1 /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ 2 /* 3 * COPYRIGHT (C) 2006 4 * THE REGENTS OF THE UNIVERSITY OF MICHIGAN 5 * ALL RIGHTS RESERVED 6 * 7 * Permission is granted to use, copy, create derivative works 8 * and redistribute this software and such derivative works 9 * for any purpose, so long as the name of The University of 10 * Michigan is not used in any advertising or publicity 11 * pertaining to the use of distribution of this software 12 * without specific, written prior authorization. If the 13 * above copyright notice or any other identification of the 14 * University of Michigan is included in any copy of any 15 * portion of this software, then the disclaimer below must 16 * also be included. 17 * 18 * THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION 19 * FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY 20 * PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF 21 * MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING 22 * WITHOUT LIMITATION THE IMPLIED WARRANTIES OF 23 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE 24 * REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE 25 * FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR 26 * CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING 27 * OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN 28 * IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF 29 * SUCH DAMAGES. 
 */

/* NOTE(review): the guard name starts with '_' + uppercase, which C reserves
 * for the implementation; it is kept here because other files may test it. */
#ifndef _KRB5_INT_PKINIT_H
#define _KRB5_INT_PKINIT_H

/*
 * pkinit structures
 *
 * C representations of the PKINIT pre-authentication ASN.1 types from
 * RFC 4556, plus the fields added by the freshness and algorithm-agility
 * extensions.  The encode/decode routines declared at the bottom of this
 * file produce and consume these structures; "Optional" on a member marks
 * an ASN.1 OPTIONAL element.  For krb5_data members an absent element is
 * presumably represented by an empty data, for pointer members by NULL --
 * confirm against the asn.1 layer, which is not visible here.
 */

/*
 * PKAuthenticator (RFC 4556 section 3.2.1).
 *
 * ctime/cusec are the client's time.  nonce is the value the client expects
 * the KDC to echo (KDCDHKeyInfo.nonce in the DH case) to bind the reply to
 * this request.  paChecksum is the checksum over the AS-REQ body that ties
 * the signed AuthPack to the unsigned request it accompanies.
 * freshnessToken is the optional KDC-issued freshness token (PKINIT
 * freshness extension); it is a pointer, presumably NULL when absent.
 */
typedef struct _krb5_pk_authenticator {
    krb5_int32 cusec;               /* (0..999999) */
    krb5_timestamp ctime;
    /*
     * The wire type is INTEGER (0..4294967295) but this member is a signed
     * 32-bit value, so nonces at or above 2^31 are stored as negative
     * numbers.  NOTE(review): the encoder/decoder are not visible here;
     * confirm they agree on that representation before comparing nonces
     * across the request/reply boundary.
     */
    krb5_int32 nonce;               /* (0..4294967295) */
    krb5_checksum paChecksum;
    krb5_data *freshnessToken;      /* Optional; pointer, NULL when absent */
} krb5_pk_authenticator;

/*
 * AlgorithmIdentifier (X.509 style): an algorithm OID plus optional,
 * algorithm-specific DER parameters.
 */
typedef struct _krb5_algorithm_identifier {
    krb5_data algorithm;            /* OID */
    krb5_data parameters;           /* Optional */
} krb5_algorithm_identifier;

/**
 * AuthPack from RFC 4556 (section 3.2.1): the structure the client signs
 * with CMS and sends as PA-PK-AS-REQ.signedAuthPack.
 *
 * clientPublicValue is the client's DH public key (a DER
 * SubjectPublicKeyInfo); per RFC 4556 its absence selects the public-key
 * encryption (encKeyPack) reply path instead of DH.  supportedCMSTypes is
 * an array of pointers to the CMS algorithms the client accepts -- there is
 * no count member, so presumably NULL-terminated.  clientDHNonce lets the
 * client reuse a DH key yet still obtain a fresh shared secret.
 * supportedKDFs is the algorithm-agility extension: an array of KDF OIDs
 * the client supports (again no count, presumably NULL-terminated); the
 * KDC's selection comes back in DHRepInfo.kdfID.
 */
typedef struct _krb5_auth_pack {
    krb5_pk_authenticator pkAuthenticator;
    krb5_data clientPublicValue;                    /* Optional */
    krb5_algorithm_identifier **supportedCMSTypes;  /* Optional */
    krb5_data clientDHNonce;                        /* Optional */
    krb5_data **supportedKDFs;                      /* OIDs of KDFs; OPTIONAL */
} krb5_auth_pack;

/*
 * ExternalPrincipalIdentifier (RFC 4556 section 3.2.1): names a certificate
 * by subject name, by issuer-and-serial, or by subject key identifier.
 * Each member holds a DER encoding and each is optional.
 */
typedef struct _krb5_external_principal_identifier {
    krb5_data subjectName;              /* Optional */
    krb5_data issuerAndSerialNumber;    /* Optional */
    krb5_data subjectKeyIdentifier;     /* Optional */
} krb5_external_principal_identifier;

/*
 * PA-PK-AS-REQ (rfc4556 -- PA TYPE 16), section 3.2.1.
 *
 * signedAuthPack is the DER CMS SignedData whose content is an AuthPack.
 * trustedCertifiers optionally lists CAs the client trusts, so the KDC can
 * choose a certificate chain the client is able to verify (array of
 * pointers, no count member, presumably NULL-terminated).  kdcPkId
 * optionally identifies the KDC certificate the client wants used.
 */
typedef struct _krb5_pa_pk_as_req {
    krb5_data signedAuthPack;
    krb5_external_principal_identifier **trustedCertifiers; /* Optional array */
    krb5_data kdcPkId;                                      /* Optional */
} krb5_pa_pk_as_req;

/**
 * Pkinit DHRepInfo (RFC 4556 section 3.2.3): the DH branch of PA-PK-AS-REP.
 *
 * dhSignedData is the KDC's CMS SignedData whose content is a KDCDHKeyInfo.
 * serverDHNonce is present when the KDC reuses a DH key (it pairs with
 * clientDHNonce).  kdfID is the algorithm-agility field: the OID of the KDF
 * the KDC chose from the client's supportedKDFs; it is a pointer, presumably
 * NULL when the KDC falls back to the original RFC 4556 key derivation.
 */
typedef struct _krb5_dh_rep_info {
    krb5_data dhSignedData;
    krb5_data serverDHNonce;        /* Optional */
    krb5_data *kdfID;               /* OID of selected KDF OPTIONAL */
} krb5_dh_rep_info;

/*
 * KDCDHKeyInfo (RFC 4556 section 3.2.3): the KDC's DH public value.
 *
 * nonce echoes PKAuthenticator.nonce and is what the client compares to
 * bind the reply to its request; it has the same signed-vs-unsigned caveat
 * noted on PKAuthenticator.  dhKeyExpiration is optional and only
 * meaningful when the KDC reuses its DH key; how "absent" is represented in
 * a krb5_timestamp (presumably zero) is decided by the asn.1 layer.
 */
typedef struct _krb5_kdc_dh_key_info {
    krb5_data subjectPublicKey;     /* BIT STRING */
    krb5_int32 nonce;               /* (0..4294967295) */
    krb5_timestamp dhKeyExpiration; /* Optional */
} krb5_kdc_dh_key_info;

/*
 * ReplyKeyPack (RFC 4556 section 3.2.3): the plaintext of the encKeyPack
 * branch.  asChecksum is a keyed checksum over the AS-REQ computed with
 * replyKey; the client must verify it so a reply key cannot be spliced onto
 * a request it does not answer.
 */
typedef struct _krb5_reply_key_pack {
    krb5_keyblock replyKey;
    krb5_checksum asChecksum;
} krb5_reply_key_pack;

/*
 * PA-PK-AS-REP (rfc4556 -- PA TYPE 17), section 3.2.3: an ASN.1 CHOICE.
 *
 * choice says which member of u is valid; the enumerator values 0 and 1
 * correspond to the context tags [0] dhInfo and [1] encKeyPack.
 * choice_pa_pk_as_rep_UNKNOWN is the sentinel for an unrecognised
 * alternative -- consumers must check choice before reading u.
 */
typedef struct _krb5_pa_pk_as_rep {
    enum krb5_pa_pk_as_rep_selection {
        choice_pa_pk_as_rep_UNKNOWN = -1,
        choice_pa_pk_as_rep_dhInfo = 0,
        choice_pa_pk_as_rep_encKeyPack = 1
    } choice;
    union krb5_pa_pk_as_rep_choices {
        krb5_dh_rep_info dh_Info;
        krb5_data encKeyPack;
    } u;
} krb5_pa_pk_as_rep;

/*
 * SP80056A OtherInfo, for pkinit algorithm agility: the fixed "OtherInfo"
 * input to the SP 800-56A KDF that derives the reply key from the DH shared
 * secret.  algorithm_identifier names the KDF; per the agility spec
 * party_u_info is the client principal and party_v_info the KDC principal;
 * supp_pub_info is the DER-encoded PkinitSuppPubInfo below.
 */
typedef struct _krb5_sp80056a_other_info {
    krb5_algorithm_identifier algorithm_identifier;
    krb5_principal party_u_info;
    krb5_principal party_v_info;
    krb5_data supp_pub_info;
} krb5_sp80056a_other_info;

/*
 * PkinitSuppPubInfo, for pkinit algorithm agility: public context mixed
 * into the KDF -- the negotiated enctype and the encoded AS-REQ and
 * PA-PK-AS-REP.  Binding both messages into the key derivation is what
 * prevents a derived key from being transplanted onto a different exchange.
 */
typedef struct _krb5_pkinit_supp_pub_info {
    krb5_enctype enctype;
    krb5_data as_req;
    krb5_data pk_as_rep;
} krb5_pkinit_supp_pub_info;

/*
 * Begin "asn1.h"
 */

/*************************************************************************
 * Prototypes for pkinit asn.1 encode routines
 *
 * Each routine DER-encodes the given structure and returns the result
 * through the krb5_data ** out-parameter.  NOTE(review): allocation and
 * ownership of that output (who frees it) follow the rest of the krb5
 * asn.1 layer, which is not visible in this header -- confirm before use.
 *************************************************************************/

/* Parameter is a request despite being named "rep". */
krb5_error_code
encode_krb5_pa_pk_as_req(const krb5_pa_pk_as_req *rep, krb5_data **code);

krb5_error_code
encode_krb5_pa_pk_as_rep(const krb5_pa_pk_as_rep *rep, krb5_data **code);

/* Encodes the AuthPack that is subsequently wrapped in CMS SignedData. */
krb5_error_code
encode_krb5_auth_pack(const krb5_auth_pack *rep, krb5_data **code);

krb5_error_code
encode_krb5_kdc_dh_key_info(const krb5_kdc_dh_key_info *rep, krb5_data **code);

krb5_error_code
encode_krb5_reply_key_pack(const krb5_reply_key_pack *, krb5_data **code);

/* TD-TRUSTED-CERTIFIERS error typed-data (RFC 4556 section 3.2.2). */
krb5_error_code
encode_krb5_td_trusted_certifiers(krb5_external_principal_identifier *const *,
                                  krb5_data **code);

/* TD-DH-PARAMETERS error typed-data: the DH groups the KDC accepts. */
krb5_error_code
encode_krb5_td_dh_parameters(krb5_algorithm_identifier *const *,
                             krb5_data **code);

/* Algorithm-agility KDF inputs (see the two structures above). */
krb5_error_code
encode_krb5_sp80056a_other_info(const krb5_sp80056a_other_info *,
                                krb5_data **);

krb5_error_code
encode_krb5_pkinit_supp_pub_info(const krb5_pkinit_supp_pub_info *,
                                 krb5_data **);

/*************************************************************************
 * Prototypes for pkinit asn.1 decode routines
 *
 * Each routine parses DER that arrived off the network and hands back a
 * newly built structure through the out-parameter (presumably allocated,
 * given the double pointer; ownership rules are not visible here).  The
 * result is still untrusted data: callers must check the CHOICE selector,
 * NULL optional pointers and the signed nonce representation before use.
 *************************************************************************/

krb5_error_code
decode_krb5_pa_pk_as_req(const krb5_data *, krb5_pa_pk_as_req **);

krb5_error_code
decode_krb5_pa_pk_as_rep(const krb5_data *, krb5_pa_pk_as_rep **);

krb5_error_code
decode_krb5_auth_pack(const krb5_data *, krb5_auth_pack **);

krb5_error_code
decode_krb5_kdc_dh_key_info(const krb5_data *, krb5_kdc_dh_key_info **);

/* Decodes a bare Kerberos PrincipalName (no realm) into a principal. */
krb5_error_code
decode_krb5_principal_name(const krb5_data *, krb5_principal_data **);

krb5_error_code
decode_krb5_reply_key_pack(const krb5_data *, krb5_reply_key_pack **);

krb5_error_code
decode_krb5_td_trusted_certifiers(const krb5_data *,
                                  krb5_external_principal_identifier ***);

krb5_error_code
decode_krb5_td_dh_parameters(const krb5_data *, krb5_algorithm_identifier ***);

/* Encoders for generic Kerberos types that PKINIT embeds in its messages. */
krb5_error_code
encode_krb5_enc_data(const krb5_enc_data *, krb5_data **);

krb5_error_code
encode_krb5_encryption_key(const krb5_keyblock *rep, krb5_data **code);

/*
 * Encrypts plain under key into cipher.  keyusage selects the key-usage
 * number, which must be the PKINIT-specific value for the message being
 * protected so the same key cannot be used to forge a different message
 * type.  Whether cipher->ciphertext is allocated here or must be supplied
 * by the caller is not visible in this header.
 */
krb5_error_code
krb5_encrypt_helper(krb5_context context, const krb5_keyblock *key,
                    krb5_keyusage keyusage, const krb5_data *plain,
                    krb5_enc_data *cipher);

#endif /* _KRB5_INT_PKINIT_H */