1/* 2 * Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the OpenSSL license (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10#include "internal/refcount.h" 11#include <openssl/x509.h> 12#include <openssl/conf.h> 13 14/* Internal X509 structures and functions: not for application use */ 15 16/* Note: unless otherwise stated a field pointer is mandatory and should 17 * never be set to NULL: the ASN.1 code and accessors rely on mandatory 18 * fields never being NULL. 19 */ 20 21/* 22 * name entry structure, equivalent to AttributeTypeAndValue defined 23 * in RFC5280 et al. 24 */ 25struct X509_name_entry_st { 26 ASN1_OBJECT *object; /* AttributeType */ 27 ASN1_STRING *value; /* AttributeValue */ 28 int set; /* index of RDNSequence for this entry */ 29 int size; /* temp variable */ 30}; 31 32/* Name from RFC 5280. */ 33struct X509_name_st { 34 STACK_OF(X509_NAME_ENTRY) *entries; /* DN components */ 35 int modified; /* true if 'bytes' needs to be built */ 36 BUF_MEM *bytes; /* cached encoding: cannot be NULL */ 37 /* canonical encoding used for rapid Name comparison */ 38 unsigned char *canon_enc; 39 int canon_enclen; 40} /* X509_NAME */ ; 41 42/* Signature info structure */ 43 44struct x509_sig_info_st { 45 /* NID of message digest */ 46 int mdnid; 47 /* NID of public key algorithm */ 48 int pknid; 49 /* Security bits */ 50 int secbits; 51 /* Various flags */ 52 uint32_t flags; 53}; 54 55/* PKCS#10 certificate request */ 56 57struct X509_req_info_st { 58 ASN1_ENCODING enc; /* cached encoding of signed part */ 59 ASN1_INTEGER *version; /* version, defaults to v1(0) so can be NULL */ 60 X509_NAME *subject; /* certificate request DN */ 61 X509_PUBKEY *pubkey; /* public key of request */ 62 /* 63 * Zero or more attributes. 64 * NB: although attributes is a mandatory field some broken 65 * encodings omit it so this may be NULL in that case. 66 */ 67 STACK_OF(X509_ATTRIBUTE) *attributes; 68}; 69 70struct X509_req_st { 71 X509_REQ_INFO req_info; /* signed certificate request data */ 72 X509_ALGOR sig_alg; /* signature algorithm */ 73 ASN1_BIT_STRING *signature; /* signature */ 74 CRYPTO_REF_COUNT references; 75 CRYPTO_RWLOCK *lock; 76}; 77 78struct X509_crl_info_st { 79 ASN1_INTEGER *version; /* version: defaults to v1(0) so may be NULL */ 80 X509_ALGOR sig_alg; /* signature algorithm */ 81 X509_NAME *issuer; /* CRL issuer name */ 82 ASN1_TIME *lastUpdate; /* lastUpdate field */ 83 ASN1_TIME *nextUpdate; /* nextUpdate field: optional */ 84 STACK_OF(X509_REVOKED) *revoked; /* revoked entries: optional */ 85 STACK_OF(X509_EXTENSION) *extensions; /* extensions: optional */ 86 ASN1_ENCODING enc; /* encoding of signed portion of CRL */ 87}; 88 89struct X509_crl_st { 90 X509_CRL_INFO crl; /* signed CRL data */ 91 X509_ALGOR sig_alg; /* CRL signature algorithm */ 92 ASN1_BIT_STRING signature; /* CRL signature */ 93 CRYPTO_REF_COUNT references; 94 int flags; 95 /* 96 * Cached copies of decoded extension values, since extensions 97 * are optional any of these can be NULL. 98 */ 99 AUTHORITY_KEYID *akid; 100 ISSUING_DIST_POINT *idp; 101 /* Convenient breakdown of IDP */ 102 int idp_flags; 103 int idp_reasons; 104 /* CRL and base CRL numbers for delta processing */ 105 ASN1_INTEGER *crl_number; 106 ASN1_INTEGER *base_crl_number; 107 STACK_OF(GENERAL_NAMES) *issuers; 108 /* hash of CRL */ 109 unsigned char sha1_hash[SHA_DIGEST_LENGTH]; 110 /* alternative method to handle this CRL */ 111 const X509_CRL_METHOD *meth; 112 void *meth_data; 113 CRYPTO_RWLOCK *lock; 114}; 115 116struct x509_revoked_st { 117 ASN1_INTEGER serialNumber; /* revoked entry serial number */ 118 ASN1_TIME *revocationDate; /* revocation date */ 119 STACK_OF(X509_EXTENSION) *extensions; /* CRL entry extensions: optional */ 120 /* decoded value of CRLissuer extension: set if indirect CRL */ 121 STACK_OF(GENERAL_NAME) *issuer; 122 /* revocation reason: set to CRL_REASON_NONE if reason extension absent */ 123 int reason; 124 /* 125 * CRL entries are reordered for faster lookup of serial numbers. This 126 * field contains the original load sequence for this entry. 127 */ 128 int sequence; 129}; 130 131/* 132 * This stuff is certificate "auxiliary info": it contains details which are 133 * useful in certificate stores and databases. When used this is tagged onto 134 * the end of the certificate itself. OpenSSL specific structure not defined 135 * in any RFC. 136 */ 137 138struct x509_cert_aux_st { 139 STACK_OF(ASN1_OBJECT) *trust; /* trusted uses */ 140 STACK_OF(ASN1_OBJECT) *reject; /* rejected uses */ 141 ASN1_UTF8STRING *alias; /* "friendly name" */ 142 ASN1_OCTET_STRING *keyid; /* key id of private key */ 143 STACK_OF(X509_ALGOR) *other; /* other unspecified info */ 144}; 145 146struct x509_cinf_st { 147 ASN1_INTEGER *version; /* [ 0 ] default of v1 */ 148 ASN1_INTEGER serialNumber; 149 X509_ALGOR signature; 150 X509_NAME *issuer; 151 X509_VAL validity; 152 X509_NAME *subject; 153 X509_PUBKEY *key; 154 ASN1_BIT_STRING *issuerUID; /* [ 1 ] optional in v2 */ 155 ASN1_BIT_STRING *subjectUID; /* [ 2 ] optional in v2 */ 156 STACK_OF(X509_EXTENSION) *extensions; /* [ 3 ] optional in v3 */ 157 ASN1_ENCODING enc; 158}; 159 160struct x509_st { 161 X509_CINF cert_info; 162 X509_ALGOR sig_alg; 163 ASN1_BIT_STRING signature; 164 X509_SIG_INFO siginf; 165 CRYPTO_REF_COUNT references; 166 CRYPTO_EX_DATA ex_data; 167 /* These contain copies of various extension values */ 168 long ex_pathlen; 169 long ex_pcpathlen; 170 uint32_t ex_flags; 171 uint32_t ex_kusage; 172 uint32_t ex_xkusage; 173 uint32_t ex_nscert; 174 ASN1_OCTET_STRING *skid; 175 AUTHORITY_KEYID *akid; 176 X509_POLICY_CACHE *policy_cache; 177 STACK_OF(DIST_POINT) *crldp; 178 STACK_OF(GENERAL_NAME) *altname; 179 NAME_CONSTRAINTS *nc; 180#ifndef OPENSSL_NO_RFC3779 181 STACK_OF(IPAddressFamily) *rfc3779_addr; 182 struct ASIdentifiers_st *rfc3779_asid; 183# endif 184 unsigned char sha1_hash[SHA_DIGEST_LENGTH]; 185 X509_CERT_AUX *aux; 186 CRYPTO_RWLOCK *lock; 187 volatile int ex_cached; 188} /* X509 */ ; 189 190/* 191 * This is a used when verifying cert chains. Since the gathering of the 192 * cert chain can take some time (and have to be 'retried', this needs to be 193 * kept and passed around. 194 */ 195struct x509_store_ctx_st { /* X509_STORE_CTX */ 196 X509_STORE *ctx; 197 /* The following are set by the caller */ 198 /* The cert to check */ 199 X509 *cert; 200 /* chain of X509s - untrusted - passed in */ 201 STACK_OF(X509) *untrusted; 202 /* set of CRLs passed in */ 203 STACK_OF(X509_CRL) *crls; 204 X509_VERIFY_PARAM *param; 205 /* Other info for use with get_issuer() */ 206 void *other_ctx; 207 /* Callbacks for various operations */ 208 /* called to verify a certificate */ 209 int (*verify) (X509_STORE_CTX *ctx); 210 /* error callback */ 211 int (*verify_cb) (int ok, X509_STORE_CTX *ctx); 212 /* get issuers cert from ctx */ 213 int (*get_issuer) (X509 **issuer, X509_STORE_CTX *ctx, X509 *x); 214 /* check issued */ 215 int (*check_issued) (X509_STORE_CTX *ctx, X509 *x, X509 *issuer); 216 /* Check revocation status of chain */ 217 int (*check_revocation) (X509_STORE_CTX *ctx); 218 /* retrieve CRL */ 219 int (*get_crl) (X509_STORE_CTX *ctx, X509_CRL **crl, X509 *x); 220 /* Check CRL validity */ 221 int (*check_crl) (X509_STORE_CTX *ctx, X509_CRL *crl); 222 /* Check certificate against CRL */ 223 int (*cert_crl) (X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x); 224 /* Check policy status of the chain */ 225 int (*check_policy) (X509_STORE_CTX *ctx); 226 STACK_OF(X509) *(*lookup_certs) (X509_STORE_CTX *ctx, X509_NAME *nm); 227 STACK_OF(X509_CRL) *(*lookup_crls) (X509_STORE_CTX *ctx, X509_NAME *nm); 228 int (*cleanup) (X509_STORE_CTX *ctx); 229 /* The following is built up */ 230 /* if 0, rebuild chain */ 231 int valid; 232 /* number of untrusted certs */ 233 int num_untrusted; 234 /* chain of X509s - built up and trusted */ 235 STACK_OF(X509) *chain; 236 /* Valid policy tree */ 237 X509_POLICY_TREE *tree; 238 /* Require explicit policy value */ 239 int explicit_policy; 240 /* When something goes wrong, this is why */ 241 int error_depth; 242 int error; 243 X509 *current_cert; 244 /* cert currently being tested as valid issuer */ 245 X509 *current_issuer; 246 /* current CRL */ 247 X509_CRL *current_crl; 248 /* score of current CRL */ 249 int current_crl_score; 250 /* Reason mask */ 251 unsigned int current_reasons; 252 /* For CRL path validation: parent context */ 253 X509_STORE_CTX *parent; 254 CRYPTO_EX_DATA ex_data; 255 SSL_DANE *dane; 256 /* signed via bare TA public key, rather than CA certificate */ 257 int bare_ta_signed; 258}; 259 260/* PKCS#8 private key info structure */ 261 262struct pkcs8_priv_key_info_st { 263 ASN1_INTEGER *version; 264 X509_ALGOR *pkeyalg; 265 ASN1_OCTET_STRING *pkey; 266 STACK_OF(X509_ATTRIBUTE) *attributes; 267}; 268 269struct X509_sig_st { 270 X509_ALGOR *algor; 271 ASN1_OCTET_STRING *digest; 272}; 273 274struct x509_object_st { 275 /* one of the above types */ 276 X509_LOOKUP_TYPE type; 277 union { 278 char *ptr; 279 X509 *x509; 280 X509_CRL *crl; 281 EVP_PKEY *pkey; 282 } data; 283}; 284 285int a2i_ipadd(unsigned char *ipout, const char *ipasc); 286int x509_set1_time(ASN1_TIME **ptm, const ASN1_TIME *tm); 287 288void x509_init_sig_info(X509 *x); 289 290int x509v3_add_len_value_uchar(const char *name, const unsigned char *value, 291 size_t vallen, STACK_OF(CONF_VALUE) **extlist); 292