Coverage Report

Created: 2023-06-08 06:41

/src/openssl30/crypto/crmf/crmf_local.h
Line
Count
Source
1
/*-
2
 * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved.
3
 * Copyright Nokia 2007-2019
4
 * Copyright Siemens AG 2015-2019
5
 *
6
 * Licensed under the Apache License 2.0 (the "License").  You may not use
7
 * this file except in compliance with the License.  You can obtain a copy
8
 * in the file LICENSE in the source distribution or at
9
 * https://www.openssl.org/source/license.html
10
 *
11
 * CRMF implementation by Martin Peylo, Miikka Viljanen, and David von Oheimb.
12
 */
13
14
#ifndef OSSL_CRYPTO_CRMF_LOCAL_H
15
# define OSSL_CRYPTO_CRMF_LOCAL_H
16
17
# include <openssl/crmf.h>
18
# include <openssl/err.h>
19
20
/* explicit #includes not strictly needed since implied by the above: */
21
# include <openssl/types.h>
22
# include <openssl/safestack.h>
23
# include <openssl/x509.h>
24
# include <openssl/x509v3.h>
25
26
/*-
27
 * EncryptedValue ::= SEQUENCE {
28
 * intendedAlg   [0] AlgorithmIdentifier  OPTIONAL,
29
 *                  -- the intended algorithm for which the value will be used
30
 * symmAlg       [1] AlgorithmIdentifier  OPTIONAL,
31
 *                  -- the symmetric algorithm used to encrypt the value
32
 * encSymmKey    [2] BIT STRING           OPTIONAL,
33
 *                  -- the (encrypted) symmetric key used to encrypt the value
34
 * keyAlg        [3] AlgorithmIdentifier  OPTIONAL,
35
 *                  -- algorithm used to encrypt the symmetric key
36
 * valueHint     [4] OCTET STRING         OPTIONAL,
37
 *                  -- a brief description or identifier of the encValue content
38
 *                  -- (may be meaningful only to the sending entity, and
39
 *                  --  used only if EncryptedValue might be re-examined
40
 *                  --  by the sending entity in the future)
41
 * encValue      BIT STRING
42
 *                  -- the encrypted value itself
43
 * }
44
 */
45
struct ossl_crmf_encryptedvalue_st {
46
    X509_ALGOR *intendedAlg;      /* 0 */
47
    X509_ALGOR *symmAlg;          /* 1 */
48
    ASN1_BIT_STRING *encSymmKey;  /* 2 */
49
    X509_ALGOR *keyAlg;           /* 3 */
50
    ASN1_OCTET_STRING *valueHint; /* 4 */
51
    ASN1_BIT_STRING *encValue;
52
} /* OSSL_CRMF_ENCRYPTEDVALUE */;
53
54
/*-
55
 *  Attributes ::= SET OF Attribute
56
 *  => X509_ATTRIBUTE
57
 *
58
 *  PrivateKeyInfo ::= SEQUENCE {
59
 *     version                       INTEGER,
60
 *     privateKeyAlgorithm           AlgorithmIdentifier,
61
 *     privateKey                    OCTET STRING,
62
 *     attributes                    [0] IMPLICIT Attributes OPTIONAL
63
 *  }
64
 */
65
typedef struct ossl_crmf_privatekeyinfo_st {
66
    ASN1_INTEGER *version;
67
    X509_ALGOR *privateKeyAlgorithm;
68
    ASN1_OCTET_STRING *privateKey;
69
    STACK_OF(X509_ATTRIBUTE) *attributes; /* [ 0 ] */
70
} OSSL_CRMF_PRIVATEKEYINFO;
71
DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_PRIVATEKEYINFO)
72
73
/*-
74
 * section 4.2.1 Private Key Info Content Type
75
 * id-ct-encKeyWithID OBJECT IDENTIFIER ::= {id-ct 21}
76
 *
77
 * EncKeyWithID ::= SEQUENCE {
78
 * privateKey     PrivateKeyInfo,
79
 * identifier     CHOICE {
80
 *                      string         UTF8String,
81
 *                      generalName    GeneralName
82
 *                } OPTIONAL
83
 * }
84
 */
85
typedef struct ossl_crmf_enckeywithid_identifier_st {
86
    int type;
87
    union {
88
        ASN1_UTF8STRING *string;
89
        GENERAL_NAME *generalName;
90
    } value;
91
} OSSL_CRMF_ENCKEYWITHID_IDENTIFIER;
92
DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_ENCKEYWITHID_IDENTIFIER)
93
94
typedef struct ossl_crmf_enckeywithid_st {
95
    OSSL_CRMF_PRIVATEKEYINFO *privateKey;
96
    /* [0] */
97
    OSSL_CRMF_ENCKEYWITHID_IDENTIFIER *identifier;
98
} OSSL_CRMF_ENCKEYWITHID;
99
DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_ENCKEYWITHID)
100
101
/*-
102
 * CertId ::= SEQUENCE {
103
 *      issuer           GeneralName,
104
 *      serialNumber     INTEGER
105
 * }
106
 */
107
struct ossl_crmf_certid_st {
108
    GENERAL_NAME *issuer;
109
    ASN1_INTEGER *serialNumber;
110
} /* OSSL_CRMF_CERTID */;
111
112
/*-
113
 * SinglePubInfo ::= SEQUENCE {
114
 *  pubMethod        INTEGER {
115
 *      dontCare        (0),
116
 *      x500            (1),
117
 *      web             (2),
118
 *      ldap            (3) },
119
 *  pubLocation  GeneralName OPTIONAL
120
 * }
121
 */
122
struct ossl_crmf_singlepubinfo_st {
123
    ASN1_INTEGER *pubMethod;
124
    GENERAL_NAME *pubLocation;
125
} /* OSSL_CRMF_SINGLEPUBINFO */;
126
DEFINE_STACK_OF(OSSL_CRMF_SINGLEPUBINFO)
127
typedef STACK_OF(OSSL_CRMF_SINGLEPUBINFO) OSSL_CRMF_PUBINFOS;
128
129
130
/*-
131
 * PKIPublicationInfo ::= SEQUENCE {
132
 *      action     INTEGER {
133
 *                   dontPublish (0),
134
 *                   pleasePublish (1) },
135
 *      pubInfos   SEQUENCE SIZE (1..MAX) OF SinglePubInfo OPTIONAL
136
 *      -- pubInfos MUST NOT be present if action is "dontPublish"
137
 *      -- (if action is "pleasePublish" and pubInfos is omitted,
138
 *      -- "dontCare" is assumed)
139
 * }
140
 */
141
struct ossl_crmf_pkipublicationinfo_st {
142
    ASN1_INTEGER *action;
143
    OSSL_CRMF_PUBINFOS *pubInfos;
144
} /* OSSL_CRMF_PKIPUBLICATIONINFO */;
145
DECLARE_ASN1_DUP_FUNCTION(OSSL_CRMF_PKIPUBLICATIONINFO)
146
147
/*-
148
 * PKMACValue ::= SEQUENCE {
149
 * algId  AlgorithmIdentifier,
150
 * -- algorithm value shall be PasswordBasedMac {1 2 840 113533 7 66 13}
151
 * -- parameter value is PBMParameter
152
 * value  BIT STRING
153
 * }
154
 */
155
typedef struct ossl_crmf_pkmacvalue_st {
156
    X509_ALGOR *algId;
157
    ASN1_BIT_STRING *value;
158
} OSSL_CRMF_PKMACVALUE;
159
DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_PKMACVALUE)
160
161
/*-
162
 * SubsequentMessage ::= INTEGER {
163
 * encrCert (0),
164
 * -- requests that resulting certificate be encrypted for the
165
 * -- end entity (following which, POP will be proven in a
166
 * -- confirmation message)
167
 * challengeResp (1)
168
 * -- requests that CA engage in challenge-response exchange with
169
 * -- end entity in order to prove private key possession
170
 * }
171
 *
172
 * POPOPrivKey ::= CHOICE {
173
 * thisMessage       [0] BIT STRING,                 -- Deprecated
174
 * -- possession is proven in this message (which contains the private
175
 * -- key itself (encrypted for the CA))
176
 * subsequentMessage [1] SubsequentMessage,
177
 * -- possession will be proven in a subsequent message
178
 * dhMAC             [2] BIT STRING,                 -- Deprecated
179
 * agreeMAC          [3] PKMACValue,
180
 * encryptedKey      [4] EnvelopedData
181
 * }
182
 */
183
184
typedef struct ossl_crmf_popoprivkey_st {
185
    int type;
186
    union {
187
        ASN1_BIT_STRING *thisMessage; /* 0 */ /* Deprecated */
188
        ASN1_INTEGER *subsequentMessage; /* 1 */
189
        ASN1_BIT_STRING *dhMAC; /* 2 */ /* Deprecated */
190
        OSSL_CRMF_PKMACVALUE *agreeMAC; /* 3 */
191
        ASN1_NULL *encryptedKey; /* 4 */
192
    } value;
193
} OSSL_CRMF_POPOPRIVKEY;
194
DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_POPOPRIVKEY)
195
196
/*-
197
 * PBMParameter ::= SEQUENCE {
198
 *    salt                    OCTET STRING,
199
 *    owf                     AlgorithmIdentifier,
200
 *    -- AlgId for a One-Way Function (SHA-1 recommended)
201
 *    iterationCount          INTEGER,
202
 *    -- number of times the OWF is applied
203
 *    mac                     AlgorithmIdentifier
204
 *    -- the MAC AlgId (e.g., DES-MAC, Triple-DES-MAC [PKCS11],
205
 *    -- or HMAC [HMAC, RFC2202])
206
 * }
207
 */
208
struct ossl_crmf_pbmparameter_st {
209
    ASN1_OCTET_STRING *salt;
210
    X509_ALGOR *owf;
211
    ASN1_INTEGER *iterationCount;
212
    X509_ALGOR *mac;
213
} /* OSSL_CRMF_PBMPARAMETER */;
214
156
# define OSSL_CRMF_PBM_MAX_ITERATION_COUNT 100000 /* if too large allows DoS */
215
216
/*-
217
 * POPOSigningKeyInput ::= SEQUENCE {
218
 * authInfo       CHOICE {
219
 *     sender                 [0] GeneralName,
220
 *   -- used only if an authenticated identity has been
221
 *   -- established for the sender (e.g., a DN from a
222
 *   -- previously-issued and currently-valid certificate)
223
 *     publicKeyMAC           PKMACValue },
224
 *   -- used if no authenticated GeneralName currently exists for
225
 *   -- the sender; publicKeyMAC contains a password-based MAC
226
 *   -- on the DER-encoded value of publicKey
227
 * publicKey      SubjectPublicKeyInfo  -- from CertTemplate
228
 * }
229
 */
230
typedef struct ossl_crmf_poposigningkeyinput_authinfo_st {
231
    int type;
232
    union {
233
        /* 0 */ GENERAL_NAME *sender;
234
        /* 1 */ OSSL_CRMF_PKMACVALUE *publicKeyMAC;
235
    } value;
236
} OSSL_CRMF_POPOSIGNINGKEYINPUT_AUTHINFO;
237
DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_POPOSIGNINGKEYINPUT_AUTHINFO)
238
239
typedef struct ossl_crmf_poposigningkeyinput_st {
240
    OSSL_CRMF_POPOSIGNINGKEYINPUT_AUTHINFO *authInfo;
241
    X509_PUBKEY *publicKey;
242
} OSSL_CRMF_POPOSIGNINGKEYINPUT;
243
DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_POPOSIGNINGKEYINPUT)
244
245
/*-
246
 * POPOSigningKey ::= SEQUENCE {
247
 *  poposkInput           [0] POPOSigningKeyInput OPTIONAL,
248
 *  algorithmIdentifier   AlgorithmIdentifier,
249
 *  signature             BIT STRING
250
 * }
251
 */
252
struct ossl_crmf_poposigningkey_st {
253
    OSSL_CRMF_POPOSIGNINGKEYINPUT *poposkInput;
254
    X509_ALGOR *algorithmIdentifier;
255
    ASN1_BIT_STRING *signature;
256
} /* OSSL_CRMF_POPOSIGNINGKEY */;
257
DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_POPOSIGNINGKEY)
258
259
/*-
260
 * ProofOfPossession ::= CHOICE {
261
 *  raVerified        [0] NULL,
262
 *  -- used if the RA has already verified that the requester is in
263
 *  -- possession of the private key
264
 *  signature         [1] POPOSigningKey,
265
 *  keyEncipherment   [2] POPOPrivKey,
266
 *  keyAgreement      [3] POPOPrivKey
267
 * }
268
 */
269
typedef struct ossl_crmf_popo_st {
270
    int type;
271
    union {
272
        ASN1_NULL *raVerified; /* 0 */
273
        OSSL_CRMF_POPOSIGNINGKEY *signature; /* 1 */
274
        OSSL_CRMF_POPOPRIVKEY *keyEncipherment; /* 2 */
275
        OSSL_CRMF_POPOPRIVKEY *keyAgreement; /* 3 */
276
    } value;
277
} OSSL_CRMF_POPO;
278
DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_POPO)
279
280
/*-
281
 * OptionalValidity ::= SEQUENCE {
282
 *  notBefore      [0] Time OPTIONAL,
283
 *  notAfter       [1] Time OPTIONAL  -- at least one MUST be present
284
 * }
285
 */
286
struct ossl_crmf_optionalvalidity_st {
287
    /* 0 */ ASN1_TIME *notBefore;
288
    /* 1 */ ASN1_TIME *notAfter;
289
} /* OSSL_CRMF_OPTIONALVALIDITY */;
290
DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_OPTIONALVALIDITY)
291
292
/*-
293
 * CertTemplate ::= SEQUENCE {
294
 * version          [0] Version                   OPTIONAL,
295
 * serialNumber     [1] INTEGER                   OPTIONAL,
296
 * signingAlg       [2] AlgorithmIdentifier       OPTIONAL,
297
 * issuer           [3] Name                      OPTIONAL,
298
 * validity         [4] OptionalValidity          OPTIONAL,
299
 * subject          [5] Name                      OPTIONAL,
300
 * publicKey        [6] SubjectPublicKeyInfo      OPTIONAL,
301
 * issuerUID        [7] UniqueIdentifier          OPTIONAL,
302
 * subjectUID       [8] UniqueIdentifier          OPTIONAL,
303
 * extensions       [9] Extensions                OPTIONAL
304
 * }
305
 */
306
struct ossl_crmf_certtemplate_st {
307
    ASN1_INTEGER *version;
308
    ASN1_INTEGER *serialNumber; /* serialNumber MUST be omitted */
309
    /* This field is assigned by the CA during certificate creation */
310
    X509_ALGOR *signingAlg; /* signingAlg MUST be omitted */
311
    /* This field is assigned by the CA during certificate creation */
312
    const X509_NAME *issuer;
313
    OSSL_CRMF_OPTIONALVALIDITY *validity;
314
    const X509_NAME *subject;
315
    X509_PUBKEY *publicKey;
316
    ASN1_BIT_STRING *issuerUID; /* deprecated in version 2 */
317
    /* According to rfc 3280: UniqueIdentifier ::= BIT STRING */
318
    ASN1_BIT_STRING *subjectUID; /* deprecated in version 2 */
319
    /* Could be X509_EXTENSION*S*, but that's only cosmetic */
320
    STACK_OF(X509_EXTENSION) *extensions;
321
} /* OSSL_CRMF_CERTTEMPLATE */;
322
323
/*-
324
 * CertRequest ::= SEQUENCE {
325
 *  certReqId        INTEGER,          -- ID for matching request and reply
326
 *  certTemplate     CertTemplate,     -- Selected fields of cert to be issued
327
 *  controls         Controls OPTIONAL -- Attributes affecting issuance
328
 * }
329
 */
330
struct ossl_crmf_certrequest_st {
331
    ASN1_INTEGER *certReqId;
332
    OSSL_CRMF_CERTTEMPLATE *certTemplate;
333
    STACK_OF(OSSL_CRMF_ATTRIBUTETYPEANDVALUE) *controls;
334
} /* OSSL_CRMF_CERTREQUEST */;
335
DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_CERTREQUEST)
336
DECLARE_ASN1_DUP_FUNCTION(OSSL_CRMF_CERTREQUEST)
337
338
struct ossl_crmf_attributetypeandvalue_st {
339
    ASN1_OBJECT *type;
340
    union {
341
        /* NID_id_regCtrl_regToken */
342
        ASN1_UTF8STRING *regToken;
343
344
        /* NID_id_regCtrl_authenticator */
345
        ASN1_UTF8STRING *authenticator;
346
347
        /* NID_id_regCtrl_pkiPublicationInfo */
348
        OSSL_CRMF_PKIPUBLICATIONINFO *pkiPublicationInfo;
349
350
        /* NID_id_regCtrl_oldCertID */
351
        OSSL_CRMF_CERTID *oldCertID;
352
353
        /* NID_id_regCtrl_protocolEncrKey */
354
        X509_PUBKEY *protocolEncrKey;
355
356
        /* NID_id_regInfo_utf8Pairs */
357
        ASN1_UTF8STRING *utf8Pairs;
358
359
        /* NID_id_regInfo_certReq */
360
        OSSL_CRMF_CERTREQUEST *certReq;
361
362
        ASN1_TYPE *other;
363
    } value;
364
} /* OSSL_CRMF_ATTRIBUTETYPEANDVALUE */;
365
DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_ATTRIBUTETYPEANDVALUE)
366
DEFINE_STACK_OF(OSSL_CRMF_ATTRIBUTETYPEANDVALUE)
367
DECLARE_ASN1_DUP_FUNCTION(OSSL_CRMF_ATTRIBUTETYPEANDVALUE)
368
369
/*-
370
 * CertReqMessages ::= SEQUENCE SIZE (1..MAX) OF CertReqMsg
371
 * CertReqMsg ::= SEQUENCE {
372
 *  certReq        CertRequest,
373
 *  popo           ProofOfPossession  OPTIONAL,
374
 * -- content depends upon key type
375
 *  regInfo   SEQUENCE SIZE(1..MAX) OF AttributeTypeAndValue OPTIONAL
376
 * }
377
 */
378
struct ossl_crmf_msg_st {
379
    OSSL_CRMF_CERTREQUEST *certReq;
380
    /* 0 */
381
    OSSL_CRMF_POPO *popo;
382
    /* 1 */
383
    STACK_OF(OSSL_CRMF_ATTRIBUTETYPEANDVALUE) *regInfo;
384
} /* OSSL_CRMF_MSG */;
385
#endif