Go to most recent revision | Details | Last modification | View Log | RSS feed
Rev | Author | Line No. | Line |
---|---|---|---|
5496 | leency | 1 | /** |
2 | * \file x509.h |
||
3 | * |
||
4 | * \brief X.509 certificate and private key decoding |
||
5 | * |
||
6 | * Copyright (C) 2006-2011, Brainspark B.V. |
||
7 | * |
||
8 | * This file is part of PolarSSL (http://www.polarssl.org) |
||
9 | * Lead Maintainer: Paul Bakker |
||
10 | * |
||
11 | * All rights reserved. |
||
12 | * |
||
13 | * This program is free software; you can redistribute it and/or modify |
||
14 | * it under the terms of the GNU General Public License as published by |
||
15 | * the Free Software Foundation; either version 2 of the License, or |
||
16 | * (at your option) any later version. |
||
17 | * |
||
18 | * This program is distributed in the hope that it will be useful, |
||
19 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
||
20 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
||
21 | * GNU General Public License for more details. |
||
22 | * |
||
23 | * You should have received a copy of the GNU General Public License along |
||
24 | * with this program; if not, write to the Free Software Foundation, Inc., |
||
25 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. |
||
26 | */ |
||
27 | #ifndef POLARSSL_X509_H |
||
28 | #define POLARSSL_X509_H |
||
29 | |||
30 | #include "asn1.h" |
||
31 | #include "rsa.h" |
||
32 | #include "dhm.h" |
||
33 | |||
34 | /** |
||
35 | * \addtogroup x509_module |
||
36 | * \{ |
||
37 | */ |
||
38 | |||
39 | /** |
||
40 | * \name X509 Error codes |
||
41 | * \{ |
||
42 | */ |
||
43 | #define POLARSSL_ERR_X509_FEATURE_UNAVAILABLE -0x2080 /**< Unavailable feature, e.g. RSA hashing/encryption combination. */ |
||
44 | #define POLARSSL_ERR_X509_CERT_INVALID_PEM -0x2100 /**< The PEM-encoded certificate contains invalid elements, e.g. invalid character. */ |
||
45 | #define POLARSSL_ERR_X509_CERT_INVALID_FORMAT -0x2180 /**< The certificate format is invalid, e.g. different type expected. */ |
||
46 | #define POLARSSL_ERR_X509_CERT_INVALID_VERSION -0x2200 /**< The certificate version element is invalid. */ |
||
47 | #define POLARSSL_ERR_X509_CERT_INVALID_SERIAL -0x2280 /**< The serial tag or value is invalid. */ |
||
48 | #define POLARSSL_ERR_X509_CERT_INVALID_ALG -0x2300 /**< The algorithm tag or value is invalid. */ |
||
49 | #define POLARSSL_ERR_X509_CERT_INVALID_NAME -0x2380 /**< The name tag or value is invalid. */ |
||
50 | #define POLARSSL_ERR_X509_CERT_INVALID_DATE -0x2400 /**< The date tag or value is invalid. */ |
||
51 | #define POLARSSL_ERR_X509_CERT_INVALID_PUBKEY -0x2480 /**< The pubkey tag or value is invalid (only RSA is supported). */ |
||
52 | #define POLARSSL_ERR_X509_CERT_INVALID_SIGNATURE -0x2500 /**< The signature tag or value invalid. */ |
||
53 | #define POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS -0x2580 /**< The extension tag or value is invalid. */ |
||
54 | #define POLARSSL_ERR_X509_CERT_UNKNOWN_VERSION -0x2600 /**< Certificate or CRL has an unsupported version number. */ |
||
55 | #define POLARSSL_ERR_X509_CERT_UNKNOWN_SIG_ALG -0x2680 /**< Signature algorithm (oid) is unsupported. */ |
||
56 | #define POLARSSL_ERR_X509_UNKNOWN_PK_ALG -0x2700 /**< Key algorithm is unsupported (only RSA is supported). */ |
||
57 | #define POLARSSL_ERR_X509_CERT_SIG_MISMATCH -0x2780 /**< Certificate signature algorithms do not match. (see \c ::x509_cert sig_oid) */ |
||
58 | #define POLARSSL_ERR_X509_CERT_VERIFY_FAILED -0x2800 /**< Certificate verification failed, e.g. CRL, CA or signature check failed. */ |
||
59 | #define POLARSSL_ERR_X509_KEY_INVALID_VERSION -0x2880 /**< Unsupported RSA key version */ |
||
60 | #define POLARSSL_ERR_X509_KEY_INVALID_FORMAT -0x2900 /**< Invalid RSA key tag or value. */ |
||
61 | #define POLARSSL_ERR_X509_CERT_UNKNOWN_FORMAT -0x2980 /**< Format not recognized as DER or PEM. */ |
||
62 | #define POLARSSL_ERR_X509_INVALID_INPUT -0x2A00 /**< Input invalid. */ |
||
63 | #define POLARSSL_ERR_X509_MALLOC_FAILED -0x2A80 /**< Allocation of memory failed. */ |
||
64 | #define POLARSSL_ERR_X509_FILE_IO_ERROR -0x2B00 /**< Read/write of file failed. */ |
||
65 | /* \} name */ |
||
66 | |||
67 | |||
68 | /** |
||
69 | * \name X509 Verify codes |
||
70 | * \{ |
||
71 | */ |
||
72 | #define BADCERT_EXPIRED 0x01 /**< The certificate validity has expired. */ |
||
73 | #define BADCERT_REVOKED 0x02 /**< The certificate has been revoked (is on a CRL). */ |
||
74 | #define BADCERT_CN_MISMATCH 0x04 /**< The certificate Common Name (CN) does not match with the expected CN. */ |
||
75 | #define BADCERT_NOT_TRUSTED 0x08 /**< The certificate is not correctly signed by the trusted CA. */ |
||
76 | #define BADCRL_NOT_TRUSTED 0x10 /**< CRL is not correctly signed by the trusted CA. */ |
||
77 | #define BADCRL_EXPIRED 0x20 /**< CRL is expired. */ |
||
78 | #define BADCERT_MISSING 0x40 /**< Certificate was missing. */ |
||
79 | #define BADCERT_SKIP_VERIFY 0x80 /**< Certificate verification was skipped. */ |
||
80 | #define BADCERT_OTHER 0x0100 /**< Other reason (can be used by verify callback) */ |
||
81 | /* \} name */ |
||
82 | /* \} addtogroup x509_module */ |
||
83 | |||
84 | /* |
||
85 | * various object identifiers |
||
86 | */ |
||
87 | #define X520_COMMON_NAME 3 |
||
88 | #define X520_COUNTRY 6 |
||
89 | #define X520_LOCALITY 7 |
||
90 | #define X520_STATE 8 |
||
91 | #define X520_ORGANIZATION 10 |
||
92 | #define X520_ORG_UNIT 11 |
||
93 | #define PKCS9_EMAIL 1 |
||
94 | |||
95 | #define X509_OUTPUT_DER 0x01 |
||
96 | #define X509_OUTPUT_PEM 0x02 |
||
97 | #define PEM_LINE_LENGTH 72 |
||
98 | #define X509_ISSUER 0x01 |
||
99 | #define X509_SUBJECT 0x02 |
||
100 | |||
101 | #define OID_X520 "\x55\x04" |
||
102 | #define OID_CN OID_X520 "\x03" |
||
103 | #define OID_COUNTRY OID_X520 "\x06" |
||
104 | #define OID_LOCALITY OID_X520 "\x07" |
||
105 | #define OID_STATE OID_X520 "\x08" |
||
106 | #define OID_ORGANIZATION OID_X520 "\x0A" |
||
107 | #define OID_ORG_UNIT OID_X520 "\x0B" |
||
108 | |||
109 | #define OID_PKCS1 "\x2A\x86\x48\x86\xF7\x0D\x01\x01" |
||
110 | #define OID_PKCS1_RSA OID_PKCS1 "\x01" |
||
111 | #define OID_PKCS1_SHA1 OID_PKCS1 "\x05" |
||
112 | |||
113 | #define OID_RSA_SHA_OBS "\x2B\x0E\x03\x02\x1D" |
||
114 | |||
115 | #define OID_PKCS9 "\x2A\x86\x48\x86\xF7\x0D\x01\x09" |
||
116 | #define OID_PKCS9_EMAIL OID_PKCS9 "\x01" |
||
117 | |||
118 | /** ISO arc for standard certificate and CRL extensions */ |
||
119 | #define OID_ID_CE "\x55\x1D" /**< id-ce OBJECT IDENTIFIER ::= {joint-iso-ccitt(2) ds(5) 29} */ |
||
120 | |||
121 | /** |
||
122 | * Private Internet Extensions |
||
123 | * { iso(1) identified-organization(3) dod(6) internet(1) |
||
124 | * security(5) mechanisms(5) pkix(7) } |
||
125 | */ |
||
126 | #define OID_PKIX "\x2B\x06\x01\x05\x05\x07" |
||
127 | |||
128 | /* |
||
129 | * OIDs for standard certificate extensions |
||
130 | */ |
||
131 | #define OID_AUTHORITY_KEY_IDENTIFIER OID_ID_CE "\x23" /**< id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 35 } */ |
||
132 | #define OID_SUBJECT_KEY_IDENTIFIER OID_ID_CE "\x0E" /**< id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 14 } */ |
||
133 | #define OID_KEY_USAGE OID_ID_CE "\x0F" /**< id-ce-keyUsage OBJECT IDENTIFIER ::= { id-ce 15 } */ |
||
134 | #define OID_CERTIFICATE_POLICIES OID_ID_CE "\x20" /**< id-ce-certificatePolicies OBJECT IDENTIFIER ::= { id-ce 32 } */ |
||
135 | #define OID_POLICY_MAPPINGS OID_ID_CE "\x21" /**< id-ce-policyMappings OBJECT IDENTIFIER ::= { id-ce 33 } */ |
||
136 | #define OID_SUBJECT_ALT_NAME OID_ID_CE "\x11" /**< id-ce-subjectAltName OBJECT IDENTIFIER ::= { id-ce 17 } */ |
||
137 | #define OID_ISSUER_ALT_NAME OID_ID_CE "\x12" /**< id-ce-issuerAltName OBJECT IDENTIFIER ::= { id-ce 18 } */ |
||
138 | #define OID_SUBJECT_DIRECTORY_ATTRS OID_ID_CE "\x09" /**< id-ce-subjectDirectoryAttributes OBJECT IDENTIFIER ::= { id-ce 9 } */ |
||
139 | #define OID_BASIC_CONSTRAINTS OID_ID_CE "\x13" /**< id-ce-basicConstraints OBJECT IDENTIFIER ::= { id-ce 19 } */ |
||
140 | #define OID_NAME_CONSTRAINTS OID_ID_CE "\x1E" /**< id-ce-nameConstraints OBJECT IDENTIFIER ::= { id-ce 30 } */ |
||
141 | #define OID_POLICY_CONSTRAINTS OID_ID_CE "\x24" /**< id-ce-policyConstraints OBJECT IDENTIFIER ::= { id-ce 36 } */ |
||
142 | #define OID_EXTENDED_KEY_USAGE OID_ID_CE "\x25" /**< id-ce-extKeyUsage OBJECT IDENTIFIER ::= { id-ce 37 } */ |
||
143 | #define OID_CRL_DISTRIBUTION_POINTS OID_ID_CE "\x1F" /**< id-ce-cRLDistributionPoints OBJECT IDENTIFIER ::= { id-ce 31 } */ |
||
144 | #define OID_INIHIBIT_ANYPOLICY OID_ID_CE "\x36" /**< id-ce-inhibitAnyPolicy OBJECT IDENTIFIER ::= { id-ce 54 } */ |
||
145 | #define OID_FRESHEST_CRL OID_ID_CE "\x2E" /**< id-ce-freshestCRL OBJECT IDENTIFIER ::= { id-ce 46 } */ |
||
146 | |||
147 | /* |
||
148 | * X.509 v3 Key Usage Extension flags |
||
149 | */ |
||
150 | #define KU_DIGITAL_SIGNATURE (0x80) /* bit 0 */ |
||
151 | #define KU_NON_REPUDIATION (0x40) /* bit 1 */ |
||
152 | #define KU_KEY_ENCIPHERMENT (0x20) /* bit 2 */ |
||
153 | #define KU_DATA_ENCIPHERMENT (0x10) /* bit 3 */ |
||
154 | #define KU_KEY_AGREEMENT (0x08) /* bit 4 */ |
||
155 | #define KU_KEY_CERT_SIGN (0x04) /* bit 5 */ |
||
156 | #define KU_CRL_SIGN (0x02) /* bit 6 */ |
||
157 | |||
158 | /* |
||
159 | * X.509 v3 Extended key usage OIDs |
||
160 | */ |
||
161 | #define OID_ANY_EXTENDED_KEY_USAGE OID_EXTENDED_KEY_USAGE "\x00" /**< anyExtendedKeyUsage OBJECT IDENTIFIER ::= { id-ce-extKeyUsage 0 } */ |
||
162 | |||
163 | #define OID_KP OID_PKIX "\x03" /**< id-kp OBJECT IDENTIFIER ::= { id-pkix 3 } */ |
||
164 | #define OID_SERVER_AUTH OID_KP "\x01" /**< id-kp-serverAuth OBJECT IDENTIFIER ::= { id-kp 1 } */ |
||
165 | #define OID_CLIENT_AUTH OID_KP "\x02" /**< id-kp-clientAuth OBJECT IDENTIFIER ::= { id-kp 2 } */ |
||
166 | #define OID_CODE_SIGNING OID_KP "\x03" /**< id-kp-codeSigning OBJECT IDENTIFIER ::= { id-kp 3 } */ |
||
167 | #define OID_EMAIL_PROTECTION OID_KP "\x04" /**< id-kp-emailProtection OBJECT IDENTIFIER ::= { id-kp 4 } */ |
||
168 | #define OID_TIME_STAMPING OID_KP "\x08" /**< id-kp-timeStamping OBJECT IDENTIFIER ::= { id-kp 8 } */ |
||
169 | #define OID_OCSP_SIGNING OID_KP "\x09" /**< id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 } */ |
||
170 | |||
171 | #define STRING_SERVER_AUTH "TLS Web Server Authentication" |
||
172 | #define STRING_CLIENT_AUTH "TLS Web Client Authentication" |
||
173 | #define STRING_CODE_SIGNING "Code Signing" |
||
174 | #define STRING_EMAIL_PROTECTION "E-mail Protection" |
||
175 | #define STRING_TIME_STAMPING "Time Stamping" |
||
176 | #define STRING_OCSP_SIGNING "OCSP Signing" |
||
177 | |||
178 | /* |
||
179 | * OIDs for CRL extensions |
||
180 | */ |
||
181 | #define OID_PRIVATE_KEY_USAGE_PERIOD OID_ID_CE "\x10" |
||
182 | #define OID_CRL_NUMBER OID_ID_CE "\x14" /**< id-ce-cRLNumber OBJECT IDENTIFIER ::= { id-ce 20 } */ |
||
183 | |||
184 | /* |
||
185 | * Netscape certificate extensions |
||
186 | */ |
||
187 | #define OID_NETSCAPE "\x60\x86\x48\x01\x86\xF8\x42" /**< Netscape OID */ |
||
188 | #define OID_NS_CERT OID_NETSCAPE "\x01" |
||
189 | #define OID_NS_CERT_TYPE OID_NS_CERT "\x01" |
||
190 | #define OID_NS_BASE_URL OID_NS_CERT "\x02" |
||
191 | #define OID_NS_REVOCATION_URL OID_NS_CERT "\x03" |
||
192 | #define OID_NS_CA_REVOCATION_URL OID_NS_CERT "\x04" |
||
193 | #define OID_NS_RENEWAL_URL OID_NS_CERT "\x07" |
||
194 | #define OID_NS_CA_POLICY_URL OID_NS_CERT "\x08" |
||
195 | #define OID_NS_SSL_SERVER_NAME OID_NS_CERT "\x0C" |
||
196 | #define OID_NS_COMMENT OID_NS_CERT "\x0D" |
||
197 | #define OID_NS_DATA_TYPE OID_NETSCAPE "\x02" |
||
198 | #define OID_NS_CERT_SEQUENCE OID_NS_DATA_TYPE "\x05" |
||
199 | |||
200 | /* |
||
201 | * Netscape certificate types |
||
202 | * (http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn3.html) |
||
203 | */ |
||
204 | |||
205 | #define NS_CERT_TYPE_SSL_CLIENT (0x80) /* bit 0 */ |
||
206 | #define NS_CERT_TYPE_SSL_SERVER (0x40) /* bit 1 */ |
||
207 | #define NS_CERT_TYPE_EMAIL (0x20) /* bit 2 */ |
||
208 | #define NS_CERT_TYPE_OBJECT_SIGNING (0x10) /* bit 3 */ |
||
209 | #define NS_CERT_TYPE_RESERVED (0x08) /* bit 4 */ |
||
210 | #define NS_CERT_TYPE_SSL_CA (0x04) /* bit 5 */ |
||
211 | #define NS_CERT_TYPE_EMAIL_CA (0x02) /* bit 6 */ |
||
212 | #define NS_CERT_TYPE_OBJECT_SIGNING_CA (0x01) /* bit 7 */ |
||
213 | |||
214 | #define EXT_AUTHORITY_KEY_IDENTIFIER (1 << 0) |
||
215 | #define EXT_SUBJECT_KEY_IDENTIFIER (1 << 1) |
||
216 | #define EXT_KEY_USAGE (1 << 2) |
||
217 | #define EXT_CERTIFICATE_POLICIES (1 << 3) |
||
218 | #define EXT_POLICY_MAPPINGS (1 << 4) |
||
219 | #define EXT_SUBJECT_ALT_NAME (1 << 5) |
||
220 | #define EXT_ISSUER_ALT_NAME (1 << 6) |
||
221 | #define EXT_SUBJECT_DIRECTORY_ATTRS (1 << 7) |
||
222 | #define EXT_BASIC_CONSTRAINTS (1 << 8) |
||
223 | #define EXT_NAME_CONSTRAINTS (1 << 9) |
||
224 | #define EXT_POLICY_CONSTRAINTS (1 << 10) |
||
225 | #define EXT_EXTENDED_KEY_USAGE (1 << 11) |
||
226 | #define EXT_CRL_DISTRIBUTION_POINTS (1 << 12) |
||
227 | #define EXT_INIHIBIT_ANYPOLICY (1 << 13) |
||
228 | #define EXT_FRESHEST_CRL (1 << 14) |
||
229 | |||
230 | #define EXT_NS_CERT_TYPE (1 << 16) |
||
231 | |||
232 | /* |
||
233 | * Storage format identifiers |
||
234 | * Recognized formats: PEM and DER |
||
235 | */ |
||
236 | #define X509_FORMAT_DER 1 |
||
237 | #define X509_FORMAT_PEM 2 |
||
238 | |||
239 | /** |
||
240 | * \addtogroup x509_module |
||
241 | * \{ */ |
||
242 | |||
243 | /** |
||
244 | * \name Structures for parsing X.509 certificates and CRLs |
||
245 | * \{ |
||
246 | */ |
||
247 | |||
248 | /** |
||
249 | * Type-length-value structure that allows for ASN1 using DER. |
||
250 | */ |
||
251 | typedef asn1_buf x509_buf; |
||
252 | |||
253 | /** |
||
254 | * Container for ASN1 bit strings. |
||
255 | */ |
||
256 | typedef asn1_bitstring x509_bitstring; |
||
257 | |||
258 | /** |
||
259 | * Container for ASN1 named information objects. |
||
260 | * It allows for Relative Distinguished Names (e.g. cn=polarssl,ou=code,etc.). |
||
261 | */ |
||
262 | typedef struct _x509_name |
||
263 | { |
||
264 | x509_buf oid; /**< The object identifier. */ |
||
265 | x509_buf val; /**< The named value. */ |
||
266 | struct _x509_name *next; /**< The next named information object. */ |
||
267 | } |
||
268 | x509_name; |
||
269 | |||
270 | /** |
||
271 | * Container for a sequence of ASN.1 items |
||
272 | */ |
||
273 | typedef asn1_sequence x509_sequence; |
||
274 | |||
275 | /** Container for date and time (precision in seconds). */ |
||
276 | typedef struct _x509_time |
||
277 | { |
||
278 | int year, mon, day; /**< Date. */ |
||
279 | int hour, min, sec; /**< Time. */ |
||
280 | } |
||
281 | x509_time; |
||
282 | |||
283 | /** |
||
284 | * Container for an X.509 certificate. The certificate may be chained. |
||
285 | */ |
||
286 | typedef struct _x509_cert |
||
287 | { |
||
288 | x509_buf raw; /**< The raw certificate data (DER). */ |
||
289 | x509_buf tbs; /**< The raw certificate body (DER). The part that is To Be Signed. */ |
||
290 | |||
291 | int version; /**< The X.509 version. (0=v1, 1=v2, 2=v3) */ |
||
292 | x509_buf serial; /**< Unique id for certificate issued by a specific CA. */ |
||
293 | x509_buf sig_oid1; /**< Signature algorithm, e.g. sha1RSA */ |
||
294 | |||
295 | x509_buf issuer_raw; /**< The raw issuer data (DER). Used for quick comparison. */ |
||
296 | x509_buf subject_raw; /**< The raw subject data (DER). Used for quick comparison. */ |
||
297 | |||
298 | x509_name issuer; /**< The parsed issuer data (named information object). */ |
||
299 | x509_name subject; /**< The parsed subject data (named information object). */ |
||
300 | |||
301 | x509_time valid_from; /**< Start time of certificate validity. */ |
||
302 | x509_time valid_to; /**< End time of certificate validity. */ |
||
303 | |||
304 | x509_buf pk_oid; /**< Subject public key info. Includes the public key algorithm and the key itself. */ |
||
305 | rsa_context rsa; /**< Container for the RSA context. Only RSA is supported for public keys at this time. */ |
||
306 | |||
307 | x509_buf issuer_id; /**< Optional X.509 v2/v3 issuer unique identifier. */ |
||
308 | x509_buf subject_id; /**< Optional X.509 v2/v3 subject unique identifier. */ |
||
309 | x509_buf v3_ext; /**< Optional X.509 v3 extensions. Only Basic Contraints are supported at this time. */ |
||
310 | x509_sequence subject_alt_names; /**< Optional list of Subject Alternative Names (Only dNSName supported). */ |
||
311 | |||
312 | int ext_types; /**< Bit string containing detected and parsed extensions */ |
||
313 | int ca_istrue; /**< Optional Basic Constraint extension value: 1 if this certificate belongs to a CA, 0 otherwise. */ |
||
314 | int max_pathlen; /**< Optional Basic Constraint extension value: The maximum path length to the root certificate. Path length is 1 higher than RFC 5280 'meaning', so 1+ */ |
||
315 | |||
316 | unsigned char key_usage; /**< Optional key usage extension value: See the values below */ |
||
317 | |||
318 | x509_sequence ext_key_usage; /**< Optional list of extended key usage OIDs. */ |
||
319 | |||
320 | unsigned char ns_cert_type; /**< Optional Netscape certificate type extension value: See the values below */ |
||
321 | |||
322 | x509_buf sig_oid2; /**< Signature algorithm. Must match sig_oid1. */ |
||
323 | x509_buf sig; /**< Signature: hash of the tbs part signed with the private key. */ |
||
324 | int sig_alg; /**< Internal representation of the signature algorithm, e.g. SIG_RSA_MD2 */ |
||
325 | |||
326 | struct _x509_cert *next; /**< Next certificate in the CA-chain. */ |
||
327 | } |
||
328 | x509_cert; |
||
329 | |||
330 | /** |
||
331 | * Certificate revocation list entry. |
||
332 | * Contains the CA-specific serial numbers and revocation dates. |
||
333 | */ |
||
334 | typedef struct _x509_crl_entry |
||
335 | { |
||
336 | x509_buf raw; |
||
337 | |||
338 | x509_buf serial; |
||
339 | |||
340 | x509_time revocation_date; |
||
341 | |||
342 | x509_buf entry_ext; |
||
343 | |||
344 | struct _x509_crl_entry *next; |
||
345 | } |
||
346 | x509_crl_entry; |
||
347 | |||
348 | /** |
||
349 | * Certificate revocation list structure. |
||
350 | * Every CRL may have multiple entries. |
||
351 | */ |
||
352 | typedef struct _x509_crl |
||
353 | { |
||
354 | x509_buf raw; /**< The raw certificate data (DER). */ |
||
355 | x509_buf tbs; /**< The raw certificate body (DER). The part that is To Be Signed. */ |
||
356 | |||
357 | int version; |
||
358 | x509_buf sig_oid1; |
||
359 | |||
360 | x509_buf issuer_raw; /**< The raw issuer data (DER). */ |
||
361 | |||
362 | x509_name issuer; /**< The parsed issuer data (named information object). */ |
||
363 | |||
364 | x509_time this_update; |
||
365 | x509_time next_update; |
||
366 | |||
367 | x509_crl_entry entry; /**< The CRL entries containing the certificate revocation times for this CA. */ |
||
368 | |||
369 | x509_buf crl_ext; |
||
370 | |||
371 | x509_buf sig_oid2; |
||
372 | x509_buf sig; |
||
373 | int sig_alg; |
||
374 | |||
375 | struct _x509_crl *next; |
||
376 | } |
||
377 | x509_crl; |
||
378 | /** \} name Structures for parsing X.509 certificates and CRLs */ |
||
379 | /** \} addtogroup x509_module */ |
||
380 | |||
381 | /** |
||
382 | * \name Structures for writing X.509 certificates. |
||
383 | * XvP: commented out as they are not used. |
||
384 | * - typedef struct _x509_node x509_node; |
||
385 | * - typedef struct _x509_raw x509_raw; |
||
386 | */ |
||
387 | /* |
||
388 | typedef struct _x509_node |
||
389 | { |
||
390 | unsigned char *data; |
||
391 | unsigned char *p; |
||
392 | unsigned char *end; |
||
393 | |||
394 | size_t len; |
||
395 | } |
||
396 | x509_node; |
||
397 | |||
398 | typedef struct _x509_raw |
||
399 | { |
||
400 | x509_node raw; |
||
401 | x509_node tbs; |
||
402 | |||
403 | x509_node version; |
||
404 | x509_node serial; |
||
405 | x509_node tbs_signalg; |
||
406 | x509_node issuer; |
||
407 | x509_node validity; |
||
408 | x509_node subject; |
||
409 | x509_node subpubkey; |
||
410 | |||
411 | x509_node signalg; |
||
412 | x509_node sign; |
||
413 | } |
||
414 | x509_raw; |
||
415 | */ |
||
416 | |||
417 | #ifdef __cplusplus |
||
418 | extern "C" { |
||
419 | #endif |
||
420 | |||
421 | /** |
||
422 | * \name Functions to read in DHM parameters, a certificate, CRL or private RSA key |
||
423 | * \{ |
||
424 | */ |
||
425 | |||
426 | /** \ingroup x509_module */ |
||
427 | /** |
||
428 | * \brief Parse one or more certificates and add them |
||
429 | * to the chained list. Parses permissively. If some |
||
430 | * certificates can be parsed, the result is the number |
||
431 | * of failed certificates it encountered. If none complete |
||
432 | * correctly, the first error is returned. |
||
433 | * |
||
434 | * \param chain points to the start of the chain |
||
435 | * \param buf buffer holding the certificate data |
||
436 | * \param buflen size of the buffer |
||
437 | * |
||
438 | * \return 0 if all certificates parsed successfully, a positive number |
||
439 | * if partly successful or a specific X509 or PEM error code |
||
440 | */ |
||
441 | int x509parse_crt( x509_cert *chain, const unsigned char *buf, size_t buflen ); |
||
442 | |||
443 | /** \ingroup x509_module */ |
||
444 | /** |
||
445 | * \brief Load one or more certificates and add them |
||
446 | * to the chained list. Parses permissively. If some |
||
447 | * certificates can be parsed, the result is the number |
||
448 | * of failed certificates it encountered. If none complete |
||
449 | * correctly, the first error is returned. |
||
450 | * |
||
451 | * \param chain points to the start of the chain |
||
452 | * \param path filename to read the certificates from |
||
453 | * |
||
454 | * \return 0 if all certificates parsed successfully, a positive number |
||
455 | * if partly successful or a specific X509 or PEM error code |
||
456 | */ |
||
457 | int x509parse_crtfile( x509_cert *chain, const char *path ); |
||
458 | |||
459 | /** \ingroup x509_module */ |
||
460 | /** |
||
461 | * \brief Load one or more certificate files from a path and add them |
||
462 | * to the chained list. Parses permissively. If some |
||
463 | * certificates can be parsed, the result is the number |
||
464 | * of failed certificates it encountered. If none complete |
||
465 | * correctly, the first error is returned. |
||
466 | * |
||
467 | * \param chain points to the start of the chain |
||
468 | * \param path directory / folder to read the certificate files from |
||
469 | * |
||
470 | * \return 0 if all certificates parsed successfully, a positive number |
||
471 | * if partly successful or a specific X509 or PEM error code |
||
472 | */ |
||
473 | int x509parse_crtpath( x509_cert *chain, const char *path ); |
||
474 | |||
475 | /** \ingroup x509_module */ |
||
476 | /** |
||
477 | * \brief Parse one or more CRLs and add them |
||
478 | * to the chained list |
||
479 | * |
||
480 | * \param chain points to the start of the chain |
||
481 | * \param buf buffer holding the CRL data |
||
482 | * \param buflen size of the buffer |
||
483 | * |
||
484 | * \return 0 if successful, or a specific X509 or PEM error code |
||
485 | */ |
||
486 | int x509parse_crl( x509_crl *chain, const unsigned char *buf, size_t buflen ); |
||
487 | |||
488 | /** \ingroup x509_module */ |
||
489 | /** |
||
490 | * \brief Load one or more CRLs and add them |
||
491 | * to the chained list |
||
492 | * |
||
493 | * \param chain points to the start of the chain |
||
494 | * \param path filename to read the CRLs from |
||
495 | * |
||
496 | * \return 0 if successful, or a specific X509 or PEM error code |
||
497 | */ |
||
498 | int x509parse_crlfile( x509_crl *chain, const char *path ); |
||
499 | |||
500 | /** \ingroup x509_module */ |
||
501 | /** |
||
502 | * \brief Parse a private RSA key |
||
503 | * |
||
504 | * \param rsa RSA context to be initialized |
||
505 | * \param key input buffer |
||
506 | * \param keylen size of the buffer |
||
507 | * \param pwd password for decryption (optional) |
||
508 | * \param pwdlen size of the password |
||
509 | * |
||
510 | * \return 0 if successful, or a specific X509 or PEM error code |
||
511 | */ |
||
512 | int x509parse_key( rsa_context *rsa, |
||
513 | const unsigned char *key, size_t keylen, |
||
514 | const unsigned char *pwd, size_t pwdlen ); |
||
515 | |||
516 | /** \ingroup x509_module */ |
||
517 | /** |
||
518 | * \brief Load and parse a private RSA key |
||
519 | * |
||
520 | * \param rsa RSA context to be initialized |
||
521 | * \param path filename to read the private key from |
||
522 | * \param password password to decrypt the file (can be NULL) |
||
523 | * |
||
524 | * \return 0 if successful, or a specific X509 or PEM error code |
||
525 | */ |
||
526 | int x509parse_keyfile( rsa_context *rsa, const char *path, |
||
527 | const char *password ); |
||
528 | |||
529 | /** \ingroup x509_module */ |
||
530 | /** |
||
531 | * \brief Parse a public RSA key |
||
532 | * |
||
533 | * \param rsa RSA context to be initialized |
||
534 | * \param key input buffer |
||
535 | * \param keylen size of the buffer |
||
536 | * |
||
537 | * \return 0 if successful, or a specific X509 or PEM error code |
||
538 | */ |
||
539 | int x509parse_public_key( rsa_context *rsa, |
||
540 | const unsigned char *key, size_t keylen ); |
||
541 | |||
542 | /** \ingroup x509_module */ |
||
543 | /** |
||
544 | * \brief Load and parse a public RSA key |
||
545 | * |
||
546 | * \param rsa RSA context to be initialized |
||
547 | * \param path filename to read the private key from |
||
548 | * |
||
549 | * \return 0 if successful, or a specific X509 or PEM error code |
||
550 | */ |
||
551 | int x509parse_public_keyfile( rsa_context *rsa, const char *path ); |
||
552 | |||
553 | /** \ingroup x509_module */ |
||
554 | /** |
||
555 | * \brief Parse DHM parameters |
||
556 | * |
||
557 | * \param dhm DHM context to be initialized |
||
558 | * \param dhmin input buffer |
||
559 | * \param dhminlen size of the buffer |
||
560 | * |
||
561 | * \return 0 if successful, or a specific X509 or PEM error code |
||
562 | */ |
||
563 | int x509parse_dhm( dhm_context *dhm, const unsigned char *dhmin, size_t dhminlen ); |
||
564 | |||
565 | /** \ingroup x509_module */ |
||
566 | /** |
||
567 | * \brief Load and parse DHM parameters |
||
568 | * |
||
569 | * \param dhm DHM context to be initialized |
||
570 | * \param path filename to read the DHM Parameters from |
||
571 | * |
||
572 | * \return 0 if successful, or a specific X509 or PEM error code |
||
573 | */ |
||
574 | int x509parse_dhmfile( dhm_context *dhm, const char *path ); |
||
575 | |||
576 | /** \} name Functions to read in DHM parameters, a certificate, CRL or private RSA key */ |
||
577 | |||
578 | /** |
||
579 | * \brief Store the certificate DN in printable form into buf; |
||
580 | * no more than size characters will be written. |
||
581 | * |
||
582 | * \param buf Buffer to write to |
||
583 | * \param size Maximum size of buffer |
||
584 | * \param dn The X509 name to represent |
||
585 | * |
||
586 | * \return The amount of data written to the buffer, or -1 in |
||
587 | * case of an error. |
||
588 | */ |
||
589 | int x509parse_dn_gets( char *buf, size_t size, const x509_name *dn ); |
||
590 | |||
591 | /** |
||
592 | * \brief Store the certificate serial in printable form into buf; |
||
593 | * no more than size characters will be written. |
||
594 | * |
||
595 | * \param buf Buffer to write to |
||
596 | * \param size Maximum size of buffer |
||
597 | * \param serial The X509 serial to represent |
||
598 | * |
||
599 | * \return The amount of data written to the buffer, or -1 in |
||
600 | * case of an error. |
||
601 | */ |
||
602 | int x509parse_serial_gets( char *buf, size_t size, const x509_buf *serial ); |
||
603 | |||
604 | /** |
||
605 | * \brief Returns an informational string about the |
||
606 | * certificate. |
||
607 | * |
||
608 | * \param buf Buffer to write to |
||
609 | * \param size Maximum size of buffer |
||
610 | * \param prefix A line prefix |
||
611 | * \param crt The X509 certificate to represent |
||
612 | * |
||
613 | * \return The amount of data written to the buffer, or -1 in |
||
614 | * case of an error. |
||
615 | */ |
||
616 | int x509parse_cert_info( char *buf, size_t size, const char *prefix, |
||
617 | const x509_cert *crt ); |
||
618 | |||
619 | /** |
||
620 | * \brief Returns an informational string about the |
||
621 | * CRL. |
||
622 | * |
||
623 | * \param buf Buffer to write to |
||
624 | * \param size Maximum size of buffer |
||
625 | * \param prefix A line prefix |
||
626 | * \param crl The X509 CRL to represent |
||
627 | * |
||
628 | * \return The amount of data written to the buffer, or -1 in |
||
629 | * case of an error. |
||
630 | */ |
||
631 | int x509parse_crl_info( char *buf, size_t size, const char *prefix, |
||
632 | const x509_crl *crl ); |
||
633 | |||
634 | /** |
||
635 | * \brief Give an known OID, return its descriptive string. |
||
636 | * |
||
637 | * \param oid buffer containing the oid |
||
638 | * |
||
639 | * \return Return a string if the OID is known, |
||
640 | * or NULL otherwise. |
||
641 | */ |
||
642 | const char *x509_oid_get_description( x509_buf *oid ); |
||
643 | |||
644 | /** |
||
645 | * \brief Give an OID, return a string version of its OID number. |
||
646 | * |
||
647 | * \param buf Buffer to write to |
||
648 | * \param size Maximum size of buffer |
||
649 | * \param oid Buffer containing the OID |
||
650 | * |
||
651 | * \return The amount of data written to the buffer, or -1 in |
||
652 | * case of an error. |
||
653 | */ |
||
654 | int x509_oid_get_numeric_string( char *buf, size_t size, x509_buf *oid ); |
||
655 | |||
656 | /** |
||
657 | * \brief Check a given x509_time against the system time and check |
||
658 | * if it is valid. |
||
659 | * |
||
660 | * \param time x509_time to check |
||
661 | * |
||
662 | * \return Return 0 if the x509_time is still valid, |
||
663 | * or 1 otherwise. |
||
664 | */ |
||
665 | int x509parse_time_expired( const x509_time *time ); |
||
666 | |||
667 | /** |
||
668 | * \name Functions to verify a certificate |
||
669 | * \{ |
||
670 | */ |
||
671 | /** \ingroup x509_module */ |
||
672 | /** |
||
673 | * \brief Verify the certificate signature |
||
674 | * |
||
675 | * The verify callback is a user-supplied callback that |
||
676 | * can clear / modify / add flags for a certificate. If set, |
||
677 | * the verification callback is called for each |
||
678 | * certificate in the chain (from the trust-ca down to the |
||
679 | * presented crt). The parameters for the callback are: |
||
680 | * (void *parameter, x509_cert *crt, int certificate_depth, |
||
681 | * int *flags). With the flags representing current flags for |
||
682 | * that specific certificate and the certificate depth from |
||
683 | * the bottom (Peer cert depth = 0). |
||
684 | * |
||
685 | * All flags left after returning from the callback |
||
686 | * are also returned to the application. The function should |
||
687 | * return 0 for anything but a fatal error. |
||
688 | * |
||
689 | * \param crt a certificate to be verified |
||
690 | * \param trust_ca the trusted CA chain |
||
691 | * \param ca_crl the CRL chain for trusted CA's |
||
692 | * \param cn expected Common Name (can be set to |
||
693 | * NULL if the CN must not be verified) |
||
694 | * \param flags result of the verification |
||
695 | * \param f_vrfy verification function |
||
696 | * \param p_vrfy verification parameter |
||
697 | * |
||
698 | * \return 0 if successful or POLARSSL_ERR_X509_SIG_VERIFY_FAILED, |
||
699 | * in which case *flags will have one or more of |
||
700 | * the following values set: |
||
701 | * BADCERT_EXPIRED -- |
||
702 | * BADCERT_REVOKED -- |
||
703 | * BADCERT_CN_MISMATCH -- |
||
704 | * BADCERT_NOT_TRUSTED |
||
705 | * or another error in case of a fatal error encountered |
||
706 | * during the verification process. |
||
707 | */ |
||
708 | int x509parse_verify( x509_cert *crt, |
||
709 | x509_cert *trust_ca, |
||
710 | x509_crl *ca_crl, |
||
711 | const char *cn, int *flags, |
||
712 | int (*f_vrfy)(void *, x509_cert *, int, int *), |
||
713 | void *p_vrfy ); |
||
714 | |||
715 | /** |
||
716 | * \brief Verify the certificate signature |
||
717 | * |
||
718 | * \param crt a certificate to be verified |
||
719 | * \param crl the CRL to verify against |
||
720 | * |
||
721 | * \return 1 if the certificate is revoked, 0 otherwise |
||
722 | * |
||
723 | */ |
||
724 | int x509parse_revoked( const x509_cert *crt, const x509_crl *crl ); |
||
725 | |||
726 | /** \} name Functions to verify a certificate */ |
||
727 | |||
728 | |||
729 | |||
730 | /** |
||
731 | * \name Functions to clear a certificate, CRL or private RSA key |
||
732 | * \{ |
||
733 | */ |
||
734 | /** \ingroup x509_module */ |
||
735 | /** |
||
736 | * \brief Unallocate all certificate data |
||
737 | * |
||
738 | * \param crt Certificate chain to free |
||
739 | */ |
||
740 | void x509_free( x509_cert *crt ); |
||
741 | |||
742 | /** \ingroup x509_module */ |
||
743 | /** |
||
744 | * \brief Unallocate all CRL data |
||
745 | * |
||
746 | * \param crl CRL chain to free |
||
747 | */ |
||
748 | void x509_crl_free( x509_crl *crl ); |
||
749 | |||
750 | /** \} name Functions to clear a certificate, CRL or private RSA key */ |
||
751 | |||
752 | |||
753 | /** |
||
754 | * \brief Checkup routine |
||
755 | * |
||
756 | * \return 0 if successful, or 1 if the test failed |
||
757 | */ |
||
758 | int x509_self_test( int verbose ); |
||
759 | |||
760 | #ifdef __cplusplus |
||
761 | } |
||
762 | #endif |
||
763 | |||
764 | #endif /* x509.h */>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>><>><>><>><>><>><>><>><>><>><>><>><>><>><>><>><>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> |