1 /* $OpenBSD: x509_local.h,v 1.24 2024/04/08 23:46:21 beck Exp $ */ 2 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 3 * project 2013. 4 */ 5 /* ==================================================================== 6 * Copyright (c) 2013 The OpenSSL Project. All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in 17 * the documentation and/or other materials provided with the 18 * distribution. 19 * 20 * 3. All advertising materials mentioning features or use of this 21 * software must display the following acknowledgment: 22 * "This product includes software developed by the OpenSSL Project 23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 24 * 25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 26 * endorse or promote products derived from this software without 27 * prior written permission. For written permission, please contact 28 * licensing@OpenSSL.org. 29 * 30 * 5. Products derived from this software may not be called "OpenSSL" 31 * nor may "OpenSSL" appear in their names without prior written 32 * permission of the OpenSSL Project. 33 * 34 * 6. Redistributions of any form whatsoever must retain the following 35 * acknowledgment: 36 * "This product includes software developed by the OpenSSL Project 37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 38 * 39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 50 * OF THE POSSIBILITY OF SUCH DAMAGE. 51 * ==================================================================== 52 * 53 * This product includes cryptographic software written by Eric Young 54 * (eay@cryptsoft.com). This product includes software written by Tim 55 * Hudson (tjh@cryptsoft.com). 56 * 57 */ 58 59 #ifndef HEADER_X509_LOCAL_H 60 #define HEADER_X509_LOCAL_H 61 62 #include <openssl/x509v3.h> 63 64 __BEGIN_HIDDEN_DECLS 65 66 #define TS_HASH_EVP EVP_sha1() 67 #define TS_HASH_LEN SHA_DIGEST_LENGTH 68 69 #define X509_CERT_HASH_EVP EVP_sha512() 70 #define X509_CERT_HASH_LEN SHA512_DIGEST_LENGTH 71 #define X509_CRL_HASH_EVP EVP_sha512() 72 #define X509_CRL_HASH_LEN SHA512_DIGEST_LENGTH 73 74 struct X509_pubkey_st { 75 X509_ALGOR *algor; 76 ASN1_BIT_STRING *public_key; 77 EVP_PKEY *pkey; 78 }; 79 80 struct X509_sig_st { 81 X509_ALGOR *algor; 82 ASN1_OCTET_STRING *digest; 83 } /* X509_SIG */; 84 85 struct X509_name_entry_st { 86 ASN1_OBJECT *object; 87 ASN1_STRING *value; 88 int set; 89 int size; /* temp variable */ 90 } /* X509_NAME_ENTRY */; 91 92 /* we always keep X509_NAMEs in 2 forms. */ 93 struct X509_name_st { 94 STACK_OF(X509_NAME_ENTRY) *entries; 95 int modified; /* true if 'bytes' needs to be built */ 96 #ifndef OPENSSL_NO_BUFFER 97 BUF_MEM *bytes; 98 #else 99 char *bytes; 100 #endif 101 /* unsigned long hash; Keep the hash around for lookups */ 102 unsigned char *canon_enc; 103 int canon_enclen; 104 } /* X509_NAME */; 105 106 struct X509_extension_st { 107 ASN1_OBJECT *object; 108 ASN1_BOOLEAN critical; 109 ASN1_OCTET_STRING *value; 110 } /* X509_EXTENSION */; 111 112 struct x509_attributes_st { 113 ASN1_OBJECT *object; 114 STACK_OF(ASN1_TYPE) *set; 115 } /* X509_ATTRIBUTE */; 116 117 struct X509_req_info_st { 118 ASN1_ENCODING enc; 119 ASN1_INTEGER *version; 120 X509_NAME *subject; 121 X509_PUBKEY *pubkey; 122 /* d=2 hl=2 l= 0 cons: cont: 00 */ 123 STACK_OF(X509_ATTRIBUTE) *attributes; /* [ 0 ] */ 124 } /* X509_REQ_INFO */; 125 126 struct X509_req_st { 127 X509_REQ_INFO *req_info; 128 X509_ALGOR *sig_alg; 129 ASN1_BIT_STRING *signature; 130 int references; 131 } /* X509_REQ */; 132 133 /* 134 * This stuff is certificate "auxiliary info" it contains details which are 135 * useful in certificate stores and databases. When used this is tagged onto 136 * the end of the certificate itself. 137 */ 138 typedef struct x509_cert_aux_st { 139 STACK_OF(ASN1_OBJECT) *trust; /* trusted uses */ 140 STACK_OF(ASN1_OBJECT) *reject; /* rejected uses */ 141 ASN1_UTF8STRING *alias; /* "friendly name" */ 142 ASN1_OCTET_STRING *keyid; /* key id of private key */ 143 STACK_OF(X509_ALGOR) *other; /* other unspecified info */ 144 } X509_CERT_AUX; 145 146 X509_CERT_AUX *X509_CERT_AUX_new(void); 147 void X509_CERT_AUX_free(X509_CERT_AUX *a); 148 X509_CERT_AUX *d2i_X509_CERT_AUX(X509_CERT_AUX **a, const unsigned char **in, long len); 149 int i2d_X509_CERT_AUX(X509_CERT_AUX *a, unsigned char **out); 150 extern const ASN1_ITEM X509_CERT_AUX_it; 151 int X509_CERT_AUX_print(BIO *bp,X509_CERT_AUX *x, int indent); 152 153 struct x509_cinf_st { 154 ASN1_INTEGER *version; /* [ 0 ] default of v1 */ 155 ASN1_INTEGER *serialNumber; 156 X509_ALGOR *signature; 157 X509_NAME *issuer; 158 X509_VAL *validity; 159 X509_NAME *subject; 160 X509_PUBKEY *key; 161 ASN1_BIT_STRING *issuerUID; /* [ 1 ] optional in v2 */ 162 ASN1_BIT_STRING *subjectUID; /* [ 2 ] optional in v2 */ 163 STACK_OF(X509_EXTENSION) *extensions; /* [ 3 ] optional in v3 */ 164 ASN1_ENCODING enc; 165 } /* X509_CINF */; 166 167 struct x509_st { 168 X509_CINF *cert_info; 169 X509_ALGOR *sig_alg; 170 ASN1_BIT_STRING *signature; 171 int valid; 172 int references; 173 char *name; 174 CRYPTO_EX_DATA ex_data; 175 /* These contain copies of various extension values */ 176 long ex_pathlen; 177 unsigned long ex_flags; 178 unsigned long ex_kusage; 179 unsigned long ex_xkusage; 180 unsigned long ex_nscert; 181 ASN1_OCTET_STRING *skid; 182 AUTHORITY_KEYID *akid; 183 STACK_OF(DIST_POINT) *crldp; 184 STACK_OF(GENERAL_NAME) *altname; 185 NAME_CONSTRAINTS *nc; 186 #ifndef OPENSSL_NO_RFC3779 187 STACK_OF(IPAddressFamily) *rfc3779_addr; 188 struct ASIdentifiers_st *rfc3779_asid; 189 #endif 190 unsigned char hash[X509_CERT_HASH_LEN]; 191 X509_CERT_AUX *aux; 192 } /* X509 */; 193 194 struct x509_revoked_st { 195 ASN1_INTEGER *serialNumber; 196 ASN1_TIME *revocationDate; 197 STACK_OF(X509_EXTENSION) /* optional */ *extensions; 198 /* Set up if indirect CRL */ 199 STACK_OF(GENERAL_NAME) *issuer; 200 /* Revocation reason */ 201 int reason; 202 int sequence; /* load sequence */ 203 }; 204 205 struct X509_crl_info_st { 206 ASN1_INTEGER *version; 207 X509_ALGOR *sig_alg; 208 X509_NAME *issuer; 209 ASN1_TIME *lastUpdate; 210 ASN1_TIME *nextUpdate; 211 STACK_OF(X509_REVOKED) *revoked; 212 STACK_OF(X509_EXTENSION) /* [0] */ *extensions; 213 ASN1_ENCODING enc; 214 } /* X509_CRL_INFO */; 215 216 struct X509_crl_st { 217 /* actual signature */ 218 X509_CRL_INFO *crl; 219 X509_ALGOR *sig_alg; 220 ASN1_BIT_STRING *signature; 221 int references; 222 int flags; 223 /* Copies of various extensions */ 224 AUTHORITY_KEYID *akid; 225 ISSUING_DIST_POINT *idp; 226 /* Convenient breakdown of IDP */ 227 int idp_flags; 228 int idp_reasons; 229 /* CRL and base CRL numbers for delta processing */ 230 ASN1_INTEGER *crl_number; 231 ASN1_INTEGER *base_crl_number; 232 unsigned char hash[X509_CRL_HASH_LEN]; 233 STACK_OF(GENERAL_NAMES) *issuers; 234 } /* X509_CRL */; 235 236 struct pkcs8_priv_key_info_st { 237 ASN1_INTEGER *version; 238 X509_ALGOR *pkeyalg; 239 ASN1_OCTET_STRING *pkey; 240 STACK_OF(X509_ATTRIBUTE) *attributes; 241 }; 242 243 struct x509_object_st { 244 /* one of the above types */ 245 int type; 246 union { 247 X509 *x509; 248 X509_CRL *crl; 249 } data; 250 } /* X509_OBJECT */; 251 252 struct x509_lookup_method_st { 253 const char *name; 254 int (*new_item)(X509_LOOKUP *ctx); 255 void (*free)(X509_LOOKUP *ctx); 256 int (*ctrl)(X509_LOOKUP *ctx, int cmd, const char *argc, long argl, 257 char **ret); 258 int (*get_by_subject)(X509_LOOKUP *ctx, int type, X509_NAME *name, 259 X509_OBJECT *ret); 260 } /* X509_LOOKUP_METHOD */; 261 262 struct X509_VERIFY_PARAM_st { 263 char *name; 264 time_t check_time; /* Time to use */ 265 unsigned long inh_flags; /* Inheritance flags */ 266 unsigned long flags; /* Various verify flags */ 267 int purpose; /* purpose to check untrusted certificates */ 268 int trust; /* trust setting to check */ 269 int depth; /* Verify depth */ 270 int security_level; /* 'Security level', see SP800-57. */ 271 STACK_OF(ASN1_OBJECT) *policies; /* Permissible policies */ 272 STACK_OF(OPENSSL_STRING) *hosts; /* Set of acceptable names */ 273 unsigned int hostflags; /* Flags to control matching features */ 274 char *peername; /* Matching hostname in peer certificate */ 275 char *email; /* If not NULL email address to match */ 276 size_t emaillen; 277 unsigned char *ip; /* If not NULL IP address to match */ 278 size_t iplen; /* Length of IP address */ 279 int poisoned; 280 } /* X509_VERIFY_PARAM */; 281 282 /* 283 * This is used to hold everything. It is used for all certificate 284 * validation. Once we have a certificate chain, the 'verify' 285 * function is then called to actually check the cert chain. 286 */ 287 struct x509_store_st { 288 /* The following is a cache of trusted certs */ 289 STACK_OF(X509_OBJECT) *objs; /* Cache of all objects */ 290 291 /* These are external lookup methods */ 292 STACK_OF(X509_LOOKUP) *get_cert_methods; 293 294 X509_VERIFY_PARAM *param; 295 296 /* Callbacks for various operations */ 297 int (*verify)(X509_STORE_CTX *ctx); /* called to verify a certificate */ 298 int (*verify_cb)(int ok,X509_STORE_CTX *ctx); /* error callback */ 299 int (*check_issued)(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); /* check issued */ 300 301 CRYPTO_EX_DATA ex_data; 302 int references; 303 } /* X509_STORE */; 304 305 /* This is the functions plus an instance of the local variables. */ 306 struct x509_lookup_st { 307 X509_LOOKUP_METHOD *method; /* the functions */ 308 void *method_data; /* method data */ 309 310 X509_STORE *store_ctx; /* who owns us */ 311 } /* X509_LOOKUP */; 312 313 /* 314 * This is used when verifying cert chains. Since the gathering of the cert 315 * chain can take some time (and has to be 'retried'), this needs to be kept 316 * and passed around. 317 */ 318 struct x509_store_ctx_st { 319 X509_STORE *store; 320 int current_method; /* used when looking up certs */ 321 322 /* The following are set by the caller */ 323 X509 *cert; /* The cert to check */ 324 STACK_OF(X509) *untrusted; /* chain of X509s - untrusted - passed in */ 325 STACK_OF(X509) *trusted; /* trusted stack for use with get_issuer() */ 326 STACK_OF(X509_CRL) *crls; /* set of CRLs passed in */ 327 328 X509_VERIFY_PARAM *param; 329 330 /* Callbacks for various operations */ 331 int (*verify)(X509_STORE_CTX *ctx); /* called to verify a certificate */ 332 int (*verify_cb)(int ok,X509_STORE_CTX *ctx); /* error callback */ 333 int (*get_issuer)(X509 **issuer, X509_STORE_CTX *ctx, X509 *x); /* get issuers cert from ctx */ 334 int (*check_issued)(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); /* check issued */ 335 336 /* The following is built up */ 337 int valid; /* if 0, rebuild chain */ 338 int num_untrusted; /* number of untrusted certs in chain */ 339 STACK_OF(X509) *chain; /* chain of X509s - built up and trusted */ 340 341 int explicit_policy; /* Require explicit policy value */ 342 343 /* When something goes wrong, this is why */ 344 int error_depth; 345 int error; 346 X509 *current_cert; 347 X509 *current_issuer; /* cert currently being tested as valid issuer */ 348 X509_CRL *current_crl; /* current CRL */ 349 350 int current_crl_score; /* score of current CRL */ 351 unsigned int current_reasons; /* Reason mask */ 352 353 X509_STORE_CTX *parent; /* For CRL path validation: parent context */ 354 355 CRYPTO_EX_DATA ex_data; 356 } /* X509_STORE_CTX */; 357 358 int x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int quiet); 359 360 int name_cmp(const char *name, const char *cmp); 361 362 int X509_ALGOR_set_evp_md(X509_ALGOR *alg, const EVP_MD *md); 363 int X509_ALGOR_set0_by_nid(X509_ALGOR *alg, int nid, int parameter_type, 364 void *parameter_value); 365 366 int X509_policy_check(const STACK_OF(X509) *certs, 367 const STACK_OF(ASN1_OBJECT) *user_policies, unsigned long flags, 368 X509 **out_current_cert); 369 370 PBEPARAM *PBEPARAM_new(void); 371 void PBEPARAM_free(PBEPARAM *a); 372 PBEPARAM *d2i_PBEPARAM(PBEPARAM **a, const unsigned char **in, long len); 373 int i2d_PBEPARAM(PBEPARAM *a, unsigned char **out); 374 375 /* Password based encryption V2 structures */ 376 typedef struct PBE2PARAM_st { 377 X509_ALGOR *keyfunc; 378 X509_ALGOR *encryption; 379 } PBE2PARAM; 380 381 PBE2PARAM *PBE2PARAM_new(void); 382 void PBE2PARAM_free(PBE2PARAM *a); 383 PBE2PARAM *d2i_PBE2PARAM(PBE2PARAM **a, const unsigned char **in, long len); 384 int i2d_PBE2PARAM(PBE2PARAM *a, unsigned char **out); 385 extern const ASN1_ITEM PBE2PARAM_it; 386 387 typedef struct PBKDF2PARAM_st { 388 /* Usually OCTET STRING but could be anything */ 389 ASN1_TYPE *salt; 390 ASN1_INTEGER *iter; 391 ASN1_INTEGER *keylength; 392 X509_ALGOR *prf; 393 } PBKDF2PARAM; 394 395 PBKDF2PARAM *PBKDF2PARAM_new(void); 396 void PBKDF2PARAM_free(PBKDF2PARAM *a); 397 PBKDF2PARAM *d2i_PBKDF2PARAM(PBKDF2PARAM **a, const unsigned char **in, long len); 398 int i2d_PBKDF2PARAM(PBKDF2PARAM *a, unsigned char **out); 399 extern const ASN1_ITEM PBKDF2PARAM_it; 400 401 int PKCS5_pbe_set0_algor(X509_ALGOR *algor, int alg, int iter, 402 const unsigned char *salt, int saltlen); 403 X509_ALGOR *PKCS5_pbe2_set(const EVP_CIPHER *cipher, int iter, 404 unsigned char *salt, int saltlen); 405 X509_ALGOR *PKCS5_pbe_set(int alg, int iter, const unsigned char *salt, 406 int saltlen); 407 X509_ALGOR *PKCS5_pbkdf2_set(int iter, unsigned char *salt, int saltlen, 408 int prf_nid, int keylen); 409 410 int X509_PURPOSE_get_by_id(int id); 411 int X509_PURPOSE_get_trust(const X509_PURPOSE *xp); 412 413 __END_HIDDEN_DECLS 414 415 #endif /* !HEADER_X509_LOCAL_H */ 416