1 /*
2  *  Copyright 2014-2022 The GmSSL Project. All Rights Reserved.
3  *
4  *  Licensed under the Apache License, Version 2.0 (the License); you may
5  *  not use this file except in compliance with the License.
6  *
7  *  http://www.apache.org/licenses/LICENSE-2.0
8  */
9 
10 
11 #ifndef GMSSL_X509_H
12 #define GMSSL_X509_H
13 
14 
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <gmssl/asn1.h>
#include <gmssl/oid.h>
#include <gmssl/sm2.h>
22 
23 #ifdef __cplusplus
24 extern "C" {
25 #endif
26 
27 /*
28 X509 Public API
29 
30 	x509_name_add_rdn
31 	x509_name_add_country_name
32 	x509_name_add_state_or_province_name
33 	x509_name_add_locality_name
34 	x509_name_add_organization_name
35 	x509_name_add_organizational_unit_name
36 	x509_name_add_common_name
37 	x509_name_add_domain_component
38 	x509_name_to_der
39 	x509_name_from_der
40 	x509_name_print
41 	x509_name_get_value_by_type
42 	x509_name_get_common_name
43 
44 	x509_cert_sign
45 	x509_cert_verify
46 	x509_cert_verify_by_ca_cert
47 	x509_cert_get_issuer_and_serial_number
48 	x509_cert_get_issuer
49 	x509_cert_get_subject
50 	x509_cert_get_subject_public_key
51 	x509_cert_to_der
52 	x509_cert_from_der
53 	x509_cert_to_pem
54 	x509_cert_from_pem
55 	x509_cert_print
56 */
57 
/*
 * TBSCertificate.version ([0] EXPLICIT INTEGER DEFAULT v1, see the TBSCertificate
 * comment below). The enumerator is the integer encoded on the wire, i.e. one less
 * than the human-readable version number.
 */
enum X509_Version {
	X509_version_v1 = 0,
	X509_version_v2 = 1,
	X509_version_v3 = 2, // required when extensions are present (see TBSCertificate below)
};
63 
// Printable name of an X509_Version value. What is returned for a value outside the
// enum is not visible here — check the range before printing an untrusted version.
const char *x509_version_name(int version);
// Encode/decode version as "[index] EXPLICIT INTEGER", where `index` is the
// context-specific tag number (0 for TBSCertificate.version). As throughout this
// header, out/outlen and in/inlen are presumably the asn1.h DER write/read cursors.
int x509_explicit_version_to_der(int index, int version, uint8_t **out, size_t *outlen);
int x509_explicit_version_from_der(int index, int *version, const uint8_t **in, size_t *inlen);
67 
68 /*
69 Time ::= CHOICE {
70 	utcTime		UTCTime,
71 	generalTime	GeneralizedTime }
72 */
// ASN.1 Time CHOICE (above) <-> time_t. Which of UTCTime / GeneralizedTime is emitted
// for a given date, and how a time_t outside the representable range is handled, is
// decided in the implementation — not visible here.
int x509_time_to_der(time_t a, uint8_t **out, size_t *outlen);
int x509_time_from_der(time_t *a, const uint8_t **in, size_t *inlen);
75 
76 /*
77 Validity ::= SEQUENCE {
78 	notBefore	Time,
79 	notAfter	Time }
80 */
#define X509_VALIDITY_MIN_DAYS 1
#define X509_VALIDITY_MAX_DAYS (365 * 10) // root CA and CA certificates need a longer validity period!
// *not_after = not_before + days. Whether `days` is checked against the MIN/MAX
// bounds above is decided in the implementation — confirm before relying on it.
int x509_validity_add_days(time_t *not_after, time_t not_before, int days);
// Validity SEQUENCE encode/decode.
int x509_validity_to_der(time_t not_before, time_t not_after, uint8_t **out, size_t *outlen);
int x509_validity_from_der(time_t *not_before, time_t *not_after, const uint8_t **in, size_t *inlen);
// Print the DER of a Validity SEQUENCE (d, dlen) to fp. fmt/ind/label are the format,
// indentation and caption selectors shared by every *_print function in this header.
int x509_validity_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen);
87 
88 /*
89 AttributeTypeAndValue ::= SEQUENCE {
90 	type OBJECT IDENTIFIER,
91 	value ANY -- DEFINED BY AttributeType }
92 
93 id-at
94 	name			DirectoryName		1..ub-name
95 	surname			DirectoryName		1..ub-name
96 	givenName		DirectoryName		1..ub-name
97 	initials		DirectoryName		1..ub-name
98 	generationQualifier	DirectoryName		1..ub-name
99 	commonName		DirectoryName		1..ub-common-name
100 	localityName		DirectoryName		1..ub-locality-name
101 	stateOrProvinceName	DirectoryName		1..ub-state-name
102 	organizationName	DirectoryName		1..ub-organization-name
103 	organizationalUnitName	DirectoryName		1..ub-organizational-unit-name
104 	title			DirectoryName		1..ub-title
105 	dnQualifier		PrintableString		N/A
106 	countryName		PrintableString		2..2
107 	serialNumber		PrintableString		1..ub-serial-number
108 	pseudonym		DirectoryName		1..ub-pseudonym
109 	domainComponent		IA5String		N/A
110 */
// Upper bounds (ub-*) for the attribute values listed in the id-at table above.
#define X509_ub_name 32768
#define X509_ub_common_name 64
#define X509_ub_locality_name 128
#define X509_ub_state_name 128
#define X509_ub_organization_name 64
#define X509_ub_organizational_unit_name 64
#define X509_ub_title 64
#define X509_ub_serial_number 64
#define X509_ub_pseudonym 128

// Validate one AttributeTypeAndValue: the string type `tag` and length `vlen` must be
// acceptable for the attribute `oid` (see the table and ub-* limits above). Presumably
// the same check the to_der/from_der paths apply — confirm before relying on it alone
// for untrusted input.
int x509_attr_type_and_value_check(int oid, int tag, const uint8_t *val, size_t vlen);
// Encode/decode. from_der's val/vlen appear to be a view into the input (no copy), so
// they stay valid only as long as the input buffer does.
int x509_attr_type_and_value_to_der(int oid, int tag, const uint8_t *val, size_t vlen, uint8_t **out, size_t *outlen);
int x509_attr_type_and_value_from_der(int *oid, int *tag, const uint8_t **val, size_t *vlen, const uint8_t **in, size_t *inlen);
int x509_attr_type_and_value_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen);
125 
126 /*
127 RelativeDistinguishedName ::= SET SIZE (1..MAX) OF AttributeTypeAndValue
128 */
// RelativeDistinguishedName: the first AttributeTypeAndValue is given as
// oid/tag/val/vlen; more/mlen presumably carry the DER of any further elements of the
// SET (a multi-valued RDN), or NULL/0 for the common single-valued case — confirm.
// from_der's pointer outputs appear to be views into the input.
int x509_rdn_to_der(int oid, int tag, const uint8_t *val, size_t vlen, const uint8_t *more, size_t mlen, uint8_t **out, size_t *outlen);
int x509_rdn_from_der(int *oid, int *tag, const uint8_t **val, size_t *vlen, const uint8_t **more, size_t *mlen, const uint8_t **in, size_t *inlen);
int x509_rdn_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen);
132 
133 /*
134 Name ::= SEQUENCE OF RelativeDistinguishedName
135 
136 Example:
137     SEQUENCE LEN
138       SET LEN
139           SEQUENCE LEN OID=countryName, String=CN
140       SET LEN
141           SEQUENCE LEN OID=stateName, String=CN
142           SEQUENCE LEN OID=unknown, String=ABC
143       SET LEN
          SEQUENCE LEN OID=commonName, String=ABC
145 */
/*
 * Build a Name incrementally: each x509_name_add_* presumably appends one RDN to the
 * caller's buffer d (current length in/out via *dlen, capacity maxlen). `tag` selects
 * the string type of `val` (see the id-at table above).
 */
int x509_name_add_rdn(uint8_t *d, size_t *dlen, size_t maxlen, int oid, int tag, const uint8_t *val, size_t vlen, const uint8_t *more, size_t mlen);
// NOTE(review): maxlen is `int` in the helpers below but `size_t` in x509_name_add_rdn
// and x509_name_set. A negative int compared with a size_t length converts to a huge
// value, so confirm the implementation rejects maxlen < 0 (or only ever pass a
// non-negative buffer size).
int x509_name_add_country_name(uint8_t *d, size_t *dlen, int maxlen, const char val[2] ); // val: PrintableString SIZE(2) — exactly two chars, presumably not NUL-terminated
int x509_name_add_state_or_province_name(uint8_t *d, size_t *dlen, int maxlen, int tag, const uint8_t *val, size_t vlen);
int x509_name_add_locality_name(uint8_t *d, size_t *dlen, int maxlen, int tag, const uint8_t *val, size_t vlen);
int x509_name_add_organization_name(uint8_t *d, size_t *dlen, int maxlen, int tag, const uint8_t *val, size_t vlen);
int x509_name_add_organizational_unit_name(uint8_t *d, size_t *dlen, int maxlen, int tag, const uint8_t *val, size_t vlen);
int x509_name_add_common_name(uint8_t *d, size_t *dlen, int maxlen, int tag, const uint8_t *val, size_t vlen);
int x509_name_add_domain_component(uint8_t *d, size_t *dlen, int maxlen, const char *val, size_t vlen); // val: IA5String

// Convenience: build a whole Name from C strings in one call. Which arguments may be
// NULL (and are then skipped) is not visible here — confirm.
int x509_name_set(uint8_t *d, size_t *dlen, size_t maxlen,
	const char *country, const char *state, const char *locality,
	const char *org, const char *org_unit, const char *common_name);

// A Name is handled as the content octets of its SEQUENCE; these macros presumably add
// and strip the SEQUENCE header (see asn1.h).
#define x509_name_to_der(d,dlen,out,outlen) asn1_sequence_to_der(d,dlen,out,outlen)
#define x509_name_from_der(d,dlen,in,inlen) asn1_sequence_from_der(d,dlen,in,inlen)
int x509_name_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen);
// Lookup by attribute OID (get_common_name: OID commonName). val/vlen appear to be views
// into d; whether the first or the last matching attribute is returned is not visible here.
int x509_name_get_value_by_type(const uint8_t *d, size_t dlen, int oid, int *tag, const uint8_t **val, size_t *vlen);
int x509_name_get_common_name(const uint8_t *d, size_t dlen, int *tag, const uint8_t **val, size_t *vlen);
// Name equality. Whether this is a byte comparison or RFC 5280-style name matching
// (case/whitespace-insensitive for some string types) is decided by the implementation.
// It drives issuer/subject matching in chain building, so confirm before depending on
// either behaviour.
int x509_name_equ(const uint8_t *a, size_t alen, const uint8_t *b, size_t blen);

// Print a list of Names (presumably the SEQUENCE OF Name content produced by
// x509_certs_get_subjects()).
int x509_names_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen);
167 
168 /*
169 SubjectPublicKeyInfo  ::=  SEQUENCE  {
170 	algorithm            AlgorithmIdentifier,
171 	subjectPublicKey     BIT STRING  }
172 
173 algorithm.algorithm = OID_ec_public_key;
174 algorithm.parameters = OID_sm2;
175 subjectPublicKey = ECPoint
176 */
// SubjectPublicKeyInfo is delegated to the SM2 routines: only SM2 keys
// (OID_ec_public_key with OID_sm2 parameters, per the comment above) are handled here.
#define x509_public_key_info_to_der(key,out,outlen) sm2_public_key_info_to_der(key,out,outlen)
#define x509_public_key_info_from_der(key,in,inlen) sm2_public_key_info_from_der(key,in,inlen)
int x509_public_key_info_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen);
180 
181 /*
182 Extension  ::=  SEQUENCE  {
183 	extnID OBJECT IDENTIFIER,
184 	critical BOOLEAN DEFAULT FALSE,
185 	extnValue OCTET STRING -- contains the DER encoding of an ASN.1 value
186 */
/*
 * Single Extension encode/decode. `critical` follows BOOLEAN DEFAULT FALSE (0 presumably
 * means the field is omitted). from_der additionally returns the OID arcs in
 * nodes/nodes_cnt — presumably so that an extnID unknown to `oid` can still be reported;
 * confirm. RFC 5280 §4.2 requires a certificate carrying an unrecognised *critical*
 * extension to be rejected; whether this library does so is not visible in this header.
 * val/vlen from from_der appear to be views into the input.
 */
int x509_ext_to_der(int oid, int critical, const uint8_t *val, size_t vlen, uint8_t **out, size_t *outlen);
int x509_ext_from_der(int *oid, uint32_t *nodes, size_t *nodes_cnt, int *critical, const uint8_t **val, size_t *vlen, const uint8_t **in, size_t *inlen);
int x509_ext_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen);
190 
191 /*
192 [3] EXPLICIT SEQUENCE OF Extension
193  */
// Extensions list wrapped as "[index] EXPLICIT SEQUENCE OF Extension"; the x509_exts_*
// macros fix index = 3 (TBSCertificate.extensions). d/dlen are the SEQUENCE OF content.
int x509_explicit_exts_to_der(int index, const uint8_t *d, size_t dlen, uint8_t **out, size_t *outlen);
int x509_explicit_exts_from_der(int index, const uint8_t **d, size_t *dlen, const uint8_t **in, size_t *inlen);
#define x509_exts_to_der(d,dlen,out,outlen) x509_explicit_exts_to_der(3,d,dlen,out,outlen)
#define x509_exts_from_der(d,dlen,in,inlen) x509_explicit_exts_from_der(3,d,dlen,in,inlen)

// Iterate the SEQUENCE OF content in d. val/vlen outputs appear to be views into d.
// get_ext_by_oid presumably returns the first match; how "not found" is signalled
// (return value) is not visible here — confirm before using it as a presence test.
int x509_exts_get_count(const uint8_t *d, size_t dlen, size_t *cnt);
int x509_exts_get_ext_by_index(const uint8_t *d, size_t dlen, int index,
	int *oid, uint32_t *nodes, size_t *nodes_cnt, int *critical,
	const uint8_t **val, size_t *vlen);
int x509_exts_get_ext_by_oid(const uint8_t *d, size_t dlen, int oid,
	int *critical, const uint8_t **val, size_t *vlen);
int x509_exts_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen);
206 
207 /*
208 TBSCertificate ::= SEQUENCE {
209 	version			[0] EXPLICIT INTEGER DEFAULT v1,
210 	serialNumber		INTEGER,
	signature		AlgorithmIdentifier,
212 	issuer			Name,
213 	validity		Validity,
214 	subject			Name,
	subjectPublicKeyInfo	SubjectPublicKeyInfo,
216 	issuerUniqueID		[1] IMPLICIT BIT STRING OPTIONAL, -- If present, must be v2,v3
217 	subjectUniqueID		[2] IMPLICIT BIT STRING OPTIONAL, -- If present, must be v2,v3
218 	extensions		[3] EXPLICIT Extensions OPTIONAL  -- If present, must be v3 }
219 */
// Serial number: 1..20 raw INTEGER content octets (20 matches the RFC 5280 cap).
// Unique IDs are exactly 32 bytes in this library (MIN == MAX).
#define X509_SERIAL_NUMBER_MIN_LEN	1
#define X509_SERIAL_NUMBER_MAX_LEN	20
#define X509_UNIQUE_ID_MIN_LEN 		32
#define X509_UNIQUE_ID_MAX_LEN 		32

/*
 * Encode a TBSCertificate. Optional fields are presumably omitted when their length is
 * 0. Per the ASN.1 comment above, a non-empty exts requires version == X509_version_v3
 * and unique IDs require v2 or v3; whether the encoder enforces these version rules is
 * not visible here, so callers should not rely on it. `subject_public_key` goes through
 * x509_public_key_info_to_der (SM2 only). `signature_algor` is the OID selector for
 * the inner AlgorithmIdentifier and must match the outer one in the Certificate.
 */
int x509_tbs_cert_to_der(
	int version,
	const uint8_t *serial, size_t serial_len,
	int signature_algor,
	const uint8_t *issuer, size_t issuer_len,
	time_t not_before, time_t not_after,
	const uint8_t *subject, size_t subject_len,
	const SM2_KEY *subject_public_key,
	const uint8_t *issuer_unique_id, size_t issuer_unique_id_len,
	const uint8_t *subject_unique_id, size_t subject_unique_id_len,
	const uint8_t *exts, size_t exts_len,
	uint8_t **out, size_t *outlen);
/*
 * Decode a TBSCertificate. The pointer outputs (serial, issuer, subject, unique IDs,
 * exts) appear to be views into the input and are valid only while it is; the SM2_KEY
 * is filled in. How an absent optional field is reported (NULL/0 presumably) is not
 * visible here.
 */
int x509_tbs_cert_from_der(
	int *version,
	const uint8_t **serial, size_t *serial_len,
	int *signature_algor,
	const uint8_t **issuer, size_t *issuer_len,
	time_t *not_before, time_t *not_after,
	const uint8_t **subject, size_t *subject_len,
	SM2_KEY *subject_public_key,
	const uint8_t **issuer_unique_id, size_t *issuer_unique_id_len,
	const uint8_t **subject_unique_id, size_t *subject_unique_id_len,
	const uint8_t **exts, size_t *exts_len,
	const uint8_t **in, size_t *inlen);
int x509_tbs_cert_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen);
250 
251 /*
252 Certificate  ::=  SEQUENCE  {
253 	tbsCertificate       TBSCertificate,
254 	signatureAlgorithm   AlgorithmIdentifier,
255 	signatureValue       BIT STRING }
256 */
// Certificate SEQUENCE encode/decode. `tbs` is the DER of the TBSCertificate (the bytes
// the signature covers) and `sig` the raw signature bytes placed in the signatureValue
// BIT STRING. from_der's tbs/sig appear to be views into the input.
int x509_certificate_to_der(
	const uint8_t *tbs, size_t tbslen,
	int signature_algor,
	const uint8_t *sig, size_t siglen,
	uint8_t **out, size_t *outlen);
int x509_certificate_from_der(
	const uint8_t **tbs, size_t *tbslen,
	int *signature_algor,
	const uint8_t **sig, size_t *siglen,
	const uint8_t **in, size_t *inlen);
int x509_certificate_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen);
268 
// x509_cert functions: `cert` / `a` is the DER of one complete Certificate SEQUENCE.

/*
 * Build a TBSCertificate from the given fields (constraints as for
 * x509_tbs_cert_to_der), sign it with sign_key and write the Certificate DER into
 * cert (capacity maxlen, length returned in *certlen). signer_id is the SM2 signer
 * identifier passed to the signing routine — presumably the SM2 user ID (see sm2.h).
 */
int x509_cert_sign(
	uint8_t *cert, size_t *certlen, size_t maxlen,
	int version,
	const uint8_t *serial, size_t serial_len,
	int signature_algor,
	const uint8_t *issuer, size_t issuer_len,
	time_t not_before, time_t not_after,
	const uint8_t *subject, size_t subject_len,
	const SM2_KEY *subject_public_key,
	const uint8_t *issuer_unique_id, size_t issuer_unique_id_len,
	const uint8_t *subject_unique_id, size_t subject_unique_id_len,
	const uint8_t *exts, size_t exts_len,
	const SM2_KEY *sign_key,
	const char *signer_id, size_t signer_id_len);
// Check the certificate's signature with pub_key. Do not assume this also checks the
// validity period, revocation or the chain — that is x509_certs_verify() below.
int x509_cert_verify(const uint8_t *a, size_t alen, const SM2_KEY *pub_key,
	const char *signer_id, size_t signer_id_len);
// Same check using the subject public key of cacert. Whether the issuer name of `a` is
// also matched against cacert's subject is not visible here — confirm before using this
// as the only chain-building step.
int x509_cert_verify_by_ca_cert(const uint8_t *a, size_t alen, const uint8_t *cacert, size_t cacertlen,
	const char *signer_id, size_t signer_id_len);

// DER/PEM I/O. The from_pem family reads one certificate from fp into the caller's
// buffer a (capacity maxlen, length in *alen); by_index / by_subject select one
// certificate from a PEM stream holding several.
int x509_cert_to_der(const uint8_t *a, size_t alen, uint8_t **out, size_t *outlen);
int x509_cert_from_der(const uint8_t **a, size_t *alen, const uint8_t **in, size_t *inlen);
int x509_cert_to_pem(const uint8_t *a, size_t alen, FILE *fp);
int x509_cert_from_pem(uint8_t *a, size_t *alen, size_t maxlen, FILE *fp);
int x509_cert_from_pem_by_index(uint8_t *a, size_t *alen, size_t maxlen, int index, FILE *fp);
int x509_cert_from_pem_by_subject(uint8_t *a, size_t *alen, size_t maxlen, const uint8_t *name, size_t namelen, FILE *fp);
int x509_cert_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *a, size_t alen);

// Parse every field of a certificate at once. The pointer outputs appear to be views
// into `a` (no copy) and are valid only while `a` is; the SM2_KEY is filled in.
// inner_signature_algor is TBSCertificate.signature, signature_algor the outer
// Certificate.signatureAlgorithm — a mismatch between them is worth treating as a
// malformed certificate.
int x509_cert_get_details(const uint8_t *a, size_t alen,
	int *version,
	const uint8_t **serial_number, size_t *serial_number_len,
	int *inner_signature_algor,
	const uint8_t **issuer, size_t *issuer_len,
	time_t *not_before, time_t *not_after,
	const uint8_t **subject, size_t *subject_len,
	SM2_KEY *subject_public_key,
	const uint8_t **issuer_unique_id, size_t *issuer_unique_id_len,
	const uint8_t **subject_unique_id, size_t *subject_unique_id_len,
	const uint8_t **extensions, size_t *extensions_len,
	int *signature_algor,
	const uint8_t **signature, size_t *signature_len);
310 
311 /*
312 IssuerAndSerialNumber ::= SEQUENCE {
	issuer		Name,
314 	serialNumber	INTEGER }
315 */
// Field accessors on a Certificate DER (a, alen). The issuer/subject/serial outputs
// appear to point into `a` (valid only while `a` is); the SM2_KEY is filled in.
// issuer + serialNumber is the pair used to look a certificate up in a list
// (x509_certs_get_cert_by_issuer_and_serial_number below).
int x509_cert_get_issuer_and_serial_number(const uint8_t *a, size_t alen,
	const uint8_t **issuer, size_t *issuer_len,
	const uint8_t **serial_number, size_t *serial_number_len);
int x509_cert_get_issuer(const uint8_t *a, size_t alen, const uint8_t **name, size_t *namelen);
int x509_cert_get_subject(const uint8_t *a, size_t alen, const uint8_t **subj, size_t *subj_len);
int x509_cert_get_subject_public_key(const uint8_t *a, size_t alen, SM2_KEY *public_key);
322 
// Certificate lists: `d` / `certs` is presumably the concatenated DER of several
// Certificate SEQUENCEs (the PEM helpers read/write all of them from/to one stream).
// The get_* functions return views into `d`. Lookup by subject or issuer takes a Name
// DER; which comparison is used is a property of the implementation (see x509_name_equ).
int x509_certs_to_pem(const uint8_t *d, size_t dlen, FILE *fp);
int x509_certs_from_pem(uint8_t *d, size_t *dlen, size_t maxlen, FILE *fp);
int x509_certs_get_count(const uint8_t *d, size_t dlen, size_t *cnt);
int x509_certs_get_cert_by_index(const uint8_t *d, size_t dlen, int index, const uint8_t **cert, size_t *certlen);
int x509_certs_get_cert_by_subject(const uint8_t *d, size_t dlen, const uint8_t *subject, size_t subject_len, const uint8_t **cert, size_t *certlen);
int x509_certs_get_last(const uint8_t *d, size_t dlen, const uint8_t **cert, size_t *certlen);

// Find the certificate matching an IssuerAndSerialNumber (see above); how "not found"
// is signalled is not visible here — confirm before using this as a presence test.
int x509_certs_get_cert_by_issuer_and_serial_number(
	const uint8_t *certs, size_t certs_len,
	const uint8_t *issuer, size_t issuer_len,
	const uint8_t *serial, size_t serial_len,
	const uint8_t **cert, size_t *cert_len);
335 
336 
/*
 * Verification failure codes, presumably written to *verify_result by
 * x509_certs_verify() / x509_certs_verify_tlcp(). -1 is deliberately absent — probably
 * reserved for the generic error return used elsewhere; confirm which of the function's
 * return value and *verify_result callers must check.
 */
typedef enum {
	X509_verify_err_cert_revoked		= -2, // how revocation data reaches the verifier is not shown in this header
	X509_verify_err_cert_not_yet_valid	= -3, // validity notBefore still in the future (presumably vs. current time)
	X509_verify_err_cert_has_expired	= -4, // validity notAfter already passed
	X509_verify_err_cert_chain_too_long	= -5, // chain exceeds the `depth` argument (presumably)
} X509_VERIFY_ERR;
343 
// Verify the chain in certs against the trusted rootcerts. `depth` presumably caps the
// chain length (X509_verify_err_cert_chain_too_long) and the failure code lands in
// *verify_result. Confirm in the implementation whether a non-error return with a
// negative *verify_result can occur — treating either result alone as "verified" is the
// usual mistake with this kind of dual result.
int x509_certs_verify(const uint8_t *certs, size_t certslen,
	const uint8_t *rootcerts, size_t rootcertslen, int depth, int *verify_result);
// TLCP variant of the above; how the accepted chain layout differs is not visible here.
int x509_certs_verify_tlcp(const uint8_t *certs, size_t certslen,
	const uint8_t *rootcerts, size_t rootcertslen, int depth, int *verify_result);
// Collect the subject Names of certs into `names`. NOTE(review): there is no separate
// capacity argument — unless *nameslen is an in/out capacity, the caller cannot bound
// this write; confirm before using it with a fixed-size buffer.
int x509_certs_get_subjects(const uint8_t *certs, size_t certslen, uint8_t *names, size_t *nameslen);
int x509_certs_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen);
350 
351 
// Read one certificate / a certificate list from a PEM file into a new buffer. The
// "new" naming suggests *out is heap-allocated and owned by the caller (free()) —
// confirm against the implementation before relying on that.
int x509_cert_new_from_file(uint8_t **out, size_t *outlen, const char *file);
int x509_certs_new_from_file(uint8_t **out, size_t *outlen, const char *file);
354 
355 
356 
357 
358 #ifdef __cplusplus
359 }
360 #endif
361 #endif