2 * Copyright (c) 2004 - 2016 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
56 #include <parse_units.h>
57 #include <parse_bytes.h>
59 #include <krb5-types.h>
61 #include <rfc2459_asn1.h>
63 #include <pkcs8_asn1.h>
64 #include <pkcs9_asn1.h>
65 #include <pkcs12_asn1.h>
66 #include <ocsp_asn1.h>
67 #include <pkcs10_asn1.h>
69 #include <pkinit_asn1.h>
74 * We use OpenSSL for EC, but to do this we need to disable cross-references
75 * between OpenSSL and hcrypto bn.h and such. Source files that use OpenSSL EC
76 * must define HEIM_NO_CRYPTO_HDRS before including this file.
79 #define HC_DEPRECATED_CRYPTO
80 #ifndef HEIM_NO_CRYPTO_HDRS
81 #include "crypto-headers.h"
84 struct hx509_keyset_ops
;
85 struct hx509_collector
;
86 struct hx509_generate_private_context
;
87 typedef struct hx509_path hx509_path
;
93 typedef void (*_hx509_cert_release_func
)(struct hx509_cert_data
*, void *);
98 #include <hx509-private.h>
99 #include <hx509_err.h>
101 struct hx509_peer_info
{
103 AlgorithmIdentifier
*val
;
107 #define HX509_CERTS_FIND_SERIALNUMBER 1
108 #define HX509_CERTS_FIND_ISSUER 2
109 #define HX509_CERTS_FIND_SUBJECT 4
110 #define HX509_CERTS_FIND_ISSUER_KEY_ID 8
111 #define HX509_CERTS_FIND_SUBJECT_KEY_ID 16
113 struct hx509_name_data
{
122 struct hx509_query_data
{
124 #define HX509_QUERY_FIND_ISSUER_CERT 0x000001
125 #define HX509_QUERY_MATCH_SERIALNUMBER 0x000002
126 #define HX509_QUERY_MATCH_ISSUER_NAME 0x000004
127 #define HX509_QUERY_MATCH_SUBJECT_NAME 0x000008
128 #define HX509_QUERY_MATCH_SUBJECT_KEY_ID 0x000010
129 #define HX509_QUERY_MATCH_ISSUER_ID 0x000020
130 #define HX509_QUERY_PRIVATE_KEY 0x000040
131 #define HX509_QUERY_KU_ENCIPHERMENT 0x000080
132 #define HX509_QUERY_KU_DIGITALSIGNATURE 0x000100
133 #define HX509_QUERY_KU_KEYCERTSIGN 0x000200
134 #define HX509_QUERY_KU_CRLSIGN 0x000400
135 #define HX509_QUERY_KU_NONREPUDIATION 0x000800
136 #define HX509_QUERY_KU_KEYAGREEMENT 0x001000
137 #define HX509_QUERY_KU_DATAENCIPHERMENT 0x002000
138 #define HX509_QUERY_ANCHOR 0x004000
139 #define HX509_QUERY_MATCH_CERTIFICATE 0x008000
140 #define HX509_QUERY_MATCH_LOCAL_KEY_ID 0x010000
141 #define HX509_QUERY_NO_MATCH_PATH 0x020000
142 #define HX509_QUERY_MATCH_FRIENDLY_NAME 0x040000
143 #define HX509_QUERY_MATCH_FUNCTION 0x080000
144 #define HX509_QUERY_MATCH_KEY_HASH_SHA1 0x100000
145 #define HX509_QUERY_MATCH_TIME 0x200000
146 #define HX509_QUERY_MATCH_EKU 0x400000
147 #define HX509_QUERY_MATCH_EXPR 0x800000
148 #define HX509_QUERY_MASK 0xffffff
149 Certificate
*subject
;
150 Certificate
*certificate
;
151 heim_integer
*serial
;
152 heim_octet_string
*subject_id
;
153 heim_octet_string
*local_key_id
;
158 int (*cmp_func
)(hx509_context
, hx509_cert
, void *);
160 heim_octet_string
*keyhash_sha1
;
163 struct hx_expr
*expr
;
166 struct hx509_keyset_ops
{
169 int (*init
)(hx509_context
, hx509_certs
, void **,
170 int, const char *, hx509_lock
);
171 int (*store
)(hx509_context
, hx509_certs
, void *, int, hx509_lock
);
172 int (*free
)(hx509_certs
, void *);
173 int (*add
)(hx509_context
, hx509_certs
, void *, hx509_cert
);
174 int (*query
)(hx509_context
, hx509_certs
, void *,
175 const hx509_query
*, hx509_cert
*);
176 int (*iter_start
)(hx509_context
, hx509_certs
, void *, void **);
177 int (*iter
)(hx509_context
, hx509_certs
, void *, void *, hx509_cert
*);
178 int (*iter_end
)(hx509_context
, hx509_certs
, void *, void *);
179 int (*printinfo
)(hx509_context
, hx509_certs
,
180 void *, int (*)(void *, const char *), void *);
181 int (*getkeys
)(hx509_context
, hx509_certs
, void *, hx509_private_key
**);
182 int (*addkey
)(hx509_context
, hx509_certs
, void *, hx509_private_key
);
185 struct _hx509_password
{
190 extern hx509_lock _hx509_empty_lock
;
192 struct hx509_context_data
{
193 struct hx509_keyset_ops
**ks_ops
;
196 #define HX509_CTX_VERIFY_MISSING_OK 1
198 #define HX509_DEFAULT_OCSP_TIME_DIFF (5*60)
200 struct et_list
*et_list
;
202 hx509_certs default_trust_anchors
;
205 /* _hx509_calculate_path flag field */
206 #define HX509_CALCULATE_PATH_NO_ANCHOR 1
209 struct hx509_env_data
{
210 enum { env_string
, env_list
} type
;
212 struct hx509_env_data
*next
;
215 struct hx509_env_data
*list
;
220 extern const AlgorithmIdentifier
* _hx509_crypto_default_sig_alg
;
221 extern const AlgorithmIdentifier
* _hx509_crypto_default_digest_alg
;
222 extern const AlgorithmIdentifier
* _hx509_crypto_default_secret_alg
;
225 * Private bits from crypto.c, so crypto-ec.c can also see them.
227 * This is part of the use-OpenSSL-for-EC hack.
232 struct signature_alg
;
234 struct hx509_generate_private_context
{
235 const heim_oid
*key_oid
;
237 unsigned long num_bits
;
240 struct hx509_private_key_ops
{
242 const heim_oid
*key_oid
;
243 int (*available
)(const hx509_private_key
,
244 const AlgorithmIdentifier
*);
245 int (*get_spki
)(hx509_context
,
246 const hx509_private_key
,
247 SubjectPublicKeyInfo
*);
248 int (*export
)(hx509_context context
,
249 const hx509_private_key
,
251 heim_octet_string
*);
252 int (*import
)(hx509_context
, const AlgorithmIdentifier
*,
253 const void *, size_t, hx509_key_format_t
,
255 int (*generate_private_key
)(hx509_context
,
256 struct hx509_generate_private_context
*,
258 BIGNUM
*(*get_internal
)(hx509_context
, hx509_private_key
, const char *);
261 struct hx509_private_key
{
263 const struct signature_alg
*md
;
264 const heim_oid
*signature_alg
;
268 void *ecdsa
; /* EC_KEY */
270 hx509_private_key_ops
*ops
;
277 struct signature_alg
{
279 const heim_oid
*sig_oid
;
280 const AlgorithmIdentifier
*sig_alg
;
281 const heim_oid
*key_oid
;
282 const AlgorithmIdentifier
*digest_alg
;
284 #define PROVIDE_CONF 0x1
285 #define REQUIRE_SIGNER 0x2
286 #define SELF_SIGNED_OK 0x4
287 #define WEAK_SIG_ALG 0x8
289 #define SIG_DIGEST 0x100
290 #define SIG_PUBLIC_SIG 0x200
291 #define SIG_SECRET 0x400
293 #define RA_RSA_USES_DIGEST_INFO 0x1000000
295 time_t best_before
; /* refuse signature made after best before date */
296 const EVP_MD
*(*evp_md
)(void);
297 int (*verify_signature
)(hx509_context context
,
298 const struct signature_alg
*,
300 const AlgorithmIdentifier
*,
301 const heim_octet_string
*,
302 const heim_octet_string
*);
303 int (*create_signature
)(hx509_context
,
304 const struct signature_alg
*,
305 const hx509_private_key
,
306 const AlgorithmIdentifier
*,
307 const heim_octet_string
*,
308 AlgorithmIdentifier
*,
309 heim_octet_string
*);
314 * Configurable options
318 #define HX509_DEFAULT_ANCHORS "KEYCHAIN:system-anchors"