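/*
 * Copyright (C) 2012 Red Hat Inc.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 *     * Redistributions of source code must retain the above
 *       copyright notice, this list of conditions and the
 *       following disclaimer.
 *     * Redistributions in binary form must reproduce the
 *       above copyright notice, this list of conditions and
 *       the following disclaimer in the documentation and/or
 *       other materials provided with the distribution.
 *     * The names of contributors to this software may not be
 *       used to endorse or promote products derived from this
 *       software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
 * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
 * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
 * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
 * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
 * DAMAGE.
 *
 * Author: Stef Walter <stefw@redhat.com>
 */

#ifndef P11_OIDS_H_
#define P11_OIDS_H_

#include "compat.h"

/*
 * Helpers operating on DER-encoded OBJECT IDENTIFIER values. Only the
 * prototypes live here; the definitions are in the corresponding .c file.
 *
 * p11_oid_simple: takes the encoded bytes and their total length. The
 *   length is a signed int, so callers must pass a non-negative value;
 *   what "simple" means is defined by the implementation, not here.
 * p11_oid_hash / p11_oid_equal: take const void * (presumably so they can
 *   serve as hash-table callbacks -- verify against callers).
 * p11_oid_length: takes only the encoded bytes, so the result is
 *   presumably derived from the DER length octet -- confirm in the .c file.
 */
bool        p11_oid_simple (const unsigned char *oid,
                            int len);

unsigned int p11_oid_hash   (const void *oid);

bool        p11_oid_equal  (const void *oid_one,
                            const void *oid_two);

int         p11_oid_length (const unsigned char *oid);

/*
 * Every P11_OID_* array below holds the COMPLETE DER encoding of the
 * OBJECT IDENTIFIER: the 0x06 tag, one length octet, then the content
 * octets. The length octet must equal the number of content octets that
 * follow, i.e. sizeof array - 2. These are plain static tables with no
 * runtime validation, so a wrong length octet silently changes which
 * bytes a length-driven comparison sees; keep tag, length and content in
 * step when adding entries. The matching *_STR constant is the same OID
 * in dotted-decimal form.
 */

/*
 * 2.5.4.3: CN or commonName
 */
static const unsigned char P11_OID_CN[] =
	{ 0x06, 0x03, 0x55, 0x04, 0x03, };

/*
 * 2.5.4.10: O or organization
 */
static const unsigned char P11_OID_O[] =
	{ 0x06, 0x03, 0x55, 0x04, 0x0a, };

/*
 * 2.5.4.11: OU or organizationalUnit
 */
static const unsigned char P11_OID_OU[] =
	{ 0x06, 0x03, 0x55, 0x04, 0x0b, };

/*
 * Our support of certificate extensions and so on is not limited to what is
 * listed here. This is simply the OIDs used by the parsing code that generates
 * backwards compatible PKCS#11 objects for NSS and the like.
 */

/*
 * 2.5.29.14: SubjectKeyIdentifier
 */
static const unsigned char P11_OID_SUBJECT_KEY_IDENTIFIER[] =
	{ 0x06, 0x03, 0x55, 0x1d, 0x0e };
static const char P11_OID_SUBJECT_KEY_IDENTIFIER_STR[] = "2.5.29.14";

/*
 * 2.5.29.15: KeyUsage
 *
 * Defined in RFC 5280
 */
static const unsigned char P11_OID_KEY_USAGE[] =
	{ 0x06, 0x03, 0x55, 0x1d, 0x0f };
/* Plain string initializer, consistent with the other *_STR constants. */
static const char P11_OID_KEY_USAGE_STR[] = "2.5.29.15";

/*
 * KeyUsage bit flags.
 *
 * The values follow the bit numbering of the KeyUsage BIT STRING in
 * RFC 5280 as seen in its first two content octets: bit 0
 * (digitalSignature) is the most significant bit of the first octet,
 * hence 128, and bit 8 (decipherOnly) is the most significant bit of the
 * second octet, hence 32768. They are NOT a simple 1 << n sequence.
 */
enum {
	P11_KU_DIGITAL_SIGNATURE = 128,
	P11_KU_NON_REPUDIATION = 64,
	P11_KU_KEY_ENCIPHERMENT = 32,
	P11_KU_DATA_ENCIPHERMENT = 16,
	P11_KU_KEY_AGREEMENT = 8,
	P11_KU_KEY_CERT_SIGN = 4,
	P11_KU_CRL_SIGN = 2,
	P11_KU_ENCIPHER_ONLY = 1,
	P11_KU_DECIPHER_ONLY = 32768,
};

/*
 * 2.5.29.19: BasicConstraints
 *
 * Defined in RFC 5280
 */
static const unsigned char P11_OID_BASIC_CONSTRAINTS[] =
	{ 0x06, 0x03, 0x55, 0x1d, 0x13 };
static const char P11_OID_BASIC_CONSTRAINTS_STR[] = "2.5.29.19";

/*
 * 2.5.29.37: ExtendedKeyUsage
 *
 * Defined in RFC 5280
 */
static const unsigned char P11_OID_EXTENDED_KEY_USAGE[] =
	{ 0x06, 0x03, 0x55, 0x1d, 0x25 };
static const char P11_OID_EXTENDED_KEY_USAGE_STR[] = "2.5.29.37";

/*
 * 2.5.29.37.0: anyExtendedKeyUsage
 *
 * Defined in RFC 5280
 *
 * Four content octets follow (2.5 -> 0x55, 29 -> 0x1d, 37 -> 0x25,
 * 0 -> 0x00), so the DER length octet is 0x04. An earlier revision carried
 * 0x03 here, which is the encoding of the parent arc 2.5.29.37 followed by
 * a stray byte; with a length-driven comparison that made this constant
 * indistinguishable from ExtendedKeyUsage itself.
 */
static const unsigned char P11_OID_ANY_EXTENDED_KEY_USAGE[] =
	{ 0x06, 0x04, 0x55, 0x1d, 0x25, 0x00 };
static const char P11_OID_ANY_EXTENDED_KEY_USAGE_STR[] = "2.5.29.37.0";

/*
 * 1.3.6.1.4.1.3319.6.10.1: OpenSSL reject extension
 *
 * An internally defined certificate extension.
 *
 * OpenSSL contains a list of OID extended key usages to reject.
 * The normal X.509 model is to only *include* the extended key
 * usages that are to be allowed. It's not clear exactly how
 * valid and useful the reject per extended key usage model is.
 *
 * However in order to parse openssl trust policy information and
 * be able to write it back out in the same way, we define a custom
 * certificate extension to store it.
 *
 * It is not expected (or supported) for others outside of p11-kit
 * to read this information at this point.
 *
 * This extension is never marked critical. It is not necessary to
 * respect information in this certificate extension given that the
 * ExtendedKeyUsage extension carries the same information as an
 * allowlist.
 */
static const unsigned char P11_OID_OPENSSL_REJECT[] =
	{ 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x99, 0x77, 0x06, 0x0a, 0x01 };
static const char P11_OID_OPENSSL_REJECT_STR[] = "1.3.6.1.4.1.3319.6.10.1";

/*
 * 1.3.6.1.5.5.7.3.1: Server Auth
 *
 * Defined in RFC 5280
 */
static const unsigned char P11_OID_SERVER_AUTH[] =
	{ 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01 };
static const char P11_OID_SERVER_AUTH_STR[] = "1.3.6.1.5.5.7.3.1";

/*
 * 1.3.6.1.5.5.7.3.2: Client Auth
 *
 * Defined in RFC 5280
 */
static const unsigned char P11_OID_CLIENT_AUTH[] =
	{ 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x02 };
static const char P11_OID_CLIENT_AUTH_STR[] = "1.3.6.1.5.5.7.3.2";

/*
 * 1.3.6.1.5.5.7.3.3: Code Signing
 *
 * Defined in RFC 5280
 */
static const unsigned char P11_OID_CODE_SIGNING[] =
	{ 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x03 };
static const char P11_OID_CODE_SIGNING_STR[] = "1.3.6.1.5.5.7.3.3";

/*
 * 1.3.6.1.5.5.7.3.4: Email Protection
 *
 * Defined in RFC 5280
 */
static const unsigned char P11_OID_EMAIL_PROTECTION[] =
	{ 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x04 };
static const char P11_OID_EMAIL_PROTECTION_STR[] = "1.3.6.1.5.5.7.3.4";

/*
 * 1.3.6.1.5.5.7.3.5: IPSec End System
 *
 * Defined in RFC 2459
 */
static const unsigned char P11_OID_IPSEC_END_SYSTEM[] =
	{ 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x05 };
static const char P11_OID_IPSEC_END_SYSTEM_STR[] = "1.3.6.1.5.5.7.3.5";

/*
 * 1.3.6.1.5.5.7.3.6: IPSec Tunnel
 *
 * Defined in RFC 2459
 */
static const unsigned char P11_OID_IPSEC_TUNNEL[] =
	{ 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x06 };
static const char P11_OID_IPSEC_TUNNEL_STR[] = "1.3.6.1.5.5.7.3.6";

/*
 * 1.3.6.1.5.5.7.3.7: IPSec User
 *
 * Defined in RFC 2459
 */
static const unsigned char P11_OID_IPSEC_USER[] =
	{ 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x07 };
static const char P11_OID_IPSEC_USER_STR[] = "1.3.6.1.5.5.7.3.7";

/*
 * 1.3.6.1.5.5.7.3.8: Time Stamping
 *
 * Defined in RFC 2459
 */
static const unsigned char P11_OID_TIME_STAMPING[] =
	{ 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x08 };
static const char P11_OID_TIME_STAMPING_STR[] = "1.3.6.1.5.5.7.3.8";

/*
 * 1.3.6.1.4.1.3319.6.10.16: Reserved key purpose
 *
 * An internally defined reserved/dummy key purpose
 *
 * This is used with ExtendedKeyUsage certificate extensions to
 * be a place holder when no other purposes are defined.
 *
 * In theory such a certificate should be distrusted. But in reality
 * many implementations use such empty sets of purposes. RFC 5280 requires
 * at least one purpose in an ExtendedKeyUsage.
 *
 * Obviously this purpose should never be checked against.
 */
static const unsigned char P11_OID_RESERVED_PURPOSE[] =
	{ 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x99, 0x77, 0x06, 0x0a, 0x10 };
static const char P11_OID_RESERVED_PURPOSE_STR[] = "1.3.6.1.4.1.3319.6.10.16";

#endif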