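/**
 * \file x509.h
 *
 * \brief X.509 certificate, CRL and key parsing / verification interface.
 *
 * Declares the data structures into which DER/PEM certificates, CRLs and
 * RSA keys are decoded, the OID constants used while decoding, and the
 * parsing / verification entry points implemented in x509parse.c.
 *
 * Only RSA public keys are represented in x509_cert (see the \c rsa member);
 * certificates carrying any other key algorithm are expected to be rejected
 * with POLARSSL_ERR_X509_UNKNOWN_PK_ALG (NOTE(review): confirm in x509parse.c).
 */
#ifndef POLARSSL_X509_H
#define POLARSSL_X509_H

#include <stddef.h>     /* size_t is used by the prototypes below; do not rely on asn1.h for it */

#include "asn1.h"
#include "rsa.h"
#include "dhm.h"

/**
 * \addtogroup x509_module
 * \{
 */

/**
 * \name X509 Error codes
 *
 * All values are negative; the parsing functions in this header are expected
 * to return 0 on success and one of these codes otherwise (NOTE(review):
 * confirm the exact contract per function in x509parse.c).
 * \{
 */
#define POLARSSL_ERR_X509_FEATURE_UNAVAILABLE              -0x2080  /**< Unavailable feature, e.g. RSA hashing/encryption combination. */
#define POLARSSL_ERR_X509_CERT_INVALID_PEM                 -0x2100  /**< The PEM-encoded certificate is invalid. */
#define POLARSSL_ERR_X509_CERT_INVALID_FORMAT              -0x2180  /**< The certificate format is invalid, e.g. different type expected. */
#define POLARSSL_ERR_X509_CERT_INVALID_VERSION             -0x2200  /**< The certificate version element is invalid. */
#define POLARSSL_ERR_X509_CERT_INVALID_SERIAL              -0x2280  /**< The serial tag or value is invalid. */
#define POLARSSL_ERR_X509_CERT_INVALID_ALG                 -0x2300  /**< The algorithm tag or value is invalid. */
#define POLARSSL_ERR_X509_CERT_INVALID_NAME                -0x2380  /**< The name tag or value is invalid. */
#define POLARSSL_ERR_X509_CERT_INVALID_DATE                -0x2400  /**< The date tag or value is invalid. */
#define POLARSSL_ERR_X509_CERT_INVALID_PUBKEY              -0x2480  /**< The pubkey tag or value is invalid (not RSA, or malformed). */
#define POLARSSL_ERR_X509_CERT_INVALID_SIGNATURE           -0x2500  /**< The signature tag or value is invalid. */
#define POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS          -0x2580  /**< The extension tag or value is invalid. */
#define POLARSSL_ERR_X509_CERT_UNKNOWN_VERSION             -0x2600  /**< Certificate or CRL has an unsupported version number. */
#define POLARSSL_ERR_X509_CERT_UNKNOWN_SIG_ALG             -0x2680  /**< Signature algorithm (OID) is unsupported. */
#define POLARSSL_ERR_X509_UNKNOWN_PK_ALG                   -0x2700  /**< Key algorithm is unsupported (only RSA is supported). */
#define POLARSSL_ERR_X509_CERT_SIG_MISMATCH                -0x2780  /**< Certificate signature algorithms do not match (sig_oid1 vs sig_oid2). */
#define POLARSSL_ERR_X509_CERT_VERIFY_FAILED               -0x2800  /**< Certificate verification failed; inspect the \c flags output. */
#define POLARSSL_ERR_X509_KEY_INVALID_VERSION              -0x2880  /**< Unsupported RSA key version. */
#define POLARSSL_ERR_X509_KEY_INVALID_FORMAT               -0x2900  /**< Invalid RSA key tag or value. */
#define POLARSSL_ERR_X509_CERT_UNKNOWN_FORMAT              -0x2980  /**< Format not recognized as DER or PEM. */
#define POLARSSL_ERR_X509_INVALID_INPUT                    -0x2A00  /**< Input invalid. */
#define POLARSSL_ERR_X509_MALLOC_FAILED                    -0x2A80  /**< Allocation of memory failed. */
#define POLARSSL_ERR_X509_FILE_IO_ERROR                    -0x2B00  /**< Read/write of file failed. */
/* \} name */

/**
 * \name X509 Verify codes
 *
 * Bit flags reported through the \c flags output parameter of
 * x509parse_verify(). Several flags may be set at once; a non-zero value
 * must be treated as a failed verification unless the application has
 * deliberately decided to accept a specific flag. BADCERT_SKIP_VERIFY
 * presumably marks a verification that was skipped on purpose rather than a
 * failed check (NOTE(review): confirm where it is set).
 * \{
 */
#define BADCERT_EXPIRED                 0x01  /**< The certificate validity has expired. */
#define BADCERT_REVOKED                 0x02  /**< The certificate has been revoked (is on a CRL). */
#define BADCERT_CN_MISMATCH             0x04  /**< The certificate Common Name (CN) does not match with the expected CN. */
#define BADCERT_NOT_TRUSTED             0x08  /**< The certificate is not correctly signed by the trusted CA. */
#define BADCRL_NOT_TRUSTED              0x10  /**< CRL is not correctly signed by the trusted CA. */
#define BADCRL_EXPIRED                  0x20  /**< CRL is expired. */
#define BADCERT_MISSING                 0x40  /**< Certificate was missing. */
#define BADCERT_SKIP_VERIFY             0x80  /**< Certificate verification was skipped. */
/* \} name */
/* \} addtogroup x509_module */

/*
 * Various object identifiers
 *
 * The X520_* / PKCS9_* values are the last arc of the attribute type OID
 * (e.g. 2.5.4.3 is commonName, hence X520_COMMON_NAME == 3).
 */
#define X520_COMMON_NAME                3
#define X520_COUNTRY                    6
#define X520_LOCALITY                   7
#define X520_STATE                      8
#define X520_ORGANIZATION              10
#define X520_ORG_UNIT                  11
#define PKCS9_EMAIL                     1

#define X509_OUTPUT_DER              0x01
#define X509_OUTPUT_PEM              0x02
/* Line length used when emitting PEM. RFC 1421 / RFC 7468 specify 64
 * characters per line; 72 is a local choice and only affects output. */
#define PEM_LINE_LENGTH                72
#define X509_ISSUER                  0x01
#define X509_SUBJECT                 0x02

/*
 * OID constants.
 *
 * Each macro is the DER *content* of the OBJECT IDENTIFIER (the encoded
 * arcs only, no tag and no length octet), expressed as a C string literal.
 * Compare them against an x509_buf using the buffer's length and memcmp(),
 * never strlen()/strcmp(): at least OID_ANY_EXTENDED_KEY_USAGE contains an
 * embedded NUL byte, so string functions would see a truncated value.
 */
#define OID_X520                "\x55\x04"              /* 2.5.4 (X.520 attribute types) */
#define OID_CN                  OID_X520 "\x03"         /* 2.5.4.3 commonName */

#define OID_PKCS1               "\x2A\x86\x48\x86\xF7\x0D\x01\x01"   /* 1.2.840.113549.1.1 */
#define OID_PKCS1_RSA           OID_PKCS1 "\x01"                    /* 1.2.840.113549.1.1.1 rsaEncryption */

#define OID_RSA_SHA_OBS         "\x2B\x0E\x03\x02\x1D"  /* 1.3.14.3.2.29 obsolete OIW sha-1WithRSAEncryption */

#define OID_PKCS9               "\x2A\x86\x48\x86\xF7\x0D\x01\x09"   /* 1.2.840.113549.1.9 */
#define OID_PKCS9_EMAIL         OID_PKCS9 "\x01"                    /* 1.2.840.113549.1.9.1 emailAddress */

/** ISO arc for standard certificate and CRL extensions (2.5.29, id-ce). */
#define OID_ID_CE               "\x55\x1D"
/** PKIX arc 1.3.6.1.5.5.7 (id-pkix). */
#define OID_PKIX                "\x2B\x06\x01\x05\x05\x07"

/*
 * OIDs for standard certificate extensions (all under id-ce)
 */
#define OID_AUTHORITY_KEY_IDENTIFIER    OID_ID_CE "\x23"    /* 2.5.29.35 */
#define OID_SUBJECT_KEY_IDENTIFIER      OID_ID_CE "\x0E"    /* 2.5.29.14 */
#define OID_KEY_USAGE                   OID_ID_CE "\x0F"    /* 2.5.29.15 */
#define OID_CERTIFICATE_POLICIES        OID_ID_CE "\x20"    /* 2.5.29.32 */
#define OID_POLICY_MAPPINGS             OID_ID_CE "\x21"    /* 2.5.29.33 */
#define OID_SUBJECT_ALT_NAME            OID_ID_CE "\x11"    /* 2.5.29.17 */
#define OID_ISSUER_ALT_NAME             OID_ID_CE "\x12"    /* 2.5.29.18 */
#define OID_SUBJECT_DIRECTORY_ATTRS     OID_ID_CE "\x09"    /* 2.5.29.9  */
#define OID_BASIC_CONSTRAINTS           OID_ID_CE "\x13"    /* 2.5.29.19 */
#define OID_NAME_CONSTRAINTS            OID_ID_CE "\x1E"    /* 2.5.29.30 */
#define OID_POLICY_CONSTRAINTS          OID_ID_CE "\x24"    /* 2.5.29.36 */
#define OID_EXTENDED_KEY_USAGE          OID_ID_CE "\x25"    /* 2.5.29.37 */
#define OID_CRL_DISTRIBUTION_POINTS     OID_ID_CE "\x1F"    /* 2.5.29.31 */
#define OID_INHIBIT_ANYPOLICY           OID_ID_CE "\x36"    /* 2.5.29.54 */
#define OID_INIHIBIT_ANYPOLICY          OID_INHIBIT_ANYPOLICY /* historical misspelling, kept for source compatibility */
#define OID_FRESHEST_CRL                OID_ID_CE "\x2E"    /* 2.5.29.46 */

/*
 * X.509 v3 Key Usage Extension flags
 *
 * The KeyUsage extension is an ASN.1 BIT STRING; "bit 0" is the most
 * significant bit of the first content octet, which is why bit 0 maps to
 * 0x80. x509_cert.key_usage holds that first octet only, so encipherOnly
 * (bit 7) and decipherOnly (bit 8) are not representable here.
 */
#define KU_DIGITAL_SIGNATURE            (0x80)  /* bit 0 */
#define KU_NON_REPUDIATION              (0x40)  /* bit 1 */
#define KU_KEY_ENCIPHERMENT             (0x20)  /* bit 2 */
#define KU_DATA_ENCIPHERMENT            (0x10)  /* bit 3 */
#define KU_KEY_AGREEMENT                (0x08)  /* bit 4 */
#define KU_KEY_CERT_SIGN                (0x04)  /* bit 5 */
#define KU_CRL_SIGN                     (0x02)  /* bit 6 */

/*
 * X.509 v3 Extended key usage OIDs
 */
#define OID_ANY_EXTENDED_KEY_USAGE      OID_EXTENDED_KEY_USAGE "\x00"   /* 2.5.29.37.0 anyExtendedKeyUsage; note the embedded NUL */

#define OID_KP                          OID_PKIX "\x03"     /* 1.3.6.1.5.5.7.3 id-kp */
#define OID_SERVER_AUTH                 OID_KP "\x01"       /* id-kp-serverAuth */
#define OID_CLIENT_AUTH                 OID_KP "\x02"       /* id-kp-clientAuth */
#define OID_CODE_SIGNING                OID_KP "\x03"       /* id-kp-codeSigning */
#define OID_EMAIL_PROTECTION            OID_KP "\x04"       /* id-kp-emailProtection */
#define OID_TIME_STAMPING               OID_KP "\x08"       /* id-kp-timeStamping */
#define OID_OCSP_SIGNING                OID_KP "\x09"       /* id-kp-OCSPSigning */

/* Human-readable names for the id-kp OIDs above (used by cert_info output). */
#define STRING_SERVER_AUTH              "TLS Web Server Authentication"
#define STRING_CLIENT_AUTH              "TLS Web Client Authentication"
#define STRING_CODE_SIGNING             "Code Signing"
#define STRING_EMAIL_PROTECTION         "E-mail Protection"
#define STRING_TIME_STAMPING            "Time Stamping"
#define STRING_OCSP_SIGNING             "OCSP Signing"

/*
 * OIDs for CRL extensions
 */
#define OID_PRIVATE_KEY_USAGE_PERIOD    OID_ID_CE "\x10"    /* 2.5.29.16 */
#define OID_CRL_NUMBER                  OID_ID_CE "\x14"    /* 2.5.29.20 */

/*
 * Netscape certificate extensions (2.16.840.1.113730)
 */
#define OID_NETSCAPE                    "\x60\x86\x48\x01\x86\xF8\x42"
#define OID_NS_CERT                     OID_NETSCAPE "\x01"
#define OID_NS_CERT_TYPE                OID_NS_CERT "\x01"
#define OID_NS_BASE_URL                 OID_NS_CERT "\x02"
#define OID_NS_REVOCATION_URL           OID_NS_CERT "\x03"
#define OID_NS_CA_REVOCATION_URL        OID_NS_CERT "\x04"
#define OID_NS_RENEWAL_URL              OID_NS_CERT "\x07"
#define OID_NS_CA_POLICY_URL            OID_NS_CERT "\x08"
#define OID_NS_SSL_SERVER_NAME          OID_NS_CERT "\x0C"
#define OID_NS_COMMENT                  OID_NS_CERT "\x0D"
#define OID_NS_DATA_TYPE                OID_NETSCAPE "\x02"
#define OID_NS_CERT_SEQUENCE            OID_NS_DATA_TYPE "\x05"

/*
 * Netscape certificate types
 * (http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn3.html)
 *
 * Same BIT STRING convention as KU_*: bit 0 is the MSB of the first octet.
 */
#define NS_CERT_TYPE_SSL_CLIENT         (0x80)  /* bit 0 */
#define NS_CERT_TYPE_SSL_SERVER         (0x40)  /* bit 1 */
#define NS_CERT_TYPE_EMAIL              (0x20)  /* bit 2 */
#define NS_CERT_TYPE_OBJECT_SIGNING     (0x10)  /* bit 3 */
#define NS_CERT_TYPE_RESERVED           (0x08)  /* bit 4 */
#define NS_CERT_TYPE_SSL_CA             (0x04)  /* bit 5 */
#define NS_CERT_TYPE_EMAIL_CA           (0x02)  /* bit 6 */
#define NS_CERT_TYPE_OBJECT_SIGNING_CA  (0x01)  /* bit 7 */

/*
 * Bit flags recorded in x509_cert.ext_types: one bit per extension that was
 * encountered while parsing. Presence of a bit says the extension was seen,
 * not that its contents are fully interpreted (NOTE(review): only
 * basicConstraints, keyUsage, extKeyUsage and nsCertType have dedicated
 * members in x509_cert).
 */
#define EXT_AUTHORITY_KEY_IDENTIFIER    (1 << 0)
#define EXT_SUBJECT_KEY_IDENTIFIER      (1 << 1)
#define EXT_KEY_USAGE                   (1 << 2)
#define EXT_CERTIFICATE_POLICIES        (1 << 3)
#define EXT_POLICY_MAPPINGS             (1 << 4)
#define EXT_SUBJECT_ALT_NAME            (1 << 5)
#define EXT_ISSUER_ALT_NAME             (1 << 6)
#define EXT_SUBJECT_DIRECTORY_ATTRS     (1 << 7)
#define EXT_BASIC_CONSTRAINTS           (1 << 8)
#define EXT_NAME_CONSTRAINTS            (1 << 9)
#define EXT_POLICY_CONSTRAINTS          (1 << 10)
#define EXT_EXTENDED_KEY_USAGE          (1 << 11)
#define EXT_CRL_DISTRIBUTION_POINTS     (1 << 12)
#define EXT_INHIBIT_ANYPOLICY           (1 << 13)
#define EXT_INIHIBIT_ANYPOLICY          EXT_INHIBIT_ANYPOLICY /* historical misspelling, kept for source compatibility */
#define EXT_FRESHEST_CRL                (1 << 14)

#define EXT_NS_CERT_TYPE                (1 << 16)

/*
 * Storage format identifiers
 * Recognized formats: PEM and DER
 */
#define X509_FORMAT_DER                 1
#define X509_FORMAT_PEM                 2

/**
 * \addtogroup x509_module
 * \{
 */

/**
 * \name Structures for parsing X.509 certificates and CRLs
 * \{
 */

/**
 * Type-length-value structure that allows for ASN1 using DER.
 * The buffers below point into the DER data owned by the containing
 * certificate / CRL; they are not separately allocated.
 */
typedef asn1_buf x509_buf;

/**
 * Container for ASN1 bit strings.
 */
typedef asn1_bitstring x509_bitstring;

/**
 * Container for one attribute (OID, value) of a distinguished name;
 * a name is a singly linked list of these.
 */
typedef struct _x509_name
{
    x509_buf oid;               /**< Attribute type OID (compare against OID_CN etc. by length). */
    x509_buf val;               /**< Attribute value, raw DER string content. */
    struct _x509_name *next;    /**< Next attribute in the name, or NULL. */
}
x509_name;

/**
 * Container for a sequence of ASN.1 items (used for extKeyUsage).
 */
typedef asn1_sequence x509_sequence;

/** Container for date and time (precision in seconds).
 *  No timezone member: values are presumably UTC as RFC 5280 requires
 *  (NOTE(review): confirm how x509parse.c decodes UTCTime/GeneralizedTime). */
typedef struct _x509_time
{
    int year, mon, day;         /**< Date. */
    int hour, min, sec;         /**< Time. */
}
x509_time;

/**
 * Container for an X.509 certificate. The certificate may be chained.
 */
typedef struct _x509_cert
{
    x509_buf raw;               /**< The raw certificate data (DER). */
    x509_buf tbs;               /**< The raw certificate body (DER). The part that is To Be Signed. */

    int version;                /**< The X.509 version. (0=v1, 1=v2, 2=v3) */
    x509_buf serial;            /**< Unique id for certificate issued by a specific CA. Raw INTEGER bytes, not a number. */
    x509_buf sig_oid1;          /**< Signature algorithm, e.g. sha1RSA (from tbsCertificate.signature). */

    x509_buf issuer_raw;        /**< The raw issuer data (DER). Used for quick comparison. */
    x509_buf subject_raw;       /**< The raw subject data (DER). Used for quick comparison. */

    x509_name issuer;           /**< The parsed issuer data (named information object). */
    x509_name subject;          /**< The parsed subject data (named information object). */

    x509_time valid_from;       /**< Start time of certificate validity. */
    x509_time valid_to;         /**< End time of certificate validity. */

    x509_buf pk_oid;            /**< Subject public key algorithm OID (only rsaEncryption is supported). */
    rsa_context rsa;            /**< Container for the RSA public key. Only the public part is populated from a certificate. */

    x509_buf issuer_id;         /**< Optional X.509 v2/v3 issuer unique identifier. */
    x509_buf subject_id;        /**< Optional X.509 v2/v3 subject unique identifier. */
    x509_buf v3_ext;            /**< Optional X.509 v3 extensions (raw). Unparsed extensions remain here only. */

    int ext_types;              /**< Bit string containing detected and parsed extensions (EXT_* flags). */
    int ca_istrue;              /**< Optional Basic Constraint extension value: 1 if this certificate belongs to a CA, 0 otherwise. */
    int max_pathlen;            /**< Optional Basic Constraint extension value: the maximum path length to the root certificate. */

    unsigned char key_usage;    /**< Optional key usage extension value: first octet only, see KU_* flags. */

    x509_sequence ext_key_usage; /**< Optional list of extended key usage OIDs. */

    unsigned char ns_cert_type; /**< Optional Netscape certificate type extension value: see NS_CERT_TYPE_* flags. */

    x509_buf sig_oid2;          /**< Signature algorithm from Certificate.signatureAlgorithm. RFC 5280 requires it to equal sig_oid1 (POLARSSL_ERR_X509_CERT_SIG_MISMATCH). */
    x509_buf sig;               /**< Signature: hash of the tbs part signed with the private key. */
    int sig_alg;                /**< Internal representation of the signature algorithm, e.g. SIG_RSA_MD2. */

    struct _x509_cert *next;    /**< Next certificate in the CA-chain, or NULL. */
}
x509_cert;

/**
 * Certificate revocation list entry.
 * Contains the CA-specific serial numbers and revocation dates.
 */
typedef struct _x509_crl_entry
{
    x509_buf raw;               /**< Raw DER of this revokedCertificates entry. */

    x509_buf serial;            /**< Serial number of the revoked certificate (raw INTEGER bytes). */

    x509_time revocation_date;  /**< Time at which the certificate was revoked. */

    x509_buf entry_ext;         /**< Raw CRL entry extensions, if any. */

    struct _x509_crl_entry *next; /**< Next revoked entry, or NULL. */
}
x509_crl_entry;

/**
 * Certificate revocation list structure.
 * Every CRL may have multiple entries.
 */
typedef struct _x509_crl
{
    x509_buf raw;               /**< The raw certificate data (DER). */
    x509_buf tbs;               /**< The raw certificate body (DER). The part that is To Be Signed. */

    int version;                /**< CRL version. */
    x509_buf sig_oid1;          /**< Signature algorithm from tbsCertList.signature. */

    x509_buf issuer_raw;        /**< The raw issuer data (DER). */

    x509_name issuer;           /**< The parsed issuer data (named information object). */

    x509_time this_update;      /**< Issue time of this CRL. */
    x509_time next_update;      /**< Time by which the next CRL is expected (used for BADCRL_EXPIRED). */

    x509_crl_entry entry;       /**< First revoked entry, embedded (not a pointer). A CRL with no
                                     revoked certificates presumably leaves this entry empty —
                                     NOTE(review): check raw.len before treating it as a real entry. */

    x509_buf crl_ext;           /**< Raw CRL extensions. */

    x509_buf sig_oid2;          /**< Signature algorithm from CertificateList.signatureAlgorithm. */
    x509_buf sig;               /**< Signature over tbs. */
    int sig_alg;                /**< Internal representation of the signature algorithm. */

    struct _x509_crl *next;     /**< Next CRL in the list, or NULL. */
}
x509_crl;
/* \} name */
/* \} addtogroup x509_module */

#ifdef __cplusplus
extern "C" {
#endif

/**
 * \brief          Parse one or more certificates and add them to the chained list.
 *
 * \param chain    Points to the start of the chain; new certificates are
 *                 presumably appended via \c next (NOTE(review): confirm).
 * \param buf      Buffer holding the certificate data (DER, or one or more PEM blocks).
 * \param buflen   Size of the buffer in bytes; the parser must never read past it.
 *
 * \return         0 if all certificates parsed successfully, a specific
 *                 POLARSSL_ERR_X509_* code otherwise. Treat any non-zero
 *                 result as "chain unusable".
 */
int x509parse_crt( x509_cert *chain, const unsigned char *buf, size_t buflen );

/**
 * \brief          Load one or more certificates from a file and add them to
 *                 the chained list.
 *
 * \param chain    Points to the start of the chain.
 * \param path     Filename to read the certificates from.
 *
 * \return         0 on success, POLARSSL_ERR_X509_FILE_IO_ERROR if the file
 *                 cannot be read, or another POLARSSL_ERR_X509_* code.
 */
int x509parse_crtfile( x509_cert *chain, const char *path );

/**
 * \brief          Parse one or more CRLs and add them to the chained list.
 *
 * \param chain    Points to the start of the CRL chain.
 * \param buf      Buffer holding the CRL data (DER or PEM).
 * \param buflen   Size of the buffer in bytes.
 *
 * \return         0 if successful, or a specific POLARSSL_ERR_X509_* code.
 */
int x509parse_crl( x509_crl *chain, const unsigned char *buf, size_t buflen );

/**
 * \brief          Load one or more CRLs from a file and add them to the
 *                 chained list.
 *
 * \param chain    Points to the start of the CRL chain.
 * \param path     Filename to read the CRLs from.
 *
 * \return         0 if successful, or a specific POLARSSL_ERR_X509_* code.
 */
int x509parse_crlfile( x509_crl *chain, const char *path );

/**
 * \brief          Parse an RSA private key.
 *
 * \param rsa      RSA context to be initialized with the key material.
 * \param key      Input buffer (DER, or PEM which may be password-protected).
 * \param keylen   Size of the buffer in bytes.
 * \param pwd      Password for decryption of an encrypted PEM key, or NULL.
 * \param pwdlen   Size of the password in bytes.
 *
 * \return         0 if successful, or a specific POLARSSL_ERR_X509_* code.
 *                 The caller remains responsible for wiping \p key and
 *                 \p pwd after use.
 */
int x509parse_key( rsa_context *rsa,
                   const unsigned char *key, size_t keylen,
                   const unsigned char *pwd, size_t pwdlen );

/**
 * \brief          Load and parse an RSA private key from a file.
 *
 * \param rsa      RSA context to be initialized.
 * \param path     Filename to read the private key from.
 * \param password Password to decrypt the file, or NULL.
 *
 * \return         0 if successful, or a specific POLARSSL_ERR_X509_* code.
 */
int x509parse_keyfile( rsa_context *rsa, const char *path,
                       const char *password );

/**
 * \brief          Parse an RSA public key.
 *
 * \param rsa      RSA context to be initialized.
 * \param key      Input buffer (DER or PEM).
 * \param keylen   Size of the buffer in bytes.
 *
 * \return         0 if successful, or a specific POLARSSL_ERR_X509_* code.
 */
int x509parse_public_key( rsa_context *rsa,
                          const unsigned char *key, size_t keylen );

/**
 * \brief          Load and parse an RSA public key from a file.
 *
 * \param rsa      RSA context to be initialized.
 * \param path     Filename to read the public key from.
 *
 * \return         0 if successful, or a specific POLARSSL_ERR_X509_* code.
 */
int x509parse_public_keyfile( rsa_context *rsa, const char *path );

/**
 * \brief          Parse Diffie-Hellman parameters (PEM or DER).
 *
 * \param dhm      DHM context to be initialized.
 * \param dhmin    Input buffer.
 * \param dhminlen Size of the buffer in bytes.
 *
 * \return         0 if successful, or a specific POLARSSL_ERR_X509_* code.
 *                 Parsing only decodes P and G; it does not prove they are a
 *                 safe prime / valid generator, so only load parameters from
 *                 a trusted source.
 */
int x509parse_dhm( dhm_context *dhm, const unsigned char *dhmin, size_t dhminlen );

/**
 * \brief          Load and parse Diffie-Hellman parameters from a file.
 *
 * \param dhm      DHM context to be initialized.
 * \param path     Filename to read the DHM parameters from.
 *
 * \return         0 if successful, or a specific POLARSSL_ERR_X509_* code.
 */
int x509parse_dhmfile( dhm_context *dhm, const char *path );

/**
 * \brief          Store the certificate DN in printable form into \p buf;
 *                 no more than \p size characters will be written.
 *
 * \param buf      Buffer to write to.
 * \param size     Maximum size of buffer.
 * \param dn       The X509 name to represent.
 *
 * \return         The amount of data written to the buffer, or -1 in
 *                 case of an error. The output is attacker-controlled
 *                 text (certificate subject); do not pass it to printf()
 *                 as a format string.
 */
int x509parse_dn_gets( char *buf, size_t size, const x509_name *dn );

/**
 * \brief          Store the certificate serial in printable form into \p buf;
 *                 no more than \p size characters will be written.
 *
 * \param buf      Buffer to write to.
 * \param size     Maximum size of buffer.
 * \param serial   The X509 serial to represent.
 *
 * \return         The amount of data written to the buffer, or -1 in
 *                 case of an error.
 */
int x509parse_serial_gets( char *buf, size_t size, const x509_buf *serial );

/**
 * \brief          Return an informational string about the certificate.
 *
 * \param buf      Buffer to write to.
 * \param size     Maximum size of buffer.
 * \param prefix   A line prefix.
 * \param crt      The X509 certificate to represent.
 *
 * \return         The amount of data written to the buffer, or -1 in
 *                 case of an error.
 */
int x509parse_cert_info( char *buf, size_t size, const char *prefix,
                         const x509_cert *crt );

/**
 * \brief          Return an informational string about the CRL.
 *
 * \param buf      Buffer to write to.
 * \param size     Maximum size of buffer.
 * \param prefix   A line prefix.
 * \param crl      The X509 CRL to represent.
 *
 * \return         The amount of data written to the buffer, or -1 in
 *                 case of an error.
 */
int x509parse_crl_info( char *buf, size_t size, const char *prefix,
                        const x509_crl *crl );

/**
 * \brief          Give an known OID, return its descriptive string.
 *
 * \param oid      Buffer containing the OID.
 *
 * \return         Return a string if the OID is known, or NULL otherwise
 *                 (NOTE(review): confirm the unknown-OID result in x509parse.c).
 *                 The parameter is not const-qualified only because the
 *                 definition in x509parse.c is not; it is not modified.
 */
const char *x509_oid_get_description( x509_buf *oid );

/**
 * \brief          Give an OID, return a string version of its OID number.
 *
 * \param buf      Buffer to write to.
 * \param size     Maximum size of buffer.
 * \param oid      Buffer containing the OID.
 *
 * \return         The amount of data written to the buffer, or -1 in
 *                 case of an error.
 */
int x509_oid_get_numeric_string( char *buf, size_t size, x509_buf *oid );

/**
 * \brief          Check a given x509_time against the system time and check
 *                 if it is valid.
 *
 * \param time     x509_time to check.
 *
 * \return         Non-zero if the time is expired, 0 otherwise (NOTE(review):
 *                 confirm exact return values). The result is only as good
 *                 as the local clock; on systems without a trusted clock the
 *                 BADCERT_EXPIRED / BADCRL_EXPIRED flags can be wrong in
 *                 either direction.
 */
int x509parse_time_expired( const x509_time *time );

/**
 * \brief          Verify the certificate signature and chain.
 *
 *                 The chain in \p crt is checked against the trusted CAs in
 *                 \p trust_ca and the CRLs in \p ca_crl. Every problem found
 *                 is reported as a BADCERT_* / BADCRL_* bit in \p *flags.
 *
 * \param crt      A certificate to be verified (the head of the chain).
 * \param trust_ca The trusted CA chain.
 * \param ca_crl   The CRL chain for trusted CAs, or NULL for no CRL checking.
 * \param cn       Expected Common Name. Presumably NULL disables the CN
 *                 check (NOTE(review): confirm); if so, callers that do not
 *                 pass a name get no hostname binding at all, and a valid
 *                 certificate for any name is accepted.
 * \param flags    Result of the verification: 0 if no problem was found,
 *                 otherwise a bitmask of BADCERT_* / BADCRL_* flags.
 *                 Always inspect it, not only the return value.
 * \param f_vrfy   Optional verification callback, invoked per certificate
 *                 with (p_vrfy, cert, depth, flags) in that presumed order
 *                 (NOTE(review): confirm argument meaning in x509parse.c).
 *                 A callback that returns 0 while clearing bits in flags
 *                 overrides the library's decision, so keep it conservative.
 * \param p_vrfy   Opaque context passed to \p f_vrfy.
 *
 * \return         0 if successful, POLARSSL_ERR_X509_CERT_VERIFY_FAILED
 *                 with \p *flags set when verification failed, or another
 *                 POLARSSL_ERR_X509_* code on malformed input.
 */
int x509parse_verify( x509_cert *crt,
                      x509_cert *trust_ca,
                      x509_crl *ca_crl,
                      const char *cn, int *flags,
                      int (*f_vrfy)(void *, x509_cert *, int, int),
                      void *p_vrfy );

/**
 * \brief          Check whether a certificate is listed as revoked in a CRL.
 *
 * \param crt      The certificate to check.
 * \param crl      The CRL (chain) to search. Callers must ensure the CRL was
 *                 issued by \p crt's issuer; a serial number alone is only
 *                 unique per CA.
 *
 * \return         Non-zero if the certificate is revoked, 0 otherwise
 *                 (NOTE(review): confirm exact values in x509parse.c).
 */
int x509parse_revoked( const x509_cert *crt, const x509_crl *crl );

/**
 * \brief          Unallocate all certificate data, including any chained
 *                 certificates reachable through \c next.
 *
 * \param crt      Certificate chain to free. The head structure itself is
 *                 owned by the caller.
 */
void x509_free( x509_cert *crt );

/**
 * \brief          Unallocate all CRL data, including chained CRLs.
 *
 * \param crl      CRL chain to free. The head structure itself is owned by
 *                 the caller.
 */
void x509_crl_free( x509_crl *crl );

/**
 * \brief          Checkup routine.
 *
 * \param verbose  Non-zero to print progress.
 *
 * \return         0 if successful, or 1 if the test failed.
 */
int x509_self_test( int verbose );

#ifdef __cplusplus
}
#endif

#endif /* x509.h */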