1 /*
2  * COPYRIGHT (C) 2007
3  * THE REGENTS OF THE UNIVERSITY OF MICHIGAN
4  * ALL RIGHTS RESERVED
5  *
6  * Permission is granted to use, copy, create derivative works
7  * and redistribute this software and such derivative works
8  * for any purpose, so long as the name of The University of
9  * Michigan is not used in any advertising or publicity
10  * pertaining to the use of distribution of this software
11  * without specific, written prior authorization.  If the
12  * above copyright notice or any other identification of the
13  * University of Michigan is included in any copy of any
14  * portion of this software, then the disclaimer below must
15  * also be included.
16  *
17  * THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION
18  * FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY
19  * PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF
20  * MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING
21  * WITHOUT LIMITATION THE IMPLIED WARRANTIES OF
22  * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE
23  * REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE
24  * FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR
25  * CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING
26  * OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN
27  * IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF
28  * SUCH DAMAGES.
29  */
30 
31 /*
32  * Copyright (c) 2008, 2010, Oracle and/or its affiliates. All rights reserved.
33  */
34 
35 /*
36  * This header defines the cryptographic interface
37  */
38 
39 #ifndef _PKINIT_CRYPTO_H
40 #define _PKINIT_CRYPTO_H
41 
42 /* Solaris Kerberos */
43 #include <krb5.h>
44 #include <preauth_plugin.h>
45 #include <k5-int-pkinit.h>
46 #include <profile.h>
47 #include "pkinit_accessor.h"
48 
49 /*
50  * these describe the CMS message types
51  */
52 enum cms_msg_types {
53     CMS_SIGN_CLIENT,
54     CMS_SIGN_DRAFT9,
55     CMS_SIGN_SERVER,
56     CMS_ENVEL_SERVER
57 };
58 
59 /*
60  * storage types for identity information
61  */
62 #define IDTYPE_FILE     1
63 #define IDTYPE_DIR      2
64 #define IDTYPE_PKCS11   3
65 #define IDTYPE_ENVVAR   4
66 #define IDTYPE_PKCS12   5
67 
68 /*
69  * ca/crl types
70  */
71 #define CATYPE_ANCHORS          1
72 #define CATYPE_INTERMEDIATES    2
73 #define CATYPE_CRLS             3
74 
75 /*
76  * The following represent Key Usage values that we
77  * may care about in a certificate
78  */
79 #define PKINIT_KU_DIGITALSIGNATURE      0x80000000
80 #define PKINIT_KU_KEYENCIPHERMENT       0x40000000
81 
82 /*
83  * The following represent Extended Key Usage oid values
84  * that we may care about in a certificate
85  */
86 #define PKINIT_EKU_PKINIT               0x80000000
87 #define PKINIT_EKU_MSSCLOGIN            0x40000000
88 #define PKINIT_EKU_CLIENTAUTH           0x20000000
89 #define PKINIT_EKU_EMAILPROTECTION      0x10000000
90 
91 
92 /* Handle to cert, opaque above crypto interface */
93 typedef struct _pkinit_cert_info *pkinit_cert_handle;
94 
95 /* Handle to cert iteration information, opaque above crypto interface */
96 typedef struct _pkinit_cert_iter_info *pkinit_cert_iter_handle;
97 
98 #define PKINIT_ITER_NO_MORE	0x11111111  /* XXX */
99 
100 typedef struct _pkinit_cert_matching_data {
101     pkinit_cert_handle ch;  /* cert handle for this certificate */
102     char *subject_dn;	    /* rfc2253-style subject name string */
103     char *issuer_dn;	    /* rfc2253-style issuer name string */
104     unsigned int ku_bits;   /* key usage information */
105     unsigned int eku_bits;  /* extended key usage information */
106     krb5_principal *sans;   /* Null-terminated array of subject alternative
107 			       name info (pkinit and ms-upn) */
108 } pkinit_cert_matching_data;
109 
110 /*
111  * Functions to initialize and cleanup crypto contexts
112  */
113 krb5_error_code pkinit_init_plg_crypto(pkinit_plg_crypto_context *);
114 void pkinit_fini_plg_crypto(pkinit_plg_crypto_context);
115 
116 krb5_error_code pkinit_init_req_crypto(pkinit_req_crypto_context *);
117 void pkinit_fini_req_crypto(pkinit_req_crypto_context);
118 
119 krb5_error_code pkinit_init_identity_crypto(pkinit_identity_crypto_context *);
120 void pkinit_fini_identity_crypto(pkinit_identity_crypto_context);
121 
122 /*
123  * this function creates a CMS message where eContentType is SignedData
124  */
125 krb5_error_code cms_signeddata_create
126 	(krb5_context context,				/* IN */
127 	pkinit_plg_crypto_context plg_cryptoctx,	/* IN */
128 	pkinit_req_crypto_context req_cryptoctx,	/* IN */
129 	pkinit_identity_crypto_context id_cryptoctx,	/* IN */
130 	int cms_msg_type,				/* IN
131 		    specifies CMS_SIGN_CLIENT for client-side CMS message
132 		    and CMS_SIGN_SERVER for kdc-side */
133 	int include_certchain,				/* IN
134 		    specifies where certificates field in SignedData
135 		    should contain certificate path */
136 	unsigned char *auth_pack,			/* IN
137 		    contains DER encoded AuthPack (CMS_SIGN_CLIENT)
138 		    or DER encoded DHRepInfo (CMS_SIGN_SERVER) */
139 	unsigned int auth_pack_len,			/* IN
140 		    contains length of auth_pack */
141 	unsigned char **signed_data,			/* OUT
142 		    for CMS_SIGN_CLIENT receives DER encoded
143 		    SignedAuthPack (CMS_SIGN_CLIENT) or DER
144 		    encoded DHInfo (CMS_SIGN_SERVER) */
145 	unsigned int *signed_data_len);			/* OUT
146 		    receives length of signed_data */
147 
148 /*
149  * this function verifies a CMS message where eContentType is SignedData
150  */
151 krb5_error_code cms_signeddata_verify
152 	(krb5_context context,				/* IN */
153 	pkinit_plg_crypto_context plg_cryptoctx,	/* IN */
154 	pkinit_req_crypto_context req_cryptoctx,	/* IN */
155 	pkinit_identity_crypto_context id_cryptoctx,	/* IN */
156 	int cms_msg_type,				/* IN
157 		    specifies CMS_SIGN_CLIENT for client-side
158 		    CMS message and CMS_SIGN_SERVER for kdc-side */
159 	int require_crl_checking,			/* IN
160 		    specifies whether CRL checking should be
161 		    strictly enforced, i.e. if no CRLs available
162 		    for the CA then fail verification.
163 		    note, if the value is 0, crls are still
164 		    checked if present */
165 	unsigned char *signed_data,			/* IN
166 		    contains DER encoded SignedAuthPack (CMS_SIGN_CLIENT)
167 		    or DER encoded DHInfo (CMS_SIGN_SERVER) */
168 	unsigned int signed_data_len,			/* IN
169 		    contains length of signed_data*/
170 	unsigned char **auth_pack,			/* OUT
171 		    receives DER encoded AuthPack (CMS_SIGN_CLIENT)
172 		    or DER encoded DHRepInfo (CMS_SIGN_SERVER)*/
173 	unsigned int *auth_pack_len,			/* OUT
174 		    receives length of auth_pack */
175 	unsigned char **authz_data,			/* OUT
176 		    receives required authorization data that
177 		    contains the verified certificate chain
178 		    (only used by the KDC) */
179 	unsigned int *authz_data_len);			/* OUT
180 		    receives length of authz_data */
181 
182 /*
183  * this function creates a CMS message where eContentType is EnvelopedData
184  */
185 krb5_error_code cms_envelopeddata_create
186 	(krb5_context context,				/* IN */
187 	pkinit_plg_crypto_context plg_cryptoctx,	/* IN */
188 	pkinit_req_crypto_context req_cryptoctx,	/* IN */
189 	pkinit_identity_crypto_context id_cryptoctx,	/* IN */
190 	krb5_preauthtype pa_type,			/* IN */
191 	int include_certchain,				/* IN
192 		    specifies whether the certificates field in
193 		    SignedData should contain certificate path */
194 	unsigned char *key_pack,			/* IN
195 		    contains DER encoded ReplyKeyPack */
196 	unsigned int key_pack_len,			/* IN
197 		    contains length of key_pack */
198 	unsigned char **envel_data,			/* OUT
199 		    receives DER encoded encKeyPack */
200 	unsigned int *envel_data_len);			/* OUT
201 		    receives length of envel_data */
202 
203 /*
204  * this function creates a CMS message where eContentType is EnvelopedData
205  */
206 krb5_error_code cms_envelopeddata_verify
207 	(krb5_context context,				/* IN */
208 	pkinit_plg_crypto_context plg_cryptoctx,	/* IN */
209 	pkinit_req_crypto_context req_cryptoctx,	/* IN */
210 	pkinit_identity_crypto_context id_cryptoctx,	/* IN */
211 	krb5_preauthtype pa_type,			/* IN */
212 	int require_crl_checking,			/* IN
213 		    specifies whether CRL checking should be
214 		    strictly enforced */
215 	unsigned char *envel_data,			/* IN
216 		    contains DER encoded encKeyPack */
217 	unsigned int envel_data_len,			/* IN
218 		    contains length of envel_data */
219 	unsigned char **signed_data,			/* OUT
220 		    receives ReplyKeyPack */
221 	unsigned int *signed_data_len);			/* OUT
222 		    receives length of signed_data */
223 
224 /*
225  * this function returns SAN information found in the
226  * received certificate.  at least one of pkinit_sans,
227  * upn_sans, or kdc_hostnames must be non-NULL.
228  */
229 krb5_error_code crypto_retrieve_cert_sans
230 	(krb5_context context,				/* IN */
231 	pkinit_plg_crypto_context plg_cryptoctx,	/* IN */
232 	pkinit_req_crypto_context req_cryptoctx,	/* IN */
233 	pkinit_identity_crypto_context id_cryptoctx,	/* IN */
234 	krb5_principal **pkinit_sans,			/* OUT
235 		    if non-NULL, a null-terminated array of
236 		    id-pkinit-san values found in the certificate
237 		    are returned */
238 	krb5_principal **upn_sans,			/* OUT
239 		    if non-NULL, a null-terminated array of
240 		    id-ms-upn-san values found in the certificate
241 		    are returned */
242 	unsigned char ***kdc_hostname);			/* OUT
243 		    if non-NULL, a null-terminated array of
244 		    dNSName (hostname) SAN values found in the
245 		    certificate are returned */
246 
247 /*
248  * this function checks for acceptable key usage values
249  * in the received certificate.
250  *
251  * when checking a received kdc certificate, it looks for
252  * the kpKdc key usage.  if allow_secondary_usage is
253  * non-zero, it will also accept kpServerAuth.
254  *
255  * when checking a received user certificate, it looks for
256  * kpClientAuth key usage.  if allow_secondary_usage is
257  * non-zero, it will also accept id-ms-sc-logon EKU.
258  *
259  * this function must also assert that the digitalSignature
260  * key usage is consistent.
261  */
262 krb5_error_code crypto_check_cert_eku
263 	(krb5_context context,				/* IN */
264 	pkinit_plg_crypto_context plg_cryptoctx,	/* IN */
265 	pkinit_req_crypto_context req_cryptoctx,	/* IN */
266 	pkinit_identity_crypto_context id_cryptoctx,	/* IN */
267 	int checking_kdc_cert,				/* IN
268 		    specifies if the received certificate is
269 		    a KDC certificate (non-zero),
270 		    or a user certificate (zero) */
271 	int allow_secondary_usage,			/* IN
272 		    specifies if the secondary key usage
273 		    should be accepted or not (see above) */
274 	int *eku_valid);				/* OUT
275 		    receives non-zero if an acceptable EKU was found */
276 
277 /*
278  * this functions takes in generated DH secret key and converts
279  * it in to a kerberos session key. it takes into the account the
280  * enc type and then follows the procedure specified in the RFC p 22.
281  */
282 krb5_error_code pkinit_octetstring2key
283 	(krb5_context context,				/* IN */
284 	krb5_enctype etype,				/* IN
285 		    specifies the enc type */
286 	unsigned char *key,				/* IN
287 		    contains the DH secret key */
288 	unsigned int key_len,				/* IN
289 		    contains length of key */
290 	krb5_keyblock * krb5key);			/* OUT
291 		    receives kerberos session key */
292 
293 /*
294  * this function implements clients first part of the DH protocol.
295  * client selects its DH parameters and pub key
296  */
297 krb5_error_code client_create_dh
298 	(krb5_context context,				/* IN */
299 	pkinit_plg_crypto_context plg_cryptoctx,	/* IN */
300 	pkinit_req_crypto_context req_cryptoctx,	/* IN */
301 	pkinit_identity_crypto_context id_cryptoctx,	/* IN */
302 	int dh_size,					/* IN
303 		    specifies the DH modulous, eg 1024, 2048, or 4096 */
304 	unsigned char **dh_paramas,			/* OUT
305 		    contains DER encoded DH params */
306 	unsigned int *dh_params_len,			/* OUT
307 		    contains length of dh_parmas */
308 	unsigned char **dh_pubkey,			/* OUT
309 		    receives DER encoded DH pub key */
310 	unsigned int *dh_pubkey_len);			/* OUT
311 		    receives length of dh_pubkey */
312 
313 /*
314  * this function completes client's the DH protocol. client
315  * processes received DH pub key from the KDC and computes
316  * the DH secret key
317  */
318 krb5_error_code client_process_dh
319 	(krb5_context context,				/* IN */
320 	pkinit_plg_crypto_context plg_cryptoctx,	/* IN */
321 	pkinit_req_crypto_context req_cryptoctx,	/* IN */
322 	pkinit_identity_crypto_context id_cryptoctx,	/* IN */
323 	unsigned char *dh_pubkey,			/* IN
324 		    contains client's DER encoded DH pub key */
325 	unsigned int dh_pubkey_len,			/* IN
326 		    contains length of dh_pubkey */
327 	unsigned char **dh_session_key,			/* OUT
328 		    receives DH secret key */
329 	unsigned int *dh_session_key_len);		/* OUT
330 		    receives length of dh_session_key */
331 
332 /*
333  * this function implements the KDC first part of the DH protocol.
334  * it decodes the client's DH parameters and pub key and checks
335  * if they are acceptable.
336  */
337 krb5_error_code server_check_dh
338 	(krb5_context context,				/* IN */
339 	pkinit_plg_crypto_context plg_cryptoctx,	/* IN */
340 	pkinit_req_crypto_context req_cryptoctx,	/* IN */
341 	pkinit_identity_crypto_context id_cryptoctx,	/* IN */
342 	krb5_octet_data *dh_params,			/* IN
343 		    ???? */
344 	int minbits);					/* IN
345 		    the mininum number of key bits acceptable */
346 
347 /*
348  * this function completes the KDC's DH protocol. The KDC generates
349  * its DH pub key and computes the DH secret key
350  */
351 krb5_error_code server_process_dh
352 	(krb5_context context,				/* IN */
353 	pkinit_plg_crypto_context plg_cryptoctx,	/* IN */
354 	pkinit_req_crypto_context req_cryptoctx,	/* IN */
355 	pkinit_identity_crypto_context id_cryptoctx,	/* IN */
356 	unsigned char *received_pubkey,			/* IN
357 		    contains client's DER encoded DH pub key */
358 	unsigned int received_pub_len,			/* IN
359 		    contains length of received_pubkey */
360 	unsigned char **dh_pubkey,			/* OUT
361 		    receives KDC's DER encoded DH pub key */
362 	unsigned int *dh_pubkey_len,			/* OUT
363 		    receives length of dh_pubkey */
364 	unsigned char **server_key,			/* OUT
365 		    receives DH secret key */
366 	unsigned int *server_key_len);			/* OUT
367 		    receives length of server_key */
368 
369 /*
370  * this functions takes in crypto specific representation of
371  * supportedCMSTypes and creates a list of
372  * krb5_algorithm_identifier
373  */
374 krb5_error_code create_krb5_supportedCMSTypes
375 	(krb5_context context,				/* IN */
376 	pkinit_plg_crypto_context plg_cryptoctx,	/* IN */
377 	pkinit_req_crypto_context req_cryptoctx,	/* IN */
378 	pkinit_identity_crypto_context id_cryptoctx,	/* IN */
379 	krb5_algorithm_identifier ***supportedCMSTypes); /* OUT */
380 
381 /*
382  * this functions takes in crypto specific representation of
383  * trustedCertifiers and creates a list of
384  * krb5_external_principal_identifier
385  */
386 krb5_error_code create_krb5_trustedCertifiers
387 	(krb5_context context,				/* IN */
388 	pkinit_plg_crypto_context plg_cryptoctx,	/* IN */
389 	pkinit_req_crypto_context req_cryptoctx,	/* IN */
390 	pkinit_identity_crypto_context id_cryptoctx,	/* IN */
391 	krb5_external_principal_identifier ***trustedCertifiers); /* OUT */
392 
393 /*
394  * this functions takes in crypto specific representation of
395  * trustedCas (draft9) and creates a list of krb5_trusted_ca (draft9).
396  * draft9 trustedCAs is a CHOICE. we only support choices for
397  * [1] caName and [2] issuerAndSerial.  there is no config
398  * option available to select the choice yet. default = 1.
399  */
400 krb5_error_code create_krb5_trustedCas
401 	(krb5_context context,				/* IN */
402 	pkinit_plg_crypto_context plg_cryptoctx,	/* IN */
403 	pkinit_req_crypto_context req_cryptoctx,	/* IN */
404 	pkinit_identity_crypto_context id_cryptoctx,	/* IN */
405 	int flag,					/* IN
406 		    specifies the tag of the CHOICE */
407 	krb5_trusted_ca ***trustedCas);			/* OUT */
408 
409 /*
410  * this functions takes in crypto specific representation of the
411  * KDC's certificate and creates a DER encoded kdcPKId
412  */
413 krb5_error_code create_issuerAndSerial
414 	(krb5_context context,				/* IN */
415 	pkinit_plg_crypto_context plg_cryptoctx,	/* IN */
416 	pkinit_req_crypto_context req_cryptoctx,	/* IN */
417 	pkinit_identity_crypto_context id_cryptoctx,	/* IN */
418 	unsigned char **kdcId_buf,			/* OUT
419 		    receives DER encoded kdcPKId */
420 	unsigned int *kdcId_len);			/* OUT
421 		    receives length of encoded kdcPKId */
422 
423 /*
424  * process the values from idopts and obtain the cert(s)
425  * specified by those options, populating the id_cryptoctx.
426  */
427 krb5_error_code crypto_load_certs
428 	(krb5_context context,				/* IN */
429 	pkinit_plg_crypto_context plg_cryptoctx,	/* IN */
430 	pkinit_req_crypto_context req_cryptoctx,	/* IN */
431 	pkinit_identity_opts *idopts,			/* IN */
432 	pkinit_identity_crypto_context id_cryptoctx,	/* IN/OUT */
433 	krb5_principal princ,				/* IN */
434 	int do_matching);				/* IN */
435 
436 /*
437  * Free up information held from crypto_load_certs()
438  */
439 krb5_error_code crypto_free_cert_info
440 	(krb5_context context,
441 	pkinit_plg_crypto_context plg_cryptoctx,
442 	pkinit_req_crypto_context req_cryptoctx,
443 	pkinit_identity_crypto_context id_cryptoctx);
444 
445 
446 /*
447  * Get number of certificates available after crypto_load_certs()
448  */
449 krb5_error_code crypto_cert_get_count
450 	(krb5_context context,				/* IN */
451 	pkinit_plg_crypto_context plg_cryptoctx,	/* IN */
452 	pkinit_req_crypto_context req_cryptoctx,	/* IN */
453 	pkinit_identity_crypto_context id_cryptoctx,	/* IN */
454 	int *cert_count);				/* OUT */
455 
456 /*
457  * Begin iteration over the certs loaded in crypto_load_certs()
458  */
459 krb5_error_code crypto_cert_iteration_begin
460 	(krb5_context context,				/* IN */
461 	pkinit_plg_crypto_context plg_cryptoctx,	/* IN */
462 	pkinit_req_crypto_context req_cryptoctx,	/* IN */
463 	pkinit_identity_crypto_context id_cryptoctx,	/* IN */
464 	pkinit_cert_iter_handle *iter_handle);		/* OUT */
465 
466 /*
467  * End iteration over the certs loaded in crypto_load_certs()
468  */
469 krb5_error_code crypto_cert_iteration_end
470 	(krb5_context context,				/* IN */
471 	pkinit_cert_iter_handle iter_handle);		/* IN */
472 
473 /*
474  * Get next certificate handle
475  */
476 krb5_error_code crypto_cert_iteration_next
477 	(krb5_context context,				/* IN */
478 	pkinit_cert_iter_handle iter_handle,		/* IN */
479 	pkinit_cert_handle *cert_handle);		/* OUT */
480 
481 /*
482  * Release cert handle
483  */
484 krb5_error_code crypto_cert_release
485 	(krb5_context context,				/* IN */
486 	pkinit_cert_handle cert_handle);		/* IN */
487 
488 /*
489  * Get certificate matching information
490  */
491 krb5_error_code crypto_cert_get_matching_data
492 	(krb5_context context,				/* IN */
493 	pkinit_cert_handle cert_handle,			/* IN */
494 	pkinit_cert_matching_data **ret_data);		/* OUT */
495 
496 /*
497  * Free certificate information
498  */
499 krb5_error_code crypto_cert_free_matching_data
500 	(krb5_context context,				/* IN */
501 	pkinit_cert_matching_data *data);		/* IN */
502 
503 /*
504  * Make the given certificate "the chosen one"
505  */
506 krb5_error_code crypto_cert_select
507 	(krb5_context context,				/* IN */
508 	pkinit_cert_matching_data *data);		/* IN */
509 
510 /*
511  * Select the default certificate as "the chosen one"
512  */
513 krb5_error_code crypto_cert_select_default
514 	(krb5_context context,				/* IN */
515 	pkinit_plg_crypto_context plg_cryptoctx,	/* IN */
516 	pkinit_req_crypto_context req_cryptoctx,	/* IN */
517 	pkinit_identity_crypto_context id_cryptoctx);	/* IN */
518 
519 /*
520  * process the values from idopts and obtain the anchor or
521  * intermediate certificates, or crls specified by idtype,
522  * catype, and id
523  */
524 krb5_error_code crypto_load_cas_and_crls
525 	(krb5_context context,				/* IN */
526 	pkinit_plg_crypto_context plg_cryptoctx,	/* IN */
527 	pkinit_req_crypto_context req_cryptoctx,	/* IN */
528 	pkinit_identity_opts *idopts,			/* IN */
529 	pkinit_identity_crypto_context id_cryptoctx,	/* IN/OUT */
530 	int idtype,					/* IN
531 		    defines the storage type (file, directory, etc) */
532 	int catype,					/* IN
533 		    defines the ca type (anchor, intermediate, crls) */
534 	char *id);					/* IN
535 		    defines the location (filename, directory name, etc) */
536 
537 /*
538  * on the client, obtain the kdc's certificate to include
539  * in a request
540  */
541 krb5_error_code pkinit_get_kdc_cert
542 	(krb5_context context,				/* IN */
543 	pkinit_plg_crypto_context plg_cryptoctx,	/* IN */
544 	pkinit_req_crypto_context req_cryptoctx,	/* IN */
545 	pkinit_identity_crypto_context id_cryptoctx,	/* IN/OUT */
546 	krb5_principal princ);				/* IN */
547 
548 /*
549  * this function creates edata that contains TD-DH-PARAMETERS
550  */
551 krb5_error_code pkinit_create_td_dh_parameters
552 	(krb5_context context,				/* IN */
553 	pkinit_plg_crypto_context plg_cryptoctx,	/* IN */
554 	pkinit_req_crypto_context req_cryptoctx,	/* IN */
555 	pkinit_identity_crypto_context id_cryptoctx,	/* IN */
556 	pkinit_plg_opts *opts,				/* IN */
557 	krb5_data **edata);				/* OUT */
558 
559 /*
560  * this function processes edata that contains TD-DH-PARAMETERS.
561  * the client processes the received acceptable by KDC DH
562  * parameters and picks the first acceptable to it. it matches
563  * them against the known DH parameters.
564  */
565 krb5_error_code pkinit_process_td_dh_params
566 	(krb5_context context,				/* IN */
567 	pkinit_plg_crypto_context plg_cryptoctx,	/* IN */
568 	pkinit_req_crypto_context req_cryptoctx,	/* IN */
569 	pkinit_identity_crypto_context id_cryptoctx,	/* IN */
570 	krb5_algorithm_identifier **algId,		/* IN */
571 	int *new_dh_size);				/* OUT
572 		    receives the new DH modulus to use in the new AS-REQ */
573 
574 /*
575  * this function creates edata that contains TD-INVALID-CERTIFICATES
576  */
577 krb5_error_code pkinit_create_td_invalid_certificate
578 	(krb5_context context,				/* IN */
579 	pkinit_plg_crypto_context plg_cryptoctx,	/* IN */
580 	pkinit_req_crypto_context req_cryptoctx,	/* IN */
581 	pkinit_identity_crypto_context id_cryptoctx,	/* IN */
582 	krb5_data **edata);				/* OUT */
583 
584 /*
585  * this function creates edata that contains TD-TRUSTED-CERTIFIERS
586  */
587 krb5_error_code pkinit_create_td_trusted_certifiers
588 	(krb5_context context,				/* IN */
589 	pkinit_plg_crypto_context plg_cryptoctx,	/* IN */
590 	pkinit_req_crypto_context req_cryptoctx,	/* IN */
591 	pkinit_identity_crypto_context id_cryptoctx,	/* IN */
592 	krb5_data **edata);				/* OUT */
593 
594 /*
595  * this function processes edata that contains either
596  * TD-TRUSTED-CERTIFICATES or TD-INVALID-CERTIFICATES.
597  * current implementation only decodes the received message
598  * but does not act on it
599  */
600 krb5_error_code pkinit_process_td_trusted_certifiers
601 	(krb5_context context,				/* IN */
602 	pkinit_plg_crypto_context plg_cryptoctx,	/* IN */
603 	pkinit_req_crypto_context req_cryptoctx,	/* IN */
604 	pkinit_identity_crypto_context id_cryptoctx,	/* IN */
605 	krb5_external_principal_identifier **trustedCertifiers, /* IN */
606 	int td_type);					/* IN */
607 
608 /*
609  * this function checks if the received kdcPKId matches
610  * the KDC's certificate
611  */
612 krb5_error_code pkinit_check_kdc_pkid
613 	(krb5_context context,				/* IN */
614 	pkinit_plg_crypto_context plg_cryptoctx,	/* IN */
615 	pkinit_req_crypto_context req_cryptoctx,	/* IN */
616 	pkinit_identity_crypto_context id_cryptoctx,	/* IN */
617 	unsigned char *pdid_buf,			/* IN
618 		    contains DER encoded kdcPKId */
619 	unsigned int pkid_len,				/* IN
620 		    contains length of pdid_buf */
621 	int *valid_kdcPkId);				/* OUT
622 		    1 if kdcPKId matches, otherwise 0 */
623 
624 krb5_error_code pkinit_identity_set_prompter
625 	(pkinit_identity_crypto_context id_cryptoctx,	/* IN */
626 	krb5_prompter_fct prompter,			/* IN */
627 	void *prompter_data);				/* IN */
628 
629 #endif	/* _PKINIT_CRYPTO_H */
630