1/*
2 * X.509v3 certificate parsing and processing
3 * Copyright (c) 2006-2011, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9#ifndef X509V3_H
10#define X509V3_H
11
12#include "asn1.h"
13
14struct x509_algorithm_identifier {
15	struct asn1_oid oid;
16};
17
18struct x509_name_attr {
19	enum x509_name_attr_type {
20		X509_NAME_ATTR_NOT_USED,
21		X509_NAME_ATTR_DC,
22		X509_NAME_ATTR_CN,
23		X509_NAME_ATTR_C,
24		X509_NAME_ATTR_L,
25		X509_NAME_ATTR_ST,
26		X509_NAME_ATTR_O,
27		X509_NAME_ATTR_OU
28	} type;
29	char *value;
30};
31
32#define X509_MAX_NAME_ATTRIBUTES 20
33
34struct x509_name {
35	struct x509_name_attr attr[X509_MAX_NAME_ATTRIBUTES];
36	size_t num_attr;
37	char *email; /* emailAddress */
38
39	/* from alternative name extension */
40	char *alt_email; /* rfc822Name */
41	char *dns; /* dNSName */
42	char *uri; /* uniformResourceIdentifier */
43	u8 *ip; /* iPAddress */
44	size_t ip_len; /* IPv4: 4, IPv6: 16 */
45	struct asn1_oid rid; /* registeredID */
46};
47
48#define X509_MAX_SERIAL_NUM_LEN 20
49
50struct x509_certificate {
51	struct x509_certificate *next;
52	enum { X509_CERT_V1 = 0, X509_CERT_V2 = 1, X509_CERT_V3 = 2 } version;
53	u8 serial_number[X509_MAX_SERIAL_NUM_LEN];
54	size_t serial_number_len;
55	struct x509_algorithm_identifier signature;
56	struct x509_name issuer;
57	struct x509_name subject;
58	u8 *subject_dn;
59	size_t subject_dn_len;
60	os_time_t not_before;
61	os_time_t not_after;
62	struct x509_algorithm_identifier public_key_alg;
63	u8 *public_key;
64	size_t public_key_len;
65	struct x509_algorithm_identifier signature_alg;
66	u8 *sign_value;
67	size_t sign_value_len;
68
69	/* Extensions */
70	unsigned int extensions_present;
71#define X509_EXT_BASIC_CONSTRAINTS		(1 << 0)
72#define X509_EXT_PATH_LEN_CONSTRAINT		(1 << 1)
73#define X509_EXT_KEY_USAGE			(1 << 2)
74#define X509_EXT_SUBJECT_ALT_NAME		(1 << 3)
75#define X509_EXT_ISSUER_ALT_NAME		(1 << 4)
76#define X509_EXT_EXT_KEY_USAGE			(1 << 5)
77
78	/* BasicConstraints */
79	int ca; /* cA */
80	unsigned long path_len_constraint; /* pathLenConstraint */
81
82	/* KeyUsage */
83	unsigned long key_usage;
84#define X509_KEY_USAGE_DIGITAL_SIGNATURE	(1 << 0)
85#define X509_KEY_USAGE_NON_REPUDIATION		(1 << 1)
86#define X509_KEY_USAGE_KEY_ENCIPHERMENT		(1 << 2)
87#define X509_KEY_USAGE_DATA_ENCIPHERMENT	(1 << 3)
88#define X509_KEY_USAGE_KEY_AGREEMENT		(1 << 4)
89#define X509_KEY_USAGE_KEY_CERT_SIGN		(1 << 5)
90#define X509_KEY_USAGE_CRL_SIGN			(1 << 6)
91#define X509_KEY_USAGE_ENCIPHER_ONLY		(1 << 7)
92#define X509_KEY_USAGE_DECIPHER_ONLY		(1 << 8)
93
94	/* ExtKeyUsage */
95	unsigned long ext_key_usage;
96#define X509_EXT_KEY_USAGE_ANY			(1 << 0)
97#define X509_EXT_KEY_USAGE_SERVER_AUTH		(1 << 1)
98#define X509_EXT_KEY_USAGE_CLIENT_AUTH		(1 << 2)
99#define X509_EXT_KEY_USAGE_OCSP			(1 << 3)
100
101	/*
102	 * The DER format certificate follows struct x509_certificate. These
103	 * pointers point to that buffer.
104	 */
105	const u8 *cert_start;
106	size_t cert_len;
107	const u8 *tbs_cert_start;
108	size_t tbs_cert_len;
109
110	/* Meta data used for certificate validation */
111	unsigned int ocsp_good:1;
112	unsigned int ocsp_revoked:1;
113	unsigned int issuer_trusted:1;
114};
115
116enum {
117	X509_VALIDATE_OK,
118	X509_VALIDATE_BAD_CERTIFICATE,
119	X509_VALIDATE_UNSUPPORTED_CERTIFICATE,
120	X509_VALIDATE_CERTIFICATE_REVOKED,
121	X509_VALIDATE_CERTIFICATE_EXPIRED,
122	X509_VALIDATE_CERTIFICATE_UNKNOWN,
123	X509_VALIDATE_UNKNOWN_CA
124};
125
126void x509_certificate_free(struct x509_certificate *cert);
127int x509_parse_algorithm_identifier(const u8 *buf, size_t len,
128				    struct x509_algorithm_identifier *id,
129				    const u8 **next);
130int x509_parse_name(const u8 *buf, size_t len, struct x509_name *name,
131		    const u8 **next);
132int x509_parse_time(const u8 *buf, size_t len, u8 asn1_tag, os_time_t *val);
133struct x509_certificate * x509_certificate_parse(const u8 *buf, size_t len);
134void x509_free_name(struct x509_name *name);
135void x509_name_string(struct x509_name *name, char *buf, size_t len);
136int x509_name_compare(struct x509_name *a, struct x509_name *b);
137void x509_certificate_chain_free(struct x509_certificate *cert);
138int x509_check_signature(struct x509_certificate *issuer,
139			 struct x509_algorithm_identifier *signature,
140			 const u8 *sign_value, size_t sign_value_len,
141			 const u8 *signed_data, size_t signed_data_len);
142int x509_certificate_check_signature(struct x509_certificate *issuer,
143				     struct x509_certificate *cert);
144int x509_certificate_chain_validate(struct x509_certificate *trusted,
145				    struct x509_certificate *chain,
146				    int *reason, int disable_time_checks);
147struct x509_certificate *
148x509_certificate_get_subject(struct x509_certificate *chain,
149			     struct x509_name *name);
150int x509_certificate_self_signed(struct x509_certificate *cert);
151
152int x509_sha1_oid(struct asn1_oid *oid);
153int x509_sha256_oid(struct asn1_oid *oid);
154int x509_sha384_oid(struct asn1_oid *oid);
155int x509_sha512_oid(struct asn1_oid *oid);
156
157#endif /* X509V3_H */
158