/* $NetBSD: hx_locl.h,v 1.2 2017/01/28 21:31:48 christos Exp $ */

/*
 * Copyright (c) 2004 - 2016 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden).
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * 3. Neither the name of the Institute nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

/* Id */

/*
 * hx_locl.h - library-internal declarations for hx509.
 *
 * This header carries the concrete layouts of the *_data structures
 * (presumably the targets of the opaque handle typedefs in
 * <krb5/hx509.h>), the backend operation tables for certificate stores
 * and private keys, and the flag bits shared between the library's
 * source files.  Nothing here is part of the public API; every .c file
 * in the library includes this header rather than the public one.
 */

#include <config.h>

#include <stdio.h>
#include <stdlib.h>
#include <ctype.h>
#include <errno.h>
#ifdef HAVE_STRINGS_H
#include <strings.h>
#endif
#include <assert.h>
#include <stdarg.h>
#include <err.h>
#include <limits.h>

#include <krb5/roken.h>

#include <krb5/getarg.h>
#include <krb5/base64.h>
#include <krb5/hex.h>
#include <krb5/com_err.h>
#include <krb5/parse_units.h>
#include <krb5/parse_bytes.h>

#include <krb5/krb5-types.h>

#include <krb5/rfc2459_asn1.h>
#include <krb5/cms_asn1.h>
#include <krb5/pkcs8_asn1.h>
#include <krb5/pkcs9_asn1.h>
#include <krb5/pkcs12_asn1.h>
#include <krb5/ocsp_asn1.h>
#include <krb5/pkcs10_asn1.h>
#include <krb5/asn1_err.h>
#include <krb5/pkinit_asn1.h>

#include <krb5/der.h>

/*
 * We use OpenSSL for EC, but to do this we need to disable cross-references
 * between OpenSSL and hcrypto bn.h and such. Source files that use OpenSSL EC
 * must define HEIM_NO_CRYPTO_HDRS before including this file.
 */

/* Opt in to the deprecated hcrypto names; crypto-headers.h is skipped
 * entirely for the EC translation unit (see the comment above). */
#define HC_DEPRECATED_CRYPTO
#ifndef HEIM_NO_CRYPTO_HDRS
#include "crypto-headers.h"
#endif

/* Forward declarations so the public header can refer to these by pointer
 * before their layouts are given further down in this file. */
struct hx509_keyset_ops;
struct hx509_collector;
struct hx509_generate_private_context;
typedef struct hx509_path hx509_path;

#include <krb5/heimbase.h>

#include <krb5/hx509.h>

/* Callback type used to release the data behind a certificate handle;
 * the void * is presumably the backend's own context - confirm at the
 * registration site. */
typedef void (*_hx509_cert_release_func)(struct hx509_cert_data *, void *);


#include "sel.h"

#include <hx509-private.h>
#include <krb5/hx509_err.h>

/*
 * Peer description used when selecting algorithms for a counterpart:
 * the peer's certificate plus an array of `len` AlgorithmIdentifiers in
 * `val` (presumably the algorithms the peer accepts - TODO confirm).
 */
struct hx509_peer_info {
    hx509_cert cert;
    AlgorithmIdentifier *val;
    size_t len;
};

/* Bit flags selecting which certificate attribute a lookup matches on. */
#define HX509_CERTS_FIND_SERIALNUMBER 1
#define HX509_CERTS_FIND_ISSUER 2
#define HX509_CERTS_FIND_SUBJECT 4
#define HX509_CERTS_FIND_ISSUER_KEY_ID 8
#define HX509_CERTS_FIND_SUBJECT_KEY_ID 16

/* An X.509 Name, kept in its decoded ASN.1 form. */
struct hx509_name_data {
    Name der_name;
};

/* A certificate chain: `len` certificate handles in `val`. */
struct hx509_path {
    size_t len;
    hx509_cert *val;
};

/*
 * Certificate query.  `match` is a bitmask of the HX509_QUERY_* bits
 * below; each MATCH_* bit selects one of the fields that follow as the
 * value to compare against (pairing by name - confirm in the matcher).
 * HX509_QUERY_MASK covers exactly the 24 defined bits.
 */
struct hx509_query_data {
    int match;
#define HX509_QUERY_FIND_ISSUER_CERT		0x000001
#define HX509_QUERY_MATCH_SERIALNUMBER		0x000002
#define HX509_QUERY_MATCH_ISSUER_NAME		0x000004
#define HX509_QUERY_MATCH_SUBJECT_NAME		0x000008
#define HX509_QUERY_MATCH_SUBJECT_KEY_ID	0x000010
#define HX509_QUERY_MATCH_ISSUER_ID		0x000020
#define HX509_QUERY_PRIVATE_KEY			0x000040
#define HX509_QUERY_KU_ENCIPHERMENT		0x000080
#define HX509_QUERY_KU_DIGITALSIGNATURE		0x000100
#define HX509_QUERY_KU_KEYCERTSIGN		0x000200
#define HX509_QUERY_KU_CRLSIGN			0x000400
#define HX509_QUERY_KU_NONREPUDIATION		0x000800
#define HX509_QUERY_KU_KEYAGREEMENT		0x001000
#define HX509_QUERY_KU_DATAENCIPHERMENT		0x002000
#define HX509_QUERY_ANCHOR			0x004000
#define HX509_QUERY_MATCH_CERTIFICATE		0x008000
#define HX509_QUERY_MATCH_LOCAL_KEY_ID		0x010000
#define HX509_QUERY_NO_MATCH_PATH		0x020000
#define HX509_QUERY_MATCH_FRIENDLY_NAME		0x040000
#define HX509_QUERY_MATCH_FUNCTION		0x080000
#define HX509_QUERY_MATCH_KEY_HASH_SHA1		0x100000
#define HX509_QUERY_MATCH_TIME			0x200000
#define HX509_QUERY_MATCH_EKU			0x400000
#define HX509_QUERY_MATCH_EXPR			0x800000
#define HX509_QUERY_MASK			0xffffff
    Certificate *subject;
    Certificate *certificate;
    heim_integer *serial;
    heim_octet_string *subject_id;
    heim_octet_string *local_key_id;
    Name *issuer_name;
    Name *subject_name;
    hx509_path *path;
    char *friendlyname;
    /* User-supplied predicate; cmp_func_ctx is presumably passed through
     * as its void * argument. */
    int (*cmp_func)(hx509_context, hx509_cert, void *);
    void *cmp_func_ctx;
    heim_octet_string *keyhash_sha1;
    time_t timenow;
    heim_oid *eku;
    struct hx_expr *expr;
};

/*
 * Operation table for one certificate-store backend ("keyset").
 * Each backend registers one of these; the void * arguments carry the
 * backend's private state, which `init` hands back through its void **
 * and `free` tears down (as the signatures suggest - confirm in the
 * backends).  Every operation returns 0 on success or an hx509 error code.
 */
struct hx509_keyset_ops {
    const char *name;
    int flags;
    int (*init)(hx509_context, hx509_certs, void **,
		int, const char *, hx509_lock);
    int (*store)(hx509_context, hx509_certs, void *, int, hx509_lock);
    int (*free)(hx509_certs, void *);
    int (*add)(hx509_context, hx509_certs, void *, hx509_cert);
    int (*query)(hx509_context, hx509_certs, void *,
		 const hx509_query *, hx509_cert *);
    int (*iter_start)(hx509_context, hx509_certs, void *, void **);
    int (*iter)(hx509_context, hx509_certs, void *, void *, hx509_cert *);
    int (*iter_end)(hx509_context, hx509_certs, void *, void *);
    int (*printinfo)(hx509_context, hx509_certs,
		     void *, int (*)(void *, const char *), void *);
    int (*getkeys)(hx509_context, hx509_certs, void *, hx509_private_key **);
    int (*addkey)(hx509_context, hx509_certs, void *, hx509_private_key);
};

/* `len` NUL-terminated strings in `val`; by name these are candidate
 * passphrases, i.e. secret material - whoever owns the array is
 * responsible for clearing it (not visible here). */
struct _hx509_password {
    size_t len;
    char **val;
};

/* Lock object with no passwords/certificates, shared by callers that
 * have nothing to supply. */
extern hx509_lock _hx509_empty_lock;

/*
 * Per-library-context state behind the hx509_context handle.
 *
 * ks_ops/ks_num_ops: the registered keyset backends.
 * flags: HX509_CTX_VERIFY_MISSING_OK is the only bit defined here; its
 *   name suggests it relaxes a verification failure, so any code that sets
 *   it deserves a deliberate look during review.
 * ocsp_time_diff: tolerance applied to OCSP timestamps; the default
 *   (5*60) reads as five minutes in seconds - confirm units at the use site.
 * error/et_list/querystat: last error, error tables, query-statistics
 *   file name (presumably, from the name).
 * default_trust_anchors: anchors used when the caller supplies none.
 */
struct hx509_context_data {
    struct hx509_keyset_ops **ks_ops;
    int ks_num_ops;
    int flags;
#define HX509_CTX_VERIFY_MISSING_OK	1
    int ocsp_time_diff;
#define HX509_DEFAULT_OCSP_TIME_DIFF (5*60)
    heim_error_t error;
    struct et_list *et_list;
    char *querystat;
    hx509_certs default_trust_anchors;
};

/* _hx509_calculate_path flag field */
#define HX509_CALCULATE_PATH_NO_ANCHOR 1

/* environment */
/*
 * One node of a singly linked environment list: a named entry that is
 * either a string or a nested list, selected by `type`.
 */
struct hx509_env_data {
    enum { env_string, env_list } type;
    char *name;
    struct hx509_env_data *next;
    union {
	char *string;
	struct hx509_env_data *list;
    } u;
};


/* Library-wide default algorithms, defined in crypto.c. */
extern const AlgorithmIdentifier * _hx509_crypto_default_sig_alg;
extern const AlgorithmIdentifier * _hx509_crypto_default_digest_alg;
extern const AlgorithmIdentifier * _hx509_crypto_default_secret_alg;

/*
 * Private bits from crypto.c, so crypto-ec.c can also see them.
 *
 * This is part of the use-OpenSSL-for-EC hack.
 */

struct hx509_crypto;

struct signature_alg;

/* Parameters for generating a new private key: key type, whether the
 * key is for a CA, and the requested key size in bits. */
struct hx509_generate_private_context {
    const heim_oid *key_oid;
    int isCA;
    unsigned long num_bits;
};

/*
 * Operation table for one private-key type (RSA, EC, ...).
 *
 * pemtype/key_oid identify the type.  `available` presumably answers
 * whether the key can be used with a given signature algorithm; the
 * remaining operations return 0 on success or an hx509 error code.
 * `get_internal` exposes a named component of the key as an hcrypto
 * BIGNUM - callers that receive one hold raw key material.
 */
struct hx509_private_key_ops {
    const char *pemtype;
    const heim_oid *key_oid;
    int (*available)(const hx509_private_key,
		     const AlgorithmIdentifier *);
    int (*get_spki)(hx509_context,
		    const hx509_private_key,
		    SubjectPublicKeyInfo *);
    int (*export)(hx509_context context,
		  const hx509_private_key,
		  hx509_key_format_t,
		  heim_octet_string *);
    int (*import)(hx509_context, const AlgorithmIdentifier *,
		  const void *, size_t, hx509_key_format_t,
		  hx509_private_key);
    int (*generate_private_key)(hx509_context,
				struct hx509_generate_private_context *,
				hx509_private_key);
    BIGNUM *(*get_internal)(hx509_context, hx509_private_key, const char *);
};

/*
 * A loaded private key.  `ref` is presumably a reference count (confirm
 * against the ref/free helpers).  Exactly one member of the
 * `private_key` union holds the secret material; which one is live is
 * not recorded here and presumably follows from `ops` - confirm.
 */
struct hx509_private_key {
    unsigned int ref;
    const struct signature_alg *md;
    const heim_oid *signature_alg;
    union {
	RSA *rsa;
	void *keydata;
	void *ecdsa; /* EC_KEY */
    } private_key;
    hx509_private_key_ops *ops;
};

/*
 * Description of one signature/digest/secret algorithm supported by the
 * library.  `flags` takes the bits below: the 0x1-0x8 group describes
 * policy for the algorithm, the SIG_* group its kind, and
 * RA_RSA_USES_DIGEST_INFO sits alone in a higher bit.  WEAK_SIG_ALG
 * together with `best_before` is the hook for phasing an algorithm out,
 * so new table entries should set them deliberately.
 */

struct signature_alg {
    const char *name;
    const heim_oid *sig_oid;
    const AlgorithmIdentifier *sig_alg;
    const heim_oid *key_oid;
    const AlgorithmIdentifier *digest_alg;
    int flags;
#define PROVIDE_CONF 0x1
#define REQUIRE_SIGNER 0x2
#define SELF_SIGNED_OK 0x4
#define WEAK_SIG_ALG 0x8

#define SIG_DIGEST 0x100
#define SIG_PUBLIC_SIG 0x200
#define SIG_SECRET 0x400

#define RA_RSA_USES_DIGEST_INFO 0x1000000

    time_t best_before; /* refuse signature made after best before date */
    /* OpenSSL digest constructor for this algorithm, if any. */
    const EVP_MD *(*evp_md)(void);
    int (*verify_signature)(hx509_context context,
			    const struct signature_alg *,
			    const Certificate *,
			    const AlgorithmIdentifier *,
			    const heim_octet_string *,
			    const heim_octet_string *);
    int (*create_signature)(hx509_context,
			    const struct signature_alg *,
			    const hx509_private_key,
			    const AlgorithmIdentifier *,
			    const heim_octet_string *,
			    AlgorithmIdentifier *,
			    heim_octet_string *);
    int digest_size;
};

/*
 * Configurable options
 */

/* Platform default trust-anchor store; only macOS defines one here. */
#ifdef __APPLE__
#define HX509_DEFAULT_ANCHORS "KEYCHAIN:system-anchors"
#endif