1 /*
2  * Copyright (C) 2003-2012 Free Software Foundation, Inc.
3  * Copyright (C) 2017 Red Hat, Inc.
4  *
5  * Author: Nikos Mavrogiannopoulos
6  *
7  * This file is part of GnuTLS.
8  *
9  * The GnuTLS is free software; you can redistribute it and/or
10  * modify it under the terms of the GNU Lesser General Public License
11  * as published by the Free Software Foundation; either version 2.1 of
12  * the License, or (at your option) any later version.
13  *
14  * This library is distributed in the hope that it will be useful, but
15  * WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
17  * Lesser General Public License for more details.
18  *
19  * You should have received a copy of the GNU Lesser General Public License
20  * along with this program.  If not, see <https://www.gnu.org/licenses/>
21  *
22  */
23 
24 #ifndef GNUTLS_LIB_X509_X509_INT_H
25 #define GNUTLS_LIB_X509_X509_INT_H
26 
27 #include <gnutls/x509.h>
28 #include <gnutls/x509-ext.h>
29 #include <gnutls/abstract.h>
30 
31 #include <libtasn1.h>
32 
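/* Upper bounds for the fixed-size buffers used by the X.509 code.
 *
 * Every arithmetic expansion is parenthesized so that it stays a single
 * operand wherever it is used: an unparenthesized 8*1024 changes meaning
 * next to '/', '%' or a cast (n / 8*1024 is (n / 8) * 1024), which would
 * silently break any length check built on the constant.
 */
#define MAX_CRQ_EXTENSIONS_SIZE (8*1024)
#define MAX_OID_SIZE 128
#define MAX_KEY_ID_SIZE 128
#define MAX_SALT_SIZE 256
/* ASN1_MAX_NAME_SIZE is supplied by <libtasn1.h> */
#define MAX_NAME_SIZE (3*ASN1_MAX_NAME_SIZE)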
38 
/* Object identifiers (dotted-decimal strings) of the digest algorithms
 * this code can name.
 *
 * NOTE(review): the list contains MD2, MD5 and SHA-1 next to the SHA-2 and
 * SHA-3 families.  Those three are no longer collision-resistant, so an
 * entry here should be read as "this OID can be recognised", not as
 * "signatures using it are trusted"; whether such a signature is accepted
 * is presumably decided by the verification code and its flags -- confirm
 * against the callers before relying on it.
 */
#define HASH_OID_SHA1 "1.3.14.3.2.26"
#define HASH_OID_MD5 "1.2.840.113549.2.5"
#define HASH_OID_MD2 "1.2.840.113549.2.2"
#define HASH_OID_RMD160 "1.3.36.3.2.1"
#define HASH_OID_SHA224 "2.16.840.1.101.3.4.2.4"
#define HASH_OID_SHA256 "2.16.840.1.101.3.4.2.1"
#define HASH_OID_SHA384 "2.16.840.1.101.3.4.2.2"
#define HASH_OID_SHA512 "2.16.840.1.101.3.4.2.3"
#define HASH_OID_SHA3_224 "2.16.840.1.101.3.4.2.7"
#define HASH_OID_SHA3_256 "2.16.840.1.101.3.4.2.8"
#define HASH_OID_SHA3_384 "2.16.840.1.101.3.4.2.9"
#define HASH_OID_SHA3_512 "2.16.840.1.101.3.4.2.10"
#define HASH_OID_SHAKE_128 "2.16.840.1.101.3.4.2.11"
#define HASH_OID_SHAKE_256 "2.16.840.1.101.3.4.2.12"
#define HASH_OID_GOST_R_3411_94 "1.2.643.2.2.9"
#define HASH_OID_STREEBOG_256 "1.2.643.7.1.1.2.2"
#define HASH_OID_STREEBOG_512 "1.2.643.7.1.1.2.3"

/* Going by the name, the parameter-set OID that accompanies
 * HASH_OID_GOST_R_3411_94 -- TODO confirm at the point of use */
#define HASH_OID_GOST_R_3411_94_CRYPTOPRO_PARAMS "1.2.643.2.2.30.1"

/* Attribute OID taken from RFC 8479; judging by the name it identifies the
 * seed used for provable key generation -- TODO confirm */
#define OID_ATTR_PROV_SEED "1.3.6.1.4.1.2312.18.8.1"
61 
/* Iterator state kept for gnutls_x509_crl_iter_crt_serial(). */
struct gnutls_x509_crl_iter {
	/* This is used to optimize reads by gnutls_x509_crl_iter_crt_serial() */
	ASN1_TYPE rcache;
	/* NOTE(review): presumably the index of the entry rcache refers to -- confirm */
	unsigned rcache_idx;
};
67 
/* Internal state of a certificate revocation list object. */
typedef struct gnutls_x509_crl_int {
	ASN1_TYPE crl; /* the CRL as a libtasn1 structure */

	unsigned expanded;
	/* This is used to optimize reads by gnutls_x509_crl_get_crt_serial2() */
	ASN1_TYPE rcache;
	unsigned rcache_idx;
	int use_extensions;

	/* NOTE(review): presumably cached copies of the encoded CRL and of its
	 * issuer DN (cf. _gnutls_x509_crl_get_raw_issuer_dn()); code that
	 * changes crl has to keep them in step with it -- confirm */
	gnutls_datum_t der;
	gnutls_datum_t raw_issuer_dn;
} gnutls_x509_crl_int;
80 
/* A distinguished name, held as a single libtasn1 node. */
typedef struct gnutls_x509_dn_st {
	ASN1_TYPE asn;
} gnutls_x509_dn_st;
84 
/* Internal state of an X.509 certificate object: the parsed ASN.1
 * structure plus several values cached from it.
 *
 * NOTE(review): the cached datums below duplicate data that also lives in
 * cert.  Any code path that edits cert has to set `modified` (see the
 * MODIFIED() macro); otherwise later reads, including comparisons used
 * during verification, may work on stale values.
 */
typedef struct gnutls_x509_crt_int {
	ASN1_TYPE cert;
	int use_extensions;
	unsigned expanded; /* a certificate has been expanded */
	unsigned modified; /* the cached values below may no longer be valid */
	unsigned flags;

	/* NOTE(review): presumably PIN callback information -- confirm
	 * against the definition of struct pin_info_st */
	struct pin_info_st pin;

	/* These two cached values allow fast calls to
	 * get_raw_*_dn(). */
	gnutls_datum_t raw_dn;
	gnutls_datum_t raw_issuer_dn;
	gnutls_datum_t raw_spki;

	gnutls_datum_t der;

	/* this cached value allows fast access to alt names */
	gnutls_subject_alt_names_t san;
	gnutls_subject_alt_names_t ian;

	/* backwards compatibility for gnutls_x509_crt_get_subject()
	 * and gnutls_x509_crt_get_issuer() */
	gnutls_x509_dn_st dn;
	gnutls_x509_dn_st idn;
} gnutls_x509_crt_int;
111 
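/* Sets the `modified` field of a certificate, which marks the values
 * cached in gnutls_x509_crt_int as possibly stale.
 *
 * The argument and the whole expansion are parenthesized: without that,
 * MODIFIED(p + 1) would expand to p + 1->modified=1 and the macro could
 * not be used safely inside a larger expression.
 */
#define MODIFIED(crt) ((crt)->modified = 1)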
113 
/* Internal state of a certificate request object: only the libtasn1
 * structure, with no cached values. */
typedef struct gnutls_x509_crq_int {
	ASN1_TYPE crq;
} gnutls_x509_crq_int;
117 
/* One PKCS #7 attribute; entries are chained through `next` into a
 * singly linked list. */
typedef struct gnutls_pkcs7_attrs_st {
	/* NOTE(review): presumably a separately allocated, NUL-terminated OID
	 * string owned by this node -- confirm who frees it */
	char *oid;
	gnutls_datum_t data;
	struct gnutls_pkcs7_attrs_st *next;
} gnutls_pkcs7_attrs_st;
123 
/* Internal state of a PKCS #7 object. */
typedef struct gnutls_pkcs7_int {
	ASN1_TYPE pkcs7;

	/* Fixed-size storage for the OID of the encapsulated data.
	 * NOTE(review): the OID comes out of the decoded structure, so the
	 * code that fills this must bound the copy to MAX_OID_SIZE,
	 * terminator included. */
	char encap_data_oid[MAX_OID_SIZE];

	gnutls_datum_t der_signed_data;
	ASN1_TYPE signed_data;
	unsigned expanded;
} gnutls_pkcs7_int;
133 
/* PBKDF2 parameters. */
struct pbkdf2_params {
	/* fixed-capacity salt storage */
	uint8_t salt[MAX_SALT_SIZE];
	/* NOTE(review): a signed length paired with a fixed-size buffer;
	 * whoever fills this from decoded data has to reject values below 0
	 * or above MAX_SALT_SIZE before copying into salt[] */
	int salt_size;
	/* NOTE(review): presumably taken from the encoded structure as is;
	 * zero or extremely large counts need a policy decision in the
	 * caller -- confirm */
	unsigned iter_count;
	unsigned key_size;
	gnutls_mac_algorithm_t mac;
};
141 
/* Internal state of an X.509 private key object.
 *
 * NOTE(review): params and key presumably hold private key material, so
 * release and re-initialisation paths (cf. _gnutls_x509_privkey_reinit())
 * should clear them rather than only free them -- confirm at the
 * definitions.
 */
typedef struct gnutls_x509_privkey_int {
	/* the size of params depends on the public
	 * key algorithm
	 */
	gnutls_pk_params_st params;

	unsigned expanded;
	unsigned flags;

	ASN1_TYPE key;
	struct pin_info_st pin;
} gnutls_x509_privkey_int;
154 
/* Copy and comparison helpers for certificates and CRLs.  Only the
 * declarations are visible here; return conventions are to be confirmed
 * at the definitions. */
int _gnutls_x509_crt_cpy(gnutls_x509_crt_t dest, gnutls_x509_crt_t src);

/* Takes two raw DNs as datums; neither argument is written through
 * (both are const). */
int _gnutls_x509_compare_raw_dn(const gnutls_datum_t * dn1,
				const gnutls_datum_t * dn2);

int _gnutls_x509_crl_cpy(gnutls_x509_crl_t dest, gnutls_x509_crl_t src);
/* NOTE(review): whether dn receives a copy or a reference into crl is not
 * visible from the prototype -- confirm before freeing it */
int _gnutls_x509_crl_get_raw_issuer_dn(gnutls_x509_crl_t crl,
				       gnutls_datum_t * dn);
163 
/* sign.c */
/* tbs_name / src_name are names of nodes inside the given libtasn1
 * structure; tbs is an output datum. */
int _gnutls_x509_get_tbs(ASN1_TYPE cert, const char *tbs_name,
			 gnutls_datum_t * tbs);
/* NOTE(review): the digest argument is unnamed in this prototype; the
 * definition is the place to check how weak digests are handled */
int _gnutls_x509_pkix_sign(ASN1_TYPE src, const char *src_name,
			   gnutls_digest_algorithm_t,
			   unsigned int flags,
			   gnutls_x509_crt_t issuer,
			   gnutls_privkey_t issuer_key);
/* key_params is read-only input, params is the output structure */
int _gnutls_x509_crt_get_spki_params(gnutls_x509_crt_t issuer,
				     const gnutls_x509_spki_st *key_params,
				     gnutls_x509_spki_st *params);
175 
/* Yields 0 for a negative value (an error code, going by the name) and the
 * value itself otherwise.
 * NOTE(review): x is expanded twice, so the argument must be free of side
 * effects; map_errs_to_zero(f()) may call f() twice. */
#define map_errs_to_zero(x) ((x)<0?0:(x))
177 
/* dn.c */
/* OIDs of distinguished-name attribute types, as dotted-decimal strings */
#define OID_X520_COUNTRY_NAME		"2.5.4.6"
#define OID_X520_ORGANIZATION_NAME	"2.5.4.10"
#define OID_X520_ORGANIZATIONAL_UNIT_NAME "2.5.4.11"
#define OID_X520_COMMON_NAME		"2.5.4.3"
#define OID_X520_LOCALITY_NAME		"2.5.4.7"
#define OID_X520_STATE_OR_PROVINCE_NAME	"2.5.4.8"
#define OID_LDAP_DC			"0.9.2342.19200300.100.1.25"
#define OID_LDAP_UID			"0.9.2342.19200300.100.1.1"
#define OID_PKCS9_EMAIL			"1.2.840.113549.1.9.1"
188 
/* DN and GeneralName helpers.  In all of them the (structure, name) pair
 * identifies a node inside a libtasn1 structure.
 *
 * NOTE(review): several functions take a caller buffer together with a
 * pointer to its size (buf/sizeof_buf, _oid/sizeof_oid, name/name_size).
 * The size is presumably in/out -- capacity on entry, length written or
 * required on return -- and callers must initialise it to the real
 * capacity before each call; confirm at the definitions.
 */
int _gnutls_x509_parse_dn(ASN1_TYPE asn1_struct,
			  const char *asn1_rdn_name, char *buf,
			  size_t * sizeof_buf,
			  unsigned flags);

int
_gnutls_x509_get_dn(ASN1_TYPE asn1_struct,
		    const char *asn1_rdn_name, gnutls_datum_t * dn,
		    unsigned flags);

int
_gnutls_x509_parse_dn_oid(ASN1_TYPE asn1_struct,
			  const char *asn1_rdn_name,
			  const char *given_oid, int indx,
			  unsigned int raw_flag, gnutls_datum_t * out);

/* NOTE(review): the length of name is passed as a signed int */
int _gnutls_x509_set_dn_oid(ASN1_TYPE asn1_struct,
			    const char *asn1_rdn_name, const char *oid,
			    int raw_flag, const char *name,
			    int sizeof_name);

int _gnutls_x509_get_dn_oid(ASN1_TYPE asn1_struct,
			    const char *asn1_rdn_name,
			    int indx, void *_oid, size_t * sizeof_oid);

int _gnutls_encode_othername_data(unsigned flags, const void *data, unsigned data_size, gnutls_datum_t *output);

int _gnutls_parse_general_name(ASN1_TYPE src, const char *src_name,
			       int seq, void *name, size_t * name_size,
			       unsigned int *ret_type, int othername_oid);

/* Same parameters as _gnutls_parse_general_name() except that the result
 * goes into a datum instead of a caller buffer. */
int
_gnutls_parse_general_name2(ASN1_TYPE src, const char *src_name,
			   int seq, gnutls_datum_t *dname,
			   unsigned int *ret_type, int othername_oid);

int
_gnutls_write_new_general_name(ASN1_TYPE ext, const char *ext_name,
		       gnutls_x509_subject_alt_name_t type,
		       const void *data, unsigned int data_size);

int
_gnutls_write_new_othername(ASN1_TYPE ext, const char *ext_name,
		       const char *oid,
		       const void *data, unsigned int data_size);
234 
235 /* dsa.c */
236 
237 
/* verify.c */
int gnutls_x509_crt_is_issuer(gnutls_x509_crt_t cert,
			      gnutls_x509_crt_t issuer);

/* hash is an output parameter; signature is read-only input.
 * NOTE(review): presumably the digest is derived from the signature and the
 * issuer's key parameters -- confirm at the definition */
int
_gnutls_x509_verify_algorithm(gnutls_digest_algorithm_t * hash,
			      const gnutls_datum_t * signature,
			      gnutls_pk_algorithm_t pk,
			      gnutls_pk_params_st * issuer_params);
247 
/* privkey.h */
/* Private-key decoding and parameter helpers.
 *
 * NOTE(review): the readers below take a DER buffer as (uint8_t *der,
 * int dersize).  The length is a signed int, so callers that hold the
 * length in a size_t or unsigned must make sure it is representable and
 * non-negative before the call, in particular for input that comes from
 * an untrusted peer or file.
 */
void _gnutls_x509_privkey_reinit(gnutls_x509_privkey_t key);

/* Returns a libtasn1 structure rather than an error code; how failure is
 * signalled is not visible from the prototype -- confirm */
ASN1_TYPE _gnutls_privkey_decode_pkcs1_rsa_key(const gnutls_datum_t *
					       raw_key,
					       gnutls_x509_privkey_t pkey);
int _gnutls_privkey_decode_ecc_key(ASN1_TYPE* pkey_asn, const gnutls_datum_t *
					 raw_key,
					 gnutls_x509_privkey_t pkey,
					 gnutls_ecc_curve_t curve);

int _gnutls_privkey_decode_eddsa_key(ASN1_TYPE* pkey_asn,
		const gnutls_datum_t *raw_key,
		gnutls_x509_privkey_t pkey,
		gnutls_ecc_curve_t curve);

int
_gnutls_x509_read_ecc_params(uint8_t * der, int dersize,
			     unsigned int *curve);

int
_gnutls_x509_read_gost_params(uint8_t * der, int dersize,
			      gnutls_pk_params_st * params,
			      gnutls_pk_algorithm_t algo);

int _gnutls_asn1_encode_privkey(ASN1_TYPE * c2,
				gnutls_pk_params_st * params);

void _gnutls_x509_privkey_get_spki_params(gnutls_x509_privkey_t key,
					  gnutls_x509_spki_st * params);

int _gnutls_x509_read_rsa_pss_params(uint8_t * der, int dersize,
				     gnutls_x509_spki_st * params);
int _gnutls_x509_write_rsa_pss_params(const gnutls_x509_spki_st * params,
				      gnutls_datum_t * der);
283 
/* extensions.c */
/* Extension accessors for CRLs and certificates.  The getters select an
 * extension by OID string and index; `critical` is an output in the
 * getters and an input in the setters.
 *
 * NOTE(review): `critical` is the only place the criticality of an
 * extension surfaces in these prototypes, so callers that look up an
 * extension for a security decision should not discard it.
 */
int _gnutls_x509_crl_get_extension_oid(gnutls_x509_crl_t crl,
				       int indx, void *oid,
				       size_t * sizeof_oid);

int _gnutls_x509_crl_set_extension(gnutls_x509_crl_t crl,
				   const char *ext_id,
				   const gnutls_datum_t * ext_data,
				   unsigned int critical);

int
_gnutls_x509_crl_get_extension(gnutls_x509_crl_t crl,
			       const char *extension_id, int indx,
			       gnutls_datum_t * data,
			       unsigned int *critical);

int
_gnutls_x509_crt_get_extension(gnutls_x509_crt_t cert,
			       const char *extension_id, int indx,
			       gnutls_datum_t * data, unsigned int *critical);

int _gnutls_x509_crt_get_extension_oid(gnutls_x509_crt_t cert,
				       int indx, void *ret,
				       size_t * ret_size);
int _gnutls_x509_crt_set_extension(gnutls_x509_crt_t cert,
				   const char *extension_id,
				   const gnutls_datum_t * ext_data,
				   unsigned int critical);

/* NOTE(review): number/nr_size form a caller buffer and a pointer to its
 * size (presumably in/out), while the input length extnValueLen is a
 * signed int -- confirm the bounds handling at the definition */
int
_gnutls_x509_ext_extract_number(uint8_t * number,
				size_t * nr_size,
				uint8_t * extnValue, int extnValueLen);
int
_gnutls_x509_ext_gen_number(const uint8_t * number, size_t nr_size,
			    gnutls_datum_t * der_ext);


int
_gnutls_write_general_name(ASN1_TYPE ext, const char *ext_name,
		       gnutls_x509_subject_alt_name_t type,
		       const void *data, unsigned int data_size);

/* prev_der_ext is read-only input and der_ext the output datum */
int _gnutls_x509_ext_gen_subject_alt_name(gnutls_x509_subject_alt_name_t
					  type,
					  const char *othername_oid,
					  const void *data,
					  unsigned int data_size,
					  const gnutls_datum_t * prev_der_ext,
					  gnutls_datum_t * der_ext);
int _gnutls_x509_ext_gen_auth_key_id(const void *id, size_t id_size,
				     gnutls_datum_t * der_data);
336 
/* mpi.c */
/* Public-key parameter readers and writers.
 *
 * NOTE(review): as elsewhere in this header the readers take the DER
 * length as a signed int (dersize); callers must pass a non-negative
 * value that matches the buffer.  _gnutls_x509_check_pubkey_params() is
 * declared next to the readers; whether the readers call it themselves is
 * not visible here -- confirm before assuming decoded parameters were
 * validated.
 */
int _gnutls_x509_crq_get_mpis(gnutls_x509_crq_t cert,
			      gnutls_pk_params_st *);

int _gnutls_x509_crt_get_mpis(gnutls_x509_crt_t cert,
			      gnutls_pk_params_st * params);

int _gnutls_x509_read_pubkey_params(gnutls_pk_algorithm_t, uint8_t * der,
				    int dersize,
				    gnutls_pk_params_st * params);
int _gnutls_x509_check_pubkey_params(gnutls_pk_params_st * params);

int _gnutls_x509_read_pubkey(gnutls_pk_algorithm_t, uint8_t * der,
			     int dersize, gnutls_pk_params_st * params);

int _gnutls_x509_read_pubkey_signature_params(gnutls_pk_algorithm_t algo,
					      uint8_t * der, int dersize,
					      gnutls_pk_params_st * params);

/* The writers take read-only parameters and fill the datum `der` */
int _gnutls_x509_write_ecc_params(const gnutls_ecc_curve_t curve,
				  gnutls_datum_t * der);
int _gnutls_x509_write_ecc_pubkey(const gnutls_pk_params_st * params,
				  gnutls_datum_t * der);

int _gnutls_x509_write_eddsa_pubkey(const gnutls_pk_params_st * params,
				    gnutls_datum_t * der);

int
_gnutls_x509_write_pubkey_params(const gnutls_pk_params_st * params,
				 gnutls_datum_t * der);
int _gnutls_x509_write_pubkey(const gnutls_pk_params_st * params,
			      gnutls_datum_t * der);
369 
/* Integer readers and writers for ASN.1 nodes and raw DER.
 *
 * NOTE(review): the *_key_int variants mirror the plain *_int ones; going
 * by the name they are meant for private-key integers and presumably
 * treat the temporary buffers as sensitive -- confirm at the definitions
 * before substituting one for the other.
 */
int _gnutls_x509_read_uint(ASN1_TYPE node, const char *value,
			   unsigned int *ret);

int _gnutls_x509_read_der_int(uint8_t * der, int dersize, bigint_t * out);
int _gnutls_x509_read_der_uint(uint8_t * der, int dersize, unsigned int *out);

int _gnutls_x509_read_int(ASN1_TYPE node, const char *value,
			  bigint_t * ret_mpi);
int _gnutls_x509_write_int(ASN1_TYPE node, const char *value, bigint_t mpi,
			   int lz);

int _gnutls_x509_write_uint32(ASN1_TYPE node, const char *value,
			      uint32_t num);


int _gnutls_x509_read_key_int(ASN1_TYPE node, const char *value,
			  bigint_t * ret_mpi);
int _gnutls_x509_write_key_int(ASN1_TYPE node, const char *value, bigint_t mpi,
			   int lz);

int _gnutls_x509_read_key_int_le(ASN1_TYPE node, const char *value,
				 bigint_t * ret_mpi);
int _gnutls_x509_write_key_int_le(ASN1_TYPE node, const char *value,
				  bigint_t mpi);

/* is_sig selects between the two uses wrapped by the macros below */
int _gnutls_x509_read_pkalgo_params(ASN1_TYPE src, const char *src_name,
				  gnutls_x509_spki_st *params, unsigned is_sig);
int _gnutls_x509_write_sign_params(ASN1_TYPE dst, const char *dst_name,
				   const gnutls_sign_entry_st *se, gnutls_x509_spki_st *params);

/* Convenience wrappers around _gnutls_x509_read_pkalgo_params():
 * the first passes is_sig = 1, the second is_sig = 0. */
#define _gnutls_x509_read_sign_params(src,name,params) _gnutls_x509_read_pkalgo_params(src,name,params,1)
#define _gnutls_x509_read_spki_params(src,name,params) _gnutls_x509_read_pkalgo_params(src,name,params,0)
int _gnutls_x509_write_spki_params(ASN1_TYPE dst, const char *dst_name,
				   gnutls_x509_spki_st *params);
404 
/* Reads the algorithm parameters found under a certificate's
 * subjectPublicKeyInfo.
 *
 * Thin wrapper: hands crt->cert and the fixed node name
 * "tbsCertificate.subjectPublicKeyInfo.algorithm" to
 * _gnutls_x509_read_spki_params() and returns its result unchanged.
 * crt is dereferenced without a check, so the caller must pass a valid
 * certificate object.
 */
inline static int
_gnutls_x509_crt_read_spki_params(gnutls_x509_crt_t crt,
				  gnutls_x509_spki_st *params)
{
	const char *spki_algo_node =
	    "tbsCertificate.subjectPublicKeyInfo.algorithm";
	int ret;

	ret = _gnutls_x509_read_spki_params(crt->cert, spki_algo_node, params);
	return ret;
}
415 
/* Reads the algorithm parameters found under a certificate request's
 * subjectPKInfo.
 *
 * Thin wrapper: hands crt->crq and the fixed node name
 * "certificationRequestInfo.subjectPKInfo.algorithm" to
 * _gnutls_x509_read_spki_params() and returns its result unchanged.
 * The parameter is named crt although it is a request object; it is
 * dereferenced without a check, so the caller must pass a valid one.
 */
inline static int
_gnutls_x509_crq_read_spki_params(gnutls_x509_crq_t crt,
				  gnutls_x509_spki_st *params)
{
	const char *spki_algo_node =
	    "certificationRequestInfo.subjectPKInfo.algorithm";
	int ret;

	ret = _gnutls_x509_read_spki_params(crt->crq, spki_algo_node, params);
	return ret;
}
426 
427 
428 /* pkcs12.h */
429 #include <gnutls/pkcs12.h>
430 
/* Internal state of a PKCS #12 object: the libtasn1 structure and an
 * `expanded` flag like the one on the other object types in this header. */
typedef struct gnutls_pkcs12_int {
	ASN1_TYPE pkcs12;
	unsigned expanded;
} gnutls_pkcs12_int;
435 
/* Capacity of the element array in gnutls_pkcs12_bag_int */
#define MAX_BAG_ELEMENTS 32

/* One entry of a PKCS #12 bag. */
struct bag_element {
	gnutls_datum_t data;
	gnutls_pkcs12_bag_type_t type;
	gnutls_datum_t local_key_id;
	/* NOTE(review): presumably a separately allocated string -- confirm who frees it */
	char *friendly_name;
};

/* A PKCS #12 bag with a fixed number of slots.
 *
 * NOTE(review): bag_elements presumably counts the slots in use.  Because
 * the array is fixed-size and bags are decoded from external files, every
 * path that appends an element has to check bag_elements against
 * MAX_BAG_ELEMENTS before writing, and every index taken from a caller has
 * to be checked against bag_elements.
 */
typedef struct gnutls_pkcs12_bag_int {
	struct bag_element element[MAX_BAG_ELEMENTS];
	unsigned bag_elements;
} gnutls_pkcs12_bag_int;
449 
/* OIDs of the PKCS #12 bag types, as dotted-decimal strings */
#define BAG_PKCS8_KEY "1.2.840.113549.1.12.10.1.1"
#define BAG_PKCS8_ENCRYPTED_KEY "1.2.840.113549.1.12.10.1.2"
#define BAG_CERTIFICATE "1.2.840.113549.1.12.10.1.3"
#define BAG_CRL "1.2.840.113549.1.12.10.1.4"
#define BAG_SECRET "1.2.840.113549.1.12.10.1.5"

/* Bag attributes
 */
#define FRIENDLY_NAME_OID "1.2.840.113549.1.9.20"
#define KEY_ID_OID "1.2.840.113549.1.9.21"
460 
/* Derives key material from a password (pw), a salt and an iteration
 * count, as far as the parameter names show.
 *
 * NOTE(review): keybuf has no size argument of its own; presumably it must
 * provide at least req_keylen bytes -- confirm at the definition.  The
 * output is key material, so callers should clear keybuf once it is no
 * longer needed.
 */
int
_gnutls_pkcs12_string_to_key(const mac_entry_st * me,
			     unsigned int id, const uint8_t * salt,
			     unsigned int salt_size, unsigned int iter,
			     const char *pw, unsigned int req_keylen,
			     uint8_t * keybuf);


/* Safe-contents and certificate-bag encoders/decoders.  The decoders take
 * read-only input datums; their input typically originates from a
 * PKCS #12 file and should be treated as untrusted. */
int _pkcs12_decode_safe_contents(const gnutls_datum_t * content,
				 gnutls_pkcs12_bag_t bag);

int
_pkcs12_encode_safe_contents(gnutls_pkcs12_bag_t bag, ASN1_TYPE * content,
			     int *enc);

int _pkcs12_decode_crt_bag(gnutls_pkcs12_bag_type_t type,
			   const gnutls_datum_t * in,
			   gnutls_datum_t * out);
int _pkcs12_encode_crt_bag(gnutls_pkcs12_bag_type_t type,
			   const gnutls_datum_t * raw,
			   gnutls_datum_t * out);
482 
/* crq */
int _gnutls_x509_crq_set_extension(gnutls_x509_crq_t crq,
				   const char *ext_id,
				   const gnutls_datum_t * ext_data,
				   unsigned int critical);

/* data and signature are read-only inputs; vdata/vdata_size form an array
 * of typed verification data and its element count */
int
gnutls_x509_crt_verify_data3(gnutls_x509_crt_t crt,
			     gnutls_sign_algorithm_t algo,
			     gnutls_typed_vdata_st *vdata,
			     unsigned int vdata_size,
			     const gnutls_datum_t *data,
			     const gnutls_datum_t *signature,
			     unsigned int flags);

/* Chain verification entry points.  They return an unsigned status word
 * rather than an error code.
 *
 * NOTE(review): the two variants disagree on the type of the list length
 * (int clist_size / tcas_size here, unsigned clist_size in the PKCS #11
 * variant); callers converting between them should rule out negative
 * values first.
 */
unsigned int
_gnutls_verify_crt_status(const gnutls_x509_crt_t * certificate_list,
				int clist_size,
				const gnutls_x509_crt_t * trusted_cas,
				int tcas_size,
				unsigned int flags,
				const char *purpose,
				gnutls_verify_output_function func);

#ifdef ENABLE_PKCS11
unsigned int
_gnutls_pkcs11_verify_crt_status(const char* url,
				const gnutls_x509_crt_t * certificate_list,
				unsigned clist_size,
				const char *purpose,
				unsigned int flags,
				gnutls_verify_output_function func);
#endif

int _gnutls_check_cert_sanity(gnutls_x509_crt_t cert);

/* crl_list/crl_list_length form an array of CRLs and its (signed) length */
int
_gnutls_x509_crt_check_revocation(gnutls_x509_crt_t cert,
				  const gnutls_x509_crl_t * crl_list,
				  int crl_list_length,
				  gnutls_verify_output_function func);
524 
/* Name constraints: two singly linked lists of nodes, one for permitted
 * and one for excluded names.  The node type is defined right below; the
 * forward reference through `struct name_constraints_node_st *` is valid C. */
typedef struct gnutls_name_constraints_st {
	struct name_constraints_node_st * permitted;
	struct name_constraints_node_st * excluded;
} gnutls_name_constraints_st;

/* One constraint entry, chained through `next`. */
typedef struct name_constraints_node_st {
	/* NOTE(review): presumably a GeneralName type code -- confirm */
	unsigned type;
	gnutls_datum_t name;
	struct name_constraints_node_st *next;
} name_constraints_node_st;
535 
/* Name-constraint and policy helpers.  _nc is a pointer to a list head
 * (name_constraints_node_st **), so the extractor can change the head. */
int _gnutls_extract_name_constraints(ASN1_TYPE c2, const char *vstr,
				    name_constraints_node_st ** _nc);
void _gnutls_name_constraints_node_free (name_constraints_node_st *node);
/* NOTE(review): which of nc / nc2 is modified or consumed is not visible
 * from the prototype -- confirm before reusing nc2 after the call */
int _gnutls_x509_name_constraints_merge(gnutls_x509_name_constraints_t nc,
					gnutls_x509_name_constraints_t nc2);

void _gnutls_x509_policies_erase(gnutls_x509_policies_t policies, unsigned int seq);
543 
/* List of TLS feature identifiers held in a fixed-size array.
 *
 * NOTE(review): MAX_EXT_TYPES is defined outside this header.  `size`
 * presumably counts the used entries of feature[]; code that appends
 * values decoded from a certificate extension has to check it against
 * MAX_EXT_TYPES before writing.
 */
struct gnutls_x509_tlsfeatures_st {
	uint16_t feature[MAX_EXT_TYPES];
	unsigned int size;
};
548 
/* Going by the name, reports whether a signature algorithm considered
 * broken may still be accepted under the given verification flags; the
 * return type is unsigned, presumably used as a boolean -- confirm at the
 * definition. */
unsigned _gnutls_is_broken_sig_allowed(const gnutls_sign_entry_st *se, unsigned int flags);
550 
551 #endif /* GNUTLS_LIB_X509_X509_INT_H */
552