/* $NetBSD: hx509-protos.h,v 1.2 2019/12/15 22:50:50 christos Exp $ */

/* This is a generated file */
/* Edits to the comments below are lost on regeneration; fix the
 * originating source file instead (which tool regenerates this header
 * is not visible here - confirm). */
#ifndef __hx509_protos_h__
#define __hx509_protos_h__
#ifndef DOXY

#include <stdarg.h>

#ifdef __cplusplus
extern "C" {
#endif

#ifndef HX509_LIB
#ifndef HX509_LIB_FUNCTION
#if defined(_WIN32)
#define HX509_LIB_FUNCTION __declspec(dllimport)
#define HX509_LIB_CALL __stdcall
#define HX509_LIB_VARIABLE __declspec(dllimport)
#else
#define HX509_LIB_FUNCTION
#define HX509_LIB_CALL
#define HX509_LIB_VARIABLE
#endif
#endif
#endif
/**
 * Print a bit string using a hx509_vprint_func function. To print to
 * stdout use hx509_print_stdout().
 *
 * @param b bit string to print.
 * @param func hx509_vprint_func to print with.
 * @param ctx context variable passed to the hx509_vprint_func function.
 *
 * @ingroup hx509_print
 */

void
hx509_bitstring_print (
	const heim_bit_string */*b*/,
	hx509_vprint_func /*func*/,
	void */*ctx*/);

/**
 * Sign a to-be-signed certificate object with an issuer certificate.
 *
 * The caller needs to at least have called the following functions on the
 * to-be-signed certificate object:
 * - hx509_ca_tbs_init()
 * - hx509_ca_tbs_set_subject()
 * - hx509_ca_tbs_set_spki()
 *
 * When done the to-be-signed certificate object should be freed with
 * hx509_ca_tbs_free().
 *
 * When creating a self-signed certificate use hx509_ca_sign_self() instead.
 *
 * @param context A hx509 context.
 * @param tbs object to be signed.
 * @param signer the CA certificate object to sign with (needs a private key).
 * @param certificate returned certificate, free with hx509_cert_free().
 *
 * @return An hx509 error code, see hx509_get_error_string().
*
 * @ingroup hx509_ca
 */

int
hx509_ca_sign (
	hx509_context /*context*/,
	hx509_ca_tbs /*tbs*/,
	hx509_cert /*signer*/,
	hx509_cert */*certificate*/);

/**
 * Works just like hx509_ca_sign() but the certificate signs itself.
 *
 * @param context A hx509 context.
 * @param tbs object to be signed.
 * @param signer private key to sign with.
 * @param certificate returned certificate, free with hx509_cert_free().
 *
 * @return An hx509 error code, see hx509_get_error_string().
 *
 * @ingroup hx509_ca
 */

int
hx509_ca_sign_self (
	hx509_context /*context*/,
	hx509_ca_tbs /*tbs*/,
	hx509_private_key /*signer*/,
	hx509_cert */*certificate*/);

/**
 * Add a CRL distribution point URI to the to-be-signed certificate
 * object.
 *
 * @param context A hx509 context.
 * @param tbs object to be signed.
 * @param uri uri of the CRL.
 * @param issuername name of the issuer.
 *
 * @return An hx509 error code, see hx509_get_error_string().
 *
 * @ingroup hx509_ca
 */

int
hx509_ca_tbs_add_crl_dp_uri (
	hx509_context /*context*/,
	hx509_ca_tbs /*tbs*/,
	const char */*uri*/,
	hx509_name /*issuername*/);

/**
 * Add an extended key usage to the to-be-signed certificate object.
 * Duplicates will be detected and not added.
 *
 * @param context A hx509 context.
 * @param tbs object to be signed.
 * @param oid extended key usage to add.
 *
 * @return An hx509 error code, see hx509_get_error_string().
 *
 * @ingroup hx509_ca
 */

int
hx509_ca_tbs_add_eku (
	hx509_context /*context*/,
	hx509_ca_tbs /*tbs*/,
	const heim_oid */*oid*/);

/**
 * Add a Subject Alternative Name hostname to the to-be-signed certificate
 * object. A domain match starts with ".", an exact match does not.
 *
 * Example of a domain match: .domain.se matches the hostname
 * host.domain.se.
 *
 * @param context A hx509 context.
* @param tbs object to be signed.
 * @param dnsname a hostname.
 *
 * @return An hx509 error code, see hx509_get_error_string().
 *
 * @ingroup hx509_ca
 */

int
hx509_ca_tbs_add_san_hostname (
	hx509_context /*context*/,
	hx509_ca_tbs /*tbs*/,
	const char */*dnsname*/);

/**
 * Add a Jabber/XMPP jid Subject Alternative Name to the to-be-signed
 * certificate object. The jid is a UTF-8 string.
 *
 * @param context A hx509 context.
 * @param tbs object to be signed.
 * @param jid string holding a jabber id in UTF-8.
 *
 * @return An hx509 error code, see hx509_get_error_string().
 *
 * @ingroup hx509_ca
 */

int
hx509_ca_tbs_add_san_jid (
	hx509_context /*context*/,
	hx509_ca_tbs /*tbs*/,
	const char */*jid*/);

/**
 * Add a Microsoft UPN Subject Alternative Name to the to-be-signed
 * certificate object. The principal string is a UTF-8 string.
 *
 * @param context A hx509 context.
 * @param tbs object to be signed.
 * @param principal Microsoft UPN string.
 *
 * @return An hx509 error code, see hx509_get_error_string().
 *
 * @ingroup hx509_ca
 */

int
hx509_ca_tbs_add_san_ms_upn (
	hx509_context /*context*/,
	hx509_ca_tbs /*tbs*/,
	const char */*principal*/);

/**
 * Add a Subject Alternative Name otherName to the to-be-signed
 * certificate object.
 *
 * @param context A hx509 context.
 * @param tbs object to be signed.
 * @param oid the oid of the OtherName.
 * @param os data in the other name.
 *
 * @return An hx509 error code, see hx509_get_error_string().
 *
 * @ingroup hx509_ca
 */

int
hx509_ca_tbs_add_san_otherName (
	hx509_context /*context*/,
	hx509_ca_tbs /*tbs*/,
	const heim_oid */*oid*/,
	const heim_octet_string */*os*/);

/**
 * Add a Kerberos Subject Alternative Name to the to-be-signed
 * certificate object.
The principal string is a UTF8 string.
 *
 * @param context A hx509 context.
 * @param tbs object to be signed.
 * @param principal Kerberos principal to add to the certificate.
 *
 * @return An hx509 error code, see hx509_get_error_string().
 *
 * @ingroup hx509_ca
 */

int
hx509_ca_tbs_add_san_pkinit (
	hx509_context /*context*/,
	hx509_ca_tbs /*tbs*/,
	const char */*principal*/);

/**
 * Add a Subject Alternative Name rfc822 (email address) to the
 * to-be-signed certificate object.
 *
 * @param context A hx509 context.
 * @param tbs object to be signed.
 * @param rfc822Name a string holding an email address.
 *
 * @return An hx509 error code, see hx509_get_error_string().
 *
 * @ingroup hx509_ca
 */

int
hx509_ca_tbs_add_san_rfc822name (
	hx509_context /*context*/,
	hx509_ca_tbs /*tbs*/,
	const char */*rfc822Name*/);

/**
 * Free a To Be Signed object.
 *
 * @param tbs object to free.
 *
 * @ingroup hx509_ca
 */

void
hx509_ca_tbs_free (hx509_ca_tbs */*tbs*/);

/**
 * Allocate a to-be-signed certificate object that will be converted
 * into a certificate.
 *
 * @param context A hx509 context.
 * @param tbs returned to-be-signed certificate object, free with
 * hx509_ca_tbs_free().
 *
 * @return An hx509 error code, see hx509_get_error_string().
 *
 * @ingroup hx509_ca
 */

int
hx509_ca_tbs_init (
	hx509_context /*context*/,
	hx509_ca_tbs */*tbs*/);

/**
 * Make the to-be-signed certificate object a CA certificate. If
 * pathLenConstraint is negative, no path length constraint is set.
 *
 * @param context A hx509 context.
 * @param tbs object to be signed.
 * @param pathLenConstraint path length constraint; negative means no
 * constraint.
 *
 * @return An hx509 error code, see hx509_get_error_string().
*
 * @ingroup hx509_ca
 */

int
hx509_ca_tbs_set_ca (
	hx509_context /*context*/,
	hx509_ca_tbs /*tbs*/,
	int /*pathLenConstraint*/);

/**
 * Make the to-be-signed certificate object a Windows domain controller
 * certificate.
 *
 * @param context A hx509 context.
 * @param tbs object to be signed.
 *
 * @return An hx509 error code, see hx509_get_error_string().
 *
 * @ingroup hx509_ca
 */

int
hx509_ca_tbs_set_domaincontroller (
	hx509_context /*context*/,
	hx509_ca_tbs /*tbs*/);

/**
 * Set the absolute time until which the certificate is valid.
 *
 * @param context A hx509 context.
 * @param tbs object to be signed.
 * @param t time when the certificate will expire.
 *
 * @return An hx509 error code, see hx509_get_error_string().
 *
 * @ingroup hx509_ca
 */

int
hx509_ca_tbs_set_notAfter (
	hx509_context /*context*/,
	hx509_ca_tbs /*tbs*/,
	time_t /*t*/);

/**
 * Set the relative time after which the certificate is going to expire.
 *
 * @param context A hx509 context.
 * @param tbs object to be signed.
 * @param delta seconds until the certificate expires.
 *
 * @return An hx509 error code, see hx509_get_error_string().
 *
 * @ingroup hx509_ca
 */

int
hx509_ca_tbs_set_notAfter_lifetime (
	hx509_context /*context*/,
	hx509_ca_tbs /*tbs*/,
	time_t /*delta*/);

/**
 * Set the absolute time from which the certificate is valid. If not
 * set the current time will be used.
 *
 * @param context A hx509 context.
 * @param tbs object to be signed.
 * @param t time the certificate will start to be valid.
 *
 * @return An hx509 error code, see hx509_get_error_string().
*
 * @ingroup hx509_ca
 */

int
hx509_ca_tbs_set_notBefore (
	hx509_context /*context*/,
	hx509_ca_tbs /*tbs*/,
	time_t /*t*/);

/**
 * Make the to-be-signed certificate object a proxy certificate. If
 * pathLenConstraint is negative, no path length constraint is set.
 *
 * @param context A hx509 context.
 * @param tbs object to be signed.
 * @param pathLenConstraint path length constraint; negative means no
 * constraint.
 *
 * @return An hx509 error code, see hx509_get_error_string().
 *
 * @ingroup hx509_ca
 */

int
hx509_ca_tbs_set_proxy (
	hx509_context /*context*/,
	hx509_ca_tbs /*tbs*/,
	int /*pathLenConstraint*/);

/**
 * Set the serial number to use for the to-be-signed certificate object.
 *
 * @param context A hx509 context.
 * @param tbs object to be signed.
 * @param serialNumber serial number to use for the to-be-signed
 * certificate object.
 *
 * @return An hx509 error code, see hx509_get_error_string().
 *
 * @ingroup hx509_ca
 */

int
hx509_ca_tbs_set_serialnumber (
	hx509_context /*context*/,
	hx509_ca_tbs /*tbs*/,
	const heim_integer */*serialNumber*/);

/**
 * Set the signature algorithm on the to-be-signed certificate.
 *
 * @param context A hx509 context.
 * @param tbs object to be signed.
 * @param sigalg signature algorithm to use.
 *
 * @return An hx509 error code, see hx509_get_error_string().
 *
 * @ingroup hx509_ca
 */

int
hx509_ca_tbs_set_signature_algorithm (
	hx509_context /*context*/,
	hx509_ca_tbs /*tbs*/,
	const AlgorithmIdentifier */*sigalg*/);

/**
 * Set the subject public key info (SPKI) in the to-be-signed certificate
 * object. The SPKI is the public key and key related parameters in the
 * certificate.
 *
 * @param context A hx509 context.
 * @param tbs object to be signed.
* @param spki subject public key info to use for the to-be-signed
 * certificate object.
 *
 * @return An hx509 error code, see hx509_get_error_string().
 *
 * @ingroup hx509_ca
 */

int
hx509_ca_tbs_set_spki (
	hx509_context /*context*/,
	hx509_ca_tbs /*tbs*/,
	const SubjectPublicKeyInfo */*spki*/);

/**
 * Set the subject name of a to-be-signed certificate object.
 *
 * @param context A hx509 context.
 * @param tbs object to be signed.
 * @param subject the name to set as subject.
 *
 * @return An hx509 error code, see hx509_get_error_string().
 *
 * @ingroup hx509_ca
 */

int
hx509_ca_tbs_set_subject (
	hx509_context /*context*/,
	hx509_ca_tbs /*tbs*/,
	hx509_name /*subject*/);

/**
 * Initialize the to-be-signed certificate object from a template
 * certificate.
 *
 * @param context A hx509 context.
 * @param tbs object to be signed.
 * @param flags bit field selecting what to copy from the template
 * certificate.
 * @param cert template certificate.
 *
 * @return An hx509 error code, see hx509_get_error_string().
 *
 * @ingroup hx509_ca
 */

int
hx509_ca_tbs_set_template (
	hx509_context /*context*/,
	hx509_ca_tbs /*tbs*/,
	int /*flags*/,
	hx509_cert /*cert*/);

/**
 * Set the issuerUniqueID and subjectUniqueID.
 *
 * These are only supposed to be used with version 2 certificates; they
 * were replaced by the two extensions SubjectKeyIdentifier and
 * IssuerKeyIdentifier. This function exists to allow applications
 * using legacy protocols to issue them.
 *
 * Note the parameter order: the subject id comes before the issuer id.
 *
 * @param context A hx509 context.
 * @param tbs object to be signed.
 * @param subjectUniqueID to be set
 * @param issuerUniqueID to be set
 *
 * @return An hx509 error code, see hx509_get_error_string().
*
 * @ingroup hx509_ca
 */

int
hx509_ca_tbs_set_unique (
	hx509_context /*context*/,
	hx509_ca_tbs /*tbs*/,
	const heim_bit_string */*subjectUniqueID*/,
	const heim_bit_string */*issuerUniqueID*/);

/**
 * Expand the subject name in the to-be-signed certificate object
 * using hx509_name_expand().
 *
 * @param context A hx509 context.
 * @param tbs object to be signed.
 * @param env environment used to expand variables in the subject
 * name, see hx509_env_init().
 *
 * @return An hx509 error code, see hx509_get_error_string().
 *
 * @ingroup hx509_ca
 */

int
hx509_ca_tbs_subject_expand (
	hx509_context /*context*/,
	hx509_ca_tbs /*tbs*/,
	hx509_env /*env*/);

/**
 * Table of template units, used to build the flags argument to
 * hx509_ca_tbs_set_template() with parse_units().
 *
 * @return a units structure.
 *
 * @ingroup hx509_ca
 */

const struct units *
hx509_ca_tbs_template_units (void);

/**
 * Encode the hx509 certificate as DER encoded binary data.
 *
 * @param context A hx509 context.
 * @param c the certificate to encode.
 * @param os the encoded certificate, set to NULL, 0 in case of
 * error. Free os->data with hx509_xfree().
 *
 * @return An hx509 error code, see hx509_get_error_string().
 *
 * @ingroup hx509_cert
 */

int
hx509_cert_binary (
	hx509_context /*context*/,
	hx509_cert /*c*/,
	heim_octet_string */*os*/);

/**
 * Check the extended key usage on the hx509 certificate.
 *
 * @param context A hx509 context.
 * @param cert A hx509 certificate object.
 * @param eku the EKU to check for.
 * @param allow_any_eku if the any-EKU (anyExtendedKeyUsage) is set in
 * the certificate, allow that as a substitute for the requested EKU.
 * Callers enforcing a specific usage should decide deliberately whether
 * accepting the any-EKU fits their policy.
 *
 * @return An hx509 error code, see hx509_get_error_string().
*
 * @ingroup hx509_cert
 */

int
hx509_cert_check_eku (
	hx509_context /*context*/,
	hx509_cert /*cert*/,
	const heim_oid */*eku*/,
	int /*allow_any_eku*/);

/**
 * Compare two hx509 certificate objects, useful for sorting.
 *
 * @param p a hx509 certificate object.
 * @param q a hx509 certificate object.
 *
 * @return 0 if the objects are the same, > 0 if p is "larger"
 * than q, < 0 if p is "smaller" than q.
 *
 * @ingroup hx509_cert
 */

int
hx509_cert_cmp (
	hx509_cert /*p*/,
	hx509_cert /*q*/);

/**
 * Return a list of subjectAltNames specified by oid in the
 * certificate. (The sentence describing the error case is truncated in
 * the original comment; confirm what @p list holds on error.)
 *
 * The returned list of octet strings should be freed with
 * hx509_free_octet_string_list().
 *
 * @param context A hx509 context.
 * @param cert a hx509 certificate object.
 * @param oid an oid to look for in the SubjectAltName.
 * @param list list of matching SubjectAltName entries.
 *
 * @return An hx509 error code, see hx509_get_error_string().
 *
 * @ingroup hx509_cert
 */

int
hx509_cert_find_subjectAltName_otherName (
	hx509_context /*context*/,
	hx509_cert /*cert*/,
	const heim_oid */*oid*/,
	hx509_octet_string_list */*list*/);

/**
 * Free a reference to the hx509 certificate object; if the reference
 * count reaches 0, the object is freed. It is allowed to pass in NULL.
 *
 * @param cert the cert to free.
 *
 * @ingroup hx509_cert
 */

void
hx509_cert_free (hx509_cert /*cert*/);

/**
 * Get the SubjectPublicKeyInfo structure from the hx509 certificate.
 *
 * @param context a hx509 context.
 * @param p a hx509 certificate object.
 * @param spki SubjectPublicKeyInfo, should be freed with
 * free_SubjectPublicKeyInfo().
 *
 * @return An hx509 error code, see hx509_get_error_string().
*
 * @ingroup hx509_cert
 */

int
hx509_cert_get_SPKI (
	hx509_context /*context*/,
	hx509_cert /*p*/,
	SubjectPublicKeyInfo */*spki*/);

/**
 * Get the AlgorithmIdentifier from the hx509 certificate.
 *
 * @param context a hx509 context.
 * @param p a hx509 certificate object.
 * @param alg AlgorithmIdentifier, should be freed with
 * free_AlgorithmIdentifier(). The algorithm identifier is
 * typically rsaEncryption, id-ecPublicKey, or some other
 * public key mechanism.
 *
 * @return An hx509 error code, see hx509_get_error_string().
 *
 * @ingroup hx509_cert
 */

int
hx509_cert_get_SPKI_AlgorithmIdentifier (
	hx509_context /*context*/,
	hx509_cert /*p*/,
	AlgorithmIdentifier */*alg*/);

/**
 * Get an external attribute for the certificate; examples are
 * friendly name and id.
 *
 * @param cert hx509 certificate object to search
 * @param oid an oid to search for.
 *
 * @return an hx509_cert_attribute, only valid as long as the
 * certificate is referenced.
 *
 * @ingroup hx509_cert
 */

hx509_cert_attribute
hx509_cert_get_attribute (
	hx509_cert /*cert*/,
	const heim_oid */*oid*/);

/**
 * Return the name of the base subject of the hx509 certificate. If
 * the certificate is a verified proxy certificate, this function
 * returns the subject of the base certificate (root of the proxy
 * chain). If the proxy certificate is not verified with the base
 * certificate HX509_PROXY_CERTIFICATE_NOT_CANONICALIZED is returned.
 *
 * @param context a hx509 context.
 * @param c a hx509 certificate object.
 * @param name a pointer to a hx509 name, should be freed by
 * hx509_name_free(). See also hx509_cert_get_subject().
 *
 * @return An hx509 error code, see hx509_get_error_string().
*
 * @ingroup hx509_cert
 */

int
hx509_cert_get_base_subject (
	hx509_context /*context*/,
	hx509_cert /*c*/,
	hx509_name */*name*/);

/**
 * Get the friendly name of the certificate.
 *
 * @param cert cert to get the friendly name from.
 *
 * @return the friendly name, or NULL if there is none. The friendly
 * name is only valid as long as the certificate is referenced.
 *
 * @ingroup hx509_cert
 */

const char *
hx509_cert_get_friendly_name (hx509_cert /*cert*/);

/**
 * Return the name of the issuer of the hx509 certificate.
 *
 * @param p a hx509 certificate object.
 * @param name a pointer to a hx509 name, should be freed by
 * hx509_name_free().
 *
 * @return An hx509 error code, see hx509_get_error_string().
 *
 * @ingroup hx509_cert
 */

int
hx509_cert_get_issuer (
	hx509_cert /*p*/,
	hx509_name */*name*/);

/**
 * Get a copy of the Issuer Unique ID.
 *
 * @param context a hx509_context
 * @param p a hx509 certificate
 * @param issuer the issuer id returned, free with der_free_bit_string()
 *
 * @return An hx509 error code, see hx509_get_error_string(). The
 * error code HX509_EXTENSION_NOT_FOUND is returned if the certificate
 * doesn't have an issuerUniqueID.
 *
 * @ingroup hx509_cert
 */

int
hx509_cert_get_issuer_unique_id (
	hx509_context /*context*/,
	hx509_cert /*p*/,
	heim_bit_string */*issuer*/);

/**
 * Get the notAfter time of the certificate.
 *
 * @param p a hx509 certificate object.
 *
 * @return the not after time.
 *
 * @ingroup hx509_cert
 */

time_t
hx509_cert_get_notAfter (hx509_cert /*p*/);

/**
 * Get the notBefore time of the certificate.
 *
 * @param p a hx509 certificate object.
*
 * @return the not before time.
 *
 * @ingroup hx509_cert
 */

time_t
hx509_cert_get_notBefore (hx509_cert /*p*/);

/**
 * Get the serial number of the certificate.
 *
 * @param p a hx509 certificate object.
 * @param i serial number, should be freed with der_free_heim_integer().
 *
 * @return An hx509 error code, see hx509_get_error_string().
 *
 * @ingroup hx509_cert
 */

int
hx509_cert_get_serialnumber (
	hx509_cert /*p*/,
	heim_integer */*i*/);

/**
 * Return the name of the subject of the hx509 certificate.
 *
 * @param p a hx509 certificate object.
 * @param name a pointer to a hx509 name, should be freed by
 * hx509_name_free(). See also hx509_cert_get_base_subject().
 *
 * @return An hx509 error code, see hx509_get_error_string().
 *
 * @ingroup hx509_cert
 */

int
hx509_cert_get_subject (
	hx509_cert /*p*/,
	hx509_name */*name*/);

/**
 * Get a copy of the Subject Unique ID.
 *
 * @param context a hx509_context
 * @param p a hx509 certificate
 * @param subject the subject id returned, free with der_free_bit_string()
 *
 * @return An hx509 error code, see hx509_get_error_string(). The
 * error code HX509_EXTENSION_NOT_FOUND is returned if the certificate
 * doesn't have a subjectUniqueID.
 *
 * @ingroup hx509_cert
 */

int
hx509_cert_get_subject_unique_id (
	hx509_context /*context*/,
	hx509_cert /*p*/,
	heim_bit_string */*subject*/);

/*
 * Not documented in the generated source. Judging by the name it
 * reports whether a private key is attached to the certificate object;
 * confirm the return convention against the implementation.
 */
int
hx509_cert_have_private_key (hx509_cert /*p*/);

/**
 * Allocate and init an hx509 certificate object from the decoded
 * certificate `c'.
 *
 * @param context A hx509 context.
* @param c the decoded certificate to wrap.
 * @param error possibly returns an error.
 *
 * @return Returns an hx509 certificate
 *
 * @ingroup hx509_cert
 */

hx509_cert
hx509_cert_init (
	hx509_context /*context*/,
	const Certificate */*c*/,
	heim_error_t */*error*/);

/**
 * Just like hx509_cert_init(), but instead of a decoded certificate
 * takes a pointer and length to a memory region that contains a
 * DER/BER encoded certificate.
 *
 * If the memory region doesn't contain just the certificate and
 * nothing more the function will fail with
 * HX509_EXTRA_DATA_AFTER_STRUCTURE.
 *
 * @param context A hx509 context.
 * @param ptr pointer to memory region containing the encoded certificate.
 * @param len length of the memory region.
 * @param error possibly returns an error.
 *
 * @return An hx509 certificate
 *
 * @ingroup hx509_cert
 */

hx509_cert
hx509_cert_init_data (
	hx509_context /*context*/,
	const void */*ptr*/,
	size_t /*len*/,
	heim_error_t */*error*/);

/**
 * Print the key usage of a certificate to a string.
 *
 * @param context A hx509 context.
 * @param c the certificate to print the key usage for.
 * @param s the returned string with the key usage printed into it, free
 * with hx509_xfree().
 *
 * @return An hx509 error code, see hx509_get_error_string().
 *
 * @ingroup hx509_print
 */

int
hx509_cert_keyusage_print (
	hx509_context /*context*/,
	hx509_cert /*c*/,
	char **/*s*/);

/*
 * Not documented in the generated source. Judging by the parameter
 * names it encrypts `cleartext' to the public key of certificate `p'
 * and produces `ciphertext'; whether `encryption_oid' is an input or
 * an output is not stated here - confirm against the implementation.
 */
int
hx509_cert_public_encrypt (
	hx509_context /*context*/,
	const heim_octet_string */*cleartext*/,
	const hx509_cert /*p*/,
	heim_oid */*encryption_oid*/,
	heim_octet_string */*ciphertext*/);

/**
 * Add a reference to a hx509 certificate object.
 *
 * @param cert a pointer to an hx509 certificate object.
 *
 * @return the same object as is passed in.
*
 * @ingroup hx509_cert
 */

hx509_cert
hx509_cert_ref (hx509_cert /*cert*/);

/**
 * Set the friendly name on the certificate.
 *
 * @param cert The certificate to set the friendly name on
 * @param name Friendly name.
 *
 * @return An hx509 error code, see hx509_get_error_string().
 *
 * @ingroup hx509_cert
 */

int
hx509_cert_set_friendly_name (
	hx509_cert /*cert*/,
	const char */*name*/);

/**
 * Add a certificate to the certificate store.
 *
 * The receiving keyset certs will either increase the reference counter
 * of the cert or make a deep copy; either way, the caller needs to
 * free the cert itself.
 *
 * @param context a hx509 context.
 * @param certs certificate store to add the certificate to.
 * @param cert certificate to add.
 *
 * @return Returns an hx509 error code.
 *
 * @ingroup hx509_keyset
 */

int
hx509_certs_add (
	hx509_context /*context*/,
	hx509_certs /*certs*/,
	hx509_cert /*cert*/);

/**
 * Same as hx509_certs_merge() but uses a lock and a name to describe
 * the source store.
 *
 * @param context a hx509 context.
 * @param to the store to merge into.
 * @param lock a lock that unlocks the certificate store, use NULL to
 * select no password/certificates/prompt lock (see @ref page_lock).
 * @param name name of the source store.
 *
 * @return Returns an hx509 error code.
 *
 * @ingroup hx509_keyset
 */

int
hx509_certs_append (
	hx509_context /*context*/,
	hx509_certs /*to*/,
	hx509_lock /*lock*/,
	const char */*name*/);

/**
 * End the iteration over certificates.
 *
 * @param context a hx509 context.
 * @param certs certificate store that was iterated over.
 * @param cursor cursor that kept track of progress; it is freed by this call.
 *
 * @return Returns an hx509 error code.
*
 * @ingroup hx509_keyset
 */

int
hx509_certs_end_seq (
	hx509_context /*context*/,
	hx509_certs /*certs*/,
	hx509_cursor /*cursor*/);

/**
 * Filter the certificates matching the query.
 *
 * @param context a hx509 context.
 * @param certs certificate store to search.
 * @param q query allocated with @ref hx509_query functions.
 * @param result the filtered certificate store, caller must free with
 * hx509_certs_free().
 *
 * @return Returns an hx509 error code.
 *
 * @ingroup hx509_keyset
 */

int
hx509_certs_filter (
	hx509_context /*context*/,
	hx509_certs /*certs*/,
	const hx509_query */*q*/,
	hx509_certs */*result*/);

/**
 * Find a certificate matching the query.
 *
 * @param context a hx509 context.
 * @param certs certificate store to search.
 * @param q query allocated with @ref hx509_query functions.
 * @param r returned certificate (or NULL on error), should be freed
 * with hx509_cert_free().
 *
 * @return Returns an hx509 error code.
 *
 * @ingroup hx509_keyset
 */

int
hx509_certs_find (
	hx509_context /*context*/,
	hx509_certs /*certs*/,
	const hx509_query */*q*/,
	hx509_cert */*r*/);

/**
 * Free a certificate store.
 *
 * @param certs certificate store to free.
 *
 * @ingroup hx509_keyset
 */

void
hx509_certs_free (hx509_certs */*certs*/);

/**
 * Print some info about the certificate store.
 *
 * @param context a hx509 context.
 * @param certs certificate store to print information about.
 * @param func function that will get each line of the information; if
 * NULL is used the data is printed to the FILE pointer that should
 * be passed in ctx, and if ctx also is NULL, stdout is used.
 * @param ctx parameter to func.
 *
 * @return Returns an hx509 error code.
*
 * @ingroup hx509_keyset
 */

int
hx509_certs_info (
	hx509_context /*context*/,
	hx509_certs /*certs*/,
	int (*/*func*/)(void *, const char *),
	void */*ctx*/);

/**
 * Open or create a new hx509 certificate store.
 *
 * @param context A hx509 context
 * @param name name of the store, format is TYPE:type-specific-string;
 * if NULL is used the MEMORY store is used.
 * @param flags list of flags:
 * - HX509_CERTS_CREATE create a new keystore of the specific TYPE.
 * - HX509_CERTS_UNPROTECT_ALL fail if any private key failed to be extracted.
 * @param lock a lock that unlocks the certificate store, use NULL to
 * select no password/certificates/prompt lock (see @ref page_lock).
 * @param certs return pointer, free with hx509_certs_free().
 *
 * @return Returns an hx509 error code.
 *
 * @ingroup hx509_keyset
 */

int
hx509_certs_init (
	hx509_context /*context*/,
	const char */*name*/,
	int /*flags*/,
	hx509_lock /*lock*/,
	hx509_certs */*certs*/);

/**
 * Iterate over all certificates in a keystore and call a block
 * for each of them.
 *
 * @param context a hx509 context.
 * @param certs certificate store to iterate over.
 * @param func block to call for each certificate. The block
 * should return non-zero to abort the iteration; that value is passed
 * back to the caller of hx509_certs_iter().
 *
 * @return Returns an hx509 error code.
 *
 * @ingroup hx509_keyset
 */

#ifdef __BLOCKS__
int
hx509_certs_iter (
	hx509_context /*context*/,
	hx509_certs /*certs*/,
	int (^func)(hx509_cert));
#endif /* __BLOCKS__ */

/**
 * Iterate over all certificates in a keystore and call a function
 * for each of them.
 *
 * @param context a hx509 context.
 * @param certs certificate store to iterate over.
* @param func function to call for each certificate. The function
 * should return non-zero to abort the iteration; that value is passed
 * back to the caller of hx509_certs_iter_f().
 * @param ctx context variable that will be passed to the function.
 *
 * @return Returns an hx509 error code.
 *
 * @ingroup hx509_keyset
 */

int
hx509_certs_iter_f (
	hx509_context /*context*/,
	hx509_certs /*certs*/,
	int (*/*func*/)(hx509_context, void *, hx509_cert),
	void */*ctx*/);

/**
 * Merge a certificate store into another. The from store is kept
 * intact.
 *
 * @param context a hx509 context.
 * @param to the store to merge into.
 * @param from the store to copy the objects from.
 *
 * @return Returns an hx509 error code.
 *
 * @ingroup hx509_keyset
 */

int
hx509_certs_merge (
	hx509_context /*context*/,
	hx509_certs /*to*/,
	hx509_certs /*from*/);

/**
 * Get the next certificate from the certificate keystore pointed out by
 * cursor.
 *
 * @param context a hx509 context.
 * @param certs certificate store to iterate over.
 * @param cursor cursor that keeps track of progress.
 * @param cert returned certificate, the next one in the store, or NULL
 * if the store contains no more certificates. Free with hx509_cert_free().
 *
 * @return Returns an hx509 error code.
 *
 * @ingroup hx509_keyset
 */

int
hx509_certs_next_cert (
	hx509_context /*context*/,
	hx509_certs /*certs*/,
	hx509_cursor /*cursor*/,
	hx509_cert */*cert*/);

/*
 * Not documented in the generated source. Presumably adds a reference
 * to the store and returns it, mirroring hx509_cert_ref(); confirm
 * against the implementation.
 */
hx509_certs
hx509_certs_ref (hx509_certs /*certs*/);

/**
 * Start the iteration.
 *
 * @param context a hx509 context.
 * @param certs certificate store to iterate over.
 * @param cursor cursor that will keep track of progress, free with
 * hx509_certs_end_seq().
1215 * 1216 * @return Returns an hx509 error code. HX509_UNSUPPORTED_OPERATION is 1217 * returned if the certificate store doesn't support the iteration 1218 * operation. 1219 * 1220 * @ingroup hx509_keyset 1221 */ 1222 1223int 1224hx509_certs_start_seq ( 1225 hx509_context /*context*/, 1226 hx509_certs /*certs*/, 1227 hx509_cursor */*cursor*/); 1228 1229/** 1230 * Write the certificate store to stable storage. 1231 * 1232 * @param context A hx509 context. 1233 * @param certs a certificate store to store. 1234 * @param flags currently unused, use 0. 1235 * @param lock a lock that unlocks the certificates store, use NULL to 1236 * select no password/certifictes/prompt lock (see @ref page_lock). 1237 * 1238 * @return Returns an hx509 error code. HX509_UNSUPPORTED_OPERATION if 1239 * the certificate store doesn't support the store operation. 1240 * 1241 * @ingroup hx509_keyset 1242 */ 1243 1244int 1245hx509_certs_store ( 1246 hx509_context /*context*/, 1247 hx509_certs /*certs*/, 1248 int /*flags*/, 1249 hx509_lock /*lock*/); 1250 1251/** 1252 * Function to use to hx509_certs_iter_f() as a function argument, the 1253 * ctx variable to hx509_certs_iter_f() should be a FILE file descriptor. 1254 * 1255 * @param context a hx509 context. 1256 * @param ctx used by hx509_certs_iter_f(). 1257 * @param c a certificate 1258 * 1259 * @return Returns an hx509 error code. 1260 * 1261 * @ingroup hx509_keyset 1262 */ 1263 1264int 1265hx509_ci_print_names ( 1266 hx509_context /*context*/, 1267 void */*ctx*/, 1268 hx509_cert /*c*/); 1269 1270/** 1271 * Resets the error strings the hx509 context. 1272 * 1273 * @param context A hx509 context. 
1274 * 1275 * @ingroup hx509_error 1276 */ 1277 1278void 1279hx509_clear_error_string (hx509_context /*context*/); 1280 1281int 1282hx509_cms_create_signed ( 1283 hx509_context /*context*/, 1284 int /*flags*/, 1285 const heim_oid */*eContentType*/, 1286 const void */*data*/, 1287 size_t /*length*/, 1288 const AlgorithmIdentifier */*digest_alg*/, 1289 hx509_certs /*certs*/, 1290 hx509_peer_info /*peer*/, 1291 hx509_certs /*anchors*/, 1292 hx509_certs /*pool*/, 1293 heim_octet_string */*signed_data*/); 1294 1295/** 1296 * Decode SignedData and verify that the signature is correct. 1297 * 1298 * @param context A hx509 context. 1299 * @param flags 1300 * @param eContentType the type of the data. 1301 * @param data data to sign 1302 * @param length length of the data that data point to. 1303 * @param digest_alg digest algorithm to use, use NULL to get the 1304 * default or the peer determined algorithm. 1305 * @param cert certificate to use for sign the data. 1306 * @param peer info about the peer the message to send the message to, 1307 * like what digest algorithm to use. 1308 * @param anchors trust anchors that the client will use, used to 1309 * polulate the certificates included in the message 1310 * @param pool certificates to use in try to build the path to the 1311 * trust anchors. 1312 * @param signed_data the output of the function, free with 1313 * der_free_octet_string(). 1314 * 1315 * @return Returns an hx509 error code. 1316 * 1317 * @ingroup hx509_cms 1318 */ 1319 1320int 1321hx509_cms_create_signed_1 ( 1322 hx509_context /*context*/, 1323 int /*flags*/, 1324 const heim_oid */*eContentType*/, 1325 const void */*data*/, 1326 size_t /*length*/, 1327 const AlgorithmIdentifier */*digest_alg*/, 1328 hx509_cert /*cert*/, 1329 hx509_peer_info /*peer*/, 1330 hx509_certs /*anchors*/, 1331 hx509_certs /*pool*/, 1332 heim_octet_string */*signed_data*/); 1333 1334/** 1335 * Use HX509_CMS_SIGNATURE_NO_SIGNER to create no sigInfo (no 1336 * signatures). 
1337 */ 1338 1339int 1340hx509_cms_decrypt_encrypted ( 1341 hx509_context /*context*/, 1342 hx509_lock /*lock*/, 1343 const void */*data*/, 1344 size_t /*length*/, 1345 heim_oid */*contentType*/, 1346 heim_octet_string */*content*/); 1347 1348/** 1349 * Encrypt end encode EnvelopedData. 1350 * 1351 * Encrypt and encode EnvelopedData. The data is encrypted with a 1352 * random key and the the random key is encrypted with the 1353 * certificates private key. This limits what private key type can be 1354 * used to RSA. 1355 * 1356 * @param context A hx509 context. 1357 * @param flags flags to control the behavior. 1358 * - HX509_CMS_EV_NO_KU_CHECK - Don't check KU on certificate 1359 * - HX509_CMS_EV_ALLOW_WEAK - Allow weak crytpo 1360 * - HX509_CMS_EV_ID_NAME - prefer issuer name and serial number 1361 * @param cert Certificate to encrypt the EnvelopedData encryption key 1362 * with. 1363 * @param data pointer the data to encrypt. 1364 * @param length length of the data that data point to. 1365 * @param encryption_type Encryption cipher to use for the bulk data, 1366 * use NULL to get default. 1367 * @param contentType type of the data that is encrypted 1368 * @param content the output of the function, 1369 * free with der_free_octet_string(). 1370 * 1371 * @return an hx509 error code. 1372 * 1373 * @ingroup hx509_cms 1374 */ 1375 1376int 1377hx509_cms_envelope_1 ( 1378 hx509_context /*context*/, 1379 int /*flags*/, 1380 hx509_cert /*cert*/, 1381 const void */*data*/, 1382 size_t /*length*/, 1383 const heim_oid */*encryption_type*/, 1384 const heim_oid */*contentType*/, 1385 heim_octet_string */*content*/); 1386 1387/** 1388 * Decode and unencrypt EnvelopedData. 1389 * 1390 * Extract data and parameteres from from the EnvelopedData. Also 1391 * supports using detached EnvelopedData. 1392 * 1393 * @param context A hx509 context. 1394 * @param certs Certificate that can decrypt the EnvelopedData 1395 * encryption key. 
1396 * @param flags HX509_CMS_UE flags to control the behavior. 1397 * @param data pointer the structure the contains the DER/BER encoded 1398 * EnvelopedData stucture. 1399 * @param length length of the data that data point to. 1400 * @param encryptedContent in case of detached signature, this 1401 * contains the actual encrypted data, othersize its should be NULL. 1402 * @param time_now set the current time, if zero the library uses now as the date. 1403 * @param contentType output type oid, should be freed with der_free_oid(). 1404 * @param content the data, free with der_free_octet_string(). 1405 * 1406 * @return an hx509 error code. 1407 * 1408 * @ingroup hx509_cms 1409 */ 1410 1411int 1412hx509_cms_unenvelope ( 1413 hx509_context /*context*/, 1414 hx509_certs /*certs*/, 1415 int /*flags*/, 1416 const void */*data*/, 1417 size_t /*length*/, 1418 const heim_octet_string */*encryptedContent*/, 1419 time_t /*time_now*/, 1420 heim_oid */*contentType*/, 1421 heim_octet_string */*content*/); 1422 1423/** 1424 * Decode an ContentInfo and unwrap data and oid it. 1425 * 1426 * @param in the encoded buffer. 1427 * @param oid type of the content. 1428 * @param out data to be wrapped. 1429 * @param have_data since the data is optional, this flags show dthe 1430 * diffrence between no data and the zero length data. 1431 * 1432 * @return Returns an hx509 error code. 1433 * 1434 * @ingroup hx509_cms 1435 */ 1436 1437int 1438hx509_cms_unwrap_ContentInfo ( 1439 const heim_octet_string */*in*/, 1440 heim_oid */*oid*/, 1441 heim_octet_string */*out*/, 1442 int */*have_data*/); 1443 1444/** 1445 * Decode SignedData and verify that the signature is correct. 1446 * 1447 * @param context A hx509 context. 1448 * @param ctx a hx509 verify context. 1449 * @param flags to control the behaivor of the function. 
1450 * - HX509_CMS_VS_NO_KU_CHECK - Don't check KeyUsage 1451 * - HX509_CMS_VS_ALLOW_DATA_OID_MISMATCH - allow oid mismatch 1452 * - HX509_CMS_VS_ALLOW_ZERO_SIGNER - no signer, see below. 1453 * @param data pointer to CMS SignedData encoded data. 1454 * @param length length of the data that data point to. 1455 * @param signedContent external data used for signature. 1456 * @param pool certificate pool to build certificates paths. 1457 * @param contentType free with der_free_oid(). 1458 * @param content the output of the function, free with 1459 * der_free_octet_string(). 1460 * @param signer_certs list of the cerficates used to sign this 1461 * request, free with hx509_certs_free(). 1462 * 1463 * @return an hx509 error code. 1464 * 1465 * @ingroup hx509_cms 1466 */ 1467 1468int 1469hx509_cms_verify_signed ( 1470 hx509_context /*context*/, 1471 hx509_verify_ctx /*ctx*/, 1472 unsigned int /*flags*/, 1473 const void */*data*/, 1474 size_t /*length*/, 1475 const heim_octet_string */*signedContent*/, 1476 hx509_certs /*pool*/, 1477 heim_oid */*contentType*/, 1478 heim_octet_string */*content*/, 1479 hx509_certs */*signer_certs*/); 1480 1481/** 1482 * Wrap data and oid in a ContentInfo and encode it. 1483 * 1484 * @param oid type of the content. 1485 * @param buf data to be wrapped. If a NULL pointer is passed in, the 1486 * optional content field in the ContentInfo is not going be filled 1487 * in. 1488 * @param res the encoded buffer, the result should be freed with 1489 * der_free_octet_string(). 1490 * 1491 * @return Returns an hx509 error code. 1492 * 1493 * @ingroup hx509_cms 1494 */ 1495 1496int 1497hx509_cms_wrap_ContentInfo ( 1498 const heim_oid */*oid*/, 1499 const heim_octet_string */*buf*/, 1500 heim_octet_string */*res*/); 1501 1502/** 1503 * Free the context allocated by hx509_context_init(). 1504 * 1505 * @param context context to be freed. 
1506 * 1507 * @ingroup hx509 1508 */ 1509 1510void 1511hx509_context_free (hx509_context */*context*/); 1512 1513/** 1514 * Creates a hx509 context that most functions in the library 1515 * uses. The context is only allowed to be used by one thread at each 1516 * moment. Free the context with hx509_context_free(). 1517 * 1518 * @param context Returns a pointer to new hx509 context. 1519 * 1520 * @return Returns an hx509 error code. 1521 * 1522 * @ingroup hx509 1523 */ 1524 1525int 1526hx509_context_init (hx509_context */*context*/); 1527 1528/** 1529 * Selects if the hx509_revoke_verify() function is going to require 1530 * the existans of a revokation method (OCSP, CRL) or not. Note that 1531 * hx509_verify_path(), hx509_cms_verify_signed(), and other function 1532 * call hx509_revoke_verify(). 1533 * 1534 * @param context hx509 context to change the flag for. 1535 * @param flag zero, revokation method required, non zero missing 1536 * revokation method ok 1537 * 1538 * @ingroup hx509_verify 1539 */ 1540 1541void 1542hx509_context_set_missing_revoke ( 1543 hx509_context /*context*/, 1544 int /*flag*/); 1545 1546/** 1547 * Add revoked certificate to an CRL context. 1548 * 1549 * @param context a hx509 context. 1550 * @param crl the CRL to add the revoked certificate to. 1551 * @param certs keyset of certificate to revoke. 1552 * 1553 * @return An hx509 error code, see hx509_get_error_string(). 1554 * 1555 * @ingroup hx509_verify 1556 */ 1557 1558int 1559hx509_crl_add_revoked_certs ( 1560 hx509_context /*context*/, 1561 hx509_crl /*crl*/, 1562 hx509_certs /*certs*/); 1563 1564/** 1565 * Create a CRL context. Use hx509_crl_free() to free the CRL context. 1566 * 1567 * @param context a hx509 context. 1568 * @param crl return pointer to a newly allocated CRL context. 1569 * 1570 * @return An hx509 error code, see hx509_get_error_string(). 
1571 * 1572 * @ingroup hx509_verify 1573 */ 1574 1575int 1576hx509_crl_alloc ( 1577 hx509_context /*context*/, 1578 hx509_crl */*crl*/); 1579 1580/** 1581 * Free a CRL context. 1582 * 1583 * @param context a hx509 context. 1584 * @param crl a CRL context to free. 1585 * 1586 * @ingroup hx509_verify 1587 */ 1588 1589void 1590hx509_crl_free ( 1591 hx509_context /*context*/, 1592 hx509_crl */*crl*/); 1593 1594/** 1595 * Set the lifetime of a CRL context. 1596 * 1597 * @param context a hx509 context. 1598 * @param crl a CRL context 1599 * @param delta delta time the certificate is valid, library adds the 1600 * current time to this. 1601 * 1602 * @return An hx509 error code, see hx509_get_error_string(). 1603 * 1604 * @ingroup hx509_verify 1605 */ 1606 1607int 1608hx509_crl_lifetime ( 1609 hx509_context /*context*/, 1610 hx509_crl /*crl*/, 1611 int /*delta*/); 1612 1613/** 1614 * Sign a CRL and return an encode certificate. 1615 * 1616 * @param context a hx509 context. 1617 * @param signer certificate to sign the CRL with 1618 * @param crl the CRL to sign 1619 * @param os return the signed and encoded CRL, free with 1620 * free_heim_octet_string() 1621 * 1622 * @return An hx509 error code, see hx509_get_error_string(). 
1623 * 1624 * @ingroup hx509_verify 1625 */ 1626 1627int 1628hx509_crl_sign ( 1629 hx509_context /*context*/, 1630 hx509_cert /*signer*/, 1631 hx509_crl /*crl*/, 1632 heim_octet_string */*os*/); 1633 1634const AlgorithmIdentifier * 1635hx509_crypto_aes128_cbc (void); 1636 1637const AlgorithmIdentifier * 1638hx509_crypto_aes256_cbc (void); 1639 1640void 1641hx509_crypto_allow_weak (hx509_crypto /*crypto*/); 1642 1643int 1644hx509_crypto_available ( 1645 hx509_context /*context*/, 1646 int /*type*/, 1647 hx509_cert /*source*/, 1648 AlgorithmIdentifier **/*val*/, 1649 unsigned int */*plen*/); 1650 1651int 1652hx509_crypto_decrypt ( 1653 hx509_crypto /*crypto*/, 1654 const void */*data*/, 1655 const size_t /*length*/, 1656 heim_octet_string */*ivec*/, 1657 heim_octet_string */*clear*/); 1658 1659const AlgorithmIdentifier * 1660hx509_crypto_des_rsdi_ede3_cbc (void); 1661 1662void 1663hx509_crypto_destroy (hx509_crypto /*crypto*/); 1664 1665int 1666hx509_crypto_encrypt ( 1667 hx509_crypto /*crypto*/, 1668 const void */*data*/, 1669 const size_t /*length*/, 1670 const heim_octet_string */*ivec*/, 1671 heim_octet_string **/*ciphertext*/); 1672 1673const heim_oid * 1674hx509_crypto_enctype_by_name (const char */*name*/); 1675 1676void 1677hx509_crypto_free_algs ( 1678 AlgorithmIdentifier */*val*/, 1679 unsigned int /*len*/); 1680 1681int 1682hx509_crypto_get_params ( 1683 hx509_context /*context*/, 1684 hx509_crypto /*crypto*/, 1685 const heim_octet_string */*ivec*/, 1686 heim_octet_string */*param*/); 1687 1688int 1689hx509_crypto_init ( 1690 hx509_context /*context*/, 1691 const char */*provider*/, 1692 const heim_oid */*enctype*/, 1693 hx509_crypto */*crypto*/); 1694 1695const char * 1696hx509_crypto_provider (hx509_crypto /*crypto*/); 1697 1698int 1699hx509_crypto_random_iv ( 1700 hx509_crypto /*crypto*/, 1701 heim_octet_string */*ivec*/); 1702 1703int 1704hx509_crypto_select ( 1705 const hx509_context /*context*/, 1706 int /*type*/, 1707 const hx509_private_key 
/*source*/, 1708 hx509_peer_info /*peer*/, 1709 AlgorithmIdentifier */*selected*/); 1710 1711int 1712hx509_crypto_set_key_data ( 1713 hx509_crypto /*crypto*/, 1714 const void */*data*/, 1715 size_t /*length*/); 1716 1717int 1718hx509_crypto_set_key_name ( 1719 hx509_crypto /*crypto*/, 1720 const char */*name*/); 1721 1722void 1723hx509_crypto_set_padding ( 1724 hx509_crypto /*crypto*/, 1725 int /*padding_type*/); 1726 1727int 1728hx509_crypto_set_params ( 1729 hx509_context /*context*/, 1730 hx509_crypto /*crypto*/, 1731 const heim_octet_string */*param*/, 1732 heim_octet_string */*ivec*/); 1733 1734int 1735hx509_crypto_set_random_key ( 1736 hx509_crypto /*crypto*/, 1737 heim_octet_string */*key*/); 1738 1739/** 1740 * Add a new key/value pair to the hx509_env. 1741 * 1742 * @param context A hx509 context. 1743 * @param env environment to add the environment variable too. 1744 * @param key key to add 1745 * @param value value to add 1746 * 1747 * @return An hx509 error code, see hx509_get_error_string(). 1748 * 1749 * @ingroup hx509_env 1750 */ 1751 1752int 1753hx509_env_add ( 1754 hx509_context /*context*/, 1755 hx509_env */*env*/, 1756 const char */*key*/, 1757 const char */*value*/); 1758 1759/** 1760 * Add a new key/binding pair to the hx509_env. 1761 * 1762 * @param context A hx509 context. 1763 * @param env environment to add the environment variable too. 1764 * @param key key to add 1765 * @param list binding list to add 1766 * 1767 * @return An hx509 error code, see hx509_get_error_string(). 1768 * 1769 * @ingroup hx509_env 1770 */ 1771 1772int 1773hx509_env_add_binding ( 1774 hx509_context /*context*/, 1775 hx509_env */*env*/, 1776 const char */*key*/, 1777 hx509_env /*list*/); 1778 1779/** 1780 * Search the hx509_env for a key. 1781 * 1782 * @param context A hx509 context. 1783 * @param env environment to add the environment variable too. 1784 * @param key key to search for. 1785 * 1786 * @return the value if the key is found, NULL otherwise. 
1787 * 1788 * @ingroup hx509_env 1789 */ 1790 1791const char * 1792hx509_env_find ( 1793 hx509_context /*context*/, 1794 hx509_env /*env*/, 1795 const char */*key*/); 1796 1797/** 1798 * Search the hx509_env for a binding. 1799 * 1800 * @param context A hx509 context. 1801 * @param env environment to add the environment variable too. 1802 * @param key key to search for. 1803 * 1804 * @return the binding if the key is found, NULL if not found. 1805 * 1806 * @ingroup hx509_env 1807 */ 1808 1809hx509_env 1810hx509_env_find_binding ( 1811 hx509_context /*context*/, 1812 hx509_env /*env*/, 1813 const char */*key*/); 1814 1815/** 1816 * Free an hx509_env environment context. 1817 * 1818 * @param env the environment to free. 1819 * 1820 * @ingroup hx509_env 1821 */ 1822 1823void 1824hx509_env_free (hx509_env */*env*/); 1825 1826/** 1827 * Search the hx509_env for a length based key. 1828 * 1829 * @param context A hx509 context. 1830 * @param env environment to add the environment variable too. 1831 * @param key key to search for. 1832 * @param len length of key. 1833 * 1834 * @return the value if the key is found, NULL otherwise. 1835 * 1836 * @ingroup hx509_env 1837 */ 1838 1839const char * 1840hx509_env_lfind ( 1841 hx509_context /*context*/, 1842 hx509_env /*env*/, 1843 const char */*key*/, 1844 size_t /*len*/); 1845 1846/** 1847 * Print error message and fatally exit from error code 1848 * 1849 * @param context A hx509 context. 1850 * @param exit_code exit() code from process. 1851 * @param error_code Error code for the reason to exit. 1852 * @param fmt format string with the exit message. 1853 * @param ... argument to format string. 
1854 * 1855 * @ingroup hx509_error 1856 */ 1857 1858void 1859hx509_err ( 1860 hx509_context /*context*/, 1861 int /*exit_code*/, 1862 int /*error_code*/, 1863 const char */*fmt*/, 1864 ...); 1865 1866hx509_private_key_ops * 1867hx509_find_private_alg (const heim_oid */*oid*/); 1868 1869/** 1870 * Free error string returned by hx509_get_error_string(). 1871 * 1872 * @param str error string to free. 1873 * 1874 * @ingroup hx509_error 1875 */ 1876 1877void 1878hx509_free_error_string (char */*str*/); 1879 1880/** 1881 * Free a list of octet strings returned by another hx509 library 1882 * function. 1883 * 1884 * @param list list to be freed. 1885 * 1886 * @ingroup hx509_misc 1887 */ 1888 1889void 1890hx509_free_octet_string_list (hx509_octet_string_list */*list*/); 1891 1892/** 1893 * Unparse the hx509 name in name into a string. 1894 * 1895 * @param name the name to print 1896 * @param str an allocated string returns the name in string form 1897 * 1898 * @return An hx509 error code, see hx509_get_error_string(). 1899 * 1900 * @ingroup hx509_name 1901 */ 1902 1903int 1904hx509_general_name_unparse ( 1905 GeneralName */*name*/, 1906 char **/*str*/); 1907 1908/** 1909 * Get an error string from context associated with error_code. 1910 * 1911 * @param context A hx509 context. 1912 * @param error_code Get error message for this error code. 1913 * 1914 * @return error string, free with hx509_free_error_string(). 1915 * 1916 * @ingroup hx509_error 1917 */ 1918 1919char * 1920hx509_get_error_string ( 1921 hx509_context /*context*/, 1922 int /*error_code*/); 1923 1924/** 1925 * Get one random certificate from the certificate store. 1926 * 1927 * @param context a hx509 context. 1928 * @param certs a certificate store to get the certificate from. 1929 * @param c return certificate, should be freed with hx509_cert_free(). 1930 * 1931 * @return Returns an hx509 error code. 
1932 * 1933 * @ingroup hx509_keyset 1934 */ 1935 1936int 1937hx509_get_one_cert ( 1938 hx509_context /*context*/, 1939 hx509_certs /*certs*/, 1940 hx509_cert */*c*/); 1941 1942int 1943hx509_lock_add_cert ( 1944 hx509_context /*context*/, 1945 hx509_lock /*lock*/, 1946 hx509_cert /*cert*/); 1947 1948int 1949hx509_lock_add_certs ( 1950 hx509_context /*context*/, 1951 hx509_lock /*lock*/, 1952 hx509_certs /*certs*/); 1953 1954int 1955hx509_lock_add_password ( 1956 hx509_lock /*lock*/, 1957 const char */*password*/); 1958 1959int 1960hx509_lock_command_string ( 1961 hx509_lock /*lock*/, 1962 const char */*string*/); 1963 1964void 1965hx509_lock_free (hx509_lock /*lock*/); 1966 1967/** 1968 * @page page_lock Locking and unlocking certificates and encrypted data. 1969 * 1970 * See the library functions here: @ref hx509_lock 1971 */ 1972 1973int 1974hx509_lock_init ( 1975 hx509_context /*context*/, 1976 hx509_lock */*lock*/); 1977 1978int 1979hx509_lock_prompt ( 1980 hx509_lock /*lock*/, 1981 hx509_prompt */*prompt*/); 1982 1983void 1984hx509_lock_reset_certs ( 1985 hx509_context /*context*/, 1986 hx509_lock /*lock*/); 1987 1988void 1989hx509_lock_reset_passwords (hx509_lock /*lock*/); 1990 1991void 1992hx509_lock_reset_promper (hx509_lock /*lock*/); 1993 1994int 1995hx509_lock_set_prompter ( 1996 hx509_lock /*lock*/, 1997 hx509_prompter_fct /*prompt*/, 1998 void */*data*/); 1999 2000/** 2001 * Convert a hx509_name object to DER encoded name. 2002 * 2003 * @param name name to concert 2004 * @param os data to a DER encoded name, free the resulting octet 2005 * string with hx509_xfree(os->data). 2006 * 2007 * @return An hx509 error code, see hx509_get_error_string(). 2008 * 2009 * @ingroup hx509_name 2010 */ 2011 2012int 2013hx509_name_binary ( 2014 const hx509_name /*name*/, 2015 heim_octet_string */*os*/); 2016 2017/** 2018 * Compare to hx509 name object, useful for sorting. 2019 * 2020 * @param n1 a hx509 name object. 2021 * @param n2 a hx509 name object. 
2022 * 2023 * @return 0 the objects are the same, returns > 0 is n2 is "larger" 2024 * then n2, < 0 if n1 is "smaller" then n2. 2025 * 2026 * @ingroup hx509_name 2027 */ 2028 2029int 2030hx509_name_cmp ( 2031 hx509_name /*n1*/, 2032 hx509_name /*n2*/); 2033 2034/** 2035 * Copy a hx509 name object. 2036 * 2037 * @param context A hx509 cotext. 2038 * @param from the name to copy from 2039 * @param to the name to copy to 2040 * 2041 * @return An hx509 error code, see hx509_get_error_string(). 2042 * 2043 * @ingroup hx509_name 2044 */ 2045 2046int 2047hx509_name_copy ( 2048 hx509_context /*context*/, 2049 const hx509_name /*from*/, 2050 hx509_name */*to*/); 2051 2052/** 2053 * Expands variables in the name using env. Variables are on the form 2054 * ${name}. Useful when dealing with certificate templates. 2055 * 2056 * @param context A hx509 cotext. 2057 * @param name the name to expand. 2058 * @param env environment variable to expand. 2059 * 2060 * @return An hx509 error code, see hx509_get_error_string(). 2061 * 2062 * @ingroup hx509_name 2063 */ 2064 2065int 2066hx509_name_expand ( 2067 hx509_context /*context*/, 2068 hx509_name /*name*/, 2069 hx509_env /*env*/); 2070 2071/** 2072 * Free a hx509 name object, upond return *name will be NULL. 2073 * 2074 * @param name a hx509 name object to be freed. 2075 * 2076 * @ingroup hx509_name 2077 */ 2078 2079void 2080hx509_name_free (hx509_name */*name*/); 2081 2082/** 2083 * Unparse the hx509 name in name into a string. 2084 * 2085 * @param name the name to check if its empty/null. 2086 * 2087 * @return non zero if the name is empty/null. 2088 * 2089 * @ingroup hx509_name 2090 */ 2091 2092int 2093hx509_name_is_null_p (const hx509_name /*name*/); 2094 2095int 2096hx509_name_normalize ( 2097 hx509_context /*context*/, 2098 hx509_name /*name*/); 2099 2100/** 2101 * Convert a hx509_name into a Name. 
2102 * 2103 * @param from the name to copy from 2104 * @param to the name to copy to 2105 * 2106 * @return An hx509 error code, see hx509_get_error_string(). 2107 * 2108 * @ingroup hx509_name 2109 */ 2110 2111int 2112hx509_name_to_Name ( 2113 const hx509_name /*from*/, 2114 Name */*to*/); 2115 2116/** 2117 * Convert the hx509 name object into a printable string. 2118 * The resulting string should be freed with free(). 2119 * 2120 * @param name name to print 2121 * @param str the string to return 2122 * 2123 * @return An hx509 error code, see hx509_get_error_string(). 2124 * 2125 * @ingroup hx509_name 2126 */ 2127 2128int 2129hx509_name_to_string ( 2130 const hx509_name /*name*/, 2131 char **/*str*/); 2132 2133/** 2134 * Create an OCSP request for a set of certificates. 2135 * 2136 * @param context a hx509 context 2137 * @param reqcerts list of certificates to request ocsp data for 2138 * @param pool certificate pool to use when signing 2139 * @param signer certificate to use to sign the request 2140 * @param digest the signing algorithm in the request, if NULL use the 2141 * default signature algorithm, 2142 * @param request the encoded request, free with free_heim_octet_string(). 2143 * @param nonce nonce in the request, free with free_heim_octet_string(). 2144 * 2145 * @return An hx509 error code, see hx509_get_error_string(). 2146 * 2147 * @ingroup hx509_revoke 2148 */ 2149 2150int 2151hx509_ocsp_request ( 2152 hx509_context /*context*/, 2153 hx509_certs /*reqcerts*/, 2154 hx509_certs /*pool*/, 2155 hx509_cert /*signer*/, 2156 const AlgorithmIdentifier */*digest*/, 2157 heim_octet_string */*request*/, 2158 heim_octet_string */*nonce*/); 2159 2160/** 2161 * Verify that the certificate is part of the OCSP reply and it's not 2162 * expired. Doesn't verify signature the OCSP reply or it's done by a 2163 * authorized sender, that is assumed to be already done. 
2164 * 2165 * @param context a hx509 context 2166 * @param now the time right now, if 0, use the current time. 2167 * @param cert the certificate to verify 2168 * @param flags flags control the behavior 2169 * @param data pointer to the encode ocsp reply 2170 * @param length the length of the encode ocsp reply 2171 * @param expiration return the time the OCSP will expire and need to 2172 * be rechecked. 2173 * 2174 * @return An hx509 error code, see hx509_get_error_string(). 2175 * 2176 * @ingroup hx509_verify 2177 */ 2178 2179int 2180hx509_ocsp_verify ( 2181 hx509_context /*context*/, 2182 time_t /*now*/, 2183 hx509_cert /*cert*/, 2184 int /*flags*/, 2185 const void */*data*/, 2186 size_t /*length*/, 2187 time_t */*expiration*/); 2188 2189/** 2190 * Print a oid using a hx509_vprint_func function. To print to stdout 2191 * use hx509_print_stdout(). 2192 * 2193 * @param oid oid to print 2194 * @param func hx509_vprint_func to print with. 2195 * @param ctx context variable to hx509_vprint_func function. 2196 * 2197 * @ingroup hx509_print 2198 */ 2199 2200void 2201hx509_oid_print ( 2202 const heim_oid */*oid*/, 2203 hx509_vprint_func /*func*/, 2204 void */*ctx*/); 2205 2206/** 2207 * Print a oid to a string. 2208 * 2209 * @param oid oid to print 2210 * @param str allocated string, free with hx509_xfree(). 2211 * 2212 * @return An hx509 error code, see hx509_get_error_string(). 2213 * 2214 * @ingroup hx509_print 2215 */ 2216 2217int 2218hx509_oid_sprint ( 2219 const heim_oid */*oid*/, 2220 char **/*str*/); 2221 2222/** 2223 * Parse a string into a hx509 name object. 2224 * 2225 * @param context A hx509 context. 2226 * @param str a string to parse. 2227 * @param name the resulting object, NULL in case of error. 2228 * 2229 * @return An hx509 error code, see hx509_get_error_string(). 
2230 * 2231 * @ingroup hx509_name 2232 */ 2233 2234int 2235hx509_parse_name ( 2236 hx509_context /*context*/, 2237 const char */*str*/, 2238 hx509_name */*name*/); 2239 2240int 2241hx509_parse_private_key ( 2242 hx509_context /*context*/, 2243 const AlgorithmIdentifier */*keyai*/, 2244 const void */*data*/, 2245 size_t /*len*/, 2246 hx509_key_format_t /*format*/, 2247 hx509_private_key */*private_key*/); 2248 2249/** 2250 * Add an additional algorithm that the peer supports. 2251 * 2252 * @param context A hx509 context. 2253 * @param peer the peer to set the new algorithms for 2254 * @param val an AlgorithmsIdentier to add 2255 * 2256 * @return An hx509 error code, see hx509_get_error_string(). 2257 * 2258 * @ingroup hx509_peer 2259 */ 2260 2261int 2262hx509_peer_info_add_cms_alg ( 2263 hx509_context /*context*/, 2264 hx509_peer_info /*peer*/, 2265 const AlgorithmIdentifier */*val*/); 2266 2267/** 2268 * Allocate a new peer info structure an init it to default values. 2269 * 2270 * @param context A hx509 context. 2271 * @param peer return an allocated peer, free with hx509_peer_info_free(). 2272 * 2273 * @return An hx509 error code, see hx509_get_error_string(). 2274 * 2275 * @ingroup hx509_peer 2276 */ 2277 2278int 2279hx509_peer_info_alloc ( 2280 hx509_context /*context*/, 2281 hx509_peer_info */*peer*/); 2282 2283/** 2284 * Free a peer info structure. 2285 * 2286 * @param peer peer info to be freed. 2287 * 2288 * @ingroup hx509_peer 2289 */ 2290 2291void 2292hx509_peer_info_free (hx509_peer_info /*peer*/); 2293 2294/** 2295 * Set the certificate that remote peer is using. 2296 * 2297 * @param peer peer info to update 2298 * @param cert cerificate of the remote peer. 2299 * 2300 * @return An hx509 error code, see hx509_get_error_string(). 2301 * 2302 * @ingroup hx509_peer 2303 */ 2304 2305int 2306hx509_peer_info_set_cert ( 2307 hx509_peer_info /*peer*/, 2308 hx509_cert /*cert*/); 2309 2310/** 2311 * Set the algorithms that the peer supports. 
 *
 * @param context A hx509 context.
 * @param peer the peer to set the new algorithms for
 * @param val array of supported AlgorithmIdentifiers
 * @param len length of array val.
 *
 * @return An hx509 error code, see hx509_get_error_string().
 *
 * @ingroup hx509_peer
 */

int
hx509_peer_info_set_cms_algs (
	hx509_context /*context*/,
	hx509_peer_info /*peer*/,
	const AlgorithmIdentifier */*val*/,
	size_t /*len*/);

/*
 * PEM header list helpers. Undocumented in the generated header; the
 * notes below are read from the signatures only and should be confirmed
 * against the definitions.
 *
 * hx509_pem_add_header: add a header/value pair to the list at *headers
 * (passed by address, so the list head may be replaced).
 * hx509_pem_find_header: look up header in h; returns NULL presumably when
 * the header is absent. The returned string points into the list, so it
 * must not outlive it.
 * hx509_pem_free_header: release a list built by hx509_pem_add_header().
 */

int
hx509_pem_add_header (
	hx509_pem_header **/*headers*/,
	const char */*header*/,
	const char */*value*/);

const char *
hx509_pem_find_header (
	const hx509_pem_header */*h*/,
	const char */*header*/);

void
hx509_pem_free_header (hx509_pem_header */*headers*/);

/*
 * Read PEM objects from f, calling func (with ctx) for each one;
 * presumably each call receives the decoded object and its headers —
 * confirm against hx509_pem_read_func.
 */

int
hx509_pem_read (
	hx509_context /*context*/,
	FILE */*f*/,
	hx509_pem_read_func /*func*/,
	void */*ctx*/);

/*
 * Write one PEM object of the given type, with the optional headers, to f.
 * data/size is the raw (DER) payload to be base64-armoured.
 */

int
hx509_pem_write (
	hx509_context /*context*/,
	const char */*type*/,
	hx509_pem_header */*headers*/,
	FILE */*f*/,
	const void */*data*/,
	size_t /*size*/);

/**
 * Print a simple representation of a certificate
 *
 * @param context A hx509 context, can be NULL
 * @param cert certificate to print
 * @param out the stdio output stream, if NULL, stdout is used
 *
 * @return An hx509 error code
 *
 * @ingroup hx509_cert
 */

int
hx509_print_cert (
	hx509_context /*context*/,
	hx509_cert /*cert*/,
	FILE */*out*/);

/**
 * Helper function to print on stdout for:
 * - hx509_oid_print(),
 * - hx509_bitstring_print(),
 * - hx509_validate_ctx_set_print().
 *
 * @param ctx the context to the print function. If the ctx is NULL,
 * stdout is used.
 * @param fmt the printing format.
 * @param va the argument list.
 *
 * @ingroup hx509_print
 */

void
hx509_print_stdout (
	void */*ctx*/,
	const char */*fmt*/,
	va_list /*va*/);

/*
 * Derive the SubjectPublicKeyInfo for a private key into *spki.
 * Undocumented in the generated header; ownership of the filled-in spki
 * (presumably the caller frees it) should be confirmed.
 */

int
hx509_private_key2SPKI (
	hx509_context /*context*/,
	hx509_private_key /*private_key*/,
	SubjectPublicKeyInfo */*spki*/);

/*
 * Attach an RSA key object (opaque ptr) to key. Whether key takes
 * ownership of ptr is not stated here — confirm before relying on it.
 */

void
hx509_private_key_assign_rsa (
	hx509_private_key /*key*/,
	void */*ptr*/);

/*
 * Free *key. Takes the key by address; presumably clears *key so the
 * caller is left without a dangling handle — confirm.
 */

int
hx509_private_key_free (hx509_private_key */*key*/);

/*
 * Allocate a private key object into *key, bound to the operation table
 * ops and the implementation-specific keydata. Free with
 * hx509_private_key_free().
 */

int
hx509_private_key_init (
	hx509_private_key */*key*/,
	hx509_private_key_ops */*ops*/,
	void */*keydata*/);

/*
 * Decrypt ciphertext with a private key.
 * Undocumented in the generated header; the contract below is read from
 * the signature and should be confirmed against the definition.
 *
 * @param context A hx509 context.
 * @param ciphertext the data to decrypt.
 * @param encryption_oid presumably identifies the encryption scheme used.
 * @param p the private key to decrypt with.
 * @param cleartext receives the decrypted data. Who frees it, and whether
 *        the library zeroises it, is not stated here.
 */

int
hx509_private_key_private_decrypt (
	hx509_context /*context*/,
	const heim_octet_string */*ciphertext*/,
	const heim_oid */*encryption_oid*/,
	hx509_private_key /*p*/,
	heim_octet_string */*cleartext*/);

/*
 * Presumably returns non-zero when input for the given prompt type should
 * not be echoed (e.g. passwords) — confirm against the definition.
 */

int
hx509_prompt_hidden (hx509_prompt_type /*type*/);

/**
 * Allocate a query controller. Free using hx509_query_free().
 *
 * @param context A hx509 context.
 * @param q return pointer to a hx509_query.
 *
 * @return An hx509 error code, see hx509_get_error_string().
 *
 * @ingroup hx509_cert
 */

int
hx509_query_alloc (
	hx509_context /*context*/,
	hx509_query **/*q*/);

/**
 * Free the query controller.
 *
 * @param context A hx509 context.
 * @param q a pointer to the query controller.
 *
 * @ingroup hx509_cert
 */

void
hx509_query_free (
	hx509_context /*context*/,
	hx509_query */*q*/);

/**
 * Set the query controller to match using a specific match function.
 *
 * @param q a hx509 query controller.
 * @param func function to use for matching, if the argument is NULL,
 * the match function is removed.
 * @param ctx context passed to the function.
 *
 * @return An hx509 error code, see hx509_get_error_string().
 *
 * @ingroup hx509_cert
 */

int
hx509_query_match_cmp_func (
	hx509_query */*q*/,
	int (*/*func*/)(hx509_context, hx509_cert, void *),
	void */*ctx*/);

/**
 * Set the query controller to require one specific EKU (extended
 * key usage). Any previous EKU matching is overwritten. If NULL is
 * passed in as the eku, the EKU requirement is reset.
 *
 * @param q a hx509 query controller.
 * @param eku an EKU to match on.
 *
 * @return An hx509 error code, see hx509_get_error_string().
 *
 * @ingroup hx509_cert
 */

int
hx509_query_match_eku (
	hx509_query */*q*/,
	const heim_oid */*eku*/);

/*
 * Set the query controller to match certificates against a textual
 * expression expr. The expression syntax is not described in this header;
 * see the definition.
 */

int
hx509_query_match_expr (
	hx509_context /*context*/,
	hx509_query */*q*/,
	const char */*expr*/);

/**
 * Set the query controller to match on a friendly name
 *
 * @param q a hx509 query controller.
 * @param name a friendly name to match on
 *
 * @return An hx509 error code, see hx509_get_error_string().
 *
 * @ingroup hx509_cert
 */

int
hx509_query_match_friendly_name (
	hx509_query */*q*/,
	const char */*name*/);

/**
 * Set the issuer and serial number to match in the query
 * controller. The function makes copies of the issuer and serial number.
 *
 * @param q a hx509 query controller
 * @param issuer issuer to search for
 * @param serialNumber the serialNumber of the issuer.
 *
 * @return An hx509 error code, see hx509_get_error_string().
 *
 * @ingroup hx509_cert
 */

int
hx509_query_match_issuer_serial (
	hx509_query */*q*/,
	const Name */*issuer*/,
	const heim_integer */*serialNumber*/);

/**
 * Set match options for the hx509 query controller.
 *
 * @param q query controller.
 * @param option options to control the query controller.
 *
 * @ingroup hx509_cert
 */

void
hx509_query_match_option (
	hx509_query */*q*/,
	hx509_query_option /*option*/);

/**
 * Set a statistic file for the query statistics.
 *
 * @param context A hx509 context.
 * @param fn statistics file name
 *
 * @ingroup hx509_cert
 */

void
hx509_query_statistic_file (
	hx509_context /*context*/,
	const char */*fn*/);

/**
 * Unparse the statistics file and print the result on a FILE descriptor.
 *
 * @param context A hx509 context.
 * @param printtype type to print
 * @param out the FILE to write the data on.
 *
 * @ingroup hx509_cert
 */

void
hx509_query_unparse_stats (
	hx509_context /*context*/,
	int /*printtype*/,
	FILE */*out*/);

/*
 * Certificate request (CSR) object. Undocumented in the generated header;
 * the notes below are read from the signatures and should be confirmed.
 *
 * hx509_request_init / hx509_request_free: allocate into *req / release.
 * hx509_request_get_SubjectPublicKeyInfo / hx509_request_get_name: copy the
 * request's public key / subject name out into *key / *name; the caller
 * presumably owns and frees the result.
 * hx509_request_set_SubjectPublicKeyInfo / hx509_request_set_name: set the
 * request's public key / subject name from the given value.
 */

void
hx509_request_free (hx509_request */*req*/);

int
hx509_request_get_SubjectPublicKeyInfo (
	hx509_context /*context*/,
	hx509_request /*req*/,
	SubjectPublicKeyInfo */*key*/);

int
hx509_request_get_name (
	hx509_context /*context*/,
	hx509_request /*req*/,
	hx509_name */*name*/);

int
hx509_request_init (
	hx509_context /*context*/,
	hx509_request */*req*/);

int
hx509_request_set_SubjectPublicKeyInfo (
	hx509_context /*context*/,
	hx509_request /*req*/,
	const SubjectPublicKeyInfo */*key*/);

int
hx509_request_set_name (
	hx509_context /*context*/,
	hx509_request /*req*/,
	hx509_name /*name*/);

/**
 * Add a CRL file to the revocation context.
 *
 * @param context hx509 context
 * @param ctx hx509 revocation context
 * @param path path to file that is going to be added to the context.
 *
 * @return An hx509 error code, see hx509_get_error_string().
 *
 * @ingroup hx509_revoke
 */

int
hx509_revoke_add_crl (
	hx509_context /*context*/,
	hx509_revoke_ctx /*ctx*/,
	const char */*path*/);

/**
 * Add an OCSP file to the revocation context.
 *
 * @param context hx509 context
 * @param ctx hx509 revocation context
 * @param path path to file that is going to be added to the context.
 *
 * @return An hx509 error code, see hx509_get_error_string().
 *
 * @ingroup hx509_revoke
 */

int
hx509_revoke_add_ocsp (
	hx509_context /*context*/,
	hx509_revoke_ctx /*ctx*/,
	const char */*path*/);

/**
 * Free a hx509 revocation context.
 *
 * @param ctx context to be freed
 *
 * @ingroup hx509_revoke
 */

void
hx509_revoke_free (hx509_revoke_ctx */*ctx*/);

/**
 * Allocate a revocation context. Free with hx509_revoke_free().
 *
 * @param context A hx509 context.
 * @param ctx returns a newly allocated revocation context.
 *
 * @return An hx509 error code, see hx509_get_error_string().
 *
 * @ingroup hx509_revoke
 */

int
hx509_revoke_init (
	hx509_context /*context*/,
	hx509_revoke_ctx */*ctx*/);

/**
 * Print the OCSP reply stored in a file.
 *
 * @param context a hx509 context
 * @param path path to a file with an OCSP reply
 * @param out the out FILE descriptor to print the reply on
 *
 * @return An hx509 error code, see hx509_get_error_string().
 *
 * @ingroup hx509_revoke
 */

int
hx509_revoke_ocsp_print (
	hx509_context /*context*/,
	const char */*path*/,
	FILE */*out*/);

/*
 * Print the contents of a revocation context (the CRLs and OCSP replies
 * added to it) on out. Undocumented in the generated header; the return
 * value is presumably an hx509 error code like the other int-returning
 * functions here — confirm.
 */

int
hx509_revoke_print (
	hx509_context /*context*/,
	hx509_revoke_ctx /*ctx*/,
	FILE */*out*/);

/**
 * Check that a certificate is still valid according to a revocation
 * context (the generated text says "not expired"; given the CRL/OCSP
 * inputs this presumably means not revoked — confirm in the definition).
 * Also needs the parent certificate to check the OCSP parent identifier.
 *
 * @param context hx509 context
 * @param ctx hx509 revocation context
 * @param certs a keyset (hx509_certs); its role is not stated here,
 *        confirm against the definition.
 * @param now the time at which the check is evaluated (presumably "now"
 *        for the caller, or a fixed time for offline checks).
 * @param cert the certificate to check.
 * @param parent_cert the issuer (parent) certificate of cert, needed for
 *        the OCSP parent identifier check.
 *
 * @return An hx509 error code, see hx509_get_error_string().
 *
 * @ingroup hx509_revoke
 */

int
hx509_revoke_verify (
	hx509_context /*context*/,
	hx509_revoke_ctx /*ctx*/,
	hx509_certs /*certs*/,
	time_t /*now*/,
	hx509_cert /*cert*/,
	hx509_cert /*parent_cert*/);

/**
 * See hx509_set_error_stringv().
 *
 * @param context A hx509 context.
 * @param flags
 * - HX509_ERROR_APPEND appends the error string to the old messages
 *   (code is updated).
 * @param code error code related to error message
 * @param fmt error message format
 * @param ... arguments to error message format
 *
 * @ingroup hx509_error
 */

void
hx509_set_error_string (
	hx509_context /*context*/,
	int /*flags*/,
	int /*code*/,
	const char */*fmt*/,
	...);

/**
 * Add an error message to the hx509 context.
 *
 * @param context A hx509 context.
 * @param flags
 * - HX509_ERROR_APPEND appends the error string to the old messages
 *   (code is updated).
 * @param code error code related to error message
 * @param fmt error message format
 * @param ap arguments to error message format
 *
 * @ingroup hx509_error
 */

void
hx509_set_error_stringv (
	hx509_context /*context*/,
	int /*flags*/,
	int /*code*/,
	const char */*fmt*/,
	va_list /*ap*/);

/*
 * Accessors for well-known AlgorithmIdentifier constants, usable with
 * hx509_verify_signature() and hx509_peer_info_set_cms_algs(). Each returns
 * a const pointer that is presumably library-owned and must not be freed —
 * confirm against the definitions.
 *
 * NOTE(review): MD5- and SHA-1-based identifiers are exposed next to the
 * SHA-2 ones. Whether the library still accepts them when verifying is not
 * visible from this header; callers that care should restrict the set of
 * algorithms they accept (see hx509_peer_info_set_cms_algs()).
 */

const AlgorithmIdentifier *
hx509_signature_ecPublicKey (void);

const AlgorithmIdentifier *
hx509_signature_ecdsa_with_sha256 (void);

const AlgorithmIdentifier *
hx509_signature_md5 (void);

const AlgorithmIdentifier *
hx509_signature_rsa (void);

const AlgorithmIdentifier *
hx509_signature_rsa_pkcs1_x509 (void);

const AlgorithmIdentifier *
hx509_signature_rsa_with_md5 (void);

const AlgorithmIdentifier *
hx509_signature_rsa_with_sha1 (void);

const AlgorithmIdentifier *
hx509_signature_rsa_with_sha256 (void);

const AlgorithmIdentifier *
hx509_signature_rsa_with_sha384 (void);

const AlgorithmIdentifier *
hx509_signature_rsa_with_sha512 (void);

const AlgorithmIdentifier *
hx509_signature_sha1 (void);

const AlgorithmIdentifier *
hx509_signature_sha256 (void);

const AlgorithmIdentifier *
hx509_signature_sha384 (void);

const AlgorithmIdentifier *
hx509_signature_sha512 (void);

/**
 * Convert a DER encoded name into a string.
 *
 * @param data data to a DER/BER encoded name
 * @param length length of data
 * @param str the resulting string, is NULL on failure. Free with
 *        hx509_xfree() (presumably, as for other library allocations).
 *
 * @return An hx509 error code, see hx509_get_error_string().
 *
 * @ingroup hx509_name
 */

int
hx509_unparse_der_name (
	const void */*data*/,
	size_t /*length*/,
	char **/*str*/);

/**
 * Validate/Print the status of the certificate.
 *
 * @param context A hx509 context.
 * @param ctx A hx509 validation context.
 * @param cert the certificate to validate/print.
 *
 * @return An hx509 error code, see hx509_get_error_string().
 *
 * @ingroup hx509_print
 */

int
hx509_validate_cert (
	hx509_context /*context*/,
	hx509_validate_ctx /*ctx*/,
	hx509_cert /*cert*/);

/**
 * Add flags to control the behavior of the hx509_validate_cert()
 * function.
 *
 * @param ctx A hx509 validation context.
 * @param flags flags to add to the validation context.
 *
 * @ingroup hx509_print
 */

void
hx509_validate_ctx_add_flags (
	hx509_validate_ctx /*ctx*/,
	int /*flags*/);

/**
 * Free an hx509 validate context.
 *
 * @param ctx the hx509 validate context to free.
 *
 * @ingroup hx509_print
 */

void
hx509_validate_ctx_free (hx509_validate_ctx /*ctx*/);

/**
 * Allocate a hx509 validation/printing context.
 *
 * @param context A hx509 context.
 * @param ctx a newly allocated hx509 validation context, free with
 * hx509_validate_ctx_free().
 *
 * @return An hx509 error code, see hx509_get_error_string().
 *
 * @ingroup hx509_print
 */

int
hx509_validate_ctx_init (
	hx509_context /*context*/,
	hx509_validate_ctx */*ctx*/);

/**
 * Set the printing function for the validation context.
 *
 * @param ctx a hx509 validation context.
 * @param func the printing function to use.
 * @param c the context variable to the printing function.
 *
 * @ingroup hx509_print
 */

void
hx509_validate_ctx_set_print (
	hx509_validate_ctx /*ctx*/,
	hx509_vprint_func /*func*/,
	void */*c*/);

/**
 * Set the trust anchors in the verification context, makes a
 * reference to the keyset, so the consumer can free the keyset
 * independent of the destruction of the verification context (ctx).
 * If there already is a keyset attached, it's released.
 *
 * @param ctx a verification context
 * @param set a keyset containing the trust anchors.
 *
 * @ingroup hx509_verify
 */

void
hx509_verify_attach_anchors (
	hx509_verify_ctx /*ctx*/,
	hx509_certs /*set*/);

/**
 * Attach a revocation context to the verification context, makes a
 * reference to the revoke context, so the consumer can free the
 * revoke context independent of the destruction of the verification
 * context. If there is no revoke context, the verification process is
 * NOT going to check any revocation status.
 *
 * @param ctx a verification context.
 * @param revoke_ctx a revoke context.
 *
 * @ingroup hx509_verify
 */

void
hx509_verify_attach_revoke (
	hx509_verify_ctx /*ctx*/,
	hx509_revoke_ctx /*revoke_ctx*/);

/*
 * Undocumented in the generated header. From the name, presumably toggles
 * whether signature algorithms past their "best before" date are still
 * accepted (non-zero = allow) — confirm against the definition. Note that
 * the first parameter is a hx509_context, not a hx509_verify_ctx, despite
 * its name, so this setting is presumably context-wide.
 */

void
hx509_verify_ctx_f_allow_best_before_signature_algs (
	hx509_context /*ctx*/,
	int /*boolean*/);

/**
 * Allow using the operating system builtin trust anchors if no other
 * trust anchors are configured.
 *
 * @param ctx a verification context
 * @param boolean if non zero, use the operating system's builtin
 * trust anchors.
 *
 * @ingroup hx509_cert
 */

void
hx509_verify_ctx_f_allow_default_trustanchors (
	hx509_verify_ctx /*ctx*/,
	int /*boolean*/);

/**
 * Free an hx509 verification context.
 *
 * @param ctx the context to be freed.
 *
 * @ingroup hx509_verify
 */

void
hx509_verify_destroy_ctx (hx509_verify_ctx /*ctx*/);

/**
 * Verify that the certificate is allowed to be used for the hostname
 * and address.
 *
 * @param context A hx509 context.
 * @param cert the certificate to match with
 * @param flags Flags to modify the behavior:
 * - HX509_VHN_F_ALLOW_NO_MATCH a certificate with no matching name
 *   is accepted (no match is ok).
 * @param type type of hostname:
 * - HX509_HN_HOSTNAME for plain hostname.
 * - HX509_HN_DNSSRV for DNS SRV names.
 * @param hostname the hostname to check
 * @param sa address of the host
 * @param sa_size length of address
 *
 * @return An hx509 error code, see hx509_get_error_string().
 *
 * @ingroup hx509_cert
 */

int
hx509_verify_hostname (
	hx509_context /*context*/,
	const hx509_cert /*cert*/,
	int /*flags*/,
	hx509_hostname_type /*type*/,
	const char */*hostname*/,
	const struct sockaddr */*sa*/,
	int /*sa_size*/);

/**
 * Allocate a verification context that is used to control the
 * verification process.
 *
 * @param context A hx509 context.
 * @param ctx returns a pointer to a hx509_verify_ctx object.
 *
 * @return An hx509 error code, see hx509_get_error_string().
 *
 * @ingroup hx509_verify
 */

int
hx509_verify_init_ctx (
	hx509_context /*context*/,
	hx509_verify_ctx */*ctx*/);

/**
 * Build and verify the path for the certificate to the trust anchor
 * specified in the verify context. The path is constructed from the
 * certificate, the pool and the trust anchors.
 *
 * @param context A hx509 context.
 * @param ctx A hx509 verification context.
 * @param cert the certificate to build the path from.
 * @param pool A keyset of certificates to build the chain from.
 *
 * @return An hx509 error code, see hx509_get_error_string().
 *
 * @ingroup hx509_verify
 */

int
hx509_verify_path (
	hx509_context /*context*/,
	hx509_verify_ctx /*ctx*/,
	hx509_cert /*cert*/,
	hx509_certs /*pool*/);

/**
 * Set the maximum depth of the certificate chain that the path
 * builder is going to try.
 *
 * @param ctx a verification context
 * @param max_depth maximum depth of the certificate chain, including
 * the trust anchor.
 *
 * @ingroup hx509_verify
 */

void
hx509_verify_set_max_depth (
	hx509_verify_ctx /*ctx*/,
	unsigned int /*max_depth*/);

/**
 * Allow or deny the use of proxy certificates
 *
 * @param ctx a verification context
 * @param boolean if non zero, allow proxy certificates.
 *
 * @ingroup hx509_verify
 */

void
hx509_verify_set_proxy_certificate (
	hx509_verify_ctx /*ctx*/,
	int /*boolean*/);

/**
 * Select strict RFC3280 verification of certificates. This means
 * checking key usage on CA certificates, this will make version 1
 * certificates unusable.
 *
 * @param ctx a verification context
 * @param boolean if non zero, use strict verification.
 *
 * @ingroup hx509_verify
 */

void
hx509_verify_set_strict_rfc3280_verification (
	hx509_verify_ctx /*ctx*/,
	int /*boolean*/);

/**
 * Set the clock time that the verification process is going to
 * use. Used to check certificates at a time in the past or future. If not
 * set the current time will be used.
 *
 * @param ctx a verification context.
 * @param t the time the verification is using.
 *
 * @ingroup hx509_verify
 */

void
hx509_verify_set_time (
	hx509_verify_ctx /*ctx*/,
	time_t /*t*/);

/**
 * Verify a signature made using the private key of a certificate.
 *
 * @param context A hx509 context.
 * @param signer the certificate that made the signature.
 * @param alg algorithm that was used to sign the data.
 * @param data the data that was signed.
 * @param sig the signature to verify.
 *
 * @return An hx509 error code, see hx509_get_error_string().
 *
 * @ingroup hx509_crypto
 */

int
hx509_verify_signature (
	hx509_context /*context*/,
	const hx509_cert /*signer*/,
	const AlgorithmIdentifier */*alg*/,
	const heim_octet_string */*data*/,
	const heim_octet_string */*sig*/);

/**
 * Free a data element allocated in the library.
 *
 * @param ptr data to be freed.
 *
 * @ingroup hx509_misc
 */

void
hx509_xfree (void */*ptr*/);

/*
 * lex/flex end-of-input hook, picked up by the prototype generator;
 * presumably not intended as part of the public API — confirm.
 */

int
yywrap (void);

#ifdef __cplusplus
}
#endif

#endif /* DOXY */
#endif /* __hx509_protos_h__ */