asn.h
/* asn.h
 *
 * Copyright (C) 2006-2016 wolfSSL Inc.
 *
 * This file is part of wolfSSL.
 *
 * wolfSSL is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * wolfSSL is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
 */

/* Internal ASN.1 / X.509 declarations: tag and size constants, the OID "sum"
 * tables, the decoded-certificate, signer, OCSP and CRL structures, and the
 * prototypes of the DER parsing and encoding helpers. Everything here
 * describes data that arrives from certificates, OCSP responses and CRLs,
 * i.e. input that is untrusted until a signature check has succeeded.
 */


#ifndef WOLF_CRYPT_ASN_H
#define WOLF_CRYPT_ASN_H

#include <wolfssl/wolfcrypt/types.h>

#ifndef NO_ASN

#include <wolfssl/wolfcrypt/integer.h>
#ifndef NO_RSA
    #include <wolfssl/wolfcrypt/rsa.h>
#endif

/* fips declare of RsaPrivateKeyDecode @wc_fips */
#if defined(HAVE_FIPS) && !defined(NO_RSA)
    #include <cyassl/ctaocrypt/rsa.h>
#endif

#ifndef NO_DH
    #include <wolfssl/wolfcrypt/dh.h>
#endif
#ifndef NO_DSA
    #include <wolfssl/wolfcrypt/dsa.h>
#endif
#ifndef NO_SHA
    #include <wolfssl/wolfcrypt/sha.h>
#endif
#ifndef NO_MD5
    #include <wolfssl/wolfcrypt/md5.h>
#endif
#include <wolfssl/wolfcrypt/sha256.h>
#include <wolfssl/wolfcrypt/asn_public.h>   /* public interface */
#ifdef HAVE_ECC
    #include <wolfssl/wolfcrypt/ecc.h>
#endif

#ifdef __cplusplus
    extern "C" {
#endif


/* Small selector constants plus the size of the fixed serial-number buffers
 * (DecodedCert.serial, CertStatus.serial, RevokedCert.serialNumber).
 * NOTE(review): those buffers are fixed at EXTERNAL_SERIAL_SIZE bytes, so the
 * code that copies a serial out of a certificate, OCSP response or CRL has to
 * bound the copy by this value; that code is not in this header.
 */
enum {
    ISSUER  = 0,
    SUBJECT = 1,

    EXTERNAL_SERIAL_SIZE = 32,

    BEFORE  = 0,
    AFTER   = 1
};

/* ASN Tags */
/* ASN_OTHER_TYPE .. ASN_DIR_TYPE reuse the numbers 0x00-0x04 that the
 * universal tags above already use (0x01, 0x02, 0x04). Presumably they are
 * name-type numbers that only make sense in a context-specific position
 * (Base_entry.type holds "DNS or RFC822"); verify against the decoder before
 * comparing a raw tag byte with them.
 */
enum ASN_Tags {
    ASN_BOOLEAN           = 0x01,
    ASN_INTEGER           = 0x02,
    ASN_BIT_STRING        = 0x03,
    ASN_OCTET_STRING      = 0x04,
    ASN_TAG_NULL          = 0x05,
    ASN_OBJECT_ID         = 0x06,
    ASN_ENUMERATED        = 0x0a,
    ASN_UTF8STRING        = 0x0c,
    ASN_SEQUENCE          = 0x10,
    ASN_SET               = 0x11,
    ASN_UTC_TIME          = 0x17,
    ASN_OTHER_TYPE        = 0x00,
    ASN_RFC822_TYPE       = 0x01,
    ASN_DNS_TYPE          = 0x02,
    ASN_DIR_TYPE          = 0x04,
    ASN_GENERALIZED_TIME  = 0x18,
    CRL_EXTENSIONS        = 0xa0,
    ASN_EXTENSIONS        = 0xa3,
    ASN_LONG_LENGTH       = 0x80
};

/* Bits that are OR-ed into a tag byte. */
enum ASN_Flags{
    ASN_CONSTRUCTED       = 0x20,
    ASN_CONTEXT_SPECIFIC  = 0x80
};

/* Numbers identifying distinguished-name components. */
enum DN_Tags {
    ASN_COMMON_NAME   = 0x03,   /* CN */
    ASN_SUR_NAME      = 0x04,   /* SN */
    ASN_SERIAL_NUMBER = 0x05,   /* serialNumber */
    ASN_COUNTRY_NAME  = 0x06,   /* C  */
    ASN_LOCALITY_NAME = 0x07,   /* L  */
    ASN_STATE_NAME    = 0x08,   /* ST */
    ASN_ORG_NAME      = 0x0a,   /* O  */
    ASN_ORGUNIT_NAME  = 0x0b    /* OU */
};

/* Password-based encryption scheme selectors.
 * NOTE(review): every non-PBES2 entry pairs MD5 or SHA-1 with DES, 3DES or
 * RC4. These are legacy schemes; a private key stored under one of them
 * should be regarded as weakly protected at rest.
 */
enum PBES {
    PBE_MD5_DES      = 0,
    PBE_SHA1_DES     = 1,
    PBE_SHA1_DES3    = 2,
    PBE_SHA1_RC4_128 = 3,
    PBES2            = 13       /* algo ID */
};

/* Cipher selectors that go with the PBES values above. */
enum ENCRYPTION_TYPES {
    DES_TYPE  = 0,
    DES3_TYPE = 1,
    RC4_TYPE  = 2
};

/* 160 and 161 are 0xa0 and 0xa1; presumably the context-specific tag bytes
 * met inside an ECC key encoding - confirm in the ECC key decoder.
 */
enum ECC_TYPES {
    ECC_PREFIX_0 = 160,
    ECC_PREFIX_1 = 161
};

/* Size limits used when decoding and encoding DER. Several of them are the
 * dimensions of fixed arrays declared later in this header (ASN_NAME_MAX,
 * KEYID_SIZE, MAX_DATE_SIZE, MAX_OCSP_NONCE_SZ), so any length read from the
 * wire must be checked against the matching limit before a copy.
 * NOTE(review): MAX_SIG_SZ is 256 bytes while MAX_RSA_INT_SZ is sized for a
 * 4096-bit integer; confirm which limit governs signature buffers.
 */
enum Misc_ASN {
    ASN_NAME_MAX        = 256,
    MAX_SALT_SIZE       =  64,     /* MAX PKCS Salt length */
    MAX_IV_SIZE         =  64,     /* MAX PKCS Iv length */
    MAX_KEY_SIZE        =  64,     /* MAX PKCS Key  length */
    PKCS5               =   5,     /* PKCS oid tag */
    PKCS5v2             =   6,     /* PKCS #5 v2.0 */
    PKCS12              =  12,     /* PKCS #12 */
    MAX_UNICODE_SZ      = 256,
    ASN_BOOL_SIZE       =   2,     /* including type */
    ASN_ECC_HEADER_SZ   =   2,     /* String type + 1 byte len */
    ASN_ECC_CONTEXT_SZ  =   2,     /* Content specific type + 1 byte len */
    /* Key-id / name-hash length follows the hash the build provides:
     * the SHA-1 digest size unless NO_SHA is defined, then SHA-256. */
#ifdef NO_SHA
    KEYID_SIZE          = SHA256_DIGEST_SIZE,
#else
    KEYID_SIZE          = SHA_DIGEST_SIZE,
#endif
    RSA_INTS            =   8,     /* RSA ints in private key */
    DSA_INTS            =   5,     /* DSA ints in private key */
    MIN_DATE_SIZE       =  13,
    MAX_DATE_SIZE       =  32,
    ASN_GEN_TIME_SZ     =  15,     /* 7 numbers * 2 + Zulu tag */
    MAX_ENCODED_SIG_SZ  = 512,
    MAX_SIG_SZ          = 256,
    MAX_ALGO_SZ         =  20,
    MAX_SEQ_SZ          =   5,     /* enum(seq | con) + length(4) */
    MAX_SET_SZ          =   5,     /* enum(set | con) + length(4) */
    MAX_OCTET_STR_SZ    =   5,     /* enum(octet str) + length(4) */
    MAX_EXP_SZ          =   5,     /* enum(contextspec|con|exp) + length(4) */
    MAX_PRSTR_SZ        =   5,     /* enum(prstr) + length(4) */
    MAX_VERSION_SZ      =   5,     /* enum + id + version(byte) + (header(2))*/
    MAX_ENCODED_DIG_SZ  =  73,     /* sha512 + enum(bit or octet) + length(4) */
    MAX_RSA_INT_SZ      = 517,     /* RSA raw sz 4096 for bits + tag + len(4) */
    MAX_NTRU_KEY_SZ     = 610,     /* NTRU 112 bit public key */
    MAX_NTRU_ENC_SZ     = 628,     /* NTRU 112 bit DER public encoding */
    MAX_LENGTH_SZ       =   4,     /* Max length size for DER encoding */
    MAX_RSA_E_SZ        =  16,     /* Max RSA public e size */
    MAX_CA_SZ           =  32,     /* Max encoded CA basic constraint length */
    MAX_SN_SZ           =  35,     /* Max encoded serial number (INT) length */
    MAX_DER_DIGEST_SZ   = MAX_ENCODED_DIG_SZ + MAX_ALGO_SZ + MAX_SEQ_SZ, /* Maximum DER digest size */
#ifdef WOLFSSL_CERT_GEN
    #ifdef WOLFSSL_CERT_REQ
                          /* Max encoded cert req attributes length */
        MAX_ATTRIB_SZ   = MAX_SEQ_SZ * 3 + (11 + MAX_SEQ_SZ) * 2 +
                          MAX_PRSTR_SZ + CTC_NAME_SIZE, /* 11 is the OID size */
    #endif
    #if defined(WOLFSSL_ALT_NAMES) || defined(WOLFSSL_CERT_EXT)
        MAX_EXTENSIONS_SZ   = 1 + MAX_LENGTH_SZ + CTC_MAX_ALT_SIZE,
    #else
        MAX_EXTENSIONS_SZ   = 1 + MAX_LENGTH_SZ + MAX_CA_SZ,
    #endif
                                   /* Max total extensions, id + len + others */
#endif
#ifdef WOLFSSL_CERT_EXT
    MAX_KID_SZ          = 45,      /* Max encoded KID length (SHA-256 case) */
    MAX_KEYUSAGE_SZ     = 18,      /* Max encoded Key Usage length */
    MAX_OID_SZ          = 32,      /* Max DER length of OID*/
    MAX_OID_STRING_SZ   = 64,      /* Max string length representation of OID*/
    MAX_CERTPOL_NB      = CTC_MAX_CERTPOL_NB,/* Max number of Cert Policy */
    MAX_CERTPOL_SZ      = CTC_MAX_CERTPOL_SZ,
#endif
    OCSP_NONCE_EXT_SZ   = 37,      /* OCSP Nonce Extension size */
    MAX_OCSP_EXT_SZ     = 58,      /* Max OCSP Extension length */
    MAX_OCSP_NONCE_SZ   = 16,      /* OCSP Nonce size */
    EIGHTK_BUF          = 8192,    /* Tmp buffer size */
    MAX_PUBLIC_KEY_SZ   = MAX_NTRU_ENC_SZ + MAX_ALGO_SZ + MAX_SEQ_SZ * 2,
                                   /* use bigger NTRU size */
    HEADER_ENCRYPTED_KEY_SIZE = 88 /* Extra header size for encrypted key */
};


/* Category of an object identifier; passed as oidType to GetObjectId() and
 * GetAlgoId(). ignoreType carries no explicit value, so it is 12.
 *
 * The *_Sum enums below hold the per-category "sum" values this header refers
 * to as "sum of algorithm object id". The same number occurs in more than one
 * category: 69 is DESb and AUTH_INFO_OID, 79 is HW_NAME_OID and
 * EKU_OCSP_SIGN_OID, 117 is AIA_CA_ISSUER_OID and OCSP_BASIC_OID, 146 is
 * CERT_POLICY_OID and CP_ANY_OID, 151 is EXT_KEY_USAGE_OID and EKU_ANY_OID.
 * A sum therefore identifies an OID only together with its Oid_Types
 * category and must never be compared across categories.
 * NOTE(review): how the sum is derived is not shown here - presumably an
 * additive checksum of the encoded OID bytes; confirm in asn.c, since an
 * additive sum cannot tell apart two OIDs whose bytes add up to the same
 * value inside one category either.
 */
enum Oid_Types {
    hashType         = 0,
    sigType          = 1,
    keyType          = 2,
    curveType        = 3,
    blkType          = 4,
    ocspType         = 5,
    certExtType      = 6,
    certAuthInfoType = 7,
    certPolicyType   = 8,
    certAltNameType  = 9,
    certKeyUseType   = 10,
    kdfType          = 11,
    ignoreType
};


/* Hash algorithm sums. MD2, MD5 and SHA-1 are broken or weakened for
 * collision resistance; recognising their OIDs is not the same as accepting
 * signatures made with them - that policy is decided by the verifier, not by
 * this table.
 */
enum Hash_Sum  {
    MD2h    = 646,
    MD5h    = 649,
    SHAh    =  88,
    SHA256h = 414,
    SHA384h = 415,
    SHA512h = 416
};


/* Block cipher sums. */
enum Block_Sum {
    DESb  = 69,
    DES3b = 652
};


/* Public-key algorithm sums (see DecodedCert.keyOID, Signer.keyOID). */
enum Key_Sum {
    DSAk   = 515,
    RSAk   = 645,
    NTRUk  = 274,
    ECDSAk = 518
};


/* Named-curve sums (see DecodedCert.pkCurveOID). */
enum Ecc_Sum {
    ECC_256R1 = 526,
    ECC_384R1 = 210,
    ECC_521R1 = 211,
    ECC_160R1 = 184,
    ECC_192R1 = 520,
    ECC_224R1 = 209
};


/* Key-derivation function sums. */
enum KDF_Sum {
    PBKDF2_OID = 660
};


/* Certificate extension sums. */
enum Extensions_Sum {
    BASIC_CA_OID    = 133,
    ALT_NAMES_OID   = 131,
    CRL_DIST_OID    = 145,
    AUTH_INFO_OID   = 69,
    AUTH_KEY_OID    = 149,
    SUBJ_KEY_OID    = 128,
    CERT_POLICY_OID = 146,
    KEY_USAGE_OID   = 129,  /* 2.5.29.15 */
    INHIBIT_ANY_OID = 168,  /* 2.5.29.54 */
    EXT_KEY_USAGE_OID = 151, /* 2.5.29.37 */
    NAME_CONS_OID   = 144   /* 2.5.29.30 */
};

/* Same value as CERT_POLICY_OID above; distinguishable only by category. */
enum CertificatePolicy_Sum {
    CP_ANY_OID      = 146  /* id-ce 32 0 */
};

/* Same value as EKU_OCSP_SIGN_OID below; distinguishable only by category. */
enum SepHardwareName_Sum {
    HW_NAME_OID     = 79   /* 1.3.6.1.5.5.7.8.4 from RFC 4108*/
};

/* Authority Information Access method sums. */
enum AuthInfo_Sum {
    AIA_OCSP_OID      = 116, /* 1.3.6.1.5.5.7.48.1 */
    AIA_CA_ISSUER_OID = 117  /* 1.3.6.1.5.5.7.48.2 */
};

/* EKU_ANY_OID has the same value as EXT_KEY_USAGE_OID above. */
enum ExtKeyUsage_Sum { /* From RFC 5280 */
    EKU_ANY_OID         = 151, /* 2.5.29.37.0, anyExtendedKeyUsage         */
    EKU_SERVER_AUTH_OID = 71,  /* 1.3.6.1.5.5.7.3.1, id-kp-serverAuth      */
    EKU_CLIENT_AUTH_OID = 72,  /* 1.3.6.1.5.5.7.3.2, id-kp-clientAuth      */
    EKU_OCSP_SIGN_OID   = 79   /* 1.3.6.1.5.5.7.3.9, OCSPSigning           */
};


/* Presumably the values for the `verify` argument of ParseCert(),
 * ParseCertRelative() and DecodeToKey().
 * NOTE(review): which checks NO_VERIFY skips is not visible in this header;
 * fields decoded with NO_VERIFY should be handled as unauthenticated input
 * until that is confirmed.
 */
enum VerifyType {
    NO_VERIFY = 0,
    VERIFY    = 1
};

#ifdef WOLFSSL_CERT_EXT
/* Selects subject key id or authority key id. */
enum KeyIdType {
    SKID_TYPE = 0,
    AKID_TYPE = 1
};
#endif

/* Key usage extension bits */
/* Masks for the word16 key-usage fields (DecodedCert.extKeyUsage,
 * Signer.keyUsage). KEYUSE_DECIPHER_ONLY sits at 0x8000 instead of following
 * the others, so the values are not a plain bit numbering - test with these
 * macros rather than hand-written constants.
 */
#define KEYUSE_DIGITAL_SIG    0x0080
#define KEYUSE_CONTENT_COMMIT 0x0040
#define KEYUSE_KEY_ENCIPHER   0x0020
#define KEYUSE_DATA_ENCIPHER  0x0010
#define KEYUSE_KEY_AGREE      0x0008
#define KEYUSE_KEY_CERT_SIGN  0x0004
#define KEYUSE_CRL_SIGN       0x0002
#define KEYUSE_ENCIPHER_ONLY  0x0001
#define KEYUSE_DECIPHER_ONLY  0x8000

/* Masks for the byte-wide DecodedCert.extExtKeyUsage bitfield. */
#define EXTKEYUSE_ANY         0x08
#define EXTKEYUSE_OCSP_SIGN   0x04
#define EXTKEYUSE_CLIENT_AUTH 0x02
#define EXTKEYUSE_SERVER_AUTH 0x01

typedef struct DNS_entry   DNS_entry;

/* Singly linked list node for an alternative name.
 * NOTE(review): no length is stored next to `name`, so consumers presumably
 * rely on NUL termination; a name carrying an embedded NUL byte would then
 * be compared as its prefix. Confirm the decoder rejects or handles that.
 */
struct DNS_entry {
    DNS_entry* next;   /* next on DNS list */
    char*      name;   /* actual DNS name */
};


typedef struct Base_entry  Base_entry;

/* Singly linked list node for a name-constraint base; unlike DNS_entry the
 * name carries an explicit length. */
struct Base_entry {
    Base_entry* next;   /* next on name base list */
    char*       name;   /* actual name base */
    int         nameSz; /* name length */
    byte        type;   /* Name base type (DNS or RFC822) */
};


/* Full name string plus an index/length pair per component. Presumably the
 * indices are offsets into fullName - TODO confirm; if so each idx + len
 * has to stay within fullNameLen before it is used.
 */
struct DecodedName {
    char*   fullName;
    int     fullNameLen;
    int     entryCount;
    int     cnIdx;
    int     cnLen;
    int     snIdx;
    int     snLen;
    int     cIdx;
    int     cLen;
    int     lIdx;
    int     lLen;
    int     stIdx;
    int     stLen;
    int     oIdx;
    int     oLen;
    int     ouIdx;
    int     ouLen;
    int     emailIdx;
    int     emailLen;
    int     uidIdx;
    int     uidLen;
    int     serialIdx;
    int     serialLen;
};


typedef struct DecodedCert DecodedCert;
typedef struct DecodedName DecodedName;
typedef struct Signer      Signer;
#ifdef WOLFSSL_TRUST_PEER_CERT
typedef struct TrustedPeerCert TrustedPeerCert;
#endif /* WOLFSSL_TRUST_PEER_CERT */


/* Working state and results of decoding one certificate.
 *
 * Ownership: `source` is marked "NOT owner", and `signature` and
 * `extensions` are marked as pointing into the raw certificate. The buffer
 * given to InitDecodedCert() therefore has to stay valid and unmodified for
 * as long as this structure is in use; freeing or reusing it earlier leaves
 * these pointers dangling. The *Stored / weOwn* flags record the members the
 * structure does own.
 *
 * The field set depends on the build options tested below, so every
 * translation unit that touches a DecodedCert must be compiled with the same
 * defines.
 */
struct DecodedCert {
    byte*   publicKey;
    word32  pubKeySize;
    int     pubKeyStored;
    word32  certBegin;               /* offset to start of cert          */
    word32  sigIndex;                /* offset to start of signature     */
    word32  sigLength;               /* length of signature              */
    word32  signatureOID;            /* sum of algorithm object id       */
    word32  keyOID;                  /* sum of key algo  object id       */
    int     version;                 /* cert version, 1 or 3             */
    DNS_entry* altNames;             /* alt names list of dns entries    */
#ifndef IGNORE_NAME_CONSTRAINTS
    DNS_entry* altEmailNames;        /* alt names list of RFC822 entries */
    Base_entry* permittedNames;      /* Permitted name bases             */
    Base_entry* excludedNames;       /* Excluded name bases              */
#endif /* IGNORE_NAME_CONSTRAINTS */
    byte    subjectHash[KEYID_SIZE]; /* hash of all Names                */
    byte    issuerHash[KEYID_SIZE];  /* hash of all Names                */
#ifdef HAVE_OCSP
    byte    issuerKeyHash[KEYID_SIZE]; /* hash of the public Key         */
#endif /* HAVE_OCSP */
    byte*   signature;               /* not owned, points into raw cert  */
    char*   subjectCN;               /* CommonName                       */
    int     subjectCNLen;            /* CommonName Length                */
    char    subjectCNEnc;            /* CommonName Encoding              */
    int     subjectCNStored;         /* have we saved a copy we own      */
    char    issuer[ASN_NAME_MAX];    /* full name including common name  */
    char    subject[ASN_NAME_MAX];   /* full name including common name  */
    int     verify;                  /* Default to yes, but could be off */
    byte*   source;                  /* byte buffer holder cert, NOT owner */
    word32  srcIdx;                  /* current offset into buffer       */
    word32  maxIdx;                  /* max offset based on init size    */
    void*   heap;                    /* for user memory overrides        */
    byte    serial[EXTERNAL_SERIAL_SIZE];  /* raw serial number          */
    int     serialSz;                /* raw serial bytes stored */
    byte*   extensions;              /* not owned, points into raw cert  */
    int     extensionsSz;            /* length of cert extensions */
    word32  extensionsIdx;           /* if want to go back and parse later */
    byte*   extAuthInfo;             /* Authority Information Access URI */
    int     extAuthInfoSz;           /* length of the URI                */
    byte*   extCrlInfo;              /* CRL Distribution Points          */
    int     extCrlInfoSz;            /* length of the URI                */
    byte    extSubjKeyId[KEYID_SIZE]; /* Subject Key ID                  */
    byte    extSubjKeyIdSet;         /* Set when the SKID was read from cert */
    byte    extAuthKeyId[KEYID_SIZE]; /* Authority Key ID                */
    byte    extAuthKeyIdSet;         /* Set when the AKID was read from cert */
#ifndef IGNORE_NAME_CONSTRAINTS
    byte    extNameConstraintSet;
#endif /* IGNORE_NAME_CONSTRAINTS */
    byte    isCA;                    /* CA basic constraint true         */
    byte    weOwnAltNames;           /* altNames haven't been given to copy */
    byte    extKeyUsageSet;
    word16  extKeyUsage;             /* Key usage bitfield               */
    byte    extExtKeyUsageSet;       /* Extended Key Usage               */
    byte    extExtKeyUsage;          /* Extended Key usage bitfield      */
#ifdef OPENSSL_EXTRA
    byte    extBasicConstSet;
    byte    extBasicConstCrit;
    byte    extBasicConstPlSet;
    word32  pathLength;              /* CA basic constraint path length, opt */
    byte    extSubjAltNameSet;
    byte    extSubjAltNameCrit;
    byte    extAuthKeyIdCrit;
#ifndef IGNORE_NAME_CONSTRAINTS
    byte    extNameConstraintCrit;
#endif /* IGNORE_NAME_CONSTRAINTS */
    byte    extSubjKeyIdCrit;
    byte    extKeyUsageCrit;
    byte    extExtKeyUsageCrit;
    byte*   extExtKeyUsageSrc;
    word32  extExtKeyUsageSz;
    word32  extExtKeyUsageCount;
    byte*   extAuthKeyIdSrc;
    word32  extAuthKeyIdSz;
    byte*   extSubjKeyIdSrc;
    word32  extSubjKeyIdSz;
#endif
#ifdef HAVE_ECC
    word32  pkCurveOID;           /* Public Key's curve OID */
#endif /* HAVE_ECC */
    byte*   beforeDate;
    int     beforeDateLen;
    byte*   afterDate;
    int     afterDateLen;
#ifdef HAVE_PKCS7
    byte*   issuerRaw;               /* pointer to issuer inside source */
    int     issuerRawLen;
#endif
    /* NOTE(review): this guard tests IGNORE_NAME_CONSTRAINT (no trailing S),
     * every other guard in this header tests IGNORE_NAME_CONSTRAINTS. As
     * written, defining IGNORE_NAME_CONSTRAINTS does not remove these two
     * members. Looks like a typo; check the users of subjectRaw before
     * changing it, because it alters the structure layout. */
#ifndef IGNORE_NAME_CONSTRAINT
    byte*   subjectRaw;               /* pointer to subject inside source */
    int     subjectRawLen;
#endif
#if defined(WOLFSSL_CERT_GEN)
    /* easy access to subject info for other sign */
    char*   subjectSN;
    int     subjectSNLen;
    char    subjectSNEnc;
    char*   subjectC;
    int     subjectCLen;
    char    subjectCEnc;
    char*   subjectL;
    int     subjectLLen;
    char    subjectLEnc;
    char*   subjectST;
    int     subjectSTLen;
    char    subjectSTEnc;
    char*   subjectO;
    int     subjectOLen;
    char    subjectOEnc;
    char*   subjectOU;
    int     subjectOULen;
    char    subjectOUEnc;
    char*   subjectEmail;
    int     subjectEmailLen;
#endif /* WOLFSSL_CERT_GEN */
#ifdef OPENSSL_EXTRA
    DecodedName issuerName;
    DecodedName subjectName;
#endif /* OPENSSL_EXTRA */
#ifdef WOLFSSL_SEP
    int     deviceTypeSz;
    byte*   deviceType;
    int     hwTypeSz;
    byte*   hwType;
    int     hwSerialNumSz;
    byte*   hwSerialNum;
    #ifdef OPENSSL_EXTRA
        byte    extCertPolicySet;
        byte    extCertPolicyCrit;
    #endif /* OPENSSL_EXTRA */
#endif /* WOLFSSL_SEP */
#ifdef WOLFSSL_CERT_EXT
    char    extCertPolicies[MAX_CERTPOL_NB][MAX_CERTPOL_SZ];
    int     extCertPoliciesNb;
#endif /* WOLFSSL_CERT_EXT */
};

/* Header/footer marker strings, defined in another translation unit;
 * presumably the PEM armour lines for each object type. */
extern const char* BEGIN_CERT;
extern const char* END_CERT;
extern const char* BEGIN_CERT_REQ;
extern const char* END_CERT_REQ;
extern const char* BEGIN_DH_PARAM;
extern const char* END_DH_PARAM;
extern const char* BEGIN_X509_CRL;
extern const char* END_X509_CRL;
extern const char* BEGIN_RSA_PRIV;
extern const char* END_RSA_PRIV;
extern const char* BEGIN_PRIV_KEY;
extern const char* END_PRIV_KEY;
extern const char* BEGIN_ENC_PRIV_KEY;
extern const char* END_ENC_PRIV_KEY;
extern const char* BEGIN_EC_PRIV;
extern const char* END_EC_PRIV;
extern const char* BEGIN_DSA_PRIV;
extern const char* END_DSA_PRIV;
extern const char* BEGIN_PUB_KEY;
extern const char* END_PUB_KEY;

/* Hash length used in Signer / TrustedPeerCert / DecodedCRL; selected the
 * same way as KEYID_SIZE (SHA-1 size unless NO_SHA, then SHA-256 size). */
#ifdef NO_SHA
    #define SIGNER_DIGEST_SIZE SHA256_DIGEST_SIZE
#else
    #define SIGNER_DIGEST_SIZE SHA_DIGEST_SIZE
#endif

/* CA Signers */
/* if change layout change PERSIST_CERT_CACHE functions too */
struct Signer {
    word32  pubKeySize;
    word32  keyOID;                  /* key type */
    word16  keyUsage;
    byte*   publicKey;
    int     nameLen;
    char*   name;                    /* common name */
#ifndef IGNORE_NAME_CONSTRAINTS
        Base_entry* permittedNames;
        Base_entry* excludedNames;
#endif /* IGNORE_NAME_CONSTRAINTS */
    byte    subjectNameHash[SIGNER_DIGEST_SIZE];
                                     /* sha hash of names in certificate */
    #ifndef NO_SKID
        byte    subjectKeyIdHash[SIGNER_DIGEST_SIZE];
                                     /* presumably the subject key id value,
                                      * not a hash of the names - the original
                                      * comment repeated the one above;
                                      * TODO confirm */
    #endif
    Signer* next;
};


#ifdef WOLFSSL_TRUST_PEER_CERT
/* used for having trusted peer certs rather than CA */
struct TrustedPeerCert {
    int     nameLen;
    char*   name;                    /* common name */
    #ifndef IGNORE_NAME_CONSTRAINTS
        Base_entry* permittedNames;
        Base_entry* excludedNames;
    #endif /* IGNORE_NAME_CONSTRAINTS */
    byte    subjectNameHash[SIGNER_DIGEST_SIZE];
                                     /* sha hash of names in certificate */
    #ifndef NO_SKID
        byte    subjectKeyIdHash[SIGNER_DIGEST_SIZE];
                                     /* presumably the subject key id value,
                                      * not a hash of the names - the original
                                      * comment repeated the one above;
                                      * TODO confirm */
    #endif
    word32 sigLen;
    byte*  sig;
    struct TrustedPeerCert* next;
};
#endif /* WOLFSSL_TRUST_PEER_CERT */


/* not for public consumption but may use for testing sometimes */
/* With WOLFSSL_TEST_CERT defined the functions below are exported
 * (WOLFSSL_API); otherwise they stay library-local (WOLFSSL_LOCAL). */
#ifdef WOLFSSL_TEST_CERT
    #define WOLFSSL_TEST_API WOLFSSL_API
#else
    #define WOLFSSL_TEST_API WOLFSSL_LOCAL
#endif

/* Parameter names are omitted in several prototypes below. Judging by the
 * DecodedCert members, InitDecodedCert() presumably takes (cert, source
 * buffer, buffer size, heap hint) - confirm against the definition. The
 * trailing void* of the Free* functions is presumably the same heap hint. */
WOLFSSL_TEST_API void FreeAltNames(DNS_entry*, void*);
#ifndef IGNORE_NAME_CONSTRAINTS
    WOLFSSL_TEST_API void FreeNameSubtrees(Base_entry*, void*);
#endif /* IGNORE_NAME_CONSTRAINTS */
WOLFSSL_TEST_API void InitDecodedCert(DecodedCert*, byte*, word32, void*);
WOLFSSL_TEST_API void FreeDecodedCert(DecodedCert*);
WOLFSSL_TEST_API int  ParseCert(DecodedCert*, int type, int verify, void* cm);

WOLFSSL_LOCAL int ParseCertRelative(DecodedCert*,int type,int verify,void* cm);
WOLFSSL_LOCAL int DecodeToKey(DecodedCert*, int verify);

WOLFSSL_LOCAL Signer* MakeSigner(void*);
WOLFSSL_LOCAL void    FreeSigner(Signer*, void*);
WOLFSSL_LOCAL void    FreeSignerTable(Signer**, int, void*);
#ifdef WOLFSSL_TRUST_PEER_CERT
WOLFSSL_LOCAL void    FreeTrustedPeer(TrustedPeerCert*, void*);
WOLFSSL_LOCAL void    FreeTrustedPeerTable(TrustedPeerCert**, int, void*);
#endif /* WOLFSSL_TRUST_PEER_CERT */

/* Both take a mutable buffer and its length; presumably they rewrite the key
 * in place - confirm before passing a buffer that is needed unchanged. */
WOLFSSL_LOCAL int ToTraditional(byte* buffer, word32 length);
WOLFSSL_LOCAL int ToTraditionalEnc(byte* buffer, word32 length,const char*,int);

WOLFSSL_LOCAL int ValidateDate(const byte* date, byte format, int dateType);

/* ASN.1 helper functions */
/* Decoders: `inOutIdx` is the read offset into `input` and is passed by
 * pointer; `maxIdx` is the upper bound on that offset. The return-value
 * convention is not visible in this header; callers should check the return
 * value before using *len or *oid, which come from untrusted input.
 * NOTE(review): GetMyVersion() takes no maxIdx, so its reads are bounded only
 * by what the caller verified beforehand - check each call site.
 * NOTE(review): GetNameHash() takes maxIdx as int where its neighbours use
 * word32; watch for signed/unsigned conversion at the call sites.
 *
 * Encoders (Set*): they write to `output` and take no output size. The
 * caller has to supply a buffer large enough, presumably the matching MAX_*_SZ
 * value from Misc_ASN - confirm per function.
 */
WOLFSSL_LOCAL int GetLength(const byte* input, word32* inOutIdx, int* len,
                           word32 maxIdx);
WOLFSSL_LOCAL int GetSequence(const byte* input, word32* inOutIdx, int* len,
                             word32 maxIdx);
WOLFSSL_LOCAL int GetSet(const byte* input, word32* inOutIdx, int* len,
                        word32 maxIdx);
WOLFSSL_LOCAL int GetMyVersion(const byte* input, word32* inOutIdx,
                              int* version);
WOLFSSL_LOCAL int GetInt(mp_int* mpi, const byte* input, word32* inOutIdx,
                        word32 maxIdx);
WOLFSSL_LOCAL int GetObjectId(const byte* input, word32* inOutIdx, word32* oid,
                              word32 oidType, word32 maxIdx);
WOLFSSL_LOCAL int GetAlgoId(const byte* input, word32* inOutIdx, word32* oid,
                           word32 oidType, word32 maxIdx);
WOLFSSL_LOCAL word32 SetLength(word32 length, byte* output);
WOLFSSL_LOCAL word32 SetSequence(word32 len, byte* output);
WOLFSSL_LOCAL word32 SetOctetString(word32 len, byte* output);
WOLFSSL_LOCAL word32 SetImplicit(byte tag,byte number,word32 len,byte* output);
WOLFSSL_LOCAL word32 SetExplicit(byte number, word32 len, byte* output);
WOLFSSL_LOCAL word32 SetSet(word32 len, byte* output);
WOLFSSL_LOCAL word32 SetAlgoID(int algoOID,byte* output,int type,int curveSz);
WOLFSSL_LOCAL int SetMyVersion(word32 version, byte* output, int header);
WOLFSSL_LOCAL int SetSerialNumber(const byte* sn, word32 snSz, byte* output);
WOLFSSL_LOCAL int GetNameHash(const byte* source, word32* idx, byte* hash,
                             int maxIdx);

#ifdef HAVE_ECC
    /* ASN sig helpers */
    /* outLen is passed by pointer; presumably buffer size in, bytes written
     * out - TODO confirm. */
    WOLFSSL_LOCAL int StoreECC_DSA_Sig(byte* out, word32* outLen, mp_int* r,
                                      mp_int* s);
    WOLFSSL_LOCAL int DecodeECC_DSA_Sig(const byte* sig, word32 sigLen,
                                       mp_int* r, mp_int* s);
#endif

#ifdef WOLFSSL_CERT_GEN

/* Constants for certificate generation, including key-type selectors. */
enum cert_enums {
    NAME_ENTRIES    =  8,
    JOINT_LEN       =  2,
    EMAIL_JOINT_LEN =  9,
    RSA_KEY         = 10,
    NTRU_KEY        = 11,
    ECC_KEY         = 12
};

#ifndef WOLFSSL_PEMCERT_TODER_DEFINED
#ifndef NO_FILESYSTEM
/* forward from wolfSSL */
/* derSz is the size of derBuf as a signed int. */
WOLFSSL_API
int wolfSSL_PemCertToDer(const char* fileName,unsigned char* derBuf,int derSz);
#define WOLFSSL_PEMCERT_TODER_DEFINED
#endif
#endif

#endif /* WOLFSSL_CERT_GEN */



/* for pointer use */
typedef struct CertStatus CertStatus;

#ifdef HAVE_OCSP

/* Status of the OCSP response as a whole.
 * OCSP_UNAUTHROIZED is misspelled (sic); the name is part of the interface,
 * so it is kept as is. */
enum Ocsp_Response_Status {
    OCSP_SUCCESSFUL        = 0, /* Response has valid confirmations */
    OCSP_MALFORMED_REQUEST = 1, /* Illegal confirmation request */
    OCSP_INTERNAL_ERROR    = 2, /* Internal error in issuer */
    OCSP_TRY_LATER         = 3, /* Try again later */
    OCSP_SIG_REQUIRED      = 5, /* Must sign the request (4 is skipped) */
    OCSP_UNAUTHROIZED      = 6  /* Request unauthorized */
};


/* Per-certificate revocation status.
 * NOTE(review): CERT_GOOD is 0, so a zero-initialised CertStatus.status that
 * was never filled in reads as "good". Callers must gate on the decode return
 * code and must not read `status` after a failed decode. */
enum Ocsp_Cert_Status {
    CERT_GOOD    = 0,
    CERT_REVOKED = 1,
    CERT_UNKNOWN = 2
};


/* OCSP sums. OCSP_BASIC_OID has the same value as AIA_CA_ISSUER_OID;
 * distinguishable only by Oid_Types category. */
enum Ocsp_Sums {
    OCSP_BASIC_OID = 117,
    OCSP_NONCE_OID = 118
};


typedef struct OcspRequest  OcspRequest;
typedef struct OcspResponse OcspResponse;


/* Status of one certificate as reported by a responder, with the validity
 * window of that statement (thisDate / nextDate). */
struct CertStatus {
    CertStatus* next;

    byte serial[EXTERNAL_SERIAL_SIZE];
    int serialSz;

    int status;

    byte thisDate[MAX_DATE_SIZE];
    byte nextDate[MAX_DATE_SIZE];
    byte thisDateFormat;
    byte nextDateFormat;

    byte* rawOcspResponse;
    word32 rawOcspResponseSz;
};


/* Decoded OCSP response. `source` is not owned, and `sig` and `nonce` are
 * documented as pointing into it, so the response buffer has to outlive this
 * structure. Ownership of the remaining pointers is not stated here. */
struct OcspResponse {
    int     responseStatus;  /* return code from Responder */

    byte*   response;        /* Pointer to beginning of OCSP Response */
    word32  responseSz;      /* length of the OCSP Response */

    byte    producedDate[MAX_DATE_SIZE];
                             /* Date at which this response was signed */
    byte    producedDateFormat; /* format of the producedDate */
    byte*   issuerHash;
    byte*   issuerKeyHash;

    byte*   cert;
    word32  certSz;

    byte*   sig;             /* Pointer to sig in source */
    word32  sigSz;           /* Length in octets for the sig */
    word32  sigOID;          /* OID for hash used for sig */

    CertStatus* status;      /* certificate status to fill out */

    byte*   nonce;           /* pointer to nonce inside ASN.1 response */
    int     nonceSz;         /* length of the nonce string */

    byte*   source;          /* pointer to source buffer, not owned */
    word32  maxIdx;          /* max offset based on init size */
};


/* OCSP request. `serial` and `url` are copies, and FreeOcspRequest() exists,
 * so presumably this structure owns them - TODO confirm.
 * NOTE(review): the nonce is what ties a response to this request; when
 * nonceSz is 0, freshness presumably rests on the thisDate/nextDate window
 * alone - confirm what CompareOcspReqResp() does in that case. */
struct OcspRequest {
    byte   issuerHash[KEYID_SIZE];
    byte   issuerKeyHash[KEYID_SIZE];
    byte*  serial;   /* copy of the serial number in source cert */
    int    serialSz;
    byte*  url;      /* copy of the extAuthInfo in source cert */
    int    urlSz;

    byte   nonce[MAX_OCSP_NONCE_SZ];
    int    nonceSz;
};


WOLFSSL_LOCAL void InitOcspResponse(OcspResponse*, CertStatus*, byte*, word32);
WOLFSSL_LOCAL int  OcspResponseDecode(OcspResponse*, void*);

WOLFSSL_LOCAL int    InitOcspRequest(OcspRequest*, DecodedCert*, byte);
WOLFSSL_LOCAL void   FreeOcspRequest(OcspRequest*);
WOLFSSL_LOCAL int    EncodeOcspRequest(OcspRequest*, byte*, word32);
WOLFSSL_LOCAL word32 EncodeOcspRequestExtensions(OcspRequest*, byte*, word32);


WOLFSSL_LOCAL int CompareOcspReqResp(OcspRequest*, OcspResponse*);


#endif /* HAVE_OCSP */


/* for pointer use */
typedef struct RevokedCert RevokedCert;

#ifdef HAVE_CRL

/* One revoked serial number; list node. */
struct RevokedCert {
    byte         serialNumber[EXTERNAL_SERIAL_SIZE];
    int          serialSz;
    RevokedCert* next;
};

typedef struct DecodedCRL DecodedCRL;

/* Decoded CRL. `signature` points into the raw source and is not owned, so
 * the buffer passed to ParseCRL() has to stay valid while it is used. */
struct DecodedCRL {
    word32  certBegin;               /* offset to start of cert          */
    word32  sigIndex;                /* offset to start of signature     */
    word32  sigLength;               /* length of signature              */
    word32  signatureOID;            /* sum of algorithm object id       */
    byte*   signature;               /* pointer into raw source, not owned */
    byte    issuerHash[SIGNER_DIGEST_SIZE]; /* issuer hash               */
    byte    crlHash[SIGNER_DIGEST_SIZE]; /* raw crl data hash            */
    byte    lastDate[MAX_DATE_SIZE]; /* last date updated  */
    byte    nextDate[MAX_DATE_SIZE]; /* next update date   */
    byte    lastDateFormat;          /* format of last date */
    byte    nextDateFormat;          /* format of next date */
    RevokedCert* certs;              /* revoked cert list  */
    int          totalCerts;         /* number on list     */
};

WOLFSSL_LOCAL void InitDecodedCRL(DecodedCRL*);
WOLFSSL_LOCAL int  ParseCRL(DecodedCRL*, const byte* buff, word32 sz, void* cm);
WOLFSSL_LOCAL void FreeDecodedCRL(DecodedCRL*);


#endif /* HAVE_CRL */


#ifdef __cplusplus
    } /* extern "C" */
#endif

#endif /* !NO_ASN */
#endif /* WOLF_CRYPT_ASN_H */