/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
 * COPYRIGHT (C) 2006
 * THE REGENTS OF THE UNIVERSITY OF MICHIGAN
 * ALL RIGHTS RESERVED
 *
 * Permission is granted to use, copy, create derivative works
 * and redistribute this software and such derivative works
 * for any purpose, so long as the name of The University of
 * Michigan is not used in any advertising or publicity
 * pertaining to the use of distribution of this software
 * without specific, written prior authorization. If the
 * above copyright notice or any other identification of the
 * University of Michigan is included in any copy of any
 * portion of this software, then the disclaimer below must
 * also be included.
 *
 * THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION
 * FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY
 * PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF
 * MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING
 * WITHOUT LIMITATION THE IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE
 * REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE
 * FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR
 * CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING
 * OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN
 * IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGES.
 */

#ifndef _KRB5_INT_PKINIT_H
#define _KRB5_INT_PKINIT_H
/*
 * pkinit structures
 *
 * C mirrors of the ASN.1 types exchanged in the PKINIT pre-authentication
 * data (RFC 4556 and its extensions).  Ranges quoted in field comments are
 * the ASN.1 constraints; "Optional" marks an OPTIONAL ASN.1 member.
 */

/*
 * AlgorithmIdentifier: an object identifier naming an algorithm plus its
 * optional algorithm-specific parameters.  Used both on its own (e.g. in
 * supportedCMSTypes / TD-DH-PARAMETERS) and embedded in PAChecksum2 and
 * SP80056A OtherInfo below.
 */
typedef struct _krb5_algorithm_identifier {
    krb5_data algorithm;        /* OID */
    krb5_data parameters;       /* Optional; how an absent value is represented
                                   (empty data vs. something else) is decided
                                   by the codec, not here -- confirm */
} krb5_algorithm_identifier;
/*
 * PAChecksum2: a checksum value paired with the AlgorithmIdentifier of the
 * hash that produced it, so the algorithm is carried explicitly rather than
 * implied.  Carried optionally as krb5_pk_authenticator.paChecksum2.
 */
typedef struct _krb5_pachecksum2 {
    krb5_data checksum;                            /* raw checksum bytes */
    krb5_algorithm_identifier algorithmIdentifier; /* hash algorithm used */
} krb5_pachecksum2;
/*
 * PKAuthenticator: carried as krb5_auth_pack.pkAuthenticator.  Binds the
 * client's time, a nonce and a checksum into the signed AuthPack.
 */
typedef struct _krb5_pk_authenticator {
    krb5_int32 cusec;               /* (0..999999) */
    krb5_timestamp ctime;
    krb5_int32 nonce;               /* (0..4294967295) -- note the ASN.1 range is
                                       that of an unsigned 32-bit value while the
                                       field is a signed krb5_int32; presumably the
                                       codec treats it as unsigned.  Confirm before
                                       comparing it against an unsigned value. */
    krb5_data paChecksum;
    krb5_data *freshnessToken;      /* Optional (RFC 8070 freshness token);
                                       presumably NULL when absent -- confirm */
    krb5_pachecksum2 *paChecksum2;  /* Optional; presumably NULL when absent */
} krb5_pk_authenticator;
/**
 * AuthPack from RFC 4556.  This is the structure carried in signed form as
 * krb5_pa_pk_as_req.signedAuthPack, so it is what the client's signature
 * covers.
 */
typedef struct _krb5_auth_pack {
    krb5_pk_authenticator pkAuthenticator;
    krb5_data clientPublicValue;                   /* Optional; client's DH public value */
    krb5_algorithm_identifier **supportedCMSTypes; /* Optional; array of pointers -- the
                                                      terminator convention (NULL-ended?)
                                                      is not visible here, confirm */
    krb5_data clientDHNonce;                       /* Optional */
    krb5_data **supportedKDFs;                     /* OIDs of KDFs; OPTIONAL (algorithm
                                                      agility); same array convention as
                                                      supportedCMSTypes */
} krb5_auth_pack;
69
70
/*
 * ExternalPrincipalIdentifier: identifies a certificate (a trust anchor or
 * the KDC's own certificate) by one or more of three optional handles.
 * All three are optional; a caller should not assume any particular one is
 * populated.
 */
typedef struct _krb5_external_principal_identifier {
    krb5_data subjectName;           /* Optional */
    krb5_data issuerAndSerialNumber; /* Optional */
    krb5_data subjectKeyIdentifier;  /* Optional */
} krb5_external_principal_identifier;
76
77
/*
 * PA-PK-AS-REQ (rfc4556 -- PA TYPE 16): the client's pre-authentication
 * data.  When decoded on the KDC it comes from a not-yet-authenticated
 * client, so signedAuthPack must be verified before anything inside it is
 * trusted.
 */
typedef struct _krb5_pa_pk_as_req {
    krb5_data signedAuthPack;                                /* CMS SignedData over an AuthPack */
    krb5_external_principal_identifier **trustedCertifiers; /* Optional array of pointers;
                                                               terminator convention not
                                                               visible here -- confirm */
    krb5_data kdcPkId;                                       /* Optional */
} krb5_pa_pk_as_req;
/**
 * Pkinit DHRepInfo: the DH branch of PA-PK-AS-REP
 * (krb5_pa_pk_as_rep.u.dh_Info).
 */
typedef struct _krb5_dh_rep_info {
    krb5_data dhSignedData;         /* KDC's signed DH key info */
    krb5_data serverDHNonce;        /* Optional */
    krb5_data *kdfID;               /* OID of selected KDF OPTIONAL; presumably NULL
                                       when the KDC selected none -- confirm */
} krb5_dh_rep_info;
/*
 * KDCDHKeyInfo: the KDC's DH public value and the echoed client nonce.
 * The nonce is expected to be compared against the one the client sent in
 * PKAuthenticator; the same signed/unsigned caveat applies as there.
 */
typedef struct _krb5_kdc_dh_key_info {
    krb5_data subjectPublicKey;     /* BIT STRING */
    krb5_int32 nonce;               /* (0..4294967295) -- unsigned ASN.1 range in a
                                       signed field; see krb5_pk_authenticator.nonce */
    krb5_timestamp dhKeyExpiration; /* Optional; how "absent" is represented in a
                                       plain timestamp is not visible here -- confirm */
} krb5_kdc_dh_key_info;
97
98
/*
 * ReplyKeyPack: the AS reply key together with a checksum over the request.
 * replyKey is live key material; whatever releases this structure should
 * wipe it rather than just free it (the free routine is not declared here).
 */
typedef struct _krb5_reply_key_pack {
    krb5_keyblock replyKey;         /* secret: reply key */
    krb5_checksum asChecksum;       /* checksum binding the reply to the AS-REQ */
} krb5_reply_key_pack;
103
104
/*
 * PA-PK-AS-REP (rfc4556 -- PA TYPE 17): the KDC's reply, a CHOICE between
 * DH key-agreement data (dhInfo) and an encrypted reply key (encKeyPack).
 *
 * `choice` is the discriminator for `u`: read it first and touch only the
 * matching member.  choice_pa_pk_as_rep_UNKNOWN (-1) is not a wire value;
 * presumably the decoder uses it for an unrecognised alternative, in which
 * case neither member of `u` should be read -- confirm against the decoder.
 */
typedef struct _krb5_pa_pk_as_rep {
    enum krb5_pa_pk_as_rep_selection {
        choice_pa_pk_as_rep_UNKNOWN = -1,   /* no valid member of u */
        choice_pa_pk_as_rep_dhInfo = 0,     /* u.dh_Info is valid */
        choice_pa_pk_as_rep_encKeyPack = 1  /* u.encKeyPack is valid */
    } choice;
    union krb5_pa_pk_as_rep_choices {
        krb5_dh_rep_info dh_Info;
        krb5_data encKeyPack;
    } u;
} krb5_pa_pk_as_rep;
116
117
/*
 * SP80056A OtherInfo, for pkinit algorithm agility (RFC 8636): the
 * context input to the NIST SP 800-56A KDF that derives the reply key
 * from the DH shared secret.  party_u_info / party_v_info identify the two
 * parties (which principal is U and which is V is fixed by the protocol,
 * not visible here).
 */
typedef struct _krb5_sp80056a_other_info {
    krb5_algorithm_identifier algorithm_identifier; /* KDF / hash identifier */
    krb5_principal party_u_info;
    krb5_principal party_v_info;
    krb5_data supp_pub_info;                        /* encoded krb5_pkinit_supp_pub_info */
} krb5_sp80056a_other_info;
124
125
/*
 * PkinitSuppPubInfo, for pkinit algorithm agility (RFC 8636): the
 * supplementary public info fed into the KDF, binding the derived key to
 * the negotiated enctype and to the encodings of both halves of the
 * exchange.
 */
typedef struct _krb5_pkinit_supp_pub_info {
    krb5_enctype enctype;   /* enctype of the key being derived */
    krb5_data as_req;       /* encoded AS-REQ */
    krb5_data pk_as_rep;    /* encoded PA-PK-AS-REP */
} krb5_pkinit_supp_pub_info;
131
132
/*
 * Begin "asn1.h"
 */

/*************************************************************************
 * Prototypes for pkinit asn.1 encode routines
 *************************************************************************/

/*
 * ASN.1 encoders for the pkinit structures above.
 *
 * Each takes a const pointer to the structure and a krb5_data ** out
 * parameter, and returns a krb5_error_code (0 on success).  On success the
 * encoding is presumably stored as a newly allocated krb5_data in *code
 * that the caller owns; whether *code is left untouched on failure is not
 * visible in this header -- confirm against the implementation before
 * relying on it.
 *
 * The parameter named `rep` on the request encoders is a misnomer carried
 * over from the reply encoder; it is the structure being encoded.
 */
krb5_error_code
encode_krb5_pa_pk_as_req(const krb5_pa_pk_as_req *rep, krb5_data **code);

krb5_error_code
encode_krb5_pa_pk_as_rep(const krb5_pa_pk_as_rep *rep, krb5_data **code);

krb5_error_code
encode_krb5_auth_pack(const krb5_auth_pack *rep, krb5_data **code);

krb5_error_code
encode_krb5_kdc_dh_key_info(const krb5_kdc_dh_key_info *rep, krb5_data **code);

krb5_error_code
encode_krb5_reply_key_pack(const krb5_reply_key_pack *, krb5_data **code);

/*
 * TD-TRUSTED-CERTIFIERS / TD-DH-PARAMETERS typed-data bodies.  The first
 * argument is an array of pointers; the terminator convention (NULL-ended?)
 * is not visible here -- confirm.
 */
krb5_error_code
encode_krb5_td_trusted_certifiers(krb5_external_principal_identifier *const *,
                                  krb5_data **code);

krb5_error_code
encode_krb5_td_dh_parameters(krb5_algorithm_identifier *const *,
                             krb5_data **code);

/* KDF inputs for algorithm agility; see the two structs above. */
krb5_error_code
encode_krb5_sp80056a_other_info(const krb5_sp80056a_other_info *,
                                krb5_data **);

krb5_error_code
encode_krb5_pkinit_supp_pub_info(const krb5_pkinit_supp_pub_info *,
                                 krb5_data **);

/*************************************************************************
 * Prototypes for pkinit asn.1 decode routines
 *************************************************************************/

/*
 * ASN.1 decoders.
 *
 * The input krb5_data is the raw encoding received from the peer; on the
 * KDC side PA-PK-AS-REQ arrives from a client that has not yet
 * authenticated.  Every field of the decoded structure is therefore
 * untrusted until the caller has checked it: the ranges noted on the
 * structs above, which optional members are present, and the `choice`
 * discriminator of krb5_pa_pk_as_rep.
 *
 * Each returns a krb5_error_code (0 on success) and presumably stores a
 * newly allocated structure in the out parameter, owned by the caller and
 * released with the matching free routine (declared elsewhere).  Do not
 * dereference the out pointer when the return is non-zero; its state on
 * failure is not visible here.
 */
krb5_error_code
decode_krb5_pa_pk_as_req(const krb5_data *, krb5_pa_pk_as_req **);

krb5_error_code
decode_krb5_pa_pk_as_rep(const krb5_data *, krb5_pa_pk_as_rep **);

krb5_error_code
decode_krb5_auth_pack(const krb5_data *, krb5_auth_pack **);

krb5_error_code
decode_krb5_kdc_dh_key_info(const krb5_data *, krb5_kdc_dh_key_info **);

/* Decodes a bare PrincipalName into a krb5_principal_data. */
krb5_error_code
decode_krb5_principal_name(const krb5_data *, krb5_principal_data **);

krb5_error_code
decode_krb5_reply_key_pack(const krb5_data *, krb5_reply_key_pack **);

/*
 * Typed-data bodies; the result is an array of pointers (triple indirection
 * out parameter).  Terminator convention not visible here -- confirm.
 */
krb5_error_code
decode_krb5_td_trusted_certifiers(const krb5_data *,
                                  krb5_external_principal_identifier ***);

krb5_error_code
decode_krb5_td_dh_parameters(const krb5_data *, krb5_algorithm_identifier ***);

/*
 * Encoders for two generic krb5 types used by pkinit (EncryptedData and
 * EncryptionKey); output convention as for the pkinit encoders above.
 */
krb5_error_code
encode_krb5_enc_data(const krb5_enc_data *, krb5_data **);

krb5_error_code
encode_krb5_encryption_key(const krb5_keyblock *rep, krb5_data **code);

/*
 * Presumably encrypts `plain` under `key` with key usage `keyusage` into
 * `cipher`, returning a krb5_error_code (0 on success).  Whether
 * cipher->ciphertext is allocated here or must be sized by the caller is
 * not visible in this header -- confirm against the definition before use.
 */
krb5_error_code
krb5_encrypt_helper(krb5_context context, const krb5_keyblock *key,
                    krb5_keyusage keyusage, const krb5_data *plain,
                    krb5_enc_data *cipher);

#endif /* _KRB5_INT_PKINIT_H */