1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
|
/*
* X.509v3 certificate parsing and processing
* Copyright (c) 2006, Jouni Malinen <j@w1.fi>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
*
* Alternatively, this software may be distributed under the terms of BSD
* license.
*
* See README and COPYING for more details.
*/
#ifndef X509V3_H
#define X509V3_H
#include "asn1.h"
struct x509_algorithm_identifier {
struct asn1_oid oid;
};
struct x509_name_attr {
enum x509_name_attr_type {
X509_NAME_ATTR_NOT_USED,
X509_NAME_ATTR_DC,
X509_NAME_ATTR_CN,
X509_NAME_ATTR_C,
X509_NAME_ATTR_L,
X509_NAME_ATTR_ST,
X509_NAME_ATTR_O,
X509_NAME_ATTR_OU
} type;
char *value;
};
#define X509_MAX_NAME_ATTRIBUTES 20
struct x509_name {
struct x509_name_attr attr[X509_MAX_NAME_ATTRIBUTES];
size_t num_attr;
char *email; /* emailAddress */
/* from alternative name extension */
char *alt_email; /* rfc822Name */
char *dns; /* dNSName */
char *uri; /* uniformResourceIdentifier */
u8 *ip; /* iPAddress */
size_t ip_len; /* IPv4: 4, IPv6: 16 */
struct asn1_oid rid; /* registeredID */
};
struct x509_certificate {
struct x509_certificate *next;
enum { X509_CERT_V1 = 0, X509_CERT_V2 = 1, X509_CERT_V3 = 2 } version;
unsigned long serial_number;
struct x509_algorithm_identifier signature;
struct x509_name issuer;
struct x509_name subject;
os_time_t not_before;
os_time_t not_after;
struct x509_algorithm_identifier public_key_alg;
u8 *public_key;
size_t public_key_len;
struct x509_algorithm_identifier signature_alg;
u8 *sign_value;
size_t sign_value_len;
/* Extensions */
unsigned int extensions_present;
#define X509_EXT_BASIC_CONSTRAINTS (1 << 0)
#define X509_EXT_PATH_LEN_CONSTRAINT (1 << 1)
#define X509_EXT_KEY_USAGE (1 << 2)
#define X509_EXT_SUBJECT_ALT_NAME (1 << 3)
#define X509_EXT_ISSUER_ALT_NAME (1 << 4)
/* BasicConstraints */
int ca; /* cA */
unsigned long path_len_constraint; /* pathLenConstraint */
/* KeyUsage */
unsigned long key_usage;
#define X509_KEY_USAGE_DIGITAL_SIGNATURE (1 << 0)
#define X509_KEY_USAGE_NON_REPUDIATION (1 << 1)
#define X509_KEY_USAGE_KEY_ENCIPHERMENT (1 << 2)
#define X509_KEY_USAGE_DATA_ENCIPHERMENT (1 << 3)
#define X509_KEY_USAGE_KEY_AGREEMENT (1 << 4)
#define X509_KEY_USAGE_KEY_CERT_SIGN (1 << 5)
#define X509_KEY_USAGE_CRL_SIGN (1 << 6)
#define X509_KEY_USAGE_ENCIPHER_ONLY (1 << 7)
#define X509_KEY_USAGE_DECIPHER_ONLY (1 << 8)
/*
* The DER format certificate follows struct x509_certificate. These
* pointers point to that buffer.
*/
const u8 *cert_start;
size_t cert_len;
const u8 *tbs_cert_start;
size_t tbs_cert_len;
};
enum {
X509_VALIDATE_OK,
X509_VALIDATE_BAD_CERTIFICATE,
X509_VALIDATE_UNSUPPORTED_CERTIFICATE,
X509_VALIDATE_CERTIFICATE_REVOKED,
X509_VALIDATE_CERTIFICATE_EXPIRED,
X509_VALIDATE_CERTIFICATE_UNKNOWN,
X509_VALIDATE_UNKNOWN_CA
};
void x509_certificate_free(struct x509_certificate *cert);
struct x509_certificate * x509_certificate_parse(const u8 *buf, size_t len);
void x509_name_string(struct x509_name *name, char *buf, size_t len);
int x509_name_compare(struct x509_name *a, struct x509_name *b);
void x509_certificate_chain_free(struct x509_certificate *cert);
int x509_certificate_check_signature(struct x509_certificate *issuer,
struct x509_certificate *cert);
int x509_certificate_chain_validate(struct x509_certificate *trusted,
struct x509_certificate *chain,
int *reason);
struct x509_certificate *
x509_certificate_get_subject(struct x509_certificate *chain,
struct x509_name *name);
int x509_certificate_self_signed(struct x509_certificate *cert);
#endif /* X509V3_H */
|