1 /**************************************************************************/ 2 /* */ 3 /* Copyright (c) Microsoft Corporation. All rights reserved. */ 4 /* */ 5 /* This software is licensed under the Microsoft Software License */ 6 /* Terms for Microsoft Azure RTOS. Full text of the license can be */ 7 /* found in the LICENSE file at https://aka.ms/AzureRTOS_EULA */ 8 /* and in the root directory of this software. */ 9 /* */ 10 /**************************************************************************/ 11 12 13 /**************************************************************************/ 14 /**************************************************************************/ 15 /** */ 16 /** NetX Secure Component */ 17 /** */ 18 /** X.509 Digital Certificates */ 19 /** */ 20 /**************************************************************************/ 21 /**************************************************************************/ 22 23 24 /**************************************************************************/ 25 /* */ 26 /* COMPONENT DEFINITION RELEASE */ 27 /* */ 28 /* nx_secure_x509.h PORTABLE C */ 29 /* 6.2.1 */ 30 /* AUTHOR */ 31 /* */ 32 /* Timothy Stapko, Microsoft Corporation */ 33 /* */ 34 /* DESCRIPTION */ 35 /* */ 36 /* This file defines all service prototypes and data structure */ 37 /* definitions for X.509 implementation. */ 38 /* */ 39 /* RELEASE HISTORY */ 40 /* */ 41 /* DATE NAME DESCRIPTION */ 42 /* */ 43 /* 05-19-2020 Timothy Stapko Initial Version 6.0 */ 44 /* 09-30-2020 Timothy Stapko Modified comment(s), */ 45 /* fixed key usage bit order, */ 46 /* resulting in version 6.1 */ 47 /* 04-02-2021 Timothy Stapko Modified comment(s), */ 48 /* removed dependency on TLS, */ 49 /* resulting in version 6.1.6 */ 50 /* 06-02-2021 Timothy Stapko Modified comment(s), */ 51 /* supported hardware EC */ 52 /* private key, */ 53 /* resulting in version 6.1.7 */ 54 /* 01-31-2022 Timothy Stapko Modified comment(s), */ 55 /* ignored public key in EC */ 56 /* private key, */ 57 /* resulting in version 6.1.10 */ 58 /* 07-29-2022 Yuxin Zhou Modified comment(s), */ 59 /* checked expiration for all */ 60 /* the certs in the chain, */ 61 /* resulting in version 6.1.12 */ 62 /* 03-08-2023 Yanwu Cai Modified comment(s), */ 63 /* included TLS port header, */ 64 /* resulting in version 6.2.1 */ 65 /* */ 66 /**************************************************************************/ 67 68 #ifndef SRC_NX_SECURE_X509_H_ 69 #define SRC_NX_SECURE_X509_H_ 70 71 /* Determine if a C++ compiler is being used. If so, ensure that standard 72 C is used to process the API information. */ 73 #ifdef __cplusplus 74 75 /* Yes, C++ compiler is present. Use standard C. */ 76 extern "C" { 77 78 #endif 79 80 #include "nx_crypto.h" 81 82 #ifndef NX_CRYPTO_STANDALONE_ENABLE 83 #include "nx_secure_port.h" 84 #endif 85 86 /* Enable ECC by default. */ 87 #ifndef NX_SECURE_DISABLE_ECC_CIPHERSUITE 88 #ifndef NX_SECURE_ENABLE_ECC_CIPHERSUITE 89 #define NX_SECURE_ENABLE_ECC_CIPHERSUITE 90 #endif 91 #else 92 #undef NX_SECURE_ENABLE_ECC_CIPHERSUITE 93 #endif 94 95 #ifndef NX_SECURE_CALLER_CHECKING_EXTERNS 96 #ifdef NX_CRYPTO_STANDALONE_ENABLE 97 #define NX_SECURE_CALLER_CHECKING_EXTERNS 98 #else 99 #define NX_SECURE_CALLER_CHECKING_EXTERNS NX_CALLER_CHECKING_EXTERNS 100 #endif 101 #endif 102 103 #ifndef NX_THREADS_ONLY_CALLER_CHECKING 104 #ifdef NX_CRYPTO_STANDALONE_ENABLE 105 #define NX_THREADS_ONLY_CALLER_CHECKING 106 #endif 107 #endif 108 109 /* Define memcpy, memset and memcmp functions used internal. */ 110 #ifndef NX_SECURE_MEMCPY 111 #define NX_SECURE_MEMCPY memcpy 112 #endif /* NX_SECURE_MEMCPY */ 113 114 #ifndef NX_SECURE_MEMCMP 115 #define NX_SECURE_MEMCMP memcmp 116 #endif /* NX_SECURE_MEMCMP */ 117 118 #ifndef NX_SECURE_MEMSET 119 #define NX_SECURE_MEMSET memset 120 #endif /* NX_SECURE_MEMSET */ 121 122 #ifndef NX_SECURE_MEMMOVE 123 #define NX_SECURE_MEMMOVE memmove 124 #endif /* NX_SECURE_MEMMOVE */ 125 126 /* Define extensions used for user defined actions during X509 parse. */ 127 #ifndef NX_SECURE_X509_PARSE_CERTIFICATE_EXTENSION 128 #define NX_SECURE_X509_PARSE_CERTIFICATE_EXTENSION 129 #endif /* NX_SECURE_X509_PARSE_CERTIFICATE_EXTENSION */ 130 131 #ifndef NX_SECURE_X509_CERTIFICATE_VERIFY_EXTENSION 132 #define NX_SECURE_X509_CERTIFICATE_VERIFY_EXTENSION 133 #endif /* NX_SECURE_X509_CERTIFICATE_VERIFY_EXTENSION */ 134 135 #ifndef NX_SECURE_X509_PARSE_CRL_EXTENSION 136 #define NX_SECURE_X509_PARSE_CRL_EXTENSION 137 #endif /* NX_SECURE_X509_PARSE_CRL_EXTENSION */ 138 139 #ifndef NX_SECURE_X509_CRL_VERIFY_EXTENSION 140 #define NX_SECURE_X509_CRL_VERIFY_EXTENSION 141 #endif /* NX_SECURE_X509_CRL_VERIFY_EXTENSION */ 142 143 #ifndef NX_SECURE_X509_CERTIFICATE_INITIALIZE_EXTENSION 144 #define NX_SECURE_X509_CERTIFICATE_INITIALIZE_EXTENSION 145 #endif /* NX_SECURE_X509_CERTIFICATE_INITIALIZE_EXTENSION */ 146 147 /* Return values for X509 errors. */ 148 #define NX_SECURE_X509_SUCCESS 0 /* Successful return status. */ 149 #define NX_SECURE_X509_MULTIBYTE_TAG_UNSUPPORTED 0x181 /* We encountered a multi-byte ASN.1 tag - not currently supported. */ 150 #define NX_SECURE_X509_ASN1_LENGTH_TOO_LONG 0x182 /* Encountered a length value longer than we can handle. */ 151 #define NX_SECURE_X509_FOUND_NON_ZERO_PADDING 0x183 /* Expected a padding value of 0 - got something different. */ 152 #define NX_SECURE_X509_MISSING_PUBLIC_KEY 0x184 /* X509 expected a public key but didn't find one. */ 153 #define NX_SECURE_X509_INVALID_PUBLIC_KEY 0x185 /* Found a public key, but it is invalid or has an incorrect format. */ 154 #define NX_SECURE_X509_INVALID_CERTIFICATE_SEQUENCE 0x186 /* The top-level ASN.1 block is not a sequence - invalid X509 certificate. */ 155 #define NX_SECURE_X509_MISSING_SIGNATURE_ALGORITHM 0x187 /* Expecting a signature algorithm identifier, did not find it. */ 156 #define NX_SECURE_X509_INVALID_CERTIFICATE_DATA 0x188 /* Certificate identity data is in an invalid format. */ 157 #define NX_SECURE_X509_UNEXPECTED_ASN1_TAG 0x189 /* We were expecting a specific ASN.1 tag for X509 format but we got something else. */ 158 #define NX_SECURE_PKCS1_INVALID_PRIVATE_KEY 0x18A /* A PKCS#1 private key file was passed in, but the formatting was incorrect. */ 159 #define NX_SECURE_X509_CHAIN_TOO_SHORT 0x18B /* An X509 certificate chain was too short to hold the entire chain during chain building. */ 160 #define NX_SECURE_X509_CHAIN_VERIFY_FAILURE 0x18C /* An X509 certificate chain was unable to be verified (catch-all error). */ 161 #define NX_SECURE_X509_PKCS7_PARSING_FAILED 0x18D /* Parsing an X.509 PKCS#7-encoded signature failed. */ 162 #define NX_SECURE_X509_CERTIFICATE_NOT_FOUND 0x18E /* In looking up a certificate, no matching entry was found. */ 163 #define NX_SECURE_X509_INVALID_VERSION 0x18F /* A certificate included a field that isn't compatible with the given version. */ 164 #define NX_SECURE_X509_INVALID_TAG_CLASS 0x190 /* A certificate included an ASN.1 tag with an invalid tag class value. */ 165 #define NX_SECURE_X509_INVALID_EXTENSIONS 0x191 /* A certificate included an extensions TLV but that did not contain a sequence. */ 166 #define NX_SECURE_X509_INVALID_EXTENSION_SEQUENCE 0x192 /* A certificate included an extension sequence that was invalid X.509. */ 167 #define NX_SECURE_X509_CERTIFICATE_EXPIRED 0x193 /* A certificate had a "not after" field that was less than the current time. */ 168 #define NX_SECURE_X509_CERTIFICATE_NOT_YET_VALID 0x194 /* A certificate had a "not before" field that was greater than the current time. */ 169 #define NX_SECURE_X509_CERTIFICATE_DNS_MISMATCH 0x195 /* A certificate Common Name or Subject Alt Name did not match a given DNS TLD. */ 170 #define NX_SECURE_X509_INVALID_DATE_FORMAT 0x196 /* A certificate contained a date field that is not in a recognized format. */ 171 #define NX_SECURE_X509_CRL_ISSUER_MISMATCH 0x197 /* A provided CRL and certificate were not issued by the same Certificate Authority. */ 172 #define NX_SECURE_X509_CRL_SIGNATURE_CHECK_FAILED 0x198 /* A CRL signature check failed against its issuer. */ 173 #define NX_SECURE_X509_CRL_CERTIFICATE_REVOKED 0x199 /* A certificate was found in a valid CRL and has therefore been revoked. */ 174 #define NX_SECURE_X509_WRONG_SIGNATURE_METHOD 0x19A /* In attempting to validate a signature the signature method did not match the expected method. */ 175 #define NX_SECURE_X509_EXTENSION_NOT_FOUND 0x19B /* In looking for an extension, no extension with a matching ID was found. */ 176 #define NX_SECURE_X509_ALT_NAME_NOT_FOUND 0x19C /* A name was searched for in a subjectAltName extension but was not found. */ 177 #define NX_SECURE_X509_INVALID_PRIVATE_KEY_TYPE 0x19D /* Private key type given was unknown or invalid. */ 178 #define NX_SECURE_X509_NAME_STRING_TOO_LONG 0x19E /* A name passed as a parameter was too long for an internal fixed-size buffer. */ 179 #define NX_SECURE_X509_EXT_KEY_USAGE_NOT_FOUND 0x19F /* In parsing an ExtendedKeyUsage extension, the specified usage was not found. */ 180 #define NX_SECURE_X509_KEY_USAGE_ERROR 0x1A0 /* For use with key usage extensions - return this to indicate an error at the application level with key usage. */ 181 182 /* Return values from TLS. */ 183 #define NX_SECURE_X509_UNSUPPORTED_PUBLIC_CIPHER 0x1A1 /* A certificate provided by a server specified a public-key operation we do not support. */ 184 #define NX_SECURE_X509_INVALID_CERTIFICATE 0x1A2 /* An X509 certificate did not parse correctly. */ 185 #define NX_SECURE_X509_UNKNOWN_CERT_SIG_ALGORITHM 0x1A3 /* A certificate during verification had an unsupported signature algorithm. */ 186 #define NX_SECURE_X509_CERTIFICATE_SIG_CHECK_FAILED 0x1A4 /* A certificate signature verification check failed - certificate data did not match signature. */ 187 #define NX_SECURE_X509_INVALID_SELF_SIGNED_CERT 0x1A5 /* The remote host sent a self-signed certificate and NX_SECURE_ALLOW_SELF_SIGNED_CERTIFICATES is not defined. */ 188 #define NX_SECURE_X509_ISSUER_CERTIFICATE_NOT_FOUND 0x1A6 /* A remote certificate was received with an issuer not in the local trusted store. */ 189 #define NX_SECURE_X509_NO_CERT_SPACE_ALLOCATED 0x1A7 /* No certificate space was allocated for incoming remote certificates. */ 190 #define NX_SECURE_X509_INSUFFICIENT_CERT_SPACE 0x1A8 /* Not enough certificate buffer space allocated for a certificate. */ 191 #define NX_SECURE_X509_CERT_ID_DUPLICATE 0x1A9 /* Tried to add a certificate with a numeric ID that was already used - needs to be unique. */ 192 #define NX_SECURE_X509_MISSING_CRYPTO_ROUTINE 0x1AA /* In attempting to perform a cryptographic operation, an entry in the ciphersuite table (or one of its function pointers) was NULL. */ 193 194 /* Defines for working with private key types. */ 195 #define NX_SECURE_X509_KEY_TYPE_USER_DEFINED_MASK (0xFFFF0000) 196 197 /* Private key type defines for initializing private key data associated with an X.509 certificate. */ 198 #define NX_SECURE_X509_KEY_TYPE_NONE 0x00000000 /* Default value for no key. */ 199 #define NX_SECURE_X509_KEY_TYPE_RSA_PKCS1_DER 0x00000001 /* DER-encoded PKCS-1 RSA private key. */ 200 #define NX_SECURE_X509_KEY_TYPE_EC_DER 0x00000002 /* DER-encoded EC private key. */ 201 #define NX_SECURE_X509_KEY_TYPE_HARDWARE 0x00000003 /* Hardware private key */ 202 203 204 /* ASN.1 Format: 205 * <Type, Length, Value> 206 * - Type is simply a tag value (defined below) 207 * - Length is: 208 * <= 127 (7 bits), length is the number of bytes of Value 209 * > 127, high bit is set, and lower 7 bits becomes the number of following bytes of *length* 210 * so 841 bytes of Value is encoded as 0x82, 0x03, 0x49 (0x82 = 2 bytes of length, 0x0349 = 841). 211 * - Value depends on the Tag 212 * */ 213 214 /* ASN.1 Tags relevant to X509. */ 215 #define NX_SECURE_ASN_TAG_BER 0 216 #define NX_SECURE_ASN_TAG_BOOLEAN 1 217 #define NX_SECURE_ASN_TAG_INTEGER 2 218 #define NX_SECURE_ASN_TAG_BIT_STRING 3 219 #define NX_SECURE_ASN_TAG_OCTET_STRING 4 220 #define NX_SECURE_ASN_TAG_NULL 5 221 #define NX_SECURE_ASN_TAG_OID 6 222 #define NX_SECURE_ASN_TAG_OBJ_DESCRIPTOR 7 223 #define NX_SECURE_ASN_TAG_EXTERNAL_INSTANCE 8 224 #define NX_SECURE_ASN_TAG_REAL 9 225 #define NX_SECURE_ASN_TAG_ENUMERATED 10 226 #define NX_SECURE_ASN_TAG_EMBEDDED_PPV 11 227 #define NX_SECURE_ASN_TAG_UTF8_STRING 12 228 #define NX_SECURE_ASN_TAG_RELATIVE_OID 13 229 #define NX_SECURE_ASN_TAG_UNDEFINED_14 14 230 #define NX_SECURE_ASN_TAG_UNDEFINED_15 15 231 #define NX_SECURE_ASN_TAG_SEQUENCE 16 232 #define NX_SECURE_ASN_TAG_SET 17 233 #define NX_SECURE_ASN_TAG_NUMERIC_STRING 18 234 #define NX_SECURE_ASN_TAG_PRINTABLE_STRING 19 235 #define NX_SECURE_ASN_TAG_TELETEX_STRING 20 236 #define NX_SECURE_ASN_TAG_T61_STRING 20 237 #define NX_SECURE_ASN_TAG_VIDEOTEX_STRING 21 238 #define NX_SECURE_ASN_TAG_IA5_STRING 22 239 #define NX_SECURE_ASN_TAG_UTC_TIME 23 240 #define NX_SECURE_ASN_TAG_GENERALIZED_TIME 24 241 #define NX_SECURE_ASN_TAG_GRAPHIC_STRING 25 242 #define NX_SECURE_ASN_TAG_VISIBLE_STRING 26 243 #define NX_SECURE_ASN_TAG_GENERAL_STRING 27 244 #define NX_SECURE_ASN_TAG_UNIVERSAL_STRING 28 245 #define NX_SECURE_ASN_TAG_CHARACTER_STRING 29 246 #define NX_SECURE_ASN_TAG_BMP_STRING 30 247 248 #define NX_SECURE_ASN_TAG_CONSTRUCTED_MASK 0x20 /* If bit 6 is set, it is a constructed type. */ 249 250 #define NX_SECURE_ASN_TAG_CLASS_MASK 0xC0 /* Top 2 bits of tag are the "class". */ 251 #define NX_SECURE_ASN_TAG_MASK 0x1F /* Bottom 6 bits are the tag itself. */ 252 #define NX_SECURE_ASN_TAG_MULTIBYTE_MASK 0x1F /* Some tags are multi-byte but never in x509. */ 253 254 /* Tag classes. Bits refer to bit locations in the tag octet. 255 * Note that "Application" and "Private" are not recommended for use and 256 * should probably never be encountered in an X.509 certificate. 257 * Class | Bit 7 | Bit 8 | 258 * --------------------------------------------- 259 * Universal | 0 | 0 | 260 * Application | 0 | 1 | 261 * Context-specific | 1 | 0 | 262 * Private | 1 | 1 | 263 */ 264 #define NX_SECURE_ASN_TAG_CLASS_UNIVERSAL 0x00 /* ASN.1 standard tag values. */ 265 #define NX_SECURE_ASN_TAG_CLASS_APPLICATION 0x01 /* (UNUSED) Application-specific tag values. */ 266 #define NX_SECURE_ASN_TAG_CLASS_CONTEXT 0x02 /* Context-specific tag values. */ 267 #define NX_SECURE_ASN_TAG_CLASS_PRIVATE 0x03 /* (UNUSED) Private tag values. */ 268 269 /* X.509 version identifiers. */ 270 #define NX_SECURE_X509_VERSION_1 (0x0) 271 #define NX_SECURE_X509_VERSION_2 (0x1) 272 #define NX_SECURE_X509_VERSION_3 (0x2) 273 274 /* X.509 context-specific tag values. */ 275 #define NX_SECURE_X509_TAG_VERSION (0x00) /* In TBSCertificate ASN.1, version field tag. */ 276 #define NX_SECURE_X509_TAG_ISSUER_UNIQUE_ID (0x01) /* In TBSCertificate ASN.1, Issuer unique id field tag. */ 277 #define NX_SECURE_X509_TAG_SUBJECT_UNIQUE_ID (0x02) /* In TBSCertificate ASN.1, Subject unique id field tag. */ 278 #define NX_SECURE_X509_TAG_EXTENSIONS (0x03) /* In TBSCertificate ASN.1, Extensions field tag. */ 279 280 /* X.509 subjectAltName context-specific tag values. */ 281 #define NX_SECURE_X509_SUB_ALT_NAME_TAG_OTHERNAME (0) 282 #define NX_SECURE_X509_SUB_ALT_NAME_TAG_RFC822NAME (1) 283 #define NX_SECURE_X509_SUB_ALT_NAME_TAG_DNSNAME (2) 284 #define NX_SECURE_X509_SUB_ALT_NAME_TAG_X400ADDRESS (3) 285 #define NX_SECURE_X509_SUB_ALT_NAME_TAG_DIRECTORYNAME (4) 286 #define NX_SECURE_X509_SUB_ALT_NAME_TAG_EDIPARTYNAME (5) 287 #define NX_SECURE_X509_SUB_ALT_NAME_TAG_UNIFORMRESOURCEIDENTIFIER (6) 288 #define NX_SECURE_X509_SUB_ALT_NAME_TAG_IPADDRESS (7) 289 #define NX_SECURE_X509_SUB_ALT_NAME_TAG_REGISTEREDID (8) 290 291 /* X.509 CRL context-specific tags. */ 292 #define NX_SECURE_X509_CRL_TAG_EXTENSIONS (0x00) /* In CRL ASN.1, extensions field tag. */ 293 294 /* X.509 KeyUsage extension bit field values. */ 295 #define NX_SECURE_X509_KEY_USAGE_DIGITAL_SIGNATURE (0x8000) 296 #define NX_SECURE_X509_KEY_USAGE_NON_REPUDIATION (0x4000) 297 #define NX_SECURE_X509_KEY_USAGE_KEY_ENCIPHERMENT (0x2000) 298 #define NX_SECURE_X509_KEY_USAGE_DATA_ENCIPHERMENT (0X1000) 299 #define NX_SECURE_X509_KEY_USAGE_KEY_AGREEMENT (0X0800) 300 #define NX_SECURE_X509_KEY_USAGE_KEY_CERT_SIGN (0X0400) 301 #define NX_SECURE_X509_KEY_USAGE_CRL_SIGN (0X0200) 302 #define NX_SECURE_X509_KEY_USAGE_ENCIPHER_ONLY (0X0100) 303 #define NX_SECURE_X509_KEY_USAGE_DECIPHER_ONLY (0X0080) 304 305 306 /* Internal NetX Secure identifiers for X.509 OID values. The OIDs are variable-length multi-byte 307 values so it's useful to have them map to a simple enumeration. */ 308 #define NX_SECURE_TLS_X509_TYPE_UNKNOWN 0 309 #define NX_SECURE_TLS_X509_TYPE_RSA 1 310 #define NX_SECURE_TLS_X509_TYPE_RSA_MD5 2 311 #define NX_SECURE_TLS_X509_TYPE_RSA_SHA_1 3 312 #define NX_SECURE_TLS_X509_TYPE_RSA_SHA_256 4 313 #define NX_SECURE_TLS_X509_TYPE_RSA_SHA_384 5 314 #define NX_SECURE_TLS_X509_TYPE_RSA_SHA_512 6 315 #define NX_SECURE_TLS_X509_TYPE_DH 7 316 #define NX_SECURE_TLS_X509_TYPE_DSS_SHA_1 8 317 #define NX_SECURE_TLS_X509_TYPE_COMMON_NAME 9 318 #define NX_SECURE_TLS_X509_TYPE_EMAIL 10 319 #define NX_SECURE_TLS_X509_TYPE_COUNTRY 11 320 #define NX_SECURE_TLS_X509_TYPE_STATE 12 321 #define NX_SECURE_TLS_X509_TYPE_LOCALITY 13 322 #define NX_SECURE_TLS_X509_TYPE_ORGANIZATION 14 323 #define NX_SECURE_TLS_X509_TYPE_ORG_UNIT 15 324 /*#define NX_SECURE_TLS_X509_TYPE_EXTENSIONS_PREFIX 16*/ 325 #define NX_SECURE_TLS_X509_TYPE_DIRECTORY_ATTRIBUTES 17 326 #define NX_SECURE_TLS_X509_TYPE_SUBJECT_KEY_ID 18 327 #define NX_SECURE_TLS_X509_TYPE_KEY_USAGE 19 328 #define NX_SECURE_TLS_X509_TYPE_SUBJECT_ALT_NAME 20 329 #define NX_SECURE_TLS_X509_TYPE_ISSUER_ALT_NAME 21 330 #define NX_SECURE_TLS_X509_TYPE_BASIC_CONSTRAINTS 22 331 #define NX_SECURE_TLS_X509_TYPE_NAME_CONSTRAINTS 23 332 #define NX_SECURE_TLS_X509_TYPE_CRL_DISTRIBUTION 24 333 #define NX_SECURE_TLS_X509_TYPE_CERTIFICATE_POLICIES 25 334 #define NX_SECURE_TLS_X509_TYPE_CERT_POLICY_MAPPINGS 26 335 #define NX_SECURE_TLS_X509_TYPE_AUTHORITY_KEY_ID 27 336 #define NX_SECURE_TLS_X509_TYPE_POLICY_CONSTRAINTS 28 337 #define NX_SECURE_TLS_X509_TYPE_EXTENDED_KEY_USAGE 29 338 #define NX_SECURE_TLS_X509_TYPE_ANY_EXTENDED_KEY_USAGE 30 339 #define NX_SECURE_TLS_X509_TYPE_FRESHEST_CRL 31 340 #define NX_SECURE_TLS_X509_TYPE_INHIBIT_ANYPOLICY 32 341 #define NX_SECURE_TLS_X509_TYPE_SURNAME 33 342 #define NX_SECURE_TLS_X509_TYPE_SERIAL_NUMBER 34 343 #define NX_SECURE_TLS_X509_TYPE_TITLE 35 344 #define NX_SECURE_TLS_X509_TYPE_NAME 36 345 #define NX_SECURE_TLS_X509_TYPE_GIVEN_NAME 37 346 #define NX_SECURE_TLS_X509_TYPE_INITIALS 38 347 #define NX_SECURE_TLS_X509_TYPE_GENERATION 39 348 #define NX_SECURE_TLS_X509_TYPE_DN_QUALIFIER 40 349 #define NX_SECURE_TLS_X509_TYPE_PSEUDONYM 41 350 #define NX_SECURE_TLS_X509_TYPE_PKIX_EXT_PREFIX 42 351 #define NX_SECURE_TLS_X509_TYPE_PKIX_AIA 43 352 #define NX_SECURE_TLS_X509_TYPE_PKIX_SIA 44 353 #define NX_SECURE_TLS_X509_TYPE_NETSCAPE_COMMENT 45 354 #define NX_SECURE_TLS_X509_TYPE_ANY_POLICY 46 355 #define NX_SECURE_TLS_X509_TYPE_PKIX_QT 47 356 #define NX_SECURE_TLS_X509_TYPE_PKIX_QT_CPS 48 357 #define NX_SECURE_TLS_X509_TYPE_PKIX_QT_UNOTICE 49 358 #define NX_SECURE_TLS_X509_TYPE_PKIX_KP 50 359 #define NX_SECURE_TLS_X509_TYPE_PKIX_KP_SERVER_AUTH 51 360 #define NX_SECURE_TLS_X509_TYPE_PKIX_KP_CLIENT_AUTH 52 361 #define NX_SECURE_TLS_X509_TYPE_PKIX_KP_CODE_SIGNING 53 362 #define NX_SECURE_TLS_X509_TYPE_PKIX_KP_EMAIL_PROTECT 54 363 #define NX_SECURE_TLS_X509_TYPE_PKIX_KP_TIME_STAMPING 55 364 #define NX_SECURE_TLS_X509_TYPE_PKIX_KP_OCSP_SIGNING 56 365 #define NX_SECURE_TLS_X509_TYPE_EC 57 366 #define NX_SECURE_TLS_X509_TYPE_ECDSA_SHA_1 58 367 #define NX_SECURE_TLS_X509_TYPE_ECDSA_SHA_224 59 368 #define NX_SECURE_TLS_X509_TYPE_ECDSA_SHA_256 60 369 #define NX_SECURE_TLS_X509_TYPE_ECDSA_SHA_384 61 370 #define NX_SECURE_TLS_X509_TYPE_ECDSA_SHA_512 62 371 372 #define NX_SECURE_TLS_X509_EC_SECT163K1 0x00060001 373 #define NX_SECURE_TLS_X509_EC_SECT163R1 0x00060002 374 #define NX_SECURE_TLS_X509_EC_SECT163R2 0x00060003 375 #define NX_SECURE_TLS_X509_EC_SECT193R1 0x00060004 376 #define NX_SECURE_TLS_X509_EC_SECT193R2 0x00060005 377 #define NX_SECURE_TLS_X509_EC_SECT233K1 0x00060006 378 #define NX_SECURE_TLS_X509_EC_SECT233R1 0x00060007 379 #define NX_SECURE_TLS_X509_EC_SECT239K1 0x00060008 380 #define NX_SECURE_TLS_X509_EC_SECT283K1 0x00060009 381 #define NX_SECURE_TLS_X509_EC_SECT283R1 0x0006000A 382 #define NX_SECURE_TLS_X509_EC_SECT409K1 0x0006000B 383 #define NX_SECURE_TLS_X509_EC_SECT409R1 0x0006000C 384 #define NX_SECURE_TLS_X509_EC_SECT571K1 0x0006000D 385 #define NX_SECURE_TLS_X509_EC_SECT571R1 0x0006000E 386 #define NX_SECURE_TLS_X509_EC_SECP160K1 0x0006000F 387 #define NX_SECURE_TLS_X509_EC_SECP160R1 0x00060010 388 #define NX_SECURE_TLS_X509_EC_SECP160R2 0x00060011 389 #define NX_SECURE_TLS_X509_EC_SECP192K1 0x00060012 390 #define NX_SECURE_TLS_X509_EC_SECP192R1 0x00060013 391 #define NX_SECURE_TLS_X509_EC_SECP224K1 0x00060014 392 #define NX_SECURE_TLS_X509_EC_SECP224R1 0x00060015 393 #define NX_SECURE_TLS_X509_EC_SECP256K1 0x00060016 394 #define NX_SECURE_TLS_X509_EC_SECP256R1 0x00060017 395 #define NX_SECURE_TLS_X509_EC_SECP384R1 0x00060018 396 #define NX_SECURE_TLS_X509_EC_SECP521R1 0x00060019 397 398 /* Bitfield mappings for Distinguished name comparison. When using nx_secure_x509_distinguished_name_compare, 399 these values are used for the "compare_fields" parameter - bitwise OR these values together to compare 400 only the desired fields. 401 */ 402 #define NX_SECURE_X509_NAME_COUNTRY (0x00000001L) 403 #define NX_SECURE_X509_NAME_ORGANIZATION (0x00000002L) 404 #define NX_SECURE_X509_NAME_ORG_UNIT (0x00000004L) 405 #define NX_SECURE_X509_NAME_QUALIFIER (0x00000008L) 406 #define NX_SECURE_X509_NAME_STATE (0x00000010L) 407 #define NX_SECURE_X509_NAME_COMMON_NAME (0x00000020L) 408 #define NX_SECURE_X509_NAME_SERIAL_NUMBER (0x00000040L) 409 #define NX_SECURE_X509_NAME_LOCALITY (0x00000080L) 410 #define NX_SECURE_X509_NAME_TITLE (0x00000100L) 411 #define NX_SECURE_X509_NAME_SURNAME (0x00000200L) 412 #define NX_SECURE_X509_NAME_GIVEN_NAME (0x00000400L) 413 #define NX_SECURE_X509_NAME_INITIALS (0x00000800L) 414 #define NX_SECURE_X509_NAME_PSEUDONYM (0x00001000L) 415 #define NX_SECURE_X509_NAME_GENERATION_QUALIFIER (0x00002000L) 416 #define NX_SECURE_X509_NAME_ALL_FIELDS (0xFFFFFFFFL) 417 418 /* Structure to contain distinguished names. */ 419 typedef struct NX_SECURE_X509_DISTINGUISHED_NAME_STRUCT 420 { 421 /* 422 X509 Distinguished Names consist of attributes. 423 Must contain the following items: 424 425 * country/region, 426 * organization, 427 * organizational unit, 428 * distinguished name qualifier, 429 * state or province name, 430 * common name (e.g., "Susan Housley"), and 431 * serial number. 432 433 Optional attributes: 434 * locality, 435 * title, 436 * surname, 437 * given name, 438 * initials, 439 * pseudonym, and 440 * generation qualifier (e.g., "Jr.", "3rd", or "IV"). 441 */ 442 443 444 /* The following fields are X509 distinguished name attributes that MUST 445 be supported as per the X509 RFC. */ 446 const UCHAR *nx_secure_x509_country; 447 USHORT nx_secure_x509_country_length; 448 449 const UCHAR *nx_secure_x509_organization; 450 USHORT nx_secure_x509_organization_length; 451 452 const UCHAR *nx_secure_x509_org_unit; 453 USHORT nx_secure_x509_org_unit_length; 454 455 const UCHAR *nx_secure_x509_distinguished_name_qualifier; 456 USHORT nx_secure_x509_distinguished_name_qualifier_length; 457 458 const UCHAR *nx_secure_x509_state; 459 USHORT nx_secure_x509_state_length; 460 461 const UCHAR *nx_secure_x509_common_name; 462 USHORT nx_secure_x509_common_name_length; 463 464 const UCHAR *nx_secure_x509_serial_number; 465 USHORT nx_secure_x509_serial_number_length; 466 467 #ifdef NX_SECURE_X509_USE_EXTENDED_DISTINGUISHED_NAMES 468 /* The following fields are OPTIONAL per the X509 RFC, disable 469 them to save on memory usage. */ 470 const UCHAR *nx_secure_x509_locality; 471 USHORT nx_secure_x509_locality_length; 472 473 const UCHAR *nx_secure_x509_title; 474 USHORT nx_secure_x509_title_length; 475 476 const UCHAR *nx_secure_x509_surname; 477 USHORT nx_secure_x509_surname_length; 478 479 const UCHAR *nx_secure_x509_given_name; 480 USHORT nx_secure_x509_given_name_length; 481 482 const UCHAR *nx_secure_x509_initials; 483 USHORT nx_secure_x509_initials_length; 484 485 const UCHAR *nx_secure_x509_pseudonym; 486 USHORT nx_secure_x509_pseudonym_length; 487 488 const UCHAR *nx_secure_x509_generation_qualifier; 489 USHORT nx_secure_x509_generation_qualifier_length; 490 #endif 491 } NX_SECURE_X509_DISTINGUISHED_NAME; 492 493 494 /* RSA public key information. */ 495 typedef struct NX_SECURE_RSA_PUBLIC_KEY_STRUCT 496 { 497 /* Public Modulus for RSA or DH. */ 498 const UCHAR *nx_secure_rsa_public_modulus; 499 500 /* Size of the key used by the algorithm. */ 501 USHORT nx_secure_rsa_public_modulus_length; 502 503 /* Public Exponent for RSA. */ 504 const UCHAR *nx_secure_rsa_public_exponent; 505 506 /* Size of the key used by the algorithm. */ 507 USHORT nx_secure_rsa_public_exponent_length; 508 } NX_SECURE_RSA_PUBLIC_KEY; 509 510 /* RSA private key information. */ 511 typedef struct NX_SECURE_RSA_PRIVATE_KEY_STRUCT 512 { 513 /* The public modulus is used in all RSA operations. */ 514 const UCHAR *nx_secure_rsa_public_modulus; 515 USHORT nx_secure_rsa_public_modulus_length; 516 517 /* The public exponent is used for encrypting messages intended for the private key holder. */ 518 const UCHAR *nx_secure_rsa_public_exponent; 519 USHORT nx_secure_rsa_public_exponent_length; 520 521 /* The private exponent is the true "private" part of an RSA key. */ 522 const UCHAR *nx_secure_rsa_private_exponent; 523 USHORT nx_secure_rsa_private_exponent_length; 524 525 /* P and Q are the primes used to calculate the RSA key. Using these, we 526 can utilize the Chinese Remainder Theorem and speed up RSA encryption. */ 527 const UCHAR *nx_secure_rsa_private_prime_q; 528 USHORT nx_secure_rsa_private_prime_q_length; 529 const UCHAR *nx_secure_rsa_private_prime_p; 530 USHORT nx_secure_rsa_private_prime_p_length; 531 } NX_SECURE_RSA_PRIVATE_KEY; 532 533 #ifdef NX_SECURE_ENABLE_ECC_CIPHERSUITE 534 /* EC public key information. */ 535 typedef struct NX_SECURE_EC_PUBLIC_KEY_STRUCT 536 { 537 /* Public key for EC. */ 538 const UCHAR *nx_secure_ec_public_key; 539 540 /* Size of the key used by the algorithm. */ 541 USHORT nx_secure_ec_public_key_length; 542 543 /* Named curve used. */ 544 UINT nx_secure_ec_named_curve; 545 546 } NX_SECURE_EC_PUBLIC_KEY; 547 548 /* EC private key information. */ 549 typedef struct NX_SECURE_EC_PRIVATE_KEY_STRUCT 550 { 551 /* Private key for EC. */ 552 const UCHAR *nx_secure_ec_private_key; 553 554 /* Size of the EC private key. */ 555 USHORT nx_secure_ec_private_key_length; 556 557 /* Named curve used. */ 558 UINT nx_secure_ec_named_curve; 559 560 } NX_SECURE_EC_PRIVATE_KEY; 561 #endif /* NX_SECURE_ENABLE_ECC_CIPHERSUITE */ 562 563 /* Structure to hold X.509 cryptographic routine information. */ 564 typedef struct NX_SECURE_X509_CRYPTO_STRUCT 565 { 566 /* Internal NetX Secure identifier for certificate "ciphersuite" which consists of 567 a hash and a public key operation. These can be mapped to OIDs in X.509. */ 568 USHORT nx_secure_x509_crypto_identifier; 569 570 /* Public-Key Cryptographic method used by certificates. */ 571 const NX_CRYPTO_METHOD *nx_secure_x509_public_cipher_method; 572 573 /* Hash method used by certificates. */ 574 const NX_CRYPTO_METHOD *nx_secure_x509_hash_method; 575 } NX_SECURE_X509_CRYPTO; 576 577 /* Structure to hold policy qualifiers for the certificatePolicies extension. */ 578 typedef struct NX_SECURE_X509_CERTIFICATE_POLICY_STRUCT 579 { 580 /* Pointer to OID for this specific policy, if needed. */ 581 const UCHAR *nx_secure_x509_policy_oid; 582 583 /* Qualifier OID type - defines what the policy qualifier is (if present). */ 584 UINT nx_secure_x509_policy_qualifier_type; 585 586 /* Qualifier data. */ 587 union 588 { 589 /* CPS URI policy qualifier. */ 590 UCHAR nx_secure_x509_policy_qualifier_cps[200]; 591 592 /* UserNotice qualifier. */ 593 struct 594 { 595 /* NoticeRef structure. */ 596 struct 597 { 598 UCHAR nx_secure_x509_policy_organization[200]; 599 UINT nx_secure_x509_policy_notice_numbers[20]; 600 } nx_secure_x509_policy_notice_ref; 601 602 /* Explicit text data. */ 603 UCHAR nx_secure_x509_policy_explicit_text[200]; 604 } nx_secure_x509_policy_unotice; 605 } nx_secure_x509_policy_qualifier; 606 607 /* Pointer for linked list. */ 608 struct NX_SECURE_X509_CERTIFICATE_POLICY_STRUCT *nx_secure_x509_policy_next; 609 } NX_SECURE_X509_CERTIFICATE_POLICY; 610 611 /* Structure to hold extension information for an X.509 certificate. 612 Also used to contain information about an X.509 policy, either 613 when parsing an X.509 certificate or when defining policies for 614 X.509 path validation. */ 615 typedef struct NX_SECURE_X509_EXTENSION_STRUCT 616 { 617 /* Identifier (maps to OID) for this extension. */ 618 USHORT nx_secure_x509_extension_id; 619 620 /* Critical flag - boolean value. */ 621 USHORT nx_secure_x509_extension_critical; 622 623 /* Pointer to DER-encoded extension data. */ 624 const UCHAR *nx_secure_x509_extension_data; 625 ULONG nx_secure_x509_extension_data_length; 626 } NX_SECURE_X509_EXTENSION; 627 628 629 /* Domain name entries. */ 630 631 /* Maximum size of a DNS name entry. */ 632 #define NX_SECURE_X509_DNS_NAME_MAX (100) 633 typedef struct NX_SECURE_X509_DNS_NAME_STRUCT 634 { 635 /* Pointer to string containing the DNS name. */ 636 UCHAR nx_secure_x509_dns_name[NX_SECURE_X509_DNS_NAME_MAX]; 637 638 /* Length of name. */ 639 USHORT nx_secure_x509_dns_name_length; 640 641 /* Pointer for linked list. */ 642 struct NX_SECURE_X509_DNS_NAME_STRUCT *nx_secure_x509_dns_name_next; 643 } NX_SECURE_X509_DNS_NAME; 644 645 /* Structure to hold policy information for certificate chain verification. */ 646 typedef struct NX_SECURE_X509_POLICIES_STRUCT 647 { 648 /* X.509 policies and path validation (RFC 5280): 649 * "Conforming implementations are not required to support the setting of 650 all of these inputs. For example, a conforming implementation may be 651 designed to validate all certification paths using a value of FALSE 652 for initial-any-policy-inhibit." 653 */ 654 655 /* Linked list of policies, keyed on policy OID.*/ 656 NX_SECURE_X509_EXTENSION *nx_secure_x509_valid_policy_tree; 657 658 /* Indicates if policy mapping is allowed for the chain. */ 659 USHORT nx_secure_x509_policy_mapping_inhibit; 660 661 /* Indicates if the chain must be valid for at least one policy. 662 If false, the chain does not need to be valid for any policies 663 (it still must be trusted though).*/ 664 USHORT nx_secure_x509_explicit_policy; 665 666 /* Indicates if the anyPolicy OID is processed or ignored. */ 667 USHORT nx_secure_x509_any_policy_inhibit; 668 669 /* For name constraint checking, a collection of name subtrees that 670 are permitted when checking DNS names (or other name types). */ 671 NX_SECURE_X509_DNS_NAME *nx_secure_x509_permitted_subtrees; 672 673 /* For name constraint checking, a collection of name subtrees that 674 are NOT permitted when checking DNS names (or other name types). */ 675 NX_SECURE_X509_DNS_NAME *nx_secure_x509_excluded_subtrees; 676 677 /* Maximum path length for validation, set to n and decremented for each 678 * non-self-signed certificate in the path. */ 679 USHORT nx_secure_x509_max_path_length; 680 681 /* Other X.509 variables are contained within nx_secure_x509_certificate chain verify: 682 (g) working_public_key_algorithm 683 (h) working_public_key 684 (i) working_public_key_parameters 685 (j) working_issuer_name 686 */ 687 } NX_SECURE_X509_POLICIES; 688 689 /* This structure is used in parsing the X509 certificate. The ASN.1-encoded certificate 690 * contains embedded byte strings which contain ASN.1 data within. The initial parsing 691 * of the ASN.1 buffer will populate this structure, which will then be used to 692 * extract further information. This is specific to X509 certificates! 693 * NOTE: All specific data are returned as pointers into the original buffer to avoid copying! */ 694 typedef struct NX_SECURE_X509_CERT_STRUCT 695 { 696 /* Is this certificate used to identify the local device? */ 697 UINT nx_secure_x509_certificate_is_identity_cert; 698 699 /* What version of certificate is this? */ 700 USHORT nx_secure_x509_version; 701 702 /* Identifier used for TLS to distinguish between certificates outside of information 703 contained within the certificate. */ 704 UINT nx_secure_x509_cert_identifier; 705 706 /* Serial number. */ 707 const UCHAR *nx_secure_x509_serial_number; 708 USHORT nx_secure_x509_serial_number_length; 709 710 /* Validity time format - either ASN.1 generalized time or ASN.1 UTC time. 711 Uses the ASN.1 tag value. */ 712 USHORT nx_secure_x509_validity_format; 713 714 /* Validity period. Stored as ASN.1 generalized time or UTC time. */ 715 const UCHAR *nx_secure_x509_not_before; 716 USHORT nx_secure_x509_not_before_length; 717 const UCHAR *nx_secure_x509_not_after; 718 USHORT nx_secure_x509_not_after_length; 719 720 /* Pointer to certificate data. */ 721 UCHAR *nx_secure_x509_certificate_raw_data; 722 UINT nx_secure_x509_certificate_raw_buffer_size; 723 UINT nx_secure_x509_certificate_raw_data_length; 724 725 const UCHAR *nx_secure_x509_certificate_data; 726 UINT nx_secure_x509_certificate_data_length; 727 728 /* Signature Algorithm (For encrypting signature hash - RSA, DSS, etc). */ 729 UINT nx_secure_x509_signature_algorithm; 730 731 /* Pointer to the signature data in the certificate used for verification. */ 732 const UCHAR *nx_secure_x509_signature_data; 733 734 /* Length of the certificate digital signature data. */ 735 UINT nx_secure_x509_signature_data_length; 736 737 /* Issuer distinguished name. Used to authenticate this certificate against the trusted store. 738 * If this pointer is NULL, it is a root CA. For self-signed certs this will point to a 739 * structure with the same information. */ 740 NX_SECURE_X509_DISTINGUISHED_NAME nx_secure_x509_issuer; 741 742 /* This pointer points to the issuer chain for this certificate (follow the chain for verification). */ 743 struct NX_SECURE_X509_CERT_STRUCT *nx_secure_x509_issuer_chain; 744 745 /* X509 subject - Distinguished Name of the certificate. */ 746 NX_SECURE_X509_DISTINGUISHED_NAME nx_secure_x509_distinguished_name; 747 748 /* Pointer to lookup table for X.509 cryptographic routines. */ 749 NX_SECURE_X509_CRYPTO *nx_secure_x509_cipher_table; 750 751 /* Number of entried in the cipher lookup table. */ 752 USHORT nx_secure_x509_cipher_table_size; 753 754 /* Define the public cipher metadata area. */ 755 VOID *nx_secure_x509_public_cipher_metadata_area; 756 757 /* Define the public cipher metadata size. */ 758 ULONG nx_secure_x509_public_cipher_metadata_size; 759 760 /* Define the hash metadata area. */ 761 VOID *nx_secure_x509_hash_metadata_area; 762 763 /* Define the hash metadata size. */ 764 ULONG nx_secure_x509_hash_metadata_size; 765 766 /* This pointer points to a singly-linked list of certificates - used for the certificate stores. */ 767 struct NX_SECURE_X509_CERT_STRUCT *nx_secure_x509_next_certificate; 768 769 /* Public Key Algorithm (RSA, DH, etc). Tagged union gives us the actual key data.*/ 770 UINT nx_secure_x509_public_algorithm; 771 772 union 773 { 774 NX_SECURE_RSA_PUBLIC_KEY rsa_public_key; 775 776 #ifdef NX_SECURE_ENABLE_ECC_CIPHERSUITE 777 NX_SECURE_EC_PUBLIC_KEY ec_public_key; 778 #endif /* NX_SECURE_ENABLE_ECC_CIPHERSUITE */ 779 } nx_secure_x509_public_key; 780 781 /* Private key associated with this certificate. A tagged union represents the key data in parsed form 782 (if the type is known) or a pointer to a buffer of user-defined key data. Note that the private 783 key is typically loaded separately from the certificate so even if the private key data contains 784 the public key, we keep the private keys separate from the public keys (above).*/ 785 UINT nx_secure_x509_private_key_type; 786 787 union 788 { 789 /* RSA key type. */ 790 NX_SECURE_RSA_PRIVATE_KEY rsa_private_key; 791 792 #ifdef NX_SECURE_ENABLE_ECC_CIPHERSUITE 793 /* EC key type. */ 794 NX_SECURE_EC_PRIVATE_KEY ec_private_key; 795 #endif /* NX_SECURE_ENABLE_ECC_CIPHERSUITE */ 796 797 /* User-defined key type. */ 798 struct 799 { 800 const UCHAR *key_data; 801 ULONG key_length; 802 } user_key; 803 } nx_secure_x509_private_key; 804 805 /* Optional issuer identifier field. X509v2 or X509v3. */ 806 const UCHAR *nx_secure_x509_issuer_identifier; 807 USHORT nx_secure_x509_issuer_identifier_length; 808 809 /* Optional subject identifier field. X509v2 or X509v3. */ 810 const UCHAR *nx_secure_x509_subject_identifier; 811 USHORT nx_secure_x509_subject_identifier_length; 812 813 /* Pointer to start of extensions so we can optionally parse them later. */ 814 const UCHAR *nx_secure_x509_extensions_data; 815 ULONG nx_secure_x509_extensions_data_length; 816 817 /* Indicates whether a certificate was allocated by the application or 818 automatically by TLS. */ 819 UINT nx_secure_x509_user_allocated_cert; 820 } NX_SECURE_X509_CERT; 821 822 UINT _nx_secure_x509_certificate_parse(const UCHAR *buffer, UINT length, UINT *bytes_processed, NX_SECURE_X509_CERT *cert); 823 UINT _nx_secure_x509_asn1_tlv_block_parse(const UCHAR *buffer, ULONG *buffer_length, USHORT *tlv_type, USHORT *tlv_tag_class, ULONG *tlv_length, const UCHAR **tlv_data, ULONG *header_length); 824 825 UINT _nx_secure_x509_pkcs1_rsa_private_key_parse(const UCHAR *buffer, UINT length, UINT *bytes_processed, NX_SECURE_RSA_PRIVATE_KEY *rsa_key); 826 #ifdef NX_SECURE_ENABLE_ECC_CIPHERSUITE 827 UINT _nx_secure_x509_ec_private_key_parse(const UCHAR *buffer, UINT length, 828 UINT *bytes_processed, 829 NX_SECURE_EC_PRIVATE_KEY *ec_key); 830 UINT _nx_secure_x509_find_curve_method(USHORT named_curve, const NX_CRYPTO_METHOD **curve_method); 831 832 #endif /* NX_SECURE_ENABLE_ECC_CIPHERSUITE */ 833 834 /* CRL parsing. */ 835 #ifndef NX_SECURE_X509_DISABLE_CRL 836 837 typedef struct NX_SECURE_X509_CRL_STRUCT 838 { 839 /* Pointer to raw CRL data, used for signature verification. */ 840 const UCHAR *nx_secure_x509_crl_verify_data; 841 USHORT nx_secure_x509_crl_verify_data_length; 842 843 /* Issuer distinguished name. Used to authenticate this CRL against the trusted store. */ 844 NX_SECURE_X509_DISTINGUISHED_NAME nx_secure_x509_crl_issuer; 845 846 /* What version of CRL is this? */ 847 USHORT nx_secure_x509_crl_version; 848 849 /* Signature Algorithm (For encrypting signature hash - RSA, DSS, etc). */ 850 USHORT nx_secure_x509_crl_signature_algorithm; 851 852 /* Pointer to the signature data in the CRL used for verification of the list. */ 853 const UCHAR *nx_secure_x509_crl_signature_data; 854 855 /* Length of the CRL digital signature data. */ 856 UINT nx_secure_x509_crl_signature_data_length; 857 858 /* Validity period. Stored as ASN.1 generalized time or UTC time. */ 859 USHORT nx_secure_x509_crl_time_format; 860 const UCHAR *nx_secure_x509_crl_this_update; 861 USHORT nx_secure_x509_crl_this_update_length; 862 const UCHAR *nx_secure_x509_crl_next_update; 863 USHORT nx_secure_x509_crl_next_update_length; 864 865 /* Pointer to start of revoked certificate list. This will be parsed whenever a certificate 866 is being validated. */ 867 const UCHAR *nx_secure_x509_crl_revoked_certs; 868 ULONG nx_secure_x509_crl_revoked_certs_length; 869 } NX_SECURE_X509_CRL; 870 871 #endif 872 873 /* X509 API. */ 874 875 #define NX_SECURE_X509_CERT_LOCATION_NONE 0 /* Certificate location is uninitialized. */ 876 #define NX_SECURE_X509_CERT_LOCATION_LOCAL 1 /* Certificate is in the Local device certificate store. */ 877 #define NX_SECURE_X509_CERT_LOCATION_REMOTE 2 /* Certificate is in the remote certificate store. */ 878 #define NX_SECURE_X509_CERT_LOCATION_TRUSTED 3 /* Certificate is in the trusted store. */ 879 #define NX_SECURE_X509_CERT_LOCATION_EXCEPTIONS 4 /* Certificate is added as an exception (trusted temporarily). */ 880 #define NX_SECURE_X509_CERT_LOCATION_FREE 5 /* Certificate is uninitialized (except for next pointer) and usable by X509, TLS, etc. */ 881 882 /* Certificate store structure - contains linked lists of all certificates for this device. */ 883 typedef struct NX_SECURE_X509_CERTIFICATE_STORE_STRUCT 884 { 885 /* Pointer to certificates identifying this host. */ 886 NX_SECURE_X509_CERT *nx_secure_x509_local_certificates; 887 888 /* Pointer to certificates identifying the remote host. */ 889 NX_SECURE_X509_CERT *nx_secure_x509_remote_certificates; 890 891 /* Pointer to certificates that are free to use for parsing (will be placed in another list 892 after being initialized). */ 893 NX_SECURE_X509_CERT *nx_secure_x509_free_certificates; 894 895 /* Pointer to local store of trusted certificates. */ 896 NX_SECURE_X509_CERT *nx_secure_x509_trusted_certificates; 897 898 /* Pointer to store of exceptions - certificates that we want to trust but possibly only 899 temporarily and not something we want in a the trusted store. Keep this store separate 900 so we can clear it out more easily. */ 901 NX_SECURE_X509_CERT *nx_secure_x509_certificate_exceptions; 902 } NX_SECURE_X509_CERTIFICATE_STORE; 903 904 /* Get certificate for local device. */ 905 UINT _nx_secure_x509_local_device_certificate_get(NX_SECURE_X509_CERTIFICATE_STORE *store, 906 NX_SECURE_X509_DISTINGUISHED_NAME *name, 907 NX_SECURE_X509_CERT **certificate); 908 909 UINT _nx_secure_x509_local_certificate_find(NX_SECURE_X509_CERTIFICATE_STORE *store, 910 NX_SECURE_X509_CERT **certificate, UINT cert_id); 911 912 /* Get certificate sent by remote host. */ 913 UINT _nx_secure_x509_remote_endpoint_certificate_get(NX_SECURE_X509_CERTIFICATE_STORE *store, 914 NX_SECURE_X509_CERT **certificate); 915 916 /* Add a certificates to an X509 store. "location" indicates where the certificate will go: [ TRUSTED, LOCAL, REMOTE, EXCEPTION ] */ 917 UINT _nx_secure_x509_store_certificate_add(NX_SECURE_X509_CERT *certificate, 918 NX_SECURE_X509_CERTIFICATE_STORE *store, UINT location); 919 920 /* Remove a certificate from the supplied store given a distinguished name and optional location. */ 921 UINT _nx_secure_x509_store_certificate_remove(NX_SECURE_X509_CERTIFICATE_STORE *store, 922 NX_SECURE_X509_DISTINGUISHED_NAME *name, 923 UINT location, UINT cert_id); 924 925 /* Compares two distinguished names to see if they are equal. */ 926 INT _nx_secure_x509_distinguished_name_compare(NX_SECURE_X509_DISTINGUISHED_NAME *name, 927 NX_SECURE_X509_DISTINGUISHED_NAME *compare_name, ULONG compare_fields); 928 929 /* Parse an X.509 DER-encoded distinguished name. */ 930 UINT _nx_secure_x509_distinguished_name_parse(const UCHAR *buffer, UINT length, 931 UINT *bytes_processed, 932 NX_SECURE_X509_DISTINGUISHED_NAME *name); 933 934 UINT _nx_secure_x509_store_certificate_find(NX_SECURE_X509_CERTIFICATE_STORE *store, 935 NX_SECURE_X509_DISTINGUISHED_NAME *name, 936 UINT cert_id, 937 NX_SECURE_X509_CERT **certificate, UINT *location); 938 939 /* Build an X509 certificate chain using the supplied certificate store and the given distinguished name. */ 940 UINT _nx_secure_x509_certificate_chain_build(NX_SECURE_X509_CERTIFICATE_STORE *store, 941 NX_SECURE_X509_CERT *certificate); 942 943 /* Verify a certificate against its issuer. */ 944 UINT _nx_secure_x509_certificate_verify(NX_SECURE_X509_CERTIFICATE_STORE *store, 945 NX_SECURE_X509_CERT *certificate, 946 NX_SECURE_X509_CERT *issuer_certificate); 947 948 /* Verify a given certificate chain to see if the end-entity certificate can be traced through the chain to a trust anchor. */ 949 UINT _nx_secure_x509_certificate_chain_verify(NX_SECURE_X509_CERTIFICATE_STORE *store, 950 NX_SECURE_X509_CERT *certificate, ULONG current_time); 951 952 /* Parse an OID string, returning an internally-used constant (defined above) for use in other parsing. */ 953 VOID _nx_secure_x509_oid_parse(const UCHAR *oid, ULONG length, UINT *oid_value); 954 955 UINT _nx_secure_x509_pkcs7_decode(const UCHAR *signature_pointer, UINT signature_length, 956 const UCHAR **signature_oid, UINT *signature_oid_length, 957 const UCHAR **hash_data, UINT *hash_length); 958 959 /* Initialize an X509 certificate structure with a DER-encoded certificate blob. */ 960 UINT _nx_secure_x509_certificate_initialize(NX_SECURE_X509_CERT *certificate, 961 UCHAR *certificate_data, USHORT length, 962 UCHAR *raw_data_buffer, USHORT buffer_size, 963 const UCHAR *private_key, 964 USHORT priv_len, UINT private_key_type); 965 966 UINT _nx_secure_x509_dns_name_initialize(NX_SECURE_X509_DNS_NAME *dns_name, 967 const UCHAR *name_string, USHORT length); 968 969 /* Return a structure containing cryptographic methods for a particular certificate. */ 970 UINT _nx_secure_x509_find_certificate_methods(NX_SECURE_X509_CERT *cert, USHORT signature_algorithm, 971 NX_SECURE_X509_CRYPTO **crypto_methods); 972 973 /* Get a "free" certificate allocated earlier by the application. */ 974 UINT _nx_secure_x509_free_certificate_get(NX_SECURE_X509_CERTIFICATE_STORE *store, 975 NX_SECURE_X509_CERT **certificate); 976 977 /* Utility methods for certificate linked-lists. */ 978 UINT _nx_secure_x509_certificate_list_add(NX_SECURE_X509_CERT **list_head, 979 NX_SECURE_X509_CERT *certificate, UINT duplicates_ok); 980 UINT _nx_secure_x509_certificate_list_find(NX_SECURE_X509_CERT **list_head, 981 NX_SECURE_X509_DISTINGUISHED_NAME *name, 982 UINT cert_id, 983 NX_SECURE_X509_CERT **certificate); 984 UINT _nx_secure_x509_certificate_list_remove(NX_SECURE_X509_CERT **list_head, 985 NX_SECURE_X509_DISTINGUISHED_NAME *name, UINT cert_id); 986 987 #ifndef NX_SECURE_X509_DISABLE_CRL 988 UINT _nx_secure_x509_certificate_revocation_list_parse(const UCHAR *buffer, UINT length, 989 UINT *bytes_processed, NX_SECURE_X509_CRL *crl); 990 #endif /* NX_SECURE_X509_DISABLE_CRL */ 991 UINT _nx_secure_x509_common_name_dns_check(NX_SECURE_X509_CERT *certificate, 992 const UCHAR *dns_tld, UINT dns_tld_length); 993 INT _nx_secure_x509_wildcard_compare(const UCHAR *dns_name, UINT dns_name_len, 994 const UCHAR *wildcard_name, UINT wildcard_len); 995 UINT _nx_secure_x509_crl_revocation_check(const UCHAR *crl_data, UINT length, 996 NX_SECURE_X509_CERTIFICATE_STORE *store, 997 NX_SECURE_X509_CERT *certificate); 998 #ifndef NX_SECURE_X509_DISABLE_CRL 999 UINT _nx_secure_x509_crl_verify(NX_SECURE_X509_CERT *certificate, NX_SECURE_X509_CRL *crl, 1000 NX_SECURE_X509_CERTIFICATE_STORE *store, 1001 NX_SECURE_X509_CERT *issuer_certificate); 1002 #endif /* NX_SECURE_X509_DISABLE_CRL */ 1003 UINT _nx_secure_x509_expiration_check(NX_SECURE_X509_CERT *certificate, ULONG current_time); 1004 1005 UINT _nx_secure_x509_extended_key_usage_extension_parse(NX_SECURE_X509_CERT *certificate, 1006 UINT key_usage); 1007 UINT _nx_secure_x509_extension_find(NX_SECURE_X509_CERT *certificate, 1008 NX_SECURE_X509_EXTENSION *extension, USHORT extension_id); 1009 UINT _nx_secure_x509_key_usage_extension_parse(NX_SECURE_X509_CERT *certificate, USHORT *bitfield); 1010 UINT _nx_secure_x509_subject_alt_names_find(NX_SECURE_X509_EXTENSION *extension, const UCHAR *name, 1011 UINT name_length, USHORT name_type); 1012 1013 /* Error-checking APIs. */ 1014 UINT _nxe_secure_x509_certificate_initialize(NX_SECURE_X509_CERT *certificate, 1015 UCHAR *certificate_data, USHORT length, 1016 UCHAR *raw_data_buffer, USHORT buffer_size, 1017 const UCHAR *private_key, USHORT priv_len, 1018 UINT private_key_type); 1019 UINT _nxe_secure_x509_common_name_dns_check(NX_SECURE_X509_CERT *certificate, const UCHAR *dns_tld, 1020 UINT dns_tld_length); 1021 UINT _nxe_secure_x509_dns_name_initialize(NX_SECURE_X509_DNS_NAME *dns_name, 1022 const UCHAR *name_string, USHORT length); 1023 UINT _nxe_secure_x509_crl_revocation_check(const UCHAR *crl_data, UINT crl_length, 1024 NX_SECURE_X509_CERTIFICATE_STORE *store, 1025 NX_SECURE_X509_CERT *certificate); 1026 UINT _nxe_secure_x509_extended_key_usage_extension_parse(NX_SECURE_X509_CERT *certificate, 1027 UINT key_usage); 1028 UINT _nxe_secure_x509_extension_find(NX_SECURE_X509_CERT *certificate, 1029 NX_SECURE_X509_EXTENSION *extension, USHORT extension_id); 1030 UINT _nxe_secure_x509_key_usage_extension_parse(NX_SECURE_X509_CERT *certificate, USHORT *bitfield); 1031 1032 1033 /* MAP APIs. */ 1034 #ifdef NX_SECURE_DISABLE_ERROR_CHECKING 1035 #define nx_secure_x509_certificate_initialize _nx_secure_x509_certificate_initialize 1036 #define nx_secure_x509_common_name_dns_check _nx_secure_x509_common_name_dns_check 1037 #define nx_secure_x509_dns_name_initialize _nx_secure_x509_dns_name_initialize 1038 #define nx_secure_x509_crl_revocation_check _nx_secure_x509_crl_revocation_check 1039 #define nx_secure_x509_extended_key_usage_extension_parse _nx_secure_x509_extended_key_usage_extension_parse 1040 #define nx_secure_x509_extension_find _nx_secure_x509_extension_find 1041 #define nx_secure_x509_key_usage_extension_parse _nx_secure_x509_key_usage_extension_parse 1042 #else 1043 #define nx_secure_x509_certificate_initialize _nxe_secure_x509_certificate_initialize 1044 #define nx_secure_x509_common_name_dns_check _nxe_secure_x509_common_name_dns_check 1045 #define nx_secure_x509_dns_name_initialize _nxe_secure_x509_dns_name_initialize 1046 #define nx_secure_x509_crl_revocation_check _nxe_secure_x509_crl_revocation_check 1047 #define nx_secure_x509_extended_key_usage_extension_parse _nxe_secure_x509_extended_key_usage_extension_parse 1048 #define nx_secure_x509_extension_find _nxe_secure_x509_extension_find 1049 #define nx_secure_x509_key_usage_extension_parse _nxe_secure_x509_key_usage_extension_parse 1050 #endif 1051 1052 UINT nx_secure_x509_certificate_initialize(NX_SECURE_X509_CERT *certificate, UCHAR *certificate_data, 1053 USHORT length, UCHAR *raw_data_buffer, USHORT buffer_size, 1054 const UCHAR *private_key, USHORT priv_len, 1055 UINT private_key_type); 1056 UINT nx_secure_x509_common_name_dns_check(NX_SECURE_X509_CERT *certificate, const UCHAR *dns_tld, 1057 UINT dns_tld_length); 1058 UINT nx_secure_x509_dns_name_initialize(NX_SECURE_X509_DNS_NAME *dns_name, 1059 const UCHAR *name_string, USHORT length); 1060 UINT nx_secure_x509_crl_revocation_check(const UCHAR *crl_data, UINT crl_length, 1061 NX_SECURE_X509_CERTIFICATE_STORE *store, 1062 NX_SECURE_X509_CERT *certificate); 1063 UINT nx_secure_x509_extended_key_usage_extension_parse(NX_SECURE_X509_CERT *certificate, 1064 UINT key_usage); 1065 UINT nx_secure_x509_extension_find(NX_SECURE_X509_CERT *certificate, 1066 NX_SECURE_X509_EXTENSION *extension, USHORT extension_id); 1067 UINT nx_secure_x509_key_usage_extension_parse(NX_SECURE_X509_CERT *certificate, USHORT *bitfield); 1068 1069 #ifdef __cplusplus 1070 } 1071 #endif 1072 1073 #endif /* SRC_NX_SECURE_X509_H_ */ 1074 1075
