/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
 * COPYRIGHT (C) 2006
 * THE REGENTS OF THE UNIVERSITY OF MICHIGAN
 * ALL RIGHTS RESERVED
 *
 * Permission is granted to use, copy, create derivative works
 * and redistribute this software and such derivative works
 * for any purpose, so long as the name of The University of
 * Michigan is not used in any advertising or publicity
 * pertaining to the use of distribution of this software
 * without specific, written prior authorization. If the
 * above copyright notice or any other identification of the
 * University of Michigan is included in any copy of any
 * portion of this software, then the disclaimer below must
 * also be included.
 *
 * THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION
 * FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY
 * PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF
 * MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING
 * WITHOUT LIMITATION THE IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE
 * REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE
 * FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR
 * CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING
 * OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN
 * IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGES.
 */

/*
 * Internal PKINIT header: C mirrors of the RFC 4556 ASN.1 types exchanged
 * in PA-PK-AS-REQ / PA-PK-AS-REP, plus the prototypes of their DER
 * encode/decode routines and two helpers.
 *
 * This header has no #include of its own: every krb5_* type used below
 * (krb5_data, krb5_int32, krb5_timestamp, krb5_keyblock, krb5_checksum,
 * krb5_principal, krb5_enctype, krb5_error_code, krb5_context,
 * krb5_keyusage, krb5_enc_data, krb5_principal_data) must already be in
 * scope in the including translation unit (presumably via the library's
 * internal header -- confirm).
 *
 * NOTE(review): the guard macro and the struct tags below begin with an
 * underscore, which C reserves for the implementation at file scope.
 * Left as-is here since renaming would touch every user of the tags.
 */

#ifndef _KRB5_INT_PKINIT_H
#define _KRB5_INT_PKINIT_H

/*
 * pkinit structures
 *
 * Field comments marked "Optional" mirror OPTIONAL members of the ASN.1
 * type.  For pointer-typed members the natural "absent" encoding is NULL
 * and callers should test for it before dereferencing; the exact
 * convention is set by the decoders, which are not defined in this
 * header -- confirm against them before relying on it.
 */

/* AlgorithmIdentifier */
typedef struct _krb5_algorithm_identifier {
    krb5_data algorithm;            /* OID */
    krb5_data parameters;           /* Optional */
} krb5_algorithm_identifier;

/* PAChecksum2 */
typedef struct _krb5_pachecksum2 {
    krb5_data checksum;
    krb5_algorithm_identifier algorithmIdentifier;
} krb5_pachecksum2;

/* PKAuthenticator */
typedef struct _krb5_pk_authenticator {
    krb5_int32 cusec;               /* (0..999999) */
    krb5_timestamp ctime;
    /*
     * (0..4294967295) per the ASN.1 range, but the C type is a signed
     * 32-bit integer.  NOTE(review): values above INT32_MAX only round-trip
     * if the encoder/decoder treat the bits as unsigned -- verify there.
     */
    krb5_int32 nonce;
    krb5_data paChecksum;
    krb5_data *freshnessToken;      /* Optional */
    krb5_pachecksum2 *paChecksum2;  /* Optional */
} krb5_pk_authenticator;

/** AuthPack from RFC 4556*/
typedef struct _krb5_auth_pack {
    krb5_pk_authenticator pkAuthenticator;
    krb5_data clientPublicValue;    /* Optional */
    /*
     * Array of pointers.  Its terminator convention (presumably a NULL
     * entry) is not declared here -- confirm against the codec.
     */
    krb5_algorithm_identifier **supportedCMSTypes; /* Optional */
    krb5_data clientDHNonce;        /* Optional */
    krb5_data **supportedKDFs;      /* OIDs of KDFs; OPTIONAL */
} krb5_auth_pack;

/* ExternalPrincipalIdentifier */
typedef struct _krb5_external_principal_identifier {
    krb5_data subjectName;          /* Optional */
    krb5_data issuerAndSerialNumber; /* Optional */
    krb5_data subjectKeyIdentifier; /* Optional */
} krb5_external_principal_identifier;

/* PA-PK-AS-REQ (rfc4556 -- PA TYPE 16) */
typedef struct _krb5_pa_pk_as_req {
    krb5_data signedAuthPack;
    krb5_external_principal_identifier **trustedCertifiers; /* Optional array */
    krb5_data kdcPkId;              /* Optional */
} krb5_pa_pk_as_req;

/** Pkinit DHRepInfo */
typedef struct _krb5_dh_rep_info {
    krb5_data dhSignedData;
    krb5_data serverDHNonce;        /* Optional */
    krb5_data *kdfID;               /* OID of selected KDF OPTIONAL */
} krb5_dh_rep_info;

/* KDCDHKeyInfo */
typedef struct _krb5_kdc_dh_key_info {
    krb5_data subjectPublicKey;     /* BIT STRING */
    krb5_int32 nonce;               /* (0..4294967295) -- same signedness caveat as PKAuthenticator.nonce */
    /*
     * Optional in the ASN.1, but held by value here, so "absent" must be
     * represented in-band (presumably 0) -- verify against the decoder
     * before treating any value as a real expiration.
     */
    krb5_timestamp dhKeyExpiration; /* Optional */
} krb5_kdc_dh_key_info;

/* ReplyKeyPack */
typedef struct _krb5_reply_key_pack {
    krb5_keyblock replyKey;
    krb5_checksum asChecksum;
} krb5_reply_key_pack;

/*
 * PA-PK-AS-REP (rfc4556 -- PA TYPE 17)
 *
 * Tagged union: `choice` selects which member of `u` is valid.  A value
 * of choice_pa_pk_as_rep_UNKNOWN (-1) means neither member is valid and
 * `u` must not be read; callers should treat it as a decode failure.
 */
typedef struct _krb5_pa_pk_as_rep {
    enum krb5_pa_pk_as_rep_selection {
        choice_pa_pk_as_rep_UNKNOWN = -1,
        choice_pa_pk_as_rep_dhInfo = 0,
        choice_pa_pk_as_rep_encKeyPack = 1
    } choice;
    union krb5_pa_pk_as_rep_choices {
        krb5_dh_rep_info dh_Info;
        krb5_data encKeyPack;
    } u;
} krb5_pa_pk_as_rep;

/* SP80056A OtherInfo, for pkinit algorithm agility */
typedef struct _krb5_sp80056a_other_info {
    krb5_algorithm_identifier algorithm_identifier;
    krb5_principal party_u_info;
    krb5_principal party_v_info;
    krb5_data supp_pub_info;        /* DER of krb5_pkinit_supp_pub_info, presumably -- confirm in the encoder */
} krb5_sp80056a_other_info;

/* PkinitSuppPubInfo, for pkinit algorithm agility */
typedef struct _krb5_pkinit_supp_pub_info {
    krb5_enctype enctype;
    krb5_data as_req;
    krb5_data pk_as_rep;
} krb5_pkinit_supp_pub_info;

/*
 * Begin "asn1.h"
 */

/*************************************************************************
 * Prototypes for pkinit asn.1 encode routines
 *
 * Each encoder takes a fully populated structure and produces its DER
 * encoding through the `code` out-parameter.  The double pointer
 * indicates the encoder allocates *code; the matching free routine is
 * not declared in this header (ownership: caller -- confirm).
 * Return is a krb5_error_code, 0 on success.
 *
 * NOTE(review): the encoders name their input `rep` even for request
 * types (encode_krb5_pa_pk_as_req, encode_krb5_auth_pack, ...).  Purely
 * cosmetic, but misleading when reading call sites.
 *************************************************************************/

krb5_error_code
encode_krb5_pa_pk_as_req(const krb5_pa_pk_as_req *rep, krb5_data **code);

krb5_error_code
encode_krb5_pa_pk_as_rep(const krb5_pa_pk_as_rep *rep, krb5_data **code);

krb5_error_code
encode_krb5_auth_pack(const krb5_auth_pack *rep, krb5_data **code);

krb5_error_code
encode_krb5_kdc_dh_key_info(const krb5_kdc_dh_key_info *rep, krb5_data **code);

krb5_error_code
encode_krb5_reply_key_pack(const krb5_reply_key_pack *, krb5_data **code);

/* Input is an array of pointers; terminator convention as for supportedCMSTypes. */
krb5_error_code
encode_krb5_td_trusted_certifiers(krb5_external_principal_identifier *const *,
                                  krb5_data **code);

krb5_error_code
encode_krb5_td_dh_parameters(krb5_algorithm_identifier *const *,
                             krb5_data **code);

krb5_error_code
encode_krb5_sp80056a_other_info(const krb5_sp80056a_other_info *,
                                krb5_data **);

krb5_error_code
encode_krb5_pkinit_supp_pub_info(const krb5_pkinit_supp_pub_info *,
                                 krb5_data **);

/*************************************************************************
 * Prototypes for pkinit asn.1 decode routines
 *
 * Each decoder parses the DER in the first argument into a newly
 * allocated structure returned through the out-parameter.  The input is
 * the PA-DATA value received from the peer, i.e. untrusted bytes; the
 * implementations (not in this header) are responsible for rejecting
 * malformed or truncated input with a non-zero krb5_error_code rather
 * than returning a partially filled structure.  The free routines for the
 * returned structures are not declared here.
 *************************************************************************/

krb5_error_code
decode_krb5_pa_pk_as_req(const krb5_data *, krb5_pa_pk_as_req **);

krb5_error_code
decode_krb5_pa_pk_as_rep(const krb5_data *, krb5_pa_pk_as_rep **);

krb5_error_code
decode_krb5_auth_pack(const krb5_data *, krb5_auth_pack **);

krb5_error_code
decode_krb5_kdc_dh_key_info(const krb5_data *, krb5_kdc_dh_key_info **);

krb5_error_code
decode_krb5_principal_name(const krb5_data *, krb5_principal_data **);

krb5_error_code
decode_krb5_reply_key_pack(const krb5_data *, krb5_reply_key_pack **);

/* Out-parameter receives an allocated array of pointers (hence ***). */
krb5_error_code
decode_krb5_td_trusted_certifiers(const krb5_data *,
                                  krb5_external_principal_identifier ***);

krb5_error_code
decode_krb5_td_dh_parameters(const krb5_data *, krb5_algorithm_identifier ***);

/*
 * The next two are encoders despite sitting under the decode heading;
 * they follow the encoder contract described above.
 */
krb5_error_code
encode_krb5_enc_data(const krb5_enc_data *, krb5_data **);

krb5_error_code
encode_krb5_encryption_key(const krb5_keyblock *rep, krb5_data **code);

/*
 * Judging by the signature: encrypts `plain` under `key` with the given
 * key usage and writes the result to `cipher`.  Whether `cipher` must be
 * pre-initialized or is allocated by the helper is not declared here --
 * check the definition before use.
 */
krb5_error_code
krb5_encrypt_helper(krb5_context context, const krb5_keyblock *key,
                    krb5_keyusage keyusage, const krb5_data *plain,
                    krb5_enc_data *cipher);

#endif /* _KRB5_INT_PKINIT_H */