PolarSSL v1.2.11
x509.h
1 
27 #ifndef POLARSSL_X509_H
28 #define POLARSSL_X509_H
29 
30 #include "asn1.h"
31 #include "rsa.h"
32 #include "dhm.h"
33 
/*
 * X.509 error codes. Every value below is a negative constant, running from
 * -0x2080 to -0x2C00 in steps of 0x80, so each code is distinct from zero.
 * The name prefixes (CERT_, KEY_, PASSWORD_, ...) group the codes by subject.
 * NOTE(review): presumably these are the failure values of the int-returning
 * x509parse_* functions declared in this header; callers should treat any
 * non-zero return as a failure instead of testing for a few codes only.
 * Confirm against the implementation.
 */
43 #define POLARSSL_ERR_X509_FEATURE_UNAVAILABLE -0x2080
44 #define POLARSSL_ERR_X509_CERT_INVALID_PEM -0x2100
45 #define POLARSSL_ERR_X509_CERT_INVALID_FORMAT -0x2180
46 #define POLARSSL_ERR_X509_CERT_INVALID_VERSION -0x2200
47 #define POLARSSL_ERR_X509_CERT_INVALID_SERIAL -0x2280
48 #define POLARSSL_ERR_X509_CERT_INVALID_ALG -0x2300
49 #define POLARSSL_ERR_X509_CERT_INVALID_NAME -0x2380
50 #define POLARSSL_ERR_X509_CERT_INVALID_DATE -0x2400
51 #define POLARSSL_ERR_X509_CERT_INVALID_PUBKEY -0x2480
52 #define POLARSSL_ERR_X509_CERT_INVALID_SIGNATURE -0x2500
53 #define POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS -0x2580
54 #define POLARSSL_ERR_X509_CERT_UNKNOWN_VERSION -0x2600
55 #define POLARSSL_ERR_X509_CERT_UNKNOWN_SIG_ALG -0x2680
56 #define POLARSSL_ERR_X509_UNKNOWN_PK_ALG -0x2700
57 #define POLARSSL_ERR_X509_CERT_SIG_MISMATCH -0x2780
58 #define POLARSSL_ERR_X509_CERT_VERIFY_FAILED -0x2800
59 #define POLARSSL_ERR_X509_KEY_INVALID_VERSION -0x2880
60 #define POLARSSL_ERR_X509_KEY_INVALID_FORMAT -0x2900
61 #define POLARSSL_ERR_X509_CERT_UNKNOWN_FORMAT -0x2980
62 #define POLARSSL_ERR_X509_INVALID_INPUT -0x2A00
63 #define POLARSSL_ERR_X509_MALLOC_FAILED -0x2A80
64 #define POLARSSL_ERR_X509_FILE_IO_ERROR -0x2B00
65 #define POLARSSL_ERR_X509_PASSWORD_REQUIRED -0x2B80
66 #define POLARSSL_ERR_X509_PASSWORD_MISMATCH -0x2C00
67 /* \} name */
68 
69 
/*
 * Certificate / CRL verification result flags. Each constant is a distinct
 * single bit (0x01 through 0x0400), so several conditions can be OR-ed into
 * one int. The values above 0x80 do not fit in an unsigned char.
 * NOTE(review): presumably these are reported through the `flags`
 * out-parameter of x509parse_verify(); confirm against the implementation.
 * NOTE(review): BADCERT_SKIP_VERIFY and BADCERT_MISSING look like "nothing
 * was checked" conditions by name; a caller should not read them as a
 * successful verification. Confirm how they are set.
 */
74 #define BADCERT_EXPIRED 0x01
75 #define BADCERT_REVOKED 0x02
76 #define BADCERT_CN_MISMATCH 0x04
77 #define BADCERT_NOT_TRUSTED 0x08
78 #define BADCRL_NOT_TRUSTED 0x10
79 #define BADCRL_EXPIRED 0x20
80 #define BADCERT_MISSING 0x40
81 #define BADCERT_SKIP_VERIFY 0x80
82 #define BADCERT_OTHER 0x0100
83 #define BADCERT_FUTURE 0x0200
84 #define BADCRL_FUTURE 0x0400
86 /* \} name */
87 /* \} addtogroup x509_module */
88 
89 /*
90  * various object identifiers
91  */
/*
 * The X520_* and PKCS9_EMAIL numbers equal the final byte of the matching
 * OID_* byte strings defined further down in this header (for example
 * X520_COMMON_NAME 3 and OID_CN ending in "\x03").
 */
92 #define X520_COMMON_NAME 3
93 #define X520_COUNTRY 6
94 #define X520_LOCALITY 7
95 #define X520_STATE 8
96 #define X520_ORGANIZATION 10
97 #define X520_ORG_UNIT 11
98 #define PKCS9_EMAIL 1
99 
/* Output encoding selectors, PEM line width, and issuer/subject selectors. */
100 #define X509_OUTPUT_DER 0x01
101 #define X509_OUTPUT_PEM 0x02
102 #define PEM_LINE_LENGTH 72
103 #define X509_ISSUER 0x01
104 #define X509_SUBJECT 0x02
105 
/*
 * Object identifiers as raw byte strings. Longer OIDs are built from a
 * prefix macro by adjacent string-literal concatenation.
 * Because these are string literals, sizeof(OID_xxx) counts the implicit
 * terminating NUL; any length used for comparison has to exclude it.
 */
106 #define OID_X520 "\x55\x04" /* bytes decode to arc 2.5.4 */
107 #define OID_CN OID_X520 "\x03"
108 #define OID_COUNTRY OID_X520 "\x06"
109 #define OID_LOCALITY OID_X520 "\x07"
110 #define OID_STATE OID_X520 "\x08"
111 #define OID_ORGANIZATION OID_X520 "\x0A"
112 #define OID_ORG_UNIT OID_X520 "\x0B"
113 
114 #define OID_PKCS1 "\x2A\x86\x48\x86\xF7\x0D\x01\x01" /* bytes decode to arc 1.2.840.113549.1.1 */
115 #define OID_PKCS1_RSA OID_PKCS1 "\x01"
116 #define OID_PKCS1_SHA1 OID_PKCS1 "\x05"
117 
118 #define OID_RSA_SHA_OBS "\x2B\x0E\x03\x02\x1D" /* bytes decode to arc 1.3.14.3.2.29 */
119 
120 #define OID_PKCS9 "\x2A\x86\x48\x86\xF7\x0D\x01\x09" /* bytes decode to arc 1.2.840.113549.1.9 */
121 #define OID_PKCS9_EMAIL OID_PKCS9 "\x01"
122 
124 #define OID_ID_CE "\x55\x1D" /* bytes decode to arc 2.5.29; prefix of the extension OIDs below */
131 #define OID_PKIX "\x2B\x06\x01\x05\x05\x07" /* bytes decode to arc 1.3.6.1.5.5.7 */
132 
133 /*
134  * OIDs for standard certificate extensions
135  */
/*
 * Each macro appends one byte to OID_ID_CE; that byte is the extension's
 * number under the OID_ID_CE arc.
 * The spelling OID_INIHIBIT_ANYPOLICY is the identifier as declared here;
 * code that uses it must spell it the same way.
 */
136 #define OID_AUTHORITY_KEY_IDENTIFIER OID_ID_CE "\x23"
137 #define OID_SUBJECT_KEY_IDENTIFIER OID_ID_CE "\x0E"
138 #define OID_KEY_USAGE OID_ID_CE "\x0F"
139 #define OID_CERTIFICATE_POLICIES OID_ID_CE "\x20"
140 #define OID_POLICY_MAPPINGS OID_ID_CE "\x21"
141 #define OID_SUBJECT_ALT_NAME OID_ID_CE "\x11"
142 #define OID_ISSUER_ALT_NAME OID_ID_CE "\x12"
143 #define OID_SUBJECT_DIRECTORY_ATTRS OID_ID_CE "\x09"
144 #define OID_BASIC_CONSTRAINTS OID_ID_CE "\x13"
145 #define OID_NAME_CONSTRAINTS OID_ID_CE "\x1E"
146 #define OID_POLICY_CONSTRAINTS OID_ID_CE "\x24"
147 #define OID_EXTENDED_KEY_USAGE OID_ID_CE "\x25"
148 #define OID_CRL_DISTRIBUTION_POINTS OID_ID_CE "\x1F"
149 #define OID_INIHIBIT_ANYPOLICY OID_ID_CE "\x36"
150 #define OID_FRESHEST_CRL OID_ID_CE "\x2E"
152 /*
153  * X.509 v3 Key Usage Extension flags
154  */
/*
 * One mask per bit of a single byte, numbered from the most significant
 * end: bit 0 is 0x80 and bit 6 is 0x02. No mask is defined here for 0x01.
 * NOTE(review): presumably tested against the unsigned char key_usage
 * member of x509_cert; confirm against the implementation.
 */
155 #define KU_DIGITAL_SIGNATURE (0x80) /* bit 0 */
156 #define KU_NON_REPUDIATION (0x40) /* bit 1 */
157 #define KU_KEY_ENCIPHERMENT (0x20) /* bit 2 */
158 #define KU_DATA_ENCIPHERMENT (0x10) /* bit 3 */
159 #define KU_KEY_AGREEMENT (0x08) /* bit 4 */
160 #define KU_KEY_CERT_SIGN (0x04) /* bit 5 */
161 #define KU_CRL_SIGN (0x02) /* bit 6 */
162 
163 /*
164  * X.509 v3 Extended key usage OIDs
165  */
/* "Any" usage is OID_EXTENDED_KEY_USAGE with a trailing zero byte. */
166 #define OID_ANY_EXTENDED_KEY_USAGE OID_EXTENDED_KEY_USAGE "\x00"
/* Specific usages hang off OID_KP, which is OID_PKIX followed by "\x03". */
168 #define OID_KP OID_PKIX "\x03"
169 #define OID_SERVER_AUTH OID_KP "\x01"
170 #define OID_CLIENT_AUTH OID_KP "\x02"
171 #define OID_CODE_SIGNING OID_KP "\x03"
172 #define OID_EMAIL_PROTECTION OID_KP "\x04"
173 #define OID_TIME_STAMPING OID_KP "\x08"
174 #define OID_OCSP_SIGNING OID_KP "\x09"
/* Human-readable labels, one per usage OID above. */
176 #define STRING_SERVER_AUTH "TLS Web Server Authentication"
177 #define STRING_CLIENT_AUTH "TLS Web Client Authentication"
178 #define STRING_CODE_SIGNING "Code Signing"
179 #define STRING_EMAIL_PROTECTION "E-mail Protection"
180 #define STRING_TIME_STAMPING "Time Stamping"
181 #define STRING_OCSP_SIGNING "OCSP Signing"
182 
183 /*
184  * OIDs for CRL extensions
185  */
/* Both are single bytes appended to the OID_ID_CE prefix. */
186 #define OID_PRIVATE_KEY_USAGE_PERIOD OID_ID_CE "\x10"
187 #define OID_CRL_NUMBER OID_ID_CE "\x14"
189 /*
190  * Netscape certificate extensions
191  */
/*
 * OID_NETSCAPE bytes decode to arc 2.16.840.1.113730. OID_NS_CERT and
 * OID_NS_DATA_TYPE are its sub-arcs 1 and 2; the remaining macros append
 * one more byte to one of those two.
 */
192 #define OID_NETSCAPE "\x60\x86\x48\x01\x86\xF8\x42"
193 #define OID_NS_CERT OID_NETSCAPE "\x01"
194 #define OID_NS_CERT_TYPE OID_NS_CERT "\x01"
195 #define OID_NS_BASE_URL OID_NS_CERT "\x02"
196 #define OID_NS_REVOCATION_URL OID_NS_CERT "\x03"
197 #define OID_NS_CA_REVOCATION_URL OID_NS_CERT "\x04"
198 #define OID_NS_RENEWAL_URL OID_NS_CERT "\x07"
199 #define OID_NS_CA_POLICY_URL OID_NS_CERT "\x08"
200 #define OID_NS_SSL_SERVER_NAME OID_NS_CERT "\x0C"
201 #define OID_NS_COMMENT OID_NS_CERT "\x0D"
202 #define OID_NS_DATA_TYPE OID_NETSCAPE "\x02"
203 #define OID_NS_CERT_SEQUENCE OID_NS_DATA_TYPE "\x05"
204 
205 /*
206  * Netscape certificate types
207  * (http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn3.html)
208  */
209 
/*
 * One mask per bit of a single byte, numbered from the most significant
 * end: bit 0 is 0x80 and bit 7 is 0x01.
 * NOTE(review): presumably tested against the unsigned char ns_cert_type
 * member of x509_cert; confirm against the implementation.
 */
210 #define NS_CERT_TYPE_SSL_CLIENT (0x80) /* bit 0 */
211 #define NS_CERT_TYPE_SSL_SERVER (0x40) /* bit 1 */
212 #define NS_CERT_TYPE_EMAIL (0x20) /* bit 2 */
213 #define NS_CERT_TYPE_OBJECT_SIGNING (0x10) /* bit 3 */
214 #define NS_CERT_TYPE_RESERVED (0x08) /* bit 4 */
215 #define NS_CERT_TYPE_SSL_CA (0x04) /* bit 5 */
216 #define NS_CERT_TYPE_EMAIL_CA (0x02) /* bit 6 */
217 #define NS_CERT_TYPE_OBJECT_SIGNING_CA (0x01) /* bit 7 */
218 
/*
 * One bit per certificate extension: bits 0 through 14 follow the order of
 * the standard extension names, bit 15 is not defined here, and bit 16
 * marks the Netscape certificate type extension.
 * NOTE(review): presumably these are the bits recorded in the ext_types
 * member of x509_cert, which the page describes as a bit string of detected
 * and parsed extensions. A clear bit would then mean "not parsed", which is
 * not the same as "not present in the certificate". Confirm against the
 * implementation.
 */
219 #define EXT_AUTHORITY_KEY_IDENTIFIER (1 << 0)
220 #define EXT_SUBJECT_KEY_IDENTIFIER (1 << 1)
221 #define EXT_KEY_USAGE (1 << 2)
222 #define EXT_CERTIFICATE_POLICIES (1 << 3)
223 #define EXT_POLICY_MAPPINGS (1 << 4)
224 #define EXT_SUBJECT_ALT_NAME (1 << 5)
225 #define EXT_ISSUER_ALT_NAME (1 << 6)
226 #define EXT_SUBJECT_DIRECTORY_ATTRS (1 << 7)
227 #define EXT_BASIC_CONSTRAINTS (1 << 8)
228 #define EXT_NAME_CONSTRAINTS (1 << 9)
229 #define EXT_POLICY_CONSTRAINTS (1 << 10)
230 #define EXT_EXTENDED_KEY_USAGE (1 << 11)
231 #define EXT_CRL_DISTRIBUTION_POINTS (1 << 12)
232 #define EXT_INIHIBIT_ANYPOLICY (1 << 13)
233 #define EXT_FRESHEST_CRL (1 << 14)
234 
235 #define EXT_NS_CERT_TYPE (1 << 16)
236 
237 /*
238  * Storage format identifiers
239  * Recognized formats: PEM and DER
240  */
/* These values (1 and 2) are separate macros from X509_OUTPUT_DER / X509_OUTPUT_PEM. */
241 #define X509_FORMAT_DER 1
242 #define X509_FORMAT_PEM 2
243 
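/*
 * Restored from the page's own cross-reference entries, which give these two
 * typedefs at x509.h:256 and x509.h:261. The listing dropped both lines.
 */
256 typedef asn1_buf x509_buf; /* Type-length-value structure that allows for ASN1 using DER. */
257 
261 typedef asn1_bitstring x509_bitstring; /* Container for ASN1 bit strings. */
262 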
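/*
 * Container for ASN1 named information objects.
 * The oid and val members are restored from the page's cross-reference
 * entries (x509.h:269 and x509.h:270); the listing had dropped them.
 */
267 typedef struct _x509_name
268 {
269  x509_buf oid; /* The object identifier. */
270  x509_buf val; /* The named value. */
271  struct _x509_name *next; /* The next named information object. */
272 }
273 x509_name;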
274 
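/* Restored from the page's cross-reference entry at x509.h:278; the listing dropped this line. */
278 typedef asn1_sequence x509_sequence; /* Container for a sequence of ASN.1 items. */
279 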
/* Container for date and time (precision in seconds). */
281 typedef struct _x509_time
282 {
283  int year, mon, day; /* Date. */
284  int hour, min, sec; /* Time. */
285 }
286 x509_time;
287 
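/*
 * Container for an X.509 certificate.
 * The listing had dropped every member whose type is a project typedef.
 * They are restored here from the page's own cross-reference entries, each
 * at the x509.h line number given there. Member comments are the page's
 * descriptions; two of them are cut off on the page after "e.g.".
 */
291 typedef struct _x509_cert
292 {
293  x509_buf raw; /* The raw certificate data (DER). */
294  x509_buf tbs; /* The raw certificate body (DER). */
296  int version; /* The X.509 version. */
297  x509_buf serial; /* Unique id for certificate issued by a specific CA. */
298  x509_buf sig_oid1; /* Signature algorithm (page text is cut off after "e.g."). */
300  x509_buf issuer_raw; /* The raw issuer data (DER). */
301  x509_buf subject_raw; /* The raw subject data (DER). */
303  x509_name issuer; /* The parsed issuer data (named information object). */
304  x509_name subject; /* The parsed subject data (named information object). */
306  x509_time valid_from; /* Start time of certificate validity. */
307  x509_time valid_to; /* End time of certificate validity. */
309  x509_buf pk_oid; /* Subject public key info. */
310  rsa_context rsa; /* Container for the RSA context. */
312  x509_buf issuer_id; /* Optional X.509 v2/v3 issuer unique identifier. */
313  x509_buf subject_id; /* Optional X.509 v2/v3 subject unique identifier. */
314  x509_buf v3_ext; /* Optional X.509 v3 extensions. */
315  x509_sequence subject_alt_names; /* Optional list of Subject Alternative Names (Only dNSName supported). */
317  int ext_types; /* Bit string containing detected and parsed extensions. */
318  int ca_istrue; /* Optional Basic Constraint extension value: 1 if this certificate belongs to a CA, 0 otherwise. */
319  int max_pathlen; /* Optional Basic Constraint extension value: The maximum path length to the root certificate. */
321  unsigned char key_usage; /* Optional key usage extension value. */
323  x509_sequence ext_key_usage; /* Optional list of extended key usage OIDs. */
325  unsigned char ns_cert_type; /* Optional Netscape certificate type extension value. */
327  x509_buf sig_oid2; /* Signature algorithm. */
328  x509_buf sig; /* Signature: hash of the tbs part signed with the private key. */
329  int sig_alg; /* Internal representation of the signature algorithm (page text is cut off after "e.g."). */
331  struct _x509_cert *next; /* Next certificate in the CA-chain. */
332 }
333 x509_cert;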
334 
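/*
 * Certificate revocation list entry.
 * The listing had dropped all five members and the closing typedef name.
 * They are restored from the page's cross-reference entries (x509.h:341
 * through x509.h:349); the page gives no description for the members.
 */
339 typedef struct _x509_crl_entry
340 {
341  x509_buf raw;
342 
343  x509_buf serial;
344 
345  x509_time revocation_date;
346 
347  x509_buf entry_ext;
348 
349  struct _x509_crl_entry *next;
350 }
351 x509_crl_entry;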
352 
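/*
 * Certificate revocation list structure.
 * The listing had dropped every member whose type is a project typedef.
 * They are restored from the page's cross-reference entries, each at the
 * x509.h line number given there. Members without a comment have no
 * description on the page.
 */
357 typedef struct _x509_crl
358 {
359  x509_buf raw; /* The raw certificate data (DER). */
360  x509_buf tbs; /* The raw certificate body (DER). */
362  int version;
363  x509_buf sig_oid1;
364 
365  x509_buf issuer_raw; /* The raw issuer data (DER). */
367  x509_name issuer; /* The parsed issuer data (named information object). */
369  x509_time this_update;
370  x509_time next_update;
371 
372  x509_crl_entry entry; /* The CRL entries containing the certificate revocation times for this CA. */
374  x509_buf crl_ext;
375 
376  x509_buf sig_oid2;
377  x509_buf sig;
378  int sig_alg;
379 
380  struct _x509_crl *next;
381 }
382 x509_crl;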
392 /*
393 typedef struct _x509_node
394 {
395  unsigned char *data;
396  unsigned char *p;
397  unsigned char *end;
398 
399  size_t len;
400 }
401 x509_node;
402 
403 typedef struct _x509_raw
404 {
405  x509_node raw;
406  x509_node tbs;
407 
408  x509_node version;
409  x509_node serial;
410  x509_node tbs_signalg;
411  x509_node issuer;
412  x509_node validity;
413  x509_node subject;
414  x509_node subpubkey;
415 
416  x509_node signalg;
417  x509_node sign;
418 }
419 x509_raw;
420 */
421 
422 #ifdef __cplusplus
423 extern "C" {
424 #endif
425 
/*
 * Parse a single DER formatted certificate and add it to the chained list.
 * buf / buflen: the input bytes and their length.
 */
442 int x509parse_crt_der( x509_cert *chain, const unsigned char *buf, size_t buflen );
443 
/* Parse one or more certificates and add them to the chained list. */
458 int x509parse_crt( x509_cert *chain, const unsigned char *buf, size_t buflen );
459 
/* Load one or more certificates and add them to the chained list. */
474 int x509parse_crtfile( x509_cert *chain, const char *path );
475 
/* Load one or more certificate files from a path and add them to the chained list. */
490 int x509parse_crtpath( x509_cert *chain, const char *path );
491 
/* Parse one or more CRLs and add them to the chained list. */
503 int x509parse_crl( x509_crl *chain, const unsigned char *buf, size_t buflen );
504 
/* Load one or more CRLs and add them to the chained list. */
515 int x509parse_crlfile( x509_crl *chain, const char *path );
516 
/*
 * Parse a private RSA key.
 * key / keylen: the key bytes and their length.
 * pwd / pwdlen: password bytes and their length.
 * NOTE(review): presumably pwd is only needed for encrypted keys, matching
 * the PASSWORD_REQUIRED / PASSWORD_MISMATCH error codes in this header;
 * confirm against the implementation.
 * The key and password buffers hold secret material and remain owned by the
 * caller, who should wipe them after use.
 */
529 int x509parse_key( rsa_context *rsa,
530  const unsigned char *key, size_t keylen,
531  const unsigned char *pwd, size_t pwdlen );
532 
/* Load and parse a private RSA key. */
543 int x509parse_keyfile( rsa_context *rsa, const char *path,
544  const char *password );
545 
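/*
 * Parse a public RSA key.
 * key / keylen: the key bytes and their length.
 * The first line of this prototype is restored from the page's own
 * cross-reference entry for x509parse_public_key; the listing dropped it.
 */
556 int x509parse_public_key( rsa_context *rsa,
557  const unsigned char *key, size_t keylen );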
558 
/* Load and parse a public RSA key. */
568 int x509parse_public_keyfile( rsa_context *rsa, const char *path );
569 
/* Parse DHM parameters. */
580 int x509parse_dhm( dhm_context *dhm, const unsigned char *dhmin, size_t dhminlen );
581 
/* Load and parse DHM parameters. */
591 int x509parse_dhmfile( dhm_context *dhm, const char *path );
592 
/*
 * Store the certificate DN in printable form into buf; no more than size
 * characters will be written.
 */
606 int x509parse_dn_gets( char *buf, size_t size, const x509_name *dn );
607 
/*
 * Store the certificate serial in printable form into buf; no more than size
 * characters will be written.
 */
619 int x509parse_serial_gets( char *buf, size_t size, const x509_buf *serial );
620 
/* Returns an informational string about the certificate, written to buf (capacity size). */
633 int x509parse_cert_info( char *buf, size_t size, const char *prefix,
634  const x509_cert *crt );
635 
/* Returns an informational string about the CRL, written to buf (capacity size). */
648 int x509parse_crl_info( char *buf, size_t size, const char *prefix,
649  const x509_crl *crl );
650 
/* Given a known OID, return its descriptive string. */
659 const char *x509_oid_get_description( x509_buf *oid );
660 
/* Given an OID, return a string version of its OID number, written to buf (capacity size). */
671 int x509_oid_get_numeric_string( char *buf, size_t size, x509_buf *oid );
672 
/*
 * Check a given x509_time against the system time and check if it is not
 * expired. The result depends on the system clock, so it is only as
 * reliable as that clock.
 */
682 int x509parse_time_expired( const x509_time *time );
683 
/*
 * Check a given x509_time against the system time and check if it is not
 * from the future. The result depends on the system clock, as above.
 */
693 int x509parse_time_future( const x509_time *time );
694 
/*
 * Verify the certificate signature.
 * crt: the certificate to verify; trust_ca: trusted CA chain; ca_crl: CRL
 * chain; cn: expected name; flags: int written through a pointer;
 * f_vrfy / p_vrfy: optional callback and an opaque pointer for it.
 * NOTE(review): presumably *flags receives the BADCERT_* and BADCRL_* bits
 * defined in this header, and p_vrfy is handed back as the callback's first
 * argument. A caller should check both the return value and *flags before
 * trusting the certificate. Confirm against the implementation, including
 * what happens when cn, ca_crl or f_vrfy is NULL.
 */
736 int x509parse_verify( x509_cert *crt,
737  x509_cert *trust_ca,
738  x509_crl *ca_crl,
739  const char *cn, int *flags,
740  int (*f_vrfy)(void *, x509_cert *, int, int *),
741  void *p_vrfy );
742 
/*
 * NOTE(review): the page's description for this function repeats the one
 * for x509parse_verify ("Verify the certificate signature"). Judging by the
 * name and the (crt, crl) parameters this looks like a revocation check of
 * crt against crl; confirm the return convention in the implementation.
 */
752 int x509parse_revoked( const x509_cert *crt, const x509_crl *crl );
753 
/* Unallocate all certificate data. */
768 void x509_free( x509_cert *crt );
769 
/* Unallocate all CRL data. */
776 void x509_crl_free( x509_crl *crl );
777 
/* Checkup routine. */
786 int x509_self_test( int verbose );
787 
788 #ifdef __cplusplus
789 }
790 #endif
791 
792 #endif /* x509.h */
x509_time valid_to
End time of certificate validity.
Definition: x509.h:307
x509_buf sig
Definition: x509.h:377
x509_buf issuer_raw
The raw issuer data (DER).
Definition: x509.h:300
int x509parse_crt_der(x509_cert *chain, const unsigned char *buf, size_t buflen)
Parse a single DER formatted certificate and add it to the chained list.
struct _x509_name x509_name
Container for ASN1 named information objects.
x509_name issuer
The parsed issuer data (named information object).
Definition: x509.h:303
struct _x509_crl_entry x509_crl_entry
Certificate revocation list entry.
x509_buf tbs
The raw certificate body (DER).
Definition: x509.h:294
x509_buf val
The named value.
Definition: x509.h:270
int max_pathlen
Optional Basic Constraint extension value: The maximum path length to the root certificate.
Definition: x509.h:319
struct _x509_time x509_time
Container for date and time (precision in seconds).
unsigned char ns_cert_type
Optional Netscape certificate type extension value: See the values below.
Definition: x509.h:325
int sec
Time.
Definition: x509.h:284
int version
Definition: x509.h:362
x509_time next_update
Definition: x509.h:370
int x509parse_crtfile(x509_cert *chain, const char *path)
Load one or more certificates and add them to the chained list.
DHM context structure.
Definition: dhm.h:136
Certificate revocation list entry.
Definition: x509.h:339
x509_buf sig
Signature: hash of the tbs part signed with the private key.
Definition: x509.h:328
x509_name subject
The parsed subject data (named information object).
Definition: x509.h:304
struct _x509_crl * next
Definition: x509.h:380
x509_buf raw
The raw certificate data (DER).
Definition: x509.h:293
const char * x509_oid_get_description(x509_buf *oid)
Given a known OID, return its descriptive string.
Container for date and time (precision in seconds).
Definition: x509.h:281
struct _x509_cert x509_cert
Container for an X.509 certificate.
void x509_free(x509_cert *crt)
Unallocate all certificate data.
x509_sequence ext_key_usage
Optional list of extended key usage OIDs.
Definition: x509.h:323
Container for ASN1 named information objects.
Definition: x509.h:267
int x509parse_cert_info(char *buf, size_t size, const char *prefix, const x509_cert *crt)
Returns an informational string about the certificate.
x509_buf sig_oid2
Definition: x509.h:376
Container for an X.509 certificate.
Definition: x509.h:291
int x509parse_dhmfile(dhm_context *dhm, const char *path)
Load and parse DHM parameters.
Container for ASN1 bit strings.
Definition: asn1.h:119
x509_name issuer
The parsed issuer data (named information object).
Definition: x509.h:367
x509_buf serial
Definition: x509.h:343
struct _x509_crl x509_crl
Certificate revocation list structure.
int x509parse_time_future(const x509_time *time)
Check a given x509_time against the system time and check if it is not from the future.
x509_crl_entry entry
The CRL entries containing the certificate revocation times for this CA.
Definition: x509.h:372
x509_buf sig_oid2
Signature algorithm.
Definition: x509.h:327
int hour
Definition: x509.h:284
int mon
Definition: x509.h:283
Container for a sequence of ASN.1 items.
Definition: asn1.h:130
x509_buf sig_oid1
Definition: x509.h:363
int sig_alg
Internal representation of the signature algorithm, e.g.
Definition: x509.h:329
RSA context structure.
Definition: rsa.h:135
int x509parse_crt(x509_cert *chain, const unsigned char *buf, size_t buflen)
Parse one or more certificates and add them to the chained list.
Generic ASN.1 parsing.
int x509parse_time_expired(const x509_time *time)
Check a given x509_time against the system time and check if it is not expired.
void x509_crl_free(x509_crl *crl)
Unallocate all CRL data.
int x509parse_dhm(dhm_context *dhm, const unsigned char *dhmin, size_t dhminlen)
Parse DHM parameters.
int x509parse_crtpath(x509_cert *chain, const char *path)
Load one or more certificate files from a path and add them to the chained list.
int x509parse_crl(x509_crl *chain, const unsigned char *buf, size_t buflen)
Parse one or more CRLs and add them to the chained list.
int x509parse_dn_gets(char *buf, size_t size, const x509_name *dn)
Store the certificate DN in printable form into buf; no more than size characters will be written...
int x509parse_key(rsa_context *rsa, const unsigned char *key, size_t keylen, const unsigned char *pwd, size_t pwdlen)
Parse a private RSA key.
int x509_oid_get_numeric_string(char *buf, size_t size, x509_buf *oid)
Given an OID, return a string version of its OID number.
x509_buf tbs
The raw certificate body (DER).
Definition: x509.h:360
int x509parse_public_keyfile(rsa_context *rsa, const char *path)
Load and parse a public RSA key.
x509_buf serial
Unique id for certificate issued by a specific CA.
Definition: x509.h:297
struct _x509_crl_entry * next
Definition: x509.h:349
x509_buf subject_id
Optional X.509 v2/v3 subject unique identifier.
Definition: x509.h:313
Diffie-Hellman-Merkle key exchange.
int day
Date.
Definition: x509.h:283
x509_time valid_from
Start time of certificate validity.
Definition: x509.h:306
x509_buf issuer_id
Optional X.509 v2/v3 issuer unique identifier.
Definition: x509.h:312
unsigned char key_usage
Optional key usage extension value: See the values below.
Definition: x509.h:321
int x509parse_crl_info(char *buf, size_t size, const char *prefix, const x509_crl *crl)
Returns an informational string about the CRL.
int x509parse_public_key(rsa_context *rsa, const unsigned char *key, size_t keylen)
Parse a public RSA key.
struct _x509_cert * next
Next certificate in the CA-chain.
Definition: x509.h:331
x509_time this_update
Definition: x509.h:369
Type-length-value structure that allows for ASN1 using DER.
Definition: asn1.h:108
The RSA public-key cryptosystem.
x509_buf entry_ext
Definition: x509.h:347
int year
Definition: x509.h:283
int x509parse_revoked(const x509_cert *crt, const x509_crl *crl)
Verify the certificate revocation status.
x509_buf raw
Definition: x509.h:341
x509_buf subject_raw
The raw subject data (DER).
Definition: x509.h:301
Certificate revocation list structure.
Definition: x509.h:357
int min
Definition: x509.h:284
x509_sequence subject_alt_names
Optional list of Subject Alternative Names (Only dNSName supported).
Definition: x509.h:315
x509_buf v3_ext
Optional X.509 v3 extensions.
Definition: x509.h:314
x509_buf pk_oid
Subject public key info.
Definition: x509.h:309
x509_buf raw
The raw certificate data (DER).
Definition: x509.h:359
asn1_buf x509_buf
Type-length-value structure that allows for ASN1 using DER.
Definition: x509.h:256
int x509_self_test(int verbose)
Checkup routine.
asn1_sequence x509_sequence
Container for a sequence of ASN.1 items.
Definition: x509.h:278
x509_time revocation_date
Definition: x509.h:345
int x509parse_verify(x509_cert *crt, x509_cert *trust_ca, x509_crl *ca_crl, const char *cn, int *flags, int(*f_vrfy)(void *, x509_cert *, int, int *), void *p_vrfy)
Verify the certificate signature.
asn1_bitstring x509_bitstring
Container for ASN1 bit strings.
Definition: x509.h:261
x509_buf issuer_raw
The raw issuer data (DER).
Definition: x509.h:365
int version
The X.509 version.
Definition: x509.h:296
rsa_context rsa
Container for the RSA context.
Definition: x509.h:310
x509_buf crl_ext
Definition: x509.h:374
int x509parse_keyfile(rsa_context *rsa, const char *path, const char *password)
Load and parse a private RSA key.
int x509parse_serial_gets(char *buf, size_t size, const x509_buf *serial)
Store the certificate serial in printable form into buf; no more than size characters will be written...
int x509parse_crlfile(x509_crl *chain, const char *path)
Load one or more CRLs and add them to the chained list.
int sig_alg
Definition: x509.h:378
x509_buf sig_oid1
Signature algorithm, e.g.
Definition: x509.h:298
int ca_istrue
Optional Basic Constraint extension value: 1 if this certificate belongs to a CA, 0 otherwise...
Definition: x509.h:318
struct _x509_name * next
The next named information object.
Definition: x509.h:271
x509_buf oid
The object identifier.
Definition: x509.h:269
int ext_types
Bit string containing detected and parsed extensions.
Definition: x509.h:317