xref: /illumos-gate/usr/src/lib/gss_mechs/mech_krb5/include/k5-int-pkinit.h (revision 503609a9497e27f206d815a06ce90a747d2ce573)
1 
2 /*
3  * COPYRIGHT (C) 2006
4  * THE REGENTS OF THE UNIVERSITY OF MICHIGAN
5  * ALL RIGHTS RESERVED
6  *
7  * Permission is granted to use, copy, create derivative works
8  * and redistribute this software and such derivative works
9  * for any purpose, so long as the name of The University of
10  * Michigan is not used in any advertising or publicity
11  * pertaining to the use of distribution of this software
12  * without specific, written prior authorization.  If the
13  * above copyright notice or any other identification of the
14  * University of Michigan is included in any copy of any
15  * portion of this software, then the disclaimer below must
16  * also be included.
17  *
18  * THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION
19  * FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY
20  * PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF
21  * MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING
22  * WITHOUT LIMITATION THE IMPLIED WARRANTIES OF
23  * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE
24  * REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE
25  * FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR
26  * CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING
27  * OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN
28  * IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF
29  * SUCH DAMAGES.
30  */
31 
32 #ifndef _KRB5_INT_PKINIT_H
33 #define _KRB5_INT_PKINIT_H
34 
35 /*
36  * pkinit structures
37  */
38 
39 /* PKAuthenticator */
40 typedef struct _krb5_pk_authenticator {
41 	krb5_int32	cusec;	/* (0..999999) */
42 	krb5_timestamp	ctime;
43 	krb5_int32	nonce;	/* (0..4294967295) */
44 	krb5_checksum	paChecksum;
45 } krb5_pk_authenticator;
46 
47 /* PKAuthenticator draft9 */
48 typedef struct _krb5_pk_authenticator_draft9 {
49 	krb5_principal  kdcName;
50 	krb5_octet_data	kdcRealm;
51 	krb5_int32	cusec;	/* (0..999999) */
52 	krb5_timestamp	ctime;
53 	krb5_int32	nonce;	/* (0..4294967295) */
54 } krb5_pk_authenticator_draft9;
55 
56 /* AlgorithmIdentifier */
57 typedef struct _krb5_algorithm_identifier {
58 	krb5_octet_data	algorithm;	/* OID */
59 	krb5_octet_data	parameters; /* Optional */
60 } krb5_algorithm_identifier;
61 
62 /* SubjectPublicKeyInfo */
63 typedef struct _krb5_subject_pk_info {
64 	krb5_algorithm_identifier   algorithm;
65 	krb5_octet_data		    subjectPublicKey; /* BIT STRING */
66 } krb5_subject_pk_info;
67 
68 /* AuthPack */
69 typedef struct _krb5_auth_pack {
70 	krb5_pk_authenticator	    pkAuthenticator;
71 	krb5_subject_pk_info	    *clientPublicValue; /* Optional */
72 	krb5_algorithm_identifier   **supportedCMSTypes; /* Optional */
73 	krb5_octet_data		    clientDHNonce; /* Optional */
74 } krb5_auth_pack;
75 
76 /* AuthPack draft9 */
77 typedef struct _krb5_auth_pack_draft9 {
78 	krb5_pk_authenticator_draft9 pkAuthenticator;
79 	krb5_subject_pk_info	    *clientPublicValue; /* Optional */
80 } krb5_auth_pack_draft9;
81 
82 /* ExternalPrincipalIdentifier */
83 typedef struct _krb5_external_principal_identifier {
84 	krb5_octet_data	subjectName; /* Optional */
85 	krb5_octet_data	issuerAndSerialNumber; /* Optional */
86 	krb5_octet_data	subjectKeyIdentifier; /* Optional */
87 } krb5_external_principal_identifier;
88 
89 /* TrustedCas */
90 typedef struct _krb5_trusted_ca {
91 	enum {
92 		choice_trusted_cas_UNKNOWN = -1,
93 		choice_trusted_cas_principalName = 0,
94 		choice_trusted_cas_caName = 1,
95 		choice_trusted_cas_issuerAndSerial = 2
96 	} choice;
97 	union {
98 		krb5_principal	principalName;
99 		krb5_octet_data	caName;	/* fully-qualified X.500 "Name" as defined by X.509 (der-encoded) */
100 		krb5_octet_data	issuerAndSerial; /* Optional -- IssuerAndSerialNumber (der-encoded) */
101 	} u;
102 } krb5_trusted_ca;
103 
104 /* typed data */
105 typedef struct _krb5_typed_data {
106     krb5_magic magic;
107     krb5_int32  type;
108     unsigned int length;
109     krb5_octet *data;
110 } krb5_typed_data;
111 
112 /* PA-PK-AS-REQ (Draft 9 -- PA TYPE 14) */
113 typedef struct _krb5_pa_pk_as_req_draft9 {
114 	krb5_octet_data	signedAuthPack;
115 	krb5_trusted_ca **trustedCertifiers; /* Optional array */
116 	krb5_octet_data kdcCert; /* Optional */
117 	krb5_octet_data encryptionCert;
118 } krb5_pa_pk_as_req_draft9;
119 
120 /* PA-PK-AS-REQ (rfc4556 -- PA TYPE 16) */
121 typedef struct _krb5_pa_pk_as_req {
122 	krb5_octet_data	signedAuthPack;
123 	krb5_external_principal_identifier **trustedCertifiers; /* Optional array */
124 	krb5_octet_data	kdcPkId; /* Optional */
125 } krb5_pa_pk_as_req;
126 
127 /* DHRepInfo */
128 typedef struct _krb5_dh_rep_info {
129 	krb5_octet_data	dhSignedData;
130 	krb5_octet_data	serverDHNonce; /* Optional */
131 } krb5_dh_rep_info;
132 
133 /* KDCDHKeyInfo */
134 typedef struct _krb5_kdc_dh_key_info {
135 	krb5_octet_data	subjectPublicKey; /* BIT STRING */
136 	krb5_int32	nonce;	/* (0..4294967295) */
137 	krb5_timestamp	dhKeyExpiration; /* Optional */
138 } krb5_kdc_dh_key_info;
139 
140 /* KDCDHKeyInfo draft9*/
141 typedef struct _krb5_kdc_dh_key_info_draft9 {
142 	krb5_octet_data	subjectPublicKey; /* BIT STRING */
143 	krb5_int32	nonce;	/* (0..4294967295) */
144 } krb5_kdc_dh_key_info_draft9;
145 
146 /* ReplyKeyPack */
147 typedef struct _krb5_reply_key_pack {
148 	krb5_keyblock	replyKey;
149 	krb5_checksum	asChecksum;
150 } krb5_reply_key_pack;
151 
152 /* ReplyKeyPack */
153 typedef struct _krb5_reply_key_pack_draft9 {
154 	krb5_keyblock	replyKey;
155 	krb5_int32	nonce;
156 } krb5_reply_key_pack_draft9;
157 
158 /* PA-PK-AS-REP (Draft 9 -- PA TYPE 15) */
159 typedef struct _krb5_pa_pk_as_rep_draft9 {
160 	enum {
161 		choice_pa_pk_as_rep_draft9_UNKNOWN = -1,
162 		choice_pa_pk_as_rep_draft9_dhSignedData = 0,
163 		choice_pa_pk_as_rep_draft9_encKeyPack = 1
164 	} choice;
165 	union {
166 		krb5_octet_data dhSignedData;
167 		krb5_octet_data encKeyPack;
168 	} u;
169 } krb5_pa_pk_as_rep_draft9;
170 
171 /* PA-PK-AS-REP (rfc4556 -- PA TYPE 17) */
172 typedef struct _krb5_pa_pk_as_rep {
173 	enum {
174 		choice_pa_pk_as_rep_UNKNOWN = -1,
175 		choice_pa_pk_as_rep_dhInfo = 0,
176 		choice_pa_pk_as_rep_encKeyPack = 1
177 	} choice;
178 	union {
179 		krb5_dh_rep_info    dh_Info;
180 		krb5_octet_data	    encKeyPack;
181 	} u;
182 } krb5_pa_pk_as_rep;
183 
184 /*
185  * Begin "asn1.h"
186  */
187 
188 /*************************************************************************
189  * Prototypes for pkinit asn.1 encode routines
190  *************************************************************************/
191 
192 krb5_error_code encode_krb5_pa_pk_as_req
193 	(const krb5_pa_pk_as_req *rep, krb5_data **code);
194 
195 krb5_error_code encode_krb5_pa_pk_as_req_draft9
196 	(const krb5_pa_pk_as_req_draft9 *rep, krb5_data **code);
197 
198 krb5_error_code encode_krb5_pa_pk_as_rep
199 	(const krb5_pa_pk_as_rep *rep, krb5_data **code);
200 
201 krb5_error_code encode_krb5_pa_pk_as_rep_draft9
202 	(const krb5_pa_pk_as_rep_draft9 *rep, krb5_data **code);
203 
204 krb5_error_code encode_krb5_auth_pack
205 	(const krb5_auth_pack *rep, krb5_data **code);
206 
207 krb5_error_code encode_krb5_auth_pack_draft9
208 	(const krb5_auth_pack_draft9 *rep, krb5_data **code);
209 
210 krb5_error_code encode_krb5_kdc_dh_key_info
211 	(const krb5_kdc_dh_key_info *rep, krb5_data **code);
212 
213 krb5_error_code encode_krb5_reply_key_pack
214 	(const krb5_reply_key_pack *, krb5_data **code);
215 
216 krb5_error_code encode_krb5_reply_key_pack_draft9
217 	(const krb5_reply_key_pack_draft9 *, krb5_data **code);
218 
219 krb5_error_code encode_krb5_typed_data
220 	(const krb5_typed_data **, krb5_data **code);
221 
222 krb5_error_code encode_krb5_td_trusted_certifiers
223 	(const krb5_external_principal_identifier **, krb5_data **code);
224 
225 krb5_error_code encode_krb5_td_dh_parameters
226 	(const krb5_algorithm_identifier **, krb5_data **code);
227 
228 /*************************************************************************
229  * Prototypes for pkinit asn.1 decode routines
230  *************************************************************************/
231 
232 krb5_error_code decode_krb5_pa_pk_as_req
233 	(const krb5_data *, krb5_pa_pk_as_req **);
234 
235 krb5_error_code decode_krb5_pa_pk_as_req_draft9
236 	(const krb5_data *, krb5_pa_pk_as_req_draft9 **);
237 
238 krb5_error_code decode_krb5_pa_pk_as_rep
239 	(const krb5_data *, krb5_pa_pk_as_rep **);
240 
241 krb5_error_code decode_krb5_pa_pk_as_rep_draft9
242 	(const krb5_data *, krb5_pa_pk_as_rep_draft9 **);
243 
244 krb5_error_code decode_krb5_auth_pack
245 	(const krb5_data *, krb5_auth_pack **);
246 
247 krb5_error_code decode_krb5_auth_pack_draft9
248 	(const krb5_data *, krb5_auth_pack_draft9 **);
249 
250 krb5_error_code decode_krb5_kdc_dh_key_info
251 	(const krb5_data *, krb5_kdc_dh_key_info **);
252 
253 krb5_error_code decode_krb5_principal_name
254 	(const krb5_data *, krb5_principal_data **);
255 
256 krb5_error_code decode_krb5_reply_key_pack
257 	(const krb5_data *, krb5_reply_key_pack **);
258 
259 krb5_error_code decode_krb5_reply_key_pack_draft9
260 	(const krb5_data *, krb5_reply_key_pack_draft9 **);
261 
262 krb5_error_code decode_krb5_typed_data
263 	(const krb5_data *, krb5_typed_data ***);
264 
265 krb5_error_code decode_krb5_td_trusted_certifiers
266 	(const krb5_data *, krb5_external_principal_identifier ***);
267 
268 krb5_error_code decode_krb5_td_dh_parameters
269 	(const krb5_data *, krb5_algorithm_identifier ***);
270 
271 #endif /* _KRB5_INT_PKINIT_H */
272