1 /*
2  * X.509v3 certificate parsing and processing
3  * Copyright (c) 2006-2011, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #ifndef X509V3_H
10 #define X509V3_H
11 
12 #include "asn1.h"
13 
14 struct x509_algorithm_identifier {
15 	struct asn1_oid oid;
16 };
17 
18 struct x509_name_attr {
19 	enum x509_name_attr_type {
20 		X509_NAME_ATTR_NOT_USED,
21 		X509_NAME_ATTR_DC,
22 		X509_NAME_ATTR_CN,
23 		X509_NAME_ATTR_C,
24 		X509_NAME_ATTR_L,
25 		X509_NAME_ATTR_ST,
26 		X509_NAME_ATTR_O,
27 		X509_NAME_ATTR_OU
28 	} type;
29 	char *value;
30 };
31 
32 #define X509_MAX_NAME_ATTRIBUTES 20
33 
34 struct x509_name {
35 	struct x509_name_attr attr[X509_MAX_NAME_ATTRIBUTES];
36 	size_t num_attr;
37 	char *email; /* emailAddress */
38 
39 	/* from alternative name extension */
40 	char *alt_email; /* rfc822Name */
41 	char *dns; /* dNSName */
42 	char *uri; /* uniformResourceIdentifier */
43 	u8 *ip; /* iPAddress */
44 	size_t ip_len; /* IPv4: 4, IPv6: 16 */
45 	struct asn1_oid rid; /* registeredID */
46 };
47 
48 #define X509_MAX_SERIAL_NUM_LEN 20
49 
50 struct x509_certificate {
51 	struct x509_certificate *next;
52 	enum { X509_CERT_V1 = 0, X509_CERT_V2 = 1, X509_CERT_V3 = 2 } version;
53 	u8 serial_number[X509_MAX_SERIAL_NUM_LEN];
54 	size_t serial_number_len;
55 	struct x509_algorithm_identifier signature;
56 	struct x509_name issuer;
57 	struct x509_name subject;
58 	u8 *subject_dn;
59 	size_t subject_dn_len;
60 	os_time_t not_before;
61 	os_time_t not_after;
62 	struct x509_algorithm_identifier public_key_alg;
63 	u8 *public_key;
64 	size_t public_key_len;
65 	struct x509_algorithm_identifier signature_alg;
66 	u8 *sign_value;
67 	size_t sign_value_len;
68 
69 	/* Extensions */
70 	unsigned int extensions_present;
71 #define X509_EXT_BASIC_CONSTRAINTS		(1 << 0)
72 #define X509_EXT_PATH_LEN_CONSTRAINT		(1 << 1)
73 #define X509_EXT_KEY_USAGE			(1 << 2)
74 #define X509_EXT_SUBJECT_ALT_NAME		(1 << 3)
75 #define X509_EXT_ISSUER_ALT_NAME		(1 << 4)
76 #define X509_EXT_EXT_KEY_USAGE			(1 << 5)
77 #define X509_EXT_CERTIFICATE_POLICY		(1 << 6)
78 
79 	/* BasicConstraints */
80 	int ca; /* cA */
81 	unsigned long path_len_constraint; /* pathLenConstraint */
82 
83 	/* KeyUsage */
84 	unsigned long key_usage;
85 #define X509_KEY_USAGE_DIGITAL_SIGNATURE	(1 << 0)
86 #define X509_KEY_USAGE_NON_REPUDIATION		(1 << 1)
87 #define X509_KEY_USAGE_KEY_ENCIPHERMENT		(1 << 2)
88 #define X509_KEY_USAGE_DATA_ENCIPHERMENT	(1 << 3)
89 #define X509_KEY_USAGE_KEY_AGREEMENT		(1 << 4)
90 #define X509_KEY_USAGE_KEY_CERT_SIGN		(1 << 5)
91 #define X509_KEY_USAGE_CRL_SIGN			(1 << 6)
92 #define X509_KEY_USAGE_ENCIPHER_ONLY		(1 << 7)
93 #define X509_KEY_USAGE_DECIPHER_ONLY		(1 << 8)
94 
95 	/* ExtKeyUsage */
96 	unsigned long ext_key_usage;
97 #define X509_EXT_KEY_USAGE_ANY			(1 << 0)
98 #define X509_EXT_KEY_USAGE_SERVER_AUTH		(1 << 1)
99 #define X509_EXT_KEY_USAGE_CLIENT_AUTH		(1 << 2)
100 #define X509_EXT_KEY_USAGE_OCSP			(1 << 3)
101 
102 	/* CertificatePolicy */
103 	unsigned long certificate_policy;
104 #define X509_EXT_CERT_POLICY_ANY		(1 << 0)
105 #define X509_EXT_CERT_POLICY_TOD_STRICT		(1 << 1)
106 #define X509_EXT_CERT_POLICY_TOD_TOFU		(1 << 2)
107 
108 	/*
109 	 * The DER format certificate follows struct x509_certificate. These
110 	 * pointers point to that buffer.
111 	 */
112 	const u8 *cert_start;
113 	size_t cert_len;
114 	const u8 *tbs_cert_start;
115 	size_t tbs_cert_len;
116 
117 	/* Meta data used for certificate validation */
118 	unsigned int ocsp_good:1;
119 	unsigned int ocsp_revoked:1;
120 	unsigned int issuer_trusted:1;
121 };
122 
123 enum {
124 	X509_VALIDATE_OK,
125 	X509_VALIDATE_BAD_CERTIFICATE,
126 	X509_VALIDATE_UNSUPPORTED_CERTIFICATE,
127 	X509_VALIDATE_CERTIFICATE_REVOKED,
128 	X509_VALIDATE_CERTIFICATE_EXPIRED,
129 	X509_VALIDATE_CERTIFICATE_UNKNOWN,
130 	X509_VALIDATE_UNKNOWN_CA
131 };
132 
133 void x509_certificate_free(struct x509_certificate *cert);
134 int x509_parse_algorithm_identifier(const u8 *buf, size_t len,
135 				    struct x509_algorithm_identifier *id,
136 				    const u8 **next);
137 int x509_parse_name(const u8 *buf, size_t len, struct x509_name *name,
138 		    const u8 **next);
139 int x509_parse_time(const u8 *buf, size_t len, u8 asn1_tag, os_time_t *val);
140 struct x509_certificate * x509_certificate_parse(const u8 *buf, size_t len);
141 void x509_free_name(struct x509_name *name);
142 void x509_name_string(struct x509_name *name, char *buf, size_t len);
143 int x509_name_compare(struct x509_name *a, struct x509_name *b);
144 void x509_certificate_chain_free(struct x509_certificate *cert);
145 int x509_check_signature(struct x509_certificate *issuer,
146 			 struct x509_algorithm_identifier *signature,
147 			 const u8 *sign_value, size_t sign_value_len,
148 			 const u8 *signed_data, size_t signed_data_len);
149 int x509_certificate_check_signature(struct x509_certificate *issuer,
150 				     struct x509_certificate *cert);
151 int x509_certificate_chain_validate(struct x509_certificate *trusted,
152 				    struct x509_certificate *chain,
153 				    int *reason, int disable_time_checks);
154 struct x509_certificate *
155 x509_certificate_get_subject(struct x509_certificate *chain,
156 			     struct x509_name *name);
157 int x509_certificate_self_signed(struct x509_certificate *cert);
158 
159 int x509_sha1_oid(struct asn1_oid *oid);
160 int x509_sha256_oid(struct asn1_oid *oid);
161 int x509_sha384_oid(struct asn1_oid *oid);
162 int x509_sha512_oid(struct asn1_oid *oid);
163 
164 #endif /* X509V3_H */
165