wolf SSL
/
wolfSSL-TLS13-Beta
Important changes to repositories hosted on mbed.com
Mbed hosted mercurial repositories are deprecated and are due to be permanently deleted in July 2026.
To keep a copy of this software download the repository Zip archive or clone locally using Mercurial.
It is also possible to export all your personal repositories from the account settings page.
Embed:
(wiki syntax)
Show/hide line numbers
asn.h
00001 /* asn.h 00002 * 00003 * Copyright (C) 2006-2016 wolfSSL Inc. 00004 * 00005 * This file is part of wolfSSL. 00006 * 00007 * wolfSSL is free software; you can redistribute it and/or modify 00008 * it under the terms of the GNU General Public License as published by 00009 * the Free Software Foundation; either version 2 of the License, or 00010 * (at your option) any later version. 00011 * 00012 * wolfSSL is distributed in the hope that it will be useful, 00013 * but WITHOUT ANY WARRANTY; without even the implied warranty of 00014 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 00015 * GNU General Public License for more details. 00016 * 00017 * You should have received a copy of the GNU General Public License 00018 * along with this program; if not, write to the Free Software 00019 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA 00020 */ 00021 00022 00023 #ifndef WOLF_CRYPT_ASN_H 00024 #define WOLF_CRYPT_ASN_H 00025 00026 #include <wolfssl/wolfcrypt/types.h> 00027 00028 #ifndef NO_ASN 00029 00030 #include <wolfssl/wolfcrypt/integer.h> 00031 00032 /* fips declare of RsaPrivateKeyDecode @wc_fips */ 00033 #if defined(HAVE_FIPS) && !defined(NO_RSA) 00034 #include <cyassl/ctaocrypt/rsa.h> 00035 #endif 00036 00037 #ifndef NO_DH 00038 #include <wolfssl/wolfcrypt/dh.h> 00039 #endif 00040 #ifndef NO_DSA 00041 #include <wolfssl/wolfcrypt/dsa.h> 00042 #endif 00043 #ifndef NO_SHA 00044 #include <wolfssl/wolfcrypt/sha.h> 00045 #endif 00046 #ifndef NO_MD5 00047 #include <wolfssl/wolfcrypt/md5.h> 00048 #endif 00049 #include <wolfssl/wolfcrypt/sha256.h> 00050 #include <wolfssl/wolfcrypt/asn_public.h> /* public interface */ 00051 00052 00053 #ifdef __cplusplus 00054 extern "C" { 00055 #endif 00056 00057 enum { 00058 ISSUER = 0, 00059 SUBJECT = 1, 00060 00061 EXTERNAL_SERIAL_SIZE = 32, 00062 00063 BEFORE = 0, 00064 AFTER = 1 00065 }; 00066 00067 /* ASN Tags */ 00068 enum ASN_Tags { 00069 ASN_BOOLEAN = 0x01, 00070 ASN_INTEGER = 0x02, 00071 ASN_BIT_STRING = 0x03, 00072 ASN_OCTET_STRING = 0x04, 00073 ASN_TAG_NULL = 0x05, 00074 ASN_OBJECT_ID = 0x06, 00075 ASN_ENUMERATED = 0x0a, 00076 ASN_UTF8STRING = 0x0c, 00077 ASN_SEQUENCE = 0x10, 00078 ASN_SET = 0x11, 00079 ASN_UTC_TIME = 0x17, 00080 ASN_OTHER_TYPE = 0x00, 00081 ASN_RFC822_TYPE = 0x01, 00082 ASN_DNS_TYPE = 0x02, 00083 ASN_DIR_TYPE = 0x04, 00084 ASN_GENERALIZED_TIME = 0x18, 00085 CRL_EXTENSIONS = 0xa0, 00086 ASN_EXTENSIONS = 0xa3, 00087 ASN_LONG_LENGTH = 0x80 00088 }; 00089 00090 enum ASN_Flags{ 00091 ASN_CONSTRUCTED = 0x20, 00092 ASN_CONTEXT_SPECIFIC = 0x80 00093 }; 00094 00095 enum DN_Tags { 00096 ASN_COMMON_NAME = 0x03, /* CN */ 00097 ASN_SUR_NAME = 0x04, /* SN */ 00098 ASN_SERIAL_NUMBER = 0x05, /* serialNumber */ 00099 ASN_COUNTRY_NAME = 0x06, /* C */ 00100 ASN_LOCALITY_NAME = 0x07, /* L */ 00101 ASN_STATE_NAME = 0x08, /* ST */ 00102 ASN_ORG_NAME = 0x0a, /* O */ 00103 ASN_ORGUNIT_NAME = 0x0b /* OU */ 00104 }; 00105 00106 enum PBES { 00107 PBE_MD5_DES = 0, 00108 PBE_SHA1_DES = 1, 00109 PBE_SHA1_DES3 = 2, 00110 PBE_SHA1_RC4_128 = 3, 00111 PBES2 = 13 /* algo ID */ 00112 }; 00113 00114 enum ENCRYPTION_TYPES { 00115 DES_TYPE = 0, 00116 DES3_TYPE = 1, 00117 RC4_TYPE = 2 00118 }; 00119 00120 enum ECC_TYPES { 00121 ECC_PREFIX_0 = 160, 00122 ECC_PREFIX_1 = 161 00123 }; 00124 00125 enum Misc_ASN { 00126 ASN_NAME_MAX = 256, 00127 MAX_SALT_SIZE = 64, /* MAX PKCS Salt length */ 00128 MAX_IV_SIZE = 64, /* MAX PKCS Iv length */ 00129 MAX_KEY_SIZE = 64, /* MAX PKCS Key length */ 00130 PKCS5 = 5, /* PKCS oid tag */ 00131 PKCS5v2 = 6, /* PKCS #5 v2.0 */ 00132 PKCS8v0 = 0, /* default PKCS#8 version */ 00133 PKCS12v1 = 12, /* PKCS #12 */ 00134 MAX_UNICODE_SZ = 256, 00135 ASN_BOOL_SIZE = 2, /* including type */ 00136 ASN_ECC_HEADER_SZ = 2, /* String type + 1 byte len */ 00137 ASN_ECC_CONTEXT_SZ = 2, /* Content specific type + 1 byte len */ 00138 #ifdef NO_SHA 00139 KEYID_SIZE = SHA256_DIGEST_SIZE, 00140 #else 00141 KEYID_SIZE = SHA_DIGEST_SIZE, 00142 #endif 00143 RSA_INTS = 8, /* RSA ints in private key */ 00144 DSA_INTS = 5, /* DSA ints in private key */ 00145 MIN_DATE_SIZE = 13, 00146 MAX_DATE_SIZE = 32, 00147 ASN_GEN_TIME_SZ = 15, /* 7 numbers * 2 + Zulu tag */ 00148 MAX_ENCODED_SIG_SZ = 512, 00149 MAX_SIG_SZ = 256, 00150 MAX_ALGO_SZ = 20, 00151 MAX_SEQ_SZ = 5, /* enum(seq | con) + length(4) */ 00152 MAX_SET_SZ = 5, /* enum(set | con) + length(4) */ 00153 MAX_OCTET_STR_SZ = 5, /* enum(set | con) + length(4) */ 00154 MAX_EXP_SZ = 5, /* enum(contextspec|con|exp) + length(4) */ 00155 MAX_PRSTR_SZ = 5, /* enum(prstr) + length(4) */ 00156 MAX_VERSION_SZ = 5, /* enum + id + version(byte) + (header(2))*/ 00157 MAX_ENCODED_DIG_SZ = 73, /* sha512 + enum(bit or octet) + length(4) */ 00158 MAX_RSA_INT_SZ = 517, /* RSA raw sz 4096 for bits + tag + len(4) */ 00159 MAX_NTRU_KEY_SZ = 610, /* NTRU 112 bit public key */ 00160 MAX_NTRU_ENC_SZ = 628, /* NTRU 112 bit DER public encoding */ 00161 MAX_LENGTH_SZ = 4, /* Max length size for DER encoding */ 00162 MAX_RSA_E_SZ = 16, /* Max RSA public e size */ 00163 MAX_CA_SZ = 32, /* Max encoded CA basic constraint length */ 00164 MAX_SN_SZ = 35, /* Max encoded serial number (INT) length */ 00165 MAX_DER_DIGEST_SZ = MAX_ENCODED_DIG_SZ + MAX_ALGO_SZ + MAX_SEQ_SZ, /* Maximum DER digest size */ 00166 #ifdef WOLFSSL_CERT_GEN 00167 #ifdef WOLFSSL_CERT_REQ 00168 /* Max encoded cert req attributes length */ 00169 MAX_ATTRIB_SZ = MAX_SEQ_SZ * 3 + (11 + MAX_SEQ_SZ) * 2 + 00170 MAX_PRSTR_SZ + CTC_NAME_SIZE, /* 11 is the OID size */ 00171 #endif 00172 #if defined(WOLFSSL_ALT_NAMES) || defined(WOLFSSL_CERT_EXT) 00173 MAX_EXTENSIONS_SZ = 1 + MAX_LENGTH_SZ + CTC_MAX_ALT_SIZE, 00174 #else 00175 MAX_EXTENSIONS_SZ = 1 + MAX_LENGTH_SZ + MAX_CA_SZ, 00176 #endif 00177 /* Max total extensions, id + len + others */ 00178 #endif 00179 #ifdef WOLFSSL_CERT_EXT 00180 MAX_KID_SZ = 45, /* Max encoded KID length (SHA-256 case) */ 00181 MAX_KEYUSAGE_SZ = 18, /* Max encoded Key Usage length */ 00182 MAX_OID_SZ = 32, /* Max DER length of OID*/ 00183 MAX_OID_STRING_SZ = 64, /* Max string length representation of OID*/ 00184 MAX_CERTPOL_NB = CTC_MAX_CERTPOL_NB,/* Max number of Cert Policy */ 00185 MAX_CERTPOL_SZ = CTC_MAX_CERTPOL_SZ, 00186 #endif 00187 OCSP_NONCE_EXT_SZ = 35, /* OCSP Nonce Extension size */ 00188 MAX_OCSP_EXT_SZ = 58, /* Max OCSP Extension length */ 00189 MAX_OCSP_NONCE_SZ = 16, /* OCSP Nonce size */ 00190 EIGHTK_BUF = 8192, /* Tmp buffer size */ 00191 MAX_PUBLIC_KEY_SZ = MAX_NTRU_ENC_SZ + MAX_ALGO_SZ + MAX_SEQ_SZ * 2, 00192 /* use bigger NTRU size */ 00193 HEADER_ENCRYPTED_KEY_SIZE = 88,/* Extra header size for encrypted key */ 00194 TRAILING_ZERO = 1, /* Used for size of zero pad */ 00195 MIN_VERSION_SZ = 3, /* Min bytes needed for GetMyVersion */ 00196 #if defined(WOLFSSL_MYSQL_COMPATIBLE) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) 00197 MAX_TIME_STRING_SZ = 21, /* Max length of formatted time string */ 00198 #endif 00199 }; 00200 00201 00202 enum Oid_Types { 00203 oidHashType = 0, 00204 oidSigType = 1, 00205 oidKeyType = 2, 00206 oidCurveType = 3, 00207 oidBlkType = 4, 00208 oidOcspType = 5, 00209 oidCertExtType = 6, 00210 oidCertAuthInfoType = 7, 00211 oidCertPolicyType = 8, 00212 oidCertAltNameType = 9, 00213 oidCertKeyUseType = 10, 00214 oidKdfType = 11, 00215 oidKeyWrapType = 12, 00216 oidCmsKeyAgreeType = 13, 00217 oidIgnoreType 00218 }; 00219 00220 00221 enum Hash_Sum { 00222 MD2h = 646, 00223 MD5h = 649, 00224 SHAh = 88, 00225 SHA224h = 417, 00226 SHA256h = 414, 00227 SHA384h = 415, 00228 SHA512h = 416 00229 }; 00230 00231 00232 enum Block_Sum { 00233 AES128CBCb = 414, 00234 AES192CBCb = 434, 00235 AES256CBCb = 454, 00236 DESb = 69, 00237 DES3b = 652 00238 }; 00239 00240 00241 enum Key_Sum { 00242 DSAk = 515, 00243 RSAk = 645, 00244 NTRUk = 274, 00245 ECDSAk = 518 00246 }; 00247 00248 00249 enum KeyWrap_Sum { 00250 AES128_WRAP = 417, 00251 AES192_WRAP = 437, 00252 AES256_WRAP = 457 00253 }; 00254 00255 00256 enum Key_Agree { 00257 dhSinglePass_stdDH_sha1kdf_scheme = 464, 00258 dhSinglePass_stdDH_sha224kdf_scheme = 188, 00259 dhSinglePass_stdDH_sha256kdf_scheme = 189, 00260 dhSinglePass_stdDH_sha384kdf_scheme = 190, 00261 dhSinglePass_stdDH_sha512kdf_scheme = 191, 00262 }; 00263 00264 00265 enum Ecc_Sum { 00266 ECC_SECP112R1_OID = 182, 00267 ECC_SECP112R2_OID = 183, 00268 ECC_SECP128R1_OID = 204, 00269 ECC_SECP128R2_OID = 205, 00270 ECC_SECP160R1_OID = 184, 00271 ECC_SECP160R2_OID = 206, 00272 ECC_SECP160K1_OID = 185, 00273 ECC_BRAINPOOLP160R1_OID = 98, 00274 ECC_SECP192R1_OID = 520, 00275 ECC_PRIME192V2_OID = 521, 00276 ECC_PRIME192V3_OID = 522, 00277 ECC_SECP192K1_OID = 207, 00278 ECC_BRAINPOOLP192R1_OID = 100, 00279 ECC_SECP224R1_OID = 209, 00280 ECC_SECP224K1_OID = 208, 00281 ECC_BRAINPOOLP224R1_OID = 102, 00282 ECC_PRIME239V1_OID = 523, 00283 ECC_PRIME239V2_OID = 524, 00284 ECC_PRIME239V3_OID = 525, 00285 ECC_SECP256R1_OID = 526, 00286 ECC_SECP256K1_OID = 186, 00287 ECC_BRAINPOOLP256R1_OID = 104, 00288 ECC_BRAINPOOLP320R1_OID = 106, 00289 ECC_SECP384R1_OID = 210, 00290 ECC_BRAINPOOLP384R1_OID = 108, 00291 ECC_BRAINPOOLP512R1_OID = 110, 00292 ECC_SECP521R1_OID = 211, 00293 }; 00294 00295 00296 enum KDF_Sum { 00297 PBKDF2_OID = 660 00298 }; 00299 00300 00301 enum Extensions_Sum { 00302 BASIC_CA_OID = 133, 00303 ALT_NAMES_OID = 131, 00304 CRL_DIST_OID = 145, 00305 AUTH_INFO_OID = 69, /* id-pe 1 */ 00306 AUTH_KEY_OID = 149, 00307 SUBJ_KEY_OID = 128, 00308 CERT_POLICY_OID = 146, 00309 KEY_USAGE_OID = 129, /* 2.5.29.15 */ 00310 INHIBIT_ANY_OID = 168, /* 2.5.29.54 */ 00311 EXT_KEY_USAGE_OID = 151, /* 2.5.29.37 */ 00312 NAME_CONS_OID = 144, /* 2.5.29.30 */ 00313 PRIV_KEY_USAGE_PERIOD_OID = 130, /* 2.5.29.16 */ 00314 SUBJECT_INFO_ACCESS = 79, /* id-pe 11 */ 00315 POLICY_MAP_OID = 147, 00316 POLICY_CONST_OID = 150, 00317 ISSUE_ALT_NAMES_OID = 132, 00318 TLS_FEATURE_OID = 92 /* id-pe 24 */ 00319 }; 00320 00321 enum CertificatePolicy_Sum { 00322 CP_ANY_OID = 146 /* id-ce 32 0 */ 00323 }; 00324 00325 enum SepHardwareName_Sum { 00326 HW_NAME_OID = 79 /* 1.3.6.1.5.5.7.8.4 from RFC 4108*/ 00327 }; 00328 00329 enum AuthInfo_Sum { 00330 AIA_OCSP_OID = 116, /* 1.3.6.1.5.5.7.48.1 */ 00331 AIA_CA_ISSUER_OID = 117 /* 1.3.6.1.5.5.7.48.2 */ 00332 }; 00333 00334 enum ExtKeyUsage_Sum { /* From RFC 5280 */ 00335 EKU_ANY_OID = 151, /* 2.5.29.37.0, anyExtendedKeyUsage */ 00336 EKU_SERVER_AUTH_OID = 71, /* 1.3.6.1.5.5.7.3.1, id-kp-serverAuth */ 00337 EKU_CLIENT_AUTH_OID = 72, /* 1.3.6.1.5.5.7.3.2, id-kp-clientAuth */ 00338 EKU_OCSP_SIGN_OID = 79 /* 1.3.6.1.5.5.7.3.9, OCSPSigning */ 00339 }; 00340 00341 00342 enum VerifyType { 00343 NO_VERIFY = 0, 00344 VERIFY = 1, 00345 VERIFY_CRL = 2, 00346 VERIFY_OCSP = 3 00347 }; 00348 00349 #ifdef WOLFSSL_CERT_EXT 00350 enum KeyIdType { 00351 SKID_TYPE = 0, 00352 AKID_TYPE = 1 00353 }; 00354 #endif 00355 00356 /* Key usage extension bits */ 00357 #define KEYUSE_DIGITAL_SIG 0x0080 00358 #define KEYUSE_CONTENT_COMMIT 0x0040 00359 #define KEYUSE_KEY_ENCIPHER 0x0020 00360 #define KEYUSE_DATA_ENCIPHER 0x0010 00361 #define KEYUSE_KEY_AGREE 0x0008 00362 #define KEYUSE_KEY_CERT_SIGN 0x0004 00363 #define KEYUSE_CRL_SIGN 0x0002 00364 #define KEYUSE_ENCIPHER_ONLY 0x0001 00365 #define KEYUSE_DECIPHER_ONLY 0x8000 00366 00367 #define EXTKEYUSE_ANY 0x08 00368 #define EXTKEYUSE_OCSP_SIGN 0x04 00369 #define EXTKEYUSE_CLIENT_AUTH 0x02 00370 #define EXTKEYUSE_SERVER_AUTH 0x01 00371 00372 typedef struct DNS_entry DNS_entry; 00373 00374 struct DNS_entry { 00375 DNS_entry* next; /* next on DNS list */ 00376 char* name; /* actual DNS name */ 00377 }; 00378 00379 00380 typedef struct Base_entry Base_entry; 00381 00382 struct Base_entry { 00383 Base_entry* next; /* next on name base list */ 00384 char* name; /* actual name base */ 00385 int nameSz; /* name length */ 00386 byte type; /* Name base type (DNS or RFC822) */ 00387 }; 00388 00389 00390 struct DecodedName { 00391 char* fullName; 00392 int fullNameLen; 00393 int entryCount; 00394 int cnIdx; 00395 int cnLen; 00396 int snIdx; 00397 int snLen; 00398 int cIdx; 00399 int cLen; 00400 int lIdx; 00401 int lLen; 00402 int stIdx; 00403 int stLen; 00404 int oIdx; 00405 int oLen; 00406 int ouIdx; 00407 int ouLen; 00408 int emailIdx; 00409 int emailLen; 00410 int uidIdx; 00411 int uidLen; 00412 int serialIdx; 00413 int serialLen; 00414 }; 00415 00416 enum SignatureState { 00417 SIG_STATE_BEGIN, 00418 SIG_STATE_HASH, 00419 SIG_STATE_KEY, 00420 SIG_STATE_DO, 00421 SIG_STATE_CHECK, 00422 }; 00423 00424 struct SignatureCtx { 00425 void* heap; 00426 byte* digest; 00427 #ifndef NO_RSA 00428 byte* out; 00429 byte* plain; 00430 #endif 00431 #ifdef HAVE_ECC 00432 int verify; 00433 #endif 00434 union { 00435 #ifndef NO_RSA 00436 struct RsaKey* rsa; 00437 #endif 00438 #ifdef HAVE_ECC 00439 struct ecc_key* ecc; 00440 #endif 00441 void* ptr; 00442 } key; 00443 int devId; 00444 int state; 00445 int typeH; 00446 int digestSz; 00447 word32 keyOID; 00448 #ifdef WOLFSSL_ASYNC_CRYPT 00449 WC_ASYNC_DEV* asyncDev; 00450 #endif 00451 }; 00452 00453 enum CertSignState { 00454 CERTSIGN_STATE_BEGIN, 00455 CERTSIGN_STATE_DIGEST, 00456 CERTSIGN_STATE_ENCODE, 00457 CERTSIGN_STATE_DO, 00458 }; 00459 00460 struct CertSignCtx { 00461 byte* sig; 00462 byte* digest; 00463 #ifndef NO_RSA 00464 byte* encSig; 00465 int encSigSz; 00466 #endif 00467 int state; /* enum CertSignState */ 00468 }; 00469 00470 00471 typedef struct DecodedCert DecodedCert; 00472 typedef struct DecodedName DecodedName; 00473 typedef struct Signer Signer; 00474 #ifdef WOLFSSL_TRUST_PEER_CERT 00475 typedef struct TrustedPeerCert TrustedPeerCert; 00476 #endif /* WOLFSSL_TRUST_PEER_CERT */ 00477 typedef struct SignatureCtx SignatureCtx; 00478 typedef struct CertSignCtx CertSignCtx; 00479 00480 00481 struct DecodedCert { 00482 byte* publicKey; 00483 word32 pubKeySize; 00484 int pubKeyStored; 00485 word32 certBegin; /* offset to start of cert */ 00486 word32 sigIndex; /* offset to start of signature */ 00487 word32 sigLength; /* length of signature */ 00488 word32 signatureOID; /* sum of algorithm object id */ 00489 word32 keyOID; /* sum of key algo object id */ 00490 int version; /* cert version, 1 or 3 */ 00491 DNS_entry* altNames; /* alt names list of dns entries */ 00492 #ifndef IGNORE_NAME_CONSTRAINTS 00493 DNS_entry* altEmailNames; /* alt names list of RFC822 entries */ 00494 Base_entry* permittedNames; /* Permitted name bases */ 00495 Base_entry* excludedNames; /* Excluded name bases */ 00496 #endif /* IGNORE_NAME_CONSTRAINTS */ 00497 byte subjectHash[KEYID_SIZE]; /* hash of all Names */ 00498 byte issuerHash[KEYID_SIZE]; /* hash of all Names */ 00499 #ifdef HAVE_OCSP 00500 byte issuerKeyHash[KEYID_SIZE]; /* hash of the public Key */ 00501 #endif /* HAVE_OCSP */ 00502 byte* signature; /* not owned, points into raw cert */ 00503 char* subjectCN; /* CommonName */ 00504 int subjectCNLen; /* CommonName Length */ 00505 char subjectCNEnc; /* CommonName Encoding */ 00506 int subjectCNStored; /* have we saved a copy we own */ 00507 char issuer[ASN_NAME_MAX]; /* full name including common name */ 00508 char subject[ASN_NAME_MAX]; /* full name including common name */ 00509 int verify; /* Default to yes, but could be off */ 00510 byte* source; /* byte buffer holder cert, NOT owner */ 00511 word32 srcIdx; /* current offset into buffer */ 00512 word32 maxIdx; /* max offset based on init size */ 00513 void* heap; /* for user memory overrides */ 00514 byte serial[EXTERNAL_SERIAL_SIZE]; /* raw serial number */ 00515 int serialSz; /* raw serial bytes stored */ 00516 byte* extensions; /* not owned, points into raw cert */ 00517 int extensionsSz; /* length of cert extensions */ 00518 word32 extensionsIdx; /* if want to go back and parse later */ 00519 byte* extAuthInfo; /* Authority Information Access URI */ 00520 int extAuthInfoSz; /* length of the URI */ 00521 byte* extCrlInfo; /* CRL Distribution Points */ 00522 int extCrlInfoSz; /* length of the URI */ 00523 byte extSubjKeyId[KEYID_SIZE]; /* Subject Key ID */ 00524 byte extSubjKeyIdSet; /* Set when the SKID was read from cert */ 00525 byte extAuthKeyId[KEYID_SIZE]; /* Authority Key ID */ 00526 byte extAuthKeyIdSet; /* Set when the AKID was read from cert */ 00527 #ifndef IGNORE_NAME_CONSTRAINTS 00528 byte extNameConstraintSet; 00529 #endif /* IGNORE_NAME_CONSTRAINTS */ 00530 byte isCA; /* CA basic constraint true */ 00531 byte pathLengthSet; /* CA basic const path length set */ 00532 byte pathLength; /* CA basic constraint path length */ 00533 byte weOwnAltNames; /* altNames haven't been given to copy */ 00534 byte extKeyUsageSet; 00535 word16 extKeyUsage; /* Key usage bitfield */ 00536 byte extExtKeyUsageSet; /* Extended Key Usage */ 00537 byte extExtKeyUsage; /* Extended Key usage bitfield */ 00538 #ifdef OPENSSL_EXTRA 00539 byte extCRLdistSet; 00540 byte extCRLdistCrit; 00541 byte extAuthInfoSet; 00542 byte extAuthInfoCrit; 00543 byte extBasicConstSet; 00544 byte extBasicConstCrit; 00545 byte extSubjAltNameSet; 00546 byte extSubjAltNameCrit; 00547 byte extAuthKeyIdCrit; 00548 #ifndef IGNORE_NAME_CONSTRAINTS 00549 byte extNameConstraintCrit; 00550 #endif /* IGNORE_NAME_CONSTRAINTS */ 00551 byte extSubjKeyIdCrit; 00552 byte extKeyUsageCrit; 00553 byte extExtKeyUsageCrit; 00554 byte* extExtKeyUsageSrc; 00555 word32 extExtKeyUsageSz; 00556 word32 extExtKeyUsageCount; 00557 byte* extAuthKeyIdSrc; 00558 word32 extAuthKeyIdSz; 00559 byte* extSubjKeyIdSrc; 00560 word32 extSubjKeyIdSz; 00561 #endif 00562 #ifdef HAVE_ECC 00563 word32 pkCurveOID; /* Public Key's curve OID */ 00564 #endif /* HAVE_ECC */ 00565 byte* beforeDate; 00566 int beforeDateLen; 00567 byte* afterDate; 00568 int afterDateLen; 00569 #ifdef HAVE_PKCS7 00570 byte* issuerRaw; /* pointer to issuer inside source */ 00571 int issuerRawLen; 00572 #endif 00573 #ifndef IGNORE_NAME_CONSTRAINT 00574 byte* subjectRaw; /* pointer to subject inside source */ 00575 int subjectRawLen; 00576 #endif 00577 #if defined(WOLFSSL_CERT_GEN) 00578 /* easy access to subject info for other sign */ 00579 char* subjectSN; 00580 int subjectSNLen; 00581 char subjectSNEnc; 00582 char* subjectC; 00583 int subjectCLen; 00584 char subjectCEnc; 00585 char* subjectL; 00586 int subjectLLen; 00587 char subjectLEnc; 00588 char* subjectST; 00589 int subjectSTLen; 00590 char subjectSTEnc; 00591 char* subjectO; 00592 int subjectOLen; 00593 char subjectOEnc; 00594 char* subjectOU; 00595 int subjectOULen; 00596 char subjectOUEnc; 00597 char* subjectEmail; 00598 int subjectEmailLen; 00599 #endif /* WOLFSSL_CERT_GEN */ 00600 #ifdef OPENSSL_EXTRA 00601 DecodedName issuerName; 00602 DecodedName subjectName; 00603 #endif /* OPENSSL_EXTRA */ 00604 #ifdef WOLFSSL_SEP 00605 int deviceTypeSz; 00606 byte* deviceType; 00607 int hwTypeSz; 00608 byte* hwType; 00609 int hwSerialNumSz; 00610 byte* hwSerialNum; 00611 #ifdef OPENSSL_EXTRA 00612 byte extCertPolicySet; 00613 byte extCertPolicyCrit; 00614 #endif /* OPENSSL_EXTRA */ 00615 #endif /* WOLFSSL_SEP */ 00616 #ifdef WOLFSSL_CERT_EXT 00617 char extCertPolicies[MAX_CERTPOL_NB][MAX_CERTPOL_SZ]; 00618 int extCertPoliciesNb; 00619 #endif /* WOLFSSL_CERT_EXT */ 00620 00621 Signer* ca; 00622 SignatureCtx sigCtx; 00623 }; 00624 00625 00626 struct WOLFSSL_ASN1_OBJECT { 00627 void* heap; 00628 byte* obj; 00629 int type; /* oid */ 00630 word32 objSz; 00631 byte dynamic; /* if 1 then obj was dynamiclly created, 0 otherwise */ 00632 }; 00633 00634 00635 extern const char* BEGIN_CERT; 00636 extern const char* END_CERT; 00637 extern const char* BEGIN_CERT_REQ; 00638 extern const char* END_CERT_REQ; 00639 extern const char* BEGIN_DSA_PARAM; 00640 extern const char* END_DSA_PARAM; 00641 extern const char* BEGIN_DH_PARAM; 00642 extern const char* END_DH_PARAM; 00643 extern const char* BEGIN_X509_CRL; 00644 extern const char* END_X509_CRL; 00645 extern const char* BEGIN_RSA_PRIV; 00646 extern const char* END_RSA_PRIV; 00647 extern const char* BEGIN_PRIV_KEY; 00648 extern const char* END_PRIV_KEY; 00649 extern const char* BEGIN_ENC_PRIV_KEY; 00650 extern const char* END_ENC_PRIV_KEY; 00651 extern const char* BEGIN_EC_PRIV; 00652 extern const char* END_EC_PRIV; 00653 extern const char* BEGIN_DSA_PRIV; 00654 extern const char* END_DSA_PRIV; 00655 extern const char* BEGIN_PUB_KEY; 00656 extern const char* END_PUB_KEY; 00657 00658 #ifdef NO_SHA 00659 #define SIGNER_DIGEST_SIZE SHA256_DIGEST_SIZE 00660 #else 00661 #define SIGNER_DIGEST_SIZE SHA_DIGEST_SIZE 00662 #endif 00663 00664 /* CA Signers */ 00665 /* if change layout change PERSIST_CERT_CACHE functions too */ 00666 struct Signer { 00667 word32 pubKeySize; 00668 word32 keyOID; /* key type */ 00669 word16 keyUsage; 00670 byte pathLength; 00671 byte pathLengthSet; 00672 byte* publicKey; 00673 int nameLen; 00674 char* name; /* common name */ 00675 #ifndef IGNORE_NAME_CONSTRAINTS 00676 Base_entry* permittedNames; 00677 Base_entry* excludedNames; 00678 #endif /* IGNORE_NAME_CONSTRAINTS */ 00679 byte subjectNameHash[SIGNER_DIGEST_SIZE]; 00680 /* sha hash of names in certificate */ 00681 #ifndef NO_SKID 00682 byte subjectKeyIdHash[SIGNER_DIGEST_SIZE]; 00683 /* sha hash of names in certificate */ 00684 #endif 00685 Signer* next; 00686 }; 00687 00688 00689 #ifdef WOLFSSL_TRUST_PEER_CERT 00690 /* used for having trusted peer certs rather then CA */ 00691 struct TrustedPeerCert { 00692 int nameLen; 00693 char* name; /* common name */ 00694 #ifndef IGNORE_NAME_CONSTRAINTS 00695 Base_entry* permittedNames; 00696 Base_entry* excludedNames; 00697 #endif /* IGNORE_NAME_CONSTRAINTS */ 00698 byte subjectNameHash[SIGNER_DIGEST_SIZE]; 00699 /* sha hash of names in certificate */ 00700 #ifndef NO_SKID 00701 byte subjectKeyIdHash[SIGNER_DIGEST_SIZE]; 00702 /* sha hash of names in certificate */ 00703 #endif 00704 word32 sigLen; 00705 byte* sig; 00706 struct TrustedPeerCert* next; 00707 }; 00708 #endif /* WOLFSSL_TRUST_PEER_CERT */ 00709 00710 00711 /* for testing or custom openssl wrappers */ 00712 #if defined(WOLFSSL_TEST_CERT) || defined(OPENSSL_EXTRA) 00713 #define WOLFSSL_ASN_API WOLFSSL_API 00714 #else 00715 #define WOLFSSL_ASN_API WOLFSSL_LOCAL 00716 #endif 00717 00718 WOLFSSL_ASN_API void FreeAltNames(DNS_entry*, void*); 00719 #ifndef IGNORE_NAME_CONSTRAINTS 00720 WOLFSSL_ASN_API void FreeNameSubtrees(Base_entry*, void*); 00721 #endif /* IGNORE_NAME_CONSTRAINTS */ 00722 WOLFSSL_ASN_API void InitDecodedCert(DecodedCert*, byte*, word32, void*); 00723 WOLFSSL_ASN_API void FreeDecodedCert(DecodedCert*); 00724 WOLFSSL_ASN_API int ParseCert(DecodedCert*, int type, int verify, void* cm); 00725 00726 WOLFSSL_LOCAL int ParseCertRelative(DecodedCert*,int type,int verify,void* cm); 00727 WOLFSSL_LOCAL int DecodeToKey(DecodedCert*, int verify); 00728 00729 WOLFSSL_LOCAL Signer* MakeSigner(void*); 00730 WOLFSSL_LOCAL void FreeSigner(Signer*, void*); 00731 WOLFSSL_LOCAL void FreeSignerTable(Signer**, int, void*); 00732 #ifdef WOLFSSL_TRUST_PEER_CERT 00733 WOLFSSL_LOCAL void FreeTrustedPeer(TrustedPeerCert*, void*); 00734 WOLFSSL_LOCAL void FreeTrustedPeerTable(TrustedPeerCert**, int, void*); 00735 #endif /* WOLFSSL_TRUST_PEER_CERT */ 00736 00737 WOLFSSL_ASN_API int ToTraditional(byte* buffer, word32 length); 00738 WOLFSSL_LOCAL int ToTraditionalInline(const byte* input, word32* inOutIdx, 00739 word32 length); 00740 WOLFSSL_LOCAL int ToTraditionalEnc(byte* buffer, word32 length,const char*,int); 00741 WOLFSSL_LOCAL int DecryptContent(byte* input, word32 sz,const char* psw,int pswSz); 00742 WOLFSSL_LOCAL int wc_GetKeyOID(byte* key, word32 keySz, const byte** curveOID, 00743 word32* oidSz, int* algoID, void* heap); 00744 00745 typedef struct tm wolfssl_tm; 00746 #if defined(WOLFSSL_MYSQL_COMPATIBLE) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) 00747 WOLFSSL_LOCAL int GetTimeString(byte* date, int format, char* buf, int len); 00748 #endif 00749 WOLFSSL_LOCAL int ExtractDate(const unsigned char* date, unsigned char format, 00750 wolfssl_tm* certTime, int* idx); 00751 WOLFSSL_LOCAL int ValidateDate(const byte* date, byte format, int dateType); 00752 00753 /* ASN.1 helper functions */ 00754 #ifdef WOLFSSL_CERT_GEN 00755 WOLFSSL_ASN_API int SetName(byte* output, word32 outputSz, CertName* name); 00756 #endif 00757 WOLFSSL_LOCAL int GetShortInt(const byte* input, word32* inOutIdx, int* number, 00758 word32 maxIdx); 00759 WOLFSSL_LOCAL int GetLength(const byte* input, word32* inOutIdx, int* len, 00760 word32 maxIdx); 00761 WOLFSSL_LOCAL int GetSequence(const byte* input, word32* inOutIdx, int* len, 00762 word32 maxIdx); 00763 WOLFSSL_LOCAL int GetSet(const byte* input, word32* inOutIdx, int* len, 00764 word32 maxIdx); 00765 WOLFSSL_LOCAL int GetMyVersion(const byte* input, word32* inOutIdx, 00766 int* version, word32 maxIdx); 00767 WOLFSSL_LOCAL int GetInt(mp_int* mpi, const byte* input, word32* inOutIdx, 00768 word32 maxIdx); 00769 #ifdef HAVE_OID_ENCODING 00770 WOLFSSL_LOCAL int EncodeObjectId(const word16* in, word32 inSz, 00771 byte* out, word32* outSz); 00772 #endif 00773 #ifdef HAVE_OID_DECODING 00774 WOLFSSL_LOCAL int DecodeObjectId(const byte* in, word32 inSz, 00775 word16* out, word32* outSz); 00776 #endif 00777 WOLFSSL_LOCAL int GetObjectId(const byte* input, word32* inOutIdx, word32* oid, 00778 word32 oidType, word32 maxIdx); 00779 WOLFSSL_LOCAL int GetAlgoId(const byte* input, word32* inOutIdx, word32* oid, 00780 word32 oidType, word32 maxIdx); 00781 WOLFSSL_LOCAL word32 SetLength(word32 length, byte* output); 00782 WOLFSSL_LOCAL word32 SetSequence(word32 len, byte* output); 00783 WOLFSSL_LOCAL word32 SetOctetString(word32 len, byte* output); 00784 WOLFSSL_LOCAL word32 SetImplicit(byte tag,byte number,word32 len,byte* output); 00785 WOLFSSL_LOCAL word32 SetExplicit(byte number, word32 len, byte* output); 00786 WOLFSSL_LOCAL word32 SetSet(word32 len, byte* output); 00787 WOLFSSL_LOCAL word32 SetAlgoID(int algoOID,byte* output,int type,int curveSz); 00788 WOLFSSL_LOCAL int SetMyVersion(word32 version, byte* output, int header); 00789 WOLFSSL_LOCAL int SetSerialNumber(const byte* sn, word32 snSz, byte* output); 00790 WOLFSSL_LOCAL int GetSerialNumber(const byte* input, word32* inOutIdx, 00791 byte* serial, int* serialSz, word32 maxIdx); 00792 WOLFSSL_LOCAL int GetNameHash(const byte* source, word32* idx, byte* hash, 00793 int maxIdx); 00794 WOLFSSL_LOCAL int wc_CheckPrivateKey(byte* key, word32 keySz, DecodedCert* der); 00795 00796 #ifdef HAVE_ECC 00797 /* ASN sig helpers */ 00798 WOLFSSL_LOCAL int StoreECC_DSA_Sig(byte* out, word32* outLen, mp_int* r, 00799 mp_int* s); 00800 WOLFSSL_LOCAL int DecodeECC_DSA_Sig(const byte* sig, word32 sigLen, 00801 mp_int* r, mp_int* s); 00802 #endif 00803 00804 WOLFSSL_LOCAL void InitSignatureCtx(SignatureCtx* sigCtx, void* heap, int devId); 00805 WOLFSSL_LOCAL void FreeSignatureCtx(SignatureCtx* sigCtx); 00806 00807 00808 #ifdef WOLFSSL_CERT_GEN 00809 00810 enum cert_enums { 00811 NAME_ENTRIES = 8, 00812 JOINT_LEN = 2, 00813 EMAIL_JOINT_LEN = 9, 00814 RSA_KEY = 10, 00815 NTRU_KEY = 11, 00816 ECC_KEY = 12 00817 }; 00818 00819 #ifndef WOLFSSL_PEMCERT_TODER_DEFINED 00820 #ifndef NO_FILESYSTEM 00821 /* forward from wolfSSL */ 00822 WOLFSSL_API 00823 int wolfSSL_PemCertToDer(const char* fileName,unsigned char* derBuf,int derSz); 00824 #define WOLFSSL_PEMCERT_TODER_DEFINED 00825 #endif 00826 #endif 00827 00828 #endif /* WOLFSSL_CERT_GEN */ 00829 00830 00831 00832 /* for pointer use */ 00833 typedef struct CertStatus CertStatus; 00834 00835 #ifdef HAVE_OCSP 00836 00837 enum Ocsp_Response_Status { 00838 OCSP_SUCCESSFUL = 0, /* Response has valid confirmations */ 00839 OCSP_MALFORMED_REQUEST = 1, /* Illegal confirmation request */ 00840 OCSP_INTERNAL_ERROR = 2, /* Internal error in issuer */ 00841 OCSP_TRY_LATER = 3, /* Try again later */ 00842 OCSP_SIG_REQUIRED = 5, /* Must sign the request (4 is skipped) */ 00843 OCSP_UNAUTHROIZED = 6 /* Request unauthorized */ 00844 }; 00845 00846 00847 enum Ocsp_Cert_Status { 00848 CERT_GOOD = 0, 00849 CERT_REVOKED = 1, 00850 CERT_UNKNOWN = 2 00851 }; 00852 00853 00854 enum Ocsp_Sums { 00855 OCSP_BASIC_OID = 117, 00856 OCSP_NONCE_OID = 118 00857 }; 00858 00859 00860 typedef struct OcspRequest OcspRequest; 00861 typedef struct OcspResponse OcspResponse; 00862 00863 00864 struct CertStatus { 00865 CertStatus* next; 00866 00867 byte serial[EXTERNAL_SERIAL_SIZE]; 00868 int serialSz; 00869 00870 int status; 00871 00872 byte thisDate[MAX_DATE_SIZE]; 00873 byte nextDate[MAX_DATE_SIZE]; 00874 byte thisDateFormat; 00875 byte nextDateFormat; 00876 #if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) 00877 byte* thisDateAsn; 00878 byte* nextDateAsn; 00879 #endif 00880 00881 byte* rawOcspResponse; 00882 word32 rawOcspResponseSz; 00883 }; 00884 00885 00886 struct OcspResponse { 00887 int responseStatus; /* return code from Responder */ 00888 00889 byte* response; /* Pointer to beginning of OCSP Response */ 00890 word32 responseSz; /* length of the OCSP Response */ 00891 00892 byte producedDate[MAX_DATE_SIZE]; 00893 /* Date at which this response was signed */ 00894 byte producedDateFormat; /* format of the producedDate */ 00895 byte* issuerHash; 00896 byte* issuerKeyHash; 00897 00898 byte* cert; 00899 word32 certSz; 00900 00901 byte* sig; /* Pointer to sig in source */ 00902 word32 sigSz; /* Length in octets for the sig */ 00903 word32 sigOID; /* OID for hash used for sig */ 00904 00905 CertStatus* status; /* certificate status to fill out */ 00906 00907 byte* nonce; /* pointer to nonce inside ASN.1 response */ 00908 int nonceSz; /* length of the nonce string */ 00909 00910 byte* source; /* pointer to source buffer, not owned */ 00911 word32 maxIdx; /* max offset based on init size */ 00912 }; 00913 00914 00915 struct OcspRequest { 00916 byte issuerHash[KEYID_SIZE]; 00917 byte issuerKeyHash[KEYID_SIZE]; 00918 byte* serial; /* copy of the serial number in source cert */ 00919 int serialSz; 00920 byte* url; /* copy of the extAuthInfo in source cert */ 00921 int urlSz; 00922 00923 byte nonce[MAX_OCSP_NONCE_SZ]; 00924 int nonceSz; 00925 void* heap; 00926 00927 #if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) 00928 void* ssl; 00929 #endif 00930 }; 00931 00932 00933 WOLFSSL_LOCAL void InitOcspResponse(OcspResponse*, CertStatus*, byte*, word32); 00934 WOLFSSL_LOCAL int OcspResponseDecode(OcspResponse*, void*, void* heap, int); 00935 00936 WOLFSSL_LOCAL int InitOcspRequest(OcspRequest*, DecodedCert*, byte, void*); 00937 WOLFSSL_LOCAL void FreeOcspRequest(OcspRequest*); 00938 WOLFSSL_LOCAL int EncodeOcspRequest(OcspRequest*, byte*, word32); 00939 WOLFSSL_LOCAL word32 EncodeOcspRequestExtensions(OcspRequest*, byte*, word32); 00940 00941 00942 WOLFSSL_LOCAL int CompareOcspReqResp(OcspRequest*, OcspResponse*); 00943 00944 00945 #endif /* HAVE_OCSP */ 00946 00947 00948 /* for pointer use */ 00949 typedef struct RevokedCert RevokedCert; 00950 00951 #ifdef HAVE_CRL 00952 00953 struct RevokedCert { 00954 byte serialNumber[EXTERNAL_SERIAL_SIZE]; 00955 int serialSz; 00956 RevokedCert* next; 00957 }; 00958 00959 typedef struct DecodedCRL DecodedCRL; 00960 00961 struct DecodedCRL { 00962 word32 certBegin; /* offset to start of cert */ 00963 word32 sigIndex; /* offset to start of signature */ 00964 word32 sigLength; /* length of signature */ 00965 word32 signatureOID; /* sum of algorithm object id */ 00966 byte* signature; /* pointer into raw source, not owned */ 00967 byte issuerHash[SIGNER_DIGEST_SIZE]; /* issuer hash */ 00968 byte crlHash[SIGNER_DIGEST_SIZE]; /* raw crl data hash */ 00969 byte lastDate[MAX_DATE_SIZE]; /* last date updated */ 00970 byte nextDate[MAX_DATE_SIZE]; /* next update date */ 00971 byte lastDateFormat; /* format of last date */ 00972 byte nextDateFormat; /* format of next date */ 00973 RevokedCert* certs; /* revoked cert list */ 00974 int totalCerts; /* number on list */ 00975 void* heap; 00976 }; 00977 00978 WOLFSSL_LOCAL void InitDecodedCRL(DecodedCRL*, void* heap); 00979 WOLFSSL_LOCAL int ParseCRL(DecodedCRL*, const byte* buff, word32 sz, void* cm); 00980 WOLFSSL_LOCAL void FreeDecodedCRL(DecodedCRL*); 00981 00982 00983 #endif /* HAVE_CRL */ 00984 00985 00986 #ifdef __cplusplus 00987 } /* extern "C" */ 00988 #endif 00989 00990 #endif /* !NO_ASN */ 00991 #endif /* WOLF_CRYPT_ASN_H */ 00992
Generated on Tue Jul 12 2022 23:30:54 by
1.7.2