OID functionality moved to a separate module.
A new OID module has been created that contains the main OID searching
functionality based on type-dependent arrays. A base type is used to
contain the basic values (oid_descriptor_t) and that type is extended to
contain type specific information (like a pk_alg_t).
As a result the rsa sign and verify function prototypes have changed. They
now expect a md_type_t identifier instead of the removed RSA_SIG_XXX
defines.
All OID definitions have been moved to oid.h
All OID matching code is in the OID module.
The RSA PKCS#1 functions cleaned up as a result and adapted to use the
MD layer.
The SSL layer cleanup up as a result and adapted to use the MD layer.
The X509 parser cleaned up and matches OIDs in certificates with new
module and adapted to use the MD layer.
The X509 writer cleaned up and adapted to use the MD layer.
Apps and tests modified accordingly
diff --git a/include/polarssl/asn1.h b/include/polarssl/asn1.h
index 893292d..8c7579d 100644
--- a/include/polarssl/asn1.h
+++ b/include/polarssl/asn1.h
@@ -93,6 +93,11 @@
/** Returns the size of the binary string, without the trailing \\0 */
#define OID_SIZE(x) (sizeof(x) - 1)
+/** Compares two asn1_buf structures for the same OID */
+#define OID_CMP(oid_str, oid_buf) \
+ ( ( OID_SIZE(oid_str) == (oid_buf)->len ) && \
+ memcmp( (oid_str), (oid_buf)->p, (oid_buf)->len) == 0 )
+
#ifdef __cplusplus
extern "C" {
#endif
diff --git a/include/polarssl/config.h b/include/polarssl/config.h
index 40ea455..5d27db7 100644
--- a/include/polarssl/config.h
+++ b/include/polarssl/config.h
@@ -710,6 +710,20 @@
#define POLARSSL_NET_C
/**
+ * \def POLARSSL_OID_C
+ *
+ * Enable the OID database
+ *
+ * Module: library/oid.c
+ * Caller: library/rsa.c
+ * library/x509parse.c
+ * library/x509write.c
+ *
+ * This modules translates between OIDs and internal values.
+ */
+#define POLARSSL_OID_C
+
+/**
* \def POLARSSL_PADLOCK_C
*
* Enable VIA Padlock support on x86.
@@ -775,7 +789,7 @@
* library/ssl_tls.c
* library/x509.c
*
- * Requires: POLARSSL_BIGNUM_C
+ * Requires: POLARSSL_BIGNUM_C, POLARSSL_OID_C
*
* This module is required for SSL/TLS and MD5-signed certificates.
*/
@@ -911,7 +925,8 @@
* library/ssl_srv.c
* library/ssl_tls.c
*
- * Requires: POLARSSL_ASN1_PARSE_C, POLARSSL_BIGNUM_C, POLARSSL_RSA_C
+ * Requires: POLARSSL_ASN1_PARSE_C, POLARSSL_BIGNUM_C, POLARSSL_OID_C,
+ * POLARSSL_RSA_C
*
* This module is required for X.509 certificate parsing.
*/
@@ -924,7 +939,7 @@
*
* Module: library/x509write.c
*
- * Requires: POLARSSL_BIGNUM_C, POLARSSL_RSA_C
+ * Requires: POLARSSL_BIGNUM_C, POLARSSL_OID_C, POLARSSL_RSA_C
*
* This module is required for X.509 certificate request writing.
*/
diff --git a/include/polarssl/error.h b/include/polarssl/error.h
index 32dc0a7..a084243 100644
--- a/include/polarssl/error.h
+++ b/include/polarssl/error.h
@@ -55,6 +55,7 @@
* CAMELLIA 2 0x0024-0x0026
* XTEA 1 0x0028-0x0028
* BASE64 2 0x002A-0x002C
+ * OID 1 0x002E-0x002E
* PADLOCK 1 0x0030-0x0030
* DES 1 0x0032-0x0032
* CTR_DBRG 3 0x0034-0x003A
diff --git a/include/polarssl/oid.h b/include/polarssl/oid.h
new file mode 100644
index 0000000..8b45f4f
--- /dev/null
+++ b/include/polarssl/oid.h
@@ -0,0 +1,298 @@
+/**
+ * \file oid.h
+ *
+ * \brief Object Identifier (OID) database
+ *
+ * Copyright (C) 2006-2013, Brainspark B.V.
+ *
+ * This file is part of PolarSSL (http://www.polarssl.org)
+ * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
+ *
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+#ifndef POLARSSL_OID_H
+#define POLARSSL_OID_H
+
+#include <string.h>
+#include "asn1.h"
+#include "md.h"
+#include "x509.h"
+
+#define POLARSSL_ERR_OID_NOT_FOUND -0x002E /**< OID is not found. */
+
+/*
+ * Top level OID tuples
+ */
+#define OID_ISO_MEMBER_BODIES "\x2a" /* {iso(1) member-body(2)} */
+#define OID_ISO_IDENTIFIED_ORG "\x2b" /* {iso(1) identified-organization(3)} */
+#define OID_ISO_CCITT_DS "\x55" /* {joint-iso-ccitt(2) ds(5)} */
+#define OID_ISO_ITU_COUNTRY "\x60" /* {joint-iso-itu-t(2) country(16)} */
+
+/*
+ * ISO Member bodies OID parts
+ */
+#define OID_COUNTRY_US "\x86\x48" /* {us(840)} */
+#define OID_ORG_RSA_DATA_SECURITY "\x86\xf7\x0d" /* {rsadsi(113549)} */
+#define OID_RSA_COMPANY OID_ISO_MEMBER_BODIES OID_COUNTRY_US \
+ OID_ORG_RSA_DATA_SECURITY /* {iso(1) member-body(2) us(840) rsadsi(113549)} */
+
+/*
+ * ISO Identified organization OID parts
+ */
+#define OID_ORG_DOD "\x06" /* {dod(6)} */
+#define OID_OIW_SECSIG_SHA1 "\x0e\x03\x02\x1a"
+
+/*
+ * ISO ITU OID parts
+ */
+#define OID_ORGANIZATION "\x01" /* {organization(1)} */
+#define OID_ISO_ITU_US_ORG OID_ISO_ITU_COUNTRY OID_COUNTRY_US OID_ORGANIZATION /* {joint-iso-itu-t(2) country(16) us(840) organization(1)} */
+
+#define OID_ORG_GOV "\x65" /* {gov(101)} */
+#define OID_GOV OID_ISO_ITU_US_ORG OID_ORG_GOV /* {joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101)} */
+
+#define OID_ORG_NETSCAPE "\x86\xF8\x42" /* {netscape(113730)} */
+#define OID_NETSCAPE OID_ISO_ITU_US_ORG OID_ORG_NETSCAPE /* Netscape OID {joint-iso-itu-t(2) country(16) us(840) organization(1) netscape(113730)} */
+
+/* ISO arc for standard certificate and CRL extensions */
+#define OID_ID_CE OID_ISO_CCITT_DS "\x1D" /**< id-ce OBJECT IDENTIFIER ::= {joint-iso-ccitt(2) ds(5) 29} */
+
+/**
+ * Private Internet Extensions
+ * { iso(1) identified-organization(3) dod(6) internet(1)
+ * security(5) mechanisms(5) pkix(7) }
+ */
+#define OID_PKIX OID_ISO_IDENTIFIED_ORG OID_ORG_DOD "\x01\x05\x05\x07"
+
+/*
+ * Arc for standard naming attributes
+ */
+#define OID_AT OID_ISO_CCITT_DS "\x04" /**< id-at OBJECT IDENTIFIER ::= {joint-iso-ccitt(2) ds(5) 4} */
+#define OID_AT_CN OID_AT "\x03" /**< id-at-commonName AttributeType:= {id-at 3} */
+#define OID_AT_COUNTRY OID_AT "\x06" /**< id-at-countryName AttributeType:= {id-at 6} */
+#define OID_AT_LOCALITY OID_AT "\x07" /**< id-at-locality AttributeType:= {id-at 7} */
+#define OID_AT_STATE OID_AT "\x08" /**< id-at-state AttributeType:= {id-at 8} */
+#define OID_AT_ORGANIZATION OID_AT "\x0A" /**< id-at-organizationName AttributeType:= {id-at 10} */
+#define OID_AT_ORG_UNIT OID_AT "\x0B" /**< id-at-organizationalUnitName AttributeType:= {id-at 11} */
+
+/*
+ * OIDs for standard certificate extensions
+ */
+#define OID_AUTHORITY_KEY_IDENTIFIER OID_ID_CE "\x23" /**< id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 35 } */
+#define OID_SUBJECT_KEY_IDENTIFIER OID_ID_CE "\x0E" /**< id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 14 } */
+#define OID_KEY_USAGE OID_ID_CE "\x0F" /**< id-ce-keyUsage OBJECT IDENTIFIER ::= { id-ce 15 } */
+#define OID_CERTIFICATE_POLICIES OID_ID_CE "\x20" /**< id-ce-certificatePolicies OBJECT IDENTIFIER ::= { id-ce 32 } */
+#define OID_POLICY_MAPPINGS OID_ID_CE "\x21" /**< id-ce-policyMappings OBJECT IDENTIFIER ::= { id-ce 33 } */
+#define OID_SUBJECT_ALT_NAME OID_ID_CE "\x11" /**< id-ce-subjectAltName OBJECT IDENTIFIER ::= { id-ce 17 } */
+#define OID_ISSUER_ALT_NAME OID_ID_CE "\x12" /**< id-ce-issuerAltName OBJECT IDENTIFIER ::= { id-ce 18 } */
+#define OID_SUBJECT_DIRECTORY_ATTRS OID_ID_CE "\x09" /**< id-ce-subjectDirectoryAttributes OBJECT IDENTIFIER ::= { id-ce 9 } */
+#define OID_BASIC_CONSTRAINTS OID_ID_CE "\x13" /**< id-ce-basicConstraints OBJECT IDENTIFIER ::= { id-ce 19 } */
+#define OID_NAME_CONSTRAINTS OID_ID_CE "\x1E" /**< id-ce-nameConstraints OBJECT IDENTIFIER ::= { id-ce 30 } */
+#define OID_POLICY_CONSTRAINTS OID_ID_CE "\x24" /**< id-ce-policyConstraints OBJECT IDENTIFIER ::= { id-ce 36 } */
+#define OID_EXTENDED_KEY_USAGE OID_ID_CE "\x25" /**< id-ce-extKeyUsage OBJECT IDENTIFIER ::= { id-ce 37 } */
+#define OID_CRL_DISTRIBUTION_POINTS OID_ID_CE "\x1F" /**< id-ce-cRLDistributionPoints OBJECT IDENTIFIER ::= { id-ce 31 } */
+#define OID_INIHIBIT_ANYPOLICY OID_ID_CE "\x36" /**< id-ce-inhibitAnyPolicy OBJECT IDENTIFIER ::= { id-ce 54 } */
+#define OID_FRESHEST_CRL OID_ID_CE "\x2E" /**< id-ce-freshestCRL OBJECT IDENTIFIER ::= { id-ce 46 } */
+
+/*
+ * Netscape certificate extensions
+ */
+#define OID_NS_CERT OID_NETSCAPE "\x01"
+#define OID_NS_CERT_TYPE OID_NS_CERT "\x01"
+#define OID_NS_BASE_URL OID_NS_CERT "\x02"
+#define OID_NS_REVOCATION_URL OID_NS_CERT "\x03"
+#define OID_NS_CA_REVOCATION_URL OID_NS_CERT "\x04"
+#define OID_NS_RENEWAL_URL OID_NS_CERT "\x07"
+#define OID_NS_CA_POLICY_URL OID_NS_CERT "\x08"
+#define OID_NS_SSL_SERVER_NAME OID_NS_CERT "\x0C"
+#define OID_NS_COMMENT OID_NS_CERT "\x0D"
+#define OID_NS_DATA_TYPE OID_NETSCAPE "\x02"
+#define OID_NS_CERT_SEQUENCE OID_NS_DATA_TYPE "\x05"
+
+/*
+ * OIDs for CRL extensions
+ */
+#define OID_PRIVATE_KEY_USAGE_PERIOD OID_ID_CE "\x10"
+#define OID_CRL_NUMBER OID_ID_CE "\x14" /**< id-ce-cRLNumber OBJECT IDENTIFIER ::= { id-ce 20 } */
+
+/*
+ * X.509 v3 Extended key usage OIDs
+ */
+#define OID_ANY_EXTENDED_KEY_USAGE OID_EXTENDED_KEY_USAGE "\x00" /**< anyExtendedKeyUsage OBJECT IDENTIFIER ::= { id-ce-extKeyUsage 0 } */
+
+#define OID_KP OID_PKIX "\x03" /**< id-kp OBJECT IDENTIFIER ::= { id-pkix 3 } */
+#define OID_SERVER_AUTH OID_KP "\x01" /**< id-kp-serverAuth OBJECT IDENTIFIER ::= { id-kp 1 } */
+#define OID_CLIENT_AUTH OID_KP "\x02" /**< id-kp-clientAuth OBJECT IDENTIFIER ::= { id-kp 2 } */
+#define OID_CODE_SIGNING OID_KP "\x03" /**< id-kp-codeSigning OBJECT IDENTIFIER ::= { id-kp 3 } */
+#define OID_EMAIL_PROTECTION OID_KP "\x04" /**< id-kp-emailProtection OBJECT IDENTIFIER ::= { id-kp 4 } */
+#define OID_TIME_STAMPING OID_KP "\x08" /**< id-kp-timeStamping OBJECT IDENTIFIER ::= { id-kp 8 } */
+#define OID_OCSP_SIGNING OID_KP "\x09" /**< id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 } */
+
+#define OID_PKCS OID_RSA_COMPANY "\x01" /**< pkcs OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) 1 } */
+#define OID_PKCS1 OID_PKCS "\x01" /**< pkcs-1 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 1 } */
+#define OID_PKCS9 OID_PKCS "\x09" /**< pkcs-9 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 9 } */
+
+#define OID_PKCS1_RSA OID_PKCS1 "\x01" /**< rsaEncryption OBJECT IDENTIFIER ::= { pkcs-1 1 } */
+#define OID_PKCS1_MD2 OID_PKCS1 "\x02" /**< md2WithRSAEncryption ::= { pkcs-1 2 } */
+#define OID_PKCS1_MD4 OID_PKCS1 "\x03" /**< md4WithRSAEncryption ::= { pkcs-1 3 } */
+#define OID_PKCS1_MD5 OID_PKCS1 "\x04" /**< md5WithRSAEncryption ::= { pkcs-1 4 } */
+#define OID_PKCS1_SHA1 OID_PKCS1 "\x05" /**< sha1WithRSAEncryption ::= { pkcs-1 5 } */
+#define OID_PKCS1_SHA224 OID_PKCS1 "\x0e" /**< sha224WithRSAEncryption ::= { pkcs-1 14 } */
+#define OID_PKCS1_SHA256 OID_PKCS1 "\x0b" /**< sha256WithRSAEncryption ::= { pkcs-1 11 } */
+#define OID_PKCS1_SHA384 OID_PKCS1 "\x0c" /**< sha384WithRSAEncryption ::= { pkcs-1 12 } */
+#define OID_PKCS1_SHA512 OID_PKCS1 "\x0d" /**< sha512WithRSAEncryption ::= { pkcs-1 13 } */
+
+#define OID_RSA_SHA_OBS "\x2B\x0E\x03\x02\x1D"
+
+#define OID_PKCS9_EMAIL OID_PKCS9 "\x01" /**< emailAddress AttributeType ::= { pkcs-9 1 } */
+
+#define OID_DIGEST_ALG_MD2 OID_RSA_COMPANY "\x02\x02" /**< id-md2 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 2 } */
+#define OID_DIGEST_ALG_MD4 OID_RSA_COMPANY "\x02\x04" /**< id-md4 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 4 } */
+#define OID_DIGEST_ALG_MD5 OID_RSA_COMPANY "\x02\x05" /**< id-md5 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 5 } */
+#define OID_DIGEST_ALG_SHA1 OID_ISO_IDENTIFIED_ORG OID_OIW_SECSIG_SHA1 /**< id-sha1 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) oiw(14) secsig(3) algorithms(2) 26 } */
+#define OID_DIGEST_ALG_SHA224 OID_GOV "\x03\x04\x02\x04" /**< id-sha224 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 4 } */
+#define OID_DIGEST_ALG_SHA256 OID_GOV "\x03\x04\x02\x01" /**< id-sha256 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 1 } */
+
+#define OID_DIGEST_ALG_SHA384 OID_GOV "\x03\x04\x02\x02" /**< id-sha384 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 2 } */
+
+#define OID_DIGEST_ALG_SHA512 OID_GOV "\x03\x04\x02\x03" /**< id-sha512 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 3 } */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief Base OID descriptor structure
+ */
+typedef struct {
+ const char *asn1; /*!< OID ASN.1 representation */
+ const char *name; /*!< official name (e.g. from RFC) */
+ const char *description; /*!< human friendly description */
+} oid_descriptor_t;
+
+/**
+ * \brief Translate an ASN.1 OID into its numeric representation
+ * (e.g. "\x2A\x86\x48\x86\xF7\x0D" into "1.2.840.113549")
+ *
+ * \param buf buffer to put representation in
+ * \param size size of the buffer
+ * \param oid OID to translate
+ *
+ * \return POLARSSL_ERR_DEBUG_BUF_TOO_SMALL or actual length used
+ */
+int oid_get_numeric_string( char *buf, size_t size, const asn1_buf *oid );
+
+/**
+ * \brief Translate an X.509 extension OID into local values
+ *
+ * \param oid OID to use
+ * \param ext_type place to store the extension type
+ *
+ * \return 0 if successful, or POLARSSL_ERR_OID_NOT_FOUND
+ */
+int oid_get_x509_ext_type( const asn1_buf *oid, int *ext_type );
+
+/**
+ * \brief Translate an X.509 attribute type OID into the short name
+ * (e.g. the OID for an X520 Common Name into "CN")
+ *
+ * \param oid OID to use
+ * \param short_name place to store the string pointer
+ *
+ * \return 0 if successful, or POLARSSL_ERR_OID_NOT_FOUND
+ */
+int oid_get_attr_short_name( const asn1_buf *oid, const char **short_name );
+
+/**
+ * \brief Translate PublicKeyAlgorithm OID into pk_type
+ *
+ * \param oid OID to use
+ * \param pk_alg place to store public key algorithm
+ *
+ * \return 0 if successful, or POLARSSL_ERR_OID_NOT_FOUND
+ */
+int oid_get_pk_alg( const asn1_buf *oid, pk_type_t *pk_alg );
+
+/**
+ * \brief Translate SignatureAlgorithm OID into md_type and pk_type
+ *
+ * \param oid OID to use
+ * \param md_alg place to store message digest algorithm
+ * \param pk_alg place to store public key algorithm
+ *
+ * \return 0 if successful, or POLARSSL_ERR_OID_NOT_FOUND
+ */
+int oid_get_sig_alg( const asn1_buf *oid,
+ md_type_t *md_alg, pk_type_t *pk_alg );
+
+/**
+ * \brief Translate SignatureAlgorithm OID into description
+ *
+ * \param oid OID to use
+ * \param desc place to store string pointer
+ *
+ * \return 0 if successful, or POLARSSL_ERR_OID_NOT_FOUND
+ */
+int oid_get_sig_alg_desc( const asn1_buf *oid, const char **desc );
+
+/**
+ * \brief Translate md_type and pk_type into SignatureAlgorithm OID
+ *
+ * \param md_alg message digest algorithm
+ * \param pk_alg public key algorithm
+ * \param oid place to store ASN.1 OID string pointer
+ *
+ * \return 0 if successful, or POLARSSL_ERR_OID_NOT_FOUND
+ */
+int oid_get_oid_by_sig_alg( pk_type_t pk_alg, md_type_t md_alg,
+ const char **oid_str );
+
+/**
+ * \brief Translate hash algorithm OID into md_type
+ *
+ * \param oid OID to use
+ * \param md_alg place to store message digest algorithm
+ *
+ * \return 0 if successful, or POLARSSL_ERR_OID_NOT_FOUND
+ */
+int oid_get_md_alg( const asn1_buf *oid, md_type_t *md_alg );
+
+/**
+ * \brief Translate Extended Key Usage OID into description
+ *
+ * \param oid OID to use
+ * \param desc place to store string pointer
+ *
+ * \return 0 if successful, or POLARSSL_ERR_OID_NOT_FOUND
+ */
+int oid_get_extended_key_usage( const asn1_buf *oid, const char **desc );
+
+/**
+ * \brief Translate md_type into hash algorithm OID
+ *
+ * \param md_alg message digest algorithm
+ * \param oid place to store ASN.1 OID string pointer
+ *
+ * \return 0 if successful, or POLARSSL_ERR_OID_NOT_FOUND
+ */
+int oid_get_oid_by_md( md_type_t md_alg, const char **oid_str );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* oid.h */
diff --git a/include/polarssl/rsa.h b/include/polarssl/rsa.h
index f9a0220..8342eec 100644
--- a/include/polarssl/rsa.h
+++ b/include/polarssl/rsa.h
@@ -28,6 +28,7 @@
#define POLARSSL_RSA_H
#include "bignum.h"
+#include "md.h"
/*
* RSA Error codes
@@ -43,18 +44,8 @@
#define POLARSSL_ERR_RSA_RNG_FAILED -0x4480 /**< The random generator failed to generate non-zeros. */
/*
- * PKCS#1 constants
+ * RSA constants
*/
-#define SIG_RSA_RAW 0
-#define SIG_RSA_MD2 2
-#define SIG_RSA_MD4 3
-#define SIG_RSA_MD5 4
-#define SIG_RSA_SHA1 5
-#define SIG_RSA_SHA224 14
-#define SIG_RSA_SHA256 11
-#define SIG_RSA_SHA384 12
-#define SIG_RSA_SHA512 13
-
#define RSA_PUBLIC 0
#define RSA_PRIVATE 1
@@ -64,71 +55,6 @@
#define RSA_SIGN 1
#define RSA_CRYPT 2
-#define ASN1_STR_CONSTRUCTED_SEQUENCE "\x30"
-#define ASN1_STR_NULL "\x05"
-#define ASN1_STR_OID "\x06"
-#define ASN1_STR_OCTET_STRING "\x04"
-
-#define OID_DIGEST_ALG_MDX "\x2A\x86\x48\x86\xF7\x0D\x02\x00"
-#define OID_HASH_ALG_SHA1 "\x2b\x0e\x03\x02\x1a"
-#define OID_HASH_ALG_SHA2X "\x60\x86\x48\x01\x65\x03\x04\x02\x00"
-
-#define OID_ISO_MEMBER_BODIES "\x2a"
-#define OID_ISO_IDENTIFIED_ORG "\x2b"
-
-/*
- * ISO Member bodies OID parts
- */
-#define OID_COUNTRY_US "\x86\x48"
-#define OID_RSA_DATA_SECURITY "\x86\xf7\x0d"
-
-/*
- * ISO Identified organization OID parts
- */
-#define OID_OIW_SECSIG_SHA1 "\x0e\x03\x02\x1a"
-
-/*
- * DigestInfo ::= SEQUENCE {
- * digestAlgorithm DigestAlgorithmIdentifier,
- * digest Digest }
- *
- * DigestAlgorithmIdentifier ::= AlgorithmIdentifier
- *
- * Digest ::= OCTET STRING
- */
-#define ASN1_HASH_MDX \
-( \
- ASN1_STR_CONSTRUCTED_SEQUENCE "\x20" \
- ASN1_STR_CONSTRUCTED_SEQUENCE "\x0C" \
- ASN1_STR_OID "\x08" \
- OID_DIGEST_ALG_MDX \
- ASN1_STR_NULL "\x00" \
- ASN1_STR_OCTET_STRING "\x10" \
-)
-
-#define ASN1_HASH_SHA1 \
- ASN1_STR_CONSTRUCTED_SEQUENCE "\x21" \
- ASN1_STR_CONSTRUCTED_SEQUENCE "\x09" \
- ASN1_STR_OID "\x05" \
- OID_HASH_ALG_SHA1 \
- ASN1_STR_NULL "\x00" \
- ASN1_STR_OCTET_STRING "\x14"
-
-#define ASN1_HASH_SHA1_ALT \
- ASN1_STR_CONSTRUCTED_SEQUENCE "\x1F" \
- ASN1_STR_CONSTRUCTED_SEQUENCE "\x07" \
- ASN1_STR_OID "\x05" \
- OID_HASH_ALG_SHA1 \
- ASN1_STR_OCTET_STRING "\x14"
-
-#define ASN1_HASH_SHA2X \
- ASN1_STR_CONSTRUCTED_SEQUENCE "\x11" \
- ASN1_STR_CONSTRUCTED_SEQUENCE "\x0d" \
- ASN1_STR_OID "\x09" \
- OID_HASH_ALG_SHA2X \
- ASN1_STR_NULL "\x00" \
- ASN1_STR_OCTET_STRING "\x00"
-
/**
* \brief RSA context structure
*/
@@ -410,8 +336,8 @@
* \param f_rng RNG function (Needed for PKCS#1 v2.1 encoding)
* \param p_rng RNG parameter
* \param mode RSA_PUBLIC or RSA_PRIVATE
- * \param hash_id SIG_RSA_RAW, SIG_RSA_MD{2,4,5} or SIG_RSA_SHA{1,224,256,384,512}
- * \param hashlen message digest length (for SIG_RSA_RAW only)
+ * \param md_alg a POLARSSL_MD_* (use POLARSSL_MD_NONE for signing raw data)
+ * \param hashlen message digest length (for POLARSSL_MD_NONE only)
* \param hash buffer holding the message digest
* \param sig buffer that will hold the ciphertext
*
@@ -431,7 +357,7 @@
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng,
int mode,
- int hash_id,
+ md_type_t md_alg,
unsigned int hashlen,
const unsigned char *hash,
unsigned char *sig );
@@ -441,8 +367,8 @@
*
* \param ctx RSA context
* \param mode RSA_PUBLIC or RSA_PRIVATE
- * \param hash_id SIG_RSA_RAW, SIG_RSA_MD{2,4,5} or SIG_RSA_SHA{1,224,256,384,512}
- * \param hashlen message digest length (for SIG_RSA_RAW only)
+ * \param md_alg a POLARSSL_MD_* (use POLARSSL_MD_NONE for signing raw data)
+ * \param hashlen message digest length (for POLARSSL_MD_NONE only)
* \param hash buffer holding the message digest
* \param sig buffer that will hold the ciphertext
*
@@ -454,7 +380,7 @@
*/
int rsa_rsassa_pkcs1_v15_sign( rsa_context *ctx,
int mode,
- int hash_id,
+ md_type_t md_alg,
unsigned int hashlen,
const unsigned char *hash,
unsigned char *sig );
@@ -466,8 +392,8 @@
* \param f_rng RNG function (Needed for PKCS#1 v2.1 encoding)
* \param p_rng RNG parameter
* \param mode RSA_PUBLIC or RSA_PRIVATE
- * \param hash_id SIG_RSA_RAW, SIG_RSA_MD{2,4,5} or SIG_RSA_SHA{1,224,256,384,512}
- * \param hashlen message digest length (for SIG_RSA_RAW only)
+ * \param md_alg a POLARSSL_MD_* (use POLARSSL_MD_NONE for signing raw data)
+ * \param hashlen message digest length (for POLARSSL_MD_NONE only)
* \param hash buffer holding the message digest
* \param sig buffer that will hold the ciphertext
*
@@ -487,7 +413,7 @@
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng,
int mode,
- int hash_id,
+ md_type_t md_alg,
unsigned int hashlen,
const unsigned char *hash,
unsigned char *sig );
@@ -499,8 +425,8 @@
*
* \param ctx points to an RSA public key
* \param mode RSA_PUBLIC or RSA_PRIVATE
- * \param hash_id SIG_RSA_RAW, SIG_RSA_MD{2,4,5} or SIG_RSA_SHA{1,224,256,384,512}
- * \param hashlen message digest length (for SIG_RSA_RAW only)
+ * \param md_alg a POLARSSL_MD_* (use POLARSSL_MD_NONE for signing raw data)
+ * \param hashlen message digest length (for POLARSSL_MD_NONE only)
* \param hash buffer holding the message digest
* \param sig buffer holding the ciphertext
*
@@ -518,7 +444,7 @@
*/
int rsa_pkcs1_verify( rsa_context *ctx,
int mode,
- int hash_id,
+ md_type_t md_alg,
unsigned int hashlen,
const unsigned char *hash,
unsigned char *sig );
@@ -528,8 +454,8 @@
*
* \param ctx points to an RSA public key
* \param mode RSA_PUBLIC or RSA_PRIVATE
- * \param hash_id SIG_RSA_RAW, SIG_RSA_MD{2,4,5} or SIG_RSA_SHA{1,224,256,384,512}
- * \param hashlen message digest length (for SIG_RSA_RAW only)
+ * \param md_alg a POLARSSL_MD_* (use POLARSSL_MD_NONE for signing raw data)
+ * \param hashlen message digest length (for POLARSSL_MD_NONE only)
* \param hash buffer holding the message digest
* \param sig buffer holding the ciphertext
*
@@ -541,7 +467,7 @@
*/
int rsa_rsassa_pkcs1_v15_verify( rsa_context *ctx,
int mode,
- int hash_id,
+ md_type_t md_alg,
unsigned int hashlen,
const unsigned char *hash,
unsigned char *sig );
@@ -552,8 +478,8 @@
*
* \param ctx points to an RSA public key
* \param mode RSA_PUBLIC or RSA_PRIVATE
- * \param hash_id SIG_RSA_RAW, SIG_RSA_MD{2,4,5} or SIG_RSA_SHA{1,224,256,384,512}
- * \param hashlen message digest length (for SIG_RSA_RAW only)
+ * \param md_alg a POLARSSL_MD_* (use POLARSSL_MD_NONE for signing raw data)
+ * \param hashlen message digest length (for POLARSSL_MD_NONE only)
* \param hash buffer holding the message digest
* \param sig buffer holding the ciphertext
*
@@ -571,7 +497,7 @@
*/
int rsa_rsassa_pss_verify( rsa_context *ctx,
int mode,
- int hash_id,
+ md_type_t md_alg,
unsigned int hashlen,
const unsigned char *hash,
unsigned char *sig );
diff --git a/include/polarssl/x509.h b/include/polarssl/x509.h
index 87151c9..fe43795 100644
--- a/include/polarssl/x509.h
+++ b/include/polarssl/x509.h
@@ -30,6 +30,7 @@
#include "asn1.h"
#include "rsa.h"
#include "dhm.h"
+#include "md.h"
/**
* \addtogroup x509_module
@@ -64,7 +65,6 @@
#define POLARSSL_ERR_X509_FILE_IO_ERROR -0x2B00 /**< Read/write of file failed. */
/* \} name */
-
/**
* \name X509 Verify codes
* \{
@@ -82,69 +82,6 @@
/* \} addtogroup x509_module */
/*
- * various object identifiers
- */
-#define X520_COMMON_NAME 3
-#define X520_COUNTRY 6
-#define X520_LOCALITY 7
-#define X520_STATE 8
-#define X520_ORGANIZATION 10
-#define X520_ORG_UNIT 11
-#define PKCS9_EMAIL 1
-
-#define X509_OUTPUT_DER 0x01
-#define X509_OUTPUT_PEM 0x02
-#define PEM_LINE_LENGTH 72
-#define X509_ISSUER 0x01
-#define X509_SUBJECT 0x02
-
-#define OID_X520 "\x55\x04"
-#define OID_CN OID_X520 "\x03"
-#define OID_COUNTRY OID_X520 "\x06"
-#define OID_LOCALITY OID_X520 "\x07"
-#define OID_STATE OID_X520 "\x08"
-#define OID_ORGANIZATION OID_X520 "\x0A"
-#define OID_ORG_UNIT OID_X520 "\x0B"
-
-#define OID_PKCS1 "\x2A\x86\x48\x86\xF7\x0D\x01\x01"
-#define OID_PKCS1_RSA OID_PKCS1 "\x01"
-#define OID_PKCS1_SHA1 OID_PKCS1 "\x05"
-
-#define OID_RSA_SHA_OBS "\x2B\x0E\x03\x02\x1D"
-
-#define OID_PKCS9 "\x2A\x86\x48\x86\xF7\x0D\x01\x09"
-#define OID_PKCS9_EMAIL OID_PKCS9 "\x01"
-
-/** ISO arc for standard certificate and CRL extensions */
-#define OID_ID_CE "\x55\x1D" /**< id-ce OBJECT IDENTIFIER ::= {joint-iso-ccitt(2) ds(5) 29} */
-
-/**
- * Private Internet Extensions
- * { iso(1) identified-organization(3) dod(6) internet(1)
- * security(5) mechanisms(5) pkix(7) }
- */
-#define OID_PKIX "\x2B\x06\x01\x05\x05\x07"
-
-/*
- * OIDs for standard certificate extensions
- */
-#define OID_AUTHORITY_KEY_IDENTIFIER OID_ID_CE "\x23" /**< id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 35 } */
-#define OID_SUBJECT_KEY_IDENTIFIER OID_ID_CE "\x0E" /**< id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 14 } */
-#define OID_KEY_USAGE OID_ID_CE "\x0F" /**< id-ce-keyUsage OBJECT IDENTIFIER ::= { id-ce 15 } */
-#define OID_CERTIFICATE_POLICIES OID_ID_CE "\x20" /**< id-ce-certificatePolicies OBJECT IDENTIFIER ::= { id-ce 32 } */
-#define OID_POLICY_MAPPINGS OID_ID_CE "\x21" /**< id-ce-policyMappings OBJECT IDENTIFIER ::= { id-ce 33 } */
-#define OID_SUBJECT_ALT_NAME OID_ID_CE "\x11" /**< id-ce-subjectAltName OBJECT IDENTIFIER ::= { id-ce 17 } */
-#define OID_ISSUER_ALT_NAME OID_ID_CE "\x12" /**< id-ce-issuerAltName OBJECT IDENTIFIER ::= { id-ce 18 } */
-#define OID_SUBJECT_DIRECTORY_ATTRS OID_ID_CE "\x09" /**< id-ce-subjectDirectoryAttributes OBJECT IDENTIFIER ::= { id-ce 9 } */
-#define OID_BASIC_CONSTRAINTS OID_ID_CE "\x13" /**< id-ce-basicConstraints OBJECT IDENTIFIER ::= { id-ce 19 } */
-#define OID_NAME_CONSTRAINTS OID_ID_CE "\x1E" /**< id-ce-nameConstraints OBJECT IDENTIFIER ::= { id-ce 30 } */
-#define OID_POLICY_CONSTRAINTS OID_ID_CE "\x24" /**< id-ce-policyConstraints OBJECT IDENTIFIER ::= { id-ce 36 } */
-#define OID_EXTENDED_KEY_USAGE OID_ID_CE "\x25" /**< id-ce-extKeyUsage OBJECT IDENTIFIER ::= { id-ce 37 } */
-#define OID_CRL_DISTRIBUTION_POINTS OID_ID_CE "\x1F" /**< id-ce-cRLDistributionPoints OBJECT IDENTIFIER ::= { id-ce 31 } */
-#define OID_INIHIBIT_ANYPOLICY OID_ID_CE "\x36" /**< id-ce-inhibitAnyPolicy OBJECT IDENTIFIER ::= { id-ce 54 } */
-#define OID_FRESHEST_CRL OID_ID_CE "\x2E" /**< id-ce-freshestCRL OBJECT IDENTIFIER ::= { id-ce 46 } */
-
-/*
* X.509 v3 Key Usage Extension flags
*/
#define KU_DIGITAL_SIGNATURE (0x80) /* bit 0 */
@@ -156,48 +93,6 @@
#define KU_CRL_SIGN (0x02) /* bit 6 */
/*
- * X.509 v3 Extended key usage OIDs
- */
-#define OID_ANY_EXTENDED_KEY_USAGE OID_EXTENDED_KEY_USAGE "\x00" /**< anyExtendedKeyUsage OBJECT IDENTIFIER ::= { id-ce-extKeyUsage 0 } */
-
-#define OID_KP OID_PKIX "\x03" /**< id-kp OBJECT IDENTIFIER ::= { id-pkix 3 } */
-#define OID_SERVER_AUTH OID_KP "\x01" /**< id-kp-serverAuth OBJECT IDENTIFIER ::= { id-kp 1 } */
-#define OID_CLIENT_AUTH OID_KP "\x02" /**< id-kp-clientAuth OBJECT IDENTIFIER ::= { id-kp 2 } */
-#define OID_CODE_SIGNING OID_KP "\x03" /**< id-kp-codeSigning OBJECT IDENTIFIER ::= { id-kp 3 } */
-#define OID_EMAIL_PROTECTION OID_KP "\x04" /**< id-kp-emailProtection OBJECT IDENTIFIER ::= { id-kp 4 } */
-#define OID_TIME_STAMPING OID_KP "\x08" /**< id-kp-timeStamping OBJECT IDENTIFIER ::= { id-kp 8 } */
-#define OID_OCSP_SIGNING OID_KP "\x09" /**< id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 } */
-
-#define STRING_SERVER_AUTH "TLS Web Server Authentication"
-#define STRING_CLIENT_AUTH "TLS Web Client Authentication"
-#define STRING_CODE_SIGNING "Code Signing"
-#define STRING_EMAIL_PROTECTION "E-mail Protection"
-#define STRING_TIME_STAMPING "Time Stamping"
-#define STRING_OCSP_SIGNING "OCSP Signing"
-
-/*
- * OIDs for CRL extensions
- */
-#define OID_PRIVATE_KEY_USAGE_PERIOD OID_ID_CE "\x10"
-#define OID_CRL_NUMBER OID_ID_CE "\x14" /**< id-ce-cRLNumber OBJECT IDENTIFIER ::= { id-ce 20 } */
-
-/*
- * Netscape certificate extensions
- */
-#define OID_NETSCAPE "\x60\x86\x48\x01\x86\xF8\x42" /**< Netscape OID */
-#define OID_NS_CERT OID_NETSCAPE "\x01"
-#define OID_NS_CERT_TYPE OID_NS_CERT "\x01"
-#define OID_NS_BASE_URL OID_NS_CERT "\x02"
-#define OID_NS_REVOCATION_URL OID_NS_CERT "\x03"
-#define OID_NS_CA_REVOCATION_URL OID_NS_CERT "\x04"
-#define OID_NS_RENEWAL_URL OID_NS_CERT "\x07"
-#define OID_NS_CA_POLICY_URL OID_NS_CERT "\x08"
-#define OID_NS_SSL_SERVER_NAME OID_NS_CERT "\x0C"
-#define OID_NS_COMMENT OID_NS_CERT "\x0D"
-#define OID_NS_DATA_TYPE OID_NETSCAPE "\x02"
-#define OID_NS_CERT_SEQUENCE OID_NS_DATA_TYPE "\x05"
-
-/*
* Netscape certificate types
* (http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn3.html)
*/
@@ -211,6 +106,9 @@
#define NS_CERT_TYPE_EMAIL_CA (0x02) /* bit 6 */
#define NS_CERT_TYPE_OBJECT_SIGNING_CA (0x01) /* bit 7 */
+/*
+ * X.509 extension types
+ */
#define EXT_AUTHORITY_KEY_IDENTIFIER (1 << 0)
#define EXT_SUBJECT_KEY_IDENTIFIER (1 << 1)
#define EXT_KEY_USAGE (1 << 2)
@@ -236,6 +134,12 @@
#define X509_FORMAT_DER 1
#define X509_FORMAT_PEM 2
+typedef enum {
+ POLARSSL_PK_NONE=0,
+ POLARSSL_PK_RSA,
+ POLARSSL_PK_ECDSA,
+} pk_type_t;
+
/**
* \addtogroup x509_module
* \{ */
@@ -321,7 +225,8 @@
x509_buf sig_oid2; /**< Signature algorithm. Must match sig_oid1. */
x509_buf sig; /**< Signature: hash of the tbs part signed with the private key. */
- int sig_alg; /**< Internal representation of the signature algorithm, e.g. SIG_RSA_MD2 */
+ md_type_t sig_md; /**< Internal representation of the MD algorithm of the signature algorithm, e.g. POLARSSL_MD_SHA256 */
+ pk_type_t sig_pk /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. POLARSSL_PK_RSA */;
struct _x509_cert *next; /**< Next certificate in the CA-chain. */
}
@@ -370,7 +275,8 @@
x509_buf sig_oid2;
x509_buf sig;
- int sig_alg;
+ md_type_t sig_md; /**< Internal representation of the MD algorithm of the signature algorithm, e.g. POLARSSL_MD_SHA256 */
+ pk_type_t sig_pk /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. POLARSSL_PK_RSA */;
struct _x509_crl *next;
}
diff --git a/include/polarssl/x509write.h b/include/polarssl/x509write.h
index 8ce3d86..9d43efb 100644
--- a/include/polarssl/x509write.h
+++ b/include/polarssl/x509write.h
@@ -41,6 +41,6 @@
int x509_write_pubkey_der( unsigned char *buf, size_t size, rsa_context *rsa );
int x509_write_key_der( unsigned char *buf, size_t size, rsa_context *rsa );
int x509_write_cert_req( unsigned char *buf, size_t size, rsa_context *rsa,
- x509_req_name *req_name, int hash_id );
+ x509_req_name *req_name, md_type_t md_alg );
#endif /* POLARSSL_X509_WRITE_H */