441 lines
12 KiB
C
441 lines
12 KiB
C
/**
|
|
* \file x509.h
|
|
*
|
|
* Copyright (C) 2006-2009, Paul Bakker <polarssl_maintainer at polarssl.org>
|
|
* All rights reserved.
|
|
*
|
|
* Joined copyright on original XySSL code with: Christophe Devine
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License as published by
|
|
* the Free Software Foundation; either version 2 of the License, or
|
|
* (at your option) any later version.
|
|
*
|
|
* This program is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License along
|
|
* with this program; if not, write to the Free Software Foundation, Inc.,
|
|
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
|
*/
|
|
#ifndef POLARSSL_X509_H
|
|
#define POLARSSL_X509_H
|
|
|
|
#include "polarssl/rsa.h"
|
|
|
|
/*
|
|
* ASN1 Error codes
|
|
*
|
|
* These error codes will be OR'ed to X509 error codes for
|
|
* higher error granularity.
|
|
*/
|
|
#define POLARSSL_ERR_ASN1_OUT_OF_DATA 0x0014
|
|
#define POLARSSL_ERR_ASN1_UNEXPECTED_TAG 0x0016
|
|
#define POLARSSL_ERR_ASN1_INVALID_LENGTH 0x0018
|
|
#define POLARSSL_ERR_ASN1_LENGTH_MISMATCH 0x001A
|
|
#define POLARSSL_ERR_ASN1_INVALID_DATA 0x001C
|
|
|
|
/*
|
|
* X509 Error codes
|
|
*/
|
|
#define POLARSSL_ERR_X509_FEATURE_UNAVAILABLE -0x0020
|
|
#define POLARSSL_ERR_X509_CERT_INVALID_PEM -0x0040
|
|
#define POLARSSL_ERR_X509_CERT_INVALID_FORMAT -0x0060
|
|
#define POLARSSL_ERR_X509_CERT_INVALID_VERSION -0x0080
|
|
#define POLARSSL_ERR_X509_CERT_INVALID_SERIAL -0x00A0
|
|
#define POLARSSL_ERR_X509_CERT_INVALID_ALG -0x00C0
|
|
#define POLARSSL_ERR_X509_CERT_INVALID_NAME -0x00E0
|
|
#define POLARSSL_ERR_X509_CERT_INVALID_DATE -0x0100
|
|
#define POLARSSL_ERR_X509_CERT_INVALID_PUBKEY -0x0120
|
|
#define POLARSSL_ERR_X509_CERT_INVALID_SIGNATURE -0x0140
|
|
#define POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS -0x0160
|
|
#define POLARSSL_ERR_X509_CERT_UNKNOWN_VERSION -0x0180
|
|
#define POLARSSL_ERR_X509_CERT_UNKNOWN_SIG_ALG -0x01A0
|
|
#define POLARSSL_ERR_X509_CERT_UNKNOWN_PK_ALG -0x01C0
|
|
#define POLARSSL_ERR_X509_CERT_SIG_MISMATCH -0x01E0
|
|
#define POLARSSL_ERR_X509_CERT_VERIFY_FAILED -0x0200
|
|
#define POLARSSL_ERR_X509_KEY_INVALID_PEM -0x0220
|
|
#define POLARSSL_ERR_X509_KEY_INVALID_VERSION -0x0240
|
|
#define POLARSSL_ERR_X509_KEY_INVALID_FORMAT -0x0260
|
|
#define POLARSSL_ERR_X509_KEY_INVALID_ENC_IV -0x0280
|
|
#define POLARSSL_ERR_X509_KEY_UNKNOWN_ENC_ALG -0x02A0
|
|
#define POLARSSL_ERR_X509_KEY_PASSWORD_REQUIRED -0x02C0
|
|
#define POLARSSL_ERR_X509_KEY_PASSWORD_MISMATCH -0x02E0
|
|
#define POLARSSL_ERR_X509_POINT_ERROR -0x0300
|
|
#define POLARSSL_ERR_X509_VALUE_TO_LENGTH -0x0320
|
|
|
|
/*
|
|
* X509 Verify codes
|
|
*/
|
|
#define BADCERT_EXPIRED 1
|
|
#define BADCERT_REVOKED 2
|
|
#define BADCERT_CN_MISMATCH 4
|
|
#define BADCERT_NOT_TRUSTED 8
|
|
#define BADCRL_NOT_TRUSTED 16
|
|
#define BADCRL_EXPIRED 32
|
|
|
|
/*
|
|
* DER constants
|
|
*/
|
|
#define ASN1_BOOLEAN 0x01
|
|
#define ASN1_INTEGER 0x02
|
|
#define ASN1_BIT_STRING 0x03
|
|
#define ASN1_OCTET_STRING 0x04
|
|
#define ASN1_NULL 0x05
|
|
#define ASN1_OID 0x06
|
|
#define ASN1_UTF8_STRING 0x0C
|
|
#define ASN1_SEQUENCE 0x10
|
|
#define ASN1_SET 0x11
|
|
#define ASN1_PRINTABLE_STRING 0x13
|
|
#define ASN1_T61_STRING 0x14
|
|
#define ASN1_IA5_STRING 0x16
|
|
#define ASN1_UTC_TIME 0x17
|
|
#define ASN1_GENERALIZED_TIME 0x18
|
|
#define ASN1_UNIVERSAL_STRING 0x1C
|
|
#define ASN1_BMP_STRING 0x1E
|
|
#define ASN1_PRIMITIVE 0x00
|
|
#define ASN1_CONSTRUCTED 0x20
|
|
#define ASN1_CONTEXT_SPECIFIC 0x80
|
|
|
|
/*
|
|
* various object identifiers
|
|
*/
|
|
#define X520_COMMON_NAME 3
|
|
#define X520_COUNTRY 6
|
|
#define X520_LOCALITY 7
|
|
#define X520_STATE 8
|
|
#define X520_ORGANIZATION 10
|
|
#define X520_ORG_UNIT 11
|
|
#define PKCS9_EMAIL 1
|
|
|
|
#define X509_OUTPUT_DER 0x01
|
|
#define X509_OUTPUT_PEM 0x02
|
|
#define PEM_LINE_LENGTH 72
|
|
#define X509_ISSUER 0x01
|
|
#define X509_SUBJECT 0x02
|
|
|
|
#define OID_X520 "\x55\x04"
|
|
#define OID_CN "\x55\x04\x03"
|
|
#define OID_PKCS1 "\x2A\x86\x48\x86\xF7\x0D\x01\x01"
|
|
#define OID_PKCS1_RSA "\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01"
|
|
#define OID_PKCS1_RSA_SHA "\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05"
|
|
#define OID_PKCS9 "\x2A\x86\x48\x86\xF7\x0D\x01\x09"
|
|
#define OID_PKCS9_EMAIL "\x2A\x86\x48\x86\xF7\x0D\x01\x09\x01"
|
|
|
|
/*
|
|
* Structures for parsing X.509 certificates
|
|
*/
|
|
typedef struct _x509_buf
|
|
{
|
|
int tag;
|
|
int len;
|
|
unsigned char *p;
|
|
}
|
|
x509_buf;
|
|
|
|
typedef struct _x509_name
|
|
{
|
|
x509_buf oid;
|
|
x509_buf val;
|
|
struct _x509_name *next;
|
|
}
|
|
x509_name;
|
|
|
|
typedef struct _x509_time
|
|
{
|
|
int year, mon, day;
|
|
int hour, min, sec;
|
|
}
|
|
x509_time;
|
|
|
|
typedef struct _x509_cert
|
|
{
|
|
x509_buf raw;
|
|
x509_buf tbs;
|
|
|
|
int version;
|
|
x509_buf serial;
|
|
x509_buf sig_oid1;
|
|
|
|
x509_buf issuer_raw;
|
|
x509_buf subject_raw;
|
|
|
|
x509_name issuer;
|
|
x509_name subject;
|
|
|
|
x509_time valid_from;
|
|
x509_time valid_to;
|
|
|
|
x509_buf pk_oid;
|
|
rsa_context rsa;
|
|
|
|
x509_buf issuer_id;
|
|
x509_buf subject_id;
|
|
x509_buf v3_ext;
|
|
|
|
int ca_istrue;
|
|
int max_pathlen;
|
|
|
|
x509_buf sig_oid2;
|
|
x509_buf sig;
|
|
|
|
struct _x509_cert *next;
|
|
}
|
|
x509_cert;
|
|
|
|
typedef struct _x509_crl_entry
|
|
{
|
|
x509_buf raw;
|
|
|
|
x509_buf serial;
|
|
|
|
x509_time revocation_date;
|
|
|
|
x509_buf entry_ext;
|
|
|
|
struct _x509_crl_entry *next;
|
|
}
|
|
x509_crl_entry;
|
|
|
|
typedef struct _x509_crl
|
|
{
|
|
x509_buf raw;
|
|
x509_buf tbs;
|
|
|
|
int version;
|
|
x509_buf sig_oid1;
|
|
|
|
x509_buf issuer_raw;
|
|
|
|
x509_name issuer;
|
|
|
|
x509_time this_update;
|
|
x509_time next_update;
|
|
|
|
x509_crl_entry entry;
|
|
|
|
x509_buf crl_ext;
|
|
|
|
x509_buf sig_oid2;
|
|
x509_buf sig;
|
|
|
|
struct _x509_crl *next;
|
|
}
|
|
x509_crl;
|
|
|
|
/*
|
|
* Structures for writing X.509 certificates
|
|
*/
|
|
typedef struct _x509_node
|
|
{
|
|
unsigned char *data;
|
|
unsigned char *p;
|
|
unsigned char *end;
|
|
|
|
size_t len;
|
|
}
|
|
x509_node;
|
|
|
|
typedef struct _x509_raw
|
|
{
|
|
x509_node raw;
|
|
x509_node tbs;
|
|
|
|
x509_node version;
|
|
x509_node serial;
|
|
x509_node tbs_signalg;
|
|
x509_node issuer;
|
|
x509_node validity;
|
|
x509_node subject;
|
|
x509_node subpubkey;
|
|
|
|
x509_node signalg;
|
|
x509_node sign;
|
|
}
|
|
x509_raw;
|
|
|
|
#ifdef __cplusplus
|
|
extern "C" {
|
|
#endif
|
|
|
|
/**
|
|
* \brief Parse one or more certificates and add them
|
|
* to the chained list
|
|
*
|
|
* \param chain points to the start of the chain
|
|
* \param buf buffer holding the certificate data
|
|
* \param buflen size of the buffer
|
|
*
|
|
* \return 0 if successful, or a specific X509 error code
|
|
*/
|
|
int x509parse_crt( x509_cert *chain, const unsigned char *buf, int buflen );
|
|
|
|
/**
|
|
* \brief Load one or more certificates and add them
|
|
* to the chained list
|
|
*
|
|
* \param chain points to the start of the chain
|
|
* \param path filename to read the certificates from
|
|
*
|
|
* \return 0 if successful, or a specific X509 error code
|
|
*/
|
|
int x509parse_crtfile( x509_cert *chain, const char *path );
|
|
|
|
/**
|
|
* \brief Parse one or more CRLs and add them
|
|
* to the chained list
|
|
*
|
|
* \param chain points to the start of the chain
|
|
* \param buf buffer holding the CRL data
|
|
* \param buflen size of the buffer
|
|
*
|
|
* \return 0 if successful, or a specific X509 error code
|
|
*/
|
|
int x509parse_crl( x509_crl *chain, const unsigned char *buf, int buflen );
|
|
|
|
/**
|
|
* \brief Load one or more CRLs and add them
|
|
* to the chained list
|
|
*
|
|
* \param chain points to the start of the chain
|
|
* \param path filename to read the CRLs from
|
|
*
|
|
* \return 0 if successful, or a specific X509 error code
|
|
*/
|
|
int x509parse_crlfile( x509_crl *chain, const char *path );
|
|
|
|
/**
|
|
* \brief Parse a private RSA key
|
|
*
|
|
* \param rsa RSA context to be initialized
|
|
* \param key input buffer
|
|
* \param keylen size of the buffer
|
|
* \param pwd password for decryption (optional)
|
|
* \param pwdlen size of the password
|
|
*
|
|
* \return 0 if successful, or a specific X509 error code
|
|
*/
|
|
int x509parse_key( rsa_context *rsa,
|
|
const unsigned char *key, int keylen,
|
|
const unsigned char *pwd, int pwdlen );
|
|
|
|
/**
|
|
* \brief Load and parse a private RSA key
|
|
*
|
|
* \param rsa RSA context to be initialized
|
|
* \param path filename to read the private key from
|
|
* \param pwd password to decrypt the file (can be NULL)
|
|
*
|
|
* \return 0 if successful, or a specific X509 error code
|
|
*/
|
|
int x509parse_keyfile( rsa_context *rsa, const char *path,
|
|
const char *password );
|
|
|
|
/**
|
|
* \brief Store the certificate DN in printable form into buf;
|
|
* no more than size characters will be written.
|
|
*
|
|
* \param buf Buffer to write to
|
|
* \param size Maximum size of buffer
|
|
* \param dn The X509 name to represent
|
|
*
|
|
* \return The amount of data written to the buffer, or -1 in
|
|
* case of an error.
|
|
*/
|
|
int x509parse_dn_gets( char *buf, size_t size, const x509_name *dn );
|
|
|
|
/**
|
|
* \brief Returns an informational string about the
|
|
* certificate.
|
|
*
|
|
* \param buf Buffer to write to
|
|
* \param size Maximum size of buffer
|
|
* \param prefix A line prefix
|
|
* \param crt The X509 certificate to represent
|
|
*
|
|
* \return The amount of data written to the buffer, or -1 in
|
|
* case of an error.
|
|
*/
|
|
int x509parse_cert_info( char *buf, size_t size, const char *prefix,
|
|
const x509_cert *crt );
|
|
|
|
/**
|
|
* \brief Returns an informational string about the
|
|
* CRL.
|
|
*
|
|
* \param buf Buffer to write to
|
|
* \param size Maximum size of buffer
|
|
* \param prefix A line prefix
|
|
* \param crt The X509 CRL to represent
|
|
*
|
|
* \return The amount of data written to the buffer, or -1 in
|
|
* case of an error.
|
|
*/
|
|
int x509parse_crl_info( char *buf, size_t size, const char *prefix,
|
|
const x509_crl *crl );
|
|
|
|
/**
|
|
* \brief Check a given x509_time against the system time and check
|
|
* if it is valid.
|
|
*
|
|
* \param time x509_time to check
|
|
*
|
|
* \return Return 0 if the x509_time is still valid,
|
|
* or 1 otherwise.
|
|
*/
|
|
int x509parse_time_expired( const x509_time *time );
|
|
|
|
/**
|
|
* \brief Verify the certificate signature
|
|
*
|
|
* \param crt a certificate to be verified
|
|
* \param trust_ca the trusted CA chain
|
|
* \param ca_crl the CRL chain for trusted CA's
|
|
* \param cn expected Common Name (can be set to
|
|
* NULL if the CN must not be verified)
|
|
* \param flags result of the verification
|
|
*
|
|
* \return 0 if successful or POLARSSL_ERR_X509_SIG_VERIFY_FAILED,
|
|
* in which case *flags will have one or more of
|
|
* the following values set:
|
|
* BADCERT_EXPIRED --
|
|
* BADCERT_REVOKED --
|
|
* BADCERT_CN_MISMATCH --
|
|
* BADCERT_NOT_TRUSTED
|
|
*
|
|
* \note TODO: add two arguments, depth and crl
|
|
*/
|
|
int x509parse_verify( x509_cert *crt,
|
|
x509_cert *trust_ca,
|
|
x509_crl *ca_crl,
|
|
const char *cn, int *flags );
|
|
|
|
/**
|
|
* \brief Unallocate all certificate data
|
|
*
|
|
* \param crt Certificate chain to free
|
|
*/
|
|
void x509_free( x509_cert *crt );
|
|
|
|
/**
|
|
* \brief Unallocate all CRL data
|
|
*
|
|
* \param crt CRL chain to free
|
|
*/
|
|
void x509_crl_free( x509_crl *crl );
|
|
|
|
/**
|
|
* \brief Checkup routine
|
|
*
|
|
* \return 0 if successful, or 1 if the test failed
|
|
*/
|
|
int x509_self_test( int verbose );
|
|
|
|
#ifdef __cplusplus
|
|
}
|
|
#endif
|
|
|
|
#endif /* x509.h */
|