lib/hx509/hx_locl.h

   1 /*
   2  * Copyright (c) 2004 - 2016 Kungliga Tekniska Högskolan
   3  * (Royal Institute of Technology, Stockholm, Sweden).
   4  * All rights reserved.
   5  *
   6  * Redistribution and use in source and binary forms, with or without
   7  * modification, are permitted provided that the following conditions
   8  * are met:
   9  *
  10  * 1. Redistributions of source code must retain the above copyright
  11  *    notice, this list of conditions and the following disclaimer.
  12  *
  13  * 2. Redistributions in binary form must reproduce the above copyright
  14  *    notice, this list of conditions and the following disclaimer in the
  15  *    documentation and/or other materials provided with the distribution.
  16  *
  17  * 3. Neither the name of the Institute nor the names of its contributors
  18  *    may be used to endorse or promote products derived from this software
  19  *    without specific prior written permission.
  20  *
  21  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
  22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
  25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  31  * SUCH DAMAGE.
  32  */
  33
  34 /* $Id$ */
  35
  36 #include <config.h>
  37
  38 #include <stdio.h>
  39 #include <stdlib.h>
  40 #include <ctype.h>
  41 #include <errno.h>
  42 #ifdef HAVE_STRINGS_H
  43 #include <strings.h>
  44 #endif
  45 #include <assert.h>
  46 #include <stdarg.h>
  47 #include <err.h>
  48 #include <limits.h>
  49
  50 #include <roken.h>
  51
  52 #include <getarg.h>
  53 #include <base64.h>
  54 #include <hex.h>
  55 #include <com_err.h>
  56 #include <parse_units.h>
  57 #include <parse_bytes.h>
  58
  59 #include <krb5-types.h>
  60
  61 #include <rfc2459_asn1.h>
  62 #include <cms_asn1.h>
  63 #include <pkcs8_asn1.h>
  64 #include <pkcs9_asn1.h>
  65 #include <pkcs12_asn1.h>
  66 #include <ocsp_asn1.h>
  67 #include <pkcs10_asn1.h>
  68 #include <asn1_err.h>
  69 #include <pkinit_asn1.h>
  70
  71 #include <der.h>
  72
  73 /*
  74  * We use OpenSSL for EC, but to do this we need to disable cross-references
  75  * between OpenSSL and hcrypto bn.h and such.  Source files that use OpenSSL EC
  76  * must define HEIM_NO_CRYPTO_HDRS before including this file.
  77  */
  78
  79 #define HC_DEPRECATED_CRYPTO
  80 #ifndef HEIM_NO_CRYPTO_HDRS
  81 #include "crypto-headers.h"
  82 #endif
  83
  84 struct hx509_keyset_ops;
  85 struct hx509_collector;
  86 struct hx509_generate_private_context;
  87 typedef struct hx509_path hx509_path;
  88
  89 #include <heimbase.h>
  90
  91 #include <hx509.h>
  92
  93 typedef void (*_hx509_cert_release_func)(struct hx509_cert_data *, void *);
  94
  95
  96 #include "sel.h"
  97
  98 #include <hx509-private.h>
  99 #include <hx509_err.h>
 100
 101 struct hx509_peer_info {
 102     hx509_cert cert;
 103     AlgorithmIdentifier *val;
 104     size_t len;
 105 };
 106
 107 #define HX509_CERTS_FIND_SERIALNUMBER           1
 108 #define HX509_CERTS_FIND_ISSUER                 2
 109 #define HX509_CERTS_FIND_SUBJECT                4
 110 #define HX509_CERTS_FIND_ISSUER_KEY_ID          8
 111 #define HX509_CERTS_FIND_SUBJECT_KEY_ID         16
 112
 113 struct hx509_name_data {
 114     Name der_name;
 115 };
 116
 117 struct hx509_path {
 118     size_t len;
 119     hx509_cert *val;
 120 };
 121
 122 struct hx509_query_data {
 123     int match;
 124 #define HX509_QUERY_FIND_ISSUER_CERT            0x000001
 125 #define HX509_QUERY_MATCH_SERIALNUMBER          0x000002
 126 #define HX509_QUERY_MATCH_ISSUER_NAME           0x000004
 127 #define HX509_QUERY_MATCH_SUBJECT_NAME          0x000008
 128 #define HX509_QUERY_MATCH_SUBJECT_KEY_ID        0x000010
 129 #define HX509_QUERY_MATCH_ISSUER_ID             0x000020
 130 #define HX509_QUERY_PRIVATE_KEY                 0x000040
 131 #define HX509_QUERY_KU_ENCIPHERMENT             0x000080
 132 #define HX509_QUERY_KU_DIGITALSIGNATURE         0x000100
 133 #define HX509_QUERY_KU_KEYCERTSIGN              0x000200
 134 #define HX509_QUERY_KU_CRLSIGN                  0x000400
 135 #define HX509_QUERY_KU_NONREPUDIATION           0x000800
 136 #define HX509_QUERY_KU_KEYAGREEMENT             0x001000
 137 #define HX509_QUERY_KU_DATAENCIPHERMENT         0x002000
 138 #define HX509_QUERY_ANCHOR                      0x004000
 139 #define HX509_QUERY_MATCH_CERTIFICATE           0x008000
 140 #define HX509_QUERY_MATCH_LOCAL_KEY_ID          0x010000
 141 #define HX509_QUERY_NO_MATCH_PATH               0x020000
 142 #define HX509_QUERY_MATCH_FRIENDLY_NAME         0x040000
 143 #define HX509_QUERY_MATCH_FUNCTION              0x080000
 144 #define HX509_QUERY_MATCH_KEY_HASH_SHA1         0x100000
 145 #define HX509_QUERY_MATCH_TIME                  0x200000
 146 #define HX509_QUERY_MATCH_EKU                   0x400000
 147 #define HX509_QUERY_MATCH_EXPR                  0x800000
 148 #define HX509_QUERY_MASK                        0xffffff
 149     Certificate *subject;
 150     Certificate *certificate;
 151     heim_integer *serial;
 152     heim_octet_string *subject_id;
 153     heim_octet_string *local_key_id;
 154     Name *issuer_name;
 155     Name *subject_name;
 156     hx509_path *path;
 157     char *friendlyname;
 158     int (*cmp_func)(hx509_context, hx509_cert, void *);
 159     void *cmp_func_ctx;
 160     heim_octet_string *keyhash_sha1;
 161     time_t timenow;
 162     heim_oid *eku;
 163     struct hx_expr *expr;
 164 };
 165
 166 struct hx509_keyset_ops {
 167     const char *name;
 168     int flags;
 169     int (*init)(hx509_context, hx509_certs, void **,
 170                 int, const char *, hx509_lock);
 171     int (*store)(hx509_context, hx509_certs, void *, int, hx509_lock);
 172     int (*free)(hx509_certs, void *);
 173     int (*add)(hx509_context, hx509_certs, void *, hx509_cert);
 174     int (*query)(hx509_context, hx509_certs, void *,
 175                  const hx509_query *, hx509_cert *);
 176     int (*iter_start)(hx509_context, hx509_certs, void *, void **);
 177     int (*iter)(hx509_context, hx509_certs, void *, void *, hx509_cert *);
 178     int (*iter_end)(hx509_context, hx509_certs, void *, void *);
 179     int (*printinfo)(hx509_context, hx509_certs,
 180                      void *, int (*)(void *, const char *), void *);
 181     int (*getkeys)(hx509_context, hx509_certs, void *, hx509_private_key **);
 182     int (*addkey)(hx509_context, hx509_certs, void *, hx509_private_key);
 183 };
 184
 185 struct _hx509_password {
 186     size_t len;
 187     char **val;
 188 };
 189
 190 extern hx509_lock _hx509_empty_lock;
 191
 192 struct hx509_context_data {
 193     struct hx509_keyset_ops **ks_ops;
 194     int ks_num_ops;
 195     int flags;
 196 #define HX509_CTX_VERIFY_MISSING_OK     1
 197     int ocsp_time_diff;
 198 #define HX509_DEFAULT_OCSP_TIME_DIFF    (5*60)
 199     heim_error_t error;
 200     struct et_list *et_list;
 201     char *querystat;
 202     hx509_certs default_trust_anchors;
 203 };
 204
 205 /* _hx509_calculate_path flag field */
 206 #define HX509_CALCULATE_PATH_NO_ANCHOR 1
 207
 208 /* environment */
 209 struct hx509_env_data {
 210     enum { env_string, env_list } type;
 211     char *name;
 212     struct hx509_env_data *next;
 213     union {
 214         char *string;
 215         struct hx509_env_data *list;
 216     } u;
 217 };
 218
 219
 220 extern const AlgorithmIdentifier * _hx509_crypto_default_sig_alg;
 221 extern const AlgorithmIdentifier * _hx509_crypto_default_digest_alg;
 222 extern const AlgorithmIdentifier * _hx509_crypto_default_secret_alg;
 223
 224 /*
 225  * Private bits from crypto.c, so crypto-ec.c can also see them.
 226  *
 227  * This is part of the use-OpenSSL-for-EC hack.
 228  */
 229
 230 struct hx509_crypto;
 231
 232 struct signature_alg;
 233
 234 struct hx509_generate_private_context {
 235     const heim_oid *key_oid;
 236     int isCA;
 237     unsigned long num_bits;
 238 };
 239
 240 struct hx509_private_key_ops {
 241     const char *pemtype;
 242     const heim_oid *key_oid;
 243     int (*available)(const hx509_private_key,
 244                      const AlgorithmIdentifier *);
 245     int (*get_spki)(hx509_context,
 246                     const hx509_private_key,
 247                     SubjectPublicKeyInfo *);
 248     int (*export)(hx509_context context,
 249                   const hx509_private_key,
 250                   hx509_key_format_t,
 251                   heim_octet_string *);
 252     int (*import)(hx509_context, const AlgorithmIdentifier *,
 253                   const void *, size_t, hx509_key_format_t,
 254                   hx509_private_key);
 255     int (*generate_private_key)(hx509_context,
 256                                 struct hx509_generate_private_context *,
 257                                 hx509_private_key);
 258     BIGNUM *(*get_internal)(hx509_context, hx509_private_key, const char *);
 259 };
 260
 261 struct hx509_private_key {
 262     unsigned int ref;
 263     const struct signature_alg *md;
 264     const heim_oid *signature_alg;
 265     union {
 266         RSA *rsa;
 267         void *keydata;
 268         void *ecdsa; /* EC_KEY */
 269     } private_key;
 270     hx509_private_key_ops *ops;
 271 };
 272
 273 /*
 274  *
 275  */
 276
 277 struct signature_alg {
 278     const char *name;
 279     const heim_oid *sig_oid;
 280     const AlgorithmIdentifier *sig_alg;
 281     const heim_oid *key_oid;
 282     const AlgorithmIdentifier *digest_alg;
 283     int flags;
 284 #define PROVIDE_CONF    0x1
 285 #define REQUIRE_SIGNER  0x2
 286 #define SELF_SIGNED_OK  0x4
 287 #define WEAK_SIG_ALG    0x8
 288
 289 #define SIG_DIGEST      0x100
 290 #define SIG_PUBLIC_SIG  0x200
 291 #define SIG_SECRET      0x400
 292
 293 #define RA_RSA_USES_DIGEST_INFO 0x1000000
 294
 295     time_t best_before; /* refuse signature made after best before date */
 296     const EVP_MD *(*evp_md)(void);
 297     int (*verify_signature)(hx509_context context,
 298                             const struct signature_alg *,
 299                             const Certificate *,
 300                             const AlgorithmIdentifier *,
 301                             const heim_octet_string *,
 302                             const heim_octet_string *);
 303     int (*create_signature)(hx509_context,
 304                             const struct signature_alg *,
 305                             const hx509_private_key,
 306                             const AlgorithmIdentifier *,
 307                             const heim_octet_string *,
 308                             AlgorithmIdentifier *,
 309                             heim_octet_string *);
 310     int digest_size;
 311 };
 312
 313 /*
 314  * Configurable options
 315  */
 316
 317 #ifdef __APPLE__
 318 #define HX509_DEFAULT_ANCHORS "KEYCHAIN:system-anchors"
 319 #endif