1 /*************************************************************************** 2 * Copyright (c) 2024 Microsoft Corporation 3 * 4 * This program and the accompanying materials are made available under the 5 * terms of the MIT License which is available at 6 * https://opensource.org/licenses/MIT. 7 * 8 * SPDX-License-Identifier: MIT 9 **************************************************************************/ 10 11 12 /**************************************************************************/ 13 /**************************************************************************/ 14 /** */ 15 /** NetX Secure Component */ 16 /** */ 17 /** X.509 Digital Certificates */ 18 /** */ 19 /**************************************************************************/ 20 /**************************************************************************/ 21 22 23 /**************************************************************************/ 24 /* */ 25 /* COMPONENT DEFINITION RELEASE */ 26 /* */ 27 /* nx_secure_x509.h PORTABLE C */ 28 /* 6.2.1 */ 29 /* AUTHOR */ 30 /* */ 31 /* Timothy Stapko, Microsoft Corporation */ 32 /* */ 33 /* DESCRIPTION */ 34 /* */ 35 /* This file defines all service prototypes and data structure */ 36 /* definitions for X.509 implementation. */ 37 /* */ 38 /* RELEASE HISTORY */ 39 /* */ 40 /* DATE NAME DESCRIPTION */ 41 /* */ 42 /* 05-19-2020 Timothy Stapko Initial Version 6.0 */ 43 /* 09-30-2020 Timothy Stapko Modified comment(s), */ 44 /* fixed key usage bit order, */ 45 /* resulting in version 6.1 */ 46 /* 04-02-2021 Timothy Stapko Modified comment(s), */ 47 /* removed dependency on TLS, */ 48 /* resulting in version 6.1.6 */ 49 /* 06-02-2021 Timothy Stapko Modified comment(s), */ 50 /* supported hardware EC */ 51 /* private key, */ 52 /* resulting in version 6.1.7 */ 53 /* 01-31-2022 Timothy Stapko Modified comment(s), */ 54 /* ignored public key in EC */ 55 /* private key, */ 56 /* resulting in version 6.1.10 */ 57 /* 07-29-2022 Yuxin Zhou Modified comment(s), */ 58 /* checked expiration for all */ 59 /* the certs in the chain, */ 60 /* resulting in version 6.1.12 */ 61 /* 03-08-2023 Yanwu Cai Modified comment(s), */ 62 /* included TLS port header, */ 63 /* resulting in version 6.2.1 */ 64 /* */ 65 /**************************************************************************/ 66 67 #ifndef SRC_NX_SECURE_X509_H_ 68 #define SRC_NX_SECURE_X509_H_ 69 70 /* Determine if a C++ compiler is being used. If so, ensure that standard 71 C is used to process the API information. */ 72 #ifdef __cplusplus 73 74 /* Yes, C++ compiler is present. Use standard C. */ 75 extern "C" { 76 77 #endif 78 79 #include "nx_crypto.h" 80 81 #ifndef NX_CRYPTO_STANDALONE_ENABLE 82 #include "nx_secure_port.h" 83 #endif 84 85 /* Enable ECC by default. */ 86 #ifndef NX_SECURE_DISABLE_ECC_CIPHERSUITE 87 #ifndef NX_SECURE_ENABLE_ECC_CIPHERSUITE 88 #define NX_SECURE_ENABLE_ECC_CIPHERSUITE 89 #endif 90 #else 91 #undef NX_SECURE_ENABLE_ECC_CIPHERSUITE 92 #endif 93 94 #ifndef NX_SECURE_CALLER_CHECKING_EXTERNS 95 #ifdef NX_CRYPTO_STANDALONE_ENABLE 96 #define NX_SECURE_CALLER_CHECKING_EXTERNS 97 #else 98 #define NX_SECURE_CALLER_CHECKING_EXTERNS NX_CALLER_CHECKING_EXTERNS 99 #endif 100 #endif 101 102 #ifndef NX_THREADS_ONLY_CALLER_CHECKING 103 #ifdef NX_CRYPTO_STANDALONE_ENABLE 104 #define NX_THREADS_ONLY_CALLER_CHECKING 105 #endif 106 #endif 107 108 /* Define memcpy, memset and memcmp functions used internal. */ 109 #ifndef NX_SECURE_MEMCPY 110 #define NX_SECURE_MEMCPY memcpy 111 #endif /* NX_SECURE_MEMCPY */ 112 113 #ifndef NX_SECURE_MEMCMP 114 #define NX_SECURE_MEMCMP memcmp 115 #endif /* NX_SECURE_MEMCMP */ 116 117 #ifndef NX_SECURE_MEMSET 118 #define NX_SECURE_MEMSET memset 119 #endif /* NX_SECURE_MEMSET */ 120 121 #ifndef NX_SECURE_MEMMOVE 122 #define NX_SECURE_MEMMOVE memmove 123 #endif /* NX_SECURE_MEMMOVE */ 124 125 /* Define extensions used for user defined actions during X509 parse. */ 126 #ifndef NX_SECURE_X509_PARSE_CERTIFICATE_EXTENSION 127 #define NX_SECURE_X509_PARSE_CERTIFICATE_EXTENSION 128 #endif /* NX_SECURE_X509_PARSE_CERTIFICATE_EXTENSION */ 129 130 #ifndef NX_SECURE_X509_CERTIFICATE_VERIFY_EXTENSION 131 #define NX_SECURE_X509_CERTIFICATE_VERIFY_EXTENSION 132 #endif /* NX_SECURE_X509_CERTIFICATE_VERIFY_EXTENSION */ 133 134 #ifndef NX_SECURE_X509_PARSE_CRL_EXTENSION 135 #define NX_SECURE_X509_PARSE_CRL_EXTENSION 136 #endif /* NX_SECURE_X509_PARSE_CRL_EXTENSION */ 137 138 #ifndef NX_SECURE_X509_CRL_VERIFY_EXTENSION 139 #define NX_SECURE_X509_CRL_VERIFY_EXTENSION 140 #endif /* NX_SECURE_X509_CRL_VERIFY_EXTENSION */ 141 142 #ifndef NX_SECURE_X509_CERTIFICATE_INITIALIZE_EXTENSION 143 #define NX_SECURE_X509_CERTIFICATE_INITIALIZE_EXTENSION 144 #endif /* NX_SECURE_X509_CERTIFICATE_INITIALIZE_EXTENSION */ 145 146 /* Return values for X509 errors. */ 147 #define NX_SECURE_X509_SUCCESS 0 /* Successful return status. */ 148 #define NX_SECURE_X509_MULTIBYTE_TAG_UNSUPPORTED 0x181 /* We encountered a multi-byte ASN.1 tag - not currently supported. */ 149 #define NX_SECURE_X509_ASN1_LENGTH_TOO_LONG 0x182 /* Encountered a length value longer than we can handle. */ 150 #define NX_SECURE_X509_FOUND_NON_ZERO_PADDING 0x183 /* Expected a padding value of 0 - got something different. */ 151 #define NX_SECURE_X509_MISSING_PUBLIC_KEY 0x184 /* X509 expected a public key but didn't find one. */ 152 #define NX_SECURE_X509_INVALID_PUBLIC_KEY 0x185 /* Found a public key, but it is invalid or has an incorrect format. */ 153 #define NX_SECURE_X509_INVALID_CERTIFICATE_SEQUENCE 0x186 /* The top-level ASN.1 block is not a sequence - invalid X509 certificate. */ 154 #define NX_SECURE_X509_MISSING_SIGNATURE_ALGORITHM 0x187 /* Expecting a signature algorithm identifier, did not find it. */ 155 #define NX_SECURE_X509_INVALID_CERTIFICATE_DATA 0x188 /* Certificate identity data is in an invalid format. */ 156 #define NX_SECURE_X509_UNEXPECTED_ASN1_TAG 0x189 /* We were expecting a specific ASN.1 tag for X509 format but we got something else. */ 157 #define NX_SECURE_PKCS1_INVALID_PRIVATE_KEY 0x18A /* A PKCS#1 private key file was passed in, but the formatting was incorrect. */ 158 #define NX_SECURE_X509_CHAIN_TOO_SHORT 0x18B /* An X509 certificate chain was too short to hold the entire chain during chain building. */ 159 #define NX_SECURE_X509_CHAIN_VERIFY_FAILURE 0x18C /* An X509 certificate chain was unable to be verified (catch-all error). */ 160 #define NX_SECURE_X509_PKCS7_PARSING_FAILED 0x18D /* Parsing an X.509 PKCS#7-encoded signature failed. */ 161 #define NX_SECURE_X509_CERTIFICATE_NOT_FOUND 0x18E /* In looking up a certificate, no matching entry was found. */ 162 #define NX_SECURE_X509_INVALID_VERSION 0x18F /* A certificate included a field that isn't compatible with the given version. */ 163 #define NX_SECURE_X509_INVALID_TAG_CLASS 0x190 /* A certificate included an ASN.1 tag with an invalid tag class value. */ 164 #define NX_SECURE_X509_INVALID_EXTENSIONS 0x191 /* A certificate included an extensions TLV but that did not contain a sequence. */ 165 #define NX_SECURE_X509_INVALID_EXTENSION_SEQUENCE 0x192 /* A certificate included an extension sequence that was invalid X.509. */ 166 #define NX_SECURE_X509_CERTIFICATE_EXPIRED 0x193 /* A certificate had a "not after" field that was less than the current time. */ 167 #define NX_SECURE_X509_CERTIFICATE_NOT_YET_VALID 0x194 /* A certificate had a "not before" field that was greater than the current time. */ 168 #define NX_SECURE_X509_CERTIFICATE_DNS_MISMATCH 0x195 /* A certificate Common Name or Subject Alt Name did not match a given DNS TLD. */ 169 #define NX_SECURE_X509_INVALID_DATE_FORMAT 0x196 /* A certificate contained a date field that is not in a recognized format. */ 170 #define NX_SECURE_X509_CRL_ISSUER_MISMATCH 0x197 /* A provided CRL and certificate were not issued by the same Certificate Authority. */ 171 #define NX_SECURE_X509_CRL_SIGNATURE_CHECK_FAILED 0x198 /* A CRL signature check failed against its issuer. */ 172 #define NX_SECURE_X509_CRL_CERTIFICATE_REVOKED 0x199 /* A certificate was found in a valid CRL and has therefore been revoked. */ 173 #define NX_SECURE_X509_WRONG_SIGNATURE_METHOD 0x19A /* In attempting to validate a signature the signature method did not match the expected method. */ 174 #define NX_SECURE_X509_EXTENSION_NOT_FOUND 0x19B /* In looking for an extension, no extension with a matching ID was found. */ 175 #define NX_SECURE_X509_ALT_NAME_NOT_FOUND 0x19C /* A name was searched for in a subjectAltName extension but was not found. */ 176 #define NX_SECURE_X509_INVALID_PRIVATE_KEY_TYPE 0x19D /* Private key type given was unknown or invalid. */ 177 #define NX_SECURE_X509_NAME_STRING_TOO_LONG 0x19E /* A name passed as a parameter was too long for an internal fixed-size buffer. */ 178 #define NX_SECURE_X509_EXT_KEY_USAGE_NOT_FOUND 0x19F /* In parsing an ExtendedKeyUsage extension, the specified usage was not found. */ 179 #define NX_SECURE_X509_KEY_USAGE_ERROR 0x1A0 /* For use with key usage extensions - return this to indicate an error at the application level with key usage. */ 180 181 /* Return values from TLS. */ 182 #define NX_SECURE_X509_UNSUPPORTED_PUBLIC_CIPHER 0x1A1 /* A certificate provided by a server specified a public-key operation we do not support. */ 183 #define NX_SECURE_X509_INVALID_CERTIFICATE 0x1A2 /* An X509 certificate did not parse correctly. */ 184 #define NX_SECURE_X509_UNKNOWN_CERT_SIG_ALGORITHM 0x1A3 /* A certificate during verification had an unsupported signature algorithm. */ 185 #define NX_SECURE_X509_CERTIFICATE_SIG_CHECK_FAILED 0x1A4 /* A certificate signature verification check failed - certificate data did not match signature. */ 186 #define NX_SECURE_X509_INVALID_SELF_SIGNED_CERT 0x1A5 /* The remote host sent a self-signed certificate and NX_SECURE_ALLOW_SELF_SIGNED_CERTIFICATES is not defined. */ 187 #define NX_SECURE_X509_ISSUER_CERTIFICATE_NOT_FOUND 0x1A6 /* A remote certificate was received with an issuer not in the local trusted store. */ 188 #define NX_SECURE_X509_NO_CERT_SPACE_ALLOCATED 0x1A7 /* No certificate space was allocated for incoming remote certificates. */ 189 #define NX_SECURE_X509_INSUFFICIENT_CERT_SPACE 0x1A8 /* Not enough certificate buffer space allocated for a certificate. */ 190 #define NX_SECURE_X509_CERT_ID_DUPLICATE 0x1A9 /* Tried to add a certificate with a numeric ID that was already used - needs to be unique. */ 191 #define NX_SECURE_X509_MISSING_CRYPTO_ROUTINE 0x1AA /* In attempting to perform a cryptographic operation, an entry in the ciphersuite table (or one of its function pointers) was NULL. */ 192 193 /* Defines for working with private key types. */ 194 #define NX_SECURE_X509_KEY_TYPE_USER_DEFINED_MASK (0xFFFF0000) 195 196 /* Private key type defines for initializing private key data associated with an X.509 certificate. */ 197 #define NX_SECURE_X509_KEY_TYPE_NONE 0x00000000 /* Default value for no key. */ 198 #define NX_SECURE_X509_KEY_TYPE_RSA_PKCS1_DER 0x00000001 /* DER-encoded PKCS-1 RSA private key. */ 199 #define NX_SECURE_X509_KEY_TYPE_EC_DER 0x00000002 /* DER-encoded EC private key. */ 200 #define NX_SECURE_X509_KEY_TYPE_HARDWARE 0x00000003 /* Hardware private key */ 201 202 203 /* ASN.1 Format: 204 * <Type, Length, Value> 205 * - Type is simply a tag value (defined below) 206 * - Length is: 207 * <= 127 (7 bits), length is the number of bytes of Value 208 * > 127, high bit is set, and lower 7 bits becomes the number of following bytes of *length* 209 * so 841 bytes of Value is encoded as 0x82, 0x03, 0x49 (0x82 = 2 bytes of length, 0x0349 = 841). 210 * - Value depends on the Tag 211 * */ 212 213 /* ASN.1 Tags relevant to X509. */ 214 #define NX_SECURE_ASN_TAG_BER 0 215 #define NX_SECURE_ASN_TAG_BOOLEAN 1 216 #define NX_SECURE_ASN_TAG_INTEGER 2 217 #define NX_SECURE_ASN_TAG_BIT_STRING 3 218 #define NX_SECURE_ASN_TAG_OCTET_STRING 4 219 #define NX_SECURE_ASN_TAG_NULL 5 220 #define NX_SECURE_ASN_TAG_OID 6 221 #define NX_SECURE_ASN_TAG_OBJ_DESCRIPTOR 7 222 #define NX_SECURE_ASN_TAG_EXTERNAL_INSTANCE 8 223 #define NX_SECURE_ASN_TAG_REAL 9 224 #define NX_SECURE_ASN_TAG_ENUMERATED 10 225 #define NX_SECURE_ASN_TAG_EMBEDDED_PPV 11 226 #define NX_SECURE_ASN_TAG_UTF8_STRING 12 227 #define NX_SECURE_ASN_TAG_RELATIVE_OID 13 228 #define NX_SECURE_ASN_TAG_UNDEFINED_14 14 229 #define NX_SECURE_ASN_TAG_UNDEFINED_15 15 230 #define NX_SECURE_ASN_TAG_SEQUENCE 16 231 #define NX_SECURE_ASN_TAG_SET 17 232 #define NX_SECURE_ASN_TAG_NUMERIC_STRING 18 233 #define NX_SECURE_ASN_TAG_PRINTABLE_STRING 19 234 #define NX_SECURE_ASN_TAG_TELETEX_STRING 20 235 #define NX_SECURE_ASN_TAG_T61_STRING 20 236 #define NX_SECURE_ASN_TAG_VIDEOTEX_STRING 21 237 #define NX_SECURE_ASN_TAG_IA5_STRING 22 238 #define NX_SECURE_ASN_TAG_UTC_TIME 23 239 #define NX_SECURE_ASN_TAG_GENERALIZED_TIME 24 240 #define NX_SECURE_ASN_TAG_GRAPHIC_STRING 25 241 #define NX_SECURE_ASN_TAG_VISIBLE_STRING 26 242 #define NX_SECURE_ASN_TAG_GENERAL_STRING 27 243 #define NX_SECURE_ASN_TAG_UNIVERSAL_STRING 28 244 #define NX_SECURE_ASN_TAG_CHARACTER_STRING 29 245 #define NX_SECURE_ASN_TAG_BMP_STRING 30 246 247 #define NX_SECURE_ASN_TAG_CONSTRUCTED_MASK 0x20 /* If bit 6 is set, it is a constructed type. */ 248 249 #define NX_SECURE_ASN_TAG_CLASS_MASK 0xC0 /* Top 2 bits of tag are the "class". */ 250 #define NX_SECURE_ASN_TAG_MASK 0x1F /* Bottom 6 bits are the tag itself. */ 251 #define NX_SECURE_ASN_TAG_MULTIBYTE_MASK 0x1F /* Some tags are multi-byte but never in x509. */ 252 253 /* Tag classes. Bits refer to bit locations in the tag octet. 254 * Note that "Application" and "Private" are not recommended for use and 255 * should probably never be encountered in an X.509 certificate. 256 * Class | Bit 7 | Bit 8 | 257 * --------------------------------------------- 258 * Universal | 0 | 0 | 259 * Application | 0 | 1 | 260 * Context-specific | 1 | 0 | 261 * Private | 1 | 1 | 262 */ 263 #define NX_SECURE_ASN_TAG_CLASS_UNIVERSAL 0x00 /* ASN.1 standard tag values. */ 264 #define NX_SECURE_ASN_TAG_CLASS_APPLICATION 0x01 /* (UNUSED) Application-specific tag values. */ 265 #define NX_SECURE_ASN_TAG_CLASS_CONTEXT 0x02 /* Context-specific tag values. */ 266 #define NX_SECURE_ASN_TAG_CLASS_PRIVATE 0x03 /* (UNUSED) Private tag values. */ 267 268 /* X.509 version identifiers. */ 269 #define NX_SECURE_X509_VERSION_1 (0x0) 270 #define NX_SECURE_X509_VERSION_2 (0x1) 271 #define NX_SECURE_X509_VERSION_3 (0x2) 272 273 /* X.509 context-specific tag values. */ 274 #define NX_SECURE_X509_TAG_VERSION (0x00) /* In TBSCertificate ASN.1, version field tag. */ 275 #define NX_SECURE_X509_TAG_ISSUER_UNIQUE_ID (0x01) /* In TBSCertificate ASN.1, Issuer unique id field tag. */ 276 #define NX_SECURE_X509_TAG_SUBJECT_UNIQUE_ID (0x02) /* In TBSCertificate ASN.1, Subject unique id field tag. */ 277 #define NX_SECURE_X509_TAG_EXTENSIONS (0x03) /* In TBSCertificate ASN.1, Extensions field tag. */ 278 279 /* X.509 subjectAltName context-specific tag values. */ 280 #define NX_SECURE_X509_SUB_ALT_NAME_TAG_OTHERNAME (0) 281 #define NX_SECURE_X509_SUB_ALT_NAME_TAG_RFC822NAME (1) 282 #define NX_SECURE_X509_SUB_ALT_NAME_TAG_DNSNAME (2) 283 #define NX_SECURE_X509_SUB_ALT_NAME_TAG_X400ADDRESS (3) 284 #define NX_SECURE_X509_SUB_ALT_NAME_TAG_DIRECTORYNAME (4) 285 #define NX_SECURE_X509_SUB_ALT_NAME_TAG_EDIPARTYNAME (5) 286 #define NX_SECURE_X509_SUB_ALT_NAME_TAG_UNIFORMRESOURCEIDENTIFIER (6) 287 #define NX_SECURE_X509_SUB_ALT_NAME_TAG_IPADDRESS (7) 288 #define NX_SECURE_X509_SUB_ALT_NAME_TAG_REGISTEREDID (8) 289 290 /* X.509 CRL context-specific tags. */ 291 #define NX_SECURE_X509_CRL_TAG_EXTENSIONS (0x00) /* In CRL ASN.1, extensions field tag. */ 292 293 /* X.509 KeyUsage extension bit field values. */ 294 #define NX_SECURE_X509_KEY_USAGE_DIGITAL_SIGNATURE (0x8000) 295 #define NX_SECURE_X509_KEY_USAGE_NON_REPUDIATION (0x4000) 296 #define NX_SECURE_X509_KEY_USAGE_KEY_ENCIPHERMENT (0x2000) 297 #define NX_SECURE_X509_KEY_USAGE_DATA_ENCIPHERMENT (0X1000) 298 #define NX_SECURE_X509_KEY_USAGE_KEY_AGREEMENT (0X0800) 299 #define NX_SECURE_X509_KEY_USAGE_KEY_CERT_SIGN (0X0400) 300 #define NX_SECURE_X509_KEY_USAGE_CRL_SIGN (0X0200) 301 #define NX_SECURE_X509_KEY_USAGE_ENCIPHER_ONLY (0X0100) 302 #define NX_SECURE_X509_KEY_USAGE_DECIPHER_ONLY (0X0080) 303 304 305 /* Internal NetX Secure identifiers for X.509 OID values. The OIDs are variable-length multi-byte 306 values so it's useful to have them map to a simple enumeration. */ 307 #define NX_SECURE_TLS_X509_TYPE_UNKNOWN 0 308 #define NX_SECURE_TLS_X509_TYPE_RSA 1 309 #define NX_SECURE_TLS_X509_TYPE_RSA_MD5 2 310 #define NX_SECURE_TLS_X509_TYPE_RSA_SHA_1 3 311 #define NX_SECURE_TLS_X509_TYPE_RSA_SHA_256 4 312 #define NX_SECURE_TLS_X509_TYPE_RSA_SHA_384 5 313 #define NX_SECURE_TLS_X509_TYPE_RSA_SHA_512 6 314 #define NX_SECURE_TLS_X509_TYPE_DH 7 315 #define NX_SECURE_TLS_X509_TYPE_DSS_SHA_1 8 316 #define NX_SECURE_TLS_X509_TYPE_COMMON_NAME 9 317 #define NX_SECURE_TLS_X509_TYPE_EMAIL 10 318 #define NX_SECURE_TLS_X509_TYPE_COUNTRY 11 319 #define NX_SECURE_TLS_X509_TYPE_STATE 12 320 #define NX_SECURE_TLS_X509_TYPE_LOCALITY 13 321 #define NX_SECURE_TLS_X509_TYPE_ORGANIZATION 14 322 #define NX_SECURE_TLS_X509_TYPE_ORG_UNIT 15 323 /*#define NX_SECURE_TLS_X509_TYPE_EXTENSIONS_PREFIX 16*/ 324 #define NX_SECURE_TLS_X509_TYPE_DIRECTORY_ATTRIBUTES 17 325 #define NX_SECURE_TLS_X509_TYPE_SUBJECT_KEY_ID 18 326 #define NX_SECURE_TLS_X509_TYPE_KEY_USAGE 19 327 #define NX_SECURE_TLS_X509_TYPE_SUBJECT_ALT_NAME 20 328 #define NX_SECURE_TLS_X509_TYPE_ISSUER_ALT_NAME 21 329 #define NX_SECURE_TLS_X509_TYPE_BASIC_CONSTRAINTS 22 330 #define NX_SECURE_TLS_X509_TYPE_NAME_CONSTRAINTS 23 331 #define NX_SECURE_TLS_X509_TYPE_CRL_DISTRIBUTION 24 332 #define NX_SECURE_TLS_X509_TYPE_CERTIFICATE_POLICIES 25 333 #define NX_SECURE_TLS_X509_TYPE_CERT_POLICY_MAPPINGS 26 334 #define NX_SECURE_TLS_X509_TYPE_AUTHORITY_KEY_ID 27 335 #define NX_SECURE_TLS_X509_TYPE_POLICY_CONSTRAINTS 28 336 #define NX_SECURE_TLS_X509_TYPE_EXTENDED_KEY_USAGE 29 337 #define NX_SECURE_TLS_X509_TYPE_ANY_EXTENDED_KEY_USAGE 30 338 #define NX_SECURE_TLS_X509_TYPE_FRESHEST_CRL 31 339 #define NX_SECURE_TLS_X509_TYPE_INHIBIT_ANYPOLICY 32 340 #define NX_SECURE_TLS_X509_TYPE_SURNAME 33 341 #define NX_SECURE_TLS_X509_TYPE_SERIAL_NUMBER 34 342 #define NX_SECURE_TLS_X509_TYPE_TITLE 35 343 #define NX_SECURE_TLS_X509_TYPE_NAME 36 344 #define NX_SECURE_TLS_X509_TYPE_GIVEN_NAME 37 345 #define NX_SECURE_TLS_X509_TYPE_INITIALS 38 346 #define NX_SECURE_TLS_X509_TYPE_GENERATION 39 347 #define NX_SECURE_TLS_X509_TYPE_DN_QUALIFIER 40 348 #define NX_SECURE_TLS_X509_TYPE_PSEUDONYM 41 349 #define NX_SECURE_TLS_X509_TYPE_PKIX_EXT_PREFIX 42 350 #define NX_SECURE_TLS_X509_TYPE_PKIX_AIA 43 351 #define NX_SECURE_TLS_X509_TYPE_PKIX_SIA 44 352 #define NX_SECURE_TLS_X509_TYPE_NETSCAPE_COMMENT 45 353 #define NX_SECURE_TLS_X509_TYPE_ANY_POLICY 46 354 #define NX_SECURE_TLS_X509_TYPE_PKIX_QT 47 355 #define NX_SECURE_TLS_X509_TYPE_PKIX_QT_CPS 48 356 #define NX_SECURE_TLS_X509_TYPE_PKIX_QT_UNOTICE 49 357 #define NX_SECURE_TLS_X509_TYPE_PKIX_KP 50 358 #define NX_SECURE_TLS_X509_TYPE_PKIX_KP_SERVER_AUTH 51 359 #define NX_SECURE_TLS_X509_TYPE_PKIX_KP_CLIENT_AUTH 52 360 #define NX_SECURE_TLS_X509_TYPE_PKIX_KP_CODE_SIGNING 53 361 #define NX_SECURE_TLS_X509_TYPE_PKIX_KP_EMAIL_PROTECT 54 362 #define NX_SECURE_TLS_X509_TYPE_PKIX_KP_TIME_STAMPING 55 363 #define NX_SECURE_TLS_X509_TYPE_PKIX_KP_OCSP_SIGNING 56 364 #define NX_SECURE_TLS_X509_TYPE_EC 57 365 #define NX_SECURE_TLS_X509_TYPE_ECDSA_SHA_1 58 366 #define NX_SECURE_TLS_X509_TYPE_ECDSA_SHA_224 59 367 #define NX_SECURE_TLS_X509_TYPE_ECDSA_SHA_256 60 368 #define NX_SECURE_TLS_X509_TYPE_ECDSA_SHA_384 61 369 #define NX_SECURE_TLS_X509_TYPE_ECDSA_SHA_512 62 370 371 #define NX_SECURE_TLS_X509_EC_SECT163K1 0x00060001 372 #define NX_SECURE_TLS_X509_EC_SECT163R1 0x00060002 373 #define NX_SECURE_TLS_X509_EC_SECT163R2 0x00060003 374 #define NX_SECURE_TLS_X509_EC_SECT193R1 0x00060004 375 #define NX_SECURE_TLS_X509_EC_SECT193R2 0x00060005 376 #define NX_SECURE_TLS_X509_EC_SECT233K1 0x00060006 377 #define NX_SECURE_TLS_X509_EC_SECT233R1 0x00060007 378 #define NX_SECURE_TLS_X509_EC_SECT239K1 0x00060008 379 #define NX_SECURE_TLS_X509_EC_SECT283K1 0x00060009 380 #define NX_SECURE_TLS_X509_EC_SECT283R1 0x0006000A 381 #define NX_SECURE_TLS_X509_EC_SECT409K1 0x0006000B 382 #define NX_SECURE_TLS_X509_EC_SECT409R1 0x0006000C 383 #define NX_SECURE_TLS_X509_EC_SECT571K1 0x0006000D 384 #define NX_SECURE_TLS_X509_EC_SECT571R1 0x0006000E 385 #define NX_SECURE_TLS_X509_EC_SECP160K1 0x0006000F 386 #define NX_SECURE_TLS_X509_EC_SECP160R1 0x00060010 387 #define NX_SECURE_TLS_X509_EC_SECP160R2 0x00060011 388 #define NX_SECURE_TLS_X509_EC_SECP192K1 0x00060012 389 #define NX_SECURE_TLS_X509_EC_SECP192R1 0x00060013 390 #define NX_SECURE_TLS_X509_EC_SECP224K1 0x00060014 391 #define NX_SECURE_TLS_X509_EC_SECP224R1 0x00060015 392 #define NX_SECURE_TLS_X509_EC_SECP256K1 0x00060016 393 #define NX_SECURE_TLS_X509_EC_SECP256R1 0x00060017 394 #define NX_SECURE_TLS_X509_EC_SECP384R1 0x00060018 395 #define NX_SECURE_TLS_X509_EC_SECP521R1 0x00060019 396 397 /* Bitfield mappings for Distinguished name comparison. When using nx_secure_x509_distinguished_name_compare, 398 these values are used for the "compare_fields" parameter - bitwise OR these values together to compare 399 only the desired fields. 400 */ 401 #define NX_SECURE_X509_NAME_COUNTRY (0x00000001L) 402 #define NX_SECURE_X509_NAME_ORGANIZATION (0x00000002L) 403 #define NX_SECURE_X509_NAME_ORG_UNIT (0x00000004L) 404 #define NX_SECURE_X509_NAME_QUALIFIER (0x00000008L) 405 #define NX_SECURE_X509_NAME_STATE (0x00000010L) 406 #define NX_SECURE_X509_NAME_COMMON_NAME (0x00000020L) 407 #define NX_SECURE_X509_NAME_SERIAL_NUMBER (0x00000040L) 408 #define NX_SECURE_X509_NAME_LOCALITY (0x00000080L) 409 #define NX_SECURE_X509_NAME_TITLE (0x00000100L) 410 #define NX_SECURE_X509_NAME_SURNAME (0x00000200L) 411 #define NX_SECURE_X509_NAME_GIVEN_NAME (0x00000400L) 412 #define NX_SECURE_X509_NAME_INITIALS (0x00000800L) 413 #define NX_SECURE_X509_NAME_PSEUDONYM (0x00001000L) 414 #define NX_SECURE_X509_NAME_GENERATION_QUALIFIER (0x00002000L) 415 #define NX_SECURE_X509_NAME_ALL_FIELDS (0xFFFFFFFFL) 416 417 /* Structure to contain distinguished names. */ 418 typedef struct NX_SECURE_X509_DISTINGUISHED_NAME_STRUCT 419 { 420 /* 421 X509 Distinguished Names consist of attributes. 422 Must contain the following items: 423 424 * country/region, 425 * organization, 426 * organizational unit, 427 * distinguished name qualifier, 428 * state or province name, 429 * common name (e.g., "Susan Housley"), and 430 * serial number. 431 432 Optional attributes: 433 * locality, 434 * title, 435 * surname, 436 * given name, 437 * initials, 438 * pseudonym, and 439 * generation qualifier (e.g., "Jr.", "3rd", or "IV"). 440 */ 441 442 443 /* The following fields are X509 distinguished name attributes that MUST 444 be supported as per the X509 RFC. */ 445 const UCHAR *nx_secure_x509_country; 446 USHORT nx_secure_x509_country_length; 447 448 const UCHAR *nx_secure_x509_organization; 449 USHORT nx_secure_x509_organization_length; 450 451 const UCHAR *nx_secure_x509_org_unit; 452 USHORT nx_secure_x509_org_unit_length; 453 454 const UCHAR *nx_secure_x509_distinguished_name_qualifier; 455 USHORT nx_secure_x509_distinguished_name_qualifier_length; 456 457 const UCHAR *nx_secure_x509_state; 458 USHORT nx_secure_x509_state_length; 459 460 const UCHAR *nx_secure_x509_common_name; 461 USHORT nx_secure_x509_common_name_length; 462 463 const UCHAR *nx_secure_x509_serial_number; 464 USHORT nx_secure_x509_serial_number_length; 465 466 #ifdef NX_SECURE_X509_USE_EXTENDED_DISTINGUISHED_NAMES 467 /* The following fields are OPTIONAL per the X509 RFC, disable 468 them to save on memory usage. */ 469 const UCHAR *nx_secure_x509_locality; 470 USHORT nx_secure_x509_locality_length; 471 472 const UCHAR *nx_secure_x509_title; 473 USHORT nx_secure_x509_title_length; 474 475 const UCHAR *nx_secure_x509_surname; 476 USHORT nx_secure_x509_surname_length; 477 478 const UCHAR *nx_secure_x509_given_name; 479 USHORT nx_secure_x509_given_name_length; 480 481 const UCHAR *nx_secure_x509_initials; 482 USHORT nx_secure_x509_initials_length; 483 484 const UCHAR *nx_secure_x509_pseudonym; 485 USHORT nx_secure_x509_pseudonym_length; 486 487 const UCHAR *nx_secure_x509_generation_qualifier; 488 USHORT nx_secure_x509_generation_qualifier_length; 489 #endif 490 } NX_SECURE_X509_DISTINGUISHED_NAME; 491 492 493 /* RSA public key information. */ 494 typedef struct NX_SECURE_RSA_PUBLIC_KEY_STRUCT 495 { 496 /* Public Modulus for RSA or DH. */ 497 const UCHAR *nx_secure_rsa_public_modulus; 498 499 /* Size of the key used by the algorithm. */ 500 USHORT nx_secure_rsa_public_modulus_length; 501 502 /* Public Exponent for RSA. */ 503 const UCHAR *nx_secure_rsa_public_exponent; 504 505 /* Size of the key used by the algorithm. */ 506 USHORT nx_secure_rsa_public_exponent_length; 507 } NX_SECURE_RSA_PUBLIC_KEY; 508 509 /* RSA private key information. */ 510 typedef struct NX_SECURE_RSA_PRIVATE_KEY_STRUCT 511 { 512 /* The public modulus is used in all RSA operations. */ 513 const UCHAR *nx_secure_rsa_public_modulus; 514 USHORT nx_secure_rsa_public_modulus_length; 515 516 /* The public exponent is used for encrypting messages intended for the private key holder. */ 517 const UCHAR *nx_secure_rsa_public_exponent; 518 USHORT nx_secure_rsa_public_exponent_length; 519 520 /* The private exponent is the true "private" part of an RSA key. */ 521 const UCHAR *nx_secure_rsa_private_exponent; 522 USHORT nx_secure_rsa_private_exponent_length; 523 524 /* P and Q are the primes used to calculate the RSA key. Using these, we 525 can utilize the Chinese Remainder Theorem and speed up RSA encryption. */ 526 const UCHAR *nx_secure_rsa_private_prime_q; 527 USHORT nx_secure_rsa_private_prime_q_length; 528 const UCHAR *nx_secure_rsa_private_prime_p; 529 USHORT nx_secure_rsa_private_prime_p_length; 530 } NX_SECURE_RSA_PRIVATE_KEY; 531 532 #ifdef NX_SECURE_ENABLE_ECC_CIPHERSUITE 533 /* EC public key information. */ 534 typedef struct NX_SECURE_EC_PUBLIC_KEY_STRUCT 535 { 536 /* Public key for EC. */ 537 const UCHAR *nx_secure_ec_public_key; 538 539 /* Size of the key used by the algorithm. */ 540 USHORT nx_secure_ec_public_key_length; 541 542 /* Named curve used. */ 543 UINT nx_secure_ec_named_curve; 544 545 } NX_SECURE_EC_PUBLIC_KEY; 546 547 /* EC private key information. */ 548 typedef struct NX_SECURE_EC_PRIVATE_KEY_STRUCT 549 { 550 /* Private key for EC. */ 551 const UCHAR *nx_secure_ec_private_key; 552 553 /* Size of the EC private key. */ 554 USHORT nx_secure_ec_private_key_length; 555 556 /* Named curve used. */ 557 UINT nx_secure_ec_named_curve; 558 559 } NX_SECURE_EC_PRIVATE_KEY; 560 #endif /* NX_SECURE_ENABLE_ECC_CIPHERSUITE */ 561 562 /* Structure to hold X.509 cryptographic routine information. */ 563 typedef struct NX_SECURE_X509_CRYPTO_STRUCT 564 { 565 /* Internal NetX Secure identifier for certificate "ciphersuite" which consists of 566 a hash and a public key operation. These can be mapped to OIDs in X.509. */ 567 USHORT nx_secure_x509_crypto_identifier; 568 569 /* Public-Key Cryptographic method used by certificates. */ 570 const NX_CRYPTO_METHOD *nx_secure_x509_public_cipher_method; 571 572 /* Hash method used by certificates. */ 573 const NX_CRYPTO_METHOD *nx_secure_x509_hash_method; 574 } NX_SECURE_X509_CRYPTO; 575 576 /* Structure to hold policy qualifiers for the certificatePolicies extension. */ 577 typedef struct NX_SECURE_X509_CERTIFICATE_POLICY_STRUCT 578 { 579 /* Pointer to OID for this specific policy, if needed. */ 580 const UCHAR *nx_secure_x509_policy_oid; 581 582 /* Qualifier OID type - defines what the policy qualifier is (if present). */ 583 UINT nx_secure_x509_policy_qualifier_type; 584 585 /* Qualifier data. */ 586 union 587 { 588 /* CPS URI policy qualifier. */ 589 UCHAR nx_secure_x509_policy_qualifier_cps[200]; 590 591 /* UserNotice qualifier. */ 592 struct 593 { 594 /* NoticeRef structure. */ 595 struct 596 { 597 UCHAR nx_secure_x509_policy_organization[200]; 598 UINT nx_secure_x509_policy_notice_numbers[20]; 599 } nx_secure_x509_policy_notice_ref; 600 601 /* Explicit text data. */ 602 UCHAR nx_secure_x509_policy_explicit_text[200]; 603 } nx_secure_x509_policy_unotice; 604 } nx_secure_x509_policy_qualifier; 605 606 /* Pointer for linked list. */ 607 struct NX_SECURE_X509_CERTIFICATE_POLICY_STRUCT *nx_secure_x509_policy_next; 608 } NX_SECURE_X509_CERTIFICATE_POLICY; 609 610 /* Structure to hold extension information for an X.509 certificate. 611 Also used to contain information about an X.509 policy, either 612 when parsing an X.509 certificate or when defining policies for 613 X.509 path validation. */ 614 typedef struct NX_SECURE_X509_EXTENSION_STRUCT 615 { 616 /* Identifier (maps to OID) for this extension. */ 617 USHORT nx_secure_x509_extension_id; 618 619 /* Critical flag - boolean value. */ 620 USHORT nx_secure_x509_extension_critical; 621 622 /* Pointer to DER-encoded extension data. */ 623 const UCHAR *nx_secure_x509_extension_data; 624 ULONG nx_secure_x509_extension_data_length; 625 } NX_SECURE_X509_EXTENSION; 626 627 628 /* Domain name entries. */ 629 630 /* Maximum size of a DNS name entry. */ 631 #define NX_SECURE_X509_DNS_NAME_MAX (100) 632 typedef struct NX_SECURE_X509_DNS_NAME_STRUCT 633 { 634 /* Pointer to string containing the DNS name. */ 635 UCHAR nx_secure_x509_dns_name[NX_SECURE_X509_DNS_NAME_MAX]; 636 637 /* Length of name. */ 638 USHORT nx_secure_x509_dns_name_length; 639 640 /* Pointer for linked list. */ 641 struct NX_SECURE_X509_DNS_NAME_STRUCT *nx_secure_x509_dns_name_next; 642 } NX_SECURE_X509_DNS_NAME; 643 644 /* Structure to hold policy information for certificate chain verification. */ 645 typedef struct NX_SECURE_X509_POLICIES_STRUCT 646 { 647 /* X.509 policies and path validation (RFC 5280): 648 * "Conforming implementations are not required to support the setting of 649 all of these inputs. For example, a conforming implementation may be 650 designed to validate all certification paths using a value of FALSE 651 for initial-any-policy-inhibit." 652 */ 653 654 /* Linked list of policies, keyed on policy OID.*/ 655 NX_SECURE_X509_EXTENSION *nx_secure_x509_valid_policy_tree; 656 657 /* Indicates if policy mapping is allowed for the chain. */ 658 USHORT nx_secure_x509_policy_mapping_inhibit; 659 660 /* Indicates if the chain must be valid for at least one policy. 661 If false, the chain does not need to be valid for any policies 662 (it still must be trusted though).*/ 663 USHORT nx_secure_x509_explicit_policy; 664 665 /* Indicates if the anyPolicy OID is processed or ignored. */ 666 USHORT nx_secure_x509_any_policy_inhibit; 667 668 /* For name constraint checking, a collection of name subtrees that 669 are permitted when checking DNS names (or other name types). */ 670 NX_SECURE_X509_DNS_NAME *nx_secure_x509_permitted_subtrees; 671 672 /* For name constraint checking, a collection of name subtrees that 673 are NOT permitted when checking DNS names (or other name types). */ 674 NX_SECURE_X509_DNS_NAME *nx_secure_x509_excluded_subtrees; 675 676 /* Maximum path length for validation, set to n and decremented for each 677 * non-self-signed certificate in the path. */ 678 USHORT nx_secure_x509_max_path_length; 679 680 /* Other X.509 variables are contained within nx_secure_x509_certificate chain verify: 681 (g) working_public_key_algorithm 682 (h) working_public_key 683 (i) working_public_key_parameters 684 (j) working_issuer_name 685 */ 686 } NX_SECURE_X509_POLICIES; 687 688 /* This structure is used in parsing the X509 certificate. The ASN.1-encoded certificate 689 * contains embedded byte strings which contain ASN.1 data within. The initial parsing 690 * of the ASN.1 buffer will populate this structure, which will then be used to 691 * extract further information. This is specific to X509 certificates! 692 * NOTE: All specific data are returned as pointers into the original buffer to avoid copying! */ 693 typedef struct NX_SECURE_X509_CERT_STRUCT 694 { 695 /* Is this certificate used to identify the local device? */ 696 UINT nx_secure_x509_certificate_is_identity_cert; 697 698 /* What version of certificate is this? */ 699 USHORT nx_secure_x509_version; 700 701 /* Identifier used for TLS to distinguish between certificates outside of information 702 contained within the certificate. */ 703 UINT nx_secure_x509_cert_identifier; 704 705 /* Serial number. */ 706 const UCHAR *nx_secure_x509_serial_number; 707 USHORT nx_secure_x509_serial_number_length; 708 709 /* Validity time format - either ASN.1 generalized time or ASN.1 UTC time. 710 Uses the ASN.1 tag value. */ 711 USHORT nx_secure_x509_validity_format; 712 713 /* Validity period. Stored as ASN.1 generalized time or UTC time. */ 714 const UCHAR *nx_secure_x509_not_before; 715 USHORT nx_secure_x509_not_before_length; 716 const UCHAR *nx_secure_x509_not_after; 717 USHORT nx_secure_x509_not_after_length; 718 719 /* Pointer to certificate data. */ 720 UCHAR *nx_secure_x509_certificate_raw_data; 721 UINT nx_secure_x509_certificate_raw_buffer_size; 722 UINT nx_secure_x509_certificate_raw_data_length; 723 724 const UCHAR *nx_secure_x509_certificate_data; 725 UINT nx_secure_x509_certificate_data_length; 726 727 /* Signature Algorithm (For encrypting signature hash - RSA, DSS, etc). */ 728 UINT nx_secure_x509_signature_algorithm; 729 730 /* Pointer to the signature data in the certificate used for verification. */ 731 const UCHAR *nx_secure_x509_signature_data; 732 733 /* Length of the certificate digital signature data. */ 734 UINT nx_secure_x509_signature_data_length; 735 736 /* Issuer distinguished name. Used to authenticate this certificate against the trusted store. 737 * If this pointer is NULL, it is a root CA. For self-signed certs this will point to a 738 * structure with the same information. */ 739 NX_SECURE_X509_DISTINGUISHED_NAME nx_secure_x509_issuer; 740 741 /* This pointer points to the issuer chain for this certificate (follow the chain for verification). */ 742 struct NX_SECURE_X509_CERT_STRUCT *nx_secure_x509_issuer_chain; 743 744 /* X509 subject - Distinguished Name of the certificate. */ 745 NX_SECURE_X509_DISTINGUISHED_NAME nx_secure_x509_distinguished_name; 746 747 /* Pointer to lookup table for X.509 cryptographic routines. */ 748 NX_SECURE_X509_CRYPTO *nx_secure_x509_cipher_table; 749 750 /* Number of entried in the cipher lookup table. */ 751 USHORT nx_secure_x509_cipher_table_size; 752 753 /* Define the public cipher metadata area. */ 754 VOID *nx_secure_x509_public_cipher_metadata_area; 755 756 /* Define the public cipher metadata size. */ 757 ULONG nx_secure_x509_public_cipher_metadata_size; 758 759 /* Define the hash metadata area. */ 760 VOID *nx_secure_x509_hash_metadata_area; 761 762 /* Define the hash metadata size. */ 763 ULONG nx_secure_x509_hash_metadata_size; 764 765 /* This pointer points to a singly-linked list of certificates - used for the certificate stores. */ 766 struct NX_SECURE_X509_CERT_STRUCT *nx_secure_x509_next_certificate; 767 768 /* Public Key Algorithm (RSA, DH, etc). Tagged union gives us the actual key data.*/ 769 UINT nx_secure_x509_public_algorithm; 770 771 union 772 { 773 NX_SECURE_RSA_PUBLIC_KEY rsa_public_key; 774 775 #ifdef NX_SECURE_ENABLE_ECC_CIPHERSUITE 776 NX_SECURE_EC_PUBLIC_KEY ec_public_key; 777 #endif /* NX_SECURE_ENABLE_ECC_CIPHERSUITE */ 778 } nx_secure_x509_public_key; 779 780 /* Private key associated with this certificate. A tagged union represents the key data in parsed form 781 (if the type is known) or a pointer to a buffer of user-defined key data. Note that the private 782 key is typically loaded separately from the certificate so even if the private key data contains 783 the public key, we keep the private keys separate from the public keys (above).*/ 784 UINT nx_secure_x509_private_key_type; 785 786 union 787 { 788 /* RSA key type. */ 789 NX_SECURE_RSA_PRIVATE_KEY rsa_private_key; 790 791 #ifdef NX_SECURE_ENABLE_ECC_CIPHERSUITE 792 /* EC key type. */ 793 NX_SECURE_EC_PRIVATE_KEY ec_private_key; 794 #endif /* NX_SECURE_ENABLE_ECC_CIPHERSUITE */ 795 796 /* User-defined key type. */ 797 struct 798 { 799 const UCHAR *key_data; 800 ULONG key_length; 801 } user_key; 802 } nx_secure_x509_private_key; 803 804 /* Optional issuer identifier field. X509v2 or X509v3. */ 805 const UCHAR *nx_secure_x509_issuer_identifier; 806 USHORT nx_secure_x509_issuer_identifier_length; 807 808 /* Optional subject identifier field. X509v2 or X509v3. */ 809 const UCHAR *nx_secure_x509_subject_identifier; 810 USHORT nx_secure_x509_subject_identifier_length; 811 812 /* Pointer to start of extensions so we can optionally parse them later. */ 813 const UCHAR *nx_secure_x509_extensions_data; 814 ULONG nx_secure_x509_extensions_data_length; 815 816 /* Indicates whether a certificate was allocated by the application or 817 automatically by TLS. */ 818 UINT nx_secure_x509_user_allocated_cert; 819 } NX_SECURE_X509_CERT; 820 821 UINT _nx_secure_x509_certificate_parse(const UCHAR *buffer, UINT length, UINT *bytes_processed, NX_SECURE_X509_CERT *cert); 822 UINT _nx_secure_x509_asn1_tlv_block_parse(const UCHAR *buffer, ULONG *buffer_length, USHORT *tlv_type, USHORT *tlv_tag_class, ULONG *tlv_length, const UCHAR **tlv_data, ULONG *header_length); 823 824 UINT _nx_secure_x509_pkcs1_rsa_private_key_parse(const UCHAR *buffer, UINT length, UINT *bytes_processed, NX_SECURE_RSA_PRIVATE_KEY *rsa_key); 825 #ifdef NX_SECURE_ENABLE_ECC_CIPHERSUITE 826 UINT _nx_secure_x509_ec_private_key_parse(const UCHAR *buffer, UINT length, 827 UINT *bytes_processed, 828 NX_SECURE_EC_PRIVATE_KEY *ec_key); 829 UINT _nx_secure_x509_find_curve_method(USHORT named_curve, const NX_CRYPTO_METHOD **curve_method); 830 831 #endif /* NX_SECURE_ENABLE_ECC_CIPHERSUITE */ 832 833 /* CRL parsing. */ 834 #ifndef NX_SECURE_X509_DISABLE_CRL 835 836 typedef struct NX_SECURE_X509_CRL_STRUCT 837 { 838 /* Pointer to raw CRL data, used for signature verification. */ 839 const UCHAR *nx_secure_x509_crl_verify_data; 840 USHORT nx_secure_x509_crl_verify_data_length; 841 842 /* Issuer distinguished name. Used to authenticate this CRL against the trusted store. */ 843 NX_SECURE_X509_DISTINGUISHED_NAME nx_secure_x509_crl_issuer; 844 845 /* What version of CRL is this? */ 846 USHORT nx_secure_x509_crl_version; 847 848 /* Signature Algorithm (For encrypting signature hash - RSA, DSS, etc). */ 849 USHORT nx_secure_x509_crl_signature_algorithm; 850 851 /* Pointer to the signature data in the CRL used for verification of the list. */ 852 const UCHAR *nx_secure_x509_crl_signature_data; 853 854 /* Length of the CRL digital signature data. */ 855 UINT nx_secure_x509_crl_signature_data_length; 856 857 /* Validity period. Stored as ASN.1 generalized time or UTC time. */ 858 USHORT nx_secure_x509_crl_time_format; 859 const UCHAR *nx_secure_x509_crl_this_update; 860 USHORT nx_secure_x509_crl_this_update_length; 861 const UCHAR *nx_secure_x509_crl_next_update; 862 USHORT nx_secure_x509_crl_next_update_length; 863 864 /* Pointer to start of revoked certificate list. This will be parsed whenever a certificate 865 is being validated. */ 866 const UCHAR *nx_secure_x509_crl_revoked_certs; 867 ULONG nx_secure_x509_crl_revoked_certs_length; 868 } NX_SECURE_X509_CRL; 869 870 #endif 871 872 /* X509 API. */ 873 874 #define NX_SECURE_X509_CERT_LOCATION_NONE 0 /* Certificate location is uninitialized. */ 875 #define NX_SECURE_X509_CERT_LOCATION_LOCAL 1 /* Certificate is in the Local device certificate store. */ 876 #define NX_SECURE_X509_CERT_LOCATION_REMOTE 2 /* Certificate is in the remote certificate store. */ 877 #define NX_SECURE_X509_CERT_LOCATION_TRUSTED 3 /* Certificate is in the trusted store. */ 878 #define NX_SECURE_X509_CERT_LOCATION_EXCEPTIONS 4 /* Certificate is added as an exception (trusted temporarily). */ 879 #define NX_SECURE_X509_CERT_LOCATION_FREE 5 /* Certificate is uninitialized (except for next pointer) and usable by X509, TLS, etc. */ 880 881 /* Certificate store structure - contains linked lists of all certificates for this device. */ 882 typedef struct NX_SECURE_X509_CERTIFICATE_STORE_STRUCT 883 { 884 /* Pointer to certificates identifying this host. */ 885 NX_SECURE_X509_CERT *nx_secure_x509_local_certificates; 886 887 /* Pointer to certificates identifying the remote host. */ 888 NX_SECURE_X509_CERT *nx_secure_x509_remote_certificates; 889 890 /* Pointer to certificates that are free to use for parsing (will be placed in another list 891 after being initialized). */ 892 NX_SECURE_X509_CERT *nx_secure_x509_free_certificates; 893 894 /* Pointer to local store of trusted certificates. */ 895 NX_SECURE_X509_CERT *nx_secure_x509_trusted_certificates; 896 897 /* Pointer to store of exceptions - certificates that we want to trust but possibly only 898 temporarily and not something we want in a the trusted store. Keep this store separate 899 so we can clear it out more easily. */ 900 NX_SECURE_X509_CERT *nx_secure_x509_certificate_exceptions; 901 } NX_SECURE_X509_CERTIFICATE_STORE; 902 903 /* Get certificate for local device. */ 904 UINT _nx_secure_x509_local_device_certificate_get(NX_SECURE_X509_CERTIFICATE_STORE *store, 905 NX_SECURE_X509_DISTINGUISHED_NAME *name, 906 NX_SECURE_X509_CERT **certificate); 907 908 UINT _nx_secure_x509_local_certificate_find(NX_SECURE_X509_CERTIFICATE_STORE *store, 909 NX_SECURE_X509_CERT **certificate, UINT cert_id); 910 911 /* Get certificate sent by remote host. */ 912 UINT _nx_secure_x509_remote_endpoint_certificate_get(NX_SECURE_X509_CERTIFICATE_STORE *store, 913 NX_SECURE_X509_CERT **certificate); 914 915 /* Add a certificates to an X509 store. "location" indicates where the certificate will go: [ TRUSTED, LOCAL, REMOTE, EXCEPTION ] */ 916 UINT _nx_secure_x509_store_certificate_add(NX_SECURE_X509_CERT *certificate, 917 NX_SECURE_X509_CERTIFICATE_STORE *store, UINT location); 918 919 /* Remove a certificate from the supplied store given a distinguished name and optional location. */ 920 UINT _nx_secure_x509_store_certificate_remove(NX_SECURE_X509_CERTIFICATE_STORE *store, 921 NX_SECURE_X509_DISTINGUISHED_NAME *name, 922 UINT location, UINT cert_id); 923 924 /* Compares two distinguished names to see if they are equal. */ 925 INT _nx_secure_x509_distinguished_name_compare(NX_SECURE_X509_DISTINGUISHED_NAME *name, 926 NX_SECURE_X509_DISTINGUISHED_NAME *compare_name, ULONG compare_fields); 927 928 /* Parse an X.509 DER-encoded distinguished name. */ 929 UINT _nx_secure_x509_distinguished_name_parse(const UCHAR *buffer, UINT length, 930 UINT *bytes_processed, 931 NX_SECURE_X509_DISTINGUISHED_NAME *name); 932 933 UINT _nx_secure_x509_store_certificate_find(NX_SECURE_X509_CERTIFICATE_STORE *store, 934 NX_SECURE_X509_DISTINGUISHED_NAME *name, 935 UINT cert_id, 936 NX_SECURE_X509_CERT **certificate, UINT *location); 937 938 /* Build an X509 certificate chain using the supplied certificate store and the given distinguished name. */ 939 UINT _nx_secure_x509_certificate_chain_build(NX_SECURE_X509_CERTIFICATE_STORE *store, 940 NX_SECURE_X509_CERT *certificate); 941 942 /* Verify a certificate against its issuer. */ 943 UINT _nx_secure_x509_certificate_verify(NX_SECURE_X509_CERTIFICATE_STORE *store, 944 NX_SECURE_X509_CERT *certificate, 945 NX_SECURE_X509_CERT *issuer_certificate); 946 947 /* Verify a given certificate chain to see if the end-entity certificate can be traced through the chain to a trust anchor. */ 948 UINT _nx_secure_x509_certificate_chain_verify(NX_SECURE_X509_CERTIFICATE_STORE *store, 949 NX_SECURE_X509_CERT *certificate, ULONG current_time); 950 951 /* Parse an OID string, returning an internally-used constant (defined above) for use in other parsing. */ 952 VOID _nx_secure_x509_oid_parse(const UCHAR *oid, ULONG length, UINT *oid_value); 953 954 UINT _nx_secure_x509_pkcs7_decode(const UCHAR *signature_pointer, UINT signature_length, 955 const UCHAR **signature_oid, UINT *signature_oid_length, 956 const UCHAR **hash_data, UINT *hash_length); 957 958 /* Initialize an X509 certificate structure with a DER-encoded certificate blob. */ 959 UINT _nx_secure_x509_certificate_initialize(NX_SECURE_X509_CERT *certificate, 960 UCHAR *certificate_data, USHORT length, 961 UCHAR *raw_data_buffer, USHORT buffer_size, 962 const UCHAR *private_key, 963 USHORT priv_len, UINT private_key_type); 964 965 UINT _nx_secure_x509_dns_name_initialize(NX_SECURE_X509_DNS_NAME *dns_name, 966 const UCHAR *name_string, USHORT length); 967 968 /* Return a structure containing cryptographic methods for a particular certificate. */ 969 UINT _nx_secure_x509_find_certificate_methods(NX_SECURE_X509_CERT *cert, USHORT signature_algorithm, 970 NX_SECURE_X509_CRYPTO **crypto_methods); 971 972 /* Get a "free" certificate allocated earlier by the application. */ 973 UINT _nx_secure_x509_free_certificate_get(NX_SECURE_X509_CERTIFICATE_STORE *store, 974 NX_SECURE_X509_CERT **certificate); 975 976 /* Utility methods for certificate linked-lists. */ 977 UINT _nx_secure_x509_certificate_list_add(NX_SECURE_X509_CERT **list_head, 978 NX_SECURE_X509_CERT *certificate, UINT duplicates_ok); 979 UINT _nx_secure_x509_certificate_list_find(NX_SECURE_X509_CERT **list_head, 980 NX_SECURE_X509_DISTINGUISHED_NAME *name, 981 UINT cert_id, 982 NX_SECURE_X509_CERT **certificate); 983 UINT _nx_secure_x509_certificate_list_remove(NX_SECURE_X509_CERT **list_head, 984 NX_SECURE_X509_DISTINGUISHED_NAME *name, UINT cert_id); 985 986 #ifndef NX_SECURE_X509_DISABLE_CRL 987 UINT _nx_secure_x509_certificate_revocation_list_parse(const UCHAR *buffer, UINT length, 988 UINT *bytes_processed, NX_SECURE_X509_CRL *crl); 989 #endif /* NX_SECURE_X509_DISABLE_CRL */ 990 UINT _nx_secure_x509_common_name_dns_check(NX_SECURE_X509_CERT *certificate, 991 const UCHAR *dns_tld, UINT dns_tld_length); 992 INT _nx_secure_x509_wildcard_compare(const UCHAR *dns_name, UINT dns_name_len, 993 const UCHAR *wildcard_name, UINT wildcard_len); 994 UINT _nx_secure_x509_crl_revocation_check(const UCHAR *crl_data, UINT length, 995 NX_SECURE_X509_CERTIFICATE_STORE *store, 996 NX_SECURE_X509_CERT *certificate); 997 #ifndef NX_SECURE_X509_DISABLE_CRL 998 UINT _nx_secure_x509_crl_verify(NX_SECURE_X509_CERT *certificate, NX_SECURE_X509_CRL *crl, 999 NX_SECURE_X509_CERTIFICATE_STORE *store, 1000 NX_SECURE_X509_CERT *issuer_certificate); 1001 #endif /* NX_SECURE_X509_DISABLE_CRL */ 1002 UINT _nx_secure_x509_expiration_check(NX_SECURE_X509_CERT *certificate, ULONG current_time); 1003 1004 UINT _nx_secure_x509_extended_key_usage_extension_parse(NX_SECURE_X509_CERT *certificate, 1005 UINT key_usage); 1006 UINT _nx_secure_x509_extension_find(NX_SECURE_X509_CERT *certificate, 1007 NX_SECURE_X509_EXTENSION *extension, USHORT extension_id); 1008 UINT _nx_secure_x509_key_usage_extension_parse(NX_SECURE_X509_CERT *certificate, USHORT *bitfield); 1009 UINT _nx_secure_x509_subject_alt_names_find(NX_SECURE_X509_EXTENSION *extension, const UCHAR *name, 1010 UINT name_length, USHORT name_type); 1011 1012 /* Error-checking APIs. */ 1013 UINT _nxe_secure_x509_certificate_initialize(NX_SECURE_X509_CERT *certificate, 1014 UCHAR *certificate_data, USHORT length, 1015 UCHAR *raw_data_buffer, USHORT buffer_size, 1016 const UCHAR *private_key, USHORT priv_len, 1017 UINT private_key_type); 1018 UINT _nxe_secure_x509_common_name_dns_check(NX_SECURE_X509_CERT *certificate, const UCHAR *dns_tld, 1019 UINT dns_tld_length); 1020 UINT _nxe_secure_x509_dns_name_initialize(NX_SECURE_X509_DNS_NAME *dns_name, 1021 const UCHAR *name_string, USHORT length); 1022 UINT _nxe_secure_x509_crl_revocation_check(const UCHAR *crl_data, UINT crl_length, 1023 NX_SECURE_X509_CERTIFICATE_STORE *store, 1024 NX_SECURE_X509_CERT *certificate); 1025 UINT _nxe_secure_x509_extended_key_usage_extension_parse(NX_SECURE_X509_CERT *certificate, 1026 UINT key_usage); 1027 UINT _nxe_secure_x509_extension_find(NX_SECURE_X509_CERT *certificate, 1028 NX_SECURE_X509_EXTENSION *extension, USHORT extension_id); 1029 UINT _nxe_secure_x509_key_usage_extension_parse(NX_SECURE_X509_CERT *certificate, USHORT *bitfield); 1030 1031 1032 /* MAP APIs. */ 1033 #ifdef NX_SECURE_DISABLE_ERROR_CHECKING 1034 #define nx_secure_x509_certificate_initialize _nx_secure_x509_certificate_initialize 1035 #define nx_secure_x509_common_name_dns_check _nx_secure_x509_common_name_dns_check 1036 #define nx_secure_x509_dns_name_initialize _nx_secure_x509_dns_name_initialize 1037 #define nx_secure_x509_crl_revocation_check _nx_secure_x509_crl_revocation_check 1038 #define nx_secure_x509_extended_key_usage_extension_parse _nx_secure_x509_extended_key_usage_extension_parse 1039 #define nx_secure_x509_extension_find _nx_secure_x509_extension_find 1040 #define nx_secure_x509_key_usage_extension_parse _nx_secure_x509_key_usage_extension_parse 1041 #else 1042 #define nx_secure_x509_certificate_initialize _nxe_secure_x509_certificate_initialize 1043 #define nx_secure_x509_common_name_dns_check _nxe_secure_x509_common_name_dns_check 1044 #define nx_secure_x509_dns_name_initialize _nxe_secure_x509_dns_name_initialize 1045 #define nx_secure_x509_crl_revocation_check _nxe_secure_x509_crl_revocation_check 1046 #define nx_secure_x509_extended_key_usage_extension_parse _nxe_secure_x509_extended_key_usage_extension_parse 1047 #define nx_secure_x509_extension_find _nxe_secure_x509_extension_find 1048 #define nx_secure_x509_key_usage_extension_parse _nxe_secure_x509_key_usage_extension_parse 1049 #endif 1050 1051 UINT nx_secure_x509_certificate_initialize(NX_SECURE_X509_CERT *certificate, UCHAR *certificate_data, 1052 USHORT length, UCHAR *raw_data_buffer, USHORT buffer_size, 1053 const UCHAR *private_key, USHORT priv_len, 1054 UINT private_key_type); 1055 UINT nx_secure_x509_common_name_dns_check(NX_SECURE_X509_CERT *certificate, const UCHAR *dns_tld, 1056 UINT dns_tld_length); 1057 UINT nx_secure_x509_dns_name_initialize(NX_SECURE_X509_DNS_NAME *dns_name, 1058 const UCHAR *name_string, USHORT length); 1059 UINT nx_secure_x509_crl_revocation_check(const UCHAR *crl_data, UINT crl_length, 1060 NX_SECURE_X509_CERTIFICATE_STORE *store, 1061 NX_SECURE_X509_CERT *certificate); 1062 UINT nx_secure_x509_extended_key_usage_extension_parse(NX_SECURE_X509_CERT *certificate, 1063 UINT key_usage); 1064 UINT nx_secure_x509_extension_find(NX_SECURE_X509_CERT *certificate, 1065 NX_SECURE_X509_EXTENSION *extension, USHORT extension_id); 1066 UINT nx_secure_x509_key_usage_extension_parse(NX_SECURE_X509_CERT *certificate, USHORT *bitfield); 1067 1068 #ifdef __cplusplus 1069 } 1070 #endif 1071 1072 #endif /* SRC_NX_SECURE_X509_H_ */ 1073 1074
