13 * University of Michigan is included in any copy of any
14 * portion of this software, then the disclaimer below must
15 * also be included.
16 *
17 * THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION
18 * FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY
19 * PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF
20 * MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING
21 * WITHOUT LIMITATION THE IMPLIED WARRANTIES OF
22 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE
23 * REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE
24 * FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR
25 * CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING
26 * OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN
27 * IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF
28 * SUCH DAMAGES.
29 */
30
31 /*
32 * Copyright (c) 2008, 2010, Oracle and/or its affiliates. All rights reserved.
33 */
34
35 #ifndef _PKINIT_CRYPTO_OPENSSL_H
36 #define _PKINIT_CRYPTO_OPENSSL_H
37
38 #include <openssl/bn.h>
39 #include <openssl/dh.h>
40 #include <openssl/x509.h>
41 #include <openssl/pkcs7.h>
42 #include <openssl/pkcs12.h>
43 #include <openssl/obj_mac.h>
44 #include <openssl/x509v3.h>
45 #include <openssl/err.h>
46 #include <openssl/evp.h>
47 #include <openssl/asn1_mac.h>
48 #include <openssl/sha.h>
49 #include <openssl/asn1.h>
50 #include <openssl/pem.h>
51
52 #include "pkinit.h"
53
54 #define DN_BUF_LEN 256
55 #define MAX_CREDS_ALLOWED 20
56
57 struct _pkinit_cred_info {
58 X509 *cert;
59 EVP_PKEY *key;
60 #ifndef WITHOUT_PKCS11
61 CK_BYTE_PTR cert_id;
62 int cert_id_len;
63 #endif
64 };
65 typedef struct _pkinit_cred_info * pkinit_cred_info;
66
67 struct _pkinit_identity_crypto_context {
68 pkinit_cred_info creds[MAX_CREDS_ALLOWED+1];
69 STACK_OF(X509) *my_certs; /* available user certs */
70 int cert_index; /* cert to use out of available certs*/
71 EVP_PKEY *my_key; /* available user keys if in filesystem */
145 pkinit_identity_crypto_context idctx;
146 unsigned int index;
147 };
148
149 /* Solaris Kerberos */
150 static krb5_error_code openssl_init(void);
151
152 static krb5_error_code pkinit_init_pkinit_oids(pkinit_plg_crypto_context );
153 static void pkinit_fini_pkinit_oids(pkinit_plg_crypto_context );
154
155 static krb5_error_code pkinit_init_dh_params(pkinit_plg_crypto_context );
156 static void pkinit_fini_dh_params(pkinit_plg_crypto_context );
157
158 static krb5_error_code pkinit_init_certs(pkinit_identity_crypto_context ctx);
159 static void pkinit_fini_certs(pkinit_identity_crypto_context ctx);
160
161 static krb5_error_code pkinit_init_pkcs11(pkinit_identity_crypto_context ctx);
162 static void pkinit_fini_pkcs11(pkinit_identity_crypto_context ctx);
163
164 static krb5_error_code pkinit_encode_dh_params
165 (BIGNUM *, BIGNUM *, BIGNUM *, unsigned char **, unsigned int *);
166 static DH *pkinit_decode_dh_params
167 (DH **, unsigned char **, unsigned int );
168 static int pkinit_check_dh_params
169 (BIGNUM * p1, BIGNUM * p2, BIGNUM * g1, BIGNUM * q1);
170
171 static krb5_error_code pkinit_sign_data
172 (krb5_context context, pkinit_identity_crypto_context cryptoctx,
173 unsigned char *data, unsigned int data_len,
174 unsigned char **sig, unsigned int *sig_len);
175
176 static krb5_error_code create_signature
177 (unsigned char **, unsigned int *, unsigned char *, unsigned int,
178 EVP_PKEY *pkey);
179
180 static krb5_error_code pkinit_decode_data
181 (krb5_context context, pkinit_identity_crypto_context cryptoctx,
182 unsigned char *data, unsigned int data_len,
183 unsigned char **decoded, unsigned int *decoded_len);
184
185 static krb5_error_code decode_data
186 (unsigned char **, unsigned int *, unsigned char *, unsigned int,
187 EVP_PKEY *pkey, X509 *cert);
188
189 #ifdef DEBUG_DH
258 pkinit_plg_crypto_context plg_cryptoctx,
259 pkinit_req_crypto_context req_cryptoctx,
260 pkinit_identity_crypto_context id_cryptoctx,
261 krb5_external_principal_identifier *** ids);
262
263 static krb5_error_code
264 create_identifiers_from_stack(STACK_OF(X509) *sk,
265 krb5_external_principal_identifier *** ids);
266 #ifdef LONGHORN_BETA_COMPAT
267 static int
268 wrap_signeddata(unsigned char *data, unsigned int data_len,
269 unsigned char **out, unsigned int *out_len,
270 int is_longhorn_server);
271 #else
272 static int
273 wrap_signeddata(unsigned char *data, unsigned int data_len,
274 unsigned char **out, unsigned int *out_len);
275 #endif
276
277 /* This handy macro borrowed from crypto/x509v3/v3_purp.c */
278 #define ku_reject(x, usage) \
279 (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))
280
281 static char *
282 pkinit_pkcs11_code_to_text(int err);
283
284 #endif /* _PKINIT_CRYPTO_OPENSSL_H */
13 * University of Michigan is included in any copy of any
14 * portion of this software, then the disclaimer below must
15 * also be included.
16 *
17 * THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION
18 * FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY
19 * PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF
20 * MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING
21 * WITHOUT LIMITATION THE IMPLIED WARRANTIES OF
22 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE
23 * REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE
24 * FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR
25 * CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING
26 * OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN
27 * IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF
28 * SUCH DAMAGES.
29 */
30
31 /*
32 * Copyright (c) 2008, 2010, Oracle and/or its affiliates. All rights reserved.
33 * Copyright 2018 OmniOS Community Edition (OmniOSce) Association.
34 */
35
36 #ifndef _PKINIT_CRYPTO_OPENSSL_H
37 #define _PKINIT_CRYPTO_OPENSSL_H
38
39 #include <openssl/bn.h>
40 #include <openssl/dh.h>
41 #include <openssl/x509.h>
42 #include <openssl/pkcs7.h>
43 #include <openssl/pkcs12.h>
44 #include <openssl/obj_mac.h>
45 #include <openssl/x509v3.h>
46 #include <openssl/err.h>
47 #include <openssl/evp.h>
48 #include <openssl/sha.h>
49 #include <openssl/asn1.h>
50 #include <openssl/pem.h>
51 #include <openssl/rsa.h>
52
53 #if OPENSSL_VERSION_NUMBER < 0x10100000L
54 #include <openssl/asn1_mac.h>
55 #else
56 #include <openssl/asn1t.h>
57 #endif
58
59 #include "pkinit.h"
60
61 #define DN_BUF_LEN 256
62 #define MAX_CREDS_ALLOWED 20
63
64 struct _pkinit_cred_info {
65 X509 *cert;
66 EVP_PKEY *key;
67 #ifndef WITHOUT_PKCS11
68 CK_BYTE_PTR cert_id;
69 int cert_id_len;
70 #endif
71 };
72 typedef struct _pkinit_cred_info * pkinit_cred_info;
73
74 struct _pkinit_identity_crypto_context {
75 pkinit_cred_info creds[MAX_CREDS_ALLOWED+1];
76 STACK_OF(X509) *my_certs; /* available user certs */
77 int cert_index; /* cert to use out of available certs*/
78 EVP_PKEY *my_key; /* available user keys if in filesystem */
152 pkinit_identity_crypto_context idctx;
153 unsigned int index;
154 };
155
156 /* Solaris Kerberos */
157 static krb5_error_code openssl_init(void);
158
159 static krb5_error_code pkinit_init_pkinit_oids(pkinit_plg_crypto_context );
160 static void pkinit_fini_pkinit_oids(pkinit_plg_crypto_context );
161
162 static krb5_error_code pkinit_init_dh_params(pkinit_plg_crypto_context );
163 static void pkinit_fini_dh_params(pkinit_plg_crypto_context );
164
165 static krb5_error_code pkinit_init_certs(pkinit_identity_crypto_context ctx);
166 static void pkinit_fini_certs(pkinit_identity_crypto_context ctx);
167
168 static krb5_error_code pkinit_init_pkcs11(pkinit_identity_crypto_context ctx);
169 static void pkinit_fini_pkcs11(pkinit_identity_crypto_context ctx);
170
171 static krb5_error_code pkinit_encode_dh_params
172 (const BIGNUM *, const BIGNUM *, const BIGNUM *,
173 unsigned char **, unsigned int *);
174 static DH *pkinit_decode_dh_params
175 (DH **, unsigned char **, unsigned int );
176 static int pkinit_check_dh_params
177 (const BIGNUM *p1, const BIGNUM *p2, const BIGNUM *g1,
178 const BIGNUM *q1);
179
180 static krb5_error_code pkinit_sign_data
181 (krb5_context context, pkinit_identity_crypto_context cryptoctx,
182 unsigned char *data, unsigned int data_len,
183 unsigned char **sig, unsigned int *sig_len);
184
185 static krb5_error_code create_signature
186 (unsigned char **, unsigned int *, unsigned char *, unsigned int,
187 EVP_PKEY *pkey);
188
189 static krb5_error_code pkinit_decode_data
190 (krb5_context context, pkinit_identity_crypto_context cryptoctx,
191 unsigned char *data, unsigned int data_len,
192 unsigned char **decoded, unsigned int *decoded_len);
193
194 static krb5_error_code decode_data
195 (unsigned char **, unsigned int *, unsigned char *, unsigned int,
196 EVP_PKEY *pkey, X509 *cert);
197
198 #ifdef DEBUG_DH
267 pkinit_plg_crypto_context plg_cryptoctx,
268 pkinit_req_crypto_context req_cryptoctx,
269 pkinit_identity_crypto_context id_cryptoctx,
270 krb5_external_principal_identifier *** ids);
271
272 static krb5_error_code
273 create_identifiers_from_stack(STACK_OF(X509) *sk,
274 krb5_external_principal_identifier *** ids);
275 #ifdef LONGHORN_BETA_COMPAT
276 static int
277 wrap_signeddata(unsigned char *data, unsigned int data_len,
278 unsigned char **out, unsigned int *out_len,
279 int is_longhorn_server);
280 #else
281 static int
282 wrap_signeddata(unsigned char *data, unsigned int data_len,
283 unsigned char **out, unsigned int *out_len);
284 #endif
285
286 /* This handy macro borrowed from crypto/x509v3/v3_purp.c */
287
288 #if OPENSSL_VERSION_NUMBER < 0x10100000L
289 #define ku_reject(x, usage) \
290 (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))
291 #else
292 #define ku_reject(x, usage) \
293 ((X509_get_extension_flags(x) & EXFLAG_KUSAGE) && \
294 !(X509_get_key_usage(x) & (usage)))
295 #endif
296
297 static char *
298 pkinit_pkcs11_code_to_text(int err);
299
300 #endif /* _PKINIT_CRYPTO_OPENSSL_H */