PolarSSL v1.1.4
x509.h
Go to the documentation of this file.
1 
27 #ifndef POLARSSL_X509_H
28 #define POLARSSL_X509_H
29 
30 #include "asn1.h"
31 #include "rsa.h"
32 #include "dhm.h"
33 
43 #define POLARSSL_ERR_X509_FEATURE_UNAVAILABLE -0x2080
44 #define POLARSSL_ERR_X509_CERT_INVALID_PEM -0x2100
45 #define POLARSSL_ERR_X509_CERT_INVALID_FORMAT -0x2180
46 #define POLARSSL_ERR_X509_CERT_INVALID_VERSION -0x2200
47 #define POLARSSL_ERR_X509_CERT_INVALID_SERIAL -0x2280
48 #define POLARSSL_ERR_X509_CERT_INVALID_ALG -0x2300
49 #define POLARSSL_ERR_X509_CERT_INVALID_NAME -0x2380
50 #define POLARSSL_ERR_X509_CERT_INVALID_DATE -0x2400
51 #define POLARSSL_ERR_X509_CERT_INVALID_PUBKEY -0x2480
52 #define POLARSSL_ERR_X509_CERT_INVALID_SIGNATURE -0x2500
53 #define POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS -0x2580
54 #define POLARSSL_ERR_X509_CERT_UNKNOWN_VERSION -0x2600
55 #define POLARSSL_ERR_X509_CERT_UNKNOWN_SIG_ALG -0x2680
56 #define POLARSSL_ERR_X509_UNKNOWN_PK_ALG -0x2700
57 #define POLARSSL_ERR_X509_CERT_SIG_MISMATCH -0x2780
58 #define POLARSSL_ERR_X509_CERT_VERIFY_FAILED -0x2800
59 #define POLARSSL_ERR_X509_KEY_INVALID_VERSION -0x2880
60 #define POLARSSL_ERR_X509_KEY_INVALID_FORMAT -0x2900
61 #define POLARSSL_ERR_X509_CERT_UNKNOWN_FORMAT -0x2980
62 #define POLARSSL_ERR_X509_INVALID_INPUT -0x2A00
63 #define POLARSSL_ERR_X509_MALLOC_FAILED -0x2A80
64 #define POLARSSL_ERR_X509_FILE_IO_ERROR -0x2B00
65 /* \} name */
66 
67 
72 #define BADCERT_EXPIRED 0x01
73 #define BADCERT_REVOKED 0x02
74 #define BADCERT_CN_MISMATCH 0x04
75 #define BADCERT_NOT_TRUSTED 0x08
76 #define BADCRL_NOT_TRUSTED 0x10
77 #define BADCRL_EXPIRED 0x20
78 #define BADCERT_MISSING 0x40
79 #define BADCERT_SKIP_VERIFY 0x80
80 /* \} name */
81 /* \} addtogroup x509_module */
82 
83 /*
84  * various object identifiers
85  */
86 #define X520_COMMON_NAME 3
87 #define X520_COUNTRY 6
88 #define X520_LOCALITY 7
89 #define X520_STATE 8
90 #define X520_ORGANIZATION 10
91 #define X520_ORG_UNIT 11
92 #define PKCS9_EMAIL 1
93 
94 #define X509_OUTPUT_DER 0x01
95 #define X509_OUTPUT_PEM 0x02
96 #define PEM_LINE_LENGTH 72
97 #define X509_ISSUER 0x01
98 #define X509_SUBJECT 0x02
99 
100 #define OID_X520 "\x55\x04"
101 #define OID_CN OID_X520 "\x03"
102 
103 #define OID_PKCS1 "\x2A\x86\x48\x86\xF7\x0D\x01\x01"
104 #define OID_PKCS1_RSA OID_PKCS1 "\x01"
105 
106 #define OID_RSA_SHA_OBS "\x2B\x0E\x03\x02\x1D"
107 
108 #define OID_PKCS9 "\x2A\x86\x48\x86\xF7\x0D\x01\x09"
109 #define OID_PKCS9_EMAIL OID_PKCS9 "\x01"
110 
112 #define OID_ID_CE "\x55\x1D"
119 #define OID_PKIX "\x2B\x06\x01\x05\x05\x07"
120 
121 /*
122  * OIDs for standard certificate extensions
123  */
124 #define OID_AUTHORITY_KEY_IDENTIFIER OID_ID_CE "\x23"
125 #define OID_SUBJECT_KEY_IDENTIFIER OID_ID_CE "\x0E"
126 #define OID_KEY_USAGE OID_ID_CE "\x0F"
127 #define OID_CERTIFICATE_POLICIES OID_ID_CE "\x20"
128 #define OID_POLICY_MAPPINGS OID_ID_CE "\x21"
129 #define OID_SUBJECT_ALT_NAME OID_ID_CE "\x11"
130 #define OID_ISSUER_ALT_NAME OID_ID_CE "\x12"
131 #define OID_SUBJECT_DIRECTORY_ATTRS OID_ID_CE "\x09"
132 #define OID_BASIC_CONSTRAINTS OID_ID_CE "\x13"
133 #define OID_NAME_CONSTRAINTS OID_ID_CE "\x1E"
134 #define OID_POLICY_CONSTRAINTS OID_ID_CE "\x24"
135 #define OID_EXTENDED_KEY_USAGE OID_ID_CE "\x25"
136 #define OID_CRL_DISTRIBUTION_POINTS OID_ID_CE "\x1F"
137 #define OID_INIHIBIT_ANYPOLICY OID_ID_CE "\x36"
138 #define OID_FRESHEST_CRL OID_ID_CE "\x2E"
140 /*
141  * X.509 v3 Key Usage Extension flags
142  */
143 #define KU_DIGITAL_SIGNATURE (0x80) /* bit 0 */
144 #define KU_NON_REPUDIATION (0x40) /* bit 1 */
145 #define KU_KEY_ENCIPHERMENT (0x20) /* bit 2 */
146 #define KU_DATA_ENCIPHERMENT (0x10) /* bit 3 */
147 #define KU_KEY_AGREEMENT (0x08) /* bit 4 */
148 #define KU_KEY_CERT_SIGN (0x04) /* bit 5 */
149 #define KU_CRL_SIGN (0x02) /* bit 6 */
150 
151 /*
152  * X.509 v3 Extended key usage OIDs
153  */
154 #define OID_ANY_EXTENDED_KEY_USAGE OID_EXTENDED_KEY_USAGE "\x00"
156 #define OID_KP OID_PKIX "\x03"
157 #define OID_SERVER_AUTH OID_KP "\x01"
158 #define OID_CLIENT_AUTH OID_KP "\x02"
159 #define OID_CODE_SIGNING OID_KP "\x03"
160 #define OID_EMAIL_PROTECTION OID_KP "\x04"
161 #define OID_TIME_STAMPING OID_KP "\x08"
162 #define OID_OCSP_SIGNING OID_KP "\x09"
164 #define STRING_SERVER_AUTH "TLS Web Server Authentication"
165 #define STRING_CLIENT_AUTH "TLS Web Client Authentication"
166 #define STRING_CODE_SIGNING "Code Signing"
167 #define STRING_EMAIL_PROTECTION "E-mail Protection"
168 #define STRING_TIME_STAMPING "Time Stamping"
169 #define STRING_OCSP_SIGNING "OCSP Signing"
170 
171 /*
172  * OIDs for CRL extensions
173  */
174 #define OID_PRIVATE_KEY_USAGE_PERIOD OID_ID_CE "\x10"
175 #define OID_CRL_NUMBER OID_ID_CE "\x14"
177 /*
178  * Netscape certificate extensions
179  */
180 #define OID_NETSCAPE "\x60\x86\x48\x01\x86\xF8\x42"
181 #define OID_NS_CERT OID_NETSCAPE "\x01"
182 #define OID_NS_CERT_TYPE OID_NS_CERT "\x01"
183 #define OID_NS_BASE_URL OID_NS_CERT "\x02"
184 #define OID_NS_REVOCATION_URL OID_NS_CERT "\x03"
185 #define OID_NS_CA_REVOCATION_URL OID_NS_CERT "\x04"
186 #define OID_NS_RENEWAL_URL OID_NS_CERT "\x07"
187 #define OID_NS_CA_POLICY_URL OID_NS_CERT "\x08"
188 #define OID_NS_SSL_SERVER_NAME OID_NS_CERT "\x0C"
189 #define OID_NS_COMMENT OID_NS_CERT "\x0D"
190 #define OID_NS_DATA_TYPE OID_NETSCAPE "\x02"
191 #define OID_NS_CERT_SEQUENCE OID_NS_DATA_TYPE "\x05"
192 
193 /*
194  * Netscape certificate types
195  * (http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn3.html)
196  */
197 
198 #define NS_CERT_TYPE_SSL_CLIENT (0x80) /* bit 0 */
199 #define NS_CERT_TYPE_SSL_SERVER (0x40) /* bit 1 */
200 #define NS_CERT_TYPE_EMAIL (0x20) /* bit 2 */
201 #define NS_CERT_TYPE_OBJECT_SIGNING (0x10) /* bit 3 */
202 #define NS_CERT_TYPE_RESERVED (0x08) /* bit 4 */
203 #define NS_CERT_TYPE_SSL_CA (0x04) /* bit 5 */
204 #define NS_CERT_TYPE_EMAIL_CA (0x02) /* bit 6 */
205 #define NS_CERT_TYPE_OBJECT_SIGNING_CA (0x01) /* bit 7 */
206 
207 #define EXT_AUTHORITY_KEY_IDENTIFIER (1 << 0)
208 #define EXT_SUBJECT_KEY_IDENTIFIER (1 << 1)
209 #define EXT_KEY_USAGE (1 << 2)
210 #define EXT_CERTIFICATE_POLICIES (1 << 3)
211 #define EXT_POLICY_MAPPINGS (1 << 4)
212 #define EXT_SUBJECT_ALT_NAME (1 << 5)
213 #define EXT_ISSUER_ALT_NAME (1 << 6)
214 #define EXT_SUBJECT_DIRECTORY_ATTRS (1 << 7)
215 #define EXT_BASIC_CONSTRAINTS (1 << 8)
216 #define EXT_NAME_CONSTRAINTS (1 << 9)
217 #define EXT_POLICY_CONSTRAINTS (1 << 10)
218 #define EXT_EXTENDED_KEY_USAGE (1 << 11)
219 #define EXT_CRL_DISTRIBUTION_POINTS (1 << 12)
220 #define EXT_INIHIBIT_ANYPOLICY (1 << 13)
221 #define EXT_FRESHEST_CRL (1 << 14)
222 
223 #define EXT_NS_CERT_TYPE (1 << 16)
224 
225 /*
226  * Storage format identifiers
227  * Recognized formats: PEM and DER
228  */
229 #define X509_FORMAT_DER 1
230 #define X509_FORMAT_PEM 2
231 
245 
250 
255 typedef struct _x509_name
256 {
259  struct _x509_name *next;
260 }
261 x509_name;
262 
267 
269 typedef struct _x509_time
270 {
271  int year, mon, day;
272  int hour, min, sec;
273 }
274 x509_time;
275 
279 typedef struct _x509_cert
280 {
284  int version;
304  int ext_types;
305  int ca_istrue;
308  unsigned char key_usage;
312  unsigned char ns_cert_type;
316  int sig_alg;
318  struct _x509_cert *next;
319 }
320 x509_cert;
321 
326 typedef struct _x509_crl_entry
327 {
329 
331 
333 
335 
337 }
339 
344 typedef struct _x509_crl
345 {
349  int version;
351 
358 
362 
365  int sig_alg;
366 
367  struct _x509_crl *next;
368 }
369 x509_crl;
379 /*
380 typedef struct _x509_node
381 {
382  unsigned char *data;
383  unsigned char *p;
384  unsigned char *end;
385 
386  size_t len;
387 }
388 x509_node;
389 
390 typedef struct _x509_raw
391 {
392  x509_node raw;
393  x509_node tbs;
394 
395  x509_node version;
396  x509_node serial;
397  x509_node tbs_signalg;
398  x509_node issuer;
399  x509_node validity;
400  x509_node subject;
401  x509_node subpubkey;
402 
403  x509_node signalg;
404  x509_node sign;
405 }
406 x509_raw;
407 */
408 
409 #ifdef __cplusplus
410 extern "C" {
411 #endif
412 
433 int x509parse_crt( x509_cert *chain, const unsigned char *buf, size_t buflen );
434 
449 int x509parse_crtfile( x509_cert *chain, const char *path );
450 
462 int x509parse_crl( x509_crl *chain, const unsigned char *buf, size_t buflen );
463 
474 int x509parse_crlfile( x509_crl *chain, const char *path );
475 
488 int x509parse_key( rsa_context *rsa,
489  const unsigned char *key, size_t keylen,
490  const unsigned char *pwd, size_t pwdlen );
491 
502 int x509parse_keyfile( rsa_context *rsa, const char *path,
503  const char *password );
504 
516  const unsigned char *key, size_t keylen );
517 
527 int x509parse_public_keyfile( rsa_context *rsa, const char *path );
528 
539 int x509parse_dhm( dhm_context *dhm, const unsigned char *dhmin, size_t dhminlen );
540 
550 int x509parse_dhmfile( dhm_context *dhm, const char *path );
551 
565 int x509parse_dn_gets( char *buf, size_t size, const x509_name *dn );
566 
578 int x509parse_serial_gets( char *buf, size_t size, const x509_buf *serial );
579 
592 int x509parse_cert_info( char *buf, size_t size, const char *prefix,
593  const x509_cert *crt );
594 
607 int x509parse_crl_info( char *buf, size_t size, const char *prefix,
608  const x509_crl *crl );
609 
618 const char *x509_oid_get_description( x509_buf *oid );
619 
620 /*
621  * \brief Give an OID, return a string version of its OID number.
622  *
623  * \param buf Buffer to write to
624  * \param size Maximum size of buffer
625  * \param oid Buffer containing the OID
626  *
627  * \return The amount of data written to the buffer, or -1 in
628  * case of an error.
629  */
630 int x509_oid_get_numeric_string( char *buf, size_t size, x509_buf *oid );
631 
641 int x509parse_time_expired( const x509_time *time );
642 
670 int x509parse_verify( x509_cert *crt,
671  x509_cert *trust_ca,
672  x509_crl *ca_crl,
673  const char *cn, int *flags,
674  int (*f_vrfy)(void *, x509_cert *, int, int),
675  void *p_vrfy );
676 
686 int x509parse_revoked( const x509_cert *crt, const x509_crl *crl );
687 
702 void x509_free( x509_cert *crt );
703 
710 void x509_crl_free( x509_crl *crl );
711 
720 int x509_self_test( int verbose );
721 
722 #ifdef __cplusplus
723 }
724 #endif
725 
726 #endif /* x509.h */