1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
|
/*
* COPYRIGHT (C) 2007
* THE REGENTS OF THE UNIVERSITY OF MICHIGAN
* ALL RIGHTS RESERVED
*
* Permission is granted to use, copy, create derivative works
* and redistribute this software and such derivative works
* for any purpose, so long as the name of The University of
* Michigan is not used in any advertising or publicity
* pertaining to the use of distribution of this software
* without specific, written prior authorization. If the
* above copyright notice or any other identification of the
* University of Michigan is included in any copy of any
* portion of this software, then the disclaimer below must
* also be included.
*
* THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION
* FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY
* PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF
* MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING
* WITHOUT LIMITATION THE IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE
* REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE
* FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR
* CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING
* OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN
* IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGES.
*/
/*
* This header defines the cryptographic interface
*/
#ifndef _PKINIT_CRYPTO_H
#define _PKINIT_CRYPTO_H
#include <krb5/krb5.h>
#include <krb5/preauth_plugin.h>
#include <k5-int-pkinit.h>
#include <profile.h>
#include "pkinit_accessor.h"
/*
* these describe the CMS message types
*/
enum cms_msg_types {
CMS_SIGN_CLIENT,
CMS_SIGN_DRAFT9,
CMS_SIGN_SERVER,
CMS_ENVEL_SERVER
};
/*
* storage types for identity information
*/
#define IDTYPE_FILE 1
#define IDTYPE_DIR 2
#define IDTYPE_PKCS11 3
#define IDTYPE_ENVVAR 4
#define IDTYPE_PKCS12 5
/*
* ca/crl types
*/
#define CATYPE_ANCHORS 1
#define CATYPE_INTERMEDIATES 2
#define CATYPE_CRLS 3
/*
* The following represent Key Usage values that we
* may care about in a certificate
*/
#define PKINIT_KU_DIGITALSIGNATURE 0x80000000
#define PKINIT_KU_KEYENCIPHERMENT 0x40000000
/*
* The following represent Extended Key Usage oid values
* that we may care about in a certificate
*/
#define PKINIT_EKU_PKINIT 0x80000000
#define PKINIT_EKU_MSSCLOGIN 0x40000000
#define PKINIT_EKU_CLIENTAUTH 0x20000000
#define PKINIT_EKU_EMAILPROTECTION 0x10000000
/* Handle to cert, opaque above crypto interface */
typedef struct _pkinit_cert_info *pkinit_cert_handle;
/* Handle to cert iteration information, opaque above crypto interface */
typedef struct _pkinit_cert_iter_info *pkinit_cert_iter_handle;
#define PKINIT_ITER_NO_MORE 0x11111111 /* XXX */
typedef struct _pkinit_cert_matching_data {
pkinit_cert_handle ch; /* cert handle for this certificate */
char *subject_dn; /* rfc2253-style subject name string */
char *issuer_dn; /* rfc2253-style issuer name string */
unsigned int ku_bits; /* key usage information */
unsigned int eku_bits; /* extended key usage information */
krb5_principal *sans; /* Null-terminated array of subject alternative
name info (pkinit and ms-upn) */
} pkinit_cert_matching_data;
/*
* Functions to initialize and cleanup crypto contexts
*/
krb5_error_code pkinit_init_plg_crypto(pkinit_plg_crypto_context *);
void pkinit_fini_plg_crypto(pkinit_plg_crypto_context);
krb5_error_code pkinit_init_req_crypto(pkinit_req_crypto_context *);
void pkinit_fini_req_crypto(pkinit_req_crypto_context);
krb5_error_code pkinit_init_identity_crypto(pkinit_identity_crypto_context *);
void pkinit_fini_identity_crypto(pkinit_identity_crypto_context);
/**Create a pkinit ContentInfo*/
krb5_error_code cms_contentinfo_create
(krb5_context context, /* IN */
pkinit_plg_crypto_context plg_cryptoctx, /* IN */
pkinit_req_crypto_context req_cryptoctx, /* IN */
pkinit_identity_crypto_context id_cryptoctx, /* IN */
int cms_msg_type,
unsigned char *in_data, unsigned int in_length,
unsigned char **out_data, unsigned int *out_data_len);
/*
* this function creates a CMS message where eContentType is SignedData
*/
krb5_error_code cms_signeddata_create
(krb5_context context, /* IN */
pkinit_plg_crypto_context plg_cryptoctx, /* IN */
pkinit_req_crypto_context req_cryptoctx, /* IN */
pkinit_identity_crypto_context id_cryptoctx, /* IN */
int cms_msg_type, /* IN
specifies CMS_SIGN_CLIENT for client-side CMS message
and CMS_SIGN_SERVER for kdc-side */
int include_certchain, /* IN
specifies where certificates field in SignedData
should contain certificate path */
unsigned char *auth_pack, /* IN
contains DER encoded AuthPack (CMS_SIGN_CLIENT)
or DER encoded DHRepInfo (CMS_SIGN_SERVER) */
unsigned int auth_pack_len, /* IN
contains length of auth_pack */
unsigned char **signed_data, /* OUT
for CMS_SIGN_CLIENT receives DER encoded
SignedAuthPack (CMS_SIGN_CLIENT) or DER
encoded DHInfo (CMS_SIGN_SERVER) */
unsigned int *signed_data_len); /* OUT
receives length of signed_data */
/*
* this function verifies a CMS message where eContentType is SignedData
*/
krb5_error_code cms_signeddata_verify
(krb5_context context, /* IN */
pkinit_plg_crypto_context plg_cryptoctx, /* IN */
pkinit_req_crypto_context req_cryptoctx, /* IN */
pkinit_identity_crypto_context id_cryptoctx, /* IN */
int cms_msg_type, /* IN
specifies CMS_SIGN_CLIENT for client-side
CMS message and CMS_SIGN_SERVER for kdc-side */
int require_crl_checking, /* IN
specifies whether CRL checking should be
strictly enforced, i.e. if no CRLs available
for the CA then fail verification.
note, if the value is 0, crls are still
checked if present */
unsigned char *signed_data, /* IN
contains DER encoded SignedAuthPack (CMS_SIGN_CLIENT)
or DER encoded DHInfo (CMS_SIGN_SERVER) */
unsigned int signed_data_len, /* IN
contains length of signed_data*/
unsigned char **auth_pack, /* OUT
receives DER encoded AuthPack (CMS_SIGN_CLIENT)
or DER encoded DHRepInfo (CMS_SIGN_SERVER)*/
unsigned int *auth_pack_len, /* OUT
receives length of auth_pack */
unsigned char **authz_data, /* OUT
receives required authorization data that
contains the verified certificate chain
(only used by the KDC) */
unsigned int *authz_data_len, /* OUT
receives length of authz_data */
int *is_signed); /* OUT
receives whether message is signed */
/*
* this function creates a CMS message where eContentType is EnvelopedData
*/
krb5_error_code cms_envelopeddata_create
(krb5_context context, /* IN */
pkinit_plg_crypto_context plg_cryptoctx, /* IN */
pkinit_req_crypto_context req_cryptoctx, /* IN */
pkinit_identity_crypto_context id_cryptoctx, /* IN */
krb5_preauthtype pa_type, /* IN */
int include_certchain, /* IN
specifies whether the certificates field in
SignedData should contain certificate path */
unsigned char *key_pack, /* IN
contains DER encoded ReplyKeyPack */
unsigned int key_pack_len, /* IN
contains length of key_pack */
unsigned char **envel_data, /* OUT
receives DER encoded encKeyPack */
unsigned int *envel_data_len); /* OUT
receives length of envel_data */
/*
* this function creates a CMS message where eContentType is EnvelopedData
*/
krb5_error_code cms_envelopeddata_verify
(krb5_context context, /* IN */
pkinit_plg_crypto_context plg_cryptoctx, /* IN */
pkinit_req_crypto_context req_cryptoctx, /* IN */
pkinit_identity_crypto_context id_cryptoctx, /* IN */
krb5_preauthtype pa_type, /* IN */
int require_crl_checking, /* IN
specifies whether CRL checking should be
strictly enforced */
unsigned char *envel_data, /* IN
contains DER encoded encKeyPack */
unsigned int envel_data_len, /* IN
contains length of envel_data */
unsigned char **signed_data, /* OUT
receives ReplyKeyPack */
unsigned int *signed_data_len); /* OUT
receives length of signed_data */
/*
* this function returns SAN information found in the
* received certificate. at least one of pkinit_sans,
* upn_sans, or kdc_hostnames must be non-NULL.
*/
krb5_error_code crypto_retrieve_cert_sans
(krb5_context context, /* IN */
pkinit_plg_crypto_context plg_cryptoctx, /* IN */
pkinit_req_crypto_context req_cryptoctx, /* IN */
pkinit_identity_crypto_context id_cryptoctx, /* IN */
krb5_principal **pkinit_sans, /* OUT
if non-NULL, a null-terminated array of
id-pkinit-san values found in the certificate
are returned */
krb5_principal **upn_sans, /* OUT
if non-NULL, a null-terminated array of
id-ms-upn-san values found in the certificate
are returned */
unsigned char ***kdc_hostname); /* OUT
if non-NULL, a null-terminated array of
dNSName (hostname) SAN values found in the
certificate are returned */
/*
* this function checks for acceptable key usage values
* in the received certificate.
*
* when checking a received kdc certificate, it looks for
* the kpKdc key usage. if allow_secondary_usage is
* non-zero, it will also accept kpServerAuth.
*
* when checking a received user certificate, it looks for
* kpClientAuth key usage. if allow_secondary_usage is
* non-zero, it will also accept id-ms-sc-logon EKU.
*
* this function must also assert that the digitalSignature
* key usage is consistent.
*/
krb5_error_code crypto_check_cert_eku
(krb5_context context, /* IN */
pkinit_plg_crypto_context plg_cryptoctx, /* IN */
pkinit_req_crypto_context req_cryptoctx, /* IN */
pkinit_identity_crypto_context id_cryptoctx, /* IN */
int checking_kdc_cert, /* IN
specifies if the received certificate is
a KDC certificate (non-zero),
or a user certificate (zero) */
int allow_secondary_usage, /* IN
specifies if the secondary key usage
should be accepted or not (see above) */
int *eku_valid); /* OUT
receives non-zero if an acceptable EKU was found */
/*
* this functions takes in generated DH secret key and converts
* it in to a kerberos session key. it takes into the account the
* enc type and then follows the procedure specified in the RFC p 22.
*/
krb5_error_code pkinit_octetstring2key
(krb5_context context, /* IN */
krb5_enctype etype, /* IN
specifies the enc type */
unsigned char *key, /* IN
contains the DH secret key */
unsigned int key_len, /* IN
contains length of key */
krb5_keyblock * krb5key); /* OUT
receives kerberos session key */
/*
* this function implements clients first part of the DH protocol.
* client selects its DH parameters and pub key
*/
krb5_error_code client_create_dh
(krb5_context context, /* IN */
pkinit_plg_crypto_context plg_cryptoctx, /* IN */
pkinit_req_crypto_context req_cryptoctx, /* IN */
pkinit_identity_crypto_context id_cryptoctx, /* IN */
int dh_size, /* IN
specifies the DH modulous, eg 1024, 2048, or 4096 */
unsigned char **dh_paramas, /* OUT
contains DER encoded DH params */
unsigned int *dh_params_len, /* OUT
contains length of dh_parmas */
unsigned char **dh_pubkey, /* OUT
receives DER encoded DH pub key */
unsigned int *dh_pubkey_len); /* OUT
receives length of dh_pubkey */
/*
* this function completes client's the DH protocol. client
* processes received DH pub key from the KDC and computes
* the DH secret key
*/
krb5_error_code client_process_dh
(krb5_context context, /* IN */
pkinit_plg_crypto_context plg_cryptoctx, /* IN */
pkinit_req_crypto_context req_cryptoctx, /* IN */
pkinit_identity_crypto_context id_cryptoctx, /* IN */
unsigned char *dh_pubkey, /* IN
contains client's DER encoded DH pub key */
unsigned int dh_pubkey_len, /* IN
contains length of dh_pubkey */
unsigned char **dh_session_key, /* OUT
receives DH secret key */
unsigned int *dh_session_key_len); /* OUT
receives length of dh_session_key */
/*
* this function implements the KDC first part of the DH protocol.
* it decodes the client's DH parameters and pub key and checks
* if they are acceptable.
*/
krb5_error_code server_check_dh
(krb5_context context, /* IN */
pkinit_plg_crypto_context plg_cryptoctx, /* IN */
pkinit_req_crypto_context req_cryptoctx, /* IN */
pkinit_identity_crypto_context id_cryptoctx, /* IN */
krb5_octet_data *dh_params, /* IN
???? */
int minbits); /* IN
the mininum number of key bits acceptable */
/*
* this function completes the KDC's DH protocol. The KDC generates
* its DH pub key and computes the DH secret key
*/
krb5_error_code server_process_dh
(krb5_context context, /* IN */
pkinit_plg_crypto_context plg_cryptoctx, /* IN */
pkinit_req_crypto_context req_cryptoctx, /* IN */
pkinit_identity_crypto_context id_cryptoctx, /* IN */
unsigned char *received_pubkey, /* IN
contains client's DER encoded DH pub key */
unsigned int received_pub_len, /* IN
contains length of received_pubkey */
unsigned char **dh_pubkey, /* OUT
receives KDC's DER encoded DH pub key */
unsigned int *dh_pubkey_len, /* OUT
receives length of dh_pubkey */
unsigned char **server_key, /* OUT
receives DH secret key */
unsigned int *server_key_len); /* OUT
receives length of server_key */
/*
* this functions takes in crypto specific representation of
* supportedCMSTypes and creates a list of
* krb5_algorithm_identifier
*/
krb5_error_code create_krb5_supportedCMSTypes
(krb5_context context, /* IN */
pkinit_plg_crypto_context plg_cryptoctx, /* IN */
pkinit_req_crypto_context req_cryptoctx, /* IN */
pkinit_identity_crypto_context id_cryptoctx, /* IN */
krb5_algorithm_identifier ***supportedCMSTypes); /* OUT */
/*
* this functions takes in crypto specific representation of
* trustedCertifiers and creates a list of
* krb5_external_principal_identifier
*/
krb5_error_code create_krb5_trustedCertifiers
(krb5_context context, /* IN */
pkinit_plg_crypto_context plg_cryptoctx, /* IN */
pkinit_req_crypto_context req_cryptoctx, /* IN */
pkinit_identity_crypto_context id_cryptoctx, /* IN */
krb5_external_principal_identifier ***trustedCertifiers); /* OUT */
/*
* this functions takes in crypto specific representation of
* trustedCas (draft9) and creates a list of krb5_trusted_ca (draft9).
* draft9 trustedCAs is a CHOICE. we only support choices for
* [1] caName and [2] issuerAndSerial. there is no config
* option available to select the choice yet. default = 1.
*/
krb5_error_code create_krb5_trustedCas
(krb5_context context, /* IN */
pkinit_plg_crypto_context plg_cryptoctx, /* IN */
pkinit_req_crypto_context req_cryptoctx, /* IN */
pkinit_identity_crypto_context id_cryptoctx, /* IN */
int flag, /* IN
specifies the tag of the CHOICE */
krb5_trusted_ca ***trustedCas); /* OUT */
/*
* this functions takes in crypto specific representation of the
* KDC's certificate and creates a DER encoded kdcPKId
*/
krb5_error_code create_issuerAndSerial
(krb5_context context, /* IN */
pkinit_plg_crypto_context plg_cryptoctx, /* IN */
pkinit_req_crypto_context req_cryptoctx, /* IN */
pkinit_identity_crypto_context id_cryptoctx, /* IN */
unsigned char **kdcId_buf, /* OUT
receives DER encoded kdcPKId */
unsigned int *kdcId_len); /* OUT
receives length of encoded kdcPKId */
/*
* process the values from idopts and obtain the cert(s)
* specified by those options, populating the id_cryptoctx.
*/
krb5_error_code crypto_load_certs
(krb5_context context, /* IN */
pkinit_plg_crypto_context plg_cryptoctx, /* IN */
pkinit_req_crypto_context req_cryptoctx, /* IN */
pkinit_identity_opts *idopts, /* IN */
pkinit_identity_crypto_context id_cryptoctx, /* IN/OUT */
krb5_principal princ); /* IN */
/*
* Free up information held from crypto_load_certs()
*/
krb5_error_code crypto_free_cert_info
(krb5_context context,
pkinit_plg_crypto_context plg_cryptoctx,
pkinit_req_crypto_context req_cryptoctx,
pkinit_identity_crypto_context id_cryptoctx);
/*
* Get number of certificates available after crypto_load_certs()
*/
krb5_error_code crypto_cert_get_count
(krb5_context context, /* IN */
pkinit_plg_crypto_context plg_cryptoctx, /* IN */
pkinit_req_crypto_context req_cryptoctx, /* IN */
pkinit_identity_crypto_context id_cryptoctx, /* IN */
int *cert_count); /* OUT */
/*
* Begin iteration over the certs loaded in crypto_load_certs()
*/
krb5_error_code crypto_cert_iteration_begin
(krb5_context context, /* IN */
pkinit_plg_crypto_context plg_cryptoctx, /* IN */
pkinit_req_crypto_context req_cryptoctx, /* IN */
pkinit_identity_crypto_context id_cryptoctx, /* IN */
pkinit_cert_iter_handle *iter_handle); /* OUT */
/*
* End iteration over the certs loaded in crypto_load_certs()
*/
krb5_error_code crypto_cert_iteration_end
(krb5_context context, /* IN */
pkinit_cert_iter_handle iter_handle); /* IN */
/*
* Get next certificate handle
*/
krb5_error_code crypto_cert_iteration_next
(krb5_context context, /* IN */
pkinit_cert_iter_handle iter_handle, /* IN */
pkinit_cert_handle *cert_handle); /* OUT */
/*
* Release cert handle
*/
krb5_error_code crypto_cert_release
(krb5_context context, /* IN */
pkinit_cert_handle cert_handle); /* IN */
/*
* Get certificate matching information
*/
krb5_error_code crypto_cert_get_matching_data
(krb5_context context, /* IN */
pkinit_cert_handle cert_handle, /* IN */
pkinit_cert_matching_data **ret_data); /* OUT */
/*
* Free certificate information
*/
krb5_error_code crypto_cert_free_matching_data
(krb5_context context, /* IN */
pkinit_cert_matching_data *data); /* IN */
/*
* Make the given certificate "the chosen one"
*/
krb5_error_code crypto_cert_select
(krb5_context context, /* IN */
pkinit_cert_matching_data *data); /* IN */
/*
* Select the default certificate as "the chosen one"
*/
krb5_error_code crypto_cert_select_default
(krb5_context context, /* IN */
pkinit_plg_crypto_context plg_cryptoctx, /* IN */
pkinit_req_crypto_context req_cryptoctx, /* IN */
pkinit_identity_crypto_context id_cryptoctx); /* IN */
/*
* process the values from idopts and obtain the anchor or
* intermediate certificates, or crls specified by idtype,
* catype, and id
*/
krb5_error_code crypto_load_cas_and_crls
(krb5_context context, /* IN */
pkinit_plg_crypto_context plg_cryptoctx, /* IN */
pkinit_req_crypto_context req_cryptoctx, /* IN */
pkinit_identity_opts *idopts, /* IN */
pkinit_identity_crypto_context id_cryptoctx, /* IN/OUT */
int idtype, /* IN
defines the storage type (file, directory, etc) */
int catype, /* IN
defines the ca type (anchor, intermediate, crls) */
char *id); /* IN
defines the location (filename, directory name, etc) */
/*
* on the client, obtain the kdc's certificate to include
* in a request
*/
krb5_error_code pkinit_get_kdc_cert
(krb5_context context, /* IN */
pkinit_plg_crypto_context plg_cryptoctx, /* IN */
pkinit_req_crypto_context req_cryptoctx, /* IN */
pkinit_identity_crypto_context id_cryptoctx, /* IN/OUT */
krb5_principal princ); /* IN */
/*
* this function creates edata that contains TD-DH-PARAMETERS
*/
krb5_error_code pkinit_create_td_dh_parameters
(krb5_context context, /* IN */
pkinit_plg_crypto_context plg_cryptoctx, /* IN */
pkinit_req_crypto_context req_cryptoctx, /* IN */
pkinit_identity_crypto_context id_cryptoctx, /* IN */
pkinit_plg_opts *opts, /* IN */
krb5_pa_data ***e_data_out); /* OUT */
/*
* this function processes edata that contains TD-DH-PARAMETERS.
* the client processes the received acceptable by KDC DH
* parameters and picks the first acceptable to it. it matches
* them against the known DH parameters.
*/
krb5_error_code pkinit_process_td_dh_params
(krb5_context context, /* IN */
pkinit_plg_crypto_context plg_cryptoctx, /* IN */
pkinit_req_crypto_context req_cryptoctx, /* IN */
pkinit_identity_crypto_context id_cryptoctx, /* IN */
krb5_algorithm_identifier **algId, /* IN */
int *new_dh_size); /* OUT
receives the new DH modulus to use in the new AS-REQ */
/*
* this function creates edata that contains TD-INVALID-CERTIFICATES
*/
krb5_error_code pkinit_create_td_invalid_certificate
(krb5_context context, /* IN */
pkinit_plg_crypto_context plg_cryptoctx, /* IN */
pkinit_req_crypto_context req_cryptoctx, /* IN */
pkinit_identity_crypto_context id_cryptoctx, /* IN */
krb5_pa_data ***e_data_out); /* OUT */
/*
* this function creates edata that contains TD-TRUSTED-CERTIFIERS
*/
krb5_error_code pkinit_create_td_trusted_certifiers
(krb5_context context, /* IN */
pkinit_plg_crypto_context plg_cryptoctx, /* IN */
pkinit_req_crypto_context req_cryptoctx, /* IN */
pkinit_identity_crypto_context id_cryptoctx, /* IN */
krb5_pa_data ***e_data_out); /* OUT */
/*
* this function processes edata that contains either
* TD-TRUSTED-CERTIFICATES or TD-INVALID-CERTIFICATES.
* current implementation only decodes the received message
* but does not act on it
*/
krb5_error_code pkinit_process_td_trusted_certifiers
(krb5_context context, /* IN */
pkinit_plg_crypto_context plg_cryptoctx, /* IN */
pkinit_req_crypto_context req_cryptoctx, /* IN */
pkinit_identity_crypto_context id_cryptoctx, /* IN */
krb5_external_principal_identifier **trustedCertifiers, /* IN */
int td_type); /* IN */
/*
* this function checks if the received kdcPKId matches
* the KDC's certificate
*/
krb5_error_code pkinit_check_kdc_pkid
(krb5_context context, /* IN */
pkinit_plg_crypto_context plg_cryptoctx, /* IN */
pkinit_req_crypto_context req_cryptoctx, /* IN */
pkinit_identity_crypto_context id_cryptoctx, /* IN */
unsigned char *pdid_buf, /* IN
contains DER encoded kdcPKId */
unsigned int pkid_len, /* IN
contains length of pdid_buf */
int *valid_kdcPkId); /* OUT
1 if kdcPKId matches, otherwise 0 */
krb5_error_code pkinit_identity_set_prompter
(pkinit_identity_crypto_context id_cryptoctx, /* IN */
krb5_prompter_fct prompter, /* IN */
void *prompter_data); /* IN */
krb5_error_code
pkinit_alg_agility_kdf(krb5_context context,
krb5_octet_data *secret,
krb5_octet_data *alg_oid,
krb5_const_principal party_u_info,
krb5_const_principal party_v_info,
krb5_enctype enctype,
krb5_octet_data *as_req,
krb5_octet_data *pk_as_rep,
krb5_keyblock *key_block);
extern const krb5_octet krb5_pkinit_sha1_oid[];
extern const size_t krb5_pkinit_sha1_oid_len;
extern const krb5_octet krb5_pkinit_sha256_oid[];
extern const size_t krb5_pkinit_sha256_oid_len;
extern const krb5_octet krb5_pkinit_sha512_oid[];
extern const size_t krb5_pkinit_sha512_oid_len;
/**
* An ordered set of OIDs, stored as krb5_octet_data of KDF algorithms
* supported by this implementation. The order of this array controls
* the order in which the server will pick.
*/
extern const krb5_octet_data const *supported_kdf_alg_ids[] ;
#endif /* _PKINIT_CRYPTO_H */
|
