search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
ssl_tls: fix format warning in ssl_parse_certificate() on x86_64
[tropicssl.git] / include / tropicssl / x509.h
blobf23a6fdcf79396eb7244dc5308cd0086eb61deab
1 /**
2 * \file x509.h
3 *
4 * Based on XySSL: Copyright (C) 2006-2008 Christophe Devine
5 *
6 * Copyright (C) 2009 Paul Bakker <polarssl_maintainer at polarssl dot org>
7 *
8 * All rights reserved.
9 *
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
12 * are met:
13 *
14 * * Redistributions of source code must retain the above copyright
15 * notice, this list of conditions and the following disclaimer.
16 * * Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in the
18 * documentation and/or other materials provided with the distribution.
19 * * Neither the names of PolarSSL or XySSL nor the names of its contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
26 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34 */
35 #ifndef TROPICSSL_X509_H
36 #define TROPICSSL_X509_H
37
38 #include "tropicssl/rsa.h"
39
40 #define TROPICSSL_ERR_ASN1_OUT_OF_DATA -0x0014
41 #define TROPICSSL_ERR_ASN1_UNEXPECTED_TAG -0x0016
42 #define TROPICSSL_ERR_ASN1_INVALID_LENGTH -0x0018
43 #define TROPICSSL_ERR_ASN1_LENGTH_MISMATCH -0x001A
44 #define TROPICSSL_ERR_ASN1_INVALID_DATA -0x001C
45
46 #define TROPICSSL_ERR_X509_FEATURE_UNAVAILABLE -0x0020
47 #define TROPICSSL_ERR_X509_CERT_INVALID_PEM -0x0040
48 #define TROPICSSL_ERR_X509_CERT_INVALID_FORMAT -0x0060
49 #define TROPICSSL_ERR_X509_CERT_INVALID_VERSION -0x0080
50 #define TROPICSSL_ERR_X509_CERT_INVALID_SERIAL -0x00A0
51 #define TROPICSSL_ERR_X509_CERT_INVALID_ALG -0x00C0
52 #define TROPICSSL_ERR_X509_CERT_INVALID_NAME -0x00E0
53 #define TROPICSSL_ERR_X509_CERT_INVALID_DATE -0x0100
54 #define TROPICSSL_ERR_X509_CERT_INVALID_PUBKEY -0x0120
55 #define TROPICSSL_ERR_X509_CERT_INVALID_SIGNATURE -0x0140
56 #define TROPICSSL_ERR_X509_CERT_INVALID_EXTENSIONS -0x0160
57 #define TROPICSSL_ERR_X509_CERT_UNKNOWN_VERSION -0x0180
58 #define TROPICSSL_ERR_X509_CERT_UNKNOWN_SIG_ALG -0x01A0
59 #define TROPICSSL_ERR_X509_CERT_UNKNOWN_PK_ALG -0x01C0
60 #define TROPICSSL_ERR_X509_CERT_SIG_MISMATCH -0x01E0
61 #define TROPICSSL_ERR_X509_CERT_VERIFY_FAILED -0x0200
62 #define TROPICSSL_ERR_X509_KEY_INVALID_PEM -0x0220
63 #define TROPICSSL_ERR_X509_KEY_INVALID_VERSION -0x0240
64 #define TROPICSSL_ERR_X509_KEY_INVALID_FORMAT -0x0260
65 #define TROPICSSL_ERR_X509_KEY_INVALID_ENC_IV -0x0280
66 #define TROPICSSL_ERR_X509_KEY_UNKNOWN_ENC_ALG -0x02A0
67 #define TROPICSSL_ERR_X509_KEY_PASSWORD_REQUIRED -0x02C0
68 #define TROPICSSL_ERR_X509_KEY_PASSWORD_MISMATCH -0x02E0
69 #define TROPICSSL_ERR_X509_POINT_ERROR -0x0300
70 #define TROPICSSL_ERR_X509_VALUE_TO_LENGTH -0x0320
71
72 #define BADCERT_EXPIRED 1
73 #define BADCERT_REVOKED 2
74 #define BADCERT_CN_MISMATCH 4
75 #define BADCERT_NOT_TRUSTED 8
76
77 /*
78 * DER constants
79 */
80 #define ASN1_BOOLEAN 0x01
81 #define ASN1_INTEGER 0x02
82 #define ASN1_BIT_STRING 0x03
83 #define ASN1_OCTET_STRING 0x04
84 #define ASN1_NULL 0x05
85 #define ASN1_OID 0x06
86 #define ASN1_UTF8_STRING 0x0C
87 #define ASN1_SEQUENCE 0x10
88 #define ASN1_SET 0x11
89 #define ASN1_PRINTABLE_STRING 0x13
90 #define ASN1_T61_STRING 0x14
91 #define ASN1_IA5_STRING 0x16
92 #define ASN1_UTC_TIME 0x17
93 #define ASN1_UNIVERSAL_STRING 0x1C
94 #define ASN1_BMP_STRING 0x1E
95 #define ASN1_PRIMITIVE 0x00
96 #define ASN1_CONSTRUCTED 0x20
97 #define ASN1_CONTEXT_SPECIFIC 0x80
98
99 /*
100 * various object identifiers
101 */
102 #define X520_COMMON_NAME 3
103 #define X520_COUNTRY 6
104 #define X520_LOCALITY 7
105 #define X520_STATE 8
106 #define X520_ORGANIZATION 10
107 #define X520_ORG_UNIT 11
108 #define PKCS9_EMAIL 1
109
110 #define X509_OUTPUT_DER 0x01
111 #define X509_OUTPUT_PEM 0x02
112 #define PEM_LINE_LENGTH 72
113 #define X509_ISSUER 0x01
114 #define X509_SUBJECT 0x02
115
116 #define OID_X520 "\x55\x04"
117 #define OID_CN "\x55\x04\x03"
118 #define OID_PKCS1 "\x2A\x86\x48\x86\xF7\x0D\x01\x01"
119 #define OID_PKCS1_RSA "\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01"
120 #define OID_PKCS1_RSA_SHA "\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05"
121 #define OID_PKCS9 "\x2A\x86\x48\x86\xF7\x0D\x01\x09"
122 #define OID_PKCS9_EMAIL "\x2A\x86\x48\x86\xF7\x0D\x01\x09\x01"
123
124 /*
125 * Structures for parsing X.509 certificates
126 */
127 typedef struct _x509_buf {
128 int tag;
129 int len;
130 unsigned char *p;
131 } x509_buf;
132
133 typedef struct _x509_name {
134 x509_buf oid;
135 x509_buf val;
136 struct _x509_name *next;
137 } x509_name;
138
139 typedef struct _x509_time {
140 int year, mon, day;
141 int hour, min, sec;
142 } x509_time;
143
144 typedef struct _x509_cert {
145 x509_buf raw;
146 x509_buf tbs;
147
148 int version;
149 x509_buf serial;
150 x509_buf sig_oid1;
151
152 x509_buf issuer_raw;
153 x509_buf subject_raw;
154
155 x509_name issuer;
156 x509_name subject;
157
158 x509_time valid_from;
159 x509_time valid_to;
160
161 x509_buf pk_oid;
162 rsa_context rsa;
163
164 x509_buf issuer_id;
165 x509_buf subject_id;
166 x509_buf v3_ext;
167
168 int ca_istrue;
169 int max_pathlen;
170
171 x509_buf sig_oid2;
172 x509_buf sig;
173
174 struct _x509_cert *next;
175 } x509_cert;
176
177 /*
178 * Structures for writing X.509 certificates
179 */
180 typedef struct _x509_node {
181 unsigned char *data;
182 unsigned char *p;
183 unsigned char *end;
184
185 size_t len;
186 } x509_node;
187
188 typedef struct _x509_raw {
189 x509_node raw;
190 x509_node tbs;
191
192 x509_node version;
193 x509_node serial;
194 x509_node tbs_signalg;
195 x509_node issuer;
196 x509_node validity;
197 x509_node subject;
198 x509_node subpubkey;
199
200 x509_node signalg;
201 x509_node sign;
202 } x509_raw;
203
204 #ifdef __cplusplus
205 extern "C" {
206 #endif
207
208 /**
209 * \brief Parse one or more certificates and add them
210 * to the chained list
211 *
212 * \param chain points to the start of the chain
213 * \param buf buffer holding the certificate data
214 * \param buflen size of the buffer
215 *
216 * \return 0 if successful, or a specific X509 error code
217 */
218 int x509parse_crt(x509_cert * chain, const unsigned char *buf, int buflen);
219
220 /**
221 * \brief Load one or more certificates and add them
222 * to the chained list
223 *
224 * \param chain points to the start of the chain
225 * \param path filename to read the certificates from
226 *
227 * \return 0 if successful, or a specific X509 error code
228 */
229 int x509parse_crtfile(x509_cert * chain, const char *path);
230
231 /**
232 * \brief Parse a private RSA key
233 *
234 * \param rsa RSA context to be initialized
235 * \param key input buffer
236 * \param keylen size of the buffer
237 * \param pwd password for decryption (optional)
238 * \param pwdlen size of the password
239 *
240 * \return 0 if successful, or a specific X509 error code
241 */
242 int x509parse_key(rsa_context * rsa,
243 const unsigned char *key, int keylen,
244 const unsigned char *pwd, int pwdlen);
245
246 /**
247 * \brief Load and parse a private RSA key
248 *
249 * \param rsa RSA context to be initialized
250 * \param path filename to read the private key from
251 * \param pwd password to decrypt the file (can be NULL)
252 *
253 * \return 0 if successful, or a specific X509 error code
254 */
255 int x509parse_keyfile(rsa_context * rsa, const char *path, const char *password);
256
257 /**
258 * \brief Store the certificate DN in printable form into buf;
259 * no more than (end - buf) characters will be written.
260 */
261 int x509parse_dn_gets(char *buf, const char *end, const x509_name * dn);
262
263 /**
264 * \brief Returns an informational string about the
265 * certificate.
266 */
267 char *x509parse_cert_info(char *buf, size_t buf_size,
268 const char *prefix, const x509_cert * crt);
269 /**
270 * \brief Return 0 if the certificate is still valid,
271 * or BADCERT_EXPIRED
272 */
273 int x509parse_expired(const x509_cert * crt);
274
275 /**
276 * \brief Verify the certificate signature
277 *
278 * \param crt a certificate to be verified
279 * \param trust_ca the trusted CA chain
280 * \param cn expected Common Name (can be set to
281 * NULL if the CN must not be verified)
282 * \param flags result of the verification
283 *
284 * \return 0 if successful or TROPICSSL_ERR_X509_SIG_VERIFY_FAILED,
285 * in which case *flags will have one or more of
286 * the following values set:
287 * BADCERT_EXPIRED --
288 * BADCERT_REVOKED --
289 * BADCERT_CN_MISMATCH --
290 * BADCERT_NOT_TRUSTED
291 *
292 * \note TODO: add two arguments, depth and crl
293 */
294 int x509parse_verify(x509_cert * crt,
295 x509_cert * trust_ca,
296 const char *cn, int *flags);
297
298 /**
299 * \brief Unallocate all certificate data
300 */
301 void x509_free(x509_cert * crt);
302
303 /**
304 * \brief Checkup routine
305 *
306 * \return 0 if successful, or 1 if the test failed
307 */
308 int x509_self_test(int verbose);
309
310 #ifdef __cplusplus
311 }
312 #endif
313 #endif /* x509.h */
fork of last BSD polarssl