2009-01-03 21:22:43 +00:00
/**
* \ file x509 . h
2009-01-04 16:27:10 +00:00
*
2011-01-06 12:28:03 +00:00
* \ brief X .509 certificate and private key decoding
*
2013-06-27 12:29:21 +00:00
* Copyright ( C ) 2006 - 2013 , Brainspark B . V .
2010-07-18 20:36:00 +00:00
*
* This file is part of PolarSSL ( http : //www.polarssl.org)
2010-07-18 10:13:04 +00:00
* Lead Maintainer : Paul Bakker < polarssl_maintainer at polarssl . org >
2010-07-18 20:36:00 +00:00
*
2009-07-28 17:23:11 +00:00
* All rights reserved .
2009-01-04 16:27:10 +00:00
*
* This program is free software ; you can redistribute it and / or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation ; either version 2 of the License , or
* ( at your option ) any later version .
*
* This program is distributed in the hope that it will be useful ,
* but WITHOUT ANY WARRANTY ; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
* GNU General Public License for more details .
*
* You should have received a copy of the GNU General Public License along
* with this program ; if not , write to the Free Software Foundation , Inc . ,
* 51 Franklin Street , Fifth Floor , Boston , MA 02110 - 1301 USA .
2009-01-03 21:22:43 +00:00
*/
2009-01-03 21:51:57 +00:00
# ifndef POLARSSL_X509_H
# define POLARSSL_X509_H
2009-01-03 21:22:43 +00:00
2013-04-18 20:46:23 +00:00
# include "config.h"
# if defined(POLARSSL_X509_PARSE_C) || defined(POLARSSL_X509_WRITE_C)
2011-11-10 14:43:23 +00:00
# include "asn1.h"
2011-08-15 09:07:52 +00:00
# include "rsa.h"
2013-06-27 09:27:58 +00:00
# include "ecp.h"
2011-08-15 09:07:52 +00:00
# include "dhm.h"
2013-04-07 20:00:46 +00:00
# include "md.h"
2013-04-18 20:46:23 +00:00
# include "pk.h"
2009-01-03 21:22:43 +00:00
2011-01-06 12:28:03 +00:00
/**
2011-01-18 14:58:55 +00:00
* \ addtogroup x509_module
* \ {
2009-07-28 07:18:38 +00:00
*/
2011-01-06 12:28:03 +00:00
/**
2011-01-18 14:58:55 +00:00
* \ name X509 Error codes
* \ {
2011-01-06 12:28:03 +00:00
*/
2011-05-09 16:17:09 +00:00
# define POLARSSL_ERR_X509_FEATURE_UNAVAILABLE -0x2080 /**< Unavailable feature, e.g. RSA hashing/encryption combination. */
# define POLARSSL_ERR_X509_CERT_INVALID_PEM -0x2100 /**< The PEM-encoded certificate contains invalid elements, e.g. invalid character. */
# define POLARSSL_ERR_X509_CERT_INVALID_FORMAT -0x2180 /**< The certificate format is invalid, e.g. different type expected. */
# define POLARSSL_ERR_X509_CERT_INVALID_VERSION -0x2200 /**< The certificate version element is invalid. */
# define POLARSSL_ERR_X509_CERT_INVALID_SERIAL -0x2280 /**< The serial tag or value is invalid. */
# define POLARSSL_ERR_X509_CERT_INVALID_ALG -0x2300 /**< The algorithm tag or value is invalid. */
# define POLARSSL_ERR_X509_CERT_INVALID_NAME -0x2380 /**< The name tag or value is invalid. */
# define POLARSSL_ERR_X509_CERT_INVALID_DATE -0x2400 /**< The date tag or value is invalid. */
# define POLARSSL_ERR_X509_CERT_INVALID_PUBKEY -0x2480 /**< The pubkey tag or value is invalid (only RSA is supported). */
# define POLARSSL_ERR_X509_CERT_INVALID_SIGNATURE -0x2500 /**< The signature tag or value invalid. */
# define POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS -0x2580 /**< The extension tag or value is invalid. */
# define POLARSSL_ERR_X509_CERT_UNKNOWN_VERSION -0x2600 /**< Certificate or CRL has an unsupported version number. */
# define POLARSSL_ERR_X509_CERT_UNKNOWN_SIG_ALG -0x2680 /**< Signature algorithm (oid) is unsupported. */
2013-07-01 14:57:44 +00:00
# define POLARSSL_ERR_X509_UNKNOWN_PK_ALG -0x2700 /**< Key algorithm is unsupported (only RSA and EC are supported). */
2011-05-09 16:17:09 +00:00
# define POLARSSL_ERR_X509_CERT_SIG_MISMATCH -0x2780 /**< Certificate signature algorithms do not match. (see \c ::x509_cert sig_oid) */
# define POLARSSL_ERR_X509_CERT_VERIFY_FAILED -0x2800 /**< Certificate verification failed, e.g. CRL, CA or signature check failed. */
# define POLARSSL_ERR_X509_KEY_INVALID_VERSION -0x2880 /**< Unsupported RSA key version */
# define POLARSSL_ERR_X509_KEY_INVALID_FORMAT -0x2900 /**< Invalid RSA key tag or value. */
2011-12-04 12:24:18 +00:00
# define POLARSSL_ERR_X509_CERT_UNKNOWN_FORMAT -0x2980 /**< Format not recognized as DER or PEM. */
2011-12-10 21:55:01 +00:00
# define POLARSSL_ERR_X509_INVALID_INPUT -0x2A00 /**< Input invalid. */
# define POLARSSL_ERR_X509_MALLOC_FAILED -0x2A80 /**< Allocation of memory failed. */
# define POLARSSL_ERR_X509_FILE_IO_ERROR -0x2B00 /**< Read/write of file failed. */
2013-06-24 17:28:55 +00:00
# define POLARSSL_ERR_X509_PASSWORD_REQUIRED -0x2B80 /**< Private key password can't be empty. */
# define POLARSSL_ERR_X509_PASSWORD_MISMATCH -0x2C00 /**< Given private key password does not allow for correct decryption. */
2013-07-02 12:56:43 +00:00
# define POLARSSL_ERR_X509_UNKNOWN_NAMED_CURVE -0x2C80 /**< Elliptic curve is unsupported (only NIST curves are supported). */
2011-01-18 14:58:55 +00:00
/* \} name */
2009-01-03 21:22:43 +00:00
2011-01-06 12:28:03 +00:00
/**
2011-01-18 14:58:55 +00:00
* \ name X509 Verify codes
* \ {
2009-07-28 07:18:38 +00:00
*/
2011-01-30 17:05:13 +00:00
# define BADCERT_EXPIRED 0x01 /**< The certificate validity has expired. */
# define BADCERT_REVOKED 0x02 /**< The certificate has been revoked (is on a CRL). */
# define BADCERT_CN_MISMATCH 0x04 /**< The certificate Common Name (CN) does not match with the expected CN. */
# define BADCERT_NOT_TRUSTED 0x08 /**< The certificate is not correctly signed by the trusted CA. */
# define BADCRL_NOT_TRUSTED 0x10 /**< CRL is not correctly signed by the trusted CA. */
# define BADCRL_EXPIRED 0x20 /**< CRL is expired. */
# define BADCERT_MISSING 0x40 /**< Certificate was missing. */
# define BADCERT_SKIP_VERIFY 0x80 /**< Certificate verification was skipped. */
2012-09-28 07:10:55 +00:00
# define BADCERT_OTHER 0x0100 /**< Other reason (can be used by verify callback) */
2011-01-18 14:58:55 +00:00
/* \} name */
/* \} addtogroup x509_module */
2009-01-03 21:22:43 +00:00
2011-01-15 16:57:55 +00:00
/*
* X .509 v3 Key Usage Extension flags
*/
# define KU_DIGITAL_SIGNATURE (0x80) /* bit 0 */
# define KU_NON_REPUDIATION (0x40) /* bit 1 */
# define KU_KEY_ENCIPHERMENT (0x20) /* bit 2 */
# define KU_DATA_ENCIPHERMENT (0x10) /* bit 3 */
# define KU_KEY_AGREEMENT (0x08) /* bit 4 */
# define KU_KEY_CERT_SIGN (0x04) /* bit 5 */
# define KU_CRL_SIGN (0x02) /* bit 6 */
/*
* Netscape certificate types
* ( http : //www.mozilla.org/projects/security/pki/nss/tech-notes/tn3.html)
*/
# define NS_CERT_TYPE_SSL_CLIENT (0x80) /* bit 0 */
# define NS_CERT_TYPE_SSL_SERVER (0x40) /* bit 1 */
# define NS_CERT_TYPE_EMAIL (0x20) /* bit 2 */
# define NS_CERT_TYPE_OBJECT_SIGNING (0x10) /* bit 3 */
# define NS_CERT_TYPE_RESERVED (0x08) /* bit 4 */
# define NS_CERT_TYPE_SSL_CA (0x04) /* bit 5 */
# define NS_CERT_TYPE_EMAIL_CA (0x02) /* bit 6 */
# define NS_CERT_TYPE_OBJECT_SIGNING_CA (0x01) /* bit 7 */
2013-04-07 20:00:46 +00:00
/*
* X .509 extension types
*/
2011-01-15 16:57:55 +00:00
# define EXT_AUTHORITY_KEY_IDENTIFIER (1 << 0)
# define EXT_SUBJECT_KEY_IDENTIFIER (1 << 1)
# define EXT_KEY_USAGE (1 << 2)
# define EXT_CERTIFICATE_POLICIES (1 << 3)
# define EXT_POLICY_MAPPINGS (1 << 4)
# define EXT_SUBJECT_ALT_NAME (1 << 5)
# define EXT_ISSUER_ALT_NAME (1 << 6)
# define EXT_SUBJECT_DIRECTORY_ATTRS (1 << 7)
# define EXT_BASIC_CONSTRAINTS (1 << 8)
# define EXT_NAME_CONSTRAINTS (1 << 9)
# define EXT_POLICY_CONSTRAINTS (1 << 10)
# define EXT_EXTENDED_KEY_USAGE (1 << 11)
# define EXT_CRL_DISTRIBUTION_POINTS (1 << 12)
# define EXT_INIHIBIT_ANYPOLICY (1 << 13)
# define EXT_FRESHEST_CRL (1 << 14)
# define EXT_NS_CERT_TYPE (1 << 16)
2009-01-03 21:22:43 +00:00
2011-12-04 12:24:18 +00:00
/*
* Storage format identifiers
* Recognized formats : PEM and DER
*/
# define X509_FORMAT_DER 1
# define X509_FORMAT_PEM 2
2013-06-27 12:29:21 +00:00
# ifdef __cplusplus
extern " C " {
# endif
2011-01-06 12:28:03 +00:00
/**
2011-01-18 14:58:55 +00:00
* \ addtogroup x509_module
* \ { */
2011-01-06 12:28:03 +00:00
/**
2011-01-18 14:58:55 +00:00
* \ name Structures for parsing X .509 certificates and CRLs
* \ {
2011-01-06 12:28:03 +00:00
*/
/**
* Type - length - value structure that allows for ASN1 using DER .
2009-01-03 21:22:43 +00:00
*/
2011-11-10 14:43:23 +00:00
typedef asn1_buf x509_buf ;
2009-01-03 21:22:43 +00:00
2011-01-15 16:57:55 +00:00
/**
* Container for ASN1 bit strings .
*/
2011-11-10 14:43:23 +00:00
typedef asn1_bitstring x509_bitstring ;
2011-01-15 16:57:55 +00:00
2011-01-06 12:28:03 +00:00
/**
* Container for ASN1 named information objects .
* It allows for Relative Distinguished Names ( e . g . cn = polarssl , ou = code , etc . ) .
*/
2009-01-03 21:22:43 +00:00
typedef struct _x509_name
{
2011-01-06 12:28:03 +00:00
x509_buf oid ; /**< The object identifier. */
x509_buf val ; /**< The named value. */
struct _x509_name * next ; /**< The next named information object. */
2009-01-03 21:22:43 +00:00
}
x509_name ;
2011-01-15 16:57:55 +00:00
/**
* Container for a sequence of ASN .1 items
*/
2011-11-10 14:43:23 +00:00
typedef asn1_sequence x509_sequence ;
2011-01-15 16:57:55 +00:00
2011-01-06 12:28:03 +00:00
/** Container for date and time (precision in seconds). */
2009-01-03 21:22:43 +00:00
typedef struct _x509_time
{
2011-01-06 12:28:03 +00:00
int year , mon , day ; /**< Date. */
int hour , min , sec ; /**< Time. */
2009-01-03 21:22:43 +00:00
}
x509_time ;
2011-01-06 12:28:03 +00:00
/**
* Container for an X .509 certificate . The certificate may be chained .
*/
2009-01-03 21:22:43 +00:00
typedef struct _x509_cert
{
2011-01-06 12:28:03 +00:00
x509_buf raw ; /**< The raw certificate data (DER). */
x509_buf tbs ; /**< The raw certificate body (DER). The part that is To Be Signed. */
2009-01-03 21:22:43 +00:00
2011-01-06 12:28:03 +00:00
int version ; /**< The X.509 version. (0=v1, 1=v2, 2=v3) */
x509_buf serial ; /**< Unique id for certificate issued by a specific CA. */
x509_buf sig_oid1 ; /**< Signature algorithm, e.g. sha1RSA */
2009-01-03 21:22:43 +00:00
2011-01-06 12:28:03 +00:00
x509_buf issuer_raw ; /**< The raw issuer data (DER). Used for quick comparison. */
x509_buf subject_raw ; /**< The raw subject data (DER). Used for quick comparison. */
2009-01-03 21:22:43 +00:00
2011-01-06 12:28:03 +00:00
x509_name issuer ; /**< The parsed issuer data (named information object). */
x509_name subject ; /**< The parsed subject data (named information object). */
2009-01-03 21:22:43 +00:00
2011-01-06 12:28:03 +00:00
x509_time valid_from ; /**< Start time of certificate validity. */
x509_time valid_to ; /**< End time of certificate validity. */
2009-01-03 21:22:43 +00:00
2011-01-06 12:28:03 +00:00
x509_buf pk_oid ; /**< Subject public key info. Includes the public key algorithm and the key itself. */
rsa_context rsa ; /**< Container for the RSA context. Only RSA is supported for public keys at this time. */
2009-01-03 21:22:43 +00:00
2011-01-06 12:28:03 +00:00
x509_buf issuer_id ; /**< Optional X.509 v2/v3 issuer unique identifier. */
x509_buf subject_id ; /**< Optional X.509 v2/v3 subject unique identifier. */
x509_buf v3_ext ; /**< Optional X.509 v3 extensions. Only Basic Contraints are supported at this time. */
2012-02-11 16:09:32 +00:00
x509_sequence subject_alt_names ; /**< Optional list of Subject Alternative Names (Only dNSName supported). */
2009-01-03 21:22:43 +00:00
2011-01-15 16:57:55 +00:00
int ext_types ; /**< Bit string containing detected and parsed extensions */
2011-01-06 12:28:03 +00:00
int ca_istrue ; /**< Optional Basic Constraint extension value: 1 if this certificate belongs to a CA, 0 otherwise. */
2012-09-28 07:10:55 +00:00
int max_pathlen ; /**< Optional Basic Constraint extension value: The maximum path length to the root certificate. Path length is 1 higher than RFC 5280 'meaning', so 1+ */
2009-01-03 21:22:43 +00:00
2011-01-15 16:57:55 +00:00
unsigned char key_usage ; /**< Optional key usage extension value: See the values below */
x509_sequence ext_key_usage ; /**< Optional list of extended key usage OIDs. */
unsigned char ns_cert_type ; /**< Optional Netscape certificate type extension value: See the values below */
2011-01-06 12:28:03 +00:00
x509_buf sig_oid2 ; /**< Signature algorithm. Must match sig_oid1. */
x509_buf sig ; /**< Signature: hash of the tbs part signed with the private key. */
2013-04-07 20:00:46 +00:00
md_type_t sig_md ; /**< Internal representation of the MD algorithm of the signature algorithm, e.g. POLARSSL_MD_SHA256 */
pk_type_t sig_pk /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. POLARSSL_PK_RSA */ ;
2009-01-03 21:22:43 +00:00
2011-01-06 12:28:03 +00:00
struct _x509_cert * next ; /**< Next certificate in the CA-chain. */
2009-01-03 21:22:43 +00:00
}
x509_cert ;
2011-01-06 12:28:03 +00:00
/**
* Certificate revocation list entry .
* Contains the CA - specific serial numbers and revocation dates .
*/
2009-05-02 15:13:40 +00:00
typedef struct _x509_crl_entry
{
x509_buf raw ;
x509_buf serial ;
x509_time revocation_date ;
x509_buf entry_ext ;
struct _x509_crl_entry * next ;
}
x509_crl_entry ;
2011-01-06 12:28:03 +00:00
/**
* Certificate revocation list structure .
* Every CRL may have multiple entries .
*/
2009-05-02 15:13:40 +00:00
typedef struct _x509_crl
{
2011-01-06 12:28:03 +00:00
x509_buf raw ; /**< The raw certificate data (DER). */
x509_buf tbs ; /**< The raw certificate body (DER). The part that is To Be Signed. */
2009-05-02 15:13:40 +00:00
int version ;
x509_buf sig_oid1 ;
2011-01-06 12:28:03 +00:00
x509_buf issuer_raw ; /**< The raw issuer data (DER). */
2009-05-02 15:13:40 +00:00
2011-01-06 12:28:03 +00:00
x509_name issuer ; /**< The parsed issuer data (named information object). */
2009-05-02 15:13:40 +00:00
2011-01-06 12:28:03 +00:00
x509_time this_update ;
2009-05-02 15:13:40 +00:00
x509_time next_update ;
2011-01-06 12:28:03 +00:00
x509_crl_entry entry ; /**< The CRL entries containing the certificate revocation times for this CA. */
2009-05-02 15:13:40 +00:00
x509_buf crl_ext ;
x509_buf sig_oid2 ;
x509_buf sig ;
2013-04-07 20:00:46 +00:00
md_type_t sig_md ; /**< Internal representation of the MD algorithm of the signature algorithm, e.g. POLARSSL_MD_SHA256 */
pk_type_t sig_pk /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. POLARSSL_PK_RSA */ ;
2009-05-02 15:13:40 +00:00
struct _x509_crl * next ;
}
x509_crl ;
2011-01-18 14:58:55 +00:00
/** \} name Structures for parsing X.509 certificates and CRLs */
/** \} addtogroup x509_module */
2009-05-02 15:13:40 +00:00
2011-01-06 12:28:03 +00:00
/**
2011-01-18 14:58:55 +00:00
* \ name Structures for writing X .509 certificates .
2011-01-06 12:28:03 +00:00
* XvP : commented out as they are not used .
* - < tt > typedef struct _x509_node x509_node ; < / tt >
* - < tt > typedef struct _x509_raw x509_raw ; < / tt >
2009-01-03 21:22:43 +00:00
*/
2011-01-06 12:28:03 +00:00
/*
2009-01-03 21:22:43 +00:00
typedef struct _x509_node
{
unsigned char * data ;
unsigned char * p ;
unsigned char * end ;
size_t len ;
}
x509_node ;
typedef struct _x509_raw
{
x509_node raw ;
x509_node tbs ;
x509_node version ;
x509_node serial ;
x509_node tbs_signalg ;
x509_node issuer ;
x509_node validity ;
x509_node subject ;
x509_node subpubkey ;
x509_node signalg ;
x509_node sign ;
}
x509_raw ;
2011-01-06 12:28:03 +00:00
*/
2009-01-03 21:22:43 +00:00
2011-01-06 12:28:03 +00:00
/**
2011-01-18 14:58:55 +00:00
* \ name Functions to read in DHM parameters , a certificate , CRL or private RSA key
* \ {
2011-01-06 12:28:03 +00:00
*/
2011-01-18 14:58:55 +00:00
/** \ingroup x509_module */
2013-06-24 17:06:15 +00:00
/**
* \ brief Parse a single DER formatted certificate and add it
* to the chained list .
*
* \ param chain points to the start of the chain
* \ param buf buffer holding the certificate DER data
* \ param buflen size of the buffer
*
* \ return 0 if successful , or a specific X509 or PEM error code
*/
int x509parse_crt_der ( x509_cert * chain , const unsigned char * buf , size_t buflen ) ;
2009-01-03 21:22:43 +00:00
/**
* \ brief Parse one or more certificates and add them
2011-12-10 21:55:01 +00:00
* to the chained list . Parses permissively . If some
* certificates can be parsed , the result is the number
* of failed certificates it encountered . If none complete
* correctly , the first error is returned .
2009-01-03 21:22:43 +00:00
*
* \ param chain points to the start of the chain
* \ param buf buffer holding the certificate data
* \ param buflen size of the buffer
*
2011-12-10 21:55:01 +00:00
* \ return 0 if all certificates parsed successfully , a positive number
* if partly successful or a specific X509 or PEM error code
2009-01-03 21:22:43 +00:00
*/
2011-12-10 21:55:01 +00:00
int x509parse_crt ( x509_cert * chain , const unsigned char * buf , size_t buflen ) ;
2009-01-03 21:22:43 +00:00
2011-01-18 14:58:55 +00:00
/** \ingroup x509_module */
2009-01-03 21:22:43 +00:00
/**
* \ brief Load one or more certificates and add them
2011-12-10 21:55:01 +00:00
* to the chained list . Parses permissively . If some
* certificates can be parsed , the result is the number
* of failed certificates it encountered . If none complete
* correctly , the first error is returned .
2009-01-03 21:22:43 +00:00
*
* \ param chain points to the start of the chain
* \ param path filename to read the certificates from
*
2011-12-10 21:55:01 +00:00
* \ return 0 if all certificates parsed successfully , a positive number
* if partly successful or a specific X509 or PEM error code
2009-01-03 21:22:43 +00:00
*/
2011-12-10 21:55:01 +00:00
int x509parse_crtfile ( x509_cert * chain , const char * path ) ;
2009-01-03 21:22:43 +00:00
2012-06-04 12:46:42 +00:00
/** \ingroup x509_module */
/**
* \ brief Load one or more certificate files from a path and add them
* to the chained list . Parses permissively . If some
* certificates can be parsed , the result is the number
* of failed certificates it encountered . If none complete
* correctly , the first error is returned .
*
* \ param chain points to the start of the chain
* \ param path directory / folder to read the certificate files from
*
* \ return 0 if all certificates parsed successfully , a positive number
* if partly successful or a specific X509 or PEM error code
*/
int x509parse_crtpath ( x509_cert * chain , const char * path ) ;
2011-01-18 14:58:55 +00:00
/** \ingroup x509_module */
2009-05-02 15:13:40 +00:00
/**
* \ brief Parse one or more CRLs and add them
* to the chained list
*
* \ param chain points to the start of the chain
* \ param buf buffer holding the CRL data
* \ param buflen size of the buffer
*
2011-02-12 14:30:57 +00:00
* \ return 0 if successful , or a specific X509 or PEM error code
2009-05-02 15:13:40 +00:00
*/
2011-04-24 08:57:21 +00:00
int x509parse_crl ( x509_crl * chain , const unsigned char * buf , size_t buflen ) ;
2009-05-02 15:13:40 +00:00
2011-01-18 14:58:55 +00:00
/** \ingroup x509_module */
2009-05-02 15:13:40 +00:00
/**
* \ brief Load one or more CRLs and add them
* to the chained list
*
* \ param chain points to the start of the chain
* \ param path filename to read the CRLs from
*
2011-02-12 14:30:57 +00:00
* \ return 0 if successful , or a specific X509 or PEM error code
2009-05-02 15:13:40 +00:00
*/
2010-03-16 21:09:09 +00:00
int x509parse_crlfile ( x509_crl * chain , const char * path ) ;
2009-05-02 15:13:40 +00:00
2011-01-18 14:58:55 +00:00
/** \ingroup x509_module */
2009-01-03 21:22:43 +00:00
/**
* \ brief Parse a private RSA key
*
* \ param rsa RSA context to be initialized
2010-03-16 21:09:09 +00:00
* \ param key input buffer
* \ param keylen size of the buffer
2009-01-03 21:22:43 +00:00
* \ param pwd password for decryption ( optional )
* \ param pwdlen size of the password
*
2011-02-12 14:30:57 +00:00
* \ return 0 if successful , or a specific X509 or PEM error code
2009-01-03 21:22:43 +00:00
*/
2013-06-27 08:51:01 +00:00
int x509parse_key_rsa ( rsa_context * rsa ,
const unsigned char * key , size_t keylen ,
const unsigned char * pwd , size_t pwdlen ) ;
2009-01-03 21:22:43 +00:00
2011-01-18 14:58:55 +00:00
/** \ingroup x509_module */
2009-01-03 21:22:43 +00:00
/**
* \ brief Load and parse a private RSA key
*
* \ param rsa RSA context to be initialized
* \ param path filename to read the private key from
2011-01-06 12:28:03 +00:00
* \ param password password to decrypt the file ( can be NULL )
2009-01-03 21:22:43 +00:00
*
2011-02-12 14:30:57 +00:00
* \ return 0 if successful , or a specific X509 or PEM error code
2009-01-03 21:22:43 +00:00
*/
2013-06-27 08:51:01 +00:00
int x509parse_keyfile_rsa ( rsa_context * rsa , const char * path ,
const char * password ) ;
2011-01-06 15:48:19 +00:00
2011-03-25 14:23:36 +00:00
/** \ingroup x509_module */
/**
* \ brief Parse a public RSA key
*
* \ param rsa RSA context to be initialized
* \ param key input buffer
* \ param keylen size of the buffer
*
* \ return 0 if successful , or a specific X509 or PEM error code
*/
2013-06-27 08:51:01 +00:00
int x509parse_public_key_rsa ( rsa_context * rsa ,
const unsigned char * key , size_t keylen ) ;
2011-03-25 14:23:36 +00:00
/** \ingroup x509_module */
/**
* \ brief Load and parse a public RSA key
*
* \ param rsa RSA context to be initialized
* \ param path filename to read the private key from
*
* \ return 0 if successful , or a specific X509 or PEM error code
*/
2013-06-27 08:51:01 +00:00
int x509parse_public_keyfile_rsa ( rsa_context * rsa , const char * path ) ;
2011-03-25 14:23:36 +00:00
2013-06-27 09:27:58 +00:00
/** \ingroup x509_module */
/**
* \ brief Parse a private EC key
*
* \ param eckey EC key to be initialized
* \ param key input buffer
* \ param keylen size of the buffer
* \ param pwd password for decryption ( optional )
* \ param pwdlen size of the password
*
* \ return 0 if successful , or a specific X509 or PEM error code
*/
int x509parse_key_ec ( ecp_keypair * eckey ,
const unsigned char * key , size_t keylen ,
const unsigned char * pwd , size_t pwdlen ) ;
/** \ingroup x509_module */
/**
* \ brief Load and parse a private EC key
*
* \ param eckey EC key to be initialized
* \ param path filename to read the private key from
* \ param password password to decrypt the file ( can be NULL )
*
* \ return 0 if successful , or a specific X509 or PEM error code
*/
int x509parse_keyfile_ec ( ecp_keypair * eckey ,
const char * path , const char * password ) ;
/** \ingroup x509_module */
/**
* \ brief Parse a public EC key
*
* \ param eckey EC key to be initialized
* \ param key input buffer
* \ param keylen size of the buffer
*
* \ return 0 if successful , or a specific X509 or PEM error code
*/
int x509parse_public_key_ec ( ecp_keypair * eckey ,
const unsigned char * key , size_t keylen ) ;
/** \ingroup x509_module */
/**
* \ brief Load and parse a public EC key
*
* \ param eckey EC key to be initialized
* \ param path filename to read the private key from
*
* \ return 0 if successful , or a specific X509 or PEM error code
*/
int x509parse_public_keyfile_ec ( ecp_keypair * eckey , const char * path ) ;
2011-01-18 14:58:55 +00:00
/** \ingroup x509_module */
2011-01-06 15:48:19 +00:00
/**
* \ brief Parse DHM parameters
*
* \ param dhm DHM context to be initialized
* \ param dhmin input buffer
* \ param dhminlen size of the buffer
*
2011-02-12 14:30:57 +00:00
* \ return 0 if successful , or a specific X509 or PEM error code
2011-01-06 15:48:19 +00:00
*/
2011-04-24 08:57:21 +00:00
int x509parse_dhm ( dhm_context * dhm , const unsigned char * dhmin , size_t dhminlen ) ;
2011-01-06 15:48:19 +00:00
2011-01-18 14:58:55 +00:00
/** \ingroup x509_module */
2011-01-06 15:48:19 +00:00
/**
* \ brief Load and parse DHM parameters
*
* \ param dhm DHM context to be initialized
* \ param path filename to read the DHM Parameters from
*
2011-02-12 14:30:57 +00:00
* \ return 0 if successful , or a specific X509 or PEM error code
2011-01-06 15:48:19 +00:00
*/
2011-01-27 15:24:17 +00:00
int x509parse_dhmfile ( dhm_context * dhm , const char * path ) ;
2011-01-06 15:48:19 +00:00
2011-01-18 14:58:55 +00:00
/** \} name Functions to read in DHM parameters, a certificate, CRL or private RSA key */
2011-01-06 12:28:03 +00:00
2009-01-03 21:22:43 +00:00
/**
* \ brief Store the certificate DN in printable form into buf ;
2009-05-02 15:13:40 +00:00
* no more than size characters will be written .
2009-07-28 07:18:38 +00:00
*
* \ param buf Buffer to write to
* \ param size Maximum size of buffer
* \ param dn The X509 name to represent
*
* \ return The amount of data written to the buffer , or - 1 in
* case of an error .
2009-01-03 21:22:43 +00:00
*/
2010-03-16 21:09:09 +00:00
int x509parse_dn_gets ( char * buf , size_t size , const x509_name * dn ) ;
2009-01-03 21:22:43 +00:00
2011-01-16 21:34:59 +00:00
/**
* \ brief Store the certificate serial in printable form into buf ;
* no more than size characters will be written .
*
* \ param buf Buffer to write to
* \ param size Maximum size of buffer
* \ param serial The X509 serial to represent
*
* \ return The amount of data written to the buffer , or - 1 in
* case of an error .
*/
int x509parse_serial_gets ( char * buf , size_t size , const x509_buf * serial ) ;
2009-01-03 21:22:43 +00:00
/**
* \ brief Returns an informational string about the
* certificate .
2009-07-28 07:18:38 +00:00
*
* \ param buf Buffer to write to
* \ param size Maximum size of buffer
* \ param prefix A line prefix
* \ param crt The X509 certificate to represent
*
* \ return The amount of data written to the buffer , or - 1 in
* case of an error .
2009-01-03 21:22:43 +00:00
*/
2010-03-16 21:09:09 +00:00
int x509parse_cert_info ( char * buf , size_t size , const char * prefix ,
const x509_cert * crt ) ;
2009-05-02 15:13:40 +00:00
/**
* \ brief Returns an informational string about the
* CRL .
2009-07-28 07:18:38 +00:00
*
* \ param buf Buffer to write to
* \ param size Maximum size of buffer
* \ param prefix A line prefix
2011-01-06 12:28:03 +00:00
* \ param crl The X509 CRL to represent
2009-07-28 07:18:38 +00:00
*
* \ return The amount of data written to the buffer , or - 1 in
* case of an error .
2009-05-02 15:13:40 +00:00
*/
2010-03-16 21:09:09 +00:00
int x509parse_crl_info ( char * buf , size_t size , const char * prefix ,
const x509_crl * crl ) ;
2009-01-03 21:22:43 +00:00
2011-01-15 16:57:55 +00:00
/**
* \ brief Give an known OID , return its descriptive string .
*
* \ param oid buffer containing the oid
*
* \ return Return a string if the OID is known ,
* or NULL otherwise .
*/
const char * x509_oid_get_description ( x509_buf * oid ) ;
2012-11-14 12:39:52 +00:00
/**
2011-01-15 16:57:55 +00:00
* \ brief Give an OID , return a string version of its OID number .
2013-04-07 20:34:26 +00:00
* ( Deprecated . Use oid_get_numeric_string ( ) instead )
2011-01-15 16:57:55 +00:00
*
* \ param buf Buffer to write to
* \ param size Maximum size of buffer
* \ param oid Buffer containing the OID
*
* \ return The amount of data written to the buffer , or - 1 in
* case of an error .
*/
int x509_oid_get_numeric_string ( char * buf , size_t size , x509_buf * oid ) ;
2009-01-03 21:22:43 +00:00
/**
2009-07-28 07:18:38 +00:00
* \ brief Check a given x509_time against the system time and check
* if it is valid .
*
* \ param time x509_time to check
*
* \ return Return 0 if the x509_time is still valid ,
2009-05-03 10:18:48 +00:00
* or 1 otherwise .
2009-01-03 21:22:43 +00:00
*/
2010-03-16 21:09:09 +00:00
int x509parse_time_expired ( const x509_time * time ) ;
2009-01-03 21:22:43 +00:00
2011-01-06 12:28:03 +00:00
/**
2011-01-18 14:58:55 +00:00
* \ name Functions to verify a certificate
* \ {
2011-01-06 12:28:03 +00:00
*/
2011-01-18 14:58:55 +00:00
/** \ingroup x509_module */
2009-01-03 21:22:43 +00:00
/**
* \ brief Verify the certificate signature
*
2012-09-28 07:10:55 +00:00
* The verify callback is a user - supplied callback that
* can clear / modify / add flags for a certificate . If set ,
* the verification callback is called for each
* certificate in the chain ( from the trust - ca down to the
* presented crt ) . The parameters for the callback are :
* ( void * parameter , x509_cert * crt , int certificate_depth ,
* int * flags ) . With the flags representing current flags for
* that specific certificate and the certificate depth from
2012-11-14 12:39:52 +00:00
* the bottom ( Peer cert depth = 0 ) .
2012-09-28 07:10:55 +00:00
*
* All flags left after returning from the callback
* are also returned to the application . The function should
* return 0 for anything but a fatal error .
*
2009-01-03 21:22:43 +00:00
* \ param crt a certificate to be verified
* \ param trust_ca the trusted CA chain
2009-05-03 10:18:48 +00:00
* \ param ca_crl the CRL chain for trusted CA ' s
2009-01-03 21:22:43 +00:00
* \ param cn expected Common Name ( can be set to
* NULL if the CN must not be verified )
* \ param flags result of the verification
2011-01-13 17:54:59 +00:00
* \ param f_vrfy verification function
* \ param p_vrfy verification parameter
2009-01-03 21:22:43 +00:00
*
2009-01-03 21:51:57 +00:00
* \ return 0 if successful or POLARSSL_ERR_X509_SIG_VERIFY_FAILED ,
2009-01-03 21:22:43 +00:00
* in which case * flags will have one or more of
* the following values set :
* BADCERT_EXPIRED - -
* BADCERT_REVOKED - -
* BADCERT_CN_MISMATCH - -
* BADCERT_NOT_TRUSTED
2012-09-28 07:10:55 +00:00
* or another error in case of a fatal error encountered
* during the verification process .
2009-01-03 21:22:43 +00:00
*/
int x509parse_verify ( x509_cert * crt ,
x509_cert * trust_ca ,
2009-05-03 10:18:48 +00:00
x509_crl * ca_crl ,
2011-01-13 17:54:59 +00:00
const char * cn , int * flags ,
2012-09-28 07:10:55 +00:00
int ( * f_vrfy ) ( void * , x509_cert * , int , int * ) ,
2011-01-13 17:54:59 +00:00
void * p_vrfy ) ;
2009-01-03 21:22:43 +00:00
2011-01-15 16:57:55 +00:00
/**
* \ brief Verify the certificate signature
*
* \ param crt a certificate to be verified
* \ param crl the CRL to verify against
*
* \ return 1 if the certificate is revoked , 0 otherwise
*
*/
int x509parse_revoked ( const x509_cert * crt , const x509_crl * crl ) ;
2011-01-18 14:58:55 +00:00
/** \} name Functions to verify a certificate */
2011-01-06 12:28:03 +00:00
/**
2011-01-18 14:58:55 +00:00
* \ name Functions to clear a certificate , CRL or private RSA key
* \ {
2011-01-06 12:28:03 +00:00
*/
2011-01-18 14:58:55 +00:00
/** \ingroup x509_module */
2009-01-03 21:22:43 +00:00
/**
* \ brief Unallocate all certificate data
2009-07-28 07:18:38 +00:00
*
* \ param crt Certificate chain to free
2009-01-03 21:22:43 +00:00
*/
void x509_free ( x509_cert * crt ) ;
2011-01-18 14:58:55 +00:00
/** \ingroup x509_module */
2009-05-02 15:13:40 +00:00
/**
* \ brief Unallocate all CRL data
2009-07-28 07:18:38 +00:00
*
2011-01-06 12:28:03 +00:00
* \ param crl CRL chain to free
2009-05-02 15:13:40 +00:00
*/
void x509_crl_free ( x509_crl * crl ) ;
2011-01-18 14:58:55 +00:00
/** \} name Functions to clear a certificate, CRL or private RSA key */
2011-01-06 12:28:03 +00:00
2009-01-03 21:22:43 +00:00
/**
* \ brief Checkup routine
*
* \ return 0 if successful , or 1 if the test failed
*/
int x509_self_test ( int verbose ) ;
# ifdef __cplusplus
}
# endif
2013-04-18 20:46:23 +00:00
# endif /* POLARSSL_X509_PARSE_C || POLARSSL_X509_WRITE_C */
2009-01-03 21:22:43 +00:00
# endif /* x509.h */