/src/openssl30/crypto/crmf/crmf_local.h
Line | Count | Source |
1 | | /*- |
2 | | * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved. |
3 | | * Copyright Nokia 2007-2019 |
4 | | * Copyright Siemens AG 2015-2019 |
5 | | * |
6 | | * Licensed under the Apache License 2.0 (the "License"). You may not use |
7 | | * this file except in compliance with the License. You can obtain a copy |
8 | | * in the file LICENSE in the source distribution or at |
9 | | * https://www.openssl.org/source/license.html |
10 | | * |
11 | | * CRMF implementation by Martin Peylo, Miikka Viljanen, and David von Oheimb. |
12 | | */ |
13 | | |
14 | | #ifndef OSSL_CRYPTO_CRMF_LOCAL_H |
15 | | # define OSSL_CRYPTO_CRMF_LOCAL_H |
16 | | |
17 | | # include <openssl/crmf.h> |
18 | | # include <openssl/err.h> |
19 | | |
20 | | /* explicit #includes not strictly needed since implied by the above: */ |
21 | | # include <openssl/types.h> |
22 | | # include <openssl/safestack.h> |
23 | | # include <openssl/x509.h> |
24 | | # include <openssl/x509v3.h> |
25 | | |
26 | | /*- |
27 | | * EncryptedValue ::= SEQUENCE { |
28 | | * intendedAlg [0] AlgorithmIdentifier OPTIONAL, |
29 | | * -- the intended algorithm for which the value will be used |
30 | | * symmAlg [1] AlgorithmIdentifier OPTIONAL, |
31 | | * -- the symmetric algorithm used to encrypt the value |
32 | | * encSymmKey [2] BIT STRING OPTIONAL, |
33 | | * -- the (encrypted) symmetric key used to encrypt the value |
34 | | * keyAlg [3] AlgorithmIdentifier OPTIONAL, |
35 | | * -- algorithm used to encrypt the symmetric key |
36 | | * valueHint [4] OCTET STRING OPTIONAL, |
37 | | * -- a brief description or identifier of the encValue content |
38 | | * -- (may be meaningful only to the sending entity, and |
39 | | * -- used only if EncryptedValue might be re-examined |
40 | | * -- by the sending entity in the future) |
41 | | * encValue BIT STRING |
42 | | * -- the encrypted value itself |
43 | | * } |
44 | | */ |
45 | | struct ossl_crmf_encryptedvalue_st { |
46 | | X509_ALGOR *intendedAlg; /* 0 */ |
47 | | X509_ALGOR *symmAlg; /* 1 */ |
48 | | ASN1_BIT_STRING *encSymmKey; /* 2 */ |
49 | | X509_ALGOR *keyAlg; /* 3 */ |
50 | | ASN1_OCTET_STRING *valueHint; /* 4 */ |
51 | | ASN1_BIT_STRING *encValue; |
52 | | } /* OSSL_CRMF_ENCRYPTEDVALUE */; |
53 | | |
54 | | /*- |
55 | | * Attributes ::= SET OF Attribute |
56 | | * => X509_ATTRIBUTE |
57 | | * |
58 | | * PrivateKeyInfo ::= SEQUENCE { |
59 | | * version INTEGER, |
60 | | * privateKeyAlgorithm AlgorithmIdentifier, |
61 | | * privateKey OCTET STRING, |
62 | | * attributes [0] IMPLICIT Attributes OPTIONAL |
63 | | * } |
64 | | */ |
65 | | typedef struct ossl_crmf_privatekeyinfo_st { |
66 | | ASN1_INTEGER *version; |
67 | | X509_ALGOR *privateKeyAlgorithm; |
68 | | ASN1_OCTET_STRING *privateKey; |
69 | | STACK_OF(X509_ATTRIBUTE) *attributes; /* [ 0 ] */ |
70 | | } OSSL_CRMF_PRIVATEKEYINFO; |
71 | | DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_PRIVATEKEYINFO) |
72 | | |
73 | | /*- |
74 | | * section 4.2.1 Private Key Info Content Type |
75 | | * id-ct-encKeyWithID OBJECT IDENTIFIER ::= {id-ct 21} |
76 | | * |
77 | | * EncKeyWithID ::= SEQUENCE { |
78 | | * privateKey PrivateKeyInfo, |
79 | | * identifier CHOICE { |
80 | | * string UTF8String, |
81 | | * generalName GeneralName |
82 | | * } OPTIONAL |
83 | | * } |
84 | | */ |
85 | | typedef struct ossl_crmf_enckeywithid_identifier_st { |
86 | | int type; |
87 | | union { |
88 | | ASN1_UTF8STRING *string; |
89 | | GENERAL_NAME *generalName; |
90 | | } value; |
91 | | } OSSL_CRMF_ENCKEYWITHID_IDENTIFIER; |
92 | | DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_ENCKEYWITHID_IDENTIFIER) |
93 | | |
94 | | typedef struct ossl_crmf_enckeywithid_st { |
95 | | OSSL_CRMF_PRIVATEKEYINFO *privateKey; |
96 | | /* [0] */ |
97 | | OSSL_CRMF_ENCKEYWITHID_IDENTIFIER *identifier; |
98 | | } OSSL_CRMF_ENCKEYWITHID; |
99 | | DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_ENCKEYWITHID) |
100 | | |
101 | | /*- |
102 | | * CertId ::= SEQUENCE { |
103 | | * issuer GeneralName, |
104 | | * serialNumber INTEGER |
105 | | * } |
106 | | */ |
107 | | struct ossl_crmf_certid_st { |
108 | | GENERAL_NAME *issuer; |
109 | | ASN1_INTEGER *serialNumber; |
110 | | } /* OSSL_CRMF_CERTID */; |
111 | | |
112 | | /*- |
113 | | * SinglePubInfo ::= SEQUENCE { |
114 | | * pubMethod INTEGER { |
115 | | * dontCare (0), |
116 | | * x500 (1), |
117 | | * web (2), |
118 | | * ldap (3) }, |
119 | | * pubLocation GeneralName OPTIONAL |
120 | | * } |
121 | | */ |
122 | | struct ossl_crmf_singlepubinfo_st { |
123 | | ASN1_INTEGER *pubMethod; |
124 | | GENERAL_NAME *pubLocation; |
125 | | } /* OSSL_CRMF_SINGLEPUBINFO */; |
126 | | DEFINE_STACK_OF(OSSL_CRMF_SINGLEPUBINFO) |
127 | | typedef STACK_OF(OSSL_CRMF_SINGLEPUBINFO) OSSL_CRMF_PUBINFOS; |
128 | | |
129 | | |
130 | | /*- |
131 | | * PKIPublicationInfo ::= SEQUENCE { |
132 | | * action INTEGER { |
133 | | * dontPublish (0), |
134 | | * pleasePublish (1) }, |
135 | | * pubInfos SEQUENCE SIZE (1..MAX) OF SinglePubInfo OPTIONAL |
136 | | * -- pubInfos MUST NOT be present if action is "dontPublish" |
137 | | * -- (if action is "pleasePublish" and pubInfos is omitted, |
138 | | * -- "dontCare" is assumed) |
139 | | * } |
140 | | */ |
141 | | struct ossl_crmf_pkipublicationinfo_st { |
142 | | ASN1_INTEGER *action; |
143 | | OSSL_CRMF_PUBINFOS *pubInfos; |
144 | | } /* OSSL_CRMF_PKIPUBLICATIONINFO */; |
145 | | DECLARE_ASN1_DUP_FUNCTION(OSSL_CRMF_PKIPUBLICATIONINFO) |
146 | | |
147 | | /*- |
148 | | * PKMACValue ::= SEQUENCE { |
149 | | * algId AlgorithmIdentifier, |
150 | | * -- algorithm value shall be PasswordBasedMac {1 2 840 113533 7 66 13} |
151 | | * -- parameter value is PBMParameter |
152 | | * value BIT STRING |
153 | | * } |
154 | | */ |
155 | | typedef struct ossl_crmf_pkmacvalue_st { |
156 | | X509_ALGOR *algId; |
157 | | ASN1_BIT_STRING *value; |
158 | | } OSSL_CRMF_PKMACVALUE; |
159 | | DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_PKMACVALUE) |
160 | | |
161 | | /*- |
162 | | * SubsequentMessage ::= INTEGER { |
163 | | * encrCert (0), |
164 | | * -- requests that resulting certificate be encrypted for the |
165 | | * -- end entity (following which, POP will be proven in a |
166 | | * -- confirmation message) |
167 | | * challengeResp (1) |
168 | | * -- requests that CA engage in challenge-response exchange with |
169 | | * -- end entity in order to prove private key possession |
170 | | * } |
171 | | * |
172 | | * POPOPrivKey ::= CHOICE { |
173 | | * thisMessage [0] BIT STRING, -- Deprecated |
174 | | * -- possession is proven in this message (which contains the private |
175 | | * -- key itself (encrypted for the CA)) |
176 | | * subsequentMessage [1] SubsequentMessage, |
177 | | * -- possession will be proven in a subsequent message |
178 | | * dhMAC [2] BIT STRING, -- Deprecated |
179 | | * agreeMAC [3] PKMACValue, |
180 | | * encryptedKey [4] EnvelopedData |
181 | | * } |
182 | | */ |
183 | | |
184 | | typedef struct ossl_crmf_popoprivkey_st { |
185 | | int type; |
186 | | union { |
187 | | ASN1_BIT_STRING *thisMessage; /* 0 */ /* Deprecated */ |
188 | | ASN1_INTEGER *subsequentMessage; /* 1 */ |
189 | | ASN1_BIT_STRING *dhMAC; /* 2 */ /* Deprecated */ |
190 | | OSSL_CRMF_PKMACVALUE *agreeMAC; /* 3 */ |
191 | | ASN1_NULL *encryptedKey; /* 4 */ |
192 | | } value; |
193 | | } OSSL_CRMF_POPOPRIVKEY; |
194 | | DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_POPOPRIVKEY) |
195 | | |
196 | | /*- |
197 | | * PBMParameter ::= SEQUENCE { |
198 | | * salt OCTET STRING, |
199 | | * owf AlgorithmIdentifier, |
200 | | * -- AlgId for a One-Way Function (SHA-1 recommended) |
201 | | * iterationCount INTEGER, |
202 | | * -- number of times the OWF is applied |
203 | | * mac AlgorithmIdentifier |
204 | | * -- the MAC AlgId (e.g., DES-MAC, Triple-DES-MAC [PKCS11], |
205 | | * -- or HMAC [HMAC, RFC2202]) |
206 | | * } |
207 | | */ |
208 | | struct ossl_crmf_pbmparameter_st { |
209 | | ASN1_OCTET_STRING *salt; |
210 | | X509_ALGOR *owf; |
211 | | ASN1_INTEGER *iterationCount; |
212 | | X509_ALGOR *mac; |
213 | | } /* OSSL_CRMF_PBMPARAMETER */; |
214 | 156 | # define OSSL_CRMF_PBM_MAX_ITERATION_COUNT 100000 /* if too large allows DoS */ |
215 | | |
216 | | /*- |
217 | | * POPOSigningKeyInput ::= SEQUENCE { |
218 | | * authInfo CHOICE { |
219 | | * sender [0] GeneralName, |
220 | | * -- used only if an authenticated identity has been |
221 | | * -- established for the sender (e.g., a DN from a |
222 | | * -- previously-issued and currently-valid certificate) |
223 | | * publicKeyMAC PKMACValue }, |
224 | | * -- used if no authenticated GeneralName currently exists for |
225 | | * -- the sender; publicKeyMAC contains a password-based MAC |
226 | | * -- on the DER-encoded value of publicKey |
227 | | * publicKey SubjectPublicKeyInfo -- from CertTemplate |
228 | | * } |
229 | | */ |
230 | | typedef struct ossl_crmf_poposigningkeyinput_authinfo_st { |
231 | | int type; |
232 | | union { |
233 | | /* 0 */ GENERAL_NAME *sender; |
234 | | /* 1 */ OSSL_CRMF_PKMACVALUE *publicKeyMAC; |
235 | | } value; |
236 | | } OSSL_CRMF_POPOSIGNINGKEYINPUT_AUTHINFO; |
237 | | DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_POPOSIGNINGKEYINPUT_AUTHINFO) |
238 | | |
239 | | typedef struct ossl_crmf_poposigningkeyinput_st { |
240 | | OSSL_CRMF_POPOSIGNINGKEYINPUT_AUTHINFO *authInfo; |
241 | | X509_PUBKEY *publicKey; |
242 | | } OSSL_CRMF_POPOSIGNINGKEYINPUT; |
243 | | DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_POPOSIGNINGKEYINPUT) |
244 | | |
245 | | /*- |
246 | | * POPOSigningKey ::= SEQUENCE { |
247 | | * poposkInput [0] POPOSigningKeyInput OPTIONAL, |
248 | | * algorithmIdentifier AlgorithmIdentifier, |
249 | | * signature BIT STRING |
250 | | * } |
251 | | */ |
252 | | struct ossl_crmf_poposigningkey_st { |
253 | | OSSL_CRMF_POPOSIGNINGKEYINPUT *poposkInput; |
254 | | X509_ALGOR *algorithmIdentifier; |
255 | | ASN1_BIT_STRING *signature; |
256 | | } /* OSSL_CRMF_POPOSIGNINGKEY */; |
257 | | DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_POPOSIGNINGKEY) |
258 | | |
259 | | /*- |
260 | | * ProofOfPossession ::= CHOICE { |
261 | | * raVerified [0] NULL, |
262 | | * -- used if the RA has already verified that the requester is in |
263 | | * -- possession of the private key |
264 | | * signature [1] POPOSigningKey, |
265 | | * keyEncipherment [2] POPOPrivKey, |
266 | | * keyAgreement [3] POPOPrivKey |
267 | | * } |
268 | | */ |
269 | | typedef struct ossl_crmf_popo_st { |
270 | | int type; |
271 | | union { |
272 | | ASN1_NULL *raVerified; /* 0 */ |
273 | | OSSL_CRMF_POPOSIGNINGKEY *signature; /* 1 */ |
274 | | OSSL_CRMF_POPOPRIVKEY *keyEncipherment; /* 2 */ |
275 | | OSSL_CRMF_POPOPRIVKEY *keyAgreement; /* 3 */ |
276 | | } value; |
277 | | } OSSL_CRMF_POPO; |
278 | | DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_POPO) |
279 | | |
280 | | /*- |
281 | | * OptionalValidity ::= SEQUENCE { |
282 | | * notBefore [0] Time OPTIONAL, |
283 | | * notAfter [1] Time OPTIONAL -- at least one MUST be present |
284 | | * } |
285 | | */ |
286 | | struct ossl_crmf_optionalvalidity_st { |
287 | | /* 0 */ ASN1_TIME *notBefore; |
288 | | /* 1 */ ASN1_TIME *notAfter; |
289 | | } /* OSSL_CRMF_OPTIONALVALIDITY */; |
290 | | DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_OPTIONALVALIDITY) |
291 | | |
292 | | /*- |
293 | | * CertTemplate ::= SEQUENCE { |
294 | | * version [0] Version OPTIONAL, |
295 | | * serialNumber [1] INTEGER OPTIONAL, |
296 | | * signingAlg [2] AlgorithmIdentifier OPTIONAL, |
297 | | * issuer [3] Name OPTIONAL, |
298 | | * validity [4] OptionalValidity OPTIONAL, |
299 | | * subject [5] Name OPTIONAL, |
300 | | * publicKey [6] SubjectPublicKeyInfo OPTIONAL, |
301 | | * issuerUID [7] UniqueIdentifier OPTIONAL, |
302 | | * subjectUID [8] UniqueIdentifier OPTIONAL, |
303 | | * extensions [9] Extensions OPTIONAL |
304 | | * } |
305 | | */ |
306 | | struct ossl_crmf_certtemplate_st { |
307 | | ASN1_INTEGER *version; |
308 | | ASN1_INTEGER *serialNumber; /* serialNumber MUST be omitted */ |
309 | | /* This field is assigned by the CA during certificate creation */ |
310 | | X509_ALGOR *signingAlg; /* signingAlg MUST be omitted */ |
311 | | /* This field is assigned by the CA during certificate creation */ |
312 | | const X509_NAME *issuer; |
313 | | OSSL_CRMF_OPTIONALVALIDITY *validity; |
314 | | const X509_NAME *subject; |
315 | | X509_PUBKEY *publicKey; |
316 | | ASN1_BIT_STRING *issuerUID; /* deprecated in version 2 */ |
317 | | /* According to rfc 3280: UniqueIdentifier ::= BIT STRING */ |
318 | | ASN1_BIT_STRING *subjectUID; /* deprecated in version 2 */ |
319 | | /* Could be X509_EXTENSION*S*, but that's only cosmetic */ |
320 | | STACK_OF(X509_EXTENSION) *extensions; |
321 | | } /* OSSL_CRMF_CERTTEMPLATE */; |
322 | | |
323 | | /*- |
324 | | * CertRequest ::= SEQUENCE { |
325 | | * certReqId INTEGER, -- ID for matching request and reply |
326 | | * certTemplate CertTemplate, -- Selected fields of cert to be issued |
327 | | * controls Controls OPTIONAL -- Attributes affecting issuance |
328 | | * } |
329 | | */ |
330 | | struct ossl_crmf_certrequest_st { |
331 | | ASN1_INTEGER *certReqId; |
332 | | OSSL_CRMF_CERTTEMPLATE *certTemplate; |
333 | | STACK_OF(OSSL_CRMF_ATTRIBUTETYPEANDVALUE) *controls; |
334 | | } /* OSSL_CRMF_CERTREQUEST */; |
335 | | DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_CERTREQUEST) |
336 | | DECLARE_ASN1_DUP_FUNCTION(OSSL_CRMF_CERTREQUEST) |
337 | | |
338 | | struct ossl_crmf_attributetypeandvalue_st { |
339 | | ASN1_OBJECT *type; |
340 | | union { |
341 | | /* NID_id_regCtrl_regToken */ |
342 | | ASN1_UTF8STRING *regToken; |
343 | | |
344 | | /* NID_id_regCtrl_authenticator */ |
345 | | ASN1_UTF8STRING *authenticator; |
346 | | |
347 | | /* NID_id_regCtrl_pkiPublicationInfo */ |
348 | | OSSL_CRMF_PKIPUBLICATIONINFO *pkiPublicationInfo; |
349 | | |
350 | | /* NID_id_regCtrl_oldCertID */ |
351 | | OSSL_CRMF_CERTID *oldCertID; |
352 | | |
353 | | /* NID_id_regCtrl_protocolEncrKey */ |
354 | | X509_PUBKEY *protocolEncrKey; |
355 | | |
356 | | /* NID_id_regInfo_utf8Pairs */ |
357 | | ASN1_UTF8STRING *utf8Pairs; |
358 | | |
359 | | /* NID_id_regInfo_certReq */ |
360 | | OSSL_CRMF_CERTREQUEST *certReq; |
361 | | |
362 | | ASN1_TYPE *other; |
363 | | } value; |
364 | | } /* OSSL_CRMF_ATTRIBUTETYPEANDVALUE */; |
365 | | DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_ATTRIBUTETYPEANDVALUE) |
366 | | DEFINE_STACK_OF(OSSL_CRMF_ATTRIBUTETYPEANDVALUE) |
367 | | DECLARE_ASN1_DUP_FUNCTION(OSSL_CRMF_ATTRIBUTETYPEANDVALUE) |
368 | | |
369 | | /*- |
370 | | * CertReqMessages ::= SEQUENCE SIZE (1..MAX) OF CertReqMsg |
371 | | * CertReqMsg ::= SEQUENCE { |
372 | | * certReq CertRequest, |
373 | | * popo ProofOfPossession OPTIONAL, |
374 | | * -- content depends upon key type |
375 | | * regInfo SEQUENCE SIZE(1..MAX) OF AttributeTypeAndValue OPTIONAL |
376 | | * } |
377 | | */ |
378 | | struct ossl_crmf_msg_st { |
379 | | OSSL_CRMF_CERTREQUEST *certReq; |
380 | | /* 0 */ |
381 | | OSSL_CRMF_POPO *popo; |
382 | | /* 1 */ |
383 | | STACK_OF(OSSL_CRMF_ATTRIBUTETYPEANDVALUE) *regInfo; |
384 | | } /* OSSL_CRMF_MSG */; |
385 | | #endif |