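# This file is dual licensed under the terms of the Apache License, Version
# 2.0, and the BSD License. See the LICENSE file in the root of this repository
# for complete details.

from __future__ import absolute_import, division, print_function

# cffi cdef fragments for OpenSSL's X.509 path-validation API (x509_vfy.h):
# X509_STORE / X509_STORE_CTX / X509_VERIFY_PARAM, the X509_V_ERR_* codes and
# the X509_V_FLAG_* / X509_CHECK_FLAG_* masks. INCLUDES and CUSTOMIZATIONS are
# compiled as C; TYPES and FUNCTIONS are parsed by cffi (C comments inside
# them are stripped by cffi and are documentation only).

INCLUDES = """
#include <openssl/x509_vfy.h>

/*
 * This is part of a work-around for the difficulty cffi has in dealing with
 * `STACK_OF(foo)` as the name of a type. We invent a new, simpler name that
 * will be an alias for this type and use the alias throughout. This works
 * together with another opaque typedef for the same name in the TYPES section.
 * Note that the result is an opaque type.
 */
typedef STACK_OF(ASN1_OBJECT) Cryptography_STACK_OF_ASN1_OBJECT;
typedef STACK_OF(X509_OBJECT) Cryptography_STACK_OF_X509_OBJECT;
"""

# The Cryptography_HAS_* flags are the only reliable signal that a symbol is
# real on this build. Symbols the target OpenSSL/LibreSSL lacks are stubbed in
# CUSTOMIZATIONS below: constants become 0 and functions become NULL function
# pointers, so using them without first checking the matching HAS_ flag gives a
# wrong comparison or a NULL call rather than a clean error.
TYPES = """
static const long Cryptography_HAS_102_VERIFICATION_ERROR_CODES;
static const long Cryptography_HAS_102_VERIFICATION_PARAMS;
static const long Cryptography_HAS_110_VERIFICATION_PARAMS;
static const long Cryptography_HAS_X509_V_FLAG_TRUSTED_FIRST;
static const long Cryptography_HAS_X509_V_FLAG_PARTIAL_CHAIN;
static const long Cryptography_HAS_X509_STORE_CTX_GET_ISSUER;

typedef ... Cryptography_STACK_OF_ASN1_OBJECT;
typedef ... Cryptography_STACK_OF_X509_OBJECT;

typedef ... X509_OBJECT;
typedef ... X509_STORE;
typedef ... X509_VERIFY_PARAM;
typedef ... X509_STORE_CTX;

typedef int (*X509_STORE_CTX_get_issuer_fn)(X509 **, X509_STORE_CTX *, X509 *);

/* The verification error codes are plain ints, matching the OpenSSL headers.
   The X509_V_FLAG_* / X509_CHECK_FLAG_* bit masks further down are declared
   as long instead: those are the values that could outgrow an int, as
   happened with OP_ALL. */

/* Verification error codes */
static const int X509_V_OK;
static const int X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT;
static const int X509_V_ERR_UNABLE_TO_GET_CRL;
static const int X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE;
static const int X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE;
static const int X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
static const int X509_V_ERR_CERT_SIGNATURE_FAILURE;
static const int X509_V_ERR_CRL_SIGNATURE_FAILURE;
static const int X509_V_ERR_CERT_NOT_YET_VALID;
static const int X509_V_ERR_CERT_HAS_EXPIRED;
static const int X509_V_ERR_CRL_NOT_YET_VALID;
static const int X509_V_ERR_CRL_HAS_EXPIRED;
static const int X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
static const int X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
static const int X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD;
static const int X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD;
static const int X509_V_ERR_OUT_OF_MEM;
static const int X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
static const int X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
static const int X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
static const int X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE;
static const int X509_V_ERR_CERT_CHAIN_TOO_LONG;
static const int X509_V_ERR_CERT_REVOKED;
static const int X509_V_ERR_INVALID_CA;
static const int X509_V_ERR_PATH_LENGTH_EXCEEDED;
static const int X509_V_ERR_INVALID_PURPOSE;
static const int X509_V_ERR_CERT_UNTRUSTED;
static const int X509_V_ERR_CERT_REJECTED;
static const int X509_V_ERR_SUBJECT_ISSUER_MISMATCH;
static const int X509_V_ERR_AKID_SKID_MISMATCH;
static const int X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
static const int X509_V_ERR_KEYUSAGE_NO_CERTSIGN;
static const int X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER;
static const int X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION;
static const int X509_V_ERR_KEYUSAGE_NO_CRL_SIGN;
static const int X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION;
static const int X509_V_ERR_INVALID_NON_CA;
static const int X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED;
static const int X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE;
static const int X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED;
static const int X509_V_ERR_INVALID_EXTENSION;
static const int X509_V_ERR_INVALID_POLICY_EXTENSION;
static const int X509_V_ERR_NO_EXPLICIT_POLICY;
static const int X509_V_ERR_DIFFERENT_CRL_SCOPE;
static const int X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE;
static const int X509_V_ERR_UNNESTED_RESOURCE;
static const int X509_V_ERR_PERMITTED_VIOLATION;
static const int X509_V_ERR_EXCLUDED_VIOLATION;
static const int X509_V_ERR_SUBTREE_MINMAX;
static const int X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE;
static const int X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX;
static const int X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
static const int X509_V_ERR_CRL_PATH_VALIDATION_ERROR;
static const int X509_V_ERR_SUITE_B_INVALID_VERSION;
static const int X509_V_ERR_SUITE_B_INVALID_ALGORITHM;
static const int X509_V_ERR_SUITE_B_INVALID_CURVE;
static const int X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM;
static const int X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED;
static const int X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256;
static const int X509_V_ERR_HOSTNAME_MISMATCH;
static const int X509_V_ERR_EMAIL_MISMATCH;
static const int X509_V_ERR_IP_ADDRESS_MISMATCH;
static const int X509_V_ERR_APPLICATION_VERIFICATION;

/* Verification parameters */
static const long X509_V_FLAG_CB_ISSUER_CHECK;
static const long X509_V_FLAG_USE_CHECK_TIME;
static const long X509_V_FLAG_CRL_CHECK;
static const long X509_V_FLAG_CRL_CHECK_ALL;
static const long X509_V_FLAG_IGNORE_CRITICAL;
static const long X509_V_FLAG_X509_STRICT;
static const long X509_V_FLAG_ALLOW_PROXY_CERTS;
static const long X509_V_FLAG_POLICY_CHECK;
static const long X509_V_FLAG_EXPLICIT_POLICY;
static const long X509_V_FLAG_INHIBIT_ANY;
static const long X509_V_FLAG_INHIBIT_MAP;
static const long X509_V_FLAG_NOTIFY_POLICY;
static const long X509_V_FLAG_EXTENDED_CRL_SUPPORT;
static const long X509_V_FLAG_USE_DELTAS;
static const long X509_V_FLAG_CHECK_SS_SIGNATURE;
static const long X509_V_FLAG_TRUSTED_FIRST;
static const long X509_V_FLAG_SUITEB_128_LOS_ONLY;
static const long X509_V_FLAG_SUITEB_192_LOS;
static const long X509_V_FLAG_SUITEB_128_LOS;
static const long X509_V_FLAG_PARTIAL_CHAIN;

static const long X509_LU_X509;
static const long X509_LU_CRL;

static const long X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT;
static const long X509_CHECK_FLAG_NO_WILDCARDS;
static const long X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS;
static const long X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS;
static const long X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS;
static const long X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
"""

# NOTE(review): X509_verify_cert() validates the chain against the store. The
# peer-identity checks (X509_VERIFY_PARAM_set1_host / set1_email / set1_ip /
# set1_ip_asc, tuned with set_hostflags and the X509_CHECK_FLAG_* masks) are
# separate, opt-in parameters; per the OpenSSL docs the *_MISMATCH errors are
# only produced once one of them has been configured -- confirm against the
# OpenSSL version in use. Code verifying a certificate for a specific peer
# must set one of them rather than rely on chain validation alone, and on
# builds where Cryptography_HAS_102_VERIFICATION_PARAMS is 0 these five
# functions are NULL stubs (see CUSTOMIZATIONS).
FUNCTIONS = """
int X509_verify_cert(X509_STORE_CTX *);

/* X509_STORE */
X509_STORE *X509_STORE_new(void);
int X509_STORE_add_cert(X509_STORE *, X509 *);
int X509_STORE_add_crl(X509_STORE *, X509_CRL *);
int X509_STORE_load_locations(X509_STORE *, const char *, const char *);
int X509_STORE_set1_param(X509_STORE *, X509_VERIFY_PARAM *);
int X509_STORE_set_default_paths(X509_STORE *);
int X509_STORE_set_flags(X509_STORE *, unsigned long);
void X509_STORE_free(X509_STORE *);

/* X509_STORE_CTX */
X509_STORE_CTX *X509_STORE_CTX_new(void);
void X509_STORE_CTX_cleanup(X509_STORE_CTX *);
void X509_STORE_CTX_free(X509_STORE_CTX *);
int X509_STORE_CTX_init(X509_STORE_CTX *, X509_STORE *, X509 *,
                        Cryptography_STACK_OF_X509 *);
void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *,
                                  Cryptography_STACK_OF_X509 *);
void X509_STORE_CTX_set_cert(X509_STORE_CTX *, X509 *);
void X509_STORE_CTX_set_chain(X509_STORE_CTX *,Cryptography_STACK_OF_X509 *);
X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *);
void X509_STORE_CTX_set0_param(X509_STORE_CTX *, X509_VERIFY_PARAM *);
int X509_STORE_CTX_set_default(X509_STORE_CTX *, const char *);
void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *,
                                  int (*)(int, X509_STORE_CTX *));
Cryptography_STACK_OF_X509 *X509_STORE_CTX_get_chain(X509_STORE_CTX *);
Cryptography_STACK_OF_X509 *X509_STORE_CTX_get1_chain(X509_STORE_CTX *);
int X509_STORE_CTX_get_error(X509_STORE_CTX *);
void X509_STORE_CTX_set_error(X509_STORE_CTX *, int);
int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *);
X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *);
int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *, int, void *);
void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *, int);
int X509_STORE_CTX_get1_issuer(X509 **, X509_STORE_CTX *, X509 *);

/* X509_VERIFY_PARAM */
X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void);
int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *, unsigned long);
int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *, unsigned long);
unsigned long X509_VERIFY_PARAM_get_flags(X509_VERIFY_PARAM *);
int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *, int);
int X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *, int);
void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *, time_t);
int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *, ASN1_OBJECT *);
int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *,
                                    Cryptography_STACK_OF_ASN1_OBJECT *);
void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *, int);
int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *);
void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *);
/* this CRYPTO_EX_DATA function became a macro in 1.1.0 */
int X509_STORE_CTX_get_ex_new_index(long, void *, CRYPTO_EX_new *,
                                    CRYPTO_EX_dup *, CRYPTO_EX_free *);

/* X509_STORE_CTX */
void X509_STORE_CTX_set0_crls(X509_STORE_CTX *,
                              Cryptography_STACK_OF_X509_CRL *);

/* X509_VERIFY_PARAM */
int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *, const char *,
                                size_t);
void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *, unsigned int);
int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *, const char *,
                                 size_t);
int X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM *, const unsigned char *,
                              size_t);
int X509_VERIFY_PARAM_set1_ip_asc(X509_VERIFY_PARAM *, const char *);

int sk_X509_OBJECT_num(Cryptography_STACK_OF_X509_OBJECT *);
X509_OBJECT *sk_X509_OBJECT_value(Cryptography_STACK_OF_X509_OBJECT *, int);
X509_VERIFY_PARAM *X509_STORE_get0_param(X509_STORE *);
Cryptography_STACK_OF_X509_OBJECT *X509_STORE_get0_objects(X509_STORE *);
X509 *X509_OBJECT_get0_X509(X509_OBJECT *);
int X509_OBJECT_get_type(const X509_OBJECT *);

/* added in 1.1.0 */
X509 *X509_STORE_CTX_get0_cert(X509_STORE_CTX *);
X509_STORE_CTX_get_issuer_fn X509_STORE_get_get_issuer(X509_STORE *);
void X509_STORE_set_get_issuer(X509_STORE *, X509_STORE_CTX_get_issuer_fn);
"""

# NOTE(review): every error code and flag that the target library lacks is
# stubbed as 0 below. The stubs are therefore all equal to each other, and on
# OpenSSL X509_V_OK is 0 as well (its value is not visible here), so on such a
# build a comparison like `err == X509_V_ERR_HOSTNAME_MISMATCH` is true for a
# *successful* verification. Likewise the stubbed set1_host / set1_email /
# set1_ip* / set_get_issuer symbols are NULL function pointers. Gate on the
# matching Cryptography_HAS_* flag before using any of them.
CUSTOMIZATIONS = """
/* OpenSSL 1.0.2+ verification parameters and error codes */
#if CRYPTOGRAPHY_OPENSSL_102_OR_GREATER
static const long Cryptography_HAS_102_VERIFICATION_ERROR_CODES = 1;
static const long Cryptography_HAS_102_VERIFICATION_PARAMS = 1;
#else
static const long Cryptography_HAS_102_VERIFICATION_ERROR_CODES = 0;
static const long Cryptography_HAS_102_VERIFICATION_PARAMS = 0;

static const long X509_V_ERR_SUITE_B_INVALID_VERSION = 0;
static const long X509_V_ERR_SUITE_B_INVALID_ALGORITHM = 0;
static const long X509_V_ERR_SUITE_B_INVALID_CURVE = 0;
static const long X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM = 0;
static const long X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED = 0;
static const long X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256 = 0;
/* These 3 defines are unavailable in LibreSSL 2.5.x, but may be added
   in the future... */
#ifndef X509_V_ERR_HOSTNAME_MISMATCH
static const long X509_V_ERR_HOSTNAME_MISMATCH = 0;
#endif
#ifndef X509_V_ERR_EMAIL_MISMATCH
static const long X509_V_ERR_EMAIL_MISMATCH = 0;
#endif
#ifndef X509_V_ERR_IP_ADDRESS_MISMATCH
static const long X509_V_ERR_IP_ADDRESS_MISMATCH = 0;
#endif
#ifndef X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT
static const long X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT = 0;
#endif
#ifndef X509_CHECK_FLAG_NO_WILDCARDS
static const long X509_CHECK_FLAG_NO_WILDCARDS = 0;
#endif
#ifndef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
static const long X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS = 0;
#endif
#ifndef X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS
static const long X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS = 0;
#endif
#ifndef X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS
static const long X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS = 0;
#endif

/* X509_V_FLAG_TRUSTED_FIRST is also new in 1.0.2+, but it is added separately
   below because it shows up in some earlier 3rd party OpenSSL packages. */
static const long X509_V_FLAG_SUITEB_128_LOS_ONLY = 0;
static const long X509_V_FLAG_SUITEB_192_LOS = 0;
static const long X509_V_FLAG_SUITEB_128_LOS = 0;

#if !CRYPTOGRAPHY_LIBRESSL_27_OR_GREATER
int (*X509_VERIFY_PARAM_set1_host)(X509_VERIFY_PARAM *, const char *,
                                   size_t) = NULL;
int (*X509_VERIFY_PARAM_set1_email)(X509_VERIFY_PARAM *, const char *,
                                    size_t) = NULL;
int (*X509_VERIFY_PARAM_set1_ip)(X509_VERIFY_PARAM *, const unsigned char *,
                                 size_t) = NULL;
int (*X509_VERIFY_PARAM_set1_ip_asc)(X509_VERIFY_PARAM *, const char *) = NULL;
void (*X509_VERIFY_PARAM_set_hostflags)(X509_VERIFY_PARAM *,
                                        unsigned int) = NULL;
#endif
#endif

#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110 || CRYPTOGRAPHY_IS_LIBRESSL
static const long Cryptography_HAS_110_VERIFICATION_PARAMS = 0;
#ifndef X509_CHECK_FLAG_NEVER_CHECK_SUBJECT
static const long X509_CHECK_FLAG_NEVER_CHECK_SUBJECT = 0;
#endif
#else
static const long Cryptography_HAS_110_VERIFICATION_PARAMS = 1;
#endif

/* OpenSSL 1.0.2+ or Solaris's backport */
#ifdef X509_V_FLAG_PARTIAL_CHAIN
static const long Cryptography_HAS_X509_V_FLAG_PARTIAL_CHAIN = 1;
#else
static const long Cryptography_HAS_X509_V_FLAG_PARTIAL_CHAIN = 0;
static const long X509_V_FLAG_PARTIAL_CHAIN = 0;
#endif

/* OpenSSL 1.0.2+, *or* Fedora 20's flavor of OpenSSL 1.0.1e... */
#ifdef X509_V_FLAG_TRUSTED_FIRST
static const long Cryptography_HAS_X509_V_FLAG_TRUSTED_FIRST = 1;
#else
static const long Cryptography_HAS_X509_V_FLAG_TRUSTED_FIRST = 0;
static const long X509_V_FLAG_TRUSTED_FIRST = 0;
#endif

#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110 && !CRYPTOGRAPHY_LIBRESSL_27_OR_GREATER
Cryptography_STACK_OF_X509_OBJECT *X509_STORE_get0_objects(X509_STORE *ctx) {
    return ctx->objs;
}
X509_VERIFY_PARAM *X509_STORE_get0_param(X509_STORE *store) {
    return store->param;
}
int X509_OBJECT_get_type(const X509_OBJECT *x) {
    return x->type;
}

/* from x509/x509_vfy.c */
X509 *X509_STORE_CTX_get0_cert(X509_STORE_CTX *ctx)
{
    return ctx->cert;
}

X509 *X509_OBJECT_get0_X509(X509_OBJECT *x) {
    return x->data.x509;
}
#endif

#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110
static const long Cryptography_HAS_X509_STORE_CTX_GET_ISSUER = 0;
typedef void *X509_STORE_CTX_get_issuer_fn;
X509_STORE_CTX_get_issuer_fn (*X509_STORE_get_get_issuer)(X509_STORE *) = NULL;
void (*X509_STORE_set_get_issuer)(X509_STORE *,
                                  X509_STORE_CTX_get_issuer_fn) = NULL;
#else
static const long Cryptography_HAS_X509_STORE_CTX_GET_ISSUER = 1;
#endif
"""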