/src/boringssl/crypto/x509/internal.h
Line | Count | Source |
1 | | // Copyright 2013-2016 The OpenSSL Project Authors. All Rights Reserved. |
2 | | // |
3 | | // Licensed under the Apache License, Version 2.0 (the "License"); |
4 | | // you may not use this file except in compliance with the License. |
5 | | // You may obtain a copy of the License at |
6 | | // |
7 | | // https://www.apache.org/licenses/LICENSE-2.0 |
8 | | // |
9 | | // Unless required by applicable law or agreed to in writing, software |
10 | | // distributed under the License is distributed on an "AS IS" BASIS, |
11 | | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
12 | | // See the License for the specific language governing permissions and |
13 | | // limitations under the License. |
14 | | |
15 | | #ifndef OPENSSL_HEADER_CRYPTO_X509_INTERNAL_H |
16 | | #define OPENSSL_HEADER_CRYPTO_X509_INTERNAL_H |
17 | | |
18 | | #include <openssl/base.h> |
19 | | #include <openssl/evp.h> |
20 | | #include <openssl/span.h> |
21 | | #include <openssl/x509.h> |
22 | | |
23 | | #include "../asn1/internal.h" |
24 | | #include "../mem_internal.h" |
25 | | #include "../internal.h" |
26 | | |
27 | | // Internal structures. |
28 | | |
29 | | DECLARE_OPAQUE_STRUCT(x509_st, X509Impl) |
30 | | DECLARE_OPAQUE_STRUCT(x509_store_st, X509Store) |
31 | | DECLARE_OPAQUE_STRUCT(X509_name_st, X509Name) |
32 | | |
33 | | struct X509_pubkey_st { |
34 | | X509_ALGOR algor; |
35 | | ASN1_BIT_STRING public_key; |
36 | | EVP_PKEY *pkey; |
37 | | } /* X509_PUBKEY */; |
38 | | |
39 | | BSSL_NAMESPACE_BEGIN |
40 | | |
41 | | void x509_pubkey_init(X509_PUBKEY *key); |
42 | | void x509_pubkey_cleanup(X509_PUBKEY *key); |
43 | | |
44 | | int x509_parse_public_key(CBS *cbs, X509_PUBKEY *out, |
45 | | Span<const EVP_PKEY_ALG *const> algs); |
46 | | int x509_marshal_public_key(CBB *cbb, const X509_PUBKEY *in); |
47 | | int x509_pubkey_set1(X509_PUBKEY *key, EVP_PKEY *pkey); |
48 | | |
49 | | // X509_PUBKEY is an |ASN1_ITEM| whose ASN.1 type is SubjectPublicKeyInfo and C |
50 | | // type is |X509_PUBKEY*|. |
51 | | // TODO(crbug.com/42290417): Remove this when |X509| and |X509_REQ| no longer |
52 | | // depend on the tables. |
53 | | DECLARE_ASN1_ITEM(X509_PUBKEY) |
54 | | |
55 | | BSSL_NAMESPACE_END |
56 | | |
57 | | struct X509_name_entry_st { |
58 | | ASN1_OBJECT *object; |
59 | | ASN1_STRING value; |
60 | | int set; |
61 | | } /* X509_NAME_ENTRY */; |
62 | | |
63 | | BSSL_NAMESPACE_BEGIN |
64 | | |
65 | | // X509_NAME_ENTRY is an |ASN1_ITEM| whose ASN.1 type is AttributeTypeAndValue |
66 | | // (RFC 5280) and C type is |X509_NAME_ENTRY*|. |
67 | | DECLARE_ASN1_ITEM(X509_NAME_ENTRY) |
68 | | |
69 | | struct X509_NAME_CACHE { |
70 | | static constexpr bool kAllowUniquePtr = true; |
71 | | // canon contains the DER-encoded canonicalized X.509 Name, not including the |
72 | | // outermost TLV. |
73 | | Array<uint8_t> canon; |
74 | | // der contains the DER-encoded X.509 Name, including the outermost TLV. |
75 | | Array<uint8_t> der; |
76 | | }; |
77 | | |
78 | | class X509Name : public X509_name_st { |
79 | | public: |
80 | | STACK_OF(X509_NAME_ENTRY) *entries = nullptr; |
81 | | mutable bssl::Atomic<bssl::X509_NAME_CACHE *> cache; |
82 | | } /* X509_NAME */; |
83 | | |
84 | | BSSL_NAMESPACE_END |
85 | | |
86 | | struct x509_attributes_st { |
87 | | ASN1_OBJECT *object; |
88 | | STACK_OF(ASN1_TYPE) *set; |
89 | | } /* X509_ATTRIBUTE */; |
90 | | |
91 | | BSSL_NAMESPACE_BEGIN |
92 | | |
93 | | // X509_ATTRIBUTE is an |ASN1_ITEM| whose ASN.1 type is Attribute (RFC 2986) and |
94 | | // C type is |X509_ATTRIBUTE*|. |
95 | | DECLARE_ASN1_ITEM(X509_ATTRIBUTE) |
96 | | |
97 | | typedef struct x509_cert_aux_st { |
98 | | STACK_OF(ASN1_OBJECT) *trust; // trusted uses |
99 | | STACK_OF(ASN1_OBJECT) *reject; // rejected uses |
100 | | ASN1_UTF8STRING *alias; // "friendly name" |
101 | | ASN1_OCTET_STRING *keyid; // key id of private key |
102 | | } X509_CERT_AUX; |
103 | | |
104 | | DECLARE_ASN1_FUNCTIONS_const(X509_CERT_AUX) |
105 | | |
106 | | BSSL_NAMESPACE_END |
107 | | |
108 | | struct X509_extension_st { |
109 | | ASN1_OBJECT *object; |
110 | | ASN1_BOOLEAN critical; |
111 | | ASN1_OCTET_STRING *value; |
112 | | } /* X509_EXTENSION */; |
113 | | |
114 | | // X509_EXTENSION is an |ASN1_ITEM| whose ASN.1 type is X.509 Extension (RFC |
115 | | // 5280) and C type is |X509_EXTENSION*|. |
116 | | DECLARE_ASN1_ITEM(X509_EXTENSION) |
117 | | |
118 | | BSSL_NAMESPACE_BEGIN |
119 | | |
120 | | // X509_EXTENSIONS is an |ASN1_ITEM| whose ASN.1 type is SEQUENCE of Extension |
121 | | // (RFC 5280) and C type is |STACK_OF(X509_EXTENSION)*|. |
122 | | DECLARE_ASN1_ITEM(X509_EXTENSIONS) |
123 | | |
124 | | class X509Impl : public x509_st, public RefCounted<X509Impl> { |
125 | | public: |
126 | | X509Impl(); |
127 | | |
128 | | // TBSCertificate fields: |
129 | | uint8_t version = X509_VERSION_1; // One of the |X509_VERSION_*| constants. |
130 | | ASN1_INTEGER serialNumber; |
131 | | X509_ALGOR tbs_sig_alg; |
132 | | X509Name issuer; |
133 | | ASN1_TIME notBefore; |
134 | | ASN1_TIME notAfter; |
135 | | X509Name subject; |
136 | | X509_PUBKEY key; |
137 | | ASN1_BIT_STRING *issuerUID = nullptr; // [ 1 ] optional in v2 |
138 | | ASN1_BIT_STRING *subjectUID = nullptr; // [ 2 ] optional in v2 |
139 | | STACK_OF(X509_EXTENSION) *extensions = nullptr; // [ 3 ] optional in v3 |
140 | | // Certificate fields: |
141 | | X509_ALGOR sig_alg; |
142 | | ASN1_BIT_STRING signature; |
143 | | // Other state: |
144 | | // buf, if not nullptr, contains a copy of the serialized Certificate. |
145 | | // TODO(davidben): Now every parsed |X509| has an underlying |CRYPTO_BUFFER|, |
146 | | // but |X509|s created peacemeal do not. Can we make this more uniform? |
147 | | CRYPTO_BUFFER *buf = nullptr; |
148 | | CRYPTO_EX_DATA ex_data; |
149 | | // These contain copies of various extension values |
150 | | long ex_pathlen = -1; |
151 | | uint32_t ex_flags = 0; |
152 | | uint32_t ex_kusage = 0; |
153 | | uint32_t ex_xkusage = 0; |
154 | | ASN1_OCTET_STRING *skid = nullptr; |
155 | | AUTHORITY_KEYID *akid = nullptr; |
156 | | STACK_OF(DIST_POINT) *crldp = nullptr; |
157 | | STACK_OF(GENERAL_NAME) *altname = nullptr; |
158 | | NAME_CONSTRAINTS *nc = nullptr; |
159 | | unsigned char cert_hash[SHA256_DIGEST_LENGTH] = {}; |
160 | | bssl::X509_CERT_AUX *aux = nullptr; |
161 | | Mutex lock; |
162 | | |
163 | | private: |
164 | | friend RefCounted; |
165 | | ~X509Impl(); |
166 | | } /* X509 */; |
167 | | |
168 | | int x509_marshal_tbs_cert(CBB *cbb, const X509 *x509); |
169 | | |
170 | | // X509 is an |ASN1_ITEM| whose ASN.1 type is X.509 Certificate (RFC 5280) and C |
171 | | // type is |X509*|. |
172 | | DECLARE_ASN1_ITEM(X509) |
173 | | |
174 | | typedef struct { |
175 | | bssl::ASN1_ENCODING enc; |
176 | | ASN1_INTEGER *version; |
177 | | X509_NAME *subject; |
178 | | X509_PUBKEY *pubkey; |
179 | | // d=2 hl=2 l= 0 cons: cont: 00 |
180 | | STACK_OF(X509_ATTRIBUTE) *attributes; // [ 0 ] |
181 | | } X509_REQ_INFO; |
182 | | |
183 | | DECLARE_ASN1_FUNCTIONS_const(X509_REQ_INFO) |
184 | | |
185 | | BSSL_NAMESPACE_END |
186 | | |
187 | | struct X509_req_st { |
188 | | bssl::X509_REQ_INFO *req_info; |
189 | | X509_ALGOR *sig_alg; |
190 | | ASN1_BIT_STRING *signature; |
191 | | } /* X509_REQ */; |
192 | | |
193 | | BSSL_NAMESPACE_BEGIN |
194 | | |
195 | | // X509_REQ is an |ASN1_ITEM| whose ASN.1 type is CertificateRequest (RFC 2986) |
196 | | // and C type is |X509_REQ*|. |
197 | | DECLARE_ASN1_ITEM(X509_REQ) |
198 | | |
199 | | BSSL_NAMESPACE_END |
200 | | |
201 | | struct x509_revoked_st { |
202 | | ASN1_INTEGER *serialNumber; |
203 | | ASN1_TIME *revocationDate; |
204 | | STACK_OF(X509_EXTENSION) /* optional */ *extensions; |
205 | | // Revocation reason |
206 | | int reason; |
207 | | } /* X509_REVOKED */; |
208 | | |
209 | | BSSL_NAMESPACE_BEGIN |
210 | | |
211 | | // X509_REVOKED is an |ASN1_ITEM| whose ASN.1 type is an element of the |
212 | | // revokedCertificates field of TBSCertList (RFC 5280) and C type is |
213 | | // |X509_REVOKED*|. |
214 | | DECLARE_ASN1_ITEM(X509_REVOKED) |
215 | | |
216 | | typedef struct { |
217 | | ASN1_INTEGER *version; |
218 | | X509_ALGOR *sig_alg; |
219 | | X509_NAME *issuer; |
220 | | ASN1_TIME *lastUpdate; |
221 | | ASN1_TIME *nextUpdate; |
222 | | STACK_OF(X509_REVOKED) *revoked; |
223 | | STACK_OF(X509_EXTENSION) /* [0] */ *extensions; |
224 | | bssl::ASN1_ENCODING enc; |
225 | | } X509_CRL_INFO; |
226 | | |
227 | | DECLARE_ASN1_FUNCTIONS_const(X509_CRL_INFO) |
228 | | |
229 | | BSSL_NAMESPACE_END |
230 | | |
231 | | // Values in idp_flags field |
232 | | // IDP present |
233 | 0 | #define IDP_PRESENT 0x1 |
234 | | // IDP values inconsistent |
235 | 0 | #define IDP_INVALID 0x2 |
236 | | // onlyuser true |
237 | 0 | #define IDP_ONLYUSER 0x4 |
238 | | // onlyCA true |
239 | 0 | #define IDP_ONLYCA 0x8 |
240 | | // onlyattr true |
241 | 0 | #define IDP_ONLYATTR 0x10 |
242 | | // indirectCRL true |
243 | 0 | #define IDP_INDIRECT 0x20 |
244 | | // onlysomereasons present |
245 | 0 | #define IDP_REASONS 0x40 |
246 | | |
247 | | struct X509_crl_st { |
248 | | // actual signature |
249 | | bssl::X509_CRL_INFO *crl; |
250 | | X509_ALGOR *sig_alg; |
251 | | ASN1_BIT_STRING *signature; |
252 | | bssl::CRYPTO_refcount_t references; |
253 | | int flags; |
254 | | // Copies of various extensions |
255 | | AUTHORITY_KEYID *akid; |
256 | | ISSUING_DIST_POINT *idp; |
257 | | // Convenient breakdown of IDP |
258 | | int idp_flags; |
259 | | unsigned char crl_hash[SHA256_DIGEST_LENGTH]; |
260 | | } /* X509_CRL */; |
261 | | |
262 | | BSSL_NAMESPACE_BEGIN |
263 | | |
264 | | // X509_CRL is an |ASN1_ITEM| whose ASN.1 type is X.509 CertificateList (RFC |
265 | | // 5280) and C type is |X509_CRL*|. |
266 | | DECLARE_ASN1_ITEM(X509_CRL) |
267 | | |
268 | | // GENERAL_NAME is an |ASN1_ITEM| whose ASN.1 type is GeneralName and C type is |
269 | | // |GENERAL_NAME*|. |
270 | | DECLARE_ASN1_ITEM(GENERAL_NAME) |
271 | | |
272 | | // GENERAL_NAMES is an |ASN1_ITEM| whose ASN.1 type is SEQUENCE OF GeneralName |
273 | | // and C type is |GENERAL_NAMES*|, aka |STACK_OF(GENERAL_NAME)*|. |
274 | | DECLARE_ASN1_ITEM(GENERAL_NAMES) |
275 | | |
276 | | BSSL_NAMESPACE_END |
277 | | |
278 | | struct X509_VERIFY_PARAM_st { |
279 | | int64_t check_time; // POSIX time to use |
280 | | unsigned long flags; // Various verify flags |
281 | | int purpose; // purpose to check untrusted certificates |
282 | | int trust; // trust setting to check |
283 | | int depth; // Verify depth |
284 | | STACK_OF(ASN1_OBJECT) *policies; // Permissible policies |
285 | | // The following fields specify acceptable peer identities. |
286 | | STACK_OF(OPENSSL_STRING) *hosts; // Set of acceptable names |
287 | | unsigned int hostflags; // Flags to control matching features |
288 | | char *email; // If not NULL email address to match |
289 | | size_t emaillen; |
290 | | unsigned char *ip; // If not NULL IP address to match |
291 | | size_t iplen; // Length of IP address |
292 | | unsigned char poison; // Fail all verifications at name checking |
293 | | } /* X509_VERIFY_PARAM */; |
294 | | |
295 | | struct x509_object_st { |
296 | | // one of the above types |
297 | | int type; |
298 | | union { |
299 | | char *ptr; |
300 | | X509 *x509; |
301 | | X509_CRL *crl; |
302 | | EVP_PKEY *pkey; |
303 | | } data; |
304 | | } /* X509_OBJECT */; |
305 | | |
306 | | BSSL_NAMESPACE_BEGIN |
307 | | |
308 | | // NETSCAPE_SPKI is an |ASN1_ITEM| whose ASN.1 type is |
309 | | // SignedPublicKeyAndChallenge and C type is |NETSCAPE_SPKI*|. |
310 | | DECLARE_ASN1_ITEM(NETSCAPE_SPKI) |
311 | | |
312 | | // NETSCAPE_SPKAC is an |ASN1_ITEM| whose ASN.1 type is PublicKeyAndChallenge |
313 | | // and C type is |NETSCAPE_SPKAC*|. |
314 | | DECLARE_ASN1_ITEM(NETSCAPE_SPKAC) |
315 | | |
316 | | BSSL_NAMESPACE_END |
317 | | |
318 | | // This is a static that defines the function interface |
319 | | struct x509_lookup_method_st { |
320 | | int (*new_item)(X509_LOOKUP *ctx); |
321 | | void (*free)(X509_LOOKUP *ctx); |
322 | | int (*ctrl)(X509_LOOKUP *ctx, int cmd, const char *argc, long argl, |
323 | | char **ret); |
324 | | int (*get_by_subject)(X509_LOOKUP *ctx, int type, const X509_NAME *name, |
325 | | X509_OBJECT *ret); |
326 | | } /* X509_LOOKUP_METHOD */; |
327 | | |
328 | | BSSL_NAMESPACE_BEGIN |
329 | | |
330 | | // This is used to hold everything. It is used for all certificate |
331 | | // validation. Once we have a certificate chain, the 'verify' |
332 | | // function is then called to actually check the cert chain. |
333 | | class X509Store : public x509_store_st, public RefCounted<X509Store> { |
334 | | public: |
335 | | X509Store(); |
336 | | |
337 | | // The following is a cache of trusted certs |
338 | | UniquePtr<STACK_OF(X509_OBJECT)> objs; // Cache of all objects |
339 | | Mutex objs_lock; |
340 | | |
341 | | // These are external lookup methods |
342 | | Vector<UniquePtr<X509_LOOKUP>> get_cert_methods; |
343 | | |
344 | | UniquePtr<X509_VERIFY_PARAM> param; |
345 | | |
346 | | // Callbacks for various operations |
347 | | X509_STORE_CTX_verify_cb verify_cb = nullptr; // error callback |
348 | | |
349 | | private: |
350 | | friend RefCounted; |
351 | 4.74k | ~X509Store() = default; |
352 | | } /* X509_STORE */; |
353 | | |
354 | | BSSL_NAMESPACE_END |
355 | | |
356 | | // This is the functions plus an instance of the local variables. |
357 | | struct x509_lookup_st { |
358 | | const X509_LOOKUP_METHOD *method; // the functions |
359 | | void *method_data; // method data |
360 | | |
361 | | X509_STORE *store_ctx; // who owns us |
362 | | } /* X509_LOOKUP */; |
363 | | |
364 | | // This is a used when verifying cert chains. Since the |
365 | | // gathering of the cert chain can take some time (and have to be |
366 | | // 'retried', this needs to be kept and passed around. |
367 | | struct x509_store_ctx_st { |
368 | | X509_STORE *ctx; |
369 | | |
370 | | // The following are set by the caller |
371 | | X509 *cert; // The cert to check |
372 | | STACK_OF(X509) *untrusted; // chain of X509s - untrusted - passed in |
373 | | STACK_OF(X509_CRL) *crls; // set of CRLs passed in |
374 | | |
375 | | X509_VERIFY_PARAM *param; |
376 | | |
377 | | // trusted_stack, if non-NULL, is a set of trusted certificates to consider |
378 | | // instead of those from |X509_STORE|. |
379 | | STACK_OF(X509) *trusted_stack; |
380 | | |
381 | | // Callbacks for various operations |
382 | | X509_STORE_CTX_verify_cb verify_cb; // error callback |
383 | | |
384 | | // The following is built up |
385 | | int last_untrusted; // index of last untrusted cert |
386 | | STACK_OF(X509) *chain; // chain of X509s - built up and trusted |
387 | | |
388 | | // When something goes wrong, this is why |
389 | | int error_depth; |
390 | | int error; |
391 | | X509 *current_cert; |
392 | | X509_CRL *current_crl; // current CRL |
393 | | |
394 | | X509 *current_crl_issuer; // issuer of current CRL |
395 | | int current_crl_score; // score of current CRL |
396 | | |
397 | | CRYPTO_EX_DATA ex_data; |
398 | | } /* X509_STORE_CTX */; |
399 | | |
400 | | BSSL_NAMESPACE_BEGIN |
401 | | |
402 | | ASN1_TYPE *ASN1_generate_v3(const char *str, const X509V3_CTX *cnf); |
403 | | |
404 | | int X509_CERT_AUX_print(BIO *bp, X509_CERT_AUX *x, int indent); |
405 | | |
406 | | |
407 | | // RSA-PSS functions. |
408 | | |
409 | | // x509_rsa_pss_to_ctx configures |ctx| for an RSA-PSS operation based on |
410 | | // signature algorithm parameters in |sigalg| (which must have type |
411 | | // |NID_rsassaPss|) and key |pkey|. It returns one on success and zero on |
412 | | // error. |
413 | | int x509_rsa_pss_to_ctx(EVP_MD_CTX *ctx, const X509_ALGOR *sigalg, |
414 | | EVP_PKEY *pkey); |
415 | | |
416 | | // x509_rsa_pss_to_ctx sets |algor| to the signature algorithm parameters for |
417 | | // |ctx|, which must have been configured for an RSA-PSS signing operation. It |
418 | | // returns one on success and zero on error. |
419 | | int x509_rsa_ctx_to_pss(EVP_MD_CTX *ctx, X509_ALGOR *algor); |
420 | | |
421 | | // x509_print_rsa_pss_params prints a human-readable representation of RSA-PSS |
422 | | // parameters in |sigalg| to |bp|. It returns one on success and zero on |
423 | | // error. |
424 | | int x509_print_rsa_pss_params(BIO *bp, const X509_ALGOR *sigalg, int indent, |
425 | | ASN1_PCTX *pctx); |
426 | | |
427 | | |
428 | | // Signature algorithm functions. |
429 | | |
430 | | // x509_digest_sign_algorithm encodes the signing parameters of |ctx| as an |
431 | | // AlgorithmIdentifier and saves the result in |algor|. It returns one on |
432 | | // success, or zero on error. |
433 | | int x509_digest_sign_algorithm(EVP_MD_CTX *ctx, X509_ALGOR *algor); |
434 | | |
435 | | // x509_digest_verify_init sets up |ctx| for a signature verification operation |
436 | | // with public key |pkey| and parameters from |algor|. The |ctx| argument must |
437 | | // have been initialised with |EVP_MD_CTX_init|. It returns one on success, or |
438 | | // zero on error. |
439 | | int x509_digest_verify_init(EVP_MD_CTX *ctx, const X509_ALGOR *sigalg, |
440 | | EVP_PKEY *pkey); |
441 | | |
442 | | // x509_verify_signature verifies a |signature| using |sigalg| and |pkey| over |
443 | | // |in|. It returns one if the signature is valid and zero on error. |
444 | | int x509_verify_signature(const X509_ALGOR *sigalg, |
445 | | const ASN1_BIT_STRING *signature, |
446 | | Span<const uint8_t> in, EVP_PKEY *pkey); |
447 | | |
448 | | // x509_sign_to_bit_string signs |in| using |ctx| and saves the result in |out|. |
449 | | // It returns the length of the signature on success and zero on error. |
450 | | int x509_sign_to_bit_string(EVP_MD_CTX *ctx, ASN1_BIT_STRING *out, |
451 | | Span<const uint8_t> in); |
452 | | |
453 | | |
454 | | // Path-building functions. |
455 | | |
456 | | // X509_policy_check checks certificate policies in |certs|. |user_policies| is |
457 | | // the user-initial-policy-set. If |user_policies| is NULL or empty, it is |
458 | | // interpreted as anyPolicy. |flags| is a set of |X509_V_FLAG_*| values to |
459 | | // apply. It returns |X509_V_OK| on success and |X509_V_ERR_*| on error. It |
460 | | // additionally sets |*out_current_cert| to the certificate where the error |
461 | | // occurred. If the function succeeded, or the error applies to the entire |
462 | | // chain, it sets |*out_current_cert| to NULL. |
463 | | int X509_policy_check(const STACK_OF(X509) *certs, |
464 | | const STACK_OF(ASN1_OBJECT) *user_policies, |
465 | | unsigned long flags, X509 **out_current_cert); |
466 | | |
467 | | // x509_check_issued_with_callback calls |X509_check_issued|, but allows the |
468 | | // verify callback to override the result. It returns one on success and zero on |
469 | | // error. |
470 | | // |
471 | | // TODO(davidben): Reduce the scope of the verify callback and remove this. The |
472 | | // callback only runs with |X509_V_FLAG_CB_ISSUER_CHECK|, which is only used by |
473 | | // one internal project and rust-openssl, who use it by mistake. |
474 | | int x509_check_issued_with_callback(X509_STORE_CTX *ctx, const X509 *x, |
475 | | const X509 *issuer); |
476 | | |
477 | | // x509v3_bytes_to_hex encodes |len| bytes from |in| to hex and returns a |
478 | | // newly-allocated NUL-terminated string containing the result, or NULL on |
479 | | // allocation error. |
480 | | // |
481 | | // This function was historically named |hex_to_string| in OpenSSL. Despite the |
482 | | // name, |hex_to_string| converted to hex. |
483 | | OPENSSL_EXPORT char *x509v3_bytes_to_hex(const uint8_t *in, size_t len); |
484 | | |
485 | | // x509v3_hex_string_to_bytes decodes |str| in hex and returns a newly-allocated |
486 | | // array containing the result, or NULL on error. On success, it sets |*len| to |
487 | | // the length of the result. Colon separators between bytes in the input are |
488 | | // allowed and ignored. |
489 | | // |
490 | | // This function was historically named |string_to_hex| in OpenSSL. Despite the |
491 | | // name, |string_to_hex| converted from hex. |
492 | | unsigned char *x509v3_hex_to_bytes(const char *str, size_t *len); |
493 | | |
494 | | // x509v3_conf_name_matches returns one if |name| is equal to |cmp| or begins |
495 | | // with |cmp| followed by '.', and zero otherwise. |
496 | | int x509v3_conf_name_matches(const char *name, const char *cmp); |
497 | | |
498 | | // x509v3_looks_like_dns_name returns one if |in| looks like a DNS name and zero |
499 | | // otherwise. |
500 | | OPENSSL_EXPORT int x509v3_looks_like_dns_name(const unsigned char *in, |
501 | | size_t len); |
502 | | |
503 | | // x509v3_cache_extensions fills in a number of fields relating to X.509 |
504 | | // extensions in |x|. It returns one on success and zero if some extensions were |
505 | | // invalid. |
506 | | OPENSSL_EXPORT int x509v3_cache_extensions(X509 *x); |
507 | | |
508 | | // x509v3_a2i_ipadd decodes |ipasc| as an IPv4 or IPv6 address. IPv6 addresses |
509 | | // use colon-separated syntax while IPv4 addresses use dotted decimal syntax. If |
510 | | // it decodes an IPv4 address, it writes the result to the first four bytes of |
511 | | // |ipout| and returns four. If it decodes an IPv6 address, it writes the result |
512 | | // to all 16 bytes of |ipout| and returns 16. Otherwise, it returns zero. |
513 | | int x509v3_a2i_ipadd(unsigned char ipout[16], const char *ipasc); |
514 | | |
515 | | // A |BIT_STRING_BITNAME| is used to contain a list of bit names. |
516 | | typedef struct { |
517 | | int bitnum; |
518 | | const char *lname; |
519 | | const char *sname; |
520 | | } BIT_STRING_BITNAME; |
521 | | |
522 | | // x509V3_add_value_asn1_string appends a |CONF_VALUE| with the specified name |
523 | | // and value to |*extlist|. if |*extlist| is NULL, it sets |*extlist| to a |
524 | | // newly-allocated |STACK_OF(CONF_VALUE)| first. It returns one on success and |
525 | | // zero on error. |
526 | | int x509V3_add_value_asn1_string(const char *name, const ASN1_STRING *value, |
527 | | STACK_OF(CONF_VALUE) **extlist); |
528 | | |
529 | | // X509V3_NAME_from_section adds attributes to |nm| by interpreting the |
530 | | // key/value pairs in |dn_sk|. It returns one on success and zero on error. |
531 | | // |chtype|, which should be one of |MBSTRING_*| constants, determines the |
532 | | // character encoding used to interpret values. |
533 | | int X509V3_NAME_from_section(X509_NAME *nm, const STACK_OF(CONF_VALUE) *dn_sk, |
534 | | int chtype); |
535 | | |
536 | | // X509V3_bool_from_string decodes |str| as a boolean. On success, it returns |
537 | | // one and sets |*out_bool| to resulting value. Otherwise, it returns zero. |
538 | | int X509V3_bool_from_string(const char *str, ASN1_BOOLEAN *out_bool); |
539 | | |
540 | | // X509V3_get_value_bool decodes |value| as a boolean. On success, it returns |
541 | | // one and sets |*out_bool| to the resulting value. Otherwise, it returns zero. |
542 | | int X509V3_get_value_bool(const CONF_VALUE *value, ASN1_BOOLEAN *out_bool); |
543 | | |
544 | | // X509V3_get_value_int decodes |value| as an integer. On success, it returns |
545 | | // one and sets |*aint| to the resulting value. Otherwise, it returns zero. If |
546 | | // |*aint| was non-NULL at the start of the function, it frees the previous |
547 | | // value before writing a new one. |
548 | | int X509V3_get_value_int(const CONF_VALUE *value, ASN1_INTEGER **aint); |
549 | | |
550 | | // X509V3_get_section behaves like |NCONF_get_section| but queries |ctx|'s |
551 | | // config database. |
552 | | const STACK_OF(CONF_VALUE) *X509V3_get_section(const X509V3_CTX *ctx, |
553 | | const char *section); |
554 | | |
555 | | // X509V3_add_value appends a |CONF_VALUE| containing |name| and |value| to |
556 | | // |*extlist|. It returns one on success and zero on error. If |*extlist| is |
557 | | // NULL, it sets |*extlist| to a newly-allocated |STACK_OF(CONF_VALUE)| |
558 | | // containing the result. Either |name| or |value| may be NULL to omit the |
559 | | // field. |
560 | | // |
561 | | // On failure, if |*extlist| was NULL, |*extlist| will remain NULL when the |
562 | | // function returns. |
563 | | int X509V3_add_value(const char *name, const char *value, |
564 | | STACK_OF(CONF_VALUE) **extlist); |
565 | | |
566 | | // X509V3_add_value_bool behaves like |X509V3_add_value| but stores the value |
567 | | // "TRUE" if |asn1_bool| is non-zero and "FALSE" otherwise. |
568 | | int X509V3_add_value_bool(const char *name, int asn1_bool, |
569 | | STACK_OF(CONF_VALUE) **extlist); |
570 | | |
571 | | // X509V3_add_value_bool behaves like |X509V3_add_value| but stores a string |
572 | | // representation of |aint|. Note this string representation may be decimal or |
573 | | // hexadecimal, depending on the size of |aint|. |
574 | | int X509V3_add_value_int(const char *name, const ASN1_INTEGER *aint, |
575 | | STACK_OF(CONF_VALUE) **extlist); |
576 | | |
577 | | STACK_OF(CONF_VALUE) *X509V3_parse_list(const char *line); |
578 | | |
579 | | #define X509V3_conf_err(val) \ |
580 | 1.98k | ERR_add_error_data(6, "section:", (val)->section, ",name:", (val)->name, \ |
581 | 1.98k | ",value:", (val)->value); |
582 | | |
583 | | // GENERAL_NAME_cmp returns zero if |a| and |b| are equal and a non-zero |
584 | | // value otherwise. Note this function does not provide a comparison suitable |
585 | | // for sorting. |
586 | | // |
587 | | // This function is exported for testing. |
588 | | OPENSSL_EXPORT int GENERAL_NAME_cmp(const GENERAL_NAME *a, |
589 | | const GENERAL_NAME *b); |
590 | | |
591 | | // X509_VERIFY_PARAM_lookup returns a pre-defined |X509_VERIFY_PARAM| named by |
592 | | // |name|, or NULL if no such name is defined. |
593 | | const X509_VERIFY_PARAM *X509_VERIFY_PARAM_lookup(const char *name); |
594 | | |
595 | | GENERAL_NAME *v2i_GENERAL_NAME(const X509V3_EXT_METHOD *method, |
596 | | const X509V3_CTX *ctx, const CONF_VALUE *cnf); |
597 | | GENERAL_NAME *v2i_GENERAL_NAME_ex(GENERAL_NAME *out, |
598 | | const X509V3_EXT_METHOD *method, |
599 | | const X509V3_CTX *ctx, const CONF_VALUE *cnf, |
600 | | int is_nc); |
601 | | GENERAL_NAMES *v2i_GENERAL_NAMES(const X509V3_EXT_METHOD *method, |
602 | | const X509V3_CTX *ctx, |
603 | | const STACK_OF(CONF_VALUE) *nval); |
604 | | |
605 | | int X509_check_akid(const X509 *issuer, const AUTHORITY_KEYID *akid); |
606 | | |
607 | | int X509_is_valid_trust_id(int trust); |
608 | | |
609 | | int X509_PURPOSE_get_trust(const X509_PURPOSE *xp); |
610 | | |
611 | | // TODO(https://crbug.com/boringssl/695): Remove this. |
612 | | int DIST_POINT_set_dpname(DIST_POINT_NAME *dpn, X509_NAME *iname); |
613 | | |
614 | | void x509_name_init(X509_NAME *name); |
615 | | void x509_name_cleanup(X509_NAME *name); |
616 | | |
617 | | // x509_parse_name parses a DER-encoded, X.509 Name from |cbs| and writes the |
618 | | // result to |*out|. It returns one on success and zero on error. |
619 | | int x509_parse_name(CBS *cbs, X509_NAME *out); |
620 | | |
621 | | // x509_marshal_name marshals |in| as a DER-encoded, X.509 Name and writes the |
622 | | // result to |out|. It returns one on success and zero on error. |
623 | | int x509_marshal_name(CBB *out, const X509_NAME *in); |
624 | | |
625 | | const X509_NAME_CACHE *x509_name_get_cache(const X509_NAME *name); |
626 | | void x509_name_invalidate_cache(X509_NAME *name); |
627 | | |
628 | | int x509_name_copy(X509_NAME *dst, const X509_NAME *src); |
629 | | |
630 | | void x509_algor_init(X509_ALGOR *alg); |
631 | | void x509_algor_cleanup(X509_ALGOR *alg); |
632 | | |
633 | | // x509_parse_algorithm parses a DER-encoded, AlgorithmIdentifier from |cbs| and |
634 | | // writes the result to |*out|. It returns one on success and zero on error. |
635 | | int x509_parse_algorithm(CBS *cbs, X509_ALGOR *out); |
636 | | |
637 | | // x509_marshal_algorithm marshals |in| as a DER-encoded, AlgorithmIdentifier |
638 | | // and writes the result to |out|. It returns one on success and zero on error. |
639 | | int x509_marshal_algorithm(CBB *out, const X509_ALGOR *in); |
640 | | |
641 | | |
642 | | // Standard extensions. |
643 | | |
644 | | extern const X509V3_EXT_METHOD v3_bcons, v3_nscert, v3_key_usage, v3_ext_ku; |
645 | | extern const X509V3_EXT_METHOD v3_info, v3_sinfo; |
646 | | extern const X509V3_EXT_METHOD v3_skey_id, v3_akey_id; |
647 | | extern const X509V3_EXT_METHOD v3_subject_alt_name, v3_issuer_alt_name, |
648 | | v3_certificate_issuer; |
649 | | extern const X509V3_EXT_METHOD v3_netscape_base_url, v3_netscape_revocation_url, |
650 | | v3_netscape_ca_revocation_url, v3_netscape_renewal_url, |
651 | | v3_netscape_ca_policy_url, v3_netscape_ssl_server_name, v3_netscape_comment; |
652 | | extern const X509V3_EXT_METHOD v3_crl_num, v3_crl_reason, v3_crl_invdate; |
653 | | extern const X509V3_EXT_METHOD v3_delta_crl, v3_cpols, v3_crld, v3_freshest_crl; |
654 | | extern const X509V3_EXT_METHOD v3_ocsp_nocheck; |
655 | | extern const X509V3_EXT_METHOD v3_crl_hold; |
656 | | extern const X509V3_EXT_METHOD v3_policy_mappings, v3_policy_constraints; |
657 | | extern const X509V3_EXT_METHOD v3_name_constraints, v3_inhibit_anyp, v3_idp; |
658 | | extern const X509V3_EXT_METHOD v3_addr, v3_asid; |
659 | | |
660 | | BSSL_NAMESPACE_END |
661 | | |
662 | | |
663 | | #endif // OPENSSL_HEADER_CRYPTO_X509_INTERNAL_H |