2 * Copyright (C) 2003-2012 Free Software Foundation, Inc.
4 * Author: Nikos Mavrogiannopoulos
6 * This file is part of GnuTLS.
8 * The GnuTLS is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
18 * You should have received a copy of the GNU Lesser General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>
26 #include <gnutls/x509.h>
27 #include <gnutls/x509-ext.h>
28 #include <gnutls/abstract.h>
32 #define MAX_CRQ_EXTENSIONS_SIZE 8*1024
33 #define MAX_OID_SIZE 128
34 #define MAX_KEY_ID_SIZE 128
36 #define HASH_OID_SHA1 "1.3.14.3.2.26"
37 #define HASH_OID_MD5 "1.2.840.113549.2.5"
38 #define HASH_OID_MD2 "1.2.840.113549.2.2"
39 #define HASH_OID_RMD160 "1.3.36.3.2.1"
40 #define HASH_OID_SHA224 "2.16.840.1.101.3.4.2.4"
41 #define HASH_OID_SHA256 "2.16.840.1.101.3.4.2.1"
42 #define HASH_OID_SHA384 "2.16.840.1.101.3.4.2.2"
43 #define HASH_OID_SHA512 "2.16.840.1.101.3.4.2.3"
45 struct gnutls_x509_crl_iter {
46 /* This is used to optimize reads by gnutls_x509_crl_iter_crt_serial() */
51 typedef struct gnutls_x509_crl_int {
54 /* This is used to optimize reads by gnutls_x509_crl_get_crt_serial2() */
58 gnutls_datum_t raw_issuer_dn;
59 } gnutls_x509_crl_int;
61 typedef struct gnutls_x509_crt_int {
64 int expanded; /* a certificate has been expanded */
66 /* These two cached values allow fast calls to
68 gnutls_datum_t raw_dn;
69 gnutls_datum_t raw_issuer_dn;
71 struct pin_info_st pin;
72 } gnutls_x509_crt_int;
74 typedef struct gnutls_x509_crq_int {
76 } gnutls_x509_crq_int;
78 typedef struct gnutls_pkcs7_int {
82 typedef struct gnutls_x509_privkey_int {
83 /* the size of params depends on the public
86 gnutls_pk_params_st params;
88 gnutls_pk_algorithm_t pk_algorithm;
91 } gnutls_x509_privkey_int;
93 int _gnutls_x509_crt_cpy(gnutls_x509_crt_t dest, gnutls_x509_crt_t src);
95 int _gnutls_x509_compare_raw_dn(const gnutls_datum_t * dn1,
96 const gnutls_datum_t * dn2);
98 int _gnutls_x509_crl_cpy(gnutls_x509_crl_t dest, gnutls_x509_crl_t src);
99 int _gnutls_x509_crl_get_raw_issuer_dn(gnutls_x509_crl_t crl,
100 gnutls_datum_t * dn);
103 int _gnutls_x509_get_tbs(ASN1_TYPE cert, const char *tbs_name,
104 gnutls_datum_t * tbs);
105 int _gnutls_x509_pkix_sign(ASN1_TYPE src, const char *src_name,
106 gnutls_digest_algorithm_t,
107 gnutls_x509_crt_t issuer,
108 gnutls_privkey_t issuer_key);
111 #define OID_X520_COUNTRY_NAME "2.5.4.6"
112 #define OID_X520_ORGANIZATION_NAME "2.5.4.10"
113 #define OID_X520_ORGANIZATIONAL_UNIT_NAME "2.5.4.11"
114 #define OID_X520_COMMON_NAME "2.5.4.3"
115 #define OID_X520_LOCALITY_NAME "2.5.4.7"
116 #define OID_X520_STATE_OR_PROVINCE_NAME "2.5.4.8"
117 #define OID_LDAP_DC "0.9.2342.19200300.100.1.25"
118 #define OID_LDAP_UID "0.9.2342.19200300.100.1.1"
119 #define OID_PKCS9_EMAIL "1.2.840.113549.1.9.1"
121 int _gnutls_x509_parse_dn(ASN1_TYPE asn1_struct,
122 const char *asn1_rdn_name, char *buf,
123 size_t * sizeof_buf);
126 _gnutls_x509_get_dn(ASN1_TYPE asn1_struct,
127 const char *asn1_rdn_name, gnutls_datum_t * dn);
130 _gnutls_x509_parse_dn_oid(ASN1_TYPE asn1_struct,
131 const char *asn1_rdn_name,
132 const char *given_oid, int indx,
133 unsigned int raw_flag, gnutls_datum_t * out);
135 int _gnutls_x509_set_dn_oid(ASN1_TYPE asn1_struct,
136 const char *asn1_rdn_name, const char *oid,
137 int raw_flag, const char *name,
140 int _gnutls_x509_get_dn_oid(ASN1_TYPE asn1_struct,
141 const char *asn1_rdn_name,
142 int indx, void *_oid, size_t * sizeof_oid);
144 int _gnutls_parse_general_name(ASN1_TYPE src, const char *src_name,
145 int seq, void *name, size_t * name_size,
146 unsigned int *ret_type, int othername_oid);
149 _gnutls_parse_general_name2(ASN1_TYPE src, const char *src_name,
150 int seq, gnutls_datum_t *dname,
151 unsigned int *ret_type, int othername_oid);
154 _gnutls_write_new_general_name(ASN1_TYPE ext, const char *ext_name,
155 gnutls_x509_subject_alt_name_t type,
156 const void *data, unsigned int data_size);
162 int gnutls_x509_crt_is_issuer(gnutls_x509_crt_t cert,
163 gnutls_x509_crt_t issuer);
166 _gnutls_x509_verify_algorithm(gnutls_digest_algorithm_t * hash,
167 const gnutls_datum_t * signature,
168 gnutls_pk_algorithm_t pk,
169 gnutls_pk_params_st * issuer_params);
171 int _gnutls_x509_verify_data(const mac_entry_st * me,
172 const gnutls_datum_t * data,
173 const gnutls_datum_t * signature,
174 gnutls_x509_crt_t issuer);
177 ASN1_TYPE _gnutls_privkey_decode_pkcs1_rsa_key(const gnutls_datum_t *
179 gnutls_x509_privkey_t pkey);
180 int _gnutls_privkey_decode_ecc_key(ASN1_TYPE* pkey_asn, const gnutls_datum_t *
182 gnutls_x509_privkey_t pkey,
183 gnutls_ecc_curve_t curve);
186 _gnutls_x509_read_ecc_params(uint8_t * der, int dersize,
187 unsigned int *curve);
189 int _gnutls_asn1_encode_privkey(gnutls_pk_algorithm_t pk, ASN1_TYPE * c2,
190 gnutls_pk_params_st * params);
193 int _gnutls_x509_crl_get_extension_oid(gnutls_x509_crl_t crl,
195 size_t * sizeof_oid);
197 int _gnutls_x509_crl_set_extension(gnutls_x509_crl_t crl,
199 const gnutls_datum_t * ext_data,
200 unsigned int critical);
203 _gnutls_x509_crl_get_extension(gnutls_x509_crl_t crl,
204 const char *extension_id, int indx,
205 gnutls_datum_t * data,
206 unsigned int *critical);
209 _gnutls_x509_crt_get_extension(gnutls_x509_crt_t cert,
210 const char *extension_id, int indx,
211 gnutls_datum_t * data, unsigned int *critical);
213 int _gnutls_x509_crt_get_extension_oid(gnutls_x509_crt_t cert,
216 int _gnutls_x509_crt_set_extension(gnutls_x509_crt_t cert,
217 const char *extension_id,
218 const gnutls_datum_t * ext_data,
219 unsigned int critical);
222 _gnutls_x509_ext_extract_number(uint8_t * number,
224 uint8_t * extnValue, int extnValueLen);
226 _gnutls_x509_ext_gen_number(const uint8_t * nuber, size_t nr_size,
227 gnutls_datum_t * der_ext);
231 _gnutls_write_general_name(ASN1_TYPE ext, const char *ext_name,
232 gnutls_x509_subject_alt_name_t type,
233 const void *data, unsigned int data_size);
235 int _gnutls_x509_ext_gen_subject_alt_name(gnutls_x509_subject_alt_name_t
236 type, const void *data,
237 unsigned int data_size,
238 const gnutls_datum_t * prev_der_ext,
239 gnutls_datum_t * der_ext);
240 int _gnutls_x509_ext_gen_auth_key_id(const void *id, size_t id_size,
241 gnutls_datum_t * der_data);
244 int _gnutls_x509_crq_get_mpis(gnutls_x509_crq_t cert,
245 gnutls_pk_params_st *);
247 int _gnutls_x509_crt_get_mpis(gnutls_x509_crt_t cert,
248 gnutls_pk_params_st * params);
250 int _gnutls_x509_read_pubkey_params(gnutls_pk_algorithm_t, uint8_t * der,
252 gnutls_pk_params_st * params);
254 int _gnutls_x509_read_pubkey(gnutls_pk_algorithm_t, uint8_t * der,
255 int dersize, gnutls_pk_params_st * params);
257 int _gnutls_x509_write_ecc_params(gnutls_pk_params_st * params,
258 gnutls_datum_t * der);
259 int _gnutls_x509_write_ecc_pubkey(gnutls_pk_params_st * params,
260 gnutls_datum_t * der);
263 _gnutls_x509_write_pubkey_params(gnutls_pk_algorithm_t algo,
264 gnutls_pk_params_st * params,
265 gnutls_datum_t * der);
266 int _gnutls_x509_write_pubkey(gnutls_pk_algorithm_t,
267 gnutls_pk_params_st * params,
268 gnutls_datum_t * der);
270 int _gnutls_x509_read_uint(ASN1_TYPE node, const char *value,
273 int _gnutls_x509_read_der_int(uint8_t * der, int dersize, bigint_t * out);
275 int _gnutls_x509_read_int(ASN1_TYPE node, const char *value,
277 int _gnutls_x509_write_int(ASN1_TYPE node, const char *value, bigint_t mpi,
280 int _gnutls_x509_read_key_int(ASN1_TYPE node, const char *value,
282 int _gnutls_x509_write_key_int(ASN1_TYPE node, const char *value, bigint_t mpi,
285 int _gnutls_x509_write_uint32(ASN1_TYPE node, const char *value,
288 int _gnutls_x509_write_sig_params(ASN1_TYPE dst, const char *dst_name,
289 gnutls_pk_algorithm_t pk_algorithm,
290 gnutls_digest_algorithm_t);
293 #include <gnutls/pkcs12.h>
295 typedef struct gnutls_pkcs12_int {
299 #define MAX_BAG_ELEMENTS 32
303 gnutls_pkcs12_bag_type_t type;
304 gnutls_datum_t local_key_id;
308 typedef struct gnutls_pkcs12_bag_int {
309 struct bag_element element[MAX_BAG_ELEMENTS];
311 } gnutls_pkcs12_bag_int;
313 #define BAG_PKCS8_KEY "1.2.840.113549.1.12.10.1.1"
314 #define BAG_PKCS8_ENCRYPTED_KEY "1.2.840.113549.1.12.10.1.2"
315 #define BAG_CERTIFICATE "1.2.840.113549.1.12.10.1.3"
316 #define BAG_CRL "1.2.840.113549.1.12.10.1.4"
317 #define BAG_SECRET "1.2.840.113549.1.12.10.1.5"
321 #define DATA_OID "1.2.840.113549.1.7.1"
322 #define ENC_DATA_OID "1.2.840.113549.1.7.6"
326 #define FRIENDLY_NAME_OID "1.2.840.113549.1.9.20"
327 #define KEY_ID_OID "1.2.840.113549.1.9.21"
330 _gnutls_pkcs12_string_to_key(unsigned int id, const uint8_t * salt,
331 unsigned int salt_size, unsigned int iter,
332 const char *pw, unsigned int req_keylen,
335 int _gnutls_pkcs7_decrypt_data(const gnutls_datum_t * data,
336 const char *password, gnutls_datum_t * dec);
338 typedef enum schema_id {
339 PBES2_GENERIC, /* when the algorithm is unknown, temporal use when reading only */
340 PBES2_3DES, /* the stuff in PKCS #5 */
344 PKCS12_3DES_SHA1, /* the stuff in PKCS #12 */
349 int _gnutls_pkcs_flags_to_schema(unsigned int flags);
350 int _gnutls_pkcs7_encrypt_data(schema_id schema,
351 const gnutls_datum_t * data,
352 const char *password, gnutls_datum_t * enc);
353 int _pkcs12_decode_safe_contents(const gnutls_datum_t * content,
354 gnutls_pkcs12_bag_t bag);
357 _pkcs12_encode_safe_contents(gnutls_pkcs12_bag_t bag, ASN1_TYPE * content,
360 int _pkcs12_decode_crt_bag(gnutls_pkcs12_bag_type_t type,
361 const gnutls_datum_t * in,
362 gnutls_datum_t * out);
363 int _pkcs12_encode_crt_bag(gnutls_pkcs12_bag_type_t type,
364 const gnutls_datum_t * raw,
365 gnutls_datum_t * out);
368 int _gnutls_x509_crq_set_extension(gnutls_x509_crq_t crq,
370 const gnutls_datum_t * ext_data,
371 unsigned int critical);
374 _gnutls_verify_crt_status(const gnutls_x509_crt_t * certificate_list,
376 const gnutls_x509_crt_t * trusted_cas,
379 gnutls_verify_output_function func);
383 _gnutls_pkcs11_verify_crt_status(const char* url,
384 const gnutls_x509_crt_t * certificate_list,
387 gnutls_verify_output_function func);
391 _gnutls_x509_crt_check_revocation(gnutls_x509_crt_t cert,
392 const gnutls_x509_crl_t * crl_list,
394 gnutls_verify_output_function func);
396 typedef struct gnutls_name_constraints_st {
397 struct name_constraints_node_st * permitted;
398 struct name_constraints_node_st * excluded;
399 } gnutls_name_constraints_st;
401 typedef struct name_constraints_node_st {
404 struct name_constraints_node_st *next;
405 } name_constraints_node_st;
407 int _gnutls_extract_name_constraints(ASN1_TYPE c2, const char *vstr,
408 name_constraints_node_st ** _nc);
410 void _gnutls_x509_policies_erase(gnutls_x509_policies_t policies, unsigned int seq);