pkinit_crypto.h revision 159d09a20817016f09b3ea28d1bdada4a336bb91
/*
* COPYRIGHT (C) 2007
* THE REGENTS OF THE UNIVERSITY OF MICHIGAN
* ALL RIGHTS RESERVED
*
* Permission is granted to use, copy, create derivative works
* and redistribute this software and such derivative works
* for any purpose, so long as the name of The University of
* Michigan is not used in any advertising or publicity
* pertaining to the use of distribution of this software
* without specific, written prior authorization. If the
* above copyright notice or any other identification of the
* University of Michigan is included in any copy of any
* portion of this software, then the disclaimer below must
* also be included.
*
* THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION
* FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY
* PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF
* MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING
* WITHOUT LIMITATION THE IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE
* REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE
* FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR
* CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING
* OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN
* IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGES.
*/
/*
* This header defines the cryptographic interface
*/
#ifndef _PKINIT_CRYPTO_H
#define _PKINIT_CRYPTO_H
/* Solaris Kerberos */
#include <krb5.h>
#include <preauth_plugin.h>
#include <k5-int-pkinit.h>
#include <profile.h>
#include "pkinit_accessor.h"
/*
* these describe the CMS message types
*/
enum cms_msg_types {
};
/*
* storage types for identity information
*/
#define IDTYPE_FILE 1
#define IDTYPE_DIR 2
#define IDTYPE_PKCS11 3
#define IDTYPE_ENVVAR 4
#define IDTYPE_PKCS12 5
/*
*/
#define CATYPE_ANCHORS 1
#define CATYPE_INTERMEDIATES 2
#define CATYPE_CRLS 3
/*
* The following represent Key Usage values that we
* may care about in a certificate
*/
#define PKINIT_KU_DIGITALSIGNATURE 0x80000000
#define PKINIT_KU_KEYENCIPHERMENT 0x40000000
/*
* The following represent Extended Key Usage oid values
* that we may care about in a certificate
*/
#define PKINIT_EKU_PKINIT 0x80000000
#define PKINIT_EKU_MSSCLOGIN 0x40000000
#define PKINIT_EKU_CLIENTAUTH 0x20000000
#define PKINIT_EKU_EMAILPROTECTION 0x10000000
/* Handle to cert, opaque above crypto interface */
typedef struct _pkinit_cert_info *pkinit_cert_handle;
/* Handle to cert iteration information, opaque above crypto interface */
typedef struct _pkinit_cert_iter_info *pkinit_cert_iter_handle;
typedef struct _pkinit_cert_matching_data {
char *subject_dn; /* rfc2253-style subject name string */
char *issuer_dn; /* rfc2253-style issuer name string */
unsigned int ku_bits; /* key usage information */
unsigned int eku_bits; /* extended key usage information */
name info (pkinit and ms-upn) */
/*
* Functions to initialize and cleanup crypto contexts
*/
/*
* this function creates a CMS message where eContentType is SignedData
*/
int cms_msg_type, /* IN
specifies CMS_SIGN_CLIENT for client-side CMS message
and CMS_SIGN_SERVER for kdc-side */
int include_certchain, /* IN
specifies where certificates field in SignedData
should contain certificate path */
unsigned char *auth_pack, /* IN
contains DER encoded AuthPack (CMS_SIGN_CLIENT)
or DER encoded DHRepInfo (CMS_SIGN_SERVER) */
unsigned int auth_pack_len, /* IN
contains length of auth_pack */
unsigned char **signed_data, /* OUT
for CMS_SIGN_CLIENT receives DER encoded
SignedAuthPack (CMS_SIGN_CLIENT) or DER
encoded DHInfo (CMS_SIGN_SERVER) */
unsigned int *signed_data_len); /* OUT
receives length of signed_data */
/*
* this function verifies a CMS message where eContentType is SignedData
*/
int cms_msg_type, /* IN
specifies CMS_SIGN_CLIENT for client-side
CMS message and CMS_SIGN_SERVER for kdc-side */
int require_crl_checking, /* IN
specifies whether CRL checking should be
strictly enforced, i.e. if no CRLs available
for the CA then fail verification.
note, if the value is 0, crls are still
checked if present */
unsigned char *signed_data, /* IN
contains DER encoded SignedAuthPack (CMS_SIGN_CLIENT)
or DER encoded DHInfo (CMS_SIGN_SERVER) */
unsigned int signed_data_len, /* IN
contains length of signed_data*/
unsigned char **auth_pack, /* OUT
receives DER encoded AuthPack (CMS_SIGN_CLIENT)
or DER encoded DHRepInfo (CMS_SIGN_SERVER)*/
unsigned int *auth_pack_len, /* OUT
receives length of auth_pack */
unsigned char **authz_data, /* OUT
receives required authorization data that
contains the verified certificate chain
(only used by the KDC) */
unsigned int *authz_data_len); /* OUT
receives length of authz_data */
/*
* this function creates a CMS message where eContentType is EnvelopedData
*/
int include_certchain, /* IN
specifies whether the certificates field in
SignedData should contain certificate path */
unsigned char *key_pack, /* IN
contains DER encoded ReplyKeyPack */
unsigned int key_pack_len, /* IN
contains length of key_pack */
unsigned char **envel_data, /* OUT
receives DER encoded encKeyPack */
unsigned int *envel_data_len); /* OUT
receives length of envel_data */
/*
* this function creates a CMS message where eContentType is EnvelopedData
*/
int require_crl_checking, /* IN
specifies whether CRL checking should be
strictly enforced */
unsigned char *envel_data, /* IN
contains DER encoded encKeyPack */
unsigned int envel_data_len, /* IN
contains length of envel_data */
unsigned char **signed_data, /* OUT
receives ReplyKeyPack */
unsigned int *signed_data_len); /* OUT
receives length of signed_data */
/*
* this function returns SAN information found in the
* received certificate. at least one of pkinit_sans,
* upn_sans, or kdc_hostnames must be non-NULL.
*/
if non-NULL, a null-terminated array of
id-pkinit-san values found in the certificate
are returned */
if non-NULL, a null-terminated array of
id-ms-upn-san values found in the certificate
are returned */
unsigned char ***kdc_hostname); /* OUT
if non-NULL, a null-terminated array of
dNSName (hostname) SAN values found in the
certificate are returned */
/*
* this function checks for acceptable key usage values
* in the received certificate.
*
* when checking a received kdc certificate, it looks for
* the kpKdc key usage. if allow_secondary_usage is
* non-zero, it will also accept kpServerAuth.
*
* when checking a received user certificate, it looks for
* kpClientAuth key usage. if allow_secondary_usage is
* non-zero, it will also accept id-ms-sc-logon EKU.
*
* this function must also assert that the digitalSignature
* key usage is consistent.
*/
int checking_kdc_cert, /* IN
specifies if the received certificate is
a KDC certificate (non-zero),
or a user certificate (zero) */
int allow_secondary_usage, /* IN
specifies if the secondary key usage
should be accepted or not (see above) */
int *eku_valid); /* OUT
receives non-zero if an acceptable EKU was found */
/*
* this functions takes in generated DH secret key and converts
* it in to a kerberos session key. it takes into the account the
* enc type and then follows the procedure specified in the RFC p 22.
*/
specifies the enc type */
unsigned char *key, /* IN
contains the DH secret key */
unsigned int key_len, /* IN
contains length of key */
receives kerberos session key */
/*
* this function implements clients first part of the DH protocol.
* client selects its DH parameters and pub key
*/
int dh_size, /* IN
specifies the DH modulous, eg 1024, 2048, or 4096 */
unsigned char **dh_paramas, /* OUT
contains DER encoded DH params */
unsigned int *dh_params_len, /* OUT
contains length of dh_parmas */
unsigned char **dh_pubkey, /* OUT
receives DER encoded DH pub key */
unsigned int *dh_pubkey_len); /* OUT
receives length of dh_pubkey */
/*
* this function completes client's the DH protocol. client
* processes received DH pub key from the KDC and computes
* the DH secret key
*/
unsigned char *dh_pubkey, /* IN
contains client's DER encoded DH pub key */
unsigned int dh_pubkey_len, /* IN
contains length of dh_pubkey */
unsigned char **dh_session_key, /* OUT
receives DH secret key */
unsigned int *dh_session_key_len); /* OUT
receives length of dh_session_key */
/*
* this function implements the KDC first part of the DH protocol.
* it decodes the client's DH parameters and pub key and checks
* if they are acceptable.
*/
???? */
int minbits); /* IN
the mininum number of key bits acceptable */
/*
* this function completes the KDC's DH protocol. The KDC generates
* its DH pub key and computes the DH secret key
*/
unsigned char *received_pubkey, /* IN
contains client's DER encoded DH pub key */
unsigned int received_pub_len, /* IN
contains length of received_pubkey */
unsigned char **dh_pubkey, /* OUT
receives KDC's DER encoded DH pub key */
unsigned int *dh_pubkey_len, /* OUT
receives length of dh_pubkey */
unsigned char **server_key, /* OUT
receives DH secret key */
unsigned int *server_key_len); /* OUT
receives length of server_key */
/*
* this functions takes in crypto specific representation of
* supportedCMSTypes and creates a list of
* krb5_algorithm_identifier
*/
/*
* this functions takes in crypto specific representation of
* trustedCertifiers and creates a list of
* krb5_external_principal_identifier
*/
/*
* this functions takes in crypto specific representation of
* trustedCas (draft9) and creates a list of krb5_trusted_ca (draft9).
* draft9 trustedCAs is a CHOICE. we only support choices for
* [1] caName and [2] issuerAndSerial. there is no config
* option available to select the choice yet. default = 1.
*/
int flag, /* IN
specifies the tag of the CHOICE */
/*
* this functions takes in crypto specific representation of the
* KDC's certificate and creates a DER encoded kdcPKId
*/
unsigned char **kdcId_buf, /* OUT
receives DER encoded kdcPKId */
unsigned int *kdcId_len); /* OUT
receives length of encoded kdcPKId */
/*
* process the values from idopts and obtain the cert(s)
* specified by those options, populating the id_cryptoctx.
*/
/*
* Free up information held from crypto_load_certs()
*/
/*
* Get number of certificates available after crypto_load_certs()
*/
int *cert_count); /* OUT */
/*
* Begin iteration over the certs loaded in crypto_load_certs()
*/
/*
* End iteration over the certs loaded in crypto_load_certs()
*/
/*
* Get next certificate handle
*/
/*
* Release cert handle
*/
/*
* Get certificate matching information
*/
/*
* Free certificate information
*/
/*
* Make the given certificate "the chosen one"
*/
/*
* Select the default certificate as "the chosen one"
*/
/*
* process the values from idopts and obtain the anchor or
* intermediate certificates, or crls specified by idtype,
* catype, and id
*/
int idtype, /* IN
defines the storage type (file, directory, etc) */
int catype, /* IN
defines the ca type (anchor, intermediate, crls) */
char *id); /* IN
defines the location (filename, directory name, etc) */
/*
* on the client, obtain the kdc's certificate to include
* in a request
*/
/*
* this function creates edata that contains TD-DH-PARAMETERS
*/
/*
* this function processes edata that contains TD-DH-PARAMETERS.
* the client processes the received acceptable by KDC DH
* parameters and picks the first acceptable to it. it matches
* them against the known DH parameters.
*/
int *new_dh_size); /* OUT
receives the new DH modulus to use in the new AS-REQ */
/*
* this function creates edata that contains TD-INVALID-CERTIFICATES
*/
/*
* this function creates edata that contains TD-TRUSTED-CERTIFIERS
*/
/*
* this function processes edata that contains either
* TD-TRUSTED-CERTIFICATES or TD-INVALID-CERTIFICATES.
* current implementation only decodes the received message
* but does not act on it
*/
int td_type); /* IN */
/*
* this function checks if the received kdcPKId matches
* the KDC's certificate
*/
unsigned char *pdid_buf, /* IN
contains DER encoded kdcPKId */
unsigned int pkid_len, /* IN
contains length of pdid_buf */
int *valid_kdcPkId); /* OUT
1 if kdcPKId matches, otherwise 0 */
void *prompter_data); /* IN */
#endif /* _PKINIT_CRYPTO_H */