1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
|
/**
* \file x509.h
*
* Based on XySSL: Copyright (C) 2006-2008 Christophe Devine
*
* Copyright (C) 2009 Paul Bakker <polarssl_maintainer at polarssl dot org>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, write to the Free Software Foundation, Inc.,
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef POLARSSL_X509_H
#define POLARSSL_X509_H
#include "polarssl/rsa.h"
#define POLARSSL_ERR_ASN1_OUT_OF_DATA -0x0014
#define POLARSSL_ERR_ASN1_UNEXPECTED_TAG -0x0016
#define POLARSSL_ERR_ASN1_INVALID_LENGTH -0x0018
#define POLARSSL_ERR_ASN1_LENGTH_MISMATCH -0x001A
#define POLARSSL_ERR_ASN1_INVALID_DATA -0x001C
#define POLARSSL_ERR_X509_FEATURE_UNAVAILABLE -0x0020
#define POLARSSL_ERR_X509_CERT_INVALID_PEM -0x0040
#define POLARSSL_ERR_X509_CERT_INVALID_FORMAT -0x0060
#define POLARSSL_ERR_X509_CERT_INVALID_VERSION -0x0080
#define POLARSSL_ERR_X509_CERT_INVALID_SERIAL -0x00A0
#define POLARSSL_ERR_X509_CERT_INVALID_ALG -0x00C0
#define POLARSSL_ERR_X509_CERT_INVALID_NAME -0x00E0
#define POLARSSL_ERR_X509_CERT_INVALID_DATE -0x0100
#define POLARSSL_ERR_X509_CERT_INVALID_PUBKEY -0x0120
#define POLARSSL_ERR_X509_CERT_INVALID_SIGNATURE -0x0140
#define POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS -0x0160
#define POLARSSL_ERR_X509_CERT_UNKNOWN_VERSION -0x0180
#define POLARSSL_ERR_X509_CERT_UNKNOWN_SIG_ALG -0x01A0
#define POLARSSL_ERR_X509_CERT_UNKNOWN_PK_ALG -0x01C0
#define POLARSSL_ERR_X509_CERT_SIG_MISMATCH -0x01E0
#define POLARSSL_ERR_X509_CERT_VERIFY_FAILED -0x0200
#define POLARSSL_ERR_X509_KEY_INVALID_PEM -0x0220
#define POLARSSL_ERR_X509_KEY_INVALID_VERSION -0x0240
#define POLARSSL_ERR_X509_KEY_INVALID_FORMAT -0x0260
#define POLARSSL_ERR_X509_KEY_INVALID_ENC_IV -0x0280
#define POLARSSL_ERR_X509_KEY_UNKNOWN_ENC_ALG -0x02A0
#define POLARSSL_ERR_X509_KEY_PASSWORD_REQUIRED -0x02C0
#define POLARSSL_ERR_X509_KEY_PASSWORD_MISMATCH -0x02E0
#define POLARSSL_ERR_X509_POINT_ERROR -0x0300
#define POLARSSL_ERR_X509_VALUE_TO_LENGTH -0x0320
#define BADCERT_EXPIRED 1
#define BADCERT_REVOKED 2
#define BADCERT_CN_MISMATCH 4
#define BADCERT_NOT_TRUSTED 8
#define BADCRL_NOT_TRUSTED 16
#define BADCRL_EXPIRED 32
/*
* DER constants
*/
#define ASN1_BOOLEAN 0x01
#define ASN1_INTEGER 0x02
#define ASN1_BIT_STRING 0x03
#define ASN1_OCTET_STRING 0x04
#define ASN1_NULL 0x05
#define ASN1_OID 0x06
#define ASN1_UTF8_STRING 0x0C
#define ASN1_SEQUENCE 0x10
#define ASN1_SET 0x11
#define ASN1_PRINTABLE_STRING 0x13
#define ASN1_T61_STRING 0x14
#define ASN1_IA5_STRING 0x16
#define ASN1_UTC_TIME 0x17
#define ASN1_UNIVERSAL_STRING 0x1C
#define ASN1_BMP_STRING 0x1E
#define ASN1_PRIMITIVE 0x00
#define ASN1_CONSTRUCTED 0x20
#define ASN1_CONTEXT_SPECIFIC 0x80
/*
* various object identifiers
*/
#define X520_COMMON_NAME 3
#define X520_COUNTRY 6
#define X520_LOCALITY 7
#define X520_STATE 8
#define X520_ORGANIZATION 10
#define X520_ORG_UNIT 11
#define PKCS9_EMAIL 1
#define X509_OUTPUT_DER 0x01
#define X509_OUTPUT_PEM 0x02
#define PEM_LINE_LENGTH 72
#define X509_ISSUER 0x01
#define X509_SUBJECT 0x02
#define OID_X520 "\x55\x04"
#define OID_CN "\x55\x04\x03"
#define OID_PKCS1 "\x2A\x86\x48\x86\xF7\x0D\x01\x01"
#define OID_PKCS1_RSA "\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01"
#define OID_PKCS1_RSA_SHA "\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05"
#define OID_PKCS9 "\x2A\x86\x48\x86\xF7\x0D\x01\x09"
#define OID_PKCS9_EMAIL "\x2A\x86\x48\x86\xF7\x0D\x01\x09\x01"
/*
* Structures for parsing X.509 certificates
*/
typedef struct _x509_buf
{
int tag;
int len;
unsigned char *p;
}
x509_buf;
typedef struct _x509_name
{
x509_buf oid;
x509_buf val;
struct _x509_name *next;
}
x509_name;
typedef struct _x509_time
{
int year, mon, day;
int hour, min, sec;
}
x509_time;
typedef struct _x509_cert
{
x509_buf raw;
x509_buf tbs;
int version;
x509_buf serial;
x509_buf sig_oid1;
x509_buf issuer_raw;
x509_buf subject_raw;
x509_name issuer;
x509_name subject;
x509_time valid_from;
x509_time valid_to;
x509_buf pk_oid;
rsa_context rsa;
x509_buf issuer_id;
x509_buf subject_id;
x509_buf v3_ext;
int ca_istrue;
int max_pathlen;
x509_buf sig_oid2;
x509_buf sig;
struct _x509_cert *next;
}
x509_cert;
typedef struct _x509_crl_entry
{
x509_buf raw;
x509_buf serial;
x509_time revocation_date;
x509_buf entry_ext;
struct _x509_crl_entry *next;
}
x509_crl_entry;
typedef struct _x509_crl
{
x509_buf raw;
x509_buf tbs;
int version;
x509_buf sig_oid1;
x509_buf issuer_raw;
x509_name issuer;
x509_time this_update;
x509_time next_update;
x509_crl_entry entry;
x509_buf crl_ext;
x509_buf sig_oid2;
x509_buf sig;
struct _x509_crl *next;
}
x509_crl;
/*
* Structures for writing X.509 certificates
*/
typedef struct _x509_node
{
unsigned char *data;
unsigned char *p;
unsigned char *end;
size_t len;
}
x509_node;
typedef struct _x509_raw
{
x509_node raw;
x509_node tbs;
x509_node version;
x509_node serial;
x509_node tbs_signalg;
x509_node issuer;
x509_node validity;
x509_node subject;
x509_node subpubkey;
x509_node signalg;
x509_node sign;
}
x509_raw;
#ifdef __cplusplus
extern "C" {
#endif
/**
* \brief Parse one or more certificates and add them
* to the chained list
*
* \param chain points to the start of the chain
* \param buf buffer holding the certificate data
* \param buflen size of the buffer
*
* \return 0 if successful, or a specific X509 error code
*/
int x509parse_crt( x509_cert *chain, unsigned char *buf, int buflen );
/**
* \brief Load one or more certificates and add them
* to the chained list
*
* \param chain points to the start of the chain
* \param path filename to read the certificates from
*
* \return 0 if successful, or a specific X509 error code
*/
int x509parse_crtfile( x509_cert *chain, char *path );
/**
* \brief Parse one or more CRLs and add them
* to the chained list
*
* \param chain points to the start of the chain
* \param buf buffer holding the CRL data
* \param buflen size of the buffer
*
* \return 0 if successful, or a specific X509 error code
*/
int x509parse_crl( x509_crl *chain, unsigned char *buf, int buflen );
/**
* \brief Load one or more CRLs and add them
* to the chained list
*
* \param chain points to the start of the chain
* \param path filename to read the CRLs from
*
* \return 0 if successful, or a specific X509 error code
*/
int x509parse_crlfile( x509_crl *chain, char *path );
/**
* \brief Parse a private RSA key
*
* \param rsa RSA context to be initialized
* \param buf input buffer
* \param buflen size of the buffer
* \param pwd password for decryption (optional)
* \param pwdlen size of the password
*
* \return 0 if successful, or a specific X509 error code
*/
int x509parse_key( rsa_context *rsa,
unsigned char *buf, int buflen,
unsigned char *pwd, int pwdlen );
/**
* \brief Load and parse a private RSA key
*
* \param rsa RSA context to be initialized
* \param path filename to read the private key from
* \param pwd password to decrypt the file (can be NULL)
*
* \return 0 if successful, or a specific X509 error code
*/
int x509parse_keyfile( rsa_context *rsa, char *path, char *password );
/**
* \brief Store the certificate DN in printable form into buf;
* no more than size characters will be written.
*/
int x509parse_dn_gets( char *buf, size_t size, x509_name *dn );
/**
* \brief Returns an informational string about the
* certificate.
*/
int x509parse_cert_info( char *buf, size_t size, char *prefix, x509_cert *crt );
/**
* \brief Returns an informational string about the
* CRL.
*/
int x509parse_crl_info( char *buf, size_t size, char *prefix, x509_crl *crl );
/**
* \brief Return 0 if the x509_time is still valid,
* or 1 otherwise.
*/
int x509parse_time_expired( x509_time *time );
/**
* \brief Verify the certificate signature
*
* \param crt a certificate to be verified
* \param trust_ca the trusted CA chain
* \param ca_crl the CRL chain for trusted CA's
* \param cn expected Common Name (can be set to
* NULL if the CN must not be verified)
* \param flags result of the verification
*
* \return 0 if successful or POLARSSL_ERR_X509_SIG_VERIFY_FAILED,
* in which case *flags will have one or more of
* the following values set:
* BADCERT_EXPIRED --
* BADCERT_REVOKED --
* BADCERT_CN_MISMATCH --
* BADCERT_NOT_TRUSTED
*
* \note TODO: add two arguments, depth and crl
*/
int x509parse_verify( x509_cert *crt,
x509_cert *trust_ca,
x509_crl *ca_crl,
char *cn, int *flags );
/**
* \brief Unallocate all certificate data
*/
void x509_free( x509_cert *crt );
/**
* \brief Unallocate all CRL data
*/
void x509_crl_free( x509_crl *crl );
/**
* \brief Checkup routine
*
* \return 0 if successful, or 1 if the test failed
*/
int x509_self_test( int verbose );
#ifdef __cplusplus
}
#endif
#endif /* x509.h */
|