]>
Commit | Line | Data |
---|---|---|
a61b7f2f | 1 | /*- |
38fc02a7 | 2 | * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved. |
8869ad4a AK |
3 | * Copyright Nokia 2007-2019 |
4 | * Copyright Siemens AG 2015-2019 | |
a61b7f2f | 5 | * |
ce9b9964 | 6 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
a61b7f2f DO |
7 | * this file except in compliance with the License. You can obtain a copy |
8 | * in the file LICENSE in the source distribution or at | |
9 | * https://www.openssl.org/source/license.html | |
10 | * | |
11 | * CRMF implementation by Martin Peylo, Miikka Viljanen, and David von Oheimb. | |
12 | */ | |
13 | ||
ae4186b0 DMSP |
14 | #ifndef OSSL_CRYPTO_CRMF_LOCAL_H |
15 | # define OSSL_CRYPTO_CRMF_LOCAL_H | |
a61b7f2f DO |
16 | |
17 | # include <openssl/crmf.h> | |
18 | # include <openssl/err.h> | |
19 | ||
20 | /* explicit #includes not strictly needed since implied by the above: */ | |
50cd4768 | 21 | # include <openssl/types.h> |
a61b7f2f DO |
22 | # include <openssl/safestack.h> |
23 | # include <openssl/x509.h> | |
24 | # include <openssl/x509v3.h> | |
25 | ||
26 | /*- | |
27 | * EncryptedValue ::= SEQUENCE { | |
28 | * intendedAlg [0] AlgorithmIdentifier OPTIONAL, | |
29 | * -- the intended algorithm for which the value will be used | |
30 | * symmAlg [1] AlgorithmIdentifier OPTIONAL, | |
31 | * -- the symmetric algorithm used to encrypt the value | |
32 | * encSymmKey [2] BIT STRING OPTIONAL, | |
33 | * -- the (encrypted) symmetric key used to encrypt the value | |
34 | * keyAlg [3] AlgorithmIdentifier OPTIONAL, | |
35 | * -- algorithm used to encrypt the symmetric key | |
36 | * valueHint [4] OCTET STRING OPTIONAL, | |
37 | * -- a brief description or identifier of the encValue content | |
38 | * -- (may be meaningful only to the sending entity, and | |
39 | * -- used only if EncryptedValue might be re-examined | |
40 | * -- by the sending entity in the future) | |
41 | * encValue BIT STRING | |
42 | * -- the encrypted value itself | |
43 | * } | |
44 | */ | |
7960dbec | 45 | struct ossl_crmf_encryptedvalue_st { |
a61b7f2f DO |
46 | X509_ALGOR *intendedAlg; /* 0 */ |
47 | X509_ALGOR *symmAlg; /* 1 */ | |
48 | ASN1_BIT_STRING *encSymmKey; /* 2 */ | |
49 | X509_ALGOR *keyAlg; /* 3 */ | |
50 | ASN1_OCTET_STRING *valueHint; /* 4 */ | |
51 | ASN1_BIT_STRING *encValue; | |
52 | } /* OSSL_CRMF_ENCRYPTEDVALUE */; | |
53 | ||
54 | /*- | |
55 | * Attributes ::= SET OF Attribute | |
56 | * => X509_ATTRIBUTE | |
57 | * | |
58 | * PrivateKeyInfo ::= SEQUENCE { | |
59 | * version INTEGER, | |
60 | * privateKeyAlgorithm AlgorithmIdentifier, | |
61 | * privateKey OCTET STRING, | |
62 | * attributes [0] IMPLICIT Attributes OPTIONAL | |
63 | * } | |
64 | */ | |
7960dbec | 65 | typedef struct ossl_crmf_privatekeyinfo_st { |
a61b7f2f DO |
66 | ASN1_INTEGER *version; |
67 | X509_ALGOR *privateKeyAlgorithm; | |
68 | ASN1_OCTET_STRING *privateKey; | |
69 | STACK_OF(X509_ATTRIBUTE) *attributes; /* [ 0 ] */ | |
70 | } OSSL_CRMF_PRIVATEKEYINFO; | |
71 | DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_PRIVATEKEYINFO) | |
72 | ||
73 | /*- | |
74 | * section 4.2.1 Private Key Info Content Type | |
75 | * id-ct-encKeyWithID OBJECT IDENTIFIER ::= {id-ct 21} | |
76 | * | |
77 | * EncKeyWithID ::= SEQUENCE { | |
78 | * privateKey PrivateKeyInfo, | |
79 | * identifier CHOICE { | |
80 | * string UTF8String, | |
81 | * generalName GeneralName | |
82 | * } OPTIONAL | |
83 | * } | |
84 | */ | |
7960dbec | 85 | typedef struct ossl_crmf_enckeywithid_identifier_st { |
a61b7f2f DO |
86 | int type; |
87 | union { | |
88 | ASN1_UTF8STRING *string; | |
89 | GENERAL_NAME *generalName; | |
90 | } value; | |
91 | } OSSL_CRMF_ENCKEYWITHID_IDENTIFIER; | |
92 | DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_ENCKEYWITHID_IDENTIFIER) | |
93 | ||
7960dbec | 94 | typedef struct ossl_crmf_enckeywithid_st { |
a61b7f2f DO |
95 | OSSL_CRMF_PRIVATEKEYINFO *privateKey; |
96 | /* [0] */ | |
97 | OSSL_CRMF_ENCKEYWITHID_IDENTIFIER *identifier; | |
98 | } OSSL_CRMF_ENCKEYWITHID; | |
99 | DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_ENCKEYWITHID) | |
100 | ||
101 | /*- | |
102 | * CertId ::= SEQUENCE { | |
103 | * issuer GeneralName, | |
104 | * serialNumber INTEGER | |
105 | * } | |
106 | */ | |
7960dbec | 107 | struct ossl_crmf_certid_st { |
a61b7f2f DO |
108 | GENERAL_NAME *issuer; |
109 | ASN1_INTEGER *serialNumber; | |
110 | } /* OSSL_CRMF_CERTID */; | |
a61b7f2f DO |
111 | |
112 | /*- | |
113 | * SinglePubInfo ::= SEQUENCE { | |
114 | * pubMethod INTEGER { | |
115 | * dontCare (0), | |
116 | * x500 (1), | |
117 | * web (2), | |
118 | * ldap (3) }, | |
119 | * pubLocation GeneralName OPTIONAL | |
120 | * } | |
121 | */ | |
7960dbec | 122 | struct ossl_crmf_singlepubinfo_st { |
a61b7f2f DO |
123 | ASN1_INTEGER *pubMethod; |
124 | GENERAL_NAME *pubLocation; | |
125 | } /* OSSL_CRMF_SINGLEPUBINFO */; | |
126 | DEFINE_STACK_OF(OSSL_CRMF_SINGLEPUBINFO) | |
127 | typedef STACK_OF(OSSL_CRMF_SINGLEPUBINFO) OSSL_CRMF_PUBINFOS; | |
128 | ||
a61b7f2f DO |
129 | /*- |
130 | * PKIPublicationInfo ::= SEQUENCE { | |
131 | * action INTEGER { | |
132 | * dontPublish (0), | |
133 | * pleasePublish (1) }, | |
134 | * pubInfos SEQUENCE SIZE (1..MAX) OF SinglePubInfo OPTIONAL | |
135 | * -- pubInfos MUST NOT be present if action is "dontPublish" | |
136 | * -- (if action is "pleasePublish" and pubInfos is omitted, | |
137 | * -- "dontCare" is assumed) | |
138 | * } | |
139 | */ | |
7960dbec | 140 | struct ossl_crmf_pkipublicationinfo_st { |
a61b7f2f DO |
141 | ASN1_INTEGER *action; |
142 | OSSL_CRMF_PUBINFOS *pubInfos; | |
143 | } /* OSSL_CRMF_PKIPUBLICATIONINFO */; | |
144 | DECLARE_ASN1_DUP_FUNCTION(OSSL_CRMF_PKIPUBLICATIONINFO) | |
145 | ||
146 | /*- | |
147 | * PKMACValue ::= SEQUENCE { | |
148 | * algId AlgorithmIdentifier, | |
149 | * -- algorithm value shall be PasswordBasedMac {1 2 840 113533 7 66 13} | |
150 | * -- parameter value is PBMParameter | |
151 | * value BIT STRING | |
152 | * } | |
153 | */ | |
7960dbec | 154 | typedef struct ossl_crmf_pkmacvalue_st { |
a61b7f2f DO |
155 | X509_ALGOR *algId; |
156 | ASN1_BIT_STRING *value; | |
157 | } OSSL_CRMF_PKMACVALUE; | |
158 | DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_PKMACVALUE) | |
159 | ||
160 | /*- | |
161 | * SubsequentMessage ::= INTEGER { | |
162 | * encrCert (0), | |
163 | * -- requests that resulting certificate be encrypted for the | |
164 | * -- end entity (following which, POP will be proven in a | |
165 | * -- confirmation message) | |
166 | * challengeResp (1) | |
167 | * -- requests that CA engage in challenge-response exchange with | |
168 | * -- end entity in order to prove private key possession | |
169 | * } | |
170 | * | |
171 | * POPOPrivKey ::= CHOICE { | |
172 | * thisMessage [0] BIT STRING, -- Deprecated | |
173 | * -- possession is proven in this message (which contains the private | |
174 | * -- key itself (encrypted for the CA)) | |
175 | * subsequentMessage [1] SubsequentMessage, | |
176 | * -- possession will be proven in a subsequent message | |
177 | * dhMAC [2] BIT STRING, -- Deprecated | |
178 | * agreeMAC [3] PKMACValue, | |
179 | * encryptedKey [4] EnvelopedData | |
180 | * } | |
181 | */ | |
182 | ||
7960dbec | 183 | typedef struct ossl_crmf_popoprivkey_st { |
a61b7f2f DO |
184 | int type; |
185 | union { | |
235595c4 | 186 | ASN1_BIT_STRING *thisMessage; /* 0 */ /* Deprecated */ |
a61b7f2f | 187 | ASN1_INTEGER *subsequentMessage; /* 1 */ |
235595c4 | 188 | ASN1_BIT_STRING *dhMAC; /* 2 */ /* Deprecated */ |
a61b7f2f | 189 | OSSL_CRMF_PKMACVALUE *agreeMAC; /* 3 */ |
a61b7f2f | 190 | ASN1_NULL *encryptedKey; /* 4 */ |
084d3afd | 191 | /* When supported, ASN1_NULL needs to be replaced by CMS_ENVELOPEDDATA */ |
a61b7f2f DO |
192 | } value; |
193 | } OSSL_CRMF_POPOPRIVKEY; | |
194 | DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_POPOPRIVKEY) | |
195 | ||
196 | /*- | |
197 | * PBMParameter ::= SEQUENCE { | |
198 | * salt OCTET STRING, | |
199 | * owf AlgorithmIdentifier, | |
200 | * -- AlgId for a One-Way Function (SHA-1 recommended) | |
201 | * iterationCount INTEGER, | |
202 | * -- number of times the OWF is applied | |
203 | * mac AlgorithmIdentifier | |
204 | * -- the MAC AlgId (e.g., DES-MAC, Triple-DES-MAC [PKCS11], | |
205 | * -- or HMAC [HMAC, RFC2202]) | |
206 | * } | |
207 | */ | |
7960dbec | 208 | struct ossl_crmf_pbmparameter_st { |
a61b7f2f DO |
209 | ASN1_OCTET_STRING *salt; |
210 | X509_ALGOR *owf; | |
211 | ASN1_INTEGER *iterationCount; | |
212 | X509_ALGOR *mac; | |
213 | } /* OSSL_CRMF_PBMPARAMETER */; | |
3dbc5156 | 214 | # define OSSL_CRMF_PBM_MAX_ITERATION_COUNT 100000 /* if too large allows DoS */ |
a61b7f2f DO |
215 | |
216 | /*- | |
217 | * POPOSigningKeyInput ::= SEQUENCE { | |
218 | * authInfo CHOICE { | |
219 | * sender [0] GeneralName, | |
220 | * -- used only if an authenticated identity has been | |
221 | * -- established for the sender (e.g., a DN from a | |
222 | * -- previously-issued and currently-valid certificate) | |
223 | * publicKeyMAC PKMACValue }, | |
224 | * -- used if no authenticated GeneralName currently exists for | |
225 | * -- the sender; publicKeyMAC contains a password-based MAC | |
226 | * -- on the DER-encoded value of publicKey | |
227 | * publicKey SubjectPublicKeyInfo -- from CertTemplate | |
228 | * } | |
3dbc5156 | 229 | */ |
7960dbec | 230 | typedef struct ossl_crmf_poposigningkeyinput_authinfo_st { |
a61b7f2f DO |
231 | int type; |
232 | union { | |
233 | /* 0 */ GENERAL_NAME *sender; | |
234 | /* 1 */ OSSL_CRMF_PKMACVALUE *publicKeyMAC; | |
235 | } value; | |
236 | } OSSL_CRMF_POPOSIGNINGKEYINPUT_AUTHINFO; | |
237 | DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_POPOSIGNINGKEYINPUT_AUTHINFO) | |
238 | ||
7960dbec | 239 | typedef struct ossl_crmf_poposigningkeyinput_st { |
a61b7f2f DO |
240 | OSSL_CRMF_POPOSIGNINGKEYINPUT_AUTHINFO *authInfo; |
241 | X509_PUBKEY *publicKey; | |
242 | } OSSL_CRMF_POPOSIGNINGKEYINPUT; | |
243 | DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_POPOSIGNINGKEYINPUT) | |
244 | ||
245 | /*- | |
246 | * POPOSigningKey ::= SEQUENCE { | |
247 | * poposkInput [0] POPOSigningKeyInput OPTIONAL, | |
248 | * algorithmIdentifier AlgorithmIdentifier, | |
249 | * signature BIT STRING | |
250 | * } | |
251 | */ | |
7960dbec | 252 | struct ossl_crmf_poposigningkey_st { |
a61b7f2f DO |
253 | OSSL_CRMF_POPOSIGNINGKEYINPUT *poposkInput; |
254 | X509_ALGOR *algorithmIdentifier; | |
255 | ASN1_BIT_STRING *signature; | |
256 | } /* OSSL_CRMF_POPOSIGNINGKEY */; | |
257 | DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_POPOSIGNINGKEY) | |
258 | ||
259 | /*- | |
260 | * ProofOfPossession ::= CHOICE { | |
261 | * raVerified [0] NULL, | |
262 | * -- used if the RA has already verified that the requester is in | |
263 | * -- possession of the private key | |
264 | * signature [1] POPOSigningKey, | |
265 | * keyEncipherment [2] POPOPrivKey, | |
266 | * keyAgreement [3] POPOPrivKey | |
267 | * } | |
268 | */ | |
7960dbec | 269 | typedef struct ossl_crmf_popo_st { |
a61b7f2f DO |
270 | int type; |
271 | union { | |
272 | ASN1_NULL *raVerified; /* 0 */ | |
273 | OSSL_CRMF_POPOSIGNINGKEY *signature; /* 1 */ | |
274 | OSSL_CRMF_POPOPRIVKEY *keyEncipherment; /* 2 */ | |
275 | OSSL_CRMF_POPOPRIVKEY *keyAgreement; /* 3 */ | |
276 | } value; | |
277 | } OSSL_CRMF_POPO; | |
278 | DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_POPO) | |
279 | ||
280 | /*- | |
281 | * OptionalValidity ::= SEQUENCE { | |
282 | * notBefore [0] Time OPTIONAL, | |
283 | * notAfter [1] Time OPTIONAL -- at least one MUST be present | |
284 | * } | |
285 | */ | |
7960dbec | 286 | struct ossl_crmf_optionalvalidity_st { |
a61b7f2f DO |
287 | /* 0 */ ASN1_TIME *notBefore; |
288 | /* 1 */ ASN1_TIME *notAfter; | |
289 | } /* OSSL_CRMF_OPTIONALVALIDITY */; | |
290 | DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_OPTIONALVALIDITY) | |
291 | ||
292 | /*- | |
293 | * CertTemplate ::= SEQUENCE { | |
294 | * version [0] Version OPTIONAL, | |
295 | * serialNumber [1] INTEGER OPTIONAL, | |
296 | * signingAlg [2] AlgorithmIdentifier OPTIONAL, | |
297 | * issuer [3] Name OPTIONAL, | |
298 | * validity [4] OptionalValidity OPTIONAL, | |
299 | * subject [5] Name OPTIONAL, | |
300 | * publicKey [6] SubjectPublicKeyInfo OPTIONAL, | |
301 | * issuerUID [7] UniqueIdentifier OPTIONAL, | |
302 | * subjectUID [8] UniqueIdentifier OPTIONAL, | |
303 | * extensions [9] Extensions OPTIONAL | |
304 | * } | |
305 | */ | |
7960dbec | 306 | struct ossl_crmf_certtemplate_st { |
235595c4 DDO |
307 | ASN1_INTEGER *version; |
308 | ASN1_INTEGER *serialNumber; /* serialNumber MUST be omitted */ | |
309 | /* This field is assigned by the CA during certificate creation */ | |
310 | X509_ALGOR *signingAlg; /* signingAlg MUST be omitted */ | |
311 | /* This field is assigned by the CA during certificate creation */ | |
8cc86b81 | 312 | const X509_NAME *issuer; |
235595c4 | 313 | OSSL_CRMF_OPTIONALVALIDITY *validity; |
8cc86b81 | 314 | const X509_NAME *subject; |
235595c4 DDO |
315 | X509_PUBKEY *publicKey; |
316 | ASN1_BIT_STRING *issuerUID; /* deprecated in version 2 */ | |
317 | /* According to rfc 3280: UniqueIdentifier ::= BIT STRING */ | |
318 | ASN1_BIT_STRING *subjectUID; /* deprecated in version 2 */ | |
319 | /* Could be X509_EXTENSION*S*, but that's only cosmetic */ | |
320 | STACK_OF(X509_EXTENSION) *extensions; | |
a61b7f2f DO |
321 | } /* OSSL_CRMF_CERTTEMPLATE */; |
322 | ||
323 | /*- | |
324 | * CertRequest ::= SEQUENCE { | |
325 | * certReqId INTEGER, -- ID for matching request and reply | |
326 | * certTemplate CertTemplate, -- Selected fields of cert to be issued | |
327 | * controls Controls OPTIONAL -- Attributes affecting issuance | |
328 | * } | |
329 | */ | |
7960dbec | 330 | struct ossl_crmf_certrequest_st { |
a61b7f2f DO |
331 | ASN1_INTEGER *certReqId; |
332 | OSSL_CRMF_CERTTEMPLATE *certTemplate; | |
084d3afd | 333 | STACK_OF(OSSL_CRMF_ATTRIBUTETYPEANDVALUE /* Controls expanded */) *controls; |
a61b7f2f DO |
334 | } /* OSSL_CRMF_CERTREQUEST */; |
335 | DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_CERTREQUEST) | |
336 | DECLARE_ASN1_DUP_FUNCTION(OSSL_CRMF_CERTREQUEST) | |
337 | ||
7960dbec | 338 | struct ossl_crmf_attributetypeandvalue_st { |
a61b7f2f DO |
339 | ASN1_OBJECT *type; |
340 | union { | |
341 | /* NID_id_regCtrl_regToken */ | |
342 | ASN1_UTF8STRING *regToken; | |
343 | ||
344 | /* NID_id_regCtrl_authenticator */ | |
345 | ASN1_UTF8STRING *authenticator; | |
346 | ||
347 | /* NID_id_regCtrl_pkiPublicationInfo */ | |
348 | OSSL_CRMF_PKIPUBLICATIONINFO *pkiPublicationInfo; | |
349 | ||
350 | /* NID_id_regCtrl_oldCertID */ | |
351 | OSSL_CRMF_CERTID *oldCertID; | |
352 | ||
353 | /* NID_id_regCtrl_protocolEncrKey */ | |
354 | X509_PUBKEY *protocolEncrKey; | |
355 | ||
356 | /* NID_id_regInfo_utf8Pairs */ | |
357 | ASN1_UTF8STRING *utf8Pairs; | |
358 | ||
359 | /* NID_id_regInfo_certReq */ | |
360 | OSSL_CRMF_CERTREQUEST *certReq; | |
361 | ||
362 | ASN1_TYPE *other; | |
363 | } value; | |
364 | } /* OSSL_CRMF_ATTRIBUTETYPEANDVALUE */; | |
365 | DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_ATTRIBUTETYPEANDVALUE) | |
366 | DEFINE_STACK_OF(OSSL_CRMF_ATTRIBUTETYPEANDVALUE) | |
367 | DECLARE_ASN1_DUP_FUNCTION(OSSL_CRMF_ATTRIBUTETYPEANDVALUE) | |
368 | ||
369 | /*- | |
370 | * CertReqMessages ::= SEQUENCE SIZE (1..MAX) OF CertReqMsg | |
371 | * CertReqMsg ::= SEQUENCE { | |
372 | * certReq CertRequest, | |
373 | * popo ProofOfPossession OPTIONAL, | |
374 | * -- content depends upon key type | |
375 | * regInfo SEQUENCE SIZE(1..MAX) OF AttributeTypeAndValue OPTIONAL | |
376 | * } | |
377 | */ | |
7960dbec | 378 | struct ossl_crmf_msg_st { |
a61b7f2f DO |
379 | OSSL_CRMF_CERTREQUEST *certReq; |
380 | /* 0 */ | |
381 | OSSL_CRMF_POPO *popo; | |
382 | /* 1 */ | |
383 | STACK_OF(OSSL_CRMF_ATTRIBUTETYPEANDVALUE) *regInfo; | |
384 | } /* OSSL_CRMF_MSG */; | |
a61b7f2f | 385 | #endif |