Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1 | /** |
| 2 | * \file x509.h |
Paul Bakker | e0ccd0a | 2009-01-04 16:27:10 +0000 | [diff] [blame] | 3 | * |
Paul Bakker | 37ca75d | 2011-01-06 12:28:03 +0000 | [diff] [blame] | 4 | * \brief X.509 certificate and private key decoding |
| 5 | * |
Paul Bakker | efc3029 | 2011-11-10 14:43:23 +0000 | [diff] [blame] | 6 | * Copyright (C) 2006-2011, Brainspark B.V. |
Paul Bakker | b96f154 | 2010-07-18 20:36:00 +0000 | [diff] [blame] | 7 | * |
| 8 | * This file is part of PolarSSL (http://www.polarssl.org) |
Paul Bakker | 84f12b7 | 2010-07-18 10:13:04 +0000 | [diff] [blame] | 9 | * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org> |
Paul Bakker | b96f154 | 2010-07-18 20:36:00 +0000 | [diff] [blame] | 10 | * |
Paul Bakker | 77b385e | 2009-07-28 17:23:11 +0000 | [diff] [blame] | 11 | * All rights reserved. |
Paul Bakker | e0ccd0a | 2009-01-04 16:27:10 +0000 | [diff] [blame] | 12 | * |
Paul Bakker | e0ccd0a | 2009-01-04 16:27:10 +0000 | [diff] [blame] | 13 | * This program is free software; you can redistribute it and/or modify |
| 14 | * it under the terms of the GNU General Public License as published by |
| 15 | * the Free Software Foundation; either version 2 of the License, or |
| 16 | * (at your option) any later version. |
| 17 | * |
| 18 | * This program is distributed in the hope that it will be useful, |
| 19 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
| 20 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| 21 | * GNU General Public License for more details. |
| 22 | * |
| 23 | * You should have received a copy of the GNU General Public License along |
| 24 | * with this program; if not, write to the Free Software Foundation, Inc., |
| 25 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 26 | */ |
Paul Bakker | 40e4694 | 2009-01-03 21:51:57 +0000 | [diff] [blame] | 27 | #ifndef POLARSSL_X509_H |
| 28 | #define POLARSSL_X509_H |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 29 | |
Paul Bakker | efc3029 | 2011-11-10 14:43:23 +0000 | [diff] [blame] | 30 | #include "asn1.h" |
Paul Bakker | 314052f | 2011-08-15 09:07:52 +0000 | [diff] [blame] | 31 | #include "rsa.h" |
| 32 | #include "dhm.h" |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 33 | |
Paul Bakker | 37ca75d | 2011-01-06 12:28:03 +0000 | [diff] [blame] | 34 | /** |
Paul Bakker | 0f5f72e | 2011-01-18 14:58:55 +0000 | [diff] [blame] | 35 | * \addtogroup x509_module |
| 36 | * \{ |
Paul Bakker | 13e2dfe | 2009-07-28 07:18:38 +0000 | [diff] [blame] | 37 | */ |
Paul Bakker | 37ca75d | 2011-01-06 12:28:03 +0000 | [diff] [blame] | 38 | |
Paul Bakker | 37ca75d | 2011-01-06 12:28:03 +0000 | [diff] [blame] | 39 | /** |
Paul Bakker | 0f5f72e | 2011-01-18 14:58:55 +0000 | [diff] [blame] | 40 | * \name X509 Error codes |
| 41 | * \{ |
Paul Bakker | 13e2dfe | 2009-07-28 07:18:38 +0000 | [diff] [blame] | 42 | */ |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 43 | #define POLARSSL_ERR_X509_FEATURE_UNAVAILABLE -0x2080 /**< Unavailable feature, e.g. RSA hashing/encryption combination. */ |
| 44 | #define POLARSSL_ERR_X509_CERT_INVALID_PEM -0x2100 /**< The PEM-encoded certificate contains invalid elements, e.g. invalid character. */ |
| 45 | #define POLARSSL_ERR_X509_CERT_INVALID_FORMAT -0x2180 /**< The certificate format is invalid, e.g. different type expected. */ |
| 46 | #define POLARSSL_ERR_X509_CERT_INVALID_VERSION -0x2200 /**< The certificate version element is invalid. */ |
| 47 | #define POLARSSL_ERR_X509_CERT_INVALID_SERIAL -0x2280 /**< The serial tag or value is invalid. */ |
| 48 | #define POLARSSL_ERR_X509_CERT_INVALID_ALG -0x2300 /**< The algorithm tag or value is invalid. */ |
| 49 | #define POLARSSL_ERR_X509_CERT_INVALID_NAME -0x2380 /**< The name tag or value is invalid. */ |
| 50 | #define POLARSSL_ERR_X509_CERT_INVALID_DATE -0x2400 /**< The date tag or value is invalid. */ |
| 51 | #define POLARSSL_ERR_X509_CERT_INVALID_PUBKEY -0x2480 /**< The pubkey tag or value is invalid (only RSA is supported). */ |
| 52 | #define POLARSSL_ERR_X509_CERT_INVALID_SIGNATURE -0x2500 /**< The signature tag or value invalid. */ |
| 53 | #define POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS -0x2580 /**< The extension tag or value is invalid. */ |
| 54 | #define POLARSSL_ERR_X509_CERT_UNKNOWN_VERSION -0x2600 /**< Certificate or CRL has an unsupported version number. */ |
| 55 | #define POLARSSL_ERR_X509_CERT_UNKNOWN_SIG_ALG -0x2680 /**< Signature algorithm (oid) is unsupported. */ |
Paul Bakker | ed56b22 | 2011-07-13 11:26:43 +0000 | [diff] [blame] | 56 | #define POLARSSL_ERR_X509_UNKNOWN_PK_ALG -0x2700 /**< Key algorithm is unsupported (only RSA is supported). */ |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 57 | #define POLARSSL_ERR_X509_CERT_SIG_MISMATCH -0x2780 /**< Certificate signature algorithms do not match. (see \c ::x509_cert sig_oid) */ |
| 58 | #define POLARSSL_ERR_X509_CERT_VERIFY_FAILED -0x2800 /**< Certificate verification failed, e.g. CRL, CA or signature check failed. */ |
| 59 | #define POLARSSL_ERR_X509_KEY_INVALID_VERSION -0x2880 /**< Unsupported RSA key version */ |
| 60 | #define POLARSSL_ERR_X509_KEY_INVALID_FORMAT -0x2900 /**< Invalid RSA key tag or value. */ |
Paul Bakker | 6c0ceb3 | 2011-12-04 12:24:18 +0000 | [diff] [blame] | 61 | #define POLARSSL_ERR_X509_CERT_UNKNOWN_FORMAT -0x2980 /**< Format not recognized as DER or PEM. */ |
Paul Bakker | 69e095c | 2011-12-10 21:55:01 +0000 | [diff] [blame] | 62 | #define POLARSSL_ERR_X509_INVALID_INPUT -0x2A00 /**< Input invalid. */ |
| 63 | #define POLARSSL_ERR_X509_MALLOC_FAILED -0x2A80 /**< Allocation of memory failed. */ |
| 64 | #define POLARSSL_ERR_X509_FILE_IO_ERROR -0x2B00 /**< Read/write of file failed. */ |
Paul Bakker | 0f5f72e | 2011-01-18 14:58:55 +0000 | [diff] [blame] | 65 | /* \} name */ |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 66 | |
Paul Bakker | 37ca75d | 2011-01-06 12:28:03 +0000 | [diff] [blame] | 67 | |
| 68 | /** |
Paul Bakker | 0f5f72e | 2011-01-18 14:58:55 +0000 | [diff] [blame] | 69 | * \name X509 Verify codes |
| 70 | * \{ |
Paul Bakker | 37ca75d | 2011-01-06 12:28:03 +0000 | [diff] [blame] | 71 | */ |
Paul Bakker | cdf07e9 | 2011-01-30 17:05:13 +0000 | [diff] [blame] | 72 | #define BADCERT_EXPIRED 0x01 /**< The certificate validity has expired. */ |
| 73 | #define BADCERT_REVOKED 0x02 /**< The certificate has been revoked (is on a CRL). */ |
| 74 | #define BADCERT_CN_MISMATCH 0x04 /**< The certificate Common Name (CN) does not match with the expected CN. */ |
| 75 | #define BADCERT_NOT_TRUSTED 0x08 /**< The certificate is not correctly signed by the trusted CA. */ |
| 76 | #define BADCRL_NOT_TRUSTED 0x10 /**< CRL is not correctly signed by the trusted CA. */ |
| 77 | #define BADCRL_EXPIRED 0x20 /**< CRL is expired. */ |
| 78 | #define BADCERT_MISSING 0x40 /**< Certificate was missing. */ |
| 79 | #define BADCERT_SKIP_VERIFY 0x80 /**< Certificate verification was skipped. */ |
Paul Bakker | 0f5f72e | 2011-01-18 14:58:55 +0000 | [diff] [blame] | 80 | /* \} name */ |
Paul Bakker | 0f5f72e | 2011-01-18 14:58:55 +0000 | [diff] [blame] | 81 | /* \} addtogroup x509_module */ |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 82 | |
| 83 | /* |
| 84 | * various object identifiers |
| 85 | */ |
| 86 | #define X520_COMMON_NAME 3 |
| 87 | #define X520_COUNTRY 6 |
| 88 | #define X520_LOCALITY 7 |
| 89 | #define X520_STATE 8 |
| 90 | #define X520_ORGANIZATION 10 |
| 91 | #define X520_ORG_UNIT 11 |
| 92 | #define PKCS9_EMAIL 1 |
| 93 | |
| 94 | #define X509_OUTPUT_DER 0x01 |
| 95 | #define X509_OUTPUT_PEM 0x02 |
| 96 | #define PEM_LINE_LENGTH 72 |
| 97 | #define X509_ISSUER 0x01 |
| 98 | #define X509_SUBJECT 0x02 |
| 99 | |
| 100 | #define OID_X520 "\x55\x04" |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 101 | #define OID_CN OID_X520 "\x03" |
Paul Bakker | bdb912d | 2012-02-13 23:11:30 +0000 | [diff] [blame] | 102 | #define OID_COUNTRY OID_X520 "\x06" |
| 103 | #define OID_LOCALITY OID_X520 "\x07" |
| 104 | #define OID_STATE OID_X520 "\x08" |
| 105 | #define OID_ORGANIZATION OID_X520 "\x0A" |
| 106 | #define OID_ORG_UNIT OID_X520 "\x0B" |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 107 | |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 108 | #define OID_PKCS1 "\x2A\x86\x48\x86\xF7\x0D\x01\x01" |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 109 | #define OID_PKCS1_RSA OID_PKCS1 "\x01" |
Paul Bakker | bdb912d | 2012-02-13 23:11:30 +0000 | [diff] [blame] | 110 | #define OID_PKCS1_SHA1 OID_PKCS1 "\x05" |
Paul Bakker | 400ff6f | 2011-02-20 10:40:16 +0000 | [diff] [blame] | 111 | |
| 112 | #define OID_RSA_SHA_OBS "\x2B\x0E\x03\x02\x1D" |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 113 | |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 114 | #define OID_PKCS9 "\x2A\x86\x48\x86\xF7\x0D\x01\x09" |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 115 | #define OID_PKCS9_EMAIL OID_PKCS9 "\x01" |
| 116 | |
| 117 | /** ISO arc for standard certificate and CRL extensions */ |
| 118 | #define OID_ID_CE "\x55\x1D" /**< id-ce OBJECT IDENTIFIER ::= {joint-iso-ccitt(2) ds(5) 29} */ |
| 119 | |
| 120 | /** |
| 121 | * Private Internet Extensions |
| 122 | * { iso(1) identified-organization(3) dod(6) internet(1) |
| 123 | * security(5) mechanisms(5) pkix(7) } |
| 124 | */ |
| 125 | #define OID_PKIX "\x2B\x06\x01\x05\x05\x07" |
| 126 | |
| 127 | /* |
| 128 | * OIDs for standard certificate extensions |
| 129 | */ |
| 130 | #define OID_AUTHORITY_KEY_IDENTIFIER OID_ID_CE "\x23" /**< id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 35 } */ |
| 131 | #define OID_SUBJECT_KEY_IDENTIFIER OID_ID_CE "\x0E" /**< id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 14 } */ |
| 132 | #define OID_KEY_USAGE OID_ID_CE "\x0F" /**< id-ce-keyUsage OBJECT IDENTIFIER ::= { id-ce 15 } */ |
| 133 | #define OID_CERTIFICATE_POLICIES OID_ID_CE "\x20" /**< id-ce-certificatePolicies OBJECT IDENTIFIER ::= { id-ce 32 } */ |
| 134 | #define OID_POLICY_MAPPINGS OID_ID_CE "\x21" /**< id-ce-policyMappings OBJECT IDENTIFIER ::= { id-ce 33 } */ |
| 135 | #define OID_SUBJECT_ALT_NAME OID_ID_CE "\x11" /**< id-ce-subjectAltName OBJECT IDENTIFIER ::= { id-ce 17 } */ |
| 136 | #define OID_ISSUER_ALT_NAME OID_ID_CE "\x12" /**< id-ce-issuerAltName OBJECT IDENTIFIER ::= { id-ce 18 } */ |
| 137 | #define OID_SUBJECT_DIRECTORY_ATTRS OID_ID_CE "\x09" /**< id-ce-subjectDirectoryAttributes OBJECT IDENTIFIER ::= { id-ce 9 } */ |
| 138 | #define OID_BASIC_CONSTRAINTS OID_ID_CE "\x13" /**< id-ce-basicConstraints OBJECT IDENTIFIER ::= { id-ce 19 } */ |
| 139 | #define OID_NAME_CONSTRAINTS OID_ID_CE "\x1E" /**< id-ce-nameConstraints OBJECT IDENTIFIER ::= { id-ce 30 } */ |
| 140 | #define OID_POLICY_CONSTRAINTS OID_ID_CE "\x24" /**< id-ce-policyConstraints OBJECT IDENTIFIER ::= { id-ce 36 } */ |
| 141 | #define OID_EXTENDED_KEY_USAGE OID_ID_CE "\x25" /**< id-ce-extKeyUsage OBJECT IDENTIFIER ::= { id-ce 37 } */ |
| 142 | #define OID_CRL_DISTRIBUTION_POINTS OID_ID_CE "\x1F" /**< id-ce-cRLDistributionPoints OBJECT IDENTIFIER ::= { id-ce 31 } */ |
| 143 | #define OID_INIHIBIT_ANYPOLICY OID_ID_CE "\x36" /**< id-ce-inhibitAnyPolicy OBJECT IDENTIFIER ::= { id-ce 54 } */ |
| 144 | #define OID_FRESHEST_CRL OID_ID_CE "\x2E" /**< id-ce-freshestCRL OBJECT IDENTIFIER ::= { id-ce 46 } */ |
| 145 | |
| 146 | /* |
| 147 | * X.509 v3 Key Usage Extension flags |
| 148 | */ |
| 149 | #define KU_DIGITAL_SIGNATURE (0x80) /* bit 0 */ |
| 150 | #define KU_NON_REPUDIATION (0x40) /* bit 1 */ |
| 151 | #define KU_KEY_ENCIPHERMENT (0x20) /* bit 2 */ |
| 152 | #define KU_DATA_ENCIPHERMENT (0x10) /* bit 3 */ |
| 153 | #define KU_KEY_AGREEMENT (0x08) /* bit 4 */ |
| 154 | #define KU_KEY_CERT_SIGN (0x04) /* bit 5 */ |
| 155 | #define KU_CRL_SIGN (0x02) /* bit 6 */ |
| 156 | |
| 157 | /* |
| 158 | * X.509 v3 Extended key usage OIDs |
| 159 | */ |
| 160 | #define OID_ANY_EXTENDED_KEY_USAGE OID_EXTENDED_KEY_USAGE "\x00" /**< anyExtendedKeyUsage OBJECT IDENTIFIER ::= { id-ce-extKeyUsage 0 } */ |
| 161 | |
| 162 | #define OID_KP OID_PKIX "\x03" /**< id-kp OBJECT IDENTIFIER ::= { id-pkix 3 } */ |
| 163 | #define OID_SERVER_AUTH OID_KP "\x01" /**< id-kp-serverAuth OBJECT IDENTIFIER ::= { id-kp 1 } */ |
| 164 | #define OID_CLIENT_AUTH OID_KP "\x02" /**< id-kp-clientAuth OBJECT IDENTIFIER ::= { id-kp 2 } */ |
| 165 | #define OID_CODE_SIGNING OID_KP "\x03" /**< id-kp-codeSigning OBJECT IDENTIFIER ::= { id-kp 3 } */ |
| 166 | #define OID_EMAIL_PROTECTION OID_KP "\x04" /**< id-kp-emailProtection OBJECT IDENTIFIER ::= { id-kp 4 } */ |
| 167 | #define OID_TIME_STAMPING OID_KP "\x08" /**< id-kp-timeStamping OBJECT IDENTIFIER ::= { id-kp 8 } */ |
| 168 | #define OID_OCSP_SIGNING OID_KP "\x09" /**< id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 } */ |
| 169 | |
| 170 | #define STRING_SERVER_AUTH "TLS Web Server Authentication" |
| 171 | #define STRING_CLIENT_AUTH "TLS Web Client Authentication" |
| 172 | #define STRING_CODE_SIGNING "Code Signing" |
| 173 | #define STRING_EMAIL_PROTECTION "E-mail Protection" |
| 174 | #define STRING_TIME_STAMPING "Time Stamping" |
| 175 | #define STRING_OCSP_SIGNING "OCSP Signing" |
| 176 | |
| 177 | /* |
| 178 | * OIDs for CRL extensions |
| 179 | */ |
| 180 | #define OID_PRIVATE_KEY_USAGE_PERIOD OID_ID_CE "\x10" |
| 181 | #define OID_CRL_NUMBER OID_ID_CE "\x14" /**< id-ce-cRLNumber OBJECT IDENTIFIER ::= { id-ce 20 } */ |
| 182 | |
| 183 | /* |
| 184 | * Netscape certificate extensions |
| 185 | */ |
| 186 | #define OID_NETSCAPE "\x60\x86\x48\x01\x86\xF8\x42" /**< Netscape OID */ |
| 187 | #define OID_NS_CERT OID_NETSCAPE "\x01" |
| 188 | #define OID_NS_CERT_TYPE OID_NS_CERT "\x01" |
| 189 | #define OID_NS_BASE_URL OID_NS_CERT "\x02" |
| 190 | #define OID_NS_REVOCATION_URL OID_NS_CERT "\x03" |
| 191 | #define OID_NS_CA_REVOCATION_URL OID_NS_CERT "\x04" |
| 192 | #define OID_NS_RENEWAL_URL OID_NS_CERT "\x07" |
| 193 | #define OID_NS_CA_POLICY_URL OID_NS_CERT "\x08" |
| 194 | #define OID_NS_SSL_SERVER_NAME OID_NS_CERT "\x0C" |
| 195 | #define OID_NS_COMMENT OID_NS_CERT "\x0D" |
| 196 | #define OID_NS_DATA_TYPE OID_NETSCAPE "\x02" |
| 197 | #define OID_NS_CERT_SEQUENCE OID_NS_DATA_TYPE "\x05" |
| 198 | |
| 199 | /* |
| 200 | * Netscape certificate types |
| 201 | * (http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn3.html) |
| 202 | */ |
| 203 | |
| 204 | #define NS_CERT_TYPE_SSL_CLIENT (0x80) /* bit 0 */ |
| 205 | #define NS_CERT_TYPE_SSL_SERVER (0x40) /* bit 1 */ |
| 206 | #define NS_CERT_TYPE_EMAIL (0x20) /* bit 2 */ |
| 207 | #define NS_CERT_TYPE_OBJECT_SIGNING (0x10) /* bit 3 */ |
| 208 | #define NS_CERT_TYPE_RESERVED (0x08) /* bit 4 */ |
| 209 | #define NS_CERT_TYPE_SSL_CA (0x04) /* bit 5 */ |
| 210 | #define NS_CERT_TYPE_EMAIL_CA (0x02) /* bit 6 */ |
| 211 | #define NS_CERT_TYPE_OBJECT_SIGNING_CA (0x01) /* bit 7 */ |
| 212 | |
| 213 | #define EXT_AUTHORITY_KEY_IDENTIFIER (1 << 0) |
| 214 | #define EXT_SUBJECT_KEY_IDENTIFIER (1 << 1) |
| 215 | #define EXT_KEY_USAGE (1 << 2) |
| 216 | #define EXT_CERTIFICATE_POLICIES (1 << 3) |
| 217 | #define EXT_POLICY_MAPPINGS (1 << 4) |
| 218 | #define EXT_SUBJECT_ALT_NAME (1 << 5) |
| 219 | #define EXT_ISSUER_ALT_NAME (1 << 6) |
| 220 | #define EXT_SUBJECT_DIRECTORY_ATTRS (1 << 7) |
| 221 | #define EXT_BASIC_CONSTRAINTS (1 << 8) |
| 222 | #define EXT_NAME_CONSTRAINTS (1 << 9) |
| 223 | #define EXT_POLICY_CONSTRAINTS (1 << 10) |
| 224 | #define EXT_EXTENDED_KEY_USAGE (1 << 11) |
| 225 | #define EXT_CRL_DISTRIBUTION_POINTS (1 << 12) |
| 226 | #define EXT_INIHIBIT_ANYPOLICY (1 << 13) |
| 227 | #define EXT_FRESHEST_CRL (1 << 14) |
| 228 | |
| 229 | #define EXT_NS_CERT_TYPE (1 << 16) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 230 | |
Paul Bakker | 6c0ceb3 | 2011-12-04 12:24:18 +0000 | [diff] [blame] | 231 | /* |
| 232 | * Storage format identifiers |
| 233 | * Recognized formats: PEM and DER |
| 234 | */ |
| 235 | #define X509_FORMAT_DER 1 |
| 236 | #define X509_FORMAT_PEM 2 |
| 237 | |
Paul Bakker | 37ca75d | 2011-01-06 12:28:03 +0000 | [diff] [blame] | 238 | /** |
Paul Bakker | 0f5f72e | 2011-01-18 14:58:55 +0000 | [diff] [blame] | 239 | * \addtogroup x509_module |
| 240 | * \{ */ |
Paul Bakker | 37ca75d | 2011-01-06 12:28:03 +0000 | [diff] [blame] | 241 | |
| 242 | /** |
Paul Bakker | 0f5f72e | 2011-01-18 14:58:55 +0000 | [diff] [blame] | 243 | * \name Structures for parsing X.509 certificates and CRLs |
| 244 | * \{ |
Paul Bakker | 37ca75d | 2011-01-06 12:28:03 +0000 | [diff] [blame] | 245 | */ |
| 246 | |
| 247 | /** |
| 248 | * Type-length-value structure that allows for ASN1 using DER. |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 249 | */ |
Paul Bakker | efc3029 | 2011-11-10 14:43:23 +0000 | [diff] [blame] | 250 | typedef asn1_buf x509_buf; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 251 | |
Paul Bakker | 37ca75d | 2011-01-06 12:28:03 +0000 | [diff] [blame] | 252 | /** |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 253 | * Container for ASN1 bit strings. |
| 254 | */ |
Paul Bakker | efc3029 | 2011-11-10 14:43:23 +0000 | [diff] [blame] | 255 | typedef asn1_bitstring x509_bitstring; |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 256 | |
| 257 | /** |
Paul Bakker | 37ca75d | 2011-01-06 12:28:03 +0000 | [diff] [blame] | 258 | * Container for ASN1 named information objects. |
| 259 | * It allows for Relative Distinguished Names (e.g. cn=polarssl,ou=code,etc.). |
| 260 | */ |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 261 | typedef struct _x509_name |
| 262 | { |
Paul Bakker | 37ca75d | 2011-01-06 12:28:03 +0000 | [diff] [blame] | 263 | x509_buf oid; /**< The object identifier. */ |
| 264 | x509_buf val; /**< The named value. */ |
| 265 | struct _x509_name *next; /**< The next named information object. */ |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 266 | } |
| 267 | x509_name; |
| 268 | |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 269 | /** |
| 270 | * Container for a sequence of ASN.1 items |
| 271 | */ |
Paul Bakker | efc3029 | 2011-11-10 14:43:23 +0000 | [diff] [blame] | 272 | typedef asn1_sequence x509_sequence; |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 273 | |
Paul Bakker | 37ca75d | 2011-01-06 12:28:03 +0000 | [diff] [blame] | 274 | /** Container for date and time (precision in seconds). */ |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 275 | typedef struct _x509_time |
| 276 | { |
Paul Bakker | 37ca75d | 2011-01-06 12:28:03 +0000 | [diff] [blame] | 277 | int year, mon, day; /**< Date. */ |
| 278 | int hour, min, sec; /**< Time. */ |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 279 | } |
| 280 | x509_time; |
| 281 | |
Paul Bakker | 37ca75d | 2011-01-06 12:28:03 +0000 | [diff] [blame] | 282 | /** |
| 283 | * Container for an X.509 certificate. The certificate may be chained. |
| 284 | */ |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 285 | typedef struct _x509_cert |
| 286 | { |
Paul Bakker | 37ca75d | 2011-01-06 12:28:03 +0000 | [diff] [blame] | 287 | x509_buf raw; /**< The raw certificate data (DER). */ |
| 288 | x509_buf tbs; /**< The raw certificate body (DER). The part that is To Be Signed. */ |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 289 | |
Paul Bakker | 37ca75d | 2011-01-06 12:28:03 +0000 | [diff] [blame] | 290 | int version; /**< The X.509 version. (0=v1, 1=v2, 2=v3) */ |
| 291 | x509_buf serial; /**< Unique id for certificate issued by a specific CA. */ |
| 292 | x509_buf sig_oid1; /**< Signature algorithm, e.g. sha1RSA */ |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 293 | |
Paul Bakker | 37ca75d | 2011-01-06 12:28:03 +0000 | [diff] [blame] | 294 | x509_buf issuer_raw; /**< The raw issuer data (DER). Used for quick comparison. */ |
| 295 | x509_buf subject_raw; /**< The raw subject data (DER). Used for quick comparison. */ |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 296 | |
Paul Bakker | 37ca75d | 2011-01-06 12:28:03 +0000 | [diff] [blame] | 297 | x509_name issuer; /**< The parsed issuer data (named information object). */ |
| 298 | x509_name subject; /**< The parsed subject data (named information object). */ |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 299 | |
Paul Bakker | 37ca75d | 2011-01-06 12:28:03 +0000 | [diff] [blame] | 300 | x509_time valid_from; /**< Start time of certificate validity. */ |
| 301 | x509_time valid_to; /**< End time of certificate validity. */ |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 302 | |
Paul Bakker | 37ca75d | 2011-01-06 12:28:03 +0000 | [diff] [blame] | 303 | x509_buf pk_oid; /**< Subject public key info. Includes the public key algorithm and the key itself. */ |
| 304 | rsa_context rsa; /**< Container for the RSA context. Only RSA is supported for public keys at this time. */ |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 305 | |
Paul Bakker | 37ca75d | 2011-01-06 12:28:03 +0000 | [diff] [blame] | 306 | x509_buf issuer_id; /**< Optional X.509 v2/v3 issuer unique identifier. */ |
| 307 | x509_buf subject_id; /**< Optional X.509 v2/v3 subject unique identifier. */ |
| 308 | x509_buf v3_ext; /**< Optional X.509 v3 extensions. Only Basic Contraints are supported at this time. */ |
Paul Bakker | a8cd239 | 2012-02-11 16:09:32 +0000 | [diff] [blame] | 309 | x509_sequence subject_alt_names; /**< Optional list of Subject Alternative Names (Only dNSName supported). */ |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 310 | |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 311 | int ext_types; /**< Bit string containing detected and parsed extensions */ |
Paul Bakker | 37ca75d | 2011-01-06 12:28:03 +0000 | [diff] [blame] | 312 | int ca_istrue; /**< Optional Basic Constraint extension value: 1 if this certificate belongs to a CA, 0 otherwise. */ |
| 313 | int max_pathlen; /**< Optional Basic Constraint extension value: The maximum path length to the root certificate. */ |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 314 | |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 315 | unsigned char key_usage; /**< Optional key usage extension value: See the values below */ |
| 316 | |
| 317 | x509_sequence ext_key_usage; /**< Optional list of extended key usage OIDs. */ |
| 318 | |
| 319 | unsigned char ns_cert_type; /**< Optional Netscape certificate type extension value: See the values below */ |
| 320 | |
Paul Bakker | 37ca75d | 2011-01-06 12:28:03 +0000 | [diff] [blame] | 321 | x509_buf sig_oid2; /**< Signature algorithm. Must match sig_oid1. */ |
| 322 | x509_buf sig; /**< Signature: hash of the tbs part signed with the private key. */ |
| 323 | int sig_alg; /**< Internal representation of the signature algorithm, e.g. SIG_RSA_MD2 */ |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 324 | |
Paul Bakker | 37ca75d | 2011-01-06 12:28:03 +0000 | [diff] [blame] | 325 | struct _x509_cert *next; /**< Next certificate in the CA-chain. */ |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 326 | } |
| 327 | x509_cert; |
| 328 | |
Paul Bakker | 37ca75d | 2011-01-06 12:28:03 +0000 | [diff] [blame] | 329 | /** |
| 330 | * Certificate revocation list entry. |
| 331 | * Contains the CA-specific serial numbers and revocation dates. |
| 332 | */ |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 333 | typedef struct _x509_crl_entry |
| 334 | { |
| 335 | x509_buf raw; |
| 336 | |
| 337 | x509_buf serial; |
| 338 | |
| 339 | x509_time revocation_date; |
| 340 | |
| 341 | x509_buf entry_ext; |
| 342 | |
| 343 | struct _x509_crl_entry *next; |
| 344 | } |
| 345 | x509_crl_entry; |
| 346 | |
Paul Bakker | 37ca75d | 2011-01-06 12:28:03 +0000 | [diff] [blame] | 347 | /** |
| 348 | * Certificate revocation list structure. |
| 349 | * Every CRL may have multiple entries. |
| 350 | */ |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 351 | typedef struct _x509_crl |
| 352 | { |
Paul Bakker | 37ca75d | 2011-01-06 12:28:03 +0000 | [diff] [blame] | 353 | x509_buf raw; /**< The raw certificate data (DER). */ |
| 354 | x509_buf tbs; /**< The raw certificate body (DER). The part that is To Be Signed. */ |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 355 | |
| 356 | int version; |
| 357 | x509_buf sig_oid1; |
| 358 | |
Paul Bakker | 37ca75d | 2011-01-06 12:28:03 +0000 | [diff] [blame] | 359 | x509_buf issuer_raw; /**< The raw issuer data (DER). */ |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 360 | |
Paul Bakker | 37ca75d | 2011-01-06 12:28:03 +0000 | [diff] [blame] | 361 | x509_name issuer; /**< The parsed issuer data (named information object). */ |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 362 | |
Paul Bakker | 37ca75d | 2011-01-06 12:28:03 +0000 | [diff] [blame] | 363 | x509_time this_update; |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 364 | x509_time next_update; |
| 365 | |
Paul Bakker | 37ca75d | 2011-01-06 12:28:03 +0000 | [diff] [blame] | 366 | x509_crl_entry entry; /**< The CRL entries containing the certificate revocation times for this CA. */ |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 367 | |
| 368 | x509_buf crl_ext; |
| 369 | |
| 370 | x509_buf sig_oid2; |
| 371 | x509_buf sig; |
Paul Bakker | 27d6616 | 2010-03-17 06:56:01 +0000 | [diff] [blame] | 372 | int sig_alg; |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 373 | |
| 374 | struct _x509_crl *next; |
| 375 | } |
| 376 | x509_crl; |
Paul Bakker | 0f5f72e | 2011-01-18 14:58:55 +0000 | [diff] [blame] | 377 | /** \} name Structures for parsing X.509 certificates and CRLs */ |
| 378 | /** \} addtogroup x509_module */ |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 379 | |
Paul Bakker | 37ca75d | 2011-01-06 12:28:03 +0000 | [diff] [blame] | 380 | /** |
Paul Bakker | 0f5f72e | 2011-01-18 14:58:55 +0000 | [diff] [blame] | 381 | * \name Structures for writing X.509 certificates. |
Paul Bakker | 37ca75d | 2011-01-06 12:28:03 +0000 | [diff] [blame] | 382 | * XvP: commented out as they are not used. |
| 383 | * - <tt>typedef struct _x509_node x509_node;</tt> |
| 384 | * - <tt>typedef struct _x509_raw x509_raw;</tt> |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 385 | */ |
Paul Bakker | 37ca75d | 2011-01-06 12:28:03 +0000 | [diff] [blame] | 386 | /* |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 387 | typedef struct _x509_node |
| 388 | { |
| 389 | unsigned char *data; |
| 390 | unsigned char *p; |
| 391 | unsigned char *end; |
| 392 | |
| 393 | size_t len; |
| 394 | } |
| 395 | x509_node; |
| 396 | |
| 397 | typedef struct _x509_raw |
| 398 | { |
| 399 | x509_node raw; |
| 400 | x509_node tbs; |
| 401 | |
| 402 | x509_node version; |
| 403 | x509_node serial; |
| 404 | x509_node tbs_signalg; |
| 405 | x509_node issuer; |
| 406 | x509_node validity; |
| 407 | x509_node subject; |
| 408 | x509_node subpubkey; |
| 409 | |
| 410 | x509_node signalg; |
| 411 | x509_node sign; |
| 412 | } |
| 413 | x509_raw; |
Paul Bakker | 37ca75d | 2011-01-06 12:28:03 +0000 | [diff] [blame] | 414 | */ |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 415 | |
| 416 | #ifdef __cplusplus |
| 417 | extern "C" { |
| 418 | #endif |
| 419 | |
| 420 | /** |
Paul Bakker | 0f5f72e | 2011-01-18 14:58:55 +0000 | [diff] [blame] | 421 | * \name Functions to read in DHM parameters, a certificate, CRL or private RSA key |
| 422 | * \{ |
Paul Bakker | 37ca75d | 2011-01-06 12:28:03 +0000 | [diff] [blame] | 423 | */ |
| 424 | |
Paul Bakker | 0f5f72e | 2011-01-18 14:58:55 +0000 | [diff] [blame] | 425 | /** \ingroup x509_module */ |
Paul Bakker | 37ca75d | 2011-01-06 12:28:03 +0000 | [diff] [blame] | 426 | /** |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 427 | * \brief Parse one or more certificates and add them |
Paul Bakker | 69e095c | 2011-12-10 21:55:01 +0000 | [diff] [blame] | 428 | * to the chained list. Parses permissively. If some |
| 429 | * certificates can be parsed, the result is the number |
| 430 | * of failed certificates it encountered. If none complete |
| 431 | * correctly, the first error is returned. |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 432 | * |
| 433 | * \param chain points to the start of the chain |
| 434 | * \param buf buffer holding the certificate data |
| 435 | * \param buflen size of the buffer |
| 436 | * |
Paul Bakker | 69e095c | 2011-12-10 21:55:01 +0000 | [diff] [blame] | 437 | * \return 0 if all certificates parsed successfully, a positive number |
| 438 | * if partly successful or a specific X509 or PEM error code |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 439 | */ |
Paul Bakker | 69e095c | 2011-12-10 21:55:01 +0000 | [diff] [blame] | 440 | int x509parse_crt( x509_cert *chain, const unsigned char *buf, size_t buflen ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 441 | |
Paul Bakker | 0f5f72e | 2011-01-18 14:58:55 +0000 | [diff] [blame] | 442 | /** \ingroup x509_module */ |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 443 | /** |
| 444 | * \brief Load one or more certificates and add them |
Paul Bakker | 69e095c | 2011-12-10 21:55:01 +0000 | [diff] [blame] | 445 | * to the chained list. Parses permissively. If some |
| 446 | * certificates can be parsed, the result is the number |
| 447 | * of failed certificates it encountered. If none complete |
| 448 | * correctly, the first error is returned. |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 449 | * |
| 450 | * \param chain points to the start of the chain |
| 451 | * \param path filename to read the certificates from |
| 452 | * |
Paul Bakker | 69e095c | 2011-12-10 21:55:01 +0000 | [diff] [blame] | 453 | * \return 0 if all certificates parsed successfully, a positive number |
| 454 | * if partly successful or a specific X509 or PEM error code |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 455 | */ |
Paul Bakker | 69e095c | 2011-12-10 21:55:01 +0000 | [diff] [blame] | 456 | int x509parse_crtfile( x509_cert *chain, const char *path ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 457 | |
Paul Bakker | 0f5f72e | 2011-01-18 14:58:55 +0000 | [diff] [blame] | 458 | /** \ingroup x509_module */ |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 459 | /** |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 460 | * \brief Parse one or more CRLs and add them |
| 461 | * to the chained list |
| 462 | * |
| 463 | * \param chain points to the start of the chain |
| 464 | * \param buf buffer holding the CRL data |
| 465 | * \param buflen size of the buffer |
| 466 | * |
Paul Bakker | 96743fc | 2011-02-12 14:30:57 +0000 | [diff] [blame] | 467 | * \return 0 if successful, or a specific X509 or PEM error code |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 468 | */ |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 469 | int x509parse_crl( x509_crl *chain, const unsigned char *buf, size_t buflen ); |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 470 | |
Paul Bakker | 0f5f72e | 2011-01-18 14:58:55 +0000 | [diff] [blame] | 471 | /** \ingroup x509_module */ |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 472 | /** |
| 473 | * \brief Load one or more CRLs and add them |
| 474 | * to the chained list |
| 475 | * |
| 476 | * \param chain points to the start of the chain |
| 477 | * \param path filename to read the CRLs from |
| 478 | * |
Paul Bakker | 96743fc | 2011-02-12 14:30:57 +0000 | [diff] [blame] | 479 | * \return 0 if successful, or a specific X509 or PEM error code |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 480 | */ |
Paul Bakker | ff60ee6 | 2010-03-16 21:09:09 +0000 | [diff] [blame] | 481 | int x509parse_crlfile( x509_crl *chain, const char *path ); |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 482 | |
Paul Bakker | 0f5f72e | 2011-01-18 14:58:55 +0000 | [diff] [blame] | 483 | /** \ingroup x509_module */ |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 484 | /** |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 485 | * \brief Parse a private RSA key |
| 486 | * |
| 487 | * \param rsa RSA context to be initialized |
Paul Bakker | ff60ee6 | 2010-03-16 21:09:09 +0000 | [diff] [blame] | 488 | * \param key input buffer |
| 489 | * \param keylen size of the buffer |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 490 | * \param pwd password for decryption (optional) |
| 491 | * \param pwdlen size of the password |
| 492 | * |
Paul Bakker | 96743fc | 2011-02-12 14:30:57 +0000 | [diff] [blame] | 493 | * \return 0 if successful, or a specific X509 or PEM error code |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 494 | */ |
| 495 | int x509parse_key( rsa_context *rsa, |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 496 | const unsigned char *key, size_t keylen, |
| 497 | const unsigned char *pwd, size_t pwdlen ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 498 | |
Paul Bakker | 0f5f72e | 2011-01-18 14:58:55 +0000 | [diff] [blame] | 499 | /** \ingroup x509_module */ |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 500 | /** |
| 501 | * \brief Load and parse a private RSA key |
| 502 | * |
| 503 | * \param rsa RSA context to be initialized |
| 504 | * \param path filename to read the private key from |
Paul Bakker | 37ca75d | 2011-01-06 12:28:03 +0000 | [diff] [blame] | 505 | * \param password password to decrypt the file (can be NULL) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 506 | * |
Paul Bakker | 96743fc | 2011-02-12 14:30:57 +0000 | [diff] [blame] | 507 | * \return 0 if successful, or a specific X509 or PEM error code |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 508 | */ |
Paul Bakker | ff60ee6 | 2010-03-16 21:09:09 +0000 | [diff] [blame] | 509 | int x509parse_keyfile( rsa_context *rsa, const char *path, |
| 510 | const char *password ); |
Paul Bakker | 1b57b06 | 2011-01-06 15:48:19 +0000 | [diff] [blame] | 511 | |
Paul Bakker | 0f5f72e | 2011-01-18 14:58:55 +0000 | [diff] [blame] | 512 | /** \ingroup x509_module */ |
Paul Bakker | 1b57b06 | 2011-01-06 15:48:19 +0000 | [diff] [blame] | 513 | /** |
Paul Bakker | 917e754 | 2011-03-25 14:23:36 +0000 | [diff] [blame] | 514 | * \brief Parse a public RSA key |
| 515 | * |
| 516 | * \param rsa RSA context to be initialized |
| 517 | * \param key input buffer |
| 518 | * \param keylen size of the buffer |
| 519 | * |
| 520 | * \return 0 if successful, or a specific X509 or PEM error code |
| 521 | */ |
| 522 | int x509parse_public_key( rsa_context *rsa, |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 523 | const unsigned char *key, size_t keylen ); |
Paul Bakker | 917e754 | 2011-03-25 14:23:36 +0000 | [diff] [blame] | 524 | |
| 525 | /** \ingroup x509_module */ |
| 526 | /** |
| 527 | * \brief Load and parse a public RSA key |
| 528 | * |
| 529 | * \param rsa RSA context to be initialized |
| 530 | * \param path filename to read the private key from |
| 531 | * |
| 532 | * \return 0 if successful, or a specific X509 or PEM error code |
| 533 | */ |
| 534 | int x509parse_public_keyfile( rsa_context *rsa, const char *path ); |
| 535 | |
| 536 | /** \ingroup x509_module */ |
| 537 | /** |
Paul Bakker | 1b57b06 | 2011-01-06 15:48:19 +0000 | [diff] [blame] | 538 | * \brief Parse DHM parameters |
| 539 | * |
| 540 | * \param dhm DHM context to be initialized |
| 541 | * \param dhmin input buffer |
| 542 | * \param dhminlen size of the buffer |
| 543 | * |
Paul Bakker | 96743fc | 2011-02-12 14:30:57 +0000 | [diff] [blame] | 544 | * \return 0 if successful, or a specific X509 or PEM error code |
Paul Bakker | 1b57b06 | 2011-01-06 15:48:19 +0000 | [diff] [blame] | 545 | */ |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 546 | int x509parse_dhm( dhm_context *dhm, const unsigned char *dhmin, size_t dhminlen ); |
Paul Bakker | 1b57b06 | 2011-01-06 15:48:19 +0000 | [diff] [blame] | 547 | |
Paul Bakker | 0f5f72e | 2011-01-18 14:58:55 +0000 | [diff] [blame] | 548 | /** \ingroup x509_module */ |
Paul Bakker | 1b57b06 | 2011-01-06 15:48:19 +0000 | [diff] [blame] | 549 | /** |
| 550 | * \brief Load and parse DHM parameters |
| 551 | * |
| 552 | * \param dhm DHM context to be initialized |
| 553 | * \param path filename to read the DHM Parameters from |
| 554 | * |
Paul Bakker | 96743fc | 2011-02-12 14:30:57 +0000 | [diff] [blame] | 555 | * \return 0 if successful, or a specific X509 or PEM error code |
Paul Bakker | 1b57b06 | 2011-01-06 15:48:19 +0000 | [diff] [blame] | 556 | */ |
Paul Bakker | f3b86c1 | 2011-01-27 15:24:17 +0000 | [diff] [blame] | 557 | int x509parse_dhmfile( dhm_context *dhm, const char *path ); |
Paul Bakker | 1b57b06 | 2011-01-06 15:48:19 +0000 | [diff] [blame] | 558 | |
Paul Bakker | 0f5f72e | 2011-01-18 14:58:55 +0000 | [diff] [blame] | 559 | /** \} name Functions to read in DHM parameters, a certificate, CRL or private RSA key */ |
Paul Bakker | 37ca75d | 2011-01-06 12:28:03 +0000 | [diff] [blame] | 560 | |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 561 | /** |
| 562 | * \brief Store the certificate DN in printable form into buf; |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 563 | * no more than size characters will be written. |
Paul Bakker | 13e2dfe | 2009-07-28 07:18:38 +0000 | [diff] [blame] | 564 | * |
| 565 | * \param buf Buffer to write to |
| 566 | * \param size Maximum size of buffer |
| 567 | * \param dn The X509 name to represent |
| 568 | * |
| 569 | * \return The amount of data written to the buffer, or -1 in |
| 570 | * case of an error. |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 571 | */ |
Paul Bakker | ff60ee6 | 2010-03-16 21:09:09 +0000 | [diff] [blame] | 572 | int x509parse_dn_gets( char *buf, size_t size, const x509_name *dn ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 573 | |
| 574 | /** |
Paul Bakker | dd47699 | 2011-01-16 21:34:59 +0000 | [diff] [blame] | 575 | * \brief Store the certificate serial in printable form into buf; |
| 576 | * no more than size characters will be written. |
| 577 | * |
| 578 | * \param buf Buffer to write to |
| 579 | * \param size Maximum size of buffer |
| 580 | * \param serial The X509 serial to represent |
| 581 | * |
| 582 | * \return The amount of data written to the buffer, or -1 in |
| 583 | * case of an error. |
| 584 | */ |
| 585 | int x509parse_serial_gets( char *buf, size_t size, const x509_buf *serial ); |
| 586 | |
| 587 | /** |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 588 | * \brief Returns an informational string about the |
| 589 | * certificate. |
Paul Bakker | 13e2dfe | 2009-07-28 07:18:38 +0000 | [diff] [blame] | 590 | * |
| 591 | * \param buf Buffer to write to |
| 592 | * \param size Maximum size of buffer |
| 593 | * \param prefix A line prefix |
| 594 | * \param crt The X509 certificate to represent |
| 595 | * |
| 596 | * \return The amount of data written to the buffer, or -1 in |
| 597 | * case of an error. |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 598 | */ |
Paul Bakker | ff60ee6 | 2010-03-16 21:09:09 +0000 | [diff] [blame] | 599 | int x509parse_cert_info( char *buf, size_t size, const char *prefix, |
| 600 | const x509_cert *crt ); |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 601 | |
| 602 | /** |
| 603 | * \brief Returns an informational string about the |
| 604 | * CRL. |
Paul Bakker | 13e2dfe | 2009-07-28 07:18:38 +0000 | [diff] [blame] | 605 | * |
| 606 | * \param buf Buffer to write to |
| 607 | * \param size Maximum size of buffer |
| 608 | * \param prefix A line prefix |
Paul Bakker | 37ca75d | 2011-01-06 12:28:03 +0000 | [diff] [blame] | 609 | * \param crl The X509 CRL to represent |
Paul Bakker | 13e2dfe | 2009-07-28 07:18:38 +0000 | [diff] [blame] | 610 | * |
| 611 | * \return The amount of data written to the buffer, or -1 in |
| 612 | * case of an error. |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 613 | */ |
Paul Bakker | ff60ee6 | 2010-03-16 21:09:09 +0000 | [diff] [blame] | 614 | int x509parse_crl_info( char *buf, size_t size, const char *prefix, |
| 615 | const x509_crl *crl ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 616 | |
| 617 | /** |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 618 | * \brief Give an known OID, return its descriptive string. |
| 619 | * |
| 620 | * \param oid buffer containing the oid |
| 621 | * |
| 622 | * \return Return a string if the OID is known, |
| 623 | * or NULL otherwise. |
| 624 | */ |
| 625 | const char *x509_oid_get_description( x509_buf *oid ); |
| 626 | |
| 627 | /* |
| 628 | * \brief Give an OID, return a string version of its OID number. |
| 629 | * |
| 630 | * \param buf Buffer to write to |
| 631 | * \param size Maximum size of buffer |
| 632 | * \param oid Buffer containing the OID |
| 633 | * |
| 634 | * \return The amount of data written to the buffer, or -1 in |
| 635 | * case of an error. |
| 636 | */ |
| 637 | int x509_oid_get_numeric_string( char *buf, size_t size, x509_buf *oid ); |
| 638 | |
| 639 | /** |
Paul Bakker | 13e2dfe | 2009-07-28 07:18:38 +0000 | [diff] [blame] | 640 | * \brief Check a given x509_time against the system time and check |
| 641 | * if it is valid. |
| 642 | * |
| 643 | * \param time x509_time to check |
| 644 | * |
| 645 | * \return Return 0 if the x509_time is still valid, |
Paul Bakker | 40ea7de | 2009-05-03 10:18:48 +0000 | [diff] [blame] | 646 | * or 1 otherwise. |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 647 | */ |
Paul Bakker | ff60ee6 | 2010-03-16 21:09:09 +0000 | [diff] [blame] | 648 | int x509parse_time_expired( const x509_time *time ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 649 | |
| 650 | /** |
Paul Bakker | 0f5f72e | 2011-01-18 14:58:55 +0000 | [diff] [blame] | 651 | * \name Functions to verify a certificate |
| 652 | * \{ |
Paul Bakker | 37ca75d | 2011-01-06 12:28:03 +0000 | [diff] [blame] | 653 | */ |
Paul Bakker | 0f5f72e | 2011-01-18 14:58:55 +0000 | [diff] [blame] | 654 | /** \ingroup x509_module */ |
Paul Bakker | 37ca75d | 2011-01-06 12:28:03 +0000 | [diff] [blame] | 655 | /** |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 656 | * \brief Verify the certificate signature |
| 657 | * |
| 658 | * \param crt a certificate to be verified |
| 659 | * \param trust_ca the trusted CA chain |
Paul Bakker | 40ea7de | 2009-05-03 10:18:48 +0000 | [diff] [blame] | 660 | * \param ca_crl the CRL chain for trusted CA's |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 661 | * \param cn expected Common Name (can be set to |
| 662 | * NULL if the CN must not be verified) |
| 663 | * \param flags result of the verification |
Paul Bakker | b63b0af | 2011-01-13 17:54:59 +0000 | [diff] [blame] | 664 | * \param f_vrfy verification function |
| 665 | * \param p_vrfy verification parameter |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 666 | * |
Paul Bakker | 40e4694 | 2009-01-03 21:51:57 +0000 | [diff] [blame] | 667 | * \return 0 if successful or POLARSSL_ERR_X509_SIG_VERIFY_FAILED, |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 668 | * in which case *flags will have one or more of |
| 669 | * the following values set: |
| 670 | * BADCERT_EXPIRED -- |
| 671 | * BADCERT_REVOKED -- |
| 672 | * BADCERT_CN_MISMATCH -- |
| 673 | * BADCERT_NOT_TRUSTED |
| 674 | * |
| 675 | * \note TODO: add two arguments, depth and crl |
| 676 | */ |
| 677 | int x509parse_verify( x509_cert *crt, |
| 678 | x509_cert *trust_ca, |
Paul Bakker | 40ea7de | 2009-05-03 10:18:48 +0000 | [diff] [blame] | 679 | x509_crl *ca_crl, |
Paul Bakker | b63b0af | 2011-01-13 17:54:59 +0000 | [diff] [blame] | 680 | const char *cn, int *flags, |
| 681 | int (*f_vrfy)(void *, x509_cert *, int, int), |
| 682 | void *p_vrfy ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 683 | |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 684 | /** |
| 685 | * \brief Verify the certificate signature |
| 686 | * |
| 687 | * \param crt a certificate to be verified |
| 688 | * \param crl the CRL to verify against |
| 689 | * |
| 690 | * \return 1 if the certificate is revoked, 0 otherwise |
| 691 | * |
| 692 | */ |
| 693 | int x509parse_revoked( const x509_cert *crt, const x509_crl *crl ); |
| 694 | |
Paul Bakker | 0f5f72e | 2011-01-18 14:58:55 +0000 | [diff] [blame] | 695 | /** \} name Functions to verify a certificate */ |
Paul Bakker | 37ca75d | 2011-01-06 12:28:03 +0000 | [diff] [blame] | 696 | |
| 697 | |
| 698 | |
| 699 | /** |
Paul Bakker | 0f5f72e | 2011-01-18 14:58:55 +0000 | [diff] [blame] | 700 | * \name Functions to clear a certificate, CRL or private RSA key |
| 701 | * \{ |
Paul Bakker | 37ca75d | 2011-01-06 12:28:03 +0000 | [diff] [blame] | 702 | */ |
Paul Bakker | 0f5f72e | 2011-01-18 14:58:55 +0000 | [diff] [blame] | 703 | /** \ingroup x509_module */ |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 704 | /** |
| 705 | * \brief Unallocate all certificate data |
Paul Bakker | 13e2dfe | 2009-07-28 07:18:38 +0000 | [diff] [blame] | 706 | * |
| 707 | * \param crt Certificate chain to free |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 708 | */ |
| 709 | void x509_free( x509_cert *crt ); |
| 710 | |
Paul Bakker | 0f5f72e | 2011-01-18 14:58:55 +0000 | [diff] [blame] | 711 | /** \ingroup x509_module */ |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 712 | /** |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 713 | * \brief Unallocate all CRL data |
Paul Bakker | 13e2dfe | 2009-07-28 07:18:38 +0000 | [diff] [blame] | 714 | * |
Paul Bakker | 37ca75d | 2011-01-06 12:28:03 +0000 | [diff] [blame] | 715 | * \param crl CRL chain to free |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 716 | */ |
| 717 | void x509_crl_free( x509_crl *crl ); |
| 718 | |
Paul Bakker | 0f5f72e | 2011-01-18 14:58:55 +0000 | [diff] [blame] | 719 | /** \} name Functions to clear a certificate, CRL or private RSA key */ |
Paul Bakker | 37ca75d | 2011-01-06 12:28:03 +0000 | [diff] [blame] | 720 | |
| 721 | |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 722 | /** |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 723 | * \brief Checkup routine |
| 724 | * |
| 725 | * \return 0 if successful, or 1 if the test failed |
| 726 | */ |
| 727 | int x509_self_test( int verbose ); |
| 728 | |
| 729 | #ifdef __cplusplus |
| 730 | } |
| 731 | #endif |
| 732 | |
| 733 | #endif /* x509.h */ |