xref: /illumos-gate/usr/src/lib/krb5/plugins/preauth/pkinit/pkinit_crypto.h (revision 46b592853d0f4f11781b6b0a7533f267c6aee132)
1 /*
2  * COPYRIGHT (C) 2007
3  * THE REGENTS OF THE UNIVERSITY OF MICHIGAN
4  * ALL RIGHTS RESERVED
5  *
6  * Permission is granted to use, copy, create derivative works
7  * and redistribute this software and such derivative works
8  * for any purpose, so long as the name of The University of
9  * Michigan is not used in any advertising or publicity
10  * pertaining to the use of distribution of this software
11  * without specific, written prior authorization.  If the
12  * above copyright notice or any other identification of the
13  * University of Michigan is included in any copy of any
14  * portion of this software, then the disclaimer below must
15  * also be included.
16  *
17  * THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION
18  * FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY
19  * PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF
20  * MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING
21  * WITHOUT LIMITATION THE IMPLIED WARRANTIES OF
22  * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE
23  * REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE
24  * FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR
25  * CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING
26  * OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN
27  * IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF
28  * SUCH DAMAGES.
29  */
30 
31 /*
32  * This header defines the cryptographic interface
33  */
34 
35 #ifndef _PKINIT_CRYPTO_H
36 #define _PKINIT_CRYPTO_H
37 
38 /* Solaris Kerberos */
39 #include <krb5.h>
40 #include <preauth_plugin.h>
41 #include <k5-int-pkinit.h>
42 #include <profile.h>
43 #include "pkinit_accessor.h"
44 
45 /*
46  * these describe the CMS message types
47  */
48 enum cms_msg_types {
49     CMS_SIGN_CLIENT,
50     CMS_SIGN_DRAFT9,
51     CMS_SIGN_SERVER,
52     CMS_ENVEL_SERVER
53 };
54 
55 /*
56  * storage types for identity information
57  */
58 #define IDTYPE_FILE     1
59 #define IDTYPE_DIR      2
60 #define IDTYPE_PKCS11   3
61 #define IDTYPE_ENVVAR   4
62 #define IDTYPE_PKCS12   5
63 
64 /*
65  * ca/crl types
66  */
67 #define CATYPE_ANCHORS          1
68 #define CATYPE_INTERMEDIATES    2
69 #define CATYPE_CRLS             3
70 
71 /*
72  * The following represent Key Usage values that we
73  * may care about in a certificate
74  */
75 #define PKINIT_KU_DIGITALSIGNATURE      0x80000000
76 #define PKINIT_KU_KEYENCIPHERMENT       0x40000000
77 
78 /*
79  * The following represent Extended Key Usage oid values
80  * that we may care about in a certificate
81  */
82 #define PKINIT_EKU_PKINIT               0x80000000
83 #define PKINIT_EKU_MSSCLOGIN            0x40000000
84 #define PKINIT_EKU_CLIENTAUTH           0x20000000
85 #define PKINIT_EKU_EMAILPROTECTION      0x10000000
86 
87 
88 /* Handle to cert, opaque above crypto interface */
89 typedef struct _pkinit_cert_info *pkinit_cert_handle;
90 
91 /* Handle to cert iteration information, opaque above crypto interface */
92 typedef struct _pkinit_cert_iter_info *pkinit_cert_iter_handle;
93 
94 #define PKINIT_ITER_NO_MORE	0x11111111  /* XXX */
95 
96 typedef struct _pkinit_cert_matching_data {
97     pkinit_cert_handle ch;  /* cert handle for this certificate */
98     char *subject_dn;	    /* rfc2253-style subject name string */
99     char *issuer_dn;	    /* rfc2253-style issuer name string */
100     unsigned int ku_bits;   /* key usage information */
101     unsigned int eku_bits;  /* extended key usage information */
102     krb5_principal *sans;   /* Null-terminated array of subject alternative
103 			       name info (pkinit and ms-upn) */
104 } pkinit_cert_matching_data;
105 
106 /*
107  * Functions to initialize and cleanup crypto contexts
108  */
109 krb5_error_code pkinit_init_plg_crypto(pkinit_plg_crypto_context *);
110 void pkinit_fini_plg_crypto(pkinit_plg_crypto_context);
111 
112 krb5_error_code pkinit_init_req_crypto(pkinit_req_crypto_context *);
113 void pkinit_fini_req_crypto(pkinit_req_crypto_context);
114 
115 krb5_error_code pkinit_init_identity_crypto(pkinit_identity_crypto_context *);
116 void pkinit_fini_identity_crypto(pkinit_identity_crypto_context);
117 
118 /*
119  * this function creates a CMS message where eContentType is SignedData
120  */
121 krb5_error_code cms_signeddata_create
122 	(krb5_context context,				/* IN */
123 	pkinit_plg_crypto_context plg_cryptoctx,	/* IN */
124 	pkinit_req_crypto_context req_cryptoctx,	/* IN */
125 	pkinit_identity_crypto_context id_cryptoctx,	/* IN */
126 	int cms_msg_type,				/* IN
127 		    specifies CMS_SIGN_CLIENT for client-side CMS message
128 		    and CMS_SIGN_SERVER for kdc-side */
129 	int include_certchain,				/* IN
130 		    specifies where certificates field in SignedData
131 		    should contain certificate path */
132 	unsigned char *auth_pack,			/* IN
133 		    contains DER encoded AuthPack (CMS_SIGN_CLIENT)
134 		    or DER encoded DHRepInfo (CMS_SIGN_SERVER) */
135 	unsigned int auth_pack_len,			/* IN
136 		    contains length of auth_pack */
137 	unsigned char **signed_data,			/* OUT
138 		    for CMS_SIGN_CLIENT receives DER encoded
139 		    SignedAuthPack (CMS_SIGN_CLIENT) or DER
140 		    encoded DHInfo (CMS_SIGN_SERVER) */
141 	unsigned int *signed_data_len);			/* OUT
142 		    receives length of signed_data */
143 
144 /*
145  * this function verifies a CMS message where eContentType is SignedData
146  */
147 krb5_error_code cms_signeddata_verify
148 	(krb5_context context,				/* IN */
149 	pkinit_plg_crypto_context plg_cryptoctx,	/* IN */
150 	pkinit_req_crypto_context req_cryptoctx,	/* IN */
151 	pkinit_identity_crypto_context id_cryptoctx,	/* IN */
152 	int cms_msg_type,				/* IN
153 		    specifies CMS_SIGN_CLIENT for client-side
154 		    CMS message and CMS_SIGN_SERVER for kdc-side */
155 	int require_crl_checking,			/* IN
156 		    specifies whether CRL checking should be
157 		    strictly enforced, i.e. if no CRLs available
158 		    for the CA then fail verification.
159 		    note, if the value is 0, crls are still
160 		    checked if present */
161 	unsigned char *signed_data,			/* IN
162 		    contains DER encoded SignedAuthPack (CMS_SIGN_CLIENT)
163 		    or DER encoded DHInfo (CMS_SIGN_SERVER) */
164 	unsigned int signed_data_len,			/* IN
165 		    contains length of signed_data*/
166 	unsigned char **auth_pack,			/* OUT
167 		    receives DER encoded AuthPack (CMS_SIGN_CLIENT)
168 		    or DER encoded DHRepInfo (CMS_SIGN_SERVER)*/
169 	unsigned int *auth_pack_len,			/* OUT
170 		    receives length of auth_pack */
171 	unsigned char **authz_data,			/* OUT
172 		    receives required authorization data that
173 		    contains the verified certificate chain
174 		    (only used by the KDC) */
175 	unsigned int *authz_data_len);			/* OUT
176 		    receives length of authz_data */
177 
178 /*
179  * this function creates a CMS message where eContentType is EnvelopedData
180  */
181 krb5_error_code cms_envelopeddata_create
182 	(krb5_context context,				/* IN */
183 	pkinit_plg_crypto_context plg_cryptoctx,	/* IN */
184 	pkinit_req_crypto_context req_cryptoctx,	/* IN */
185 	pkinit_identity_crypto_context id_cryptoctx,	/* IN */
186 	krb5_preauthtype pa_type,			/* IN */
187 	int include_certchain,				/* IN
188 		    specifies whether the certificates field in
189 		    SignedData should contain certificate path */
190 	unsigned char *key_pack,			/* IN
191 		    contains DER encoded ReplyKeyPack */
192 	unsigned int key_pack_len,			/* IN
193 		    contains length of key_pack */
194 	unsigned char **envel_data,			/* OUT
195 		    receives DER encoded encKeyPack */
196 	unsigned int *envel_data_len);			/* OUT
197 		    receives length of envel_data */
198 
199 /*
200  * this function creates a CMS message where eContentType is EnvelopedData
201  */
202 krb5_error_code cms_envelopeddata_verify
203 	(krb5_context context,				/* IN */
204 	pkinit_plg_crypto_context plg_cryptoctx,	/* IN */
205 	pkinit_req_crypto_context req_cryptoctx,	/* IN */
206 	pkinit_identity_crypto_context id_cryptoctx,	/* IN */
207 	krb5_preauthtype pa_type,			/* IN */
208 	int require_crl_checking,			/* IN
209 		    specifies whether CRL checking should be
210 		    strictly enforced */
211 	unsigned char *envel_data,			/* IN
212 		    contains DER encoded encKeyPack */
213 	unsigned int envel_data_len,			/* IN
214 		    contains length of envel_data */
215 	unsigned char **signed_data,			/* OUT
216 		    receives ReplyKeyPack */
217 	unsigned int *signed_data_len);			/* OUT
218 		    receives length of signed_data */
219 
220 /*
221  * this function returns SAN information found in the
222  * received certificate.  at least one of pkinit_sans,
223  * upn_sans, or kdc_hostnames must be non-NULL.
224  */
225 krb5_error_code crypto_retrieve_cert_sans
226 	(krb5_context context,				/* IN */
227 	pkinit_plg_crypto_context plg_cryptoctx,	/* IN */
228 	pkinit_req_crypto_context req_cryptoctx,	/* IN */
229 	pkinit_identity_crypto_context id_cryptoctx,	/* IN */
230 	krb5_principal **pkinit_sans,			/* OUT
231 		    if non-NULL, a null-terminated array of
232 		    id-pkinit-san values found in the certificate
233 		    are returned */
234 	krb5_principal **upn_sans,			/* OUT
235 		    if non-NULL, a null-terminated array of
236 		    id-ms-upn-san values found in the certificate
237 		    are returned */
238 	unsigned char ***kdc_hostname);			/* OUT
239 		    if non-NULL, a null-terminated array of
240 		    dNSName (hostname) SAN values found in the
241 		    certificate are returned */
242 
243 /*
244  * this function checks for acceptable key usage values
245  * in the received certificate.
246  *
247  * when checking a received kdc certificate, it looks for
248  * the kpKdc key usage.  if allow_secondary_usage is
249  * non-zero, it will also accept kpServerAuth.
250  *
251  * when checking a received user certificate, it looks for
252  * kpClientAuth key usage.  if allow_secondary_usage is
253  * non-zero, it will also accept id-ms-sc-logon EKU.
254  *
255  * this function must also assert that the digitalSignature
256  * key usage is consistent.
257  */
258 krb5_error_code crypto_check_cert_eku
259 	(krb5_context context,				/* IN */
260 	pkinit_plg_crypto_context plg_cryptoctx,	/* IN */
261 	pkinit_req_crypto_context req_cryptoctx,	/* IN */
262 	pkinit_identity_crypto_context id_cryptoctx,	/* IN */
263 	int checking_kdc_cert,				/* IN
264 		    specifies if the received certificate is
265 		    a KDC certificate (non-zero),
266 		    or a user certificate (zero) */
267 	int allow_secondary_usage,			/* IN
268 		    specifies if the secondary key usage
269 		    should be accepted or not (see above) */
270 	int *eku_valid);				/* OUT
271 		    receives non-zero if an acceptable EKU was found */
272 
273 /*
274  * this functions takes in generated DH secret key and converts
275  * it in to a kerberos session key. it takes into the account the
276  * enc type and then follows the procedure specified in the RFC p 22.
277  */
278 krb5_error_code pkinit_octetstring2key
279 	(krb5_context context,				/* IN */
280 	krb5_enctype etype,				/* IN
281 		    specifies the enc type */
282 	unsigned char *key,				/* IN
283 		    contains the DH secret key */
284 	unsigned int key_len,				/* IN
285 		    contains length of key */
286 	krb5_keyblock * krb5key);			/* OUT
287 		    receives kerberos session key */
288 
289 /*
290  * this function implements clients first part of the DH protocol.
291  * client selects its DH parameters and pub key
292  */
293 krb5_error_code client_create_dh
294 	(krb5_context context,				/* IN */
295 	pkinit_plg_crypto_context plg_cryptoctx,	/* IN */
296 	pkinit_req_crypto_context req_cryptoctx,	/* IN */
297 	pkinit_identity_crypto_context id_cryptoctx,	/* IN */
298 	int dh_size,					/* IN
299 		    specifies the DH modulous, eg 1024, 2048, or 4096 */
300 	unsigned char **dh_paramas,			/* OUT
301 		    contains DER encoded DH params */
302 	unsigned int *dh_params_len,			/* OUT
303 		    contains length of dh_parmas */
304 	unsigned char **dh_pubkey,			/* OUT
305 		    receives DER encoded DH pub key */
306 	unsigned int *dh_pubkey_len);			/* OUT
307 		    receives length of dh_pubkey */
308 
309 /*
310  * this function completes client's the DH protocol. client
311  * processes received DH pub key from the KDC and computes
312  * the DH secret key
313  */
314 krb5_error_code client_process_dh
315 	(krb5_context context,				/* IN */
316 	pkinit_plg_crypto_context plg_cryptoctx,	/* IN */
317 	pkinit_req_crypto_context req_cryptoctx,	/* IN */
318 	pkinit_identity_crypto_context id_cryptoctx,	/* IN */
319 	unsigned char *dh_pubkey,			/* IN
320 		    contains client's DER encoded DH pub key */
321 	unsigned int dh_pubkey_len,			/* IN
322 		    contains length of dh_pubkey */
323 	unsigned char **dh_session_key,			/* OUT
324 		    receives DH secret key */
325 	unsigned int *dh_session_key_len);		/* OUT
326 		    receives length of dh_session_key */
327 
328 /*
329  * this function implements the KDC first part of the DH protocol.
330  * it decodes the client's DH parameters and pub key and checks
331  * if they are acceptable.
332  */
333 krb5_error_code server_check_dh
334 	(krb5_context context,				/* IN */
335 	pkinit_plg_crypto_context plg_cryptoctx,	/* IN */
336 	pkinit_req_crypto_context req_cryptoctx,	/* IN */
337 	pkinit_identity_crypto_context id_cryptoctx,	/* IN */
338 	krb5_octet_data *dh_params,			/* IN
339 		    ???? */
340 	int minbits);					/* IN
341 		    the mininum number of key bits acceptable */
342 
343 /*
344  * this function completes the KDC's DH protocol. The KDC generates
345  * its DH pub key and computes the DH secret key
346  */
347 krb5_error_code server_process_dh
348 	(krb5_context context,				/* IN */
349 	pkinit_plg_crypto_context plg_cryptoctx,	/* IN */
350 	pkinit_req_crypto_context req_cryptoctx,	/* IN */
351 	pkinit_identity_crypto_context id_cryptoctx,	/* IN */
352 	unsigned char *received_pubkey,			/* IN
353 		    contains client's DER encoded DH pub key */
354 	unsigned int received_pub_len,			/* IN
355 		    contains length of received_pubkey */
356 	unsigned char **dh_pubkey,			/* OUT
357 		    receives KDC's DER encoded DH pub key */
358 	unsigned int *dh_pubkey_len,			/* OUT
359 		    receives length of dh_pubkey */
360 	unsigned char **server_key,			/* OUT
361 		    receives DH secret key */
362 	unsigned int *server_key_len);			/* OUT
363 		    receives length of server_key */
364 
365 /*
366  * this functions takes in crypto specific representation of
367  * supportedCMSTypes and creates a list of
368  * krb5_algorithm_identifier
369  */
370 krb5_error_code create_krb5_supportedCMSTypes
371 	(krb5_context context,				/* IN */
372 	pkinit_plg_crypto_context plg_cryptoctx,	/* IN */
373 	pkinit_req_crypto_context req_cryptoctx,	/* IN */
374 	pkinit_identity_crypto_context id_cryptoctx,	/* IN */
375 	krb5_algorithm_identifier ***supportedCMSTypes); /* OUT */
376 
377 /*
378  * this functions takes in crypto specific representation of
379  * trustedCertifiers and creates a list of
380  * krb5_external_principal_identifier
381  */
382 krb5_error_code create_krb5_trustedCertifiers
383 	(krb5_context context,				/* IN */
384 	pkinit_plg_crypto_context plg_cryptoctx,	/* IN */
385 	pkinit_req_crypto_context req_cryptoctx,	/* IN */
386 	pkinit_identity_crypto_context id_cryptoctx,	/* IN */
387 	krb5_external_principal_identifier ***trustedCertifiers); /* OUT */
388 
389 /*
390  * this functions takes in crypto specific representation of
391  * trustedCas (draft9) and creates a list of krb5_trusted_ca (draft9).
392  * draft9 trustedCAs is a CHOICE. we only support choices for
393  * [1] caName and [2] issuerAndSerial.  there is no config
394  * option available to select the choice yet. default = 1.
395  */
396 krb5_error_code create_krb5_trustedCas
397 	(krb5_context context,				/* IN */
398 	pkinit_plg_crypto_context plg_cryptoctx,	/* IN */
399 	pkinit_req_crypto_context req_cryptoctx,	/* IN */
400 	pkinit_identity_crypto_context id_cryptoctx,	/* IN */
401 	int flag,					/* IN
402 		    specifies the tag of the CHOICE */
403 	krb5_trusted_ca ***trustedCas);			/* OUT */
404 
405 /*
406  * this functions takes in crypto specific representation of the
407  * KDC's certificate and creates a DER encoded kdcPKId
408  */
409 krb5_error_code create_issuerAndSerial
410 	(krb5_context context,				/* IN */
411 	pkinit_plg_crypto_context plg_cryptoctx,	/* IN */
412 	pkinit_req_crypto_context req_cryptoctx,	/* IN */
413 	pkinit_identity_crypto_context id_cryptoctx,	/* IN */
414 	unsigned char **kdcId_buf,			/* OUT
415 		    receives DER encoded kdcPKId */
416 	unsigned int *kdcId_len);			/* OUT
417 		    receives length of encoded kdcPKId */
418 
419 /*
420  * process the values from idopts and obtain the cert(s)
421  * specified by those options, populating the id_cryptoctx.
422  */
423 krb5_error_code crypto_load_certs
424 	(krb5_context context,				/* IN */
425 	pkinit_plg_crypto_context plg_cryptoctx,	/* IN */
426 	pkinit_req_crypto_context req_cryptoctx,	/* IN */
427 	pkinit_identity_opts *idopts,			/* IN */
428 	pkinit_identity_crypto_context id_cryptoctx,	/* IN/OUT */
429 	krb5_principal princ);				/* IN */
430 
431 /*
432  * Free up information held from crypto_load_certs()
433  */
434 krb5_error_code crypto_free_cert_info
435 	(krb5_context context,
436 	pkinit_plg_crypto_context plg_cryptoctx,
437 	pkinit_req_crypto_context req_cryptoctx,
438 	pkinit_identity_crypto_context id_cryptoctx);
439 
440 
441 /*
442  * Get number of certificates available after crypto_load_certs()
443  */
444 krb5_error_code crypto_cert_get_count
445 	(krb5_context context,				/* IN */
446 	pkinit_plg_crypto_context plg_cryptoctx,	/* IN */
447 	pkinit_req_crypto_context req_cryptoctx,	/* IN */
448 	pkinit_identity_crypto_context id_cryptoctx,	/* IN */
449 	int *cert_count);				/* OUT */
450 
451 /*
452  * Begin iteration over the certs loaded in crypto_load_certs()
453  */
454 krb5_error_code crypto_cert_iteration_begin
455 	(krb5_context context,				/* IN */
456 	pkinit_plg_crypto_context plg_cryptoctx,	/* IN */
457 	pkinit_req_crypto_context req_cryptoctx,	/* IN */
458 	pkinit_identity_crypto_context id_cryptoctx,	/* IN */
459 	pkinit_cert_iter_handle *iter_handle);		/* OUT */
460 
461 /*
462  * End iteration over the certs loaded in crypto_load_certs()
463  */
464 krb5_error_code crypto_cert_iteration_end
465 	(krb5_context context,				/* IN */
466 	pkinit_cert_iter_handle iter_handle);		/* IN */
467 
468 /*
469  * Get next certificate handle
470  */
471 krb5_error_code crypto_cert_iteration_next
472 	(krb5_context context,				/* IN */
473 	pkinit_cert_iter_handle iter_handle,		/* IN */
474 	pkinit_cert_handle *cert_handle);		/* OUT */
475 
476 /*
477  * Release cert handle
478  */
479 krb5_error_code crypto_cert_release
480 	(krb5_context context,				/* IN */
481 	pkinit_cert_handle cert_handle);		/* IN */
482 
483 /*
484  * Get certificate matching information
485  */
486 krb5_error_code crypto_cert_get_matching_data
487 	(krb5_context context,				/* IN */
488 	pkinit_cert_handle cert_handle,			/* IN */
489 	pkinit_cert_matching_data **ret_data);		/* OUT */
490 
491 /*
492  * Free certificate information
493  */
494 krb5_error_code crypto_cert_free_matching_data
495 	(krb5_context context,				/* IN */
496 	pkinit_cert_matching_data *data);		/* IN */
497 
498 /*
499  * Make the given certificate "the chosen one"
500  */
501 krb5_error_code crypto_cert_select
502 	(krb5_context context,				/* IN */
503 	pkinit_cert_matching_data *data);		/* IN */
504 
505 /*
506  * Select the default certificate as "the chosen one"
507  */
508 krb5_error_code crypto_cert_select_default
509 	(krb5_context context,				/* IN */
510 	pkinit_plg_crypto_context plg_cryptoctx,	/* IN */
511 	pkinit_req_crypto_context req_cryptoctx,	/* IN */
512 	pkinit_identity_crypto_context id_cryptoctx);	/* IN */
513 
514 /*
515  * process the values from idopts and obtain the anchor or
516  * intermediate certificates, or crls specified by idtype,
517  * catype, and id
518  */
519 krb5_error_code crypto_load_cas_and_crls
520 	(krb5_context context,				/* IN */
521 	pkinit_plg_crypto_context plg_cryptoctx,	/* IN */
522 	pkinit_req_crypto_context req_cryptoctx,	/* IN */
523 	pkinit_identity_opts *idopts,			/* IN */
524 	pkinit_identity_crypto_context id_cryptoctx,	/* IN/OUT */
525 	int idtype,					/* IN
526 		    defines the storage type (file, directory, etc) */
527 	int catype,					/* IN
528 		    defines the ca type (anchor, intermediate, crls) */
529 	char *id);					/* IN
530 		    defines the location (filename, directory name, etc) */
531 
532 /*
533  * on the client, obtain the kdc's certificate to include
534  * in a request
535  */
536 krb5_error_code pkinit_get_kdc_cert
537 	(krb5_context context,				/* IN */
538 	pkinit_plg_crypto_context plg_cryptoctx,	/* IN */
539 	pkinit_req_crypto_context req_cryptoctx,	/* IN */
540 	pkinit_identity_crypto_context id_cryptoctx,	/* IN/OUT */
541 	krb5_principal princ);				/* IN */
542 
543 /*
544  * this function creates edata that contains TD-DH-PARAMETERS
545  */
546 krb5_error_code pkinit_create_td_dh_parameters
547 	(krb5_context context,				/* IN */
548 	pkinit_plg_crypto_context plg_cryptoctx,	/* IN */
549 	pkinit_req_crypto_context req_cryptoctx,	/* IN */
550 	pkinit_identity_crypto_context id_cryptoctx,	/* IN */
551 	pkinit_plg_opts *opts,				/* IN */
552 	krb5_data **edata);				/* OUT */
553 
554 /*
555  * this function processes edata that contains TD-DH-PARAMETERS.
556  * the client processes the received acceptable by KDC DH
557  * parameters and picks the first acceptable to it. it matches
558  * them against the known DH parameters.
559  */
560 krb5_error_code pkinit_process_td_dh_params
561 	(krb5_context context,				/* IN */
562 	pkinit_plg_crypto_context plg_cryptoctx,	/* IN */
563 	pkinit_req_crypto_context req_cryptoctx,	/* IN */
564 	pkinit_identity_crypto_context id_cryptoctx,	/* IN */
565 	krb5_algorithm_identifier **algId,		/* IN */
566 	int *new_dh_size);				/* OUT
567 		    receives the new DH modulus to use in the new AS-REQ */
568 
569 /*
570  * this function creates edata that contains TD-INVALID-CERTIFICATES
571  */
572 krb5_error_code pkinit_create_td_invalid_certificate
573 	(krb5_context context,				/* IN */
574 	pkinit_plg_crypto_context plg_cryptoctx,	/* IN */
575 	pkinit_req_crypto_context req_cryptoctx,	/* IN */
576 	pkinit_identity_crypto_context id_cryptoctx,	/* IN */
577 	krb5_data **edata);				/* OUT */
578 
579 /*
580  * this function creates edata that contains TD-TRUSTED-CERTIFIERS
581  */
582 krb5_error_code pkinit_create_td_trusted_certifiers
583 	(krb5_context context,				/* IN */
584 	pkinit_plg_crypto_context plg_cryptoctx,	/* IN */
585 	pkinit_req_crypto_context req_cryptoctx,	/* IN */
586 	pkinit_identity_crypto_context id_cryptoctx,	/* IN */
587 	krb5_data **edata);				/* OUT */
588 
589 /*
590  * this function processes edata that contains either
591  * TD-TRUSTED-CERTIFICATES or TD-INVALID-CERTIFICATES.
592  * current implementation only decodes the received message
593  * but does not act on it
594  */
595 krb5_error_code pkinit_process_td_trusted_certifiers
596 	(krb5_context context,				/* IN */
597 	pkinit_plg_crypto_context plg_cryptoctx,	/* IN */
598 	pkinit_req_crypto_context req_cryptoctx,	/* IN */
599 	pkinit_identity_crypto_context id_cryptoctx,	/* IN */
600 	krb5_external_principal_identifier **trustedCertifiers, /* IN */
601 	int td_type);					/* IN */
602 
603 /*
604  * this function checks if the received kdcPKId matches
605  * the KDC's certificate
606  */
607 krb5_error_code pkinit_check_kdc_pkid
608 	(krb5_context context,				/* IN */
609 	pkinit_plg_crypto_context plg_cryptoctx,	/* IN */
610 	pkinit_req_crypto_context req_cryptoctx,	/* IN */
611 	pkinit_identity_crypto_context id_cryptoctx,	/* IN */
612 	unsigned char *pdid_buf,			/* IN
613 		    contains DER encoded kdcPKId */
614 	unsigned int pkid_len,				/* IN
615 		    contains length of pdid_buf */
616 	int *valid_kdcPkId);				/* OUT
617 		    1 if kdcPKId matches, otherwise 0 */
618 
619 krb5_error_code pkinit_identity_set_prompter
620 	(pkinit_identity_crypto_context id_cryptoctx,	/* IN */
621 	krb5_prompter_fct prompter,			/* IN */
622 	void *prompter_data);				/* IN */
623 
624 #endif	/* _PKINIT_CRYPTO_H */
625