[thirdparty/openssl.git] / crypto / crmf / crmf_local.h

/*-
 * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright Nokia 2007-2019
 * Copyright Siemens AG 2015-2019
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 *
 * CRMF implementation by Martin Peylo, Miikka Viljanen, and David von Oheimb.
 */

#ifndef OSSL_CRYPTO_CRMF_LOCAL_H
# define OSSL_CRYPTO_CRMF_LOCAL_H

# include <openssl/crmf.h>
# include <openssl/err.h>

/* explicit #includes not strictly needed since implied by the above: */
# include <openssl/types.h>
# include <openssl/safestack.h>
# include <openssl/x509.h>
# include <openssl/x509v3.h>

/*-
 * EncryptedValue ::= SEQUENCE {
 * intendedAlg   [0] AlgorithmIdentifier  OPTIONAL,
 *                  -- the intended algorithm for which the value will be used
 * symmAlg       [1] AlgorithmIdentifier  OPTIONAL,
 *                  -- the symmetric algorithm used to encrypt the value
 * encSymmKey    [2] BIT STRING           OPTIONAL,
 *                  -- the (encrypted) symmetric key used to encrypt the value
 * keyAlg        [3] AlgorithmIdentifier  OPTIONAL,
 *                  -- algorithm used to encrypt the symmetric key
 * valueHint     [4] OCTET STRING         OPTIONAL,
 *                  -- a brief description or identifier of the encValue content
 *                  -- (may be meaningful only to the sending entity, and
 *                  --  used only if EncryptedValue might be re-examined
 *                  --  by the sending entity in the future)
 * encValue      BIT STRING
 *                  -- the encrypted value itself
 * }
 */
struct ossl_crmf_encryptedvalue_st {
    X509_ALGOR *intendedAlg;      /* 0 */
    X509_ALGOR *symmAlg;          /* 1 */
    ASN1_BIT_STRING *encSymmKey;  /* 2 */
    X509_ALGOR *keyAlg;           /* 3 */
    ASN1_OCTET_STRING *valueHint; /* 4 */
    ASN1_BIT_STRING *encValue;
} /* OSSL_CRMF_ENCRYPTEDVALUE */;

/*-
 *  Attributes ::= SET OF Attribute
 *  => X509_ATTRIBUTE
 *
 *  PrivateKeyInfo ::= SEQUENCE {
 *     version                       INTEGER,
 *     privateKeyAlgorithm           AlgorithmIdentifier,
 *     privateKey                    OCTET STRING,
 *     attributes                    [0] IMPLICIT Attributes OPTIONAL
 *  }
 */
typedef struct ossl_crmf_privatekeyinfo_st {
    ASN1_INTEGER *version;
    X509_ALGOR *privateKeyAlgorithm;
    ASN1_OCTET_STRING *privateKey;
    STACK_OF(X509_ATTRIBUTE) *attributes; /* [ 0 ] */
} OSSL_CRMF_PRIVATEKEYINFO;
DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_PRIVATEKEYINFO)

/*-
 * section 4.2.1 Private Key Info Content Type
 * id-ct-encKeyWithID OBJECT IDENTIFIER ::= {id-ct 21}
 *
 * EncKeyWithID ::= SEQUENCE {
 * privateKey     PrivateKeyInfo,
 * identifier     CHOICE {
 *                      string         UTF8String,
 *                      generalName    GeneralName
 *                } OPTIONAL
 * }
 */
typedef struct ossl_crmf_enckeywithid_identifier_st {
    int type;
    union {
        ASN1_UTF8STRING *string;
        GENERAL_NAME *generalName;
    } value;
} OSSL_CRMF_ENCKEYWITHID_IDENTIFIER;
DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_ENCKEYWITHID_IDENTIFIER)

typedef struct ossl_crmf_enckeywithid_st {
    OSSL_CRMF_PRIVATEKEYINFO *privateKey;
    /* [0] */
    OSSL_CRMF_ENCKEYWITHID_IDENTIFIER *identifier;
} OSSL_CRMF_ENCKEYWITHID;
DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_ENCKEYWITHID)

/*-
 * CertId ::= SEQUENCE {
 *      issuer           GeneralName,
 *      serialNumber     INTEGER
 * }
 */
struct ossl_crmf_certid_st {
    GENERAL_NAME *issuer;
    ASN1_INTEGER *serialNumber;
} /* OSSL_CRMF_CERTID */;

/*-
 * SinglePubInfo ::= SEQUENCE {
 *  pubMethod        INTEGER {
 *      dontCare        (0),
 *      x500            (1),
 *      web             (2),
 *      ldap            (3) },
 *  pubLocation  GeneralName OPTIONAL
 * }
 */
struct ossl_crmf_singlepubinfo_st {
    ASN1_INTEGER *pubMethod;
    GENERAL_NAME *pubLocation;
} /* OSSL_CRMF_SINGLEPUBINFO */;
DEFINE_STACK_OF(OSSL_CRMF_SINGLEPUBINFO)
typedef STACK_OF(OSSL_CRMF_SINGLEPUBINFO) OSSL_CRMF_PUBINFOS;

/*-
 * PKIPublicationInfo ::= SEQUENCE {
 *      action     INTEGER {
 *                   dontPublish (0),
 *                   pleasePublish (1) },
 *      pubInfos   SEQUENCE SIZE (1..MAX) OF SinglePubInfo OPTIONAL
 *      -- pubInfos MUST NOT be present if action is "dontPublish"
 *      -- (if action is "pleasePublish" and pubInfos is omitted,
 *      -- "dontCare" is assumed)
 * }
 */
struct ossl_crmf_pkipublicationinfo_st {
    ASN1_INTEGER *action;
    OSSL_CRMF_PUBINFOS *pubInfos;
} /* OSSL_CRMF_PKIPUBLICATIONINFO */;
DECLARE_ASN1_DUP_FUNCTION(OSSL_CRMF_PKIPUBLICATIONINFO)

/*-
 * PKMACValue ::= SEQUENCE {
 * algId  AlgorithmIdentifier,
 * -- algorithm value shall be PasswordBasedMac {1 2 840 113533 7 66 13}
 * -- parameter value is PBMParameter
 * value  BIT STRING
 * }
 */
typedef struct ossl_crmf_pkmacvalue_st {
    X509_ALGOR *algId;
    ASN1_BIT_STRING *value;
} OSSL_CRMF_PKMACVALUE;
DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_PKMACVALUE)

/*-
 * SubsequentMessage ::= INTEGER {
 * encrCert (0),
 * -- requests that resulting certificate be encrypted for the
 * -- end entity (following which, POP will be proven in a
 * -- confirmation message)
 * challengeResp (1)
 * -- requests that CA engage in challenge-response exchange with
 * -- end entity in order to prove private key possession
 * }
 *
 * POPOPrivKey ::= CHOICE {
 * thisMessage       [0] BIT STRING,                 -- Deprecated
 * -- possession is proven in this message (which contains the private
 * -- key itself (encrypted for the CA))
 * subsequentMessage [1] SubsequentMessage,
 * -- possession will be proven in a subsequent message
 * dhMAC             [2] BIT STRING,                 -- Deprecated
 * agreeMAC          [3] PKMACValue,
 * encryptedKey      [4] EnvelopedData
 * }
 */

typedef struct ossl_crmf_popoprivkey_st {
    int type;
    union {
        ASN1_BIT_STRING *thisMessage; /* 0 */ /* Deprecated */
        ASN1_INTEGER *subsequentMessage; /* 1 */
        ASN1_BIT_STRING *dhMAC; /* 2 */ /* Deprecated */
        OSSL_CRMF_PKMACVALUE *agreeMAC; /* 3 */
        ASN1_NULL *encryptedKey; /* 4 */
        /* When supported, ASN1_NULL needs to be replaced by CMS_ENVELOPEDDATA */
    } value;
} OSSL_CRMF_POPOPRIVKEY;
DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_POPOPRIVKEY)

/*-
 * PBMParameter ::= SEQUENCE {
 *    salt                    OCTET STRING,
 *    owf                     AlgorithmIdentifier,
 *    -- AlgId for a One-Way Function (SHA-1 recommended)
 *    iterationCount          INTEGER,
 *    -- number of times the OWF is applied
 *    mac                     AlgorithmIdentifier
 *    -- the MAC AlgId (e.g., DES-MAC, Triple-DES-MAC [PKCS11],
 *    -- or HMAC [HMAC, RFC2202])
 * }
 */
struct ossl_crmf_pbmparameter_st {
    ASN1_OCTET_STRING *salt;
    X509_ALGOR *owf;
    ASN1_INTEGER *iterationCount;
    X509_ALGOR *mac;
} /* OSSL_CRMF_PBMPARAMETER */;
# define OSSL_CRMF_PBM_MAX_ITERATION_COUNT 100000 /* if too large allows DoS */

/*-
 * POPOSigningKeyInput ::= SEQUENCE {
 * authInfo       CHOICE {
 *     sender                 [0] GeneralName,
 *   -- used only if an authenticated identity has been
 *   -- established for the sender (e.g., a DN from a
 *   -- previously-issued and currently-valid certificate)
 *     publicKeyMAC           PKMACValue },
 *   -- used if no authenticated GeneralName currently exists for
 *   -- the sender; publicKeyMAC contains a password-based MAC
 *   -- on the DER-encoded value of publicKey
 * publicKey      SubjectPublicKeyInfo  -- from CertTemplate
 * }
 */
typedef struct ossl_crmf_poposigningkeyinput_authinfo_st {
    int type;
    union {
        /* 0 */ GENERAL_NAME *sender;
        /* 1 */ OSSL_CRMF_PKMACVALUE *publicKeyMAC;
    } value;
} OSSL_CRMF_POPOSIGNINGKEYINPUT_AUTHINFO;
DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_POPOSIGNINGKEYINPUT_AUTHINFO)

typedef struct ossl_crmf_poposigningkeyinput_st {
    OSSL_CRMF_POPOSIGNINGKEYINPUT_AUTHINFO *authInfo;
    X509_PUBKEY *publicKey;
} OSSL_CRMF_POPOSIGNINGKEYINPUT;
DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_POPOSIGNINGKEYINPUT)

/*-
 * POPOSigningKey ::= SEQUENCE {
 *  poposkInput           [0] POPOSigningKeyInput OPTIONAL,
 *  algorithmIdentifier   AlgorithmIdentifier,
 *  signature             BIT STRING
 * }
 */
struct ossl_crmf_poposigningkey_st {
    OSSL_CRMF_POPOSIGNINGKEYINPUT *poposkInput;
    X509_ALGOR *algorithmIdentifier;
    ASN1_BIT_STRING *signature;
} /* OSSL_CRMF_POPOSIGNINGKEY */;
DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_POPOSIGNINGKEY)

/*-
 * ProofOfPossession ::= CHOICE {
 *  raVerified        [0] NULL,
 *  -- used if the RA has already verified that the requester is in
 *  -- possession of the private key
 *  signature         [1] POPOSigningKey,
 *  keyEncipherment   [2] POPOPrivKey,
 *  keyAgreement      [3] POPOPrivKey
 * }
 */
typedef struct ossl_crmf_popo_st {
    int type;
    union {
        ASN1_NULL *raVerified; /* 0 */
        OSSL_CRMF_POPOSIGNINGKEY *signature; /* 1 */
        OSSL_CRMF_POPOPRIVKEY *keyEncipherment; /* 2 */
        OSSL_CRMF_POPOPRIVKEY *keyAgreement; /* 3 */
    } value;
} OSSL_CRMF_POPO;
DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_POPO)

/*-
 * OptionalValidity ::= SEQUENCE {
 *  notBefore      [0] Time OPTIONAL,
 *  notAfter       [1] Time OPTIONAL  -- at least one MUST be present
 * }
 */
struct ossl_crmf_optionalvalidity_st {
    /* 0 */ ASN1_TIME *notBefore;
    /* 1 */ ASN1_TIME *notAfter;
} /* OSSL_CRMF_OPTIONALVALIDITY */;
DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_OPTIONALVALIDITY)

/*-
 * CertTemplate ::= SEQUENCE {
 * version          [0] Version                   OPTIONAL,
 * serialNumber     [1] INTEGER                   OPTIONAL,
 * signingAlg       [2] AlgorithmIdentifier       OPTIONAL,
 * issuer           [3] Name                      OPTIONAL,
 * validity         [4] OptionalValidity          OPTIONAL,
 * subject          [5] Name                      OPTIONAL,
 * publicKey        [6] SubjectPublicKeyInfo      OPTIONAL,
 * issuerUID        [7] UniqueIdentifier          OPTIONAL,
 * subjectUID       [8] UniqueIdentifier          OPTIONAL,
 * extensions       [9] Extensions                OPTIONAL
 * }
 */
struct ossl_crmf_certtemplate_st {
    ASN1_INTEGER *version;
    ASN1_INTEGER *serialNumber; /* serialNumber MUST be omitted */
    /* This field is assigned by the CA during certificate creation */
    X509_ALGOR *signingAlg; /* signingAlg MUST be omitted */
    /* This field is assigned by the CA during certificate creation */
    const X509_NAME *issuer;
    OSSL_CRMF_OPTIONALVALIDITY *validity;
    const X509_NAME *subject;
    X509_PUBKEY *publicKey;
    ASN1_BIT_STRING *issuerUID; /* deprecated in version 2 */
    /* According to rfc 3280: UniqueIdentifier ::= BIT STRING */
    ASN1_BIT_STRING *subjectUID; /* deprecated in version 2 */
    /* Could be X509_EXTENSION*S*, but that's only cosmetic */
    STACK_OF(X509_EXTENSION) *extensions;
} /* OSSL_CRMF_CERTTEMPLATE */;

/*-
 * CertRequest ::= SEQUENCE {
 *  certReqId        INTEGER,          -- ID for matching request and reply
 *  certTemplate     CertTemplate,     -- Selected fields of cert to be issued
 *  controls         Controls OPTIONAL -- Attributes affecting issuance
 * }
 */
struct ossl_crmf_certrequest_st {
    ASN1_INTEGER *certReqId;
    OSSL_CRMF_CERTTEMPLATE *certTemplate;
    STACK_OF(OSSL_CRMF_ATTRIBUTETYPEANDVALUE /* Controls expanded */) *controls;
} /* OSSL_CRMF_CERTREQUEST */;
DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_CERTREQUEST)
DECLARE_ASN1_DUP_FUNCTION(OSSL_CRMF_CERTREQUEST)

struct ossl_crmf_attributetypeandvalue_st {
    ASN1_OBJECT *type;
    union {
        /* NID_id_regCtrl_regToken */
        ASN1_UTF8STRING *regToken;

        /* NID_id_regCtrl_authenticator */
        ASN1_UTF8STRING *authenticator;

        /* NID_id_regCtrl_pkiPublicationInfo */
        OSSL_CRMF_PKIPUBLICATIONINFO *pkiPublicationInfo;

        /* NID_id_regCtrl_oldCertID */
        OSSL_CRMF_CERTID *oldCertID;

        /* NID_id_regCtrl_protocolEncrKey */
        X509_PUBKEY *protocolEncrKey;

        /* NID_id_regInfo_utf8Pairs */
        ASN1_UTF8STRING *utf8Pairs;

        /* NID_id_regInfo_certReq */
        OSSL_CRMF_CERTREQUEST *certReq;

        ASN1_TYPE *other;
    } value;
} /* OSSL_CRMF_ATTRIBUTETYPEANDVALUE */;
DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_ATTRIBUTETYPEANDVALUE)
DEFINE_STACK_OF(OSSL_CRMF_ATTRIBUTETYPEANDVALUE)
DECLARE_ASN1_DUP_FUNCTION(OSSL_CRMF_ATTRIBUTETYPEANDVALUE)

/*-
 * CertReqMessages ::= SEQUENCE SIZE (1..MAX) OF CertReqMsg
 * CertReqMsg ::= SEQUENCE {
 *  certReq        CertRequest,
 *  popo           ProofOfPossession  OPTIONAL,
 * -- content depends upon key type
 *  regInfo   SEQUENCE SIZE(1..MAX) OF AttributeTypeAndValue OPTIONAL
 * }
 */
struct ossl_crmf_msg_st {
    OSSL_CRMF_CERTREQUEST *certReq;
    /* 0 */
    OSSL_CRMF_POPO *popo;
    /* 1 */
    STACK_OF(OSSL_CRMF_ATTRIBUTETYPEANDVALUE) *regInfo;
} /* OSSL_CRMF_MSG */;
#endif
Commit	Line	Data
a61b7f2f	1	/*-
38fc02a7	2	* Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved.
8869ad4a AK	3	* Copyright Nokia 2007-2019
8869ad4a AK	4	* Copyright Siemens AG 2015-2019
a61b7f2f	5	*
ce9b9964	6	* Licensed under the Apache License 2.0 (the "License"). You may not use
a61b7f2f DO	7	* this file except in compliance with the License. You can obtain a copy
	8	* in the file LICENSE in the source distribution or at
	9	* https://www.openssl.org/source/license.html
	10	*
	11	* CRMF implementation by Martin Peylo, Miikka Viljanen, and David von Oheimb.
	12	*/
	13
ae4186b0 DMSP	14	#ifndef OSSL_CRYPTO_CRMF_LOCAL_H
ae4186b0 DMSP	15	# define OSSL_CRYPTO_CRMF_LOCAL_H
a61b7f2f DO	16
	17	# include <openssl/crmf.h>
	18	# include <openssl/err.h>
	19
	20	/* explicit #includes not strictly needed since implied by the above: */
50cd4768	21	# include <openssl/types.h>
a61b7f2f DO	22	# include <openssl/safestack.h>
	23	# include <openssl/x509.h>
	24	# include <openssl/x509v3.h>
	25
	26	/*-
	27	* EncryptedValue ::= SEQUENCE {
	28	* intendedAlg [0] AlgorithmIdentifier OPTIONAL,
	29	* -- the intended algorithm for which the value will be used
	30	* symmAlg [1] AlgorithmIdentifier OPTIONAL,
	31	* -- the symmetric algorithm used to encrypt the value
	32	* encSymmKey [2] BIT STRING OPTIONAL,
	33	* -- the (encrypted) symmetric key used to encrypt the value
	34	* keyAlg [3] AlgorithmIdentifier OPTIONAL,
	35	* -- algorithm used to encrypt the symmetric key
	36	* valueHint [4] OCTET STRING OPTIONAL,
	37	* -- a brief description or identifier of the encValue content
	38	* -- (may be meaningful only to the sending entity, and
	39	* -- used only if EncryptedValue might be re-examined
	40	* -- by the sending entity in the future)
	41	* encValue BIT STRING
	42	* -- the encrypted value itself
	43	* }
	44	*/
7960dbec	45	struct ossl_crmf_encryptedvalue_st {
a61b7f2f DO	46	X509_ALGOR intendedAlg; / 0 */
	47	X509_ALGOR symmAlg; / 1 */
	48	ASN1_BIT_STRING encSymmKey; / 2 */
	49	X509_ALGOR keyAlg; / 3 */
	50	ASN1_OCTET_STRING valueHint; / 4 */
	51	ASN1_BIT_STRING *encValue;
	52	} /* OSSL_CRMF_ENCRYPTEDVALUE */;
	53
	54	/*-
	55	* Attributes ::= SET OF Attribute
	56	* => X509_ATTRIBUTE
	57	*
	58	* PrivateKeyInfo ::= SEQUENCE {
	59	* version INTEGER,
	60	* privateKeyAlgorithm AlgorithmIdentifier,
	61	* privateKey OCTET STRING,
	62	* attributes [0] IMPLICIT Attributes OPTIONAL
	63	* }
	64	*/
7960dbec	65	typedef struct ossl_crmf_privatekeyinfo_st {
a61b7f2f DO	66	ASN1_INTEGER *version;
	67	X509_ALGOR *privateKeyAlgorithm;
	68	ASN1_OCTET_STRING *privateKey;
	69	STACK_OF(X509_ATTRIBUTE) attributes; / [ 0 ] */
	70	} OSSL_CRMF_PRIVATEKEYINFO;
	71	DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_PRIVATEKEYINFO)
	72
	73	/*-
	74	* section 4.2.1 Private Key Info Content Type
	75	* id-ct-encKeyWithID OBJECT IDENTIFIER ::= {id-ct 21}
	76	*
	77	* EncKeyWithID ::= SEQUENCE {
	78	* privateKey PrivateKeyInfo,
	79	* identifier CHOICE {
	80	* string UTF8String,
	81	* generalName GeneralName
	82	* } OPTIONAL
	83	* }
	84	*/
7960dbec	85	typedef struct ossl_crmf_enckeywithid_identifier_st {
a61b7f2f DO	86	int type;
	87	union {
	88	ASN1_UTF8STRING *string;
	89	GENERAL_NAME *generalName;
	90	} value;
	91	} OSSL_CRMF_ENCKEYWITHID_IDENTIFIER;
	92	DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_ENCKEYWITHID_IDENTIFIER)
	93
7960dbec	94	typedef struct ossl_crmf_enckeywithid_st {
a61b7f2f DO	95	OSSL_CRMF_PRIVATEKEYINFO *privateKey;
	96	/* [0] */
	97	OSSL_CRMF_ENCKEYWITHID_IDENTIFIER *identifier;
	98	} OSSL_CRMF_ENCKEYWITHID;
	99	DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_ENCKEYWITHID)
	100
	101	/*-
	102	* CertId ::= SEQUENCE {
	103	* issuer GeneralName,
	104	* serialNumber INTEGER
	105	* }
	106	*/
7960dbec	107	struct ossl_crmf_certid_st {
a61b7f2f DO	108	GENERAL_NAME *issuer;
	109	ASN1_INTEGER *serialNumber;
	110	} /* OSSL_CRMF_CERTID */;
a61b7f2f DO	111
	112	/*-
	113	* SinglePubInfo ::= SEQUENCE {
	114	* pubMethod INTEGER {
	115	* dontCare (0),
	116	* x500 (1),
	117	* web (2),
	118	* ldap (3) },
	119	* pubLocation GeneralName OPTIONAL
	120	* }
	121	*/
7960dbec	122	struct ossl_crmf_singlepubinfo_st {
a61b7f2f DO	123	ASN1_INTEGER *pubMethod;
	124	GENERAL_NAME *pubLocation;
	125	} /* OSSL_CRMF_SINGLEPUBINFO */;
	126	DEFINE_STACK_OF(OSSL_CRMF_SINGLEPUBINFO)
	127	typedef STACK_OF(OSSL_CRMF_SINGLEPUBINFO) OSSL_CRMF_PUBINFOS;
	128
a61b7f2f DO	129	/*-
	130	* PKIPublicationInfo ::= SEQUENCE {
	131	* action INTEGER {
	132	* dontPublish (0),
	133	* pleasePublish (1) },
	134	* pubInfos SEQUENCE SIZE (1..MAX) OF SinglePubInfo OPTIONAL
	135	* -- pubInfos MUST NOT be present if action is "dontPublish"
	136	* -- (if action is "pleasePublish" and pubInfos is omitted,
	137	* -- "dontCare" is assumed)
	138	* }
	139	*/
7960dbec	140	struct ossl_crmf_pkipublicationinfo_st {
a61b7f2f DO	141	ASN1_INTEGER *action;
	142	OSSL_CRMF_PUBINFOS *pubInfos;
	143	} /* OSSL_CRMF_PKIPUBLICATIONINFO */;
	144	DECLARE_ASN1_DUP_FUNCTION(OSSL_CRMF_PKIPUBLICATIONINFO)
	145
	146	/*-
	147	* PKMACValue ::= SEQUENCE {
	148	* algId AlgorithmIdentifier,
	149	* -- algorithm value shall be PasswordBasedMac {1 2 840 113533 7 66 13}
	150	* -- parameter value is PBMParameter
	151	* value BIT STRING
	152	* }
	153	*/
7960dbec	154	typedef struct ossl_crmf_pkmacvalue_st {
a61b7f2f DO	155	X509_ALGOR *algId;
	156	ASN1_BIT_STRING *value;
	157	} OSSL_CRMF_PKMACVALUE;
	158	DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_PKMACVALUE)
	159
	160	/*-
	161	* SubsequentMessage ::= INTEGER {
	162	* encrCert (0),
	163	* -- requests that resulting certificate be encrypted for the
	164	* -- end entity (following which, POP will be proven in a
	165	* -- confirmation message)
	166	* challengeResp (1)
	167	* -- requests that CA engage in challenge-response exchange with
	168	* -- end entity in order to prove private key possession
	169	* }
	170	*
	171	* POPOPrivKey ::= CHOICE {
	172	* thisMessage [0] BIT STRING, -- Deprecated
	173	* -- possession is proven in this message (which contains the private
	174	* -- key itself (encrypted for the CA))
	175	* subsequentMessage [1] SubsequentMessage,
	176	* -- possession will be proven in a subsequent message
	177	* dhMAC [2] BIT STRING, -- Deprecated
	178	* agreeMAC [3] PKMACValue,
	179	* encryptedKey [4] EnvelopedData
	180	* }
	181	*/
	182
7960dbec	183	typedef struct ossl_crmf_popoprivkey_st {
a61b7f2f DO	184	int type;
a61b7f2f DO	185	union {
235595c4	186	ASN1_BIT_STRING thisMessage; / 0 / / Deprecated */
a61b7f2f	187	ASN1_INTEGER subsequentMessage; / 1 */
235595c4	188	ASN1_BIT_STRING dhMAC; / 2 / / Deprecated */
a61b7f2f	189	OSSL_CRMF_PKMACVALUE agreeMAC; / 3 */
a61b7f2f	190	ASN1_NULL encryptedKey; / 4 */
084d3afd	191	/* When supported, ASN1_NULL needs to be replaced by CMS_ENVELOPEDDATA */
a61b7f2f DO	192	} value;
	193	} OSSL_CRMF_POPOPRIVKEY;
	194	DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_POPOPRIVKEY)
	195
	196	/*-
	197	* PBMParameter ::= SEQUENCE {
	198	* salt OCTET STRING,
	199	* owf AlgorithmIdentifier,
	200	* -- AlgId for a One-Way Function (SHA-1 recommended)
	201	* iterationCount INTEGER,
	202	* -- number of times the OWF is applied
	203	* mac AlgorithmIdentifier
	204	* -- the MAC AlgId (e.g., DES-MAC, Triple-DES-MAC [PKCS11],
	205	* -- or HMAC [HMAC, RFC2202])
	206	* }
	207	*/
7960dbec	208	struct ossl_crmf_pbmparameter_st {
a61b7f2f DO	209	ASN1_OCTET_STRING *salt;
	210	X509_ALGOR *owf;
	211	ASN1_INTEGER *iterationCount;
	212	X509_ALGOR *mac;
	213	} /* OSSL_CRMF_PBMPARAMETER */;
3dbc5156	214	# define OSSL_CRMF_PBM_MAX_ITERATION_COUNT 100000 /* if too large allows DoS */
a61b7f2f DO	215
	216	/*-
	217	* POPOSigningKeyInput ::= SEQUENCE {
	218	* authInfo CHOICE {
	219	* sender [0] GeneralName,
	220	* -- used only if an authenticated identity has been
	221	* -- established for the sender (e.g., a DN from a
	222	* -- previously-issued and currently-valid certificate)
	223	* publicKeyMAC PKMACValue },
	224	* -- used if no authenticated GeneralName currently exists for
	225	* -- the sender; publicKeyMAC contains a password-based MAC
	226	* -- on the DER-encoded value of publicKey
	227	* publicKey SubjectPublicKeyInfo -- from CertTemplate
	228	* }
3dbc5156	229	*/
7960dbec	230	typedef struct ossl_crmf_poposigningkeyinput_authinfo_st {
a61b7f2f DO	231	int type;
	232	union {
	233	/* 0 / GENERAL_NAME sender;
	234	/* 1 / OSSL_CRMF_PKMACVALUE publicKeyMAC;
	235	} value;
	236	} OSSL_CRMF_POPOSIGNINGKEYINPUT_AUTHINFO;
	237	DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_POPOSIGNINGKEYINPUT_AUTHINFO)
	238
7960dbec	239	typedef struct ossl_crmf_poposigningkeyinput_st {
a61b7f2f DO	240	OSSL_CRMF_POPOSIGNINGKEYINPUT_AUTHINFO *authInfo;
	241	X509_PUBKEY *publicKey;
	242	} OSSL_CRMF_POPOSIGNINGKEYINPUT;
	243	DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_POPOSIGNINGKEYINPUT)
	244
	245	/*-
	246	* POPOSigningKey ::= SEQUENCE {
	247	* poposkInput [0] POPOSigningKeyInput OPTIONAL,
	248	* algorithmIdentifier AlgorithmIdentifier,
	249	* signature BIT STRING
	250	* }
	251	*/
7960dbec	252	struct ossl_crmf_poposigningkey_st {
a61b7f2f DO	253	OSSL_CRMF_POPOSIGNINGKEYINPUT *poposkInput;
	254	X509_ALGOR *algorithmIdentifier;
	255	ASN1_BIT_STRING *signature;
	256	} /* OSSL_CRMF_POPOSIGNINGKEY */;
	257	DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_POPOSIGNINGKEY)
	258
	259	/*-
	260	* ProofOfPossession ::= CHOICE {
	261	* raVerified [0] NULL,
	262	* -- used if the RA has already verified that the requester is in
	263	* -- possession of the private key
	264	* signature [1] POPOSigningKey,
	265	* keyEncipherment [2] POPOPrivKey,
	266	* keyAgreement [3] POPOPrivKey
	267	* }
	268	*/
7960dbec	269	typedef struct ossl_crmf_popo_st {
a61b7f2f DO	270	int type;
	271	union {
	272	ASN1_NULL raVerified; / 0 */
	273	OSSL_CRMF_POPOSIGNINGKEY signature; / 1 */
	274	OSSL_CRMF_POPOPRIVKEY keyEncipherment; / 2 */
	275	OSSL_CRMF_POPOPRIVKEY keyAgreement; / 3 */
	276	} value;
	277	} OSSL_CRMF_POPO;
	278	DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_POPO)
	279
	280	/*-
	281	* OptionalValidity ::= SEQUENCE {
	282	* notBefore [0] Time OPTIONAL,
	283	* notAfter [1] Time OPTIONAL -- at least one MUST be present
	284	* }
	285	*/
7960dbec	286	struct ossl_crmf_optionalvalidity_st {
a61b7f2f DO	287	/* 0 / ASN1_TIME notBefore;
	288	/* 1 / ASN1_TIME notAfter;
	289	} /* OSSL_CRMF_OPTIONALVALIDITY */;
	290	DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_OPTIONALVALIDITY)
	291
	292	/*-
	293	* CertTemplate ::= SEQUENCE {
	294	* version [0] Version OPTIONAL,
	295	* serialNumber [1] INTEGER OPTIONAL,
	296	* signingAlg [2] AlgorithmIdentifier OPTIONAL,
	297	* issuer [3] Name OPTIONAL,
	298	* validity [4] OptionalValidity OPTIONAL,
	299	* subject [5] Name OPTIONAL,
	300	* publicKey [6] SubjectPublicKeyInfo OPTIONAL,
	301	* issuerUID [7] UniqueIdentifier OPTIONAL,
	302	* subjectUID [8] UniqueIdentifier OPTIONAL,
	303	* extensions [9] Extensions OPTIONAL
	304	* }
	305	*/
7960dbec	306	struct ossl_crmf_certtemplate_st {
235595c4 DDO	307	ASN1_INTEGER *version;
	308	ASN1_INTEGER serialNumber; / serialNumber MUST be omitted */
	309	/* This field is assigned by the CA during certificate creation */
	310	X509_ALGOR signingAlg; / signingAlg MUST be omitted */
	311	/* This field is assigned by the CA during certificate creation */
8cc86b81	312	const X509_NAME *issuer;
235595c4	313	OSSL_CRMF_OPTIONALVALIDITY *validity;
8cc86b81	314	const X509_NAME *subject;
235595c4 DDO	315	X509_PUBKEY *publicKey;
	316	ASN1_BIT_STRING issuerUID; / deprecated in version 2 */
	317	/* According to rfc 3280: UniqueIdentifier ::= BIT STRING */
	318	ASN1_BIT_STRING subjectUID; / deprecated in version 2 */
	319	/* Could be X509_EXTENSIONS, but that's only cosmetic */
	320	STACK_OF(X509_EXTENSION) *extensions;
a61b7f2f DO	321	} /* OSSL_CRMF_CERTTEMPLATE */;
	322
	323	/*-
	324	* CertRequest ::= SEQUENCE {
	325	* certReqId INTEGER, -- ID for matching request and reply
	326	* certTemplate CertTemplate, -- Selected fields of cert to be issued
	327	* controls Controls OPTIONAL -- Attributes affecting issuance
	328	* }
	329	*/
7960dbec	330	struct ossl_crmf_certrequest_st {
a61b7f2f DO	331	ASN1_INTEGER *certReqId;
a61b7f2f DO	332	OSSL_CRMF_CERTTEMPLATE *certTemplate;
084d3afd	333	STACK_OF(OSSL_CRMF_ATTRIBUTETYPEANDVALUE /* Controls expanded /) controls;
a61b7f2f DO	334	} /* OSSL_CRMF_CERTREQUEST */;
	335	DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_CERTREQUEST)
	336	DECLARE_ASN1_DUP_FUNCTION(OSSL_CRMF_CERTREQUEST)
	337
7960dbec	338	struct ossl_crmf_attributetypeandvalue_st {
a61b7f2f DO	339	ASN1_OBJECT *type;
	340	union {
	341	/* NID_id_regCtrl_regToken */
	342	ASN1_UTF8STRING *regToken;
	343
	344	/* NID_id_regCtrl_authenticator */
	345	ASN1_UTF8STRING *authenticator;
	346
	347	/* NID_id_regCtrl_pkiPublicationInfo */
	348	OSSL_CRMF_PKIPUBLICATIONINFO *pkiPublicationInfo;
	349
	350	/* NID_id_regCtrl_oldCertID */
	351	OSSL_CRMF_CERTID *oldCertID;
	352
	353	/* NID_id_regCtrl_protocolEncrKey */
	354	X509_PUBKEY *protocolEncrKey;
	355
	356	/* NID_id_regInfo_utf8Pairs */
	357	ASN1_UTF8STRING *utf8Pairs;
	358
	359	/* NID_id_regInfo_certReq */
	360	OSSL_CRMF_CERTREQUEST *certReq;
	361
	362	ASN1_TYPE *other;
	363	} value;
	364	} /* OSSL_CRMF_ATTRIBUTETYPEANDVALUE */;
	365	DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_ATTRIBUTETYPEANDVALUE)
	366	DEFINE_STACK_OF(OSSL_CRMF_ATTRIBUTETYPEANDVALUE)
	367	DECLARE_ASN1_DUP_FUNCTION(OSSL_CRMF_ATTRIBUTETYPEANDVALUE)
	368
	369	/*-
	370	* CertReqMessages ::= SEQUENCE SIZE (1..MAX) OF CertReqMsg
	371	* CertReqMsg ::= SEQUENCE {
	372	* certReq CertRequest,
	373	* popo ProofOfPossession OPTIONAL,
	374	* -- content depends upon key type
	375	* regInfo SEQUENCE SIZE(1..MAX) OF AttributeTypeAndValue OPTIONAL
	376	* }
	377	*/
7960dbec	378	struct ossl_crmf_msg_st {
a61b7f2f DO	379	OSSL_CRMF_CERTREQUEST *certReq;
	380	/* 0 */
	381	OSSL_CRMF_POPO *popo;
	382	/* 1 */
	383	STACK_OF(OSSL_CRMF_ATTRIBUTETYPEANDVALUE) *regInfo;
	384	} /* OSSL_CRMF_MSG */;
a61b7f2f	385	#endif