1 /* 2 * COPYRIGHT (C) 2007 3 * THE REGENTS OF THE UNIVERSITY OF MICHIGAN 4 * ALL RIGHTS RESERVED 5 * 6 * Permission is granted to use, copy, create derivative works 7 * and redistribute this software and such derivative works 8 * for any purpose, so long as the name of The University of 9 * Michigan is not used in any advertising or publicity 10 * pertaining to the use of distribution of this software 11 * without specific, written prior authorization. If the 12 * above copyright notice or any other identification of the 13 * University of Michigan is included in any copy of any 14 * portion of this software, then the disclaimer below must 15 * also be included. 16 * 17 * THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION 18 * FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY 19 * PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF 20 * MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING 21 * WITHOUT LIMITATION THE IMPLIED WARRANTIES OF 22 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE 23 * REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE 24 * FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR 25 * CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING 26 * OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN 27 * IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF 28 * SUCH DAMAGES. 29 */ 30 31 /* 32 * Copyright (c) 2008, 2010, Oracle and/or its affiliates. All rights reserved. 33 */ 34 35 /* 36 * This header defines the cryptographic interface 37 */ 38 39 #ifndef _PKINIT_CRYPTO_H 40 #define _PKINIT_CRYPTO_H 41 42 /* Solaris Kerberos */ 43 #include <krb5.h> 44 #include <preauth_plugin.h> 45 #include <k5-int-pkinit.h> 46 #include <profile.h> 47 #include "pkinit_accessor.h" 48 49 /* 50 * these describe the CMS message types 51 */ 52 enum cms_msg_types { 53 CMS_SIGN_CLIENT, 54 CMS_SIGN_DRAFT9, 55 CMS_SIGN_SERVER, 56 CMS_ENVEL_SERVER 57 }; 58 59 /* 60 * storage types for identity information 61 */ 62 #define IDTYPE_FILE 1 63 #define IDTYPE_DIR 2 64 #define IDTYPE_PKCS11 3 65 #define IDTYPE_ENVVAR 4 66 #define IDTYPE_PKCS12 5 67 68 /* 69 * ca/crl types 70 */ 71 #define CATYPE_ANCHORS 1 72 #define CATYPE_INTERMEDIATES 2 73 #define CATYPE_CRLS 3 74 75 /* 76 * The following represent Key Usage values that we 77 * may care about in a certificate 78 */ 79 #define PKINIT_KU_DIGITALSIGNATURE 0x80000000 80 #define PKINIT_KU_KEYENCIPHERMENT 0x40000000 81 82 /* 83 * The following represent Extended Key Usage oid values 84 * that we may care about in a certificate 85 */ 86 #define PKINIT_EKU_PKINIT 0x80000000 87 #define PKINIT_EKU_MSSCLOGIN 0x40000000 88 #define PKINIT_EKU_CLIENTAUTH 0x20000000 89 #define PKINIT_EKU_EMAILPROTECTION 0x10000000 90 91 92 /* Handle to cert, opaque above crypto interface */ 93 typedef struct _pkinit_cert_info *pkinit_cert_handle; 94 95 /* Handle to cert iteration information, opaque above crypto interface */ 96 typedef struct _pkinit_cert_iter_info *pkinit_cert_iter_handle; 97 98 #define PKINIT_ITER_NO_MORE 0x11111111 /* XXX */ 99 100 typedef struct _pkinit_cert_matching_data { 101 pkinit_cert_handle ch; /* cert handle for this certificate */ 102 char *subject_dn; /* rfc2253-style subject name string */ 103 char *issuer_dn; /* rfc2253-style issuer name string */ 104 unsigned int ku_bits; /* key usage information */ 105 unsigned int eku_bits; /* extended key usage information */ 106 krb5_principal *sans; /* Null-terminated array of subject alternative 107 name info (pkinit and ms-upn) */ 108 } pkinit_cert_matching_data; 109 110 /* 111 * Functions to initialize and cleanup crypto contexts 112 */ 113 krb5_error_code pkinit_init_plg_crypto(pkinit_plg_crypto_context *); 114 void pkinit_fini_plg_crypto(pkinit_plg_crypto_context); 115 116 krb5_error_code pkinit_init_req_crypto(pkinit_req_crypto_context *); 117 void pkinit_fini_req_crypto(pkinit_req_crypto_context); 118 119 krb5_error_code pkinit_init_identity_crypto(pkinit_identity_crypto_context *); 120 void pkinit_fini_identity_crypto(pkinit_identity_crypto_context); 121 122 /* 123 * this function creates a CMS message where eContentType is SignedData 124 */ 125 krb5_error_code cms_signeddata_create 126 (krb5_context context, /* IN */ 127 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 128 pkinit_req_crypto_context req_cryptoctx, /* IN */ 129 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 130 int cms_msg_type, /* IN 131 specifies CMS_SIGN_CLIENT for client-side CMS message 132 and CMS_SIGN_SERVER for kdc-side */ 133 int include_certchain, /* IN 134 specifies where certificates field in SignedData 135 should contain certificate path */ 136 unsigned char *auth_pack, /* IN 137 contains DER encoded AuthPack (CMS_SIGN_CLIENT) 138 or DER encoded DHRepInfo (CMS_SIGN_SERVER) */ 139 unsigned int auth_pack_len, /* IN 140 contains length of auth_pack */ 141 unsigned char **signed_data, /* OUT 142 for CMS_SIGN_CLIENT receives DER encoded 143 SignedAuthPack (CMS_SIGN_CLIENT) or DER 144 encoded DHInfo (CMS_SIGN_SERVER) */ 145 unsigned int *signed_data_len); /* OUT 146 receives length of signed_data */ 147 148 /* 149 * this function verifies a CMS message where eContentType is SignedData 150 */ 151 krb5_error_code cms_signeddata_verify 152 (krb5_context context, /* IN */ 153 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 154 pkinit_req_crypto_context req_cryptoctx, /* IN */ 155 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 156 int cms_msg_type, /* IN 157 specifies CMS_SIGN_CLIENT for client-side 158 CMS message and CMS_SIGN_SERVER for kdc-side */ 159 int require_crl_checking, /* IN 160 specifies whether CRL checking should be 161 strictly enforced, i.e. if no CRLs available 162 for the CA then fail verification. 163 note, if the value is 0, crls are still 164 checked if present */ 165 unsigned char *signed_data, /* IN 166 contains DER encoded SignedAuthPack (CMS_SIGN_CLIENT) 167 or DER encoded DHInfo (CMS_SIGN_SERVER) */ 168 unsigned int signed_data_len, /* IN 169 contains length of signed_data*/ 170 unsigned char **auth_pack, /* OUT 171 receives DER encoded AuthPack (CMS_SIGN_CLIENT) 172 or DER encoded DHRepInfo (CMS_SIGN_SERVER)*/ 173 unsigned int *auth_pack_len, /* OUT 174 receives length of auth_pack */ 175 unsigned char **authz_data, /* OUT 176 receives required authorization data that 177 contains the verified certificate chain 178 (only used by the KDC) */ 179 unsigned int *authz_data_len); /* OUT 180 receives length of authz_data */ 181 182 /* 183 * this function creates a CMS message where eContentType is EnvelopedData 184 */ 185 krb5_error_code cms_envelopeddata_create 186 (krb5_context context, /* IN */ 187 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 188 pkinit_req_crypto_context req_cryptoctx, /* IN */ 189 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 190 krb5_preauthtype pa_type, /* IN */ 191 int include_certchain, /* IN 192 specifies whether the certificates field in 193 SignedData should contain certificate path */ 194 unsigned char *key_pack, /* IN 195 contains DER encoded ReplyKeyPack */ 196 unsigned int key_pack_len, /* IN 197 contains length of key_pack */ 198 unsigned char **envel_data, /* OUT 199 receives DER encoded encKeyPack */ 200 unsigned int *envel_data_len); /* OUT 201 receives length of envel_data */ 202 203 /* 204 * this function creates a CMS message where eContentType is EnvelopedData 205 */ 206 krb5_error_code cms_envelopeddata_verify 207 (krb5_context context, /* IN */ 208 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 209 pkinit_req_crypto_context req_cryptoctx, /* IN */ 210 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 211 krb5_preauthtype pa_type, /* IN */ 212 int require_crl_checking, /* IN 213 specifies whether CRL checking should be 214 strictly enforced */ 215 unsigned char *envel_data, /* IN 216 contains DER encoded encKeyPack */ 217 unsigned int envel_data_len, /* IN 218 contains length of envel_data */ 219 unsigned char **signed_data, /* OUT 220 receives ReplyKeyPack */ 221 unsigned int *signed_data_len); /* OUT 222 receives length of signed_data */ 223 224 /* 225 * this function returns SAN information found in the 226 * received certificate. at least one of pkinit_sans, 227 * upn_sans, or kdc_hostnames must be non-NULL. 228 */ 229 krb5_error_code crypto_retrieve_cert_sans 230 (krb5_context context, /* IN */ 231 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 232 pkinit_req_crypto_context req_cryptoctx, /* IN */ 233 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 234 krb5_principal **pkinit_sans, /* OUT 235 if non-NULL, a null-terminated array of 236 id-pkinit-san values found in the certificate 237 are returned */ 238 krb5_principal **upn_sans, /* OUT 239 if non-NULL, a null-terminated array of 240 id-ms-upn-san values found in the certificate 241 are returned */ 242 unsigned char ***kdc_hostname); /* OUT 243 if non-NULL, a null-terminated array of 244 dNSName (hostname) SAN values found in the 245 certificate are returned */ 246 247 /* 248 * this function checks for acceptable key usage values 249 * in the received certificate. 250 * 251 * when checking a received kdc certificate, it looks for 252 * the kpKdc key usage. if allow_secondary_usage is 253 * non-zero, it will also accept kpServerAuth. 254 * 255 * when checking a received user certificate, it looks for 256 * kpClientAuth key usage. if allow_secondary_usage is 257 * non-zero, it will also accept id-ms-sc-logon EKU. 258 * 259 * this function must also assert that the digitalSignature 260 * key usage is consistent. 261 */ 262 krb5_error_code crypto_check_cert_eku 263 (krb5_context context, /* IN */ 264 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 265 pkinit_req_crypto_context req_cryptoctx, /* IN */ 266 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 267 int checking_kdc_cert, /* IN 268 specifies if the received certificate is 269 a KDC certificate (non-zero), 270 or a user certificate (zero) */ 271 int allow_secondary_usage, /* IN 272 specifies if the secondary key usage 273 should be accepted or not (see above) */ 274 int *eku_valid); /* OUT 275 receives non-zero if an acceptable EKU was found */ 276 277 /* 278 * this functions takes in generated DH secret key and converts 279 * it in to a kerberos session key. it takes into the account the 280 * enc type and then follows the procedure specified in the RFC p 22. 281 */ 282 krb5_error_code pkinit_octetstring2key 283 (krb5_context context, /* IN */ 284 krb5_enctype etype, /* IN 285 specifies the enc type */ 286 unsigned char *key, /* IN 287 contains the DH secret key */ 288 unsigned int key_len, /* IN 289 contains length of key */ 290 krb5_keyblock * krb5key); /* OUT 291 receives kerberos session key */ 292 293 /* 294 * this function implements clients first part of the DH protocol. 295 * client selects its DH parameters and pub key 296 */ 297 krb5_error_code client_create_dh 298 (krb5_context context, /* IN */ 299 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 300 pkinit_req_crypto_context req_cryptoctx, /* IN */ 301 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 302 int dh_size, /* IN 303 specifies the DH modulous, eg 1024, 2048, or 4096 */ 304 unsigned char **dh_paramas, /* OUT 305 contains DER encoded DH params */ 306 unsigned int *dh_params_len, /* OUT 307 contains length of dh_parmas */ 308 unsigned char **dh_pubkey, /* OUT 309 receives DER encoded DH pub key */ 310 unsigned int *dh_pubkey_len); /* OUT 311 receives length of dh_pubkey */ 312 313 /* 314 * this function completes client's the DH protocol. client 315 * processes received DH pub key from the KDC and computes 316 * the DH secret key 317 */ 318 krb5_error_code client_process_dh 319 (krb5_context context, /* IN */ 320 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 321 pkinit_req_crypto_context req_cryptoctx, /* IN */ 322 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 323 unsigned char *dh_pubkey, /* IN 324 contains client's DER encoded DH pub key */ 325 unsigned int dh_pubkey_len, /* IN 326 contains length of dh_pubkey */ 327 unsigned char **dh_session_key, /* OUT 328 receives DH secret key */ 329 unsigned int *dh_session_key_len); /* OUT 330 receives length of dh_session_key */ 331 332 /* 333 * this function implements the KDC first part of the DH protocol. 334 * it decodes the client's DH parameters and pub key and checks 335 * if they are acceptable. 336 */ 337 krb5_error_code server_check_dh 338 (krb5_context context, /* IN */ 339 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 340 pkinit_req_crypto_context req_cryptoctx, /* IN */ 341 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 342 krb5_octet_data *dh_params, /* IN 343 ???? */ 344 int minbits); /* IN 345 the mininum number of key bits acceptable */ 346 347 /* 348 * this function completes the KDC's DH protocol. The KDC generates 349 * its DH pub key and computes the DH secret key 350 */ 351 krb5_error_code server_process_dh 352 (krb5_context context, /* IN */ 353 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 354 pkinit_req_crypto_context req_cryptoctx, /* IN */ 355 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 356 unsigned char *received_pubkey, /* IN 357 contains client's DER encoded DH pub key */ 358 unsigned int received_pub_len, /* IN 359 contains length of received_pubkey */ 360 unsigned char **dh_pubkey, /* OUT 361 receives KDC's DER encoded DH pub key */ 362 unsigned int *dh_pubkey_len, /* OUT 363 receives length of dh_pubkey */ 364 unsigned char **server_key, /* OUT 365 receives DH secret key */ 366 unsigned int *server_key_len); /* OUT 367 receives length of server_key */ 368 369 /* 370 * this functions takes in crypto specific representation of 371 * supportedCMSTypes and creates a list of 372 * krb5_algorithm_identifier 373 */ 374 krb5_error_code create_krb5_supportedCMSTypes 375 (krb5_context context, /* IN */ 376 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 377 pkinit_req_crypto_context req_cryptoctx, /* IN */ 378 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 379 krb5_algorithm_identifier ***supportedCMSTypes); /* OUT */ 380 381 /* 382 * this functions takes in crypto specific representation of 383 * trustedCertifiers and creates a list of 384 * krb5_external_principal_identifier 385 */ 386 krb5_error_code create_krb5_trustedCertifiers 387 (krb5_context context, /* IN */ 388 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 389 pkinit_req_crypto_context req_cryptoctx, /* IN */ 390 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 391 krb5_external_principal_identifier ***trustedCertifiers); /* OUT */ 392 393 /* 394 * this functions takes in crypto specific representation of 395 * trustedCas (draft9) and creates a list of krb5_trusted_ca (draft9). 396 * draft9 trustedCAs is a CHOICE. we only support choices for 397 * [1] caName and [2] issuerAndSerial. there is no config 398 * option available to select the choice yet. default = 1. 399 */ 400 krb5_error_code create_krb5_trustedCas 401 (krb5_context context, /* IN */ 402 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 403 pkinit_req_crypto_context req_cryptoctx, /* IN */ 404 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 405 int flag, /* IN 406 specifies the tag of the CHOICE */ 407 krb5_trusted_ca ***trustedCas); /* OUT */ 408 409 /* 410 * this functions takes in crypto specific representation of the 411 * KDC's certificate and creates a DER encoded kdcPKId 412 */ 413 krb5_error_code create_issuerAndSerial 414 (krb5_context context, /* IN */ 415 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 416 pkinit_req_crypto_context req_cryptoctx, /* IN */ 417 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 418 unsigned char **kdcId_buf, /* OUT 419 receives DER encoded kdcPKId */ 420 unsigned int *kdcId_len); /* OUT 421 receives length of encoded kdcPKId */ 422 423 /* 424 * process the values from idopts and obtain the cert(s) 425 * specified by those options, populating the id_cryptoctx. 426 */ 427 krb5_error_code crypto_load_certs 428 (krb5_context context, /* IN */ 429 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 430 pkinit_req_crypto_context req_cryptoctx, /* IN */ 431 pkinit_identity_opts *idopts, /* IN */ 432 pkinit_identity_crypto_context id_cryptoctx, /* IN/OUT */ 433 krb5_principal princ, /* IN */ 434 int do_matching); /* IN */ 435 436 /* 437 * Free up information held from crypto_load_certs() 438 */ 439 krb5_error_code crypto_free_cert_info 440 (krb5_context context, 441 pkinit_plg_crypto_context plg_cryptoctx, 442 pkinit_req_crypto_context req_cryptoctx, 443 pkinit_identity_crypto_context id_cryptoctx); 444 445 446 /* 447 * Get number of certificates available after crypto_load_certs() 448 */ 449 krb5_error_code crypto_cert_get_count 450 (krb5_context context, /* IN */ 451 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 452 pkinit_req_crypto_context req_cryptoctx, /* IN */ 453 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 454 int *cert_count); /* OUT */ 455 456 /* 457 * Begin iteration over the certs loaded in crypto_load_certs() 458 */ 459 krb5_error_code crypto_cert_iteration_begin 460 (krb5_context context, /* IN */ 461 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 462 pkinit_req_crypto_context req_cryptoctx, /* IN */ 463 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 464 pkinit_cert_iter_handle *iter_handle); /* OUT */ 465 466 /* 467 * End iteration over the certs loaded in crypto_load_certs() 468 */ 469 krb5_error_code crypto_cert_iteration_end 470 (krb5_context context, /* IN */ 471 pkinit_cert_iter_handle iter_handle); /* IN */ 472 473 /* 474 * Get next certificate handle 475 */ 476 krb5_error_code crypto_cert_iteration_next 477 (krb5_context context, /* IN */ 478 pkinit_cert_iter_handle iter_handle, /* IN */ 479 pkinit_cert_handle *cert_handle); /* OUT */ 480 481 /* 482 * Release cert handle 483 */ 484 krb5_error_code crypto_cert_release 485 (krb5_context context, /* IN */ 486 pkinit_cert_handle cert_handle); /* IN */ 487 488 /* 489 * Get certificate matching information 490 */ 491 krb5_error_code crypto_cert_get_matching_data 492 (krb5_context context, /* IN */ 493 pkinit_cert_handle cert_handle, /* IN */ 494 pkinit_cert_matching_data **ret_data); /* OUT */ 495 496 /* 497 * Free certificate information 498 */ 499 krb5_error_code crypto_cert_free_matching_data 500 (krb5_context context, /* IN */ 501 pkinit_cert_matching_data *data); /* IN */ 502 503 /* 504 * Make the given certificate "the chosen one" 505 */ 506 krb5_error_code crypto_cert_select 507 (krb5_context context, /* IN */ 508 pkinit_cert_matching_data *data); /* IN */ 509 510 /* 511 * Select the default certificate as "the chosen one" 512 */ 513 krb5_error_code crypto_cert_select_default 514 (krb5_context context, /* IN */ 515 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 516 pkinit_req_crypto_context req_cryptoctx, /* IN */ 517 pkinit_identity_crypto_context id_cryptoctx); /* IN */ 518 519 /* 520 * process the values from idopts and obtain the anchor or 521 * intermediate certificates, or crls specified by idtype, 522 * catype, and id 523 */ 524 krb5_error_code crypto_load_cas_and_crls 525 (krb5_context context, /* IN */ 526 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 527 pkinit_req_crypto_context req_cryptoctx, /* IN */ 528 pkinit_identity_opts *idopts, /* IN */ 529 pkinit_identity_crypto_context id_cryptoctx, /* IN/OUT */ 530 int idtype, /* IN 531 defines the storage type (file, directory, etc) */ 532 int catype, /* IN 533 defines the ca type (anchor, intermediate, crls) */ 534 char *id); /* IN 535 defines the location (filename, directory name, etc) */ 536 537 /* 538 * on the client, obtain the kdc's certificate to include 539 * in a request 540 */ 541 krb5_error_code pkinit_get_kdc_cert 542 (krb5_context context, /* IN */ 543 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 544 pkinit_req_crypto_context req_cryptoctx, /* IN */ 545 pkinit_identity_crypto_context id_cryptoctx, /* IN/OUT */ 546 krb5_principal princ); /* IN */ 547 548 /* 549 * this function creates edata that contains TD-DH-PARAMETERS 550 */ 551 krb5_error_code pkinit_create_td_dh_parameters 552 (krb5_context context, /* IN */ 553 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 554 pkinit_req_crypto_context req_cryptoctx, /* IN */ 555 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 556 pkinit_plg_opts *opts, /* IN */ 557 krb5_data **edata); /* OUT */ 558 559 /* 560 * this function processes edata that contains TD-DH-PARAMETERS. 561 * the client processes the received acceptable by KDC DH 562 * parameters and picks the first acceptable to it. it matches 563 * them against the known DH parameters. 564 */ 565 krb5_error_code pkinit_process_td_dh_params 566 (krb5_context context, /* IN */ 567 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 568 pkinit_req_crypto_context req_cryptoctx, /* IN */ 569 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 570 krb5_algorithm_identifier **algId, /* IN */ 571 int *new_dh_size); /* OUT 572 receives the new DH modulus to use in the new AS-REQ */ 573 574 /* 575 * this function creates edata that contains TD-INVALID-CERTIFICATES 576 */ 577 krb5_error_code pkinit_create_td_invalid_certificate 578 (krb5_context context, /* IN */ 579 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 580 pkinit_req_crypto_context req_cryptoctx, /* IN */ 581 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 582 krb5_data **edata); /* OUT */ 583 584 /* 585 * this function creates edata that contains TD-TRUSTED-CERTIFIERS 586 */ 587 krb5_error_code pkinit_create_td_trusted_certifiers 588 (krb5_context context, /* IN */ 589 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 590 pkinit_req_crypto_context req_cryptoctx, /* IN */ 591 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 592 krb5_data **edata); /* OUT */ 593 594 /* 595 * this function processes edata that contains either 596 * TD-TRUSTED-CERTIFICATES or TD-INVALID-CERTIFICATES. 597 * current implementation only decodes the received message 598 * but does not act on it 599 */ 600 krb5_error_code pkinit_process_td_trusted_certifiers 601 (krb5_context context, /* IN */ 602 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 603 pkinit_req_crypto_context req_cryptoctx, /* IN */ 604 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 605 krb5_external_principal_identifier **trustedCertifiers, /* IN */ 606 int td_type); /* IN */ 607 608 /* 609 * this function checks if the received kdcPKId matches 610 * the KDC's certificate 611 */ 612 krb5_error_code pkinit_check_kdc_pkid 613 (krb5_context context, /* IN */ 614 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 615 pkinit_req_crypto_context req_cryptoctx, /* IN */ 616 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 617 unsigned char *pdid_buf, /* IN 618 contains DER encoded kdcPKId */ 619 unsigned int pkid_len, /* IN 620 contains length of pdid_buf */ 621 int *valid_kdcPkId); /* OUT 622 1 if kdcPKId matches, otherwise 0 */ 623 624 krb5_error_code pkinit_identity_set_prompter 625 (pkinit_identity_crypto_context id_cryptoctx, /* IN */ 626 krb5_prompter_fct prompter, /* IN */ 627 void *prompter_data); /* IN */ 628 629 #endif /* _PKINIT_CRYPTO_H */ 630