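# This file is dual licensed under the terms of the Apache License, Version
# 2.0, and the BSD License. See the LICENSE file in the root of this repository
# for complete details.

from __future__ import absolute_import, division, print_function

# cffi cdef fragments for OpenSSL's X.509 path-validation API (x509_vfy.h).
# The four strings below follow the usual split of this package: INCLUDES is
# raw C emitted into the generated source, TYPES and FUNCTIONS form the cdef
# that cffi parses, and CUSTOMIZATIONS holds C definitions for the
# Cryptography_HAS_* feature flags and for symbols some libraries lack
# (presumably consumed by the cffi binding builder -- confirm there).

INCLUDES = """
#include <openssl/x509_vfy.h>

/*
 * This is part of a work-around for the difficulty cffi has in dealing with
 * `STACK_OF(foo)` as the name of a type. We invent a new, simpler name that
 * will be an alias for this type and use the alias throughout. This works
 * together with another opaque typedef for the same name in the TYPES section.
 * Note that the result is an opaque type.
 */
typedef STACK_OF(ASN1_OBJECT) Cryptography_STACK_OF_ASN1_OBJECT;
typedef STACK_OF(X509_OBJECT) Cryptography_STACK_OF_X509_OBJECT;
"""

# Opaque types, feature flags and integer constants. The X509_V_ERR_* codes
# are declared `int` and the X509_V_FLAG_* / X509_CHECK_FLAG_* bitmasks
# `long`; the C comment inside the string documents that split (the previous
# comment claimed the error codes were longs, which the declarations below
# contradict).
TYPES = """
static const long Cryptography_HAS_102_VERIFICATION;
static const long Cryptography_HAS_110_VERIFICATION_PARAMS;
static const long Cryptography_HAS_X509_STORE_CTX_GET_ISSUER;

typedef ... Cryptography_STACK_OF_ASN1_OBJECT;
typedef ... Cryptography_STACK_OF_X509_OBJECT;

typedef ... X509_OBJECT;
typedef ... X509_STORE;
typedef ... X509_VERIFY_PARAM;
typedef ... X509_STORE_CTX;

typedef int (*X509_STORE_CTX_get_issuer_fn)(X509 **, X509_STORE_CTX *, X509 *);

/* The X509_V_ERR_* codes are ints in the OpenSSL headers and are declared as
   ints here too. The X509_V_FLAG_* bitmasks below are declared as longs, in
   case they ever grow too large for an int, as happened with OP_ALL. */

/* Verification error codes */
static const int X509_V_OK;
static const int X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT;
static const int X509_V_ERR_UNABLE_TO_GET_CRL;
static const int X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE;
static const int X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE;
static const int X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
static const int X509_V_ERR_CERT_SIGNATURE_FAILURE;
static const int X509_V_ERR_CRL_SIGNATURE_FAILURE;
static const int X509_V_ERR_CERT_NOT_YET_VALID;
static const int X509_V_ERR_CERT_HAS_EXPIRED;
static const int X509_V_ERR_CRL_NOT_YET_VALID;
static const int X509_V_ERR_CRL_HAS_EXPIRED;
static const int X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
static const int X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
static const int X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD;
static const int X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD;
static const int X509_V_ERR_OUT_OF_MEM;
static const int X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
static const int X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
static const int X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
static const int X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE;
static const int X509_V_ERR_CERT_CHAIN_TOO_LONG;
static const int X509_V_ERR_CERT_REVOKED;
static const int X509_V_ERR_INVALID_CA;
static const int X509_V_ERR_PATH_LENGTH_EXCEEDED;
static const int X509_V_ERR_INVALID_PURPOSE;
static const int X509_V_ERR_CERT_UNTRUSTED;
static const int X509_V_ERR_CERT_REJECTED;
static const int X509_V_ERR_SUBJECT_ISSUER_MISMATCH;
static const int X509_V_ERR_AKID_SKID_MISMATCH;
static const int X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
static const int X509_V_ERR_KEYUSAGE_NO_CERTSIGN;
static const int X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER;
static const int X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION;
static const int X509_V_ERR_KEYUSAGE_NO_CRL_SIGN;
static const int X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION;
static const int X509_V_ERR_INVALID_NON_CA;
static const int X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED;
static const int X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE;
static const int X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED;
static const int X509_V_ERR_INVALID_EXTENSION;
static const int X509_V_ERR_INVALID_POLICY_EXTENSION;
static const int X509_V_ERR_NO_EXPLICIT_POLICY;
static const int X509_V_ERR_DIFFERENT_CRL_SCOPE;
static const int X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE;
static const int X509_V_ERR_UNNESTED_RESOURCE;
static const int X509_V_ERR_PERMITTED_VIOLATION;
static const int X509_V_ERR_EXCLUDED_VIOLATION;
static const int X509_V_ERR_SUBTREE_MINMAX;
static const int X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE;
static const int X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX;
static const int X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
static const int X509_V_ERR_CRL_PATH_VALIDATION_ERROR;
static const int X509_V_ERR_SUITE_B_INVALID_VERSION;
static const int X509_V_ERR_SUITE_B_INVALID_ALGORITHM;
static const int X509_V_ERR_SUITE_B_INVALID_CURVE;
static const int X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM;
static const int X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED;
static const int X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256;
static const int X509_V_ERR_HOSTNAME_MISMATCH;
static const int X509_V_ERR_EMAIL_MISMATCH;
static const int X509_V_ERR_IP_ADDRESS_MISMATCH;
static const int X509_V_ERR_APPLICATION_VERIFICATION;

/* Verification parameters */
static const long X509_V_FLAG_CB_ISSUER_CHECK;
static const long X509_V_FLAG_USE_CHECK_TIME;
static const long X509_V_FLAG_CRL_CHECK;
static const long X509_V_FLAG_CRL_CHECK_ALL;
static const long X509_V_FLAG_IGNORE_CRITICAL;
static const long X509_V_FLAG_X509_STRICT;
static const long X509_V_FLAG_ALLOW_PROXY_CERTS;
static const long X509_V_FLAG_POLICY_CHECK;
static const long X509_V_FLAG_EXPLICIT_POLICY;
static const long X509_V_FLAG_INHIBIT_ANY;
static const long X509_V_FLAG_INHIBIT_MAP;
static const long X509_V_FLAG_NOTIFY_POLICY;
static const long X509_V_FLAG_EXTENDED_CRL_SUPPORT;
static const long X509_V_FLAG_USE_DELTAS;
static const long X509_V_FLAG_CHECK_SS_SIGNATURE;
static const long X509_V_FLAG_TRUSTED_FIRST;
static const long X509_V_FLAG_SUITEB_128_LOS_ONLY;
static const long X509_V_FLAG_SUITEB_192_LOS;
static const long X509_V_FLAG_SUITEB_128_LOS;
static const long X509_V_FLAG_PARTIAL_CHAIN;

static const long X509_LU_X509;
static const long X509_LU_CRL;

static const long X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT;
static const long X509_CHECK_FLAG_NO_WILDCARDS;
static const long X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS;
static const long X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS;
static const long X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS;
static const long X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
"""

# Function prototypes. Note that the X509_VERIFY_PARAM_set1_host/_set1_email/
# _set1_ip setters take an explicit size_t length alongside the buffer
# pointer; X509_VERIFY_PARAM_set1_ip_asc takes a NUL-terminated string only.
FUNCTIONS = """
int X509_verify_cert(X509_STORE_CTX *);

/* X509_STORE */
X509_STORE *X509_STORE_new(void);
int X509_STORE_add_cert(X509_STORE *, X509 *);
int X509_STORE_add_crl(X509_STORE *, X509_CRL *);
int X509_STORE_load_locations(X509_STORE *, const char *, const char *);
int X509_STORE_set1_param(X509_STORE *, X509_VERIFY_PARAM *);
int X509_STORE_set_default_paths(X509_STORE *);
int X509_STORE_set_flags(X509_STORE *, unsigned long);
void X509_STORE_free(X509_STORE *);

/* X509_STORE_CTX */
X509_STORE_CTX *X509_STORE_CTX_new(void);
void X509_STORE_CTX_cleanup(X509_STORE_CTX *);
void X509_STORE_CTX_free(X509_STORE_CTX *);
int X509_STORE_CTX_init(X509_STORE_CTX *, X509_STORE *, X509 *,
                        Cryptography_STACK_OF_X509 *);
void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *,
                                  Cryptography_STACK_OF_X509 *);
void X509_STORE_CTX_set_cert(X509_STORE_CTX *, X509 *);
void X509_STORE_CTX_set_chain(X509_STORE_CTX *,Cryptography_STACK_OF_X509 *);
X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *);
void X509_STORE_CTX_set0_param(X509_STORE_CTX *, X509_VERIFY_PARAM *);
int X509_STORE_CTX_set_default(X509_STORE_CTX *, const char *);
void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *,
                                  int (*)(int, X509_STORE_CTX *));
Cryptography_STACK_OF_X509 *X509_STORE_CTX_get_chain(X509_STORE_CTX *);
Cryptography_STACK_OF_X509 *X509_STORE_CTX_get1_chain(X509_STORE_CTX *);
int X509_STORE_CTX_get_error(X509_STORE_CTX *);
void X509_STORE_CTX_set_error(X509_STORE_CTX *, int);
int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *);
X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *);
int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *, int, void *);
void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *, int);
int X509_STORE_CTX_get1_issuer(X509 **, X509_STORE_CTX *, X509 *);

/* X509_VERIFY_PARAM */
X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void);
int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *, unsigned long);
int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *, unsigned long);
unsigned long X509_VERIFY_PARAM_get_flags(X509_VERIFY_PARAM *);
int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *, int);
int X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *, int);
void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *, time_t);
int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *, ASN1_OBJECT *);
int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *,
                                    Cryptography_STACK_OF_ASN1_OBJECT *);
void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *, int);
int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *);
void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *);
/* this CRYPTO_EX_DATA function became a macro in 1.1.0 */
int X509_STORE_CTX_get_ex_new_index(long, void *, CRYPTO_EX_new *,
                                    CRYPTO_EX_dup *, CRYPTO_EX_free *);

/* X509_STORE_CTX */
void X509_STORE_CTX_set0_crls(X509_STORE_CTX *,
                              Cryptography_STACK_OF_X509_CRL *);

/* X509_VERIFY_PARAM */
int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *, const char *,
                                size_t);
void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *, unsigned int);
int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *, const char *,
                                 size_t);
int X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM *, const unsigned char *,
                              size_t);
int X509_VERIFY_PARAM_set1_ip_asc(X509_VERIFY_PARAM *, const char *);

int sk_X509_OBJECT_num(Cryptography_STACK_OF_X509_OBJECT *);
X509_OBJECT *sk_X509_OBJECT_value(Cryptography_STACK_OF_X509_OBJECT *, int);
X509_VERIFY_PARAM *X509_STORE_get0_param(X509_STORE *);
Cryptography_STACK_OF_X509_OBJECT *X509_STORE_get0_objects(X509_STORE *);
X509 *X509_OBJECT_get0_X509(X509_OBJECT *);
int X509_OBJECT_get_type(const X509_OBJECT *);

/* added in 1.1.0 */
X509 *X509_STORE_CTX_get0_cert(X509_STORE_CTX *);
X509_STORE_CTX_get_issuer_fn X509_STORE_get_get_issuer(X509_STORE *);
void X509_STORE_set_get_issuer(X509_STORE *, X509_STORE_CTX_get_issuer_fn);
"""

# Feature flags and fallback definitions. On LibreSSL the Suite B error codes
# and flags, and X509_CHECK_FLAG_NEVER_CHECK_SUBJECT when the header lacks
# it, are defined as 0: OR-ing such a flag into a parameter set changes
# nothing there, so Python callers must gate on the Cryptography_HAS_* flags
# rather than assume the corresponding check is in effect. The fallback
# X509_V_ERR_SUITE_B_* definitions use `int` to match their declarations in
# TYPES; the X509_V_FLAG_SUITEB_* fallbacks stay `long` for the same reason.
CUSTOMIZATIONS = """
#if !CRYPTOGRAPHY_IS_LIBRESSL
static const long Cryptography_HAS_102_VERIFICATION = 1;
#else
static const long Cryptography_HAS_102_VERIFICATION = 0;
static const int X509_V_ERR_SUITE_B_INVALID_VERSION = 0;
static const int X509_V_ERR_SUITE_B_INVALID_ALGORITHM = 0;
static const int X509_V_ERR_SUITE_B_INVALID_CURVE = 0;
static const int X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM = 0;
static const int X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED = 0;
static const int X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256 = 0;
static const long X509_V_FLAG_SUITEB_128_LOS_ONLY = 0;
static const long X509_V_FLAG_SUITEB_192_LOS = 0;
static const long X509_V_FLAG_SUITEB_128_LOS = 0;
#endif

#if CRYPTOGRAPHY_IS_LIBRESSL
static const long Cryptography_HAS_110_VERIFICATION_PARAMS = 0;
#ifndef X509_CHECK_FLAG_NEVER_CHECK_SUBJECT
static const long X509_CHECK_FLAG_NEVER_CHECK_SUBJECT = 0;
#endif
#else
static const long Cryptography_HAS_110_VERIFICATION_PARAMS = 1;
#endif

#if CRYPTOGRAPHY_IS_LIBRESSL
static const long Cryptography_HAS_X509_STORE_CTX_GET_ISSUER = 0;
typedef void *X509_STORE_CTX_get_issuer_fn;
X509_STORE_CTX_get_issuer_fn (*X509_STORE_get_get_issuer)(X509_STORE *) = NULL;
void (*X509_STORE_set_get_issuer)(X509_STORE *,
                                  X509_STORE_CTX_get_issuer_fn) = NULL;
#else
static const long Cryptography_HAS_X509_STORE_CTX_GET_ISSUER = 1;
#endif
"""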