/src/gnutls/lib/x509/x509_int.h

Source (jump to first uncovered line)
/*
 * Copyright (C) 2003-2012 Free Software Foundation, Inc.
 * Copyright (C) 2017 Red Hat, Inc.
 *
 * Author: Nikos Mavrogiannopoulos
 *
 * This file is part of GnuTLS.
 *
 * The GnuTLS is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public License
 * as published by the Free Software Foundation; either version 2.1 of
 * the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program.  If not, see <https://www.gnu.org/licenses/>
 *
 */

#ifndef GNUTLS_LIB_X509_X509_INT_H
# define GNUTLS_LIB_X509_X509_INT_H

# include <gnutls/x509.h>
# include <gnutls/x509-ext.h>
# include <gnutls/abstract.h>

# include <libtasn1.h>

# define MAX_CRQ_EXTENSIONS_SIZE 8*1024
# define MAX_OID_SIZE 128
# define MAX_KEY_ID_SIZE 128
# define MAX_SALT_SIZE 256
# define MAX_NAME_SIZE (3*ASN1_MAX_NAME_SIZE)

# define HASH_OID_SHA1 "1.3.14.3.2.26"
# define HASH_OID_MD5 "1.2.840.113549.2.5"
# define HASH_OID_MD2 "1.2.840.113549.2.2"
# define HASH_OID_RMD160 "1.3.36.3.2.1"
# define HASH_OID_SHA224 "2.16.840.1.101.3.4.2.4"
# define HASH_OID_SHA256 "2.16.840.1.101.3.4.2.1"
# define HASH_OID_SHA384 "2.16.840.1.101.3.4.2.2"
# define HASH_OID_SHA512 "2.16.840.1.101.3.4.2.3"
# define HASH_OID_SHA3_224 "2.16.840.1.101.3.4.2.7"
# define HASH_OID_SHA3_256 "2.16.840.1.101.3.4.2.8"
# define HASH_OID_SHA3_384 "2.16.840.1.101.3.4.2.9"
# define HASH_OID_SHA3_512 "2.16.840.1.101.3.4.2.10"
# define HASH_OID_SHAKE_128 "2.16.840.1.101.3.4.2.11"
# define HASH_OID_SHAKE_256 "2.16.840.1.101.3.4.2.12"
# define HASH_OID_GOST_R_3411_94 "1.2.643.2.2.9"
# define HASH_OID_STREEBOG_256 "1.2.643.7.1.1.2.2"
# define HASH_OID_STREEBOG_512 "1.2.643.7.1.1.2.3"

# define HASH_OID_GOST_R_3411_94_CRYPTOPRO_PARAMS "1.2.643.2.2.30.1"

/* from rfc8479 */
# define OID_ATTR_PROV_SEED "1.3.6.1.4.1.2312.18.8.1"

struct gnutls_x509_crl_iter {
  /* This is used to optimize reads by gnutls_x509_crl_iter_crt_serial() */
  asn1_node rcache;
  unsigned rcache_idx;
};

typedef struct gnutls_x509_crl_int {
  asn1_node crl;

  unsigned expanded;
  /* This is used to optimize reads by gnutls_x509_crl_get_crt_serial2() */
  asn1_node rcache;
  unsigned rcache_idx;
  int use_extensions;

  gnutls_datum_t der;
  gnutls_datum_t raw_issuer_dn;
} gnutls_x509_crl_int;

typedef struct gnutls_x509_dn_st {
  asn1_node asn;
} gnutls_x509_dn_st;

typedef struct gnutls_x509_crt_int {
  asn1_node cert;
  int use_extensions;
  unsigned expanded;  /* a certificate has been expanded */
  unsigned modified;  /* the cached values below may no longer be valid */
  unsigned flags;

  struct pin_info_st pin;

  /* These two cached values allow fast calls to
   * get_raw_*_dn(). */
  gnutls_datum_t raw_dn;
  gnutls_datum_t raw_issuer_dn;
  gnutls_datum_t raw_spki;

  gnutls_datum_t der;

  /* this cached value allows fast access to alt names */
  gnutls_subject_alt_names_t san;
  gnutls_subject_alt_names_t ian;

  /* backwards compatibility for gnutls_x509_crt_get_subject()
   * and gnutls_x509_crt_get_issuer() */
  gnutls_x509_dn_st dn;
  gnutls_x509_dn_st idn;
} gnutls_x509_crt_int;

# define MODIFIED(crt) crt->modified=1

typedef struct gnutls_x509_crq_int {
  asn1_node crq;
} gnutls_x509_crq_int;

typedef struct gnutls_pkcs7_attrs_st {
  char *oid;
  gnutls_datum_t data;
  struct gnutls_pkcs7_attrs_st *next;
} gnutls_pkcs7_attrs_st;

typedef struct gnutls_pkcs7_int {
  asn1_node pkcs7;

  char encap_data_oid[MAX_OID_SIZE];

  gnutls_datum_t der_signed_data;
  asn1_node signed_data;
  unsigned expanded;
} gnutls_pkcs7_int;

struct pbkdf2_params {
  uint8_t salt[MAX_SALT_SIZE];
  int salt_size;
  unsigned iter_count;
  unsigned key_size;
  gnutls_mac_algorithm_t mac;
};

typedef struct gnutls_x509_privkey_int {
  /* the size of params depends on the public
   * key algorithm
   */
  gnutls_pk_params_st params;

  unsigned expanded;
  unsigned flags;

  asn1_node key;
  struct pin_info_st pin;
} gnutls_x509_privkey_int;

int _gnutls_x509_crt_cpy(gnutls_x509_crt_t dest, gnutls_x509_crt_t src);

int _gnutls_x509_compare_raw_dn(const gnutls_datum_t * dn1,
        const gnutls_datum_t * dn2);

int _gnutls_x509_crl_cpy(gnutls_x509_crl_t dest, gnutls_x509_crl_t src);
int _gnutls_x509_crl_get_raw_issuer_dn(gnutls_x509_crl_t crl,
               gnutls_datum_t * dn);

/* sign.c */
int _gnutls_x509_get_tbs(asn1_node cert, const char *tbs_name,
       gnutls_datum_t * tbs);
int _gnutls_x509_pkix_sign(asn1_node src, const char *src_name,
         gnutls_digest_algorithm_t,
         unsigned int flags,
         gnutls_x509_crt_t issuer,
         gnutls_privkey_t issuer_key);
int _gnutls_x509_crt_get_spki_params(gnutls_x509_crt_t issuer,
             const gnutls_x509_spki_st * key_params,
             gnutls_x509_spki_st * params);

# define map_errs_to_zero(x) ((x)<0?0:(x))

/* dn.c */
# define OID_X520_COUNTRY_NAME    "2.5.4.6"
# define OID_X520_ORGANIZATION_NAME "2.5.4.10"
# define OID_X520_ORGANIZATIONAL_UNIT_NAME "2.5.4.11"
# define OID_X520_COMMON_NAME   "2.5.4.3"
# define OID_X520_LOCALITY_NAME   "2.5.4.7"
# define OID_X520_STATE_OR_PROVINCE_NAME  "2.5.4.8"
# define OID_LDAP_DC      "0.9.2342.19200300.100.1.25"
# define OID_LDAP_UID     "0.9.2342.19200300.100.1.1"
# define OID_PKCS9_EMAIL      "1.2.840.113549.1.9.1"

int _gnutls_x509_parse_dn(asn1_node asn1_struct,
        const char *asn1_rdn_name, char *buf,
        size_t *sizeof_buf, unsigned flags);

int
_gnutls_x509_get_dn(asn1_node asn1_struct,
        const char *asn1_rdn_name, gnutls_datum_t * dn,
        unsigned flags);

int
_gnutls_x509_parse_dn_oid(asn1_node asn1_struct,
        const char *asn1_rdn_name,
        const char *given_oid, int indx,
        unsigned int raw_flag, gnutls_datum_t * out);

int _gnutls_x509_set_dn_oid(asn1_node asn1_struct,
          const char *asn1_rdn_name, const char *oid,
          int raw_flag, const char *name, int sizeof_name);

int _gnutls_x509_get_dn_oid(asn1_node asn1_struct,
          const char *asn1_rdn_name,
          int indx, void *_oid, size_t *sizeof_oid);

int _gnutls_encode_othername_data(unsigned flags, const void *data,
          unsigned data_size, gnutls_datum_t * output);

int _gnutls_parse_general_name(asn1_node src, const char *src_name,
             int seq, void *name, size_t *name_size,
             unsigned int *ret_type, int othername_oid);

int
_gnutls_parse_general_name2(asn1_node src, const char *src_name,
          int seq, gnutls_datum_t * dname,
          unsigned int *ret_type, int othername_oid);

int
_gnutls_write_new_general_name(asn1_node ext, const char *ext_name,
             gnutls_x509_subject_alt_name_t type,
             const void *data, unsigned int data_size);

int
_gnutls_write_new_othername(asn1_node ext, const char *ext_name,
          const char *oid,
          const void *data, unsigned int data_size);

/* dsa.c */

/* verify.c */
int gnutls_x509_crt_is_issuer(gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer);

int
_gnutls_x509_verify_algorithm(gnutls_digest_algorithm_t * hash,
            const gnutls_datum_t * signature,
            gnutls_pk_algorithm_t pk,
            gnutls_pk_params_st * issuer_params);

/* privkey.h */
void _gnutls_x509_privkey_reinit(gnutls_x509_privkey_t key);

asn1_node _gnutls_privkey_decode_pkcs1_rsa_key(const gnutls_datum_t *
                 raw_key,
                 gnutls_x509_privkey_t pkey);
int _gnutls_privkey_decode_ecc_key(asn1_node * pkey_asn, const gnutls_datum_t *
           raw_key,
           gnutls_x509_privkey_t pkey,
           gnutls_ecc_curve_t curve);

int _gnutls_privkey_decode_eddsa_key(asn1_node * pkey_asn,
             const gnutls_datum_t * raw_key,
             gnutls_x509_privkey_t pkey,
             gnutls_ecc_curve_t curve);

int
_gnutls_x509_read_ecc_params(uint8_t * der, int dersize, unsigned int *curve);

int
_gnutls_x509_read_gost_params(uint8_t * der, int dersize,
            gnutls_pk_params_st * params,
            gnutls_pk_algorithm_t algo);

int _gnutls_asn1_encode_privkey(asn1_node * c2, gnutls_pk_params_st * params);

void _gnutls_x509_privkey_get_spki_params(gnutls_x509_privkey_t key,
            gnutls_x509_spki_st * params);

int _gnutls_x509_read_rsa_pss_params(uint8_t * der, int dersize,
             gnutls_x509_spki_st * params);
int _gnutls_x509_write_rsa_pss_params(const gnutls_x509_spki_st * params,
              gnutls_datum_t * der);

/* extensions.c */
int _gnutls_x509_crl_get_extension_oid(gnutls_x509_crl_t crl,
               int indx, void *oid, size_t *sizeof_oid);

int _gnutls_x509_crl_set_extension(gnutls_x509_crl_t crl,
           const char *ext_id,
           const gnutls_datum_t * ext_data,
           unsigned int critical);

int
_gnutls_x509_crl_get_extension(gnutls_x509_crl_t crl,
             const char *extension_id, int indx,
             gnutls_datum_t * data, unsigned int *critical);

int
_gnutls_x509_crt_get_extension(gnutls_x509_crt_t cert,
             const char *extension_id, int indx,
             gnutls_datum_t * data, unsigned int *critical);

int _gnutls_x509_crt_get_extension_oid(gnutls_x509_crt_t cert,
               int indx, void *ret, size_t *ret_size);
int _gnutls_x509_crt_set_extension(gnutls_x509_crt_t cert,
           const char *extension_id,
           const gnutls_datum_t * ext_data,
           unsigned int critical);

int
_gnutls_x509_ext_extract_number(uint8_t * number,
        size_t *nr_size,
        uint8_t * extnValue, int extnValueLen);
int
_gnutls_x509_ext_gen_number(const uint8_t * number, size_t nr_size,
          gnutls_datum_t * der_ext);

int
_gnutls_write_general_name(asn1_node ext, const char *ext_name,
         gnutls_x509_subject_alt_name_t type,
         const void *data, unsigned int data_size);

int _gnutls_x509_ext_gen_subject_alt_name(gnutls_x509_subject_alt_name_t
            type,
            const char *othername_oid,
            const void *data,
            unsigned int data_size,
            const gnutls_datum_t * prev_der_ext,
            gnutls_datum_t * der_ext);
int _gnutls_x509_ext_gen_auth_key_id(const void *id, size_t id_size,
             gnutls_datum_t * der_data);

/* mpi.c */
int _gnutls_x509_crq_get_mpis(gnutls_x509_crq_t cert, gnutls_pk_params_st *);

int _gnutls_x509_crt_get_mpis(gnutls_x509_crt_t cert,
            gnutls_pk_params_st * params);

int _gnutls_x509_read_pubkey_params(gnutls_pk_algorithm_t, uint8_t * der,
            int dersize, gnutls_pk_params_st * params);
int _gnutls_x509_check_pubkey_params(gnutls_pk_params_st * params);

int _gnutls_x509_read_pubkey(gnutls_pk_algorithm_t, uint8_t * der,
           int dersize, gnutls_pk_params_st * params);

int _gnutls_x509_read_pubkey_signature_params(gnutls_pk_algorithm_t algo,
                uint8_t * der, int dersize,
                gnutls_pk_params_st * params);

int _gnutls_x509_write_ecc_params(const gnutls_ecc_curve_t curve,
          gnutls_datum_t * der);
int _gnutls_x509_write_ecc_pubkey(const gnutls_pk_params_st * params,
          gnutls_datum_t * der);

int _gnutls_x509_write_eddsa_pubkey(const gnutls_pk_params_st * params,
            gnutls_datum_t * der);

int
_gnutls_x509_write_pubkey_params(const gnutls_pk_params_st * params,
         gnutls_datum_t * der);
int _gnutls_x509_write_pubkey(const gnutls_pk_params_st * params,
            gnutls_datum_t * der);

int _gnutls_x509_read_uint(asn1_node node, const char *value,
         unsigned int *ret);

int _gnutls_x509_read_der_int(uint8_t * der, int dersize, bigint_t * out);
int _gnutls_x509_read_der_uint(uint8_t * der, int dersize, unsigned int *out);

int _gnutls_x509_read_int(asn1_node node, const char *value,
        bigint_t * ret_mpi);
int _gnutls_x509_write_int(asn1_node node, const char *value, bigint_t mpi,
         int lz);

int _gnutls_x509_write_uint32(asn1_node node, const char *value, uint32_t num);

int _gnutls_x509_read_key_int(asn1_node node, const char *value,
            bigint_t * ret_mpi);
int _gnutls_x509_write_key_int(asn1_node node, const char *value, bigint_t mpi,
             int lz);

int _gnutls_x509_read_key_int_le(asn1_node node, const char *value,
         bigint_t * ret_mpi);
int _gnutls_x509_write_key_int_le(asn1_node node, const char *value,
          bigint_t mpi);

int _gnutls_x509_read_pkalgo_params(asn1_node src, const char *src_name,
            gnutls_x509_spki_st * params,
            unsigned is_sig);
int _gnutls_x509_write_sign_params(asn1_node dst, const char *dst_name,
           const gnutls_sign_entry_st * se,
           gnutls_x509_spki_st * params);

# define _gnutls_x509_read_sign_params(src,name,params) _gnutls_x509_read_pkalgo_params(src,name,params,1)
# define _gnutls_x509_read_spki_params(src,name,params) _gnutls_x509_read_pkalgo_params(src,name,params,0)
int _gnutls_x509_write_spki_params(asn1_node dst, const char *dst_name,
           gnutls_x509_spki_st * params);

inline static int
_gnutls_x509_crt_read_spki_params(gnutls_x509_crt_t crt,
          gnutls_x509_spki_st * params)
{
  return _gnutls_x509_read_spki_params(crt->cert,
               "tbsCertificate."
               "subjectPublicKeyInfo."
               "algorithm", params);
}

inline static int
_gnutls_x509_crq_read_spki_params(gnutls_x509_crq_t crt,
          gnutls_x509_spki_st * params)
{
  return _gnutls_x509_read_spki_params(crt->crq,
               "certificationRequestInfo."
               "subjectPKInfo."
               "algorithm", params);
}

/* pkcs12.h */
# include <gnutls/pkcs12.h>

typedef struct gnutls_pkcs12_int {
  asn1_node pkcs12;
  unsigned expanded;
} gnutls_pkcs12_int;

# define MAX_BAG_ELEMENTS 32

struct bag_element {
  gnutls_datum_t data;
  gnutls_pkcs12_bag_type_t type;
  gnutls_datum_t local_key_id;
  char *friendly_name;
};

typedef struct gnutls_pkcs12_bag_int {
  struct bag_element element[MAX_BAG_ELEMENTS];
  unsigned bag_elements;
} gnutls_pkcs12_bag_int;

# define BAG_PKCS8_KEY "1.2.840.113549.1.12.10.1.1"
# define BAG_PKCS8_ENCRYPTED_KEY "1.2.840.113549.1.12.10.1.2"
# define BAG_CERTIFICATE "1.2.840.113549.1.12.10.1.3"
# define BAG_CRL "1.2.840.113549.1.12.10.1.4"
# define BAG_SECRET "1.2.840.113549.1.12.10.1.5"

/* Bag attributes
 */
# define FRIENDLY_NAME_OID "1.2.840.113549.1.9.20"
# define KEY_ID_OID "1.2.840.113549.1.9.21"

int
_gnutls_pkcs12_string_to_key(const mac_entry_st * me,
           unsigned int id, const uint8_t * salt,
           unsigned int salt_size, unsigned int iter,
           const char *pw, unsigned int req_keylen,
           uint8_t * keybuf);

int _pkcs12_decode_safe_contents(const gnutls_datum_t * content,
         gnutls_pkcs12_bag_t bag);

int
_pkcs12_encode_safe_contents(gnutls_pkcs12_bag_t bag, asn1_node * content,
           int *enc);

int _pkcs12_decode_crt_bag(gnutls_pkcs12_bag_type_t type,
         const gnutls_datum_t * in, gnutls_datum_t * out);
int _pkcs12_encode_crt_bag(gnutls_pkcs12_bag_type_t type,
         const gnutls_datum_t * raw, gnutls_datum_t * out);

/* crq */
int _gnutls_x509_crq_set_extension(gnutls_x509_crq_t crq,
           const char *ext_id,
           const gnutls_datum_t * ext_data,
           unsigned int critical);

int
gnutls_x509_crt_verify_data3(gnutls_x509_crt_t crt,
           gnutls_sign_algorithm_t algo,
           gnutls_typed_vdata_st * vdata,
           unsigned int vdata_size,
           const gnutls_datum_t * data,
           const gnutls_datum_t * signature,
           unsigned int flags);

int _gnutls_trust_list_get_issuer(gnutls_x509_trust_list_t list,
          gnutls_x509_crt_t cert,
          gnutls_x509_crt_t * issuer,
          unsigned int flags);

unsigned int
_gnutls_verify_crt_status(gnutls_x509_trust_list_t tlist,
        const gnutls_x509_crt_t * certificate_list,
        int clist_size,
        const gnutls_x509_crt_t * trusted_cas,
        int tcas_size,
        unsigned int flags,
        const char *purpose,
        gnutls_verify_output_function func);

# ifdef ENABLE_PKCS11
unsigned int
_gnutls_pkcs11_verify_crt_status(gnutls_x509_trust_list_t tlist,
         const char *url,
         const gnutls_x509_crt_t * certificate_list,
         unsigned clist_size,
         const char *purpose,
         unsigned int flags,
         gnutls_verify_output_function func);
# endif

int _gnutls_check_cert_sanity(gnutls_x509_crt_t cert);

int
_gnutls_x509_crt_check_revocation(gnutls_x509_crt_t cert,
          const gnutls_x509_crl_t * crl_list,
          int crl_list_length,
          gnutls_verify_output_function func);

typedef struct gnutls_name_constraints_st {
  struct name_constraints_node_st *permitted;
  struct name_constraints_node_st *excluded;
} gnutls_name_constraints_st;

typedef struct name_constraints_node_st {
  unsigned type;
  gnutls_datum_t name;
  struct name_constraints_node_st *next;
} name_constraints_node_st;

int _gnutls_extract_name_constraints(asn1_node c2, const char *vstr,
             name_constraints_node_st ** _nc);
void _gnutls_name_constraints_node_free(name_constraints_node_st * node);
int _gnutls_x509_name_constraints_merge(gnutls_x509_name_constraints_t nc,
          gnutls_x509_name_constraints_t nc2);

void _gnutls_x509_policies_erase(gnutls_x509_policies_t policies,
         unsigned int seq);

struct gnutls_x509_tlsfeatures_st {
  uint16_t feature[MAX_EXT_TYPES];
  unsigned int size;
};

unsigned _gnutls_is_broken_sig_allowed(const gnutls_sign_entry_st * se,
               unsigned int flags);

#endif        /* GNUTLS_LIB_X509_X509_INT_H */

Coverage Report

Created: 2023-03-26 08:33