TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / d98030e7d6c91fadfd0055340cb8946d1ecd7adc / . / include / polarssl / x509.h
blob: c0a50b772d5889bd550b1da84035e78ff634b22e [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/**
2 * \file x509.h
Paul Bakkere0ccd0a2009-01-04 16:27:10 +0000[diff] [blame]3 *
4 * Based on XySSL: Copyright (C) 2006-2008 Christophe Devine
5 *
Paul Bakker785a9ee2009-01-25 14:15:10 +0000[diff] [blame]6 * Copyright (C) 2009 Paul Bakker <polarssl_maintainer at polarssl dot org>
Paul Bakkere0ccd0a2009-01-04 16:27:10 +0000[diff] [blame]7 *
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License along
19 * with this program; if not, write to the Free Software Foundation, Inc.,
20 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]21 */
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]22#ifndef POLARSSL_X509_H
23#define POLARSSL_X509_H
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]24
Paul Bakker8e831ed2009-01-03 21:24:11 +0000[diff] [blame]25#include "polarssl/rsa.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]26
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]27#define POLARSSL_ERR_ASN1_OUT_OF_DATA -0x0014
28#define POLARSSL_ERR_ASN1_UNEXPECTED_TAG -0x0016
29#define POLARSSL_ERR_ASN1_INVALID_LENGTH -0x0018
30#define POLARSSL_ERR_ASN1_LENGTH_MISMATCH -0x001A
31#define POLARSSL_ERR_ASN1_INVALID_DATA -0x001C
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]32
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]33#define POLARSSL_ERR_X509_FEATURE_UNAVAILABLE -0x0020
34#define POLARSSL_ERR_X509_CERT_INVALID_PEM -0x0040
35#define POLARSSL_ERR_X509_CERT_INVALID_FORMAT -0x0060
36#define POLARSSL_ERR_X509_CERT_INVALID_VERSION -0x0080
37#define POLARSSL_ERR_X509_CERT_INVALID_SERIAL -0x00A0
38#define POLARSSL_ERR_X509_CERT_INVALID_ALG -0x00C0
39#define POLARSSL_ERR_X509_CERT_INVALID_NAME -0x00E0
40#define POLARSSL_ERR_X509_CERT_INVALID_DATE -0x0100
41#define POLARSSL_ERR_X509_CERT_INVALID_PUBKEY -0x0120
42#define POLARSSL_ERR_X509_CERT_INVALID_SIGNATURE -0x0140
43#define POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS -0x0160
44#define POLARSSL_ERR_X509_CERT_UNKNOWN_VERSION -0x0180
45#define POLARSSL_ERR_X509_CERT_UNKNOWN_SIG_ALG -0x01A0
46#define POLARSSL_ERR_X509_CERT_UNKNOWN_PK_ALG -0x01C0
47#define POLARSSL_ERR_X509_CERT_SIG_MISMATCH -0x01E0
48#define POLARSSL_ERR_X509_CERT_VERIFY_FAILED -0x0200
49#define POLARSSL_ERR_X509_KEY_INVALID_PEM -0x0220
50#define POLARSSL_ERR_X509_KEY_INVALID_VERSION -0x0240
51#define POLARSSL_ERR_X509_KEY_INVALID_FORMAT -0x0260
52#define POLARSSL_ERR_X509_KEY_INVALID_ENC_IV -0x0280
53#define POLARSSL_ERR_X509_KEY_UNKNOWN_ENC_ALG -0x02A0
54#define POLARSSL_ERR_X509_KEY_PASSWORD_REQUIRED -0x02C0
55#define POLARSSL_ERR_X509_KEY_PASSWORD_MISMATCH -0x02E0
56#define POLARSSL_ERR_X509_POINT_ERROR -0x0300
57#define POLARSSL_ERR_X509_VALUE_TO_LENGTH -0x0320
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]58
59#define BADCERT_EXPIRED 1
60#define BADCERT_REVOKED 2
61#define BADCERT_CN_MISMATCH 4
62#define BADCERT_NOT_TRUSTED 8
63
64/*
65 * DER constants
66 */
67#define ASN1_BOOLEAN 0x01
68#define ASN1_INTEGER 0x02
69#define ASN1_BIT_STRING 0x03
70#define ASN1_OCTET_STRING 0x04
71#define ASN1_NULL 0x05
72#define ASN1_OID 0x06
73#define ASN1_UTF8_STRING 0x0C
74#define ASN1_SEQUENCE 0x10
75#define ASN1_SET 0x11
76#define ASN1_PRINTABLE_STRING 0x13
77#define ASN1_T61_STRING 0x14
78#define ASN1_IA5_STRING 0x16
79#define ASN1_UTC_TIME 0x17
80#define ASN1_UNIVERSAL_STRING 0x1C
81#define ASN1_BMP_STRING 0x1E
82#define ASN1_PRIMITIVE 0x00
83#define ASN1_CONSTRUCTED 0x20
84#define ASN1_CONTEXT_SPECIFIC 0x80
85
86/*
87 * various object identifiers
88 */
89#define X520_COMMON_NAME 3
90#define X520_COUNTRY 6
91#define X520_LOCALITY 7
92#define X520_STATE 8
93#define X520_ORGANIZATION 10
94#define X520_ORG_UNIT 11
95#define PKCS9_EMAIL 1
96
97#define X509_OUTPUT_DER 0x01
98#define X509_OUTPUT_PEM 0x02
99#define PEM_LINE_LENGTH 72
100#define X509_ISSUER 0x01
101#define X509_SUBJECT 0x02
102
103#define OID_X520 "\x55\x04"
104#define OID_CN "\x55\x04\x03"
105#define OID_PKCS1 "\x2A\x86\x48\x86\xF7\x0D\x01\x01"
106#define OID_PKCS1_RSA "\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01"
107#define OID_PKCS1_RSA_SHA "\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05"
108#define OID_PKCS9 "\x2A\x86\x48\x86\xF7\x0D\x01\x09"
109#define OID_PKCS9_EMAIL "\x2A\x86\x48\x86\xF7\x0D\x01\x09\x01"
110
111/*
112 * Structures for parsing X.509 certificates
113 */
114typedef struct _x509_buf
115{
116 int tag;
117 int len;
118 unsigned char *p;
119}
120x509_buf;
121
122typedef struct _x509_name
123{
124 x509_buf oid;
125 x509_buf val;
126 struct _x509_name *next;
127}
128x509_name;
129
130typedef struct _x509_time
131{
132 int year, mon, day;
133 int hour, min, sec;
134}
135x509_time;
136
137typedef struct _x509_cert
138{
139 x509_buf raw;
140 x509_buf tbs;
141
142 int version;
143 x509_buf serial;
144 x509_buf sig_oid1;
145
146 x509_buf issuer_raw;
147 x509_buf subject_raw;
148
149 x509_name issuer;
150 x509_name subject;
151
152 x509_time valid_from;
153 x509_time valid_to;
154
155 x509_buf pk_oid;
156 rsa_context rsa;
157
158 x509_buf issuer_id;
159 x509_buf subject_id;
160 x509_buf v3_ext;
161
162 int ca_istrue;
163 int max_pathlen;
164
165 x509_buf sig_oid2;
166 x509_buf sig;
167
168 struct _x509_cert *next;
169}
170x509_cert;
171
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame^]172typedef struct _x509_crl_entry
173{
174 x509_buf raw;
175
176 x509_buf serial;
177
178 x509_time revocation_date;
179
180 x509_buf entry_ext;
181
182 struct _x509_crl_entry *next;
183}
184x509_crl_entry;
185
186typedef struct _x509_crl
187{
188 x509_buf raw;
189 x509_buf tbs;
190
191 int version;
192 x509_buf sig_oid1;
193
194 x509_buf issuer_raw;
195
196 x509_name issuer;
197
198 x509_time this_update;
199 x509_time next_update;
200
201 x509_crl_entry entry;
202
203 x509_buf crl_ext;
204
205 x509_buf sig_oid2;
206 x509_buf sig;
207
208 struct _x509_crl *next;
209}
210x509_crl;
211
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]212/*
213 * Structures for writing X.509 certificates
214 */
215typedef struct _x509_node
216{
217 unsigned char *data;
218 unsigned char *p;
219 unsigned char *end;
220
221 size_t len;
222}
223x509_node;
224
225typedef struct _x509_raw
226{
227 x509_node raw;
228 x509_node tbs;
229
230 x509_node version;
231 x509_node serial;
232 x509_node tbs_signalg;
233 x509_node issuer;
234 x509_node validity;
235 x509_node subject;
236 x509_node subpubkey;
237
238 x509_node signalg;
239 x509_node sign;
240}
241x509_raw;
242
243#ifdef __cplusplus
244extern "C" {
245#endif
246
247/**
248 * \brief Parse one or more certificates and add them
249 * to the chained list
250 *
251 * \param chain points to the start of the chain
252 * \param buf buffer holding the certificate data
253 * \param buflen size of the buffer
254 *
255 * \return 0 if successful, or a specific X509 error code
256 */
Paul Bakker592457c2009-04-01 19:01:43 +0000[diff] [blame]257int x509parse_crt( x509_cert *chain, unsigned char *buf, int buflen );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]258
259/**
260 * \brief Load one or more certificates and add them
261 * to the chained list
262 *
263 * \param chain points to the start of the chain
264 * \param path filename to read the certificates from
265 *
266 * \return 0 if successful, or a specific X509 error code
267 */
Paul Bakker592457c2009-04-01 19:01:43 +0000[diff] [blame]268int x509parse_crtfile( x509_cert *chain, char *path );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]269
270/**
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame^]271 * \brief Parse one or more CRLs and add them
272 * to the chained list
273 *
274 * \param chain points to the start of the chain
275 * \param buf buffer holding the CRL data
276 * \param buflen size of the buffer
277 *
278 * \return 0 if successful, or a specific X509 error code
279 */
280int x509parse_crl( x509_crl *chain, unsigned char *buf, int buflen );
281
282/**
283 * \brief Load one or more CRLs and add them
284 * to the chained list
285 *
286 * \param chain points to the start of the chain
287 * \param path filename to read the CRLs from
288 *
289 * \return 0 if successful, or a specific X509 error code
290 */
291int x509parse_crlfile( x509_crl *chain, char *path );
292
293/**
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]294 * \brief Parse a private RSA key
295 *
296 * \param rsa RSA context to be initialized
297 * \param buf input buffer
298 * \param buflen size of the buffer
299 * \param pwd password for decryption (optional)
300 * \param pwdlen size of the password
301 *
302 * \return 0 if successful, or a specific X509 error code
303 */
304int x509parse_key( rsa_context *rsa,
305 unsigned char *buf, int buflen,
306 unsigned char *pwd, int pwdlen );
307
308/**
309 * \brief Load and parse a private RSA key
310 *
311 * \param rsa RSA context to be initialized
312 * \param path filename to read the private key from
313 * \param pwd password to decrypt the file (can be NULL)
314 *
315 * \return 0 if successful, or a specific X509 error code
316 */
317int x509parse_keyfile( rsa_context *rsa, char *path, char *password );
318
319/**
320 * \brief Store the certificate DN in printable form into buf;
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame^]321 * no more than size characters will be written.
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]322 */
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame^]323int x509parse_dn_gets( char *buf, size_t size, x509_name *dn );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]324
325/**
326 * \brief Returns an informational string about the
327 * certificate.
328 */
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame^]329int x509parse_cert_info( char *buf, size_t size, char *prefix, x509_cert *crt );
330
331/**
332 * \brief Returns an informational string about the
333 * CRL.
334 */
335int x509parse_crl_info( char *buf, size_t size, char *prefix, x509_crl *crl );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]336
337/**
338 * \brief Return 0 if the certificate is still valid,
339 * or BADCERT_EXPIRED
340 */
341int x509parse_expired( x509_cert *crt );
342
343/**
344 * \brief Verify the certificate signature
345 *
346 * \param crt a certificate to be verified
347 * \param trust_ca the trusted CA chain
348 * \param cn expected Common Name (can be set to
349 * NULL if the CN must not be verified)
350 * \param flags result of the verification
351 *
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]352 * \return 0 if successful or POLARSSL_ERR_X509_SIG_VERIFY_FAILED,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]353 * in which case *flags will have one or more of
354 * the following values set:
355 * BADCERT_EXPIRED --
356 * BADCERT_REVOKED --
357 * BADCERT_CN_MISMATCH --
358 * BADCERT_NOT_TRUSTED
359 *
360 * \note TODO: add two arguments, depth and crl
361 */
362int x509parse_verify( x509_cert *crt,
363 x509_cert *trust_ca,
364 char *cn, int *flags );
365
366/**
367 * \brief Unallocate all certificate data
368 */
369void x509_free( x509_cert *crt );
370
371/**
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame^]372 * \brief Unallocate all CRL data
373 */
374void x509_crl_free( x509_crl *crl );
375
376/**
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]377 * \brief Checkup routine
378 *
379 * \return 0 if successful, or 1 if the test failed
380 */
381int x509_self_test( int verbose );
382
383#ifdef __cplusplus
384}
385#endif
386
387#endif /* x509.h */