src/include/pkinit_cms.h


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180

/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
 * Copyright (c) 2004-2008 Apple Inc.  All Rights Reserved.
 *
 * Export of this software from the United States of America may require
 * a specific license from the United States Government.  It is the
 * responsibility of any person or organization contemplating export to
 * obtain such a license before exporting.
 *
 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
 * distribute this software and its documentation for any purpose and
 * without fee is hereby granted, provided that the above copyright
 * notice appear in all copies and that both that copyright notice and
 * this permission notice appear in supporting documentation, and that
 * the name of Apple Inc. not be used in advertising or publicity pertaining
 * to distribution of the software without specific, written prior
 * permission.  Apple Inc. makes no representations about the suitability of
 * this software for any purpose.  It is provided "as is" without express
 * or implied warranty.
 *
 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
 *
 */

/*
 * pkinit_apple_cms.h - CMS encode/decode routines, Mac OS X version
 *
 * Created 19 May 2004 by Doug Mitchell at Apple.
 */

#ifndef _PKINIT_CMS_H_
#define _PKINIT_CMS_H_

#include <krb5/krb5.h>
#include "pkinit_cert_store.h"   /* for krb5_pkinit_signing_cert_t */
#include "pkinit_asn1.h"         /* for krb5int_algorithm_id */

#ifdef __cplusplus
extern "C" {
#endif

/*
 * Define ContentType for a SignedData and EnvelopedData.
 */
enum {
    /* normal CMS ContentTypes */
    ECT_Data,
    ECT_SignedData,
    ECT_EnvelopedData,
    ECT_EncryptedData,

    /*
     * For SignedAuthPack
     * pkauthdata: { iso (1) org (3) dod (6) internet (1)
     *               security (5) kerberosv5 (2) pkinit (3) pkauthdata (1)}
     */
    ECT_PkAuthData,

    /*
     * For ReplyKeyPack
     * pkrkeydata: { iso (1) org (3) dod (6) internet (1)
     *               security (5) kerberosv5 (2) pkinit (3) pkrkeydata (3) }
     */
    ECT_PkReplyKeyKata,

    /*
     * Other - i.e., unrecognized ContentType on decode.
     */
    ECT_Other
};
typedef krb5_int32 krb5int_cms_content_type;

/*
 * Result of certificate and signature verification.
 */
enum {
    pki_cs_good = 0,
    pki_not_signed,         /* message not signed */
    pki_not_evaluated,      /* signed, but not evaluated per caller request */
    /* remainder imply good signature on the message proper, i.e., these
     * are all certificate errors. */
    pki_cs_sig_verify_fail, /* signature verification failed */
    pki_cs_bad_leaf,        /* leaf/subject cert itself is plain bad */
    pki_cs_no_root,         /* looks good but not verifiable to any root */
    pki_cs_unknown_root,    /* verified to root we don't recognize */
    pki_cs_expired,         /* expired */
    pki_cs_not_valid_yet,   /* cert not valid yet */
    pki_cs_revoked,         /* revoked via CRL or OCSP */
    pki_cs_untrusted,       /* marked by user as untrusted */
    pki_bad_cms,            /* CMS Format precluded verification */
    pki_bad_key_use,        /* Bad ExtendedKeyUse or KeyUsage extension */
    pki_bad_digest,         /* unacceptable CMS digest algorithm */
    pki_cs_other_err        /* other cert verify error */
};
typedef krb5_int32 krb5int_cert_sig_status;

/*
 * Create a CMS message: either encrypted (EnvelopedData), signed
 * (SignedData), or both (EnvelopedData(SignedData(content)).
 *
 * The message is signed iff signing_cert is non-NULL.
 * The message is encrypted iff recip_cert is non-NULL.
 *
 * The content_type argument specifies to the eContentType
 * for a SignedData's EncapsulatedContentInfo; it's ignored
 * if the message is not to be signed.
 *
 * The cms_types argument optionally specifies a list, in order
 * of decreasing preference, of CMS algorithms to use in the
 * creation of the CMS message.
 */
krb5_error_code krb5int_pkinit_create_cms_msg(
    const krb5_data             *content,       /* Content */
    krb5_pkinit_signing_cert_t  signing_cert,   /* optional: signed by this cert */
    const krb5_data             *recip_cert,    /* optional: encrypted with this cert */
    krb5int_cms_content_type    content_type,   /* OID for EncapsulatedData */
    krb5_ui_4                   num_cms_types,  /* optional */
    const krb5int_algorithm_id  *cms_types,     /* optional */
    krb5_data                   *content_info); /* contents mallocd and RETURNED */

/*
 * Parse a ContentInfo as best we can. All returned fields are optional -
 * pass NULL for values you don't need.
 *
 * If signer_cert_status is NULL on entry, NO signature or cert evaluation
 * will be performed.
 *
 * The is_client_msg argument indicates whether the CMS message originated
 * from the client (TRUE) or server (FALSE) and may be used in platform-
 * dependent certificate evaluation.
 *
 * Note that signature and certificate verification errors do NOT cause
 * this routine itself to return an error; caller is reponsible for
 * handling such errors per the signer_cert_status out parameter.
 */
krb5_error_code krb5int_pkinit_parse_cms_msg(
    const krb5_data     *content_info,
    krb5_pkinit_cert_db_t cert_db,              /* may be required for SignedData */
    krb5_boolean        is_client_msg,          /* TRUE : msg is from client */
    krb5_boolean        *is_signed,             /* RETURNED */
    krb5_boolean        *is_encrypted,          /* RETURNED */
    krb5_data           *raw_data,              /* RETURNED */
    krb5int_cms_content_type *inner_content_type,/* Returned, ContentType of
                                                  *   EncapsulatedData if
                                                  *   *is_signed true */
    /* returned for type SignedData only */
    krb5_data           *signer_cert,           /* RETURNED */
    krb5int_cert_sig_status *signer_cert_status,/* RETURNED */
    unsigned            *num_all_certs,         /* size of *all_certs RETURNED */
    krb5_data           **all_certs);           /* entire cert chain RETURNED */

/*
 * An AuthPack contains an optional set of AlgorithmIdentifiers
 * which define the CMS algorithms supported by the client, in
 * order of decreasing preference.
 *
 * krb5int_pkinit_get_cms_types() is a CMS-implementation-dependent
 * function returning supported CMS algorithms in the form of a
 * pointer and a length suitable for passing to
 * krb5int_pkinit_auth_pack_encode. If no preference is to be expressed,
 * this function returns NULL/0 (without returning a nonzero krb5_error_code).
 *
 * krb5int_pkinit_free_cms_types() frees the pointer obtained
 * from krb5int_pkinit_get_cms_types() as necessary.
 */
krb5_error_code krb5int_pkinit_get_cms_types(
    krb5int_algorithm_id    **supported_cms_types,      /* RETURNED */
    krb5_ui_4               *num_supported_cms_types);  /* RETURNED */

krb5_error_code krb5int_pkinit_free_cms_types(
    krb5int_algorithm_id    *supported_cms_types,
    krb5_ui_4               num_supported_cms_types);

#ifdef __cplusplus
}
#endif

#endif  /* _PKINIT_CMS_H_ */