| 1 | /*- |
|---|---|
| 2 | * Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved. |
| 3 | * Copyright Nokia 2007-2019 |
| 4 | * Copyright Siemens AG 2015-2019 |
| 5 | * |
| 6 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
| 7 | * this file except in compliance with the License. You can obtain a copy |
| 8 | * in the file LICENSE in the source distribution or at |
| 9 | * https://www.openssl.org/source/license.html |
| 10 | * |
| 11 | * CRMF implementation by Martin Peylo, Miikka Viljanen, and David von Oheimb. |
| 12 | */ |
| 13 | |
| 14 | #ifndef OSSL_CRYPTO_CRMF_LOCAL_H |
| 15 | # define OSSL_CRYPTO_CRMF_LOCAL_H |
| 16 | |
| 17 | # include <openssl/crmf.h> |
| 18 | # include <openssl/err.h> |
| 19 | |
| 20 | /* explicit #includes not strictly needed since implied by the above: */ |
| 21 | # include <openssl/types.h> |
| 22 | # include <openssl/safestack.h> |
| 23 | # include <openssl/x509.h> |
| 24 | # include <openssl/x509v3.h> |
| 25 | |
| 26 | /*- |
| 27 | * EncryptedValue ::= SEQUENCE { |
| 28 | * intendedAlg [0] AlgorithmIdentifier OPTIONAL, |
| 29 | * -- the intended algorithm for which the value will be used |
| 30 | * symmAlg [1] AlgorithmIdentifier OPTIONAL, |
| 31 | * -- the symmetric algorithm used to encrypt the value |
| 32 | * encSymmKey [2] BIT STRING OPTIONAL, |
| 33 | * -- the (encrypted) symmetric key used to encrypt the value |
| 34 | * keyAlg [3] AlgorithmIdentifier OPTIONAL, |
| 35 | * -- algorithm used to encrypt the symmetric key |
| 36 | * valueHint [4] OCTET STRING OPTIONAL, |
| 37 | * -- a brief description or identifier of the encValue content |
| 38 | * -- (may be meaningful only to the sending entity, and |
| 39 | * -- used only if EncryptedValue might be re-examined |
| 40 | * -- by the sending entity in the future) |
| 41 | * encValue BIT STRING |
| 42 | * -- the encrypted value itself |
| 43 | * } |
| 44 | */ |
| 45 | struct ossl_crmf_encryptedvalue_st { |
| 46 | X509_ALGOR *intendedAlg; /* 0 */ |
| 47 | X509_ALGOR *symmAlg; /* 1 */ |
| 48 | ASN1_BIT_STRING *encSymmKey; /* 2 */ |
| 49 | X509_ALGOR *keyAlg; /* 3 */ |
| 50 | ASN1_OCTET_STRING *valueHint; /* 4 */ |
| 51 | ASN1_BIT_STRING *encValue; |
| 52 | } /* OSSL_CRMF_ENCRYPTEDVALUE */; |
| 53 | |
| 54 | /*- |
| 55 | * Attributes ::= SET OF Attribute |
| 56 | * => X509_ATTRIBUTE |
| 57 | * |
| 58 | * PrivateKeyInfo ::= SEQUENCE { |
| 59 | * version INTEGER, |
| 60 | * privateKeyAlgorithm AlgorithmIdentifier, |
| 61 | * privateKey OCTET STRING, |
| 62 | * attributes [0] IMPLICIT Attributes OPTIONAL |
| 63 | * } |
| 64 | */ |
| 65 | typedef struct ossl_crmf_privatekeyinfo_st { |
| 66 | ASN1_INTEGER *version; |
| 67 | X509_ALGOR *privateKeyAlgorithm; |
| 68 | ASN1_OCTET_STRING *privateKey; |
| 69 | STACK_OF(X509_ATTRIBUTE) *attributes; /* [ 0 ] */ |
| 70 | } OSSL_CRMF_PRIVATEKEYINFO; |
| 71 | DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_PRIVATEKEYINFO) |
| 72 | |
| 73 | /*- |
| 74 | * section 4.2.1 Private Key Info Content Type |
| 75 | * id-ct-encKeyWithID OBJECT IDENTIFIER ::= {id-ct 21} |
| 76 | * |
| 77 | * EncKeyWithID ::= SEQUENCE { |
| 78 | * privateKey PrivateKeyInfo, |
| 79 | * identifier CHOICE { |
| 80 | * string UTF8String, |
| 81 | * generalName GeneralName |
| 82 | * } OPTIONAL |
| 83 | * } |
| 84 | */ |
| 85 | typedef struct ossl_crmf_enckeywithid_identifier_st { |
| 86 | int type; |
| 87 | union { |
| 88 | ASN1_UTF8STRING *string; |
| 89 | GENERAL_NAME *generalName; |
| 90 | } value; |
| 91 | } OSSL_CRMF_ENCKEYWITHID_IDENTIFIER; |
| 92 | DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_ENCKEYWITHID_IDENTIFIER) |
| 93 | |
| 94 | typedef struct ossl_crmf_enckeywithid_st { |
| 95 | OSSL_CRMF_PRIVATEKEYINFO *privateKey; |
| 96 | /* [0] */ |
| 97 | OSSL_CRMF_ENCKEYWITHID_IDENTIFIER *identifier; |
| 98 | } OSSL_CRMF_ENCKEYWITHID; |
| 99 | DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_ENCKEYWITHID) |
| 100 | |
| 101 | /*- |
| 102 | * CertId ::= SEQUENCE { |
| 103 | * issuer GeneralName, |
| 104 | * serialNumber INTEGER |
| 105 | * } |
| 106 | */ |
| 107 | struct ossl_crmf_certid_st { |
| 108 | GENERAL_NAME *issuer; |
| 109 | ASN1_INTEGER *serialNumber; |
| 110 | } /* OSSL_CRMF_CERTID */; |
| 111 | DECLARE_ASN1_DUP_FUNCTION(OSSL_CRMF_CERTID) |
| 112 | |
| 113 | /*- |
| 114 | * SinglePubInfo ::= SEQUENCE { |
| 115 | * pubMethod INTEGER { |
| 116 | * dontCare (0), |
| 117 | * x500 (1), |
| 118 | * web (2), |
| 119 | * ldap (3) }, |
| 120 | * pubLocation GeneralName OPTIONAL |
| 121 | * } |
| 122 | */ |
| 123 | struct ossl_crmf_singlepubinfo_st { |
| 124 | ASN1_INTEGER *pubMethod; |
| 125 | GENERAL_NAME *pubLocation; |
| 126 | } /* OSSL_CRMF_SINGLEPUBINFO */; |
| 127 | DEFINE_STACK_OF(OSSL_CRMF_SINGLEPUBINFO) |
| 128 | typedef STACK_OF(OSSL_CRMF_SINGLEPUBINFO) OSSL_CRMF_PUBINFOS; |
| 129 | |
| 130 | |
| 131 | /*- |
| 132 | * PKIPublicationInfo ::= SEQUENCE { |
| 133 | * action INTEGER { |
| 134 | * dontPublish (0), |
| 135 | * pleasePublish (1) }, |
| 136 | * pubInfos SEQUENCE SIZE (1..MAX) OF SinglePubInfo OPTIONAL |
| 137 | * -- pubInfos MUST NOT be present if action is "dontPublish" |
| 138 | * -- (if action is "pleasePublish" and pubInfos is omitted, |
| 139 | * -- "dontCare" is assumed) |
| 140 | * } |
| 141 | */ |
| 142 | struct ossl_crmf_pkipublicationinfo_st { |
| 143 | ASN1_INTEGER *action; |
| 144 | OSSL_CRMF_PUBINFOS *pubInfos; |
| 145 | } /* OSSL_CRMF_PKIPUBLICATIONINFO */; |
| 146 | DECLARE_ASN1_DUP_FUNCTION(OSSL_CRMF_PKIPUBLICATIONINFO) |
| 147 | |
| 148 | /*- |
| 149 | * PKMACValue ::= SEQUENCE { |
| 150 | * algId AlgorithmIdentifier, |
| 151 | * -- algorithm value shall be PasswordBasedMac {1 2 840 113533 7 66 13} |
| 152 | * -- parameter value is PBMParameter |
| 153 | * value BIT STRING |
| 154 | * } |
| 155 | */ |
| 156 | typedef struct ossl_crmf_pkmacvalue_st { |
| 157 | X509_ALGOR *algId; |
| 158 | ASN1_BIT_STRING *value; |
| 159 | } OSSL_CRMF_PKMACVALUE; |
| 160 | DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_PKMACVALUE) |
| 161 | |
| 162 | /*- |
| 163 | * SubsequentMessage ::= INTEGER { |
| 164 | * encrCert (0), |
| 165 | * -- requests that resulting certificate be encrypted for the |
| 166 | * -- end entity (following which, POP will be proven in a |
| 167 | * -- confirmation message) |
| 168 | * challengeResp (1) |
| 169 | * -- requests that CA engage in challenge-response exchange with |
| 170 | * -- end entity in order to prove private key possession |
| 171 | * } |
| 172 | * |
| 173 | * POPOPrivKey ::= CHOICE { |
| 174 | * thisMessage [0] BIT STRING, -- Deprecated |
| 175 | * -- possession is proven in this message (which contains the private |
| 176 | * -- key itself (encrypted for the CA)) |
| 177 | * subsequentMessage [1] SubsequentMessage, |
| 178 | * -- possession will be proven in a subsequent message |
| 179 | * dhMAC [2] BIT STRING, -- Deprecated |
| 180 | * agreeMAC [3] PKMACValue, |
| 181 | * encryptedKey [4] EnvelopedData |
| 182 | * } |
| 183 | */ |
| 184 | |
| 185 | typedef struct ossl_crmf_popoprivkey_st { |
| 186 | int type; |
| 187 | union { |
| 188 | ASN1_BIT_STRING *thisMessage; /* 0 */ /* Deprecated */ |
| 189 | ASN1_INTEGER *subsequentMessage; /* 1 */ |
| 190 | ASN1_BIT_STRING *dhMAC; /* 2 */ /* Deprecated */ |
| 191 | OSSL_CRMF_PKMACVALUE *agreeMAC; /* 3 */ |
| 192 | /* |
| 193 | * TODO: This is not ASN1_NULL but CMS_ENVELOPEDDATA which should be |
| 194 | * somehow taken from crypto/cms which exists now |
| 195 | * - this is not used anywhere so far |
| 196 | */ |
| 197 | ASN1_NULL *encryptedKey; /* 4 */ |
| 198 | } value; |
| 199 | } OSSL_CRMF_POPOPRIVKEY; |
| 200 | DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_POPOPRIVKEY) |
| 201 | |
| 202 | /*- |
| 203 | * PBMParameter ::= SEQUENCE { |
| 204 | * salt OCTET STRING, |
| 205 | * owf AlgorithmIdentifier, |
| 206 | * -- AlgId for a One-Way Function (SHA-1 recommended) |
| 207 | * iterationCount INTEGER, |
| 208 | * -- number of times the OWF is applied |
| 209 | * mac AlgorithmIdentifier |
| 210 | * -- the MAC AlgId (e.g., DES-MAC, Triple-DES-MAC [PKCS11], |
| 211 | * -- or HMAC [HMAC, RFC2202]) |
| 212 | * } |
| 213 | */ |
| 214 | struct ossl_crmf_pbmparameter_st { |
| 215 | ASN1_OCTET_STRING *salt; |
| 216 | X509_ALGOR *owf; |
| 217 | ASN1_INTEGER *iterationCount; |
| 218 | X509_ALGOR *mac; |
| 219 | } /* OSSL_CRMF_PBMPARAMETER */; |
| 220 | # define OSSL_CRMF_PBM_MAX_ITERATION_COUNT 100000 /* if too large allows DoS */ |
| 221 | |
| 222 | /*- |
| 223 | * POPOSigningKeyInput ::= SEQUENCE { |
| 224 | * authInfo CHOICE { |
| 225 | * sender [0] GeneralName, |
| 226 | * -- used only if an authenticated identity has been |
| 227 | * -- established for the sender (e.g., a DN from a |
| 228 | * -- previously-issued and currently-valid certificate) |
| 229 | * publicKeyMAC PKMACValue }, |
| 230 | * -- used if no authenticated GeneralName currently exists for |
| 231 | * -- the sender; publicKeyMAC contains a password-based MAC |
| 232 | * -- on the DER-encoded value of publicKey |
| 233 | * publicKey SubjectPublicKeyInfo -- from CertTemplate |
| 234 | * } |
| 235 | */ |
| 236 | typedef struct ossl_crmf_poposigningkeyinput_authinfo_st { |
| 237 | int type; |
| 238 | union { |
| 239 | /* 0 */ GENERAL_NAME *sender; |
| 240 | /* 1 */ OSSL_CRMF_PKMACVALUE *publicKeyMAC; |
| 241 | } value; |
| 242 | } OSSL_CRMF_POPOSIGNINGKEYINPUT_AUTHINFO; |
| 243 | DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_POPOSIGNINGKEYINPUT_AUTHINFO) |
| 244 | |
| 245 | typedef struct ossl_crmf_poposigningkeyinput_st { |
| 246 | OSSL_CRMF_POPOSIGNINGKEYINPUT_AUTHINFO *authInfo; |
| 247 | X509_PUBKEY *publicKey; |
| 248 | } OSSL_CRMF_POPOSIGNINGKEYINPUT; |
| 249 | DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_POPOSIGNINGKEYINPUT) |
| 250 | |
| 251 | /*- |
| 252 | * POPOSigningKey ::= SEQUENCE { |
| 253 | * poposkInput [0] POPOSigningKeyInput OPTIONAL, |
| 254 | * algorithmIdentifier AlgorithmIdentifier, |
| 255 | * signature BIT STRING |
| 256 | * } |
| 257 | */ |
| 258 | struct ossl_crmf_poposigningkey_st { |
| 259 | OSSL_CRMF_POPOSIGNINGKEYINPUT *poposkInput; |
| 260 | X509_ALGOR *algorithmIdentifier; |
| 261 | ASN1_BIT_STRING *signature; |
| 262 | } /* OSSL_CRMF_POPOSIGNINGKEY */; |
| 263 | DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_POPOSIGNINGKEY) |
| 264 | |
| 265 | /*- |
| 266 | * ProofOfPossession ::= CHOICE { |
| 267 | * raVerified [0] NULL, |
| 268 | * -- used if the RA has already verified that the requester is in |
| 269 | * -- possession of the private key |
| 270 | * signature [1] POPOSigningKey, |
| 271 | * keyEncipherment [2] POPOPrivKey, |
| 272 | * keyAgreement [3] POPOPrivKey |
| 273 | * } |
| 274 | */ |
| 275 | typedef struct ossl_crmf_popo_st { |
| 276 | int type; |
| 277 | union { |
| 278 | ASN1_NULL *raVerified; /* 0 */ |
| 279 | OSSL_CRMF_POPOSIGNINGKEY *signature; /* 1 */ |
| 280 | OSSL_CRMF_POPOPRIVKEY *keyEncipherment; /* 2 */ |
| 281 | OSSL_CRMF_POPOPRIVKEY *keyAgreement; /* 3 */ |
| 282 | } value; |
| 283 | } OSSL_CRMF_POPO; |
| 284 | DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_POPO) |
| 285 | |
| 286 | /*- |
| 287 | * OptionalValidity ::= SEQUENCE { |
| 288 | * notBefore [0] Time OPTIONAL, |
| 289 | * notAfter [1] Time OPTIONAL -- at least one MUST be present |
| 290 | * } |
| 291 | */ |
| 292 | struct ossl_crmf_optionalvalidity_st { |
| 293 | /* 0 */ ASN1_TIME *notBefore; |
| 294 | /* 1 */ ASN1_TIME *notAfter; |
| 295 | } /* OSSL_CRMF_OPTIONALVALIDITY */; |
| 296 | DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_OPTIONALVALIDITY) |
| 297 | |
| 298 | /*- |
| 299 | * CertTemplate ::= SEQUENCE { |
| 300 | * version [0] Version OPTIONAL, |
| 301 | * serialNumber [1] INTEGER OPTIONAL, |
| 302 | * signingAlg [2] AlgorithmIdentifier OPTIONAL, |
| 303 | * issuer [3] Name OPTIONAL, |
| 304 | * validity [4] OptionalValidity OPTIONAL, |
| 305 | * subject [5] Name OPTIONAL, |
| 306 | * publicKey [6] SubjectPublicKeyInfo OPTIONAL, |
| 307 | * issuerUID [7] UniqueIdentifier OPTIONAL, |
| 308 | * subjectUID [8] UniqueIdentifier OPTIONAL, |
| 309 | * extensions [9] Extensions OPTIONAL |
| 310 | * } |
| 311 | */ |
| 312 | struct ossl_crmf_certtemplate_st { |
| 313 | ASN1_INTEGER *version; /* 0 */ |
| 314 | ASN1_INTEGER *serialNumber; /* 1 */ /* serialNumber MUST be omitted */ |
| 315 | /* This field is assigned by the CA during certificate creation */ |
| 316 | X509_ALGOR *signingAlg; /* 2 */ /* signingAlg MUST be omitted */ |
| 317 | /* This field is assigned by the CA during certificate creation */ |
| 318 | X509_NAME *issuer; /* 3 */ |
| 319 | OSSL_CRMF_OPTIONALVALIDITY *validity; /* 4 */ |
| 320 | X509_NAME *subject; /* 5 */ |
| 321 | X509_PUBKEY *publicKey; /* 6 */ |
| 322 | ASN1_BIT_STRING *issuerUID; /* 7 */ /* deprecated in version 2 */ |
| 323 | /* According to rfc 3280: UniqueIdentifier ::= BIT STRING */ |
| 324 | ASN1_BIT_STRING *subjectUID; /* 8 */ /* deprecated in version 2 */ |
| 325 | /* Could be X509_EXTENSION*S*, but that's only cosmetic */ |
| 326 | STACK_OF(X509_EXTENSION) *extensions; /* 9 */ |
| 327 | } /* OSSL_CRMF_CERTTEMPLATE */; |
| 328 | |
| 329 | /*- |
| 330 | * CertRequest ::= SEQUENCE { |
| 331 | * certReqId INTEGER, -- ID for matching request and reply |
| 332 | * certTemplate CertTemplate, -- Selected fields of cert to be issued |
| 333 | * controls Controls OPTIONAL -- Attributes affecting issuance |
| 334 | * } |
| 335 | */ |
| 336 | struct ossl_crmf_certrequest_st { |
| 337 | ASN1_INTEGER *certReqId; |
| 338 | OSSL_CRMF_CERTTEMPLATE *certTemplate; |
| 339 | /* TODO: make OSSL_CRMF_CONTROLS out of that - but only cosmetical */ |
| 340 | STACK_OF(OSSL_CRMF_ATTRIBUTETYPEANDVALUE) *controls; |
| 341 | } /* OSSL_CRMF_CERTREQUEST */; |
| 342 | DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_CERTREQUEST) |
| 343 | DECLARE_ASN1_DUP_FUNCTION(OSSL_CRMF_CERTREQUEST) |
| 344 | |
| 345 | /* TODO: isn't there a better way to have this for ANY type? */ |
| 346 | struct ossl_crmf_attributetypeandvalue_st { |
| 347 | ASN1_OBJECT *type; |
| 348 | union { |
| 349 | /* NID_id_regCtrl_regToken */ |
| 350 | ASN1_UTF8STRING *regToken; |
| 351 | |
| 352 | /* NID_id_regCtrl_authenticator */ |
| 353 | ASN1_UTF8STRING *authenticator; |
| 354 | |
| 355 | /* NID_id_regCtrl_pkiPublicationInfo */ |
| 356 | OSSL_CRMF_PKIPUBLICATIONINFO *pkiPublicationInfo; |
| 357 | |
| 358 | /* NID_id_regCtrl_oldCertID */ |
| 359 | OSSL_CRMF_CERTID *oldCertID; |
| 360 | |
| 361 | /* NID_id_regCtrl_protocolEncrKey */ |
| 362 | X509_PUBKEY *protocolEncrKey; |
| 363 | |
| 364 | /* NID_id_regInfo_utf8Pairs */ |
| 365 | ASN1_UTF8STRING *utf8Pairs; |
| 366 | |
| 367 | /* NID_id_regInfo_certReq */ |
| 368 | OSSL_CRMF_CERTREQUEST *certReq; |
| 369 | |
| 370 | ASN1_TYPE *other; |
| 371 | } value; |
| 372 | } /* OSSL_CRMF_ATTRIBUTETYPEANDVALUE */; |
| 373 | DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_ATTRIBUTETYPEANDVALUE) |
| 374 | DEFINE_STACK_OF(OSSL_CRMF_ATTRIBUTETYPEANDVALUE) |
| 375 | DECLARE_ASN1_DUP_FUNCTION(OSSL_CRMF_ATTRIBUTETYPEANDVALUE) |
| 376 | |
| 377 | /*- |
| 378 | * CertReqMessages ::= SEQUENCE SIZE (1..MAX) OF CertReqMsg |
| 379 | * CertReqMsg ::= SEQUENCE { |
| 380 | * certReq CertRequest, |
| 381 | * popo ProofOfPossession OPTIONAL, |
| 382 | * -- content depends upon key type |
| 383 | * regInfo SEQUENCE SIZE(1..MAX) OF AttributeTypeAndValue OPTIONAL |
| 384 | * } |
| 385 | */ |
| 386 | struct ossl_crmf_msg_st { |
| 387 | OSSL_CRMF_CERTREQUEST *certReq; |
| 388 | /* 0 */ |
| 389 | OSSL_CRMF_POPO *popo; |
| 390 | /* 1 */ |
| 391 | STACK_OF(OSSL_CRMF_ATTRIBUTETYPEANDVALUE) *regInfo; |
| 392 | } /* OSSL_CRMF_MSG */; |
| 393 | /* DEFINE_STACK_OF(OSSL_CRMF_MSG) */ |
| 394 | #endif |
| 395 |
Generated while processing ClickHouse/contrib/openssl/crypto/crmf/crmf_asn.c
Generated on 2020-Jan-04 from project ClickHouse revision 19.17.6
Powered by 
Code Browser 2.1
Generator usage only permitted with license.