path: root/src/pluto/x509.h
blob: ab0fbac9e9f3ce76501455456517d19b89424d25 (plain)
/* Support of X.509 certificates
 * Copyright (C) 2000 Andreas Hess, Patric Lichtsteiner, Roger Wegmann
 * Copyright (C) 2001 Marco Bertossa, Andreas Schleiss
 * Copyright (C) 2002 Mario Strasser
 * Copyright (C) 2000-2009 Andreas Steffen, Hochschule fuer Technik Rapperswil
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the
 * Free Software Foundation; either version 2 of the License, or (at your
 * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * for more details.
 */

#ifndef _X509_H
#define _X509_H

#include <credentials/keys/public_key.h>
#include <credentials/keys/private_key.h>

#include "constants.h"
#include "id.h"

/**
 * Kinds of GeneralName.
 *
 * The numeric values are written out explicitly because they follow the
 * order of the context-specific tags of the GeneralName CHOICE in RFC 5280
 * (otherName [0] ... registeredID [8]), so they are presumably compared
 * against parsed tag numbers. Keep them explicit and do not renumber.
 */
typedef enum {
	GN_OTHER_NAME     = 0,  /* otherName                 [0] */
	GN_RFC822_NAME    = 1,  /* rfc822Name                [1] */
	GN_DNS_NAME       = 2,  /* dNSName                   [2] */
	GN_X400_ADDRESS   = 3,  /* x400Address               [3] */
	GN_DIRECTORY_NAME = 4,  /* directoryName             [4] */
	GN_EDI_PARTY_NAME = 5,  /* ediPartyName              [5] */
	GN_URI            = 6,  /* uniformResourceIdentifier [6] */
	GN_IP_ADDRESS     = 7,  /* iPAddress                 [7] */
	GN_REGISTERED_ID  = 8   /* registeredID              [8] */
} generalNames_t;

/* access structure for a GeneralName
 *
 * One node of a singly linked list: `next` points at the following name
 * (presumably NULL-terminated), `kind` says which GeneralName alternative
 * `name` carries, and `name` holds the value as a chunk_t whose encoding
 * depends on `kind` (confirm the per-kind encoding in x509.c).
 * Whether `name` is owned by the node is decided by the caller of
 * free_generalNames(), which takes a free_name flag (declared below).
 */

typedef struct generalName generalName_t;

struct generalName {
	generalName_t   *next;   /* next name in the list */
	generalNames_t  kind;    /* GeneralName alternative held in `name` */
	chunk_t         name;    /* the name value; interpretation depends on kind */
};

/* access structure for an X.509v3 certificate
 *
 * The members from `certificate` onward follow the ASN.1 layout of
 * Certificate / TBSCertificate (RFC 5280 section 4.1); the indented
 * comments mark components for which no field is kept here. The first
 * five members are local bookkeeping that is not part of the DER.
 * Keep the member order stable: empty_x509cert (below) and the parser
 * fill this struct, and initializers elsewhere may depend on the order.
 */

typedef struct x509cert x509cert_t;

struct x509cert {
	x509cert_t     *next;            /* next cert in a list/chain (see add_x509cert, get_x509cert) */
	time_t         installed;        /* when this entry was added — inferred from the name */
	int            count;            /* share_x509cert()/release_x509cert() suggest a reference count — confirm */
	bool           smartcard;        /* key held on a smartcard? inferred from the name */
	u_char         authority_flags;  /* bit set; same type as list_x509cert_chain()'s auth_flags */
	chunk_t        certificate;      /* presumably the complete DER-encoded certificate */
	chunk_t          tbsCertificate; /* DER of the signed portion; presumably the `tbs` given to x509_check_signature() */
	u_int              version;
	chunk_t            serialNumber;
				  /*   signature */
	int                  sigAlg;     /* algorithm named inside the TBSCertificate */
  	chunk_t            issuer;
				  /*   validity */
	time_t               notBefore;  /* validity window; see check_validity() */
	time_t               notAfter;
	chunk_t            subject;
	public_key_t       *public_key;  /* presumably parsed from subjectPublicKeyInfo */
				  /*   issuerUniqueID */
				  /*   subjectUniqueID */
				  /*   v3 extensions */
				  /*   extension */
				  /*     extension */
				  /*       extnID */
				  /*       critical */
				  /*       extnValue */
	bool                     isCA;   /* basicConstraints cA; NOTE(review): enforcement is not visible here — check verify_x509cert() */
	bool                     isOcspSigner; /* ocsp */
	chunk_t                  subjectKeyID;
	chunk_t                  authKeyID;    /* authorityKeyIdentifier (from the name) */
	chunk_t                  authKeySerialNumber;
	chunk_t                  accessLocation; /* ocsp */
	generalName_t            *subjectAltName;        /* list, see struct generalName */
	generalName_t            *crlDistributionPoints; /* list, see struct generalName */
				  /* signatureAlgorithm */
	int                algorithm;    /* outer signatureAlgorithm; RFC 5280 requires it to equal sigAlg — NOTE(review): confirm the parser checks this */
	chunk_t          signature;      /* signatureValue; presumably the `sig` given to x509_check_signature() */
};

/*
 * Prototypes only: the definitions live in x509.c, so any contract noted
 * here that is not evident from the signature itself is marked as an
 * assumption to be confirmed there.
 */

/* template used to initialise a fresh x509cert_t */
extern const x509cert_t empty_x509cert;

/* --- comparison of DER-encoded values --------------------------------- */

/* equality of two serial numbers / key identifiers / distinguished names;
 * presumably a comparison of the raw bytes — confirm whether same_dn()
 * normalises (case, whitespace) before comparing */
extern bool same_serial(chunk_t a, chunk_t b);
extern bool same_keyid(chunk_t a, chunk_t b);
extern bool same_dn(chunk_t a, chunk_t b);
/* DN match that also reports, through *wildcards, how many wildcard RDNs
 * were involved (inferred from the name; confirm in x509.c) */
extern bool match_dn(chunk_t a, chunk_t b, int *wildcards);
extern bool same_x509cert(const x509cert_t *a, const x509cert_t *b);
extern int dn_count_wildcards(chunk_t dn);

/* --- textual conversion ------------------------------------------------ */

/* hex rendering of bin into *str; ownership of str->ptr is not visible here */
extern void hex_str(chunk_t bin, chunk_t *str);
/* render a DN into the caller's buffer of dstlen bytes (bounded write) */
extern int dntoa(char *dst, size_t dstlen, chunk_t dn);
/* like dntoa(), but prints null_dn for an empty DN (inferred from the name) */
extern int dntoa_or_null(char *dst, size_t dstlen, chunk_t dn,
						 const char *null_dn);
/* parse a textual DN into *dn; src is not const, so it may be modified
 * in place — pass a writable copy. err_t is presumably NULL on success
 * and an error string otherwise (confirm) */
extern err_t atodn(char *src, chunk_t *dn);
/* convert a GeneralName into a struct id */
extern void gntoid(struct id *id, const generalName_t *gn);

/* --- parsing and identity ---------------------------------------------- */

extern bool compute_subjectKeyID(x509cert_t *cert, chunk_t subjectKeyID);
extern void select_x509cert_id(x509cert_t *cert, struct id *end_id);
/* parse a DER blob into *cert; level0 is presumably the ASN.1 nesting level
 * used for diagnostics. Note: u_int here versus int in the other parse_*
 * prototypes — harmless, but inconsistent */
extern bool parse_x509cert(chunk_t blob, u_int level0, x509cert_t *cert);
extern time_t parse_time(chunk_t blob, int level0);
extern void parse_authorityKeyIdentifier(chunk_t blob, int level0,
										 chunk_t *authKeyID,
										 chunk_t *authKeySerialNumber);
extern chunk_t get_directoryName(chunk_t blob, int level, bool implicit);
/* validity check against notBefore/notAfter; what *until receives is
 * not visible here — confirm in x509.c */
extern err_t check_validity(const x509cert_t *cert, time_t *until);

/* --- signatures -------------------------------------------------------- */

/* verify sig over tbs with issuer_cert's key and the given algorithm;
 * the return value is the only failure indication — never ignore it */
extern bool x509_check_signature(chunk_t tbs, chunk_t sig, int algorithm,
								 const x509cert_t *issuer_cert);
/* sign tbs with key; bit_string presumably selects ASN.1 BIT STRING
 * wrapping. Who frees the returned chunk is not visible here */
extern chunk_t x509_build_signature(chunk_t tbs, int algorithm,
									private_key_t *key, bool bit_string);

/* --- certificate store and chains -------------------------------------- */

/* full verification of cert; how strict changes the outcome and what
 * *until receives are defined in x509.c */
extern bool verify_x509cert(const x509cert_t *cert, bool strict, time_t *until);
/* insert into the store; the returned pointer may differ from cert
 * (inferred from the return type — confirm) */
extern x509cert_t *add_x509cert(x509cert_t *cert);
extern x509cert_t *get_x509cert(chunk_t issuer, chunk_t serial, chunk_t keyid,
								x509cert_t *chain);
extern void build_x509cert(x509cert_t *cert, public_key_t *cert_key,
						   private_key_t *signer_key);
extern chunk_t build_subjectAltNames(generalName_t *subjectAltNames);
/* share()/release() appear to adjust x509cert_t.count, free() destroys
 * unconditionally — confirm in x509.c */
extern void share_x509cert(x509cert_t *cert);
extern void release_x509cert(x509cert_t *cert);
extern void free_x509cert(x509cert_t *cert);
extern void store_x509certs(x509cert_t **firstcert, bool strict);
extern void list_x509cert_chain(const char *caption, x509cert_t *cert,
								u_char auth_flags, bool utc);
extern void list_x509_end_certs(bool utc);
/* free a GeneralName list; free_name also releases each node's name chunk */
extern void free_generalNames(generalName_t *gn, bool free_name);

#endif /* _X509_H */