123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394 |
- /*-
- * Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
- * Copyright Nokia 2007-2019
- * Copyright Siemens AG 2015-2019
- *
- * Licensed under the Apache License 2.0 (the "License"). You may not use
- * this file except in compliance with the License. You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- *
- * CRMF implementation by Martin Peylo, Miikka Viljanen, and David von Oheimb.
- */
- #ifndef OSSL_CRYPTO_CRMF_LOCAL_H
- # define OSSL_CRYPTO_CRMF_LOCAL_H
- # include <openssl/crmf.h>
- # include <openssl/err.h>
- /* explicit #includes not strictly needed since implied by the above: */
- # include <openssl/types.h>
- # include <openssl/safestack.h>
- # include <openssl/x509.h>
- # include <openssl/x509v3.h>
- /*-
- * EncryptedValue ::= SEQUENCE {
- * intendedAlg [0] AlgorithmIdentifier OPTIONAL,
- * -- the intended algorithm for which the value will be used
- * symmAlg [1] AlgorithmIdentifier OPTIONAL,
- * -- the symmetric algorithm used to encrypt the value
- * encSymmKey [2] BIT STRING OPTIONAL,
- * -- the (encrypted) symmetric key used to encrypt the value
- * keyAlg [3] AlgorithmIdentifier OPTIONAL,
- * -- algorithm used to encrypt the symmetric key
- * valueHint [4] OCTET STRING OPTIONAL,
- * -- a brief description or identifier of the encValue content
- * -- (may be meaningful only to the sending entity, and
- * -- used only if EncryptedValue might be re-examined
- * -- by the sending entity in the future)
- * encValue BIT STRING
- * -- the encrypted value itself
- * }
- */
- struct ossl_crmf_encryptedvalue_st {
- X509_ALGOR *intendedAlg; /* 0 */
- X509_ALGOR *symmAlg; /* 1 */
- ASN1_BIT_STRING *encSymmKey; /* 2 */
- X509_ALGOR *keyAlg; /* 3 */
- ASN1_OCTET_STRING *valueHint; /* 4 */
- ASN1_BIT_STRING *encValue;
- } /* OSSL_CRMF_ENCRYPTEDVALUE */;
- /*-
- * Attributes ::= SET OF Attribute
- * => X509_ATTRIBUTE
- *
- * PrivateKeyInfo ::= SEQUENCE {
- * version INTEGER,
- * privateKeyAlgorithm AlgorithmIdentifier,
- * privateKey OCTET STRING,
- * attributes [0] IMPLICIT Attributes OPTIONAL
- * }
- */
- typedef struct ossl_crmf_privatekeyinfo_st {
- ASN1_INTEGER *version;
- X509_ALGOR *privateKeyAlgorithm;
- ASN1_OCTET_STRING *privateKey;
- STACK_OF(X509_ATTRIBUTE) *attributes; /* [ 0 ] */
- } OSSL_CRMF_PRIVATEKEYINFO;
- DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_PRIVATEKEYINFO)
- /*-
- * section 4.2.1 Private Key Info Content Type
- * id-ct-encKeyWithID OBJECT IDENTIFIER ::= {id-ct 21}
- *
- * EncKeyWithID ::= SEQUENCE {
- * privateKey PrivateKeyInfo,
- * identifier CHOICE {
- * string UTF8String,
- * generalName GeneralName
- * } OPTIONAL
- * }
- */
- typedef struct ossl_crmf_enckeywithid_identifier_st {
- int type;
- union {
- ASN1_UTF8STRING *string;
- GENERAL_NAME *generalName;
- } value;
- } OSSL_CRMF_ENCKEYWITHID_IDENTIFIER;
- DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_ENCKEYWITHID_IDENTIFIER)
- typedef struct ossl_crmf_enckeywithid_st {
- OSSL_CRMF_PRIVATEKEYINFO *privateKey;
- /* [0] */
- OSSL_CRMF_ENCKEYWITHID_IDENTIFIER *identifier;
- } OSSL_CRMF_ENCKEYWITHID;
- DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_ENCKEYWITHID)
- /*-
- * CertId ::= SEQUENCE {
- * issuer GeneralName,
- * serialNumber INTEGER
- * }
- */
- struct ossl_crmf_certid_st {
- GENERAL_NAME *issuer;
- ASN1_INTEGER *serialNumber;
- } /* OSSL_CRMF_CERTID */;
- DECLARE_ASN1_DUP_FUNCTION(OSSL_CRMF_CERTID)
- /*-
- * SinglePubInfo ::= SEQUENCE {
- * pubMethod INTEGER {
- * dontCare (0),
- * x500 (1),
- * web (2),
- * ldap (3) },
- * pubLocation GeneralName OPTIONAL
- * }
- */
- struct ossl_crmf_singlepubinfo_st {
- ASN1_INTEGER *pubMethod;
- GENERAL_NAME *pubLocation;
- } /* OSSL_CRMF_SINGLEPUBINFO */;
- DEFINE_STACK_OF(OSSL_CRMF_SINGLEPUBINFO)
- typedef STACK_OF(OSSL_CRMF_SINGLEPUBINFO) OSSL_CRMF_PUBINFOS;
- /*-
- * PKIPublicationInfo ::= SEQUENCE {
- * action INTEGER {
- * dontPublish (0),
- * pleasePublish (1) },
- * pubInfos SEQUENCE SIZE (1..MAX) OF SinglePubInfo OPTIONAL
- * -- pubInfos MUST NOT be present if action is "dontPublish"
- * -- (if action is "pleasePublish" and pubInfos is omitted,
- * -- "dontCare" is assumed)
- * }
- */
- struct ossl_crmf_pkipublicationinfo_st {
- ASN1_INTEGER *action;
- OSSL_CRMF_PUBINFOS *pubInfos;
- } /* OSSL_CRMF_PKIPUBLICATIONINFO */;
- DECLARE_ASN1_DUP_FUNCTION(OSSL_CRMF_PKIPUBLICATIONINFO)
- /*-
- * PKMACValue ::= SEQUENCE {
- * algId AlgorithmIdentifier,
- * -- algorithm value shall be PasswordBasedMac {1 2 840 113533 7 66 13}
- * -- parameter value is PBMParameter
- * value BIT STRING
- * }
- */
- typedef struct ossl_crmf_pkmacvalue_st {
- X509_ALGOR *algId;
- ASN1_BIT_STRING *value;
- } OSSL_CRMF_PKMACVALUE;
- DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_PKMACVALUE)
- /*-
- * SubsequentMessage ::= INTEGER {
- * encrCert (0),
- * -- requests that resulting certificate be encrypted for the
- * -- end entity (following which, POP will be proven in a
- * -- confirmation message)
- * challengeResp (1)
- * -- requests that CA engage in challenge-response exchange with
- * -- end entity in order to prove private key possession
- * }
- *
- * POPOPrivKey ::= CHOICE {
- * thisMessage [0] BIT STRING, -- Deprecated
- * -- possession is proven in this message (which contains the private
- * -- key itself (encrypted for the CA))
- * subsequentMessage [1] SubsequentMessage,
- * -- possession will be proven in a subsequent message
- * dhMAC [2] BIT STRING, -- Deprecated
- * agreeMAC [3] PKMACValue,
- * encryptedKey [4] EnvelopedData
- * }
- */
- typedef struct ossl_crmf_popoprivkey_st {
- int type;
- union {
- ASN1_BIT_STRING *thisMessage; /* 0 */ /* Deprecated */
- ASN1_INTEGER *subsequentMessage; /* 1 */
- ASN1_BIT_STRING *dhMAC; /* 2 */ /* Deprecated */
- OSSL_CRMF_PKMACVALUE *agreeMAC; /* 3 */
- /*
- * TODO: This is not ASN1_NULL but CMS_ENVELOPEDDATA which should be
- * somehow taken from crypto/cms which exists now
- * - this is not used anywhere so far
- */
- ASN1_NULL *encryptedKey; /* 4 */
- } value;
- } OSSL_CRMF_POPOPRIVKEY;
- DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_POPOPRIVKEY)
- /*-
- * PBMParameter ::= SEQUENCE {
- * salt OCTET STRING,
- * owf AlgorithmIdentifier,
- * -- AlgId for a One-Way Function (SHA-1 recommended)
- * iterationCount INTEGER,
- * -- number of times the OWF is applied
- * mac AlgorithmIdentifier
- * -- the MAC AlgId (e.g., DES-MAC, Triple-DES-MAC [PKCS11],
- * -- or HMAC [HMAC, RFC2202])
- * }
- */
- struct ossl_crmf_pbmparameter_st {
- ASN1_OCTET_STRING *salt;
- X509_ALGOR *owf;
- ASN1_INTEGER *iterationCount;
- X509_ALGOR *mac;
- } /* OSSL_CRMF_PBMPARAMETER */;
- #define OSSL_CRMF_PBM_MAX_ITERATION_COUNT 100000 /* if too large allows DoS */
- /*-
- * POPOSigningKeyInput ::= SEQUENCE {
- * authInfo CHOICE {
- * sender [0] GeneralName,
- * -- used only if an authenticated identity has been
- * -- established for the sender (e.g., a DN from a
- * -- previously-issued and currently-valid certificate)
- * publicKeyMAC PKMACValue },
- * -- used if no authenticated GeneralName currently exists for
- * -- the sender; publicKeyMAC contains a password-based MAC
- * -- on the DER-encoded value of publicKey
- * publicKey SubjectPublicKeyInfo -- from CertTemplate
- * }
- */
- typedef struct ossl_crmf_poposigningkeyinput_authinfo_st {
- int type;
- union {
- /* 0 */ GENERAL_NAME *sender;
- /* 1 */ OSSL_CRMF_PKMACVALUE *publicKeyMAC;
- } value;
- } OSSL_CRMF_POPOSIGNINGKEYINPUT_AUTHINFO;
- DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_POPOSIGNINGKEYINPUT_AUTHINFO)
- typedef struct ossl_crmf_poposigningkeyinput_st {
- OSSL_CRMF_POPOSIGNINGKEYINPUT_AUTHINFO *authInfo;
- X509_PUBKEY *publicKey;
- } OSSL_CRMF_POPOSIGNINGKEYINPUT;
- DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_POPOSIGNINGKEYINPUT)
- /*-
- * POPOSigningKey ::= SEQUENCE {
- * poposkInput [0] POPOSigningKeyInput OPTIONAL,
- * algorithmIdentifier AlgorithmIdentifier,
- * signature BIT STRING
- * }
- */
- struct ossl_crmf_poposigningkey_st {
- OSSL_CRMF_POPOSIGNINGKEYINPUT *poposkInput;
- X509_ALGOR *algorithmIdentifier;
- ASN1_BIT_STRING *signature;
- } /* OSSL_CRMF_POPOSIGNINGKEY */;
- DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_POPOSIGNINGKEY)
- /*-
- * ProofOfPossession ::= CHOICE {
- * raVerified [0] NULL,
- * -- used if the RA has already verified that the requester is in
- * -- possession of the private key
- * signature [1] POPOSigningKey,
- * keyEncipherment [2] POPOPrivKey,
- * keyAgreement [3] POPOPrivKey
- * }
- */
- typedef struct ossl_crmf_popo_st {
- int type;
- union {
- ASN1_NULL *raVerified; /* 0 */
- OSSL_CRMF_POPOSIGNINGKEY *signature; /* 1 */
- OSSL_CRMF_POPOPRIVKEY *keyEncipherment; /* 2 */
- OSSL_CRMF_POPOPRIVKEY *keyAgreement; /* 3 */
- } value;
- } OSSL_CRMF_POPO;
- DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_POPO)
- /*-
- * OptionalValidity ::= SEQUENCE {
- * notBefore [0] Time OPTIONAL,
- * notAfter [1] Time OPTIONAL -- at least one MUST be present
- * }
- */
- struct ossl_crmf_optionalvalidity_st {
- /* 0 */ ASN1_TIME *notBefore;
- /* 1 */ ASN1_TIME *notAfter;
- } /* OSSL_CRMF_OPTIONALVALIDITY */;
- DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_OPTIONALVALIDITY)
- /*-
- * CertTemplate ::= SEQUENCE {
- * version [0] Version OPTIONAL,
- * serialNumber [1] INTEGER OPTIONAL,
- * signingAlg [2] AlgorithmIdentifier OPTIONAL,
- * issuer [3] Name OPTIONAL,
- * validity [4] OptionalValidity OPTIONAL,
- * subject [5] Name OPTIONAL,
- * publicKey [6] SubjectPublicKeyInfo OPTIONAL,
- * issuerUID [7] UniqueIdentifier OPTIONAL,
- * subjectUID [8] UniqueIdentifier OPTIONAL,
- * extensions [9] Extensions OPTIONAL
- * }
- */
- struct ossl_crmf_certtemplate_st {
- ASN1_INTEGER *version; /* 0 */
- ASN1_INTEGER *serialNumber; /* 1 */ /* serialNumber MUST be omitted */
- /* This field is assigned by the CA during certificate creation */
- X509_ALGOR *signingAlg; /* 2 */ /* signingAlg MUST be omitted */
- /* This field is assigned by the CA during certificate creation */
- X509_NAME *issuer; /* 3 */
- OSSL_CRMF_OPTIONALVALIDITY *validity; /* 4 */
- X509_NAME *subject; /* 5 */
- X509_PUBKEY *publicKey; /* 6 */
- ASN1_BIT_STRING *issuerUID; /* 7 */ /* deprecated in version 2 */
- /* According to rfc 3280: UniqueIdentifier ::= BIT STRING */
- ASN1_BIT_STRING *subjectUID; /* 8 */ /* deprecated in version 2 */
- /* Could be X509_EXTENSION*S*, but that's only cosmetic */
- STACK_OF(X509_EXTENSION) *extensions; /* 9 */
- } /* OSSL_CRMF_CERTTEMPLATE */;
- /*-
- * CertRequest ::= SEQUENCE {
- * certReqId INTEGER, -- ID for matching request and reply
- * certTemplate CertTemplate, -- Selected fields of cert to be issued
- * controls Controls OPTIONAL -- Attributes affecting issuance
- * }
- */
- struct ossl_crmf_certrequest_st {
- ASN1_INTEGER *certReqId;
- OSSL_CRMF_CERTTEMPLATE *certTemplate;
- /* TODO: make OSSL_CRMF_CONTROLS out of that - but only cosmetical */
- STACK_OF(OSSL_CRMF_ATTRIBUTETYPEANDVALUE) *controls;
- } /* OSSL_CRMF_CERTREQUEST */;
- DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_CERTREQUEST)
- DECLARE_ASN1_DUP_FUNCTION(OSSL_CRMF_CERTREQUEST)
- /* TODO: isn't there a better way to have this for ANY type? */
- struct ossl_crmf_attributetypeandvalue_st {
- ASN1_OBJECT *type;
- union {
- /* NID_id_regCtrl_regToken */
- ASN1_UTF8STRING *regToken;
- /* NID_id_regCtrl_authenticator */
- ASN1_UTF8STRING *authenticator;
- /* NID_id_regCtrl_pkiPublicationInfo */
- OSSL_CRMF_PKIPUBLICATIONINFO *pkiPublicationInfo;
- /* NID_id_regCtrl_oldCertID */
- OSSL_CRMF_CERTID *oldCertID;
- /* NID_id_regCtrl_protocolEncrKey */
- X509_PUBKEY *protocolEncrKey;
- /* NID_id_regInfo_utf8Pairs */
- ASN1_UTF8STRING *utf8Pairs;
- /* NID_id_regInfo_certReq */
- OSSL_CRMF_CERTREQUEST *certReq;
- ASN1_TYPE *other;
- } value;
- } /* OSSL_CRMF_ATTRIBUTETYPEANDVALUE */;
- DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_ATTRIBUTETYPEANDVALUE)
- DEFINE_STACK_OF(OSSL_CRMF_ATTRIBUTETYPEANDVALUE)
- DECLARE_ASN1_DUP_FUNCTION(OSSL_CRMF_ATTRIBUTETYPEANDVALUE)
- /*-
- * CertReqMessages ::= SEQUENCE SIZE (1..MAX) OF CertReqMsg
- * CertReqMsg ::= SEQUENCE {
- * certReq CertRequest,
- * popo ProofOfPossession OPTIONAL,
- * -- content depends upon key type
- * regInfo SEQUENCE SIZE(1..MAX) OF AttributeTypeAndValue OPTIONAL
- * }
- */
- struct ossl_crmf_msg_st {
- OSSL_CRMF_CERTREQUEST *certReq;
- /* 0 */
- OSSL_CRMF_POPO *popo;
- /* 1 */
- STACK_OF(OSSL_CRMF_ATTRIBUTETYPEANDVALUE) *regInfo;
- } /* OSSL_CRMF_MSG */;
- /* DEFINE_STACK_OF(OSSL_CRMF_MSG) */
- #endif
|