mirror of
https://github.com/jart/cosmopolitan.git
synced 2025-01-31 11:37:35 +00:00
356 lines
17 KiB
C
356 lines
17 KiB
C
#ifndef MBEDTLS_X509_CRT_H_
|
|
#define MBEDTLS_X509_CRT_H_
|
|
#include "third_party/mbedtls/bignum.h"
|
|
#include "third_party/mbedtls/config.h"
|
|
#include "third_party/mbedtls/x509.h"
|
|
#include "third_party/mbedtls/x509_crl.h"
|
|
COSMOPOLITAN_C_START_
|
|
/* clang-format off */
|
|
|
|
/**
|
|
* Container for an X.509 certificate. The certificate may be chained.
|
|
*/
|
|
typedef struct mbedtls_x509_crt
|
|
{
|
|
int own_buffer; /*< Indicates if \c raw is owned
|
|
* by the structure or not. */
|
|
mbedtls_x509_buf raw; /*< The raw certificate data (DER). */
|
|
mbedtls_x509_buf tbs; /*< The raw certificate body (DER). The part that is To Be Signed. */
|
|
|
|
int version; /*< The X.509 version. (1=v1, 2=v2, 3=v3) */
|
|
mbedtls_x509_buf serial; /*< Unique id for certificate issued by a specific CA. */
|
|
mbedtls_x509_buf sig_oid; /*< Signature algorithm, e.g. sha1RSA */
|
|
|
|
mbedtls_x509_buf issuer_raw; /*< The raw issuer data (DER). Used for quick comparison. */
|
|
mbedtls_x509_buf subject_raw; /*< The raw subject data (DER). Used for quick comparison. */
|
|
|
|
mbedtls_x509_name issuer; /*< The parsed issuer data (named information object). */
|
|
mbedtls_x509_name subject; /*< The parsed subject data (named information object). */
|
|
|
|
mbedtls_x509_time valid_from; /*< Start time of certificate validity. */
|
|
mbedtls_x509_time valid_to; /*< End time of certificate validity. */
|
|
|
|
mbedtls_x509_buf pk_raw;
|
|
mbedtls_pk_context pk; /*< Container for the public key context. */
|
|
|
|
mbedtls_x509_buf issuer_id; /*< Optional X.509 v2/v3 issuer unique identifier. */
|
|
mbedtls_x509_buf subject_id; /*< Optional X.509 v2/v3 subject unique identifier. */
|
|
mbedtls_x509_buf v3_ext; /*< Optional X.509 v3 extensions. */
|
|
mbedtls_x509_sequence subject_alt_names; /*< Optional list of raw entries of Subject Alternative Names extension (currently only dNSName and OtherName are listed). */
|
|
|
|
mbedtls_x509_sequence certificate_policies; /*< Optional list of certificate policies (Only anyPolicy is printed and enforced, however the rest of the policies are still listed). */
|
|
|
|
int ext_types; /*< Bit string containing detected and parsed extensions */
|
|
int ca_istrue; /*< Optional Basic Constraint extension value: 1 if this certificate belongs to a CA, 0 otherwise. */
|
|
int max_pathlen; /*< Optional Basic Constraint extension value: The maximum path length to the root certificate. Path length is 1 higher than RFC 5280 'meaning', so 1+ */
|
|
|
|
unsigned int key_usage; /*< Optional key usage extension value: See the values in x509.h */
|
|
|
|
mbedtls_x509_sequence ext_key_usage; /*< Optional list of extended key usage OIDs. */
|
|
|
|
unsigned char ns_cert_type; /*< Optional Netscape certificate type extension value: See the values in x509.h */
|
|
|
|
mbedtls_x509_buf sig; /*< Signature: hash of the tbs part signed with the private key. */
|
|
mbedtls_md_type_t sig_md; /*< Internal representation of the MD algorithm of the signature algorithm, e.g. MBEDTLS_MD_SHA256 */
|
|
mbedtls_pk_type_t sig_pk; /*< Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA */
|
|
void *sig_opts; /*< Signature options to be passed to mbedtls_pk_verify_ext(), e.g. for RSASSA-PSS */
|
|
|
|
struct mbedtls_x509_crt *next; /*< Next certificate in the CA-chain. */
|
|
}
|
|
mbedtls_x509_crt;
|
|
|
|
/**
|
|
* From RFC 5280 section 4.2.1.6:
|
|
* OtherName ::= SEQUENCE {
|
|
* type-id OBJECT IDENTIFIER,
|
|
* value [0] EXPLICIT ANY DEFINED BY type-id }
|
|
*/
|
|
typedef struct mbedtls_x509_san_other_name
|
|
{
|
|
/**
|
|
* The type_id is an OID as deifned in RFC 5280.
|
|
* To check the value of the type id, you should use
|
|
* \p MBEDTLS_OID_CMP with a known OID mbedtls_x509_buf.
|
|
*/
|
|
mbedtls_x509_buf type_id; /*< The type id. */
|
|
union
|
|
{
|
|
/**
|
|
* From RFC 4108 section 5:
|
|
* HardwareModuleName ::= SEQUENCE {
|
|
* hwType OBJECT IDENTIFIER,
|
|
* hwSerialNum OCTET STRING }
|
|
*/
|
|
struct
|
|
{
|
|
mbedtls_x509_buf oid; /*< The object identifier. */
|
|
mbedtls_x509_buf val; /*< The named value. */
|
|
}
|
|
hardware_module_name;
|
|
}
|
|
value;
|
|
}
|
|
mbedtls_x509_san_other_name;
|
|
|
|
/**
|
|
* A structure for holding the parsed Subject Alternative Name, according to type
|
|
*/
|
|
typedef struct mbedtls_x509_subject_alternative_name
|
|
{
|
|
int type; /*< The SAN type, value of MBEDTLS_X509_SAN_XXX. */
|
|
union {
|
|
mbedtls_x509_san_other_name other_name; /*< The otherName supported type. */
|
|
mbedtls_x509_buf unstructured_name; /*< The buffer for the un constructed types. Only dnsName currently supported */
|
|
uint32_t ip;
|
|
}
|
|
san; /*< A union of the supported SAN types */
|
|
}
|
|
mbedtls_x509_subject_alternative_name;
|
|
|
|
/**
|
|
* Build flag from an algorithm/curve identifier (pk, md, ecp)
|
|
* Since 0 is always XXX_NONE, ignore it.
|
|
*/
|
|
#define MBEDTLS_X509_ID_FLAG( id ) ( 1 << ( (id) - 1 ) )
|
|
|
|
/**
|
|
* Security profile for certificate verification.
|
|
*
|
|
* All lists are bitfields, built by ORing flags from MBEDTLS_X509_ID_FLAG().
|
|
*/
|
|
typedef struct mbedtls_x509_crt_profile
|
|
{
|
|
uint32_t allowed_mds; /*< MDs for signatures */
|
|
uint32_t allowed_pks; /*< PK algs for signatures */
|
|
uint32_t allowed_curves; /*< Elliptic curves for ECDSA */
|
|
uint32_t rsa_min_bitlen; /*< Minimum size for RSA keys */
|
|
}
|
|
mbedtls_x509_crt_profile;
|
|
|
|
#define MBEDTLS_X509_CRT_VERSION_1 0
|
|
#define MBEDTLS_X509_CRT_VERSION_2 1
|
|
#define MBEDTLS_X509_CRT_VERSION_3 2
|
|
|
|
#define MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN 32
|
|
#define MBEDTLS_X509_RFC5280_UTC_TIME_LEN 15
|
|
|
|
#if !defined( MBEDTLS_X509_MAX_FILE_PATH_LEN )
|
|
#define MBEDTLS_X509_MAX_FILE_PATH_LEN 512
|
|
#endif
|
|
|
|
/**
|
|
* Container for writing a certificate (CRT)
|
|
*/
|
|
typedef struct mbedtls_x509write_cert
|
|
{
|
|
int version;
|
|
mbedtls_mpi serial;
|
|
mbedtls_pk_context *subject_key;
|
|
mbedtls_pk_context *issuer_key;
|
|
mbedtls_asn1_named_data *subject;
|
|
mbedtls_asn1_named_data *issuer;
|
|
mbedtls_md_type_t md_alg;
|
|
char not_before[MBEDTLS_X509_RFC5280_UTC_TIME_LEN + 1];
|
|
char not_after[MBEDTLS_X509_RFC5280_UTC_TIME_LEN + 1];
|
|
mbedtls_asn1_named_data *extensions;
|
|
}
|
|
mbedtls_x509write_cert;
|
|
|
|
/**
|
|
* Item in a verification chain: cert and flags for it
|
|
*/
|
|
typedef struct {
|
|
mbedtls_x509_crt *crt;
|
|
uint32_t flags;
|
|
} mbedtls_x509_crt_verify_chain_item;
|
|
|
|
/**
|
|
* Max size of verification chain: end-entity + intermediates + trusted root
|
|
*/
|
|
#define MBEDTLS_X509_MAX_VERIFY_CHAIN_SIZE ( MBEDTLS_X509_MAX_INTERMEDIATE_CA + 2 )
|
|
|
|
/**
|
|
* Verification chain as built by \c mbedtls_crt_verify_chain()
|
|
*/
|
|
typedef struct
|
|
{
|
|
mbedtls_x509_crt_verify_chain_item items[MBEDTLS_X509_MAX_VERIFY_CHAIN_SIZE];
|
|
unsigned len;
|
|
|
|
#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
|
|
/* This stores the list of potential trusted signers obtained from
|
|
* the CA callback used for the CRT verification, if configured.
|
|
* We must track it somewhere because the callback passes its
|
|
* ownership to the caller. */
|
|
mbedtls_x509_crt *trust_ca_cb_result;
|
|
#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
|
|
} mbedtls_x509_crt_verify_chain;
|
|
|
|
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
|
|
|
|
/**
|
|
* \brief Context for resuming X.509 verify operations
|
|
*/
|
|
typedef struct
|
|
{
|
|
/* for check_signature() */
|
|
mbedtls_pk_restart_ctx pk;
|
|
|
|
/* for find_parent_in() */
|
|
mbedtls_x509_crt *parent; /* non-null iff parent_in in progress */
|
|
mbedtls_x509_crt *fallback_parent;
|
|
int fallback_signature_is_good;
|
|
|
|
/* for find_parent() */
|
|
int parent_is_trusted; /* -1 if find_parent is not in progress */
|
|
|
|
/* for verify_chain() */
|
|
enum {
|
|
x509_crt_rs_none,
|
|
x509_crt_rs_find_parent,
|
|
} in_progress; /* none if no operation is in progress */
|
|
int self_cnt;
|
|
mbedtls_x509_crt_verify_chain ver_chain;
|
|
|
|
} mbedtls_x509_crt_restart_ctx;
|
|
|
|
#else /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
|
|
|
|
/* Now we can declare functions that take a pointer to that */
|
|
typedef void mbedtls_x509_crt_restart_ctx;
|
|
|
|
#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
|
|
|
|
/**
|
|
* Default security profile. Should provide a good balance between security
|
|
* and compatibility with current deployments.
|
|
*/
|
|
extern const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default;
|
|
|
|
/**
|
|
* Expected next default profile. Recommended for new deployments.
|
|
* Currently targets a 128-bit security level, except for RSA-2048.
|
|
*/
|
|
extern const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_next;
|
|
|
|
/**
|
|
* NSA Suite B profile.
|
|
*/
|
|
extern const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_suiteb;
|
|
|
|
/**
|
|
* \brief The type of certificate extension callbacks.
|
|
*
|
|
* Callbacks of this type are passed to and used by the
|
|
* mbedtls_x509_crt_parse_der_with_ext_cb() routine when
|
|
* it encounters either an unsupported extension or a
|
|
* "certificate policies" extension containing any
|
|
* unsupported certificate policies.
|
|
* Future versions of the library may invoke the callback
|
|
* in other cases, if and when the need arises.
|
|
*
|
|
* \param p_ctx An opaque context passed to the callback.
|
|
* \param crt The certificate being parsed.
|
|
* \param oid The OID of the extension.
|
|
* \param critical Whether the extension is critical.
|
|
* \param p Pointer to the start of the extension value
|
|
* (the content of the OCTET STRING).
|
|
* \param end End of extension value.
|
|
*
|
|
* \note The callback must fail and return a negative error code
|
|
* if it can not parse or does not support the extension.
|
|
* When the callback fails to parse a critical extension
|
|
* mbedtls_x509_crt_parse_der_with_ext_cb() also fails.
|
|
* When the callback fails to parse a non critical extension
|
|
* mbedtls_x509_crt_parse_der_with_ext_cb() simply skips
|
|
* the extension and continues parsing.
|
|
*
|
|
* \return \c 0 on success.
|
|
* \return A negative error code on failure.
|
|
*/
|
|
typedef int (*mbedtls_x509_crt_ext_cb_t)( void *p_ctx,
|
|
mbedtls_x509_crt const *crt,
|
|
mbedtls_x509_buf const *oid,
|
|
int critical,
|
|
const unsigned char *p,
|
|
const unsigned char *end );
|
|
|
|
/**
|
|
* \brief The type of trusted certificate callbacks.
|
|
*
|
|
* Callbacks of this type are passed to and used by the CRT
|
|
* verification routine mbedtls_x509_crt_verify_with_ca_cb()
|
|
* when looking for trusted signers of a given certificate.
|
|
*
|
|
* On success, the callback returns a list of trusted
|
|
* certificates to be considered as potential signers
|
|
* for the input certificate.
|
|
*
|
|
* \param p_ctx An opaque context passed to the callback.
|
|
* \param child The certificate for which to search a potential signer.
|
|
* This will point to a readable certificate.
|
|
* \param candidate_cas The address at which to store the address of the first
|
|
* entry in the generated linked list of candidate signers.
|
|
* This will not be \c NULL.
|
|
*
|
|
* \note The callback must only return a non-zero value on a
|
|
* fatal error. If, in contrast, the search for a potential
|
|
* signer completes without a single candidate, the
|
|
* callback must return \c 0 and set \c *candidate_cas
|
|
* to \c NULL.
|
|
*
|
|
* \return \c 0 on success. In this case, \c *candidate_cas points
|
|
* to a heap-allocated linked list of instances of
|
|
* ::mbedtls_x509_crt, and ownership of this list is passed
|
|
* to the caller.
|
|
* \return A negative error code on failure.
|
|
*/
|
|
typedef int (*mbedtls_x509_crt_ca_cb_t)( void *p_ctx,
|
|
mbedtls_x509_crt const *child,
|
|
mbedtls_x509_crt **candidate_cas );
|
|
|
|
int mbedtls_x509_crt_check_extended_key_usage( const mbedtls_x509_crt *, const char *, size_t );
|
|
int mbedtls_x509_crt_check_key_usage( const mbedtls_x509_crt *, unsigned int );
|
|
int mbedtls_x509_crt_check_parent( const mbedtls_x509_crt *, const mbedtls_x509_crt *, int );
|
|
int mbedtls_x509_crt_check_signature( const mbedtls_x509_crt *, mbedtls_x509_crt *, mbedtls_x509_crt_restart_ctx * );
|
|
int mbedtls_x509_crt_info( char *, size_t, const char *, const mbedtls_x509_crt * );
|
|
int mbedtls_x509_crt_is_revoked( const mbedtls_x509_crt *, const mbedtls_x509_crl * );
|
|
int mbedtls_x509_crt_parse( mbedtls_x509_crt *, const unsigned char *, size_t );
|
|
int mbedtls_x509_crt_parse_der( mbedtls_x509_crt *, const unsigned char *, size_t );
|
|
int mbedtls_x509_crt_parse_der_nocopy( mbedtls_x509_crt *, const unsigned char *, size_t );
|
|
int mbedtls_x509_crt_parse_der_with_ext_cb( mbedtls_x509_crt *, const unsigned char *, size_t, int, mbedtls_x509_crt_ext_cb_t, void * );
|
|
int mbedtls_x509_crt_parse_file( mbedtls_x509_crt *, const char * );
|
|
int mbedtls_x509_crt_parse_path( mbedtls_x509_crt *, const char * );
|
|
int mbedtls_x509_crt_verify( mbedtls_x509_crt *, mbedtls_x509_crt *, mbedtls_x509_crl *, const char *, uint32_t *, int (*)(void *, mbedtls_x509_crt *, int, uint32_t *), void * );
|
|
int mbedtls_x509_crt_verify_info( char *, size_t, const char *, uint32_t );
|
|
int mbedtls_x509_crt_verify_restartable( mbedtls_x509_crt *, mbedtls_x509_crt *, mbedtls_x509_crl *, const mbedtls_x509_crt_profile *, const char *, uint32_t *, int (*)(void *, mbedtls_x509_crt *, int, uint32_t *), void *, mbedtls_x509_crt_restart_ctx * );
|
|
int mbedtls_x509_crt_verify_with_ca_cb( mbedtls_x509_crt *, mbedtls_x509_crt_ca_cb_t, void *, const mbedtls_x509_crt_profile *, const char *, uint32_t *, int (*)(void *, mbedtls_x509_crt *, int, uint32_t *), void * );
|
|
int mbedtls_x509_crt_verify_with_profile( mbedtls_x509_crt *, mbedtls_x509_crt *, mbedtls_x509_crl *, const mbedtls_x509_crt_profile *, const char *, uint32_t *, int (*)(void *, mbedtls_x509_crt *, int, uint32_t *), void * );
|
|
int mbedtls_x509_name_cmp( const mbedtls_x509_name *, const mbedtls_x509_name * );
|
|
int mbedtls_x509_parse_subject_alt_name( const mbedtls_x509_buf *, mbedtls_x509_subject_alternative_name * );
|
|
int mbedtls_x509write_crt_der( mbedtls_x509write_cert *, unsigned char *, size_t, int (*)(void *, unsigned char *, size_t), void * );
|
|
int mbedtls_x509write_crt_pem( mbedtls_x509write_cert *, unsigned char *, size_t, int (*)(void *, unsigned char *, size_t), void * );
|
|
int mbedtls_x509write_crt_set_authority_key_identifier( mbedtls_x509write_cert * );
|
|
int mbedtls_x509write_crt_set_basic_constraints( mbedtls_x509write_cert *, int, int );
|
|
int mbedtls_x509write_crt_set_ext_key_usage(mbedtls_x509write_cert *, int);
|
|
int mbedtls_x509write_crt_set_extension( mbedtls_x509write_cert *, const char *, size_t, int, const unsigned char *, size_t );
|
|
int mbedtls_x509write_crt_set_issuer_name( mbedtls_x509write_cert *, const char * );
|
|
int mbedtls_x509write_crt_set_key_usage( mbedtls_x509write_cert *, unsigned int );
|
|
int mbedtls_x509write_crt_set_ns_cert_type( mbedtls_x509write_cert *, unsigned char );
|
|
int mbedtls_x509write_crt_set_serial( mbedtls_x509write_cert *, const mbedtls_mpi * );
|
|
int mbedtls_x509write_crt_set_subject_key_identifier( mbedtls_x509write_cert * );
|
|
int mbedtls_x509write_crt_set_subject_name( mbedtls_x509write_cert *, const char * );
|
|
int mbedtls_x509write_crt_set_validity( mbedtls_x509write_cert *, const char *, const char * );
|
|
void mbedtls_x509_crt_free( mbedtls_x509_crt * );
|
|
void mbedtls_x509_crt_init( mbedtls_x509_crt * );
|
|
void mbedtls_x509_crt_restart_free( mbedtls_x509_crt_restart_ctx * );
|
|
void mbedtls_x509_crt_restart_init( mbedtls_x509_crt_restart_ctx * );
|
|
void mbedtls_x509write_crt_free( mbedtls_x509write_cert * );
|
|
void mbedtls_x509write_crt_init( mbedtls_x509write_cert * );
|
|
void mbedtls_x509write_crt_set_issuer_key( mbedtls_x509write_cert *, mbedtls_pk_context * );
|
|
void mbedtls_x509write_crt_set_md_alg( mbedtls_x509write_cert *, mbedtls_md_type_t );
|
|
void mbedtls_x509write_crt_set_subject_key( mbedtls_x509write_cert *, mbedtls_pk_context * );
|
|
void mbedtls_x509write_crt_set_version( mbedtls_x509write_cert *, int );
|
|
|
|
COSMOPOLITAN_C_END_
|
|
#endif /* MBEDTLS_X509_CRT_H */
|