/usr/include/neon/ne_pkcs11.h is in libneon27-dev 0.30.0-1ubuntu1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 | /*
PKCS#11 support for neon
Copyright (C) 2008, Joe Orton <joe@manyfish.co.uk>
This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Library General Public
License as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Library General Public License for more details.
You should have received a copy of the GNU Library General Public
License along with this library; if not, write to the Free
Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
MA 02111-1307, USA
*/
#ifndef NE_PKCS11_H
#define NE_PKCS11_H 1
#include "ne_defs.h"
#include "ne_session.h"
NE_BEGIN_DECLS
typedef struct ne_ssl_pkcs11_provider_s ne_ssl_pkcs11_provider;
#define NE_PK11_OK (0)
#define NE_PK11_NOTIMPL (-1)
#define NE_PK11_FAILED (-2)
/* Initialize a PKCS#11 provider of given name. Returns NE_OK on
* success, NE_PK11_FAILED if the provider could not be
* loaded/initialized, and NE_PK11_NOTIMPL if PKCS#11 is not
* supported. On success, *provider is set to non-NULL. */
int ne_ssl_pkcs11_provider_init(ne_ssl_pkcs11_provider **provider,
const char *name);
/* Initialize a NSS softoken pseudo-PKCS#11 provider of given name
* (e.g. "softokn3") to supply a client certificate if requested,
* using database in given directory name; the other parameters may be
* NULL. Returns NE_OK on success, NE_PK11_FAILED if the provider
* could not be loaded/initialized, and NE_PK11_NOTIMPL if PKCS#11 is
* not supported. On success, *provider is set to non-NULL. */
int ne_ssl_pkcs11_nss_provider_init(ne_ssl_pkcs11_provider **provider,
const char *name, const char *directory,
const char *cert_prefix,
const char *key_prefix,
const char *secmod_db);
/* Destroy a PKCS#11 provider object. */
void ne_ssl_pkcs11_provider_destroy(ne_ssl_pkcs11_provider *provider);
/* Flags passed to PIN entry callback: */
#define NE_SSL_P11PIN_COUNT_LOW (0x01) /* an incorrect PIN has been
* entered. */
#define NE_SSL_P11PIN_FINAL_TRY (0x02) /* token will become locked if
* entered PIN is incorrect */
/* Size of buffer passed to PIN entry callback: */
#define NE_SSL_P11PINLEN (256)
/* Callback for PKCS#11 PIN entry. The callback provides the PIN code
* to unlock the token with label 'token_label' in the slot described
* by 'slot_descr'.
*
* The PIN code, as a NUL-terminated ASCII string, should be copied
* into the 'pin' buffer (of fixed length NE_SSL_P11PINLEN), and
* return 0 to indicate success. Alternatively, the callback may
* return -1 to indicate failure and cancel PIN entry (in which case,
* the contents of the 'pin' parameter are ignored).
*
* When a PIN is required, the callback will be invoked repeatedly
* (and indefinitely) until either the returned PIN code is correct,
* the callback returns failure, or the token refuses login (e.g. when
* the token is locked due to too many incorrect PINs!). For the
* first such invocation, the 'attempt' counter will have value zero;
* it will increase by one for each subsequent attempt.
*
* The NE_SSL_P11PIN_COUNT_LOW and/or NE_SSL_P11PIN_FINAL_TRY hints
* may be set in the 'flags' argument, if these hints are made
* available by the token; not all tokens expose these hints. */
typedef int (*ne_ssl_pkcs11_pin_fn)(void *userdata, int attempt,
const char *slot_descr,
const char *token_label,
unsigned int flags,
char *pin);
/* Set the PIN entry callback for the given provider. This is
* necessary for some (but not all) types of token. For tokens which
* implement an out-of-band ("protected") authentication path, the PIN
* entry callback will not be invoked. */
void ne_ssl_pkcs11_provider_pin(ne_ssl_pkcs11_provider *provider,
ne_ssl_pkcs11_pin_fn fn,
void *userdata);
/* Set up a given PKCS#11 provider to supply an appropriate client
* certificate if requested by the server. A provider may be
* configured for use in multiple sessions. */
void ne_ssl_set_pkcs11_provider(ne_session *sess,
ne_ssl_pkcs11_provider *provider);
NE_END_DECLS
#endif /* NE_PKCS11_H */
|