/*
*/
/*
* COPYRIGHT (C) 2006,2007
* THE REGENTS OF THE UNIVERSITY OF MICHIGAN
* ALL RIGHTS RESERVED
*
* Permission is granted to use, copy, create derivative works
* and redistribute this software and such derivative works
* for any purpose, so long as the name of The University of
* Michigan is not used in any advertising or publicity
* pertaining to the use of distribution of this software
* without specific, written prior authorization. If the
* above copyright notice or any other identification of the
* University of Michigan is included in any copy of any
* portion of this software, then the disclaimer below must
* also be included.
*
* THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION
* FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY
* PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF
* MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING
* WITHOUT LIMITATION THE IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE
* REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE
* FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR
* CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING
* OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN
* IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGES.
*/
/*
*/
#ifndef _PKINIT_H
#define _PKINIT_H
/* Solaris Kerberos */
#include <krb5.h>
#include <preauth_plugin.h>
#include <k5-int-pkinit.h>
#include <profile.h>
#include "pkinit_accessor.h"
/*
* It is anticipated that all the special checks currently
* required when talking to a Longhorn server will go away
* by the time it is officially released and all references
* to the longhorn global can be removed and any code
* #ifdef'd with LONGHORN_BETA_COMPAT can be removed.
* And this #define!
*/
#ifdef LONGHORN_BETA_COMPAT
extern int longhorn; /* XXX Talking to a Longhorn server? */
#endif
#ifndef WITHOUT_PKCS11
/* Solaris Kerberos */
#include <security/cryptoki.h>
/* Solaris Kerberos */
#endif
/* Make pkiDebug(fmt,...) print, or not. */
#ifdef DEBUG
#else
/* Still evaluates for side effects. */
/* This is better if the compiler doesn't inline variadic functions
well, but gcc will warn about "left-hand operand of comma
expression has no effect". Still evaluates for side effects. */
/* #define pkiDebug (void) */
#endif
/* Solaris compiler doesn't grok __FUNCTION__
* hack for now. Fix all the uses eventually. */
/* Macros to deal with converting between various data types... */
extern const krb5_octet_data dh_oid;
/*
* notes about crypto contexts:
*
* the basic idea is that there are crypto contexts that live at
* both the plugin level and request level. the identity context (that
* keeps info about your own certs and such) is separate because
* it is needed at different levels for the kdc and the client.
* (the kdc's identity is at the plugin level, the client's identity
* information could change per-request.)
* the identity context is meant to have the entity's cert,
* a list of trusted and intermediate cas, a list of crls, and any
* pkcs11 information. the req context is meant to have the
* received certificate and the DH related information. the plugin
* context is meant to have global crypto information, i.e., OIDs
* and constant DH parameter information.
*/
/*
* plugin crypto context should keep plugin common information,
* eg., OIDs, known DHparams
*/
/*
* request crypto context should keep request common information,
* eg., received credentials, DH parameters of this request
*/
/*
* identity context should keep information about credentials
* for the request, eg., my credentials, trusted ca certs,
* intermediate ca certs, crls, pkcs11 info
*/
/*
* this structure keeps information about the config options
*/
typedef struct _pkinit_plg_opts {
/*
* this structure keeps options used for a given request
*/
typedef struct _pkinit_req_opts {
int require_eku;
int accept_secondary_eku;
int allow_upn;
int dh_or_rsa;
int require_crl_checking;
int win2k_target;
int win2k_require_cksum;
/*
* information about identity from config file or command line
*/
typedef struct _pkinit_identity_opts {
char *identity;
char **identity_alt;
char **anchors;
char **intermediates;
char **crls;
char *ocsp;
char *dn_mapping_file;
int idtype;
char *cert_filename;
char *key_filename;
#ifndef WITHOUT_PKCS11
char *p11_module_name;
char *token_label;
char *cert_id_string;
char *cert_label;
#endif
/*
* Client's plugin context
*/
struct _pkinit_context {
int magic; /* integrity tag; presumably compared against a fixed constant before the context is trusted — the check lives in the client code, not here */
};
/*
* Client's per-request context
*/
struct _pkinit_req_context {
int magic; /* integrity tag for the per-request context; where it is validated is not visible in this header */
};
/*
* KDC's (per-realm) plugin context
*/
struct _pkinit_kdc_context {
int magic; /* integrity tag for the per-realm KDC context */
char *realmname; /* realm this context serves; ownership and NUL-termination are not established here — confirm in the KDC code */
unsigned int realmname_len; /* explicit length kept alongside realmname; NOTE(review): prefer it over strlen() for bounded copies/compares */
};
/*
* KDC's per-request context
*/
struct _pkinit_kdc_req_context {
int magic; /* integrity tag for the KDC per-request context; validation site not visible here */
};
/*
* Functions in pkinit_lib.c
*/
/* Teardown of the options structures (judging by the "fini" naming); whether the
 * pointer itself is freed or only its members is defined in pkinit_lib.c — confirm
 * there before calling free() on the argument afterwards. */
void pkinit_fini_req_opts(pkinit_req_opts *);
void pkinit_fini_plg_opts(pkinit_plg_opts *);
/*
* Functions in pkinit_identity.c
*/
/* Human-readable names for identity / CA type codes. NOTE(review): the return
 * type is non-const char *; presumably these point at static strings that must
 * not be freed or written to — confirm in pkinit_identity.c. */
char * idtype2string(int idtype);
char * catype2string(int catype);
int do_matching, /* IN */
/*
* initialization and free functions
*/
/*
* Functions in pkinit_profile.c
*/
char ***ret_value);
char **ret_value);
int default_value, int *ret_value);
int default_value, int *ret_value);
int default_value, int *ret_value);
int default_value, int *ret_value);
/*
* debugging functions
*/
/* Solaris Kerberos - make const to work with openssl 1.0 */
/* Hex/binary dump helpers for debugging. NOTE(review): callers should not route
 * private keys, DH secrets or session keys through these outside DEBUG builds;
 * whether any caller does is not visible from this header. */
void print_buffer(const unsigned char *, unsigned int);
void print_buffer_bin(const unsigned char *, unsigned int, char *);
/*
* Now get crypto function declarations
*/
#include "pkinit_crypto.h"
#endif /* _PKINIT_H */