Gitiles
Code Review Sign In
192.168.1.100 / T106_DC / 9ed821d7e5d875a3395740a9cc2545671fa429b7 / . / ap / app / wpa_supplicant-2.10 / src / tls / x509v3.h
blob: e3b108ff43817073a0e2d54558e260e723a73c21 [file] [log] [blame]
lh9ed821d2023-04-07 01:36:19 -0700[diff] [blame^]1/*
2 * X.509v3 certificate parsing and processing
3 * Copyright (c) 2006-2011, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9#ifndef X509V3_H
10#define X509V3_H
11
12#include "asn1.h"
13
14struct x509_algorithm_identifier {
15 struct asn1_oid oid;
16};
17
18struct x509_name_attr {
19 enum x509_name_attr_type {
20 X509_NAME_ATTR_NOT_USED,
21 X509_NAME_ATTR_DC,
22 X509_NAME_ATTR_CN,
23 X509_NAME_ATTR_C,
24 X509_NAME_ATTR_L,
25 X509_NAME_ATTR_ST,
26 X509_NAME_ATTR_O,
27 X509_NAME_ATTR_OU
28 } type;
29 char *value;
30};
31
32#define X509_MAX_NAME_ATTRIBUTES 20
33
34struct x509_name {
35 struct x509_name_attr attr[X509_MAX_NAME_ATTRIBUTES];
36 size_t num_attr;
37 char *email; /* emailAddress */
38
39 /* from alternative name extension */
40 char *alt_email; /* rfc822Name */
41 char *dns; /* dNSName */
42 char *uri; /* uniformResourceIdentifier */
43 u8 *ip; /* iPAddress */
44 size_t ip_len; /* IPv4: 4, IPv6: 16 */
45 struct asn1_oid rid; /* registeredID */
46};
47
48#define X509_MAX_SERIAL_NUM_LEN 20
49
50struct x509_certificate {
51 struct x509_certificate *next;
52 enum { X509_CERT_V1 = 0, X509_CERT_V2 = 1, X509_CERT_V3 = 2 } version;
53 u8 serial_number[X509_MAX_SERIAL_NUM_LEN];
54 size_t serial_number_len;
55 struct x509_algorithm_identifier signature;
56 struct x509_name issuer;
57 struct x509_name subject;
58 u8 *subject_dn;
59 size_t subject_dn_len;
60 os_time_t not_before;
61 os_time_t not_after;
62 struct x509_algorithm_identifier public_key_alg;
63 u8 *public_key;
64 size_t public_key_len;
65 struct x509_algorithm_identifier signature_alg;
66 u8 *sign_value;
67 size_t sign_value_len;
68
69 /* Extensions */
70 unsigned int extensions_present;
71#define X509_EXT_BASIC_CONSTRAINTS (1 << 0)
72#define X509_EXT_PATH_LEN_CONSTRAINT (1 << 1)
73#define X509_EXT_KEY_USAGE (1 << 2)
74#define X509_EXT_SUBJECT_ALT_NAME (1 << 3)
75#define X509_EXT_ISSUER_ALT_NAME (1 << 4)
76#define X509_EXT_EXT_KEY_USAGE (1 << 5)
77#define X509_EXT_CERTIFICATE_POLICY (1 << 6)
78
79 /* BasicConstraints */
80 int ca; /* cA */
81 unsigned long path_len_constraint; /* pathLenConstraint */
82
83 /* KeyUsage */
84 unsigned long key_usage;
85#define X509_KEY_USAGE_DIGITAL_SIGNATURE (1 << 0)
86#define X509_KEY_USAGE_NON_REPUDIATION (1 << 1)
87#define X509_KEY_USAGE_KEY_ENCIPHERMENT (1 << 2)
88#define X509_KEY_USAGE_DATA_ENCIPHERMENT (1 << 3)
89#define X509_KEY_USAGE_KEY_AGREEMENT (1 << 4)
90#define X509_KEY_USAGE_KEY_CERT_SIGN (1 << 5)
91#define X509_KEY_USAGE_CRL_SIGN (1 << 6)
92#define X509_KEY_USAGE_ENCIPHER_ONLY (1 << 7)
93#define X509_KEY_USAGE_DECIPHER_ONLY (1 << 8)
94
95 /* ExtKeyUsage */
96 unsigned long ext_key_usage;
97#define X509_EXT_KEY_USAGE_ANY (1 << 0)
98#define X509_EXT_KEY_USAGE_SERVER_AUTH (1 << 1)
99#define X509_EXT_KEY_USAGE_CLIENT_AUTH (1 << 2)
100#define X509_EXT_KEY_USAGE_OCSP (1 << 3)
101
102 /* CertificatePolicy */
103 unsigned long certificate_policy;
104#define X509_EXT_CERT_POLICY_ANY (1 << 0)
105#define X509_EXT_CERT_POLICY_TOD_STRICT (1 << 1)
106#define X509_EXT_CERT_POLICY_TOD_TOFU (1 << 2)
107
108 /*
109 * The DER format certificate follows struct x509_certificate. These
110 * pointers point to that buffer.
111 */
112 const u8 *cert_start;
113 size_t cert_len;
114 const u8 *tbs_cert_start;
115 size_t tbs_cert_len;
116
117 /* Meta data used for certificate validation */
118 unsigned int ocsp_good:1;
119 unsigned int ocsp_revoked:1;
120 unsigned int issuer_trusted:1;
121};
122
123enum {
124 X509_VALIDATE_OK,
125 X509_VALIDATE_BAD_CERTIFICATE,
126 X509_VALIDATE_UNSUPPORTED_CERTIFICATE,
127 X509_VALIDATE_CERTIFICATE_REVOKED,
128 X509_VALIDATE_CERTIFICATE_EXPIRED,
129 X509_VALIDATE_CERTIFICATE_UNKNOWN,
130 X509_VALIDATE_UNKNOWN_CA
131};
132
133void x509_certificate_free(struct x509_certificate *cert);
134int x509_parse_algorithm_identifier(const u8 *buf, size_t len,
135 struct x509_algorithm_identifier *id,
136 const u8 **next);
137int x509_parse_name(const u8 *buf, size_t len, struct x509_name *name,
138 const u8 **next);
139int x509_parse_time(const u8 *buf, size_t len, u8 asn1_tag, os_time_t *val);
140struct x509_certificate * x509_certificate_parse(const u8 *buf, size_t len);
141void x509_free_name(struct x509_name *name);
142void x509_name_string(struct x509_name *name, char *buf, size_t len);
143int x509_name_compare(struct x509_name *a, struct x509_name *b);
144void x509_certificate_chain_free(struct x509_certificate *cert);
145int x509_check_signature(struct x509_certificate *issuer,
146 struct x509_algorithm_identifier *signature,
147 const u8 *sign_value, size_t sign_value_len,
148 const u8 *signed_data, size_t signed_data_len);
149int x509_certificate_check_signature(struct x509_certificate *issuer,
150 struct x509_certificate *cert);
151int x509_certificate_chain_validate(struct x509_certificate *trusted,
152 struct x509_certificate *chain,
153 int *reason, int disable_time_checks);
154struct x509_certificate *
155x509_certificate_get_subject(struct x509_certificate *chain,
156 struct x509_name *name);
157int x509_certificate_self_signed(struct x509_certificate *cert);
158
159int x509_sha1_oid(struct asn1_oid *oid);
160int x509_sha256_oid(struct asn1_oid *oid);
161int x509_sha384_oid(struct asn1_oid *oid);
162int x509_sha512_oid(struct asn1_oid *oid);
163
164#endif /* X509V3_H */