1 /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
4 * THE REGENTS OF THE UNIVERSITY OF MICHIGAN
7 * Permission is granted to use, copy, create derivative works
8 * and redistribute this software and such derivative works
9 * for any purpose, so long as the name of The University of
10 * Michigan is not used in any advertising or publicity
11 * pertaining to the use of distribution of this software
12 * without specific, written prior authorization. If the
13 * above copyright notice or any other identification of the
14 * University of Michigan is included in any copy of any
15 * portion of this software, then the disclaimer below must
18 * THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION
19 * FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY
20 * PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF
21 * MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING
22 * WITHOUT LIMITATION THE IMPLIED WARRANTIES OF
23 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE
24 * REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE
25 * FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR
26 * CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING
27 * OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN
28 * IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF
32 #ifndef _KRB5_INT_PKINIT_H
33 #define _KRB5_INT_PKINIT_H
/*
 * PKAuthenticator (RFC 4556 form).  Carried inside AuthPack, which the
 * client signs; the gutter numbering shows one member between cusec and
 * nonce that is not reproduced in this listing.
 */
40 typedef struct _krb5_pk_authenticator {
41 krb5_int32 cusec; /* (0..999999) -- microsecond part of the client time */
/*
 * NOTE(review): the ASN.1 range (0..4294967295) does not fit a signed
 * krb5_int32; confirm how the encoder/decoder treat values >= 2^31 before
 * assuming the full range is usable.
 */
43 krb5_int32 nonce; /* (0..4294967295) */
/*
 * Per RFC 4556 this checksum is computed over the AS-REQ body and binds the
 * signed AuthPack to the request it travels in -- confirm the exact input
 * against the code that computes/verifies it.
 */
44 krb5_checksum paChecksum;
45 } krb5_pk_authenticator;
47 /* PKAuthenticator draft9 -- the pre-RFC encoding.  Unlike the RFC 4556
 * form it names the target KDC explicitly (kdcName/kdcRealm) and, as listed
 * here, carries no paChecksum binding it to the AS-REQ body.  The gutter
 * numbering shows one member between cusec and nonce that is not reproduced
 * in this listing. */
48 typedef struct _krb5_pk_authenticator_draft9 {
49 krb5_principal kdcName; /* principal name of the intended KDC */
50 krb5_octet_data kdcRealm; /* realm of the intended KDC */
51 krb5_int32 cusec; /* (0..999999) -- microsecond part of the client time */
/*
 * NOTE(review): the ASN.1 range (0..4294967295) does not fit a signed
 * krb5_int32; confirm how values >= 2^31 are handled.
 */
53 krb5_int32 nonce; /* (0..4294967295) */
54 } krb5_pk_authenticator_draft9;
56 /* AlgorithmIdentifier (X.509 style): an OID naming the algorithm plus
 * algorithm-specific parameters.  How an absent "parameters" field is
 * represented (NULL data vs. zero length) is not shown here -- check the
 * encoder/decoder before testing for it. */
57 typedef struct _krb5_algorithm_identifier {
58 krb5_octet_data algorithm; /* OID */
59 krb5_octet_data parameters; /* Optional */
60 } krb5_algorithm_identifier;
62 /* SubjectPublicKeyInfo (X.509 style): the public key's algorithm
 * identifier plus the key material itself as a BIT STRING.  Used for the
 * client's (and KDC's) Diffie-Hellman public value in the structures below. */
63 typedef struct _krb5_subject_pk_info {
64 krb5_algorithm_identifier algorithm; /* identifies the key type / group */
65 krb5_octet_data subjectPublicKey; /* BIT STRING */
66 } krb5_subject_pk_info;
68 /** AuthPack from RFC 4556 -- the structure the client signs (CMS) and
 * sends in PA-PK-AS-REQ.  Note: the closing "} krb5_auth_pack;" line is not
 * reproduced in this listing.  The "**" members are arrays of pointers; the
 * termination convention (NULL-terminated or otherwise) is not visible here,
 * so confirm it against the encoder before iterating. */
69 typedef struct _krb5_auth_pack {
70 krb5_pk_authenticator pkAuthenticator; /* time, nonce and AS-REQ checksum */
71 krb5_subject_pk_info *clientPublicValue; /* Optional -- presumably the client's DH public value, present only in the key-agreement mode; confirm */
72 krb5_algorithm_identifier **supportedCMSTypes; /* Optional -- CMS algorithms the client accepts */
73 krb5_octet_data clientDHNonce; /* Optional -- client-contributed nonce for the DH key derivation */
74 krb5_octet_data **supportedKDFs; /* OIDs of KDFs; OPTIONAL (algorithm agility) */
/*
 * AuthPack, draft-9 form.  As listed it carries only the draft-9
 * authenticator and an optional client public value; there are no
 * supportedCMSTypes, clientDHNonce or supportedKDFs members as in the
 * RFC 4556 form above.
 */
78 typedef struct _krb5_auth_pack_draft9 {
79 krb5_pk_authenticator_draft9 pkAuthenticator;
80 krb5_subject_pk_info *clientPublicValue; /* Optional */
81 } krb5_auth_pack_draft9;
83 /* ExternalPrincipalIdentifier (RFC 4556): identifies a certificate or CA
 * by one or more of subject name, issuer+serial, or subject key identifier.
 * All three are Optional; the members are presumably DER-encoded blobs, as
 * the sibling krb5_trusted_ca comments state for issuerAndSerial -- confirm. */
84 typedef struct _krb5_external_principal_identifier {
85 krb5_octet_data subjectName; /* Optional */
86 krb5_octet_data issuerAndSerialNumber; /* Optional */
87 krb5_octet_data subjectKeyIdentifier; /* Optional */
88 } krb5_external_principal_identifier;
/*
 * TrustedCA (draft-9 form): a tagged choice identifying a CA the client
 * trusts.  The enum members below are the discriminator values and the
 * three members after them are the alternatives; the gutter numbering
 * shows that the enum wrapper, the discriminator member and the union
 * wrapper/closing lines are not reproduced in this listing.
 * UNKNOWN (-1) is the sentinel for an unset or unrecognised choice.
 */
91 typedef struct _krb5_trusted_ca {
93 choice_trusted_cas_UNKNOWN = -1,
94 choice_trusted_cas_principalName = 0,
95 choice_trusted_cas_caName = 1,
96 choice_trusted_cas_issuerAndSerial = 2
99 krb5_principal principalName; /* CA named as a Kerberos principal */
100 krb5_octet_data caName; /* fully-qualified X.500 "Name" as defined by X.509 (der-encoded) */
101 krb5_octet_data issuerAndSerial; /* Optional -- IssuerAndSerialNumber (der-encoded) */
105 /* PA-PK-AS-REQ (Draft 9 -- PA TYPE 14): client pre-authentication data.
 * signedAuthPack is the signed AuthPack as opaque bytes (its CMS framing is
 * handled elsewhere); the certificate fields let the client say which KDC
 * certificate it expects and which certificate to encrypt the reply to. */
106 typedef struct _krb5_pa_pk_as_req_draft9 {
107 krb5_octet_data signedAuthPack; /* signed krb5_auth_pack_draft9, opaque here */
108 krb5_trusted_ca **trustedCertifiers; /* Optional array -- termination convention not shown here; confirm */
109 krb5_octet_data kdcCert; /* Optional */
110 krb5_octet_data encryptionCert; /* certificate the KDC should encrypt the reply key to */
111 } krb5_pa_pk_as_req_draft9;
113 /* PA-PK-AS-REQ (rfc4556 -- PA TYPE 16): client pre-authentication data.
 * The closing "} krb5_pa_pk_as_req;" line is not reproduced in this listing.
 * Compared with the draft-9 form, trusted CAs are ExternalPrincipalIdentifiers
 * and the KDC certificate is referenced by identifier (kdcPkId). */
114 typedef struct _krb5_pa_pk_as_req {
115 krb5_octet_data signedAuthPack; /* signed krb5_auth_pack, opaque here */
116 krb5_external_principal_identifier **trustedCertifiers; /* Optional array -- termination convention not shown here; confirm */
117 krb5_octet_data kdcPkId; /* Optional */
120 /** Pkinit DHRepInfo -- the KDC's half of the DH exchange in PA-PK-AS-REP.
 * The closing "} krb5_dh_rep_info;" line is not reproduced in this listing.
 * kdfID is a pointer rather than an inline krb5_octet_data, so absence is
 * presumably signalled by NULL -- confirm against the decoder. */
121 typedef struct _krb5_dh_rep_info {
122 krb5_octet_data dhSignedData; /* KDC-signed DH key info, opaque here */
123 krb5_octet_data serverDHNonce; /* Optional -- KDC-contributed nonce for key derivation */
124 krb5_octet_data *kdfID; /* OID of selected KDF OPTIONAL */
/*
 * KDCDHKeyInfo (RFC 4556): the KDC's DH public value, the nonce echoed from
 * the client's PKAuthenticator (per RFC 4556; callers are expected to
 * compare it -- confirm where), and an optional expiry for the KDC's DH key.
 * NOTE(review): the nonce range (0..4294967295) does not fit a signed
 * krb5_int32; confirm how values >= 2^31 are handled.
 */
128 typedef struct _krb5_kdc_dh_key_info {
129 krb5_octet_data subjectPublicKey; /* BIT STRING */
130 krb5_int32 nonce; /* (0..4294967295) */
131 krb5_timestamp dhKeyExpiration; /* Optional */
132 } krb5_kdc_dh_key_info;
134 /* KDCDHKeyInfo draft9 -- as the RFC 4556 form but without dhKeyExpiration.
 * NOTE(review): the nonce range (0..4294967295) does not fit a signed
 * krb5_int32; confirm how values >= 2^31 are handled. */
135 typedef struct _krb5_kdc_dh_key_info_draft9 {
136 krb5_octet_data subjectPublicKey; /* BIT STRING */
137 krb5_int32 nonce; /* (0..4294967295) */
138 } krb5_kdc_dh_key_info_draft9;
/*
 * ReplyKeyPack (RFC 4556): the AS reply key chosen by the KDC in the
 * public-key-encryption mode, plus asChecksum which per RFC 4556 is a
 * checksum over the AS-REQ keyed with replyKey so the client can detect a
 * substituted request -- confirm the exact input against the verifier code.
 */
141 typedef struct _krb5_reply_key_pack {
142 krb5_keyblock replyKey;
143 krb5_checksum asChecksum;
144 } krb5_reply_key_pack;
/*
 * ReplyKeyPack, draft-9 form.  The gutter numbering shows one member after
 * replyKey that is not reproduced in this listing; as listed there is no
 * asChecksum binding the reply to the AS-REQ.
 */
147 typedef struct _krb5_reply_key_pack_draft9 {
148 krb5_keyblock replyKey;
150 } krb5_reply_key_pack_draft9;
152 /* PA-PK-AS-REP (Draft 9 -- PA TYPE 15): the KDC's reply, a tagged choice
 * between a signed DH key info blob and an encrypted reply key pack.  The
 * enum members below are the discriminator values; the gutter numbering
 * shows that the enum wrapper, discriminator member and union wrapper lines
 * are not reproduced in this listing.  UNKNOWN (-1) is the sentinel for an
 * unset or unrecognised choice. */
153 typedef struct _krb5_pa_pk_as_rep_draft9 {
155 choice_pa_pk_as_rep_draft9_UNKNOWN = -1,
156 choice_pa_pk_as_rep_draft9_dhSignedData = 0,
157 choice_pa_pk_as_rep_draft9_encKeyPack = 1
160 krb5_octet_data dhSignedData; /* DH mode: signed KDCDHKeyInfo, opaque here */
161 krb5_octet_data encKeyPack; /* public-key mode: enveloped ReplyKeyPack, opaque here */
163 } krb5_pa_pk_as_rep_draft9;
165 /* PA-PK-AS-REP (rfc4556 -- PA TYPE 17): the KDC's reply, a tagged choice
 * between DHRepInfo (key agreement) and an encrypted reply key pack.  The
 * enum members below are the discriminator values; the gutter numbering
 * shows that the enum wrapper, discriminator member, union wrapper and
 * closing lines are not reproduced in this listing.  UNKNOWN (-1) is the
 * sentinel for an unset or unrecognised choice. */
166 typedef struct _krb5_pa_pk_as_rep {
168 choice_pa_pk_as_rep_UNKNOWN = -1,
169 choice_pa_pk_as_rep_dhInfo = 0,
170 choice_pa_pk_as_rep_encKeyPack = 1
173 krb5_dh_rep_info dh_Info; /* DH mode */
174 krb5_octet_data encKeyPack; /* public-key mode: enveloped ReplyKeyPack, opaque here */
178 /* SP80056A OtherInfo, for pkinit algorithm agility: the context input to
 * the NIST SP 800-56A key derivation applied to the DH shared secret.  The
 * party U/V members are presumably the client and KDC principals
 * respectively, as the agility spec assigns them -- confirm against the
 * caller that fills this in. */
179 typedef struct _krb5_sp80056a_other_info {
180 krb5_algorithm_identifier algorithm_identifier; /* identifies the KDF / enctype in use */
181 krb5_principal party_u_info;
182 krb5_principal party_v_info;
183 krb5_data supp_pub_info; /* encoded krb5_pkinit_supp_pub_info (see below) */
184 } krb5_sp80056a_other_info;
186 /* PkinitSuppPubInfo, for pkinit algorithm agility: the supplementary
 * public data folded into the SP 800-56A KDF.  Binding the target enctype
 * and both the request and reply bytes into the derivation ties the derived
 * key to this specific exchange. */
187 typedef struct _krb5_pkinit_supp_pub_info {
188 krb5_enctype enctype; /* enctype the derived key is for */
189 krb5_octet_data as_req; /* encoded AS-REQ */
190 krb5_octet_data pk_as_rep; /* encoded PA-PK-AS-REP */
191 } krb5_pkinit_supp_pub_info;
197 /*************************************************************************
198 * Prototypes for pkinit asn.1 encode routines
199 *************************************************************************
*
* Each routine DER-encodes its first argument into a freshly produced
* krb5_data returned through the second argument.  NOTE(review): the
* return-type lines (and the continuation lines of several prototypes) are
* not reproduced in this listing; the output is presumably allocated by the
* encoder and owned by the caller -- confirm the matching free routine.
*************************************************************************/
202 encode_krb5_pa_pk_as_req(const krb5_pa_pk_as_req *rep, krb5_data **code);
205 encode_krb5_pa_pk_as_req_draft9(const krb5_pa_pk_as_req_draft9 *rep,
209 encode_krb5_pa_pk_as_rep(const krb5_pa_pk_as_rep *rep, krb5_data **code);
212 encode_krb5_pa_pk_as_rep_draft9(const krb5_pa_pk_as_rep_draft9 *rep,
216 encode_krb5_auth_pack(const krb5_auth_pack *rep, krb5_data **code);
219 encode_krb5_auth_pack_draft9(const krb5_auth_pack_draft9 *rep,
223 encode_krb5_kdc_dh_key_info(const krb5_kdc_dh_key_info *rep, krb5_data **code);
226 encode_krb5_reply_key_pack(const krb5_reply_key_pack *, krb5_data **code);
229 encode_krb5_reply_key_pack_draft9(const krb5_reply_key_pack_draft9 *,
/* The next two take arrays of pointers; their termination convention is not shown here. */
233 encode_krb5_typed_data(const krb5_typed_data **, krb5_data **code);
236 encode_krb5_td_trusted_certifiers(const krb5_external_principal_identifier **,
240 encode_krb5_td_dh_parameters(const krb5_algorithm_identifier **,
/* Algorithm-agility KDF inputs (see the two structs above). */
244 encode_krb5_sp80056a_other_info(const krb5_sp80056a_other_info *,
248 encode_krb5_pkinit_supp_pub_info(const krb5_pkinit_supp_pub_info *,
251 /*************************************************************************
252 * Prototypes for pkinit asn.1 decode routines
253 *************************************************************************
*
* Each routine parses the DER in its first argument and returns a newly
* built structure through the second.  These are the parsing boundary for
* data received from the peer (client or KDC), so the decoded structures
* and every length in them must be treated as untrusted by callers.
* NOTE(review): the return-type lines are not reproduced in this listing;
* the output is presumably allocated by the decoder and owned by the
* caller -- confirm the matching free routine for each type.
*************************************************************************/
256 decode_krb5_pa_pk_as_req(const krb5_data *, krb5_pa_pk_as_req **);
259 decode_krb5_pa_pk_as_req_draft9(const krb5_data *,
260 krb5_pa_pk_as_req_draft9 **);
263 decode_krb5_pa_pk_as_rep(const krb5_data *, krb5_pa_pk_as_rep **);
266 decode_krb5_pa_pk_as_rep_draft9(const krb5_data *,
267 krb5_pa_pk_as_rep_draft9 **);
270 decode_krb5_auth_pack(const krb5_data *, krb5_auth_pack **);
273 decode_krb5_auth_pack_draft9(const krb5_data *, krb5_auth_pack_draft9 **);
276 decode_krb5_kdc_dh_key_info(const krb5_data *, krb5_kdc_dh_key_info **);
279 decode_krb5_principal_name(const krb5_data *, krb5_principal_data **);
282 decode_krb5_reply_key_pack(const krb5_data *, krb5_reply_key_pack **);
285 decode_krb5_reply_key_pack_draft9(const krb5_data *,
286 krb5_reply_key_pack_draft9 **);
/* The next three return arrays of pointers (***); termination convention not shown here. */
289 decode_krb5_typed_data(const krb5_data *, krb5_typed_data ***);
292 decode_krb5_td_trusted_certifiers(const krb5_data *,
293 krb5_external_principal_identifier ***);
296 decode_krb5_td_dh_parameters(const krb5_data *, krb5_algorithm_identifier ***);
/* Releases a typed-data array, presumably one produced by
 * decode_krb5_typed_data above -- confirm before using it on other arrays. */
298 void krb5_free_typed_data(krb5_context, krb5_typed_data **);
/* Generic encoders reused by pkinit; return-type lines not reproduced here. */
301 encode_krb5_enc_data(const krb5_enc_data *, krb5_data **);
304 encode_krb5_encryption_key(const krb5_keyblock *rep, krb5_data **code);
/*
 * Encrypts plain under key for the given key usage, producing cipher.
 * The return-type line is not reproduced in this listing; whether cipher's
 * buffer is allocated here or supplied by the caller is not visible either
 * -- confirm before relying on either ownership model.
 */
307 krb5_encrypt_helper(krb5_context context, const krb5_keyblock *key,
308 krb5_keyusage keyusage, const krb5_data *plain,
309 krb5_enc_data *cipher);
311 #endif /* _KRB5_INT_PKINIT_H */