1 /* $OpenBSD: x509_lcl.h,v 1.16 2022/08/15 11:52:37 tb Exp $ */ 2 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 3 * project 2013. 4 */ 5 /* ==================================================================== 6 * Copyright (c) 2013 The OpenSSL Project. All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in 17 * the documentation and/or other materials provided with the 18 * distribution. 19 * 20 * 3. All advertising materials mentioning features or use of this 21 * software must display the following acknowledgment: 22 * "This product includes software developed by the OpenSSL Project 23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 24 * 25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 26 * endorse or promote products derived from this software without 27 * prior written permission. For written permission, please contact 28 * licensing@OpenSSL.org. 29 * 30 * 5. Products derived from this software may not be called "OpenSSL" 31 * nor may "OpenSSL" appear in their names without prior written 32 * permission of the OpenSSL Project. 33 * 34 * 6. Redistributions of any form whatsoever must retain the following 35 * acknowledgment: 36 * "This product includes software developed by the OpenSSL Project 37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 38 * 39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 50 * OF THE POSSIBILITY OF SUCH DAMAGE. 51 * ==================================================================== 52 * 53 * This product includes cryptographic software written by Eric Young 54 * (eay@cryptsoft.com). This product includes software written by Tim 55 * Hudson (tjh@cryptsoft.com). 56 * 57 */ 58 59 #ifndef HEADER_X509_LCL_H 60 #define HEADER_X509_LCL_H 61 62 __BEGIN_HIDDEN_DECLS 63 64 #define TS_HASH_EVP EVP_sha1() 65 #define TS_HASH_LEN SHA_DIGEST_LENGTH 66 67 #define X509_CERT_HASH_EVP EVP_sha512() 68 #define X509_CERT_HASH_LEN SHA512_DIGEST_LENGTH 69 #define X509_CRL_HASH_EVP EVP_sha512() 70 #define X509_CRL_HASH_LEN SHA512_DIGEST_LENGTH 71 72 struct X509_pubkey_st { 73 X509_ALGOR *algor; 74 ASN1_BIT_STRING *public_key; 75 EVP_PKEY *pkey; 76 }; 77 78 struct X509_sig_st { 79 X509_ALGOR *algor; 80 ASN1_OCTET_STRING *digest; 81 } /* X509_SIG */; 82 83 struct X509_name_entry_st { 84 ASN1_OBJECT *object; 85 ASN1_STRING *value; 86 int set; 87 int size; /* temp variable */ 88 } /* X509_NAME_ENTRY */; 89 90 /* we always keep X509_NAMEs in 2 forms. */ 91 struct X509_name_st { 92 STACK_OF(X509_NAME_ENTRY) *entries; 93 int modified; /* true if 'bytes' needs to be built */ 94 #ifndef OPENSSL_NO_BUFFER 95 BUF_MEM *bytes; 96 #else 97 char *bytes; 98 #endif 99 /* unsigned long hash; Keep the hash around for lookups */ 100 unsigned char *canon_enc; 101 int canon_enclen; 102 } /* X509_NAME */; 103 104 struct X509_extension_st { 105 ASN1_OBJECT *object; 106 ASN1_BOOLEAN critical; 107 ASN1_OCTET_STRING *value; 108 } /* X509_EXTENSION */; 109 110 struct x509_attributes_st { 111 ASN1_OBJECT *object; 112 STACK_OF(ASN1_TYPE) *set; 113 } /* X509_ATTRIBUTE */; 114 115 struct X509_req_info_st { 116 ASN1_ENCODING enc; 117 ASN1_INTEGER *version; 118 X509_NAME *subject; 119 X509_PUBKEY *pubkey; 120 /* d=2 hl=2 l= 0 cons: cont: 00 */ 121 STACK_OF(X509_ATTRIBUTE) *attributes; /* [ 0 ] */ 122 } /* X509_REQ_INFO */; 123 124 struct X509_req_st { 125 X509_REQ_INFO *req_info; 126 X509_ALGOR *sig_alg; 127 ASN1_BIT_STRING *signature; 128 int references; 129 } /* X509_REQ */; 130 131 /* 132 * This stuff is certificate "auxiliary info" it contains details which are 133 * useful in certificate stores and databases. When used this is tagged onto 134 * the end of the certificate itself. 135 */ 136 struct x509_cert_aux_st { 137 STACK_OF(ASN1_OBJECT) *trust; /* trusted uses */ 138 STACK_OF(ASN1_OBJECT) *reject; /* rejected uses */ 139 ASN1_UTF8STRING *alias; /* "friendly name" */ 140 ASN1_OCTET_STRING *keyid; /* key id of private key */ 141 STACK_OF(X509_ALGOR) *other; /* other unspecified info */ 142 } /* X509_CERT_AUX */; 143 144 struct x509_cinf_st { 145 ASN1_INTEGER *version; /* [ 0 ] default of v1 */ 146 ASN1_INTEGER *serialNumber; 147 X509_ALGOR *signature; 148 X509_NAME *issuer; 149 X509_VAL *validity; 150 X509_NAME *subject; 151 X509_PUBKEY *key; 152 ASN1_BIT_STRING *issuerUID; /* [ 1 ] optional in v2 */ 153 ASN1_BIT_STRING *subjectUID; /* [ 2 ] optional in v2 */ 154 STACK_OF(X509_EXTENSION) *extensions; /* [ 3 ] optional in v3 */ 155 ASN1_ENCODING enc; 156 } /* X509_CINF */; 157 158 struct x509_st { 159 X509_CINF *cert_info; 160 X509_ALGOR *sig_alg; 161 ASN1_BIT_STRING *signature; 162 int valid; 163 int references; 164 char *name; 165 CRYPTO_EX_DATA ex_data; 166 /* These contain copies of various extension values */ 167 long ex_pathlen; 168 long ex_pcpathlen; 169 unsigned long ex_flags; 170 unsigned long ex_kusage; 171 unsigned long ex_xkusage; 172 unsigned long ex_nscert; 173 ASN1_OCTET_STRING *skid; 174 AUTHORITY_KEYID *akid; 175 X509_POLICY_CACHE *policy_cache; 176 STACK_OF(DIST_POINT) *crldp; 177 STACK_OF(GENERAL_NAME) *altname; 178 NAME_CONSTRAINTS *nc; 179 #ifndef OPENSSL_NO_RFC3779 180 STACK_OF(IPAddressFamily) *rfc3779_addr; 181 struct ASIdentifiers_st *rfc3779_asid; 182 #endif 183 unsigned char hash[X509_CERT_HASH_LEN]; 184 time_t not_before; 185 time_t not_after; 186 X509_CERT_AUX *aux; 187 } /* X509 */; 188 189 struct x509_revoked_st { 190 ASN1_INTEGER *serialNumber; 191 ASN1_TIME *revocationDate; 192 STACK_OF(X509_EXTENSION) /* optional */ *extensions; 193 /* Set up if indirect CRL */ 194 STACK_OF(GENERAL_NAME) *issuer; 195 /* Revocation reason */ 196 int reason; 197 int sequence; /* load sequence */ 198 }; 199 200 struct X509_crl_info_st { 201 ASN1_INTEGER *version; 202 X509_ALGOR *sig_alg; 203 X509_NAME *issuer; 204 ASN1_TIME *lastUpdate; 205 ASN1_TIME *nextUpdate; 206 STACK_OF(X509_REVOKED) *revoked; 207 STACK_OF(X509_EXTENSION) /* [0] */ *extensions; 208 ASN1_ENCODING enc; 209 } /* X509_CRL_INFO */; 210 211 struct X509_crl_st { 212 /* actual signature */ 213 X509_CRL_INFO *crl; 214 X509_ALGOR *sig_alg; 215 ASN1_BIT_STRING *signature; 216 int references; 217 int flags; 218 /* Copies of various extensions */ 219 AUTHORITY_KEYID *akid; 220 ISSUING_DIST_POINT *idp; 221 /* Convenient breakdown of IDP */ 222 int idp_flags; 223 int idp_reasons; 224 /* CRL and base CRL numbers for delta processing */ 225 ASN1_INTEGER *crl_number; 226 ASN1_INTEGER *base_crl_number; 227 unsigned char hash[X509_CRL_HASH_LEN]; 228 STACK_OF(GENERAL_NAMES) *issuers; 229 const X509_CRL_METHOD *meth; 230 void *meth_data; 231 } /* X509_CRL */; 232 233 struct pkcs8_priv_key_info_st { 234 ASN1_INTEGER *version; 235 X509_ALGOR *pkeyalg; 236 ASN1_OCTET_STRING *pkey; 237 STACK_OF(X509_ATTRIBUTE) *attributes; 238 }; 239 240 struct x509_object_st { 241 /* one of the above types */ 242 int type; 243 union { 244 X509 *x509; 245 X509_CRL *crl; 246 } data; 247 } /* X509_OBJECT */; 248 249 struct x509_lookup_method_st { 250 const char *name; 251 int (*new_item)(X509_LOOKUP *ctx); 252 void (*free)(X509_LOOKUP *ctx); 253 int (*init)(X509_LOOKUP *ctx); 254 int (*shutdown)(X509_LOOKUP *ctx); 255 int (*ctrl)(X509_LOOKUP *ctx, int cmd, const char *argc, long argl, 256 char **ret); 257 int (*get_by_subject)(X509_LOOKUP *ctx, int type, X509_NAME *name, 258 X509_OBJECT *ret); 259 int (*get_by_issuer_serial)(X509_LOOKUP *ctx, int type, X509_NAME *name, 260 ASN1_INTEGER *serial,X509_OBJECT *ret); 261 int (*get_by_fingerprint)(X509_LOOKUP *ctx, int type, 262 const unsigned char *bytes, int len, X509_OBJECT *ret); 263 int (*get_by_alias)(X509_LOOKUP *ctx, int type, const char *str, 264 int len, X509_OBJECT *ret); 265 } /* X509_LOOKUP_METHOD */; 266 267 struct X509_VERIFY_PARAM_st { 268 char *name; 269 time_t check_time; /* Time to use */ 270 unsigned long inh_flags; /* Inheritance flags */ 271 unsigned long flags; /* Various verify flags */ 272 int purpose; /* purpose to check untrusted certificates */ 273 int trust; /* trust setting to check */ 274 int depth; /* Verify depth */ 275 int security_level; /* 'Security level', see SP800-57. */ 276 STACK_OF(ASN1_OBJECT) *policies; /* Permissible policies */ 277 X509_VERIFY_PARAM_ID *id; /* opaque ID data */ 278 } /* X509_VERIFY_PARAM */; 279 280 /* 281 * This is used to hold everything. It is used for all certificate 282 * validation. Once we have a certificate chain, the 'verify' 283 * function is then called to actually check the cert chain. 284 */ 285 struct x509_store_st { 286 /* The following is a cache of trusted certs */ 287 STACK_OF(X509_OBJECT) *objs; /* Cache of all objects */ 288 289 /* These are external lookup methods */ 290 STACK_OF(X509_LOOKUP) *get_cert_methods; 291 292 X509_VERIFY_PARAM *param; 293 294 /* Callbacks for various operations */ 295 int (*verify)(X509_STORE_CTX *ctx); /* called to verify a certificate */ 296 int (*verify_cb)(int ok,X509_STORE_CTX *ctx); /* error callback */ 297 int (*get_issuer)(X509 **issuer, X509_STORE_CTX *ctx, X509 *x); /* get issuers cert from ctx */ 298 int (*check_issued)(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); /* check issued */ 299 int (*check_revocation)(X509_STORE_CTX *ctx); /* Check revocation status of chain */ 300 int (*get_crl)(X509_STORE_CTX *ctx, X509_CRL **crl, X509 *x); /* retrieve CRL */ 301 int (*check_crl)(X509_STORE_CTX *ctx, X509_CRL *crl); /* Check CRL validity */ 302 int (*cert_crl)(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x); /* Check certificate against CRL */ 303 STACK_OF(X509) * (*lookup_certs)(X509_STORE_CTX *ctx, X509_NAME *nm); 304 STACK_OF(X509_CRL) * (*lookup_crls)(X509_STORE_CTX *ctx, X509_NAME *nm); 305 int (*cleanup)(X509_STORE_CTX *ctx); 306 307 CRYPTO_EX_DATA ex_data; 308 int references; 309 } /* X509_STORE */; 310 311 /* This is the functions plus an instance of the local variables. */ 312 struct x509_lookup_st { 313 int init; /* have we been started */ 314 X509_LOOKUP_METHOD *method; /* the functions */ 315 char *method_data; /* method data */ 316 317 X509_STORE *store_ctx; /* who owns us */ 318 } /* X509_LOOKUP */; 319 320 /* 321 * This is used when verifying cert chains. Since the gathering of the cert 322 * chain can take some time (and has to be 'retried'), this needs to be kept 323 * and passed around. 324 */ 325 struct x509_store_ctx_st { 326 X509_STORE *store; 327 int current_method; /* used when looking up certs */ 328 329 /* The following are set by the caller */ 330 X509 *cert; /* The cert to check */ 331 STACK_OF(X509) *untrusted; /* chain of X509s - untrusted - passed in */ 332 STACK_OF(X509_CRL) *crls; /* set of CRLs passed in */ 333 334 X509_VERIFY_PARAM *param; 335 void *other_ctx; /* Other info for use with get_issuer() */ 336 337 /* Callbacks for various operations */ 338 int (*verify)(X509_STORE_CTX *ctx); /* called to verify a certificate */ 339 int (*verify_cb)(int ok,X509_STORE_CTX *ctx); /* error callback */ 340 int (*get_issuer)(X509 **issuer, X509_STORE_CTX *ctx, X509 *x); /* get issuers cert from ctx */ 341 int (*check_issued)(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); /* check issued */ 342 int (*check_revocation)(X509_STORE_CTX *ctx); /* Check revocation status of chain */ 343 int (*get_crl)(X509_STORE_CTX *ctx, X509_CRL **crl, X509 *x); /* retrieve CRL */ 344 int (*check_crl)(X509_STORE_CTX *ctx, X509_CRL *crl); /* Check CRL validity */ 345 int (*cert_crl)(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x); /* Check certificate against CRL */ 346 int (*check_policy)(X509_STORE_CTX *ctx); 347 STACK_OF(X509) * (*lookup_certs)(X509_STORE_CTX *ctx, X509_NAME *nm); 348 STACK_OF(X509_CRL) * (*lookup_crls)(X509_STORE_CTX *ctx, X509_NAME *nm); 349 int (*cleanup)(X509_STORE_CTX *ctx); 350 351 /* The following is built up */ 352 int valid; /* if 0, rebuild chain */ 353 int num_untrusted; /* number of untrusted certs in chain */ 354 STACK_OF(X509) *chain; /* chain of X509s - built up and trusted */ 355 X509_POLICY_TREE *tree; /* Valid policy tree */ 356 357 int explicit_policy; /* Require explicit policy value */ 358 359 /* When something goes wrong, this is why */ 360 int error_depth; 361 int error; 362 X509 *current_cert; 363 X509 *current_issuer; /* cert currently being tested as valid issuer */ 364 X509_CRL *current_crl; /* current CRL */ 365 366 int current_crl_score; /* score of current CRL */ 367 unsigned int current_reasons; /* Reason mask */ 368 369 X509_STORE_CTX *parent; /* For CRL path validation: parent context */ 370 371 CRYPTO_EX_DATA ex_data; 372 } /* X509_STORE_CTX */; 373 374 int x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int quiet); 375 376 int name_cmp(const char *name, const char *cmp); 377 378 __END_HIDDEN_DECLS 379 380 #endif /* !HEADER_X509_LCL_H */ 381