1 /*
2  * Copyright (C) 2003-2012 Free Software Foundation, Inc.
3  *
4  * Author: Nikos Mavrogiannopoulos
5  *
6  * This file is part of GnuTLS.
7  *
8  * The GnuTLS is free software; you can redistribute it and/or
9  * modify it under the terms of the GNU Lesser General Public License
10  * as published by the Free Software Foundation; either version 2.1 of
11  * the License, or (at your option) any later version.
12  *
13  * This library is distributed in the hope that it will be useful, but
14  * WITHOUT ANY WARRANTY; without even the implied warranty of
15  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
16  * Lesser General Public License for more details.
17  *
18  * You should have received a copy of the GNU Lesser General Public License
19  * along with this program.  If not, see <http://www.gnu.org/licenses/>
20  *
21  */
22
23 #ifndef X509_H
24 #define X509_H
25
26 #include <gnutls/x509.h>
27 #include <gnutls/x509-ext.h>
28 #include <gnutls/abstract.h>
29
30 #include <libtasn1.h>
31
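/* Size bounds used for fixed buffers throughout lib/x509.
 *
 * MAX_CRQ_EXTENSIONS_SIZE: by its name, a cap on the DER blob of extensions
 * carried in a certificate request; the code that enforces it is not in
 * this header.  The value is parenthesised so the macro is safe inside a
 * larger expression (`x / MAX_CRQ_EXTENSIONS_SIZE` would otherwise expand
 * to `x / 8 * 1024`).
 *
 * MAX_OID_SIZE / MAX_KEY_ID_SIZE: capacity of stack buffers that receive a
 * dotted-decimal OID string or a key identifier.  Any function writing into
 * such a buffer must be handed the bound (or the real buffer size) and must
 * NUL-terminate / length-check within it -- never assume the input fits. */
#define MAX_CRQ_EXTENSIONS_SIZE (8*1024)
#define MAX_OID_SIZE 128
#define MAX_KEY_ID_SIZE 128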
35
/* Dotted-decimal OIDs of digest algorithms as they appear in DER
 * AlgorithmIdentifiers, presumably used to map between an OID string and a
 * gnutls_digest_algorithm_t.
 *
 * NOTE(review): MD2, MD5 and RIPEMD-160 are listed so that such OIDs can be
 * *recognised* when parsing.  Whether a digest is acceptable for signature
 * verification or for producing new signatures is a separate policy
 * decision made elsewhere -- do not infer acceptability from presence in
 * this table. */
#define HASH_OID_SHA1 "1.3.14.3.2.26"
#define HASH_OID_MD5 "1.2.840.113549.2.5"
#define HASH_OID_MD2 "1.2.840.113549.2.2"
#define HASH_OID_RMD160 "1.3.36.3.2.1"
#define HASH_OID_SHA224 "2.16.840.1.101.3.4.2.4"
#define HASH_OID_SHA256 "2.16.840.1.101.3.4.2.1"
#define HASH_OID_SHA384 "2.16.840.1.101.3.4.2.2"
#define HASH_OID_SHA512 "2.16.840.1.101.3.4.2.3"
44
/* Iterator state for walking the revoked-certificate entries of a CRL.
 * The two fields mirror the rcache/rcache_idx pair kept in
 * gnutls_x509_crl_int.  The iterator refers into the CRL's ASN.1 tree, so
 * it is presumably only valid while that CRL object is alive -- confirm
 * against crl.c before holding one across a deinit. */
struct gnutls_x509_crl_iter {
        /* Cached ASN.1 node and index of the last entry read, so that a
         * sequential walk by gnutls_x509_crl_iter_crt_serial() does not
         * restart from the top of the revokedCertificates SEQUENCE on
         * every call. */
        ASN1_TYPE rcache;
        unsigned rcache_idx;
};
50
/* Internal representation behind the opaque gnutls_x509_crl_t handle. */
typedef struct gnutls_x509_crl_int {
        ASN1_TYPE crl;          /* the CRL's decoded ASN.1 structure */

        /* Read cache for gnutls_x509_crl_get_crt_serial2(): the ASN.1 node
         * and index of the last revoked entry visited, so that sequential
         * lookups avoid re-walking the SEQUENCE from its start. */
        ASN1_TYPE rcache;
        unsigned rcache_idx;
        /* Non-zero once extensions are in play for this CRL; the exact
         * meaning (parsed vs. to-be-generated) lives in crl.c -- TODO
         * confirm. */
        int use_extensions;
        /* Cached raw DER of the issuer Name, served by
         * _gnutls_x509_crl_get_raw_issuer_dn().  Owned by this structure and
         * presumably released on deinit. */
        gnutls_datum_t raw_issuer_dn;
} gnutls_x509_crl_int;
60
/* Internal representation behind the opaque gnutls_x509_crt_t handle.
 * NOTE(review): struct pin_info_st is embedded by value, so it must be a
 * complete type wherever this header is included; its definition is not
 * among the includes visible in this file (presumably gnutls_int.h is
 * included first). */
typedef struct gnutls_x509_crt_int {
        ASN1_TYPE cert;         /* the certificate's decoded ASN.1 structure */
        int use_extensions;     /* see the same field in gnutls_x509_crl_int */
        /* Set once the ASN.1 tree has been "expanded"; presumably refers to
         * resolving ANY DEFINED BY members -- confirm in x509.c. */
        int expanded;           /* a certificate has been expanded */

        /* Cached raw DER of the subject and issuer Names so that
         * get_raw_*_dn() does not have to re-encode them.  Owned here and
         * presumably released on deinit. */
        gnutls_datum_t raw_dn;
        gnutls_datum_t raw_issuer_dn;

        /* PIN callback state used when the certificate is backed by a
         * token (PKCS #11 / TPM); embedded by value, see note above. */
        struct pin_info_st pin;
} gnutls_x509_crt_int;
73
/* Internal representation behind gnutls_x509_crq_t (a PKCS #10 request);
 * only the decoded ASN.1 tree is kept. */
typedef struct gnutls_x509_crq_int {
        ASN1_TYPE crq;
} gnutls_x509_crq_int;
77
/* Internal representation behind gnutls_pkcs7_t; only the decoded ASN.1
 * tree is kept. */
typedef struct gnutls_pkcs7_int {
        ASN1_TYPE pkcs7;
} gnutls_pkcs7_int;
81
/* Internal representation behind gnutls_x509_privkey_t.
 *
 * NOTE(review): params holds the private key material and key (when set)
 * holds its DER form.  Whoever tears this structure down is responsible
 * for wiping both before release; the wiping code is not in this header,
 * so verify it exists on every free path. */
typedef struct gnutls_x509_privkey_int {
        /* the size of params depends on the public
         * key algorithm
         */
        gnutls_pk_params_st params;

        gnutls_pk_algorithm_t pk_algorithm;

        /* Decoded ASN.1 form of the key, if one has been parsed or
         * generated. */
        ASN1_TYPE key;
} gnutls_x509_privkey_int;
92
/* Copies src into dest (dest must already be an initialised handle).
 * Returns 0 on success or a negative error code -- the convention assumed
 * for every int-returning function in this header unless noted. */
int _gnutls_x509_crt_cpy(gnutls_x509_crt_t dest, gnutls_x509_crt_t src);

/* Compares two DER-encoded Names.
 * NOTE(review): the return convention (non-zero = equal, or 0 = equal as
 * for memcmp) is not visible here -- check dn.c before using the result as
 * a boolean in a trust decision. */
int _gnutls_x509_compare_raw_dn(const gnutls_datum_t * dn1,
                                const gnutls_datum_t * dn2);

int _gnutls_x509_crl_cpy(gnutls_x509_crl_t dest, gnutls_x509_crl_t src);
/* Returns the DER-encoded issuer Name of crl in dn, presumably served from
 * the raw_issuer_dn cache once that has been populated. */
int _gnutls_x509_crl_get_raw_issuer_dn(gnutls_x509_crl_t crl,
                                       gnutls_datum_t * dn);

/* sign.c */
/* Extracts the DER of the to-be-signed sub-structure named tbs_name
 * (e.g. "tbsCertificate") from cert into tbs. */
int _gnutls_x509_get_tbs(ASN1_TYPE cert, const char *tbs_name,
                         gnutls_datum_t * tbs);
/* Signs the TBS part of src (located by src_name) with issuer_key, using
 * the given digest, and presumably writes the signature and algorithm
 * fields back into src.
 * NOTE(review): the digest parameter is unnamed here; whether the
 * digest/key pairing is validated is up to sign.c. */
int _gnutls_x509_pkix_sign(ASN1_TYPE src, const char *src_name,
                           gnutls_digest_algorithm_t,
                           gnutls_x509_crt_t issuer,
                           gnutls_privkey_t issuer_key);
109
/* dn.c */
/* Attribute-type OIDs used when rendering or building a Name: X.520
 * attributes (2.5.4.*), the LDAP dc/uid attributes and the PKCS #9
 * emailAddress.  Values are dotted-decimal strings as libtasn1 reports
 * them. */
#define OID_X520_COUNTRY_NAME           "2.5.4.6"
#define OID_X520_ORGANIZATION_NAME      "2.5.4.10"
#define OID_X520_ORGANIZATIONAL_UNIT_NAME "2.5.4.11"
#define OID_X520_COMMON_NAME            "2.5.4.3"
#define OID_X520_LOCALITY_NAME          "2.5.4.7"
#define OID_X520_STATE_OR_PROVINCE_NAME "2.5.4.8"
#define OID_LDAP_DC                     "0.9.2342.19200300.100.1.25"
#define OID_LDAP_UID                    "0.9.2342.19200300.100.1.1"
#define OID_PKCS9_EMAIL                 "1.2.840.113549.1.9.1"
120
/* Renders the RDN sequence found at asn1_rdn_name inside asn1_struct as a
 * printable string into buf.  *sizeof_buf is in/out: capacity on entry,
 * presumably the length (or the required size on a short buffer) on
 * return -- TODO confirm in dn.c.
 * The input is attacker-controlled DER; escaping of special characters is
 * the implementation's job, and callers must not assume the output is
 * safe for display or comparison without it. */
int _gnutls_x509_parse_dn(ASN1_TYPE asn1_struct,
                          const char *asn1_rdn_name, char *buf,
                          size_t * sizeof_buf);

/* Same lookup as _gnutls_x509_parse_dn() but returns the raw DER of the
 * Name in dn (presumably allocated; the caller releases it). */
int
_gnutls_x509_get_dn(ASN1_TYPE asn1_struct,
                    const char *asn1_rdn_name, gnutls_datum_t * dn);

/* Extracts the indx-th attribute whose type is given_oid from the RDN
 * sequence into out.  A non-zero raw_flag presumably returns the raw DER
 * value instead of a decoded string -- inferred from the name, verify in
 * dn.c. */
int
_gnutls_x509_parse_dn_oid(ASN1_TYPE asn1_struct,
                          const char *asn1_rdn_name,
                          const char *given_oid, int indx,
                          unsigned int raw_flag, gnutls_datum_t * out);

/* Adds an attribute of type oid with value name[0..sizeof_name) to the RDN
 * sequence; raw_flag selects whether name is already DER.
 * NOTE(review): sizeof_name is a signed int -- callers must never pass a
 * negative value and the implementation should reject one. */
int _gnutls_x509_set_dn_oid(ASN1_TYPE asn1_struct,
                            const char *asn1_rdn_name, const char *oid,
                            int raw_flag, const char *name,
                            int sizeof_name);

/* Returns the OID string of the indx-th attribute of the RDN sequence in
 * _oid; *sizeof_oid is in/out (MAX_OID_SIZE is the usual buffer size). */
int _gnutls_x509_get_dn_oid(ASN1_TYPE asn1_struct,
                            const char *asn1_rdn_name,
                            int indx, void *_oid, size_t * sizeof_oid);

/* Reads the seq-th GeneralName under src_name in src into name
 * (*name_size in/out) and reports its type tag in *ret_type.  When
 * othername_oid is non-zero the otherName type-id OID is presumably
 * returned instead of the value -- confirm against the implementation. */
int _gnutls_parse_general_name(ASN1_TYPE src, const char *src_name,
                               int seq, void *name, size_t * name_size,
                               unsigned int *ret_type, int othername_oid);

/* gnutls_datum_t-returning variant of _gnutls_parse_general_name(). */
int
_gnutls_parse_general_name2(ASN1_TYPE src, const char *src_name,
                           int seq, gnutls_datum_t *dname,
                           unsigned int *ret_type, int othername_oid);

/* Appends a GeneralName of the given type holding data[0..data_size)
 * under ext_name in ext.  Compare _gnutls_write_general_name() declared
 * further down with the same parameters; the two presumably differ in
 * whether a fresh SEQUENCE element is created first -- confirm before
 * picking one. */
int
_gnutls_write_new_general_name(ASN1_TYPE ext, const char *ext_name,
                       gnutls_x509_subject_alt_name_t type,
                       const void *data, unsigned int data_size);
157
/* dsa.c -- no declarations at present; section header kept for layout. */


/* verify.c */
/* Tells whether issuer is the issuer of cert.
 * NOTE(review): declared in this internal header without the _gnutls_
 * prefix; unless it is also exported from the public headers, treat it as
 * internal despite the name.  The return convention (boolean vs. negative
 * error) is not visible here. */
int gnutls_x509_crt_is_issuer(gnutls_x509_crt_t cert,
                              gnutls_x509_crt_t issuer);

/* Determines the digest algorithm to use when verifying signature with a
 * key of type pk / issuer_params, storing it in *hash.
 * NOTE(review): the parameter list suggests the digest is recovered from
 * the signature blob itself.  The signature is attacker-controlled input,
 * so the caller must still cross-check *hash against the
 * signatureAlgorithm stated in the certificate and against policy; do not
 * treat the recovered value as trusted on its own. */
int
_gnutls_x509_verify_algorithm(gnutls_digest_algorithm_t * hash,
                              const gnutls_datum_t * signature,
                              gnutls_pk_algorithm_t pk,
                              gnutls_pk_params_st * issuer_params);

/* Verifies signature over data with issuer's public key, using the digest
 * described by me. */
int _gnutls_x509_verify_data(const mac_entry_st * me,
                             const gnutls_datum_t * data,
                             const gnutls_datum_t * signature,
                             gnutls_x509_crt_t issuer);
175
/* privkey.h */
/* Decodes a PKCS #1 RSAPrivateKey from raw_key, filling pkey->params, and
 * returns the decoded ASN.1 tree.
 * NOTE(review): unlike the rest of this header this returns ASN1_TYPE, so
 * failure is presumably signalled by a NULL return -- callers must check
 * for it. */
ASN1_TYPE _gnutls_privkey_decode_pkcs1_rsa_key(const gnutls_datum_t *
                                               raw_key,
                                               gnutls_x509_privkey_t pkey);
/* Decodes an ECPrivateKey from raw_key into pkey and *pkey_asn; curve
 * overrides/supplies the curve when the encoding does not carry one --
 * TODO confirm precedence in privkey.c. */
int _gnutls_privkey_decode_ecc_key(ASN1_TYPE* pkey_asn, const gnutls_datum_t *
                                         raw_key,
                                         gnutls_x509_privkey_t pkey,
                                         gnutls_ecc_curve_t curve);

/* Parses DER ECParameters (der[0..dersize)) and reports the named curve in
 * *curve.  dersize is a signed int: callers must not pass a negative or
 * > INT_MAX length, and the parser should reject one. */
int
_gnutls_x509_read_ecc_params(uint8_t * der, int dersize,
                             unsigned int *curve);

/* Encodes the private key in params for algorithm pk into a freshly
 * created ASN.1 structure returned in *c2. */
int _gnutls_asn1_encode_privkey(gnutls_pk_algorithm_t pk, ASN1_TYPE * c2,
                                gnutls_pk_params_st * params);
191
/* extensions.c */
/* Returns the OID of the indx-th extension of crl in oid; *sizeof_oid is
 * in/out (see MAX_OID_SIZE). */
int _gnutls_x509_crl_get_extension_oid(gnutls_x509_crl_t crl,
                                       int indx, void *oid,
                                       size_t * sizeof_oid);

/* Adds (or presumably replaces -- confirm) the extension ext_id with DER
 * value ext_data, flagged critical if critical is non-zero. */
int _gnutls_x509_crl_set_extension(gnutls_x509_crl_t crl,
                                   const char *ext_id,
                                   const gnutls_datum_t * ext_data,
                                   unsigned int critical);

/* Looks up the indx-th occurrence of extension_id in crl, returning its
 * DER value in data and its critical flag in *critical.
 * NOTE(review): a caller that does not understand a critical extension is
 * required by PKIX to reject the object; the flag is reported here, the
 * decision is the caller's. */
int
_gnutls_x509_crl_get_extension(gnutls_x509_crl_t crl,
                               const char *extension_id, int indx,
                               gnutls_datum_t * data,
                               unsigned int *critical);

/* Certificate counterpart of _gnutls_x509_crl_get_extension(); same
 * semantics and the same caveat about critical extensions. */
int
_gnutls_x509_crt_get_extension(gnutls_x509_crt_t cert,
                               const char *extension_id, int indx,
                               gnutls_datum_t * data, unsigned int *critical);

/* Certificate counterparts of the CRL OID lookup / set functions above. */
int _gnutls_x509_crt_get_extension_oid(gnutls_x509_crt_t cert,
                                       int indx, void *ret,
                                       size_t * ret_size);
int _gnutls_x509_crt_set_extension(gnutls_x509_crt_t cert,
                                   const char *extension_id,
                                   const gnutls_datum_t * ext_data,
                                   unsigned int critical);
220
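/* Decodes the DER INTEGER carried in extnValue[0..extnValueLen) (e.g. a
 * CRL number) into number.  On entry *nr_size is the capacity of number;
 * on return it presumably holds the number of bytes written -- TODO confirm
 * against extensions.c.
 * NOTE(review): extnValueLen is a signed int taken from parsed input;
 * callers must not pass a negative or overlong value and the
 * implementation should reject one rather than trust it. */
int
_gnutls_x509_ext_extract_number(uint8_t * number,
                                size_t * nr_size,
                                uint8_t * extnValue, int extnValueLen);
/* Inverse of the above: DER-encodes the nr_size-byte big-endian integer in
 * number and returns the encoding in der_ext (presumably allocated for the
 * caller).  (Parameter renamed from the misspelt "nuber".) */
int
_gnutls_x509_ext_gen_number(const uint8_t * number, size_t nr_size,
                            gnutls_datum_t * der_ext);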
228

/* Writes a GeneralName of the given type holding data[0..data_size) under
 * ext_name in ext.  See _gnutls_write_new_general_name() above, which has
 * the same parameters; the difference between the two is not visible in
 * this header. */
int
_gnutls_write_general_name(ASN1_TYPE ext, const char *ext_name,
                       gnutls_x509_subject_alt_name_t type,
                       const void *data, unsigned int data_size);

/* Produces the DER of a SubjectAltName extension containing the given
 * name in der_ext.  When prev_der_ext is non-NULL the new name is
 * presumably appended to that existing extension value rather than
 * starting a fresh one -- confirm in extensions.c. */
int _gnutls_x509_ext_gen_subject_alt_name(gnutls_x509_subject_alt_name_t
                                          type, const void *data,
                                          unsigned int data_size,
                                          const gnutls_datum_t * prev_der_ext,
                                          gnutls_datum_t * der_ext);
/* Produces the DER of an AuthorityKeyIdentifier extension whose
 * keyIdentifier is id[0..id_size), returned in der_data. */
int _gnutls_x509_ext_gen_auth_key_id(const void *id, size_t id_size,
                                     gnutls_datum_t * der_data);
242
/* mpi.c */
/* Loads the public-key parameters of a request / certificate into the
 * given gnutls_pk_params_st (the crq variant leaves its second parameter
 * unnamed; it is the same out-parameter as `params` below). */
int _gnutls_x509_crq_get_mpis(gnutls_x509_crq_t cert,
                              gnutls_pk_params_st *);

int _gnutls_x509_crt_get_mpis(gnutls_x509_crt_t cert,
                              gnutls_pk_params_st * params);

/* Parse the DER AlgorithmIdentifier parameters / SubjectPublicKey bit
 * string for the given algorithm from der[0..dersize) into params.
 * NOTE(review): der is not const and dersize is a signed int in both;
 * the buffers are presumably not modified, but callers must keep dersize
 * non-negative and the parsers must bound every read by it -- this is
 * untrusted input. */
int _gnutls_x509_read_pubkey_params(gnutls_pk_algorithm_t, uint8_t * der,
                                    int dersize,
                                    gnutls_pk_params_st * params);

int _gnutls_x509_read_pubkey(gnutls_pk_algorithm_t, uint8_t * der,
                             int dersize, gnutls_pk_params_st * params);

/* Encoders for the ECC-specific parameters / public point; output is
 * returned in der (presumably allocated for the caller). */
int _gnutls_x509_write_ecc_params(gnutls_pk_params_st * params,
                                  gnutls_datum_t * der);
int _gnutls_x509_write_ecc_pubkey(gnutls_pk_params_st * params,
                                  gnutls_datum_t * der);

/* Algorithm-generic encoders that dispatch on algo / the unnamed first
 * parameter; counterparts of the two readers above. */
int
_gnutls_x509_write_pubkey_params(gnutls_pk_algorithm_t algo,
                                 gnutls_pk_params_st * params,
                                 gnutls_datum_t * der);
int _gnutls_x509_write_pubkey(gnutls_pk_algorithm_t,
                              gnutls_pk_params_st * params,
                              gnutls_datum_t * der);

/* Reads the INTEGER at value in node as an unsigned int; values that do
 * not fit presumably yield an error rather than truncation -- TODO confirm. */
int _gnutls_x509_read_uint(ASN1_TYPE node, const char *value,
                           unsigned int *ret);

/* Parses a raw DER INTEGER (der[0..dersize), signed length, see note
 * above) into a freshly initialised bigint in *out. */
int _gnutls_x509_read_der_int(uint8_t * der, int dersize, bigint_t * out);

/* Read / write the INTEGER at value in node as a bigint.  lz presumably
 * controls whether a leading zero byte is emitted to keep the encoding
 * positive -- inferred from the name, confirm in mpi.c. */
int _gnutls_x509_read_int(ASN1_TYPE node, const char *value,
                          bigint_t * ret_mpi);
int _gnutls_x509_write_int(ASN1_TYPE node, const char *value, bigint_t mpi,
                           int lz);

/* Same signatures as the pair above.  The "_key_" variants are presumably
 * meant for private-key integers (e.g. secure-memory handling of the
 * intermediate buffer); use them, not the generic ones, for secret values
 * -- confirm the difference in mpi.c. */
int _gnutls_x509_read_key_int(ASN1_TYPE node, const char *value,
                          bigint_t * ret_mpi);
int _gnutls_x509_write_key_int(ASN1_TYPE node, const char *value, bigint_t mpi,
                           int lz);

/* Writes num as the INTEGER at value in node. */
int _gnutls_x509_write_uint32(ASN1_TYPE node, const char *value,
                              uint32_t num);

/* Fills the AlgorithmIdentifier at dst_name in dst for the given
 * key/digest pair (OID plus any parameters). */
int _gnutls_x509_write_sig_params(ASN1_TYPE dst, const char *dst_name,
                                  gnutls_pk_algorithm_t pk_algorithm,
                                  gnutls_digest_algorithm_t);
291
292 /* pkcs12.h */
293 #include <gnutls/pkcs12.h>
294
/* Internal representation behind gnutls_pkcs12_t; only the decoded ASN.1
 * tree of the PFX is kept. */
typedef struct gnutls_pkcs12_int {
        ASN1_TYPE pkcs12;
} gnutls_pkcs12_int;
298
299 #define MAX_BAG_ELEMENTS 32
300
/* One item of a PKCS #12 SafeContents. */
struct bag_element {
        gnutls_datum_t data;            /* item payload (DER or raw, per type) */
        gnutls_pkcs12_bag_type_t type;  /* which BAG_* kind data holds */
        gnutls_datum_t local_key_id;    /* localKeyId attribute, if present */
        /* friendlyName attribute, if present.  Heap string owned by the
         * bag; presumably freed with the bag.  Its content comes from the
         * file and is not guaranteed to be printable or valid UTF-8. */
        char *friendly_name;
};
307
/* Internal representation behind gnutls_pkcs12_bag_t: a fixed-size array
 * of elements plus the count in use.  Invariant every accessor must keep:
 * 0 <= index < bag_elements <= MAX_BAG_ELEMENTS (bag_elements is a signed
 * int, so compare carefully). */
typedef struct gnutls_pkcs12_bag_int {
        struct bag_element element[MAX_BAG_ELEMENTS];
        int bag_elements;
} gnutls_pkcs12_bag_int;
312
/* PKCS #12 SafeBag type OIDs (keyBag, pkcs8ShroudedKeyBag, certBag,
 * crlBag, secretBag). */
#define BAG_PKCS8_KEY "1.2.840.113549.1.12.10.1.1"
#define BAG_PKCS8_ENCRYPTED_KEY "1.2.840.113549.1.12.10.1.2"
#define BAG_CERTIFICATE "1.2.840.113549.1.12.10.1.3"
#define BAG_CRL "1.2.840.113549.1.12.10.1.4"
#define BAG_SECRET "1.2.840.113549.1.12.10.1.5"

/* PKCS #7 content-type OIDs (data, encryptedData) used for the
 * authenticatedSafe contents.
 */
#define DATA_OID "1.2.840.113549.1.7.1"
#define ENC_DATA_OID "1.2.840.113549.1.7.6"

/* Bag attributes (PKCS #9 friendlyName and localKeyId)
 */
#define FRIENDLY_NAME_OID "1.2.840.113549.1.9.20"
#define KEY_ID_OID "1.2.840.113549.1.9.21"
328
/* PKCS #12 key derivation: derives req_keylen bytes into keybuf from the
 * password pw, salt[0..salt_size) and iteration count iter; id is the
 * purpose byte of the standard (key, IV or MAC material).
 * NOTE(review): when decoding, id, salt and iter all come from the file.
 * An unbounded iter is a CPU-exhaustion vector against anything that opens
 * untrusted PKCS #12 data; whether a ceiling is enforced is decided by the
 * caller and is not visible here.  keybuf must hold at least req_keylen
 * bytes. */
int
_gnutls_pkcs12_string_to_key(unsigned int id, const uint8_t * salt,
                             unsigned int salt_size, unsigned int iter,
                             const char *pw, unsigned int req_keylen,
                             uint8_t * keybuf);

/* Decrypts a PKCS #7 encryptedData structure (data) with password into
 * dec.  Whether a NULL password is accepted is not visible here. */
int _gnutls_pkcs7_decrypt_data(const gnutls_datum_t * data,
                               const char *password, gnutls_datum_t * dec);
337
/* Password-based encryption schemes understood by the PKCS #7/#12 code.
 * NOTE(review): PKCS12_ARCFOUR_SHA1 (RC4) and PKCS12_RC2_40_SHA1 (40-bit
 * RC2) are legacy schemes kept for interoperability with old files; a
 * reviewer would expect them never to be selected for newly produced
 * output.  The enumerators are numbered from 0 in declaration order; do
 * not reorder them if any code persists or compares the numeric values. */
typedef enum schema_id {
        PBES2_GENERIC,          /* when the algorithm is unknown, temporary use when reading only */
        PBES2_3DES,             /* the stuff in PKCS #5 */
        PBES2_AES_128,
        PBES2_AES_192,
        PBES2_AES_256,
        PKCS12_3DES_SHA1,       /* the stuff in PKCS #12 */
        PKCS12_ARCFOUR_SHA1,
        PKCS12_RC2_40_SHA1
} schema_id;
348
/* Maps GNUTLS_PKCS_* encryption flags to a schema_id.  Returns int rather
 * than schema_id, presumably so a negative error code can signal an
 * unknown/unsupported flag combination -- callers must check for < 0
 * before casting. */
int _gnutls_pkcs_flags_to_schema(unsigned int flags);
/* Encrypts data under password using the given scheme and returns the
 * PKCS #7 encryptedData DER in enc. */
int _gnutls_pkcs7_encrypt_data(schema_id schema,
                               const gnutls_datum_t * data,
                               const char *password, gnutls_datum_t * enc);
/* Parses a DER SafeContents into bag.  The decoder must honour
 * MAX_BAG_ELEMENTS -- the array in gnutls_pkcs12_bag_int is fixed-size. */
int _pkcs12_decode_safe_contents(const gnutls_datum_t * content,
                                 gnutls_pkcs12_bag_t bag);

/* Encodes bag as a SafeContents ASN.1 structure in *content; *enc
 * presumably reports whether the result is/should be encrypted -- TODO
 * confirm in pkcs12_bag.c. */
int
_pkcs12_encode_safe_contents(gnutls_pkcs12_bag_t bag, ASN1_TYPE * content,
                             int *enc);

/* Unwrap / wrap the CertBag or CRLBag envelope around a raw certificate or
 * CRL (type selects which). */
int _pkcs12_decode_crt_bag(gnutls_pkcs12_bag_type_t type,
                           const gnutls_datum_t * in,
                           gnutls_datum_t * out);
int _pkcs12_encode_crt_bag(gnutls_pkcs12_bag_type_t type,
                           const gnutls_datum_t * raw,
                           gnutls_datum_t * out);
366
/* crq */
/* Request counterpart of _gnutls_x509_crt_set_extension(). */
int _gnutls_x509_crq_set_extension(gnutls_x509_crq_t crq,
                                   const char *ext_id,
                                   const gnutls_datum_t * ext_data,
                                   unsigned int critical);

/* Verifies the chain certificate_list[0..clist_size) against
 * trusted_cas[0..tcas_size) under flags, optionally reporting per-step
 * results through func.  Returns a status bitmask (presumably
 * gnutls_certificate_status_t), where 0 means verified -- a non-zero value
 * must be treated as failure.
 * NOTE(review): clist_size / tcas_size are signed here but the PKCS #11
 * variant below takes an unsigned clist_size; callers must keep the
 * counts non-negative and within the arrays. */
unsigned int
_gnutls_verify_crt_status(const gnutls_x509_crt_t * certificate_list,
                                int clist_size,
                                const gnutls_x509_crt_t * trusted_cas,
                                int tcas_size,
                                unsigned int flags,
                                gnutls_verify_output_function func);

#ifdef ENABLE_PKCS11
/* As _gnutls_verify_crt_status() but with the trust anchors taken from the
 * PKCS #11 token/trust store at url. */
unsigned int
_gnutls_pkcs11_verify_crt_status(const char* url,
                                const gnutls_x509_crt_t * certificate_list,
                                unsigned clist_size,
                                unsigned int flags,
                                gnutls_verify_output_function func);
#endif

/* Checks cert against crl_list[0..crl_list_length).  The return
 * convention (e.g. 1 = revoked, 0 = not revoked, < 0 = error) is not
 * visible here; a caller must distinguish "error" from "not revoked" and
 * never treat a failed check as success. */
int
_gnutls_x509_crt_check_revocation(gnutls_x509_crt_t cert,
                                  const gnutls_x509_crl_t * crl_list,
                                  int crl_list_length,
                                  gnutls_verify_output_function func);
395
/* Parsed NameConstraints extension: two singly linked lists of subtrees.
 * Either may be NULL (absent).  struct name_constraints_node_st is only
 * referenced through a pointer here, so its definition may follow. */
typedef struct gnutls_name_constraints_st {
        struct name_constraints_node_st * permitted;
        struct name_constraints_node_st * excluded;
} gnutls_name_constraints_st;
400
/* One GeneralSubtree of a NameConstraints list. */
typedef struct name_constraints_node_st {
        /* GeneralName type tag of name; presumably a
         * gnutls_x509_subject_alt_name_t value -- confirm in name_constraints.c. */
        unsigned type;
        /* The constraint value (DNS suffix, IP/mask, e-mail, DN, ...) in
         * the raw form the extractor leaves it.  Ownership: freed with the
         * list. */
        gnutls_datum_t name;
        struct name_constraints_node_st *next;  /* NULL terminates the list */
} name_constraints_node_st;
406
/* Builds a name_constraints_node_st list in *_nc from the GeneralSubtrees
 * found at the ASN.1 path vstr (presumably "permittedSubtrees" /
 * "excludedSubtrees") in c2.  The caller owns the resulting list. */
int _gnutls_extract_name_constraints(ASN1_TYPE c2, const char *vstr,
                                    name_constraints_node_st ** _nc);

/* Releases the resources held by policy entry seq of policies; what
 * exactly is erased (the entry or its sub-items) is defined in the
 * implementation, not here. */
void _gnutls_x509_policies_erase(gnutls_x509_policies_t policies, unsigned int seq);
411
412 #endif