pkinit_crypto_openssl.h revision 488060a6285c53d78d4e5360e7db00d6d544d960
/*
* COPYRIGHT (C) 2006,2007
* THE REGENTS OF THE UNIVERSITY OF MICHIGAN
* ALL RIGHTS RESERVED
*
* Permission is granted to use, copy, create derivative works
* and redistribute this software and such derivative works
* for any purpose, so long as the name of The University of
* Michigan is not used in any advertising or publicity
* pertaining to the use of distribution of this software
* without specific, written prior authorization. If the
* above copyright notice or any other identification of the
* University of Michigan is included in any copy of any
* portion of this software, then the disclaimer below must
* also be included.
*
* THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION
* FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY
* PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF
* MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING
* WITHOUT LIMITATION THE IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE
* REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE
* FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR
* CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING
* OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN
* IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGES.
*/
/*
*/
#ifndef _PKINIT_CRYPTO_OPENSSL_H
#define _PKINIT_CRYPTO_OPENSSL_H
#include <openssl/asn1_mac.h>
#include "pkinit.h"
#define DN_BUF_LEN 256
#define MAX_CREDS_ALLOWED 20
struct _pkinit_cred_info {
#ifndef WITHOUT_PKCS11
int cert_id_len;
#endif
};
typedef struct _pkinit_cred_info * pkinit_cred_info;
struct _pkinit_identity_crypto_context {
int cert_index; /* cert to use out of available certs*/
int pkcs11_method;
void *prompter_data;
#ifndef WITHOUT_PKCS11
char *p11_module_name;
char *token_label;
char *cert_label;
char *PIN; /* Solaris Kerberos: */
/* These are crypto-specific */
void *p11_module;
int cert_id_len;
/* Solaris Kerberos: need to keep some state */
/*
* Solaris Kerberos:
* If PKCS#11 is already being used by the process then C_Finalize should
* not be called by pkinit as it would invalidate any PKCS#11 sessions the
* process was using prior to loading the pkinit plugin. "finalize_pkcs11"
* indicates whether or not C_Finalize should be called by pkinit.
*/
#endif
};
/* Solaris Kerberos: need to know if login was done */
struct _pkinit_plg_crypto_context {
};
struct _pkinit_req_crypto_context {
};
#define CERT_MAGIC 0x53534c43
struct _pkinit_cert_data {
unsigned int magic;
unsigned int index; /* Index of this cred in the creds[] array */
};
#define ITER_MAGIC 0x53534c49
struct _pkinit_cert_iter_data {
unsigned int magic;
unsigned int index;
};
/* Solaris Kerberos */
static krb5_error_code openssl_init(void);
static void pkinit_fini_pkinit_oids(pkinit_plg_crypto_context );
static void pkinit_fini_dh_params(pkinit_plg_crypto_context );
static DH *pkinit_decode_dh_params
(DH **, unsigned char **, unsigned int );
static int pkinit_check_dh_params
static krb5_error_code pkinit_sign_data
static krb5_error_code create_signature
(unsigned char **, unsigned int *, unsigned char *, unsigned int,
unsigned char **decoded, unsigned int *decoded_len);
static krb5_error_code decode_data
(unsigned char **, unsigned int *, unsigned char *, unsigned int,
#ifdef DEBUG_DH
static void print_pubkey(BIGNUM *, char *);
#endif
static int prepare_enc_data
int *outdata_len);
static int openssl_callback (int, X509_STORE_CTX *);
static int openssl_callback_ignore_crls (int, X509_STORE_CTX *);
static int pkcs7_decrypt
static BIO * pkcs7_dataDecode
static ASN1_OBJECT * pkinit_pkcs7type2oid
#ifndef WITHOUT_PKCS11
static krb5_error_code pkinit_login
CK_TOKEN_INFO *tip);
#ifdef SILLYDECRYPT
#endif
unsigned char **decoded_data, unsigned int *decoded_data_len);
#endif /* WITHOUT_PKCS11 */
unsigned char **decoded_data, unsigned int *decoded_data_len);
static krb5_error_code der_decode_data
(unsigned char *, long, unsigned char **, long *);
static krb5_error_code
static krb5_error_code
#ifdef LONGHORN_BETA_COMPAT
static int
int is_longhorn_server);
#else
static int
#endif
static char *
#endif /* _PKINIT_CRYPTO_OPENSSL_H */