2 * Copyright (c) 2004 - 2016 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
56 #include <parse_units.h>
57 #include <parse_bytes.h>
59 #include <krb5-types.h>
61 #include <rfc2459_asn1.h>
62 #include <rfc4108_asn1.h>
64 #include <pkcs8_asn1.h>
65 #include <pkcs9_asn1.h>
66 #include <pkcs12_asn1.h>
67 #include <ocsp_asn1.h>
68 #include <pkcs10_asn1.h>
70 #include <pkinit_asn1.h>
82 * We use OpenSSL for EC, but to do this we need to disable cross-references
83 * between OpenSSL and hcrypto bn.h and such. Source files that use OpenSSL EC
84 * must define HEIM_NO_CRYPTO_HDRS before including this file.
87 #define HC_DEPRECATED_CRYPTO
88 #ifndef HEIM_NO_CRYPTO_HDRS
89 #include "crypto-headers.h"
92 struct hx509_keyset_ops
;
93 struct hx509_collector
;
94 struct hx509_generate_private_context
;
95 typedef struct hx509_path hx509_path
;
101 typedef void (*_hx509_cert_release_func
)(struct hx509_cert_data
*, void *);
106 #include <hx509-private.h>
107 #include <hx509_err.h>
109 struct hx509_peer_info
{
111 AlgorithmIdentifier
*val
;
115 #define HX509_CERTS_FIND_SERIALNUMBER 1
116 #define HX509_CERTS_FIND_ISSUER 2
117 #define HX509_CERTS_FIND_SUBJECT 4
118 #define HX509_CERTS_FIND_ISSUER_KEY_ID 8
119 #define HX509_CERTS_FIND_SUBJECT_KEY_ID 16
121 struct hx509_name_data
{
130 struct hx509_query_data
{
132 #define HX509_QUERY_FIND_ISSUER_CERT 0x000001
133 #define HX509_QUERY_MATCH_SERIALNUMBER 0x000002
134 #define HX509_QUERY_MATCH_ISSUER_NAME 0x000004
135 #define HX509_QUERY_MATCH_SUBJECT_NAME 0x000008
136 #define HX509_QUERY_MATCH_SUBJECT_KEY_ID 0x000010
137 #define HX509_QUERY_MATCH_ISSUER_ID 0x000020
138 #define HX509_QUERY_PRIVATE_KEY 0x000040
139 #define HX509_QUERY_KU_ENCIPHERMENT 0x000080
140 #define HX509_QUERY_KU_DIGITALSIGNATURE 0x000100
141 #define HX509_QUERY_KU_KEYCERTSIGN 0x000200
142 #define HX509_QUERY_KU_CRLSIGN 0x000400
143 #define HX509_QUERY_KU_NONREPUDIATION 0x000800
144 #define HX509_QUERY_KU_KEYAGREEMENT 0x001000
145 #define HX509_QUERY_KU_DATAENCIPHERMENT 0x002000
146 #define HX509_QUERY_ANCHOR 0x004000
147 #define HX509_QUERY_MATCH_CERTIFICATE 0x008000
148 #define HX509_QUERY_MATCH_LOCAL_KEY_ID 0x010000
149 #define HX509_QUERY_NO_MATCH_PATH 0x020000
150 #define HX509_QUERY_MATCH_FRIENDLY_NAME 0x040000
151 #define HX509_QUERY_MATCH_FUNCTION 0x080000
152 #define HX509_QUERY_MATCH_KEY_HASH_SHA1 0x100000
153 #define HX509_QUERY_MATCH_TIME 0x200000
154 #define HX509_QUERY_MATCH_EKU 0x400000
155 #define HX509_QUERY_MATCH_EXPR 0x800000
156 #define HX509_QUERY_MASK 0xffffff
157 Certificate
*subject
;
158 Certificate
*certificate
;
159 heim_integer
*serial
;
160 heim_octet_string
*subject_id
;
161 heim_octet_string
*local_key_id
;
166 int (*cmp_func
)(hx509_context
, hx509_cert
, void *);
168 heim_octet_string
*keyhash_sha1
;
171 struct hx_expr
*expr
;
174 struct hx509_keyset_ops
{
177 int (*init
)(hx509_context
, hx509_certs
, void **,
178 int, const char *, hx509_lock
);
179 int (*store
)(hx509_context
, hx509_certs
, void *, int, hx509_lock
);
180 int (*free
)(hx509_certs
, void *);
181 int (*add
)(hx509_context
, hx509_certs
, void *, hx509_cert
);
182 int (*query
)(hx509_context
, hx509_certs
, void *,
183 const hx509_query
*, hx509_cert
*);
184 int (*iter_start
)(hx509_context
, hx509_certs
, void *, void **);
185 int (*iter
)(hx509_context
, hx509_certs
, void *, void *, hx509_cert
*);
186 int (*iter_end
)(hx509_context
, hx509_certs
, void *, void *);
187 int (*printinfo
)(hx509_context
, hx509_certs
,
188 void *, int (*)(void *, const char *), void *);
189 int (*getkeys
)(hx509_context
, hx509_certs
, void *, hx509_private_key
**);
190 int (*addkey
)(hx509_context
, hx509_certs
, void *, hx509_private_key
);
191 int (*destroy
)(hx509_context
, hx509_certs
, void *);
194 struct _hx509_password
{
199 extern hx509_lock _hx509_empty_lock
;
201 struct hx509_context_data
{
202 struct hx509_keyset_ops
**ks_ops
;
205 #define HX509_CTX_VERIFY_MISSING_OK 1
207 #define HX509_DEFAULT_OCSP_TIME_DIFF (5*60)
209 struct et_list
*et_list
;
211 hx509_certs default_trust_anchors
;
212 heim_context hcontext
;
213 heim_config_section
*cf
;
216 /* _hx509_calculate_path flag field */
217 #define HX509_CALCULATE_PATH_NO_ANCHOR 1
220 struct hx509_env_data
{
221 enum { env_string
, env_list
} type
;
223 struct hx509_env_data
*next
;
226 struct hx509_env_data
*list
;
231 extern const AlgorithmIdentifier
* _hx509_crypto_default_sig_alg
;
232 extern const AlgorithmIdentifier
* _hx509_crypto_default_digest_alg
;
233 extern const AlgorithmIdentifier
* _hx509_crypto_default_secret_alg
;
236 * Private bits from crypto.c, so crypto-ec.c can also see them.
238 * This is part of the use-OpenSSL-for-EC hack.
243 struct signature_alg
;
245 struct hx509_generate_private_context
{
246 const heim_oid
*key_oid
;
248 unsigned long num_bits
;
251 struct hx509_private_key_ops
{
253 const heim_oid
*key_oid
;
254 int (*available
)(const hx509_private_key
,
255 const AlgorithmIdentifier
*);
256 int (*get_spki
)(hx509_context
,
257 const hx509_private_key
,
258 SubjectPublicKeyInfo
*);
259 int (*export
)(hx509_context context
,
260 const hx509_private_key
,
262 heim_octet_string
*);
263 int (*import
)(hx509_context
, const AlgorithmIdentifier
*,
264 const void *, size_t, hx509_key_format_t
,
266 int (*generate_private_key
)(hx509_context
,
267 struct hx509_generate_private_context
*,
269 BIGNUM
*(*get_internal
)(hx509_context
, hx509_private_key
, const char *);
272 struct hx509_private_key
{
274 const struct signature_alg
*md
;
275 const heim_oid
*signature_alg
;
279 void *ecdsa
; /* EC_KEY */
281 hx509_private_key_ops
*ops
;
288 struct signature_alg
{
290 const heim_oid
*sig_oid
;
291 const AlgorithmIdentifier
*sig_alg
;
292 const heim_oid
*key_oid
;
293 const AlgorithmIdentifier
*digest_alg
;
295 #define PROVIDE_CONF 0x1
296 #define REQUIRE_SIGNER 0x2
297 #define SELF_SIGNED_OK 0x4
298 #define WEAK_SIG_ALG 0x8
300 #define SIG_DIGEST 0x100
301 #define SIG_PUBLIC_SIG 0x200
302 #define SIG_SECRET 0x400
304 #define RA_RSA_USES_DIGEST_INFO 0x1000000
306 time_t best_before
; /* refuse signature made after best before date */
307 const EVP_MD
*(*evp_md
)(void);
308 int (*verify_signature
)(hx509_context context
,
309 const struct signature_alg
*,
311 const AlgorithmIdentifier
*,
312 const heim_octet_string
*,
313 const heim_octet_string
*);
314 int (*create_signature
)(hx509_context
,
315 const struct signature_alg
*,
316 const hx509_private_key
,
317 const AlgorithmIdentifier
*,
318 const heim_octet_string
*,
319 AlgorithmIdentifier
*,
320 heim_octet_string
*);
325 * Configurable options
329 #define HX509_DEFAULT_ANCHORS "KEYCHAIN:system-anchors"