1*1dcdf01fSchristos /* 2*1dcdf01fSchristos * Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. 3*1dcdf01fSchristos * 4*1dcdf01fSchristos * Licensed under the OpenSSL license (the "License"). You may not use 5*1dcdf01fSchristos * this file except in compliance with the License. You can obtain a copy 6*1dcdf01fSchristos * in the file LICENSE in the source distribution or at 7*1dcdf01fSchristos * https://www.openssl.org/source/license.html 8*1dcdf01fSchristos */ 9*1dcdf01fSchristos 10*1dcdf01fSchristos #include "internal/refcount.h" 11*1dcdf01fSchristos #include <openssl/x509.h> 12*1dcdf01fSchristos #include <openssl/conf.h> 13*1dcdf01fSchristos 14*1dcdf01fSchristos /* Internal X509 structures and functions: not for application use */ 15*1dcdf01fSchristos 16*1dcdf01fSchristos /* Note: unless otherwise stated a field pointer is mandatory and should 17*1dcdf01fSchristos * never be set to NULL: the ASN.1 code and accessors rely on mandatory 18*1dcdf01fSchristos * fields never being NULL. 19*1dcdf01fSchristos */ 20*1dcdf01fSchristos 21*1dcdf01fSchristos /* 22*1dcdf01fSchristos * name entry structure, equivalent to AttributeTypeAndValue defined 23*1dcdf01fSchristos * in RFC5280 et al. 24*1dcdf01fSchristos */ 25*1dcdf01fSchristos struct X509_name_entry_st { 26*1dcdf01fSchristos ASN1_OBJECT *object; /* AttributeType */ 27*1dcdf01fSchristos ASN1_STRING *value; /* AttributeValue */ 28*1dcdf01fSchristos int set; /* index of RDNSequence for this entry */ 29*1dcdf01fSchristos int size; /* temp variable */ 30*1dcdf01fSchristos }; 31*1dcdf01fSchristos 32*1dcdf01fSchristos /* Name from RFC 5280. */ 33*1dcdf01fSchristos struct X509_name_st { 34*1dcdf01fSchristos STACK_OF(X509_NAME_ENTRY) *entries; /* DN components */ 35*1dcdf01fSchristos int modified; /* true if 'bytes' needs to be built */ 36*1dcdf01fSchristos BUF_MEM *bytes; /* cached encoding: cannot be NULL */ 37*1dcdf01fSchristos /* canonical encoding used for rapid Name comparison */ 38*1dcdf01fSchristos unsigned char *canon_enc; 39*1dcdf01fSchristos int canon_enclen; 40*1dcdf01fSchristos } /* X509_NAME */ ; 41*1dcdf01fSchristos 42*1dcdf01fSchristos /* Signature info structure */ 43*1dcdf01fSchristos 44*1dcdf01fSchristos struct x509_sig_info_st { 45*1dcdf01fSchristos /* NID of message digest */ 46*1dcdf01fSchristos int mdnid; 47*1dcdf01fSchristos /* NID of public key algorithm */ 48*1dcdf01fSchristos int pknid; 49*1dcdf01fSchristos /* Security bits */ 50*1dcdf01fSchristos int secbits; 51*1dcdf01fSchristos /* Various flags */ 52*1dcdf01fSchristos uint32_t flags; 53*1dcdf01fSchristos }; 54*1dcdf01fSchristos 55*1dcdf01fSchristos /* PKCS#10 certificate request */ 56*1dcdf01fSchristos 57*1dcdf01fSchristos struct X509_req_info_st { 58*1dcdf01fSchristos ASN1_ENCODING enc; /* cached encoding of signed part */ 59*1dcdf01fSchristos ASN1_INTEGER *version; /* version, defaults to v1(0) so can be NULL */ 60*1dcdf01fSchristos X509_NAME *subject; /* certificate request DN */ 61*1dcdf01fSchristos X509_PUBKEY *pubkey; /* public key of request */ 62*1dcdf01fSchristos /* 63*1dcdf01fSchristos * Zero or more attributes. 64*1dcdf01fSchristos * NB: although attributes is a mandatory field some broken 65*1dcdf01fSchristos * encodings omit it so this may be NULL in that case. 66*1dcdf01fSchristos */ 67*1dcdf01fSchristos STACK_OF(X509_ATTRIBUTE) *attributes; 68*1dcdf01fSchristos }; 69*1dcdf01fSchristos 70*1dcdf01fSchristos struct X509_req_st { 71*1dcdf01fSchristos X509_REQ_INFO req_info; /* signed certificate request data */ 72*1dcdf01fSchristos X509_ALGOR sig_alg; /* signature algorithm */ 73*1dcdf01fSchristos ASN1_BIT_STRING *signature; /* signature */ 74*1dcdf01fSchristos CRYPTO_REF_COUNT references; 75*1dcdf01fSchristos CRYPTO_RWLOCK *lock; 76*1dcdf01fSchristos }; 77*1dcdf01fSchristos 78*1dcdf01fSchristos struct X509_crl_info_st { 79*1dcdf01fSchristos ASN1_INTEGER *version; /* version: defaults to v1(0) so may be NULL */ 80*1dcdf01fSchristos X509_ALGOR sig_alg; /* signature algorithm */ 81*1dcdf01fSchristos X509_NAME *issuer; /* CRL issuer name */ 82*1dcdf01fSchristos ASN1_TIME *lastUpdate; /* lastUpdate field */ 83*1dcdf01fSchristos ASN1_TIME *nextUpdate; /* nextUpdate field: optional */ 84*1dcdf01fSchristos STACK_OF(X509_REVOKED) *revoked; /* revoked entries: optional */ 85*1dcdf01fSchristos STACK_OF(X509_EXTENSION) *extensions; /* extensions: optional */ 86*1dcdf01fSchristos ASN1_ENCODING enc; /* encoding of signed portion of CRL */ 87*1dcdf01fSchristos }; 88*1dcdf01fSchristos 89*1dcdf01fSchristos struct X509_crl_st { 90*1dcdf01fSchristos X509_CRL_INFO crl; /* signed CRL data */ 91*1dcdf01fSchristos X509_ALGOR sig_alg; /* CRL signature algorithm */ 92*1dcdf01fSchristos ASN1_BIT_STRING signature; /* CRL signature */ 93*1dcdf01fSchristos CRYPTO_REF_COUNT references; 94*1dcdf01fSchristos int flags; 95*1dcdf01fSchristos /* 96*1dcdf01fSchristos * Cached copies of decoded extension values, since extensions 97*1dcdf01fSchristos * are optional any of these can be NULL. 98*1dcdf01fSchristos */ 99*1dcdf01fSchristos AUTHORITY_KEYID *akid; 100*1dcdf01fSchristos ISSUING_DIST_POINT *idp; 101*1dcdf01fSchristos /* Convenient breakdown of IDP */ 102*1dcdf01fSchristos int idp_flags; 103*1dcdf01fSchristos int idp_reasons; 104*1dcdf01fSchristos /* CRL and base CRL numbers for delta processing */ 105*1dcdf01fSchristos ASN1_INTEGER *crl_number; 106*1dcdf01fSchristos ASN1_INTEGER *base_crl_number; 107*1dcdf01fSchristos STACK_OF(GENERAL_NAMES) *issuers; 108*1dcdf01fSchristos /* hash of CRL */ 109*1dcdf01fSchristos unsigned char sha1_hash[SHA_DIGEST_LENGTH]; 110*1dcdf01fSchristos /* alternative method to handle this CRL */ 111*1dcdf01fSchristos const X509_CRL_METHOD *meth; 112*1dcdf01fSchristos void *meth_data; 113*1dcdf01fSchristos CRYPTO_RWLOCK *lock; 114*1dcdf01fSchristos }; 115*1dcdf01fSchristos 116*1dcdf01fSchristos struct x509_revoked_st { 117*1dcdf01fSchristos ASN1_INTEGER serialNumber; /* revoked entry serial number */ 118*1dcdf01fSchristos ASN1_TIME *revocationDate; /* revocation date */ 119*1dcdf01fSchristos STACK_OF(X509_EXTENSION) *extensions; /* CRL entry extensions: optional */ 120*1dcdf01fSchristos /* decoded value of CRLissuer extension: set if indirect CRL */ 121*1dcdf01fSchristos STACK_OF(GENERAL_NAME) *issuer; 122*1dcdf01fSchristos /* revocation reason: set to CRL_REASON_NONE if reason extension absent */ 123*1dcdf01fSchristos int reason; 124*1dcdf01fSchristos /* 125*1dcdf01fSchristos * CRL entries are reordered for faster lookup of serial numbers. This 126*1dcdf01fSchristos * field contains the original load sequence for this entry. 127*1dcdf01fSchristos */ 128*1dcdf01fSchristos int sequence; 129*1dcdf01fSchristos }; 130*1dcdf01fSchristos 131*1dcdf01fSchristos /* 132*1dcdf01fSchristos * This stuff is certificate "auxiliary info": it contains details which are 133*1dcdf01fSchristos * useful in certificate stores and databases. When used this is tagged onto 134*1dcdf01fSchristos * the end of the certificate itself. OpenSSL specific structure not defined 135*1dcdf01fSchristos * in any RFC. 136*1dcdf01fSchristos */ 137*1dcdf01fSchristos 138*1dcdf01fSchristos struct x509_cert_aux_st { 139*1dcdf01fSchristos STACK_OF(ASN1_OBJECT) *trust; /* trusted uses */ 140*1dcdf01fSchristos STACK_OF(ASN1_OBJECT) *reject; /* rejected uses */ 141*1dcdf01fSchristos ASN1_UTF8STRING *alias; /* "friendly name" */ 142*1dcdf01fSchristos ASN1_OCTET_STRING *keyid; /* key id of private key */ 143*1dcdf01fSchristos STACK_OF(X509_ALGOR) *other; /* other unspecified info */ 144*1dcdf01fSchristos }; 145*1dcdf01fSchristos 146*1dcdf01fSchristos struct x509_cinf_st { 147*1dcdf01fSchristos ASN1_INTEGER *version; /* [ 0 ] default of v1 */ 148*1dcdf01fSchristos ASN1_INTEGER serialNumber; 149*1dcdf01fSchristos X509_ALGOR signature; 150*1dcdf01fSchristos X509_NAME *issuer; 151*1dcdf01fSchristos X509_VAL validity; 152*1dcdf01fSchristos X509_NAME *subject; 153*1dcdf01fSchristos X509_PUBKEY *key; 154*1dcdf01fSchristos ASN1_BIT_STRING *issuerUID; /* [ 1 ] optional in v2 */ 155*1dcdf01fSchristos ASN1_BIT_STRING *subjectUID; /* [ 2 ] optional in v2 */ 156*1dcdf01fSchristos STACK_OF(X509_EXTENSION) *extensions; /* [ 3 ] optional in v3 */ 157*1dcdf01fSchristos ASN1_ENCODING enc; 158*1dcdf01fSchristos }; 159*1dcdf01fSchristos 160*1dcdf01fSchristos struct x509_st { 161*1dcdf01fSchristos X509_CINF cert_info; 162*1dcdf01fSchristos X509_ALGOR sig_alg; 163*1dcdf01fSchristos ASN1_BIT_STRING signature; 164*1dcdf01fSchristos X509_SIG_INFO siginf; 165*1dcdf01fSchristos CRYPTO_REF_COUNT references; 166*1dcdf01fSchristos CRYPTO_EX_DATA ex_data; 167*1dcdf01fSchristos /* These contain copies of various extension values */ 168*1dcdf01fSchristos long ex_pathlen; 169*1dcdf01fSchristos long ex_pcpathlen; 170*1dcdf01fSchristos uint32_t ex_flags; 171*1dcdf01fSchristos uint32_t ex_kusage; 172*1dcdf01fSchristos uint32_t ex_xkusage; 173*1dcdf01fSchristos uint32_t ex_nscert; 174*1dcdf01fSchristos ASN1_OCTET_STRING *skid; 175*1dcdf01fSchristos AUTHORITY_KEYID *akid; 176*1dcdf01fSchristos X509_POLICY_CACHE *policy_cache; 177*1dcdf01fSchristos STACK_OF(DIST_POINT) *crldp; 178*1dcdf01fSchristos STACK_OF(GENERAL_NAME) *altname; 179*1dcdf01fSchristos NAME_CONSTRAINTS *nc; 180*1dcdf01fSchristos #ifndef OPENSSL_NO_RFC3779 181*1dcdf01fSchristos STACK_OF(IPAddressFamily) *rfc3779_addr; 182*1dcdf01fSchristos struct ASIdentifiers_st *rfc3779_asid; 183*1dcdf01fSchristos # endif 184*1dcdf01fSchristos unsigned char sha1_hash[SHA_DIGEST_LENGTH]; 185*1dcdf01fSchristos X509_CERT_AUX *aux; 186*1dcdf01fSchristos CRYPTO_RWLOCK *lock; 187*1dcdf01fSchristos volatile int ex_cached; 188*1dcdf01fSchristos } /* X509 */ ; 189*1dcdf01fSchristos 190*1dcdf01fSchristos /* 191*1dcdf01fSchristos * This is a used when verifying cert chains. Since the gathering of the 192*1dcdf01fSchristos * cert chain can take some time (and have to be 'retried', this needs to be 193*1dcdf01fSchristos * kept and passed around. 194*1dcdf01fSchristos */ 195*1dcdf01fSchristos struct x509_store_ctx_st { /* X509_STORE_CTX */ 196*1dcdf01fSchristos X509_STORE *ctx; 197*1dcdf01fSchristos /* The following are set by the caller */ 198*1dcdf01fSchristos /* The cert to check */ 199*1dcdf01fSchristos X509 *cert; 200*1dcdf01fSchristos /* chain of X509s - untrusted - passed in */ 201*1dcdf01fSchristos STACK_OF(X509) *untrusted; 202*1dcdf01fSchristos /* set of CRLs passed in */ 203*1dcdf01fSchristos STACK_OF(X509_CRL) *crls; 204*1dcdf01fSchristos X509_VERIFY_PARAM *param; 205*1dcdf01fSchristos /* Other info for use with get_issuer() */ 206*1dcdf01fSchristos void *other_ctx; 207*1dcdf01fSchristos /* Callbacks for various operations */ 208*1dcdf01fSchristos /* called to verify a certificate */ 209*1dcdf01fSchristos int (*verify) (X509_STORE_CTX *ctx); 210*1dcdf01fSchristos /* error callback */ 211*1dcdf01fSchristos int (*verify_cb) (int ok, X509_STORE_CTX *ctx); 212*1dcdf01fSchristos /* get issuers cert from ctx */ 213*1dcdf01fSchristos int (*get_issuer) (X509 **issuer, X509_STORE_CTX *ctx, X509 *x); 214*1dcdf01fSchristos /* check issued */ 215*1dcdf01fSchristos int (*check_issued) (X509_STORE_CTX *ctx, X509 *x, X509 *issuer); 216*1dcdf01fSchristos /* Check revocation status of chain */ 217*1dcdf01fSchristos int (*check_revocation) (X509_STORE_CTX *ctx); 218*1dcdf01fSchristos /* retrieve CRL */ 219*1dcdf01fSchristos int (*get_crl) (X509_STORE_CTX *ctx, X509_CRL **crl, X509 *x); 220*1dcdf01fSchristos /* Check CRL validity */ 221*1dcdf01fSchristos int (*check_crl) (X509_STORE_CTX *ctx, X509_CRL *crl); 222*1dcdf01fSchristos /* Check certificate against CRL */ 223*1dcdf01fSchristos int (*cert_crl) (X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x); 224*1dcdf01fSchristos /* Check policy status of the chain */ 225*1dcdf01fSchristos int (*check_policy) (X509_STORE_CTX *ctx); 226*1dcdf01fSchristos STACK_OF(X509) *(*lookup_certs) (X509_STORE_CTX *ctx, X509_NAME *nm); 227*1dcdf01fSchristos STACK_OF(X509_CRL) *(*lookup_crls) (X509_STORE_CTX *ctx, X509_NAME *nm); 228*1dcdf01fSchristos int (*cleanup) (X509_STORE_CTX *ctx); 229*1dcdf01fSchristos /* The following is built up */ 230*1dcdf01fSchristos /* if 0, rebuild chain */ 231*1dcdf01fSchristos int valid; 232*1dcdf01fSchristos /* number of untrusted certs */ 233*1dcdf01fSchristos int num_untrusted; 234*1dcdf01fSchristos /* chain of X509s - built up and trusted */ 235*1dcdf01fSchristos STACK_OF(X509) *chain; 236*1dcdf01fSchristos /* Valid policy tree */ 237*1dcdf01fSchristos X509_POLICY_TREE *tree; 238*1dcdf01fSchristos /* Require explicit policy value */ 239*1dcdf01fSchristos int explicit_policy; 240*1dcdf01fSchristos /* When something goes wrong, this is why */ 241*1dcdf01fSchristos int error_depth; 242*1dcdf01fSchristos int error; 243*1dcdf01fSchristos X509 *current_cert; 244*1dcdf01fSchristos /* cert currently being tested as valid issuer */ 245*1dcdf01fSchristos X509 *current_issuer; 246*1dcdf01fSchristos /* current CRL */ 247*1dcdf01fSchristos X509_CRL *current_crl; 248*1dcdf01fSchristos /* score of current CRL */ 249*1dcdf01fSchristos int current_crl_score; 250*1dcdf01fSchristos /* Reason mask */ 251*1dcdf01fSchristos unsigned int current_reasons; 252*1dcdf01fSchristos /* For CRL path validation: parent context */ 253*1dcdf01fSchristos X509_STORE_CTX *parent; 254*1dcdf01fSchristos CRYPTO_EX_DATA ex_data; 255*1dcdf01fSchristos SSL_DANE *dane; 256*1dcdf01fSchristos /* signed via bare TA public key, rather than CA certificate */ 257*1dcdf01fSchristos int bare_ta_signed; 258*1dcdf01fSchristos }; 259*1dcdf01fSchristos 260*1dcdf01fSchristos /* PKCS#8 private key info structure */ 261*1dcdf01fSchristos 262*1dcdf01fSchristos struct pkcs8_priv_key_info_st { 263*1dcdf01fSchristos ASN1_INTEGER *version; 264*1dcdf01fSchristos X509_ALGOR *pkeyalg; 265*1dcdf01fSchristos ASN1_OCTET_STRING *pkey; 266*1dcdf01fSchristos STACK_OF(X509_ATTRIBUTE) *attributes; 267*1dcdf01fSchristos }; 268*1dcdf01fSchristos 269*1dcdf01fSchristos struct X509_sig_st { 270*1dcdf01fSchristos X509_ALGOR *algor; 271*1dcdf01fSchristos ASN1_OCTET_STRING *digest; 272*1dcdf01fSchristos }; 273*1dcdf01fSchristos 274*1dcdf01fSchristos struct x509_object_st { 275*1dcdf01fSchristos /* one of the above types */ 276*1dcdf01fSchristos X509_LOOKUP_TYPE type; 277*1dcdf01fSchristos union { 278*1dcdf01fSchristos char *ptr; 279*1dcdf01fSchristos X509 *x509; 280*1dcdf01fSchristos X509_CRL *crl; 281*1dcdf01fSchristos EVP_PKEY *pkey; 282*1dcdf01fSchristos } data; 283*1dcdf01fSchristos }; 284*1dcdf01fSchristos 285*1dcdf01fSchristos int a2i_ipadd(unsigned char *ipout, const char *ipasc); 286*1dcdf01fSchristos int x509_set1_time(ASN1_TIME **ptm, const ASN1_TIME *tm); 287*1dcdf01fSchristos 288*1dcdf01fSchristos void x509_init_sig_info(X509 *x); 289*1dcdf01fSchristos 290*1dcdf01fSchristos int x509v3_add_len_value_uchar(const char *name, const unsigned char *value, 291*1dcdf01fSchristos size_t vallen, STACK_OF(CONF_VALUE) **extlist); 292