* Copyright (c) 2004-2008 Apple Inc. All Rights Reserved.
* Export of this software from the United States of America may require
* a specific license from the United States Government. It is the
* responsibility of any person or organization contemplating export to
* obtain such a license before exporting.
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
* notice appear in all copies and that both that copyright notice and
* this permission notice appear in supporting documentation, and that
* the name of Apple Inc. not be used in advertising or publicity pertaining
* to distribution of the software without specific, written prior
* permission. Apple Inc. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
* pkinit_asn1.h - ASN.1 encode/decode routines for PKINIT
* Created 18 May 2004 by Doug Mitchell.
#ifndef _PKINIT_ASN1_H_
#define _PKINIT_ASN1_H_
#include <krb5/krb5.h>
/* RFC 3280 AlgorithmIdentifier */
krb5_data algorithm; /* OID */
krb5_data parameters; /* ASN_ANY, defined by algorithm */
} krb5int_algorithm_id;
* Encode and decode AuthPack, public key version (no Diffie-Hellman components).
krb5_error_code krb5int_pkinit_auth_pack_encode(
krb5_timestamp kctime,
krb5_int32 cusec, /* microseconds */
const krb5_checksum *pa_checksum,
const krb5int_algorithm_id *cms_types, /* optional */
krb5_ui_4 num_cms_types,
krb5_data *auth_pack); /* mallocd and RETURNED */
/* all returned values are optional - pass NULL if you don't want them */
krb5_error_code krb5int_pkinit_auth_pack_decode(
const krb5_data *auth_pack, /* DER encoded */
krb5_timestamp *kctime, /* RETURNED */
krb5_ui_4 *cusec, /* microseconds, RETURNED */
krb5_ui_4 *nonce, /* RETURNED */
krb5_checksum *pa_checksum, /* contents mallocd and RETURNED */
krb5int_algorithm_id **cms_types, /* mallocd and RETURNED */
krb5_ui_4 *num_cms_types); /* RETURNED */
* Given DER-encoded issuer and serial number, create an encoded
* IssuerAndSerialNumber.
krb5_error_code krb5int_pkinit_issuer_serial_encode(
const krb5_data *issuer, /* DER encoded */
const krb5_data *serial_num,
krb5_data *issuer_and_serial); /* content mallocd and RETURNED */
* Decode IssuerAndSerialNumber.
krb5_error_code krb5int_pkinit_issuer_serial_decode(
const krb5_data *issuer_and_serial, /* DER encoded */
krb5_data *issuer, /* DER encoded, RETURNED */
krb5_data *serial_num); /* RETURNED */
* Top-level encode for PA-PK-AS-REQ.
* The signed_auth_pack field is wrapped in an OCTET STRING, context-specific
* tag 0, during encode.
krb5_error_code krb5int_pkinit_pa_pk_as_req_encode(
const krb5_data *signed_auth_pack, /* DER encoded ContentInfo */
const krb5_data *trusted_CAs, /* optional: trustedCertifiers. Contents are
* DER-encoded issuer/serialNumbers. */
krb5_ui_4 num_trusted_CAs,
const krb5_data *kdc_cert, /* optional kdcPkId, DER encoded issuer/serial */
krb5_data *pa_pk_as_req); /* mallocd and RETURNED */
* Top-level decode for PA-PK-AS-REQ. Does not perform cert verification on the
* ContentInfo; that is returned in BER-encoded form and processed elsewhere.
* The OCTET STRING wrapping the signed_auth_pack field is removed during the
krb5_error_code krb5int_pkinit_pa_pk_as_req_decode(
const krb5_data *pa_pk_as_req,
krb5_data *signed_auth_pack, /* DER encoded ContentInfo, RETURNED */
* Remainder are optionally RETURNED (specify NULL for pointers to
* items you're not interested in).
krb5_ui_4 *num_trusted_CAs, /* sizeof trusted_CAs */
krb5_data **trusted_CAs, /* mallocd array of DER-encoded TrustedCAs
krb5_data *kdc_cert); /* DER encoded issuer/serial */
* Encode a ReplyKeyPack. The result is used as the Content of a SignedData.
krb5_error_code krb5int_pkinit_reply_key_pack_encode(
const krb5_keyblock *key_block,
const krb5_checksum *checksum,
krb5_data *reply_key_pack); /* mallocd and RETURNED */
* Decode a ReplyKeyPack.
krb5_error_code krb5int_pkinit_reply_key_pack_decode(
const krb5_data *reply_key_pack,
krb5_keyblock *key_block, /* RETURNED */
krb5_checksum *checksum); /* contents mallocd and RETURNED */
* Encode a PA-PK-AS-REP.
* Exactly one of {dh_signed_data, enc_key_pack} is non-NULL on entry;
* each is a previously encoded item.
* dh_signed_data, if specified, is an encoded DHRepInfo.
* enc_key_pack, if specified, is EnvelopedData(signedData(ReplyKeyPack))
krb5_error_code krb5int_pkinit_pa_pk_as_rep_encode(
const krb5_data *dh_signed_data,
const krb5_data *enc_key_pack, /* EnvelopedData(signedData(ReplyKeyPack) */
krb5_data *pa_pk_as_rep); /* mallocd and RETURNED */
* Decode a PA-PK-AS-REP.
* On successful return, exactly one of {dh_signed_data, enc_key_pack}
* will be non-NULL, each of which is mallocd and must be freed by
* dh_signed_data, if returned, is an encoded DHRepInfo.
* enc_key_pack, if returned, is EnvelopedData(signedData(ReplyKeyPack))
krb5_error_code krb5int_pkinit_pa_pk_as_rep_decode(
const krb5_data *pa_pk_as_rep,
krb5_data *dh_signed_data,
krb5_data *enc_key_pack);
* Given a DER encoded certificate, obtain the associated IssuerAndSerialNumber.
krb5_error_code krb5int_pkinit_get_issuer_serial(
const krb5_data *cert,
krb5_data *issuer_and_serial);
#endif /* _PKINIT_ASN1_H_ */