/* asn.h
 *
 * Copyright (C) 2006-2021 wolfSSL Inc.
 *
 * This file is part of wolfSSL.
 *
 * wolfSSL is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * wolfSSL is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
 */

/*!
    \file wolfssl/wolfcrypt/asn.h
*/

/*

DESCRIPTION
This library provides the interface to Abstract Syntax Notation One (ASN.1) objects.
ASN.1 is a standard interface description language for defining data structures
that can be serialized and deserialized in a cross-platform way.

*/
#ifndef WOLF_CRYPT_ASN_H
#define WOLF_CRYPT_ASN_H

#include <wolfssl/wolfcrypt/types.h>

#ifndef NO_ASN


#if !defined(NO_ASN_TIME) && defined(NO_TIME_H)
    #define NO_ASN_TIME /* backwards compatibility with NO_TIME_H */
#endif

#include <wolfssl/wolfcrypt/integer.h>

/* fips declare of RsaPrivateKeyDecode @wc_fips */
#if defined(HAVE_FIPS) && !defined(NO_RSA) && \
    (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2))
    #include <cyassl/ctaocrypt/rsa.h>
#endif

#ifndef NO_DH
    #include <wolfssl/wolfcrypt/dh.h>
#endif
#ifndef NO_DSA
    #include <wolfssl/wolfcrypt/dsa.h>
#endif
#ifndef NO_SHA
    #include <wolfssl/wolfcrypt/sha.h>
#endif
#ifndef NO_MD5
    #include <wolfssl/wolfcrypt/md5.h>
#endif
#include <wolfssl/wolfcrypt/sha256.h>
#include <wolfssl/wolfcrypt/asn_public.h>   /* public interface */

/* Fallback definition of the SHA-256 digest size for builds that define
 * both NO_SHA and NO_SHA256. */
#if defined(NO_SHA) && defined(NO_SHA256)
    #define WC_SHA256_DIGEST_SIZE 32
#endif

#ifdef __cplusplus
    extern "C" {
#endif

#ifndef EXTERNAL_SERIAL_SIZE
    #define EXTERNAL_SERIAL_SIZE 32
#endif

/* Two selector pairs share one anonymous enum, so ISSUER == BEFORE and
 * SUBJECT == AFTER numerically; the compiler cannot catch one being passed
 * where the other is expected. */
enum {
    ISSUER  = 0,
    SUBJECT = 1,

    BEFORE  = 0,
    AFTER   = 1
};

/* ASN Tags
 *
 * This one enum holds several independent value spaces (tag numbers, length
 * octet flags, class/constructed bits and context-specific field numbers),
 * so many enumerators share a value: ASN_LONG_LENGTH, ASN_INDEF_LENGTH and
 * ASN_CONTEXT_SPECIFIC are all 0x80, and most of the "fields" groups start
 * again at 0x00. A value is only meaningful for the position being parsed.
 */
enum ASN_Tags {
    ASN_EOC               = 0x00,
    ASN_BOOLEAN           = 0x01,
    ASN_INTEGER           = 0x02,
    ASN_BIT_STRING        = 0x03,
    ASN_OCTET_STRING      = 0x04,
    ASN_TAG_NULL          = 0x05,
    ASN_OBJECT_ID         = 0x06,
    ASN_ENUMERATED        = 0x0a,
    ASN_UTF8STRING        = 0x0c,
    ASN_SEQUENCE          = 0x10,
    ASN_SET               = 0x11,
    ASN_PRINTABLE_STRING  = 0x13,
    ASN_T61STRING         = 0x14,
    ASN_IA5_STRING        = 0x16,
    ASN_UTC_TIME          = 0x17,
    ASN_GENERALIZED_TIME  = 0x18,
    ASN_UNIVERSALSTRING   = 0x1c,
    ASN_BMPSTRING         = 0x1e,
    ASN_TYPE_MASK         = 0x1f,

    ASN_LONG_LENGTH       = 0x80,
    ASN_INDEF_LENGTH      = 0x80,

    /* ASN_Flags - Bitmask */
    ASN_CONSTRUCTED       = 0x20,
    ASN_APPLICATION       = 0x40,
    ASN_CONTEXT_SPECIFIC  = 0x80,
    ASN_PRIVATE           = 0xC0,

    CRL_EXTENSIONS        = 0xa0,
    ASN_EXTENSIONS        = 0xa3,

    /* GeneralName types */
    ASN_OTHER_TYPE        = 0x00,
    ASN_RFC822_TYPE       = 0x01,
    ASN_DNS_TYPE          = 0x02,
    ASN_DIR_TYPE          = 0x04,
    ASN_URI_TYPE          = 0x06, /* the value 6 is from GeneralName OID */
    ASN_IP_TYPE           = 0x07, /* the value 7 is from GeneralName OID */

    /* PKCS #7 types */
    ASN_ENC_CONTENT       = 0x00,
    ASN_OTHERNAME_VALUE   = 0x00,

    /* AuthorityKeyIdentifier fields */
    ASN_AUTHKEYID_KEYID   = 0x00,
    ASN_AUTHKEYID_ISSUER  = 0x01,
    ASN_AUTHKEYID_SERIAL  = 0x02,

    /* GeneralSubtree fields */
    ASN_SUBTREE_MIN       = 0x00,
    ASN_SUBTREE_MAX       = 0x01,

    /* x509 Cert Fields */
    ASN_X509_CERT_VERSION = 0x00,

    /* x509 Cert Extension Fields */
    ASN_AKID_KEYID        = 0x00,

    /* ECC Key Fields */
    ASN_ECC_PARAMS        = 0x00,
    ASN_ECC_PUBKEY        = 0x01,

    /* OneAsymmetricKey Fields */
    ASN_ASYMKEY_ATTRS     = 0x00,
    ASN_ASYMKEY_PUBKEY    = 0x01,
};

#define ASN_UTC_TIME_SIZE 14
#define ASN_GENERALIZED_TIME_SIZE 16
#define ASN_GENERALIZED_TIME_MAX 68

#ifdef WOLFSSL_ASN_TEMPLATE
/* Different data types that can be stored in ASNGetData/ASNSetData. */
enum ASNItem_DataType {
    /* Default for tag type. */
    ASN_DATA_TYPE_NONE = 0,
    /* 8-bit integer value. */
    ASN_DATA_TYPE_WORD8 = 1,
    /* 16-bit integer value. */
    ASN_DATA_TYPE_WORD16 = 2,
    /* 32-bit integer value. */
    ASN_DATA_TYPE_WORD32 = 4,
    /* Buffer with data and length. */
    ASN_DATA_TYPE_BUFFER = 5,
    /* An expected/required buffer with data and length. */
    ASN_DATA_TYPE_EXP_BUFFER = 6,
    /* Replace the item with buffer (data and length). */
    ASN_DATA_TYPE_REPLACE_BUFFER = 7,
    /* Big number as an mp_int. */
    ASN_DATA_TYPE_MP = 8,
    /* Big number as a positive or negative mp_int. */
    ASN_DATA_TYPE_MP_POS_NEG = 9,
    /* ASN.1 CHOICE. A 0 terminated list of tags that are valid. */
    ASN_DATA_TYPE_CHOICE = 10,
};

/* A template entry describing an ASN.1 item. */
typedef struct ASNItem {
    /* Depth of ASN.1 item - how many constructed ASN.1 items above. */
    byte depth;
    /* BER/DER tag to expect. */
    byte tag;
    /* Whether the ASN.1 item is constructed. */
    byte constructed:1;
    /* Whether to parse the header only or skip data. If
     * ASNSetData.data.buffer.data is supplied then this option gets
     * overwritten and the child nodes get ignored. */
    byte headerOnly:1;
    /* Whether ASN.1 item is optional.
     *  - 0 means not optional
     *  - 1 means is optional
     *  - 2+ means one of these at the same level with same value must appear.
     */
    byte optional;
} ASNItem;

/* Dynamic data for setting (encoding) an ASN.1 item.
 *
 * Which member of the data union is in use is recorded in dataType.
 */
typedef struct ASNSetData {
    /* Reverse offset into buffer of ASN.1 item - calculated in SizeASN_Items().
     * SetASN_Items() subtracts from total length to get usable value.
     */
    word32 offset;
    /* Length of data in ASN.1 item - calculated in SizeASN_Items(). */
    word32 length;
    /* Different data type representation. */
    union {
        /* 8-bit integer value. */
        byte    u8;
        /* 16-bit integer value. */
        word16  u16;
        /* 32-bit integer value. */
        word32  u32;
        /* Big number as an mp_int. */
        mp_int* mp;
        /* Buffer as data pointer and length. */
        struct {
            /* Data to write out. */
            const byte* data;
            /* Length of data to write out. */
            word32      length;
        } buffer;
    } data;
    /* Type of data stored in data field - enum ASNItem_DataType. */
    byte dataType;
    /* Don't write this ASN.1 item out.
     * Optional items are dependent on the data being encoded.
     */
    byte noOut;
} ASNSetData;

/* Dynamic data for getting (decoding) an ASN.1 item.
 *
 * Which member of the data union is in use is recorded in dataType. The ref
 * and oid members hold pointers into the input buffer, not copies.
 * NOTE(review): presumably those pointers are only usable while the input
 * buffer is alive and unmodified - confirm against the callers.
 */
typedef struct ASNGetData {
    /* Offset into buffer where encoding starts. */
    word32 offset;
    /* Total length of data in ASN.1 item.
     * BIT_STRING and INTEGER lengths include leading byte. */
    word32 length;
    union {
        /* Pointer to 8-bit integer. */
        byte*       u8;
        /* Pointer to 16-bit integer. */
        word16*     u16;
        /* Pointer to 32-bit integer. */
        word32*     u32;
        /* Pointer to mp_int for big number. */
        mp_int*     mp;
        /* List of possible tags. Useful for CHOICE ASN.1 items. */
        const byte* choice;
        /* Buffer to copy into. */
        struct {
            /* Buffer to hold ASN.1 data. */
            byte*   data;
            /* Maximum length of buffer. Note this is a pointer to the
             * length, not the length itself. */
            word32* length;
        } buffer;
        /* Reference to ASN.1 item's data. */
        struct {
            /* Pointer reference into input buffer. */
            const byte* data;
            /* Length of data. */
            word32      length;
        } ref;
        /* Data of an OBJECT_ID. */
        struct {
            /* OID data reference into input buffer. */
            const byte* data;
            /* Length of OID data. */
            word32      length;
            /* Type of OID expected. */
            word32      type;
            /* OID sum - 32-bit id. */
            word32      sum;
        } oid;
    } data;
    /* Type of data stored in data field - enum ASNItem_DataType. */
    byte dataType;
    /* Tag found in BER/DER item. */
    byte tag;
} ASNGetData;

/* Template driven sizing, encoding and decoding of ASN.1 items.
 * Each call takes a template (asn), the matching dynamic data (data) and the
 * number of items (count). GetASN_Items() additionally takes the input
 * buffer, an in/out index into it and maxIdx.
 * NOTE(review): maxIdx is presumably the index limit the decoder must not
 * read past - confirm in the implementation. */
WOLFSSL_LOCAL int SizeASN_Items(const ASNItem* asn, ASNSetData *data,
    int count, int* encSz);
WOLFSSL_LOCAL int SetASN_Items(const ASNItem* asn, ASNSetData *data, int count,
    byte* output);
WOLFSSL_LOCAL int GetASN_Items(const ASNItem* asn, ASNGetData *data, int count,
    int complete, const byte* input, word32* inOutIdx, word32 maxIdx);

#ifdef WOLFSSL_ASN_TEMPLATE_TYPE_CHECK
/* Function declarations for the item setup helpers. With
 * WOLFSSL_ASN_TEMPLATE_TYPE_CHECK defined the helpers have typed parameters;
 * otherwise the same names are defined as macros in the #else branch. */
WOLFSSL_LOCAL void GetASN_Int8Bit(ASNGetData *dataASN, byte* num);
WOLFSSL_LOCAL void GetASN_Int16Bit(ASNGetData *dataASN, word16* num);
WOLFSSL_LOCAL void GetASN_Int32Bit(ASNGetData *dataASN, word32* num);
WOLFSSL_LOCAL void GetASN_Buffer(ASNGetData *dataASN, byte* data,
    word32* length);
WOLFSSL_LOCAL void GetASN_ExpBuffer(ASNGetData *dataASN, const byte* data,
    word32 length);
WOLFSSL_LOCAL void GetASN_MP(ASNGetData *dataASN, mp_int* num);
WOLFSSL_LOCAL void GetASN_MP_PosNeg(ASNGetData *dataASN, mp_int* num);
WOLFSSL_LOCAL void GetASN_Choice(ASNGetData *dataASN, const byte* options);
WOLFSSL_LOCAL void GetASN_Boolean(ASNGetData *dataASN, byte* num);
WOLFSSL_LOCAL void GetASN_OID(ASNGetData *dataASN, int oidType);
WOLFSSL_LOCAL void GetASN_GetConstRef(ASNGetData * dataASN, const byte** data,
    word32* length);
WOLFSSL_LOCAL void GetASN_GetRef(ASNGetData * dataASN, byte** data,
    word32* length);
WOLFSSL_LOCAL void GetASN_OIDData(ASNGetData * dataASN, byte** data,
    word32* length);
WOLFSSL_LOCAL void SetASN_Boolean(ASNSetData *dataASN, byte val);
WOLFSSL_LOCAL void SetASN_Int8Bit(ASNSetData *dataASN, byte num);
WOLFSSL_LOCAL void SetASN_Int16Bit(ASNSetData *dataASN, word16 num);
WOLFSSL_LOCAL void SetASN_Buffer(ASNSetData *dataASN, const byte* data,
    word32 length);
WOLFSSL_LOCAL void SetASN_ReplaceBuffer(ASNSetData *dataASN, const byte* data,
    word32 length);
WOLFSSL_LOCAL void SetASN_MP(ASNSetData *dataASN, mp_int* num);
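WOLFSSL_LOCAL void SetASN_OID(ASNSetData *dataASN, int oid, int oidType);
#else
/* Macro forms of the item setup helpers.
 *
 * Arguments are not type checked here, and every argument is parenthesized
 * in the expansion so that an expression argument keeps its meaning.
 */

/* Setup ASN data item to get an 8-bit number.
 *
 * @param [in] dataASN  Dynamic ASN data item.
 * @param [in] num      Pointer to an 8-bit variable.
 */
#define GetASN_Int8Bit(dataASN, num)                                   \
    do {                                                               \
        (dataASN)->dataType = ASN_DATA_TYPE_WORD8;                     \
        (dataASN)->data.u8  = (num);                                   \
    } while (0)

/* Setup ASN data item to get a 16-bit number.
 *
 * @param [in] dataASN  Dynamic ASN data item.
 * @param [in] num      Pointer to a 16-bit variable.
 */
#define GetASN_Int16Bit(dataASN, num)                                  \
    do {                                                               \
        (dataASN)->dataType = ASN_DATA_TYPE_WORD16;                    \
        (dataASN)->data.u16 = (num);                                   \
    } while (0)

/* Setup ASN data item to get a 32-bit number.
 *
 * @param [in] dataASN  Dynamic ASN data item.
 * @param [in] num      Pointer to a 32-bit variable.
 */
#define GetASN_Int32Bit(dataASN, num)                                  \
    do {                                                               \
        (dataASN)->dataType = ASN_DATA_TYPE_WORD32;                    \
        (dataASN)->data.u32 = (num);                                   \
    } while (0)

/* Setup ASN data item to get data into a buffer of a specific length.
 *
 * @param [in] dataASN  Dynamic ASN data item.
 * @param [in] d        Buffer to hold data.
 * @param [in] l        Pointer to the length of the buffer in bytes
 *                      (ASNGetData.data.buffer.length is a word32*).
 */
#define GetASN_Buffer(dataASN, d, l)                                   \
    do {                                                               \
        (dataASN)->dataType           = ASN_DATA_TYPE_BUFFER;          \
        (dataASN)->data.buffer.data   = (d);                           \
        (dataASN)->data.buffer.length = (l);                           \
    } while (0)

/* Setup ASN data item to check parsed data against expected buffer.
 *
 * @param [in] dataASN  Dynamic ASN data item.
 * @param [in] d        Buffer containing expected data.
 * @param [in] l        Length of buffer in bytes.
 */
#define GetASN_ExpBuffer(dataASN, d, l)                                \
    do {                                                               \
        (dataASN)->dataType        = ASN_DATA_TYPE_EXP_BUFFER;         \
        (dataASN)->data.ref.data   = (d);                              \
        (dataASN)->data.ref.length = (l);                              \
    } while (0)

/* Setup ASN data item to get a number into an mp_int.
 *
 * @param [in] dataASN  Dynamic ASN data item.
 * @param [in] num      Multi-precision number object.
 */
#define GetASN_MP(dataASN, num)                                        \
    do {                                                               \
        (dataASN)->dataType = ASN_DATA_TYPE_MP;                        \
        (dataASN)->data.mp  = (num);                                   \
    } while (0)

/* Setup ASN data item to get a positive or negative number into an mp_int.
 *
 * @param [in] dataASN  Dynamic ASN data item.
 * @param [in] num      Multi-precision number object.
 */
#define GetASN_MP_PosNeg(dataASN, num)                                 \
    do {                                                               \
        (dataASN)->dataType = ASN_DATA_TYPE_MP_POS_NEG;                \
        (dataASN)->data.mp  = (num);                                   \
    } while (0)

/* Setup ASN data item to be a choice of tags.
 *
 * @param [in] dataASN  Dynamic ASN data item.
 * @param [in] options  0 terminated list of tags that are valid.
 */
#define GetASN_Choice(dataASN, options)                                \
    do {                                                               \
        (dataASN)->dataType    = ASN_DATA_TYPE_CHOICE;                 \
        (dataASN)->data.choice = (options);                            \
    } while (0)

/* Setup ASN data item to get a boolean value.
 *
 * @param [in] dataASN  Dynamic ASN data item.
 * @param [in] num      Pointer to an 8-bit variable.
 */
#define GetASN_Boolean(dataASN, num)                                   \
    do {                                                               \
        (dataASN)->dataType = ASN_DATA_TYPE_NONE;                      \
        (dataASN)->data.u8  = (num);                                   \
    } while (0)

/* Setup ASN data item to be an OID of a specific type.
 *
 * Expands to a single parenthesized assignment expression.
 *
 * @param [in] dataASN  Dynamic ASN data item.
 * @param [in] oidType  Type of OID to expect.
 */
#define GetASN_OID(dataASN, oidType)                                   \
    ((dataASN)->data.oid.type = (oidType))

/* Get the data and length from an ASN data item.
 *
 * @param [in]  dataASN  Dynamic ASN data item.
 * @param [out] d        Pointer to data of item.
 * @param [out] l        Length of buffer in bytes.
 */
#define GetASN_GetConstRef(dataASN, d, l)                              \
    do {                                                               \
        *(d) = (dataASN)->data.ref.data;                               \
        *(l) = (dataASN)->data.ref.length;                             \
    } while (0)

/* Get the data and length from an ASN data item.
 *
 * The stored reference is a const pointer into the input buffer; this macro
 * casts the const away, so writing through *d modifies the input buffer.
 * Prefer GetASN_GetConstRef() when the data is only read.
 *
 * @param [in]  dataASN  Dynamic ASN data item.
 * @param [out] d        Pointer to data of item.
 * @param [out] l        Length of buffer in bytes.
 */
#define GetASN_GetRef(dataASN, d, l)                                   \
    do {                                                               \
        *(d) = (byte*)(dataASN)->data.ref.data;                        \
        *(l) = (dataASN)->data.ref.length;                             \
    } while (0)

/* Get the data and length from an ASN data item that is an OID.
 *
 * As with GetASN_GetRef(), the const qualifier of the stored reference into
 * the input buffer is cast away.
 *
 * @param [in]  dataASN  Dynamic ASN data item.
 * @param [out] d        Pointer to the OID data of the item.
 * @param [out] l        Length of the OID data in bytes.
 */
#define GetASN_OIDData(dataASN, d, l)                                  \
    do {                                                               \
        *(d) = (byte*)(dataASN)->data.oid.data;                        \
        *(l) = (dataASN)->data.oid.length;                             \
    } while (0)

/* Setup an ASN data item to set a boolean.
 *
 * @param [in] dataASN  Dynamic ASN data item.
 * @param [in] val      Boolean value.
 */
#define SetASN_Boolean(dataASN, val)                                   \
    do {                                                               \
        (dataASN)->dataType = ASN_DATA_TYPE_NONE;                      \
        (dataASN)->data.u8  = (val);                                   \
    } while (0)

/* Setup an ASN data item to set an 8-bit number.
 *
 * @param [in] dataASN  Dynamic ASN data item.
 * @param [in] num      8-bit number to set.
 */
#define SetASN_Int8Bit(dataASN, num)                                   \
    do {                                                               \
        (dataASN)->dataType = ASN_DATA_TYPE_WORD8;                     \
        (dataASN)->data.u8  = (num);                                   \
    } while (0)

/* Setup an ASN data item to set a 16-bit number.
 *
 * @param [in] dataASN  Dynamic ASN data item.
 * @param [in] num      16-bit number to set.
 */
#define SetASN_Int16Bit(dataASN, num)                                  \
    do {                                                               \
        (dataASN)->dataType = ASN_DATA_TYPE_WORD16;                    \
        (dataASN)->data.u16 = (num);                                   \
    } while (0)

/* Setup an ASN data item to set the data in a buffer.
 *
 * Unlike the other setters this one leaves dataType untouched.
 *
 * @param [in] dataASN  Dynamic ASN data item.
 * @param [in] d        Buffer containing data to set.
 * @param [in] l        Length of data in buffer in bytes.
 */
#define SetASN_Buffer(dataASN, d, l)                                   \
    do {                                                               \
        (dataASN)->data.buffer.data   = (d);                           \
        (dataASN)->data.buffer.length = (l);                           \
    } while (0)

/* Setup an ASN data item to set the DER encoded data in a buffer.
 *
 * @param [in] dataASN  Dynamic ASN data item.
 * @param [in] d        Buffer containing BER encoded data to set.
 * @param [in] l        Length of data in buffer in bytes.
 */
#define SetASN_ReplaceBuffer(dataASN, d, l)                            \
    do {                                                               \
        (dataASN)->dataType           = ASN_DATA_TYPE_REPLACE_BUFFER;  \
        (dataASN)->data.buffer.data   = (d);                           \
        (dataASN)->data.buffer.length = (l);                           \
    } while (0)

/* Setup an ASN data item to set a multi-precision number.
 *
 * @param [in] dataASN  Dynamic ASN data item.
 * @param [in] num      Multi-precision number.
 */
#define SetASN_MP(dataASN, num)                                        \
    do {                                                               \
        (dataASN)->dataType = ASN_DATA_TYPE_MP;                        \
        (dataASN)->data.mp  = (num);                                   \
    } while (0)

/* Setup an ASN data item to set an OID based on id and type.
 *
 * oid and oidType pair are unique.
 *
 * Expands to a single parenthesized assignment expression. dataASN is
 * evaluated twice.
 * NOTE(review): the pointer returned by OidFromId() is stored unchecked;
 * confirm how an unknown (oid, oidType) pair is reported and that the
 * encoder handles it.
 *
 * @param [in] dataASN  Dynamic ASN data item.
 * @param [in] oid      OID identifier.
 * @param [in] oidType  Type of OID.
 */
#define SetASN_OID(dataASN, oid, oidType)                              \
    ((dataASN)->data.buffer.data = OidFromId((oid), (oidType),         \
                                   &(dataASN)->data.buffer.length))
#endif /* WOLFSSL_ASN_TEMPLATE_TYPE_CHECK */


/* The GetASNItem_* accessors below take the data item itself (not a pointer)
 * and compute pointer differences against 'in'. They are only meaningful
 * when 'in' is the buffer the item was parsed from, and none of them checks
 * a bound.
 */

/* Get address at the start of the BER item.
 *
 * @param [in] dataASN  Dynamic ASN data item.
 * @param [in] in       Input buffer.
 * @return  Address at start of BER item.
 */
#define GetASNItem_Addr(dataASN, in)                                   \
    ((in) + (dataASN).offset)

/* Get length of a BER item - including tag and length.
 *
 * @param [in] dataASN  Dynamic ASN data item.
 * @param [in] in       Input buffer.
 * @return  Length of a BER item.
 */
#define GetASNItem_Length(dataASN, in)                                 \
    ((dataASN).length + (word32)((dataASN).data.buffer.data - (in)) -  \
                                                      (dataASN).offset)

/* Get the index of a BER item's data.
 *
 * @param [in] dataASN  Dynamic ASN data item.
 * @param [in] in       Input buffer.
 * @return  Index of a BER item's data.
 */
#define GetASNItem_DataIdx(dataASN, in)                                \
    (word32)((dataASN).data.ref.data - (in))

/* Get the end index of a BER item - index of the start of the next item.
 *
 * @param [in] dataASN  Dynamic ASN data item.
 * @param [in] in       Input buffer.
 * @return  End index of a BER item.
 */
#define GetASNItem_EndIdx(dataASN, in)                                 \
    ((word32)((dataASN).data.ref.data - (in)) +                        \
     (dataASN).data.ref.length)

/* For a BIT_STRING, get the unused bits byte.
 *
 * Reads the byte immediately before the referenced data, so it must only be
 * used on an item that was parsed as a BIT_STRING; on any other item the
 * byte read is not an unused-bits count.
 *
 * @param [in] dataASN  Dynamic ASN data item.
 * @return  Unused bits byte in BIT_STRING.
 */
#define GetASNItem_UnusedBits(dataASN)                                 \
    (*((dataASN).data.ref.data - 1))

/* Set the data items at indices start to end inclusive to not be encoded.
 *
 * No bounds are checked: start and end must be valid indices of dataASN.
 * The arguments are evaluated more than once, and an argument that names a
 * variable called 'ii' would refer to the loop counter declared here.
 *
 * @param [in] dataASN  Dynamic ASN data item.
 * @param [in] start    First item not to be encoded.
 * @param [in] end      Last item not to be encoded.
 */
#define SetASNItem_NoOut(dataASN, start, end)                          \
    do {                                                               \
        int ii;                                                        \
        for (ii = (start); ii <= (end); ii++) {                        \
            (dataASN)[ii].noOut = 1;                                   \
        }                                                              \
    }                                                                  \
    while (0)

/* Set the data items below node to not be encoded.
 *
 * Items after node are marked until one is found whose depth is not greater
 * than the depth of node, or dataASNLen is reached. The arguments are
 * evaluated more than once, and an argument that names a variable called
 * 'ii' would refer to the loop counter declared here.
 *
 * @param [in] dataASN     Dynamic ASN data item.
 * @param [in] asn         ASN template items; the depth of each is read.
 * @param [in] node        Node whose children should not be encoded.
 * @param [in] dataASNLen  Number of items in dataASN.
 */
#define SetASNItem_NoOutBelow(dataASN, asn, node, dataASNLen)          \
    do {                                                               \
        int ii;                                                        \
        for (ii = (node) + 1; ii < (int)(dataASNLen); ii++) {          \
            if ((asn)[ii].depth <= (asn)[(node)].depth) {              \
                break;                                                 \
            }                                                          \
            (dataASN)[ii].noOut = 1;                                   \
        }                                                              \
    }                                                                  \
    while (0)

/* Set the node and all nodes below to not be encoded.
 *
 * The arguments are evaluated more than once, and an argument that names a
 * variable called 'ii' would refer to the loop counter declared here.
 *
 * @param [in] dataASN     Dynamic ASN data item.
 * @param [in] asn         ASN template items; the depth of each is read.
 * @param [in] node        Node which should not be encoded. Child nodes will
 *                         also not be encoded.
 * @param [in] dataASNLen  Number of items in dataASN.
 */
#define SetASNItem_NoOutNode(dataASN, asn, node, dataASNLen)           \
    do {                                                               \
        int ii;                                                        \
        (dataASN)[(node)].noOut = 1;                                   \
        for (ii = (node) + 1; ii < (int)(dataASNLen); ii++) {          \
            if ((asn)[ii].depth <= (asn)[(node)].depth) {              \
                break;                                                 \
            }                                                          \
            (dataASN)[ii].noOut = 1;                                   \
        }                                                              \
    }                                                                  \
    while (0)

#endif /* WOLFSSL_ASN_TEMPLATE */


/* Distinguished name attribute identifiers.
 * The pilot attribute group at the end reuses small values from the first
 * group (ASN_FAVOURITE_DRINK == ASN_SERIAL_NUMBER == 0x05), so a value has
 * to be interpreted together with the OID prefix it came from. */
enum DN_Tags {
    ASN_DN_NULL       = 0x00,
    ASN_COMMON_NAME   = 0x03,   /* CN */
    ASN_SUR_NAME      = 0x04,   /* SN */
    ASN_SERIAL_NUMBER = 0x05,   /* serialNumber */
    ASN_COUNTRY_NAME  = 0x06,   /* C  */
    ASN_LOCALITY_NAME = 0x07,   /* L  */
    ASN_STATE_NAME    = 0x08,   /* ST */
    ASN_STREET_ADDR   = 0x09,   /* street */
    ASN_ORG_NAME      = 0x0a,   /* O  */
    ASN_ORGUNIT_NAME  = 0x0b,   /* OU */
    ASN_BUS_CAT       = 0x0f,   /* businessCategory */
    ASN_POSTAL_CODE   = 0x11,   /* postalCode */
    ASN_EMAIL_NAME    = 0x98,   /* not actual OID (see attrEmailOid) */
    ASN_CUSTOM_NAME   = 0x99,   /* not actual OID (see CertOidField) */

    /* pilot attribute types
     * OID values of 0.9.2342.19200300.100.1.* */
    ASN_USER_ID          = 0x01, /* UID */
    ASN_FAVOURITE_DRINK  = 0x05, /* favouriteDrink */
    ASN_DOMAIN_COMPONENT = 0x19  /* DC */
};

/* This is the size of the smallest possible PEM header and footer */
extern const int pem_struct_min_sz;

#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
/* One entry of the object information table (wolfssl_object_info). */
typedef struct WOLFSSL_ObjectInfo {
    int nid;
    int id;
    word32 type;
    const char* sName;
    const char* lName;
} WOLFSSL_ObjectInfo;
extern const size_t wolfssl_object_info_sz;
extern const WOLFSSL_ObjectInfo wolfssl_object_info[];
#endif /* defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) */

/* DN Tag Strings */
#define WOLFSSL_COMMON_NAME         "/CN="
#define WOLFSSL_LN_COMMON_NAME      "/commonName="
#define WOLFSSL_SUR_NAME            "/SN="
#define WOLFSSL_SERIAL_NUMBER       "/serialNumber="
#define WOLFSSL_COUNTRY_NAME        "/C="
#define WOLFSSL_LN_COUNTRY_NAME     "/countryName="
#define WOLFSSL_LOCALITY_NAME       "/L="
#define WOLFSSL_LN_LOCALITY_NAME    "/localityName="
#define WOLFSSL_STATE_NAME          "/ST="
#define WOLFSSL_LN_STATE_NAME       "/stateOrProvinceName="
#define WOLFSSL_STREET_ADDR_NAME    "/street="
#define WOLFSSL_LN_STREET_ADDR_NAME "/streetAddress="
#define WOLFSSL_POSTAL_NAME         "/postalCode="
#define WOLFSSL_ORG_NAME            "/O="
#define WOLFSSL_LN_ORG_NAME         "/organizationName="
#define WOLFSSL_ORGUNIT_NAME        "/OU="
#define WOLFSSL_LN_ORGUNIT_NAME     "/organizationalUnitName="
#define WOLFSSL_DOMAIN_COMPONENT    "/DC="
#define WOLFSSL_LN_DOMAIN_COMPONENT "/domainComponent="
#define WOLFSSL_BUS_CAT             "/businessCategory="
#define WOLFSSL_JOI_C               "/jurisdictionC="
#define WOLFSSL_JOI_ST              "/jurisdictionST="
#define WOLFSSL_EMAIL_ADDR          "/emailAddress="

/* WOLFSSL_DOMAIN_COMPONENT ("/DC=") is defined once, in the list above. */
#define WOLFSSL_USER_ID             "/UID="
#define WOLFSSL_FAVOURITE_DRINK     "/favouriteDrink="

#if defined(WOLFSSL_APACHE_HTTPD)
    /* otherName strings */
    #define WOLFSSL_SN_MS_UPN       "msUPN"
    #define WOLFSSL_LN_MS_UPN       "Microsoft User Principal Name"
    #define WOLFSSL_MS_UPN_SUM 265
    #define WOLFSSL_SN_DNS_SRV      "id-on-dnsSRV"
    #define WOLFSSL_LN_DNS_SRV      "SRVName"
    /* TLS features extension strings */
    #define WOLFSSL_SN_TLS_FEATURE  "tlsfeature"
    #define WOLFSSL_LN_TLS_FEATURE  "TLS Feature"
    #define WOLFSSL_TLS_FEATURE_SUM 92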
#endif

#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
/* NIDs
 *
 * Two kinds of value are mixed here: plain numeric ids and, for several name
 * attributes, the DN_Tags attribute value (for example NID_surname is 0x04
 * and NID_streetAddress is ASN_STREET_ADDR).
 */
enum
{
    NID_undef = 0,
    NID_netscape_cert_type = NID_undef,
    NID_des = 66,
    NID_des3 = 67,
    NID_sha256 = 672,
    NID_sha384 = 673,
    NID_sha512 = 674,
    NID_sha512_224 = 1094,
    NID_sha512_256 = 1095,
    NID_pkcs9_unstructuredName = 49,
    NID_pkcs9_contentType = 50, /* 1.2.840.113549.1.9.3 */
    NID_pkcs9_challengePassword = 54,
    NID_hw_name_oid = 73,
    NID_id_pkix_OCSP_basic = 74,
    NID_any_policy = 75,
    NID_anyExtendedKeyUsage = 76,
    NID_givenName = 99,
    NID_initials = 101,
    NID_title = 106,
    NID_description = 107,
    NID_basic_constraints = 133,
    NID_key_usage = 129,     /* 2.5.29.15 */
    NID_ext_key_usage = 151, /* 2.5.29.37 */
    NID_subject_key_identifier = 128,
    NID_authority_key_identifier = 149,
    NID_private_key_usage_period = 130, /* 2.5.29.16 */
    NID_subject_alt_name = 131,
    NID_issuer_alt_name = 132,
    NID_info_access = 69,
    NID_sinfo_access = 79,      /* id-pe 11 */
    NID_name_constraints = 144, /* 2.5.29.30 */
    NID_crl_distribution_points = 145, /* 2.5.29.31 */
    NID_certificate_policies = 146,
    NID_policy_mappings = 147,
    NID_policy_constraints = 150,
    NID_inhibit_any_policy = 168,      /* 2.5.29.54 */
    NID_tlsfeature = 1020,             /* id-pe 24 */
    NID_buildingName = 1494,


    NID_commonName = 14,               /* CN Changed to not conflict
                                        * with PBE_SHA1_DES3 */
    NID_surname = 0x04,                /* SN */
    NID_serialNumber = 0x05,           /* serialNumber */
    NID_countryName = 0x06,            /* C  */
    NID_localityName = 0x07,           /* L  */
    NID_stateOrProvinceName = 0x08,    /* ST */
    NID_streetAddress = ASN_STREET_ADDR, /* street */
    NID_organizationName = 0x0a,       /* O  */
    NID_organizationalUnitName = 0x0b, /* OU */
    NID_jurisdictionCountryName = 0xc,
    NID_jurisdictionStateOrProvinceName = 0xd,
    NID_businessCategory = ASN_BUS_CAT,
    NID_domainComponent = ASN_DOMAIN_COMPONENT,
    NID_postalCode = ASN_POSTAL_CODE,  /* postalCode */
    NID_favouriteDrink = 462,
    NID_userId = 458,
    NID_emailAddress = 0x30,           /* emailAddress */
    NID_id_on_dnsSRV = 82,             /* 1.3.6.1.5.5.7.8.7 */
    NID_ms_upn = 265,                  /* 1.3.6.1.4.1.311.20.2.3 */

    NID_X9_62_prime_field = 406        /* 1.2.840.10045.1.1 */
};
#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */

enum ECC_TYPES
{
    ECC_PREFIX_0 = 160,
    ECC_PREFIX_1 = 161
};

#ifdef WOLFSSL_CERT_PIV
enum PIV_Tags {
    ASN_PIV_CERT          = 0x0A,
    ASN_PIV_NONCE         = 0x0B,
    ASN_PIV_SIGNED_NONCE  = 0x0C,

    ASN_PIV_TAG_CERT      = 0x70,
    ASN_PIV_TAG_CERT_INFO = 0x71,
    ASN_PIV_TAG_MSCUID    = 0x72,
    ASN_PIV_TAG_ERR_DET   = 0xFE,

    /* certificate info masks */
    ASN_PIV_CERT_INFO_COMPRESSED = 0x03,
    ASN_PIV_CERT_INFO_ISX509     = 0x04,
    /* GZIP is 0x01 */
    ASN_PIV_CERT_INFO_GZIP       = 0x01,
};
#endif /* WOLFSSL_CERT_PIV */


/* ASN_JOI_PREFIX is a 10 byte string; ASN_JOI_PREFIX_SZ must stay in step
 * with it. */
#define ASN_JOI_PREFIX_SZ       10
#define ASN_JOI_PREFIX  "\x2b\x06\x01\x04\x01\x82\x37\x3c\x02\x01"
#define ASN_JOI_C       0x3
#define ASN_JOI_ST      0x2

#ifndef WC_ASN_NAME_MAX
    #ifdef OPENSSL_EXTRA
        #define WC_ASN_NAME_MAX 330
    #else
        #define WC_ASN_NAME_MAX 256
    #endif
#endif
#define ASN_NAME_MAX WC_ASN_NAME_MAX

/* Sizes, counts and limits used by the ASN.1 code.
 * Several enumerators exist, or change value, only under particular build
 * options, so a size taken from here is specific to the build configuration.
 */
enum Misc_ASN {
    MAX_SALT_SIZE       =  64,     /* MAX PKCS Salt length */
    MAX_IV_SIZE         =  64,     /* MAX PKCS Iv length */
    ASN_BOOL_SIZE       =   2,     /* including type */
    ASN_ECC_HEADER_SZ   =   2,     /* String type + 1 byte len */
    ASN_ECC_CONTEXT_SZ  =   2,     /* Content specific type + 1 byte len */
#ifdef NO_SHA
    KEYID_SIZE          = WC_SHA256_DIGEST_SIZE,
#else
    KEYID_SIZE          = WC_SHA_DIGEST_SIZE,
#endif
    RSA_INTS            =   8,     /* RSA ints in private key */
    DSA_PARAM_INTS      =   3,     /* DSA parameter ints */
    RSA_PUB_INTS        =   2,     /* RSA ints in public key */
    DSA_PUB_INTS        =   4,     /* DSA ints in public key */
    DSA_INTS            =   5,     /* DSA ints in private key */
    MIN_DATE_SIZE       =  12,
    MAX_DATE_SIZE       =  32,
    ASN_GEN_TIME_SZ     =  15,     /* 7 numbers * 2 + Zulu tag */
#ifndef NO_RSA
#ifdef WOLFSSL_HAPROXY
    MAX_ENCODED_SIG_SZ  = 1024,    /* Supports 8192 bit keys */
#else
    MAX_ENCODED_SIG_SZ  = 512,     /* Supports 4096 bit keys */
#endif
#elif defined(HAVE_ECC)
    MAX_ENCODED_SIG_SZ  = 140,
#elif defined(HAVE_CURVE448)
    MAX_ENCODED_SIG_SZ  = 114,
#else
    MAX_ENCODED_SIG_SZ  =  64,
#endif
    MAX_SIG_SZ          = 256,
    MAX_ALGO_SZ         =  20,
    MAX_SHORT_SZ        =   6,     /* asn int + byte len + 4 byte length */
    MAX_LENGTH_SZ       =   4,     /* Max length size for DER encoding */
    MAX_SEQ_SZ          =   5,     /* enum(seq | con) + length(4) */
    MAX_SET_SZ          =   5,     /* enum(set | con) + length(4) */
    MAX_OCTET_STR_SZ    =   5,     /* enum(set | con) + length(4) */
    MAX_EXP_SZ          =   5,     /* enum(contextspec|con|exp) + length(4) */
    MAX_PRSTR_SZ        =   5,     /* enum(prstr) + length(4) */
    MAX_VERSION_SZ      =   5,     /* enum + id + version(byte) + (header(2))*/
    MAX_ENCODED_DIG_ASN_SZ= 9,     /* enum(bit or octet) + length(4) */
    MAX_ENCODED_DIG_SZ  =  64 + MAX_ENCODED_DIG_ASN_SZ, /* asn header + sha512 */
    /* NOTE(review): this stays sized for 4096 bit values even when
     * WOLFSSL_HAPROXY raises MAX_ENCODED_SIG_SZ for 8192 bit keys - confirm
     * that is intended. */
    MAX_RSA_INT_SZ      = 517,     /* RSA raw sz 4096 for bits + tag + len(4) */
    MAX_DSA_INT_SZ      = 389,     /* DSA raw sz 3072 for bits + tag + len(4) */
    MAX_DSA_PUBKEY_SZ   = (DSA_PUB_INTS * MAX_DSA_INT_SZ) + (2 * MAX_SEQ_SZ) +
                          2 + MAX_LENGTH_SZ, /* Maximum size of a DSA public
                                      key taken from wc_SetDsaPublicKey. */
    MAX_DSA_PRIVKEY_SZ  = (DSA_INTS * MAX_DSA_INT_SZ) + MAX_SEQ_SZ +
                          MAX_VERSION_SZ, /* Maximum size of a DSA Private
                                      key taken from DsaKeyIntsToDer. */
    MAX_RSA_E_SZ        =  16,     /* Max RSA public e size */
    MAX_CA_SZ           =  32,     /* Max encoded CA basic constraint length */
    MAX_SN_SZ           =  35,     /* Max encoded serial number (INT) length */
    MAX_DER_DIGEST_SZ     = MAX_ENCODED_DIG_SZ + MAX_ALGO_SZ + MAX_SEQ_SZ,
                                   /* Maximum DER digest size */
    MAX_DER_DIGEST_ASN_SZ = MAX_ENCODED_DIG_ASN_SZ + MAX_ALGO_SZ + MAX_SEQ_SZ,
                                   /* Maximum DER digest ASN header size */
                                   /* Max X509 header length indicates the
                                    * max length + 2 ('\n', '\0') */
    MAX_X509_HEADER_SZ  = (37 + 2), /* Maximum PEM Header/Footer Size */
#ifdef WOLFSSL_CERT_GEN
    #ifdef WOLFSSL_CERT_REQ
                          /* Max encoded cert req attributes length */
        MAX_ATTRIB_SZ   = MAX_SEQ_SZ * 3 + (11 + MAX_SEQ_SZ) * 2 +
                          MAX_PRSTR_SZ + CTC_NAME_SIZE, /* 11 is the OID size */
    #endif
    #if defined(WOLFSSL_ALT_NAMES) || defined(WOLFSSL_CERT_EXT)
        MAX_EXTENSIONS_SZ   = 1 + MAX_LENGTH_SZ + CTC_MAX_ALT_SIZE,
    #else
        MAX_EXTENSIONS_SZ   = 1 + MAX_LENGTH_SZ + MAX_CA_SZ,
    #endif
                                   /* Max total extensions, id + len + others */
#endif
#if defined(WOLFSSL_CERT_EXT) || defined(OPENSSL_EXTRA) || \
    defined(HAVE_PKCS7) || defined(OPENSSL_EXTRA_X509_SMALL)
    MAX_OID_SZ          = 32,      /* Max DER length of OID*/
    MAX_OID_STRING_SZ   = 64,      /* Max string length representation of OID*/
#endif
#ifdef WOLFSSL_CERT_EXT
    MAX_KID_SZ          = 45,      /* Max encoded KID length (SHA-256 case) */
    MAX_KEYUSAGE_SZ     = 18,      /* Max encoded Key Usage length */
    MAX_EXTKEYUSAGE_SZ  = 12 + (6 * (8 + 2)) +
                          CTC_MAX_EKU_OID_SZ, /* Max encoded ExtKeyUsage
                           (SEQ/LEN + OBJID + OCTSTR/LEN + SEQ +
                           (6 * (SEQ + OID))) */
#ifndef IGNORE_NETSCAPE_CERT_TYPE
    MAX_NSCERTTYPE_SZ   = MAX_SEQ_SZ + 17, /* SEQ + OID + OCTET STR +
                                            * NS BIT STR */
#endif
    MAX_CERTPOL_NB      = CTC_MAX_CERTPOL_NB,/* Max number of Cert Policy */
    MAX_CERTPOL_SZ      = CTC_MAX_CERTPOL_SZ,
#endif
    MAX_AIA_SZ          = 2,       /* Max Authority Info Access extension size*/
    OCSP_NONCE_EXT_SZ   = 35,      /* OCSP Nonce Extension size */
    MAX_OCSP_EXT_SZ     = 58,      /* Max OCSP Extension length */
    MAX_OCSP_NONCE_SZ   = 16,      /* OCSP Nonce size */
    MAX_PUBLIC_KEY_SZ   = MAX_DSA_PUBKEY_SZ + MAX_ALGO_SZ + MAX_SEQ_SZ * 2,
#ifdef WOLFSSL_ENCRYPTED_KEYS
    HEADER_ENCRYPTED_KEY_SIZE = 88,/* Extra header size for encrypted key */
#else
    HEADER_ENCRYPTED_KEY_SIZE = 0,
#endif
    TRAILING_ZERO       = 1,       /* Used for size of zero pad */
    ASN_TAG_SZ          = 1,       /* single byte ASN.1 tag */
    MIN_VERSION_SZ      = 3,       /* Min bytes needed for GetMyVersion */
    /* NOTE(review): WOLFSSL_X509_V3 below is 2 while MAX_X509_VERSION is 3 -
     * confirm whether the bound is compared against the encoded version
     * value or against that value plus one. */
    MAX_X509_VERSION    = 3,       /* Max X509 version allowed */
    MIN_X509_VERSION    = 0,       /* Min X509 version allowed */
    WOLFSSL_X509_V1     = 0,
    WOLFSSL_X509_V2     = 1,
    WOLFSSL_X509_V3     = 2,
#if defined(OPENSSL_ALL)  || defined(WOLFSSL_MYSQL_COMPATIBLE) || \
    defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) || \
    defined(OPENSSL_EXTRA) || defined(HAVE_PKCS7)
    MAX_TIME_STRING_SZ  = 25,      /* Max length of formatted time string */
#endif

    PKCS5_SALT_SZ       = 8,

    PEM_LINE_SZ        = 64,               /* Length of Base64 encoded line,
                                            * not including new line */
    PEM_LINE_LEN       = PEM_LINE_SZ + 12, /* PEM line max + fudge */
};

#ifndef WC_MAX_NAME_ENTRIES
    /* entries added to x509 name struct */
    #ifdef OPENSSL_EXTRA
        #define WC_MAX_NAME_ENTRIES 15
    #else
        #define WC_MAX_NAME_ENTRIES 13
    #endif
#endif
#define MAX_NAME_ENTRIES WC_MAX_NAME_ENTRIES


/* Classes of OID. oidIgnoreType takes the next value after oidCsrAttrType. */
enum Oid_Types {
    oidHashType         = 0,
    oidSigType          = 1,
    oidKeyType          = 2,
    oidCurveType        = 3,
    oidBlkType          = 4,
    oidOcspType         = 5,
    oidCertExtType      = 6,
    oidCertAuthInfoType = 7,
    oidCertPolicyType   = 8,
    oidCertAltNameType  = 9,
    oidCertKeyUseType   = 10,
    oidKdfType          = 11,
    oidKeyWrapType      = 12,
    oidCmsKeyAgreeType  = 13,
    oidPBEType          = 14,
    oidHmacType         = 15,
    oidCompressType     = 16,
    oidCertNameType     = 17,
    oidTlsExtType       = 18,
    oidCrlExtType       = 19,
    oidCsrAttrType      = 20,
    oidIgnoreType
};
/* OID "sum" identifiers.
 *
 * The *_Sum enums below identify an object identifier by one small integer
 * instead of its encoded bytes. The entries annotated with a dotted OID show
 * how the integer is formed: it is the arithmetic sum of the encoded OID
 * bytes, e.g. 2.5.29.19 -> 0x55 + 29 + 19 = 133 (BASIC_CA_OID) and
 * 1.3.101.112 -> 0x2b + 101 + 112 = 256 (ED25519k). Entries without an OID
 * comment presumably follow the same rule.
 *
 * A sum is not a unique name. Values visibly repeat across the enums in this
 * file, for example:
 *   414  SHA256h / AES128CBCb
 *   417  SHA224h / AES128_WRAP
 *    69  DESb / AUTH_INFO_OID
 *   652  DES3b / HMAC_SHA224_OID
 *   151  EXT_KEY_USAGE_OID / EKU_ANY_OID
 *   146  CERT_POLICY_OID / CP_ANY_OID
 *    79  SUBJECT_INFO_ACCESS / HW_NAME_OID / EKU_OCSP_SIGN_OID
 *   117  AIA_CA_ISSUER_OID / OCSP_BASIC_OID
 * so a sum must always be interpreted together with the OID category it was
 * decoded under (see the oidType argument of GetObjectId()/GetAlgoId()).
 *
 * NOTE(review): because the mapping is additive, two different OIDs of the
 * same category can also produce the same total. Whether the decoder also
 * compares the raw OID bytes is not visible in this header; confirm in the
 * implementation before treating a matching sum as proof of a specific
 * algorithm or extension.
 */

/* Hash algorithm OID sums. */
enum Hash_Sum {
    MD2h      = 646,
    MD5h      = 649,
    SHAh      =  88,
    SHA224h   = 417,
    SHA256h   = 414,
    SHA384h   = 415,
    SHA512h   = 416,
    SHA512_224h = 418,
    SHA512_256h = 419,
    SHA3_224h = 420,
    SHA3_256h = 421,
    SHA3_384h = 422,
    SHA3_512h = 423,
    SHAKE128h = 424,
    SHAKE256h = 425
};


#if !defined(NO_DES3) || !defined(NO_AES)
/* Block cipher OID sums. Each group exists only when the matching key size
 * (or DES3) is compiled in. */
enum Block_Sum {
#ifdef WOLFSSL_AES_128
    AES128CBCb = 414,
    AES128GCMb = 418,
    AES128CCMb = 419,
#endif
#ifdef WOLFSSL_AES_192
    AES192CBCb = 434,
    AES192GCMb = 438,
    AES192CCMb = 439,
#endif
#ifdef WOLFSSL_AES_256
    AES256CBCb = 454,
    AES256GCMb = 458,
    AES256CCMb = 459,
#endif
#ifndef NO_DES3
    DESb       = 69,
    DES3b      = 652
#endif
};
#endif /* !NO_DES3 || !NO_AES */


/* Public key algorithm OID sums. Used as the `ks` argument of
 * wc_CheckPrivateKey() declared later in this header. */
enum Key_Sum {
    DSAk           = 515,
    RSAk           = 645,
    ECDSAk         = 518,
    ED25519k       = 256, /* 1.3.101.112 */
    X25519k        = 254, /* 1.3.101.110 */
    ED448k         = 257, /* 1.3.101.113 */
    X448k          = 255, /* 1.3.101.111 */
    DHk            = 647, /* dhKeyAgreement OID: 1.2.840.113549.1.3.1 */
    FALCON_LEVEL1k = 268, /* 1.3.9999.3.1 */
    FALCON_LEVEL5k = 271  /* 1.3.9999.3.4 */
};

#if !defined(NO_AES) || defined(HAVE_PKCS7)
/* Key wrap algorithm OID sums. */
enum KeyWrap_Sum {
#ifdef WOLFSSL_AES_128
    AES128_WRAP  = 417,
#endif
#ifdef WOLFSSL_AES_192
    AES192_WRAP  = 437,
#endif
#ifdef WOLFSSL_AES_256
    AES256_WRAP  = 457,
#endif
#ifdef HAVE_PKCS7
    PWRI_KEK_WRAP = 680 /*id-alg-PWRI-KEK, 1.2.840.113549.1.9.16.3.9 */
#endif
};
#endif /* !NO_AES || PKCS7 */

/* Key agreement scheme identifiers, one per KDF hash (presumably OID sums
 * like the other enums; the OIDs themselves are not given here). */
enum Key_Agree {
    dhSinglePass_stdDH_sha1kdf_scheme   = 464,
    dhSinglePass_stdDH_sha224kdf_scheme = 188,
    dhSinglePass_stdDH_sha256kdf_scheme = 189,
    dhSinglePass_stdDH_sha384kdf_scheme = 190,
    dhSinglePass_stdDH_sha512kdf_scheme = 191,
};



/* Key derivation function OID sums. */
enum KDF_Sum {
    PBKDF2_OID = 660
};


/* HMAC algorithm OID sums. */
enum HMAC_Sum {
    HMAC_SHA224_OID   = 652,
    HMAC_SHA256_OID   = 653,
    HMAC_SHA384_OID   = 654,
    HMAC_SHA512_OID   = 655,
    HMAC_SHA3_224_OID = 426,
    HMAC_SHA3_256_OID = 427,
    HMAC_SHA3_384_OID = 428,
    HMAC_SHA3_512_OID = 429
};


/* Certificate extension OID sums. The dotted OID for each entry is given in
 * its comment. */
enum Extensions_Sum {
    BASIC_CA_OID    = 133,           /* 2.5.29.19 */
    ALT_NAMES_OID   = 131,           /* 2.5.29.17 */
    CRL_DIST_OID    = 145,           /* 2.5.29.31 */
    AUTH_INFO_OID   = 69,            /* 1.3.6.1.5.5.7.1.1 */
    AUTH_KEY_OID    = 149,           /* 2.5.29.35 */
    SUBJ_KEY_OID    = 128,           /* 2.5.29.14 */
    CERT_POLICY_OID = 146,           /* 2.5.29.32 */
    CRL_NUMBER_OID  = 134,           /* 2.5.29.20 */
    KEY_USAGE_OID   = 129,           /* 2.5.29.15 */
    INHIBIT_ANY_OID = 168,           /* 2.5.29.54 */
    EXT_KEY_USAGE_OID         = 151, /* 2.5.29.37 */
    NAME_CONS_OID             = 144, /* 2.5.29.30 */
    PRIV_KEY_USAGE_PERIOD_OID = 130, /* 2.5.29.16 */
    SUBJECT_INFO_ACCESS       = 79,  /* 1.3.6.1.5.5.7.1.11 */
    POLICY_MAP_OID            = 147, /* 2.5.29.33 */
    POLICY_CONST_OID          = 150, /* 2.5.29.36 */
    ISSUE_ALT_NAMES_OID       = 132, /* 2.5.29.18 */
    TLS_FEATURE_OID           = 92,  /* 1.3.6.1.5.5.7.1.24 */
    NETSCAPE_CT_OID           = 753, /* 2.16.840.1.113730.1.1 */
    OCSP_NOCHECK_OID          = 121, /* 1.3.6.1.5.5.7.48.1.5
                                         id-pkix-ocsp-nocheck */

    AKEY_PACKAGE_OID          = 1048 /* 2.16.840.1.101.2.1.2.78.5
                                        RFC 5958  - Asymmetric Key Packages */
};

/* Certificate policy OID sums. CP_ANY_OID has the same value as
 * CERT_POLICY_OID in Extensions_Sum. */
enum CertificatePolicy_Sum {
    CP_ANY_OID      = 146  /* id-ce 32 0 */
};

/* Hardware name OID sum (same value as SUBJECT_INFO_ACCESS and
 * EKU_OCSP_SIGN_OID in their own enums). */
enum SepHardwareName_Sum {
    HW_NAME_OID     = 79   /* 1.3.6.1.5.5.7.8.4 from RFC 4108*/
};

/* Authority Information Access method OID sums. */
enum AuthInfo_Sum {
    AIA_OCSP_OID      = 116, /* 1.3.6.1.5.5.7.48.1 */
    AIA_CA_ISSUER_OID = 117  /* 1.3.6.1.5.5.7.48.2 */
};

/* Extended Key Usage purpose OID sums. EKU_ANY_OID has the same value as
 * EXT_KEY_USAGE_OID (the extension itself) in Extensions_Sum. */
enum ExtKeyUsage_Sum { /* From RFC 5280 */
    EKU_ANY_OID         = 151, /* 2.5.29.37.0, anyExtendedKeyUsage         */
    EKU_SERVER_AUTH_OID = 71,  /* 1.3.6.1.5.5.7.3.1, id-kp-serverAuth      */
    EKU_CLIENT_AUTH_OID = 72,  /* 1.3.6.1.5.5.7.3.2, id-kp-clientAuth      */
    EKU_CODESIGNING_OID = 73,  /* 1.3.6.1.5.5.7.3.3, id-kp-codeSigning     */
    EKU_EMAILPROTECT_OID = 74, /* 1.3.6.1.5.5.7.3.4, id-kp-emailProtection */
    EKU_TIMESTAMP_OID   = 78,  /* 1.3.6.1.5.5.7.3.8, id-kp-timeStamping    */
    EKU_OCSP_SIGN_OID   = 79   /* 1.3.6.1.5.5.7.3.9, id-kp-OCSPSigning     */
};

#ifdef HAVE_LIBZ
/* Compression algorithm OID sums. */
enum CompressAlg_Sum {
    ZLIBc = 679  /* 1.2.840.113549.1.9.16.3.8, id-alg-zlibCompress */
};
#endif

/* Verification mode. Presumably the values accepted by the `verify` argument
 * of ParseCert(), ParseCertRelative() and DecodeToKey() declared later in
 * this header (TODO confirm).
 *
 * NOTE(review): NO_VERIFY is 0, so a zeroed or defaulted argument selects no
 * verification. What NO_VERIFY and VERIFY_SKIP_DATE leave unchecked is not
 * visible here; confirm in the implementation before using either on
 * certificates that come from an untrusted source. */
enum VerifyType {
    NO_VERIFY   = 0,
    VERIFY      = 1,
    VERIFY_CRL  = 2,
    VERIFY_OCSP = 3,
    VERIFY_NAME = 4,
    VERIFY_SKIP_DATE = 5,
    VERIFY_OCSP_CERT = 6,
};

#ifdef WOLFSSL_CERT_EXT
/* Selects a key identifier kind (by name: subject vs. authority key id). */
enum KeyIdType {
    SKID_TYPE = 0,
    AKID_TYPE = 1
};
#endif

#ifdef WOLFSSL_CERT_REQ
/* Certificate request attribute identifiers (presumably OID sums for the
 * oidCsrAttrType category; the OIDs are not given here). */
enum CsrAttrType {
    UNSTRUCTURED_NAME_OID = 654,
    PKCS9_CONTENT_TYPE_OID = 655,
    CHALLENGE_PASSWORD_OID = 659,
    SERIAL_NUMBER_OID = 94,
    EXTENSION_REQUEST_OID = 666,
};
#endif

/* Key usage extension bits (based on RFC 5280) */
/* All values fit in 16 bits, matching the word16 extKeyUsage member of
 * struct DecodedCert and the keyUsage member of struct Signer. */
#define KEYUSE_DIGITAL_SIG    0x0080
#define KEYUSE_CONTENT_COMMIT 0x0040
#define KEYUSE_KEY_ENCIPHER   0x0020
#define KEYUSE_DATA_ENCIPHER  0x0010
#define KEYUSE_KEY_AGREE      0x0008
#define KEYUSE_KEY_CERT_SIGN  0x0004
#define KEYUSE_CRL_SIGN       0x0002
#define KEYUSE_ENCIPHER_ONLY  0x0001
#define KEYUSE_DECIPHER_ONLY  0x8000

/* Extended Key Usage bits (internal mapping only) */
/* All values fit in 8 bits, matching the byte extExtKeyUsage member of
 * struct DecodedCert. */
#define EXTKEYUSE_USER        0x80
#define EXTKEYUSE_OCSP_SIGN   0x40
#define EXTKEYUSE_TIMESTAMP   0x20
#define EXTKEYUSE_EMAILPROT   0x10
#define EXTKEYUSE_CODESIGN    0x08
#define EXTKEYUSE_CLIENT_AUTH 0x04
#define EXTKEYUSE_SERVER_AUTH 0x02
#define EXTKEYUSE_ANY         0x01

/* Bit flags with a WC_NS_ prefix; presumably the Netscape certificate type
 * bits stored in the nsCertType member of struct DecodedCert (TODO confirm). */
#define WC_NS_SSL_CLIENT      0x80
#define WC_NS_SSL_SERVER      0x40
#define WC_NS_SMIME           0x20
#define WC_NS_OBJSIGN         0x10
#define WC_NS_SSL_CA          0x04
#define WC_NS_SMIME_CA        0x02
#define
WC_NS_OBJSIGN_CA      0x01


/* IP address sizes: raw IPv4 / IPv6 address lengths in bytes and the buffer
 * size for a textual address (overridable via WOLFSSL_MAX_IPSTR). */
#if defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA) || \
    defined(WOLFSSL_WPAS_SMALL) || defined(WOLFSSL_IP_ALT_NAME)
    #ifndef WOLFSSL_MAX_IPSTR
        #define WOLFSSL_MAX_IPSTR 46 /* max ip size IPv4 mapped IPv6 */
    #endif
    #define WOLFSSL_IP4_ADDR_LEN 4
    #define WOLFSSL_IP6_ADDR_LEN 16
#endif /* OPENSSL_ALL || WOLFSSL_IP_ALT_NAME */

typedef struct DNS_entry   DNS_entry;

/* One node of a singly linked list of alternative names. The name length is
 * carried in `len`; this header does not state that `name` is NUL
 * terminated, so length-based handling is the safe assumption (TODO confirm). */
struct DNS_entry {
    DNS_entry* next;   /* next on DNS list */
    int        type;   /* i.e. ASN_DNS_TYPE */
    int        len;    /* actual DNS len */
    char*      name;   /* actual DNS name */
#if defined(OPENSSL_ALL) || defined(WOLFSSL_IP_ALT_NAME)
    char*      ipString; /* human readable form of IP address */
#endif
};


typedef struct Base_entry  Base_entry;

/* One node of a singly linked list of name constraint bases (used for the
 * permittedNames / excludedNames lists of DecodedCert and Signer). */
struct Base_entry {
    Base_entry* next;   /* next on name base list */
    char*       name;   /* actual name base */
    int         nameSz; /* name length */
    byte        type;   /* Name base type (DNS or RFC822) */
};


/* Steps of a signature check. No explicit values are given, so the
 * enumerators count up from 0 in the order listed. */
enum SignatureState {
    SIG_STATE_BEGIN,
    SIG_STATE_HASH,
    SIG_STATE_KEY,
    SIG_STATE_DO,
    SIG_STATE_CHECK,
};


#ifdef HAVE_PK_CALLBACKS
#ifdef HAVE_ECC
    /* User supplied ECC verify callback. It receives the signature, the
     * hash and the DER key, plus an opaque ctx.
     * NOTE(review): the outcome is reported through two channels, the int
     * return and *result. Presumably the return reports whether the call
     * itself succeeded and *result whether the signature is valid; an
     * implementation should set *result on every path - TODO confirm. */
    typedef int (*wc_CallbackEccVerify)(
           const unsigned char* sig, unsigned int sigSz,
           const unsigned char* hash, unsigned int hashSz,
           const unsigned char* keyDer, unsigned int keySz,
           int* result, void* ctx);
#endif
#ifndef NO_RSA
    /* User supplied RSA verify callback. `sig` is not const and `out` is a
     * pointer to a pointer, so the callback may modify the signature buffer
     * and hands back a pointer through `out`. The return value convention is
     * not visible in this header. */
    typedef int (*wc_CallbackRsaVerify)(
           unsigned char* sig, unsigned int sigSz,
           unsigned char** out,
           const unsigned char* keyDer, unsigned int keySz,
           void* ctx);
#endif
#endif /* HAVE_PK_CALLBACKS */

#if defined(WOLFSSL_RENESAS_TSIP_TLS) || defined(WOLFSSL_RENESAS_SCEPROTECT) ||\
    defined(HAVE_PK_CALLBACKS)
/* Certificate attributes recorded for hardware assisted verification.
 * By name, the pubkey_* members locate the RSA modulus (n) and exponent (e);
 * whether the *_start values are offsets relative to `cert` is not shown
 * here - TODO confirm. */
typedef struct tagCertAttribute {
        byte   verifyByTSIP_SCE;
        word32 certBegin;
        word32 pubkey_n_start;
        word32 pubkey_n_len;
        word32 pubkey_e_start;
        word32 pubkey_e_len;
        int curve_id;
        const byte* cert;
        word32 certSz;
        const byte* keyIndex;
  } CertAttribute;
#endif

/* Working state for one signature verification. The set of members depends
 * on which algorithms are compiled in. The `key` union holds a pointer to
 * the key object in use (presumably selected by keyOID), and `state`
 * presumably holds an enum SignatureState value. */
struct SignatureCtx {
    void* heap;
    byte* digest;
#ifndef NO_RSA
    byte* out;
#endif
#if !(defined(NO_RSA) && defined(NO_DSA))
    byte* sigCpy;
#endif
#if defined(HAVE_ECC) || defined(HAVE_ED25519) || defined(HAVE_ED448) || \
    !defined(NO_DSA)
    int verify;
#endif
    union {
    #ifndef NO_RSA
        struct RsaKey*      rsa;
    #endif
    #ifndef NO_DSA
        struct DsaKey*      dsa;
    #endif
    #ifdef HAVE_ECC
        struct ecc_key*     ecc;
    #endif
    #ifdef HAVE_ED25519
        struct ed25519_key* ed25519;
    #endif
    #ifdef HAVE_ED448
        struct ed448_key* ed448;
    #endif
    #ifdef HAVE_PQC
        struct falcon_key* falcon;
    #endif
        void* ptr;
    } key;
    int devId;
    int state;
    int typeH;
    int digestSz;
    word32 keyOID;
#ifdef WOLFSSL_ASYNC_CRYPT
    WC_ASYNC_DEV* asyncDev;
    void* asyncCtx;
#endif

#ifdef HAVE_PK_CALLBACKS
#ifdef HAVE_ECC
    wc_CallbackEccVerify pkCbEcc;
    void* pkCtxEcc;
#endif
#ifndef NO_RSA
    wc_CallbackRsaVerify pkCbRsa;
    void* pkCtxRsa;
#endif
#endif /* HAVE_PK_CALLBACKS */
#ifndef NO_RSA
#if defined(WOLFSSL_RENESAS_TSIP_TLS) || defined(WOLFSSL_RENESAS_SCEPROTECT) ||\
    defined(HAVE_PK_CALLBACKS)
    CertAttribute  CertAtt;
#endif
#endif
};

/* Steps of signing a certificate; enumerators count up from 0. */
enum CertSignState {
    CERTSIGN_STATE_BEGIN,
    CERTSIGN_STATE_DIGEST,
    CERTSIGN_STATE_ENCODE,
    CERTSIGN_STATE_DO,
};

/* Working state for one certificate signing operation. */
struct CertSignCtx {
    byte* sig;
    byte* digest;
#ifndef NO_RSA
    byte* encSig;
    int encSigSz;
#endif
    int state; /* enum CertSignState */
};

/* Capacity of the dcIdx / dcLen arrays in struct DecodedName. */
#define DOMAIN_COMPONENT_MAX 10

/* Index/length bookkeeping for the components of a decoded name. Each
 * component has an Idx, a Len and (for most) a Nid member; by name these are
 * positions and lengths within fullName - TODO confirm.
 * NOTE(review): dcIdx and dcLen hold at most DOMAIN_COMPONENT_MAX entries;
 * the code that fills them must bound dcNum accordingly (not visible here). */
struct DecodedName {
    char*   fullName;
    int     fullNameLen;
    int     entryCount;
    int     cnIdx;
    int     cnLen;
    int     cnNid;
    int     snIdx;
    int     snLen;
    int     snNid;
    int     cIdx;
    int     cLen;
    int     cNid;
    int     lIdx;
    int     lLen;
    int     lNid;
    int     stIdx;
    int     stLen;
    int     stNid;
    int     oIdx;
    int     oLen;
    int     oNid;
    int     ouIdx;
    int     ouLen;
#ifdef WOLFSSL_CERT_EXT
    int     bcIdx;
    int     bcLen;
    int     jcIdx;
    int     jcLen;
    int     jsIdx;
    int     jsLen;
#endif
    int     ouNid;
    int     emailIdx;
    int     emailLen;
    int     emailNid;
    int     uidIdx;
    int     uidLen;
    int     uidNid;
    int     serialIdx;
    int     serialLen;
    int     serialNid;
    int     dcIdx[DOMAIN_COMPONENT_MAX];
    int     dcLen[DOMAIN_COMPONENT_MAX];
    int     dcNum;
    int     dcMode;
};

/* ASN Encoded Name field */
typedef struct EncodedName {
    int  nameLen;                /* actual string value length       */
    int  totalLen;               /* total encoded length             */
    int  type;                   /* type of name                     */
    int  used;                   /* are we actually using this one   */
    byte encoded[CTC_NAME_SIZE * 2]; /* encoding                     */
} EncodedName;

#ifndef WOLFSSL_MAX_PATH_LEN
    /* RFC 5280 Section 6.1.2. "Initialization" - item (k) defines
     *     (k)  max_path_length:  this integer is initialized to "n", is
     *     decremented for each non-self-issued certificate in the path,
     *     and may be reduced to the value in the path length constraint
     *     field within the basic constraints extension of a CA
     *     certificate.
     *
     * wolfSSL has arbitrarily selected the value 127 for "n" in the above
     * description. Users can modify the maximum path length by setting
     * WOLFSSL_MAX_PATH_LEN to a preferred value at build time
     *
     * NOTE(review): the maxPathLen members of DecodedCert and Signer are of
     * type byte. If they are initialized from this macro (not visible in
     * this header), an override above 255 would not fit - confirm.
     */
    #define WOLFSSL_MAX_PATH_LEN 127
#endif

typedef struct DecodedName DecodedName;
typedef struct DecodedCert DecodedCert;
typedef struct Signer      Signer;
#ifdef WOLFSSL_TRUST_PEER_CERT
typedef struct TrustedPeerCert TrustedPeerCert;
#endif /* WOLFSSL_TRUST_PEER_CERT */
typedef struct SignatureCtx SignatureCtx;
typedef struct CertSignCtx  CertSignCtx;


/* Parsed view of one certificate (or certificate request, see isCSR).
 *
 * Ownership: several members are documented below as pointing into the raw
 * input instead of owning memory (source, signature, extensions, issuerRaw,
 * subjectRaw). The input buffer therefore has to stay valid and unmodified
 * for as long as this struct is in use. NOTE(review): the remaining
 * `const byte*` members (extAuthInfo, extCrlInfo, beforeDate, afterDate, ...)
 * look like the same kind of view, and publicKey comes with a pubKeyStored
 * flag, so it may be an owned copy in some cases - confirm in the
 * implementation.
 *
 * Lengths: each pointer has its own length member. Nothing in this header
 * promises NUL termination of the name strings, so length-based comparison
 * is the safe assumption when matching names - TODO confirm.
 *
 * signatureOID, keyOID and pkCurveOID hold OID sums, which are only
 * meaningful within their OID category (the same integer is reused across
 * categories in this header).
 */
struct DecodedCert {
    const byte* publicKey;
    word32  pubKeySize;
    int     pubKeyStored;
    word32  certBegin;               /* offset to start of cert          */
    word32  sigIndex;                /* offset to start of signature     */
    word32  sigLength;               /* length of signature              */
    word32  signatureOID;            /* sum of algorithm object id       */
    word32  keyOID;                  /* sum of key algo  object id       */
    /* NOTE(review): the comment says "1 or 3" while the WOLFSSL_X509_V1..V3
     * constants in this header are 0..2; confirm which scale is stored. */
    int     version;                 /* cert version, 1 or 3             */
    DNS_entry* altNames;             /* alt names list of dns entries    */
#ifndef IGNORE_NAME_CONSTRAINTS
    DNS_entry* altEmailNames;        /* alt names list of RFC822 entries */
    DNS_entry* altDirNames;          /* alt names list of DIR entries    */
    Base_entry* permittedNames;      /* Permitted name bases             */
    Base_entry* excludedNames;       /* Excluded name bases              */
#endif /* IGNORE_NAME_CONSTRAINTS */
    byte    subjectHash[KEYID_SIZE]; /* hash of all Names                */
    byte    issuerHash[KEYID_SIZE];  /* hash of all Names                */
#ifdef HAVE_OCSP
    byte    subjectKeyHash[KEYID_SIZE]; /* hash of the public Key         */
    byte    issuerKeyHash[KEYID_SIZE]; /* hash of the public Key         */
#endif /* HAVE_OCSP */
    const byte* signature;           /* not owned, points into raw cert  */
    char*   subjectCN;               /* CommonName                       */
    int     subjectCNLen;            /* CommonName Length                */
    char    subjectCNEnc;            /* CommonName Encoding              */
    char    issuer[ASN_NAME_MAX];    /* full name including common name  */
    char    subject[ASN_NAME_MAX];   /* full name including common name  */
    int     verify;                  /* Default to yes, but could be off */
    const byte* source;              /* byte buffer holder cert, NOT owner */
    word32  srcIdx;                  /* current offset into buffer       */
    word32  maxIdx;                  /* max offset based on init size    */
    void*   heap;                    /* for user memory overrides        */
    byte    serial[EXTERNAL_SERIAL_SIZE];  /* raw serial number          */
    int     serialSz;                /* raw serial bytes stored */
    const byte* extensions;          /* not owned, points into raw cert  */
    int     extensionsSz;            /* length of cert extensions */
    word32  extensionsIdx;           /* if want to go back and parse later */
    const byte* extAuthInfo;         /* Authority Information Access URI */
    int     extAuthInfoSz;           /* length of the URI                */
#if defined(OPENSSL_ALL) || defined(WOLFSSL_QT)
    const byte* extAuthInfoCaIssuer; /* Authority Info Access caIssuer URI */
    int     extAuthInfoCaIssuerSz;   /* length of the caIssuer URI       */
#endif
    const byte* extCrlInfoRaw;       /* Entire CRL Distribution Points
                                      * Extension. This is useful when
                                      * re-generating the DER. */
    int     extCrlInfoRawSz;         /* length of the extension          */
    const byte* extCrlInfo;          /* CRL Distribution Points          */
    int     extCrlInfoSz;            /* length of the URI                */
    byte    extSubjKeyId[KEYID_SIZE]; /* Subject Key ID                  */
    byte    extAuthKeyId[KEYID_SIZE]; /* Authority Key ID                */
    byte    pathLength;              /* CA basic constraint path length  */
    byte    maxPathLen;              /* max_path_len see RFC 5280 section
                                      * 6.1.2 "Initialization" - (k) for
                                      * description of max_path_len */
    byte    policyConstSkip;         /* Policy Constraints skip certs value */
    word16  extKeyUsage;             /* Key usage bitfield               */
    byte    extExtKeyUsage;          /* Extended Key usage bitfield      */

#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
    const byte* extExtKeyUsageSrc;
    word32  extExtKeyUsageSz;
    word32  extExtKeyUsageCount;
#ifdef WOLFSSL_AKID_NAME
    const byte* extRawAuthKeyIdSrc;
    word32  extRawAuthKeyIdSz;
#endif
    const byte* extAuthKeyIdSrc;
    word32  extAuthKeyIdSz;
    const byte* extSubjKeyIdSrc;
    word32  extSubjKeyIdSz;
#endif
#ifdef OPENSSL_ALL
    const byte* extSubjAltNameSrc;
    word32  extSubjAltNameSz;
#endif

#if defined(HAVE_ECC) || defined(HAVE_ED25519) || defined(HAVE_ED448)
    word32  pkCurveOID;           /* Public Key's curve OID */
#endif /* HAVE_ECC */
    const byte* beforeDate;
    int     beforeDateLen;
    const byte* afterDate;
    int     afterDateLen;
#if defined(HAVE_PKCS7) || defined(WOLFSSL_CERT_EXT)
    const byte* issuerRaw;           /* pointer to issuer inside source */
    int     issuerRawLen;
#endif
#if !defined(IGNORE_NAME_CONSTRAINTS) || defined(WOLFSSL_CERT_EXT)
    const byte* subjectRaw;          /* pointer to subject inside source */
    int     subjectRawLen;
#endif
#if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT)
    /* easy access to subject info for other sign */
    char*   subjectSN;
    int     subjectSNLen;
    char    subjectSNEnc;
    char*   subjectC;
    int     subjectCLen;
    char    subjectCEnc;
    char*   subjectL;
    int     subjectLLen;
    char    subjectLEnc;
    char*   subjectST;
    int     subjectSTLen;
    char    subjectSTEnc;
    char*   subjectO;
    int     subjectOLen;
    char    subjectOEnc;
    char*   subjectOU;
    int     subjectOULen;
    char    subjectOUEnc;
    char*   subjectSND;
    int     subjectSNDLen;
    char    subjectSNDEnc;
#ifdef WOLFSSL_CERT_EXT
    char*   subjectStreet;
    int     subjectStreetLen;
    char    subjectStreetEnc;
    char*   subjectBC;
    int     subjectBCLen;
    char    subjectBCEnc;
    char*   subjectJC;
    int     subjectJCLen;
    char    subjectJCEnc;
    char*   subjectJS;
    int     subjectJSLen;
    char    subjectJSEnc;
    char*   subjectPC;
    int     subjectPCLen;
    char    subjectPCEnc;
#endif
    char*   subjectEmail;
    int     subjectEmailLen;
#endif /* defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT) */
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
    /* WOLFSSL_X509_NAME structures (used void* to avoid including ssl.h) */
    void* issuerName;
    void* subjectName;
#endif /* OPENSSL_EXTRA */
#ifdef WOLFSSL_SEP
    int     deviceTypeSz;
    byte*   deviceType;
    int     hwTypeSz;
    byte*   hwType;
    int     hwSerialNumSz;
    byte*   hwSerialNum;
#endif /* WOLFSSL_SEP */
#ifdef WOLFSSL_CERT_EXT
    char    extCertPolicies[MAX_CERTPOL_NB][MAX_CERTPOL_SZ];
    int     extCertPoliciesNb;
#endif /* WOLFSSL_CERT_EXT */
#ifndef IGNORE_NETSCAPE_CERT_TYPE
    byte    nsCertType;
#endif

#ifdef WOLFSSL_CERT_REQ
    /* CSR attributes */
    char*   contentType; /* Content Type */
    int     contentTypeLen;
    char*   cPwd; /* Challenge Password */
    int     cPwdLen;
    char*   sNum; /* Serial Number */
    int     sNumLen;
#endif /* WOLFSSL_CERT_REQ */

    Signer* ca;
#ifndef NO_CERTS
    SignatureCtx sigCtx;
#endif
#if defined(WOLFSSL_RENESAS_TSIP) || defined(WOLFSSL_RENESAS_SCEPROTECT)
    byte*  sce_tsip_encRsaKeyIdx;
#endif

    int badDate;
    int criticalExt;

    /* Option Bits */
    /* One-bit flags. The *Set flags record that an extension or value was
     * present; the *Crit flags (OpenSSL compatibility builds) presumably
     * record that the extension was marked critical - TODO confirm. */
    byte subjectCNStored : 1;      /* have we saved a copy we own */
    byte extSubjKeyIdSet : 1;      /* Set when the SKID was read from cert */
    byte extAuthKeyIdSet : 1;      /* Set when the AKID was read from cert */
#ifndef IGNORE_NAME_CONSTRAINTS
    byte extNameConstraintSet : 1;
#endif
    byte isCA : 1;                 /* CA basic constraint true */
    byte pathLengthSet : 1;        /* CA basic const path length set */
    byte weOwnAltNames : 1;        /* altNames haven't been given to copy */
    byte extKeyUsageSet : 1;
    byte extExtKeyUsageSet : 1;    /* Extended Key Usage set */
#ifdef HAVE_OCSP
    byte ocspNoCheckSet : 1;       /* id-pkix-ocsp-nocheck set */
#endif
    byte extCRLdistSet : 1;
    byte extAuthInfoSet : 1;
    byte extBasicConstSet : 1;
    byte extPolicyConstSet : 1;
    byte extPolicyConstRxpSet : 1; /* requireExplicitPolicy set */
    byte extPolicyConstIpmSet : 1; /* inhibitPolicyMapping set */
    byte extSubjAltNameSet : 1;
    byte inhibitAnyOidSet : 1;
    byte selfSigned : 1;           /* Indicates subject and issuer are same */
#if defined(WOLFSSL_SEP) || defined(WOLFSSL_QT)
    byte extCertPolicySet : 1;
#endif
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
    byte extCRLdistCrit : 1;
    byte extAuthInfoCrit : 1;
    byte extBasicConstCrit : 1;
    byte extPolicyConstCrit : 1;
    byte extSubjAltNameCrit : 1;
    byte extAuthKeyIdCrit : 1;
#ifndef IGNORE_NAME_CONSTRAINTS
    byte extNameConstraintCrit : 1;
#endif
    byte extSubjKeyIdCrit : 1;
    byte extKeyUsageCrit : 1;
    byte extExtKeyUsageCrit : 1;
#endif /* OPENSSL_EXTRA */
#if defined(WOLFSSL_SEP) || defined(WOLFSSL_QT)
    byte extCertPolicyCrit : 1;
#endif
#ifdef WOLFSSL_CERT_REQ
    byte isCSR : 1;                /* Do we intend on parsing a CSR? */
#endif
};

/* Size of the name / key-id hashes stored in Signer and TrustedPeerCert:
 * the SHA-256 digest size when SHA-1 is compiled out (NO_SHA), otherwise the
 * SHA-1 digest size. */
#ifdef NO_SHA
    #define SIGNER_DIGEST_SIZE WC_SHA256_DIGEST_SIZE
#else
    #define SIGNER_DIGEST_SIZE WC_SHA_DIGEST_SIZE
#endif

/* CA Signers */
/* if change layout change PERSIST_CERT_CACHE functions too */
/* One trusted CA entry, chained through `next`. */
struct Signer {
    word32  pubKeySize;
    word32  keyOID;                  /* key type */
    word16  keyUsage;
    byte    maxPathLen;
    byte    pathLength;
    byte    pathLengthSet : 1;
    byte    selfSigned : 1;
    const byte* publicKey;
    int     nameLen;
    char*   name;                    /* common name */
#ifndef IGNORE_NAME_CONSTRAINTS
        Base_entry* permittedNames;
        Base_entry* excludedNames;
#endif /* IGNORE_NAME_CONSTRAINTS */
    byte    subjectNameHash[SIGNER_DIGEST_SIZE];
                                     /* sha hash of names in certificate */
    #ifndef NO_SKID
        /* NOTE(review): the comment below repeats the subjectNameHash
         * wording; by its name this member holds a subject key identifier
         * hash - confirm and correct the comment. */
        byte    subjectKeyIdHash[SIGNER_DIGEST_SIZE];
                                     /* sha hash of names in certificate */
    #endif
    #ifdef HAVE_OCSP
        byte subjectKeyHash[KEYID_SIZE];
    #endif
#ifdef WOLFSSL_SIGNER_DER_CERT
    DerBuffer* derCert;
#endif
#if defined(WOLFSSL_RENESAS_TSIP_TLS) || defined(WOLFSSL_RENESAS_SCEPROTECT)
    word32 cm_idx;
#endif
    Signer* next;
};


#ifdef WOLFSSL_TRUST_PEER_CERT
/* used for having trusted peer certs rather than CA */
struct TrustedPeerCert {
    int     nameLen;
    char*   name;                    /* common name */
    #ifndef IGNORE_NAME_CONSTRAINTS
        Base_entry* permittedNames;
        Base_entry* excludedNames;
    #endif /* IGNORE_NAME_CONSTRAINTS */
    byte    subjectNameHash[SIGNER_DIGEST_SIZE];
                                     /* sha hash of names in certificate */
    #ifndef NO_SKID
        /* NOTE(review): same copy/paste comment as in struct Signer; by its
         * name this is a subject key identifier hash - confirm. */
        byte    subjectKeyIdHash[SIGNER_DIGEST_SIZE];
                                     /* sha hash of names in certificate */
    #endif
    word32 sigLen;
    byte*  sig;
    struct TrustedPeerCert* next;
};
#endif /* WOLFSSL_TRUST_PEER_CERT */


/* for testing or custom openssl wrappers */
/* WOLFSSL_ASN_API expands to WOLFSSL_API only in the builds listed below and
 * to WOLFSSL_LOCAL otherwise, so the functions marked with it are presumably
 * exported only in those builds. Enabling WOLFSSL_TEST_CERT therefore widens
 * the set of parser entry points exposed by the library. */
#if defined(WOLFSSL_TEST_CERT) || defined(OPENSSL_EXTRA) || \
    defined(OPENSSL_EXTRA_X509_SMALL)
    #define WOLFSSL_ASN_API WOLFSSL_API
#else
    #define WOLFSSL_ASN_API WOLFSSL_LOCAL
#endif

#ifdef HAVE_SMIME
/* 33..126 is the printable ASCII range without the space character. */
#define MIME_HEADER_ASCII_MIN 33
#define MIME_HEADER_ASCII_MAX 126

typedef struct MimeParam MimeParam;
typedef struct MimeHdr MimeHdr;

/* One attribute/value parameter of a MIME header, chained through `next`. */
struct MimeParam
{
    MimeParam*  next;
    char*       attribute;
    char*       value;
};

/* One MIME header (name and body) with its parameter list, chained through
 * `next`. */
struct MimeHdr
{
    MimeHdr*    next;
    MimeParam*  params;
    char*       name;
    char*       body;
};

typedef enum MimeTypes
{
    MIME_HDR,
    MIME_PARAM
} MimeTypes;

typedef enum MimeStatus
{
    MIME_NAMEATTR,
    MIME_BODYVAL
} MimeStatus;
#endif /* HAVE_SMIME */


/* NOTE(review): GetName() takes maxIdx as int, while most parsers declared
 * below take word32 maxIdx; watch for signed/unsigned conversion at call
 * sites. */
WOLFSSL_LOCAL int CalcHashId(const byte* data, word32 len, byte* hash);
WOLFSSL_LOCAL int GetName(DecodedCert* cert, int nameType, int maxIdx);

WOLFSSL_ASN_API int wc_BerToDer(const byte* ber, word32 berSz, byte* der,
                                word32* derSz);

/* DecodedCert life cycle and helpers. The buffer given to InitDecodedCert()
 * is presumably the one DecodedCert.source points at without owning it, so
 * it has to outlive the DecodedCert - TODO confirm. */
WOLFSSL_ASN_API void FreeAltNames(DNS_entry*, void*);
WOLFSSL_ASN_API DNS_entry* AltNameNew(void*);
#ifndef IGNORE_NAME_CONSTRAINTS
    WOLFSSL_ASN_API void FreeNameSubtrees(Base_entry*, void*);
#endif /* IGNORE_NAME_CONSTRAINTS */
WOLFSSL_ASN_API void InitDecodedCert(DecodedCert*, const byte*, word32, void*);
WOLFSSL_ASN_API void FreeDecodedCert(DecodedCert*);
WOLFSSL_ASN_API int  ParseCert(DecodedCert*, int type, int verify, void* cm);

WOLFSSL_LOCAL int DecodePolicyOID(char *o, word32 oSz,
                                  const byte *in, word32 inSz);
WOLFSSL_LOCAL int EncodePolicyOID(byte *out, word32 *outSz,
                                  const char *in, void* heap);
WOLFSSL_API int CheckCertSignature(const byte*,word32,void*,void* cm);
WOLFSSL_LOCAL int CheckCertSignaturePubKey(const byte* cert, word32 certSz,
        void* heap, const byte* pubKey, word32 pubKeySz, int pubKeyOID);
#ifdef WOLFSSL_CERT_REQ
WOLFSSL_LOCAL int CheckCSRSignaturePubKey(const byte* cert, word32 certSz, void* heap,
        const byte* pubKey, word32 pubKeySz, int pubKeyOID);
#endif /* WOLFSSL_CERT_REQ */
WOLFSSL_LOCAL int AddSignature(byte* buf, int bodySz, const byte* sig, int sigSz,
                        int sigAlgoType);
WOLFSSL_LOCAL int ParseCertRelative(DecodedCert*,int type,int verify,void* cm);
WOLFSSL_LOCAL int DecodeToKey(DecodedCert*, int verify);
#ifdef WOLFSSL_ASN_TEMPLATE
WOLFSSL_LOCAL int DecodeCert(DecodedCert*, int verify, int* criticalExt);
#endif
WOLFSSL_LOCAL int wc_GetPubX509(DecodedCert* cert, int verify, int* badDate);

WOLFSSL_LOCAL const byte* OidFromId(word32 id, word32 type, word32* oidSz);
WOLFSSL_LOCAL Signer* MakeSigner(void*);
WOLFSSL_LOCAL void    FreeSigner(Signer*, void*);
WOLFSSL_LOCAL void    FreeSignerTable(Signer**, int, void*);
#ifdef WOLFSSL_TRUST_PEER_CERT
WOLFSSL_LOCAL void    FreeTrustedPeer(TrustedPeerCert*, void*);
WOLFSSL_LOCAL void    FreeTrustedPeerTable(TrustedPeerCert**, int, void*);
#endif /* WOLFSSL_TRUST_PEER_CERT */

/* Private key container conversion and password based encryption.
 * ToTraditional()/ToTraditional_ex() take a non-const buffer, unlike the
 * *Inline variants which take const input and an in/out index. The
 * password-taking functions receive the password as pointer plus length;
 * this header states no contract for clearing password or key buffers, so
 * that remains with the caller - TODO confirm. */
WOLFSSL_ASN_API int ToTraditional(byte* buffer, word32 length);
WOLFSSL_ASN_API int ToTraditional_ex(byte* buffer, word32 length,
                                     word32* algId);
WOLFSSL_LOCAL int ToTraditionalInline(const byte* input, word32* inOutIdx,
                                      word32 length);
WOLFSSL_LOCAL int ToTraditionalInline_ex(const byte* input, word32* inOutIdx,
                                         word32 length, word32* algId);
WOLFSSL_LOCAL int ToTraditionalEnc(byte* buffer, word32 length,const char*,int,
                                   word32* algId);
WOLFSSL_ASN_API int UnTraditionalEnc(byte* key, word32 keySz, byte* out,
        word32* outSz, const char* password, int passwordSz, int vPKCS,
        int vAlgo, byte* salt, word32 saltSz, int itt, WC_RNG* rng, void* heap);
WOLFSSL_ASN_API int TraditionalEnc(byte* key, word32 keySz, byte* out,
        word32* outSz, const char* password, int passwordSz, int vPKCS,
        int vAlgo, int encAlgId, byte* salt, word32 saltSz, int itt,
        WC_RNG* rng, void* heap);
WOLFSSL_LOCAL int DecryptContent(byte* input, word32 sz,const char* psw,int pswSz);
WOLFSSL_LOCAL int EncryptContent(byte* input, word32 sz, byte* out, word32* outSz,
        const char* password,int passwordSz, int vPKCS, int vAlgo,
        byte* salt, word32 saltSz, int itt, WC_RNG* rng, void* heap);
WOLFSSL_LOCAL int wc_GetKeyOID(byte* key, word32 keySz, const byte** curveOID,
        word32* oidSz, int* algoID, void* heap);

/* Date and time helpers. */
typedef struct tm wolfssl_tm;
#if defined(OPENSSL_ALL) || defined(WOLFSSL_MYSQL_COMPATIBLE) || defined(OPENSSL_EXTRA) || \
    defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
WOLFSSL_LOCAL int GetTimeString(byte* date, int format, char* buf, int len);
#endif
#if !defined(NO_ASN_TIME) && defined(HAVE_PKCS7)
WOLFSSL_LOCAL int GetAsnTimeString(void* currTime, byte* buf, word32 len);
#endif
WOLFSSL_LOCAL int ExtractDate(const unsigned char* date, unsigned char format,
                                                 wolfssl_tm* certTime, int* idx);
WOLFSSL_LOCAL int DateGreaterThan(const struct tm* a, const struct tm* b);
WOLFSSL_LOCAL int wc_ValidateDate(const byte* date, byte format, int dateType);
WOLFSSL_LOCAL int wc_OBJ_sn2nid(const char *sn);

/* ASN.1 helper functions */
/* The Get* and Check* parsers below share one parameter shape: an input
 * buffer, an in/out offset (inOutIdx) and an upper bound (maxIdx). The bound
 * is presumably what keeps parsing inside the buffer, so callers need to
 * pass the real length of the data they hold - TODO confirm. */
#ifdef WOLFSSL_CERT_GEN
WOLFSSL_LOCAL int SetNameEx(byte* output, word32 outputSz, CertName* name, void* heap);
WOLFSSL_ASN_API int SetName(byte* output, word32 outputSz, CertName* name);
WOLFSSL_LOCAL const char* GetOneCertName(CertName* name, int idx);
WOLFSSL_LOCAL byte GetCertNameId(int idx);
#endif
WOLFSSL_LOCAL int GetShortInt(const byte* input, word32* inOutIdx, int* number,
                              word32 maxIdx);
WOLFSSL_LOCAL int SetShortInt(byte* input, word32* inOutIdx, word32 number,
                              word32 maxIdx);

WOLFSSL_LOCAL const char* GetSigName(int oid);
WOLFSSL_LOCAL int GetLength(const byte* input, word32* inOutIdx, int* len,
                           word32 maxIdx);
WOLFSSL_LOCAL int GetLength_ex(const byte* input, word32* inOutIdx, int* len,
                           word32 maxIdx, int check);
WOLFSSL_LOCAL int GetSequence(const byte* input, word32* inOutIdx, int* len,
                             word32 maxIdx);
WOLFSSL_LOCAL int GetSequence_ex(const byte* input, word32* inOutIdx, int* len,
                           word32 maxIdx, int check);
WOLFSSL_LOCAL int GetOctetString(const byte* input, word32* inOutIdx, int* len,
                         word32 maxIdx);
WOLFSSL_LOCAL int CheckBitString(const byte* input, word32* inOutIdx, int* len,
                          word32 maxIdx, int zeroBits, byte* unusedBits);
WOLFSSL_LOCAL int GetSet(const byte* input, word32* inOutIdx, int* len,
                        word32 maxIdx);
WOLFSSL_LOCAL int GetSet_ex(const byte* input, word32* inOutIdx, int* len,
                        word32 maxIdx, int check);
WOLFSSL_LOCAL int GetMyVersion(const byte* input, word32* inOutIdx,
                              int* version, word32 maxIdx);
WOLFSSL_LOCAL int GetInt(mp_int* mpi, const byte* input, word32* inOutIdx,
                        word32 maxIdx);

#ifdef HAVE_OID_ENCODING
    WOLFSSL_LOCAL int EncodeObjectId(const word16* in, word32 inSz,
        byte* out, word32* outSz);
#endif
#ifdef HAVE_OID_DECODING
    WOLFSSL_LOCAL int DecodeObjectId(const byte* in, word32 inSz,
        word16* out, word32* outSz);
#endif
/* GetObjectId()/GetAlgoId() return the OID through a word32 together with an
 * oidType argument; an OID value is only meaningful within that category. */
WOLFSSL_LOCAL int GetASNObjectId(const byte* input, word32* inOutIdx, int* len,
                                 word32 maxIdx);
WOLFSSL_LOCAL int SetObjectId(int len, byte* output);
WOLFSSL_LOCAL int GetObjectId(const byte* input, word32* inOutIdx, word32* oid,
                              word32 oidType, word32 maxIdx);
WOLFSSL_LOCAL int GetAlgoId(const byte* input, word32* inOutIdx, word32* oid,
                           word32 oidType, word32 maxIdx);
WOLFSSL_LOCAL int GetASNTag(const byte* input, word32* idx, byte* tag,
                            word32 inputSz);

/* Encoders. Most Set* functions take only an output pointer and no output
 * size, so the caller is responsible for providing a large enough buffer. */
WOLFSSL_LOCAL word32 SetASNLength(word32 length, byte* output);
WOLFSSL_LOCAL word32 SetASNSequence(word32 len, byte* output);
WOLFSSL_LOCAL word32 SetASNOctetString(word32 len, byte* output);
WOLFSSL_LOCAL word32 SetASNImplicit(byte tag,byte number, word32 len,
                                    byte* output);
WOLFSSL_LOCAL word32 SetASNExplicit(byte number, word32 len, byte* output);
WOLFSSL_LOCAL word32 SetASNSet(word32 len, byte* output);

WOLFSSL_LOCAL word32 SetLength(word32 length, byte* output);
WOLFSSL_LOCAL word32 SetSequence(word32 len, byte* output);
WOLFSSL_LOCAL word32 SetOctetString(word32 len, byte* output);
WOLFSSL_LOCAL int SetASNInt(int len, byte firstByte, byte* output);
WOLFSSL_LOCAL word32 SetBitString(word32 len, byte unusedBits, byte* output);
WOLFSSL_LOCAL word32 SetImplicit(byte tag,byte number,word32 len,byte* output);
WOLFSSL_LOCAL word32 SetExplicit(byte number, word32 len, byte* output);
WOLFSSL_LOCAL word32 SetSet(word32 len, byte* output);
WOLFSSL_LOCAL word32 SetAlgoID(int algoOID,byte* output,int type,int curveSz);
WOLFSSL_LOCAL int SetMyVersion(word32 version, byte* output, int header);
WOLFSSL_LOCAL int SetSerialNumber(const byte* sn, word32 snSz, byte* output,
    word32 outputSz, int maxSnSz);
#ifndef WOLFSSL_ASN_TEMPLATE
WOLFSSL_LOCAL int GetSerialNumber(const byte* input, word32* inOutIdx,
    byte* serial, int* serialSz, word32 maxIdx);
#endif
/* NOTE(review): GetNameHash() takes maxIdx as int where the neighbouring
 * parsers take word32; watch for signed/unsigned conversion at call sites. */
WOLFSSL_LOCAL int GetNameHash(const byte* source, word32* idx, byte* hash,
                             int maxIdx);
WOLFSSL_LOCAL int wc_CheckPrivateKeyCert(const byte* key, word32 keySz, DecodedCert* der);
WOLFSSL_LOCAL int wc_CheckPrivateKey(const byte* privKey, word32 privKeySz,
                                     const byte* pubKey, word32 pubKeySz, enum Key_Sum ks);
WOLFSSL_LOCAL int StoreDHparams(byte* out, word32* outLen, mp_int* p, mp_int* g);
#ifdef WOLFSSL_DH_EXTRA
WOLFSSL_API int wc_DhPublicKeyDecode(const byte* input, word32* inOutIdx,
                DhKey* key, word32 inSz);
#endif
WOLFSSL_LOCAL int FlattenAltNames( byte*, word32, const DNS_entry*);

WOLFSSL_LOCAL int wc_EncodeName(EncodedName* name, const char* nameStr,
                                char nameType, byte type);
WOLFSSL_LOCAL int wc_EncodeNameCanonical(EncodedName* name, const char* nameStr,
                                char nameType, byte type);

#if defined(HAVE_ECC) || !defined(NO_DSA)
    /* ASN sig helpers */
    WOLFSSL_LOCAL int StoreECC_DSA_Sig(byte* out, word32* outLen, mp_int* r,
                                      mp_int* s);
    WOLFSSL_LOCAL int StoreECC_DSA_Sig_Bin(byte* out, word32* outLen,
        const byte* r, word32 rLen, const byte* s, word32 sLen);
    WOLFSSL_LOCAL int DecodeECC_DSA_Sig_Bin(const byte* sig, word32 sigLen,
        byte* r, word32* rLen, byte* s, word32* sLen);
    WOLFSSL_LOCAL int DecodeECC_DSA_Sig(const byte* sig, word32 sigLen,
                                       mp_int* r, mp_int* s);
#endif
#ifndef NO_DSA
WOLFSSL_LOCAL int StoreDSAParams(byte*, word32*, const mp_int*, const mp_int*,
    const mp_int*);
#endif
#if defined HAVE_ECC && (defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL))
WOLFSSL_API int EccEnumToNID(int n);
#endif

WOLFSSL_LOCAL void InitSignatureCtx(SignatureCtx* sigCtx, void* heap, int devId);
WOLFSSL_LOCAL void FreeSignatureCtx(SignatureCtx* sigCtx);

#ifndef NO_CERTS

WOLFSSL_LOCAL int wc_EncryptedInfoParse(EncryptedInfo* info,
                                        const char** pBuffer, size_t bufSz);

WOLFSSL_LOCAL int PemToDer(const unsigned char* buff, long sz, int type,
                          DerBuffer** pDer, void* heap, EncryptedInfo* info,
                          int* eccKey);
WOLFSSL_LOCAL int AllocDer(DerBuffer** der, word32 length, int type, void* heap);
WOLFSSL_LOCAL void FreeDer(DerBuffer** der);

#endif /* !NO_CERTS */

#ifdef HAVE_SMIME
/* MIME header parsing helpers. Several take a non-const char* input, so
 * they may modify the buffer they are given (not confirmed by this header). */
WOLFSSL_LOCAL int wc_MIME_parse_headers(char* in, int inLen, MimeHdr** hdrs);
WOLFSSL_LOCAL int wc_MIME_header_strip(char* in, char** out, size_t start, size_t end);
WOLFSSL_LOCAL int wc_MIME_create_header(char* name, char* body, MimeHdr** hdr);
WOLFSSL_LOCAL int wc_MIME_create_parameter(char* attribute, char* value, MimeParam** param);
WOLFSSL_LOCAL MimeHdr* wc_MIME_find_header_name(const char* name, MimeHdr* hdr);
WOLFSSL_LOCAL MimeParam* wc_MIME_find_param_attr(const char* attribute, MimeParam* param);
WOLFSSL_LOCAL char* wc_MIME_canonicalize(const char* line);
WOLFSSL_LOCAL int wc_MIME_free_hdrs(MimeHdr* head);
#endif /* HAVE_SMIME */

#ifdef WOLFSSL_CERT_GEN

/* Key type selectors used by certificate generation. These are plain
 * identifiers, distinct from the Key_Sum OID sums. */
enum cert_enums {
    RSA_KEY             = 10,
    ECC_KEY             = 12,
    ED25519_KEY         = 13,
    ED448_KEY           = 14,
    DSA_KEY             = 15,
    FALCON_LEVEL1_KEY   = 16,
    FALCON_LEVEL5_KEY   = 17
};

#endif /* WOLFSSL_CERT_GEN */



/* for pointer use */
typedef struct CertStatus CertStatus;

#ifdef HAVE_OCSP

/* Status of the OCSP response as a whole. Only OCSP_SUCCESSFUL indicates
 * that the response carries certificate status information. */
enum Ocsp_Response_Status {
    OCSP_SUCCESSFUL        = 0, /* Response has valid confirmations */
    OCSP_MALFORMED_REQUEST = 1, /* Illegal confirmation request */
    OCSP_INTERNAL_ERROR    = 2, /* Internal error in issuer */
    OCSP_TRY_LATER         = 3, /* Try again later */
    OCSP_SIG_REQUIRED      = 5, /* Must sign the request (4 is skipped) */
    OCSP_UNAUTHORIZED      = 6  /* Request unauthorized */
};


/* Status reported for a single certificate.
 * NOTE(review): CERT_GOOD is 0, so a zero-initialized status field reads as
 * "good". A status should only be trusted after a response has been parsed
 * and its signature checked; how CERT_UNKNOWN is treated is decided by the
 * caller and is not visible in this header. */
enum Ocsp_Cert_Status {
    CERT_GOOD    = 0,
    CERT_REVOKED = 1,
    CERT_UNKNOWN = 2
};


/* OCSP related OID sums (OCSP_BASIC_OID has the same value as
 * AIA_CA_ISSUER_OID in AuthInfo_Sum). */
enum Ocsp_Sums {
    OCSP_BASIC_OID = 117,
    OCSP_NONCE_OID = 118
};

#ifdef OPENSSL_EXTRA
enum Ocsp_Verify_Error {
    OCSP_VERIFY_ERROR_NONE = 0,
    OCSP_BAD_ISSUER = 1
};
#endif


typedef struct OcspRequest  OcspRequest;
typedef struct OcspResponse OcspResponse;


struct CertStatus {
    CertStatus* next;

    byte serial[EXTERNAL_SERIAL_SIZE];
    int  serialSz;
#ifdef OPENSSL_EXTRA
    WOLFSSL_ASN1_INTEGER* serialInt;
#endif

    int  status;

    byte thisDate[MAX_DATE_SIZE];
    byte nextDate[MAX_DATE_SIZE];
    byte thisDateFormat;
    byte nextDateFormat;

#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || \ 2085 defined(WOLFSSL_HAPROXY) || defined(HAVE_LIGHTY) 2086 WOLFSSL_ASN1_TIME thisDateParsed; 2087 WOLFSSL_ASN1_TIME nextDateParsed; 2088 byte* thisDateAsn; 2089 byte* nextDateAsn; 2090 #endif 2091 2092 byte* rawOcspResponse; 2093 word32 rawOcspResponseSz; 2094 }; 2095 2096 typedef struct OcspEntry OcspEntry; 2097 2098 #ifdef NO_SHA 2099 #define OCSP_DIGEST_SIZE WC_SHA256_DIGEST_SIZE 2100 #else 2101 #define OCSP_DIGEST_SIZE WC_SHA_DIGEST_SIZE 2102 #endif 2103 2104 struct OcspEntry 2105 { 2106 OcspEntry *next; /* next entry */ 2107 word32 hashAlgoOID; /* hash algo ID */ 2108 byte issuerHash[OCSP_DIGEST_SIZE]; /* issuer hash */ 2109 byte issuerKeyHash[OCSP_DIGEST_SIZE]; /* issuer public key hash */ 2110 CertStatus *status; /* OCSP response list */ 2111 int totalStatus; /* number on list */ 2112 byte* rawCertId; /* raw bytes of the CertID */ 2113 int rawCertIdSize; /* num bytes in raw CertID */ 2114 /* option bits - using 32-bit for alignment */ 2115 word32 ownStatus:1; /* do we need to free the status 2116 * response list */ 2117 word32 isDynamic:1; /* was dynamically allocated */ 2118 word32 used:1; /* entry used */ 2119 }; 2120 2121 /* TODO: Long-term, it would be helpful if we made this struct and other OCSP 2122 structs conform to the ASN spec as described in RFC 6960. It will help 2123 with readability and with implementing OpenSSL compatibility API 2124 functions, because OpenSSL's OCSP data structures conform to the 2125 RFC. 
*/ 2126 struct OcspResponse { 2127 int responseStatus; /* return code from Responder */ 2128 2129 byte* response; /* Pointer to beginning of OCSP Response */ 2130 word32 responseSz; /* length of the OCSP Response */ 2131 2132 byte producedDate[MAX_DATE_SIZE]; 2133 /* Date at which this response was signed */ 2134 byte producedDateFormat; /* format of the producedDate */ 2135 2136 byte* cert; 2137 word32 certSz; 2138 2139 byte* sig; /* Pointer to sig in source */ 2140 word32 sigSz; /* Length in octets for the sig */ 2141 word32 sigOID; /* OID for hash used for sig */ 2142 2143 OcspEntry* single; /* chain of OCSP single responses */ 2144 2145 byte* nonce; /* pointer to nonce inside ASN.1 response */ 2146 int nonceSz; /* length of the nonce string */ 2147 2148 byte* source; /* pointer to source buffer, not owned */ 2149 word32 maxIdx; /* max offset based on init size */ 2150 2151 #ifdef OPENSSL_EXTRA 2152 int verifyError; 2153 #endif 2154 void* heap; 2155 }; 2156 2157 2158 struct OcspRequest { 2159 byte issuerHash[KEYID_SIZE]; 2160 byte issuerKeyHash[KEYID_SIZE]; 2161 byte* serial; /* copy of the serial number in source cert */ 2162 int serialSz; 2163 #ifdef OPENSSL_EXTRA 2164 WOLFSSL_ASN1_INTEGER* serialInt; 2165 #endif 2166 byte* url; /* copy of the extAuthInfo in source cert */ 2167 int urlSz; 2168 2169 byte nonce[MAX_OCSP_NONCE_SZ]; 2170 int nonceSz; 2171 void* heap; 2172 void* ssl; 2173 }; 2174 2175 WOLFSSL_LOCAL void InitOcspResponse(OcspResponse*, OcspEntry*, CertStatus*, byte*, word32, void*); 2176 WOLFSSL_LOCAL void FreeOcspResponse(OcspResponse*); 2177 WOLFSSL_LOCAL int OcspResponseDecode(OcspResponse*, void*, void* heap, int); 2178 2179 WOLFSSL_LOCAL int InitOcspRequest(OcspRequest*, DecodedCert*, byte, void*); 2180 WOLFSSL_LOCAL void FreeOcspRequest(OcspRequest*); 2181 WOLFSSL_LOCAL int EncodeOcspRequest(OcspRequest*, byte*, word32); 2182 WOLFSSL_LOCAL word32 EncodeOcspRequestExtensions(OcspRequest*, byte*, word32); 2183 2184 2185 WOLFSSL_LOCAL int 
CompareOcspReqResp(OcspRequest*, OcspResponse*); 2186 2187 2188 #endif /* HAVE_OCSP */ 2189 2190 2191 /* for pointer use */ 2192 typedef struct RevokedCert RevokedCert; 2193 2194 #ifdef HAVE_CRL 2195 2196 struct RevokedCert { 2197 byte serialNumber[EXTERNAL_SERIAL_SIZE]; 2198 int serialSz; 2199 RevokedCert* next; 2200 }; 2201 2202 typedef struct DecodedCRL DecodedCRL; 2203 2204 struct DecodedCRL { 2205 word32 certBegin; /* offset to start of cert */ 2206 word32 sigIndex; /* offset to start of signature */ 2207 word32 sigLength; /* length of signature */ 2208 word32 signatureOID; /* sum of algorithm object id */ 2209 byte* signature; /* pointer into raw source, not owned */ 2210 byte issuerHash[SIGNER_DIGEST_SIZE]; /* issuer name hash */ 2211 byte crlHash[SIGNER_DIGEST_SIZE]; /* raw crl data hash */ 2212 byte lastDate[MAX_DATE_SIZE]; /* last date updated */ 2213 byte nextDate[MAX_DATE_SIZE]; /* next update date */ 2214 byte lastDateFormat; /* format of last date */ 2215 byte nextDateFormat; /* format of next date */ 2216 RevokedCert* certs; /* revoked cert list */ 2217 int totalCerts; /* number on list */ 2218 void* heap; 2219 #ifndef NO_SKID 2220 byte extAuthKeyIdSet; 2221 byte extAuthKeyId[SIGNER_DIGEST_SIZE]; /* Authority Key ID */ 2222 #endif 2223 }; 2224 2225 WOLFSSL_LOCAL void InitDecodedCRL(DecodedCRL*, void* heap); 2226 WOLFSSL_LOCAL int VerifyCRL_Signature(SignatureCtx* sigCtx, 2227 const byte* toBeSigned, word32 tbsSz, 2228 const byte* signature, word32 sigSz, 2229 word32 signatureOID, Signer *ca, 2230 void* heap); 2231 WOLFSSL_LOCAL int ParseCRL(DecodedCRL*, const byte* buff, word32 sz, void* cm); 2232 WOLFSSL_LOCAL void FreeDecodedCRL(DecodedCRL*); 2233 2234 2235 #endif /* HAVE_CRL */ 2236 2237 2238 #ifdef __cplusplus 2239 } /* extern "C" */ 2240 #endif 2241 2242 #endif /* !NO_ASN */ 2243 2244 2245 #if !defined(NO_ASN) || !defined(NO_PWDBASED) 2246 2247 #ifndef MAX_KEY_SIZE 2248 #define MAX_KEY_SIZE 64 /* MAX PKCS Key length */ 2249 #endif 2250 #ifndef 
MAX_UNICODE_SZ 2251 #define MAX_UNICODE_SZ 256 2252 #endif 2253 2254 enum PBESTypes { 2255 PBE_MD5_DES = 0, 2256 PBE_SHA1_RC4_128 = 1, 2257 PBE_SHA1_DES = 2, 2258 PBE_SHA1_DES3 = 3, 2259 PBE_AES256_CBC = 4, 2260 PBE_AES128_CBC = 5, 2261 PBE_SHA1_40RC2_CBC = 6, 2262 2263 PBE_SHA1_RC4_128_SUM = 657, 2264 PBE_SHA1_DES3_SUM = 659, 2265 PBE_MD5_DES_SUM = 651, 2266 PBE_SHA1_DES_SUM = 658, 2267 PBES2_SUM = 661, 2268 2269 PBES2 = 13, /* algo ID */ 2270 PBES1_MD5_DES = 3, 2271 PBES1_SHA1_DES = 10, 2272 }; 2273 2274 enum PKCSTypes { 2275 PKCS5v2 = 6, /* PKCS #5 v2.0 */ 2276 PKCS12v1 = 12, /* PKCS #12 */ 2277 PKCS5 = 5, /* PKCS oid tag */ 2278 PKCS8v0 = 0, /* default PKCS#8 version */ 2279 PKCS8v1 = 1, /* PKCS#8 version including public key */ 2280 PKCS1v0 = 0, /* default PKCS#1 version */ 2281 PKCS1v1 = 1, /* Multi-prime version */ 2282 }; 2283 2284 #endif /* !NO_ASN || !NO_PWDBASED */ 2285 2286 #endif /* WOLF_CRYPT_ASN_H */ 2287