summaryrefslogtreecommitdiffhomepage
path: root/libs/luci-lib-px5g/src/polarssl/x509.h
blob: 908a1dbf51f71158f06a0647bae517e9712e94b5 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
/**
 * \file x509.h
 *
 *  Based on XySSL: Copyright (C) 2006-2008  Christophe Devine
 *
 *  Copyright (C) 2009  Paul Bakker <polarssl_maintainer at polarssl dot org>
 *
 *  All rights reserved.
 *
 *  Redistribution and use in source and binary forms, with or without
 *  modification, are permitted provided that the following conditions
 *  are met:
 *  
 *    * Redistributions of source code must retain the above copyright
 *      notice, this list of conditions and the following disclaimer.
 *    * Redistributions in binary form must reproduce the above copyright
 *      notice, this list of conditions and the following disclaimer in the
 *      documentation and/or other materials provided with the distribution.
 *    * Neither the names of PolarSSL or XySSL nor the names of its contributors
 *      may be used to endorse or promote products derived from this software
 *      without specific prior written permission.
 *  
 *  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 *  "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 *  LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
 *  FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
 *  OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 *  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
 *  TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
 *  PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
 *  LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
 *  NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 *  SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
#ifndef POLARSSL_X509_H
#define POLARSSL_X509_H

#include "polarssl/rsa.h"

#define POLARSSL_ERR_ASN1_OUT_OF_DATA                      -0x0014
#define POLARSSL_ERR_ASN1_UNEXPECTED_TAG                   -0x0016
#define POLARSSL_ERR_ASN1_INVALID_LENGTH                   -0x0018
#define POLARSSL_ERR_ASN1_LENGTH_MISMATCH                  -0x001A
#define POLARSSL_ERR_ASN1_INVALID_DATA                     -0x001C

#define POLARSSL_ERR_X509_FEATURE_UNAVAILABLE              -0x0020
#define POLARSSL_ERR_X509_CERT_INVALID_PEM                 -0x0040
#define POLARSSL_ERR_X509_CERT_INVALID_FORMAT              -0x0060
#define POLARSSL_ERR_X509_CERT_INVALID_VERSION             -0x0080
#define POLARSSL_ERR_X509_CERT_INVALID_SERIAL              -0x00A0
#define POLARSSL_ERR_X509_CERT_INVALID_ALG                 -0x00C0
#define POLARSSL_ERR_X509_CERT_INVALID_NAME                -0x00E0
#define POLARSSL_ERR_X509_CERT_INVALID_DATE                -0x0100
#define POLARSSL_ERR_X509_CERT_INVALID_PUBKEY              -0x0120
#define POLARSSL_ERR_X509_CERT_INVALID_SIGNATURE           -0x0140
#define POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS          -0x0160
#define POLARSSL_ERR_X509_CERT_UNKNOWN_VERSION             -0x0180
#define POLARSSL_ERR_X509_CERT_UNKNOWN_SIG_ALG             -0x01A0
#define POLARSSL_ERR_X509_CERT_UNKNOWN_PK_ALG              -0x01C0
#define POLARSSL_ERR_X509_CERT_SIG_MISMATCH                -0x01E0
#define POLARSSL_ERR_X509_CERT_VERIFY_FAILED               -0x0200
#define POLARSSL_ERR_X509_KEY_INVALID_PEM                  -0x0220
#define POLARSSL_ERR_X509_KEY_INVALID_VERSION              -0x0240
#define POLARSSL_ERR_X509_KEY_INVALID_FORMAT               -0x0260
#define POLARSSL_ERR_X509_KEY_INVALID_ENC_IV               -0x0280
#define POLARSSL_ERR_X509_KEY_UNKNOWN_ENC_ALG              -0x02A0
#define POLARSSL_ERR_X509_KEY_PASSWORD_REQUIRED            -0x02C0
#define POLARSSL_ERR_X509_KEY_PASSWORD_MISMATCH            -0x02E0
#define POLARSSL_ERR_X509_POINT_ERROR                      -0x0300
#define POLARSSL_ERR_X509_VALUE_TO_LENGTH                  -0x0320

#define BADCERT_EXPIRED                 1
#define BADCERT_REVOKED                 2
#define BADCERT_CN_MISMATCH             4
#define BADCERT_NOT_TRUSTED             8

/*
 * DER constants
 */
#define ASN1_BOOLEAN                 0x01
#define ASN1_INTEGER                 0x02
#define ASN1_BIT_STRING              0x03
#define ASN1_OCTET_STRING            0x04
#define ASN1_NULL                    0x05
#define ASN1_OID                     0x06
#define ASN1_UTF8_STRING             0x0C
#define ASN1_SEQUENCE                0x10
#define ASN1_SET                     0x11
#define ASN1_PRINTABLE_STRING        0x13
#define ASN1_T61_STRING              0x14
#define ASN1_IA5_STRING              0x16
#define ASN1_UTC_TIME                0x17
#define ASN1_UNIVERSAL_STRING        0x1C
#define ASN1_BMP_STRING              0x1E
#define ASN1_PRIMITIVE               0x00
#define ASN1_CONSTRUCTED             0x20
#define ASN1_CONTEXT_SPECIFIC        0x80

/*
 * various object identifiers
 */
#define X520_COMMON_NAME                3
#define X520_COUNTRY                    6
#define X520_LOCALITY                   7
#define X520_STATE                      8
#define X520_ORGANIZATION              10
#define X520_ORG_UNIT                  11
#define PKCS9_EMAIL                     1

#define X509_OUTPUT_DER              0x01
#define X509_OUTPUT_PEM              0x02
#define PEM_LINE_LENGTH                72
#define X509_ISSUER                  0x01
#define X509_SUBJECT                 0x02

#define OID_X520                "\x55\x04"
#define OID_CN                  "\x55\x04\x03"
#define OID_PKCS1               "\x2A\x86\x48\x86\xF7\x0D\x01\x01"
#define OID_PKCS1_RSA           "\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01"
#define OID_PKCS1_RSA_SHA       "\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05"
#define OID_PKCS9               "\x2A\x86\x48\x86\xF7\x0D\x01\x09"
#define OID_PKCS9_EMAIL         "\x2A\x86\x48\x86\xF7\x0D\x01\x09\x01"

/*
 * Structures for parsing X.509 certificates
 */
typedef struct _x509_buf
{
    int tag;
    int len;
    unsigned char *p;
}
x509_buf;

typedef struct _x509_name
{
    x509_buf oid;
    x509_buf val;
    struct _x509_name *next;
}
x509_name;

typedef struct _x509_time
{
    int year, mon, day;
    int hour, min, sec;
}
x509_time;

typedef struct _x509_cert
{
    x509_buf raw;
    x509_buf tbs;

    int version;
    x509_buf serial;
    x509_buf sig_oid1;

    x509_buf issuer_raw;
    x509_buf subject_raw;

    x509_name issuer;
    x509_name subject;

    x509_time valid_from;
    x509_time valid_to;

    x509_buf pk_oid;
    rsa_context rsa;

    x509_buf issuer_id;
    x509_buf subject_id;
    x509_buf v3_ext;

    int ca_istrue;
    int max_pathlen;

    x509_buf sig_oid2;
    x509_buf sig;

    struct _x509_cert *next; 
}
x509_cert;

/*
 * Structures for writing X.509 certificates
 */
typedef struct _x509_node
{
    unsigned char *data;
    unsigned char *p;
    unsigned char *end;

    size_t len;
}
x509_node;

typedef struct _x509_raw
{
    x509_node raw;
    x509_node tbs;

    x509_node version;
    x509_node serial;
    x509_node tbs_signalg;
    x509_node issuer;
    x509_node validity;
    x509_node subject;
    x509_node subpubkey;

    x509_node signalg;
    x509_node sign;
}
x509_raw;

#ifdef __cplusplus
extern "C" {
#endif

/**
 * \brief          Parse one or more certificates and add them
 *                 to the chained list
 *
 * \param chain    points to the start of the chain
 * \param buf      buffer holding the certificate data
 * \param buflen   size of the buffer
 *
 * \return         0 if successful, or a specific X509 error code
 */
int x509parse_crt( x509_cert *crt, unsigned char *buf, int buflen );

/**
 * \brief          Load one or more certificates and add them
 *                 to the chained list
 *
 * \param chain    points to the start of the chain
 * \param path     filename to read the certificates from
 *
 * \return         0 if successful, or a specific X509 error code
 */
int x509parse_crtfile( x509_cert *crt, char *path );

/**
 * \brief          Parse a private RSA key
 *
 * \param rsa      RSA context to be initialized
 * \param buf      input buffer
 * \param buflen   size of the buffer
 * \param pwd      password for decryption (optional)
 * \param pwdlen   size of the password
 *
 * \return         0 if successful, or a specific X509 error code
 */
int x509parse_key( rsa_context *rsa,
                   unsigned char *buf, int buflen,
                   unsigned char *pwd, int pwdlen );

/**
 * \brief          Load and parse a private RSA key
 *
 * \param rsa      RSA context to be initialized
 * \param path     filename to read the private key from
 * \param pwd      password to decrypt the file (can be NULL)
 *
 * \return         0 if successful, or a specific X509 error code
 */
int x509parse_keyfile( rsa_context *rsa, char *path, char *password );

/**
 * \brief          Store the certificate DN in printable form into buf;
 *                 no more than (end - buf) characters will be written.
 */
int x509parse_dn_gets( char *buf, char *end, x509_name *dn );

/**
 * \brief          Returns an informational string about the
 *                 certificate.
 */
char *x509parse_cert_info( char *prefix, x509_cert *crt );

/**
 * \brief          Return 0 if the certificate is still valid,
 *                 or BADCERT_EXPIRED
 */
int x509parse_expired( x509_cert *crt );

/**
 * \brief          Verify the certificate signature
 *
 * \param crt      a certificate to be verified
 * \param trust_ca the trusted CA chain
 * \param cn       expected Common Name (can be set to
 *                 NULL if the CN must not be verified)
 * \param flags    result of the verification
 *
 * \return         0 if successful or POLARSSL_ERR_X509_SIG_VERIFY_FAILED,
 *                 in which case *flags will have one or more of
 *                 the following values set:
 *                      BADCERT_EXPIRED --
 *                      BADCERT_REVOKED --
 *                      BADCERT_CN_MISMATCH --
 *                      BADCERT_NOT_TRUSTED
 *
 * \note           TODO: add two arguments, depth and crl
 */
int x509parse_verify( x509_cert *crt,
                      x509_cert *trust_ca,
                      char *cn, int *flags );

/**
 * \brief          Unallocate all certificate data
 */
void x509_free( x509_cert *crt );

/**
 * \brief          Checkup routine
 *
 * \return         0 if successful, or 1 if the test failed
 */
int x509_self_test( int verbose );

/**
 * \brief          Write a certificate info file
 *
 * \param chain    points to the raw certificate data
 * \param path     filename to write the certificate to
 * \param format   X509_OUTPUT_DER or X509_OUTPUT_PEM
 *
 * \return         0 if successful, or a specific X509 error code
 */
int x509write_crtfile( x509_raw *chain,
                       unsigned char *path,
                       int format );

/**
 * \brief          Write a certificate signing request message format file
 *
 * \param chain    points to the raw certificate (with x509write_create_csr) data
 * \param path     filename to write the certificate to
 * \param format   X509_OUTPUT_DER or X509_OUTPUT_PEM
 *
 * \return         0 if successful, or a specific X509 error code
 */
int x509write_csrfile( x509_raw *chain,
                       unsigned char *path,
                       int format );

/*
 * \brief          Write a private RSA key into a file
 *
 * \param rsa      points to an RSA key
 * \param path     filename to write the key to
 * \param format   X509_OUTPUT_DER or X509_OUTPUT_PEM
 *
 * \return         0 if successful, or a specific X509 error code
 */
int x509write_keyfile( rsa_context *rsa,
                       char *path,
                       int format );

/**
 * \brief          Add a public key to certificate
 *
 * \param chain    points to the raw certificate data
 * \param pubkey   points to an RSA key
 *
 * \return         0 if successful, or a specific X509 error code
 */
int x509write_add_pubkey( x509_raw *chain, rsa_context *pubkey );

/**
 * \brief          Create x509 subject/issuer field to raw certificate
 *                 from string or CA cert. Make string NULL if you will
 *                 use the CA copy function or make CA NULL then used
 *                 the string parse.
 *
 * \param chain    points to the raw certificate data
 * \param names    a string that can hold (separete with ";"):
 *                     CN=CommonName
 *                 --   O=Organization
 *                 --  OU=OrgUnit
 *                 --  ST=State
 *                 --   L=Locality
 *                 --   R=Email
 *                 --   C=Country
 *                 . Make that NULL if you didn't need that.
 * \param flag     flag is X509_ISSUER or X509_SUBJECT that defined
 *                 where change
 * \param ca       the certificate for copy data. Make that NULL if you
 *                 didn't need that.
 * \param ca_flag  set the ca field from copy to crt
 *
 * \return         0 if successful, or a specific X509 error code
 */
int x509write_add_customize ( x509_raw *crt, 
                          unsigned char *names, 
                          int flag, 
                          x509_cert *ca, 
                          int ca_flag );

/**
* \brief          Add x509 issuer field
*
* \param chain    points to the raw certificate data
* \param issuer   a string holding (separete with ";"):
*                     CN=CommonName
*                 --   O=Organization
*                 --  OU=OrgUnit
*                 --  ST=State
*                 --   L=Locality
*                 --   R=Email
*                 --   C=Country
*                 . Set this to NULL if not needed.
* \return         0 if successful, or a specific X509 error code
*/
int x509write_add_issuer( x509_raw *crt, unsigned char *issuer);

/**
 * \brief          Add x509 subject field
 *
 * \param chain    points to the raw certificate data
 * \param subject  a string holding (separete with ";"):
 *                     CN=CommonName
 *                 --   O=Organization
 *                 --  OU=OrgUnit
 *                 --  ST=State
 *                 --   L=Locality
 *                 --   R=Email
 *                 --   C=Country
 *                 . Set this to NULL if not needed.
 * \return         0 if successful, or a specific X509 error code
 */
int x509write_add_subject( x509_raw *crt, unsigned char *subject);

/**
* \brief          Copy x509 issuer field from another certificate
*
* \param chain    points to the raw certificate data
* \param from_crt the certificate whose issuer is to be copied.
* \return         0 if successful, or a specific X509 error code
*/
int x509write_copy_issuer(x509_raw *crt, x509_cert *from_crt);

/**
* \brief          Copy x509 subject field from another certificate
*
* \param chain    points to the raw certificate data
* \param from_crt the certificate whose subject is to be copied.
* \return         0 if successful, or a specific X509 error code
*/
int x509write_copy_subject(x509_raw *crt, x509_cert *from_crt);

/**
* \brief          Copy x509 issuer field from the subject of another certificate
*
* \param chain    points to the raw certificate data
* \param from_crt the certificate whose subject is to be copied.
* \return         0 if successful, or a specific X509 error code
*/
int x509write_copy_issuer_from_subject(x509_raw *crt, x509_cert *from_crt);

/**
* \brief          Copy x509 subject field from the issuer of another certificate
*
* \param chain    points to the raw certificate data
* \param from_crt the certificate whose issuer is to be copied.
* \return         0 if successful, or a specific X509 error code
*/
int x509write_copy_subject_from_issuer(x509_raw *crt, x509_cert *from_crt);

/**
 * \brief          Create x509 validity time in UTC
 *
 * \param chain    points to the raw certificate data
 * \param before   valid not before in format YYYY-MM-DD hh:mm:ss
 * \param after    valid not after  in format YYYY-MM-DD hh:mm:ss
 *
 * \return         0 if successful, or a specific X509 error code
 */
int x509write_add_validity( x509_raw *crt,
                               unsigned char *before,
                               unsigned char *after );

/**
 * \brief          Create a self-signed certificate
 *
 * \param chain    points to the raw certificate data
 * \param rsa      a private key to sign the certificate
 *
 * \return         0 if successful, or a specific X509 error code
 */
int x509write_create_selfsign( x509_raw *crt, rsa_context *raw );

/**
 * \brief          Create a certificate
 *
 * \param chain    points to the raw certificate data
 * \param rsa      a private key to sign the certificate
 *
 * \return         0 if successful, or a specific X509 error code
 */
int x509write_create_sign( x509_raw *crt, rsa_context *raw );

/**
 * \brief          Create a certificate signing request
 *
 * \param chain    points to the raw certificate data. Didn't use the
 *                 same chain that u have use for certificate.
 * \param privkey  a rsa private key
 *
 * \return         0 if successful, or a specific X509 error code
 */
int x509write_create_csr( x509_raw *chain, rsa_context *privkey );

/**
 * \brief           Serialize an rsa key into DER
 *
 * \param rsa       a rsa key for output
 * \param node      a x509 node for write into
 *
 * \return          0 if successful, or a specific X509 error code
 */
int x509write_serialize_key( rsa_context *rsa, x509_node *node );

/**
 * \brief          Unallocate all raw certificate data
 */
void x509write_free_raw( x509_raw *crt );

/**
 * \brief          Allocate all raw certificate data
 */
void x509write_init_raw( x509_raw *crt );

/**
 * \brief          Unallocate all node certificate data
 */
void x509write_free_node( x509_node *crt_node );

/**
 * \brief          Allocate all node certificate data
 */
void x509write_init_node( x509_node *crt_node );

#ifdef __cplusplus
}
#endif

#endif /* x509.h */