PolarSSL v1.1.4
x509.h
Go to the documentation of this file.
00001 
00027 #ifndef POLARSSL_X509_H
00028 #define POLARSSL_X509_H
00029 
00030 #include "asn1.h"
00031 #include "rsa.h"
00032 #include "dhm.h"
00033 
00043 #define POLARSSL_ERR_X509_FEATURE_UNAVAILABLE              -0x2080  
00044 #define POLARSSL_ERR_X509_CERT_INVALID_PEM                 -0x2100  
00045 #define POLARSSL_ERR_X509_CERT_INVALID_FORMAT              -0x2180  
00046 #define POLARSSL_ERR_X509_CERT_INVALID_VERSION             -0x2200  
00047 #define POLARSSL_ERR_X509_CERT_INVALID_SERIAL              -0x2280  
00048 #define POLARSSL_ERR_X509_CERT_INVALID_ALG                 -0x2300  
00049 #define POLARSSL_ERR_X509_CERT_INVALID_NAME                -0x2380  
00050 #define POLARSSL_ERR_X509_CERT_INVALID_DATE                -0x2400  
00051 #define POLARSSL_ERR_X509_CERT_INVALID_PUBKEY              -0x2480  
00052 #define POLARSSL_ERR_X509_CERT_INVALID_SIGNATURE           -0x2500  
00053 #define POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS          -0x2580  
00054 #define POLARSSL_ERR_X509_CERT_UNKNOWN_VERSION             -0x2600  
00055 #define POLARSSL_ERR_X509_CERT_UNKNOWN_SIG_ALG             -0x2680  
00056 #define POLARSSL_ERR_X509_UNKNOWN_PK_ALG                   -0x2700  
00057 #define POLARSSL_ERR_X509_CERT_SIG_MISMATCH                -0x2780  
00058 #define POLARSSL_ERR_X509_CERT_VERIFY_FAILED               -0x2800  
00059 #define POLARSSL_ERR_X509_KEY_INVALID_VERSION              -0x2880  
00060 #define POLARSSL_ERR_X509_KEY_INVALID_FORMAT               -0x2900  
00061 #define POLARSSL_ERR_X509_CERT_UNKNOWN_FORMAT              -0x2980  
00062 #define POLARSSL_ERR_X509_INVALID_INPUT                    -0x2A00  
00063 #define POLARSSL_ERR_X509_MALLOC_FAILED                    -0x2A80  
00064 #define POLARSSL_ERR_X509_FILE_IO_ERROR                    -0x2B00  
00065 /* \} name */
00066 
00067 
00072 #define BADCERT_EXPIRED             0x01  
00073 #define BADCERT_REVOKED             0x02  
00074 #define BADCERT_CN_MISMATCH         0x04  
00075 #define BADCERT_NOT_TRUSTED         0x08  
00076 #define BADCRL_NOT_TRUSTED          0x10  
00077 #define BADCRL_EXPIRED              0x20  
00078 #define BADCERT_MISSING             0x40  
00079 #define BADCERT_SKIP_VERIFY         0x80  
00080 /* \} name */
00081 /* \} addtogroup x509_module */
00082 
00083 /*
00084  * various object identifiers
00085  */
00086 #define X520_COMMON_NAME                3
00087 #define X520_COUNTRY                    6
00088 #define X520_LOCALITY                   7
00089 #define X520_STATE                      8
00090 #define X520_ORGANIZATION              10
00091 #define X520_ORG_UNIT                  11
00092 #define PKCS9_EMAIL                     1
00093 
00094 #define X509_OUTPUT_DER              0x01
00095 #define X509_OUTPUT_PEM              0x02
00096 #define PEM_LINE_LENGTH                72
00097 #define X509_ISSUER                  0x01
00098 #define X509_SUBJECT                 0x02
00099 
00100 #define OID_X520                "\x55\x04"
00101 #define OID_CN                  OID_X520 "\x03"
00102 
00103 #define OID_PKCS1               "\x2A\x86\x48\x86\xF7\x0D\x01\x01"
00104 #define OID_PKCS1_RSA           OID_PKCS1 "\x01"
00105 
00106 #define OID_RSA_SHA_OBS         "\x2B\x0E\x03\x02\x1D"
00107 
00108 #define OID_PKCS9               "\x2A\x86\x48\x86\xF7\x0D\x01\x09"
00109 #define OID_PKCS9_EMAIL         OID_PKCS9 "\x01"
00110 
00112 #define OID_ID_CE               "\x55\x1D" 
00119 #define OID_PKIX                "\x2B\x06\x01\x05\x05\x07"
00120 
00121 /*
00122  * OIDs for standard certificate extensions
00123  */
00124 #define OID_AUTHORITY_KEY_IDENTIFIER    OID_ID_CE "\x23" 
00125 #define OID_SUBJECT_KEY_IDENTIFIER      OID_ID_CE "\x0E" 
00126 #define OID_KEY_USAGE                   OID_ID_CE "\x0F" 
00127 #define OID_CERTIFICATE_POLICIES        OID_ID_CE "\x20" 
00128 #define OID_POLICY_MAPPINGS             OID_ID_CE "\x21" 
00129 #define OID_SUBJECT_ALT_NAME            OID_ID_CE "\x11" 
00130 #define OID_ISSUER_ALT_NAME             OID_ID_CE "\x12" 
00131 #define OID_SUBJECT_DIRECTORY_ATTRS     OID_ID_CE "\x09" 
00132 #define OID_BASIC_CONSTRAINTS           OID_ID_CE "\x13" 
00133 #define OID_NAME_CONSTRAINTS            OID_ID_CE "\x1E" 
00134 #define OID_POLICY_CONSTRAINTS          OID_ID_CE "\x24" 
00135 #define OID_EXTENDED_KEY_USAGE          OID_ID_CE "\x25" 
00136 #define OID_CRL_DISTRIBUTION_POINTS     OID_ID_CE "\x1F" 
00137 #define OID_INIHIBIT_ANYPOLICY          OID_ID_CE "\x36" 
00138 #define OID_FRESHEST_CRL                OID_ID_CE "\x2E" 
00140 /*
00141  * X.509 v3 Key Usage Extension flags
00142  */
00143 #define KU_DIGITAL_SIGNATURE            (0x80)  /* bit 0 */
00144 #define KU_NON_REPUDIATION              (0x40)  /* bit 1 */
00145 #define KU_KEY_ENCIPHERMENT             (0x20)  /* bit 2 */
00146 #define KU_DATA_ENCIPHERMENT            (0x10)  /* bit 3 */
00147 #define KU_KEY_AGREEMENT                (0x08)  /* bit 4 */
00148 #define KU_KEY_CERT_SIGN                (0x04)  /* bit 5 */
00149 #define KU_CRL_SIGN                     (0x02)  /* bit 6 */
00150 
00151 /*
00152  * X.509 v3 Extended key usage OIDs
00153  */
00154 #define OID_ANY_EXTENDED_KEY_USAGE      OID_EXTENDED_KEY_USAGE "\x00" 
00156 #define OID_KP                          OID_PKIX "\x03" 
00157 #define OID_SERVER_AUTH                 OID_KP "\x01" 
00158 #define OID_CLIENT_AUTH                 OID_KP "\x02" 
00159 #define OID_CODE_SIGNING                OID_KP "\x03" 
00160 #define OID_EMAIL_PROTECTION            OID_KP "\x04" 
00161 #define OID_TIME_STAMPING               OID_KP "\x08" 
00162 #define OID_OCSP_SIGNING                OID_KP "\x09" 
00164 #define STRING_SERVER_AUTH              "TLS Web Server Authentication"
00165 #define STRING_CLIENT_AUTH              "TLS Web Client Authentication"
00166 #define STRING_CODE_SIGNING             "Code Signing"
00167 #define STRING_EMAIL_PROTECTION         "E-mail Protection"
00168 #define STRING_TIME_STAMPING            "Time Stamping"
00169 #define STRING_OCSP_SIGNING             "OCSP Signing"
00170 
00171 /*
00172  * OIDs for CRL extensions
00173  */
00174 #define OID_PRIVATE_KEY_USAGE_PERIOD    OID_ID_CE "\x10"
00175 #define OID_CRL_NUMBER                  OID_ID_CE "\x14" 
00177 /*
00178  * Netscape certificate extensions
00179  */
00180 #define OID_NETSCAPE                "\x60\x86\x48\x01\x86\xF8\x42" 
00181 #define OID_NS_CERT                 OID_NETSCAPE "\x01"
00182 #define OID_NS_CERT_TYPE            OID_NS_CERT  "\x01"
00183 #define OID_NS_BASE_URL             OID_NS_CERT  "\x02"
00184 #define OID_NS_REVOCATION_URL       OID_NS_CERT  "\x03"
00185 #define OID_NS_CA_REVOCATION_URL    OID_NS_CERT  "\x04"
00186 #define OID_NS_RENEWAL_URL          OID_NS_CERT  "\x07"
00187 #define OID_NS_CA_POLICY_URL        OID_NS_CERT  "\x08"
00188 #define OID_NS_SSL_SERVER_NAME      OID_NS_CERT  "\x0C"
00189 #define OID_NS_COMMENT              OID_NS_CERT  "\x0D"
00190 #define OID_NS_DATA_TYPE            OID_NETSCAPE "\x02"
00191 #define OID_NS_CERT_SEQUENCE        OID_NS_DATA_TYPE "\x05"
00192 
00193 /*
00194  * Netscape certificate types
00195  * (http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn3.html)
00196  */
00197 
00198 #define NS_CERT_TYPE_SSL_CLIENT         (0x80)  /* bit 0 */
00199 #define NS_CERT_TYPE_SSL_SERVER         (0x40)  /* bit 1 */
00200 #define NS_CERT_TYPE_EMAIL              (0x20)  /* bit 2 */
00201 #define NS_CERT_TYPE_OBJECT_SIGNING     (0x10)  /* bit 3 */
00202 #define NS_CERT_TYPE_RESERVED           (0x08)  /* bit 4 */
00203 #define NS_CERT_TYPE_SSL_CA             (0x04)  /* bit 5 */
00204 #define NS_CERT_TYPE_EMAIL_CA           (0x02)  /* bit 6 */
00205 #define NS_CERT_TYPE_OBJECT_SIGNING_CA  (0x01)  /* bit 7 */
00206 
00207 #define EXT_AUTHORITY_KEY_IDENTIFIER    (1 << 0)
00208 #define EXT_SUBJECT_KEY_IDENTIFIER      (1 << 1)
00209 #define EXT_KEY_USAGE                   (1 << 2)
00210 #define EXT_CERTIFICATE_POLICIES        (1 << 3)
00211 #define EXT_POLICY_MAPPINGS             (1 << 4)
00212 #define EXT_SUBJECT_ALT_NAME            (1 << 5)
00213 #define EXT_ISSUER_ALT_NAME             (1 << 6)
00214 #define EXT_SUBJECT_DIRECTORY_ATTRS     (1 << 7)
00215 #define EXT_BASIC_CONSTRAINTS           (1 << 8)
00216 #define EXT_NAME_CONSTRAINTS            (1 << 9)
00217 #define EXT_POLICY_CONSTRAINTS          (1 << 10)
00218 #define EXT_EXTENDED_KEY_USAGE          (1 << 11)
00219 #define EXT_CRL_DISTRIBUTION_POINTS     (1 << 12)
00220 #define EXT_INIHIBIT_ANYPOLICY          (1 << 13)
00221 #define EXT_FRESHEST_CRL                (1 << 14)
00222 
00223 #define EXT_NS_CERT_TYPE                (1 << 16)
00224 
00225 /*
00226  * Storage format identifiers
00227  * Recognized formats: PEM and DER
00228  */
00229 #define X509_FORMAT_DER                 1
00230 #define X509_FORMAT_PEM                 2
00231 
00244 typedef asn1_buf x509_buf;
00245 
00249 typedef asn1_bitstring x509_bitstring;
00250 
00255 typedef struct _x509_name
00256 {
00257     x509_buf oid;               
00258     x509_buf val;               
00259     struct _x509_name *next;    
00260 }
00261 x509_name;
00262 
00266 typedef asn1_sequence x509_sequence;
00267 
00269 typedef struct _x509_time
00270 {
00271     int year, mon, day;         
00272     int hour, min, sec;         
00273 }
00274 x509_time;
00275 
00279 typedef struct _x509_cert
00280 {
00281     x509_buf raw;               
00282     x509_buf tbs;               
00284     int version;                
00285     x509_buf serial;            
00286     x509_buf sig_oid1;          
00288     x509_buf issuer_raw;        
00289     x509_buf subject_raw;       
00291     x509_name issuer;           
00292     x509_name subject;          
00294     x509_time valid_from;       
00295     x509_time valid_to;         
00297     x509_buf pk_oid;            
00298     rsa_context rsa;            
00300     x509_buf issuer_id;         
00301     x509_buf subject_id;        
00302     x509_buf v3_ext;            
00304     int ext_types;              
00305     int ca_istrue;              
00306     int max_pathlen;            
00308     unsigned char key_usage;    
00310     x509_sequence ext_key_usage; 
00312     unsigned char ns_cert_type; 
00314     x509_buf sig_oid2;          
00315     x509_buf sig;               
00316     int sig_alg;                
00318     struct _x509_cert *next;    
00319 }
00320 x509_cert;
00321 
00326 typedef struct _x509_crl_entry
00327 {
00328     x509_buf raw;
00329 
00330     x509_buf serial;
00331 
00332     x509_time revocation_date;
00333 
00334     x509_buf entry_ext;
00335 
00336     struct _x509_crl_entry *next;
00337 }
00338 x509_crl_entry;
00339 
00344 typedef struct _x509_crl
00345 {
00346     x509_buf raw;           
00347     x509_buf tbs;           
00349     int version;
00350     x509_buf sig_oid1;
00351 
00352     x509_buf issuer_raw;    
00354     x509_name issuer;       
00356     x509_time this_update;  
00357     x509_time next_update;
00358 
00359     x509_crl_entry entry;   
00361     x509_buf crl_ext;
00362 
00363     x509_buf sig_oid2;
00364     x509_buf sig;
00365     int sig_alg;
00366 
00367     struct _x509_crl *next; 
00368 }
00369 x509_crl;
00379 /*
00380 typedef struct _x509_node
00381 {
00382     unsigned char *data;
00383     unsigned char *p;
00384     unsigned char *end;
00385 
00386     size_t len;
00387 }
00388 x509_node;
00389 
00390 typedef struct _x509_raw
00391 {
00392     x509_node raw;
00393     x509_node tbs;
00394 
00395     x509_node version;
00396     x509_node serial;
00397     x509_node tbs_signalg;
00398     x509_node issuer;
00399     x509_node validity;
00400     x509_node subject;
00401     x509_node subpubkey;
00402 
00403     x509_node signalg;
00404     x509_node sign;
00405 }
00406 x509_raw;
00407 */
00408 
00409 #ifdef __cplusplus
00410 extern "C" {
00411 #endif
00412 
00433 int x509parse_crt( x509_cert *chain, const unsigned char *buf, size_t buflen );
00434 
00449 int x509parse_crtfile( x509_cert *chain, const char *path );
00450 
00462 int x509parse_crl( x509_crl *chain, const unsigned char *buf, size_t buflen );
00463 
00474 int x509parse_crlfile( x509_crl *chain, const char *path );
00475 
00488 int x509parse_key( rsa_context *rsa,
00489                    const unsigned char *key, size_t keylen,
00490                    const unsigned char *pwd, size_t pwdlen );
00491 
00502 int x509parse_keyfile( rsa_context *rsa, const char *path,
00503                        const char *password );
00504 
00515 int x509parse_public_key( rsa_context *rsa,
00516                    const unsigned char *key, size_t keylen );
00517 
00527 int x509parse_public_keyfile( rsa_context *rsa, const char *path );
00528 
00539 int x509parse_dhm( dhm_context *dhm, const unsigned char *dhmin, size_t dhminlen );
00540 
00550 int x509parse_dhmfile( dhm_context *dhm, const char *path );
00551 
00565 int x509parse_dn_gets( char *buf, size_t size, const x509_name *dn );
00566 
00578 int x509parse_serial_gets( char *buf, size_t size, const x509_buf *serial );
00579 
00592 int x509parse_cert_info( char *buf, size_t size, const char *prefix,
00593                          const x509_cert *crt );
00594 
00607 int x509parse_crl_info( char *buf, size_t size, const char *prefix,
00608                         const x509_crl *crl );
00609 
00618 const char *x509_oid_get_description( x509_buf *oid );
00619 
00620 /*
00621  * \brief          Give an OID, return a string version of its OID number.
00622  *
00623  * \param buf      Buffer to write to
00624  * \param size     Maximum size of buffer
00625  * \param oid      Buffer containing the OID
00626  *
00627  * \return         The amount of data written to the buffer, or -1 in
00628  *                 case of an error.
00629  */
00630 int x509_oid_get_numeric_string( char *buf, size_t size, x509_buf *oid );
00631 
00641 int x509parse_time_expired( const x509_time *time );
00642 
00670 int x509parse_verify( x509_cert *crt,
00671                       x509_cert *trust_ca,
00672                       x509_crl *ca_crl,
00673                       const char *cn, int *flags,
00674                       int (*f_vrfy)(void *, x509_cert *, int, int),
00675                       void *p_vrfy );
00676 
00686 int x509parse_revoked( const x509_cert *crt, const x509_crl *crl );
00687 
00702 void x509_free( x509_cert *crt );
00703 
00710 void x509_crl_free( x509_crl *crl );
00711 
00720 int x509_self_test( int verbose );
00721 
00722 #ifdef __cplusplus
00723 }
00724 #endif
00725 
00726 #endif /* x509.h */