1 /* 2 * X.509v3 certificate parsing and processing 3 * Copyright (c) 2006-2011, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #ifndef X509V3_H 10 #define X509V3_H 11 12 #include "asn1.h" 13 14 struct x509_algorithm_identifier { 15 struct asn1_oid oid; 16 }; 17 18 struct x509_name_attr { 19 enum x509_name_attr_type { 20 X509_NAME_ATTR_NOT_USED, 21 X509_NAME_ATTR_DC, 22 X509_NAME_ATTR_CN, 23 X509_NAME_ATTR_C, 24 X509_NAME_ATTR_L, 25 X509_NAME_ATTR_ST, 26 X509_NAME_ATTR_O, 27 X509_NAME_ATTR_OU 28 } type; 29 char *value; 30 }; 31 32 #define X509_MAX_NAME_ATTRIBUTES 20 33 34 struct x509_name { 35 struct x509_name_attr attr[X509_MAX_NAME_ATTRIBUTES]; 36 size_t num_attr; 37 char *email; /* emailAddress */ 38 39 /* from alternative name extension */ 40 char *alt_email; /* rfc822Name */ 41 char *dns; /* dNSName */ 42 char *uri; /* uniformResourceIdentifier */ 43 u8 *ip; /* iPAddress */ 44 size_t ip_len; /* IPv4: 4, IPv6: 16 */ 45 struct asn1_oid rid; /* registeredID */ 46 }; 47 48 #define X509_MAX_SERIAL_NUM_LEN 20 49 50 struct x509_certificate { 51 struct x509_certificate *next; 52 enum { X509_CERT_V1 = 0, X509_CERT_V2 = 1, X509_CERT_V3 = 2 } version; 53 u8 serial_number[X509_MAX_SERIAL_NUM_LEN]; 54 size_t serial_number_len; 55 struct x509_algorithm_identifier signature; 56 struct x509_name issuer; 57 struct x509_name subject; 58 u8 *subject_dn; 59 size_t subject_dn_len; 60 os_time_t not_before; 61 os_time_t not_after; 62 struct x509_algorithm_identifier public_key_alg; 63 u8 *public_key; 64 size_t public_key_len; 65 struct x509_algorithm_identifier signature_alg; 66 u8 *sign_value; 67 size_t sign_value_len; 68 69 /* Extensions */ 70 unsigned int extensions_present; 71 #define X509_EXT_BASIC_CONSTRAINTS (1 << 0) 72 #define X509_EXT_PATH_LEN_CONSTRAINT (1 << 1) 73 #define X509_EXT_KEY_USAGE (1 << 2) 74 #define X509_EXT_SUBJECT_ALT_NAME (1 << 3) 75 #define X509_EXT_ISSUER_ALT_NAME (1 << 4) 76 #define X509_EXT_EXT_KEY_USAGE (1 << 5) 77 #define X509_EXT_CERTIFICATE_POLICY (1 << 6) 78 79 /* BasicConstraints */ 80 int ca; /* cA */ 81 unsigned long path_len_constraint; /* pathLenConstraint */ 82 83 /* KeyUsage */ 84 unsigned long key_usage; 85 #define X509_KEY_USAGE_DIGITAL_SIGNATURE (1 << 0) 86 #define X509_KEY_USAGE_NON_REPUDIATION (1 << 1) 87 #define X509_KEY_USAGE_KEY_ENCIPHERMENT (1 << 2) 88 #define X509_KEY_USAGE_DATA_ENCIPHERMENT (1 << 3) 89 #define X509_KEY_USAGE_KEY_AGREEMENT (1 << 4) 90 #define X509_KEY_USAGE_KEY_CERT_SIGN (1 << 5) 91 #define X509_KEY_USAGE_CRL_SIGN (1 << 6) 92 #define X509_KEY_USAGE_ENCIPHER_ONLY (1 << 7) 93 #define X509_KEY_USAGE_DECIPHER_ONLY (1 << 8) 94 95 /* ExtKeyUsage */ 96 unsigned long ext_key_usage; 97 #define X509_EXT_KEY_USAGE_ANY (1 << 0) 98 #define X509_EXT_KEY_USAGE_SERVER_AUTH (1 << 1) 99 #define X509_EXT_KEY_USAGE_CLIENT_AUTH (1 << 2) 100 #define X509_EXT_KEY_USAGE_OCSP (1 << 3) 101 102 /* CertificatePolicy */ 103 unsigned long certificate_policy; 104 #define X509_EXT_CERT_POLICY_ANY (1 << 0) 105 #define X509_EXT_CERT_POLICY_TOD_STRICT (1 << 1) 106 #define X509_EXT_CERT_POLICY_TOD_TOFU (1 << 2) 107 108 /* 109 * The DER format certificate follows struct x509_certificate. These 110 * pointers point to that buffer. 111 */ 112 const u8 *cert_start; 113 size_t cert_len; 114 const u8 *tbs_cert_start; 115 size_t tbs_cert_len; 116 117 /* Meta data used for certificate validation */ 118 unsigned int ocsp_good:1; 119 unsigned int ocsp_revoked:1; 120 unsigned int issuer_trusted:1; 121 }; 122 123 enum { 124 X509_VALIDATE_OK, 125 X509_VALIDATE_BAD_CERTIFICATE, 126 X509_VALIDATE_UNSUPPORTED_CERTIFICATE, 127 X509_VALIDATE_CERTIFICATE_REVOKED, 128 X509_VALIDATE_CERTIFICATE_EXPIRED, 129 X509_VALIDATE_CERTIFICATE_UNKNOWN, 130 X509_VALIDATE_UNKNOWN_CA 131 }; 132 133 void x509_certificate_free(struct x509_certificate *cert); 134 int x509_parse_algorithm_identifier(const u8 *buf, size_t len, 135 struct x509_algorithm_identifier *id, 136 const u8 **next); 137 int x509_parse_name(const u8 *buf, size_t len, struct x509_name *name, 138 const u8 **next); 139 int x509_parse_time(const u8 *buf, size_t len, u8 asn1_tag, os_time_t *val); 140 struct x509_certificate * x509_certificate_parse(const u8 *buf, size_t len); 141 void x509_free_name(struct x509_name *name); 142 void x509_name_string(struct x509_name *name, char *buf, size_t len); 143 int x509_name_compare(struct x509_name *a, struct x509_name *b); 144 void x509_certificate_chain_free(struct x509_certificate *cert); 145 int x509_check_signature(struct x509_certificate *issuer, 146 struct x509_algorithm_identifier *signature, 147 const u8 *sign_value, size_t sign_value_len, 148 const u8 *signed_data, size_t signed_data_len); 149 int x509_certificate_check_signature(struct x509_certificate *issuer, 150 struct x509_certificate *cert); 151 int x509_certificate_chain_validate(struct x509_certificate *trusted, 152 struct x509_certificate *chain, 153 int *reason, int disable_time_checks); 154 struct x509_certificate * 155 x509_certificate_get_subject(struct x509_certificate *chain, 156 struct x509_name *name); 157 int x509_certificate_self_signed(struct x509_certificate *cert); 158 159 int x509_sha1_oid(struct asn1_oid *oid); 160 int x509_sha256_oid(struct asn1_oid *oid); 161 int x509_sha384_oid(struct asn1_oid *oid); 162 int x509_sha512_oid(struct asn1_oid *oid); 163 164 #endif /* X509V3_H */ 165