1 /* 2 * COPYRIGHT (C) 2007 3 * THE REGENTS OF THE UNIVERSITY OF MICHIGAN 4 * ALL RIGHTS RESERVED 5 * 6 * Permission is granted to use, copy, create derivative works 7 * and redistribute this software and such derivative works 8 * for any purpose, so long as the name of The University of 9 * Michigan is not used in any advertising or publicity 10 * pertaining to the use of distribution of this software 11 * without specific, written prior authorization. If the 12 * above copyright notice or any other identification of the 13 * University of Michigan is included in any copy of any 14 * portion of this software, then the disclaimer below must 15 * also be included. 16 * 17 * THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION 18 * FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY 19 * PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF 20 * MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING 21 * WITHOUT LIMITATION THE IMPLIED WARRANTIES OF 22 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE 23 * REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE 24 * FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR 25 * CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING 26 * OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN 27 * IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF 28 * SUCH DAMAGES. 29 */ 30 31 /* 32 * This header defines the cryptographic interface 33 */ 34 35 #ifndef _PKINIT_CRYPTO_H 36 #define _PKINIT_CRYPTO_H 37 38 #include <krb5/krb5.h> 39 #include <krb5/preauth_plugin.h> 40 #include <k5-int-pkinit.h> 41 #include <profile.h> 42 #include "pkinit_accessor.h" 43 44 /* 45 * these describe the CMS message types 46 */ 47 enum cms_msg_types { 48 CMS_SIGN_CLIENT, 49 CMS_SIGN_SERVER, 50 CMS_ENVEL_SERVER 51 }; 52 53 /* 54 * storage types for identity information 55 */ 56 #define IDTYPE_FILE 1 57 #define IDTYPE_DIR 2 58 #define IDTYPE_PKCS11 3 59 #define IDTYPE_ENVVAR 4 60 #define IDTYPE_PKCS12 5 61 62 /* 63 * ca/crl types 64 */ 65 #define CATYPE_ANCHORS 1 66 #define CATYPE_INTERMEDIATES 2 67 #define CATYPE_CRLS 3 68 69 /* 70 * The following represent Key Usage values that we 71 * may care about in a certificate 72 */ 73 #define PKINIT_KU_DIGITALSIGNATURE 0x80000000 74 #define PKINIT_KU_KEYENCIPHERMENT 0x40000000 75 76 /* 77 * The following represent Extended Key Usage oid values 78 * that we may care about in a certificate 79 */ 80 #define PKINIT_EKU_PKINIT 0x80000000 81 #define PKINIT_EKU_MSSCLOGIN 0x40000000 82 #define PKINIT_EKU_CLIENTAUTH 0x20000000 83 #define PKINIT_EKU_EMAILPROTECTION 0x10000000 84 85 86 /* Handle to cert, opaque above crypto interface */ 87 typedef struct _pkinit_cert_info *pkinit_cert_handle; 88 89 /* Handle to cert iteration information, opaque above crypto interface */ 90 typedef struct _pkinit_cert_iter_info *pkinit_cert_iter_handle; 91 92 #define PKINIT_ITER_NO_MORE 0x11111111 /* XXX */ 93 94 typedef struct _pkinit_cert_matching_data { 95 char *subject_dn; /* rfc2253-style subject name string */ 96 char *issuer_dn; /* rfc2253-style issuer name string */ 97 unsigned int ku_bits; /* key usage information */ 98 unsigned int eku_bits; /* extended key usage information */ 99 krb5_principal *sans; /* Null-terminated array of PKINIT SANs */ 100 char **upns; /* Null-terimnated array of UPN SANs */ 101 } pkinit_cert_matching_data; 102 103 /* 104 * Functions to initialize and cleanup crypto contexts 105 */ 106 krb5_error_code pkinit_init_plg_crypto(krb5_context, 107 pkinit_plg_crypto_context *); 108 void pkinit_fini_plg_crypto(pkinit_plg_crypto_context); 109 110 krb5_error_code pkinit_init_req_crypto(pkinit_req_crypto_context *); 111 void pkinit_fini_req_crypto(pkinit_req_crypto_context); 112 113 krb5_error_code pkinit_init_identity_crypto(pkinit_identity_crypto_context *); 114 void pkinit_fini_identity_crypto(pkinit_identity_crypto_context); 115 /**Create a pkinit ContentInfo*/ 116 krb5_error_code cms_contentinfo_create 117 (krb5_context context, /* IN */ 118 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 119 pkinit_req_crypto_context req_cryptoctx, /* IN */ 120 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 121 int cms_msg_type, 122 unsigned char *in_data, unsigned int in_length, 123 unsigned char **out_data, unsigned int *out_data_len); 124 125 /* 126 * this function creates a CMS message where eContentType is SignedData 127 */ 128 krb5_error_code cms_signeddata_create 129 (krb5_context context, /* IN */ 130 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 131 pkinit_req_crypto_context req_cryptoctx, /* IN */ 132 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 133 int cms_msg_type, /* IN 134 specifies CMS_SIGN_CLIENT for client-side CMS message 135 and CMS_SIGN_SERVER for kdc-side */ 136 unsigned char *auth_pack, /* IN 137 contains DER encoded AuthPack (CMS_SIGN_CLIENT) 138 or DER encoded DHRepInfo (CMS_SIGN_SERVER) */ 139 unsigned int auth_pack_len, /* IN 140 contains length of auth_pack */ 141 unsigned char **signed_data, /* OUT 142 for CMS_SIGN_CLIENT receives DER encoded 143 SignedAuthPack (CMS_SIGN_CLIENT) or DER 144 encoded DHInfo (CMS_SIGN_SERVER) */ 145 unsigned int *signed_data_len); /* OUT 146 receives length of signed_data */ 147 148 /* 149 * this function verifies a CMS message where eContentType is SignedData 150 */ 151 krb5_error_code cms_signeddata_verify 152 (krb5_context context, /* IN */ 153 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 154 pkinit_req_crypto_context req_cryptoctx, /* IN */ 155 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 156 int cms_msg_type, /* IN 157 specifies CMS_SIGN_CLIENT for client-side 158 CMS message and CMS_SIGN_SERVER for kdc-side */ 159 int require_crl_checking, /* IN 160 specifies whether CRL checking should be 161 strictly enforced, i.e. if no CRLs available 162 for the CA then fail verification. 163 note, if the value is 0, crls are still 164 checked if present */ 165 unsigned char *signed_data, /* IN 166 contains DER encoded SignedAuthPack (CMS_SIGN_CLIENT) 167 or DER encoded DHInfo (CMS_SIGN_SERVER) */ 168 unsigned int signed_data_len, /* IN 169 contains length of signed_data*/ 170 unsigned char **auth_pack, /* OUT 171 receives DER encoded AuthPack (CMS_SIGN_CLIENT) 172 or DER encoded DHRepInfo (CMS_SIGN_SERVER)*/ 173 unsigned int *auth_pack_len, /* OUT 174 receives length of auth_pack */ 175 unsigned char **authz_data, /* OUT 176 receives required authorization data that 177 contains the verified certificate chain 178 (only used by the KDC) */ 179 unsigned int *authz_data_len, /* OUT 180 receives length of authz_data */ 181 int *is_signed); /* OUT 182 receives whether message is signed */ 183 184 /* 185 * This function retrieves the signer's identity, in a form that could 186 * be passed back in to a future invocation of this module as a candidate 187 * client identity location. 188 */ 189 krb5_error_code crypto_retrieve_signer_identity 190 (krb5_context context, /* IN */ 191 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 192 const char **identity); /* OUT */ 193 194 /* 195 * this function returns SAN information found in the 196 * received certificate. at least one of pkinit_sans, 197 * upn_sans, or kdc_hostnames must be non-NULL. 198 */ 199 krb5_error_code crypto_retrieve_cert_sans 200 (krb5_context context, /* IN */ 201 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 202 pkinit_req_crypto_context req_cryptoctx, /* IN */ 203 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 204 krb5_principal **pkinit_sans, /* OUT 205 if non-NULL, a null-terminated array of 206 id-pkinit-san values found in the certificate 207 are returned */ 208 char ***upn_sans, /* OUT 209 if non-NULL, a null-terminated array of 210 id-ms-upn-san values found in the certificate 211 are returned */ 212 unsigned char ***kdc_hostname); /* OUT 213 if non-NULL, a null-terminated array of 214 dNSName (hostname) SAN values found in the 215 certificate are returned */ 216 217 /* 218 * this function checks for acceptable key usage values 219 * in the received certificate. 220 * 221 * when checking a received kdc certificate, it looks for 222 * the kpKdc key usage. if allow_secondary_usage is 223 * non-zero, it will also accept kpServerAuth. 224 * 225 * when checking a received user certificate, it looks for 226 * kpClientAuth key usage. if allow_secondary_usage is 227 * non-zero, it will also accept id-ms-sc-logon EKU. 228 * 229 * this function must also assert that the digitalSignature 230 * key usage is consistent. 231 */ 232 krb5_error_code crypto_check_cert_eku 233 (krb5_context context, /* IN */ 234 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 235 pkinit_req_crypto_context req_cryptoctx, /* IN */ 236 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 237 int checking_kdc_cert, /* IN 238 specifies if the received certificate is 239 a KDC certificate (non-zero), 240 or a user certificate (zero) */ 241 int allow_secondary_usage, /* IN 242 specifies if the secondary key usage 243 should be accepted or not (see above) */ 244 int *eku_valid); /* OUT 245 receives non-zero if an acceptable EKU was found */ 246 247 /* 248 * this function implements clients first part of the DH protocol. 249 * client selects its DH parameters and pub key 250 */ 251 krb5_error_code client_create_dh 252 (krb5_context context, /* IN */ 253 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 254 pkinit_req_crypto_context req_cryptoctx, /* IN */ 255 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 256 int dh_size, /* IN 257 specifies the DH modulous, eg 1024, 2048, or 4096 */ 258 krb5_data *spki_out); /* OUT 259 receives SubjectPublicKeyInfo encoding */ 260 261 /* 262 * this function completes client's the DH protocol. client 263 * processes received DH pub key from the KDC and computes 264 * the DH secret key 265 */ 266 krb5_error_code client_process_dh 267 (krb5_context context, /* IN */ 268 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 269 pkinit_req_crypto_context req_cryptoctx, /* IN */ 270 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 271 unsigned char *dh_pubkey, /* IN 272 contains client's DER encoded DH pub key */ 273 unsigned int dh_pubkey_len, /* IN 274 contains length of dh_pubkey */ 275 unsigned char **client_key_out, /* OUT 276 receives DH secret key */ 277 unsigned int *client_key_len_out); /* OUT 278 receives length of DH secret key */ 279 280 /* 281 * this function implements the KDC first part of the DH protocol. 282 * it decodes the client's DH parameters and pub key and checks 283 * if they are acceptable. 284 */ 285 krb5_error_code server_check_dh 286 (krb5_context context, /* IN */ 287 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 288 pkinit_req_crypto_context req_cryptoctx, /* IN */ 289 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 290 const krb5_data *client_spki, /* IN 291 SubjectPublicKeyInfo encoding from client */ 292 int minbits); /* IN 293 the minimum number of key bits acceptable */ 294 295 /* 296 * this function completes the KDC's DH protocol. The KDC generates 297 * its DH pub key and computes the DH secret key 298 */ 299 krb5_error_code server_process_dh 300 (krb5_context context, /* IN */ 301 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 302 pkinit_req_crypto_context req_cryptoctx, /* IN */ 303 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 304 unsigned char **dh_pubkey_out, /* OUT 305 receives KDC's DER encoded DH pub key */ 306 unsigned int *dh_pubkey_len_out, /* OUT 307 receives length of dh_pubkey */ 308 unsigned char **server_key_out, /* OUT 309 receives DH secret key */ 310 unsigned int *server_key_len_out); /* OUT 311 receives length of DH secret key */ 312 313 /* 314 * this functions takes in crypto specific representation of 315 * supportedCMSTypes and creates a list of 316 * krb5_algorithm_identifier 317 */ 318 krb5_error_code create_krb5_supportedCMSTypes 319 (krb5_context context, /* IN */ 320 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 321 pkinit_req_crypto_context req_cryptoctx, /* IN */ 322 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 323 krb5_algorithm_identifier ***supportedCMSTypes); /* OUT */ 324 325 /* 326 * this functions takes in crypto specific representation of 327 * trustedCertifiers and creates a list of 328 * krb5_external_principal_identifier 329 */ 330 krb5_error_code create_krb5_trustedCertifiers 331 (krb5_context context, /* IN */ 332 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 333 pkinit_req_crypto_context req_cryptoctx, /* IN */ 334 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 335 krb5_external_principal_identifier ***trustedCertifiers); /* OUT */ 336 337 /* 338 * this functions takes in crypto specific representation of the 339 * KDC's certificate and creates a DER encoded kdcPKId 340 */ 341 krb5_error_code create_issuerAndSerial 342 (krb5_context context, /* IN */ 343 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 344 pkinit_req_crypto_context req_cryptoctx, /* IN */ 345 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 346 unsigned char **kdcId_buf, /* OUT 347 receives DER encoded kdcPKId */ 348 unsigned int *kdcId_len); /* OUT 349 receives length of encoded kdcPKId */ 350 351 /* 352 * These functions manipulate the deferred-identities list in the identity 353 * context, which is opaque outside of the crypto-specific bits. 354 */ 355 const pkinit_deferred_id * crypto_get_deferred_ids 356 (krb5_context context, pkinit_identity_crypto_context id_cryptoctx); 357 krb5_error_code crypto_set_deferred_id 358 (krb5_context context, 359 pkinit_identity_crypto_context id_cryptoctx, 360 const char *identity, const char *password); 361 362 /* 363 * process the values from idopts and obtain the cert(s) 364 * specified by those options, populating the id_cryptoctx. 365 */ 366 krb5_error_code crypto_load_certs 367 (krb5_context context, /* IN */ 368 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 369 pkinit_req_crypto_context req_cryptoctx, /* IN */ 370 pkinit_identity_opts *idopts, /* IN */ 371 pkinit_identity_crypto_context id_cryptoctx, /* IN/OUT */ 372 krb5_principal princ, /* IN */ 373 krb5_boolean defer_id_prompts); /* IN */ 374 375 /* 376 * Free up information held from crypto_load_certs() 377 */ 378 krb5_error_code crypto_free_cert_info 379 (krb5_context context, 380 pkinit_plg_crypto_context plg_cryptoctx, 381 pkinit_req_crypto_context req_cryptoctx, 382 pkinit_identity_crypto_context id_cryptoctx); 383 384 385 /* 386 * Get a null-terminated list of certificate matching data objects for the 387 * certificates loaded in id_cryptoctx. 388 */ 389 krb5_error_code 390 crypto_cert_get_matching_data(krb5_context context, 391 pkinit_plg_crypto_context plg_cryptoctx, 392 pkinit_req_crypto_context req_cryptoctx, 393 pkinit_identity_crypto_context id_cryptoctx, 394 pkinit_cert_matching_data ***md_out); 395 396 /* 397 * Free a matching data object. 398 */ 399 void 400 crypto_cert_free_matching_data(krb5_context context, 401 pkinit_cert_matching_data *md); 402 403 /* 404 * Free a list of matching data objects. 405 */ 406 void 407 crypto_cert_free_matching_data_list(krb5_context context, 408 pkinit_cert_matching_data **matchdata); 409 410 /* 411 * Choose one of the certificates loaded in idctx to use for PKINIT client 412 * operations. cred_index must be an index into the array of matching objects 413 * returned by crypto_cert_get_matching_data(). 414 */ 415 krb5_error_code 416 crypto_cert_select(krb5_context context, pkinit_identity_crypto_context idctx, 417 size_t cred_index); 418 419 /* 420 * Select the default certificate as "the chosen one" 421 */ 422 krb5_error_code crypto_cert_select_default 423 (krb5_context context, /* IN */ 424 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 425 pkinit_req_crypto_context req_cryptoctx, /* IN */ 426 pkinit_identity_crypto_context id_cryptoctx); /* IN */ 427 428 /* 429 * process the values from idopts and obtain the anchor or 430 * intermediate certificates, or crls specified by idtype, 431 * catype, and id 432 */ 433 krb5_error_code crypto_load_cas_and_crls 434 (krb5_context context, /* IN */ 435 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 436 pkinit_req_crypto_context req_cryptoctx, /* IN */ 437 pkinit_identity_opts *idopts, /* IN */ 438 pkinit_identity_crypto_context id_cryptoctx, /* IN/OUT */ 439 int idtype, /* IN 440 defines the storage type (file, directory, etc) */ 441 int catype, /* IN 442 defines the ca type (anchor, intermediate, crls) */ 443 char *id); /* IN 444 defines the location (filename, directory name, etc) */ 445 446 /* 447 * on the client, obtain the kdc's certificate to include 448 * in a request 449 */ 450 krb5_error_code pkinit_get_kdc_cert 451 (krb5_context context, /* IN */ 452 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 453 pkinit_req_crypto_context req_cryptoctx, /* IN */ 454 pkinit_identity_crypto_context id_cryptoctx, /* IN/OUT */ 455 krb5_principal princ); /* IN */ 456 457 /* 458 * this function creates edata that contains TD-DH-PARAMETERS 459 */ 460 krb5_error_code pkinit_create_td_dh_parameters 461 (krb5_context context, /* IN */ 462 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 463 pkinit_req_crypto_context req_cryptoctx, /* IN */ 464 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 465 pkinit_plg_opts *opts, /* IN */ 466 krb5_pa_data ***e_data_out); /* OUT */ 467 468 /* 469 * this function processes edata that contains TD-DH-PARAMETERS. 470 * the client processes the received acceptable by KDC DH 471 * parameters and picks the first acceptable to it. it matches 472 * them against the known DH parameters. 473 */ 474 krb5_error_code pkinit_process_td_dh_params 475 (krb5_context context, /* IN */ 476 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 477 pkinit_req_crypto_context req_cryptoctx, /* IN */ 478 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 479 krb5_algorithm_identifier **algId, /* IN */ 480 int *new_dh_size); /* OUT 481 receives the new DH modulus to use in the new AS-REQ */ 482 483 /* 484 * this function creates edata that contains TD-INVALID-CERTIFICATES 485 */ 486 krb5_error_code pkinit_create_td_invalid_certificate 487 (krb5_context context, /* IN */ 488 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 489 pkinit_req_crypto_context req_cryptoctx, /* IN */ 490 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 491 krb5_pa_data ***e_data_out); /* OUT */ 492 493 /* 494 * this function creates edata that contains TD-TRUSTED-CERTIFIERS 495 */ 496 krb5_error_code pkinit_create_td_trusted_certifiers 497 (krb5_context context, /* IN */ 498 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 499 pkinit_req_crypto_context req_cryptoctx, /* IN */ 500 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 501 krb5_pa_data ***e_data_out); /* OUT */ 502 503 /* 504 * this function processes edata that contains either 505 * TD-TRUSTED-CERTIFICATES or TD-INVALID-CERTIFICATES. 506 * current implementation only decodes the received message 507 * but does not act on it 508 */ 509 krb5_error_code pkinit_process_td_trusted_certifiers 510 (krb5_context context, /* IN */ 511 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 512 pkinit_req_crypto_context req_cryptoctx, /* IN */ 513 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 514 krb5_external_principal_identifier **trustedCertifiers, /* IN */ 515 int td_type); /* IN */ 516 517 /* 518 * this function checks if the received kdcPKId matches 519 * the KDC's certificate 520 */ 521 krb5_error_code pkinit_check_kdc_pkid 522 (krb5_context context, /* IN */ 523 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 524 pkinit_req_crypto_context req_cryptoctx, /* IN */ 525 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 526 unsigned char *pdid_buf, /* IN 527 contains DER encoded kdcPKId */ 528 unsigned int pkid_len, /* IN 529 contains length of pdid_buf */ 530 int *valid_kdcPkId); /* OUT 531 1 if kdcPKId matches, otherwise 0 */ 532 533 krb5_error_code pkinit_identity_set_prompter 534 (pkinit_identity_crypto_context id_cryptoctx, /* IN */ 535 krb5_prompter_fct prompter, /* IN */ 536 void *prompter_data); /* IN */ 537 538 krb5_error_code 539 pkinit_kdf(krb5_context context, krb5_data *secret, const krb5_data *alg_oid, 540 krb5_const_principal party_u_info, 541 krb5_const_principal party_v_info, krb5_enctype enctype, 542 const krb5_data *as_req, const krb5_data *pk_as_rep, 543 krb5_keyblock *key_block); 544 545 extern const krb5_data kdf_sha1_id; 546 extern const krb5_data kdf_sha256_id; 547 extern const krb5_data kdf_sha512_id; 548 extern const krb5_data cms_sha1_id; 549 extern const krb5_data cms_sha256_id; 550 extern const krb5_data cms_sha384_id; 551 extern const krb5_data cms_sha512_id; 552 extern const krb5_data oakley_1024; 553 extern const krb5_data oakley_2048; 554 extern const krb5_data oakley_4096; 555 extern const krb5_data ec_p256; 556 extern const krb5_data ec_p384; 557 extern const krb5_data ec_p521; 558 extern const krb5_data dh_oid; 559 extern const krb5_data ec_oid; 560 561 /** 562 * An ordered set of OIDs, stored as krb5_data, of KDF algorithms 563 * supported by this implementation. The order of this array controls 564 * the order in which the server will pick. 565 */ 566 extern krb5_data const * const supported_kdf_alg_ids[]; 567 568 /* CMS signature algorithms supported by this implementation, in order of 569 * decreasing preference. */ 570 extern krb5_data const * const supported_cms_algs[]; 571 572 krb5_error_code 573 crypto_encode_der_cert(krb5_context context, pkinit_req_crypto_context reqctx, 574 uint8_t **der_out, size_t *der_len); 575 576 krb5_error_code 577 crypto_req_cert_matching_data(krb5_context context, 578 pkinit_plg_crypto_context plgctx, 579 pkinit_req_crypto_context reqctx, 580 pkinit_cert_matching_data **md_out); 581 582 int parse_dh_min_bits(krb5_context context, const char *str); 583 584 /* Generate a SHA-1 checksum over body in *cksum1_out and a SHA-256 checksum 585 * over body in *cksum2_out with appropriate metadata. */ 586 krb5_error_code 587 crypto_generate_checksums(krb5_context context, const krb5_data *body, 588 krb5_data *cksum1_out, 589 krb5_pachecksum2 **cksum2_out); 590 591 /* Verify the SHA-1 checksum in cksum1 and the tagged checksum in cksum2. 592 * cksum2 may be NULL, in which case only cksum1 is verified. */ 593 krb5_error_code 594 crypto_verify_checksums(krb5_context context, krb5_data *body, 595 const krb5_data *cksum1, 596 const krb5_pachecksum2 *cksum2); 597 598 #endif /* _PKINIT_CRYPTO_H */ 599