/* This is a generated file */
#ifndef __hx509_protos_h__
#define __hx509_protos_h__
#ifndef DOXY

#include <stdarg.h>

#ifdef __cplusplus
extern "C" {
#endif

#ifndef HX509_LIB
#ifndef HX509_LIB_FUNCTION
#if defined(_WIN32)
#define HX509_LIB_FUNCTION __declspec(dllimport)
#define HX509_LIB_CALL __stdcall
#define HX509_LIB_VARIABLE __declspec(dllimport)
#else
#define HX509_LIB_FUNCTION
#define HX509_LIB_CALL
#define HX509_LIB_VARIABLE
#endif
#endif
#endif
/**
 * Print a bit string using a hx509_vprint_func function. To print to
 * stdout use hx509_print_stdout().
 *
 * @param b bit string to print.
 * @param func hx509_vprint_func to print with.
 * @param ctx context variable passed to the hx509_vprint_func function.
 *
 * @ingroup hx509_print
 */

void
hx509_bitstring_print (
    const heim_bit_string */*b*/,
    hx509_vprint_func /*func*/,
    void */*ctx*/);

/**
 * Sign a to-be-signed certificate object with an issuer certificate.
 *
 * The caller needs to have called at least the following functions on the
 * to-be-signed certificate object:
 * - hx509_ca_tbs_init()
 * - hx509_ca_tbs_set_subject()
 * - hx509_ca_tbs_set_spki()
 *
 * When done, the to-be-signed certificate object should be freed with
 * hx509_ca_tbs_free().
 *
 * When creating a self-signed certificate use hx509_ca_sign_self() instead.
 *
 * @param context A hx509 context.
 * @param tbs object to be signed.
 * @param signer the CA certificate object to sign with (needs a private key).
 * @param certificate returned certificate, free with hx509_cert_free().
 *
 * @return An hx509 error code, see hx509_get_error_string().
 *
 * @ingroup hx509_ca
 */

int
hx509_ca_sign (
    hx509_context /*context*/,
    hx509_ca_tbs /*tbs*/,
    hx509_cert /*signer*/,
    hx509_cert */*certificate*/);

/**
 * Works just like hx509_ca_sign() but the certificate signs itself.
 *
 * @param context A hx509 context.
 * @param tbs object to be signed.
 * @param signer private key to sign with.
 * @param certificate returned certificate, free with hx509_cert_free().
 *
 * @return An hx509 error code, see hx509_get_error_string().
 *
 * @ingroup hx509_ca
 */

int
hx509_ca_sign_self (
    hx509_context /*context*/,
    hx509_ca_tbs /*tbs*/,
    hx509_private_key /*signer*/,
    hx509_cert */*certificate*/);

/**
 * Add a CRL distribution point URI to the to-be-signed certificate
 * object.
 *
 * @param context A hx509 context.
 * @param tbs object to be signed.
 * @param uri URI of the CRL.
 * @param issuername name of the issuer.
 *
 * @return An hx509 error code, see hx509_get_error_string().
 *
 * @ingroup hx509_ca
 */

int
hx509_ca_tbs_add_crl_dp_uri (
    hx509_context /*context*/,
    hx509_ca_tbs /*tbs*/,
    const char */*uri*/,
    hx509_name /*issuername*/);

/**
 * Add an extended key usage to the to-be-signed certificate object.
 * Duplicates will be detected and not added.
 *
 * @param context A hx509 context.
 * @param tbs object to be signed.
 * @param oid extended key usage to add.
 *
 * @return An hx509 error code, see hx509_get_error_string().
 *
 * @ingroup hx509_ca
 */

int
hx509_ca_tbs_add_eku (
    hx509_context /*context*/,
    hx509_ca_tbs /*tbs*/,
    const heim_oid */*oid*/);

/**
 * Add a Subject Alternative Name hostname to the to-be-signed certificate
 * object. A domain match starts with ".", an exact match does not.
 *
 * Example of a domain match: .domain.se matches the hostname
 * host.domain.se.
 *
 * @param context A hx509 context.
 * @param tbs object to be signed.
 * @param dnsname a hostname.
 *
 * @return An hx509 error code, see hx509_get_error_string().
 *
 * @ingroup hx509_ca
 */

int
hx509_ca_tbs_add_san_hostname (
    hx509_context /*context*/,
    hx509_ca_tbs /*tbs*/,
    const char */*dnsname*/);

/**
 * Add a Jabber/XMPP jid Subject Alternative Name to the to-be-signed
 * certificate object. The jid is a UTF-8 string.
 *
 * @param context A hx509 context.
 * @param tbs object to be signed.
 * @param jid string of a jabber id in UTF-8.
 *
 * @return An hx509 error code, see hx509_get_error_string().
 *
 * @ingroup hx509_ca
 */

int
hx509_ca_tbs_add_san_jid (
    hx509_context /*context*/,
    hx509_ca_tbs /*tbs*/,
    const char */*jid*/);

/**
 * Add a Microsoft UPN Subject Alternative Name to the to-be-signed
 * certificate object. The principal string is a UTF-8 string.
 *
 * @param context A hx509 context.
 * @param tbs object to be signed.
 * @param principal Microsoft UPN string.
 *
 * @return An hx509 error code, see hx509_get_error_string().
 *
 * @ingroup hx509_ca
 */

int
hx509_ca_tbs_add_san_ms_upn (
    hx509_context /*context*/,
    hx509_ca_tbs /*tbs*/,
    const char */*principal*/);

/**
 * Add a Subject Alternative Name otherName to the to-be-signed
 * certificate object.
 *
 * @param context A hx509 context.
 * @param tbs object to be signed.
 * @param oid the oid of the OtherName.
 * @param os data of the other name.
 *
 * @return An hx509 error code, see hx509_get_error_string().
 *
 * @ingroup hx509_ca
 */

int
hx509_ca_tbs_add_san_otherName (
    hx509_context /*context*/,
    hx509_ca_tbs /*tbs*/,
    const heim_oid */*oid*/,
    const heim_octet_string */*os*/);

/**
 * Add a Kerberos Subject Alternative Name to the to-be-signed
 * certificate object. The principal string is a UTF-8 string.
 *
 * @param context A hx509 context.
 * @param tbs object to be signed.
 * @param principal Kerberos principal to add to the certificate.
 *
 * @return An hx509 error code, see hx509_get_error_string().
 *
 * @ingroup hx509_ca
 */

int
hx509_ca_tbs_add_san_pkinit (
    hx509_context /*context*/,
    hx509_ca_tbs /*tbs*/,
    const char */*principal*/);

/**
 * Add a Subject Alternative Name rfc822Name (email address) to the
 * to-be-signed certificate object.
 *
 * @param context A hx509 context.
 * @param tbs object to be signed.
 * @param rfc822Name a string holding an email address.
 *
 * @return An hx509 error code, see hx509_get_error_string().
 *
 * @ingroup hx509_ca
 */

int
hx509_ca_tbs_add_san_rfc822name (
    hx509_context /*context*/,
    hx509_ca_tbs /*tbs*/,
    const char */*rfc822Name*/);

/**
 * Free a to-be-signed certificate object.
 *
 * @param tbs object to free.
 *
 * @ingroup hx509_ca
 */

void
hx509_ca_tbs_free (hx509_ca_tbs */*tbs*/);

/**
 * Allocate a to-be-signed certificate object that will be converted
 * into a certificate.
 *
 * @param context A hx509 context.
 * @param tbs returned to-be-signed certificate object, free with
 * hx509_ca_tbs_free().
 *
 * @return An hx509 error code, see hx509_get_error_string().
 *
 * @ingroup hx509_ca
 */

int
hx509_ca_tbs_init (
    hx509_context /*context*/,
    hx509_ca_tbs */*tbs*/);

/**
 * Make the to-be-signed certificate object a CA certificate. If
 * pathLenConstraint is negative, no path length constraint is used.
 *
 * @param context A hx509 context.
 * @param tbs object to be signed.
 * @param pathLenConstraint path length constraint; negative means no
 * constraint.
 *
 * @return An hx509 error code, see hx509_get_error_string().
 *
 * @ingroup hx509_ca
 */

int
hx509_ca_tbs_set_ca (
    hx509_context /*context*/,
    hx509_ca_tbs /*tbs*/,
    int /*pathLenConstraint*/);

/**
 * Make the to-be-signed certificate object a Windows domain controller
 * certificate.
 *
 * @param context A hx509 context.
 * @param tbs object to be signed.
 *
 * @return An hx509 error code, see hx509_get_error_string().
 *
 * @ingroup hx509_ca
 */

int
hx509_ca_tbs_set_domaincontroller (
    hx509_context /*context*/,
    hx509_ca_tbs /*tbs*/);

/**
 * Set the absolute time until which the certificate is valid.
 *
 * @param context A hx509 context.
 * @param tbs object to be signed.
 * @param t time when the certificate will expire.
 *
 * @return An hx509 error code, see hx509_get_error_string().
 *
 * @ingroup hx509_ca
 */

int
hx509_ca_tbs_set_notAfter (
    hx509_context /*context*/,
    hx509_ca_tbs /*tbs*/,
    time_t /*t*/);

/**
 * Set the relative time at which the certificate is going to expire.
 *
 * @param context A hx509 context.
 * @param tbs object to be signed.
 * @param delta seconds until the certificate is going to expire
 * (NOTE(review): whether this is counted from notBefore or from the
 * current time is not stated here — confirm against the implementation).
 *
 * @return An hx509 error code, see hx509_get_error_string().
 *
 * @ingroup hx509_ca
 */

int
hx509_ca_tbs_set_notAfter_lifetime (
    hx509_context /*context*/,
    hx509_ca_tbs /*tbs*/,
    time_t /*delta*/);

/**
 * Set the absolute time from which the certificate is valid. If not
 * set, the current time will be used.
 *
 * @param context A hx509 context.
 * @param tbs object to be signed.
 * @param t time at which the certificate starts to be valid.
 *
 * @return An hx509 error code, see hx509_get_error_string().
 *
 * @ingroup hx509_ca
 */

int
hx509_ca_tbs_set_notBefore (
    hx509_context /*context*/,
    hx509_ca_tbs /*tbs*/,
    time_t /*t*/);

/**
 * Make the to-be-signed certificate object a proxy certificate. If
 * pathLenConstraint is negative, no path length constraint is used.
 *
 * @param context A hx509 context.
 * @param tbs object to be signed.
 * @param pathLenConstraint path length constraint; negative means no
 * constraint.
 *
 * @return An hx509 error code, see hx509_get_error_string().
 *
 * @ingroup hx509_ca
 */

int
hx509_ca_tbs_set_proxy (
    hx509_context /*context*/,
    hx509_ca_tbs /*tbs*/,
    int /*pathLenConstraint*/);

/**
 * Set the serial number to use for the to-be-signed certificate object.
 *
 * @param context A hx509 context.
 * @param tbs object to be signed.
 * @param serialNumber serial number to use for the to-be-signed
 * certificate object.
 *
 * @return An hx509 error code, see hx509_get_error_string().
 *
 * @ingroup hx509_ca
 */

int
hx509_ca_tbs_set_serialnumber (
    hx509_context /*context*/,
    hx509_ca_tbs /*tbs*/,
    const heim_integer */*serialNumber*/);

/**
 * Set the signature algorithm on the to-be-signed certificate object.
 *
 * @param context A hx509 context.
 * @param tbs object to be signed.
 * @param sigalg signature algorithm to use.
 *
 * @return An hx509 error code, see hx509_get_error_string().
 *
 * @ingroup hx509_ca
 */

int
hx509_ca_tbs_set_signature_algorithm (
    hx509_context /*context*/,
    hx509_ca_tbs /*tbs*/,
    const AlgorithmIdentifier */*sigalg*/);

/**
 * Set the subject public key info (SPKI) in the to-be-signed certificate
 * object. The SPKI is the public key and key related parameters in the
 * certificate.
 *
 * @param context A hx509 context.
 * @param tbs object to be signed.
 * @param spki subject public key info to use for the to-be-signed
 * certificate object.
 *
 * @return An hx509 error code, see hx509_get_error_string().
 *
 * @ingroup hx509_ca
 */

int
hx509_ca_tbs_set_spki (
    hx509_context /*context*/,
    hx509_ca_tbs /*tbs*/,
    const SubjectPublicKeyInfo */*spki*/);

/**
 * Set the subject name of a to-be-signed certificate object.
 *
 * @param context A hx509 context.
 * @param tbs object to be signed.
 * @param subject the name to set as subject.
 *
 * @return An hx509 error code, see hx509_get_error_string().
 *
 * @ingroup hx509_ca
 */

int
hx509_ca_tbs_set_subject (
    hx509_context /*context*/,
    hx509_ca_tbs /*tbs*/,
    hx509_name /*subject*/);

/**
 * Initialize the to-be-signed certificate object from a template
 * certificate.
 *
 * @param context A hx509 context.
 * @param tbs object to be signed.
 * @param flags bit field selecting what to copy from the template
 * certificate (see hx509_ca_tbs_template_units()).
 * @param cert template certificate.
 *
 * @return An hx509 error code, see hx509_get_error_string().
 *
 * @ingroup hx509_ca
 */

int
hx509_ca_tbs_set_template (
    hx509_context /*context*/,
    hx509_ca_tbs /*tbs*/,
    int /*flags*/,
    hx509_cert /*cert*/);

/**
 * Set the issuerUniqueID and subjectUniqueID.
 *
 * These are only supposed to be used with version 2 certificates; they
 * were replaced by the two extensions SubjectKeyIdentifier and
 * IssuerKeyIdentifier. This function exists to allow applications using
 * a legacy protocol to issue them.
 *
 * @param context A hx509 context.
 * @param tbs object to be signed.
 * @param issuerUniqueID to be set
 * @param subjectUniqueID to be set
 *
 * @return An hx509 error code, see hx509_get_error_string().
 *
 * @ingroup hx509_ca
 */

int
hx509_ca_tbs_set_unique (
    hx509_context /*context*/,
    hx509_ca_tbs /*tbs*/,
    const heim_bit_string */*subjectUniqueID*/,
    const heim_bit_string */*issuerUniqueID*/);

/**
 * Expand the subject name in the to-be-signed certificate object
 * using hx509_name_expand().
 *
 * @param context A hx509 context.
 * @param tbs object to be signed.
 * @param env environment used to expand variables in the subject
 * name, see hx509_env_init().
 *
 * @return An hx509 error code, see hx509_get_error_string().
 *
 * @ingroup hx509_ca
 */

int
hx509_ca_tbs_subject_expand (
    hx509_context /*context*/,
    hx509_ca_tbs /*tbs*/,
    hx509_env /*env*/);

/**
 * Return the table of template units, used to build the flags argument
 * to hx509_ca_tbs_set_template() with parse_units().
 *
 * @return a units structure.
 *
 * @ingroup hx509_ca
 */

const struct units *
hx509_ca_tbs_template_units (void);

/**
 * Encode the hx509 certificate as a DER encoded binary.
 *
 * @param context A hx509 context.
 * @param c the certificate to encode.
 * @param os the encoded certificate, set to NULL, 0 in case of
 * error. Free os->data with hx509_xfree().
 *
 * @return An hx509 error code, see hx509_get_error_string().
 *
 * @ingroup hx509_cert
 */

int
hx509_cert_binary (
    hx509_context /*context*/,
    hx509_cert /*c*/,
    heim_octet_string */*os*/);

/**
 * Check the extended key usage on the hx509 certificate.
 *
 * @param context A hx509 context.
 * @param cert a hx509 certificate object.
 * @param eku the EKU to check for.
 * @param allow_any_eku if the anyExtendedKeyUsage EKU is set, allow that
 * to be a substitute for eku. Pass 0 when the certificate must carry the
 * specific EKU.
 *
 * @return An hx509 error code, see hx509_get_error_string().
 *
 * @ingroup hx509_cert
 */

int
hx509_cert_check_eku (
    hx509_context /*context*/,
    hx509_cert /*cert*/,
    const heim_oid */*eku*/,
    int /*allow_any_eku*/);

/**
 * Compare two hx509 certificate objects, useful for sorting.
 *
 * @param p a hx509 certificate object.
 * @param q a hx509 certificate object.
 *
 * @return 0 if the objects are the same, > 0 if p is "larger"
 * than q, < 0 if p is "smaller" than q.
 *
 * @ingroup hx509_cert
 */

int
hx509_cert_cmp (
    hx509_cert /*p*/,
    hx509_cert /*q*/);

/**
 * Return a list of the subjectAltName otherName entries with the given
 * oid in the certificate.
 *
 * The returned list of octet strings should be freed with
 * hx509_free_octet_string_list().
 *
 * @param context A hx509 context.
 * @param cert a hx509 certificate object.
 * @param oid the otherName oid to look for in the SubjectAltName.
 * @param list list of matching SubjectAltName entries.
 *
 * @return An hx509 error code, see hx509_get_error_string().
 *
 * @ingroup hx509_cert
 */

int
hx509_cert_find_subjectAltName_otherName (
    hx509_context /*context*/,
    hx509_cert /*cert*/,
    const heim_oid */*oid*/,
    hx509_octet_string_list */*list*/);

/**
 * Free a reference to the hx509 certificate object; if the reference
 * counter reaches 0, the object is freed. It is allowed to pass in NULL.
 *
 * @param cert the cert to free.
 *
 * @ingroup hx509_cert
 */

void
hx509_cert_free (hx509_cert /*cert*/);

/**
 * Get the SubjectPublicKeyInfo structure from the hx509 certificate.
 *
 * @param context a hx509 context.
 * @param p a hx509 certificate object.
 * @param spki SubjectPublicKeyInfo, should be freed with
 * free_SubjectPublicKeyInfo().
 *
 * @return An hx509 error code, see hx509_get_error_string().
 *
 * @ingroup hx509_cert
 */

int
hx509_cert_get_SPKI (
    hx509_context /*context*/,
    hx509_cert /*p*/,
    SubjectPublicKeyInfo */*spki*/);

/**
 * Get the AlgorithmIdentifier of the public key from the hx509 certificate.
 *
 * @param context a hx509 context.
 * @param p a hx509 certificate object.
 * @param alg AlgorithmIdentifier, should be freed with
 * free_AlgorithmIdentifier(). The AlgorithmIdentifier is
 * typically rsaEncryption, or id-ecPublicKey, or some other
 * public key mechanism.
 *
 * @return An hx509 error code, see hx509_get_error_string().
 *
 * @ingroup hx509_cert
 */

int
hx509_cert_get_SPKI_AlgorithmIdentifier (
    hx509_context /*context*/,
    hx509_cert /*p*/,
    AlgorithmIdentifier */*alg*/);

/**
 * Get an external attribute of the certificate; examples are the
 * friendly name and id.
 *
 * @param cert hx509 certificate object to search.
 * @param oid an oid to search for.
 *
 * @return an hx509_cert_attribute, only valid as long as the
 * certificate is referenced.
 *
 * @ingroup hx509_cert
 */

hx509_cert_attribute
hx509_cert_get_attribute (
    hx509_cert /*cert*/,
    const heim_oid */*oid*/);

/**
 * Return the name of the base subject of the hx509 certificate. If
 * the certificate is a verified proxy certificate, this function
 * returns the subject of the base certificate (root of the proxy
 * chain). If the proxy certificate is not verified with the base
 * certificate, HX509_PROXY_CERTIFICATE_NOT_CANONICALIZED is returned.
 *
 * @param context a hx509 context.
 * @param c a hx509 certificate object.
 * @param name a pointer to a hx509 name, should be freed by
 * hx509_name_free(). See also hx509_cert_get_subject().
 *
 * @return An hx509 error code, see hx509_get_error_string().
 *
 * @ingroup hx509_cert
 */

int
hx509_cert_get_base_subject (
    hx509_context /*context*/,
    hx509_cert /*c*/,
    hx509_name */*name*/);

/**
 * Get the friendly name of the certificate.
 *
 * @param cert cert to get the friendly name from.
 *
 * @return the friendly name, or NULL if there is none. The friendly
 * name is only valid as long as the certificate is referenced.
 *
 * @ingroup hx509_cert
 */

const char *
hx509_cert_get_friendly_name (hx509_cert /*cert*/);

/**
 * Return the name of the issuer of the hx509 certificate.
 *
 * @param p a hx509 certificate object.
 * @param name a pointer to a hx509 name, should be freed by
 * hx509_name_free().
 *
 * @return An hx509 error code, see hx509_get_error_string().
 *
 * @ingroup hx509_cert
 */

int
hx509_cert_get_issuer (
    hx509_cert /*p*/,
    hx509_name */*name*/);

/**
 * Get a copy of the Issuer Unique ID.
 *
 * @param context a hx509_context
 * @param p a hx509 certificate
 * @param issuer the issuer id returned, free with der_free_bit_string()
 *
 * @return An hx509 error code, see hx509_get_error_string(). The
 * error code HX509_EXTENSION_NOT_FOUND is returned if the certificate
 * doesn't have an issuerUniqueID.
 *
 * @ingroup hx509_cert
 */

int
hx509_cert_get_issuer_unique_id (
    hx509_context /*context*/,
    hx509_cert /*p*/,
    heim_bit_string */*issuer*/);

/**
 * Get the notAfter time of the certificate.
 *
 * @param p a hx509 certificate object.
 *
 * @return the notAfter time.
 *
 * @ingroup hx509_cert
 */

time_t
hx509_cert_get_notAfter (hx509_cert /*p*/);

/**
 * Get the notBefore time of the certificate.
 *
 * @param p a hx509 certificate object.
 *
 * @return the notBefore time.
 *
 * @ingroup hx509_cert
 */

time_t
hx509_cert_get_notBefore (hx509_cert /*p*/);

/**
 * Get the serial number of the certificate.
 *
 * @param p a hx509 certificate object.
 * @param i serial number, should be freed with der_free_heim_integer().
 *
 * @return An hx509 error code, see hx509_get_error_string().
 *
 * @ingroup hx509_cert
 */

int
hx509_cert_get_serialnumber (
    hx509_cert /*p*/,
    heim_integer */*i*/);

/**
 * Return the name of the subject of the hx509 certificate.
 *
 * @param p a hx509 certificate object.
 * @param name a pointer to a hx509 name, should be freed by
 * hx509_name_free(). See also hx509_cert_get_base_subject().
 *
 * @return An hx509 error code, see hx509_get_error_string().
 *
 * @ingroup hx509_cert
 */

int
hx509_cert_get_subject (
    hx509_cert /*p*/,
    hx509_name */*name*/);

/**
 * Get a copy of the Subject Unique ID.
 *
 * @param context a hx509_context
 * @param p a hx509 certificate
 * @param subject the subject id returned, free with der_free_bit_string()
 *
 * @return An hx509 error code, see hx509_get_error_string(). The
 * error code HX509_EXTENSION_NOT_FOUND is returned if the certificate
 * doesn't have a subjectUniqueID.
 *
 * @ingroup hx509_cert
 */

int
hx509_cert_get_subject_unique_id (
    hx509_context /*context*/,
    hx509_cert /*p*/,
    heim_bit_string */*subject*/);

/*
 * Report whether the certificate object carries a private key.
 *
 * @param p a hx509 certificate object.
 *
 * @return int; NOTE(review): presumably non-zero when a private key is
 * attached — the meaning of the return value is not documented here,
 * confirm against the implementation.
 */
int
hx509_cert_have_private_key (hx509_cert /*p*/);

/**
 * Allocate and init an hx509 certificate object from the decoded
 * certificate `c'.
 *
 * @param context A hx509 context.
 * @param c the decoded certificate to wrap.
 * @param error possibly returns an error.
 *
 * @return Returns an hx509 certificate.
 *
 * @ingroup hx509_cert
 */

hx509_cert
hx509_cert_init (
    hx509_context /*context*/,
    const Certificate */*c*/,
    heim_error_t */*error*/);

/**
 * Just like hx509_cert_init(), but instead of a decoded certificate
 * takes a pointer and length to a memory region that contains a
 * DER/BER encoded certificate.
 *
 * If the memory region doesn't contain just the certificate and
 * nothing more, the function will fail with
 * HX509_EXTRA_DATA_AFTER_STRUCTURE. Callers feeding externally
 * supplied data should treat a failure here as a rejected input and
 * consult error.
 *
 * @param context A hx509 context.
 * @param ptr pointer to memory region containing the encoded certificate.
 * @param len length of the memory region.
 * @param error possibly returns an error.
 *
 * @return An hx509 certificate (NOTE(review): presumably NULL on
 * failure — confirm against the implementation).
 *
 * @ingroup hx509_cert
 */

hx509_cert
hx509_cert_init_data (
    hx509_context /*context*/,
    const void */*ptr*/,
    size_t /*len*/,
    heim_error_t */*error*/);

/**
 * Print the key usage of a certificate to a string.
 *
 * @param context A hx509 context.
 * @param c the certificate to print the key usage of.
 * @param s the returned string with the key usage printed into it, free
 * with hx509_xfree().
 *
 * @return An hx509 error code, see hx509_get_error_string().
 *
 * @ingroup hx509_print
 */

int
hx509_cert_keyusage_print (
    hx509_context /*context*/,
    hx509_cert /*c*/,
    char **/*s*/);

/*
 * Encrypt cleartext to the public key of the certificate p.
 *
 * @param context A hx509 context.
 * @param cleartext data to encrypt.
 * @param p certificate whose public key is used.
 * @param encryption_oid NOTE(review): non-const, so presumably an output
 * naming the encryption mechanism used — confirm against the
 * implementation.
 * @param ciphertext the encrypted output.
 *
 * @return An hx509 error code (inferred from the int return; confirm).
 */
int
hx509_cert_public_encrypt (
    hx509_context /*context*/,
    const heim_octet_string */*cleartext*/,
    const hx509_cert /*p*/,
    heim_oid */*encryption_oid*/,
    heim_octet_string */*ciphertext*/);

/**
 * Add a reference to a hx509 certificate object.
 *
 * @param cert a pointer to an hx509 certificate object.
 *
 * @return the same object as is passed in.
 *
 * @ingroup hx509_cert
 */

hx509_cert
hx509_cert_ref (hx509_cert /*cert*/);

/**
 * Set the friendly name on the certificate.
 *
 * @param cert The certificate to set the friendly name on.
 * @param name Friendly name.
 *
 * @return An hx509 error code, see hx509_get_error_string().
 *
 * @ingroup hx509_cert
 */

int
hx509_cert_set_friendly_name (
    hx509_cert /*cert*/,
    const char */*name*/);

/**
 * Add a certificate to the certificate store.
 *
 * The receiving keyset certs will either increase the reference counter
 * of the cert or make a deep copy; either way, the caller needs to
 * free the cert itself.
 *
 * @param context a hx509 context.
 * @param certs certificate store to add the certificate to.
 * @param cert certificate to add.
 *
 * @return Returns an hx509 error code.
 *
 * @ingroup hx509_keyset
 */

int
hx509_certs_add (
    hx509_context /*context*/,
    hx509_certs /*certs*/,
    hx509_cert /*cert*/);

/**
 * Same as hx509_certs_merge() but uses a lock and a name to describe the
 * source store.
 *
 * @param context a hx509 context.
 * @param to the store to merge into.
 * @param lock a lock that unlocks the certificate store, use NULL to
 * select no password/certificates/prompt lock (see @ref page_lock).
 * @param name name of the source store.
 *
 * @return Returns an hx509 error code.
 *
 * @ingroup hx509_keyset
 */

int
hx509_certs_append (
    hx509_context /*context*/,
    hx509_certs /*to*/,
    hx509_lock /*lock*/,
    const char */*name*/);

/**
 * End the iteration over certificates.
 *
 * @param context a hx509 context.
 * @param certs certificate store being iterated over.
 * @param cursor cursor that kept track of progress; it is freed.
 *
 * @return Returns an hx509 error code.
 *
 * @ingroup hx509_keyset
 */

int
hx509_certs_end_seq (
    hx509_context /*context*/,
    hx509_certs /*certs*/,
    hx509_cursor /*cursor*/);

/**
 * Filter the certificates matching the query.
 *
 * @param context a hx509 context.
 * @param certs certificate store to search.
 * @param q query allocated with the @ref hx509_query functions.
 * @param result the filtered certificate store, caller must free with
 * hx509_certs_free().
 *
 * @return Returns an hx509 error code.
 *
 * @ingroup hx509_keyset
 */

int
hx509_certs_filter (
    hx509_context /*context*/,
    hx509_certs /*certs*/,
    const hx509_query */*q*/,
    hx509_certs */*result*/);

/**
 * Find a certificate matching the query.
 *
 * @param context a hx509 context.
 * @param certs certificate store to search.
 * @param q query allocated with the @ref hx509_query functions.
 * @param r returned certificate (or NULL on error), should be freed
 * with hx509_cert_free().
 *
 * @return Returns an hx509 error code.
 *
 * @ingroup hx509_keyset
 */

int
hx509_certs_find (
    hx509_context /*context*/,
    hx509_certs /*certs*/,
    const hx509_query */*q*/,
    hx509_cert */*r*/);

/**
 * Free a certificate store.
 *
 * @param certs certificate store to free.
 *
 * @ingroup hx509_keyset
 */

void
hx509_certs_free (hx509_certs */*certs*/);

/**
 * Print some info about the certificate store.
 *
 * @param context a hx509 context.
 * @param certs certificate store to print information about.
 * @param func function that will get each line of the information; if
 * NULL is used the data is printed on a FILE descriptor that should
 * be passed in ctx, and if ctx also is NULL, stdout is used.
 * @param ctx parameter to func.
 *
 * @return Returns an hx509 error code.
 *
 * @ingroup hx509_keyset
 */

int
hx509_certs_info (
    hx509_context /*context*/,
    hx509_certs /*certs*/,
    int (*/*func*/)(void *, const char *),
    void */*ctx*/);

/**
 * Open or create a new hx509 certificate store.
 *
 * @param context A hx509 context
 * @param name name of the store, format is TYPE:type-specific-string;
 * if NULL is used the MEMORY store is used. The TYPE prefix selects
 * the backend and the rest is interpreted by that backend, so callers
 * should not build this string from untrusted input.
 * @param flags list of flags:
 * - HX509_CERTS_CREATE create a new keystore of the specific TYPE.
 * - HX509_CERTS_UNPROTECT_ALL fails if any private key failed to be extracted.
 * @param lock a lock that unlocks the certificate store, use NULL to
 * select no password/certificates/prompt lock (see @ref page_lock).
 * @param certs return pointer, free with hx509_certs_free().
 *
 * @return Returns an hx509 error code.
 *
 * @ingroup hx509_keyset
 */

int
hx509_certs_init (
    hx509_context /*context*/,
    const char */*name*/,
    int /*flags*/,
    hx509_lock /*lock*/,
    hx509_certs */*certs*/);

/**
 * Iterate over all certificates in a keystore and call a block
 * for each of them.
 *
 * @param context a hx509 context.
 * @param certs certificate store to iterate over.
 * @param func block to call for each certificate. The block
 * should return non-zero to abort the iteration; that value is passed
 * back to the caller of hx509_certs_iter().
 *
 * @return Returns an hx509 error code.
 *
 * @ingroup hx509_keyset
 */

#ifdef __BLOCKS__
int
hx509_certs_iter (
    hx509_context /*context*/,
    hx509_certs /*certs*/,
    int (^func)(hx509_cert));
#endif /* __BLOCKS__ */

/**
 * Iterate over all certificates in a keystore and call a function
 * for each of them.
 *
 * @param context a hx509 context.
 * @param certs certificate store to iterate over.
 * @param func function to call for each certificate. The function
 * should return non-zero to abort the iteration; that value is passed
 * back to the caller of hx509_certs_iter_f().
 * @param ctx context variable that will be passed to the function.
 *
 * @return Returns an hx509 error code.
 *
 * @ingroup hx509_keyset
 */

int
hx509_certs_iter_f (
    hx509_context /*context*/,
    hx509_certs /*certs*/,
    int (*/*func*/)(hx509_context, void *, hx509_cert),
    void */*ctx*/);

/**
 * Merge a certificate store into another. The from store is kept
 * intact.
 *
 * @param context a hx509 context.
 * @param to the store to merge into.
 * @param from the store to copy the objects from.
 *
 * @return Returns an hx509 error code.
 *
 * @ingroup hx509_keyset
 */

int
hx509_certs_merge (
    hx509_context /*context*/,
    hx509_certs /*to*/,
    hx509_certs /*from*/);

/**
 * Get the next certificate from the certificate keystore pointed out by
 * cursor.
 *
 * @param context a hx509 context.
 * @param certs certificate store to iterate over.
 * @param cursor cursor that keeps track of progress.
 * @param cert returned certificate next in store, NULL if the store
 * contains no more certificates. Free with hx509_cert_free().
 *
 * @return Returns an hx509 error code.
 *
 * @ingroup hx509_keyset
 */

int
hx509_certs_next_cert (
    hx509_context /*context*/,
    hx509_certs /*certs*/,
    hx509_cursor /*cursor*/,
    hx509_cert */*cert*/);

/*
 * Add a reference to a certificate store.
 *
 * @param certs the certificate store.
 *
 * @return NOTE(review): presumably the same store passed in, mirroring
 * hx509_cert_ref(); release with hx509_certs_free() — confirm against
 * the implementation.
 */
hx509_certs
hx509_certs_ref (hx509_certs /*certs*/);

/**
 * Start the iteration over certificates.
 *
 * @param context a hx509 context.
 * @param certs certificate store to iterate over.
 * @param cursor cursor that will keep track of progress, free with
 * hx509_certs_end_seq().
1213 * 1214 * @return Returns an hx509 error code. HX509_UNSUPPORTED_OPERATION is 1215 * returned if the certificate store doesn't support the iteration 1216 * operation. 1217 * 1218 * @ingroup hx509_keyset 1219 */ 1220 1221int 1222hx509_certs_start_seq ( 1223 hx509_context /*context*/, 1224 hx509_certs /*certs*/, 1225 hx509_cursor */*cursor*/); 1226 1227/** 1228 * Write the certificate store to stable storage. 1229 * 1230 * @param context A hx509 context. 1231 * @param certs a certificate store to store. 1232 * @param flags currently unused, use 0. 1233 * @param lock a lock that unlocks the certificates store, use NULL to 1234 * select no password/certifictes/prompt lock (see @ref page_lock). 1235 * 1236 * @return Returns an hx509 error code. HX509_UNSUPPORTED_OPERATION if 1237 * the certificate store doesn't support the store operation. 1238 * 1239 * @ingroup hx509_keyset 1240 */ 1241 1242int 1243hx509_certs_store ( 1244 hx509_context /*context*/, 1245 hx509_certs /*certs*/, 1246 int /*flags*/, 1247 hx509_lock /*lock*/); 1248 1249/** 1250 * Function to use to hx509_certs_iter_f() as a function argument, the 1251 * ctx variable to hx509_certs_iter_f() should be a FILE file descriptor. 1252 * 1253 * @param context a hx509 context. 1254 * @param ctx used by hx509_certs_iter_f(). 1255 * @param c a certificate 1256 * 1257 * @return Returns an hx509 error code. 1258 * 1259 * @ingroup hx509_keyset 1260 */ 1261 1262int 1263hx509_ci_print_names ( 1264 hx509_context /*context*/, 1265 void */*ctx*/, 1266 hx509_cert /*c*/); 1267 1268/** 1269 * Resets the error strings the hx509 context. 1270 * 1271 * @param context A hx509 context. 
1272 * 1273 * @ingroup hx509_error 1274 */ 1275 1276void 1277hx509_clear_error_string (hx509_context /*context*/); 1278 /** Variant of hx509_cms_create_signed_1() that takes a certificate store (certs) in place of a single signer cert; the remaining arguments are as documented there. */ 1279int 1280hx509_cms_create_signed ( 1281 hx509_context /*context*/, 1282 int /*flags*/, 1283 const heim_oid */*eContentType*/, 1284 const void */*data*/, 1285 size_t /*length*/, 1286 const AlgorithmIdentifier */*digest_alg*/, 1287 hx509_certs /*certs*/, 1288 hx509_peer_info /*peer*/, 1289 hx509_certs /*anchors*/, 1290 hx509_certs /*pool*/, 1291 heim_octet_string */*signed_data*/); 1292 1293/** 1294 * Create and encode a CMS SignedData, signing the content with cert. 1295 * 1296 * @param context A hx509 context. 1297 * @param flags HX509_CMS_SIGNATURE_* flags to control the behavior, for example HX509_CMS_SIGNATURE_NO_SIGNER to emit a SignedData without any SignerInfo (see below). 1298 * @param eContentType the type of the data. 1299 * @param data data to sign 1300 * @param length length of the data that data points to. 1301 * @param digest_alg digest algorithm to use, use NULL to get the 1302 * default or the peer determined algorithm. 1303 * @param cert certificate (with private key) to sign the data with. 1304 * @param peer info about the peer the message is to be sent to, 1305 * like what digest algorithm to use. 1306 * @param anchors trust anchors that the client will use, used to 1307 * populate the certificates included in the message 1308 * @param pool certificates to use when trying to build the path to the 1309 * trust anchors. 1310 * @param signed_data the output of the function, free with 1311 * der_free_octet_string(). 1312 * 1313 * @return Returns an hx509 error code. 1314 * 1315 * @ingroup hx509_cms 1316 */ 1317 1318int 1319hx509_cms_create_signed_1 ( 1320 hx509_context /*context*/, 1321 int /*flags*/, 1322 const heim_oid */*eContentType*/, 1323 const void */*data*/, 1324 size_t /*length*/, 1325 const AlgorithmIdentifier */*digest_alg*/, 1326 hx509_cert /*cert*/, 1327 hx509_peer_info /*peer*/, 1328 hx509_certs /*anchors*/, 1329 hx509_certs /*pool*/, 1330 heim_octet_string */*signed_data*/); 1331 1332/** 1333 * HX509_CMS_SIGNATURE_NO_SIGNER is a flag for the SignedData creation functions above (hx509_cms_create_signed()/hx509_cms_create_signed_1()), not for hx509_cms_decrypt_encrypted() below: it creates SignedData with no SignerInfo (no 1334 * signatures), i.e. unauthenticated content, which hx509_cms_verify_signed() only accepts when HX509_CMS_VS_ALLOW_ZERO_SIGNER is set. 
1335 */ 1336 1337int 1338hx509_cms_decrypt_encrypted ( 1339 hx509_context /*context*/, 1340 hx509_lock /*lock*/, 1341 const void */*data*/, 1342 size_t /*length*/, 1343 heim_oid */*contentType*/, 1344 heim_octet_string */*content*/); 1345 1346/** 1347 * Encrypt and encode EnvelopedData. 1348 * 1349 * The data is encrypted with a 1350 * random key, and that random key is encrypted to the public key in the 1351 * recipient's certificate, so only the holder of the matching private key can recover it. This limits what recipient key type can be 1352 * used to RSA. 1353 * 1354 * @param context A hx509 context. 1355 * @param flags flags to control the behavior. 1356 * - HX509_CMS_EV_NO_KU_CHECK - Don't check KeyUsage on the recipient certificate 1357 * - HX509_CMS_EV_ALLOW_WEAK - Allow weak crypto (do not set unless a legacy peer requires it) 1358 * - HX509_CMS_EV_ID_NAME - prefer issuer name and serial number 1359 * @param cert Certificate (public key) to encrypt the EnvelopedData encryption key 1360 * with. 1361 * @param data pointer to the data to encrypt. 1362 * @param length length of the data that data points to. 1363 * @param encryption_type Encryption cipher to use for the bulk data, 1364 * use NULL to get default. 1365 * @param contentType type of the data that is encrypted 1366 * @param content the output of the function, 1367 * free with der_free_octet_string(). 1368 * 1369 * @return an hx509 error code. 1370 * 1371 * @ingroup hx509_cms 1372 */ 1373 1374int 1375hx509_cms_envelope_1 ( 1376 hx509_context /*context*/, 1377 int /*flags*/, 1378 hx509_cert /*cert*/, 1379 const void */*data*/, 1380 size_t /*length*/, 1381 const heim_oid */*encryption_type*/, 1382 const heim_oid */*contentType*/, 1383 heim_octet_string */*content*/); 1384 1385/** 1386 * Decode and decrypt EnvelopedData. 1387 * 1388 * Extract data and parameters from the EnvelopedData. Also 1389 * supports detached EnvelopedData. Note that EnvelopedData carries no signature: a successful decryption does not authenticate the sender, so verify origin separately (e.g. with hx509_cms_verify_signed()). 1390 * 1391 * @param context A hx509 context. 1392 * @param certs certificate store holding a certificate (with private key) that can decrypt the EnvelopedData 1393 * encryption key. 
1394 * @param flags HX509_CMS_UE_* flags to control the behavior. 1395 * @param data pointer to the buffer that contains the DER/BER encoded 1396 * EnvelopedData structure. 1397 * @param length length of the data that data points to. 1398 * @param encryptedContent in case of detached EnvelopedData, this 1399 * contains the actual encrypted data, otherwise it should be NULL. 1400 * @param time_now the current time to use, if zero the library uses now as the date. 1401 * @param contentType output type oid, should be freed with der_free_oid(). 1402 * @param content the decrypted data, free with der_free_octet_string(). 1403 * 1404 * @return an hx509 error code. 1405 * 1406 * @ingroup hx509_cms 1407 */ 1408 1409int 1410hx509_cms_unenvelope ( 1411 hx509_context /*context*/, 1412 hx509_certs /*certs*/, 1413 int /*flags*/, 1414 const void */*data*/, 1415 size_t /*length*/, 1416 const heim_octet_string */*encryptedContent*/, 1417 time_t /*time_now*/, 1418 heim_oid */*contentType*/, 1419 heim_octet_string */*content*/); 1420 1421/** 1422 * Decode a ContentInfo and unwrap the data and oid in it. 1423 * 1424 * @param in the encoded buffer. 1425 * @param oid returns the type of the content. 1426 * @param out returns the unwrapped data. 1427 * @param have_data since the data is optional, this flag shows the 1428 * difference between no data and zero length data. 1429 * 1430 * @return Returns an hx509 error code. 1431 * 1432 * @ingroup hx509_cms 1433 */ 1434 1435int 1436hx509_cms_unwrap_ContentInfo ( 1437 const heim_octet_string */*in*/, 1438 heim_oid */*oid*/, 1439 heim_octet_string */*out*/, 1440 int */*have_data*/); 1441 1442/** 1443 * Decode SignedData and verify that the signature is correct. 1444 * 1445 * @param context A hx509 context. 1446 * @param ctx a hx509 verify context. 1447 * @param flags flags to control the behavior of the function. 
1448 * - HX509_CMS_VS_NO_KU_CHECK - Don't check KeyUsage of the signer certificate 1449 * - HX509_CMS_VS_ALLOW_DATA_OID_MISMATCH - allow a mismatch of the content type oid 1450 * - HX509_CMS_VS_ALLOW_ZERO_SIGNER - accept SignedData that carries no SignerInfo. The returned content is then unauthenticated (no signature was checked), so callers must not treat it as signed; only set this when unsigned CMS is explicitly expected. 1451 * @param data pointer to CMS SignedData encoded data. 1452 * @param length length of the data that data points to. 1453 * @param signedContent external (detached) data covered by the signature. 1454 * @param pool certificate pool used to build certificate paths. 1455 * @param contentType free with der_free_oid(). 1456 * @param content the output of the function, free with 1457 * der_free_octet_string(). 1458 * @param signer_certs list of the certificates that signed this 1459 * message, free with hx509_certs_free(). 1460 * 1461 * @return an hx509 error code. 1462 * 1463 * @ingroup hx509_cms 1464 */ 1465 1466int 1467hx509_cms_verify_signed ( 1468 hx509_context /*context*/, 1469 hx509_verify_ctx /*ctx*/, 1470 unsigned int /*flags*/, 1471 const void */*data*/, 1472 size_t /*length*/, 1473 const heim_octet_string */*signedContent*/, 1474 hx509_certs /*pool*/, 1475 heim_oid */*contentType*/, 1476 heim_octet_string */*content*/, 1477 hx509_certs */*signer_certs*/); 1478 1479/** 1480 * Wrap data and oid in a ContentInfo and encode it. 1481 * 1482 * @param oid type of the content. 1483 * @param buf data to be wrapped. If a NULL pointer is passed in, the 1484 * optional content field in the ContentInfo is not going to be filled 1485 * in. 1486 * @param res the encoded buffer, the result should be freed with 1487 * der_free_octet_string(). 1488 * 1489 * @return Returns an hx509 error code. 1490 * 1491 * @ingroup hx509_cms 1492 */ 1493 1494int 1495hx509_cms_wrap_ContentInfo ( 1496 const heim_oid */*oid*/, 1497 const heim_octet_string */*buf*/, 1498 heim_octet_string */*res*/); 1499 1500/** 1501 * Free the context allocated by hx509_context_init(). 1502 * 1503 * @param context context to be freed. 
1504 * 1505 * @ingroup hx509 1506 */ 1507 1508void 1509hx509_context_free (hx509_context */*context*/); 1510 1511/** 1512 * Creates a hx509 context that most functions in the library 1513 * use. The context is not thread-safe: it may only be used by one thread at a 1514 * time. Free the context with hx509_context_free(). 1515 * 1516 * @param context Returns a pointer to the new hx509 context. 1517 * 1518 * @return Returns an hx509 error code. 1519 * 1520 * @ingroup hx509 1521 */ 1522 1523int 1524hx509_context_init (hx509_context */*context*/); 1525 1526/** 1527 * Selects whether hx509_revoke_verify() requires 1528 * the existence of a revocation method (OCSP, CRL) or not. Note that 1529 * hx509_verify_path(), hx509_cms_verify_signed(), and other functions 1530 * call hx509_revoke_verify(). 1531 * 1532 * @param context hx509 context to change the flag for. 1533 * @param flag zero: a revocation method is required (fail closed); non-zero: a missing 1534 * revocation method is accepted, i.e. a certificate whose revocation status cannot be determined still passes verification (fail open). Enable only where that risk is knowingly accepted. 1535 * 1536 * @ingroup hx509_verify 1537 */ 1538 1539void 1540hx509_context_set_missing_revoke ( 1541 hx509_context /*context*/, 1542 int /*flag*/); 1543 1544/** 1545 * Add revoked certificates to a CRL context. 1546 * 1547 * @param context a hx509 context. 1548 * @param crl the CRL to add the revoked certificates to. 1549 * @param certs keyset of certificates to revoke. 1550 * 1551 * @return An hx509 error code, see hx509_get_error_string(). 1552 * 1553 * @ingroup hx509_verify 1554 */ 1555 1556int 1557hx509_crl_add_revoked_certs ( 1558 hx509_context /*context*/, 1559 hx509_crl /*crl*/, 1560 hx509_certs /*certs*/); 1561 1562/** 1563 * Create a CRL context. Use hx509_crl_free() to free the CRL context. 1564 * 1565 * @param context a hx509 context. 1566 * @param crl return pointer to a newly allocated CRL context. 1567 * 1568 * @return An hx509 error code, see hx509_get_error_string(). 
1569 * 1570 * @ingroup hx509_verify 1571 */ 1572 1573int 1574hx509_crl_alloc ( 1575 hx509_context /*context*/, 1576 hx509_crl */*crl*/); 1577 1578/** 1579 * Free a CRL context. 1580 * 1581 * @param context a hx509 context. 1582 * @param crl a CRL context to free. 1583 * 1584 * @ingroup hx509_verify 1585 */ 1586 1587void 1588hx509_crl_free ( 1589 hx509_context /*context*/, 1590 hx509_crl */*crl*/); 1591 1592/** 1593 * Set the lifetime of a CRL context. 1594 * 1595 * @param context a hx509 context. 1596 * @param crl a CRL context 1597 * @param delta the time span the CRL (not the certificates listed in it) is valid for; the library adds the 1598 * current time to this to compute the CRL's expiry. 1599 * 1600 * @return An hx509 error code, see hx509_get_error_string(). 1601 * 1602 * @ingroup hx509_verify 1603 */ 1604 1605int 1606hx509_crl_lifetime ( 1607 hx509_context /*context*/, 1608 hx509_crl /*crl*/, 1609 int /*delta*/); 1610 1611/** 1612 * Sign a CRL and return the encoded CRL. 1613 * 1614 * @param context a hx509 context. 1615 * @param signer certificate to sign the CRL with (needs the private key) 1616 * @param crl the CRL to sign 1617 * @param os return the signed and encoded CRL, free with 1618 * free_heim_octet_string() 1619 * 1620 * @return An hx509 error code, see hx509_get_error_string(). 
1621 * 1622 * @ingroup hx509_verify 1623 */ 1624 1625int 1626hx509_crl_sign ( 1627 hx509_context /*context*/, 1628 hx509_cert /*signer*/, 1629 hx509_crl /*crl*/, 1630 heim_octet_string */*os*/); 1631 1632const AlgorithmIdentifier * 1633hx509_crypto_aes128_cbc (void); 1634 1635const AlgorithmIdentifier * 1636hx509_crypto_aes256_cbc (void); 1637 1638void 1639hx509_crypto_allow_weak (hx509_crypto /*crypto*/); 1640 1641int 1642hx509_crypto_available ( 1643 hx509_context /*context*/, 1644 int /*type*/, 1645 hx509_cert /*source*/, 1646 AlgorithmIdentifier **/*val*/, 1647 unsigned int */*plen*/); 1648 1649int 1650hx509_crypto_decrypt ( 1651 hx509_crypto /*crypto*/, 1652 const void */*data*/, 1653 const size_t /*length*/, 1654 heim_octet_string */*ivec*/, 1655 heim_octet_string */*clear*/); 1656 1657const AlgorithmIdentifier * 1658hx509_crypto_des_rsdi_ede3_cbc (void); 1659 1660void 1661hx509_crypto_destroy (hx509_crypto /*crypto*/); 1662 1663int 1664hx509_crypto_encrypt ( 1665 hx509_crypto /*crypto*/, 1666 const void */*data*/, 1667 const size_t /*length*/, 1668 const heim_octet_string */*ivec*/, 1669 heim_octet_string **/*ciphertext*/); 1670 1671const heim_oid * 1672hx509_crypto_enctype_by_name (const char */*name*/); 1673 1674void 1675hx509_crypto_free_algs ( 1676 AlgorithmIdentifier */*val*/, 1677 unsigned int /*len*/); 1678 1679int 1680hx509_crypto_get_params ( 1681 hx509_context /*context*/, 1682 hx509_crypto /*crypto*/, 1683 const heim_octet_string */*ivec*/, 1684 heim_octet_string */*param*/); 1685 1686int 1687hx509_crypto_init ( 1688 hx509_context /*context*/, 1689 const char */*provider*/, 1690 const heim_oid */*enctype*/, 1691 hx509_crypto */*crypto*/); 1692 1693const char * 1694hx509_crypto_provider (hx509_crypto /*crypto*/); 1695 1696int 1697hx509_crypto_random_iv ( 1698 hx509_crypto /*crypto*/, 1699 heim_octet_string */*ivec*/); 1700 1701int 1702hx509_crypto_select ( 1703 const hx509_context /*context*/, 1704 int /*type*/, 1705 const hx509_private_key 
/*source*/, 1706 hx509_peer_info /*peer*/, 1707 AlgorithmIdentifier */*selected*/); 1708 1709int 1710hx509_crypto_set_key_data ( 1711 hx509_crypto /*crypto*/, 1712 const void */*data*/, 1713 size_t /*length*/); 1714 1715int 1716hx509_crypto_set_key_name ( 1717 hx509_crypto /*crypto*/, 1718 const char */*name*/); 1719 1720void 1721hx509_crypto_set_padding ( 1722 hx509_crypto /*crypto*/, 1723 int /*padding_type*/); 1724 1725int 1726hx509_crypto_set_params ( 1727 hx509_context /*context*/, 1728 hx509_crypto /*crypto*/, 1729 const heim_octet_string */*param*/, 1730 heim_octet_string */*ivec*/); 1731 1732int 1733hx509_crypto_set_random_key ( 1734 hx509_crypto /*crypto*/, 1735 heim_octet_string */*key*/); 1736 1737/** 1738 * Add a new key/value pair to the hx509_env. 1739 * 1740 * @param context A hx509 context. 1741 * @param env environment to add the environment variable to. 1742 * @param key key to add 1743 * @param value value to add 1744 * 1745 * @return An hx509 error code, see hx509_get_error_string(). 1746 * 1747 * @ingroup hx509_env 1748 */ 1749 1750int 1751hx509_env_add ( 1752 hx509_context /*context*/, 1753 hx509_env */*env*/, 1754 const char */*key*/, 1755 const char */*value*/); 1756 1757/** 1758 * Add a new key/binding pair to the hx509_env. 1759 * 1760 * @param context A hx509 context. 1761 * @param env environment to add the binding to. 1762 * @param key key to add 1763 * @param list binding list to add 1764 * 1765 * @return An hx509 error code, see hx509_get_error_string(). 1766 * 1767 * @ingroup hx509_env 1768 */ 1769 1770int 1771hx509_env_add_binding ( 1772 hx509_context /*context*/, 1773 hx509_env */*env*/, 1774 const char */*key*/, 1775 hx509_env /*list*/); 1776 1777/** 1778 * Search the hx509_env for a key. 1779 * 1780 * @param context A hx509 context. 1781 * @param env environment to search. 1782 * @param key key to search for. 1783 * 1784 * @return the value if the key is found, NULL otherwise. 
1785 * 1786 * @ingroup hx509_env 1787 */ 1788 1789const char * 1790hx509_env_find ( 1791 hx509_context /*context*/, 1792 hx509_env /*env*/, 1793 const char */*key*/); 1794 1795/** 1796 * Search the hx509_env for a binding. 1797 * 1798 * @param context A hx509 context. 1799 * @param env environment to search. 1800 * @param key key to search for. 1801 * 1802 * @return the binding if the key is found, NULL if not found. 1803 * 1804 * @ingroup hx509_env 1805 */ 1806 1807hx509_env 1808hx509_env_find_binding ( 1809 hx509_context /*context*/, 1810 hx509_env /*env*/, 1811 const char */*key*/); 1812 1813/** 1814 * Free an hx509_env environment context. 1815 * 1816 * @param env the environment to free. 1817 * 1818 * @ingroup hx509_env 1819 */ 1820 1821void 1822hx509_env_free (hx509_env */*env*/); 1823 1824/** 1825 * Search the hx509_env for a key given with an explicit length. 1826 * 1827 * @param context A hx509 context. 1828 * @param env environment to search. 1829 * @param key key to search for. 1830 * @param len length of key in bytes. 1831 * 1832 * @return the value if the key is found, NULL otherwise. 1833 * 1834 * @ingroup hx509_env 1835 */ 1836 1837const char * 1838hx509_env_lfind ( 1839 hx509_context /*context*/, 1840 hx509_env /*env*/, 1841 const char */*key*/, 1842 size_t /*len*/); 1843 1844/** 1845 * Print an error message and fatally exit the process with the given error code. 1846 * 1847 * @param context A hx509 context. 1848 * @param exit_code exit() code for the process. 1849 * @param error_code Error code for the reason to exit. 1850 * @param fmt printf-style format string with the exit message; pass a literal, never untrusted input. 1851 * @param ... arguments to the format string. 
1852 * 1853 * @ingroup hx509_error 1854 */ 1855 1856void 1857hx509_err ( 1858 hx509_context /*context*/, 1859 int /*exit_code*/, 1860 int /*error_code*/, 1861 const char */*fmt*/, 1862 ...); 1863 1864hx509_private_key_ops * 1865hx509_find_private_alg (const heim_oid */*oid*/); 1866 1867/** 1868 * Free error string returned by hx509_get_error_string(). 1869 * 1870 * @param str error string to free. 1871 * 1872 * @ingroup hx509_error 1873 */ 1874 1875void 1876hx509_free_error_string (char */*str*/); 1877 1878/** 1879 * Free a list of octet strings returned by another hx509 library 1880 * function. 1881 * 1882 * @param list list to be freed. 1883 * 1884 * @ingroup hx509_misc 1885 */ 1886 1887void 1888hx509_free_octet_string_list (hx509_octet_string_list */*list*/); 1889 1890/** 1891 * Unparse the hx509 name in name into a string. 1892 * 1893 * @param name the name to print 1894 * @param str an allocated string returns the name in string form 1895 * 1896 * @return An hx509 error code, see hx509_get_error_string(). 1897 * 1898 * @ingroup hx509_name 1899 */ 1900 1901int 1902hx509_general_name_unparse ( 1903 GeneralName */*name*/, 1904 char **/*str*/); 1905 1906/** 1907 * Get an error string from context associated with error_code. 1908 * 1909 * @param context A hx509 context. 1910 * @param error_code Get error message for this error code. 1911 * 1912 * @return error string, free with hx509_free_error_string(). 1913 * 1914 * @ingroup hx509_error 1915 */ 1916 1917char * 1918hx509_get_error_string ( 1919 hx509_context /*context*/, 1920 int /*error_code*/); 1921 1922/** 1923 * Get one random certificate from the certificate store. 1924 * 1925 * @param context a hx509 context. 1926 * @param certs a certificate store to get the certificate from. 1927 * @param c return certificate, should be freed with hx509_cert_free(). 1928 * 1929 * @return Returns an hx509 error code. 
1930 * 1931 * @ingroup hx509_keyset 1932 */ 1933 1934int 1935hx509_get_one_cert ( 1936 hx509_context /*context*/, 1937 hx509_certs /*certs*/, 1938 hx509_cert */*c*/); 1939 1940int 1941hx509_lock_add_cert ( 1942 hx509_context /*context*/, 1943 hx509_lock /*lock*/, 1944 hx509_cert /*cert*/); 1945 1946int 1947hx509_lock_add_certs ( 1948 hx509_context /*context*/, 1949 hx509_lock /*lock*/, 1950 hx509_certs /*certs*/); 1951 1952int 1953hx509_lock_add_password ( 1954 hx509_lock /*lock*/, 1955 const char */*password*/); 1956 1957int 1958hx509_lock_command_string ( 1959 hx509_lock /*lock*/, 1960 const char */*string*/); 1961 1962void 1963hx509_lock_free (hx509_lock /*lock*/); 1964 1965/** 1966 * @page page_lock Locking and unlocking certificates and encrypted data. 1967 * 1968 * See the library functions here: @ref hx509_lock 1969 */ 1970 1971int 1972hx509_lock_init ( 1973 hx509_context /*context*/, 1974 hx509_lock */*lock*/); 1975 1976int 1977hx509_lock_prompt ( 1978 hx509_lock /*lock*/, 1979 hx509_prompt */*prompt*/); 1980 1981void 1982hx509_lock_reset_certs ( 1983 hx509_context /*context*/, 1984 hx509_lock /*lock*/); 1985 1986void 1987hx509_lock_reset_passwords (hx509_lock /*lock*/); 1988 1989void 1990hx509_lock_reset_promper (hx509_lock /*lock*/); 1991 1992int 1993hx509_lock_set_prompter ( 1994 hx509_lock /*lock*/, 1995 hx509_prompter_fct /*prompt*/, 1996 void */*data*/); 1997 1998/** 1999 * Convert a hx509_name object to DER encoded name. 2000 * 2001 * @param name name to concert 2002 * @param os data to a DER encoded name, free the resulting octet 2003 * string with hx509_xfree(os->data). 2004 * 2005 * @return An hx509 error code, see hx509_get_error_string(). 2006 * 2007 * @ingroup hx509_name 2008 */ 2009 2010int 2011hx509_name_binary ( 2012 const hx509_name /*name*/, 2013 heim_octet_string */*os*/); 2014 2015/** 2016 * Compare to hx509 name object, useful for sorting. 2017 * 2018 * @param n1 a hx509 name object. 2019 * @param n2 a hx509 name object. 
2020 * 2021 * @return 0 if the objects are the same, > 0 if n1 is "larger" 2022 * than n2, < 0 if n1 is "smaller" than n2. 2023 * 2024 * @ingroup hx509_name 2025 */ 2026 2027int 2028hx509_name_cmp ( 2029 hx509_name /*n1*/, 2030 hx509_name /*n2*/); 2031 2032/** 2033 * Copy a hx509 name object. 2034 * 2035 * @param context A hx509 context. 2036 * @param from the name to copy from 2037 * @param to the name to copy to 2038 * 2039 * @return An hx509 error code, see hx509_get_error_string(). 2040 * 2041 * @ingroup hx509_name 2042 */ 2043 2044int 2045hx509_name_copy ( 2046 hx509_context /*context*/, 2047 const hx509_name /*from*/, 2048 hx509_name */*to*/); 2049 2050/** 2051 * Expands variables in the name using env. Variables are of the form 2052 * ${name}. Useful when dealing with certificate templates. Values from env are substituted into the name verbatim, so do not build env from untrusted input when the name ends up in an issued certificate. 2053 * 2054 * @param context A hx509 context. 2055 * @param name the name to expand. 2056 * @param env environment supplying the variables to expand. 2057 * 2058 * @return An hx509 error code, see hx509_get_error_string(). 2059 * 2060 * @ingroup hx509_name 2061 */ 2062 2063int 2064hx509_name_expand ( 2065 hx509_context /*context*/, 2066 hx509_name /*name*/, 2067 hx509_env /*env*/); 2068 2069/** 2070 * Free a hx509 name object; upon return *name will be NULL. 2071 * 2072 * @param name a hx509 name object to be freed. 2073 * 2074 * @ingroup hx509_name 2075 */ 2076 2077void 2078hx509_name_free (hx509_name */*name*/); 2079 2080/** 2081 * Check whether a hx509 name object is empty/null. 2082 * 2083 * @param name the name to check if it is empty/null. 2084 * 2085 * @return non zero if the name is empty/null. 2086 * 2087 * @ingroup hx509_name 2088 */ 2089 2090int 2091hx509_name_is_null_p (const hx509_name /*name*/); 2092 2093int 2094hx509_name_normalize ( 2095 hx509_context /*context*/, 2096 hx509_name /*name*/); 2097 2098/** 2099 * Convert a hx509_name into a Name. 
2100 * 2101 * @param from the name to copy from 2102 * @param to the name to copy to 2103 * 2104 * @return An hx509 error code, see hx509_get_error_string(). 2105 * 2106 * @ingroup hx509_name 2107 */ 2108 2109int 2110hx509_name_to_Name ( 2111 const hx509_name /*from*/, 2112 Name */*to*/); 2113 2114/** 2115 * Convert the hx509 name object into a printable string. 2116 * The resulting string should be freed with free(). 2117 * 2118 * @param name name to print 2119 * @param str the string to return 2120 * 2121 * @return An hx509 error code, see hx509_get_error_string(). 2122 * 2123 * @ingroup hx509_name 2124 */ 2125 2126int 2127hx509_name_to_string ( 2128 const hx509_name /*name*/, 2129 char **/*str*/); 2130 2131/** 2132 * Create an OCSP request for a set of certificates. 2133 * 2134 * @param context a hx509 context 2135 * @param reqcerts list of certificates to request ocsp data for 2136 * @param pool certificate pool to use when signing 2137 * @param signer certificate to use to sign the request 2138 * @param digest the signing algorithm in the request, if NULL use the 2139 * default signature algorithm, 2140 * @param request the encoded request, free with free_heim_octet_string(). 2141 * @param nonce the nonce placed in the request, free with free_heim_octet_string(). Retain it so the reply's nonce can be compared against it; otherwise an old reply could be replayed. 2142 * 2143 * @return An hx509 error code, see hx509_get_error_string(). 2144 * 2145 * @ingroup hx509_revoke 2146 */ 2147 2148int 2149hx509_ocsp_request ( 2150 hx509_context /*context*/, 2151 hx509_certs /*reqcerts*/, 2152 hx509_certs /*pool*/, 2153 hx509_cert /*signer*/, 2154 const AlgorithmIdentifier */*digest*/, 2155 heim_octet_string */*request*/, 2156 heim_octet_string */*nonce*/); 2157 2158/** 2159 * Verify that the certificate is part of the OCSP reply and that the reply is not 2160 * expired. This function does NOT verify the signature on the OCSP reply, nor that it was produced by an 2161 * authorized responder; the caller must have done that already, otherwise the status of an unverified (possibly attacker-supplied) reply would be trusted. 
2162 * 2163 * @param context a hx509 context 2164 * @param now the time right now, if 0, use the current time. 2165 * @param cert the certificate to verify 2166 * @param flags flags control the behavior 2167 * @param data pointer to the encode ocsp reply 2168 * @param length the length of the encode ocsp reply 2169 * @param expiration return the time the OCSP will expire and need to 2170 * be rechecked. 2171 * 2172 * @return An hx509 error code, see hx509_get_error_string(). 2173 * 2174 * @ingroup hx509_verify 2175 */ 2176 2177int 2178hx509_ocsp_verify ( 2179 hx509_context /*context*/, 2180 time_t /*now*/, 2181 hx509_cert /*cert*/, 2182 int /*flags*/, 2183 const void */*data*/, 2184 size_t /*length*/, 2185 time_t */*expiration*/); 2186 2187/** 2188 * Print a oid using a hx509_vprint_func function. To print to stdout 2189 * use hx509_print_stdout(). 2190 * 2191 * @param oid oid to print 2192 * @param func hx509_vprint_func to print with. 2193 * @param ctx context variable to hx509_vprint_func function. 2194 * 2195 * @ingroup hx509_print 2196 */ 2197 2198void 2199hx509_oid_print ( 2200 const heim_oid */*oid*/, 2201 hx509_vprint_func /*func*/, 2202 void */*ctx*/); 2203 2204/** 2205 * Print a oid to a string. 2206 * 2207 * @param oid oid to print 2208 * @param str allocated string, free with hx509_xfree(). 2209 * 2210 * @return An hx509 error code, see hx509_get_error_string(). 2211 * 2212 * @ingroup hx509_print 2213 */ 2214 2215int 2216hx509_oid_sprint ( 2217 const heim_oid */*oid*/, 2218 char **/*str*/); 2219 2220/** 2221 * Parse a string into a hx509 name object. 2222 * 2223 * @param context A hx509 context. 2224 * @param str a string to parse. 2225 * @param name the resulting object, NULL in case of error. 2226 * 2227 * @return An hx509 error code, see hx509_get_error_string(). 
2228 * 2229 * @ingroup hx509_name 2230 */ 2231 2232int 2233hx509_parse_name ( 2234 hx509_context /*context*/, 2235 const char */*str*/, 2236 hx509_name */*name*/); 2237 2238int 2239hx509_parse_private_key ( 2240 hx509_context /*context*/, 2241 const AlgorithmIdentifier */*keyai*/, 2242 const void */*data*/, 2243 size_t /*len*/, 2244 hx509_key_format_t /*format*/, 2245 hx509_private_key */*private_key*/); 2246 2247/** 2248 * Add an additional algorithm that the peer supports. 2249 * 2250 * @param context A hx509 context. 2251 * @param peer the peer to set the new algorithms for 2252 * @param val an AlgorithmsIdentier to add 2253 * 2254 * @return An hx509 error code, see hx509_get_error_string(). 2255 * 2256 * @ingroup hx509_peer 2257 */ 2258 2259int 2260hx509_peer_info_add_cms_alg ( 2261 hx509_context /*context*/, 2262 hx509_peer_info /*peer*/, 2263 const AlgorithmIdentifier */*val*/); 2264 2265/** 2266 * Allocate a new peer info structure an init it to default values. 2267 * 2268 * @param context A hx509 context. 2269 * @param peer return an allocated peer, free with hx509_peer_info_free(). 2270 * 2271 * @return An hx509 error code, see hx509_get_error_string(). 2272 * 2273 * @ingroup hx509_peer 2274 */ 2275 2276int 2277hx509_peer_info_alloc ( 2278 hx509_context /*context*/, 2279 hx509_peer_info */*peer*/); 2280 2281/** 2282 * Free a peer info structure. 2283 * 2284 * @param peer peer info to be freed. 2285 * 2286 * @ingroup hx509_peer 2287 */ 2288 2289void 2290hx509_peer_info_free (hx509_peer_info /*peer*/); 2291 2292/** 2293 * Set the certificate that remote peer is using. 2294 * 2295 * @param peer peer info to update 2296 * @param cert cerificate of the remote peer. 2297 * 2298 * @return An hx509 error code, see hx509_get_error_string(). 2299 * 2300 * @ingroup hx509_peer 2301 */ 2302 2303int 2304hx509_peer_info_set_cert ( 2305 hx509_peer_info /*peer*/, 2306 hx509_cert /*cert*/); 2307 2308/** 2309 * Set the algorithms that the peer supports. 
2310 * 2311 * @param context A hx509 context. 2312 * @param peer the peer to set the new algorithms for 2313 * @param val array of supported AlgorithmsIdentiers 2314 * @param len length of array val. 2315 * 2316 * @return An hx509 error code, see hx509_get_error_string(). 2317 * 2318 * @ingroup hx509_peer 2319 */ 2320 2321int 2322hx509_peer_info_set_cms_algs ( 2323 hx509_context /*context*/, 2324 hx509_peer_info /*peer*/, 2325 const AlgorithmIdentifier */*val*/, 2326 size_t /*len*/); 2327 2328int 2329hx509_pem_add_header ( 2330 hx509_pem_header **/*headers*/, 2331 const char */*header*/, 2332 const char */*value*/); 2333 2334const char * 2335hx509_pem_find_header ( 2336 const hx509_pem_header */*h*/, 2337 const char */*header*/); 2338 2339void 2340hx509_pem_free_header (hx509_pem_header */*headers*/); 2341 2342int 2343hx509_pem_read ( 2344 hx509_context /*context*/, 2345 FILE */*f*/, 2346 hx509_pem_read_func /*func*/, 2347 void */*ctx*/); 2348 2349int 2350hx509_pem_write ( 2351 hx509_context /*context*/, 2352 const char */*type*/, 2353 hx509_pem_header */*headers*/, 2354 FILE */*f*/, 2355 const void */*data*/, 2356 size_t /*size*/); 2357 2358/** 2359 * Print a simple representation of a certificate 2360 * 2361 * @param context A hx509 context, can be NULL 2362 * @param cert certificate to print 2363 * @param out the stdio output stream, if NULL, stdout is used 2364 * 2365 * @return An hx509 error code 2366 * 2367 * @ingroup hx509_cert 2368 */ 2369 2370int 2371hx509_print_cert ( 2372 hx509_context /*context*/, 2373 hx509_cert /*cert*/, 2374 FILE */*out*/); 2375 2376/** 2377 * Helper function to print on stdout for: 2378 * - hx509_oid_print(), 2379 * - hx509_bitstring_print(), 2380 * - hx509_validate_ctx_set_print(). 2381 * 2382 * @param ctx the context to the print function. If the ctx is NULL, 2383 * stdout is used. 2384 * @param fmt the printing format. 2385 * @param va the argumet list. 
2386 * 2387 * @ingroup hx509_print 2388 */ 2389 2390void 2391hx509_print_stdout ( 2392 void */*ctx*/, 2393 const char */*fmt*/, 2394 va_list /*va*/); 2395 2396int 2397hx509_private_key2SPKI ( 2398 hx509_context /*context*/, 2399 hx509_private_key /*private_key*/, 2400 SubjectPublicKeyInfo */*spki*/); 2401 2402void 2403hx509_private_key_assign_rsa ( 2404 hx509_private_key /*key*/, 2405 void */*ptr*/); 2406 2407int 2408hx509_private_key_free (hx509_private_key */*key*/); 2409 2410int 2411hx509_private_key_init ( 2412 hx509_private_key */*key*/, 2413 hx509_private_key_ops */*ops*/, 2414 void */*keydata*/); 2415 2416int 2417hx509_private_key_private_decrypt ( 2418 hx509_context /*context*/, 2419 const heim_octet_string */*ciphertext*/, 2420 const heim_oid */*encryption_oid*/, 2421 hx509_private_key /*p*/, 2422 heim_octet_string */*cleartext*/); 2423 2424int 2425hx509_prompt_hidden (hx509_prompt_type /*type*/); 2426 2427/** 2428 * Allocate an query controller. Free using hx509_query_free(). 2429 * 2430 * @param context A hx509 context. 2431 * @param q return pointer to a hx509_query. 2432 * 2433 * @return An hx509 error code, see hx509_get_error_string(). 2434 * 2435 * @ingroup hx509_cert 2436 */ 2437 2438int 2439hx509_query_alloc ( 2440 hx509_context /*context*/, 2441 hx509_query **/*q*/); 2442 2443/** 2444 * Free the query controller. 2445 * 2446 * @param context A hx509 context. 2447 * @param q a pointer to the query controller. 2448 * 2449 * @ingroup hx509_cert 2450 */ 2451 2452void 2453hx509_query_free ( 2454 hx509_context /*context*/, 2455 hx509_query */*q*/); 2456 2457/** 2458 * Set the query controller to match using a specific match function. 2459 * 2460 * @param q a hx509 query controller. 2461 * @param func function to use for matching, if the argument is NULL, 2462 * the match function is removed. 2463 * @param ctx context passed to the function. 2464 * 2465 * @return An hx509 error code, see hx509_get_error_string(). 
2466 * 2467 * @ingroup hx509_cert 2468 */ 2469 2470int 2471hx509_query_match_cmp_func ( 2472 hx509_query */*q*/, 2473 int (*/*func*/)(hx509_context, hx509_cert, void *), 2474 void */*ctx*/); 2475 2476/** 2477 * Set the query controller to require an one specific EKU (extended 2478 * key usage). Any previous EKU matching is overwitten. If NULL is 2479 * passed in as the eku, the EKU requirement is reset. 2480 * 2481 * @param q a hx509 query controller. 2482 * @param eku an EKU to match on. 2483 * 2484 * @return An hx509 error code, see hx509_get_error_string(). 2485 * 2486 * @ingroup hx509_cert 2487 */ 2488 2489int 2490hx509_query_match_eku ( 2491 hx509_query */*q*/, 2492 const heim_oid */*eku*/); 2493 2494int 2495hx509_query_match_expr ( 2496 hx509_context /*context*/, 2497 hx509_query */*q*/, 2498 const char */*expr*/); 2499 2500/** 2501 * Set the query controller to match on a friendly name 2502 * 2503 * @param q a hx509 query controller. 2504 * @param name a friendly name to match on 2505 * 2506 * @return An hx509 error code, see hx509_get_error_string(). 2507 * 2508 * @ingroup hx509_cert 2509 */ 2510 2511int 2512hx509_query_match_friendly_name ( 2513 hx509_query */*q*/, 2514 const char */*name*/); 2515 2516/** 2517 * Set the issuer and serial number of match in the query 2518 * controller. The function make copies of the isser and serial number. 2519 * 2520 * @param q a hx509 query controller 2521 * @param issuer issuer to search for 2522 * @param serialNumber the serialNumber of the issuer. 2523 * 2524 * @return An hx509 error code, see hx509_get_error_string(). 2525 * 2526 * @ingroup hx509_cert 2527 */ 2528 2529int 2530hx509_query_match_issuer_serial ( 2531 hx509_query */*q*/, 2532 const Name */*issuer*/, 2533 const heim_integer */*serialNumber*/); 2534 2535/** 2536 * Set match options for the hx509 query controller. 2537 * 2538 * @param q query controller. 2539 * @param option options to control the query controller. 
2540 * 2541 * @return An hx509 error code, see hx509_get_error_string(). 2542 * 2543 * @ingroup hx509_cert 2544 */ 2545 2546void 2547hx509_query_match_option ( 2548 hx509_query */*q*/, 2549 hx509_query_option /*option*/); 2550 2551/** 2552 * Set a statistic file for the query statistics. 2553 * 2554 * @param context A hx509 context. 2555 * @param fn statistics file name 2556 * 2557 * @ingroup hx509_cert 2558 */ 2559 2560void 2561hx509_query_statistic_file ( 2562 hx509_context /*context*/, 2563 const char */*fn*/); 2564 2565/** 2566 * Unparse the statistics file and print the result on a FILE descriptor. 2567 * 2568 * @param context A hx509 context. 2569 * @param printtype tyep to print 2570 * @param out the FILE to write the data on. 2571 * 2572 * @ingroup hx509_cert 2573 */ 2574 2575void 2576hx509_query_unparse_stats ( 2577 hx509_context /*context*/, 2578 int /*printtype*/, 2579 FILE */*out*/); 2580 2581void 2582hx509_request_free (hx509_request */*req*/); 2583 2584int 2585hx509_request_get_SubjectPublicKeyInfo ( 2586 hx509_context /*context*/, 2587 hx509_request /*req*/, 2588 SubjectPublicKeyInfo */*key*/); 2589 2590int 2591hx509_request_get_name ( 2592 hx509_context /*context*/, 2593 hx509_request /*req*/, 2594 hx509_name */*name*/); 2595 2596int 2597hx509_request_init ( 2598 hx509_context /*context*/, 2599 hx509_request */*req*/); 2600 2601int 2602hx509_request_set_SubjectPublicKeyInfo ( 2603 hx509_context /*context*/, 2604 hx509_request /*req*/, 2605 const SubjectPublicKeyInfo */*key*/); 2606 2607int 2608hx509_request_set_name ( 2609 hx509_context /*context*/, 2610 hx509_request /*req*/, 2611 hx509_name /*name*/); 2612 2613/** 2614 * Add a CRL file to the revokation context. 2615 * 2616 * @param context hx509 context 2617 * @param ctx hx509 revokation context 2618 * @param path path to file that is going to be added to the context. 2619 * 2620 * @return An hx509 error code, see hx509_get_error_string(). 
2621 * 2622 * @ingroup hx509_revoke 2623 */ 2624 2625int 2626hx509_revoke_add_crl ( 2627 hx509_context /*context*/, 2628 hx509_revoke_ctx /*ctx*/, 2629 const char */*path*/); 2630 2631/** 2632 * Add an OCSP file to the revocation context. 2633 * 2634 * @param context hx509 context 2635 * @param ctx hx509 revocation context 2636 * @param path path to file that is going to be added to the context. 2637 * 2638 * @return An hx509 error code, see hx509_get_error_string(). 2639 * 2640 * @ingroup hx509_revoke 2641 */ 2642 2643int 2644hx509_revoke_add_ocsp ( 2645 hx509_context /*context*/, 2646 hx509_revoke_ctx /*ctx*/, 2647 const char */*path*/); 2648 2649/** 2650 * Free a hx509 revocation context. 2651 * 2652 * @param ctx context to be freed 2653 * 2654 * @ingroup hx509_revoke 2655 */ 2656 2657void 2658hx509_revoke_free (hx509_revoke_ctx */*ctx*/); 2659 2660/** 2661 * Allocate a revocation context. Free with hx509_revoke_free(). 2662 * 2663 * @param context A hx509 context. 2664 * @param ctx returns a newly allocated revocation context. 2665 * 2666 * @return An hx509 error code, see hx509_get_error_string(). 2667 * 2668 * @ingroup hx509_revoke 2669 */ 2670 2671int 2672hx509_revoke_init ( 2673 hx509_context /*context*/, 2674 hx509_revoke_ctx */*ctx*/); 2675 2676/** 2677 * Print the OCSP reply stored in a file. 2678 * 2679 * @param context a hx509 context 2680 * @param path path to a file with an OCSP reply 2681 * @param out the FILE to print the reply on 2682 * 2683 * @return An hx509 error code, see hx509_get_error_string(). 2684 * 2685 * @ingroup hx509_revoke 2686 */ 2687 2688int 2689hx509_revoke_ocsp_print ( 2690 hx509_context /*context*/, 2691 const char */*path*/, 2692 FILE */*out*/); 2693 2694int 2695hx509_revoke_print ( 2696 hx509_context /*context*/, 2697 hx509_revoke_ctx /*ctx*/, 2698 FILE */*out*/); 2699 2700/** 2701 * Check that a certificate is not expired according to a revocation 2702 * context. 
The parent certificate is also needed to check the OCSP 2703 * parent identifier. 2704 * 2705 * @param context hx509 context 2706 * @param ctx hx509 revocation context 2707 * @param certs 2708 * @param now the time at which the check is evaluated 2709 * @param cert the certificate to check 2710 * @param parent_cert the parent (issuer) certificate of cert 2711 * 2712 * @return An hx509 error code, see hx509_get_error_string(). 2713 * 2714 * @ingroup hx509_revoke 2715 */ 2716 2717int 2718hx509_revoke_verify ( 2719 hx509_context /*context*/, 2720 hx509_revoke_ctx /*ctx*/, 2721 hx509_certs /*certs*/, 2722 time_t /*now*/, 2723 hx509_cert /*cert*/, 2724 hx509_cert /*parent_cert*/); 2725 2726/** 2727 * See hx509_set_error_stringv(). 2728 * 2729 * @param context A hx509 context. 2730 * @param flags 2731 * - HX509_ERROR_APPEND appends the error string to the old messages 2732 (code is updated). 2733 * @param code error code related to the error message 2734 * @param fmt error message format 2735 * @param ... arguments to the error message format 2736 * 2737 * @ingroup hx509_error 2738 */ 2739 2740void 2741hx509_set_error_string ( 2742 hx509_context /*context*/, 2743 int /*flags*/, 2744 int /*code*/, 2745 const char */*fmt*/, 2746 ...); 2747 2748/** 2749 * Add an error message to the hx509 context. 2750 * 2751 * @param context A hx509 context. 2752 * @param flags 2753 * - HX509_ERROR_APPEND appends the error string to the old messages 2754 (code is updated). 
2755 * @param code error code related to error message 2756 * @param fmt error message format 2757 * @param ap arguments to error message format 2758 * 2759 * @ingroup hx509_error 2760 */ 2761 2762void 2763hx509_set_error_stringv ( 2764 hx509_context /*context*/, 2765 int /*flags*/, 2766 int /*code*/, 2767 const char */*fmt*/, 2768 va_list /*ap*/); 2769 2770const AlgorithmIdentifier * 2771hx509_signature_ecPublicKey (void); 2772 2773const AlgorithmIdentifier * 2774hx509_signature_ecdsa_with_sha256 (void); 2775 2776const AlgorithmIdentifier * 2777hx509_signature_md5 (void); 2778 2779const AlgorithmIdentifier * 2780hx509_signature_rsa (void); 2781 2782const AlgorithmIdentifier * 2783hx509_signature_rsa_pkcs1_x509 (void); 2784 2785const AlgorithmIdentifier * 2786hx509_signature_rsa_with_md5 (void); 2787 2788const AlgorithmIdentifier * 2789hx509_signature_rsa_with_sha1 (void); 2790 2791const AlgorithmIdentifier * 2792hx509_signature_rsa_with_sha256 (void); 2793 2794const AlgorithmIdentifier * 2795hx509_signature_rsa_with_sha384 (void); 2796 2797const AlgorithmIdentifier * 2798hx509_signature_rsa_with_sha512 (void); 2799 2800const AlgorithmIdentifier * 2801hx509_signature_sha1 (void); 2802 2803const AlgorithmIdentifier * 2804hx509_signature_sha256 (void); 2805 2806const AlgorithmIdentifier * 2807hx509_signature_sha384 (void); 2808 2809const AlgorithmIdentifier * 2810hx509_signature_sha512 (void); 2811 2812/** 2813 * Convert a DER encoded name info a string. 2814 * 2815 * @param data data to a DER/BER encoded name 2816 * @param length length of data 2817 * @param str the resulting string, is NULL on failure. 2818 * 2819 * @return An hx509 error code, see hx509_get_error_string(). 2820 * 2821 * @ingroup hx509_name 2822 */ 2823 2824int 2825hx509_unparse_der_name ( 2826 const void */*data*/, 2827 size_t /*length*/, 2828 char **/*str*/); 2829 2830/** 2831 * Validate/Print the status of the certificate. 2832 * 2833 * @param context A hx509 context. 
2834 * @param ctx A hx509 validation context. 2835 * @param cert the cerificate to validate/print. 2836 2837 * @return An hx509 error code, see hx509_get_error_string(). 2838 * 2839 * @ingroup hx509_print 2840 */ 2841 2842int 2843hx509_validate_cert ( 2844 hx509_context /*context*/, 2845 hx509_validate_ctx /*ctx*/, 2846 hx509_cert /*cert*/); 2847 2848/** 2849 * Add flags to control the behaivor of the hx509_validate_cert() 2850 * function. 2851 * 2852 * @param ctx A hx509 validation context. 2853 * @param flags flags to add to the validation context. 2854 * 2855 * @return An hx509 error code, see hx509_get_error_string(). 2856 * 2857 * @ingroup hx509_print 2858 */ 2859 2860void 2861hx509_validate_ctx_add_flags ( 2862 hx509_validate_ctx /*ctx*/, 2863 int /*flags*/); 2864 2865/** 2866 * Free an hx509 validate context. 2867 * 2868 * @param ctx the hx509 validate context to free. 2869 * 2870 * @ingroup hx509_print 2871 */ 2872 2873void 2874hx509_validate_ctx_free (hx509_validate_ctx /*ctx*/); 2875 2876/** 2877 * Allocate a hx509 validation/printing context. 2878 * 2879 * @param context A hx509 context. 2880 * @param ctx a new allocated hx509 validation context, free with 2881 * hx509_validate_ctx_free(). 2882 2883 * @return An hx509 error code, see hx509_get_error_string(). 2884 * 2885 * @ingroup hx509_print 2886 */ 2887 2888int 2889hx509_validate_ctx_init ( 2890 hx509_context /*context*/, 2891 hx509_validate_ctx */*ctx*/); 2892 2893/** 2894 * Set the printing functions for the validation context. 2895 * 2896 * @param ctx a hx509 valication context. 2897 * @param func the printing function to usea. 2898 * @param c the context variable to the printing function. 2899 * 2900 * @return An hx509 error code, see hx509_get_error_string(). 
2901 * 2902 * @ingroup hx509_print 2903 */ 2904 2905void 2906hx509_validate_ctx_set_print ( 2907 hx509_validate_ctx /*ctx*/, 2908 hx509_vprint_func /*func*/, 2909 void */*c*/); 2910 2911/** 2912 * Set the trust anchors in the verification context; takes a 2913 * reference to the keyset, so the consumer can free the keyset 2914 * independently of the destruction of the verification context (ctx). 2915 * If there already is a keyset attached, it is released. 2916 * 2917 * @param ctx a verification context 2918 * @param set a keyset containing the trust anchors. 2919 * 2920 * @ingroup hx509_verify 2921 */ 2922 2923void 2924hx509_verify_attach_anchors ( 2925 hx509_verify_ctx /*ctx*/, 2926 hx509_certs /*set*/); 2927 2928/** 2929 * Attach a revocation context to the verification context; takes a 2930 * reference to the revoke context, so the consumer can free the 2931 * revoke context independently of the destruction of the verification 2932 * context. If no revoke context is attached, the verification process is 2933 * NOT going to check revocation status at all. 2934 * 2935 * @param ctx a verification context. 2936 * @param revoke_ctx a revoke context. 2937 * 2938 * @ingroup hx509_verify 2939 */ 2940 2941void 2942hx509_verify_attach_revoke ( 2943 hx509_verify_ctx /*ctx*/, 2944 hx509_revoke_ctx /*revoke_ctx*/); 2945 2946void 2947hx509_verify_ctx_f_allow_best_before_signature_algs ( 2948 hx509_context /*ctx*/, 2949 int /*boolean*/); 2950 2951/** 2952 * Allow using the operating system's builtin trust anchors if no other 2953 * trust anchors are configured. 2954 * 2955 * @param ctx a verification context 2956 * @param boolean if non-zero, use the operating system's builtin 2957 * trust anchors. 2958 * 2959 * 2960 * @return An hx509 error code, see hx509_get_error_string(). 
2961 * 2962 * @ingroup hx509_cert 2963 */ 2964 2965void 2966hx509_verify_ctx_f_allow_default_trustanchors ( 2967 hx509_verify_ctx /*ctx*/, 2968 int /*boolean*/); 2969 2970/** 2971 * Free an hx509 verification context. 2972 * 2973 * @param ctx the context to be freed. 2974 * 2975 * @ingroup hx509_verify 2976 */ 2977 2978void 2979hx509_verify_destroy_ctx (hx509_verify_ctx /*ctx*/); 2980 2981/** 2982 * Verify that the certificate is allowed to be used for the hostname 2983 * and address. 2984 * 2985 * @param context A hx509 context. 2986 * @param cert the certificate to match with 2987 * @param flags Flags to modify the behavior: 2988 * - HX509_VHN_F_ALLOW_NO_MATCH a certificate with no matching name is accepted 2989 * @param type type of hostname: 2990 * - HX509_HN_HOSTNAME for plain hostname. 2991 * - HX509_HN_DNSSRV for DNS SRV names. 2992 * @param hostname the hostname to check 2993 * @param sa address of the host 2994 * @param sa_size length of the address in sa 2995 * 2996 * @return An hx509 error code, see hx509_get_error_string(). 2997 * 2998 * @ingroup hx509_cert 2999 */ 3000 3001int 3002hx509_verify_hostname ( 3003 hx509_context /*context*/, 3004 const hx509_cert /*cert*/, 3005 int /*flags*/, 3006 hx509_hostname_type /*type*/, 3007 const char */*hostname*/, 3008 const struct sockaddr */*sa*/, 3009 int /*sa_size*/); 3010 3011/** 3012 * Allocate a verification context that is used to control the 3013 * verification process. 3014 * 3015 * @param context A hx509 context. 3016 * @param ctx returns a pointer to a hx509_verify_ctx object. 3017 * 3018 * @return An hx509 error code, see hx509_get_error_string(). 3019 * 3020 * @ingroup hx509_verify 3021 */ 3022 3023int 3024hx509_verify_init_ctx ( 3025 hx509_context /*context*/, 3026 hx509_verify_ctx */*ctx*/); 3027 3028/** 3029 * Build and verify the path for the certificate to the trust anchor 3030 * specified in the verify context. The path is constructed from the 3031 * certificate, the pool and the trust anchors. 
3032 * 3033 * @param context A hx509 context. 3034 * @param ctx A hx509 verification context. 3035 * @param cert the certificate to build the path from. 3036 * @param pool A keyset of certificates to build the chain from. 3037 * 3038 * @return An hx509 error code, see hx509_get_error_string(). 3039 * 3040 * @ingroup hx509_verify 3041 */ 3042 3043int 3044hx509_verify_path ( 3045 hx509_context /*context*/, 3046 hx509_verify_ctx /*ctx*/, 3047 hx509_cert /*cert*/, 3048 hx509_certs /*pool*/); 3049 3050/** 3051 * Set the maximum depth of the certificate chain that the path 3052 * builder is going to try. 3053 * 3054 * @param ctx a verification context 3055 * @param max_depth maximum depth of the certificate chain, including the 3056 * trust anchor. 3057 * 3058 * @ingroup hx509_verify 3059 */ 3060 3061void 3062hx509_verify_set_max_depth ( 3063 hx509_verify_ctx /*ctx*/, 3064 unsigned int /*max_depth*/); 3065 3066/** 3067 * Allow or deny the use of proxy certificates. 3068 * 3069 * @param ctx a verification context 3070 * @param boolean if non-zero, allow proxy certificates. 3071 * 3072 * @ingroup hx509_verify 3073 */ 3074 3075void 3076hx509_verify_set_proxy_certificate ( 3077 hx509_verify_ctx /*ctx*/, 3078 int /*boolean*/); 3079 3080/** 3081 * Select strict RFC3280 verification of certificates. This means 3082 * key usage is checked on CA certificates, which makes version 1 3083 * certificates unusable. 3084 * 3085 * @param ctx a verification context 3086 * @param boolean if non-zero, use strict verification. 3087 * 3088 * @ingroup hx509_verify 3089 */ 3090 3091void 3092hx509_verify_set_strict_rfc3280_verification ( 3093 hx509_verify_ctx /*ctx*/, 3094 int /*boolean*/); 3095 3096/** 3097 * Set the clock time that the verification process is going to 3098 * use. Used to check certificates at a time in the past or future. If not 3099 * set, the current time will be used. 3100 * 3101 * @param ctx a verification context. 3102 * @param t the time the verification is using. 
3103 * 3104 * 3105 * @ingroup hx509_verify 3106 */ 3107 3108void 3109hx509_verify_set_time ( 3110 hx509_verify_ctx /*ctx*/, 3111 time_t /*t*/); 3112 3113/** 3114 * Verify a signature made using the private key of a certificate. 3115 * 3116 * @param context A hx509 context. 3117 * @param signer the certificate that made the signature. 3118 * @param alg algorithm that was used to sign the data. 3119 * @param data the data that was signed. 3120 * @param sig the signature to verify. 3121 * 3122 * @return An hx509 error code, see hx509_get_error_string(). 3123 * 3124 * @ingroup hx509_crypto 3125 */ 3126 3127int 3128hx509_verify_signature ( 3129 hx509_context /*context*/, 3130 const hx509_cert /*signer*/, 3131 const AlgorithmIdentifier */*alg*/, 3132 const heim_octet_string */*data*/, 3133 const heim_octet_string */*sig*/); 3134 3135/** 3136 * Free a data element allocated in the library. 3137 * 3138 * @param ptr data to be freed. 3139 * 3140 * @ingroup hx509_misc 3141 */ 3142 3143void 3144hx509_xfree (void */*ptr*/); 3145 3146int 3147yywrap (void); 3148 3149#ifdef __cplusplus 3150} 3151#endif 3152 3153#endif /* DOXY */ 3154#endif /* __hx509_protos_h__ */ 3155