1 /* 2 * COPYRIGHT (C) 2007 3 * THE REGENTS OF THE UNIVERSITY OF MICHIGAN 4 * ALL RIGHTS RESERVED 5 * 6 * Permission is granted to use, copy, create derivative works 7 * and redistribute this software and such derivative works 8 * for any purpose, so long as the name of The University of 9 * Michigan is not used in any advertising or publicity 10 * pertaining to the use of distribution of this software 11 * without specific, written prior authorization. If the 12 * above copyright notice or any other identification of the 13 * University of Michigan is included in any copy of any 14 * portion of this software, then the disclaimer below must 15 * also be included. 16 * 17 * THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION 18 * FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY 19 * PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF 20 * MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING 21 * WITHOUT LIMITATION THE IMPLIED WARRANTIES OF 22 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE 23 * REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE 24 * FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR 25 * CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING 26 * OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN 27 * IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF 28 * SUCH DAMAGES. 29 */ 30 31 /* 32 * This header defines the cryptographic interface 33 */ 34 35 #ifndef _PKINIT_CRYPTO_H 36 #define _PKINIT_CRYPTO_H 37 38 #include <krb5/krb5.h> 39 #include <krb5/preauth_plugin.h> 40 #include <k5-int-pkinit.h> 41 #include <profile.h> 42 #include "pkinit_accessor.h" 43 44 /* 45 * these describe the CMS message types 46 */ 47 enum cms_msg_types { 48 CMS_SIGN_CLIENT, 49 CMS_SIGN_SERVER, 50 CMS_ENVEL_SERVER 51 }; 52 53 /* 54 * storage types for identity information 55 */ 56 #define IDTYPE_FILE 1 57 #define IDTYPE_DIR 2 58 #define IDTYPE_PKCS11 3 59 #define IDTYPE_ENVVAR 4 60 #define IDTYPE_PKCS12 5 61 62 /* 63 * ca/crl types 64 */ 65 #define CATYPE_ANCHORS 1 66 #define CATYPE_INTERMEDIATES 2 67 #define CATYPE_CRLS 3 68 69 /* 70 * The following represent Key Usage values that we 71 * may care about in a certificate 72 */ 73 #define PKINIT_KU_DIGITALSIGNATURE 0x80000000 74 #define PKINIT_KU_KEYENCIPHERMENT 0x40000000 75 76 /* 77 * The following represent Extended Key Usage oid values 78 * that we may care about in a certificate 79 */ 80 #define PKINIT_EKU_PKINIT 0x80000000 81 #define PKINIT_EKU_MSSCLOGIN 0x40000000 82 #define PKINIT_EKU_CLIENTAUTH 0x20000000 83 #define PKINIT_EKU_EMAILPROTECTION 0x10000000 84 85 86 /* Handle to cert, opaque above crypto interface */ 87 typedef struct _pkinit_cert_info *pkinit_cert_handle; 88 89 /* Handle to cert iteration information, opaque above crypto interface */ 90 typedef struct _pkinit_cert_iter_info *pkinit_cert_iter_handle; 91 92 #define PKINIT_ITER_NO_MORE 0x11111111 /* XXX */ 93 94 typedef struct _pkinit_cert_matching_data { 95 char *subject_dn; /* rfc2253-style subject name string */ 96 char *issuer_dn; /* rfc2253-style issuer name string */ 97 unsigned int ku_bits; /* key usage information */ 98 unsigned int eku_bits; /* extended key usage information */ 99 krb5_principal *sans; /* Null-terminated array of PKINIT SANs */ 100 char **upns; /* Null-terimnated array of UPN SANs */ 101 } pkinit_cert_matching_data; 102 103 /* 104 * Functions to initialize and cleanup crypto contexts 105 */ 106 krb5_error_code pkinit_init_plg_crypto(pkinit_plg_crypto_context *); 107 void pkinit_fini_plg_crypto(pkinit_plg_crypto_context); 108 109 krb5_error_code pkinit_init_req_crypto(pkinit_req_crypto_context *); 110 void pkinit_fini_req_crypto(pkinit_req_crypto_context); 111 112 krb5_error_code pkinit_init_identity_crypto(pkinit_identity_crypto_context *); 113 void pkinit_fini_identity_crypto(pkinit_identity_crypto_context); 114 /**Create a pkinit ContentInfo*/ 115 krb5_error_code cms_contentinfo_create 116 (krb5_context context, /* IN */ 117 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 118 pkinit_req_crypto_context req_cryptoctx, /* IN */ 119 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 120 int cms_msg_type, 121 unsigned char *in_data, unsigned int in_length, 122 unsigned char **out_data, unsigned int *out_data_len); 123 124 /* 125 * this function creates a CMS message where eContentType is SignedData 126 */ 127 krb5_error_code cms_signeddata_create 128 (krb5_context context, /* IN */ 129 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 130 pkinit_req_crypto_context req_cryptoctx, /* IN */ 131 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 132 int cms_msg_type, /* IN 133 specifies CMS_SIGN_CLIENT for client-side CMS message 134 and CMS_SIGN_SERVER for kdc-side */ 135 unsigned char *auth_pack, /* IN 136 contains DER encoded AuthPack (CMS_SIGN_CLIENT) 137 or DER encoded DHRepInfo (CMS_SIGN_SERVER) */ 138 unsigned int auth_pack_len, /* IN 139 contains length of auth_pack */ 140 unsigned char **signed_data, /* OUT 141 for CMS_SIGN_CLIENT receives DER encoded 142 SignedAuthPack (CMS_SIGN_CLIENT) or DER 143 encoded DHInfo (CMS_SIGN_SERVER) */ 144 unsigned int *signed_data_len); /* OUT 145 receives length of signed_data */ 146 147 /* 148 * this function verifies a CMS message where eContentType is SignedData 149 */ 150 krb5_error_code cms_signeddata_verify 151 (krb5_context context, /* IN */ 152 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 153 pkinit_req_crypto_context req_cryptoctx, /* IN */ 154 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 155 int cms_msg_type, /* IN 156 specifies CMS_SIGN_CLIENT for client-side 157 CMS message and CMS_SIGN_SERVER for kdc-side */ 158 int require_crl_checking, /* IN 159 specifies whether CRL checking should be 160 strictly enforced, i.e. if no CRLs available 161 for the CA then fail verification. 162 note, if the value is 0, crls are still 163 checked if present */ 164 unsigned char *signed_data, /* IN 165 contains DER encoded SignedAuthPack (CMS_SIGN_CLIENT) 166 or DER encoded DHInfo (CMS_SIGN_SERVER) */ 167 unsigned int signed_data_len, /* IN 168 contains length of signed_data*/ 169 unsigned char **auth_pack, /* OUT 170 receives DER encoded AuthPack (CMS_SIGN_CLIENT) 171 or DER encoded DHRepInfo (CMS_SIGN_SERVER)*/ 172 unsigned int *auth_pack_len, /* OUT 173 receives length of auth_pack */ 174 unsigned char **authz_data, /* OUT 175 receives required authorization data that 176 contains the verified certificate chain 177 (only used by the KDC) */ 178 unsigned int *authz_data_len, /* OUT 179 receives length of authz_data */ 180 int *is_signed); /* OUT 181 receives whether message is signed */ 182 183 /* 184 * this function creates a CMS message where eContentType is EnvelopedData 185 */ 186 krb5_error_code cms_envelopeddata_create 187 (krb5_context context, /* IN */ 188 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 189 pkinit_req_crypto_context req_cryptoctx, /* IN */ 190 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 191 krb5_preauthtype pa_type, /* IN */ 192 unsigned char *key_pack, /* IN 193 contains DER encoded ReplyKeyPack */ 194 unsigned int key_pack_len, /* IN 195 contains length of key_pack */ 196 unsigned char **envel_data, /* OUT 197 receives DER encoded encKeyPack */ 198 unsigned int *envel_data_len); /* OUT 199 receives length of envel_data */ 200 201 /* 202 * this function creates a CMS message where eContentType is EnvelopedData 203 */ 204 krb5_error_code cms_envelopeddata_verify 205 (krb5_context context, /* IN */ 206 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 207 pkinit_req_crypto_context req_cryptoctx, /* IN */ 208 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 209 krb5_preauthtype pa_type, /* IN */ 210 int require_crl_checking, /* IN 211 specifies whether CRL checking should be 212 strictly enforced */ 213 unsigned char *envel_data, /* IN 214 contains DER encoded encKeyPack */ 215 unsigned int envel_data_len, /* IN 216 contains length of envel_data */ 217 unsigned char **signed_data, /* OUT 218 receives ReplyKeyPack */ 219 unsigned int *signed_data_len); /* OUT 220 receives length of signed_data */ 221 222 /* 223 * This function retrieves the signer's identity, in a form that could 224 * be passed back in to a future invocation of this module as a candidate 225 * client identity location. 226 */ 227 krb5_error_code crypto_retrieve_signer_identity 228 (krb5_context context, /* IN */ 229 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 230 const char **identity); /* OUT */ 231 232 /* 233 * this function returns SAN information found in the 234 * received certificate. at least one of pkinit_sans, 235 * upn_sans, or kdc_hostnames must be non-NULL. 236 */ 237 krb5_error_code crypto_retrieve_cert_sans 238 (krb5_context context, /* IN */ 239 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 240 pkinit_req_crypto_context req_cryptoctx, /* IN */ 241 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 242 krb5_principal **pkinit_sans, /* OUT 243 if non-NULL, a null-terminated array of 244 id-pkinit-san values found in the certificate 245 are returned */ 246 char ***upn_sans, /* OUT 247 if non-NULL, a null-terminated array of 248 id-ms-upn-san values found in the certificate 249 are returned */ 250 unsigned char ***kdc_hostname); /* OUT 251 if non-NULL, a null-terminated array of 252 dNSName (hostname) SAN values found in the 253 certificate are returned */ 254 255 /* 256 * this function checks for acceptable key usage values 257 * in the received certificate. 258 * 259 * when checking a received kdc certificate, it looks for 260 * the kpKdc key usage. if allow_secondary_usage is 261 * non-zero, it will also accept kpServerAuth. 262 * 263 * when checking a received user certificate, it looks for 264 * kpClientAuth key usage. if allow_secondary_usage is 265 * non-zero, it will also accept id-ms-sc-logon EKU. 266 * 267 * this function must also assert that the digitalSignature 268 * key usage is consistent. 269 */ 270 krb5_error_code crypto_check_cert_eku 271 (krb5_context context, /* IN */ 272 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 273 pkinit_req_crypto_context req_cryptoctx, /* IN */ 274 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 275 int checking_kdc_cert, /* IN 276 specifies if the received certificate is 277 a KDC certificate (non-zero), 278 or a user certificate (zero) */ 279 int allow_secondary_usage, /* IN 280 specifies if the secondary key usage 281 should be accepted or not (see above) */ 282 int *eku_valid); /* OUT 283 receives non-zero if an acceptable EKU was found */ 284 285 /* 286 * this functions takes in generated DH secret key and converts 287 * it in to a kerberos session key. it takes into the account the 288 * enc type and then follows the procedure specified in the RFC p 22. 289 */ 290 krb5_error_code pkinit_octetstring2key 291 (krb5_context context, /* IN */ 292 krb5_enctype etype, /* IN 293 specifies the enc type */ 294 unsigned char *key, /* IN 295 contains the DH secret key */ 296 unsigned int key_len, /* IN 297 contains length of key */ 298 krb5_keyblock * krb5key); /* OUT 299 receives kerberos session key */ 300 301 /* 302 * this function implements clients first part of the DH protocol. 303 * client selects its DH parameters and pub key 304 */ 305 krb5_error_code client_create_dh 306 (krb5_context context, /* IN */ 307 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 308 pkinit_req_crypto_context req_cryptoctx, /* IN */ 309 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 310 int dh_size, /* IN 311 specifies the DH modulous, eg 1024, 2048, or 4096 */ 312 krb5_data *spki_out); /* OUT 313 receives SubjectPublicKeyInfo encoding */ 314 315 /* 316 * this function completes client's the DH protocol. client 317 * processes received DH pub key from the KDC and computes 318 * the DH secret key 319 */ 320 krb5_error_code client_process_dh 321 (krb5_context context, /* IN */ 322 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 323 pkinit_req_crypto_context req_cryptoctx, /* IN */ 324 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 325 unsigned char *dh_pubkey, /* IN 326 contains client's DER encoded DH pub key */ 327 unsigned int dh_pubkey_len, /* IN 328 contains length of dh_pubkey */ 329 unsigned char **client_key_out, /* OUT 330 receives DH secret key */ 331 unsigned int *client_key_len_out); /* OUT 332 receives length of DH secret key */ 333 334 /* 335 * this function implements the KDC first part of the DH protocol. 336 * it decodes the client's DH parameters and pub key and checks 337 * if they are acceptable. 338 */ 339 krb5_error_code server_check_dh 340 (krb5_context context, /* IN */ 341 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 342 pkinit_req_crypto_context req_cryptoctx, /* IN */ 343 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 344 const krb5_data *client_spki, /* IN 345 SubjectPublicKeyInfo encoding from client */ 346 int minbits); /* IN 347 the minimum number of key bits acceptable */ 348 349 /* 350 * this function completes the KDC's DH protocol. The KDC generates 351 * its DH pub key and computes the DH secret key 352 */ 353 krb5_error_code server_process_dh 354 (krb5_context context, /* IN */ 355 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 356 pkinit_req_crypto_context req_cryptoctx, /* IN */ 357 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 358 unsigned char **dh_pubkey_out, /* OUT 359 receives KDC's DER encoded DH pub key */ 360 unsigned int *dh_pubkey_len_out, /* OUT 361 receives length of dh_pubkey */ 362 unsigned char **server_key_out, /* OUT 363 receives DH secret key */ 364 unsigned int *server_key_len_out); /* OUT 365 receives length of DH secret key */ 366 367 /* 368 * this functions takes in crypto specific representation of 369 * supportedCMSTypes and creates a list of 370 * krb5_algorithm_identifier 371 */ 372 krb5_error_code create_krb5_supportedCMSTypes 373 (krb5_context context, /* IN */ 374 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 375 pkinit_req_crypto_context req_cryptoctx, /* IN */ 376 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 377 krb5_algorithm_identifier ***supportedCMSTypes); /* OUT */ 378 379 /* 380 * this functions takes in crypto specific representation of 381 * trustedCertifiers and creates a list of 382 * krb5_external_principal_identifier 383 */ 384 krb5_error_code create_krb5_trustedCertifiers 385 (krb5_context context, /* IN */ 386 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 387 pkinit_req_crypto_context req_cryptoctx, /* IN */ 388 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 389 krb5_external_principal_identifier ***trustedCertifiers); /* OUT */ 390 391 /* 392 * this functions takes in crypto specific representation of the 393 * KDC's certificate and creates a DER encoded kdcPKId 394 */ 395 krb5_error_code create_issuerAndSerial 396 (krb5_context context, /* IN */ 397 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 398 pkinit_req_crypto_context req_cryptoctx, /* IN */ 399 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 400 unsigned char **kdcId_buf, /* OUT 401 receives DER encoded kdcPKId */ 402 unsigned int *kdcId_len); /* OUT 403 receives length of encoded kdcPKId */ 404 405 /* 406 * These functions manipulate the deferred-identities list in the identity 407 * context, which is opaque outside of the crypto-specific bits. 408 */ 409 const pkinit_deferred_id * crypto_get_deferred_ids 410 (krb5_context context, pkinit_identity_crypto_context id_cryptoctx); 411 krb5_error_code crypto_set_deferred_id 412 (krb5_context context, 413 pkinit_identity_crypto_context id_cryptoctx, 414 const char *identity, const char *password); 415 416 /* 417 * process the values from idopts and obtain the cert(s) 418 * specified by those options, populating the id_cryptoctx. 419 */ 420 krb5_error_code crypto_load_certs 421 (krb5_context context, /* IN */ 422 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 423 pkinit_req_crypto_context req_cryptoctx, /* IN */ 424 pkinit_identity_opts *idopts, /* IN */ 425 pkinit_identity_crypto_context id_cryptoctx, /* IN/OUT */ 426 krb5_principal princ, /* IN */ 427 krb5_boolean defer_id_prompts); /* IN */ 428 429 /* 430 * Free up information held from crypto_load_certs() 431 */ 432 krb5_error_code crypto_free_cert_info 433 (krb5_context context, 434 pkinit_plg_crypto_context plg_cryptoctx, 435 pkinit_req_crypto_context req_cryptoctx, 436 pkinit_identity_crypto_context id_cryptoctx); 437 438 439 /* 440 * Get a null-terminated list of certificate matching data objects for the 441 * certificates loaded in id_cryptoctx. 442 */ 443 krb5_error_code 444 crypto_cert_get_matching_data(krb5_context context, 445 pkinit_plg_crypto_context plg_cryptoctx, 446 pkinit_req_crypto_context req_cryptoctx, 447 pkinit_identity_crypto_context id_cryptoctx, 448 pkinit_cert_matching_data ***md_out); 449 450 /* 451 * Free a matching data object. 452 */ 453 void 454 crypto_cert_free_matching_data(krb5_context context, 455 pkinit_cert_matching_data *md); 456 457 /* 458 * Free a list of matching data objects. 459 */ 460 void 461 crypto_cert_free_matching_data_list(krb5_context context, 462 pkinit_cert_matching_data **matchdata); 463 464 /* 465 * Choose one of the certificates loaded in idctx to use for PKINIT client 466 * operations. cred_index must be an index into the array of matching objects 467 * returned by crypto_cert_get_matching_data(). 468 */ 469 krb5_error_code 470 crypto_cert_select(krb5_context context, pkinit_identity_crypto_context idctx, 471 size_t cred_index); 472 473 /* 474 * Select the default certificate as "the chosen one" 475 */ 476 krb5_error_code crypto_cert_select_default 477 (krb5_context context, /* IN */ 478 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 479 pkinit_req_crypto_context req_cryptoctx, /* IN */ 480 pkinit_identity_crypto_context id_cryptoctx); /* IN */ 481 482 /* 483 * process the values from idopts and obtain the anchor or 484 * intermediate certificates, or crls specified by idtype, 485 * catype, and id 486 */ 487 krb5_error_code crypto_load_cas_and_crls 488 (krb5_context context, /* IN */ 489 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 490 pkinit_req_crypto_context req_cryptoctx, /* IN */ 491 pkinit_identity_opts *idopts, /* IN */ 492 pkinit_identity_crypto_context id_cryptoctx, /* IN/OUT */ 493 int idtype, /* IN 494 defines the storage type (file, directory, etc) */ 495 int catype, /* IN 496 defines the ca type (anchor, intermediate, crls) */ 497 char *id); /* IN 498 defines the location (filename, directory name, etc) */ 499 500 /* 501 * on the client, obtain the kdc's certificate to include 502 * in a request 503 */ 504 krb5_error_code pkinit_get_kdc_cert 505 (krb5_context context, /* IN */ 506 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 507 pkinit_req_crypto_context req_cryptoctx, /* IN */ 508 pkinit_identity_crypto_context id_cryptoctx, /* IN/OUT */ 509 krb5_principal princ); /* IN */ 510 511 /* 512 * this function creates edata that contains TD-DH-PARAMETERS 513 */ 514 krb5_error_code pkinit_create_td_dh_parameters 515 (krb5_context context, /* IN */ 516 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 517 pkinit_req_crypto_context req_cryptoctx, /* IN */ 518 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 519 pkinit_plg_opts *opts, /* IN */ 520 krb5_pa_data ***e_data_out); /* OUT */ 521 522 /* 523 * this function processes edata that contains TD-DH-PARAMETERS. 524 * the client processes the received acceptable by KDC DH 525 * parameters and picks the first acceptable to it. it matches 526 * them against the known DH parameters. 527 */ 528 krb5_error_code pkinit_process_td_dh_params 529 (krb5_context context, /* IN */ 530 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 531 pkinit_req_crypto_context req_cryptoctx, /* IN */ 532 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 533 krb5_algorithm_identifier **algId, /* IN */ 534 int *new_dh_size); /* OUT 535 receives the new DH modulus to use in the new AS-REQ */ 536 537 /* 538 * this function creates edata that contains TD-INVALID-CERTIFICATES 539 */ 540 krb5_error_code pkinit_create_td_invalid_certificate 541 (krb5_context context, /* IN */ 542 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 543 pkinit_req_crypto_context req_cryptoctx, /* IN */ 544 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 545 krb5_pa_data ***e_data_out); /* OUT */ 546 547 /* 548 * this function creates edata that contains TD-TRUSTED-CERTIFIERS 549 */ 550 krb5_error_code pkinit_create_td_trusted_certifiers 551 (krb5_context context, /* IN */ 552 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 553 pkinit_req_crypto_context req_cryptoctx, /* IN */ 554 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 555 krb5_pa_data ***e_data_out); /* OUT */ 556 557 /* 558 * this function processes edata that contains either 559 * TD-TRUSTED-CERTIFICATES or TD-INVALID-CERTIFICATES. 560 * current implementation only decodes the received message 561 * but does not act on it 562 */ 563 krb5_error_code pkinit_process_td_trusted_certifiers 564 (krb5_context context, /* IN */ 565 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 566 pkinit_req_crypto_context req_cryptoctx, /* IN */ 567 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 568 krb5_external_principal_identifier **trustedCertifiers, /* IN */ 569 int td_type); /* IN */ 570 571 /* 572 * this function checks if the received kdcPKId matches 573 * the KDC's certificate 574 */ 575 krb5_error_code pkinit_check_kdc_pkid 576 (krb5_context context, /* IN */ 577 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 578 pkinit_req_crypto_context req_cryptoctx, /* IN */ 579 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 580 unsigned char *pdid_buf, /* IN 581 contains DER encoded kdcPKId */ 582 unsigned int pkid_len, /* IN 583 contains length of pdid_buf */ 584 int *valid_kdcPkId); /* OUT 585 1 if kdcPKId matches, otherwise 0 */ 586 587 krb5_error_code pkinit_identity_set_prompter 588 (pkinit_identity_crypto_context id_cryptoctx, /* IN */ 589 krb5_prompter_fct prompter, /* IN */ 590 void *prompter_data); /* IN */ 591 592 krb5_error_code 593 pkinit_alg_agility_kdf(krb5_context context, 594 krb5_data *secret, 595 krb5_data *alg_oid, 596 krb5_const_principal party_u_info, 597 krb5_const_principal party_v_info, 598 krb5_enctype enctype, 599 krb5_data *as_req, 600 krb5_data *pk_as_rep, 601 krb5_keyblock *key_block); 602 603 extern const krb5_data sha1_id; 604 extern const krb5_data sha256_id; 605 extern const krb5_data sha512_id; 606 extern const krb5_data oakley_1024; 607 extern const krb5_data oakley_2048; 608 extern const krb5_data oakley_4096; 609 610 /** 611 * An ordered set of OIDs, stored as krb5_data, of KDF algorithms 612 * supported by this implementation. The order of this array controls 613 * the order in which the server will pick. 614 */ 615 extern krb5_data const * const supported_kdf_alg_ids[]; 616 617 /* CMS signature algorithms supported by this implementation, in order of 618 * decreasing preference. */ 619 extern krb5_data const * const supported_cms_algs[]; 620 621 krb5_error_code 622 crypto_encode_der_cert(krb5_context context, pkinit_req_crypto_context reqctx, 623 uint8_t **der_out, size_t *der_len); 624 625 krb5_error_code 626 crypto_req_cert_matching_data(krb5_context context, 627 pkinit_plg_crypto_context plgctx, 628 pkinit_req_crypto_context reqctx, 629 pkinit_cert_matching_data **md_out); 630 631 #endif /* _PKINIT_CRYPTO_H */ 632