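/*
 * This file is part of the openHiTLS project.
 *
 * openHiTLS is licensed under the Mulan PSL v2.
 * You can use this software according to the terms and conditions of the Mulan PSL v2.
 * You may obtain a copy of Mulan PSL v2 at:
 *
 *     http://license.coscl.org.cn/MulanPSL2
 *
 * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND,
 * EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT,
 * MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE.
 * See the Mulan PSL v2 for more details.
 */

/*
 * Internal certificate adaptation interface used by the TLS handshake:
 * certificate selection, chain encoding/decoding, chain verification and
 * the signature / RSA key-transport operations bound to a certificate key.
 */

#ifndef CERT_H
#define CERT_H

#include <stdint.h>
#include "hitls_type.h"
#include "hitls_cert_type.h"
#include "cipher_suite.h"
#include "cert_mgr.h"

#ifdef __cplusplus
extern "C" {
#endif

/* NOTE(review): presumably the maximum passphrase length; no user of this macro is visible here - confirm. */
#define MAX_PASS_LEN 256

/* Size in bytes of a certificate length field (tls.handshake.certificate_length) */
#define CERT_LEN_TAG_SIZE 3u

/*
 * Used to transfer certificate data in ASN.1 DER format.
 * Nodes are chained through next, one node per certificate.
 * NOTE(review): dataSize is the only bound on data that a consumer has; ownership of
 * data is not stated in this header - confirm against the code that builds the list.
 */
typedef struct CertItem {
    uint32_t dataSize;      /* Data length */
    uint8_t *data;          /* Data content */
    struct CertItem *next;  /* Next certificate in the list */
} CERT_Item;

/* Information used to describe the expected certificate */
typedef struct {
    /* The server must select the certificate matching the cipher suite. The client has no such restriction. */
    CERT_Type certType;
    uint16_t *signSchemeList;       /* certificate signature algorithm list */
    uint32_t signSchemeNum;         /* number of certificate signature algorithms */
    uint16_t *ellipticCurveList;    /* EC curve ID list */
    uint32_t ellipticCurveNum;      /* number of EC curve IDs */
    uint8_t *ecPointFormatList;     /* EC point format list */
    uint32_t ecPointFormatNum;      /* number of EC point formats */
    HITLS_TrustedCAList *caList;    /* trusted CA list */
} CERT_ExpectInfo;

/**
 * @ingroup hitls_cert_type
 * @brief   Used to transfer the signature parameters
 */
typedef struct {
    HITLS_SignAlgo signAlgo;    /* signature algorithm */
    HITLS_HashAlgo hashAlgo;    /* hash algorithm */
    const uint8_t *data;        /* signed data */
    uint32_t dataLen;           /* length of the signed data */
    uint8_t *sign;              /* signature buffer */
    uint32_t signLen;           /* signature length */
} CERT_SignParam;

/**
 * @brief   Check the certificate information.
 *
 * @param   ctx [IN] TLS context
 * @param   expectCertInfo [IN] Expected certificate information
 * @param   cert [IN] Certificate
 * @param   isNegotiateSignAlgo [IN] Indicates whether to select the signature algorithm used in handshake messages.
 * @param   signCheck [IN] Indicates whether to check the certificate signature information.
 *
 * @retval  HITLS_SUCCESS                           succeeded.
 * @retval  HITLS_UNREGISTERED_CALLBACK             No callback is set.
 * @retval  HITLS_CERT_CTRL_ERR_GET_PUB_KEY         Failed to obtain the public key.
 * @retval  HITLS_CERT_KEY_CTRL_ERR_GET_TYPE        Failed to obtain the public key type.
 * @retval  HITLS_CERT_ERR_UNSUPPORT_CERT_TYPE      The certificate type does not match.
 * @retval  HITLS_CERT_ERR_NO_SIGN_SCHEME_MATCH     Signature algorithm mismatch
 * @retval  HITLS_CERT_ERR_NO_CURVE_MATCH           Elliptic curve mismatch
 * @retval  HITLS_CERT_ERR_NO_POINT_FORMAT_MATCH    Point format mismatch
 */
int32_t SAL_CERT_CheckCertInfo(HITLS_Ctx *ctx, const CERT_ExpectInfo *expectCertInfo, HITLS_CERT_X509 *cert,
    bool isNegotiateSignAlgo, bool signCheck);

/**
 * @brief   Select the certificate chain to be sent to the peer end.
 *
 * @param   ctx [IN] TLS context
 * @param   info [IN] Expected certificate information
 *
 * @retval  HITLS_SUCCESS                       succeeded.
 * @retval  HITLS_UNREGISTERED_CALLBACK         No callback is set.
 * @retval  HITLS_CERT_ERR_SELECT_CERTIFICATE   Failed to select the certificate.
 */
int32_t SAL_CERT_SelectCertByInfo(HITLS_Ctx *ctx, CERT_ExpectInfo *info);

/**
 * @brief   Encode the certificate chain in ASN.1 DER format.
 *
 * @param   ctx [IN] TLS context
 * @param   buf [OUT] Certificate encoding data
 * @param   bufLen [IN] Maximum length that may be written to buf (passed by value, so it is an input)
 * @param   usedLen [OUT] Data length
 *
 * @retval  HITLS_SUCCESS                       succeeded.
 * @retval  HITLS_UNREGISTERED_CALLBACK         No callback is set.
 * @retval  HITLS_CERT_ERR_BUILD_CHAIN          Failed to assemble the certificate chain.
 * @retval  HITLS_CERT_CTRL_ERR_GET_ENCODE_LEN  Failed to obtain the encoding length.
 * @retval  HITLS_CERT_ERR_ENCODE_CERT          Certificate encoding failed.
 */
int32_t SAL_CERT_EncodeCertChain(HITLS_Ctx *ctx, uint8_t *buf, uint32_t bufLen, uint32_t *usedLen);

/**
 * @brief   Decode the certificate in ASN.1 DER format.
 *
 * @param   ctx [IN] TLS context
 * @param   item [IN] Original certificate data, which is a linked list. Each node indicates a certificate.
 * @param   certPair [OUT] Certificate chain
 *
 * @retval  HITLS_SUCCESS                   succeeded.
 * @retval  HITLS_UNREGISTERED_CALLBACK     No callback is set.
 * @retval  HITLS_MEMALLOC_FAIL             Insufficient memory
 * @retval  HITLS_CERT_ERR_PARSE_MSG        Failed to parse the certificate data.
 */
int32_t SAL_CERT_ParseCertChain(HITLS_Ctx *ctx, CERT_Item *item, CERT_Pair **certPair);

/**
 * @brief   Verify the certificate chain.
 *
 * Callers must treat every value other than HITLS_SUCCESS as a failed verification.
 *
 * @param   ctx [IN] TLS context
 * @param   certPair [IN] Certificate chain
 * @param   isTlcpEncCert [IN] Indicates whether to verify the certificate chain of the encryption certificate
 *                             of the TLCP. The value is always false
 *                             when the TLCP protocol is not used.
 *
 * @retval  HITLS_SUCCESS                       succeeded.
 * @retval  HITLS_UNREGISTERED_CALLBACK         No callback is set.
 * @retval  HITLS_MEMALLOC_FAIL                 Insufficient memory
 * @retval  HITLS_CERT_ERR_VERIFY_CERT_CHAIN    Failed to verify the certificate chain.
 */
int32_t SAL_CERT_VerifyCertChain(HITLS_Ctx *ctx, CERT_Pair *certPair, bool isTlcpEncCert);

/**
 * @brief   Obtain the maximum signature length.
 *
 * @param   config [IN] TLS link configuration
 * @param   key [IN] Certificate private key
 *
 * @return  Signature length
 */
uint32_t SAL_CERT_GetSignMaxLen(HITLS_Config *config, HITLS_CERT_Key *key);

/**
 * @brief   Sign with the certificate private key.
 *
 * @param   ctx [IN] TLS context
 * @param   key [IN] Certificate private key
 * @param   signParam [IN/OUT] Signature information
 *
 * @retval  HITLS_SUCCESS                   succeeded.
 * @retval  HITLS_UNREGISTERED_CALLBACK     No callback is set.
 * @retval  HITLS_CERT_ERR_CREATE_SIGN      Signing failed.
 */
int32_t SAL_CERT_CreateSign(HITLS_Ctx *ctx, HITLS_CERT_Key *key, CERT_SignParam *signParam);

/**
 * @brief   Use the certificate public key to verify the signature.
 *
 * @param   ctx [IN] TLS context
 * @param   key [IN] Certificate public key
 * @param   signParam [IN] Signature information
 *
 * @retval  HITLS_SUCCESS                   succeeded.
 * @retval  HITLS_UNREGISTERED_CALLBACK     No callback is set.
 * @retval  HITLS_CERT_ERR_VERIFY_SIGN      Failed to verify the signature.
 */
int32_t SAL_CERT_VerifySign(HITLS_Ctx *ctx, HITLS_CERT_Key *key, CERT_SignParam *signParam);

/**
 * @ingroup hitls_cert_reg
 * @brief   Encrypt with the certificate public key, which is used for the RSA cipher suite.
 *
 * @param   ctx [IN] TLS context
 * @param   key [IN] Certificate public key
 * @param   in [IN] Plaintext
 * @param   inLen [IN] Length of plaintext
 * @param   out [OUT] Ciphertext
 * @param   outLen [IN/OUT] IN: Maximum length that may be written to out. OUT: Length of the ciphertext
 *
 * @retval  HITLS_SUCCESS   succeeded; failure codes are not listed in this header.
 */
int32_t SAL_CERT_KeyEncrypt(HITLS_Ctx *ctx, HITLS_CERT_Key *key, const uint8_t *in, uint32_t inLen,
    uint8_t *out, uint32_t *outLen);

/**
 * @ingroup hitls_cert_reg
 * @brief   Use the certificate private key to decrypt, which is used for the RSA cipher suite.
 *
 * NOTE(review): for RSA key exchange, RFC 5246 section 7.4.7.1 expects decryption failures to be
 * handled without giving the peer a way to tell them apart; this header does not show how failures
 * are reported to the caller - confirm in the implementation and its callers.
 *
 * @param   ctx [IN] TLS context
 * @param   key [IN] Certificate private key
 * @param   in [IN] Ciphertext
 * @param   inLen [IN] Length of ciphertext
 * @param   out [OUT] Plaintext
 * @param   outLen [IN/OUT] IN: Maximum length that may be written to out. OUT: Plaintext length
 *
 * @retval  HITLS_SUCCESS   succeeded; failure codes are not listed in this header.
 */
int32_t SAL_CERT_KeyDecrypt(HITLS_Ctx *ctx, HITLS_CERT_Key *key, const uint8_t *in, uint32_t inLen,
    uint8_t *out, uint32_t *outLen);

/**
 * @brief   Obtain the default signature hash algorithm based on the certificate public key type.
 *
 * @param   keyType [IN] Certificate public key type
 *
 * @retval  Default signature hash algorithm
 */
HITLS_SignHashAlgo SAL_CERT_GetDefaultSignHashAlgo(HITLS_CERT_KeyType keyType);

/**
 * @ingroup hitls_cert_reg
 * @brief   Encoded content of the TLCP encryption certificate obtained by the server.
 *
 * NOTE(review): the failure value (presumably NULL) and who releases the returned buffer
 * are not stated in this header - confirm in the implementation.
 *
 * @param   ctx [IN] TLS context
 * @param   useLen [OUT] Length after encoding
 *
 * @retval  Encoded content
 */
uint8_t *SAL_CERT_SrvrGmEncodeEncCert(HITLS_Ctx *ctx, uint32_t *useLen);

/**
 * @ingroup hitls_cert_reg
 * @brief   The client obtains the encoded content of the TLCP encryption certificate.
 *
 * NOTE(review): the failure value (presumably NULL) and who releases the returned buffer
 * are not stated in this header - confirm in the implementation.
 *
 * @param   ctx [IN] TLS context
 * @param   peerCert [IN] Peer certificate information
 * @param   useLen [OUT] Length after encoding
 *
 * @retval  Encoded content
 */
uint8_t *SAL_CERT_ClntGmEncodeEncCert(HITLS_Ctx *ctx, CERT_Pair *peerCert, uint32_t *useLen);

/**
 * @ingroup hitls_cert_reg
 * @brief   Check the key usage of the certificate: whether it is an encryption certificate,
 *          a digital signature certificate, or is permitted to issue certificates.
 *
 * @param   ctx [IN] TLS context
 * @param   cert [IN] Certificate to be verified
 * @param   keyusage [IN] Key usage to check, given as a HITLS_CERT_CtrlCmd value
 *
 * @retval  true    The certificate passes the requested key usage check (the original description
 *                  names only the encryption-certificate case - TODO confirm for the other usages).
 */
bool SAL_CERT_CheckCertKeyUsage(HITLS_Ctx *ctx, HITLS_CERT_X509 *cert, HITLS_CERT_CtrlCmd keyusage);

/**
 * @brief   Get the certificate key type based on signScheme
 *
 * @param   ctx [IN] TLS context
 * @param   signScheme [IN] Signature algorithm
 *
 * @retval  Certificate key type
 */
HITLS_CERT_KeyType SAL_CERT_SignScheme2CertKeyType(const HITLS_Ctx *ctx, HITLS_SignHashAlgo signScheme);

#ifdef __cplusplus
}
#endif
#endif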