authorGreg Hudson <ghudson@mit.edu>2012-04-26 21:46:57 +0000
committerGreg Hudson <ghudson@mit.edu>2012-04-26 21:46:57 +0000
commit7150b8eab9fb4bf643dd1a7ac4f5be3ca455dfcb (patch)
tree4134a3be28c14b2357f3b8811abd61cb8329a809 /src/include
parent7385d4bc68f58a766e5a7dcc17ce4aba2acaf2af (diff)
downloadkrb5-7150b8eab9fb4bf643dd1a7ac4f5be3ca455dfcb.tar.gz
krb5-7150b8eab9fb4bf643dd1a7ac4f5be3ca455dfcb.tar.xz
krb5-7150b8eab9fb4bf643dd1a7ac4f5be3ca455dfcb.zip
Remove orphaned Apple PKINIT support
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25830 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/include')
-rw-r--r--src/include/pkinit_apple_utils.h155
-rw-r--r--src/include/pkinit_asn1.h172
-rw-r--r--src/include/pkinit_cert_store.h163
-rw-r--r--src/include/pkinit_client.h94
-rw-r--r--src/include/pkinit_cms.h179
5 files changed, 0 insertions, 763 deletions
diff --git a/src/include/pkinit_apple_utils.h b/src/include/pkinit_apple_utils.h
deleted file mode 100644
index 77ed9a0d9..000000000
--- a/src/include/pkinit_apple_utils.h
+++ /dev/null
@@ -1,155 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/*
- * Copyright (c) 2004-2008 Apple Inc. All Rights Reserved.
- *
- * Export of this software from the United States of America may require
- * a specific license from the United States Government. It is the
- * responsibility of any person or organization contemplating export to
- * obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of Apple Inc. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Apple Inc. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
- * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
- */
-
-/*
- * pkinit_apple_utils.h - PKINIT utilities, Mac OS X version
- *
- * Created 19 May 2004 by Doug Mitchell.
- */
-
-#ifndef _PKINIT_APPLE_UTILS_H_
-#define _PKINIT_APPLE_UTILS_H_
-
-#include <krb5/krb5.h>
-#include <Security/SecAsn1Coder.h>
-#include <Security/cssmapple.h>
-#include <CoreFoundation/CoreFoundation.h>
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-#ifndef PKI_DEBUG
-#define PKI_DEBUG 0
-#endif
-
-#if PKI_DEBUG
-
-#include <stdio.h>
-
-#define pkiDebug(args...) printf(args)
-#define pkiCssmErr(str, rtn) cssmPerror(str, rtn)
-#else
-#define pkiDebug(args...)
-#define pkiCssmErr(str, rtn)
-#endif /* PKI_DEBUG */
-
-/*
- * Macros used to initialize a declared CSSM_DATA and krb5_data to zero/NULL values.
- */
-#define INIT_CDATA(cd) cd = {0, NULL}
-#define INIT_KDATA(kd) kd = {0, 0, NULL}
-
-/* attach/detach to/from CL */
-CSSM_RETURN pkiClDetachUnload(CSSM_CL_HANDLE clHand);
-CSSM_CL_HANDLE pkiClStartup(void);
-
-/*
- * CSSM_DATA <--> krb5_ui_4
- */
-krb5_error_code pkiDataToInt(
- const CSSM_DATA *cdata,
- krb5_int32 *i); /* RETURNED */
-
-krb5_error_code pkiIntToData(
- krb5_int32 num,
- CSSM_DATA *cdata, /* allocated in coder space and RETURNED */
- SecAsn1CoderRef coder);
-
-/*
- * raw data --> krb5_data
- */
-krb5_error_code pkiDataToKrb5Data(
- const void *data,
- unsigned dataLen,
- krb5_data *kd); /* content mallocd and RETURNED */
-
-/*
- * CSSM_DATA <--> krb5_data
- *
- * CSSM_DATA data is managed by a SecAsn1CoderRef; krb5_data.data is mallocd.
- */
-krb5_error_code pkiCssmDataToKrb5Data(
- const CSSM_DATA *cd,
- krb5_data *kd); /* content mallocd and RETURNED */
-
-
-krb5_error_code pkiKrb5DataToCssm(
- const krb5_data *kd,
- CSSM_DATA *cdata, /* allocated in coder space and RETURNED */
- SecAsn1CoderRef coder);
-
-/*
- * CFDataRef --> krb5_data, mallocing the destination contents.
- */
-krb5_error_code pkiCfDataToKrb5Data(
- CFDataRef cfData,
- krb5_data *kd); /* content mallocd and RETURNED */
-
-/*
- * Non-mallocing conversion between CSSM_DATA and krb5_data
- */
-#define PKI_CSSM_TO_KRB_DATA(cd, kd) \
- do { \
- (kd)->data = (char *)(cd)->Data; \
- (kd)->length = (cd)->Length; \
- } while (0)
-
-#define PKI_KRB_TO_CSSM_DATA(kd, cd) \
- do { \
- (cd)->Data = (uint8 *)(kd)->data; \
- (cd)->Length = (kd)->length; \
- } while (0)
-
-/*
- * Compare to CSSM_DATAs. Return TRUE if they're the same else FALSE.
- */
-krb5_boolean pkiCompareCssmData(
- const CSSM_DATA *d1,
- const CSSM_DATA *d2);
-
-/*
- * krb5_timestamp <--> a mallocd string in generalized format
- */
-krb5_error_code pkiKrbTimestampToStr(
- krb5_timestamp kts,
- char **str); /* mallocd and RETURNED */
-
-krb5_error_code pkiTimeStrToKrbTimestamp(
- const char *str,
- unsigned len,
- krb5_timestamp *kts); /* RETURNED */
-
-/*
- * How many items in a NULL-terminated array of pointers?
- */
-unsigned pkiNssArraySize(
- const void **array);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* _PKINIT_APPLE_UTILS_H_ */
diff --git a/src/include/pkinit_asn1.h b/src/include/pkinit_asn1.h
deleted file mode 100644
index a1c4fe88e..000000000
--- a/src/include/pkinit_asn1.h
+++ /dev/null
@@ -1,172 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/*
- * Copyright (c) 2004-2008 Apple Inc. All Rights Reserved.
- *
- * Export of this software from the United States of America may require
- * a specific license from the United States Government. It is the
- * responsibility of any person or organization contemplating export to
- * obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of Apple Inc. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Apple Inc. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
- * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
- */
-
-/*
- * pkinit_asn1.h - ASN.1 encode/decode routines for PKINIT
- *
- * Created 18 May 2004 by Doug Mitchell.
- */
-
-#ifndef _PKINIT_ASN1_H_
-#define _PKINIT_ASN1_H_
-
-#include <krb5/krb5.h>
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/* RFC 3280 AlgorithmIdentifier */
-typedef struct {
- krb5_data algorithm; /* OID */
- krb5_data parameters; /* ASN_ANY, defined by algorithm */
-} krb5int_algorithm_id;
-
-/*
- * Encode and decode AuthPack, public key version (no Diffie-Hellman components).
- */
-krb5_error_code krb5int_pkinit_auth_pack_encode(
- krb5_timestamp kctime,
- krb5_int32 cusec, /* microseconds */
- krb5_ui_4 nonce,
- const krb5_checksum *pa_checksum,
- const krb5int_algorithm_id *cms_types, /* optional */
- krb5_ui_4 num_cms_types,
- krb5_data *auth_pack); /* mallocd and RETURNED */
-
-/* all returned values are optional - pass NULL if you don't want them */
-krb5_error_code krb5int_pkinit_auth_pack_decode(
- const krb5_data *auth_pack, /* DER encoded */
- krb5_timestamp *kctime, /* RETURNED */
- krb5_ui_4 *cusec, /* microseconds, RETURNED */
- krb5_ui_4 *nonce, /* RETURNED */
- krb5_checksum *pa_checksum, /* contents mallocd and RETURNED */
- krb5int_algorithm_id **cms_types, /* mallocd and RETURNED */
- krb5_ui_4 *num_cms_types); /* RETURNED */
-
-
-/*
- * Given DER-encoded issuer and serial number, create an encoded
- * IssuerAndSerialNumber.
- */
-krb5_error_code krb5int_pkinit_issuer_serial_encode(
- const krb5_data *issuer, /* DER encoded */
- const krb5_data *serial_num,
- krb5_data *issuer_and_serial); /* content mallocd and RETURNED */
-
-/*
- * Decode IssuerAndSerialNumber.
- */
-krb5_error_code krb5int_pkinit_issuer_serial_decode(
- const krb5_data *issuer_and_serial, /* DER encoded */
- krb5_data *issuer, /* DER encoded, RETURNED */
- krb5_data *serial_num); /* RETURNED */
-
-/*
- * Top-level encode for PA-PK-AS-REQ.
- * The signed_auth_pack field is wrapped in an OCTET STRING, content
- * specific tag 0, during encode.
- */
-krb5_error_code krb5int_pkinit_pa_pk_as_req_encode(
- const krb5_data *signed_auth_pack, /* DER encoded ContentInfo */
- const krb5_data *trusted_CAs, /* optional: trustedCertifiers. Contents are
- * DER-encoded issuer/serialNumbers. */
- krb5_ui_4 num_trusted_CAs,
- const krb5_data *kdc_cert, /* optional kdcPkId, DER encoded issuer/serial */
- krb5_data *pa_pk_as_req); /* mallocd and RETURNED */
-
-/*
- * Top-level decode for PA-PK-AS-REQ. Does not perform cert verification on the
- * ContentInfo; that is returned in BER-encoded form and processed elsewhere.
- * The OCTET STRING wrapping the signed_auth_pack field is removed during the
- * decode.
- */
-krb5_error_code krb5int_pkinit_pa_pk_as_req_decode(
- const krb5_data *pa_pk_as_req,
- krb5_data *signed_auth_pack, /* DER encoded ContentInfo, RETURNED */
- /*
- * Remainder are optionally RETURNED (specify NULL for pointers to
- * items you're not interested in).
- */
- krb5_ui_4 *num_trusted_CAs, /* sizeof trusted_CAs */
- krb5_data **trusted_CAs, /* mallocd array of DER-encoded TrustedCAs
- * issuer/serial */
- krb5_data *kdc_cert); /* DER encoded issuer/serial */
-
-/*
- * Encode a ReplyKeyPack. The result is used as the Content of a SignedData.
- */
-krb5_error_code krb5int_pkinit_reply_key_pack_encode(
- const krb5_keyblock *key_block,
- const krb5_checksum *checksum,
- krb5_data *reply_key_pack); /* mallocd and RETURNED */
-
-/*
- * Decode a ReplyKeyPack.
- */
-krb5_error_code krb5int_pkinit_reply_key_pack_decode(
- const krb5_data *reply_key_pack,
- krb5_keyblock *key_block, /* RETURNED */
- krb5_checksum *checksum); /* contents mallocd and RETURNED */
-
-/*
- * Encode a PA-PK-AS-REP.
- * Exactly one of {dh_signed_data, enc_key_pack} is non-NULL on entry;
- * each is a previously encoded item.
- *
- * dh_signed_data, if specified, is an encoded DHRepInfo.
- * enc_key_pack, if specified, is EnvelopedData(signedData(ReplyKeyPack)
- */
-krb5_error_code krb5int_pkinit_pa_pk_as_rep_encode(
- const krb5_data *dh_signed_data,
- const krb5_data *enc_key_pack, /* EnvelopedData(signedData(ReplyKeyPack) */
- krb5_data *pa_pk_as_rep); /* mallocd and RETURNED */
-
-/*
- * Decode a PA-PK-AS-REP.
- * On successful return, exactly one of {dh_signed_data, enc_key_pack}
- * will be non-NULL, each of which is mallocd and must be freed by
- * caller.
- *
- * dh_signed_data, if returned, is an encoded DHRepInfo.
- * enc_key_pack, if specified, is EnvelopedData(signedData(ReplyKeyPack)
- */
-krb5_error_code krb5int_pkinit_pa_pk_as_rep_decode(
- const krb5_data *pa_pk_as_rep,
- krb5_data *dh_signed_data,
- krb5_data *enc_key_pack);
-
-/*
- * Given a DER encoded certificate, obtain the associated IssuerAndSerialNumber.
- */
-krb5_error_code krb5int_pkinit_get_issuer_serial(
- const krb5_data *cert,
- krb5_data *issuer_and_serial);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* _PKINIT_ASN1_H_ */
diff --git a/src/include/pkinit_cert_store.h b/src/include/pkinit_cert_store.h
deleted file mode 100644
index 3bec81e37..000000000
--- a/src/include/pkinit_cert_store.h
+++ /dev/null
@@ -1,163 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/*
- * Copyright (c) 2004-2008 Apple Inc. All Rights Reserved.
- *
- * Export of this software from the United States of America may require
- * a specific license from the United States Government. It is the
- * responsibility of any person or organization contemplating export to
- * obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of Apple Inc. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Apple Inc. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
- * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
- */
-
-/*
- * pkinit_cert_store.h - PKINIT certificate storage/retrieval utilities
- *
- * Created 26 May 2004 by Doug Mitchell at Apple.
- */
-
-#ifndef _PKINIT_CERT_STORE_H_
-#define _PKINIT_CERT_STORE_H_
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-#include <krb5/krb5.h>
-
-/*
- * Opaque reference to a machine-dependent representation of a certificate
- * which is capable of signing. On Mac OS X this is actually a SecIdentityRef.
- */
-typedef void *krb5_pkinit_signing_cert_t;
-
-/*
- * Opaque reference to a machine-dependent representation of a certificate.
- * On Mac OS X this is actually a SecCertificateRef.
- */
-typedef void *krb5_pkinit_cert_t;
-
-/*
- * Opaque reference to a database in which PKINIT-related certificates are stored.
- */
-typedef void *krb5_pkinit_cert_db_t;
-
-/*
- * Obtain signing cert for specified principal. On successful return,
- * caller must eventually release the cert with krb5_pkinit_release_cert().
- *
- * Returns KRB5_PRINC_NOMATCH if client cert not found.
- */
-krb5_error_code krb5_pkinit_get_client_cert(
- const char *principal, /* full principal string */
- krb5_pkinit_signing_cert_t *client_cert); /* RETURNED */
-
-/*
- * Determine if the specified client has a signing cert. Returns TRUE
- * if so, else returns FALSE.
- */
-krb5_boolean krb5_pkinit_have_client_cert(
- const char *principal); /* full principal string */
-
-/*
- * Store the specified certificate (or, more likely, some platform-dependent
- * reference to it) as the specified principal's signing cert. Passing
- * in NULL for the client_cert has the effect of deleting the relevant entry
- * in the cert storage.
- */
-krb5_error_code krb5_pkinit_set_client_cert_from_signing_cert(
- const char *principal, /* full principal string */
- krb5_pkinit_signing_cert_t client_cert);
-krb5_error_code krb5_pkinit_set_client_cert(
- const char *principal, /* full principal string */
- krb5_pkinit_cert_t client_cert);
-
-/*
- * Obtain a reference to the client's cert database. Specify either principal
- * name or client_cert as obtained from krb5_pkinit_get_client_cert().
- */
-krb5_error_code krb5_pkinit_get_client_cert_db(
- const char *principal, /* optional, full principal string */
- krb5_pkinit_signing_cert_t client_cert, /* optional, from krb5_pkinit_get_client_cert() */
- krb5_pkinit_cert_db_t *client_cert_db); /* RETURNED */
-
-/*
- * Obtain the KDC signing cert, with optional CA and specific cert specifiers.
- * CAs and cert specifiers are in the form of DER-encoded issuerAndSerialNumbers.
- *
- * The client_spec argument is typically provided by the client as kdcPkId.
- *
- * If trusted_CAs and client_spec are NULL, a platform-dependent preferred
- * KDC signing cert is returned, if one exists.
- *
- * On successful return, caller must eventually release the cert with
- * krb5_pkinit_release_cert(). Outside of an unusual test configuration this =
- *
- * Returns KRB5_PRINC_NOMATCH if KDC cert not found.
- *
- */
-krb5_error_code krb5_pkinit_get_kdc_cert(
- krb5_ui_4 num_trusted_CAs, /* sizeof *trusted_CAs */
- krb5_data *trusted_CAs, /* optional */
- krb5_data *client_spec, /* optional */
- krb5_pkinit_signing_cert_t *kdc_cert); /* RETURNED */
-
-/*
- * Obtain a reference to the KDC's cert database.
- */
-krb5_error_code krb5_pkinit_get_kdc_cert_db(
- krb5_pkinit_cert_db_t *kdc_cert_db); /* RETURNED */
-
-/*
- * Release certificate references obtained via krb5_pkinit_get_client_cert() and
- * krb5_pkinit_get_kdc_cert().
- */
-extern void krb5_pkinit_release_cert(
- krb5_pkinit_signing_cert_t cert);
-
-/*
- * Release database references obtained via krb5_pkinit_get_client_cert_db() and
- * krb5_pkinit_get_kdc_cert_db().
- */
-extern void krb5_pkinit_release_cert_db(
- krb5_pkinit_cert_db_t cert_db);
-
-/*
- * Obtain a mallocd C-string representation of a certificate's SHA1 digest.
- * Only error is a NULL return indicating memory failure.
- * Caller must free the returned string.
- */
-char *krb5_pkinit_cert_hash_str(
- const krb5_data *cert);
-
-/*
- * Obtain a client's optional list of trusted KDC CA certs (trustedCertifiers)
- * and/or trusted KDC cert (kdcPkId) for a given client and server.
- * All returned values are mallocd and must be freed by caller; the contents
- * of the krb5_datas are DER-encoded certificates.
- */
-krb5_error_code krb5_pkinit_get_server_certs(
- const char *client_principal,
- const char *server_principal,
- krb5_data **trusted_CAs, /* RETURNED, though return value may be NULL */
- krb5_ui_4 *num_trusted_CAs, /* RETURNED */
- krb5_data *kdc_cert); /* RETURNED, though may be 0/NULL */
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* _PKINIT_CERT_STORE_H_ */
diff --git a/src/include/pkinit_client.h b/src/include/pkinit_client.h
deleted file mode 100644
index ed8e6e4da..000000000
--- a/src/include/pkinit_client.h
+++ /dev/null
@@ -1,94 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/*
- * Copyright (c) 2004-2008 Apple Inc. All Rights Reserved.
- *
- * Export of this software from the United States of America may require
- * a specific license from the United States Government. It is the
- * responsibility of any person or organization contemplating export to
- * obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of Apple Inc. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Apple Inc. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
- * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
- */
-
-/*
- * pkinit_client.h - Client side routines for PKINIT
- *
- * Created 20 May 2004 by Doug Mitchell at Apple.
- */
-
-#ifndef _PKINIT_CLIENT_H_
-#define _PKINIT_CLIENT_H_
-
-#include <krb5/krb5.h>
-#include "pkinit_cms.h"
-#include "pkinit_cert_store.h"
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/*
- * Create a PA-PK-AS-REQ message.
- */
-krb5_error_code krb5int_pkinit_as_req_create(
- krb5_context context,
- krb5_timestamp kctime,
- krb5_int32 cusec, /* microseconds */
- krb5_ui_4 nonce,
- const krb5_checksum *cksum,
- krb5_pkinit_signing_cert_t client_cert, /* required! */
-
- /*
- * trusted_CAs correponds to PA-PK-AS-REQ.trustedCertifiers.
- * Expressed here as an optional list of DER-encoded certs.
- */
- const krb5_data *trusted_CAs,
- krb5_ui_4 num_trusted_CAs,
-
- /* optional PA-PK-AS-REQ.kdcPkId, expressed here as a
- * DER-encoded cert */
- const krb5_data *kdc_cert,
- krb5_data *as_req); /* mallocd and RETURNED */
-
-/*
- * Parse PA-PK-AS-REP message. Optionally evaluates the message's certificate chain.
- * Optionally returns various components.
- */
-krb5_error_code krb5int_pkinit_as_rep_parse(
- krb5_context context,
- const krb5_data *as_rep,
- krb5_pkinit_signing_cert_t client_cert, /* required for decryption */
- krb5_keyblock *key_block, /* RETURNED */
- krb5_checksum *checksum, /* checksum of corresponding AS-REQ */
- /* contents mallocd and RETURNED */
- krb5int_cert_sig_status *cert_status, /* RETURNED */
-
- /*
- * Cert fields, all optionally RETURNED.
- *
- * signer_cert is the DER-encoded leaf cert from the incoming SignedData.
- * all_certs is an array of all of the certs in the incoming SignedData,
- * in full DER-encoded form.
- */
- krb5_data *signer_cert, /* content mallocd */
- unsigned *num_all_certs, /* sizeof *all_certs */
- krb5_data **all_certs); /* krb5_data's and their content mallocd */
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* _PKINIT_CLIENT_H_ */
diff --git a/src/include/pkinit_cms.h b/src/include/pkinit_cms.h
deleted file mode 100644
index 832e00d5b..000000000
--- a/src/include/pkinit_cms.h
+++ /dev/null
@@ -1,179 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/*
- * Copyright (c) 2004-2008 Apple Inc. All Rights Reserved.
- *
- * Export of this software from the United States of America may require
- * a specific license from the United States Government. It is the
- * responsibility of any person or organization contemplating export to
- * obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of Apple Inc. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Apple Inc. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
- * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
- */
-
-/*
- * pkinit_apple_cms.h - CMS encode/decode routines, Mac OS X version
- *
- * Created 19 May 2004 by Doug Mitchell at Apple.
- */
-
-#ifndef _PKINIT_CMS_H_
-#define _PKINIT_CMS_H_
-
-#include <krb5/krb5.h>
-#include "pkinit_cert_store.h" /* for krb5_pkinit_signing_cert_t */
-#include "pkinit_asn1.h" /* for krb5int_algorithm_id */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/*
- * Define ContentType for a SignedData and EnvelopedData.
- */
-enum {
- /* normal CMS ContentTypes */
- ECT_Data,
- ECT_SignedData,
- ECT_EnvelopedData,
- ECT_EncryptedData,
-
- /*
- * For SignedAuthPack
- * pkauthdata: { iso (1) org (3) dod (6) internet (1)
- * security (5) kerberosv5 (2) pkinit (3) pkauthdata (1)}
- */
- ECT_PkAuthData,
-
- /*
- * For ReplyKeyPack
- * pkrkeydata: { iso (1) org (3) dod (6) internet (1)
- * security (5) kerberosv5 (2) pkinit (3) pkrkeydata (3) }
- */
- ECT_PkReplyKeyKata,
-
- /*
- * Other - i.e., unrecognized ContentType on decode.
- */
- ECT_Other
-};
-typedef krb5_int32 krb5int_cms_content_type;
-
-/*
- * Result of certificate and signature verification.
- */
-enum {
- pki_cs_good = 0,
- pki_not_signed, /* message not signed */
- pki_not_evaluated, /* signed, but not evaluated per caller request */
- /* remainder imply good signature on the message proper, i.e., these
- * are all certificate errors. */
- pki_cs_sig_verify_fail, /* signature verification failed */
- pki_cs_bad_leaf, /* leaf/subject cert itself is plain bad */
- pki_cs_no_root, /* looks good but not verifiable to any root */
- pki_cs_unknown_root, /* verified to root we don't recognize */
- pki_cs_expired, /* expired */
- pki_cs_not_valid_yet, /* cert not valid yet */
- pki_cs_revoked, /* revoked via CRL or OCSP */
- pki_cs_untrusted, /* marked by user as untrusted */
- pki_bad_cms, /* CMS Format precluded verification */
- pki_bad_key_use, /* Bad ExtendedKeyUse or KeyUsage extension */
- pki_bad_digest, /* unacceptable CMS digest algorithm */
- pki_cs_other_err /* other cert verify error */
-};
-typedef krb5_int32 krb5int_cert_sig_status;
-
-/*
- * Create a CMS message: either encrypted (EnvelopedData), signed
- * (SignedData), or both (EnvelopedData(SignedData(content)).
- *
- * The message is signed iff signing_cert is non-NULL.
- * The message is encrypted iff recip_cert is non-NULL.
- *
- * The content_type argument specifies to the eContentType
- * for a SignedData's EncapsulatedContentInfo; it's ignored
- * if the message is not to be signed.
- *
- * The cms_types argument optionally specifies a list, in order
- * of decreasing preference, of CMS algorithms to use in the
- * creation of the CMS message.
- */
-krb5_error_code krb5int_pkinit_create_cms_msg(
- const krb5_data *content, /* Content */
- krb5_pkinit_signing_cert_t signing_cert, /* optional: signed by this cert */
- const krb5_data *recip_cert, /* optional: encrypted with this cert */
- krb5int_cms_content_type content_type, /* OID for EncapsulatedData */
- krb5_ui_4 num_cms_types, /* optional */
- const krb5int_algorithm_id *cms_types, /* optional */
- krb5_data *content_info); /* contents mallocd and RETURNED */
-
-/*
- * Parse a ContentInfo as best we can. All returned fields are optional -
- * pass NULL for values you don't need.
- *
- * If signer_cert_status is NULL on entry, NO signature or cert evaluation
- * will be performed.
- *
- * The is_client_msg argument indicates whether the CMS message originated
- * from the client (TRUE) or server (FALSE) and may be used in platform-
- * dependent certificate evaluation.
- *
- * Note that signature and certificate verification errors do NOT cause
- * this routine itself to return an error; caller is reponsible for
- * handling such errors per the signer_cert_status out parameter.
- */
-krb5_error_code krb5int_pkinit_parse_cms_msg(
- const krb5_data *content_info,
- krb5_pkinit_cert_db_t cert_db, /* may be required for SignedData */
- krb5_boolean is_client_msg, /* TRUE : msg is from client */
- krb5_boolean *is_signed, /* RETURNED */
- krb5_boolean *is_encrypted, /* RETURNED */
- krb5_data *raw_data, /* RETURNED */
- krb5int_cms_content_type *inner_content_type,/* Returned, ContentType of
- * EncapsulatedData if
- * *is_signed true */
- /* returned for type SignedData only */
- krb5_data *signer_cert, /* RETURNED */
- krb5int_cert_sig_status *signer_cert_status,/* RETURNED */
- unsigned *num_all_certs, /* size of *all_certs RETURNED */
- krb5_data **all_certs); /* entire cert chain RETURNED */
-
-/*
- * An AuthPack contains an optional set of AlgorithmIdentifiers
- * which define the CMS algorithms supported by the client, in
- * order of decreasing preference.
- *
- * krb5int_pkinit_get_cms_types() is a CMS-implementation-dependent
- * function returning supported CMS algorithms in the form of a
- * pointer and a length suitable for passing to
- * krb5int_pkinit_auth_pack_encode. If no preference is to be expressed,
- * this function returns NULL/0 (without returning a nonzero krb5_error_code).
- *
- * krb5int_pkinit_free_cms_types() frees the pointer obtained
- * from krb5int_pkinit_get_cms_types() as necessary.
- */
-krb5_error_code krb5int_pkinit_get_cms_types(
- krb5int_algorithm_id **supported_cms_types, /* RETURNED */
- krb5_ui_4 *num_supported_cms_types); /* RETURNED */
-
-krb5_error_code krb5int_pkinit_free_cms_types(
- krb5int_algorithm_id *supported_cms_types,
- krb5_ui_4 num_supported_cms_types);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* _PKINIT_CMS_H_ */