159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * COPYRIGHT (C) 2007
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * THE REGENTS OF THE UNIVERSITY OF MICHIGAN
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * ALL RIGHTS RESERVED
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * Permission is granted to use, copy, create derivative works
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * and redistribute this software and such derivative works
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * for any purpose, so long as the name of The University of
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * Michigan is not used in any advertising or publicity
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * pertaining to the use of distribution of this software
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * without specific, written prior authorization. If the
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * above copyright notice or any other identification of the
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * University of Michigan is included in any copy of any
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * portion of this software, then the disclaimer below must
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * also be included.
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * WITHOUT LIMITATION THE IMPLIED WARRANTIES OF
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * SUCH DAMAGES.
9e11d51c0ad2b26ad2cd7f23707e4fb3005fd5b4Will Fiveash * Copyright (c) 2008, 2010, Oracle and/or its affiliates. All rights reserved.
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * This header defines the cryptographic interface
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan/* Solaris Kerberos */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * these describe the CMS message types
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * storage types for identity information
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * The following represent Key Usage values that we
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * may care about in a certificate
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * The following represent Extended Key Usage oid values
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * that we may care about in a certificate
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan/* Handle to a certificate, opaque above the crypto interface: code above this layer only passes it back into the cert iteration/selection functions declared below and never dereferences it (the struct is defined by the crypto implementation) */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalantypedef struct _pkinit_cert_info *pkinit_cert_handle;
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan/* Handle to cert iteration state, opaque above the crypto interface; obtained from the "begin iteration" call and released by the matching "end iteration" call */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalantypedef struct _pkinit_cert_iter_info *pkinit_cert_iter_handle;
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkinit_cert_handle ch; /* cert handle for this certificate */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan char *subject_dn; /* rfc2253-style subject name string */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan char *issuer_dn; /* rfc2253-style issuer name string */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan unsigned int ku_bits; /* key usage information */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan unsigned int eku_bits; /* extended key usage information */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan krb5_principal *sans; /* Null-terminated array of subject alternative
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan name info (pkinit and ms-upn) */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * Functions to initialize and cleanup crypto contexts.
 * Each *_init_* function fills in the context named by its out-parameter
 * and returns a krb5_error_code (presumably 0 on success, following the
 * krb5 convention); the matching *_fini_* function takes the context by
 * value and returns nothing.  Pair every successful init with exactly one
 * fini.  Judging by the names, plg is per-plugin, req is per-request and
 * identity holds the certificates loaded by crypto_load_certs() -- and
 * presumably the private key that goes with the chosen certificate.
 * NOTE(review): confirm that the identity fini wipes key material rather
 * than only freeing it.
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalankrb5_error_code pkinit_init_plg_crypto(pkinit_plg_crypto_context *);
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalanvoid pkinit_fini_plg_crypto(pkinit_plg_crypto_context);
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalankrb5_error_code pkinit_init_req_crypto(pkinit_req_crypto_context *);
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalanvoid pkinit_fini_req_crypto(pkinit_req_crypto_context);
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalankrb5_error_code pkinit_init_identity_crypto(pkinit_identity_crypto_context *);
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalanvoid pkinit_fini_identity_crypto(pkinit_identity_crypto_context);
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * this function creates a CMS message where eContentType is SignedData
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkinit_plg_crypto_context plg_cryptoctx, /* IN */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkinit_req_crypto_context req_cryptoctx, /* IN */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkinit_identity_crypto_context id_cryptoctx, /* IN */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan specifies CMS_SIGN_CLIENT for client-side CMS message
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan and CMS_SIGN_SERVER for kdc-side */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan specifies where certificates field in SignedData
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan should contain certificate path */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan contains DER encoded AuthPack (CMS_SIGN_CLIENT)
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan or DER encoded DHRepInfo (CMS_SIGN_SERVER) */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan contains length of auth_pack */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan receives DER encoded SignedAuthPack
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan (CMS_SIGN_CLIENT) or DER encoded DHInfo
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan (CMS_SIGN_SERVER) */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan receives length of signed_data */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * this function verifies a CMS message where eContentType is SignedData
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkinit_plg_crypto_context plg_cryptoctx, /* IN */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkinit_req_crypto_context req_cryptoctx, /* IN */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkinit_identity_crypto_context id_cryptoctx, /* IN */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan specifies CMS_SIGN_CLIENT for client-side
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan CMS message and CMS_SIGN_SERVER for kdc-side */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan specifies whether CRL checking should be
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan strictly enforced, i.e. if no CRL is available
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan for the issuing CA then verification fails.
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan note: if the value is 0, CRLs are still checked
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan when present; 0 only means that a missing CRL is
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan not fatal, so revocation status may go unchecked */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan contains DER encoded SignedAuthPack (CMS_SIGN_CLIENT)
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan or DER encoded DHInfo (CMS_SIGN_SERVER) */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan contains length of signed_data*/
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan receives DER encoded AuthPack (CMS_SIGN_CLIENT)
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan or DER encoded DHRepInfo (CMS_SIGN_SERVER)*/
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan receives length of auth_pack */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan receives required authorization data that
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan contains the verified certificate chain
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan (only used by the KDC) */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan receives length of authz_data */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * this function creates a CMS message where eContentType is EnvelopedData
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkinit_plg_crypto_context plg_cryptoctx, /* IN */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkinit_req_crypto_context req_cryptoctx, /* IN */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkinit_identity_crypto_context id_cryptoctx, /* IN */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan specifies whether the certificates field in
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan SignedData should contain certificate path */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan contains DER encoded ReplyKeyPack */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan contains length of key_pack */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan receives DER encoded encKeyPack */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan receives length of envel_data */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * this function decrypts a CMS message where eContentType is EnvelopedData
 * and validates the sender's certificate subject to the CRL-checking flag
 * below (the inverse of the create function above)
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkinit_plg_crypto_context plg_cryptoctx, /* IN */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkinit_req_crypto_context req_cryptoctx, /* IN */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkinit_identity_crypto_context id_cryptoctx, /* IN */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan specifies whether CRL checking should be
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan strictly enforced */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan contains DER encoded encKeyPack */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan contains length of envel_data */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan receives ReplyKeyPack */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan receives length of key_pack */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * this function returns SAN information found in the
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * received certificate. at least one of pkinit_sans,
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * upn_sans, or kdc_hostnames must be non-NULL.
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkinit_plg_crypto_context plg_cryptoctx, /* IN */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkinit_req_crypto_context req_cryptoctx, /* IN */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkinit_identity_crypto_context id_cryptoctx, /* IN */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan if non-NULL, a null-terminated array of
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan id-pkinit-san values found in the certificate
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan are returned */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan if non-NULL, a null-terminated array of
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan id-ms-upn-san values found in the certificate
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan are returned */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan if non-NULL, a null-terminated array of
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan dNSName (hostname) SAN values found in the
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan certificate are returned */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * this function checks for acceptable key usage values
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * in the received certificate.
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * when checking a received KDC certificate, it looks for
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * the kpKdc EKU (id-pkinit-KPKdc). if allow_secondary_usage is
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * non-zero, it will also accept kpServerAuth, which widens
 * acceptance to any TLS server certificate chaining to a trusted
 * anchor; enable it only where KDC certificates cannot carry KPKdc.
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * when checking a received user certificate, it looks for the
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * kpClientAuth EKU. if allow_secondary_usage is
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * non-zero, it will also accept the id-ms-sc-logon EKU.
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * this function must also assert that the digitalSignature
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * key usage bit is set: the certificate is used to sign the
 * AuthPack / DHRepInfo, so a certificate lacking it is not
 * acceptable regardless of its EKUs.
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkinit_plg_crypto_context plg_cryptoctx, /* IN */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkinit_req_crypto_context req_cryptoctx, /* IN */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkinit_identity_crypto_context id_cryptoctx, /* IN */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan specifies if the received certificate is
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan a KDC certificate (non-zero),
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan or a user certificate (zero) */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan specifies if the secondary key usage
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan should be accepted or not (see above) */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan receives non-zero if an acceptable EKU was found */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * this function takes the generated DH shared secret and converts
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * it into a Kerberos session key. it takes the enc type into account
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * and then follows the octetstring2key procedure specified in the
 * PKINIT RFC (RFC 4556, section 3.2.3.1).
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan specifies the enc type */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan contains the DH secret key */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan contains length of key */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan receives kerberos session key */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * this function implements the client's first part of the DH protocol.
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * the client selects its DH parameters and generates its pub key
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkinit_plg_crypto_context plg_cryptoctx, /* IN */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkinit_req_crypto_context req_cryptoctx, /* IN */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkinit_identity_crypto_context id_cryptoctx, /* IN */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan specifies the DH modulus size in bits, e.g. 1024,
 2048, or 4096 (1024 is the RFC 4556 minimum and is
 weak by current standards; prefer 2048 or larger) */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan contains DER encoded DH params */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan contains length of dh_params */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan receives DER encoded DH pub key */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan receives length of dh_pubkey */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * this function completes the client's side of the DH protocol. the
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * client processes the DH pub key received from the KDC and computes
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * the DH shared secret
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkinit_plg_crypto_context plg_cryptoctx, /* IN */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkinit_req_crypto_context req_cryptoctx, /* IN */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkinit_identity_crypto_context id_cryptoctx, /* IN */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan contains the KDC's DER encoded DH pub key (received in the reply) */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan contains length of dh_pubkey */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan receives DH secret key */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan receives length of dh_session_key */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * this function implements the KDC first part of the DH protocol.
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * it decodes the client's DH parameters and pub key and checks
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * if they are acceptable.
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkinit_plg_crypto_context plg_cryptoctx, /* IN */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkinit_req_crypto_context req_cryptoctx, /* IN */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkinit_identity_crypto_context id_cryptoctx, /* IN */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan the minimum number of DH modulus bits acceptable; parameters
 below this are rejected as unacceptable */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * this function completes the KDC's DH protocol. The KDC generates
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * its DH pub key and computes the DH secret key
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkinit_plg_crypto_context plg_cryptoctx, /* IN */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkinit_req_crypto_context req_cryptoctx, /* IN */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkinit_identity_crypto_context id_cryptoctx, /* IN */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan contains client's DER encoded DH pub key */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan contains length of received_pubkey */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan receives KDC's DER encoded DH pub key */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan receives length of dh_pubkey */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan receives DH secret key */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan receives length of server_key */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * this function takes the crypto-specific representation of
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * supportedCMSTypes and creates a list of
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * krb5_algorithm_identifier
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkinit_plg_crypto_context plg_cryptoctx, /* IN */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkinit_req_crypto_context req_cryptoctx, /* IN */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkinit_identity_crypto_context id_cryptoctx, /* IN */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan krb5_algorithm_identifier ***supportedCMSTypes); /* OUT */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * this function takes the crypto-specific representation of
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * trustedCertifiers and creates a list of
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * krb5_external_principal_identifier
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkinit_plg_crypto_context plg_cryptoctx, /* IN */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkinit_req_crypto_context req_cryptoctx, /* IN */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkinit_identity_crypto_context id_cryptoctx, /* IN */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan krb5_external_principal_identifier ***trustedCertifiers); /* OUT */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * this function takes the crypto-specific representation of
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * trustedCAs (draft9) and creates a list of krb5_trusted_ca (draft9).
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * draft9 trustedCAs is a CHOICE. we only support choices for
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * [1] caName and [2] issuerAndSerial. there is no config
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * option available to select the choice yet. default = 1.
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkinit_plg_crypto_context plg_cryptoctx, /* IN */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkinit_req_crypto_context req_cryptoctx, /* IN */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkinit_identity_crypto_context id_cryptoctx, /* IN */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan specifies the tag of the CHOICE */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * this function takes the crypto-specific representation of the
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * KDC's certificate and creates a DER encoded kdcPKId
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkinit_plg_crypto_context plg_cryptoctx, /* IN */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkinit_req_crypto_context req_cryptoctx, /* IN */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkinit_identity_crypto_context id_cryptoctx, /* IN */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan receives DER encoded kdcPKId */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan receives length of encoded kdcPKId */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * process the values from idopts and obtain the cert(s)
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * specified by those options, populating the id_cryptoctx.
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkinit_plg_crypto_context plg_cryptoctx, /* IN */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkinit_req_crypto_context req_cryptoctx, /* IN */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkinit_identity_crypto_context id_cryptoctx, /* IN/OUT */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * Free up information held from crypto_load_certs()
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * Get number of certificates available after crypto_load_certs()
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkinit_plg_crypto_context plg_cryptoctx, /* IN */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkinit_req_crypto_context req_cryptoctx, /* IN */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkinit_identity_crypto_context id_cryptoctx, /* IN */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * Begin iteration over the certs loaded in crypto_load_certs()
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkinit_plg_crypto_context plg_cryptoctx, /* IN */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkinit_req_crypto_context req_cryptoctx, /* IN */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkinit_identity_crypto_context id_cryptoctx, /* IN */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkinit_cert_iter_handle *iter_handle); /* OUT */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * End iteration over the certs loaded in crypto_load_certs()
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * Get next certificate handle
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * Release cert handle
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * Get certificate matching information
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkinit_cert_matching_data **ret_data); /* OUT */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * Free certificate information
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * Make the given certificate "the chosen one"
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * Select the default certificate as "the chosen one"
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkinit_plg_crypto_context plg_cryptoctx, /* IN */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkinit_req_crypto_context req_cryptoctx, /* IN */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkinit_identity_crypto_context id_cryptoctx); /* IN */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * process the values from idopts and obtain the anchor or
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * intermediate certificates, or crls specified by idtype,
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * catype, and id
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkinit_plg_crypto_context plg_cryptoctx, /* IN */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkinit_req_crypto_context req_cryptoctx, /* IN */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkinit_identity_crypto_context id_cryptoctx, /* IN/OUT */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan defines the storage type (file, directory, etc) */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan defines the ca type (anchor, intermediate, crls) */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan defines the location (filename, directory name, etc) */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * on the client, obtain the kdc's certificate to include
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * in a request
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkinit_plg_crypto_context plg_cryptoctx, /* IN */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkinit_req_crypto_context req_cryptoctx, /* IN */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkinit_identity_crypto_context id_cryptoctx, /* IN/OUT */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * this function creates edata that contains TD-DH-PARAMETERS
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkinit_plg_crypto_context plg_cryptoctx, /* IN */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkinit_req_crypto_context req_cryptoctx, /* IN */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkinit_identity_crypto_context id_cryptoctx, /* IN */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * this function processes edata that contains TD-DH-PARAMETERS.
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * the client walks the list of DH parameters the KDC reports as
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * acceptable and picks the first one that is also acceptable to it,
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * by matching each against the client's known DH parameters. since
 * the edata arrives in an unauthenticated KRB-ERROR, only groups the
 * client already knows may be selected; arbitrary KDC-supplied
 * parameters must never be adopted.
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkinit_plg_crypto_context plg_cryptoctx, /* IN */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkinit_req_crypto_context req_cryptoctx, /* IN */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkinit_identity_crypto_context id_cryptoctx, /* IN */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan receives the new DH modulus to use in the new AS-REQ */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * this function creates edata that contains TD-INVALID-CERTIFICATES
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalankrb5_error_code pkinit_create_td_invalid_certificate
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkinit_plg_crypto_context plg_cryptoctx, /* IN */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkinit_req_crypto_context req_cryptoctx, /* IN */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkinit_identity_crypto_context id_cryptoctx, /* IN */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * this function creates edata that contains TD-TRUSTED-CERTIFIERS
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalankrb5_error_code pkinit_create_td_trusted_certifiers
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkinit_plg_crypto_context plg_cryptoctx, /* IN */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkinit_req_crypto_context req_cryptoctx, /* IN */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkinit_identity_crypto_context id_cryptoctx, /* IN */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * this function processes edata that contains either
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * TD-TRUSTED-CERTIFIERS or TD-INVALID-CERTIFICATES.
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * the current implementation only decodes the received message
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * but does not act on it (note the edata comes from an unauthenticated
 * KRB-ERROR, so any future use of it must not change which anchors
 * the client trusts)
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalankrb5_error_code pkinit_process_td_trusted_certifiers
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkinit_plg_crypto_context plg_cryptoctx, /* IN */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkinit_req_crypto_context req_cryptoctx, /* IN */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkinit_identity_crypto_context id_cryptoctx, /* IN */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan krb5_external_principal_identifier **trustedCertifiers, /* IN */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * this function checks if the received kdcPKId matches
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * the KDC's certificate
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkinit_plg_crypto_context plg_cryptoctx, /* IN */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkinit_req_crypto_context req_cryptoctx, /* IN */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan pkinit_identity_crypto_context id_cryptoctx, /* IN */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan contains DER encoded kdcPKId */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan contains length of pdid_buf */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan 1 if kdcPKId matches, otherwise 0 */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan (pkinit_identity_crypto_context id_cryptoctx, /* IN */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan#endif /* _PKINIT_CRYPTO_H */