TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / refs/heads/polarssl-0.10 / . / include / polarssl / x509.h
blob: 832752d6e7966b5f66bb15d74764141c856ad3c8 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/**
2 * \file x509.h
Paul Bakkere0ccd0a2009-01-04 16:27:10 +0000[diff] [blame]3 *
4 * Based on XySSL: Copyright (C) 2006-2008 Christophe Devine
5 *
Paul Bakker27db1f52009-01-25 15:27:00 +0000[diff] [blame]6 * Copyright (C) 2009 Paul Bakker <polarssl_maintainer at polarssl dot org>
Paul Bakkere0ccd0a2009-01-04 16:27:10 +0000[diff] [blame]7 *
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License along
19 * with this program; if not, write to the Free Software Foundation, Inc.,
20 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]21 */
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]22#ifndef POLARSSL_X509_H
23#define POLARSSL_X509_H
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]24
Paul Bakker8e831ed2009-01-03 21:24:11 +0000[diff] [blame]25#include "polarssl/rsa.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]26
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]27#define POLARSSL_ERR_ASN1_OUT_OF_DATA -0x0014
28#define POLARSSL_ERR_ASN1_UNEXPECTED_TAG -0x0016
29#define POLARSSL_ERR_ASN1_INVALID_LENGTH -0x0018
30#define POLARSSL_ERR_ASN1_LENGTH_MISMATCH -0x001A
31#define POLARSSL_ERR_ASN1_INVALID_DATA -0x001C
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]32
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]33#define POLARSSL_ERR_X509_FEATURE_UNAVAILABLE -0x0020
34#define POLARSSL_ERR_X509_CERT_INVALID_PEM -0x0040
35#define POLARSSL_ERR_X509_CERT_INVALID_FORMAT -0x0060
36#define POLARSSL_ERR_X509_CERT_INVALID_VERSION -0x0080
37#define POLARSSL_ERR_X509_CERT_INVALID_SERIAL -0x00A0
38#define POLARSSL_ERR_X509_CERT_INVALID_ALG -0x00C0
39#define POLARSSL_ERR_X509_CERT_INVALID_NAME -0x00E0
40#define POLARSSL_ERR_X509_CERT_INVALID_DATE -0x0100
41#define POLARSSL_ERR_X509_CERT_INVALID_PUBKEY -0x0120
42#define POLARSSL_ERR_X509_CERT_INVALID_SIGNATURE -0x0140
43#define POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS -0x0160
44#define POLARSSL_ERR_X509_CERT_UNKNOWN_VERSION -0x0180
45#define POLARSSL_ERR_X509_CERT_UNKNOWN_SIG_ALG -0x01A0
46#define POLARSSL_ERR_X509_CERT_UNKNOWN_PK_ALG -0x01C0
47#define POLARSSL_ERR_X509_CERT_SIG_MISMATCH -0x01E0
48#define POLARSSL_ERR_X509_CERT_VERIFY_FAILED -0x0200
49#define POLARSSL_ERR_X509_KEY_INVALID_PEM -0x0220
50#define POLARSSL_ERR_X509_KEY_INVALID_VERSION -0x0240
51#define POLARSSL_ERR_X509_KEY_INVALID_FORMAT -0x0260
52#define POLARSSL_ERR_X509_KEY_INVALID_ENC_IV -0x0280
53#define POLARSSL_ERR_X509_KEY_UNKNOWN_ENC_ALG -0x02A0
54#define POLARSSL_ERR_X509_KEY_PASSWORD_REQUIRED -0x02C0
55#define POLARSSL_ERR_X509_KEY_PASSWORD_MISMATCH -0x02E0
56#define POLARSSL_ERR_X509_POINT_ERROR -0x0300
57#define POLARSSL_ERR_X509_VALUE_TO_LENGTH -0x0320
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]58
59#define BADCERT_EXPIRED 1
60#define BADCERT_REVOKED 2
61#define BADCERT_CN_MISMATCH 4
62#define BADCERT_NOT_TRUSTED 8
63
64/*
65 * DER constants
66 */
67#define ASN1_BOOLEAN 0x01
68#define ASN1_INTEGER 0x02
69#define ASN1_BIT_STRING 0x03
70#define ASN1_OCTET_STRING 0x04
71#define ASN1_NULL 0x05
72#define ASN1_OID 0x06
73#define ASN1_UTF8_STRING 0x0C
74#define ASN1_SEQUENCE 0x10
75#define ASN1_SET 0x11
76#define ASN1_PRINTABLE_STRING 0x13
77#define ASN1_T61_STRING 0x14
78#define ASN1_IA5_STRING 0x16
79#define ASN1_UTC_TIME 0x17
80#define ASN1_UNIVERSAL_STRING 0x1C
81#define ASN1_BMP_STRING 0x1E
82#define ASN1_PRIMITIVE 0x00
83#define ASN1_CONSTRUCTED 0x20
84#define ASN1_CONTEXT_SPECIFIC 0x80
85
86/*
87 * various object identifiers
88 */
89#define X520_COMMON_NAME 3
90#define X520_COUNTRY 6
91#define X520_LOCALITY 7
92#define X520_STATE 8
93#define X520_ORGANIZATION 10
94#define X520_ORG_UNIT 11
95#define PKCS9_EMAIL 1
96
97#define X509_OUTPUT_DER 0x01
98#define X509_OUTPUT_PEM 0x02
99#define PEM_LINE_LENGTH 72
100#define X509_ISSUER 0x01
101#define X509_SUBJECT 0x02
102
103#define OID_X520 "\x55\x04"
104#define OID_CN "\x55\x04\x03"
105#define OID_PKCS1 "\x2A\x86\x48\x86\xF7\x0D\x01\x01"
106#define OID_PKCS1_RSA "\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01"
107#define OID_PKCS1_RSA_SHA "\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05"
108#define OID_PKCS9 "\x2A\x86\x48\x86\xF7\x0D\x01\x09"
109#define OID_PKCS9_EMAIL "\x2A\x86\x48\x86\xF7\x0D\x01\x09\x01"
110
111/*
112 * Structures for parsing X.509 certificates
113 */
114typedef struct _x509_buf
115{
116 int tag;
117 int len;
118 unsigned char *p;
119}
120x509_buf;
121
122typedef struct _x509_name
123{
124 x509_buf oid;
125 x509_buf val;
126 struct _x509_name *next;
127}
128x509_name;
129
130typedef struct _x509_time
131{
132 int year, mon, day;
133 int hour, min, sec;
134}
135x509_time;
136
137typedef struct _x509_cert
138{
139 x509_buf raw;
140 x509_buf tbs;
141
142 int version;
143 x509_buf serial;
144 x509_buf sig_oid1;
145
146 x509_buf issuer_raw;
147 x509_buf subject_raw;
148
149 x509_name issuer;
150 x509_name subject;
151
152 x509_time valid_from;
153 x509_time valid_to;
154
155 x509_buf pk_oid;
156 rsa_context rsa;
157
158 x509_buf issuer_id;
159 x509_buf subject_id;
160 x509_buf v3_ext;
161
162 int ca_istrue;
163 int max_pathlen;
164
165 x509_buf sig_oid2;
166 x509_buf sig;
167
168 struct _x509_cert *next;
169}
170x509_cert;
171
172/*
173 * Structures for writing X.509 certificates
174 */
175typedef struct _x509_node
176{
177 unsigned char *data;
178 unsigned char *p;
179 unsigned char *end;
180
181 size_t len;
182}
183x509_node;
184
185typedef struct _x509_raw
186{
187 x509_node raw;
188 x509_node tbs;
189
190 x509_node version;
191 x509_node serial;
192 x509_node tbs_signalg;
193 x509_node issuer;
194 x509_node validity;
195 x509_node subject;
196 x509_node subpubkey;
197
198 x509_node signalg;
199 x509_node sign;
200}
201x509_raw;
202
203#ifdef __cplusplus
204extern "C" {
205#endif
206
207/**
208 * \brief Parse one or more certificates and add them
209 * to the chained list
210 *
211 * \param chain points to the start of the chain
212 * \param buf buffer holding the certificate data
213 * \param buflen size of the buffer
214 *
215 * \return 0 if successful, or a specific X509 error code
216 */
217int x509parse_crt( x509_cert *crt, unsigned char *buf, int buflen );
218
219/**
220 * \brief Load one or more certificates and add them
221 * to the chained list
222 *
223 * \param chain points to the start of the chain
224 * \param path filename to read the certificates from
225 *
226 * \return 0 if successful, or a specific X509 error code
227 */
228int x509parse_crtfile( x509_cert *crt, char *path );
229
230/**
231 * \brief Parse a private RSA key
232 *
233 * \param rsa RSA context to be initialized
234 * \param buf input buffer
235 * \param buflen size of the buffer
236 * \param pwd password for decryption (optional)
237 * \param pwdlen size of the password
238 *
239 * \return 0 if successful, or a specific X509 error code
240 */
241int x509parse_key( rsa_context *rsa,
242 unsigned char *buf, int buflen,
243 unsigned char *pwd, int pwdlen );
244
245/**
246 * \brief Load and parse a private RSA key
247 *
248 * \param rsa RSA context to be initialized
249 * \param path filename to read the private key from
250 * \param pwd password to decrypt the file (can be NULL)
251 *
252 * \return 0 if successful, or a specific X509 error code
253 */
254int x509parse_keyfile( rsa_context *rsa, char *path, char *password );
255
256/**
257 * \brief Store the certificate DN in printable form into buf;
258 * no more than (end - buf) characters will be written.
259 */
260int x509parse_dn_gets( char *buf, char *end, x509_name *dn );
261
262/**
263 * \brief Returns an informational string about the
264 * certificate.
265 */
266char *x509parse_cert_info( char *prefix, x509_cert *crt );
267
268/**
269 * \brief Return 0 if the certificate is still valid,
270 * or BADCERT_EXPIRED
271 */
272int x509parse_expired( x509_cert *crt );
273
274/**
275 * \brief Verify the certificate signature
276 *
277 * \param crt a certificate to be verified
278 * \param trust_ca the trusted CA chain
279 * \param cn expected Common Name (can be set to
280 * NULL if the CN must not be verified)
281 * \param flags result of the verification
282 *
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]283 * \return 0 if successful or POLARSSL_ERR_X509_SIG_VERIFY_FAILED,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]284 * in which case *flags will have one or more of
285 * the following values set:
286 * BADCERT_EXPIRED --
287 * BADCERT_REVOKED --
288 * BADCERT_CN_MISMATCH --
289 * BADCERT_NOT_TRUSTED
290 *
291 * \note TODO: add two arguments, depth and crl
292 */
293int x509parse_verify( x509_cert *crt,
294 x509_cert *trust_ca,
295 char *cn, int *flags );
296
297/**
298 * \brief Unallocate all certificate data
299 */
300void x509_free( x509_cert *crt );
301
302/**
303 * \brief Checkup routine
304 *
305 * \return 0 if successful, or 1 if the test failed
306 */
307int x509_self_test( int verbose );
308
309#ifdef __cplusplus
310}
311#endif
312
313#endif /* x509.h */