CoCalc -- pkinit

GitHub Repository: freebsd/freebsd-src
Path: blob/main/crypto/krb5/src/plugins/preauth/pkinit/pkinit_crypto.h
³⁴⁹²³ views
1
/*
2
 * COPYRIGHT (C) 2007
3
 * THE REGENTS OF THE UNIVERSITY OF MICHIGAN
4
 * ALL RIGHTS RESERVED
5
 *
6
 * Permission is granted to use, copy, create derivative works
7
 * and redistribute this software and such derivative works
8
 * for any purpose, so long as the name of The University of
9
 * Michigan is not used in any advertising or publicity
10
 * pertaining to the use of distribution of this software
11
 * without specific, written prior authorization.  If the
12
 * above copyright notice or any other identification of the
13
 * University of Michigan is included in any copy of any
14
 * portion of this software, then the disclaimer below must
15
 * also be included.
16
 *
17
 * THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION
18
 * FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY
19
 * PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF
20
 * MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING
21
 * WITHOUT LIMITATION THE IMPLIED WARRANTIES OF
22
 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE
23
 * REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE
24
 * FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR
25
 * CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING
26
 * OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN
27
 * IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF
28
 * SUCH DAMAGES.
29
 */
30

31
/*
32
 * This header defines the cryptographic interface
33
 */
34

35
#ifndef _PKINIT_CRYPTO_H
36
#define _PKINIT_CRYPTO_H
37

38
#include <krb5/krb5.h>
39
#include <krb5/preauth_plugin.h>
40
#include <k5-int-pkinit.h>
41
#include <profile.h>
42
#include "pkinit_accessor.h"
43

44
/*
45
 * these describe the CMS message types
46
 */
47
enum cms_msg_types {
48
    CMS_SIGN_CLIENT,
49
    CMS_SIGN_SERVER,
50
    CMS_ENVEL_SERVER
51
};
52

53
/*
54
 * storage types for identity information
55
 */
56
#define IDTYPE_FILE     1
57
#define IDTYPE_DIR      2
58
#define IDTYPE_PKCS11   3
59
#define IDTYPE_ENVVAR   4
60
#define IDTYPE_PKCS12   5
61

62
/*
63
 * ca/crl types
64
 */
65
#define CATYPE_ANCHORS          1
66
#define CATYPE_INTERMEDIATES    2
67
#define CATYPE_CRLS             3
68

69
/*
70
 * The following represent Key Usage values that we
71
 * may care about in a certificate
72
 */
73
#define PKINIT_KU_DIGITALSIGNATURE      0x80000000
74
#define PKINIT_KU_KEYENCIPHERMENT       0x40000000
75

76
/*
77
 * The following represent Extended Key Usage oid values
78
 * that we may care about in a certificate
79
 */
80
#define PKINIT_EKU_PKINIT               0x80000000
81
#define PKINIT_EKU_MSSCLOGIN            0x40000000
82
#define PKINIT_EKU_CLIENTAUTH           0x20000000
83
#define PKINIT_EKU_EMAILPROTECTION      0x10000000
84

85

86
/* Handle to cert, opaque above crypto interface */
87
typedef struct _pkinit_cert_info *pkinit_cert_handle;
88

89
/* Handle to cert iteration information, opaque above crypto interface */
90
typedef struct _pkinit_cert_iter_info *pkinit_cert_iter_handle;
91

92
#define PKINIT_ITER_NO_MORE	0x11111111  /* XXX */
93

94
typedef struct _pkinit_cert_matching_data {
95
    char *subject_dn;	    /* rfc2253-style subject name string */
96
    char *issuer_dn;	    /* rfc2253-style issuer name string */
97
    unsigned int ku_bits;   /* key usage information */
98
    unsigned int eku_bits;  /* extended key usage information */
99
    krb5_principal *sans;   /* Null-terminated array of PKINIT SANs */
100
    char **upns;	    /* Null-terimnated array of UPN SANs */
101
} pkinit_cert_matching_data;
102

103
/*
104
 * Functions to initialize and cleanup crypto contexts
105
 */
106
krb5_error_code pkinit_init_plg_crypto(krb5_context,
107
				       pkinit_plg_crypto_context *);
108
void pkinit_fini_plg_crypto(pkinit_plg_crypto_context);
109

110
krb5_error_code pkinit_init_req_crypto(pkinit_req_crypto_context *);
111
void pkinit_fini_req_crypto(pkinit_req_crypto_context);
112

113
krb5_error_code pkinit_init_identity_crypto(pkinit_identity_crypto_context *);
114
void pkinit_fini_identity_crypto(pkinit_identity_crypto_context);
115
/**Create a pkinit ContentInfo*/
116
krb5_error_code cms_contentinfo_create
117
	(krb5_context context,				/* IN */
118
	pkinit_plg_crypto_context plg_cryptoctx,	/* IN */
119
	pkinit_req_crypto_context req_cryptoctx,	/* IN */
120
	pkinit_identity_crypto_context id_cryptoctx,	/* IN */
121
	int cms_msg_type,
122
	unsigned char *in_data, unsigned int in_length,
123
	unsigned char **out_data, unsigned int *out_data_len);
124

125
/*
126
 * this function creates a CMS message where eContentType is SignedData
127
 */
128
krb5_error_code cms_signeddata_create
129
	(krb5_context context,				/* IN */
130
	pkinit_plg_crypto_context plg_cryptoctx,	/* IN */
131
	pkinit_req_crypto_context req_cryptoctx,	/* IN */
132
	pkinit_identity_crypto_context id_cryptoctx,	/* IN */
133
	int cms_msg_type,				/* IN
134
		    specifies CMS_SIGN_CLIENT for client-side CMS message
135
		    and CMS_SIGN_SERVER for kdc-side */
136
	unsigned char *auth_pack,			/* IN
137
		    contains DER encoded AuthPack (CMS_SIGN_CLIENT)
138
		    or DER encoded DHRepInfo (CMS_SIGN_SERVER) */
139
	unsigned int auth_pack_len,			/* IN
140
		    contains length of auth_pack */
141
	unsigned char **signed_data,			/* OUT
142
		    for CMS_SIGN_CLIENT receives DER encoded
143
		    SignedAuthPack (CMS_SIGN_CLIENT) or DER
144
		    encoded DHInfo (CMS_SIGN_SERVER) */
145
	unsigned int *signed_data_len);			/* OUT
146
		    receives length of signed_data */
147

148
/*
149
 * this function verifies a CMS message where eContentType is SignedData
150
 */
151
krb5_error_code cms_signeddata_verify
152
	(krb5_context context,				/* IN */
153
	pkinit_plg_crypto_context plg_cryptoctx,	/* IN */
154
	pkinit_req_crypto_context req_cryptoctx,	/* IN */
155
	pkinit_identity_crypto_context id_cryptoctx,	/* IN */
156
	int cms_msg_type,				/* IN
157
		    specifies CMS_SIGN_CLIENT for client-side
158
		    CMS message and CMS_SIGN_SERVER for kdc-side */
159
	int require_crl_checking,			/* IN
160
		    specifies whether CRL checking should be
161
		    strictly enforced, i.e. if no CRLs available
162
		    for the CA then fail verification.
163
		    note, if the value is 0, crls are still
164
		    checked if present */
165
	unsigned char *signed_data,			/* IN
166
		    contains DER encoded SignedAuthPack (CMS_SIGN_CLIENT)
167
		    or DER encoded DHInfo (CMS_SIGN_SERVER) */
168
	unsigned int signed_data_len,			/* IN
169
		    contains length of signed_data*/
170
	unsigned char **auth_pack,			/* OUT
171
		    receives DER encoded AuthPack (CMS_SIGN_CLIENT)
172
		    or DER encoded DHRepInfo (CMS_SIGN_SERVER)*/
173
	unsigned int *auth_pack_len,			/* OUT
174
		    receives length of auth_pack */
175
	unsigned char **authz_data,			/* OUT
176
		    receives required authorization data that
177
		    contains the verified certificate chain
178
		    (only used by the KDC) */
179
	unsigned int *authz_data_len,			/* OUT
180
		    receives length of authz_data */
181
	int *is_signed);                                /* OUT
182
		    receives whether message is signed */
183

184
/*
185
 * This function retrieves the signer's identity, in a form that could
186
 * be passed back in to a future invocation of this module as a candidate
187
 * client identity location.
188
 */
189
krb5_error_code crypto_retrieve_signer_identity
190
	(krb5_context context,				/* IN */
191
	pkinit_identity_crypto_context id_cryptoctx,	/* IN */
192
	const char **identity);				/* OUT */
193

194
/*
195
 * this function returns SAN information found in the
196
 * received certificate.  at least one of pkinit_sans,
197
 * upn_sans, or kdc_hostnames must be non-NULL.
198
 */
199
krb5_error_code crypto_retrieve_cert_sans
200
	(krb5_context context,				/* IN */
201
	pkinit_plg_crypto_context plg_cryptoctx,	/* IN */
202
	pkinit_req_crypto_context req_cryptoctx,	/* IN */
203
	pkinit_identity_crypto_context id_cryptoctx,	/* IN */
204
	krb5_principal **pkinit_sans,			/* OUT
205
		    if non-NULL, a null-terminated array of
206
		    id-pkinit-san values found in the certificate
207
		    are returned */
208
	char ***upn_sans,				/* OUT
209
		    if non-NULL, a null-terminated array of
210
		    id-ms-upn-san values found in the certificate
211
		    are returned */
212
	unsigned char ***kdc_hostname);			/* OUT
213
		    if non-NULL, a null-terminated array of
214
		    dNSName (hostname) SAN values found in the
215
		    certificate are returned */
216

217
/*
218
 * this function checks for acceptable key usage values
219
 * in the received certificate.
220
 *
221
 * when checking a received kdc certificate, it looks for
222
 * the kpKdc key usage.  if allow_secondary_usage is
223
 * non-zero, it will also accept kpServerAuth.
224
 *
225
 * when checking a received user certificate, it looks for
226
 * kpClientAuth key usage.  if allow_secondary_usage is
227
 * non-zero, it will also accept id-ms-sc-logon EKU.
228
 *
229
 * this function must also assert that the digitalSignature
230
 * key usage is consistent.
231
 */
232
krb5_error_code crypto_check_cert_eku
233
	(krb5_context context,				/* IN */
234
	pkinit_plg_crypto_context plg_cryptoctx,	/* IN */
235
	pkinit_req_crypto_context req_cryptoctx,	/* IN */
236
	pkinit_identity_crypto_context id_cryptoctx,	/* IN */
237
	int checking_kdc_cert,				/* IN
238
		    specifies if the received certificate is
239
		    a KDC certificate (non-zero),
240
		    or a user certificate (zero) */
241
	int allow_secondary_usage,			/* IN
242
		    specifies if the secondary key usage
243
		    should be accepted or not (see above) */
244
	int *eku_valid);				/* OUT
245
		    receives non-zero if an acceptable EKU was found */
246

247
/*
248
 * this function implements clients first part of the DH protocol.
249
 * client selects its DH parameters and pub key
250
 */
251
krb5_error_code client_create_dh
252
	(krb5_context context,				/* IN */
253
	pkinit_plg_crypto_context plg_cryptoctx,	/* IN */
254
	pkinit_req_crypto_context req_cryptoctx,	/* IN */
255
	pkinit_identity_crypto_context id_cryptoctx,	/* IN */
256
	int dh_size,					/* IN
257
		    specifies the DH modulous, eg 1024, 2048, or 4096 */
258
	krb5_data *spki_out);				/* OUT
259
		    receives SubjectPublicKeyInfo encoding */
260

261
/*
262
 * this function completes client's the DH protocol. client
263
 * processes received DH pub key from the KDC and computes
264
 * the DH secret key
265
 */
266
krb5_error_code client_process_dh
267
	(krb5_context context,				/* IN */
268
	pkinit_plg_crypto_context plg_cryptoctx,	/* IN */
269
	pkinit_req_crypto_context req_cryptoctx,	/* IN */
270
	pkinit_identity_crypto_context id_cryptoctx,	/* IN */
271
	unsigned char *dh_pubkey,			/* IN
272
		    contains client's DER encoded DH pub key */
273
	unsigned int dh_pubkey_len,			/* IN
274
		    contains length of dh_pubkey */
275
	unsigned char **client_key_out,			/* OUT
276
		    receives DH secret key */
277
	unsigned int *client_key_len_out);		/* OUT
278
		    receives length of DH secret key */
279

280
/*
281
 * this function implements the KDC first part of the DH protocol.
282
 * it decodes the client's DH parameters and pub key and checks
283
 * if they are acceptable.
284
 */
285
krb5_error_code server_check_dh
286
	(krb5_context context,				/* IN */
287
	pkinit_plg_crypto_context plg_cryptoctx,	/* IN */
288
	pkinit_req_crypto_context req_cryptoctx,	/* IN */
289
	pkinit_identity_crypto_context id_cryptoctx,	/* IN */
290
	const krb5_data *client_spki,			/* IN
291
		    SubjectPublicKeyInfo encoding from client */
292
	int minbits);					/* IN
293
		    the minimum number of key bits acceptable */
294

295
/*
296
 * this function completes the KDC's DH protocol. The KDC generates
297
 * its DH pub key and computes the DH secret key
298
 */
299
krb5_error_code server_process_dh
300
	(krb5_context context,				/* IN */
301
	pkinit_plg_crypto_context plg_cryptoctx,	/* IN */
302
	pkinit_req_crypto_context req_cryptoctx,	/* IN */
303
	pkinit_identity_crypto_context id_cryptoctx,	/* IN */
304
	unsigned char **dh_pubkey_out,			/* OUT
305
		    receives KDC's DER encoded DH pub key */
306
	unsigned int *dh_pubkey_len_out,		/* OUT
307
		    receives length of dh_pubkey */
308
	unsigned char **server_key_out,			/* OUT
309
		    receives DH secret key */
310
	unsigned int *server_key_len_out);		/* OUT
311
		    receives length of DH secret key */
312

313
/*
314
 * this functions takes in crypto specific representation of
315
 * supportedCMSTypes and creates a list of
316
 * krb5_algorithm_identifier
317
 */
318
krb5_error_code create_krb5_supportedCMSTypes
319
	(krb5_context context,				/* IN */
320
	pkinit_plg_crypto_context plg_cryptoctx,	/* IN */
321
	pkinit_req_crypto_context req_cryptoctx,	/* IN */
322
	pkinit_identity_crypto_context id_cryptoctx,	/* IN */
323
	krb5_algorithm_identifier ***supportedCMSTypes); /* OUT */
324

325
/*
326
 * this functions takes in crypto specific representation of
327
 * trustedCertifiers and creates a list of
328
 * krb5_external_principal_identifier
329
 */
330
krb5_error_code create_krb5_trustedCertifiers
331
	(krb5_context context,				/* IN */
332
	pkinit_plg_crypto_context plg_cryptoctx,	/* IN */
333
	pkinit_req_crypto_context req_cryptoctx,	/* IN */
334
	pkinit_identity_crypto_context id_cryptoctx,	/* IN */
335
	krb5_external_principal_identifier ***trustedCertifiers); /* OUT */
336

337
/*
338
 * this functions takes in crypto specific representation of the
339
 * KDC's certificate and creates a DER encoded kdcPKId
340
 */
341
krb5_error_code create_issuerAndSerial
342
	(krb5_context context,				/* IN */
343
	pkinit_plg_crypto_context plg_cryptoctx,	/* IN */
344
	pkinit_req_crypto_context req_cryptoctx,	/* IN */
345
	pkinit_identity_crypto_context id_cryptoctx,	/* IN */
346
	unsigned char **kdcId_buf,			/* OUT
347
		    receives DER encoded kdcPKId */
348
	unsigned int *kdcId_len);			/* OUT
349
		    receives length of encoded kdcPKId */
350

351
/*
352
 * These functions manipulate the deferred-identities list in the identity
353
 * context, which is opaque outside of the crypto-specific bits.
354
 */
355
const pkinit_deferred_id * crypto_get_deferred_ids
356
	(krb5_context context, pkinit_identity_crypto_context id_cryptoctx);
357
krb5_error_code crypto_set_deferred_id
358
	(krb5_context context,
359
	 pkinit_identity_crypto_context id_cryptoctx,
360
	 const char *identity, const char *password);
361

362
/*
363
 * process the values from idopts and obtain the cert(s)
364
 * specified by those options, populating the id_cryptoctx.
365
 */
366
krb5_error_code crypto_load_certs
367
	(krb5_context context,				/* IN */
368
	pkinit_plg_crypto_context plg_cryptoctx,	/* IN */
369
	pkinit_req_crypto_context req_cryptoctx,	/* IN */
370
	pkinit_identity_opts *idopts,			/* IN */
371
	pkinit_identity_crypto_context id_cryptoctx,	/* IN/OUT */
372
	krb5_principal princ,				/* IN */
373
	krb5_boolean defer_id_prompts);			/* IN */
374

375
/*
376
 * Free up information held from crypto_load_certs()
377
 */
378
krb5_error_code crypto_free_cert_info
379
	(krb5_context context,
380
	pkinit_plg_crypto_context plg_cryptoctx,
381
	pkinit_req_crypto_context req_cryptoctx,
382
	pkinit_identity_crypto_context id_cryptoctx);
383

384

385
/*
386
 * Get a null-terminated list of certificate matching data objects for the
387
 * certificates loaded in id_cryptoctx.
388
 */
389
krb5_error_code
390
crypto_cert_get_matching_data(krb5_context context,
391
			      pkinit_plg_crypto_context plg_cryptoctx,
392
			      pkinit_req_crypto_context req_cryptoctx,
393
			      pkinit_identity_crypto_context id_cryptoctx,
394
			      pkinit_cert_matching_data ***md_out);
395

396
/*
397
 * Free a matching data object.
398
 */
399
void
400
crypto_cert_free_matching_data(krb5_context context,
401
			       pkinit_cert_matching_data *md);
402

403
/*
404
 * Free a list of matching data objects.
405
 */
406
void
407
crypto_cert_free_matching_data_list(krb5_context context,
408
				    pkinit_cert_matching_data **matchdata);
409

410
/*
411
 * Choose one of the certificates loaded in idctx to use for PKINIT client
412
 * operations.  cred_index must be an index into the array of matching objects
413
 * returned by crypto_cert_get_matching_data().
414
 */
415
krb5_error_code
416
crypto_cert_select(krb5_context context, pkinit_identity_crypto_context idctx,
417
		   size_t cred_index);
418

419
/*
420
 * Select the default certificate as "the chosen one"
421
 */
422
krb5_error_code crypto_cert_select_default
423
	(krb5_context context,				/* IN */
424
	pkinit_plg_crypto_context plg_cryptoctx,	/* IN */
425
	pkinit_req_crypto_context req_cryptoctx,	/* IN */
426
	pkinit_identity_crypto_context id_cryptoctx);	/* IN */
427

428
/*
429
 * process the values from idopts and obtain the anchor or
430
 * intermediate certificates, or crls specified by idtype,
431
 * catype, and id
432
 */
433
krb5_error_code crypto_load_cas_and_crls
434
	(krb5_context context,				/* IN */
435
	pkinit_plg_crypto_context plg_cryptoctx,	/* IN */
436
	pkinit_req_crypto_context req_cryptoctx,	/* IN */
437
	pkinit_identity_opts *idopts,			/* IN */
438
	pkinit_identity_crypto_context id_cryptoctx,	/* IN/OUT */
439
	int idtype,					/* IN
440
		    defines the storage type (file, directory, etc) */
441
	int catype,					/* IN
442
		    defines the ca type (anchor, intermediate, crls) */
443
	char *id);					/* IN
444
		    defines the location (filename, directory name, etc) */
445

446
/*
447
 * on the client, obtain the kdc's certificate to include
448
 * in a request
449
 */
450
krb5_error_code pkinit_get_kdc_cert
451
	(krb5_context context,				/* IN */
452
	pkinit_plg_crypto_context plg_cryptoctx,	/* IN */
453
	pkinit_req_crypto_context req_cryptoctx,	/* IN */
454
	pkinit_identity_crypto_context id_cryptoctx,	/* IN/OUT */
455
	krb5_principal princ);				/* IN */
456

457
/*
458
 * this function creates edata that contains TD-DH-PARAMETERS
459
 */
460
krb5_error_code pkinit_create_td_dh_parameters
461
	(krb5_context context,				/* IN */
462
	pkinit_plg_crypto_context plg_cryptoctx,	/* IN */
463
	pkinit_req_crypto_context req_cryptoctx,	/* IN */
464
	pkinit_identity_crypto_context id_cryptoctx,	/* IN */
465
	pkinit_plg_opts *opts,				/* IN */
466
	krb5_pa_data ***e_data_out);			/* OUT */
467

468
/*
469
 * this function processes edata that contains TD-DH-PARAMETERS.
470
 * the client processes the received acceptable by KDC DH
471
 * parameters and picks the first acceptable to it. it matches
472
 * them against the known DH parameters.
473
 */
474
krb5_error_code pkinit_process_td_dh_params
475
	(krb5_context context,				/* IN */
476
	pkinit_plg_crypto_context plg_cryptoctx,	/* IN */
477
	pkinit_req_crypto_context req_cryptoctx,	/* IN */
478
	pkinit_identity_crypto_context id_cryptoctx,	/* IN */
479
	krb5_algorithm_identifier **algId,		/* IN */
480
	int *new_dh_size);				/* OUT
481
		    receives the new DH modulus to use in the new AS-REQ */
482

483
/*
484
 * this function creates edata that contains TD-INVALID-CERTIFICATES
485
 */
486
krb5_error_code pkinit_create_td_invalid_certificate
487
	(krb5_context context,				/* IN */
488
	pkinit_plg_crypto_context plg_cryptoctx,	/* IN */
489
	pkinit_req_crypto_context req_cryptoctx,	/* IN */
490
	pkinit_identity_crypto_context id_cryptoctx,	/* IN */
491
	krb5_pa_data ***e_data_out);			/* OUT */
492

493
/*
494
 * this function creates edata that contains TD-TRUSTED-CERTIFIERS
495
 */
496
krb5_error_code pkinit_create_td_trusted_certifiers
497
	(krb5_context context,				/* IN */
498
	pkinit_plg_crypto_context plg_cryptoctx,	/* IN */
499
	pkinit_req_crypto_context req_cryptoctx,	/* IN */
500
	pkinit_identity_crypto_context id_cryptoctx,	/* IN */
501
	krb5_pa_data ***e_data_out);			/* OUT */
502

503
/*
504
 * this function processes edata that contains either
505
 * TD-TRUSTED-CERTIFICATES or TD-INVALID-CERTIFICATES.
506
 * current implementation only decodes the received message
507
 * but does not act on it
508
 */
509
krb5_error_code pkinit_process_td_trusted_certifiers
510
	(krb5_context context,				/* IN */
511
	pkinit_plg_crypto_context plg_cryptoctx,	/* IN */
512
	pkinit_req_crypto_context req_cryptoctx,	/* IN */
513
	pkinit_identity_crypto_context id_cryptoctx,	/* IN */
514
	krb5_external_principal_identifier **trustedCertifiers, /* IN */
515
	int td_type);					/* IN */
516

517
/*
518
 * this function checks if the received kdcPKId matches
519
 * the KDC's certificate
520
 */
521
krb5_error_code pkinit_check_kdc_pkid
522
	(krb5_context context,				/* IN */
523
	pkinit_plg_crypto_context plg_cryptoctx,	/* IN */
524
	pkinit_req_crypto_context req_cryptoctx,	/* IN */
525
	pkinit_identity_crypto_context id_cryptoctx,	/* IN */
526
	unsigned char *pdid_buf,			/* IN
527
		    contains DER encoded kdcPKId */
528
	unsigned int pkid_len,				/* IN
529
		    contains length of pdid_buf */
530
	int *valid_kdcPkId);				/* OUT
531
		    1 if kdcPKId matches, otherwise 0 */
532

533
krb5_error_code pkinit_identity_set_prompter
534
	(pkinit_identity_crypto_context id_cryptoctx,	/* IN */
535
	krb5_prompter_fct prompter,			/* IN */
536
	void *prompter_data);				/* IN */
537

538
krb5_error_code
539
pkinit_kdf(krb5_context context, krb5_data *secret, const krb5_data *alg_oid,
540
	   krb5_const_principal party_u_info,
541
	   krb5_const_principal party_v_info, krb5_enctype enctype,
542
	   const krb5_data *as_req, const krb5_data *pk_as_rep,
543
	   krb5_keyblock *key_block);
544

545
extern const krb5_data kdf_sha1_id;
546
extern const krb5_data kdf_sha256_id;
547
extern const krb5_data kdf_sha512_id;
548
extern const krb5_data cms_sha1_id;
549
extern const krb5_data cms_sha256_id;
550
extern const krb5_data cms_sha384_id;
551
extern const krb5_data cms_sha512_id;
552
extern const krb5_data oakley_1024;
553
extern const krb5_data oakley_2048;
554
extern const krb5_data oakley_4096;
555
extern const krb5_data ec_p256;
556
extern const krb5_data ec_p384;
557
extern const krb5_data ec_p521;
558
extern const krb5_data dh_oid;
559
extern const krb5_data ec_oid;
560

561
/**
562
 * An ordered set of OIDs, stored as krb5_data, of KDF algorithms
563
 * supported by this implementation. The order of this array controls
564
 * the order in which the server will pick.
565
 */
566
extern krb5_data const * const supported_kdf_alg_ids[];
567

568
/* CMS signature algorithms supported by this implementation, in order of
569
 * decreasing preference. */
570
extern krb5_data const * const supported_cms_algs[];
571

572
krb5_error_code
573
crypto_encode_der_cert(krb5_context context, pkinit_req_crypto_context reqctx,
574
		       uint8_t **der_out, size_t *der_len);
575

576
krb5_error_code
577
crypto_req_cert_matching_data(krb5_context context,
578
			      pkinit_plg_crypto_context plgctx,
579
			      pkinit_req_crypto_context reqctx,
580
			      pkinit_cert_matching_data **md_out);
581

582
int parse_dh_min_bits(krb5_context context, const char *str);
583

584
/* Generate a SHA-1 checksum over body in *cksum1_out and a SHA-256 checksum
585
 * over body in *cksum2_out with appropriate metadata. */
586
krb5_error_code
587
crypto_generate_checksums(krb5_context context, const krb5_data *body,
588
			  krb5_data *cksum1_out,
589
			  krb5_pachecksum2 **cksum2_out);
590

591
/* Verify the SHA-1 checksum in cksum1 and the tagged checksum in cksum2.
592
 * cksum2 may be NULL, in which case only cksum1 is verified. */
593
krb5_error_code
594
crypto_verify_checksums(krb5_context context, krb5_data *body,
595
			const krb5_data *cksum1,
596
			const krb5_pachecksum2 *cksum2);
597

598
#endif	/* _PKINIT_CRYPTO_H */
599

600
Product

Resources

Company
