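/*
 * Copyright 2014-2022 The GmSSL Project. All Rights Reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the License); you may
 * not use this file except in compliance with the License.
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 */


#ifndef GMSSL_X509_EXT_H
#define GMSSL_X509_EXT_H


#include <stdio.h>	/* FILE: every *_print() below takes a FILE *; keeps the header self-contained */
#include <time.h>
#include <string.h>	/* strlen(): used by the x509_general_names_add_*() macros */
#include <stdint.h>
#include <stdlib.h>
#include <gmssl/sm2.h>
#include <gmssl/oid.h>
#include <gmssl/asn1.h>

#ifdef __cplusplus
extern "C" {
#endif

/*
Extensions:

	1. AuthorityKeyIdentifier	SEQUENCE AuthorityKeyIdentifier
	2. SubjectKeyIdentifier		OCTET STRING
	3. KeyUsage			BIT STRING
	4. CertificatePolicies		SEQUENCE OF SEQUENCE CertificatePolicies
	5. PolicyMappings		SEQUENCE OF SEQUENCE PolicyMappings
	6. SubjectAltName		SEQUENCE OF SEQUENCE GeneralNames
	7. IssuerAltName		SEQUENCE OF SEQUENCE GeneralNames
	8. SubjectDirectoryAttributes	SEQUENCE OF SEQUENCE Attributes
	9. BasicConstraints		SEQUENCE BasicConstraints
	10. NameConstraints		SEQUENCE NameConstraints
	11. PolicyConstraints		SEQUENCE PolicyConstraints
	12. ExtKeyUsageSyntax		SEQUENCE OF OBJECT IDENTIFIER
	13. CRLDistributionPoints	SEQUENCE OF SEQUENCE DistributionPoints
	14. InhibitAnyPolicy		INTEGER
	15. FreshestCRL			SEQUENCE OF SEQUENCE DistributionPoints
*/

/*
 * Calling conventions shared by the declarations in this header. These are
 * read off the signatures; the exact return codes are defined by the
 * implementation, so check them there instead of assuming a value.
 *
 *   x509_exts_add_*(exts, extslen, maxlen, critical, ...)
 *       presumably append one Extension to the encoded Extensions buffer
 *       `exts`, updating *extslen and never writing past `maxlen` bytes.
 *       `critical` becomes the Extension's critical BOOLEAN.
 *   *_to_der(..., out, outlen)
 *       DER-encode into *out, advancing *out/*outlen (GmSSL asn1 style —
 *       confirm whether a NULL `out` only computes the length).
 *   *_from_der(..., in, inlen)
 *       DER-decode one value from *in, advancing *in/*inlen past it.
 *       Output pointers of type `const uint8_t **` alias the input buffer
 *       (no copy is made), so the input must outlive them.
 *   *_print(fp, fmt, ind, label, ...)
 *       human-readable dump to `fp`, indented by `ind`.
 */

int x509_exts_add_authority_key_identifier(uint8_t *exts, size_t *extslen, size_t maxlen, int critical,
	const uint8_t *keyid, size_t keyid_len,
	const uint8_t *issuer, size_t issuer_len,
	const uint8_t *serial, size_t serial_len);
/* No `critical` parameter: RFC 5280 4.2.1.1 requires AuthorityKeyIdentifier to be
 * non-critical. Presumably derives keyIdentifier from public_key — confirm. */
int x509_exts_add_default_authority_key_identifier(uint8_t *exts, size_t *extslen, size_t maxlen,
	const SM2_KEY *public_key);
int x509_exts_add_subject_key_identifier(uint8_t *exts, size_t *extslen, size_t maxlen, int critical, const uint8_t *d, size_t dlen);
/* bits: OR of the X509_KU_* flags defined below */
int x509_exts_add_key_usage(uint8_t *exts, size_t *extslen, size_t maxlen, int critical, int bits);
/* For the d/dlen variants, d is the already-encoded extension value (see the
 * matching *_to_der()/*_add_*() helpers for each type further down). */
int x509_exts_add_certificate_policies(uint8_t *exts, size_t *extslen, size_t maxlen, int critical, const uint8_t *d, size_t dlen);
int x509_exts_add_policy_mappings(uint8_t *exts, size_t *extslen, size_t maxlen, int critical, const uint8_t *d, size_t dlen);
int x509_exts_add_subject_alt_name(uint8_t *exts, size_t *extslen, size_t maxlen, int critical, const uint8_t *d, size_t dlen);
int x509_exts_add_issuer_alt_name(uint8_t *exts, size_t *extslen, size_t maxlen, int critical, const uint8_t *d, size_t dlen);
int x509_exts_add_subject_directory_attributes(uint8_t *exts, size_t *extslen, size_t maxlen, int critical, const uint8_t *d, size_t dlen);
int x509_exts_add_name_constraints(uint8_t *exts, size_t *extslen, size_t maxlen, int critical,
	const uint8_t *permitted_subtrees, size_t permitted_subtrees_len,
	const uint8_t *excluded_subtrees, size_t excluded_subtrees_len);
int x509_exts_add_policy_constraints(uint8_t *exts, size_t *extslen, size_t maxlen, int critical,
	int require_explicit_policy, int inhibit_policy_mapping);
int x509_exts_add_basic_constraints(uint8_t *exts, size_t *extslen, size_t maxlen, int critical, int ca, int path_len_constraint);
/* key_purposes: array of OID_kp_* ids (see ExtKeyUsageSyntax below) */
int x509_exts_add_ext_key_usage(uint8_t *exts, size_t *extslen, size_t maxlen, int critical, const int *key_purposes, size_t key_purposes_cnt);
int x509_exts_add_crl_distribution_points(uint8_t *exts, size_t *extslen, size_t maxlen, int critical, const uint8_t *d, size_t dlen);
int x509_exts_add_inhibit_any_policy(uint8_t *exts, size_t *extslen, size_t maxlen, int critical, int skip_certs);
int x509_exts_add_freshest_crl(uint8_t *exts, size_t *extslen, size_t maxlen, int critical, const uint8_t *d, size_t dlen);

/* Generic form used by the SEQUENCE-valued extensions above: oid selects the
 * extension, d/dlen is its (presumably SEQUENCE-wrapped) value — confirm. */
int x509_exts_add_sequence(uint8_t *exts, size_t *extslen, size_t maxlen,
	int oid, int critical, const uint8_t *d, size_t dlen);

/*
OtherName ::= SEQUENCE {
	type-id		OBJECT IDENTIFIER,	-- known oid from x509_rdn_oid such as OID_at_common_name, or oid nodes
	value		[0] EXPLICIT ANY DEFINED BY type-id }
*/
int x509_other_name_to_der(
	const uint32_t *nodes, size_t nodes_count,
	const uint8_t *value, size_t value_len,
	uint8_t **out, size_t *outlen);
/* NOTE(review): `nodes` has no caller-supplied capacity parameter, so the
 * implementation must cap the decoded node count itself; confirm the array
 * size a caller is expected to provide before decoding untrusted input. */
int x509_other_name_from_der(
	uint32_t *nodes, size_t *nodes_count,
	const uint8_t **value, size_t *valuelen,
	const uint8_t **in, size_t *inlen);
int x509_other_name_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen);

/*
EDIPartyName ::= SEQUENCE {
	nameAssigner	[0] EXPLICIT DirectoryString OPTIONAL,
	partyName	[1] EXPLICIT DirectoryString }
*/
/* *_tag parameters carry the ASN.1 string tag of the DirectoryString CHOICE */
int x509_edi_party_name_to_der(
	int assigner_tag, const uint8_t *assigner, size_t assigner_len,
	int party_name_tag, const uint8_t *party_name, size_t party_name_len,
	uint8_t **out, size_t *outlen);
int x509_edi_party_name_from_der(
	int *assigner_tag, const uint8_t **assigner, size_t *assigner_len,
	int *party_name_tag, const uint8_t **party_name, size_t *party_name_len,
	const uint8_t **in, size_t *inlen);
int x509_edi_party_name_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen);

/*
GeneralName ::= CHOICE {
	otherName			[0] IMPLICIT OtherName,		-- only appears inside GeneralName
	rfc822Name			[1] IMPLICIT IA5String,
	dNSName				[2] IMPLICIT IA5String,
	x400Address			[3] IMPLICIT ORAddress,
	directoryName			[4] IMPLICIT Name,		-- SEQUENCE OF, hence passed as d,dlen
	ediPartyName			[5] IMPLICIT EDIPartyName,	-- only appears inside GeneralName
	uniformResourceIdentifier	[6] IMPLICIT IA5String,
	iPAddress			[7] IMPLICIT OCTET STRING,	-- 4 bytes or string? (RFC 5280 4.2.1.6: 4 or 16 raw octets, network byte order)
	registeredID			[8] IMPLICIT OBJECT IDENTIFIER }
*/
/* Enumerator values are the CHOICE context tags above, so a decoded `choice`
 * can be compared against them directly. */
typedef enum {
	X509_gn_other_name = 0,
	X509_gn_rfc822_name = 1,
	X509_gn_dns_name = 2,
	X509_gn_x400_address = 3,
	X509_gn_directory_name = 4,
	X509_gn_edi_party_name = 5,
	X509_gn_uniform_resource_identifier = 6,
	X509_gn_ip_address = 7,
	X509_gn_registered_id = 8,
} X509_GENERAL_NAME_CHOICE;

/* choice: an X509_GENERAL_NAME_CHOICE; d/dlen: the content of that alternative */
int x509_general_name_to_der(int choice, const uint8_t *d, size_t dlen, uint8_t **out, size_t *outlen);
int x509_general_name_from_der(int *choice, const uint8_t **d, size_t *dlen, const uint8_t **in, size_t *inlen);
int x509_general_name_print(FILE *fp, int fmt, int ind, const char *label, int choice, const uint8_t *d, size_t dlen);

/*
GeneralNames ::= SEQUENCE OF GeneralName
*/
#define x509_general_names_to_der(d,dlen,out,outlen) asn1_sequence_to_der(d,dlen,out,outlen)
#define x509_general_names_from_der(d,dlen,in,inlen) asn1_sequence_from_der(d,dlen,in,inlen)
/* Append one GeneralName to the GeneralNames buffer gns (capacity maxlen, length *gnslen) */
int x509_general_names_add_general_name(uint8_t *gns, size_t *gnslen, size_t maxlen,
	int choice, const uint8_t *d, size_t dlen);
int x509_general_names_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen);

int x509_general_names_add_other_name(uint8_t *gns, size_t *gnslen, size_t maxlen,
	const uint32_t *nodes, size_t nodes_count,
	const uint8_t *value, size_t value_len);
/* The string helpers below evaluate `s` twice (cast and strlen), so pass a
 * plain NUL-terminated string, not an expression with side effects. */
#define x509_general_names_add_rfc822_name(a,alen,maxlen,s) \
	x509_general_names_add_general_name(a,alen,maxlen,X509_gn_rfc822_name,(const uint8_t *)(s),strlen(s))
#define x509_general_names_add_dns_name(a,alen,maxlen,s) \
	x509_general_names_add_general_name(a,alen,maxlen,X509_gn_dns_name,(const uint8_t *)(s),strlen(s))
#define x509_general_names_add_x400_address(a,alen,maxlen,d,dlen) \
	x509_general_names_add_general_name(a,alen,maxlen,X509_gn_x400_address,d,dlen)
#define x509_general_names_add_directory_name(a,alen,maxlen,d,dlen) \
	x509_general_names_add_general_name(a,alen,maxlen,X509_gn_directory_name,d,dlen)
int x509_general_names_add_edi_party_name(uint8_t *gns, size_t *gnslen, size_t maxlen,
	int assigner_tag, const uint8_t *assigner, size_t assigner_len,
	int party_name_tag, const uint8_t *party_name, size_t party_name_len);
#define x509_general_names_add_uniform_resource_identifier(a,alen,maxlen,s) \
	x509_general_names_add_general_name(a,alen,maxlen,X509_gn_uniform_resource_identifier,(const uint8_t *)(s),strlen(s))
/* NOTE: iPAddress is 4 or 16 raw octets (RFC 5280 4.2.1.6), so strlen(s) stops at
 * the first zero octet (e.g. the bytes of 10.0.0.1 would encode as one byte). For
 * binary addresses call x509_general_names_add_general_name() with an explicit
 * length instead of this helper. */
#define x509_general_names_add_ip_address(a,alen,maxlen,s) \
	x509_general_names_add_general_name(a,alen,maxlen,X509_gn_ip_address,(const uint8_t *)(s),strlen(s))
int x509_general_names_add_registered_id(uint8_t *gns, size_t *gnslen, size_t maxlen,
	const uint32_t *nodes, size_t nodes_cnt);

/*
AuthorityKeyIdentifier ::= SEQUENCE {
	keyIdentifier			[0] IMPLICIT OCTET STRING OPTIONAL,
	authorityCertIssuer		[1] IMPLICIT GeneralNames OPTIONAL,
	authorityCertSerialNumber	[2] IMPLICIT INTEGER OPTIONAL }
*/
/* Every component is OPTIONAL; presumably a NULL pointer / zero length means
 * "absent" on encode and is what decode reports for a missing one — confirm. */
int x509_authority_key_identifier_to_der(
	const uint8_t *keyid, size_t keyid_len,
	const uint8_t *issuer, size_t issuer_len,
	const uint8_t *serial, size_t serial_len,
	uint8_t **out, size_t *outlen);
int x509_authority_key_identifier_from_der(
	const uint8_t **keyid, size_t *keyid_len,
	const uint8_t **issuer, size_t *issuer_len,
	const uint8_t **serial, size_t *serial_len,
	const uint8_t **in, size_t *inlen);
int x509_authority_key_identifier_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen);

/*
SubjectKeyIdentifier ::= OCTET STRING
*/
/* Accepted length range of the key identifier octet string, in bytes */
#define X509_SUBJECT_KEY_IDENTIFIER_MIN_LEN 16
#define X509_SUBJECT_KEY_IDENTIFIER_MAX_LEN 64

/*
KeyUsage ::= BIT STRING {
	digitalSignature	(0),
	nonRepudiation		(1), -- recent renamed contentCommitment
	keyEncipherment		(2),
	dataEncipherment	(3),
	keyAgreement		(4),
	keyCertSign		(5),
	cRLSign			(6),
	encipherOnly		(7),
	decipherOnly		(8) }
*/
/* Flag (1 << n) stands for KeyUsage bit n; the BIT STRING bit order is
 * handled by asn1_bits_to_der()/asn1_bits_from_der(). */
#define X509_KU_DIGITAL_SIGNATURE	(1 << 0)
#define X509_KU_NON_REPUDIATION		(1 << 1)
#define X509_KU_KEY_ENCIPHERMENT	(1 << 2)
#define X509_KU_DATA_ENCIPHERMENT	(1 << 3)
#define X509_KU_KEY_AGREEMENT		(1 << 4)
#define X509_KU_KEY_CERT_SIGN		(1 << 5)
#define X509_KU_CRL_SIGN		(1 << 6)
#define X509_KU_ENCIPHER_ONLY		(1 << 7)
#define X509_KU_DECIPHER_ONLY		(1 << 8)

/* Map a single X509_KU_* flag to its name and back (for printing / config parsing) */
const char *x509_key_usage_name(int flag);
int x509_key_usage_from_name(int *flag, const char *name);
#define x509_key_usage_to_der(bits,out,outlen) asn1_bits_to_der(bits,out,outlen)
#define x509_key_usage_from_der(bits,in,inlen) asn1_bits_from_der(bits,in,inlen)
int x509_key_usage_print(FILE *fp, int fmt, int ind, const char *label, int bits);

/*
NoticeReference ::= SEQUENCE {
	organization	DisplayText,
	noticeNumbers	SEQUENCE OF INTEGER }

UserNotice ::= SEQUENCE {
	noticeRef	NoticeReference OPTIONAL,
	explicitText	DisplayText OPTIONAL }
*/
/* Suggested capacity for the notice_numbers arrays passed to the *_from_der() below */
#define X509_MAX_NOTICE_NUMBERS 32

/* org_tag / explicit_text_tag: ASN.1 string tag of the DisplayText CHOICE */
int x509_notice_reference_to_der(
	int org_tag, const uint8_t *org, size_t org_len,
	const int *notice_numbers, size_t notice_numbers_cnt,
	uint8_t **out, size_t *outlen);
/* max_notice_numbers: capacity of the caller's notice_numbers array; the decoder
 * must not store more than that many INTEGERs. */
int x509_notice_reference_from_der(
	int *org_tag, const uint8_t **org, size_t *org_len,
	int *notice_numbers, size_t *notice_numbers_cnt, size_t max_notice_numbers,
	const uint8_t **in, size_t *inlen);
int x509_notice_reference_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen);

int x509_user_notice_to_der(
	int notice_ref_org_tag, const uint8_t *notice_ref_org, size_t notice_ref_org_len,
	const int *notice_ref_notice_numbers, size_t notice_ref_notice_numbers_cnt,
	int explicit_text_tag, const uint8_t *explicit_text, size_t explicit_text_len,
	uint8_t **out, size_t *outlen);
int x509_user_notice_from_der(
	int *notice_ref_org_tag, const uint8_t **notice_ref_org, size_t *notice_ref_org_len,
	int *notice_ref_notice_numbers, size_t *notice_ref_notice_numbers_cnt, size_t max_notice_ref_notice_numbers,
	int *explicit_text_tag, const uint8_t **explicit_text, size_t *explicit_text_len,
	const uint8_t **in, size_t *inlen);
int x509_user_notice_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen);

/*
PolicyQualifierInfo ::= SEQUENCE {
	policyQualifierId	PolicyQualifierId,
	qualifier		ANY DEFINED BY policyQualifierId }

switch(policyQualifierId)
case id-qt-cps		: qualifier ::= IA5String
case id-qt-unotice	: qualifier ::= UserNotice
*/
/* qualifier/qualifier_len: the raw DER of the qualifier, typed by oid as above */
int x509_policy_qualifier_info_to_der(
	int oid,
	const uint8_t *qualifier, size_t qualifier_len,
	uint8_t **out, size_t *outlen);
int x509_policy_qualifier_info_from_der(
	int *oid,
	const uint8_t **qualifier, size_t *qualifier_len,
	const uint8_t **in, size_t *inlen);
int x509_policy_qualifier_info_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen);

#define x509_policy_qualifier_infos_to_der(d,dlen,out,outlen) asn1_sequence_to_der(d,dlen,out,outlen)
/* Parameter names must match the expansion exactly: these macros are not
 * hygienic, so a misspelled parameter silently captures the caller's variable. */
#define x509_policy_qualifier_infos_from_der(d,dlen,in,inlen) asn1_sequence_from_der(d,dlen,in,inlen)
int x509_policy_qualifier_infos_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen);

/*
PolicyInformation ::= SEQUENCE {
	policyIdentifier	CertPolicyId,
	policyQualifiers	SEQUENCE SIZE (1..MAX) OF PolicyQualifierInfo OPTIONAL }

CertPolicyId ::= OBJECT IDENTIFIER -- undefined
*/

/* policy_oid is a known oid id; policy_nodes/policy_nodes_cnt carry the raw arc
 * values for OIDs that have no id. NOTE(review): policy_nodes in *_from_der()
 * has no capacity parameter — confirm the array size callers must provide. */
int x509_policy_information_to_der(
	int policy_oid, const uint32_t *policy_nodes, size_t policy_nodes_cnt,
	const uint8_t *qualifiers, size_t qualifiers_len,
	uint8_t **out, size_t *outlen);
int x509_policy_information_from_der(
	int *policy_oid, uint32_t *policy_nodes, size_t *policy_nodes_cnt,
	const uint8_t **qualifiers, size_t *qualifiers_len,
	const uint8_t **in, size_t *inlen);
int x509_policy_information_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen);

/*
CertificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
*/
int x509_certificate_policies_add_policy_information(uint8_t *d, size_t *dlen, size_t maxlen,
	int policy_oid, const uint32_t *policy_nodes, size_t policy_nodes_cnt,
	const uint8_t *qualifiers, size_t qualifiers_len);
int x509_certificate_policies_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen);
#define x509_certificate_policies_to_der(d,dlen,out,outlen) asn1_sequence_to_der(d,dlen,out,outlen)
#define x509_certificate_policies_from_der(d,dlen,in,inlen) asn1_sequence_from_der(d,dlen,in,inlen)

/*
PolicyMapping ::= SEQUENCE {
	issuerDomainPolicy	CertPolicyId, -- id-anyPolicy or other undefined
	subjectDomainPolicy	CertPolicyId }
*/
/* Same oid-id-or-nodes convention as PolicyInformation; the *_nodes output arrays
 * of *_from_der() again have no capacity parameter — confirm their required size. */
int x509_policy_mapping_to_der(
	int issuer_policy_oid, const uint32_t *issuer_policy_nodes, size_t issuer_policy_nodes_cnt,
	int subject_policy_oid, const uint32_t *subject_policy_nodes, size_t subject_policy_nodes_cnt,
	uint8_t **out, size_t *outlen);
int x509_policy_mapping_from_der(
	int *issuer_policy_oid, uint32_t *issuer_policy_nodes, size_t *issuer_policy_nodes_cnt,
	int *subject_policy_oid, uint32_t *subject_policy_nodes, size_t *subject_policy_nodes_cnt,
	const uint8_t **in, size_t *inlen);
int x509_policy_mapping_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen);
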
/*
PolicyMappings ::= SEQUENCE OF PolicyMapping
*/
/* Append one PolicyMapping to the PolicyMappings buffer d (capacity maxlen, length *dlen) */
int x509_policy_mappings_add_policy_mapping(uint8_t *d, size_t *dlen, size_t maxlen,
	int issuer_policy_oid, const uint32_t *issuer_policy_nodes, size_t issuer_policy_nodes_cnt,
	int subject_policy_oid, const uint32_t *subject_policy_nodes, size_t subject_policy_nodes_cnt);
int x509_policy_mappings_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen);
#define x509_policy_mappings_to_der(d,dlen,out,outlen) asn1_sequence_to_der(d,dlen,out,outlen)
#define x509_policy_mappings_from_der(d,dlen,in,inlen) asn1_sequence_from_der(d,dlen,in,inlen)

/*
SubjectAltName ::= GeneralNames
*/
#define x509_subject_alt_name_print(fp,fmt,ind,label,d,dlen) x509_general_names_print(fp,fmt,ind,label,d,dlen)

/*
IssuerAltName ::= GeneralNames
*/
#define x509_issuer_alt_name_print(fp,fmt,ind,label,d,dlen) x509_general_names_print(fp,fmt,ind,label,d,dlen)

/*
SubjectDirectoryAttributes ::= SEQUENCE OF Attribute

Attribute ::= SEQUENCE {
	type	OBJECT IDENTIFIER,
	values	SET OF ANY }
*/
/* values/values_len: the raw DER content of the SET OF (not interpreted here) */
int x509_attribute_to_der(
	const uint32_t *nodes, size_t nodes_cnt,
	const uint8_t *values, size_t values_len,
	uint8_t **out, size_t *outlen);
/* NOTE(review): `nodes` has no caller-supplied capacity parameter, so the decoder
 * must bound the node count itself; confirm the array size callers must provide. */
int x509_attribute_from_der(
	int *oid, uint32_t *nodes, size_t *nodes_cnt,
	const uint8_t **values, size_t *values_len,
	const uint8_t **in, size_t *inlen);
int x509_attribute_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen);

int x509_attributes_add_attribute(uint8_t *d, size_t *dlen, size_t maxlen,
	const uint32_t *nodes, size_t nodes_cnt,
	const uint8_t *values, size_t values_len);
int x509_attributes_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen);
#define x509_attributes_to_der(d,dlen,out,outlen) asn1_sequence_to_der(d,dlen,out,outlen)
#define x509_attributes_from_der(d,dlen,in,inlen) asn1_sequence_from_der(d,dlen,in,inlen)

/*
BasicConstraints ::= SEQUENCE {
	cA			BOOLEAN DEFAULT FALSE,
	pathLenConstraint	INTEGER (0..MAX) OPTIONAL }
*/
/* pathLenConstraint is OPTIONAL; how "absent" is represented in path_len_cons
 * (e.g. a negative value) is decided by the implementation — confirm before
 * using the decoded value in path-length checks. */
int x509_basic_constraints_to_der(int ca, int path_len_cons, uint8_t **out, size_t *outlen);
int x509_basic_constraints_from_der(int *ca, int *path_len_cons, const uint8_t **in, size_t *inlen);
int x509_basic_constraints_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen);

/*
GeneralSubtree ::= SEQUENCE {
	base		GeneralName,
	minimum		[0] IMPLICIT BaseDistance DEFAULT 0,
	maximum		[1] IMPLICIT BaseDistance OPTIONAL }

BaseDistance ::= INTEGER (0..MAX)
*/
/* base_choice/base/base_len describe the GeneralName exactly as for x509_general_name_to_der() */
int x509_general_subtree_to_der(
	int base_choice, const uint8_t *base, size_t base_len,
	int minimum, int maximum,
	uint8_t **out, size_t *outlen);
int x509_general_subtree_from_der(
	int *base_choice, const uint8_t **base, size_t *base_len,
	int *minimum, int *maximum,
	const uint8_t **in, size_t *inlen);
int x509_general_subtree_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen);

/*
GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
*/
// TODO: should be reworked along the lines of general_names_add_xxx; unclear how widely this function is used
int x509_general_subtrees_add_general_subtree(uint8_t *d, size_t *dlen, size_t maxlen, // very similar to general_names, just with a little more content
	int base_choice, const uint8_t *base, size_t base_len,
	int minimum, int maximum);
int x509_general_subtrees_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen);
#define x509_general_subtrees_to_der(d,dlen,out,outlen) asn1_sequence_to_der(d,dlen,out,outlen)
#define x509_general_subtrees_from_der(d,dlen,in,inlen) asn1_sequence_from_der(d,dlen,in,inlen)

/*
NameConstraints ::= SEQUENCE {
	permittedSubtrees	[0] GeneralSubtrees OPTIONAL,
	excludedSubtrees	[1] GeneralSubtrees OPTIONAL }
*/
/* Each subtrees argument is an encoded GeneralSubtrees (see above); both are OPTIONAL */
int x509_name_constraints_to_der(
	const uint8_t *permitted_subtrees, size_t permitted_subtrees_len,
	const uint8_t *excluded_subtrees, size_t excluded_subtrees_len,
	uint8_t **out, size_t *outlen);
int x509_name_constraints_from_der(
	const uint8_t **permitted_subtrees, size_t *permitted_subtrees_len,
	const uint8_t **excluded_subtrees, size_t *excluded_subtrees_len,
	const uint8_t **in, size_t *inlen);
int x509_name_constraints_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen);

/*
PolicyConstraints ::= SEQUENCE {
	requireExplicitPolicy	[0] IMPLICIT SkipCerts OPTIONAL,
	inhibitPolicyMapping	[1] IMPLICIT SkipCerts OPTIONAL
}

SkipCerts ::= INTEGER (0..MAX)
*/
/* Both fields are OPTIONAL; the value used to mean "absent" is implementation-defined — confirm */
int x509_policy_constraints_to_der(int require_explicit_policy, int inhibit_policy_mapping, uint8_t **out, size_t *outlen);
int x509_policy_constraints_from_der(int *require_explicit_policy, int *inhibit_policy_mapping, const uint8_t **in, size_t *inlen);
int x509_policy_constraints_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen);

/*
ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId

KeyPurposeId:
	OID_kp_server_auth
	OID_kp_client_auth
	OID_kp_code_signing
	OID_kp_email_protection
	OID_kp_time_stamping
	OID_kp_ocsp_signing
*/
/* Number of KeyPurposeIds listed above; a natural capacity for the oids array */
#define X509_MAX_KEY_PURPOSES 6
/* oids: array of OID_kp_* ids; max_cnt is the capacity of the caller's oids array */
int x509_ext_key_usage_to_der(const int *oids, size_t oids_cnt, uint8_t **out, size_t *outlen);
int x509_ext_key_usage_from_der(int *oids, size_t *oids_cnt, size_t max_cnt, const uint8_t **in, size_t *inlen);
int x509_ext_key_usage_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen);

/*
ReasonFlags ::= BIT STRING {
	unused			(0),
	keyCompromise		(1),
	cACompromise		(2),
	affiliationChanged	(3),
	superseded		(4),
	cessationOfOperation	(5),
	certificateHold		(6),
	privilegeWithdrawn	(7),
	aACompromise		(8) }
*/
/* Flag (1 << n) stands for ReasonFlags bit n, mirroring the X509_KU_* scheme */
#define X509_RF_UNUSED			(1 << 0)
#define X509_RF_KEY_COMPROMISE		(1 << 1)
#define X509_RF_CA_COMPROMISE		(1 << 2)
#define X509_RF_AFFILIATION_CHANGED	(1 << 3)
#define X509_RF_SUPERSEDED		(1 << 4)
#define X509_RF_CESSATION_OF_OPERATION	(1 << 5)
#define X509_RF_CERTIFICATE_HOLD	(1 << 6)
#define X509_RF_PRIVILEGE_WITHDRAWN	(1 << 7)
#define X509_RF_AA_COMPROMISE		(1 << 8)

/* Map a single X509_RF_* flag to its name and back */
const char *x509_revoke_reason_name(int flag);
int x509_revoke_reason_from_name(int *flag, const char *name);
#define x509_revoke_reasons_to_der(bits,out,outlen) asn1_bits_to_der(bits,out,outlen)
#define x509_revoke_reasons_from_der(bits,in,inlen) asn1_bits_from_der(bits,in,inlen)
int x509_revoke_reasons_print(FILE *fp, int fmt, int ind, const char *label, int bits);

/*
DistributionPointName ::= CHOICE {
	fullName			[0] IMPLICIT GeneralNames, -- SEQUENCE OF
	nameRelativeToCRLIssuer		[1] IMPLICIT RelativeDistinguishedName } -- SET OF
*/
/* choice: 0 for fullName, 1 for nameRelativeToCRLIssuer (the CHOICE tags above) */
int x509_distribution_point_name_to_der(int choice, const uint8_t *d, size_t dlen, uint8_t **out, size_t *outlen);
int x509_distribution_point_name_from_der(int *choice, const uint8_t **d, size_t *dlen, const uint8_t **in, size_t *inlen);
int x509_distribution_point_name_print(FILE *fp, int fmt, int ind, const char *label,const uint8_t *a, size_t alen);

/* EXPLICIT-tagged variant: index is the outer context tag (DistributionPoint uses [0]) */
int x509_explicit_distribution_point_name_to_der(int index, int choice, const uint8_t *d, size_t dlen, uint8_t **out, size_t *outlen);
int x509_explicit_distribution_point_name_from_der(int index, int *choice, const uint8_t **d, size_t *dlen, const uint8_t **in, size_t *inlen);
int x509_explicit_distribution_point_name_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen);

/*
DistributionPoint ::= SEQUENCE {
	distributionPoint	[0] EXPLICIT DistributionPointName OPTIONAL,
	reasons			[1] IMPLICIT ReasonFlags OPTIONAL,
	cRLIssuer		[2] IMPLICIT GeneralNames OPTIONAL }
*/
/* reasons: OR of X509_RF_* flags; crl_issuer: encoded GeneralNames; all three fields OPTIONAL */
int x509_distribution_point_to_der(
	int dist_point_choice, const uint8_t *dist_point, size_t dist_point_len,
	int reasons, const uint8_t *crl_issuer, size_t crl_issuer_len,
	uint8_t **out, size_t *outlen);
int x509_distribution_point_from_der(
	int *dist_point_choice, const uint8_t **dist_point, size_t *dist_point_len,
	int *reasons, const uint8_t **crl_issuer, size_t *crl_issuer_len,
	const uint8_t **in, size_t *inlen);
int x509_distribution_point_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen);

/*
DistributionPoints ::= SEQUENCE OF DistributionPoint
*/
int x509_distribution_points_add_distribution_point(uint8_t *d, size_t *dlen, size_t maxlen,
	int dist_point_choice, const uint8_t *dist_point, size_t dist_point_len,
	int reasons, const uint8_t *crl_issuer, size_t crl_issuer_len);
int x509_distribution_points_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen);
#define x509_distribution_points_to_der(d,dlen,out,outlen) asn1_sequence_to_der(d,dlen,out,outlen)
#define x509_distribution_points_from_der(d,dlen,in,inlen) asn1_sequence_from_der(d,dlen,in,inlen)

/*
CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
*/
#define x509_crl_distribution_points_to_der(d,dlen,out,outlen) x509_distribution_points_to_der(d,dlen,out,outlen)
#define x509_crl_distribution_points_from_der(d,dlen,in,inlen) x509_distribution_points_from_der(d,dlen,in,inlen)
#define x509_crl_distribution_points_print(fp,fmt,ind,label,d,dlen) x509_distribution_points_print(fp,fmt,ind,label,d,dlen)


/*
InhibitAnyPolicy ::= SkipCerts
SkipCerts ::= INTEGER (0..MAX)
*/
#define x509_inhibit_any_policy_to_der(val,out,outlen) asn1_int_to_der(val,out,outlen)
#define x509_inhibit_any_policy_from_der(val,in,inlen) asn1_int_from_der(val,in,inlen)

/*
FreshestCRL ::= CRLDistributionPoints
*/
#define x509_freshest_crl_to_der(d,dlen,out,outlen) x509_crl_distribution_points_to_der(d,dlen,out,outlen)
#define x509_freshest_crl_from_der(d,dlen,in,inlen) x509_crl_distribution_points_from_der(d,dlen,in,inlen)
#define x509_freshest_crl_print(fp,fmt,ind,label,d,dlen) x509_crl_distribution_points_print(fp,fmt,ind,label,d,dlen)

/*
Netscape-Defined Certificate Extensions
https://docs.oracle.com/cd/E19957-01/816-5533-10/ext.htm#1023061

NetscapeCertType ::= BIT STRING

	bit 0: SSL Client certificate
	bit 1: SSL Server certificate
	bit 2: S/MIME certificate
	bit 3: Object-signing certificate
	bit 4: Reserved for future use
	bit 5: SSL CA certificate
	bit 6: S/MIME CA certificate
	bit 7: Object-signing CA certificate

NetscapeCertComment ::= IA5String
*/
/* Print-only support for the legacy extension; bits follow the table above */
int x509_netscape_cert_type_print(FILE *fp, int fmt, int ind, const char *label, int bits);

#ifdef __cplusplus
}
#endif
#endif
