1/* $OpenBSD: x509_internal.h,v 1.28 2024/05/19 07:12:50 jsg Exp $ */ 2/* 3 * Copyright (c) 2020 Bob Beck <beck@openbsd.org> 4 * 5 * Permission to use, copy, modify, and distribute this software for any 6 * purpose with or without fee is hereby granted, provided that the above 7 * copyright notice and this permission notice appear in all copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 */ 17#ifndef HEADER_X509_INTERNAL_H 18#define HEADER_X509_INTERNAL_H 19 20/* Internal use only, not public API */ 21#include <netinet/in.h> 22 23#include "bytestring.h" 24#include "x509_local.h" 25#include "x509_verify.h" 26 27/* Hard limits on structure size and number of signature checks. */ 28#define X509_VERIFY_MAX_CHAINS 8 /* Max validated chains */ 29#define X509_VERIFY_MAX_CHAIN_CERTS 32 /* Max depth of a chain */ 30#define X509_VERIFY_MAX_SIGCHECKS 256 /* Max signature checks */ 31 32/* 33 * Limit the number of names and constraints we will check in a chain 34 * to avoid a hostile input DOS 35 */ 36#define X509_VERIFY_MAX_CHAIN_NAMES 512 37#define X509_VERIFY_MAX_CHAIN_CONSTRAINTS 512 38 39/* 40 * Hold the parsed and validated result of names from a certificate. 41 * these typically come from a GENERALNAME, but we store the parsed 42 * and validated results, not the ASN1 bytes. 43 */ 44struct x509_constraints_name { 45 int type; /* GEN_* types from GENERAL_NAME */ 46 char *name; /* Name to check */ 47 char *local; /* holds the local part of GEN_EMAIL */ 48 uint8_t *der; /* DER encoded value or NULL*/ 49 size_t der_len; 50 int af; /* INET and INET6 are supported */ 51 uint8_t address[32]; /* Must hold ipv6 + mask */ 52}; 53 54struct x509_constraints_names { 55 struct x509_constraints_name **names; 56 size_t names_count; 57 size_t names_len; 58 size_t names_max; 59}; 60 61struct x509_verify_chain { 62 STACK_OF(X509) *certs; /* Kept in chain order, includes leaf */ 63 int *cert_errors; /* Verify error for each cert in chain. */ 64 struct x509_constraints_names *names; /* All names from all certs */ 65}; 66 67struct x509_verify_ctx { 68 X509_STORE_CTX *xsc; 69 struct x509_verify_chain **chains; /* Validated chains */ 70 STACK_OF(X509) *saved_error_chain; 71 int saved_error; 72 int saved_error_depth; 73 size_t chains_count; 74 STACK_OF(X509) *roots; /* Trusted roots for this validation */ 75 STACK_OF(X509) *intermediates; /* Intermediates provided by peer */ 76 time_t *check_time; /* Time for validity checks */ 77 int purpose; /* Cert purpose we are validating */ 78 size_t max_chains; /* Max chains to return */ 79 size_t max_depth; /* Max chain depth for validation */ 80 size_t max_sigs; /* Max number of signature checks */ 81 size_t sig_checks; /* Number of signature checks done */ 82 size_t error_depth; /* Depth of last error seen */ 83 int error; /* Last error seen */ 84}; 85 86int ASN1_time_tm_clamp_notafter(struct tm *tm); 87 88__BEGIN_HIDDEN_DECLS 89 90int x509_vfy_check_id(X509_STORE_CTX *ctx); 91int x509_vfy_check_revocation(X509_STORE_CTX *ctx); 92int x509_vfy_check_policy(X509_STORE_CTX *ctx); 93int x509_vfy_check_trust(X509_STORE_CTX *ctx); 94int x509_vfy_check_chain_extensions(X509_STORE_CTX *ctx); 95int x509_vfy_callback_indicate_completion(X509_STORE_CTX *ctx); 96int x509v3_cache_extensions(X509 *x); 97X509 *x509_vfy_lookup_cert_match(X509_STORE_CTX *ctx, X509 *x); 98 99int x509_verify_asn1_time_to_time_t(const ASN1_TIME *atime, int notafter, 100 time_t *out); 101 102struct x509_verify_ctx *x509_verify_ctx_new_from_xsc(X509_STORE_CTX *xsc); 103 104void x509_constraints_name_clear(struct x509_constraints_name *name); 105void x509_constraints_name_free(struct x509_constraints_name *name); 106int x509_constraints_names_add(struct x509_constraints_names *names, 107 struct x509_constraints_name *name); 108struct x509_constraints_names *x509_constraints_names_dup( 109 struct x509_constraints_names *names); 110void x509_constraints_names_clear(struct x509_constraints_names *names); 111struct x509_constraints_names *x509_constraints_names_new(size_t names_max); 112int x509_constraints_general_to_bytes(GENERAL_NAME *name, uint8_t **bytes, 113 size_t *len); 114void x509_constraints_names_free(struct x509_constraints_names *names); 115int x509_constraints_valid_host(CBS *cbs, int permit_ip); 116int x509_constraints_valid_sandns(CBS *cbs); 117int x509_constraints_domain(char *domain, size_t dlen, char *constraint, 118 size_t len); 119int x509_constraints_parse_mailbox(CBS *candidate, 120 struct x509_constraints_name *name); 121int x509_constraints_valid_domain_constraint(CBS *cbs); 122int x509_constraints_uri_host(uint8_t *uri, size_t len, char **hostp); 123int x509_constraints_uri(uint8_t *uri, size_t ulen, uint8_t *constraint, 124 size_t len, int *error); 125int x509_constraints_extract_names(struct x509_constraints_names *names, 126 X509 *cert, int include_cn, int *error); 127int x509_constraints_extract_constraints(X509 *cert, 128 struct x509_constraints_names *permitted, 129 struct x509_constraints_names *excluded, int *error); 130int x509_constraints_validate(GENERAL_NAME *constraint, 131 struct x509_constraints_name **out_name, int *error); 132int x509_constraints_check(struct x509_constraints_names *names, 133 struct x509_constraints_names *permitted, 134 struct x509_constraints_names *excluded, int *error); 135int x509_constraints_chain(STACK_OF(X509) *chain, int *error, 136 int *depth); 137int x509_vfy_check_security_level(X509_STORE_CTX *ctx); 138 139__END_HIDDEN_DECLS 140 141#endif 142