIG_PARAMS CK_PTR CK_CMS_SIG_PARAMS_PTR;
+
+typedef struct CK_KEY_DERIVATION_STRING_DATA {
+ CK_BYTE_PTR pData;
+ CK_ULONG ulLen;
+} CK_KEY_DERIVATION_STRING_DATA;
+
+typedef CK_KEY_DERIVATION_STRING_DATA CK_PTR \
+ CK_KEY_DERIVATION_STRING_DATA_PTR;
+
+
+/* The CK_EXTRACT_PARAMS is used for the
+ * CKM_EXTRACT_KEY_FROM_KEY mechanism. It specifies which bit
+ * of the base key should be used as the first bit of the
+ * derived key
+ */
+typedef CK_ULONG CK_EXTRACT_PARAMS;
+
+typedef CK_EXTRACT_PARAMS CK_PTR CK_EXTRACT_PARAMS_PTR;
+
+/* CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE is used to
+ * indicate the Pseudo-Random Function (PRF) used to generate
+ * key bits using PKCS #5 PBKDF2.
+ */
+typedef CK_ULONG CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE;
+
+typedef CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE CK_PTR \
+ CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE_PTR;
+
+#define CKP_PKCS5_PBKD2_HMAC_SHA1 0x00000001UL
+#define CKP_PKCS5_PBKD2_HMAC_GOSTR3411 0x00000002UL
+#define CKP_PKCS5_PBKD2_HMAC_SHA224 0x00000003UL
+#define CKP_PKCS5_PBKD2_HMAC_SHA256 0x00000004UL
+#define CKP_PKCS5_PBKD2_HMAC_SHA384 0x00000005UL
+#define CKP_PKCS5_PBKD2_HMAC_SHA512 0x00000006UL
+#define CKP_PKCS5_PBKD2_HMAC_SHA512_224 0x00000007UL
+#define CKP_PKCS5_PBKD2_HMAC_SHA512_256 0x00000008UL
+
+/* CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE is used to indicate the
+ * source of the salt value when deriving a key using PKCS #5
+ * PBKDF2.
+ */
+typedef CK_ULONG CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE;
+
+typedef CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE CK_PTR \
+ CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE_PTR;
+
+/* The following salt value sources are defined in PKCS #5 v2.0. */
+#define CKZ_SALT_SPECIFIED 0x00000001UL
+
+/* CK_PKCS5_PBKD2_PARAMS is a structure that provides the
+ * parameters to the CKM_PKCS5_PBKD2 mechanism.
+ */
+typedef struct CK_PKCS5_PBKD2_PARAMS {
+ CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE saltSource;
+ CK_VOID_PTR pSaltSourceData;
+ CK_ULONG ulSaltSourceDataLen;
+ CK_ULONG iterations;
+ CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE prf;
+ CK_VOID_PTR pPrfData;
+ CK_ULONG ulPrfDataLen;
+ CK_UTF8CHAR_PTR pPassword;
+ CK_ULONG_PTR ulPasswordLen;
+} CK_PKCS5_PBKD2_PARAMS;
+
+typedef CK_PKCS5_PBKD2_PARAMS CK_PTR CK_PKCS5_PBKD2_PARAMS_PTR;
+
+/* CK_PKCS5_PBKD2_PARAMS2 is a corrected version of the CK_PKCS5_PBKD2_PARAMS
+ * structure that provides the parameters to the CKM_PKCS5_PBKD2 mechanism
+ * noting that the ulPasswordLen field is a CK_ULONG and not a CK_ULONG_PTR.
+ */
+typedef struct CK_PKCS5_PBKD2_PARAMS2 {
+ CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE saltSource;
+ CK_VOID_PTR pSaltSourceData;
+ CK_ULONG ulSaltSourceDataLen;
+ CK_ULONG iterations;
+ CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE prf;
+ CK_VOID_PTR pPrfData;
+ CK_ULONG ulPrfDataLen;
+ CK_UTF8CHAR_PTR pPassword;
+ CK_ULONG ulPasswordLen;
+} CK_PKCS5_PBKD2_PARAMS2;
+
+typedef CK_PKCS5_PBKD2_PARAMS2 CK_PTR CK_PKCS5_PBKD2_PARAMS2_PTR;
+
+typedef CK_ULONG CK_OTP_PARAM_TYPE;
+typedef CK_OTP_PARAM_TYPE CK_PARAM_TYPE; /* backward compatibility */
+
+typedef struct CK_OTP_PARAM {
+ CK_OTP_PARAM_TYPE type;
+ CK_VOID_PTR pValue;
+ CK_ULONG ulValueLen;
+} CK_OTP_PARAM;
+
+typedef CK_OTP_PARAM CK_PTR CK_OTP_PARAM_PTR;
+
+typedef struct CK_OTP_PARAMS {
+ CK_OTP_PARAM_PTR pParams;
+ CK_ULONG ulCount;
+} CK_OTP_PARAMS;
+
+typedef CK_OTP_PARAMS CK_PTR CK_OTP_PARAMS_PTR;
+
+typedef struct CK_OTP_SIGNATURE_INFO {
+ CK_OTP_PARAM_PTR pParams;
+ CK_ULONG ulCount;
+} CK_OTP_SIGNATURE_INFO;
+
+typedef CK_OTP_SIGNATURE_INFO CK_PTR CK_OTP_SIGNATURE_INFO_PTR;
+
+#define CK_OTP_VALUE 0UL
+#define CK_OTP_PIN 1UL
+#define CK_OTP_CHALLENGE 2UL
+#define CK_OTP_TIME 3UL
+#define CK_OTP_COUNTER 4UL
+#define CK_OTP_FLAGS 5UL
+#define CK_OTP_OUTPUT_LENGTH 6UL
+#define CK_OTP_OUTPUT_FORMAT 7UL
+
+#define CKF_NEXT_OTP 0x00000001UL
+#define CKF_EXCLUDE_TIME 0x00000002UL
+#define CKF_EXCLUDE_COUNTER 0x00000004UL
+#define CKF_EXCLUDE_CHALLENGE 0x00000008UL
+#define CKF_EXCLUDE_PIN 0x00000010UL
+#define CKF_USER_FRIENDLY_OTP 0x00000020UL
+
+typedef struct CK_KIP_PARAMS {
+ CK_MECHANISM_PTR pMechanism;
+ CK_OBJECT_HANDLE hKey;
+ CK_BYTE_PTR pSeed;
+ CK_ULONG ulSeedLen;
+} CK_KIP_PARAMS;
+
+typedef CK_KIP_PARAMS CK_PTR CK_KIP_PARAMS_PTR;
+
+typedef struct CK_AES_CTR_PARAMS {
+ CK_ULONG ulCounterBits;
+ CK_BYTE cb[16];
+} CK_AES_CTR_PARAMS;
+
+typedef CK_AES_CTR_PARAMS CK_PTR CK_AES_CTR_PARAMS_PTR;
+
+typedef struct CK_GCM_PARAMS {
+ CK_BYTE_PTR pIv;
+ CK_ULONG ulIvLen;
+ CK_ULONG ulIvBits;
+ CK_BYTE_PTR pAAD;
+ CK_ULONG ulAADLen;
+ CK_ULONG ulTagBits;
+} CK_GCM_PARAMS;
+
+typedef CK_GCM_PARAMS CK_PTR CK_GCM_PARAMS_PTR;
+
+typedef struct CK_CCM_PARAMS {
+ CK_ULONG ulDataLen;
+ CK_BYTE_PTR pNonce;
+ CK_ULONG ulNonceLen;
+ CK_BYTE_PTR pAAD;
+ CK_ULONG ulAADLen;
+ CK_ULONG ulMACLen;
+} CK_CCM_PARAMS;
+
+typedef CK_CCM_PARAMS CK_PTR CK_CCM_PARAMS_PTR;
+
+/* Deprecated. Use CK_GCM_PARAMS */
+typedef struct CK_AES_GCM_PARAMS {
+ CK_BYTE_PTR pIv;
+ CK_ULONG ulIvLen;
+ CK_ULONG ulIvBits;
+ CK_BYTE_PTR pAAD;
+ CK_ULONG ulAADLen;
+ CK_ULONG ulTagBits;
+} CK_AES_GCM_PARAMS;
+
+typedef CK_AES_GCM_PARAMS CK_PTR CK_AES_GCM_PARAMS_PTR;
+
+/* Deprecated. Use CK_CCM_PARAMS */
+typedef struct CK_AES_CCM_PARAMS {
+ CK_ULONG ulDataLen;
+ CK_BYTE_PTR pNonce;
+ CK_ULONG ulNonceLen;
+ CK_BYTE_PTR pAAD;
+ CK_ULONG ulAADLen;
+ CK_ULONG ulMACLen;
+} CK_AES_CCM_PARAMS;
+
+typedef CK_AES_CCM_PARAMS CK_PTR CK_AES_CCM_PARAMS_PTR;
+
+typedef struct CK_CAMELLIA_CTR_PARAMS {
+ CK_ULONG ulCounterBits;
+ CK_BYTE cb[16];
+} CK_CAMELLIA_CTR_PARAMS;
+
+typedef CK_CAMELLIA_CTR_PARAMS CK_PTR CK_CAMELLIA_CTR_PARAMS_PTR;
+
+typedef struct CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS {
+ CK_BYTE iv[16];
+ CK_BYTE_PTR pData;
+ CK_ULONG length;
+} CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS;
+
+typedef CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS CK_PTR \
+ CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS_PTR;
+
+typedef struct CK_ARIA_CBC_ENCRYPT_DATA_PARAMS {
+ CK_BYTE iv[16];
+ CK_BYTE_PTR pData;
+ CK_ULONG length;
+} CK_ARIA_CBC_ENCRYPT_DATA_PARAMS;
+
+typedef CK_ARIA_CBC_ENCRYPT_DATA_PARAMS CK_PTR \
+ CK_ARIA_CBC_ENCRYPT_DATA_PARAMS_PTR;
+
+typedef struct CK_DSA_PARAMETER_GEN_PARAM {
+ CK_MECHANISM_TYPE hash;
+ CK_BYTE_PTR pSeed;
+ CK_ULONG ulSeedLen;
+ CK_ULONG ulIndex;
+} CK_DSA_PARAMETER_GEN_PARAM;
+
+typedef CK_DSA_PARAMETER_GEN_PARAM CK_PTR CK_DSA_PARAMETER_GEN_PARAM_PTR;
+
+typedef struct CK_ECDH_AES_KEY_WRAP_PARAMS {
+ CK_ULONG ulAESKeyBits;
+ CK_EC_KDF_TYPE kdf;
+ CK_ULONG ulSharedDataLen;
+ CK_BYTE_PTR pSharedData;
+} CK_ECDH_AES_KEY_WRAP_PARAMS;
+
+typedef CK_ECDH_AES_KEY_WRAP_PARAMS CK_PTR CK_ECDH_AES_KEY_WRAP_PARAMS_PTR;
+
+typedef CK_ULONG CK_JAVA_MIDP_SECURITY_DOMAIN;
+
+typedef CK_ULONG CK_CERTIFICATE_CATEGORY;
+
+typedef struct CK_RSA_AES_KEY_WRAP_PARAMS {
+ CK_ULONG ulAESKeyBits;
+ CK_RSA_PKCS_OAEP_PARAMS_PTR pOAEPParams;
+} CK_RSA_AES_KEY_WRAP_PARAMS;
+
+typedef CK_RSA_AES_KEY_WRAP_PARAMS CK_PTR CK_RSA_AES_KEY_WRAP_PARAMS_PTR;
+
+typedef struct CK_TLS12_MASTER_KEY_DERIVE_PARAMS {
+ CK_SSL3_RANDOM_DATA RandomInfo;
+ CK_VERSION_PTR pVersion;
+ CK_MECHANISM_TYPE prfHashMechanism;
+} CK_TLS12_MASTER_KEY_DERIVE_PARAMS;
+
+typedef CK_TLS12_MASTER_KEY_DERIVE_PARAMS CK_PTR \
+ CK_TLS12_MASTER_KEY_DERIVE_PARAMS_PTR;
+
+typedef struct CK_TLS12_KEY_MAT_PARAMS {
+ CK_ULONG ulMacSizeInBits;
+ CK_ULONG ulKeySizeInBits;
+ CK_ULONG ulIVSizeInBits;
+ CK_BBOOL bIsExport;
+ CK_SSL3_RANDOM_DATA RandomInfo;
+ CK_SSL3_KEY_MAT_OUT_PTR pReturnedKeyMaterial;
+ CK_MECHANISM_TYPE prfHashMechanism;
+} CK_TLS12_KEY_MAT_PARAMS;
+
+typedef CK_TLS12_KEY_MAT_PARAMS CK_PTR CK_TLS12_KEY_MAT_PARAMS_PTR;
+
+typedef struct CK_TLS_KDF_PARAMS {
+ CK_MECHANISM_TYPE prfMechanism;
+ CK_BYTE_PTR pLabel;
+ CK_ULONG ulLabelLength;
+ CK_SSL3_RANDOM_DATA RandomInfo;
+ CK_BYTE_PTR pContextData;
+ CK_ULONG ulContextDataLength;
+} CK_TLS_KDF_PARAMS;
+
+typedef CK_TLS_KDF_PARAMS CK_PTR CK_TLS_KDF_PARAMS_PTR;
+
+typedef struct CK_TLS_MAC_PARAMS {
+ CK_MECHANISM_TYPE prfHashMechanism;
+ CK_ULONG ulMacLength;
+ CK_ULONG ulServerOrClient;
+} CK_TLS_MAC_PARAMS;
+
+typedef CK_TLS_MAC_PARAMS CK_PTR CK_TLS_MAC_PARAMS_PTR;
+
+typedef struct CK_GOSTR3410_DERIVE_PARAMS {
+ CK_EC_KDF_TYPE kdf;
+ CK_BYTE_PTR pPublicData;
+ CK_ULONG ulPublicDataLen;
+ CK_BYTE_PTR pUKM;
+ CK_ULONG ulUKMLen;
+} CK_GOSTR3410_DERIVE_PARAMS;
+
+typedef CK_GOSTR3410_DERIVE_PARAMS CK_PTR CK_GOSTR3410_DERIVE_PARAMS_PTR;
+
+typedef struct CK_GOSTR3410_KEY_WRAP_PARAMS {
+ CK_BYTE_PTR pWrapOID;
+ CK_ULONG ulWrapOIDLen;
+ CK_BYTE_PTR pUKM;
+ CK_ULONG ulUKMLen;
+ CK_OBJECT_HANDLE hKey;
+} CK_GOSTR3410_KEY_WRAP_PARAMS;
+
+typedef CK_GOSTR3410_KEY_WRAP_PARAMS CK_PTR CK_GOSTR3410_KEY_WRAP_PARAMS_PTR;
+
+typedef struct CK_SEED_CBC_ENCRYPT_DATA_PARAMS {
+ CK_BYTE iv[16];
+ CK_BYTE_PTR pData;
+ CK_ULONG length;
+} CK_SEED_CBC_ENCRYPT_DATA_PARAMS;
+
+typedef CK_SEED_CBC_ENCRYPT_DATA_PARAMS CK_PTR \
+ CK_SEED_CBC_ENCRYPT_DATA_PARAMS_PTR;
+
+#endif /* _PKCS11T_H_ */
+
diff --git a/vendor/github.com/miekg/pkcs11/release.go b/vendor/github.com/miekg/pkcs11/release.go
new file mode 100644
index 000000000..4380f374d
--- /dev/null
+++ b/vendor/github.com/miekg/pkcs11/release.go
@@ -0,0 +1,17 @@
+// +build release
+
+package pkcs11
+
+import "fmt"
+
+// Release is current version of the pkcs11 library.
+var Release = R{1, 0, 3}
+
+// R holds the version of this library.
+type R struct {
+ Major, Minor, Patch int
+}
+
+func (r R) String() string {
+ return fmt.Sprintf("%d.%d.%d", r.Major, r.Minor, r.Patch)
+}
diff --git a/vendor/github.com/miekg/pkcs11/softhsm.conf b/vendor/github.com/miekg/pkcs11/softhsm.conf
new file mode 100644
index 000000000..f95862b10
--- /dev/null
+++ b/vendor/github.com/miekg/pkcs11/softhsm.conf
@@ -0,0 +1 @@
+0:hsm.db
diff --git a/vendor/github.com/miekg/pkcs11/softhsm2.conf b/vendor/github.com/miekg/pkcs11/softhsm2.conf
new file mode 100644
index 000000000..876990cdd
--- /dev/null
+++ b/vendor/github.com/miekg/pkcs11/softhsm2.conf
@@ -0,0 +1,4 @@
+log.level = INFO
+objectstore.backend = file
+directories.tokendir = test_data
+slots.removable = false
diff --git a/vendor/github.com/miekg/pkcs11/types.go b/vendor/github.com/miekg/pkcs11/types.go
new file mode 100644
index 000000000..970db9061
--- /dev/null
+++ b/vendor/github.com/miekg/pkcs11/types.go
@@ -0,0 +1,303 @@
+// Copyright 2013 Miek Gieben. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package pkcs11
+
+/*
+#include <stdlib.h>
+#include <string.h>
+#include "pkcs11go.h"
+
+CK_ULONG Index(CK_ULONG_PTR array, CK_ULONG i)
+{
+ return array[i];
+}
+
+static inline void putAttributePval(CK_ATTRIBUTE_PTR a, CK_VOID_PTR pValue)
+{
+ a->pValue = pValue;
+}
+
+static inline void putMechanismParam(CK_MECHANISM_PTR m, CK_VOID_PTR pParameter)
+{
+ m->pParameter = pParameter;
+}
+*/
+import "C"
+
+import (
+ "fmt"
+ "time"
+ "unsafe"
+)
+
+type arena []unsafe.Pointer
+
+func (a *arena) Allocate(obj []byte) (C.CK_VOID_PTR, C.CK_ULONG) {
+ cobj := C.calloc(C.size_t(len(obj)), 1)
+ *a = append(*a, cobj)
+ C.memmove(cobj, unsafe.Pointer(&obj[0]), C.size_t(len(obj)))
+ return C.CK_VOID_PTR(cobj), C.CK_ULONG(len(obj))
+}
+
+func (a arena) Free() {
+ for _, p := range a {
+ C.free(p)
+ }
+}
+
+// toList converts from a C style array to a []uint.
+func toList(clist C.CK_ULONG_PTR, size C.CK_ULONG) []uint {
+ l := make([]uint, int(size))
+ for i := 0; i < len(l); i++ {
+ l[i] = uint(C.Index(clist, C.CK_ULONG(i)))
+ }
+ defer C.free(unsafe.Pointer(clist))
+ return l
+}
+
+// cBBool converts a bool to a CK_BBOOL.
+func cBBool(x bool) C.CK_BBOOL {
+ if x {
+ return C.CK_BBOOL(C.CK_TRUE)
+ }
+ return C.CK_BBOOL(C.CK_FALSE)
+}
+
+func uintToBytes(x uint64) []byte {
+ ul := C.CK_ULONG(x)
+ return C.GoBytes(unsafe.Pointer(&ul), C.int(unsafe.Sizeof(ul)))
+}
+
+// Error represents an PKCS#11 error.
+type Error uint
+
+func (e Error) Error() string {
+ return fmt.Sprintf("pkcs11: 0x%X: %s", uint(e), strerror[uint(e)])
+}
+
+func toError(e C.CK_RV) error {
+ if e == C.CKR_OK {
+ return nil
+ }
+ return Error(e)
+}
+
+// SessionHandle is a Cryptoki-assigned value that identifies a session.
+type SessionHandle uint
+
+// ObjectHandle is a token-specific identifier for an object.
+type ObjectHandle uint
+
+// Version represents any version information from the library.
+type Version struct {
+ Major byte
+ Minor byte
+}
+
+func toVersion(version C.CK_VERSION) Version {
+ return Version{byte(version.major), byte(version.minor)}
+}
+
+// SlotEvent holds the SlotID which for which an slot event (token insertion,
+// removal, etc.) occurred.
+type SlotEvent struct {
+ SlotID uint
+}
+
+// Info provides information about the library and hardware used.
+type Info struct {
+ CryptokiVersion Version
+ ManufacturerID string
+ Flags uint
+ LibraryDescription string
+ LibraryVersion Version
+}
+
+// SlotInfo provides information about a slot.
+type SlotInfo struct {
+ SlotDescription string // 64 bytes.
+ ManufacturerID string // 32 bytes.
+ Flags uint
+ HardwareVersion Version
+ FirmwareVersion Version
+}
+
+// TokenInfo provides information about a token.
+type TokenInfo struct {
+ Label string
+ ManufacturerID string
+ Model string
+ SerialNumber string
+ Flags uint
+ MaxSessionCount uint
+ SessionCount uint
+ MaxRwSessionCount uint
+ RwSessionCount uint
+ MaxPinLen uint
+ MinPinLen uint
+ TotalPublicMemory uint
+ FreePublicMemory uint
+ TotalPrivateMemory uint
+ FreePrivateMemory uint
+ HardwareVersion Version
+ FirmwareVersion Version
+ UTCTime string
+}
+
+// SessionInfo provides information about a session.
+type SessionInfo struct {
+ SlotID uint
+ State uint
+ Flags uint
+ DeviceError uint
+}
+
+// Attribute holds an attribute type/value combination.
+type Attribute struct {
+ Type uint
+ Value []byte
+}
+
+// NewAttribute allocates a Attribute and returns a pointer to it.
+// Note that this is merely a convenience function, as values returned
+// from the HSM are not converted back to Go values, those are just raw
+// byte slices.
+func NewAttribute(typ uint, x interface{}) *Attribute {
+ // This function nicely transforms *to* an attribute, but there is
+ // no corresponding function that transform back *from* an attribute,
+ // which in PKCS#11 is just an byte array.
+ a := new(Attribute)
+ a.Type = typ
+ if x == nil {
+ return a
+ }
+ switch v := x.(type) {
+ case bool:
+ if v {
+ a.Value = []byte{1}
+ } else {
+ a.Value = []byte{0}
+ }
+ case int:
+ a.Value = uintToBytes(uint64(v))
+ case uint:
+ a.Value = uintToBytes(uint64(v))
+ case string:
+ a.Value = []byte(v)
+ case []byte:
+ a.Value = v
+ case time.Time: // for CKA_DATE
+ a.Value = cDate(v)
+ default:
+ panic("pkcs11: unhandled attribute type")
+ }
+ return a
+}
+
+// cAttribute returns the start address and the length of an attribute list.
+func cAttributeList(a []*Attribute) (arena, C.CK_ATTRIBUTE_PTR, C.CK_ULONG) {
+ var arena arena
+ if len(a) == 0 {
+ return nil, nil, 0
+ }
+ pa := make([]C.CK_ATTRIBUTE, len(a))
+ for i, attr := range a {
+ pa[i]._type = C.CK_ATTRIBUTE_TYPE(attr.Type)
+ if len(attr.Value) != 0 {
+ buf, len := arena.Allocate(attr.Value)
+ // field is unaligned on windows so this has to call into C
+ C.putAttributePval(&pa[i], buf)
+ pa[i].ulValueLen = len
+ }
+ }
+ return arena, &pa[0], C.CK_ULONG(len(a))
+}
+
+func cDate(t time.Time) []byte {
+ b := make([]byte, 8)
+ year, month, day := t.Date()
+ y := fmt.Sprintf("%4d", year)
+ m := fmt.Sprintf("%02d", month)
+ d1 := fmt.Sprintf("%02d", day)
+ b[0], b[1], b[2], b[3] = y[0], y[1], y[2], y[3]
+ b[4], b[5] = m[0], m[1]
+ b[6], b[7] = d1[0], d1[1]
+ return b
+}
+
+// Mechanism holds an mechanism type/value combination.
+type Mechanism struct {
+ Mechanism uint
+ Parameter []byte
+ generator interface{}
+}
+
+// NewMechanism returns a pointer to an initialized Mechanism.
+func NewMechanism(mech uint, x interface{}) *Mechanism {
+ m := new(Mechanism)
+ m.Mechanism = mech
+ if x == nil {
+ return m
+ }
+
+ switch p := x.(type) {
+ case *GCMParams, *OAEPParams, *ECDH1DeriveParams:
+ // contains pointers; defer serialization until cMechanism
+ m.generator = p
+ case []byte:
+ m.Parameter = p
+ default:
+ panic("parameter must be one of type: []byte, *GCMParams, *OAEPParams, *ECDH1DeriveParams")
+ }
+
+ return m
+}
+
+func cMechanism(mechList []*Mechanism) (arena, *C.CK_MECHANISM) {
+ if len(mechList) != 1 {
+ panic("expected exactly one mechanism")
+ }
+ mech := mechList[0]
+ cmech := &C.CK_MECHANISM{mechanism: C.CK_MECHANISM_TYPE(mech.Mechanism)}
+ // params that contain pointers are allocated here
+ param := mech.Parameter
+ var arena arena
+ switch p := mech.generator.(type) {
+ case *GCMParams:
+ // uses its own arena because it has to outlive this function call (yuck)
+ param = cGCMParams(p)
+ case *OAEPParams:
+ param, arena = cOAEPParams(p, arena)
+ case *ECDH1DeriveParams:
+ param, arena = cECDH1DeriveParams(p, arena)
+ }
+ if len(param) != 0 {
+ buf, len := arena.Allocate(param)
+ // field is unaligned on windows so this has to call into C
+ C.putMechanismParam(cmech, buf)
+ cmech.ulParameterLen = len
+ }
+ return arena, cmech
+}
+
+// MechanismInfo provides information about a particular mechanism.
+type MechanismInfo struct {
+ MinKeySize uint
+ MaxKeySize uint
+ Flags uint
+}
+
+// stubData is a persistent nonempty byte array used by cMessage.
+var stubData = []byte{0}
+
+// cMessage returns the pointer/length pair corresponding to data.
+func cMessage(data []byte) (dataPtr C.CK_BYTE_PTR) {
+ l := len(data)
+ if l == 0 {
+ // &data[0] is forbidden in this case, so use a nontrivial array instead.
+ data = stubData
+ }
+ return C.CK_BYTE_PTR(unsafe.Pointer(&data[0]))
+}
diff --git a/vendor/github.com/miekg/pkcs11/vendor.go b/vendor/github.com/miekg/pkcs11/vendor.go
new file mode 100644
index 000000000..83188e500
--- /dev/null
+++ b/vendor/github.com/miekg/pkcs11/vendor.go
@@ -0,0 +1,127 @@
+package pkcs11
+
+// Vendor specific range for Ncipher network HSM.
+const (
+ NFCK_VENDOR_NCIPHER = 0xde436972
+ CKA_NCIPHER = NFCK_VENDOR_NCIPHER
+ CKM_NCIPHER = NFCK_VENDOR_NCIPHER
+ CKK_NCIPHER = NFCK_VENDOR_NCIPHER
+)
+
+// Vendor specific mechanisms for HMAC on Ncipher HSMs where Ncipher does not allow use of generic_secret keys.
+const (
+ CKM_NC_SHA_1_HMAC_KEY_GEN = CKM_NCIPHER + 0x3 /* no params */
+ CKM_NC_MD5_HMAC_KEY_GEN = CKM_NCIPHER + 0x6 /* no params */
+ CKM_NC_SHA224_HMAC_KEY_GEN = CKM_NCIPHER + 0x24 /* no params */
+ CKM_NC_SHA256_HMAC_KEY_GEN = CKM_NCIPHER + 0x25 /* no params */
+ CKM_NC_SHA384_HMAC_KEY_GEN = CKM_NCIPHER + 0x26 /* no params */
+ CKM_NC_SHA512_HMAC_KEY_GEN = CKM_NCIPHER + 0x27 /* no params */
+)
+
+// Vendor specific range for Mozilla NSS.
+const (
+ NSSCK_VENDOR_NSS = 0x4E534350
+ CKO_NSS = CKO_VENDOR_DEFINED | NSSCK_VENDOR_NSS
+ CKK_NSS = CKK_VENDOR_DEFINED | NSSCK_VENDOR_NSS
+ CKC_NSS = CKC_VENDOR_DEFINED | NSSCK_VENDOR_NSS
+ CKA_NSS = CKA_VENDOR_DEFINED | NSSCK_VENDOR_NSS
+ CKA_TRUST = CKA_NSS + 0x2000
+ CKM_NSS = CKM_VENDOR_DEFINED | NSSCK_VENDOR_NSS
+ CKR_NSS = CKM_VENDOR_DEFINED | NSSCK_VENDOR_NSS
+ CKT_VENDOR_DEFINED = 0x80000000
+ CKT_NSS = CKT_VENDOR_DEFINED | NSSCK_VENDOR_NSS
+)
+
+// Vendor specific values for Mozilla NSS.
+const (
+ CKO_NSS_CRL = CKO_NSS + 1
+ CKO_NSS_SMIME = CKO_NSS + 2
+ CKO_NSS_TRUST = CKO_NSS + 3
+ CKO_NSS_BUILTIN_ROOT_LIST = CKO_NSS + 4
+ CKO_NSS_NEWSLOT = CKO_NSS + 5
+ CKO_NSS_DELSLOT = CKO_NSS + 6
+ CKK_NSS_PKCS8 = CKK_NSS + 1
+ CKK_NSS_JPAKE_ROUND1 = CKK_NSS + 2
+ CKK_NSS_JPAKE_ROUND2 = CKK_NSS + 3
+ CKK_NSS_CHACHA20 = CKK_NSS + 4
+ CKA_NSS_URL = CKA_NSS + 1
+ CKA_NSS_EMAIL = CKA_NSS + 2
+ CKA_NSS_SMIME_INFO = CKA_NSS + 3
+ CKA_NSS_SMIME_TIMESTAMP = CKA_NSS + 4
+ CKA_NSS_PKCS8_SALT = CKA_NSS + 5
+ CKA_NSS_PASSWORD_CHECK = CKA_NSS + 6
+ CKA_NSS_EXPIRES = CKA_NSS + 7
+ CKA_NSS_KRL = CKA_NSS + 8
+ CKA_NSS_PQG_COUNTER = CKA_NSS + 20
+ CKA_NSS_PQG_SEED = CKA_NSS + 21
+ CKA_NSS_PQG_H = CKA_NSS + 22
+ CKA_NSS_PQG_SEED_BITS = CKA_NSS + 23
+ CKA_NSS_MODULE_SPEC = CKA_NSS + 24
+ CKA_NSS_OVERRIDE_EXTENSIONS = CKA_NSS + 25
+ CKA_NSS_JPAKE_SIGNERID = CKA_NSS + 26
+ CKA_NSS_JPAKE_PEERID = CKA_NSS + 27
+ CKA_NSS_JPAKE_GX1 = CKA_NSS + 28
+ CKA_NSS_JPAKE_GX2 = CKA_NSS + 29
+ CKA_NSS_JPAKE_GX3 = CKA_NSS + 30
+ CKA_NSS_JPAKE_GX4 = CKA_NSS + 31
+ CKA_NSS_JPAKE_X2 = CKA_NSS + 32
+ CKA_NSS_JPAKE_X2S = CKA_NSS + 33
+ CKA_NSS_MOZILLA_CA_POLICY = CKA_NSS + 34
+ CKA_TRUST_DIGITAL_SIGNATURE = CKA_TRUST + 1
+ CKA_TRUST_NON_REPUDIATION = CKA_TRUST + 2
+ CKA_TRUST_KEY_ENCIPHERMENT = CKA_TRUST + 3
+ CKA_TRUST_DATA_ENCIPHERMENT = CKA_TRUST + 4
+ CKA_TRUST_KEY_AGREEMENT = CKA_TRUST + 5
+ CKA_TRUST_KEY_CERT_SIGN = CKA_TRUST + 6
+ CKA_TRUST_CRL_SIGN = CKA_TRUST + 7
+ CKA_TRUST_SERVER_AUTH = CKA_TRUST + 8
+ CKA_TRUST_CLIENT_AUTH = CKA_TRUST + 9
+ CKA_TRUST_CODE_SIGNING = CKA_TRUST + 10
+ CKA_TRUST_EMAIL_PROTECTION = CKA_TRUST + 11
+ CKA_TRUST_IPSEC_END_SYSTEM = CKA_TRUST + 12
+ CKA_TRUST_IPSEC_TUNNEL = CKA_TRUST + 13
+ CKA_TRUST_IPSEC_USER = CKA_TRUST + 14
+ CKA_TRUST_TIME_STAMPING = CKA_TRUST + 15
+ CKA_TRUST_STEP_UP_APPROVED = CKA_TRUST + 16
+ CKA_CERT_SHA1_HASH = CKA_TRUST + 100
+ CKA_CERT_MD5_HASH = CKA_TRUST + 101
+ CKM_NSS_AES_KEY_WRAP = CKM_NSS + 1
+ CKM_NSS_AES_KEY_WRAP_PAD = CKM_NSS + 2
+ CKM_NSS_HKDF_SHA1 = CKM_NSS + 3
+ CKM_NSS_HKDF_SHA256 = CKM_NSS + 4
+ CKM_NSS_HKDF_SHA384 = CKM_NSS + 5
+ CKM_NSS_HKDF_SHA512 = CKM_NSS + 6
+ CKM_NSS_JPAKE_ROUND1_SHA1 = CKM_NSS + 7
+ CKM_NSS_JPAKE_ROUND1_SHA256 = CKM_NSS + 8
+ CKM_NSS_JPAKE_ROUND1_SHA384 = CKM_NSS + 9
+ CKM_NSS_JPAKE_ROUND1_SHA512 = CKM_NSS + 10
+ CKM_NSS_JPAKE_ROUND2_SHA1 = CKM_NSS + 11
+ CKM_NSS_JPAKE_ROUND2_SHA256 = CKM_NSS + 12
+ CKM_NSS_JPAKE_ROUND2_SHA384 = CKM_NSS + 13
+ CKM_NSS_JPAKE_ROUND2_SHA512 = CKM_NSS + 14
+ CKM_NSS_JPAKE_FINAL_SHA1 = CKM_NSS + 15
+ CKM_NSS_JPAKE_FINAL_SHA256 = CKM_NSS + 16
+ CKM_NSS_JPAKE_FINAL_SHA384 = CKM_NSS + 17
+ CKM_NSS_JPAKE_FINAL_SHA512 = CKM_NSS + 18
+ CKM_NSS_HMAC_CONSTANT_TIME = CKM_NSS + 19
+ CKM_NSS_SSL3_MAC_CONSTANT_TIME = CKM_NSS + 20
+ CKM_NSS_TLS_PRF_GENERAL_SHA256 = CKM_NSS + 21
+ CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256 = CKM_NSS + 22
+ CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256 = CKM_NSS + 23
+ CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 = CKM_NSS + 24
+ CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE = CKM_NSS + 25
+ CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH = CKM_NSS + 26
+ CKM_NSS_CHACHA20_KEY_GEN = CKM_NSS + 27
+ CKM_NSS_CHACHA20_POLY1305 = CKM_NSS + 28
+ CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN = CKM_NSS + 29
+ CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN = CKM_NSS + 30
+ CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN = CKM_NSS + 31
+ CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN = CKM_NSS + 32
+ CKR_NSS_CERTDB_FAILED = CKR_NSS + 1
+ CKR_NSS_KEYDB_FAILED = CKR_NSS + 2
+ CKT_NSS_TRUSTED = CKT_NSS + 1
+ CKT_NSS_TRUSTED_DELEGATOR = CKT_NSS + 2
+ CKT_NSS_MUST_VERIFY_TRUST = CKT_NSS + 3
+ CKT_NSS_NOT_TRUSTED = CKT_NSS + 10
+ CKT_NSS_TRUST_UNKNOWN = CKT_NSS + 5
+)