Google Git
Sign in
pigweed / third_party / github / ARMmbed / mbedtls / 8e831edc2467e7b97e6dba109e46adec632925d0 / . / include / polarssl / x509.h
blob: 9d9ef99a5b564e085abca54f0f7f30e2c1f5513d [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/**
2 * \file x509.h
3 */
4#ifndef XYSSL_X509_H
5#define XYSSL_X509_H
6
Paul Bakker8e831ed2009-01-03 21:24:11 +0000[diff] [blame^]7#include "polarssl/rsa.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]8
9#define XYSSL_ERR_ASN1_OUT_OF_DATA -0x0014
10#define XYSSL_ERR_ASN1_UNEXPECTED_TAG -0x0016
11#define XYSSL_ERR_ASN1_INVALID_LENGTH -0x0018
12#define XYSSL_ERR_ASN1_LENGTH_MISMATCH -0x001A
13#define XYSSL_ERR_ASN1_INVALID_DATA -0x001C
14
15#define XYSSL_ERR_X509_FEATURE_UNAVAILABLE -0x0020
16#define XYSSL_ERR_X509_CERT_INVALID_PEM -0x0040
17#define XYSSL_ERR_X509_CERT_INVALID_FORMAT -0x0060
18#define XYSSL_ERR_X509_CERT_INVALID_VERSION -0x0080
19#define XYSSL_ERR_X509_CERT_INVALID_SERIAL -0x00A0
20#define XYSSL_ERR_X509_CERT_INVALID_ALG -0x00C0
21#define XYSSL_ERR_X509_CERT_INVALID_NAME -0x00E0
22#define XYSSL_ERR_X509_CERT_INVALID_DATE -0x0100
23#define XYSSL_ERR_X509_CERT_INVALID_PUBKEY -0x0120
24#define XYSSL_ERR_X509_CERT_INVALID_SIGNATURE -0x0140
25#define XYSSL_ERR_X509_CERT_INVALID_EXTENSIONS -0x0160
26#define XYSSL_ERR_X509_CERT_UNKNOWN_VERSION -0x0180
27#define XYSSL_ERR_X509_CERT_UNKNOWN_SIG_ALG -0x01A0
28#define XYSSL_ERR_X509_CERT_UNKNOWN_PK_ALG -0x01C0
29#define XYSSL_ERR_X509_CERT_SIG_MISMATCH -0x01E0
30#define XYSSL_ERR_X509_CERT_VERIFY_FAILED -0x0200
31#define XYSSL_ERR_X509_KEY_INVALID_PEM -0x0220
32#define XYSSL_ERR_X509_KEY_INVALID_VERSION -0x0240
33#define XYSSL_ERR_X509_KEY_INVALID_FORMAT -0x0260
34#define XYSSL_ERR_X509_KEY_INVALID_ENC_IV -0x0280
35#define XYSSL_ERR_X509_KEY_UNKNOWN_ENC_ALG -0x02A0
36#define XYSSL_ERR_X509_KEY_PASSWORD_REQUIRED -0x02C0
37#define XYSSL_ERR_X509_KEY_PASSWORD_MISMATCH -0x02E0
38#define XYSSL_ERR_X509_POINT_ERROR -0x0300
39#define XYSSL_ERR_X509_VALUE_TO_LENGTH -0x0320
40
41#define BADCERT_EXPIRED 1
42#define BADCERT_REVOKED 2
43#define BADCERT_CN_MISMATCH 4
44#define BADCERT_NOT_TRUSTED 8
45
46/*
47 * DER constants
48 */
49#define ASN1_BOOLEAN 0x01
50#define ASN1_INTEGER 0x02
51#define ASN1_BIT_STRING 0x03
52#define ASN1_OCTET_STRING 0x04
53#define ASN1_NULL 0x05
54#define ASN1_OID 0x06
55#define ASN1_UTF8_STRING 0x0C
56#define ASN1_SEQUENCE 0x10
57#define ASN1_SET 0x11
58#define ASN1_PRINTABLE_STRING 0x13
59#define ASN1_T61_STRING 0x14
60#define ASN1_IA5_STRING 0x16
61#define ASN1_UTC_TIME 0x17
62#define ASN1_UNIVERSAL_STRING 0x1C
63#define ASN1_BMP_STRING 0x1E
64#define ASN1_PRIMITIVE 0x00
65#define ASN1_CONSTRUCTED 0x20
66#define ASN1_CONTEXT_SPECIFIC 0x80
67
68/*
69 * various object identifiers
70 */
71#define X520_COMMON_NAME 3
72#define X520_COUNTRY 6
73#define X520_LOCALITY 7
74#define X520_STATE 8
75#define X520_ORGANIZATION 10
76#define X520_ORG_UNIT 11
77#define PKCS9_EMAIL 1
78
79#define X509_OUTPUT_DER 0x01
80#define X509_OUTPUT_PEM 0x02
81#define PEM_LINE_LENGTH 72
82#define X509_ISSUER 0x01
83#define X509_SUBJECT 0x02
84
85#define OID_X520 "\x55\x04"
86#define OID_CN "\x55\x04\x03"
87#define OID_PKCS1 "\x2A\x86\x48\x86\xF7\x0D\x01\x01"
88#define OID_PKCS1_RSA "\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01"
89#define OID_PKCS1_RSA_SHA "\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05"
90#define OID_PKCS9 "\x2A\x86\x48\x86\xF7\x0D\x01\x09"
91#define OID_PKCS9_EMAIL "\x2A\x86\x48\x86\xF7\x0D\x01\x09\x01"
92
93/*
94 * Structures for parsing X.509 certificates
95 */
96typedef struct _x509_buf
97{
98 int tag;
99 int len;
100 unsigned char *p;
101}
102x509_buf;
103
104typedef struct _x509_name
105{
106 x509_buf oid;
107 x509_buf val;
108 struct _x509_name *next;
109}
110x509_name;
111
112typedef struct _x509_time
113{
114 int year, mon, day;
115 int hour, min, sec;
116}
117x509_time;
118
119typedef struct _x509_cert
120{
121 x509_buf raw;
122 x509_buf tbs;
123
124 int version;
125 x509_buf serial;
126 x509_buf sig_oid1;
127
128 x509_buf issuer_raw;
129 x509_buf subject_raw;
130
131 x509_name issuer;
132 x509_name subject;
133
134 x509_time valid_from;
135 x509_time valid_to;
136
137 x509_buf pk_oid;
138 rsa_context rsa;
139
140 x509_buf issuer_id;
141 x509_buf subject_id;
142 x509_buf v3_ext;
143
144 int ca_istrue;
145 int max_pathlen;
146
147 x509_buf sig_oid2;
148 x509_buf sig;
149
150 struct _x509_cert *next;
151}
152x509_cert;
153
154/*
155 * Structures for writing X.509 certificates
156 */
157typedef struct _x509_node
158{
159 unsigned char *data;
160 unsigned char *p;
161 unsigned char *end;
162
163 size_t len;
164}
165x509_node;
166
167typedef struct _x509_raw
168{
169 x509_node raw;
170 x509_node tbs;
171
172 x509_node version;
173 x509_node serial;
174 x509_node tbs_signalg;
175 x509_node issuer;
176 x509_node validity;
177 x509_node subject;
178 x509_node subpubkey;
179
180 x509_node signalg;
181 x509_node sign;
182}
183x509_raw;
184
185#ifdef __cplusplus
186extern "C" {
187#endif
188
189/**
190 * \brief Parse one or more certificates and add them
191 * to the chained list
192 *
193 * \param chain points to the start of the chain
194 * \param buf buffer holding the certificate data
195 * \param buflen size of the buffer
196 *
197 * \return 0 if successful, or a specific X509 error code
198 */
199int x509parse_crt( x509_cert *crt, unsigned char *buf, int buflen );
200
201/**
202 * \brief Load one or more certificates and add them
203 * to the chained list
204 *
205 * \param chain points to the start of the chain
206 * \param path filename to read the certificates from
207 *
208 * \return 0 if successful, or a specific X509 error code
209 */
210int x509parse_crtfile( x509_cert *crt, char *path );
211
212/**
213 * \brief Parse a private RSA key
214 *
215 * \param rsa RSA context to be initialized
216 * \param buf input buffer
217 * \param buflen size of the buffer
218 * \param pwd password for decryption (optional)
219 * \param pwdlen size of the password
220 *
221 * \return 0 if successful, or a specific X509 error code
222 */
223int x509parse_key( rsa_context *rsa,
224 unsigned char *buf, int buflen,
225 unsigned char *pwd, int pwdlen );
226
227/**
228 * \brief Load and parse a private RSA key
229 *
230 * \param rsa RSA context to be initialized
231 * \param path filename to read the private key from
232 * \param pwd password to decrypt the file (can be NULL)
233 *
234 * \return 0 if successful, or a specific X509 error code
235 */
236int x509parse_keyfile( rsa_context *rsa, char *path, char *password );
237
238/**
239 * \brief Store the certificate DN in printable form into buf;
240 * no more than (end - buf) characters will be written.
241 */
242int x509parse_dn_gets( char *buf, char *end, x509_name *dn );
243
244/**
245 * \brief Returns an informational string about the
246 * certificate.
247 */
248char *x509parse_cert_info( char *prefix, x509_cert *crt );
249
250/**
251 * \brief Return 0 if the certificate is still valid,
252 * or BADCERT_EXPIRED
253 */
254int x509parse_expired( x509_cert *crt );
255
256/**
257 * \brief Verify the certificate signature
258 *
259 * \param crt a certificate to be verified
260 * \param trust_ca the trusted CA chain
261 * \param cn expected Common Name (can be set to
262 * NULL if the CN must not be verified)
263 * \param flags result of the verification
264 *
265 * \return 0 if successful or XYSSL_ERR_X509_SIG_VERIFY_FAILED,
266 * in which case *flags will have one or more of
267 * the following values set:
268 * BADCERT_EXPIRED --
269 * BADCERT_REVOKED --
270 * BADCERT_CN_MISMATCH --
271 * BADCERT_NOT_TRUSTED
272 *
273 * \note TODO: add two arguments, depth and crl
274 */
275int x509parse_verify( x509_cert *crt,
276 x509_cert *trust_ca,
277 char *cn, int *flags );
278
279/**
280 * \brief Unallocate all certificate data
281 */
282void x509_free( x509_cert *crt );
283
284/**
285 * \brief Checkup routine
286 *
287 * \return 0 if successful, or 1 if the test failed
288 */
289int x509_self_test( int verbose );
290
291#ifdef __cplusplus
292}
293#endif
294
295#endif /* x509.h */