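/*
 * Copyright 2014-2022 The GmSSL Project. All Rights Reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the License); you may
 * not use this file except in compliance with the License.
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 */


#ifndef GMSSL_X509_CRL_H
#define GMSSL_X509_CRL_H

/*
 * Standard headers for the types used in the declarations below
 * (uint8_t, size_t, FILE, time_t).  Without them this header only
 * compiled when the including translation unit happened to pull
 * them in first.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <time.h>

/*
 * NOTE(review): SM2_KEY, asn1_sequence_to_der/asn1_sequence_from_der and
 * x509_explicit_exts_to_der/x509_explicit_exts_from_der are referenced
 * below but not declared here; the including translation unit must provide
 * the SM2, ASN.1 and X.509 extension headers before this one.
 */

#ifdef __cplusplus
extern "C" {
#endif

/*
X509 CRL Public API

Conventions shared by the declarations in this header:

  - *_to_der(..., uint8_t **out, size_t *outlen) and
    *_from_der(..., const uint8_t **in, size_t *inlen) are DER
    encoders/decoders.  NOTE(review): assumed to follow the GmSSL asn1
    cursor convention (advance *out / *in and update the length as they
    go) -- confirm against the ASN.1 header.
  - *_add_*(uint8_t *d, size_t *dlen, size_t maxlen, ...) append one
    element to the buffer d, which currently holds *dlen bytes and has
    room for maxlen bytes.  `critical` is the Extension.critical BOOLEAN.
  - *_print(FILE *fp, int fmt, int ind, const char *label, ...) write a
    human-readable dump of DER content to fp, indented by ind.
  - Return-value semantics are not visible from this header.  GmSSL
    typically returns 1 on success, 0 for "absent"/"not found" and -1 on
    error -- verify per function before relying on it.
*/



/*
CRLReason ::= ENUMERATED

Values follow RFC 5280 section 5.3.1.  Value 7 is not assigned by
RFC 5280; it is named here only so the enumeration stays contiguous.
*/
typedef enum {
	X509_cr_unspecified = 0,            /* unspecified */
	X509_cr_key_compromise = 1,         /* keyCompromise */
	X509_cr_ca_compromise = 2,          /* cACompromise */
	X509_cr_affiliation_changed = 3,    /* affiliationChanged */
	X509_cr_superseded = 4,             /* superseded */
	X509_cr_cessation_of_operation = 5, /* cessationOfOperation */
	X509_cr_certificate_hold = 6,       /* certificateHold */
	X509_cr_not_assigned = 7,           /* not used by RFC 5280 */
	X509_cr_remove_from_crl = 8,        /* removeFromCRL */
	X509_cr_privilege_withdrawn = 9,    /* privilegeWithdrawn */
	X509_cr_aa_compromise = 10,         /* aACompromise */
} X509_CRL_REASON;

/* Name lookup and DER encoding of a CRLReason value. */
const char *x509_crl_reason_name(int reason);
int x509_crl_reason_from_name(int *reason, const char *name);
int x509_crl_reason_to_der(int reason, uint8_t **out, size_t *outlen);
int x509_crl_reason_from_der(int *reason, const uint8_t **in, size_t *inlen);

/*
CRL Entry Extensions:
	OID_ce_crl_reasons		ENUMERATED
	OID_ce_invalidity_date		GeneralizedTime
	OID_ce_certificate_issuer	SEQUENCE GeneralNames
*/
/* Name lookup and DER encoding of a CRL entry extension OID. */
const char *x509_crl_entry_ext_id_name(int oid);
int x509_crl_entry_ext_id_from_name(const char *name);
int x509_crl_entry_ext_id_to_der(int oid, uint8_t **out, size_t *outlen);
int x509_crl_entry_ext_id_from_der(int *oid, const uint8_t **in, size_t *inlen);

/* Append one entry extension to the Extensions buffer exts (bounded by maxlen). */
int x509_crl_entry_exts_add_reason(
	uint8_t *exts, size_t *extslen, size_t maxlen,
	int critical,
	int reason);
int x509_crl_entry_exts_add_invalidity_date(
	uint8_t *exts, size_t *extslen, size_t maxlen,
	int critical,
	time_t tv);
/* d/dlen: DER-encoded GeneralNames. */
int x509_crl_entry_exts_add_certificate_issuer(
	uint8_t *exts, size_t *extslen, size_t maxlen,
	int critical,
	const uint8_t *d, size_t dlen);
/* Entry extensions are a plain SEQUENCE, so the generic sequence codec applies. */
#define x509_crl_entry_exts_to_der(d,dlen,out,outlen) asn1_sequence_to_der(d,dlen,out,outlen)
#define x509_crl_entry_exts_from_der(d,dlen,in,inlen) asn1_sequence_from_der(d,dlen,in,inlen)
int x509_crl_entry_exts_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen);

/*
RevokedCertificate ::= SEQUENCE {
	userCertificate		CertificateSerialNumber,
	revocationDate		Time,
	crlEntryExtensions	Extensions OPTIONAL }
*/
/*
 * serial/serial_len: the CertificateSerialNumber INTEGER content.
 * entry_exts/entry_exts_len: DER-encoded entry Extensions; presumably
 * optional (NULL/0) given the ASN.1 above -- confirm in the implementation.
 */
int x509_revoked_cert_to_der(
	const uint8_t *serial, size_t serial_len,
	time_t revoke_date,
	const uint8_t *entry_exts, size_t entry_exts_len,
	uint8_t **out, size_t *outlen);
int x509_revoked_cert_from_der(
	const uint8_t **serial, size_t *serial_len,
	time_t *revoke_date,
	const uint8_t **entry_exts, size_t *entry_exts_len,
	const uint8_t **in, size_t *inlen);
int x509_revoked_cert_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen);

/*
RevokedCertificates ::= SEQUENCE OF RevokedCertificate
*/
/* Append one RevokedCertificate to the buffer d (bounded by maxlen). */
int x509_revoked_certs_add_revoked_cert(uint8_t *d, size_t *dlen, size_t maxlen,
	const uint8_t *serial, size_t serial_len,
	time_t revoke_date,
	const uint8_t *entry_exts, size_t entry_exts_len);
/*
 * Look up the entry whose serial matches serial/serial_len.  The output
 * pointers are const pointers into DER data, so presumably they reference
 * the input buffer d and are valid only as long as d is -- verify.
 */
int x509_revoked_certs_get_revoked_cert_by_serial_number(const uint8_t *d, size_t dlen,
	const uint8_t *serial, size_t serial_len,
	time_t *revoke_date,
	const uint8_t **entry_exts, size_t *entry_exts_len);
#define x509_revoked_certs_to_der(d,dlen,out,outlen) asn1_sequence_to_der(d,dlen,out,outlen)
#define x509_revoked_certs_from_der(d,dlen,in,inlen) asn1_sequence_from_der(d,dlen,in,inlen)
int x509_revoked_certs_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen);

/*
CRL Extensions:
	OID_ce_authority_key_identifier		SEQUENCE AuthorityKeyIdentifier
	OID_ce_issuer_alt_name			SEQUENCE GeneralNames
	OID_ce_crl_number			INTEGER
	OID_ce_delta_crl_indicator		INTEGER
	OID_ce_issuing_distribution_point	SEQUENCE IssuingDistributionPoint
*/
/* Name lookup and DER encoding of a CRL extension OID. */
const char *x509_crl_ext_id_name(int oid);
int x509_crl_ext_id_from_name(const char *name);
int x509_crl_ext_id_to_der(int oid, uint8_t **out, size_t *outlen);
int x509_crl_ext_id_from_der(int *oid, const uint8_t **in, size_t *inlen);


/*
IssuingDistributionPoint ::= SEQUENCE {
	distributionPoint		[0] EXPLICIT DistributionPointName OPTIONAL,
	onlyContainsUserCerts		[1] IMPLICIT BOOLEAN DEFAULT FALSE,
	onlyContainsCACerts		[2] IMPLICIT BOOLEAN DEFAULT FALSE,
	onlySomeReasons			[3] IMPLICIT ReasonFlags OPTIONAL,
	indirectCRL			[4] IMPLICIT BOOLEAN DEFAULT FALSE,
	onlyContainsAttributeCerts	[5] IMPLICIT BOOLEAN DEFAULT FALSE }
*/

/*
 * dist_point_choice selects the DistributionPointName CHOICE alternative
 * that dist_point/dist_point_len encodes; the remaining ints map one-to-one
 * onto the BOOLEAN / ReasonFlags fields above.
 */
int x509_issuing_distribution_point_to_der(
	int dist_point_choice, const uint8_t *dist_point, size_t dist_point_len,
	int only_contains_user_certs,
	int only_contains_ca_certs,
	int only_some_reasons,
	int indirect_crl,
	int only_contains_attr_certs,
	uint8_t **out, size_t *outlen);
int x509_issuing_distribution_point_from_der(
	int *dist_point_choice, const uint8_t **dist_point, size_t *dist_point_len,
	int *only_contains_user_certs,
	int *only_contains_ca_certs,
	int *only_some_reasons,
	int *indirect_crl,
	int *only_contains_attr_certs,
	const uint8_t **in, size_t *inlen);

/* Append one CRL extension to the Extensions buffer exts (bounded by maxlen). */
int x509_crl_exts_add_authority_key_identifier(
	uint8_t *exts, size_t *extslen, size_t maxlen,
	int critical,
	const uint8_t *keyid, size_t keyid_len,
	const uint8_t *issuer, size_t issuer_len,
	const uint8_t *serial, size_t serial_len);
int x509_crl_exts_add_issuer_alt_name(
	uint8_t *exts, size_t *extslen, size_t maxlen,
	int critical,
	const uint8_t *d, size_t dlen);
int x509_crl_exts_add_crl_number(
	uint8_t *exts, size_t *extslen, size_t maxlen,
	int critical,
	int num);
int x509_crl_exts_add_delta_crl_indicator(
	uint8_t *exts, size_t *extslen, size_t maxlen,
	int critical,
	int num);
/* Note: unlike x509_issuing_distribution_point_to_der there is no dist_point_choice here. */
int x509_crl_exts_add_issuing_distribution_point(
	uint8_t *exts, size_t *extslen, size_t maxlen,
	int critical,
	const uint8_t *dist_point, size_t dist_point_len,
	int only_contains_user_certs,
	int only_contains_ca_certs,
	int only_some_reasons,
	int indirect_crl,
	int only_contains_attr_certs);

/* The leading 0 is the [0] EXPLICIT tag of crlExtensions in TBSCertList (see below). */
#define x509_crl_exts_to_der(d,dlen,out,outlen) x509_explicit_exts_to_der(0,d,dlen,out,outlen)
#define x509_crl_exts_from_der(d,dlen,in,inlen) x509_explicit_exts_from_der(0,d,dlen,in,inlen)
int x509_crl_exts_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen);


/*
TBSCertList ::= SEQUENCE {
	version			INTEGER OPTIONAL, -- if present, MUST be v2
	signature		AlgorithmIdentifier,
	issuer			Name,
	thisUpdate		Time,
	nextUpdate		Time OPTIONAL,
	revokedCertificates	RevokedCertificates OPTIONAL,
	crlExtensions		[0] EXPLICIT Extensions OPTIONAL, -- if present, MUST be v2 }
*/
/*
 * issuer/issuer_len: DER-encoded Name.  revoked_certs and exts are the
 * DER content of the two OPTIONAL fields.  How "absent" is expressed for
 * version and next_update is not visible here -- check the implementation.
 */
int x509_tbs_crl_to_der(
	int version,
	int signature_algor,
	const uint8_t *issuer, size_t issuer_len,
	time_t this_update,
	time_t next_update,
	const uint8_t *revoked_certs, size_t revoked_certs_len,
	const uint8_t *exts, size_t exts_len,
	uint8_t **out, size_t *outlen);
int x509_tbs_crl_from_der(
	int *version,
	int *signature_algor,
	const uint8_t **issuer, size_t *issuer_len,
	time_t *this_update,
	time_t *next_update,
	const uint8_t **revoked_certs, size_t *revoked_certs_len,
	const uint8_t **exts, size_t *exts_len,
	const uint8_t **in, size_t *inlen);
int x509_tbs_crl_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen);

/*
CertificateList ::= SEQUENCE {
	tbsCertList		TBSCertList,
	signatureAlgorithm	AlgorithmIdentifier,
	signatureValue		BIT STRING }
*/
/* tbs_crl/tbs_crl_len: DER-encoded TBSCertList; sig/siglen: the signatureValue bits. */
int x509_cert_list_to_der(const uint8_t *tbs_crl, size_t tbs_crl_len,
	int signature_algor, const uint8_t *sig, size_t siglen,
	uint8_t **out, size_t *outlen);
int x509_cert_list_from_der(const uint8_t **tbs_crl, size_t *tbs_crl_len,
	int *signature_algor, const uint8_t **sig, size_t *siglen,
	const uint8_t **in, size_t *inlen);
int x509_cert_list_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen);

// x509_crl_ functions

/* Whole-CRL (CertificateList) DER / PEM / file I/O.  a/alen is the DER-encoded CRL. */
int x509_crl_to_der(const uint8_t *a, size_t alen, uint8_t **out, size_t *outlen);
int x509_crl_from_der(const uint8_t **a, size_t *alen, const uint8_t **in, size_t *inlen);
int x509_crl_to_pem(const uint8_t *a, size_t alen, FILE *fp);
/* Reads into the caller's buffer a, which has room for maxlen bytes. */
int x509_crl_from_pem(uint8_t *a, size_t *alen, size_t maxlen, FILE *fp);
int x509_crl_to_fp(const uint8_t *a, size_t alen, FILE *fp); // TODO: remove this function
int x509_crl_from_fp(uint8_t *a, size_t *alen, size_t maxlen, FILE *fp); // TODO: remove this function


int x509_crl_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *a, size_t alen);

/*
 * Build a TBSCertList from the given fields, sign it with sign_key and
 * write the resulting CertificateList to crl/*crl_len.
 *
 * signer_id/signer_id_len: the SM2 signer identity used for the signature.
 *
 * NOTE(review): unlike the *_add_* and *_from_pem functions, this signature
 * carries no maximum-length parameter for the output buffer crl.  Callers
 * must size crl conservatively; confirm how the implementation bounds its
 * writes before using it with attacker-influenced input lengths.
 */
int x509_crl_sign(uint8_t *crl, size_t *crl_len,
	int version,
	int signature_algor,
	const uint8_t *issuer, size_t issuer_len,
	time_t this_update,
	time_t next_update,
	const uint8_t *revoked_certs, size_t revoked_certs_len,
	const uint8_t *exts, size_t exts_len,
	const SM2_KEY *sign_key, const char *signer_id, size_t signer_id_len);
/*
 * Verify the CRL signature with sign_pub_key, or with the public key taken
 * from the DER-encoded CA certificate cacert.  Whether issuer-name matching
 * and the thisUpdate/nextUpdate window are also checked is not visible from
 * this header -- confirm before relying on either call for revocation decisions.
 */
int x509_crl_verify(const uint8_t *a, size_t alen,
	const SM2_KEY *sign_pub_key, const char *signer_id, size_t signer_id_len);
int x509_crl_verify_by_ca_cert(const uint8_t *a, size_t alen, const uint8_t *cacert, size_t cacertlen,
	const char *signer_id, size_t signer_id_len);

/*
 * Accessors.  The const output pointers presumably reference the input
 * buffer crl rather than copies, so they are valid only as long as crl is.
 */
int x509_crl_get_details(const uint8_t *crl, size_t crl_len,
	int *version,
	const uint8_t **issuer, size_t *issuer_len,
	time_t *this_update,
	time_t *next_update,
	const uint8_t **revoked_certs, size_t *revoked_certs_len,
	const uint8_t **exts, size_t *exts_len,
	int *signature_algor,
	const uint8_t **sig, size_t *siglen);
int x509_crl_get_issuer(const uint8_t *crl, size_t crl_len,
	const uint8_t **issuer, size_t *issuer_len);

/*
 * Look up serial/serial_len in the CRL's revokedCertificates.  The
 * found / not-found / error return convention is not visible here; check
 * it before treating any non-error result as "not revoked".
 */
int x509_crl_find_revoked_cert_by_serial_number(const uint8_t *a, size_t alen,
	const uint8_t *serial, size_t serial_len, time_t *revoke_date,
	const uint8_t **entry_exts, size_t *entry_exts_len);



/* Print a concatenation of CRLs (inferred from the name; format of d not visible here). */
int x509_crls_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen);

#ifdef __cplusplus
}
#endif
#endif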