2009-01-03 22:22:43 +01:00
/**
* \ file x509 . h
2009-01-04 17:27:10 +01:00
*
2011-01-06 13:28:03 +01:00
* \ brief X .509 certificate and private key decoding
*
2011-11-10 15:43:23 +01:00
* Copyright ( C ) 2006 - 2011 , Brainspark B . V .
2010-07-18 22:36:00 +02:00
*
* This file is part of PolarSSL ( http : //www.polarssl.org)
2010-07-18 12:13:04 +02:00
* Lead Maintainer : Paul Bakker < polarssl_maintainer at polarssl . org >
2010-07-18 22:36:00 +02:00
*
2009-07-28 19:23:11 +02:00
* All rights reserved .
2009-01-04 17:27:10 +01:00
*
* This program is free software ; you can redistribute it and / or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation ; either version 2 of the License , or
* ( at your option ) any later version .
*
* This program is distributed in the hope that it will be useful ,
* but WITHOUT ANY WARRANTY ; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
* GNU General Public License for more details .
*
* You should have received a copy of the GNU General Public License along
* with this program ; if not , write to the Free Software Foundation , Inc . ,
* 51 Franklin Street , Fifth Floor , Boston , MA 02110 - 1301 USA .
2009-01-03 22:22:43 +01:00
*/
2009-01-03 22:51:57 +01:00
# ifndef POLARSSL_X509_H
# define POLARSSL_X509_H
2009-01-03 22:22:43 +01:00
2011-11-10 15:43:23 +01:00
# include "asn1.h"
2011-08-15 11:07:52 +02:00
# include "rsa.h"
# include "dhm.h"
2009-01-03 22:22:43 +01:00
2011-01-06 13:28:03 +01:00
/**
2011-01-18 15:58:55 +01:00
* \ addtogroup x509_module
* \ {
2009-07-28 09:18:38 +02:00
*/
2011-01-06 13:28:03 +01:00
/**
2011-01-18 15:58:55 +01:00
* \ name X509 Error codes
* \ {
2011-01-06 13:28:03 +01:00
*/
2011-05-09 18:17:09 +02:00
# define POLARSSL_ERR_X509_FEATURE_UNAVAILABLE -0x2080 /**< Unavailable feature, e.g. RSA hashing/encryption combination. */
# define POLARSSL_ERR_X509_CERT_INVALID_PEM -0x2100 /**< The PEM-encoded certificate contains invalid elements, e.g. invalid character. */
# define POLARSSL_ERR_X509_CERT_INVALID_FORMAT -0x2180 /**< The certificate format is invalid, e.g. different type expected. */
# define POLARSSL_ERR_X509_CERT_INVALID_VERSION -0x2200 /**< The certificate version element is invalid. */
# define POLARSSL_ERR_X509_CERT_INVALID_SERIAL -0x2280 /**< The serial tag or value is invalid. */
# define POLARSSL_ERR_X509_CERT_INVALID_ALG -0x2300 /**< The algorithm tag or value is invalid. */
# define POLARSSL_ERR_X509_CERT_INVALID_NAME -0x2380 /**< The name tag or value is invalid. */
# define POLARSSL_ERR_X509_CERT_INVALID_DATE -0x2400 /**< The date tag or value is invalid. */
# define POLARSSL_ERR_X509_CERT_INVALID_PUBKEY -0x2480 /**< The pubkey tag or value is invalid (only RSA is supported). */
# define POLARSSL_ERR_X509_CERT_INVALID_SIGNATURE -0x2500 /**< The signature tag or value invalid. */
# define POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS -0x2580 /**< The extension tag or value is invalid. */
# define POLARSSL_ERR_X509_CERT_UNKNOWN_VERSION -0x2600 /**< Certificate or CRL has an unsupported version number. */
# define POLARSSL_ERR_X509_CERT_UNKNOWN_SIG_ALG -0x2680 /**< Signature algorithm (oid) is unsupported. */
2011-07-13 13:26:43 +02:00
# define POLARSSL_ERR_X509_UNKNOWN_PK_ALG -0x2700 /**< Key algorithm is unsupported (only RSA is supported). */
2011-05-09 18:17:09 +02:00
# define POLARSSL_ERR_X509_CERT_SIG_MISMATCH -0x2780 /**< Certificate signature algorithms do not match. (see \c ::x509_cert sig_oid) */
# define POLARSSL_ERR_X509_CERT_VERIFY_FAILED -0x2800 /**< Certificate verification failed, e.g. CRL, CA or signature check failed. */
# define POLARSSL_ERR_X509_KEY_INVALID_VERSION -0x2880 /**< Unsupported RSA key version */
# define POLARSSL_ERR_X509_KEY_INVALID_FORMAT -0x2900 /**< Invalid RSA key tag or value. */
2011-12-04 13:24:18 +01:00
# define POLARSSL_ERR_X509_CERT_UNKNOWN_FORMAT -0x2980 /**< Format not recognized as DER or PEM. */
2011-12-10 22:55:01 +01:00
# define POLARSSL_ERR_X509_INVALID_INPUT -0x2A00 /**< Input invalid. */
# define POLARSSL_ERR_X509_MALLOC_FAILED -0x2A80 /**< Allocation of memory failed. */
# define POLARSSL_ERR_X509_FILE_IO_ERROR -0x2B00 /**< Read/write of file failed. */
2013-06-17 15:14:42 +02:00
# define POLARSSL_ERR_X509_PASSWORD_REQUIRED -0x2B80 /**< Private key password can't be empty. */
# define POLARSSL_ERR_X509_PASSWORD_MISMATCH -0x2C00 /**< Given private key password does not allow for correct decryption. */
2011-01-18 15:58:55 +01:00
/* \} name */
2009-01-03 22:22:43 +01:00
2011-01-06 13:28:03 +01:00
/**
2011-01-18 15:58:55 +01:00
* \ name X509 Verify codes
* \ {
2009-07-28 09:18:38 +02:00
*/
2011-01-30 18:05:13 +01:00
# define BADCERT_EXPIRED 0x01 /**< The certificate validity has expired. */
# define BADCERT_REVOKED 0x02 /**< The certificate has been revoked (is on a CRL). */
# define BADCERT_CN_MISMATCH 0x04 /**< The certificate Common Name (CN) does not match with the expected CN. */
# define BADCERT_NOT_TRUSTED 0x08 /**< The certificate is not correctly signed by the trusted CA. */
# define BADCRL_NOT_TRUSTED 0x10 /**< CRL is not correctly signed by the trusted CA. */
# define BADCRL_EXPIRED 0x20 /**< CRL is expired. */
# define BADCERT_MISSING 0x40 /**< Certificate was missing. */
# define BADCERT_SKIP_VERIFY 0x80 /**< Certificate verification was skipped. */
2012-09-28 09:10:55 +02:00
# define BADCERT_OTHER 0x0100 /**< Other reason (can be used by verify callback) */
2011-01-18 15:58:55 +01:00
/* \} name */
/* \} addtogroup x509_module */
2009-01-03 22:22:43 +01:00
/*
* various object identifiers
*/
# define X520_COMMON_NAME 3
# define X520_COUNTRY 6
# define X520_LOCALITY 7
# define X520_STATE 8
# define X520_ORGANIZATION 10
# define X520_ORG_UNIT 11
# define PKCS9_EMAIL 1
# define X509_OUTPUT_DER 0x01
# define X509_OUTPUT_PEM 0x02
# define PEM_LINE_LENGTH 72
# define X509_ISSUER 0x01
# define X509_SUBJECT 0x02
# define OID_X520 "\x55\x04"
2011-01-15 17:57:55 +01:00
# define OID_CN OID_X520 "\x03"
2012-02-14 00:11:30 +01:00
# define OID_COUNTRY OID_X520 "\x06"
# define OID_LOCALITY OID_X520 "\x07"
# define OID_STATE OID_X520 "\x08"
# define OID_ORGANIZATION OID_X520 "\x0A"
# define OID_ORG_UNIT OID_X520 "\x0B"
2011-01-15 17:57:55 +01:00
2009-01-03 22:22:43 +01:00
# define OID_PKCS1 "\x2A\x86\x48\x86\xF7\x0D\x01\x01"
2011-01-15 17:57:55 +01:00
# define OID_PKCS1_RSA OID_PKCS1 "\x01"
2012-02-14 00:11:30 +01:00
# define OID_PKCS1_SHA1 OID_PKCS1 "\x05"
2011-02-20 11:40:16 +01:00
# define OID_RSA_SHA_OBS "\x2B\x0E\x03\x02\x1D"
2011-01-15 17:57:55 +01:00
2009-01-03 22:22:43 +01:00
# define OID_PKCS9 "\x2A\x86\x48\x86\xF7\x0D\x01\x09"
2011-01-15 17:57:55 +01:00
# define OID_PKCS9_EMAIL OID_PKCS9 "\x01"
/** ISO arc for standard certificate and CRL extensions */
# define OID_ID_CE "\x55\x1D" /**< id-ce OBJECT IDENTIFIER ::= {joint-iso-ccitt(2) ds(5) 29} */
/**
* Private Internet Extensions
* { iso ( 1 ) identified - organization ( 3 ) dod ( 6 ) internet ( 1 )
* security ( 5 ) mechanisms ( 5 ) pkix ( 7 ) }
*/
# define OID_PKIX "\x2B\x06\x01\x05\x05\x07"
/*
* OIDs for standard certificate extensions
*/
# define OID_AUTHORITY_KEY_IDENTIFIER OID_ID_CE "\x23" /**< id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 35 } */
# define OID_SUBJECT_KEY_IDENTIFIER OID_ID_CE "\x0E" /**< id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 14 } */
# define OID_KEY_USAGE OID_ID_CE "\x0F" /**< id-ce-keyUsage OBJECT IDENTIFIER ::= { id-ce 15 } */
# define OID_CERTIFICATE_POLICIES OID_ID_CE "\x20" /**< id-ce-certificatePolicies OBJECT IDENTIFIER ::= { id-ce 32 } */
# define OID_POLICY_MAPPINGS OID_ID_CE "\x21" /**< id-ce-policyMappings OBJECT IDENTIFIER ::= { id-ce 33 } */
# define OID_SUBJECT_ALT_NAME OID_ID_CE "\x11" /**< id-ce-subjectAltName OBJECT IDENTIFIER ::= { id-ce 17 } */
# define OID_ISSUER_ALT_NAME OID_ID_CE "\x12" /**< id-ce-issuerAltName OBJECT IDENTIFIER ::= { id-ce 18 } */
# define OID_SUBJECT_DIRECTORY_ATTRS OID_ID_CE "\x09" /**< id-ce-subjectDirectoryAttributes OBJECT IDENTIFIER ::= { id-ce 9 } */
# define OID_BASIC_CONSTRAINTS OID_ID_CE "\x13" /**< id-ce-basicConstraints OBJECT IDENTIFIER ::= { id-ce 19 } */
# define OID_NAME_CONSTRAINTS OID_ID_CE "\x1E" /**< id-ce-nameConstraints OBJECT IDENTIFIER ::= { id-ce 30 } */
# define OID_POLICY_CONSTRAINTS OID_ID_CE "\x24" /**< id-ce-policyConstraints OBJECT IDENTIFIER ::= { id-ce 36 } */
# define OID_EXTENDED_KEY_USAGE OID_ID_CE "\x25" /**< id-ce-extKeyUsage OBJECT IDENTIFIER ::= { id-ce 37 } */
# define OID_CRL_DISTRIBUTION_POINTS OID_ID_CE "\x1F" /**< id-ce-cRLDistributionPoints OBJECT IDENTIFIER ::= { id-ce 31 } */
# define OID_INIHIBIT_ANYPOLICY OID_ID_CE "\x36" /**< id-ce-inhibitAnyPolicy OBJECT IDENTIFIER ::= { id-ce 54 } */
# define OID_FRESHEST_CRL OID_ID_CE "\x2E" /**< id-ce-freshestCRL OBJECT IDENTIFIER ::= { id-ce 46 } */
/*
* X .509 v3 Key Usage Extension flags
*/
# define KU_DIGITAL_SIGNATURE (0x80) /* bit 0 */
# define KU_NON_REPUDIATION (0x40) /* bit 1 */
# define KU_KEY_ENCIPHERMENT (0x20) /* bit 2 */
# define KU_DATA_ENCIPHERMENT (0x10) /* bit 3 */
# define KU_KEY_AGREEMENT (0x08) /* bit 4 */
# define KU_KEY_CERT_SIGN (0x04) /* bit 5 */
# define KU_CRL_SIGN (0x02) /* bit 6 */
/*
* X .509 v3 Extended key usage OIDs
*/
# define OID_ANY_EXTENDED_KEY_USAGE OID_EXTENDED_KEY_USAGE "\x00" /**< anyExtendedKeyUsage OBJECT IDENTIFIER ::= { id-ce-extKeyUsage 0 } */
# define OID_KP OID_PKIX "\x03" /**< id-kp OBJECT IDENTIFIER ::= { id-pkix 3 } */
# define OID_SERVER_AUTH OID_KP "\x01" /**< id-kp-serverAuth OBJECT IDENTIFIER ::= { id-kp 1 } */
# define OID_CLIENT_AUTH OID_KP "\x02" /**< id-kp-clientAuth OBJECT IDENTIFIER ::= { id-kp 2 } */
# define OID_CODE_SIGNING OID_KP "\x03" /**< id-kp-codeSigning OBJECT IDENTIFIER ::= { id-kp 3 } */
# define OID_EMAIL_PROTECTION OID_KP "\x04" /**< id-kp-emailProtection OBJECT IDENTIFIER ::= { id-kp 4 } */
# define OID_TIME_STAMPING OID_KP "\x08" /**< id-kp-timeStamping OBJECT IDENTIFIER ::= { id-kp 8 } */
# define OID_OCSP_SIGNING OID_KP "\x09" /**< id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 } */
# define STRING_SERVER_AUTH "TLS Web Server Authentication"
# define STRING_CLIENT_AUTH "TLS Web Client Authentication"
# define STRING_CODE_SIGNING "Code Signing"
# define STRING_EMAIL_PROTECTION "E-mail Protection"
# define STRING_TIME_STAMPING "Time Stamping"
# define STRING_OCSP_SIGNING "OCSP Signing"
/*
* OIDs for CRL extensions
*/
# define OID_PRIVATE_KEY_USAGE_PERIOD OID_ID_CE "\x10"
# define OID_CRL_NUMBER OID_ID_CE "\x14" /**< id-ce-cRLNumber OBJECT IDENTIFIER ::= { id-ce 20 } */
/*
* Netscape certificate extensions
*/
# define OID_NETSCAPE "\x60\x86\x48\x01\x86\xF8\x42" /**< Netscape OID */
# define OID_NS_CERT OID_NETSCAPE "\x01"
# define OID_NS_CERT_TYPE OID_NS_CERT "\x01"
# define OID_NS_BASE_URL OID_NS_CERT "\x02"
# define OID_NS_REVOCATION_URL OID_NS_CERT "\x03"
# define OID_NS_CA_REVOCATION_URL OID_NS_CERT "\x04"
# define OID_NS_RENEWAL_URL OID_NS_CERT "\x07"
# define OID_NS_CA_POLICY_URL OID_NS_CERT "\x08"
# define OID_NS_SSL_SERVER_NAME OID_NS_CERT "\x0C"
# define OID_NS_COMMENT OID_NS_CERT "\x0D"
# define OID_NS_DATA_TYPE OID_NETSCAPE "\x02"
# define OID_NS_CERT_SEQUENCE OID_NS_DATA_TYPE "\x05"
/*
* Netscape certificate types
* ( http : //www.mozilla.org/projects/security/pki/nss/tech-notes/tn3.html)
*/
# define NS_CERT_TYPE_SSL_CLIENT (0x80) /* bit 0 */
# define NS_CERT_TYPE_SSL_SERVER (0x40) /* bit 1 */
# define NS_CERT_TYPE_EMAIL (0x20) /* bit 2 */
# define NS_CERT_TYPE_OBJECT_SIGNING (0x10) /* bit 3 */
# define NS_CERT_TYPE_RESERVED (0x08) /* bit 4 */
# define NS_CERT_TYPE_SSL_CA (0x04) /* bit 5 */
# define NS_CERT_TYPE_EMAIL_CA (0x02) /* bit 6 */
# define NS_CERT_TYPE_OBJECT_SIGNING_CA (0x01) /* bit 7 */
# define EXT_AUTHORITY_KEY_IDENTIFIER (1 << 0)
# define EXT_SUBJECT_KEY_IDENTIFIER (1 << 1)
# define EXT_KEY_USAGE (1 << 2)
# define EXT_CERTIFICATE_POLICIES (1 << 3)
# define EXT_POLICY_MAPPINGS (1 << 4)
# define EXT_SUBJECT_ALT_NAME (1 << 5)
# define EXT_ISSUER_ALT_NAME (1 << 6)
# define EXT_SUBJECT_DIRECTORY_ATTRS (1 << 7)
# define EXT_BASIC_CONSTRAINTS (1 << 8)
# define EXT_NAME_CONSTRAINTS (1 << 9)
# define EXT_POLICY_CONSTRAINTS (1 << 10)
# define EXT_EXTENDED_KEY_USAGE (1 << 11)
# define EXT_CRL_DISTRIBUTION_POINTS (1 << 12)
# define EXT_INIHIBIT_ANYPOLICY (1 << 13)
# define EXT_FRESHEST_CRL (1 << 14)
# define EXT_NS_CERT_TYPE (1 << 16)
2009-01-03 22:22:43 +01:00
2011-12-04 13:24:18 +01:00
/*
* Storage format identifiers
* Recognized formats : PEM and DER
*/
# define X509_FORMAT_DER 1
# define X509_FORMAT_PEM 2
2011-01-06 13:28:03 +01:00
/**
2011-01-18 15:58:55 +01:00
* \ addtogroup x509_module
* \ { */
2011-01-06 13:28:03 +01:00
/**
2011-01-18 15:58:55 +01:00
* \ name Structures for parsing X .509 certificates and CRLs
* \ {
2011-01-06 13:28:03 +01:00
*/
/**
* Type - length - value structure that allows for ASN1 using DER .
2009-01-03 22:22:43 +01:00
*/
2011-11-10 15:43:23 +01:00
typedef asn1_buf x509_buf ;
2009-01-03 22:22:43 +01:00
2011-01-15 17:57:55 +01:00
/**
* Container for ASN1 bit strings .
*/
2011-11-10 15:43:23 +01:00
typedef asn1_bitstring x509_bitstring ;
2011-01-15 17:57:55 +01:00
2011-01-06 13:28:03 +01:00
/**
* Container for ASN1 named information objects .
* It allows for Relative Distinguished Names ( e . g . cn = polarssl , ou = code , etc . ) .
*/
2009-01-03 22:22:43 +01:00
typedef struct _x509_name
{
2011-01-06 13:28:03 +01:00
x509_buf oid ; /**< The object identifier. */
x509_buf val ; /**< The named value. */
struct _x509_name * next ; /**< The next named information object. */
2009-01-03 22:22:43 +01:00
}
x509_name ;
2011-01-15 17:57:55 +01:00
/**
* Container for a sequence of ASN .1 items
*/
2011-11-10 15:43:23 +01:00
typedef asn1_sequence x509_sequence ;
2011-01-15 17:57:55 +01:00
2011-01-06 13:28:03 +01:00
/** Container for date and time (precision in seconds). */
2009-01-03 22:22:43 +01:00
typedef struct _x509_time
{
2011-01-06 13:28:03 +01:00
int year , mon , day ; /**< Date. */
int hour , min , sec ; /**< Time. */
2009-01-03 22:22:43 +01:00
}
x509_time ;
2011-01-06 13:28:03 +01:00
/**
* Container for an X .509 certificate . The certificate may be chained .
*/
2009-01-03 22:22:43 +01:00
typedef struct _x509_cert
{
2011-01-06 13:28:03 +01:00
x509_buf raw ; /**< The raw certificate data (DER). */
x509_buf tbs ; /**< The raw certificate body (DER). The part that is To Be Signed. */
2009-01-03 22:22:43 +01:00
2011-01-06 13:28:03 +01:00
int version ; /**< The X.509 version. (0=v1, 1=v2, 2=v3) */
x509_buf serial ; /**< Unique id for certificate issued by a specific CA. */
x509_buf sig_oid1 ; /**< Signature algorithm, e.g. sha1RSA */
2009-01-03 22:22:43 +01:00
2011-01-06 13:28:03 +01:00
x509_buf issuer_raw ; /**< The raw issuer data (DER). Used for quick comparison. */
x509_buf subject_raw ; /**< The raw subject data (DER). Used for quick comparison. */
2009-01-03 22:22:43 +01:00
2011-01-06 13:28:03 +01:00
x509_name issuer ; /**< The parsed issuer data (named information object). */
x509_name subject ; /**< The parsed subject data (named information object). */
2009-01-03 22:22:43 +01:00
2011-01-06 13:28:03 +01:00
x509_time valid_from ; /**< Start time of certificate validity. */
x509_time valid_to ; /**< End time of certificate validity. */
2009-01-03 22:22:43 +01:00
2011-01-06 13:28:03 +01:00
x509_buf pk_oid ; /**< Subject public key info. Includes the public key algorithm and the key itself. */
rsa_context rsa ; /**< Container for the RSA context. Only RSA is supported for public keys at this time. */
2009-01-03 22:22:43 +01:00
2011-01-06 13:28:03 +01:00
x509_buf issuer_id ; /**< Optional X.509 v2/v3 issuer unique identifier. */
x509_buf subject_id ; /**< Optional X.509 v2/v3 subject unique identifier. */
x509_buf v3_ext ; /**< Optional X.509 v3 extensions. Only Basic Contraints are supported at this time. */
2012-02-11 17:09:32 +01:00
x509_sequence subject_alt_names ; /**< Optional list of Subject Alternative Names (Only dNSName supported). */
2009-01-03 22:22:43 +01:00
2011-01-15 17:57:55 +01:00
int ext_types ; /**< Bit string containing detected and parsed extensions */
2011-01-06 13:28:03 +01:00
int ca_istrue ; /**< Optional Basic Constraint extension value: 1 if this certificate belongs to a CA, 0 otherwise. */
2012-09-28 09:10:55 +02:00
int max_pathlen ; /**< Optional Basic Constraint extension value: The maximum path length to the root certificate. Path length is 1 higher than RFC 5280 'meaning', so 1+ */
2009-01-03 22:22:43 +01:00
2011-01-15 17:57:55 +01:00
unsigned char key_usage ; /**< Optional key usage extension value: See the values below */
x509_sequence ext_key_usage ; /**< Optional list of extended key usage OIDs. */
unsigned char ns_cert_type ; /**< Optional Netscape certificate type extension value: See the values below */
2011-01-06 13:28:03 +01:00
x509_buf sig_oid2 ; /**< Signature algorithm. Must match sig_oid1. */
x509_buf sig ; /**< Signature: hash of the tbs part signed with the private key. */
int sig_alg ; /**< Internal representation of the signature algorithm, e.g. SIG_RSA_MD2 */
2009-01-03 22:22:43 +01:00
2011-01-06 13:28:03 +01:00
struct _x509_cert * next ; /**< Next certificate in the CA-chain. */
2009-01-03 22:22:43 +01:00
}
x509_cert ;
2011-01-06 13:28:03 +01:00
/**
* Certificate revocation list entry .
* Contains the CA - specific serial numbers and revocation dates .
*/
2009-05-02 17:13:40 +02:00
typedef struct _x509_crl_entry
{
x509_buf raw ;
x509_buf serial ;
x509_time revocation_date ;
x509_buf entry_ext ;
struct _x509_crl_entry * next ;
}
x509_crl_entry ;
2011-01-06 13:28:03 +01:00
/**
* Certificate revocation list structure .
* Every CRL may have multiple entries .
*/
2009-05-02 17:13:40 +02:00
typedef struct _x509_crl
{
2011-01-06 13:28:03 +01:00
x509_buf raw ; /**< The raw certificate data (DER). */
x509_buf tbs ; /**< The raw certificate body (DER). The part that is To Be Signed. */
2009-05-02 17:13:40 +02:00
int version ;
x509_buf sig_oid1 ;
2011-01-06 13:28:03 +01:00
x509_buf issuer_raw ; /**< The raw issuer data (DER). */
2009-05-02 17:13:40 +02:00
2011-01-06 13:28:03 +01:00
x509_name issuer ; /**< The parsed issuer data (named information object). */
2009-05-02 17:13:40 +02:00
2011-01-06 13:28:03 +01:00
x509_time this_update ;
2009-05-02 17:13:40 +02:00
x509_time next_update ;
2011-01-06 13:28:03 +01:00
x509_crl_entry entry ; /**< The CRL entries containing the certificate revocation times for this CA. */
2009-05-02 17:13:40 +02:00
x509_buf crl_ext ;
x509_buf sig_oid2 ;
x509_buf sig ;
2010-03-17 07:56:01 +01:00
int sig_alg ;
2009-05-02 17:13:40 +02:00
struct _x509_crl * next ;
}
x509_crl ;
2011-01-18 15:58:55 +01:00
/** \} name Structures for parsing X.509 certificates and CRLs */
/** \} addtogroup x509_module */
2009-05-02 17:13:40 +02:00
2011-01-06 13:28:03 +01:00
/**
2011-01-18 15:58:55 +01:00
* \ name Structures for writing X .509 certificates .
2011-01-06 13:28:03 +01:00
* XvP : commented out as they are not used .
* - < tt > typedef struct _x509_node x509_node ; < / tt >
* - < tt > typedef struct _x509_raw x509_raw ; < / tt >
2009-01-03 22:22:43 +01:00
*/
2011-01-06 13:28:03 +01:00
/*
2009-01-03 22:22:43 +01:00
typedef struct _x509_node
{
unsigned char * data ;
unsigned char * p ;
unsigned char * end ;
size_t len ;
}
x509_node ;
typedef struct _x509_raw
{
x509_node raw ;
x509_node tbs ;
x509_node version ;
x509_node serial ;
x509_node tbs_signalg ;
x509_node issuer ;
x509_node validity ;
x509_node subject ;
x509_node subpubkey ;
x509_node signalg ;
x509_node sign ;
}
x509_raw ;
2011-01-06 13:28:03 +01:00
*/
2009-01-03 22:22:43 +01:00
# ifdef __cplusplus
extern " C " {
# endif
2011-01-06 13:28:03 +01:00
/**
2011-01-18 15:58:55 +01:00
* \ name Functions to read in DHM parameters , a certificate , CRL or private RSA key
* \ {
2011-01-06 13:28:03 +01:00
*/
2011-01-18 15:58:55 +01:00
/** \ingroup x509_module */
2013-06-06 15:11:16 +02:00
/**
* \ brief Parse a single DER formatted certificate and add it
* to the chained list .
*
* \ param chain points to the start of the chain
* \ param buf buffer holding the certificate DER data
* \ param buflen size of the buffer
*
* \ return 0 if successful , or a specific X509 or PEM error code
*/
int x509parse_crt_der ( x509_cert * chain , const unsigned char * buf , size_t buflen ) ;
2009-01-03 22:22:43 +01:00
/**
* \ brief Parse one or more certificates and add them
2011-12-10 22:55:01 +01:00
* to the chained list . Parses permissively . If some
* certificates can be parsed , the result is the number
* of failed certificates it encountered . If none complete
* correctly , the first error is returned .
2009-01-03 22:22:43 +01:00
*
* \ param chain points to the start of the chain
* \ param buf buffer holding the certificate data
* \ param buflen size of the buffer
*
2011-12-10 22:55:01 +01:00
* \ return 0 if all certificates parsed successfully , a positive number
* if partly successful or a specific X509 or PEM error code
2009-01-03 22:22:43 +01:00
*/
2011-12-10 22:55:01 +01:00
int x509parse_crt ( x509_cert * chain , const unsigned char * buf , size_t buflen ) ;
2009-01-03 22:22:43 +01:00
2011-01-18 15:58:55 +01:00
/** \ingroup x509_module */
2009-01-03 22:22:43 +01:00
/**
* \ brief Load one or more certificates and add them
2011-12-10 22:55:01 +01:00
* to the chained list . Parses permissively . If some
* certificates can be parsed , the result is the number
* of failed certificates it encountered . If none complete
* correctly , the first error is returned .
2009-01-03 22:22:43 +01:00
*
* \ param chain points to the start of the chain
* \ param path filename to read the certificates from
*
2011-12-10 22:55:01 +01:00
* \ return 0 if all certificates parsed successfully , a positive number
* if partly successful or a specific X509 or PEM error code
2009-01-03 22:22:43 +01:00
*/
2011-12-10 22:55:01 +01:00
int x509parse_crtfile ( x509_cert * chain , const char * path ) ;
2009-01-03 22:22:43 +01:00
2012-06-04 14:46:42 +02:00
/** \ingroup x509_module */
/**
* \ brief Load one or more certificate files from a path and add them
* to the chained list . Parses permissively . If some
* certificates can be parsed , the result is the number
* of failed certificates it encountered . If none complete
* correctly , the first error is returned .
*
* \ param chain points to the start of the chain
* \ param path directory / folder to read the certificate files from
*
* \ return 0 if all certificates parsed successfully , a positive number
* if partly successful or a specific X509 or PEM error code
*/
int x509parse_crtpath ( x509_cert * chain , const char * path ) ;
2011-01-18 15:58:55 +01:00
/** \ingroup x509_module */
2009-05-02 17:13:40 +02:00
/**
* \ brief Parse one or more CRLs and add them
* to the chained list
*
* \ param chain points to the start of the chain
* \ param buf buffer holding the CRL data
* \ param buflen size of the buffer
*
2011-02-12 15:30:57 +01:00
* \ return 0 if successful , or a specific X509 or PEM error code
2009-05-02 17:13:40 +02:00
*/
2011-04-24 10:57:21 +02:00
int x509parse_crl ( x509_crl * chain , const unsigned char * buf , size_t buflen ) ;
2009-05-02 17:13:40 +02:00
2011-01-18 15:58:55 +01:00
/** \ingroup x509_module */
2009-05-02 17:13:40 +02:00
/**
* \ brief Load one or more CRLs and add them
* to the chained list
*
* \ param chain points to the start of the chain
* \ param path filename to read the CRLs from
*
2011-02-12 15:30:57 +01:00
* \ return 0 if successful , or a specific X509 or PEM error code
2009-05-02 17:13:40 +02:00
*/
2010-03-16 22:09:09 +01:00
int x509parse_crlfile ( x509_crl * chain , const char * path ) ;
2009-05-02 17:13:40 +02:00
2011-01-18 15:58:55 +01:00
/** \ingroup x509_module */
2009-01-03 22:22:43 +01:00
/**
* \ brief Parse a private RSA key
*
* \ param rsa RSA context to be initialized
2010-03-16 22:09:09 +01:00
* \ param key input buffer
* \ param keylen size of the buffer
2009-01-03 22:22:43 +01:00
* \ param pwd password for decryption ( optional )
* \ param pwdlen size of the password
*
2011-02-12 15:30:57 +01:00
* \ return 0 if successful , or a specific X509 or PEM error code
2009-01-03 22:22:43 +01:00
*/
int x509parse_key ( rsa_context * rsa ,
2011-04-24 10:57:21 +02:00
const unsigned char * key , size_t keylen ,
const unsigned char * pwd , size_t pwdlen ) ;
2009-01-03 22:22:43 +01:00
2011-01-18 15:58:55 +01:00
/** \ingroup x509_module */
2009-01-03 22:22:43 +01:00
/**
* \ brief Load and parse a private RSA key
*
* \ param rsa RSA context to be initialized
* \ param path filename to read the private key from
2011-01-06 13:28:03 +01:00
* \ param password password to decrypt the file ( can be NULL )
2009-01-03 22:22:43 +01:00
*
2011-02-12 15:30:57 +01:00
* \ return 0 if successful , or a specific X509 or PEM error code
2009-01-03 22:22:43 +01:00
*/
2010-03-16 22:09:09 +01:00
int x509parse_keyfile ( rsa_context * rsa , const char * path ,
const char * password ) ;
2011-01-06 16:48:19 +01:00
2011-03-25 15:23:36 +01:00
/** \ingroup x509_module */
/**
* \ brief Parse a public RSA key
*
* \ param rsa RSA context to be initialized
* \ param key input buffer
* \ param keylen size of the buffer
*
* \ return 0 if successful , or a specific X509 or PEM error code
*/
int x509parse_public_key ( rsa_context * rsa ,
2011-04-24 10:57:21 +02:00
const unsigned char * key , size_t keylen ) ;
2011-03-25 15:23:36 +01:00
/** \ingroup x509_module */
/**
* \ brief Load and parse a public RSA key
*
* \ param rsa RSA context to be initialized
* \ param path filename to read the private key from
*
* \ return 0 if successful , or a specific X509 or PEM error code
*/
int x509parse_public_keyfile ( rsa_context * rsa , const char * path ) ;
2011-01-18 15:58:55 +01:00
/** \ingroup x509_module */
2011-01-06 16:48:19 +01:00
/**
* \ brief Parse DHM parameters
*
* \ param dhm DHM context to be initialized
* \ param dhmin input buffer
* \ param dhminlen size of the buffer
*
2011-02-12 15:30:57 +01:00
* \ return 0 if successful , or a specific X509 or PEM error code
2011-01-06 16:48:19 +01:00
*/
2011-04-24 10:57:21 +02:00
int x509parse_dhm ( dhm_context * dhm , const unsigned char * dhmin , size_t dhminlen ) ;
2011-01-06 16:48:19 +01:00
2011-01-18 15:58:55 +01:00
/** \ingroup x509_module */
2011-01-06 16:48:19 +01:00
/**
* \ brief Load and parse DHM parameters
*
* \ param dhm DHM context to be initialized
* \ param path filename to read the DHM Parameters from
*
2011-02-12 15:30:57 +01:00
* \ return 0 if successful , or a specific X509 or PEM error code
2011-01-06 16:48:19 +01:00
*/
2011-01-27 16:24:17 +01:00
int x509parse_dhmfile ( dhm_context * dhm , const char * path ) ;
2011-01-06 16:48:19 +01:00
2011-01-18 15:58:55 +01:00
/** \} name Functions to read in DHM parameters, a certificate, CRL or private RSA key */
2011-01-06 13:28:03 +01:00
2009-01-03 22:22:43 +01:00
/**
* \ brief Store the certificate DN in printable form into buf ;
2009-05-02 17:13:40 +02:00
* no more than size characters will be written .
2009-07-28 09:18:38 +02:00
*
* \ param buf Buffer to write to
* \ param size Maximum size of buffer
* \ param dn The X509 name to represent
*
* \ return The amount of data written to the buffer , or - 1 in
* case of an error .
2009-01-03 22:22:43 +01:00
*/
2010-03-16 22:09:09 +01:00
int x509parse_dn_gets ( char * buf , size_t size , const x509_name * dn ) ;
2009-01-03 22:22:43 +01:00
2011-01-16 22:34:59 +01:00
/**
* \ brief Store the certificate serial in printable form into buf ;
* no more than size characters will be written .
*
* \ param buf Buffer to write to
* \ param size Maximum size of buffer
* \ param serial The X509 serial to represent
*
* \ return The amount of data written to the buffer , or - 1 in
* case of an error .
*/
int x509parse_serial_gets ( char * buf , size_t size , const x509_buf * serial ) ;
2009-01-03 22:22:43 +01:00
/**
* \ brief Returns an informational string about the
* certificate .
2009-07-28 09:18:38 +02:00
*
* \ param buf Buffer to write to
* \ param size Maximum size of buffer
* \ param prefix A line prefix
* \ param crt The X509 certificate to represent
*
* \ return The amount of data written to the buffer , or - 1 in
* case of an error .
2009-01-03 22:22:43 +01:00
*/
2010-03-16 22:09:09 +01:00
int x509parse_cert_info ( char * buf , size_t size , const char * prefix ,
const x509_cert * crt ) ;
2009-05-02 17:13:40 +02:00
/**
* \ brief Returns an informational string about the
* CRL .
2009-07-28 09:18:38 +02:00
*
* \ param buf Buffer to write to
* \ param size Maximum size of buffer
* \ param prefix A line prefix
2011-01-06 13:28:03 +01:00
* \ param crl The X509 CRL to represent
2009-07-28 09:18:38 +02:00
*
* \ return The amount of data written to the buffer , or - 1 in
* case of an error .
2009-05-02 17:13:40 +02:00
*/
2010-03-16 22:09:09 +01:00
int x509parse_crl_info ( char * buf , size_t size , const char * prefix ,
const x509_crl * crl ) ;
2009-01-03 22:22:43 +01:00
2011-01-15 17:57:55 +01:00
/**
* \ brief Give an known OID , return its descriptive string .
*
* \ param oid buffer containing the oid
*
* \ return Return a string if the OID is known ,
* or NULL otherwise .
*/
const char * x509_oid_get_description ( x509_buf * oid ) ;
2012-11-14 13:39:52 +01:00
/**
2011-01-15 17:57:55 +01:00
* \ brief Give an OID , return a string version of its OID number .
*
* \ param buf Buffer to write to
* \ param size Maximum size of buffer
* \ param oid Buffer containing the OID
*
* \ return The amount of data written to the buffer , or - 1 in
* case of an error .
*/
int x509_oid_get_numeric_string ( char * buf , size_t size , x509_buf * oid ) ;
2009-01-03 22:22:43 +01:00
/**
2009-07-28 09:18:38 +02:00
* \ brief Check a given x509_time against the system time and check
2014-07-07 17:44:14 +02:00
* if it is not expired .
2009-07-28 09:18:38 +02:00
*
* \ param time x509_time to check
*
2014-07-07 17:44:14 +02:00
* \ return 0 if the x509_time is still valid ,
2009-05-03 12:18:48 +02:00
* or 1 otherwise .
2009-01-03 22:22:43 +01:00
*/
2010-03-16 22:09:09 +01:00
int x509parse_time_expired ( const x509_time * time ) ;
2009-01-03 22:22:43 +01:00
2014-07-07 17:44:14 +02:00
/**
* \ brief Check a given x509_time against the system time and check
* if it is not from the future .
*
* \ param time x509_time to check
*
* \ return 0 if the x509_time is already valid ,
* or 1 otherwise .
*/
int x509parse_time_future ( const x509_time * time ) ;
2011-01-06 13:28:03 +01:00
/**
2011-01-18 15:58:55 +01:00
* \ name Functions to verify a certificate
* \ {
2011-01-06 13:28:03 +01:00
*/
2011-01-18 15:58:55 +01:00
/** \ingroup x509_module */
2009-01-03 22:22:43 +01:00
/**
* \ brief Verify the certificate signature
*
2012-09-28 09:10:55 +02:00
* The verify callback is a user - supplied callback that
* can clear / modify / add flags for a certificate . If set ,
* the verification callback is called for each
* certificate in the chain ( from the trust - ca down to the
* presented crt ) . The parameters for the callback are :
* ( void * parameter , x509_cert * crt , int certificate_depth ,
* int * flags ) . With the flags representing current flags for
* that specific certificate and the certificate depth from
2012-11-14 13:39:52 +01:00
* the bottom ( Peer cert depth = 0 ) .
2012-09-28 09:10:55 +02:00
*
* All flags left after returning from the callback
* are also returned to the application . The function should
* return 0 for anything but a fatal error .
*
2009-01-03 22:22:43 +01:00
* \ param crt a certificate to be verified
* \ param trust_ca the trusted CA chain
2009-05-03 12:18:48 +02:00
* \ param ca_crl the CRL chain for trusted CA ' s
2009-01-03 22:22:43 +01:00
* \ param cn expected Common Name ( can be set to
* NULL if the CN must not be verified )
* \ param flags result of the verification
2011-01-13 18:54:59 +01:00
* \ param f_vrfy verification function
* \ param p_vrfy verification parameter
2009-01-03 22:22:43 +01:00
*
2009-01-03 22:51:57 +01:00
* \ return 0 if successful or POLARSSL_ERR_X509_SIG_VERIFY_FAILED ,
2009-01-03 22:22:43 +01:00
* in which case * flags will have one or more of
* the following values set :
* BADCERT_EXPIRED - -
* BADCERT_REVOKED - -
* BADCERT_CN_MISMATCH - -
* BADCERT_NOT_TRUSTED
2012-09-28 09:10:55 +02:00
* or another error in case of a fatal error encountered
* during the verification process .
2009-01-03 22:22:43 +01:00
*/
int x509parse_verify ( x509_cert * crt ,
x509_cert * trust_ca ,
2009-05-03 12:18:48 +02:00
x509_crl * ca_crl ,
2011-01-13 18:54:59 +01:00
const char * cn , int * flags ,
2012-09-28 09:10:55 +02:00
int ( * f_vrfy ) ( void * , x509_cert * , int , int * ) ,
2011-01-13 18:54:59 +01:00
void * p_vrfy ) ;
2009-01-03 22:22:43 +01:00
2011-01-15 17:57:55 +01:00
/**
* \ brief Verify the certificate signature
*
* \ param crt a certificate to be verified
* \ param crl the CRL to verify against
*
* \ return 1 if the certificate is revoked , 0 otherwise
*
*/
int x509parse_revoked ( const x509_cert * crt , const x509_crl * crl ) ;
2011-01-18 15:58:55 +01:00
/** \} name Functions to verify a certificate */
2011-01-06 13:28:03 +01:00
/**
2011-01-18 15:58:55 +01:00
* \ name Functions to clear a certificate , CRL or private RSA key
* \ {
2011-01-06 13:28:03 +01:00
*/
2011-01-18 15:58:55 +01:00
/** \ingroup x509_module */
2009-01-03 22:22:43 +01:00
/**
* \ brief Unallocate all certificate data
2009-07-28 09:18:38 +02:00
*
* \ param crt Certificate chain to free
2009-01-03 22:22:43 +01:00
*/
void x509_free ( x509_cert * crt ) ;
2011-01-18 15:58:55 +01:00
/** \ingroup x509_module */
2009-05-02 17:13:40 +02:00
/**
* \ brief Unallocate all CRL data
2009-07-28 09:18:38 +02:00
*
2011-01-06 13:28:03 +01:00
* \ param crl CRL chain to free
2009-05-02 17:13:40 +02:00
*/
void x509_crl_free ( x509_crl * crl ) ;
2011-01-18 15:58:55 +01:00
/** \} name Functions to clear a certificate, CRL or private RSA key */
2011-01-06 13:28:03 +01:00
2009-01-03 22:22:43 +01:00
/**
* \ brief Checkup routine
*
* \ return 0 if successful , or 1 if the test failed
*/
int x509_self_test ( int verbose ) ;
# ifdef __cplusplus
}
# endif
# endif /* x509.h */