1 /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
2 /*
3  * COPYRIGHT (C) 2006
4  * THE REGENTS OF THE UNIVERSITY OF MICHIGAN
5  * ALL RIGHTS RESERVED
6  *
7  * Permission is granted to use, copy, create derivative works
8  * and redistribute this software and such derivative works
9  * for any purpose, so long as the name of The University of
10  * Michigan is not used in any advertising or publicity
11  * pertaining to the use of distribution of this software
12  * without specific, written prior authorization.  If the
13  * above copyright notice or any other identification of the
14  * University of Michigan is included in any copy of any
15  * portion of this software, then the disclaimer below must
16  * also be included.
17  *
18  * THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION
19  * FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY
20  * PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF
21  * MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING
22  * WITHOUT LIMITATION THE IMPLIED WARRANTIES OF
23  * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE
24  * REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE
25  * FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR
26  * CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING
27  * OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN
28  * IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF
29  * SUCH DAMAGES.
30  */
31
32 #ifndef _KRB5_INT_PKINIT_H
33 #define _KRB5_INT_PKINIT_H
34
35 /*
36  * pkinit structures
37  */
38
/*
 * PKAuthenticator -- the client-authenticator part of the RFC 4556 AuthPack.
 *
 *   cusec/ctime  client time, as in a normal Kerberos authenticator;
 *                cusec is the microsecond part (0..999999).
 *   nonce        the ASN.1 range is 0..4294967295, but the field is a
 *                signed 32-bit integer, so values above INT32_MAX are held
 *                as negatives in memory.  NOTE(review): confirm that the
 *                ASN.1 encoder/decoder treat this as unsigned so that the
 *                wire value round-trips exactly.
 *   paChecksum   checksum carried inside the signed AuthPack.  Per RFC 4556
 *                this is what binds the AuthPack to the AS-REQ body; the
 *                checksum type and the data it covers are fixed by the
 *                pkinit client/KDC code, not by this structure -- verify
 *                there rather than here.
 */
typedef struct _krb5_pk_authenticator {
    krb5_int32      cusec;  /* (0..999999) */
    krb5_timestamp  ctime;
    krb5_int32      nonce;  /* (0..4294967295) */
    krb5_checksum   paChecksum;
} krb5_pk_authenticator;
46
/*
 * PKAuthenticator, draft-9 (pre-RFC 4556) form.
 *
 * Differs from the RFC 4556 form above in two visible ways: it names the
 * KDC (kdcName/kdcRealm) and it carries no paChecksum.  Without a checksum
 * field there is nothing in this structure that ties the authenticator to
 * the rest of the AS-REQ; presumably the draft-9 protocol relies on the
 * nonce alone -- treat draft 9 as the legacy/weaker variant and prefer the
 * RFC 4556 path when both are available (TODO confirm against the pkinit
 * plugin's negotiation logic).
 *
 *   kdcName/kdcRealm  KDC principal name and realm (DER-encoded realm).
 *   cusec/ctime       client time; cusec is microseconds (0..999999).
 *   nonce             signed 32-bit holder for an unsigned 0..4294967295
 *                     value; see the note on krb5_pk_authenticator.
 */
typedef struct _krb5_pk_authenticator_draft9 {
    krb5_principal  kdcName;
    krb5_octet_data kdcRealm;
    krb5_int32      cusec;  /* (0..999999) */
    krb5_timestamp  ctime;
    krb5_int32      nonce;  /* (0..4294967295) */
} krb5_pk_authenticator_draft9;
55
/*
 * X.509 AlgorithmIdentifier.
 *
 *   algorithm   DER-encoded OBJECT IDENTIFIER naming the algorithm.
 *   parameters  OPTIONAL, DER-encoded algorithm parameters (for example
 *               DH domain parameters).  Presumably length 0 when absent --
 *               confirm with the decoder before relying on that.
 *
 * NOTE(review): when one of these arrives from the peer, the OID must be
 * compared against the set of algorithms this implementation accepts; an
 * unrecognised or unexpected OID must be rejected, not passed through.
 */
typedef struct _krb5_algorithm_identifier {
    krb5_octet_data algorithm;      /* OID */
    krb5_octet_data parameters; /* Optional */
} krb5_algorithm_identifier;
61
/*
 * X.509 SubjectPublicKeyInfo.
 *
 *   algorithm         identifies the key type (and, for DH, carries the
 *                     domain parameters in algorithm.parameters).
 *   subjectPublicKey  the raw BIT STRING contents of the public key.
 *
 * In pkinit this is how the client offers its DH public value
 * (krb5_auth_pack.clientPublicValue); the peer must validate the public
 * value against the parameters before using it -- TODO confirm where that
 * check lives in the pkinit plugin.
 */
typedef struct _krb5_subject_pk_info {
    krb5_algorithm_identifier   algorithm;
    krb5_octet_data             subjectPublicKey; /* BIT STRING */
} krb5_subject_pk_info;
67
/*
 * AuthPack (RFC 4556) -- the structure the client signs and sends inside
 * PA-PK-AS-REQ.signedAuthPack.
 *
 *   pkAuthenticator    client time, nonce and the checksum binding this
 *                      AuthPack to the AS-REQ body (see
 *                      krb5_pk_authenticator).
 *   clientPublicValue  OPTIONAL; NULL presumably means the client is not
 *                      proposing a DH exchange and expects the public-key
 *                      encryption (encKeyPack) reply form instead.
 *   supportedCMSTypes  OPTIONAL array of AlgorithmIdentifiers the client
 *                      can handle.  Presumably NULL-terminated like other
 *                      krb5 pointer arrays -- verify with the decoder.
 *   clientDHNonce      OPTIONAL nonce used when the KDC reuses a DH key.
 *   supportedKDFs      OPTIONAL array of KDF OIDs, part of the pkinit
 *                      algorithm-agility extension (see
 *                      krb5_sp80056a_other_info below).
 */
typedef struct _krb5_auth_pack {
    krb5_pk_authenticator       pkAuthenticator;
    krb5_subject_pk_info        *clientPublicValue; /* Optional */
    krb5_algorithm_identifier   **supportedCMSTypes; /* Optional */
    krb5_octet_data             clientDHNonce; /* Optional */
    krb5_octet_data             **supportedKDFs; /* OIDs of KDFs; OPTIONAL */
} krb5_auth_pack;
76
/*
 * AuthPack, draft-9 form.  Carries only the draft-9 authenticator and an
 * OPTIONAL client DH public value (NULL when absent); it has no
 * supportedCMSTypes, clientDHNonce or supportedKDFs, so no algorithm
 * negotiation is possible on this path.
 */
typedef struct _krb5_auth_pack_draft9 {
    krb5_pk_authenticator_draft9 pkAuthenticator;
    krb5_subject_pk_info        *clientPublicValue; /* Optional */
} krb5_auth_pack_draft9;
82
/*
 * ExternalPrincipalIdentifier (RFC 4556) -- identifies a certificate or
 * CA by one or more of its X.509 handles.  All three members are
 * OPTIONAL and hold DER encodings; the RFC presumably requires at least
 * one to be present, but this structure does not enforce that -- callers
 * must check lengths before use.
 *
 *   subjectName             DER X.500 Name of the subject.
 *   issuerAndSerialNumber   DER IssuerAndSerialNumber.
 *   subjectKeyIdentifier    DER SubjectKeyIdentifier extension value.
 */
typedef struct _krb5_external_principal_identifier {
    krb5_octet_data subjectName; /* Optional */
    krb5_octet_data issuerAndSerialNumber; /* Optional */
    krb5_octet_data subjectKeyIdentifier; /* Optional */
} krb5_external_principal_identifier;
89
/*
 * TrustedCA (draft-9 trustedCertifiers element) -- a tagged union.
 *
 * `choice` selects which member of `u` is valid; the other members are
 * garbage and must not be read.  choice_trusted_cas_UNKNOWN (-1) is the
 * "not set / unrecognised tag" value and selects nothing.  Readers should
 * switch on `choice` with an explicit default that rejects the value.
 *
 *   principalName    Kerberos principal naming the CA.
 *   caName           DER-encoded, fully qualified X.500 Name.
 *   issuerAndSerial  DER-encoded IssuerAndSerialNumber.
 */
typedef struct _krb5_trusted_ca {
    enum {
        choice_trusted_cas_UNKNOWN = -1,
        choice_trusted_cas_principalName = 0,
        choice_trusted_cas_caName = 1,
        choice_trusted_cas_issuerAndSerial = 2
    } choice;
    union {
        krb5_principal  principalName;
        krb5_octet_data caName; /* fully-qualified X.500 "Name" as defined by X.509 (der-encoded) */
        krb5_octet_data issuerAndSerial; /* Optional -- IssuerAndSerialNumber (der-encoded) */
    } u;
} krb5_trusted_ca;
104
/*
 * PA-PK-AS-REQ, draft-9 form (padata type 14).  Sent by the client; on
 * the KDC this is decoded from untrusted input.
 *
 *   signedAuthPack     DER of the signed (CMS) draft-9 AuthPack.  The
 *                      signature must be verified, and the signer's
 *                      certificate chained to a trusted CA, before any
 *                      field inside it is used.
 *   trustedCertifiers  OPTIONAL array of krb5_trusted_ca (NULL when
 *                      absent -- presumably NULL-terminated, verify).
 *   kdcCert            OPTIONAL; identifies the KDC certificate the
 *                      client wants used.
 *   encryptionCert     client's encryption certificate.  Not marked
 *                      optional here, unlike the neighbouring fields --
 *                      TODO confirm whether the encoder/decoder treat it
 *                      as required.
 */
typedef struct _krb5_pa_pk_as_req_draft9 {
    krb5_octet_data signedAuthPack;
    krb5_trusted_ca **trustedCertifiers; /* Optional array */
    krb5_octet_data kdcCert; /* Optional */
    krb5_octet_data encryptionCert;
} krb5_pa_pk_as_req_draft9;
112
/*
 * PA-PK-AS-REQ, RFC 4556 form (padata type 16).  Sent by the client; on
 * the KDC this is decoded from untrusted input.
 *
 *   signedAuthPack     DER of the signed (CMS) AuthPack; verify the
 *                      signature and the signer's chain before trusting
 *                      anything inside it.
 *   trustedCertifiers  OPTIONAL array of ExternalPrincipalIdentifier
 *                      naming CAs the client trusts (NULL when absent --
 *                      presumably NULL-terminated, verify).
 *   kdcPkId            OPTIONAL; identifies which KDC certificate the
 *                      client expects.
 */
typedef struct _krb5_pa_pk_as_req {
    krb5_octet_data signedAuthPack;
    krb5_external_principal_identifier **trustedCertifiers; /* Optional array */
    krb5_octet_data kdcPkId; /* Optional */
} krb5_pa_pk_as_req;
119
/*
 * DHRepInfo -- the DH branch of PA-PK-AS-REP (krb5_pa_pk_as_rep.u.dh_Info).
 *
 *   dhSignedData   DER of the KDC-signed CMS SignedData wrapping a
 *                  KDCDHKeyInfo; the client must verify the KDC signature
 *                  and chain before using the public value inside.
 *   serverDHNonce  OPTIONAL KDC nonce, used when the KDC reuses its DH
 *                  key (length 0 when absent, presumably).
 *   kdfID          OPTIONAL pointer to the OID of the KDF the KDC chose
 *                  from the client's supportedKDFs.  NULL when absent --
 *                  presumably meaning the original (pre-agility) key
 *                  derivation; confirm with the pkinit plugin.  A client
 *                  should only accept a kdfID it actually offered.
 */
typedef struct _krb5_dh_rep_info {
    krb5_octet_data dhSignedData;
    krb5_octet_data serverDHNonce; /* Optional */
    krb5_octet_data *kdfID; /* OID of selected KDF OPTIONAL */
} krb5_dh_rep_info;
126
/*
 * KDCDHKeyInfo (RFC 4556) -- the KDC's DH contribution, carried inside the
 * signed dhSignedData.
 *
 *   subjectPublicKey  BIT STRING contents of the KDC's DH public value;
 *                     validate against the negotiated DH parameters.
 *   nonce             must match the nonce the client sent; signed 32-bit
 *                     holder for an unsigned 0..4294967295 value (see
 *                     krb5_pk_authenticator).
 *   dhKeyExpiration   OPTIONAL; when present the KDC is presumably
 *                     signalling that its DH key may be reused until this
 *                     time (0 when absent -- verify with the decoder).
 */
typedef struct _krb5_kdc_dh_key_info {
    krb5_octet_data subjectPublicKey; /* BIT STRING */
    krb5_int32      nonce;  /* (0..4294967295) */
    krb5_timestamp  dhKeyExpiration; /* Optional */
} krb5_kdc_dh_key_info;
133
/*
 * KDCDHKeyInfo, draft-9 form: the KDC's DH public value and the echoed
 * client nonce, with no dhKeyExpiration.  The nonce is a signed 32-bit
 * holder for an unsigned 0..4294967295 value (see krb5_pk_authenticator).
 */
typedef struct _krb5_kdc_dh_key_info_draft9 {
    krb5_octet_data subjectPublicKey; /* BIT STRING */
    krb5_int32      nonce;  /* (0..4294967295) */
} krb5_kdc_dh_key_info_draft9;
139
/*
 * ReplyKeyPack (RFC 4556) -- the public-key-encryption branch of the
 * reply: the KDC's chosen AS reply key plus a checksum.
 *
 *   replyKey    the reply key itself.  This is key material: whatever
 *               releases this structure must clear the key bytes, not just
 *               free them (presumably via krb5_free_keyblock_contents --
 *               confirm in the pkinit plugin).
 *   asChecksum  per RFC 4556, a checksum over the AS-REQ keyed with
 *               replyKey, binding the reply to the request the client
 *               actually sent.  The client must verify it before using
 *               replyKey.
 */
typedef struct _krb5_reply_key_pack {
    krb5_keyblock   replyKey;
    krb5_checksum   asChecksum;
} krb5_reply_key_pack;
145
/*
 * ReplyKeyPack, draft-9 form.
 *
 * Unlike the RFC 4556 form above, this carries a bare nonce instead of a
 * checksum over the AS-REQ, so the reply is only tied to the request by
 * nonce equality -- a weaker binding.  Clients must still compare the
 * nonce with the one they sent.  replyKey is key material and must be
 * cleared on release (see krb5_reply_key_pack).
 */
typedef struct _krb5_reply_key_pack_draft9 {
    krb5_keyblock   replyKey;
    krb5_int32      nonce;
} krb5_reply_key_pack_draft9;
151
/*
 * PA-PK-AS-REP, draft-9 form (padata type 15) -- a tagged union.  On the
 * client this is decoded from untrusted KDC-supplied input.
 *
 * `choice` selects the valid member of `u`; the other member is garbage.
 * choice_pa_pk_as_rep_draft9_UNKNOWN (-1) selects nothing and must be
 * treated as an error by readers (switch on `choice` with a rejecting
 * default).
 *
 *   dhSignedData  DER of the KDC-signed CMS SignedData carrying the
 *                 draft-9 KDCDHKeyInfo.
 *   encKeyPack    DER of the CMS EnvelopedData carrying the draft-9
 *                 ReplyKeyPack.
 */
typedef struct _krb5_pa_pk_as_rep_draft9 {
    enum {
        choice_pa_pk_as_rep_draft9_UNKNOWN = -1,
        choice_pa_pk_as_rep_draft9_dhSignedData = 0,
        choice_pa_pk_as_rep_draft9_encKeyPack = 1
    } choice;
    union {
        krb5_octet_data dhSignedData;
        krb5_octet_data encKeyPack;
    } u;
} krb5_pa_pk_as_rep_draft9;
164
/*
 * PA-PK-AS-REP, RFC 4556 form (padata type 17) -- a tagged union.  On the
 * client this is decoded from untrusted KDC-supplied input.
 *
 * `choice` selects the valid member of `u`; the other member is garbage.
 * choice_pa_pk_as_rep_UNKNOWN (-1) selects nothing and must be treated as
 * an error by readers (switch on `choice` with a rejecting default).
 *
 *   dh_Info     the DH reply (see krb5_dh_rep_info).
 *   encKeyPack  DER of the CMS EnvelopedData carrying a ReplyKeyPack.
 *
 * The client should only accept the branch matching what it proposed
 * (DH if it sent clientPublicValue, encKeyPack otherwise) -- TODO confirm
 * the pkinit client enforces this.
 */
typedef struct _krb5_pa_pk_as_rep {
    enum {
        choice_pa_pk_as_rep_UNKNOWN = -1,
        choice_pa_pk_as_rep_dhInfo = 0,
        choice_pa_pk_as_rep_encKeyPack = 1
    } choice;
    union {
        krb5_dh_rep_info    dh_Info;
        krb5_octet_data     encKeyPack;
    } u;
} krb5_pa_pk_as_rep;
177
/*
 * SP 800-56A "OtherInfo" -- the context input to the SP 800-56A
 * concatenation KDF used by the pkinit algorithm-agility extension.
 * Mixing these values into the KDF ties the derived reply key to the
 * parties and to the exchange, so they must be the values actually used
 * on the wire, not locally reconstructed guesses.
 *
 *   algorithm_identifier  identifies the KDF / hash (the kdfID the KDC
 *                         selected, presumably -- see krb5_dh_rep_info).
 *   party_u_info          the client principal (party U).
 *   party_v_info          the KDC/service principal (party V).
 *   supp_pub_info         supplementary public info; presumably the DER
 *                         encoding of krb5_pkinit_supp_pub_info below
 *                         (the name matches; confirm in the plugin).
 */
typedef struct _krb5_sp80056a_other_info {
    krb5_algorithm_identifier algorithm_identifier;
    krb5_principal  party_u_info;
    krb5_principal  party_v_info;
    krb5_data supp_pub_info;
} krb5_sp80056a_other_info;
185
/*
 * PkinitSuppPubInfo -- the supplementary public info fed into the
 * algorithm-agility KDF (see krb5_sp80056a_other_info.supp_pub_info).
 *
 *   enctype    enctype of the key being derived, so the same DH secret
 *              cannot yield a key that is valid under a different enctype.
 *   as_req     presumably the DER of the client's AS-REQ.
 *   pk_as_rep  presumably the DER of the KDC's PA-PK-AS-REP.
 *
 * Including both messages binds the derived key to the transcript of
 * this particular exchange; the exact byte ranges covered are fixed by
 * the pkinit plugin -- confirm there.
 */
typedef struct _krb5_pkinit_supp_pub_info {
    krb5_enctype      enctype;
    krb5_octet_data   as_req;
    krb5_octet_data   pk_as_rep;
} krb5_pkinit_supp_pub_info;
192
193 /*
194  * Begin "asn1.h"
195  */
196
197 /*************************************************************************
198  * Prototypes for pkinit asn.1 encode routines
199  *************************************************************************/
200
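/*
 * DER encoders for the pkinit structures above.
 *
 * Each takes a filled-in structure and, on success (return 0), stores a
 * newly allocated krb5_data holding the encoding in *code.  On failure
 * the return value is the error and *code should be treated as unset.
 * Ownership of *code passes to the caller (presumably released with
 * krb5_free_data -- confirm against the asn1 implementation).
 *
 * Parameter names follow what is being encoded; the request encoders
 * previously named their argument "rep", which read as "reply".
 */
krb5_error_code
encode_krb5_pa_pk_as_req(const krb5_pa_pk_as_req *req, krb5_data **code);

krb5_error_code
encode_krb5_pa_pk_as_req_draft9(const krb5_pa_pk_as_req_draft9 *req,
                                krb5_data **code);

krb5_error_code
encode_krb5_pa_pk_as_rep(const krb5_pa_pk_as_rep *rep, krb5_data **code);

krb5_error_code
encode_krb5_pa_pk_as_rep_draft9(const krb5_pa_pk_as_rep_draft9 *rep,
                                krb5_data **code);

krb5_error_code
encode_krb5_auth_pack(const krb5_auth_pack *pack, krb5_data **code);

krb5_error_code
encode_krb5_auth_pack_draft9(const krb5_auth_pack_draft9 *pack,
                             krb5_data **code);

krb5_error_code
encode_krb5_kdc_dh_key_info(const krb5_kdc_dh_key_info *info,
                            krb5_data **code);

krb5_error_code
encode_krb5_reply_key_pack(const krb5_reply_key_pack *pack,
                           krb5_data **code);

krb5_error_code
encode_krb5_reply_key_pack_draft9(const krb5_reply_key_pack_draft9 *pack,
                                  krb5_data **code);

/* The array arguments below are presumably NULL-terminated, as elsewhere
 * in krb5 -- verify with the asn1 implementation before building one. */
krb5_error_code
encode_krb5_typed_data(const krb5_typed_data **tds, krb5_data **code);

krb5_error_code
encode_krb5_td_trusted_certifiers(const krb5_external_principal_identifier **ids,
                                  krb5_data **code);

krb5_error_code
encode_krb5_td_dh_parameters(const krb5_algorithm_identifier **algs,
                             krb5_data **code);

/* Algorithm-agility KDF inputs (see krb5_sp80056a_other_info). */
krb5_error_code
encode_krb5_sp80056a_other_info(const krb5_sp80056a_other_info *info,
                                krb5_data **code);

krb5_error_code
encode_krb5_pkinit_supp_pub_info(const krb5_pkinit_supp_pub_info *info,
                                 krb5_data **code);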
250
251 /*************************************************************************
252  * Prototypes for pkinit asn.1 decode routines
253  *************************************************************************/
254
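/*
 * DER decoders for the pkinit structures above.
 *
 * These parse data received from the peer -- the client's padata on the
 * KDC side, the KDC's reply on the client side -- so they are the
 * untrusted-input boundary of pkinit.  The decoder must bound every
 * length and tag it reads, and callers must not act on decoded fields
 * (nonce, OIDs, union `choice` tags, public values) until they have been
 * checked against what this side expects.
 *
 * On success (return 0) a newly allocated structure is stored in *out
 * and ownership passes to the caller; on failure the return value is the
 * error and *out is not valid.  NOTE(review): the matching free routines
 * for most of these types are not declared in this header (only
 * krb5_free_typed_data is); look them up in the pkinit plugin rather than
 * freeing the members by hand, since several hold key material.
 */
krb5_error_code
decode_krb5_pa_pk_as_req(const krb5_data *code, krb5_pa_pk_as_req **out);

krb5_error_code
decode_krb5_pa_pk_as_req_draft9(const krb5_data *code,
                                krb5_pa_pk_as_req_draft9 **out);

krb5_error_code
decode_krb5_pa_pk_as_rep(const krb5_data *code, krb5_pa_pk_as_rep **out);

krb5_error_code
decode_krb5_pa_pk_as_rep_draft9(const krb5_data *code,
                                krb5_pa_pk_as_rep_draft9 **out);

krb5_error_code
decode_krb5_auth_pack(const krb5_data *code, krb5_auth_pack **out);

krb5_error_code
decode_krb5_auth_pack_draft9(const krb5_data *code,
                             krb5_auth_pack_draft9 **out);

krb5_error_code
decode_krb5_kdc_dh_key_info(const krb5_data *code,
                            krb5_kdc_dh_key_info **out);

krb5_error_code
decode_krb5_principal_name(const krb5_data *code, krb5_principal_data **out);

/* The decoded ReplyKeyPack holds the reply key; clear it on release. */
krb5_error_code
decode_krb5_reply_key_pack(const krb5_data *code, krb5_reply_key_pack **out);

krb5_error_code
decode_krb5_reply_key_pack_draft9(const krb5_data *code,
                                  krb5_reply_key_pack_draft9 **out);

/* The three decoders below produce pointer arrays (presumably
 * NULL-terminated -- verify with the asn1 implementation). */
krb5_error_code
decode_krb5_typed_data(const krb5_data *code, krb5_typed_data ***out);

krb5_error_code
decode_krb5_td_trusted_certifiers(const krb5_data *code,
                                  krb5_external_principal_identifier ***out);

krb5_error_code
decode_krb5_td_dh_parameters(const krb5_data *code,
                             krb5_algorithm_identifier ***out);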
297
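/*
 * Releases an array produced by decode_krb5_typed_data (the array and
 * each element).  Passing NULL is presumably a no-op -- confirm before
 * relying on it.
 */
void krb5_free_typed_data(krb5_context context, krb5_typed_data **tds);

/* DER-encode an EncryptedData; *code is allocated on success. */
krb5_error_code
encode_krb5_enc_data(const krb5_enc_data *enc, krb5_data **code);

/*
 * DER-encode a keyblock as an EncryptionKey; *code is allocated on
 * success.  The encoding contains raw key material and must be cleared,
 * not merely freed, once it has been used.
 */
krb5_error_code
encode_krb5_encryption_key(const krb5_keyblock *key, krb5_data **code);

/*
 * Encrypts `plain` under `key` with the given key usage and fills in
 * `cipher`.  Key usage selects the per-purpose subkey, so callers must
 * pass the usage value assigned to this message type, never a shared or
 * zero usage.  Allocation/ownership of cipher->ciphertext is not visible
 * from this declaration -- confirm with the implementation.
 */
krb5_error_code
krb5_encrypt_helper(krb5_context context, const krb5_keyblock *key,
                    krb5_keyusage keyusage, const krb5_data *plain,
                    krb5_enc_data *cipher);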
310
311 #endif /* _KRB5_INT_PKINIT_H */