1 /* 2 * COPYRIGHT (C) 2007 3 * THE REGENTS OF THE UNIVERSITY OF MICHIGAN 4 * ALL RIGHTS RESERVED 5 * 6 * Permission is granted to use, copy, create derivative works 7 * and redistribute this software and such derivative works 8 * for any purpose, so long as the name of The University of 9 * Michigan is not used in any advertising or publicity 10 * pertaining to the use of distribution of this software 11 * without specific, written prior authorization. If the 12 * above copyright notice or any other identification of the 13 * University of Michigan is included in any copy of any 14 * portion of this software, then the disclaimer below must 15 * also be included. 16 * 17 * THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION 18 * FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY 19 * PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF 20 * MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING 21 * WITHOUT LIMITATION THE IMPLIED WARRANTIES OF 22 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE 23 * REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE 24 * FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR 25 * CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING 26 * OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN 27 * IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF 28 * SUCH DAMAGES. 29 */ 30 31 /* 32 * This header defines the cryptographic interface 33 */ 34 35 #ifndef _PKINIT_CRYPTO_H 36 #define _PKINIT_CRYPTO_H 37 38 /* Solaris Kerberos */ 39 #include <krb5.h> 40 #include <preauth_plugin.h> 41 #include <k5-int-pkinit.h> 42 #include <profile.h> 43 #include "pkinit_accessor.h" 44 45 /* 46 * these describe the CMS message types 47 */ 48 enum cms_msg_types { 49 CMS_SIGN_CLIENT, 50 CMS_SIGN_DRAFT9, 51 CMS_SIGN_SERVER, 52 CMS_ENVEL_SERVER 53 }; 54 55 /* 56 * storage types for identity information 57 */ 58 #define IDTYPE_FILE 1 59 #define IDTYPE_DIR 2 60 #define IDTYPE_PKCS11 3 61 #define IDTYPE_ENVVAR 4 62 #define IDTYPE_PKCS12 5 63 64 /* 65 * ca/crl types 66 */ 67 #define CATYPE_ANCHORS 1 68 #define CATYPE_INTERMEDIATES 2 69 #define CATYPE_CRLS 3 70 71 /* 72 * The following represent Key Usage values that we 73 * may care about in a certificate 74 */ 75 #define PKINIT_KU_DIGITALSIGNATURE 0x80000000 76 #define PKINIT_KU_KEYENCIPHERMENT 0x40000000 77 78 /* 79 * The following represent Extended Key Usage oid values 80 * that we may care about in a certificate 81 */ 82 #define PKINIT_EKU_PKINIT 0x80000000 83 #define PKINIT_EKU_MSSCLOGIN 0x40000000 84 #define PKINIT_EKU_CLIENTAUTH 0x20000000 85 #define PKINIT_EKU_EMAILPROTECTION 0x10000000 86 87 88 /* Handle to cert, opaque above crypto interface */ 89 typedef struct _pkinit_cert_info *pkinit_cert_handle; 90 91 /* Handle to cert iteration information, opaque above crypto interface */ 92 typedef struct _pkinit_cert_iter_info *pkinit_cert_iter_handle; 93 94 #define PKINIT_ITER_NO_MORE 0x11111111 /* XXX */ 95 96 typedef struct _pkinit_cert_matching_data { 97 pkinit_cert_handle ch; /* cert handle for this certificate */ 98 char *subject_dn; /* rfc2253-style subject name string */ 99 char *issuer_dn; /* rfc2253-style issuer name string */ 100 unsigned int ku_bits; /* key usage information */ 101 unsigned int eku_bits; /* extended key usage information */ 102 krb5_principal *sans; /* Null-terminated array of subject alternative 103 name info (pkinit and ms-upn) */ 104 } pkinit_cert_matching_data; 105 106 /* 107 * Functions to initialize and cleanup crypto contexts 108 */ 109 krb5_error_code pkinit_init_plg_crypto(pkinit_plg_crypto_context *); 110 void pkinit_fini_plg_crypto(pkinit_plg_crypto_context); 111 112 krb5_error_code pkinit_init_req_crypto(pkinit_req_crypto_context *); 113 void pkinit_fini_req_crypto(pkinit_req_crypto_context); 114 115 krb5_error_code pkinit_init_identity_crypto(pkinit_identity_crypto_context *); 116 void pkinit_fini_identity_crypto(pkinit_identity_crypto_context); 117 118 /* 119 * this function creates a CMS message where eContentType is SignedData 120 */ 121 krb5_error_code cms_signeddata_create 122 (krb5_context context, /* IN */ 123 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 124 pkinit_req_crypto_context req_cryptoctx, /* IN */ 125 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 126 int cms_msg_type, /* IN 127 specifies CMS_SIGN_CLIENT for client-side CMS message 128 and CMS_SIGN_SERVER for kdc-side */ 129 int include_certchain, /* IN 130 specifies where certificates field in SignedData 131 should contain certificate path */ 132 unsigned char *auth_pack, /* IN 133 contains DER encoded AuthPack (CMS_SIGN_CLIENT) 134 or DER encoded DHRepInfo (CMS_SIGN_SERVER) */ 135 unsigned int auth_pack_len, /* IN 136 contains length of auth_pack */ 137 unsigned char **signed_data, /* OUT 138 for CMS_SIGN_CLIENT receives DER encoded 139 SignedAuthPack (CMS_SIGN_CLIENT) or DER 140 encoded DHInfo (CMS_SIGN_SERVER) */ 141 unsigned int *signed_data_len); /* OUT 142 receives length of signed_data */ 143 144 /* 145 * this function verifies a CMS message where eContentType is SignedData 146 */ 147 krb5_error_code cms_signeddata_verify 148 (krb5_context context, /* IN */ 149 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 150 pkinit_req_crypto_context req_cryptoctx, /* IN */ 151 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 152 int cms_msg_type, /* IN 153 specifies CMS_SIGN_CLIENT for client-side 154 CMS message and CMS_SIGN_SERVER for kdc-side */ 155 int require_crl_checking, /* IN 156 specifies whether CRL checking should be 157 strictly enforced, i.e. if no CRLs available 158 for the CA then fail verification. 159 note, if the value is 0, crls are still 160 checked if present */ 161 unsigned char *signed_data, /* IN 162 contains DER encoded SignedAuthPack (CMS_SIGN_CLIENT) 163 or DER encoded DHInfo (CMS_SIGN_SERVER) */ 164 unsigned int signed_data_len, /* IN 165 contains length of signed_data*/ 166 unsigned char **auth_pack, /* OUT 167 receives DER encoded AuthPack (CMS_SIGN_CLIENT) 168 or DER encoded DHRepInfo (CMS_SIGN_SERVER)*/ 169 unsigned int *auth_pack_len, /* OUT 170 receives length of auth_pack */ 171 unsigned char **authz_data, /* OUT 172 receives required authorization data that 173 contains the verified certificate chain 174 (only used by the KDC) */ 175 unsigned int *authz_data_len); /* OUT 176 receives length of authz_data */ 177 178 /* 179 * this function creates a CMS message where eContentType is EnvelopedData 180 */ 181 krb5_error_code cms_envelopeddata_create 182 (krb5_context context, /* IN */ 183 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 184 pkinit_req_crypto_context req_cryptoctx, /* IN */ 185 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 186 krb5_preauthtype pa_type, /* IN */ 187 int include_certchain, /* IN 188 specifies whether the certificates field in 189 SignedData should contain certificate path */ 190 unsigned char *key_pack, /* IN 191 contains DER encoded ReplyKeyPack */ 192 unsigned int key_pack_len, /* IN 193 contains length of key_pack */ 194 unsigned char **envel_data, /* OUT 195 receives DER encoded encKeyPack */ 196 unsigned int *envel_data_len); /* OUT 197 receives length of envel_data */ 198 199 /* 200 * this function creates a CMS message where eContentType is EnvelopedData 201 */ 202 krb5_error_code cms_envelopeddata_verify 203 (krb5_context context, /* IN */ 204 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 205 pkinit_req_crypto_context req_cryptoctx, /* IN */ 206 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 207 krb5_preauthtype pa_type, /* IN */ 208 int require_crl_checking, /* IN 209 specifies whether CRL checking should be 210 strictly enforced */ 211 unsigned char *envel_data, /* IN 212 contains DER encoded encKeyPack */ 213 unsigned int envel_data_len, /* IN 214 contains length of envel_data */ 215 unsigned char **signed_data, /* OUT 216 receives ReplyKeyPack */ 217 unsigned int *signed_data_len); /* OUT 218 receives length of signed_data */ 219 220 /* 221 * this function returns SAN information found in the 222 * received certificate. at least one of pkinit_sans, 223 * upn_sans, or kdc_hostnames must be non-NULL. 224 */ 225 krb5_error_code crypto_retrieve_cert_sans 226 (krb5_context context, /* IN */ 227 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 228 pkinit_req_crypto_context req_cryptoctx, /* IN */ 229 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 230 krb5_principal **pkinit_sans, /* OUT 231 if non-NULL, a null-terminated array of 232 id-pkinit-san values found in the certificate 233 are returned */ 234 krb5_principal **upn_sans, /* OUT 235 if non-NULL, a null-terminated array of 236 id-ms-upn-san values found in the certificate 237 are returned */ 238 unsigned char ***kdc_hostname); /* OUT 239 if non-NULL, a null-terminated array of 240 dNSName (hostname) SAN values found in the 241 certificate are returned */ 242 243 /* 244 * this function checks for acceptable key usage values 245 * in the received certificate. 246 * 247 * when checking a received kdc certificate, it looks for 248 * the kpKdc key usage. if allow_secondary_usage is 249 * non-zero, it will also accept kpServerAuth. 250 * 251 * when checking a received user certificate, it looks for 252 * kpClientAuth key usage. if allow_secondary_usage is 253 * non-zero, it will also accept id-ms-sc-logon EKU. 254 * 255 * this function must also assert that the digitalSignature 256 * key usage is consistent. 257 */ 258 krb5_error_code crypto_check_cert_eku 259 (krb5_context context, /* IN */ 260 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 261 pkinit_req_crypto_context req_cryptoctx, /* IN */ 262 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 263 int checking_kdc_cert, /* IN 264 specifies if the received certificate is 265 a KDC certificate (non-zero), 266 or a user certificate (zero) */ 267 int allow_secondary_usage, /* IN 268 specifies if the secondary key usage 269 should be accepted or not (see above) */ 270 int *eku_valid); /* OUT 271 receives non-zero if an acceptable EKU was found */ 272 273 /* 274 * this functions takes in generated DH secret key and converts 275 * it in to a kerberos session key. it takes into the account the 276 * enc type and then follows the procedure specified in the RFC p 22. 277 */ 278 krb5_error_code pkinit_octetstring2key 279 (krb5_context context, /* IN */ 280 krb5_enctype etype, /* IN 281 specifies the enc type */ 282 unsigned char *key, /* IN 283 contains the DH secret key */ 284 unsigned int key_len, /* IN 285 contains length of key */ 286 krb5_keyblock * krb5key); /* OUT 287 receives kerberos session key */ 288 289 /* 290 * this function implements clients first part of the DH protocol. 291 * client selects its DH parameters and pub key 292 */ 293 krb5_error_code client_create_dh 294 (krb5_context context, /* IN */ 295 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 296 pkinit_req_crypto_context req_cryptoctx, /* IN */ 297 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 298 int dh_size, /* IN 299 specifies the DH modulous, eg 1024, 2048, or 4096 */ 300 unsigned char **dh_paramas, /* OUT 301 contains DER encoded DH params */ 302 unsigned int *dh_params_len, /* OUT 303 contains length of dh_parmas */ 304 unsigned char **dh_pubkey, /* OUT 305 receives DER encoded DH pub key */ 306 unsigned int *dh_pubkey_len); /* OUT 307 receives length of dh_pubkey */ 308 309 /* 310 * this function completes client's the DH protocol. client 311 * processes received DH pub key from the KDC and computes 312 * the DH secret key 313 */ 314 krb5_error_code client_process_dh 315 (krb5_context context, /* IN */ 316 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 317 pkinit_req_crypto_context req_cryptoctx, /* IN */ 318 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 319 unsigned char *dh_pubkey, /* IN 320 contains client's DER encoded DH pub key */ 321 unsigned int dh_pubkey_len, /* IN 322 contains length of dh_pubkey */ 323 unsigned char **dh_session_key, /* OUT 324 receives DH secret key */ 325 unsigned int *dh_session_key_len); /* OUT 326 receives length of dh_session_key */ 327 328 /* 329 * this function implements the KDC first part of the DH protocol. 330 * it decodes the client's DH parameters and pub key and checks 331 * if they are acceptable. 332 */ 333 krb5_error_code server_check_dh 334 (krb5_context context, /* IN */ 335 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 336 pkinit_req_crypto_context req_cryptoctx, /* IN */ 337 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 338 krb5_octet_data *dh_params, /* IN 339 ???? */ 340 int minbits); /* IN 341 the mininum number of key bits acceptable */ 342 343 /* 344 * this function completes the KDC's DH protocol. The KDC generates 345 * its DH pub key and computes the DH secret key 346 */ 347 krb5_error_code server_process_dh 348 (krb5_context context, /* IN */ 349 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 350 pkinit_req_crypto_context req_cryptoctx, /* IN */ 351 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 352 unsigned char *received_pubkey, /* IN 353 contains client's DER encoded DH pub key */ 354 unsigned int received_pub_len, /* IN 355 contains length of received_pubkey */ 356 unsigned char **dh_pubkey, /* OUT 357 receives KDC's DER encoded DH pub key */ 358 unsigned int *dh_pubkey_len, /* OUT 359 receives length of dh_pubkey */ 360 unsigned char **server_key, /* OUT 361 receives DH secret key */ 362 unsigned int *server_key_len); /* OUT 363 receives length of server_key */ 364 365 /* 366 * this functions takes in crypto specific representation of 367 * supportedCMSTypes and creates a list of 368 * krb5_algorithm_identifier 369 */ 370 krb5_error_code create_krb5_supportedCMSTypes 371 (krb5_context context, /* IN */ 372 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 373 pkinit_req_crypto_context req_cryptoctx, /* IN */ 374 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 375 krb5_algorithm_identifier ***supportedCMSTypes); /* OUT */ 376 377 /* 378 * this functions takes in crypto specific representation of 379 * trustedCertifiers and creates a list of 380 * krb5_external_principal_identifier 381 */ 382 krb5_error_code create_krb5_trustedCertifiers 383 (krb5_context context, /* IN */ 384 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 385 pkinit_req_crypto_context req_cryptoctx, /* IN */ 386 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 387 krb5_external_principal_identifier ***trustedCertifiers); /* OUT */ 388 389 /* 390 * this functions takes in crypto specific representation of 391 * trustedCas (draft9) and creates a list of krb5_trusted_ca (draft9). 392 * draft9 trustedCAs is a CHOICE. we only support choices for 393 * [1] caName and [2] issuerAndSerial. there is no config 394 * option available to select the choice yet. default = 1. 395 */ 396 krb5_error_code create_krb5_trustedCas 397 (krb5_context context, /* IN */ 398 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 399 pkinit_req_crypto_context req_cryptoctx, /* IN */ 400 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 401 int flag, /* IN 402 specifies the tag of the CHOICE */ 403 krb5_trusted_ca ***trustedCas); /* OUT */ 404 405 /* 406 * this functions takes in crypto specific representation of the 407 * KDC's certificate and creates a DER encoded kdcPKId 408 */ 409 krb5_error_code create_issuerAndSerial 410 (krb5_context context, /* IN */ 411 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 412 pkinit_req_crypto_context req_cryptoctx, /* IN */ 413 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 414 unsigned char **kdcId_buf, /* OUT 415 receives DER encoded kdcPKId */ 416 unsigned int *kdcId_len); /* OUT 417 receives length of encoded kdcPKId */ 418 419 /* 420 * process the values from idopts and obtain the cert(s) 421 * specified by those options, populating the id_cryptoctx. 422 */ 423 krb5_error_code crypto_load_certs 424 (krb5_context context, /* IN */ 425 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 426 pkinit_req_crypto_context req_cryptoctx, /* IN */ 427 pkinit_identity_opts *idopts, /* IN */ 428 pkinit_identity_crypto_context id_cryptoctx, /* IN/OUT */ 429 krb5_principal princ); /* IN */ 430 431 /* 432 * Free up information held from crypto_load_certs() 433 */ 434 krb5_error_code crypto_free_cert_info 435 (krb5_context context, 436 pkinit_plg_crypto_context plg_cryptoctx, 437 pkinit_req_crypto_context req_cryptoctx, 438 pkinit_identity_crypto_context id_cryptoctx); 439 440 441 /* 442 * Get number of certificates available after crypto_load_certs() 443 */ 444 krb5_error_code crypto_cert_get_count 445 (krb5_context context, /* IN */ 446 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 447 pkinit_req_crypto_context req_cryptoctx, /* IN */ 448 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 449 int *cert_count); /* OUT */ 450 451 /* 452 * Begin iteration over the certs loaded in crypto_load_certs() 453 */ 454 krb5_error_code crypto_cert_iteration_begin 455 (krb5_context context, /* IN */ 456 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 457 pkinit_req_crypto_context req_cryptoctx, /* IN */ 458 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 459 pkinit_cert_iter_handle *iter_handle); /* OUT */ 460 461 /* 462 * End iteration over the certs loaded in crypto_load_certs() 463 */ 464 krb5_error_code crypto_cert_iteration_end 465 (krb5_context context, /* IN */ 466 pkinit_cert_iter_handle iter_handle); /* IN */ 467 468 /* 469 * Get next certificate handle 470 */ 471 krb5_error_code crypto_cert_iteration_next 472 (krb5_context context, /* IN */ 473 pkinit_cert_iter_handle iter_handle, /* IN */ 474 pkinit_cert_handle *cert_handle); /* OUT */ 475 476 /* 477 * Release cert handle 478 */ 479 krb5_error_code crypto_cert_release 480 (krb5_context context, /* IN */ 481 pkinit_cert_handle cert_handle); /* IN */ 482 483 /* 484 * Get certificate matching information 485 */ 486 krb5_error_code crypto_cert_get_matching_data 487 (krb5_context context, /* IN */ 488 pkinit_cert_handle cert_handle, /* IN */ 489 pkinit_cert_matching_data **ret_data); /* OUT */ 490 491 /* 492 * Free certificate information 493 */ 494 krb5_error_code crypto_cert_free_matching_data 495 (krb5_context context, /* IN */ 496 pkinit_cert_matching_data *data); /* IN */ 497 498 /* 499 * Make the given certificate "the chosen one" 500 */ 501 krb5_error_code crypto_cert_select 502 (krb5_context context, /* IN */ 503 pkinit_cert_matching_data *data); /* IN */ 504 505 /* 506 * Select the default certificate as "the chosen one" 507 */ 508 krb5_error_code crypto_cert_select_default 509 (krb5_context context, /* IN */ 510 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 511 pkinit_req_crypto_context req_cryptoctx, /* IN */ 512 pkinit_identity_crypto_context id_cryptoctx); /* IN */ 513 514 /* 515 * process the values from idopts and obtain the anchor or 516 * intermediate certificates, or crls specified by idtype, 517 * catype, and id 518 */ 519 krb5_error_code crypto_load_cas_and_crls 520 (krb5_context context, /* IN */ 521 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 522 pkinit_req_crypto_context req_cryptoctx, /* IN */ 523 pkinit_identity_opts *idopts, /* IN */ 524 pkinit_identity_crypto_context id_cryptoctx, /* IN/OUT */ 525 int idtype, /* IN 526 defines the storage type (file, directory, etc) */ 527 int catype, /* IN 528 defines the ca type (anchor, intermediate, crls) */ 529 char *id); /* IN 530 defines the location (filename, directory name, etc) */ 531 532 /* 533 * on the client, obtain the kdc's certificate to include 534 * in a request 535 */ 536 krb5_error_code pkinit_get_kdc_cert 537 (krb5_context context, /* IN */ 538 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 539 pkinit_req_crypto_context req_cryptoctx, /* IN */ 540 pkinit_identity_crypto_context id_cryptoctx, /* IN/OUT */ 541 krb5_principal princ); /* IN */ 542 543 /* 544 * this function creates edata that contains TD-DH-PARAMETERS 545 */ 546 krb5_error_code pkinit_create_td_dh_parameters 547 (krb5_context context, /* IN */ 548 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 549 pkinit_req_crypto_context req_cryptoctx, /* IN */ 550 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 551 pkinit_plg_opts *opts, /* IN */ 552 krb5_data **edata); /* OUT */ 553 554 /* 555 * this function processes edata that contains TD-DH-PARAMETERS. 556 * the client processes the received acceptable by KDC DH 557 * parameters and picks the first acceptable to it. it matches 558 * them against the known DH parameters. 559 */ 560 krb5_error_code pkinit_process_td_dh_params 561 (krb5_context context, /* IN */ 562 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 563 pkinit_req_crypto_context req_cryptoctx, /* IN */ 564 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 565 krb5_algorithm_identifier **algId, /* IN */ 566 int *new_dh_size); /* OUT 567 receives the new DH modulus to use in the new AS-REQ */ 568 569 /* 570 * this function creates edata that contains TD-INVALID-CERTIFICATES 571 */ 572 krb5_error_code pkinit_create_td_invalid_certificate 573 (krb5_context context, /* IN */ 574 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 575 pkinit_req_crypto_context req_cryptoctx, /* IN */ 576 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 577 krb5_data **edata); /* OUT */ 578 579 /* 580 * this function creates edata that contains TD-TRUSTED-CERTIFIERS 581 */ 582 krb5_error_code pkinit_create_td_trusted_certifiers 583 (krb5_context context, /* IN */ 584 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 585 pkinit_req_crypto_context req_cryptoctx, /* IN */ 586 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 587 krb5_data **edata); /* OUT */ 588 589 /* 590 * this function processes edata that contains either 591 * TD-TRUSTED-CERTIFICATES or TD-INVALID-CERTIFICATES. 592 * current implementation only decodes the received message 593 * but does not act on it 594 */ 595 krb5_error_code pkinit_process_td_trusted_certifiers 596 (krb5_context context, /* IN */ 597 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 598 pkinit_req_crypto_context req_cryptoctx, /* IN */ 599 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 600 krb5_external_principal_identifier **trustedCertifiers, /* IN */ 601 int td_type); /* IN */ 602 603 /* 604 * this function checks if the received kdcPKId matches 605 * the KDC's certificate 606 */ 607 krb5_error_code pkinit_check_kdc_pkid 608 (krb5_context context, /* IN */ 609 pkinit_plg_crypto_context plg_cryptoctx, /* IN */ 610 pkinit_req_crypto_context req_cryptoctx, /* IN */ 611 pkinit_identity_crypto_context id_cryptoctx, /* IN */ 612 unsigned char *pdid_buf, /* IN 613 contains DER encoded kdcPKId */ 614 unsigned int pkid_len, /* IN 615 contains length of pdid_buf */ 616 int *valid_kdcPkId); /* OUT 617 1 if kdcPKId matches, otherwise 0 */ 618 619 krb5_error_code pkinit_identity_set_prompter 620 (pkinit_identity_crypto_context id_cryptoctx, /* IN */ 621 krb5_prompter_fct prompter, /* IN */ 622 void *prompter_data); /* IN */ 623 624 #endif /* _PKINIT_CRYPTO_H */ 625