]>
Commit | Line | Data |
---|---|---|
1 | /** | |
2 | * \file x509.h | |
3 | * | |
4 | * \brief X.509 generic defines and structures | |
5 | */ | |
6 | /* | |
7 | * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved | |
8 | * SPDX-License-Identifier: GPL-2.0 | |
9 | * | |
10 | * This program is free software; you can redistribute it and/or modify | |
11 | * it under the terms of the GNU General Public License as published by | |
12 | * the Free Software Foundation; either version 2 of the License, or | |
13 | * (at your option) any later version. | |
14 | * | |
15 | * This program is distributed in the hope that it will be useful, | |
16 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
17 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
18 | * GNU General Public License for more details. | |
19 | * | |
20 | * You should have received a copy of the GNU General Public License along | |
21 | * with this program; if not, write to the Free Software Foundation, Inc., | |
22 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | |
23 | * | |
24 | * This file is part of mbed TLS (https://tls.mbed.org) | |
25 | */ | |
26 | #ifndef MBEDTLS_X509_H | |
27 | #define MBEDTLS_X509_H | |
28 | ||
29 | #if !defined(MBEDTLS_CONFIG_FILE) | |
30 | #include "config.h" | |
31 | #else | |
32 | #include MBEDTLS_CONFIG_FILE | |
33 | #endif | |
34 | ||
35 | #include "asn1.h" | |
36 | #include "pk.h" | |
37 | ||
38 | #if defined(MBEDTLS_RSA_C) | |
39 | #include "rsa.h" | |
40 | #endif | |
41 | ||
42 | /** | |
43 | * \addtogroup x509_module | |
44 | * \{ | |
45 | */ | |
46 | ||
47 | #if !defined(MBEDTLS_X509_MAX_INTERMEDIATE_CA) | |
48 | /** | |
49 | * Maximum number of intermediate CAs in a verification chain. | |
50 | * That is, maximum length of the chain, excluding the end-entity certificate | |
51 | * and the trusted root certificate. | |
52 | * | |
53 | * Set this to a low value to prevent an adversary from making you waste | |
54 | * resources verifying an overlong certificate chain. | |
55 | */ | |
56 | #define MBEDTLS_X509_MAX_INTERMEDIATE_CA 8 | |
57 | #endif | |
58 | ||
59 | /** | |
60 | * \name X509 Error codes | |
61 | * \{ | |
62 | */ | |
63 | #define MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE -0x2080 /**< Unavailable feature, e.g. RSA hashing/encryption combination. */ | |
64 | #define MBEDTLS_ERR_X509_UNKNOWN_OID -0x2100 /**< Requested OID is unknown. */ | |
65 | #define MBEDTLS_ERR_X509_INVALID_FORMAT -0x2180 /**< The CRT/CRL/CSR format is invalid, e.g. different type expected. */ | |
66 | #define MBEDTLS_ERR_X509_INVALID_VERSION -0x2200 /**< The CRT/CRL/CSR version element is invalid. */ | |
67 | #define MBEDTLS_ERR_X509_INVALID_SERIAL -0x2280 /**< The serial tag or value is invalid. */ | |
68 | #define MBEDTLS_ERR_X509_INVALID_ALG -0x2300 /**< The algorithm tag or value is invalid. */ | |
69 | #define MBEDTLS_ERR_X509_INVALID_NAME -0x2380 /**< The name tag or value is invalid. */ | |
70 | #define MBEDTLS_ERR_X509_INVALID_DATE -0x2400 /**< The date tag or value is invalid. */ | |
71 | #define MBEDTLS_ERR_X509_INVALID_SIGNATURE -0x2480 /**< The signature tag or value invalid. */ | |
72 | #define MBEDTLS_ERR_X509_INVALID_EXTENSIONS -0x2500 /**< The extension tag or value is invalid. */ | |
73 | #define MBEDTLS_ERR_X509_UNKNOWN_VERSION -0x2580 /**< CRT/CRL/CSR has an unsupported version number. */ | |
74 | #define MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG -0x2600 /**< Signature algorithm (oid) is unsupported. */ | |
75 | #define MBEDTLS_ERR_X509_SIG_MISMATCH -0x2680 /**< Signature algorithms do not match. (see \c ::mbedtls_x509_crt sig_oid) */ | |
76 | #define MBEDTLS_ERR_X509_CERT_VERIFY_FAILED -0x2700 /**< Certificate verification failed, e.g. CRL, CA or signature check failed. */ | |
77 | #define MBEDTLS_ERR_X509_CERT_UNKNOWN_FORMAT -0x2780 /**< Format not recognized as DER or PEM. */ | |
78 | #define MBEDTLS_ERR_X509_BAD_INPUT_DATA -0x2800 /**< Input invalid. */ | |
79 | #define MBEDTLS_ERR_X509_ALLOC_FAILED -0x2880 /**< Allocation of memory failed. */ | |
80 | #define MBEDTLS_ERR_X509_FILE_IO_ERROR -0x2900 /**< Read/write of file failed. */ | |
81 | #define MBEDTLS_ERR_X509_BUFFER_TOO_SMALL -0x2980 /**< Destination buffer is too small. */ | |
82 | #define MBEDTLS_ERR_X509_FATAL_ERROR -0x3000 /**< A fatal error occured, eg the chain is too long or the vrfy callback failed. */ | |
83 | /* \} name */ | |
84 | ||
85 | /** | |
86 | * \name X509 Verify codes | |
87 | * \{ | |
88 | */ | |
89 | /* Reminder: update x509_crt_verify_strings[] in library/x509_crt.c */ | |
90 | #define MBEDTLS_X509_BADCERT_EXPIRED 0x01 /**< The certificate validity has expired. */ | |
91 | #define MBEDTLS_X509_BADCERT_REVOKED 0x02 /**< The certificate has been revoked (is on a CRL). */ | |
92 | #define MBEDTLS_X509_BADCERT_CN_MISMATCH 0x04 /**< The certificate Common Name (CN) does not match with the expected CN. */ | |
93 | #define MBEDTLS_X509_BADCERT_NOT_TRUSTED 0x08 /**< The certificate is not correctly signed by the trusted CA. */ | |
94 | #define MBEDTLS_X509_BADCRL_NOT_TRUSTED 0x10 /**< The CRL is not correctly signed by the trusted CA. */ | |
95 | #define MBEDTLS_X509_BADCRL_EXPIRED 0x20 /**< The CRL is expired. */ | |
96 | #define MBEDTLS_X509_BADCERT_MISSING 0x40 /**< Certificate was missing. */ | |
97 | #define MBEDTLS_X509_BADCERT_SKIP_VERIFY 0x80 /**< Certificate verification was skipped. */ | |
98 | #define MBEDTLS_X509_BADCERT_OTHER 0x0100 /**< Other reason (can be used by verify callback) */ | |
99 | #define MBEDTLS_X509_BADCERT_FUTURE 0x0200 /**< The certificate validity starts in the future. */ | |
100 | #define MBEDTLS_X509_BADCRL_FUTURE 0x0400 /**< The CRL is from the future */ | |
101 | #define MBEDTLS_X509_BADCERT_KEY_USAGE 0x0800 /**< Usage does not match the keyUsage extension. */ | |
102 | #define MBEDTLS_X509_BADCERT_EXT_KEY_USAGE 0x1000 /**< Usage does not match the extendedKeyUsage extension. */ | |
103 | #define MBEDTLS_X509_BADCERT_NS_CERT_TYPE 0x2000 /**< Usage does not match the nsCertType extension. */ | |
104 | #define MBEDTLS_X509_BADCERT_BAD_MD 0x4000 /**< The certificate is signed with an unacceptable hash. */ | |
105 | #define MBEDTLS_X509_BADCERT_BAD_PK 0x8000 /**< The certificate is signed with an unacceptable PK alg (eg RSA vs ECDSA). */ | |
106 | #define MBEDTLS_X509_BADCERT_BAD_KEY 0x010000 /**< The certificate is signed with an unacceptable key (eg bad curve, RSA too short). */ | |
107 | #define MBEDTLS_X509_BADCRL_BAD_MD 0x020000 /**< The CRL is signed with an unacceptable hash. */ | |
108 | #define MBEDTLS_X509_BADCRL_BAD_PK 0x040000 /**< The CRL is signed with an unacceptable PK alg (eg RSA vs ECDSA). */ | |
109 | #define MBEDTLS_X509_BADCRL_BAD_KEY 0x080000 /**< The CRL is signed with an unacceptable key (eg bad curve, RSA too short). */ | |
110 | ||
111 | /* \} name */ | |
112 | /* \} addtogroup x509_module */ | |
113 | ||
114 | /* | |
115 | * X.509 v3 Key Usage Extension flags | |
116 | * Reminder: update x509_info_key_usage() when adding new flags. | |
117 | */ | |
118 | #define MBEDTLS_X509_KU_DIGITAL_SIGNATURE (0x80) /* bit 0 */ | |
119 | #define MBEDTLS_X509_KU_NON_REPUDIATION (0x40) /* bit 1 */ | |
120 | #define MBEDTLS_X509_KU_KEY_ENCIPHERMENT (0x20) /* bit 2 */ | |
121 | #define MBEDTLS_X509_KU_DATA_ENCIPHERMENT (0x10) /* bit 3 */ | |
122 | #define MBEDTLS_X509_KU_KEY_AGREEMENT (0x08) /* bit 4 */ | |
123 | #define MBEDTLS_X509_KU_KEY_CERT_SIGN (0x04) /* bit 5 */ | |
124 | #define MBEDTLS_X509_KU_CRL_SIGN (0x02) /* bit 6 */ | |
125 | #define MBEDTLS_X509_KU_ENCIPHER_ONLY (0x01) /* bit 7 */ | |
126 | #define MBEDTLS_X509_KU_DECIPHER_ONLY (0x8000) /* bit 8 */ | |
127 | ||
128 | /* | |
129 | * Netscape certificate types | |
130 | * (http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn3.html) | |
131 | */ | |
132 | ||
133 | #define MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT (0x80) /* bit 0 */ | |
134 | #define MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER (0x40) /* bit 1 */ | |
135 | #define MBEDTLS_X509_NS_CERT_TYPE_EMAIL (0x20) /* bit 2 */ | |
136 | #define MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING (0x10) /* bit 3 */ | |
137 | #define MBEDTLS_X509_NS_CERT_TYPE_RESERVED (0x08) /* bit 4 */ | |
138 | #define MBEDTLS_X509_NS_CERT_TYPE_SSL_CA (0x04) /* bit 5 */ | |
139 | #define MBEDTLS_X509_NS_CERT_TYPE_EMAIL_CA (0x02) /* bit 6 */ | |
140 | #define MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING_CA (0x01) /* bit 7 */ | |
141 | ||
142 | /* | |
143 | * X.509 extension types | |
144 | * | |
145 | * Comments refer to the status for using certificates. Status can be | |
146 | * different for writing certificates or reading CRLs or CSRs. | |
147 | */ | |
148 | #define MBEDTLS_X509_EXT_AUTHORITY_KEY_IDENTIFIER (1 << 0) | |
149 | #define MBEDTLS_X509_EXT_SUBJECT_KEY_IDENTIFIER (1 << 1) | |
150 | #define MBEDTLS_X509_EXT_KEY_USAGE (1 << 2) | |
151 | #define MBEDTLS_X509_EXT_CERTIFICATE_POLICIES (1 << 3) | |
152 | #define MBEDTLS_X509_EXT_POLICY_MAPPINGS (1 << 4) | |
153 | #define MBEDTLS_X509_EXT_SUBJECT_ALT_NAME (1 << 5) /* Supported (DNS) */ | |
154 | #define MBEDTLS_X509_EXT_ISSUER_ALT_NAME (1 << 6) | |
155 | #define MBEDTLS_X509_EXT_SUBJECT_DIRECTORY_ATTRS (1 << 7) | |
156 | #define MBEDTLS_X509_EXT_BASIC_CONSTRAINTS (1 << 8) /* Supported */ | |
157 | #define MBEDTLS_X509_EXT_NAME_CONSTRAINTS (1 << 9) | |
158 | #define MBEDTLS_X509_EXT_POLICY_CONSTRAINTS (1 << 10) | |
159 | #define MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE (1 << 11) | |
160 | #define MBEDTLS_X509_EXT_CRL_DISTRIBUTION_POINTS (1 << 12) | |
161 | #define MBEDTLS_X509_EXT_INIHIBIT_ANYPOLICY (1 << 13) | |
162 | #define MBEDTLS_X509_EXT_FRESHEST_CRL (1 << 14) | |
163 | ||
164 | #define MBEDTLS_X509_EXT_NS_CERT_TYPE (1 << 16) | |
165 | ||
166 | /* | |
167 | * Storage format identifiers | |
168 | * Recognized formats: PEM and DER | |
169 | */ | |
170 | #define MBEDTLS_X509_FORMAT_DER 1 | |
171 | #define MBEDTLS_X509_FORMAT_PEM 2 | |
172 | ||
173 | #define MBEDTLS_X509_MAX_DN_NAME_SIZE 256 /**< Maximum value size of a DN entry */ | |
174 | ||
175 | #ifdef __cplusplus | |
176 | extern "C" { | |
177 | #endif | |
178 | ||
179 | /** | |
180 | * \addtogroup x509_module | |
181 | * \{ */ | |
182 | ||
183 | /** | |
184 | * \name Structures for parsing X.509 certificates, CRLs and CSRs | |
185 | * \{ | |
186 | */ | |
187 | ||
188 | /** | |
189 | * Type-length-value structure that allows for ASN1 using DER. | |
190 | */ | |
191 | typedef mbedtls_asn1_buf mbedtls_x509_buf; | |
192 | ||
193 | /** | |
194 | * Container for ASN1 bit strings. | |
195 | */ | |
196 | typedef mbedtls_asn1_bitstring mbedtls_x509_bitstring; | |
197 | ||
198 | /** | |
199 | * Container for ASN1 named information objects. | |
200 | * It allows for Relative Distinguished Names (e.g. cn=localhost,ou=code,etc.). | |
201 | */ | |
202 | typedef mbedtls_asn1_named_data mbedtls_x509_name; | |
203 | ||
204 | /** | |
205 | * Container for a sequence of ASN.1 items | |
206 | */ | |
207 | typedef mbedtls_asn1_sequence mbedtls_x509_sequence; | |
208 | ||
209 | /** Container for date and time (precision in seconds). */ | |
210 | typedef struct mbedtls_x509_time | |
211 | { | |
212 | int year, mon, day; /**< Date. */ | |
213 | int hour, min, sec; /**< Time. */ | |
214 | } | |
215 | mbedtls_x509_time; | |
216 | ||
217 | /** \} name Structures for parsing X.509 certificates, CRLs and CSRs */ | |
218 | /** \} addtogroup x509_module */ | |
219 | ||
220 | /** | |
221 | * \brief Store the certificate DN in printable form into buf; | |
222 | * no more than size characters will be written. | |
223 | * | |
224 | * \param buf Buffer to write to | |
225 | * \param size Maximum size of buffer | |
226 | * \param dn The X509 name to represent | |
227 | * | |
228 | * \return The length of the string written (not including the | |
229 | * terminated nul byte), or a negative error code. | |
230 | */ | |
231 | int mbedtls_x509_dn_gets( char *buf, size_t size, const mbedtls_x509_name *dn ); | |
232 | ||
233 | /** | |
234 | * \brief Store the certificate serial in printable form into buf; | |
235 | * no more than size characters will be written. | |
236 | * | |
237 | * \param buf Buffer to write to | |
238 | * \param size Maximum size of buffer | |
239 | * \param serial The X509 serial to represent | |
240 | * | |
241 | * \return The length of the string written (not including the | |
242 | * terminated nul byte), or a negative error code. | |
243 | */ | |
244 | int mbedtls_x509_serial_gets( char *buf, size_t size, const mbedtls_x509_buf *serial ); | |
245 | ||
246 | /** | |
247 | * \brief Check a given mbedtls_x509_time against the system time | |
248 | * and tell if it's in the past. | |
249 | * | |
250 | * \note Intended usage is "if( is_past( valid_to ) ) ERROR". | |
251 | * Hence the return value of 1 if on internal errors. | |
252 | * | |
253 | * \param to mbedtls_x509_time to check | |
254 | * | |
255 | * \return 1 if the given time is in the past or an error occured, | |
256 | * 0 otherwise. | |
257 | */ | |
258 | int mbedtls_x509_time_is_past( const mbedtls_x509_time *to ); | |
259 | ||
260 | /** | |
261 | * \brief Check a given mbedtls_x509_time against the system time | |
262 | * and tell if it's in the future. | |
263 | * | |
264 | * \note Intended usage is "if( is_future( valid_from ) ) ERROR". | |
265 | * Hence the return value of 1 if on internal errors. | |
266 | * | |
267 | * \param from mbedtls_x509_time to check | |
268 | * | |
269 | * \return 1 if the given time is in the future or an error occured, | |
270 | * 0 otherwise. | |
271 | */ | |
272 | int mbedtls_x509_time_is_future( const mbedtls_x509_time *from ); | |
273 | ||
274 | /** | |
275 | * \brief Checkup routine | |
276 | * | |
277 | * \return 0 if successful, or 1 if the test failed | |
278 | */ | |
279 | int mbedtls_x509_self_test( int verbose ); | |
280 | ||
281 | /* | |
282 | * Internal module functions. You probably do not want to use these unless you | |
283 | * know you do. | |
284 | */ | |
285 | int mbedtls_x509_get_name( unsigned char **p, const unsigned char *end, | |
286 | mbedtls_x509_name *cur ); | |
287 | int mbedtls_x509_get_alg_null( unsigned char **p, const unsigned char *end, | |
288 | mbedtls_x509_buf *alg ); | |
289 | int mbedtls_x509_get_alg( unsigned char **p, const unsigned char *end, | |
290 | mbedtls_x509_buf *alg, mbedtls_x509_buf *params ); | |
291 | #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) | |
292 | int mbedtls_x509_get_rsassa_pss_params( const mbedtls_x509_buf *params, | |
293 | mbedtls_md_type_t *md_alg, mbedtls_md_type_t *mgf_md, | |
294 | int *salt_len ); | |
295 | #endif | |
296 | int mbedtls_x509_get_sig( unsigned char **p, const unsigned char *end, mbedtls_x509_buf *sig ); | |
297 | int mbedtls_x509_get_sig_alg( const mbedtls_x509_buf *sig_oid, const mbedtls_x509_buf *sig_params, | |
298 | mbedtls_md_type_t *md_alg, mbedtls_pk_type_t *pk_alg, | |
299 | void **sig_opts ); | |
300 | int mbedtls_x509_get_time( unsigned char **p, const unsigned char *end, | |
301 | mbedtls_x509_time *t ); | |
302 | int mbedtls_x509_get_serial( unsigned char **p, const unsigned char *end, | |
303 | mbedtls_x509_buf *serial ); | |
304 | int mbedtls_x509_get_ext( unsigned char **p, const unsigned char *end, | |
305 | mbedtls_x509_buf *ext, int tag ); | |
306 | int mbedtls_x509_sig_alg_gets( char *buf, size_t size, const mbedtls_x509_buf *sig_oid, | |
307 | mbedtls_pk_type_t pk_alg, mbedtls_md_type_t md_alg, | |
308 | const void *sig_opts ); | |
309 | int mbedtls_x509_key_size_helper( char *buf, size_t buf_size, const char *name ); | |
310 | int mbedtls_x509_string_to_names( mbedtls_asn1_named_data **head, const char *name ); | |
311 | int mbedtls_x509_set_extension( mbedtls_asn1_named_data **head, const char *oid, size_t oid_len, | |
312 | int critical, const unsigned char *val, | |
313 | size_t val_len ); | |
314 | int mbedtls_x509_write_extensions( unsigned char **p, unsigned char *start, | |
315 | mbedtls_asn1_named_data *first ); | |
316 | int mbedtls_x509_write_names( unsigned char **p, unsigned char *start, | |
317 | mbedtls_asn1_named_data *first ); | |
318 | int mbedtls_x509_write_sig( unsigned char **p, unsigned char *start, | |
319 | const char *oid, size_t oid_len, | |
320 | unsigned char *sig, size_t size ); | |
321 | ||
322 | #define MBEDTLS_X509_SAFE_SNPRINTF \ | |
323 | do { \ | |
324 | if( ret < 0 || (size_t) ret >= n ) \ | |
325 | return( MBEDTLS_ERR_X509_BUFFER_TOO_SMALL ); \ | |
326 | \ | |
327 | n -= (size_t) ret; \ | |
328 | p += (size_t) ret; \ | |
329 | } while( 0 ) | |
330 | ||
331 | #ifdef __cplusplus | |
332 | } | |
333 | #endif | |
334 | ||
335 | #endif /* x509.h */ |