| author | Alexandra Ellwood <lxs@mit.edu> | 2008-05-30 20:47:03 +0000 |
|---|---|---|
| committer | Alexandra Ellwood <lxs@mit.edu> | 2008-05-30 20:47:03 +0000 |
| commit | 7ee1ef1a8a7d8424faa3cf7df88b184b0f911b3a (patch) | |
| tree | 7cbcc11e0de0af794f9c2f16d03a6b1505e20a1d /src/include | |
| parent | 8505824cad8ed0b6e8b96a5103cd43373c266996 (diff) | |
Apple PKINIT patch commit
Commit of Apple PKINIT patches under "APPLE_PKINIT" preprocessor symbol.
Long term goal is to merge these patches with the pkinit preauth plugin which
does not currently have support for Mac OS X crypto libraries or the exported
functions used by Back To My Mac.
ticket: new
status: open
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20346 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/include')
| -rw-r--r-- | src/include/kdb.h | 1 | ||||
| -rw-r--r-- | src/include/krb5/krb5.hin | 9 | ||||
| -rw-r--r-- | src/include/pkinit_apple_utils.h | 151 | ||||
| -rw-r--r-- | src/include/pkinit_asn1.h | 172 | ||||
| -rw-r--r-- | src/include/pkinit_cert_store.h | 154 | ||||
| -rw-r--r-- | src/include/pkinit_client.h | 94 | ||||
| -rw-r--r-- | src/include/pkinit_cms.h | 179 |
7 files changed, 760 insertions, 0 deletions
diff --git a/src/include/kdb.h b/src/include/kdb.h
index e8a58787c4..66e8d0698b 100644
--- a/src/include/kdb.h
+++ b/src/include/kdb.h
@@ -63,6 +63,7 @@
 #define KRB5_KDB_SALTTYPE_ONLYREALM 3
 #define KRB5_KDB_SALTTYPE_SPECIAL 4
 #define KRB5_KDB_SALTTYPE_AFS3 5
+#define KRB5_KDB_SALTTYPE_CERTHASH 6
 /* Attributes */
 #define KRB5_KDB_DISALLOW_POSTDATED 0x00000001
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index 279304edfb..4192362c2d 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -368,6 +368,15 @@ typedef struct _krb5_enc_data {
 #define ENCTYPE_DES3_CBC_SHA 0x0005 /* DES-3 cbc mode with NIST-SHA */
 #define ENCTYPE_DES3_CBC_RAW 0x0006 /* DES-3 cbc mode raw */
 #define ENCTYPE_DES_HMAC_SHA1 0x0008
+/* PKINIT */
+#define ENCTYPE_DSA_SHA1_CMS 0x0009 /* DSA with SHA1, CMS signature */
+#define ENCTYPE_MD5_RSA_CMS 0x000a /* MD5 with RSA, CMS signature */
+#define ENCTYPE_SHA1_RSA_CMS 0x000b /* SHA1 with RSA, CMS signature */
+#define ENCTYPE_RC2_CBC_ENV 0x000c /* RC2 cbc mode, CMS enveloped data */
+#define ENCTYPE_RSA_ENV 0x000d /* RSA encryption, CMS enveloped data */
+#define ENCTYPE_RSA_ES_OAEP_ENV 0x000e /* RSA w/OEAP encryption, CMS enveloped data */
+#define ENCTYPE_DES3_CBC_ENV 0x000f /* DES-3 cbc mode, CMS enveloped data */
+
 #define ENCTYPE_DES3_CBC_SHA1 0x0010
 #define ENCTYPE_AES128_CTS_HMAC_SHA1_96 0x0011
 #define ENCTYPE_AES256_CTS_HMAC_SHA1_96 0x0012
diff --git a/src/include/pkinit_apple_utils.h b/src/include/pkinit_apple_utils.h
new file mode 100644
index 0000000000..313955f395
--- /dev/null
+++ b/src/include/pkinit_apple_utils.h
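Review bot: `KRB5_KDB_SALTTYPE_CERTHASH` in src/include/kdb.h is added with no comment saying what the salt is or which code consumes it, and it is defined unconditionally although the commit message describes the patches as sitting under `APPLE_PKINIT`. KDB back ends that switch on the salt type need to know whether value 6 must be accepted or rejected in a build without PKINIT. I would add a trailing comment on the define, for example `/* PKINIT: key bound to a certificate hash */`, after confirming the meaning against the code that uses it, which is not visible in this hunk.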
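Review bot: The seven new `ENCTYPE_*_CMS` and `ENCTYPE_*_ENV` values in src/include/krb5/krb5.hin name CMS signature and envelope algorithms, not ciphers usable for Kerberos keys, and the block comment `/* PKINIT */` does not say so. Code that validates or iterates enctypes by numeric range could take 0x0009 to 0x000f for key types, and two of them (MD5 with RSA, RC2) name weak algorithms. I would widen the comment to `/* PKINIT (RFC 4556) CMS algorithm identifiers; not valid as key or ticket enctypes */`. The comment on `ENCTYPE_RSA_ES_OAEP_ENV` also spells OAEP as "OEAP".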
@@ -0,0 +1,151 @@
+/*
+ * Copyright (c) 2004-2008 Apple Inc. All Rights Reserved.
+ *
+ * Export of this software from the United States of America may require
+ * a specific license from the United States Government. It is the
+ * responsibility of any person or organization contemplating export to
+ * obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of Apple Inc. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Apple Inc. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
+ * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ *
+ */
+
+/*
+ * pkinit_apple_utils.h - PKINIT utilities, Mac OS X version
+ *
+ * Created 19 May 2004 by Doug Mitchell.
+ */
+
+#ifndef _PKINIT_APPLE_UTILS_H_
+#define _PKINIT_APPLE_UTILS_H_
+
+#include <krb5/krb5.h>
+#include <Security/SecAsn1Coder.h>
+#include <Security/cssmapple.h>
+#include <CoreFoundation/CoreFoundation.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#ifndef PKI_DEBUG
+#define PKI_DEBUG 0
+#endif
+
+#if PKI_DEBUG
+
+#include <stdio.h>
+
+#define pkiDebug(args...) printf(args)
+#define pkiCssmErr(str, rtn) cssmPerror(str, rtn)
+#else
+#define pkiDebug(args...)
+#define pkiCssmErr(str, rtn)
+#endif /* PKI_DEBUG */
+
+/*
+ * Macros used to initialize a declared CSSM_DATA and krb5_data to zero/NULL values.
+ */
+#define INIT_CDATA(cd) cd = {0, NULL}
+#define INIT_KDATA(kd) kd = {0, 0, NULL}
+
+/* attach/detach to/from CL */
+CSSM_RETURN pkiClDetachUnload(CSSM_CL_HANDLE clHand);
+CSSM_CL_HANDLE pkiClStartup(void);
+
+/*
+ * CSSM_DATA <--> krb5_ui_4
+ */
+krb5_error_code pkiDataToInt(
+ const CSSM_DATA *cdata,
+ krb5_int32 *i); /* RETURNED */
+
+krb5_error_code pkiIntToData(
+ krb5_int32 num,
+ CSSM_DATA *cdata, /* allocated in coder space and RETURNED */
+ SecAsn1CoderRef coder);
+
+/*
+ * raw data --> krb5_data
+ */
+krb5_error_code pkiDataToKrb5Data(
+ const void *data,
+ unsigned dataLen,
+ krb5_data *kd); /* content mallocd and RETURNED */
+
+/*
+ * CSSM_DATA <--> krb5_data
+ *
+ * CSSM_DATA data is managed by a SecAsn1CoderRef; krb5_data.data is mallocd.
+ */
+krb5_error_code pkiCssmDataToKrb5Data(
+ const CSSM_DATA *cd,
+ krb5_data *kd); /* content mallocd and RETURNED */
+
+
+krb5_error_code pkiKrb5DataToCssm(
+ const krb5_data *kd,
+ CSSM_DATA *cdata, /* allocated in coder space and RETURNED */
+ SecAsn1CoderRef coder);
+
+/*
+ * CFDataRef --> krb5_data, mallocing the destination contents.
+ */
+krb5_error_code pkiCfDataToKrb5Data(
+ CFDataRef cfData,
+ krb5_data *kd); /* content mallocd and RETURNED */
+
+/*
+ * Non-mallocing conversion between CSSM_DATA and krb5_data
+ */
+#define PKI_CSSM_TO_KRB_DATA(cd, kd) \
+ (kd)->data = (char *)(cd)->Data; \
+ (kd)->length = (cd)->Length;
+
+#define PKI_KRB_TO_CSSM_DATA(kd, cd) \
+ (cd)->Data = (uint8 *)(kd)->data; \
+ (cd)->Length = (kd)->length;
+
+/*
+ * Compare to CSSM_DATAs. Return TRUE if they're the same else FALSE.
+ */
+krb5_boolean pkiCompareCssmData(
+ const CSSM_DATA *d1,
+ const CSSM_DATA *d2);
+
+/*
+ * krb5_timestamp <--> a mallocd string in generalized format
+ */
+krb5_error_code pkiKrbTimestampToStr(
+ krb5_timestamp kts,
+ char **str); /* mallocd and RETURNED */
+
+krb5_error_code pkiTimeStrToKrbTimestamp(
+ const char *str,
+ unsigned len,
+ krb5_timestamp *kts); /* RETURNED */
+
+/*
+ * How many items in a NULL-terminated array of pointers?
+ */
+unsigned pkiNssArraySize(
+ const void **array);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKINIT_APPLE_UTILS_H_ */
diff --git a/src/include/pkinit_asn1.h b/src/include/pkinit_asn1.h
new file mode 100644
index 0000000000..b90ae59607
--- /dev/null
+++ b/src/include/pkinit_asn1.h
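Review bot: `PKI_CSSM_TO_KRB_DATA` and `PKI_KRB_TO_CSSM_DATA` in src/include/pkinit_apple_utils.h each expand to two bare statements, so under an unbraced `if` or `else` only the pointer assignment is conditional and the length is always overwritten, leaving a pointer and length that no longer belong together. Wrapping the bodies closes that: `#define PKI_CSSM_TO_KRB_DATA(cd, kd) do { (kd)->data = (char *)(cd)->Data; (kd)->length = (cd)->Length; } while (0)`, and the mirror image for the other macro. Because these conversions alias rather than copy, the comment above them should also say that the result must not be freed and must not outlive the buffer or coder that owns the source data.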
@@ -0,0 +1,172 @@
+/*
+ * Copyright (c) 2004-2008 Apple Inc. All Rights Reserved.
+ *
+ * Export of this software from the United States of America may require
+ * a specific license from the United States Government. It is the
+ * responsibility of any person or organization contemplating export to
+ * obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of Apple Inc. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Apple Inc. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
+ * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ *
+ */
+
+/*
+ * pkinit_asn1.h - ASN.1 encode/decode routines for PKINIT
+ *
+ * Created 18 May 2004 by Doug Mitchell.
+ */
+
+#ifndef _PKINIT_ASN1_H_
+#define _PKINIT_ASN1_H_
+
+#include <krb5/krb5.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* RFC 3280 AlgorithmIdentifier */
+typedef struct {
+ krb5_data algorithm; /* OID */
+ krb5_data parameters; /* ASN_ANY, defined by algorithm */
+} krb5int_algorithm_id;
+
+/*
+ * Encode and decode AuthPack, public key version (no Diffie-Hellman components).
+ */
+krb5_error_code krb5int_pkinit_auth_pack_encode(
+ krb5_timestamp kctime,
+ krb5_int32 cusec, /* microseconds */
+ krb5_ui_4 nonce,
+ const krb5_checksum *pa_checksum,
+ const krb5int_algorithm_id *cms_types, /* optional */
+ krb5_ui_4 num_cms_types,
+ krb5_data *auth_pack); /* mallocd and RETURNED */
+
+/* all returned values are optional - pass NULL if you don't want them */
+krb5_error_code krb5int_pkinit_auth_pack_decode(
+ const krb5_data *auth_pack, /* DER encoded */
+ krb5_timestamp *kctime, /* RETURNED */
+ krb5_ui_4 *cusec, /* microseconds, RETURNED */
+ krb5_ui_4 *nonce, /* RETURNED */
+ krb5_checksum *pa_checksum, /* contents mallocd and RETURNED */
+ krb5int_algorithm_id **cms_types, /* mallocd and RETURNED */
+ krb5_ui_4 *num_cms_types); /* RETURNED */
+
+
+/*
+ * Given DER-encoded issuer and serial number, create an encoded
+ * IssuerAndSerialNumber.
+ */
+krb5_error_code krb5int_pkinit_issuer_serial_encode(
+ const krb5_data *issuer, /* DER encoded */
+ const krb5_data *serial_num,
+ krb5_data *issuer_and_serial); /* content mallocd and RETURNED */
+
+/*
+ * Decode IssuerAndSerialNumber.
+ */
+krb5_error_code krb5int_pkinit_issuer_serial_decode(
+ const krb5_data *issuer_and_serial, /* DER encoded */
+ krb5_data *issuer, /* DER encoded, RETURNED */
+ krb5_data *serial_num); /* RETURNED */
+
+/*
+ * Top-level encode for PA-PK-AS-REQ.
+ * The signed_auth_pack field is wrapped in an OCTET STRING, content
+ * specific tag 0, during encode.
+ */
+krb5_error_code krb5int_pkinit_pa_pk_as_req_encode(
+ const krb5_data *signed_auth_pack, /* DER encoded ContentInfo */
+ const krb5_data *trusted_CAs, /* optional: trustedCertifiers. Contents are
+ * DER-encoded issuer/serialNumbers. */
+ krb5_ui_4 num_trusted_CAs,
+ const krb5_data *kdc_cert, /* optional kdcPkId, DER encoded issuer/serial */
+ krb5_data *pa_pk_as_req); /* mallocd and RETURNED */
+
+/*
+ * Top-level decode for PA-PK-AS-REQ. Does not perform cert verification on the
+ * ContentInfo; that is returned in BER-encoded form and processed elsewhere.
+ * The OCTET STRING wrapping the signed_auth_pack field is removed during the
+ * decode.
+ */
+krb5_error_code krb5int_pkinit_pa_pk_as_req_decode(
+ const krb5_data *pa_pk_as_req,
+ krb5_data *signed_auth_pack, /* DER encoded ContentInfo, RETURNED */
+ /*
+ * Remainder are optionally RETURNED (specify NULL for pointers to
+ * items you're not interested in).
+ */
+ krb5_ui_4 *num_trusted_CAs, /* sizeof trusted_CAs */
+ krb5_data **trusted_CAs, /* mallocd array of DER-encoded TrustedCAs
+ * issuer/serial */
+ krb5_data *kdc_cert); /* DER encoded issuer/serial */
+
+/*
+ * Encode a ReplyKeyPack. The result is used as the Content of a SignedData.
+ */
+krb5_error_code krb5int_pkinit_reply_key_pack_encode(
+ const krb5_keyblock *key_block,
+ const krb5_checksum *checksum,
+ krb5_data *reply_key_pack); /* mallocd and RETURNED */
+
+/*
+ * Decode a ReplyKeyPack.
+ */
+krb5_error_code krb5int_pkinit_reply_key_pack_decode(
+ const krb5_data *reply_key_pack,
+ krb5_keyblock *key_block, /* RETURNED */
+ krb5_checksum *checksum); /* contents mallocd and RETURNED */
+
+/*
+ * Encode a PA-PK-AS-REP.
+ * Exactly one of {dh_signed_data, enc_key_pack} is non-NULL on entry;
+ * each is a previously encoded item.
+ *
+ * dh_signed_data, if specified, is an encoded DHRepInfo.
+ * enc_key_pack, if specified, is EnvelopedData(signedData(ReplyKeyPack)
+ */
+krb5_error_code krb5int_pkinit_pa_pk_as_rep_encode(
+ const krb5_data *dh_signed_data,
+ const krb5_data *enc_key_pack, /* EnvelopedData(signedData(ReplyKeyPack) */
+ krb5_data *pa_pk_as_rep); /* mallocd and RETURNED */
+
+/*
+ * Decode a PA-PK-AS-REP.
+ * On successful return, exactly one of {dh_signed_data, enc_key_pack}
+ * will be non-NULL, each of which is mallocd and must be freed by
+ * caller.
+ *
+ * dh_signed_data, if returned, is an encoded DHRepInfo.
+ * enc_key_pack, if specified, is EnvelopedData(signedData(ReplyKeyPack)
+ */
+krb5_error_code krb5int_pkinit_pa_pk_as_rep_decode(
+ const krb5_data *pa_pk_as_rep,
+ krb5_data *dh_signed_data,
+ krb5_data *enc_key_pack);
+
+/*
+ * Given a DER encoded certificate, obtain the associated IssuerAndSerialNumber.
+ */
+krb5_error_code krb5int_pkinit_get_issuer_serial(
+ const krb5_data *cert,
+ krb5_data *issuer_and_serial);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKINIT_ASN1_H_ */
diff --git a/src/include/pkinit_cert_store.h b/src/include/pkinit_cert_store.h
new file mode 100644
index 0000000000..1e848d7b50
--- /dev/null
+++ b/src/include/pkinit_cert_store.h
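Review bot: The contract comment on `krb5int_pkinit_pa_pk_as_rep_decode` in src/include/pkinit_asn1.h says exactly one of `dh_signed_data` and `enc_key_pack` "will be non-NULL", but both are caller-supplied `krb5_data *`, so the statement can only be about the `data` member, and nothing says what the two structs hold after an error return. Callers that free both outputs unconditionally need that stated; once the implementation is confirmed to behave this way, I would word it as `On success exactly one of dh_signed_data->data and enc_key_pack->data is non-NULL (mallocd, caller frees); on failure both are left zeroed.` Separately, `cusec` is `krb5_int32` in `krb5int_pkinit_auth_pack_encode` but `krb5_ui_4 *` in `krb5int_pkinit_auth_pack_decode`, and the two should agree.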
@@ -0,0 +1,154 @@
+/*
+ * Copyright (c) 2004-2008 Apple Inc. All Rights Reserved.
+ *
+ * Export of this software from the United States of America may require
+ * a specific license from the United States Government. It is the
+ * responsibility of any person or organization contemplating export to
+ * obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of Apple Inc. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Apple Inc. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
+ * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ *
+ */
+
+/*
+ * pkinit_cert_store.h - PKINIT certificate storage/retrieval utilities
+ *
+ * Created 26 May 2004 by Doug Mitchell at Apple.
+ */
+
+#ifndef _PKINIT_CERT_STORE_H_
+#define _PKINIT_CERT_STORE_H_
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#include <krb5/krb5.h>
+
+/*
+ * Opaque reference to a machine-dependent representation of a certificate
+ * which is capable of signing. On Mac OS X this is actually a SecIdentityRef.
+ */
+typedef void *krb5_pkinit_signing_cert_t;
+
+/*
+ * Opaque reference to a database in which PKINIT-related certificates are stored.
+ */
+typedef void *krb5_pkinit_cert_db_t;
+
+/*
+ * Obtain signing cert for specified principal. On successful return,
+ * caller must eventually release the cert with krb5_pkinit_release_cert().
+ *
+ * Returns KRB5_PRINC_NOMATCH if client cert not found.
+ */
+krb5_error_code krb5_pkinit_get_client_cert(
+ const char *principal, /* full principal string */
+ krb5_pkinit_signing_cert_t *client_cert); /* RETURNED */
+
+/*
+ * Determine if the specified client has a signing cert. Returns TRUE
+ * if so, else returns FALSE.
+ */
+krb5_boolean krb5_pkinit_have_client_cert(
+ const char *principal); /* full principal string */
+
+/*
+ * Store the specified certificate (or, more likely, some platform-dependent
+ * reference to it) as the specified principal's signing cert. Passing
+ * in NULL for the client_cert has the effect of deleting the relevant entry
+ * in the cert storage.
+ */
+krb5_error_code krb5_pkinit_set_client_cert(
+ const char *principal, /* full principal string */
+ krb5_pkinit_signing_cert_t client_cert);
+
+/*
+ * Obtain a reference to the client's cert database. Specify either principal
+ * name or client_cert as obtained from krb5_pkinit_get_client_cert().
+ */
+krb5_error_code krb5_pkinit_get_client_cert_db(
+ const char *principal, /* optional, full principal string */
+ krb5_pkinit_signing_cert_t client_cert, /* optional, from krb5_pkinit_get_client_cert() */
+ krb5_pkinit_cert_db_t *client_cert_db); /* RETURNED */
+
+/*
+ * Obtain the KDC signing cert, with optional CA and specific cert specifiers.
+ * CAs and cert specifiers are in the form of DER-encoded issuerAndSerialNumbers.
+ *
+ * The client_spec argument is typically provided by the client as kdcPkId.
+ *
+ * If trusted_CAs and client_spec are NULL, a platform-dependent preferred
+ * KDC signing cert is returned, if one exists.
+ *
+ * On successful return, caller must eventually release the cert with
+ * krb5_pkinit_release_cert(). Outside of an unusual test configuration this =
+ *
+ * Returns KRB5_PRINC_NOMATCH if KDC cert not found.
+ *
+ */
+krb5_error_code krb5_pkinit_get_kdc_cert(
+ krb5_ui_4 num_trusted_CAs, /* sizeof *trusted_CAs */
+ krb5_data *trusted_CAs, /* optional */
+ krb5_data *client_spec, /* optional */
+ krb5_pkinit_signing_cert_t *kdc_cert); /* RETURNED */
+
+/*
+ * Obtain a reference to the KDC's cert database.
+ */
+krb5_error_code krb5_pkinit_get_kdc_cert_db(
+ krb5_pkinit_cert_db_t *kdc_cert_db); /* RETURNED */
+
+/*
+ * Release certificate references obtained via krb5_pkinit_get_client_cert() and
+ * krb5_pkinit_get_kdc_cert().
+ */
+extern void krb5_pkinit_release_cert(
+ krb5_pkinit_signing_cert_t cert);
+
+/*
+ * Release database references obtained via krb5_pkinit_get_client_cert_db() and
+ * krb5_pkinit_get_kdc_cert_db().
+ */
+extern void krb5_pkinit_release_cert_db(
+ krb5_pkinit_cert_db_t cert_db);
+
+/*
+ * Obtain a mallocd C-string representation of a certificate's SHA1 digest.
+ * Only error is a NULL return indicating memory failure.
+ * Caller must free the returned string.
+ */
+char *krb5_pkinit_cert_hash_str(
+ const krb5_data *cert);
+
+/*
+ * Obtain a client's optional list of trusted KDC CA certs (trustedCertifiers)
+ * and/or trusted KDC cert (kdcPkId) for a given client and server.
+ * All returned values are mallocd and must be freed by caller; the contents
+ * of the krb5_datas are DER-encoded certificates.
+ */
+krb5_error_code krb5_pkinit_get_server_certs(
+ const char *client_principal,
+ const char *server_principal,
+ krb5_data **trusted_CAs, /* RETURNED, though return value may be NULL */
+ krb5_ui_4 *num_trusted_CAs, /* RETURNED */
+ krb5_data *kdc_cert); /* RETURNED, though may be 0/NULL */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKINIT_CERT_STORE_H_ */
diff --git a/src/include/pkinit_client.h b/src/include/pkinit_client.h
new file mode 100644
index 0000000000..31951caaf1
--- /dev/null
+++ b/src/include/pkinit_client.h
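Review bot: `krb5_pkinit_signing_cert_t` and `krb5_pkinit_cert_db_t` in src/include/pkinit_cert_store.h are both `typedef void *`, so a certificate handle passed where a database handle is expected, or any unrelated pointer, compiles without a diagnostic. Distinct incomplete types keep the handles opaque and let the compiler catch the mix-up: `typedef struct krb5_pkinit_signing_cert_st *krb5_pkinit_signing_cert_t;` and `typedef struct krb5_pkinit_cert_db_st *krb5_pkinit_cert_db_t;`, with the platform code casting at its boundary. The comment on `krb5_pkinit_get_kdc_cert` also breaks off mid-sentence at "Outside of an unusual test configuration this =" and should be completed or dropped.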
@@ -0,0 +1,94 @@
+/*
+ * Copyright (c) 2004-2008 Apple Inc. All Rights Reserved.
+ *
+ * Export of this software from the United States of America may require
+ * a specific license from the United States Government. It is the
+ * responsibility of any person or organization contemplating export to
+ * obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of Apple Inc. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Apple Inc. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
+ * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ *
+ */
+
+/*
+ * pkinit_client.h - Client side routines for PKINIT
+ *
+ * Created 20 May 2004 by Doug Mitchell at Apple.
+ */
+
+#ifndef _PKINIT_CLIENT_H_
+#define _PKINIT_CLIENT_H_
+
+#include <krb5/krb5.h>
+#include "pkinit_cms.h"
+#include "pkinit_cert_store.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+ * Create a PA-PK-AS-REQ message.
+ */
+krb5_error_code krb5int_pkinit_as_req_create(
+ krb5_context context,
+ krb5_timestamp kctime,
+ krb5_int32 cusec, /* microseconds */
+ krb5_ui_4 nonce,
+ const krb5_checksum *cksum,
+ krb5_pkinit_signing_cert_t client_cert, /* required! */
+
+ /*
+ * trusted_CAs correponds to PA-PK-AS-REQ.trustedCertifiers.
+ * Expressed here as an optional list of DER-encoded certs.
+ */
+ const krb5_data *trusted_CAs,
+ krb5_ui_4 num_trusted_CAs,
+
+ /* optional PA-PK-AS-REQ.kdcPkId, expressed here as a
+ * DER-encoded cert */
+ const krb5_data *kdc_cert,
+ krb5_data *as_req); /* mallocd and RETURNED */
+
+/*
+ * Parse PA-PK-AS-REP message. Optionally evaluates the message's certificate chain.
+ * Optionally returns various components.
+ */
+krb5_error_code krb5int_pkinit_as_rep_parse(
+ krb5_context context,
+ const krb5_data *as_rep,
+ krb5_pkinit_signing_cert_t client_cert, /* required for decryption */
+ krb5_keyblock *key_block, /* RETURNED */
+ krb5_checksum *checksum, /* checksum of corresponding AS-REQ */
+ /* contents mallocd and RETURNED */
+ krb5int_cert_sig_status *cert_status, /* RETURNED */
+
+ /*
+ * Cert fields, all optionally RETURNED.
+ *
+ * signer_cert is the DER-encoded leaf cert from the incoming SignedData.
+ * all_certs is an array of all of the certs in the incoming SignedData,
+ * in full DER-encoded form.
+ */
+ krb5_data *signer_cert, /* content mallocd */
+ unsigned *num_all_certs, /* sizeof *all_certs */
+ krb5_data **all_certs); /* krb5_data's and their content mallocd */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKINIT_CLIENT_H_ */
diff --git a/src/include/pkinit_cms.h b/src/include/pkinit_cms.h
new file mode 100644
index 0000000000..6e5fb96ce5
--- /dev/null
+++ b/src/include/pkinit_cms.h
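Review bot: The comment on `krb5int_pkinit_as_rep_parse` in src/include/pkinit_client.h says the certificate chain is evaluated "optionally" but not what makes it optional or what a zero return means. `krb5int_pkinit_parse_cms_msg` in pkinit_cms.h documents that a NULL status pointer disables signature and certificate evaluation and that verification failures do not produce an error return; if `cert_status` is forwarded to it (the implementation is not part of this diff), a caller that passes NULL or never inspects `*cert_status` accepts a reply key from a KDC it has not authenticated. I would add to the comment: `A zero return does not mean the KDC was verified; callers must pass cert_status and use key_block only when *cert_status == pki_cs_good.` Longer term, a failed evaluation is better reported as an error return so that skipping verification has to be requested explicitly.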
@@ -0,0 +1,179 @@
+/*
+ * Copyright (c) 2004-2008 Apple Inc. All Rights Reserved.
+ *
+ * Export of this software from the United States of America may require
+ * a specific license from the United States Government. It is the
+ * responsibility of any person or organization contemplating export to
+ * obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of Apple Inc. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Apple Inc. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
+ * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ *
+ */
+
+/*
+ * pkinit_apple_cms.h - CMS encode/decode routines, Mac OS X version
+ *
+ * Created 19 May 2004 by Doug Mitchell at Apple.
+ */
+
+#ifndef _PKINIT_CMS_H_
+#define _PKINIT_CMS_H_
+
+#include <krb5/krb5.h>
+#include "pkinit_cert_store.h" /* for krb5_pkinit_signing_cert_t */
+#include "pkinit_asn1.h" /* for krb5int_algorithm_id */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+ * Define ContentType for a SignedData and EnvelopedData.
+ */
+enum {
+ /* normal CMS ContentTypes */
+ ECT_Data,
+ ECT_SignedData,
+ ECT_EnvelopedData,
+ ECT_EncryptedData,
+
+ /*
+ * For SignedAuthPack
+ * pkauthdata: { iso (1) org (3) dod (6) internet (1)
+ * security (5) kerberosv5 (2) pkinit (3) pkauthdata (1)}
+ */
+ ECT_PkAuthData,
+
+ /*
+ * For ReplyKeyPack
+ * pkrkeydata: { iso (1) org (3) dod (6) internet (1)
+ * security (5) kerberosv5 (2) pkinit (3) pkrkeydata (3) }
+ */
+ ECT_PkReplyKeyKata,
+
+ /*
+ * Other - i.e., unrecognized ContentType on decode.
+ */
+ ECT_Other
+};
+typedef krb5_int32 krb5int_cms_content_type;
+
+/*
+ * Result of certificate and signature verification.
+ */
+enum {
+ pki_cs_good = 0,
+ pki_not_signed, /* message not signed */
+ pki_not_evaluated, /* signed, but not evaluated per caller request */
+ /* remainder imply good signature on the message proper, i.e., these
+ * are all certificate errors. */
+ pki_cs_sig_verify_fail, /* signature verification failed */
+ pki_cs_bad_leaf, /* leaf/subject cert itself is plain bad */
+ pki_cs_no_root, /* looks good but not verifiable to any root */
+ pki_cs_unknown_root, /* verified to root we don't recognize */
+ pki_cs_expired, /* expired */
+ pki_cs_not_valid_yet, /* cert not valid yet */
+ pki_cs_revoked, /* revoked via CRL or OCSP */
+ pki_cs_untrusted, /* marked by user as untrusted */
+ pki_bad_cms, /* CMS Format precluded verification */
+ pki_bad_key_use, /* Bad ExtendedKeyUse or KeyUsage extension */
+ pki_bad_digest, /* unacceptable CMS digest algorithm */
+ pki_cs_other_err /* other cert verify error */
+};
+typedef krb5_int32 krb5int_cert_sig_status;
+
+/*
+ * Create a CMS message: either encrypted (EnvelopedData), signed
+ * (SignedData), or both (EnvelopedData(SignedData(content)).
+ *
+ * The message is signed iff signing_cert is non-NULL.
+ * The message is encrypted iff recip_cert is non-NULL.
+ *
+ * The content_type argument specifies to the eContentType
+ * for a SignedData's EncapsulatedContentInfo; it's ignored
+ * if the message is not to be signed.
+ *
+ * The cms_types argument optionally specifies a list, in order
+ * of decreasing preference, of CMS algorithms to use in the
+ * creation of the CMS message.
+ */
+krb5_error_code krb5int_pkinit_create_cms_msg(
+ const krb5_data *content, /* Content */
+ krb5_pkinit_signing_cert_t signing_cert, /* optional: signed by this cert */
+ const krb5_data *recip_cert, /* optional: encrypted with this cert */
+ krb5int_cms_content_type content_type, /* OID for EncapsulatedData */
+ krb5_ui_4 num_cms_types, /* optional */
+ const krb5int_algorithm_id *cms_types, /* optional */
+ krb5_data *content_info); /* contents mallocd and RETURNED */
+
+/*
+ * Parse a ContentInfo as best we can. All returned fields are optional -
+ * pass NULL for values you don't need.
+ *
+ * If signer_cert_status is NULL on entry, NO signature or cert evaluation
+ * will be performed.
+ *
+ * The is_client_msg argument indicates whether the CMS message originated
+ * from the client (TRUE) or server (FALSE) and may be used in platform-
+ * dependent certificate evaluation.
+ *
+ * Note that signature and certificate verification errors do NOT cause
+ * this routine itself to return an error; caller is reponsible for
+ * handling such errors per the signer_cert_status out parameter.
+ */
+krb5_error_code krb5int_pkinit_parse_cms_msg(
+ const krb5_data *content_info,
+ krb5_pkinit_cert_db_t cert_db, /* may be required for SignedData */
+ krb5_boolean is_client_msg, /* TRUE : msg is from client */
+ krb5_boolean *is_signed, /* RETURNED */
+ krb5_boolean *is_encrypted, /* RETURNED */
+ krb5_data *raw_data, /* RETURNED */
+ krb5int_cms_content_type *inner_content_type,/* Returned, ContentType of */
+ /* EncapsulatedData if */
+ /* *is_signed true */
+ /* returned for type SignedData only */
+ krb5_data *signer_cert, /* RETURNED */
+ krb5int_cert_sig_status *signer_cert_status,/* RETURNED */
+ unsigned *num_all_certs, /* size of *all_certs RETURNED */
+ krb5_data **all_certs); /* entire cert chain RETURNED */
+
+/*
+ * An AuthPack contains an optional set of AlgorithmIdentifiers
+ * which define the CMS algorithms supported by the client, in
+ * order of decreasing preference.
+ *
+ * krb5int_pkinit_get_cms_types() is a CMS-implementation-dependent
+ * function returning supported CMS algorithms in the form of a
+ * pointer and a length suitable for passing to
+ * krb5int_pkinit_auth_pack_encode. If no preference is to be expressed,
+ * this function returns NULL/0 (without returning a nonzero krb5_error_code).
+ *
+ * krb5int_pkinit_free_cms_types() frees the pointer obtained
+ * from krb5int_pkinit_get_cms_types() as necessary.
+ */
+krb5_error_code krb5int_pkinit_get_cms_types(
+ krb5int_algorithm_id **supported_cms_types, /* RETURNED */
+ krb5_ui_4 *num_supported_cms_types); /* RETURNED */
+
+krb5_error_code krb5int_pkinit_free_cms_types(
+ krb5int_algorithm_id *supported_cms_types,
+ krb5_ui_4 num_supported_cms_types);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKINIT_CMS_H_ */
|
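Review bot: In the `krb5int_cert_sig_status` enum of src/include/pkinit_cms.h, the comment "remainder imply good signature on the message proper, i.e., these are all certificate errors" sits directly above `pki_cs_sig_verify_fail`, and `pki_bad_cms` and `pki_bad_digest` further down are not certificate errors either. A caller who trusts that comment could treat any of those values as "signature fine, only the chain is in doubt". I would replace it with `/* every value other than pki_cs_good means the message must not be trusted */` and group the signature failures apart from the certificate ones. `ECT_PkReplyKeyKata` looks like a misspelling of `ECT_PkReplyKeyData`, and the file banner names `pkinit_apple_cms.h` rather than `pkinit_cms.h`.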
