Context Navigation

asn.h@ 389

Last change on this file since 389 was 389, checked in by coas-nagasima, 5 years ago
ビルドが通るよう更新
Property svn:eol-style set to `native` Property svn:mime-type set to `text/x-chdr;charset=UTF-8`
File size: 42.4 KB

Line
1	/* asn.h
2	*
3	* Copyright (C) 2006-2017 wolfSSL Inc.
4	*
5	* This file is part of wolfSSL.
6	*
7	* wolfSSL is free software; you can redistribute it and/or modify
8	* it under the terms of the GNU General Public License as published by
9	* the Free Software Foundation; either version 2 of the License, or
10	* (at your option) any later version.
11	*
12	* wolfSSL is distributed in the hope that it will be useful,
13	* but WITHOUT ANY WARRANTY; without even the implied warranty of
14	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15	* GNU General Public License for more details.
16	*
17	* You should have received a copy of the GNU General Public License
18	* along with this program; if not, write to the Free Software
19	* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
20	*/
21
22	/*!
23	\file wolfssl/wolfcrypt/asn.h
24	*/
25
26	#ifndef WOLF_CRYPT_ASN_H
27	#define WOLF_CRYPT_ASN_H
28
29	#include <wolfssl/wolfcrypt/types.h>
30
31	#ifndef NO_ASN
32
33
34	#if !defined(NO_ASN_TIME) && defined(NO_TIME_H)
35	#define NO_ASN_TIME /* backwards compatibility with NO_TIME_H */
36	#endif
37
38	#include <wolfssl/wolfcrypt/integer.h>
39
40	/* fips declare of RsaPrivateKeyDecode @wc_fips */
41	#if defined(HAVE_FIPS) && !defined(NO_RSA) && \
42	(!defined(HAVE_FIPS_VERSION) \|\| (HAVE_FIPS_VERSION < 2))
43	#include <cyassl/ctaocrypt/rsa.h>
44	#endif
45
46	#ifndef NO_DH
47	#include <wolfssl/wolfcrypt/dh.h>
48	#endif
49	#ifndef NO_DSA
50	#include <wolfssl/wolfcrypt/dsa.h>
51	#endif
52	#ifndef NO_SHA
53	#include <wolfssl/wolfcrypt/sha.h>
54	#endif
55	#ifndef NO_MD5
56	#include <wolfssl/wolfcrypt/md5.h>
57	#endif
58	#include <wolfssl/wolfcrypt/sha256.h>
59	#include <wolfssl/wolfcrypt/asn_public.h> /* public interface */
60
61	#if defined(NO_SHA) && defined(NO_SHA256)
62	#define WC_SHA256_DIGEST_SIZE 32
63	#endif
64
65	#ifdef __cplusplus
66	extern "C" {
67	#endif
68
69	enum {
70	ISSUER = 0,
71	SUBJECT = 1,
72
73	EXTERNAL_SERIAL_SIZE = 32,
74
75	BEFORE = 0,
76	AFTER = 1
77	};
78
79	/* ASN Tags */
80	enum ASN_Tags {
81	ASN_BOOLEAN = 0x01,
82	ASN_INTEGER = 0x02,
83	ASN_BIT_STRING = 0x03,
84	ASN_OCTET_STRING = 0x04,
85	ASN_TAG_NULL = 0x05,
86	ASN_OBJECT_ID = 0x06,
87	ASN_ENUMERATED = 0x0a,
88	ASN_UTF8STRING = 0x0c,
89	ASN_SEQUENCE = 0x10,
90	ASN_SET = 0x11,
91	ASN_PRINTABLE_STRING = 0x13,
92	ASN_UTC_TIME = 0x17,
93	ASN_OTHER_TYPE = 0x00,
94	ASN_RFC822_TYPE = 0x01,
95	ASN_DNS_TYPE = 0x02,
96	ASN_DIR_TYPE = 0x04,
97	ASN_URI_TYPE = 0x06, /* the value 6 is from GeneralName OID */
98	ASN_GENERALIZED_TIME = 0x18,
99	CRL_EXTENSIONS = 0xa0,
100	ASN_EXTENSIONS = 0xa3,
101	ASN_LONG_LENGTH = 0x80,
102	ASN_INDEF_LENGTH = 0x80,
103
104	/* ASN_Flags - Bitmask */
105	ASN_CONSTRUCTED = 0x20,
106	ASN_APPLICATION = 0x40,
107	ASN_CONTEXT_SPECIFIC = 0x80,
108	};
109
110	#define ASN_UTC_TIME_SIZE 14
111	#define ASN_GENERALIZED_TIME_SIZE 16
112	#define ASN_GENERALIZED_TIME_MAX 68
113
114	enum DN_Tags {
115	ASN_COMMON_NAME = 0x03, /* CN */
116	ASN_SUR_NAME = 0x04, /* SN */
117	ASN_SERIAL_NUMBER = 0x05, /* serialNumber */
118	ASN_COUNTRY_NAME = 0x06, /* C */
119	ASN_LOCALITY_NAME = 0x07, /* L */
120	ASN_STATE_NAME = 0x08, /* ST */
121	ASN_ORG_NAME = 0x0a, /* O */
122	ASN_ORGUNIT_NAME = 0x0b, /* OU */
123	ASN_BUS_CAT = 0x0f, /* businessCategory */
124	ASN_EMAIL_NAME = 0x98, /* not oid number there is 97 in 2.5.4.0-97 */
125
126	/* pilot attribute types
127	* OID values of 0.9.2342.19200300.100.1.* */
128	ASN_USER_ID = 0x01, /* UID */
129	ASN_DOMAIN_COMPONENT = 0x19 /* DC */
130	};
131
132	/* DN Tag Strings */
133	#define WOLFSSL_COMMON_NAME "/CN="
134	#define WOLFSSL_SUR_NAME "/SN="
135	#define WOLFSSL_SERIAL_NUMBER "/serialNumber="
136	#define WOLFSSL_COUNTRY_NAME "/C="
137	#define WOLFSSL_LOCALITY_NAME "/L="
138	#define WOLFSSL_STATE_NAME "/ST="
139	#define WOLFSSL_ORG_NAME "/O="
140	#define WOLFSSL_ORGUNIT_NAME "/OU="
141	#define WOLFSSL_DOMAIN_COMPONENT "/DC="
142	#define WOLFSSL_BUS_CAT "/businessCategory="
143	#define WOLFSSL_JOI_C "/jurisdictionC="
144	#define WOLFSSL_JOI_ST "/jurisdictionST="
145	#define WOLFSSL_EMAIL_ADDR "/emailAddress="
146
147	/* NIDs */
148	enum
149	{
150	NID_undef = 0,
151	NID_des = 66,
152	NID_des3 = 67,
153	NID_sha256 = 672,
154	NID_sha384 = 673,
155	NID_sha512 = 674,
156	NID_hw_name_oid = 73,
157	NID_id_pkix_OCSP_basic = 74,
158	NID_any_policy = 75,
159	NID_anyExtendedKeyUsage = 76,
160	NID_basic_constraints = 133,
161	NID_key_usage = 129, /* 2.5.29.15 */
162	NID_ext_key_usage = 151, /* 2.5.29.37 */
163	NID_subject_key_identifier = 128,
164	NID_authority_key_identifier = 149,
165	NID_private_key_usage_period = 130, /* 2.5.29.16 */
166	NID_subject_alt_name = 131,
167	NID_issuer_alt_name = 132,
168	NID_info_access = 69,
169	NID_sinfo_access = 79, /* id-pe 11 */
170	NID_name_constraints = 144, /* 2.5.29.30 */
171	NID_certificate_policies = 146,
172	NID_policy_mappings = 147,
173	NID_policy_constraints = 150,
174	NID_inhibit_any_policy = 168, /* 2.5.29.54 */
175	NID_tlsfeature = 92, /* id-pe 24 */
176	NID_commonName = 0x03, /* matchs ASN_COMMON_NAME in asn.h */
177	NID_surname = 0x04, /* SN */
178	NID_serialNumber = 0x05, /* serialNumber */
179	NID_countryName = 0x06, /* C */
180	NID_localityName = 0x07, /* L */
181	NID_stateOrProvinceName = 0x08, /* ST */
182	NID_organizationName = 0x0a, /* O */
183	NID_organizationalUnitName = 0x0b, /* OU */
184	NID_domainComponent = 0x19, /* matchs ASN_DOMAIN_COMPONENT in asn.h */
185	NID_emailAddress = 0x30, /* emailAddress */
186	};
187
188	enum ECC_TYPES
189	{
190	ECC_PREFIX_0 = 160,
191	ECC_PREFIX_1 = 161
192	};
193
194	#ifdef WOLFSSL_CERT_PIV
195	enum PIV_Tags {
196	ASN_PIV_CERT = 0x0A,
197	ASN_PIV_NONCE = 0x0B,
198	ASN_PIV_SIGNED_NONCE = 0x0C,
199
200	ASN_PIV_TAG_CERT = 0x70,
201	ASN_PIV_TAG_CERT_INFO = 0x71,
202	ASN_PIV_TAG_MSCUID = 0x72,
203	ASN_PIV_TAG_ERR_DET = 0xFE,
204
205	/* certificate info masks */
206	ASN_PIV_CERT_INFO_COMPRESSED = 0x03,
207	ASN_PIV_CERT_INFO_ISX509 = 0x04,
208	};
209	#endif /* WOLFSSL_CERT_PIV */
210
211
212	#define ASN_JOI_PREFIX "\x2b\x06\x01\x04\x01\x82\x37\x3c\x02\x01"
213	#define ASN_JOI_C 0x3
214	#define ASN_JOI_ST 0x2
215
216	#ifndef WC_ASN_NAME_MAX
217	#define WC_ASN_NAME_MAX 256
218	#endif
219
220	enum Misc_ASN {
221	ASN_NAME_MAX = WC_ASN_NAME_MAX,
222	MAX_SALT_SIZE = 64, /* MAX PKCS Salt length */
223	MAX_IV_SIZE = 64, /* MAX PKCS Iv length */
224	ASN_BOOL_SIZE = 2, /* including type */
225	ASN_ECC_HEADER_SZ = 2, /* String type + 1 byte len */
226	ASN_ECC_CONTEXT_SZ = 2, /* Content specific type + 1 byte len */
227	#ifdef NO_SHA
228	KEYID_SIZE = WC_SHA256_DIGEST_SIZE,
229	#else
230	KEYID_SIZE = WC_SHA_DIGEST_SIZE,
231	#endif
232	RSA_INTS = 8, /* RSA ints in private key */
233	DSA_INTS = 5, /* DSA ints in private key */
234	MIN_DATE_SIZE = 13,
235	MAX_DATE_SIZE = 32,
236	ASN_GEN_TIME_SZ = 15, /* 7 numbers * 2 + Zulu tag */
237	#ifndef NO_RSA
238	MAX_ENCODED_SIG_SZ = 512,
239	#elif defined(HAVE_ECC)
240	MAX_ENCODED_SIG_SZ = 140,
241	#else
242	MAX_ENCODED_SIG_SZ = 64,
243	#endif
244	MAX_SIG_SZ = 256,
245	MAX_ALGO_SZ = 20,
246	MAX_SHORT_SZ = 6, /* asn int + byte len + 4 byte length */
247	MAX_SEQ_SZ = 5, /* enum(seq \| con) + length(4) */
248	MAX_SET_SZ = 5, /* enum(set \| con) + length(4) */
249	MAX_OCTET_STR_SZ = 5, /* enum(set \| con) + length(4) */
250	MAX_EXP_SZ = 5, /* enum(contextspec\|con\|exp) + length(4) */
251	MAX_PRSTR_SZ = 5, /* enum(prstr) + length(4) */
252	MAX_VERSION_SZ = 5, /* enum + id + version(byte) + (header(2))*/
253	MAX_ENCODED_DIG_ASN_SZ= 9, /* enum(bit or octet) + length(4) */
254	MAX_ENCODED_DIG_SZ = 64 + MAX_ENCODED_DIG_ASN_SZ, /* asn header + sha512 */
255	MAX_RSA_INT_SZ = 517, /* RSA raw sz 4096 for bits + tag + len(4) */
256	MAX_NTRU_KEY_SZ = 610, /* NTRU 112 bit public key */
257	MAX_NTRU_ENC_SZ = 628, /* NTRU 112 bit DER public encoding */
258	MAX_LENGTH_SZ = 4, /* Max length size for DER encoding */
259	MAX_RSA_E_SZ = 16, /* Max RSA public e size */
260	MAX_CA_SZ = 32, /* Max encoded CA basic constraint length */
261	MAX_SN_SZ = 35, /* Max encoded serial number (INT) length */
262	MAX_DER_DIGEST_SZ = MAX_ENCODED_DIG_SZ + MAX_ALGO_SZ + MAX_SEQ_SZ,
263	/* Maximum DER digest size */
264	MAX_DER_DIGEST_ASN_SZ = MAX_ENCODED_DIG_ASN_SZ + MAX_ALGO_SZ + MAX_SEQ_SZ,
265	/* Maximum DER digest ASN header size */
266	#ifdef WOLFSSL_CERT_GEN
267	#ifdef WOLFSSL_CERT_REQ
268	/* Max encoded cert req attributes length */
269	MAX_ATTRIB_SZ = MAX_SEQ_SZ * 3 + (11 + MAX_SEQ_SZ) * 2 +
270	MAX_PRSTR_SZ + CTC_NAME_SIZE, /* 11 is the OID size */
271	#endif
272	#if defined(WOLFSSL_ALT_NAMES) \|\| defined(WOLFSSL_CERT_EXT)
273	MAX_EXTENSIONS_SZ = 1 + MAX_LENGTH_SZ + CTC_MAX_ALT_SIZE,
274	#else
275	MAX_EXTENSIONS_SZ = 1 + MAX_LENGTH_SZ + MAX_CA_SZ,
276	#endif
277	/* Max total extensions, id + len + others */
278	#endif
279	#if defined(WOLFSSL_CERT_EXT) \|\| defined(OPENSSL_EXTRA) \|\| defined(HAVE_PKCS7)
280	MAX_OID_SZ = 32, /* Max DER length of OID*/
281	MAX_OID_STRING_SZ = 64, /* Max string length representation of OID*/
282	#endif
283	#ifdef WOLFSSL_CERT_EXT
284	MAX_KID_SZ = 45, /* Max encoded KID length (SHA-256 case) */
285	MAX_KEYUSAGE_SZ = 18, /* Max encoded Key Usage length */
286	MAX_EXTKEYUSAGE_SZ = 12 + (6 * (8 + 2)) +
287	CTC_MAX_EKU_OID_SZ, /* Max encoded ExtKeyUsage
288	(SEQ/LEN + OBJID + OCTSTR/LEN + SEQ +
289	(6 * (SEQ + OID))) */
290	MAX_CERTPOL_NB = CTC_MAX_CERTPOL_NB,/* Max number of Cert Policy */
291	MAX_CERTPOL_SZ = CTC_MAX_CERTPOL_SZ,
292	#endif
293	MAX_NAME_ENTRIES = 5, /* extra entries added to x509 name struct */
294	OCSP_NONCE_EXT_SZ = 35, /* OCSP Nonce Extension size */
295	MAX_OCSP_EXT_SZ = 58, /* Max OCSP Extension length */
296	MAX_OCSP_NONCE_SZ = 16, /* OCSP Nonce size */
297	EIGHTK_BUF = 8192, /* Tmp buffer size */
298	MAX_PUBLIC_KEY_SZ = MAX_NTRU_ENC_SZ + MAX_ALGO_SZ + MAX_SEQ_SZ * 2,
299	/* use bigger NTRU size */
300	#ifdef WOLFSSL_ENCRYPTED_KEYS
301	HEADER_ENCRYPTED_KEY_SIZE = 88,/* Extra header size for encrypted key */
302	#else
303	HEADER_ENCRYPTED_KEY_SIZE = 0,
304	#endif
305	TRAILING_ZERO = 1, /* Used for size of zero pad */
306	ASN_TAG_SZ = 1, /* single byte ASN.1 tag */
307	MIN_VERSION_SZ = 3, /* Min bytes needed for GetMyVersion */
308	#if defined(OPENSSL_ALL) \|\| defined(WOLFSSL_MYSQL_COMPATIBLE) \|\| \
309	defined(WOLFSSL_NGINX) \|\| defined(WOLFSSL_HAPROXY) \|\| \
310	defined(OPENSSL_EXTRA) \|\| defined(HAVE_PKCS7)
311	MAX_TIME_STRING_SZ = 25, /* Max length of formatted time string */
312	#endif
313
314	PKCS5_SALT_SZ = 8,
315
316	PEM_LINE_LEN = 80, /* PEM line max + fudge */
317	};
318
319
320	enum Oid_Types {
321	oidHashType = 0,
322	oidSigType = 1,
323	oidKeyType = 2,
324	oidCurveType = 3,
325	oidBlkType = 4,
326	oidOcspType = 5,
327	oidCertExtType = 6,
328	oidCertAuthInfoType = 7,
329	oidCertPolicyType = 8,
330	oidCertAltNameType = 9,
331	oidCertKeyUseType = 10,
332	oidKdfType = 11,
333	oidKeyWrapType = 12,
334	oidCmsKeyAgreeType = 13,
335	oidPBEType = 14,
336	oidHmacType = 15,
337	oidCompressType = 16,
338	oidCertNameType = 17,
339	oidIgnoreType
340	};
341
342
343	enum Hash_Sum {
344	MD2h = 646,
345	MD5h = 649,
346	SHAh = 88,
347	SHA224h = 417,
348	SHA256h = 414,
349	SHA384h = 415,
350	SHA512h = 416
351	};
352
353
354	#if !defined(NO_DES3) \|\| !defined(NO_AES)
355	enum Block_Sum {
356	#ifdef WOLFSSL_AES_128
357	AES128CBCb = 414,
358	AES128GCMb = 418,
359	AES128CCMb = 419,
360	#endif
361	#ifdef WOLFSSL_AES_192
362	AES192CBCb = 434,
363	AES192GCMb = 438,
364	AES192CCMb = 439,
365	#endif
366	#ifdef WOLFSSL_AES_256
367	AES256CBCb = 454,
368	AES256GCMb = 458,
369	AES256CCMb = 459,
370	#endif
371	#ifndef NO_DES3
372	DESb = 69,
373	DES3b = 652
374	#endif
375	};
376	#endif /* !NO_DES3 \|\| !NO_AES */
377
378
379	enum Key_Sum {
380	DSAk = 515,
381	RSAk = 645,
382	NTRUk = 274,
383	ECDSAk = 518,
384	ED25519k = 256
385	};
386
387
388	#if !defined(NO_AES) \|\| defined(HAVE_PKCS7)
389	enum KeyWrap_Sum {
390	#ifdef WOLFSSL_AES_128
391	AES128_WRAP = 417,
392	#endif
393	#ifdef WOLFSSL_AES_192
394	AES192_WRAP = 437,
395	#endif
396	#ifdef WOLFSSL_AES_256
397	AES256_WRAP = 457,
398	#endif
399	#ifdef HAVE_PKCS7
400	PWRI_KEK_WRAP = 680 /id-alg-PWRI-KEK, 1.2.840.113549.1.9.16.3.9 /
401	#endif
402	};
403	#endif /* !NO_AES \|\| PKCS7 */
404
405	enum Key_Agree {
406	dhSinglePass_stdDH_sha1kdf_scheme = 464,
407	dhSinglePass_stdDH_sha224kdf_scheme = 188,
408	dhSinglePass_stdDH_sha256kdf_scheme = 189,
409	dhSinglePass_stdDH_sha384kdf_scheme = 190,
410	dhSinglePass_stdDH_sha512kdf_scheme = 191,
411	};
412
413
414	enum Ecc_Sum {
415	ECC_SECP112R1_OID = 182,
416	ECC_SECP112R2_OID = 183,
417	ECC_SECP128R1_OID = 204,
418	ECC_SECP128R2_OID = 205,
419	ECC_SECP160R1_OID = 184,
420	ECC_SECP160R2_OID = 206,
421	ECC_SECP160K1_OID = 185,
422	ECC_BRAINPOOLP160R1_OID = 98,
423	ECC_SECP192R1_OID = 520,
424	ECC_PRIME192V2_OID = 521,
425	ECC_PRIME192V3_OID = 522,
426	ECC_SECP192K1_OID = 207,
427	ECC_BRAINPOOLP192R1_OID = 100,
428	ECC_SECP224R1_OID = 209,
429	ECC_SECP224K1_OID = 208,
430	ECC_BRAINPOOLP224R1_OID = 102,
431	ECC_PRIME239V1_OID = 523,
432	ECC_PRIME239V2_OID = 524,
433	ECC_PRIME239V3_OID = 525,
434	ECC_SECP256R1_OID = 526,
435	ECC_SECP256K1_OID = 186,
436	ECC_BRAINPOOLP256R1_OID = 104,
437	ECC_X25519_OID = 365,
438	ECC_ED25519_OID = 256,
439	ECC_BRAINPOOLP320R1_OID = 106,
440	ECC_SECP384R1_OID = 210,
441	ECC_BRAINPOOLP384R1_OID = 108,
442	ECC_BRAINPOOLP512R1_OID = 110,
443	ECC_SECP521R1_OID = 211,
444	};
445
446
447	enum KDF_Sum {
448	PBKDF2_OID = 660
449	};
450
451
452	enum HMAC_Sum {
453	HMAC_SHA224_OID = 652,
454	HMAC_SHA256_OID = 653,
455	HMAC_SHA384_OID = 654,
456	HMAC_SHA512_OID = 655
457	};
458
459
460	enum Extensions_Sum {
461	BASIC_CA_OID = 133,
462	ALT_NAMES_OID = 131,
463	CRL_DIST_OID = 145,
464	AUTH_INFO_OID = 69, /* id-pe 1 */
465	AUTH_KEY_OID = 149,
466	SUBJ_KEY_OID = 128,
467	CERT_POLICY_OID = 146,
468	KEY_USAGE_OID = 129, /* 2.5.29.15 */
469	INHIBIT_ANY_OID = 168, /* 2.5.29.54 */
470	EXT_KEY_USAGE_OID = 151, /* 2.5.29.37 */
471	NAME_CONS_OID = 144, /* 2.5.29.30 */
472	PRIV_KEY_USAGE_PERIOD_OID = 130, /* 2.5.29.16 */
473	SUBJECT_INFO_ACCESS = 79, /* id-pe 11 */
474	POLICY_MAP_OID = 147,
475	POLICY_CONST_OID = 150,
476	ISSUE_ALT_NAMES_OID = 132,
477	TLS_FEATURE_OID = 92 /* id-pe 24 */
478	};
479
480	enum CertificatePolicy_Sum {
481	CP_ANY_OID = 146 /* id-ce 32 0 */
482	};
483
484	enum SepHardwareName_Sum {
485	HW_NAME_OID = 79 /* 1.3.6.1.5.5.7.8.4 from RFC 4108*/
486	};
487
488	enum AuthInfo_Sum {
489	AIA_OCSP_OID = 116, /* 1.3.6.1.5.5.7.48.1 */
490	AIA_CA_ISSUER_OID = 117 /* 1.3.6.1.5.5.7.48.2 */
491	};
492
493	enum ExtKeyUsage_Sum { /* From RFC 5280 */
494	EKU_ANY_OID = 151, /* 2.5.29.37.0, anyExtendedKeyUsage */
495	EKU_SERVER_AUTH_OID = 71, /* 1.3.6.1.5.5.7.3.1, id-kp-serverAuth */
496	EKU_CLIENT_AUTH_OID = 72, /* 1.3.6.1.5.5.7.3.2, id-kp-clientAuth */
497	EKU_CODESIGNING_OID = 73, /* 1.3.6.1.5.5.7.3.3, id-kp-codeSigning */
498	EKU_EMAILPROTECT_OID = 74, /* 1.3.6.1.5.5.7.3.4, id-kp-emailProtection */
499	EKU_TIMESTAMP_OID = 78, /* 1.3.6.1.5.5.7.3.8, id-kp-timeStamping */
500	EKU_OCSP_SIGN_OID = 79 /* 1.3.6.1.5.5.7.3.9, id-kp-OCSPSigning */
501	};
502
503	#ifdef HAVE_LIBZ
504	enum CompressAlg_Sum {
505	ZLIBc = 679 /* 1.2.840.113549.1.9.16.3.8, id-alg-zlibCompress */
506	};
507	#endif
508
509	enum VerifyType {
510	NO_VERIFY = 0,
511	VERIFY = 1,
512	VERIFY_CRL = 2,
513	VERIFY_OCSP = 3,
514	VERIFY_NAME = 4
515	};
516
517	#ifdef WOLFSSL_CERT_EXT
518	enum KeyIdType {
519	SKID_TYPE = 0,
520	AKID_TYPE = 1
521	};
522	#endif
523
524	/* Key usage extension bits (based on RFC 5280) */
525	#define KEYUSE_DIGITAL_SIG 0x0080
526	#define KEYUSE_CONTENT_COMMIT 0x0040
527	#define KEYUSE_KEY_ENCIPHER 0x0020
528	#define KEYUSE_DATA_ENCIPHER 0x0010
529	#define KEYUSE_KEY_AGREE 0x0008
530	#define KEYUSE_KEY_CERT_SIGN 0x0004
531	#define KEYUSE_CRL_SIGN 0x0002
532	#define KEYUSE_ENCIPHER_ONLY 0x0001
533	#define KEYUSE_DECIPHER_ONLY 0x8000
534
535	/* Extended Key Usage bits (internal mapping only) */
536	#define EXTKEYUSE_USER 0x80
537	#define EXTKEYUSE_OCSP_SIGN 0x40
538	#define EXTKEYUSE_TIMESTAMP 0x20
539	#define EXTKEYUSE_EMAILPROT 0x10
540	#define EXTKEYUSE_CODESIGN 0x08
541	#define EXTKEYUSE_CLIENT_AUTH 0x04
542	#define EXTKEYUSE_SERVER_AUTH 0x02
543	#define EXTKEYUSE_ANY 0x01
544
545	typedef struct DNS_entry DNS_entry;
546
547	struct DNS_entry {
548	DNS_entry* next; /* next on DNS list */
549	int type; /* i.e. ASN_DNS_TYPE */
550	int len; /* actual DNS len */
551	char* name; /* actual DNS name */
552	};
553
554
555	typedef struct Base_entry Base_entry;
556
557	struct Base_entry {
558	Base_entry* next; /* next on name base list */
559	char* name; /* actual name base */
560	int nameSz; /* name length */
561	byte type; /* Name base type (DNS or RFC822) */
562	};
563
564	#define DOMAIN_COMPONENT_MAX 10
565
566	struct DecodedName {
567	char* fullName;
568	int fullNameLen;
569	int entryCount;
570	int cnIdx;
571	int cnLen;
572	int cnNid;
573	int snIdx;
574	int snLen;
575	int snNid;
576	int cIdx;
577	int cLen;
578	int cNid;
579	int lIdx;
580	int lLen;
581	int lNid;
582	int stIdx;
583	int stLen;
584	int stNid;
585	int oIdx;
586	int oLen;
587	int oNid;
588	int ouIdx;
589	int ouLen;
590	#ifdef WOLFSSL_CERT_EXT
591	int bcIdx;
592	int bcLen;
593	int jcIdx;
594	int jcLen;
595	int jsIdx;
596	int jsLen;
597	#endif
598	int ouNid;
599	int emailIdx;
600	int emailLen;
601	int emailNid;
602	int uidIdx;
603	int uidLen;
604	int uidNid;
605	int serialIdx;
606	int serialLen;
607	int serialNid;
608	int dcIdx[DOMAIN_COMPONENT_MAX];
609	int dcLen[DOMAIN_COMPONENT_MAX];
610	int dcNum;
611	int dcMode;
612	};
613
614	enum SignatureState {
615	SIG_STATE_BEGIN,
616	SIG_STATE_HASH,
617	SIG_STATE_KEY,
618	SIG_STATE_DO,
619	SIG_STATE_CHECK,
620	};
621
622
623	#ifdef HAVE_PK_CALLBACKS
624	#ifdef HAVE_ECC
625	typedef int (*wc_CallbackEccVerify)(
626	const unsigned char* sig, unsigned int sigSz,
627	const unsigned char* hash, unsigned int hashSz,
628	const unsigned char* keyDer, unsigned int keySz,
629	int* result, void* ctx);
630	#endif
631	#ifndef NO_RSA
632	typedef int (*wc_CallbackRsaVerify)(
633	unsigned char* sig, unsigned int sigSz,
634	unsigned char** out,
635	const unsigned char* keyDer, unsigned int keySz,
636	void* ctx);
637	#endif
638	#endif /* HAVE_PK_CALLBACKS */
639
640	struct SignatureCtx {
641	void* heap;
642	byte* digest;
643	#ifndef NO_RSA
644	byte* out;
645	byte* plain;
646	#endif
647	#if defined(HAVE_ECC) \|\| defined(HAVE_ED25519)
648	int verify;
649	#endif
650	union {
651	#ifndef NO_RSA
652	struct RsaKey* rsa;
653	#endif
654	#ifdef HAVE_ECC
655	struct ecc_key* ecc;
656	#endif
657	#ifdef HAVE_ED25519
658	struct ed25519_key* ed25519;
659	#endif
660	void* ptr;
661	} key;
662	int devId;
663	int state;
664	int typeH;
665	int digestSz;
666	word32 keyOID;
667	#ifdef WOLFSSL_ASYNC_CRYPT
668	WC_ASYNC_DEV* asyncDev;
669	void* asyncCtx;
670	#endif
671
672	#ifdef HAVE_PK_CALLBACKS
673	#ifdef HAVE_ECC
674	wc_CallbackEccVerify pkCbEcc;
675	void* pkCtxEcc;
676	#endif
677	#ifndef NO_RSA
678	wc_CallbackRsaVerify pkCbRsa;
679	void* pkCtxRsa;
680	#endif
681	#endif /* HAVE_PK_CALLBACKS */
682	};
683
684	enum CertSignState {
685	CERTSIGN_STATE_BEGIN,
686	CERTSIGN_STATE_DIGEST,
687	CERTSIGN_STATE_ENCODE,
688	CERTSIGN_STATE_DO,
689	};
690
691	struct CertSignCtx {
692	byte* sig;
693	byte* digest;
694	#ifndef NO_RSA
695	byte* encSig;
696	int encSigSz;
697	#endif
698	int state; /* enum CertSignState */
699	};
700
701
702	typedef struct DecodedCert DecodedCert;
703	typedef struct DecodedName DecodedName;
704	typedef struct Signer Signer;
705	#ifdef WOLFSSL_TRUST_PEER_CERT
706	typedef struct TrustedPeerCert TrustedPeerCert;
707	#endif /* WOLFSSL_TRUST_PEER_CERT */
708	typedef struct SignatureCtx SignatureCtx;
709	typedef struct CertSignCtx CertSignCtx;
710
711
712	struct DecodedCert {
713	const byte* publicKey;
714	word32 pubKeySize;
715	int pubKeyStored;
716	word32 certBegin; /* offset to start of cert */
717	word32 sigIndex; /* offset to start of signature */
718	word32 sigLength; /* length of signature */
719	word32 signatureOID; /* sum of algorithm object id */
720	word32 keyOID; /* sum of key algo object id */
721	int version; /* cert version, 1 or 3 */
722	DNS_entry* altNames; /* alt names list of dns entries */
723	#ifndef IGNORE_NAME_CONSTRAINTS
724	DNS_entry* altEmailNames; /* alt names list of RFC822 entries */
725	Base_entry* permittedNames; /* Permitted name bases */
726	Base_entry* excludedNames; /* Excluded name bases */
727	#endif /* IGNORE_NAME_CONSTRAINTS */
728	byte subjectHash[KEYID_SIZE]; /* hash of all Names */
729	byte issuerHash[KEYID_SIZE]; /* hash of all Names */
730	#ifdef HAVE_OCSP
731	byte issuerKeyHash[KEYID_SIZE]; /* hash of the public Key */
732	#endif /* HAVE_OCSP */
733	const byte* signature; /* not owned, points into raw cert */
734	char* subjectCN; /* CommonName */
735	int subjectCNLen; /* CommonName Length */
736	char subjectCNEnc; /* CommonName Encoding */
737	char issuer[ASN_NAME_MAX]; /* full name including common name */
738	char subject[ASN_NAME_MAX]; /* full name including common name */
739	int verify; /* Default to yes, but could be off */
740	const byte* source; /* byte buffer holder cert, NOT owner */
741	word32 srcIdx; /* current offset into buffer */
742	word32 maxIdx; /* max offset based on init size */
743	void* heap; /* for user memory overrides */
744	byte serial[EXTERNAL_SERIAL_SIZE]; /* raw serial number */
745	int serialSz; /* raw serial bytes stored */
746	const byte* extensions; /* not owned, points into raw cert */
747	int extensionsSz; /* length of cert extensions */
748	word32 extensionsIdx; /* if want to go back and parse later */
749	const byte* extAuthInfo; /* Authority Information Access URI */
750	int extAuthInfoSz; /* length of the URI */
751	const byte* extCrlInfo; /* CRL Distribution Points */
752	int extCrlInfoSz; /* length of the URI */
753	byte extSubjKeyId[KEYID_SIZE]; /* Subject Key ID */
754	byte extAuthKeyId[KEYID_SIZE]; /* Authority Key ID */
755	byte pathLength; /* CA basic constraint path length */
756	word16 extKeyUsage; /* Key usage bitfield */
757	byte extExtKeyUsage; /* Extended Key usage bitfield */
758
759	#if defined(OPENSSL_EXTRA) \|\| defined(OPENSSL_EXTRA_X509_SMALL)
760	const byte* extExtKeyUsageSrc;
761	word32 extExtKeyUsageSz;
762	word32 extExtKeyUsageCount;
763	const byte* extAuthKeyIdSrc;
764	word32 extAuthKeyIdSz;
765	const byte* extSubjKeyIdSrc;
766	word32 extSubjKeyIdSz;
767	#endif
768
769	#if defined(HAVE_ECC) \|\| defined(HAVE_ED25519)
770	word32 pkCurveOID; /* Public Key's curve OID */
771	#endif /* HAVE_ECC */
772	const byte* beforeDate;
773	int beforeDateLen;
774	const byte* afterDate;
775	int afterDateLen;
776	#if defined(HAVE_PKCS7) \|\| defined(WOLFSSL_CERT_EXT)
777	const byte* issuerRaw; /* pointer to issuer inside source */
778	int issuerRawLen;
779	#endif
780	#ifndef IGNORE_NAME_CONSTRAINT
781	const byte* subjectRaw; /* pointer to subject inside source */
782	int subjectRawLen;
783	#endif
784	#if defined(WOLFSSL_CERT_GEN) \|\| defined(WOLFSSL_CERT_EXT)
785	/* easy access to subject info for other sign */
786	char* subjectSN;
787	int subjectSNLen;
788	char subjectSNEnc;
789	char* subjectC;
790	int subjectCLen;
791	char subjectCEnc;
792	char* subjectL;
793	int subjectLLen;
794	char subjectLEnc;
795	char* subjectST;
796	int subjectSTLen;
797	char subjectSTEnc;
798	char* subjectO;
799	int subjectOLen;
800	char subjectOEnc;
801	char* subjectOU;
802	int subjectOULen;
803	char subjectOUEnc;
804	char* subjectSND;
805	int subjectSNDLen;
806	char subjectSNDEnc;
807	#ifdef WOLFSSL_CERT_EXT
808	char* subjectBC;
809	int subjectBCLen;
810	char subjectBCEnc;
811	char* subjectJC;
812	int subjectJCLen;
813	char subjectJCEnc;
814	char* subjectJS;
815	int subjectJSLen;
816	char subjectJSEnc;
817	#endif
818	char* subjectEmail;
819	int subjectEmailLen;
820	#endif /* WOLFSSL_CERT_GEN */
821	#if defined(OPENSSL_EXTRA) \|\| defined(OPENSSL_EXTRA_X509_SMALL)
822	DecodedName issuerName;
823	DecodedName subjectName;
824	#endif /* OPENSSL_EXTRA */
825	#ifdef WOLFSSL_SEP
826	int deviceTypeSz;
827	byte* deviceType;
828	int hwTypeSz;
829	byte* hwType;
830	int hwSerialNumSz;
831	byte* hwSerialNum;
832	#endif /* WOLFSSL_SEP */
833	#ifdef WOLFSSL_CERT_EXT
834	char extCertPolicies[MAX_CERTPOL_NB][MAX_CERTPOL_SZ];
835	int extCertPoliciesNb;
836	#endif /* defined(WOLFSSL_CERT_GEN) \|\| defined(WOLFSSL_CERT_EXT) */
837
838	Signer* ca;
839	SignatureCtx sigCtx;
840
841	/* Option Bits */
842	byte subjectCNStored : 1; /* have we saved a copy we own */
843	byte extSubjKeyIdSet : 1; /* Set when the SKID was read from cert */
844	byte extAuthKeyIdSet : 1; /* Set when the AKID was read from cert */
845	#ifndef IGNORE_NAME_CONSTRAINTS
846	byte extNameConstraintSet : 1;
847	#endif
848	byte isCA : 1; /* CA basic constraint true */
849	byte pathLengthSet : 1; /* CA basic const path length set */
850	byte weOwnAltNames : 1; /* altNames haven't been given to copy */
851	byte extKeyUsageSet : 1;
852	byte extExtKeyUsageSet : 1; /* Extended Key Usage set */
853	byte extCRLdistSet : 1;
854	byte extAuthInfoSet : 1;
855	byte extBasicConstSet : 1;
856	byte extSubjAltNameSet : 1;
857	byte inhibitAnyOidSet : 1;
858	#ifdef WOLFSSL_SEP
859	byte extCertPolicySet : 1;
860	#endif
861	#if defined(OPENSSL_EXTRA) \|\| defined(OPENSSL_EXTRA_X509_SMALL)
862	byte extCRLdistCrit : 1;
863	byte extAuthInfoCrit : 1;
864	byte extBasicConstCrit : 1;
865	byte extSubjAltNameCrit : 1;
866	byte extAuthKeyIdCrit : 1;
867	#ifndef IGNORE_NAME_CONSTRAINTS
868	byte extNameConstraintCrit : 1;
869	#endif
870	byte extSubjKeyIdCrit : 1;
871	byte extKeyUsageCrit : 1;
872	byte extExtKeyUsageCrit : 1;
873	#endif /* OPENSSL_EXTRA */
874	#ifdef WOLFSSL_SEP
875	byte extCertPolicyCrit : 1;
876	#endif
877
878	};
879
880
881	#ifdef NO_SHA
882	#define SIGNER_DIGEST_SIZE WC_SHA256_DIGEST_SIZE
883	#else
884	#define SIGNER_DIGEST_SIZE WC_SHA_DIGEST_SIZE
885	#endif
886
887	/* CA Signers */
888	/* if change layout change PERSIST_CERT_CACHE functions too */
889	struct Signer {
890	word32 pubKeySize;
891	word32 keyOID; /* key type */
892	word16 keyUsage;
893	byte pathLength;
894	byte pathLengthSet;
895	const byte* publicKey;
896	int nameLen;
897	char* name; /* common name */
898	#ifndef IGNORE_NAME_CONSTRAINTS
899	Base_entry* permittedNames;
900	Base_entry* excludedNames;
901	#endif /* IGNORE_NAME_CONSTRAINTS */
902	byte subjectNameHash[SIGNER_DIGEST_SIZE];
903	/* sha hash of names in certificate */
904	#ifndef NO_SKID
905	byte subjectKeyIdHash[SIGNER_DIGEST_SIZE];
906	/* sha hash of names in certificate */
907	#endif
908	#ifdef WOLFSSL_SIGNER_DER_CERT
909	DerBuffer* derCert;
910	#endif
911	Signer* next;
912	};
913
914
915	#ifdef WOLFSSL_TRUST_PEER_CERT
916	/* used for having trusted peer certs rather then CA */
917	struct TrustedPeerCert {
918	int nameLen;
919	char* name; /* common name */
920	#ifndef IGNORE_NAME_CONSTRAINTS
921	Base_entry* permittedNames;
922	Base_entry* excludedNames;
923	#endif /* IGNORE_NAME_CONSTRAINTS */
924	byte subjectNameHash[SIGNER_DIGEST_SIZE];
925	/* sha hash of names in certificate */
926	#ifndef NO_SKID
927	byte subjectKeyIdHash[SIGNER_DIGEST_SIZE];
928	/* sha hash of names in certificate */
929	#endif
930	word32 sigLen;
931	byte* sig;
932	struct TrustedPeerCert* next;
933	};
934	#endif /* WOLFSSL_TRUST_PEER_CERT */
935
936
937	/* for testing or custom openssl wrappers */
938	#if defined(WOLFSSL_TEST_CERT) \|\| defined(OPENSSL_EXTRA) \|\| \
939	defined(OPENSSL_EXTRA_X509_SMALL)
940	#define WOLFSSL_ASN_API WOLFSSL_API
941	#else
942	#define WOLFSSL_ASN_API WOLFSSL_LOCAL
943	#endif
944
945	/* Macro for calculating hashId */
946	#if defined(NO_SHA) && defined(NO_SHA256)
947	#ifdef WOLF_CRYPTO_DEV
948	#define CalcHashId(data, len, hash) wc_CryptoDevSha256Hash(data, len, hash)
949	#else
950	#define CalcHashId(data, len, hash) NOT_COMPILED_IN
951	#endif
952	#elif defined(NO_SHA)
953	#define CalcHashId(data, len, hash) wc_Sha256Hash(data, len, hash)
954	#else
955	#define CalcHashId(data, len, hash) wc_ShaHash(data, len, hash)
956	#endif
957
958
959	WOLFSSL_ASN_API int wc_BerToDer(const byte* ber, word32 berSz, byte* der,
960	word32* derSz);
961
962	WOLFSSL_ASN_API void FreeAltNames(DNS_entry, void);
963	#ifndef IGNORE_NAME_CONSTRAINTS
964	WOLFSSL_ASN_API void FreeNameSubtrees(Base_entry, void);
965	#endif /* IGNORE_NAME_CONSTRAINTS */
966	WOLFSSL_ASN_API void InitDecodedCert(DecodedCert, const byte, word32, void*);
967	WOLFSSL_ASN_API void FreeDecodedCert(DecodedCert*);
968	WOLFSSL_ASN_API int ParseCert(DecodedCert, int type, int verify, void cm);
969
970	WOLFSSL_LOCAL int DecodePolicyOID(char *o, word32 oSz,
971	const byte *in, word32 inSz);
972	WOLFSSL_API int CheckCertSignature(const byte,word32,void,void* cm);
973	WOLFSSL_LOCAL int ParseCertRelative(DecodedCert,int type,int verify,void cm);
974	WOLFSSL_LOCAL int DecodeToKey(DecodedCert*, int verify);
975
976	WOLFSSL_LOCAL const byte* OidFromId(word32 id, word32 type, word32* oidSz);
977	WOLFSSL_LOCAL Signer* MakeSigner(void*);
978	WOLFSSL_LOCAL void FreeSigner(Signer, void);
979	WOLFSSL_LOCAL void FreeSignerTable(Signer*, int, void);
980	#ifdef WOLFSSL_TRUST_PEER_CERT
981	WOLFSSL_LOCAL void FreeTrustedPeer(TrustedPeerCert, void);
982	WOLFSSL_LOCAL void FreeTrustedPeerTable(TrustedPeerCert*, int, void);
983	#endif /* WOLFSSL_TRUST_PEER_CERT */
984
985	WOLFSSL_ASN_API int ToTraditional(byte* buffer, word32 length);
986	WOLFSSL_ASN_API int ToTraditional_ex(byte* buffer, word32 length,
987	word32* algId);
988	WOLFSSL_LOCAL int ToTraditionalInline(const byte* input, word32* inOutIdx,
989	word32 length);
990	WOLFSSL_LOCAL int ToTraditionalInline_ex(const byte* input, word32* inOutIdx,
991	word32 length, word32* algId);
992	WOLFSSL_LOCAL int ToTraditionalEnc(byte* buffer, word32 length,const char*,int,
993	word32* algId);
994	WOLFSSL_ASN_API int UnTraditionalEnc(byte* key, word32 keySz, byte* out,
995	word32* outSz, const char* password, int passwordSz, int vPKCS,
996	int vAlgo, byte* salt, word32 saltSz, int itt, WC_RNG* rng, void* heap);
997	WOLFSSL_ASN_API int TraditionalEnc(byte* key, word32 keySz, byte* out,
998	word32* outSz, const char* password, int passwordSz, int vPKCS,
999	int vAlgo, int encAlgId, byte* salt, word32 saltSz, int itt,
1000	WC_RNG* rng, void* heap);
1001	WOLFSSL_LOCAL int DecryptContent(byte* input, word32 sz,const char* psw,int pswSz);
1002	WOLFSSL_LOCAL int EncryptContent(byte* input, word32 sz, byte* out, word32* outSz,
1003	const char* password,int passwordSz, int vPKCS, int vAlgo,
1004	byte* salt, word32 saltSz, int itt, WC_RNG* rng, void* heap);
1005	WOLFSSL_LOCAL int wc_GetKeyOID(byte* key, word32 keySz, const byte** curveOID,
1006	word32* oidSz, int* algoID, void* heap);
1007
1008	typedef struct tm wolfssl_tm;
1009	#if defined(OPENSSL_ALL) \|\| defined(WOLFSSL_MYSQL_COMPATIBLE) \|\| defined(OPENSSL_EXTRA) \|\| \
1010	defined(WOLFSSL_NGINX) \|\| defined(WOLFSSL_HAPROXY)
1011	WOLFSSL_LOCAL int GetTimeString(byte* date, int format, char* buf, int len);
1012	#endif
1013	#if !defined(NO_ASN_TIME) && defined(HAVE_PKCS7)
1014	WOLFSSL_LOCAL int GetAsnTimeString(void* currTime, byte* buf, word32 len);
1015	#endif
1016	WOLFSSL_LOCAL int ExtractDate(const unsigned char* date, unsigned char format,
1017	wolfssl_tm* certTime, int* idx);
1018	WOLFSSL_LOCAL int ValidateDate(const byte* date, byte format, int dateType);
1019	WOLFSSL_LOCAL int OBJ_sn2nid(const char *sn);
1020
1021	/* ASN.1 helper functions */
1022	#ifdef WOLFSSL_CERT_GEN
1023	WOLFSSL_ASN_API int SetName(byte* output, word32 outputSz, CertName* name);
1024	#endif
1025	WOLFSSL_LOCAL int GetShortInt(const byte* input, word32* inOutIdx, int* number,
1026	word32 maxIdx);
1027	WOLFSSL_LOCAL char* GetSigName(int oid);
1028	WOLFSSL_LOCAL int GetLength(const byte* input, word32* inOutIdx, int* len,
1029	word32 maxIdx);
1030	WOLFSSL_LOCAL int GetLength_ex(const byte* input, word32* inOutIdx, int* len,
1031	word32 maxIdx, int check);
1032	WOLFSSL_LOCAL int GetSequence(const byte* input, word32* inOutIdx, int* len,
1033	word32 maxIdx);
1034	WOLFSSL_LOCAL int GetSequence_ex(const byte* input, word32* inOutIdx, int* len,
1035	word32 maxIdx, int check);
1036	WOLFSSL_LOCAL int GetSet(const byte* input, word32* inOutIdx, int* len,
1037	word32 maxIdx);
1038	WOLFSSL_LOCAL int GetMyVersion(const byte* input, word32* inOutIdx,
1039	int* version, word32 maxIdx);
1040	WOLFSSL_LOCAL int GetInt(mp_int* mpi, const byte* input, word32* inOutIdx,
1041	word32 maxIdx);
1042	#ifdef HAVE_OID_ENCODING
1043	WOLFSSL_LOCAL int EncodeObjectId(const word16* in, word32 inSz,
1044	byte* out, word32* outSz);
1045	#endif
1046	#ifdef HAVE_OID_DECODING
1047	WOLFSSL_LOCAL int DecodeObjectId(const byte* in, word32 inSz,
1048	word16* out, word32* outSz);
1049	#endif
1050	WOLFSSL_LOCAL int GetASNObjectId(const byte* input, word32* inOutIdx, int* len,
1051	word32 maxIdx);
1052	WOLFSSL_LOCAL int SetObjectId(int len, byte* output);
1053	WOLFSSL_LOCAL int GetObjectId(const byte* input, word32* inOutIdx, word32* oid,
1054	word32 oidType, word32 maxIdx);
1055	WOLFSSL_LOCAL int GetAlgoId(const byte* input, word32* inOutIdx, word32* oid,
1056	word32 oidType, word32 maxIdx);
1057	WOLFSSL_LOCAL word32 SetLength(word32 length, byte* output);
1058	WOLFSSL_LOCAL word32 SetSequence(word32 len, byte* output);
1059	WOLFSSL_LOCAL word32 SetOctetString(word32 len, byte* output);
1060	WOLFSSL_LOCAL word32 SetImplicit(byte tag,byte number,word32 len,byte* output);
1061	WOLFSSL_LOCAL word32 SetExplicit(byte number, word32 len, byte* output);
1062	WOLFSSL_LOCAL word32 SetSet(word32 len, byte* output);
1063	WOLFSSL_LOCAL word32 SetAlgoID(int algoOID,byte* output,int type,int curveSz);
1064	WOLFSSL_LOCAL int SetMyVersion(word32 version, byte* output, int header);
1065	WOLFSSL_LOCAL int SetSerialNumber(const byte* sn, word32 snSz, byte* output,
1066	int maxSnSz);
1067	WOLFSSL_LOCAL int GetSerialNumber(const byte* input, word32* inOutIdx,
1068	byte* serial, int* serialSz, word32 maxIdx);
1069	WOLFSSL_LOCAL int GetNameHash(const byte* source, word32* idx, byte* hash,
1070	int maxIdx);
1071	WOLFSSL_LOCAL int wc_CheckPrivateKey(byte* key, word32 keySz, DecodedCert* der);
1072	WOLFSSL_LOCAL int RsaPublicKeyDerSize(RsaKey* key, int with_header);
1073
1074	#ifdef HAVE_ECC
1075	/* ASN sig helpers */
1076	WOLFSSL_LOCAL int StoreECC_DSA_Sig(byte* out, word32* outLen, mp_int* r,
1077	mp_int* s);
1078	WOLFSSL_LOCAL int DecodeECC_DSA_Sig(const byte* sig, word32 sigLen,
1079	mp_int* r, mp_int* s);
1080	#endif
1081
1082	WOLFSSL_LOCAL void InitSignatureCtx(SignatureCtx* sigCtx, void* heap, int devId);
1083	WOLFSSL_LOCAL void FreeSignatureCtx(SignatureCtx* sigCtx);
1084
1085	#ifndef NO_CERTS
1086
1087	WOLFSSL_LOCAL int wc_EncryptedInfoParse(EncryptedInfo* info, char** pBuffer,
1088	size_t bufSz);
1089
1090	WOLFSSL_LOCAL int PemToDer(const unsigned char* buff, long sz, int type,
1091	DerBuffer** pDer, void* heap, EncryptedInfo* info,
1092	int* eccKey);
1093	WOLFSSL_LOCAL int AllocDer(DerBuffer** der, word32 length, int type, void* heap);
1094	WOLFSSL_LOCAL void FreeDer(DerBuffer** der);
1095
1096	#endif /* !NO_CERTS */
1097
1098	#ifdef WOLFSSL_CERT_GEN
1099
1100	enum cert_enums {
1101	#ifdef WOLFSSL_CERT_EXT
1102	NAME_ENTRIES = 10,
1103	#else
1104	NAME_ENTRIES = 9,
1105	#endif
1106	JOINT_LEN = 2,
1107	EMAIL_JOINT_LEN = 9,
1108	PILOT_JOINT_LEN = 10,
1109	RSA_KEY = 10,
1110	NTRU_KEY = 11,
1111	ECC_KEY = 12,
1112	ED25519_KEY = 13
1113	};
1114
1115	#endif /* WOLFSSL_CERT_GEN */
1116
1117
1118
1119	/* for pointer use */
1120	typedef struct CertStatus CertStatus;
1121
1122	#ifdef HAVE_OCSP
1123
1124	enum Ocsp_Response_Status {
1125	OCSP_SUCCESSFUL = 0, /* Response has valid confirmations */
1126	OCSP_MALFORMED_REQUEST = 1, /* Illegal confirmation request */
1127	OCSP_INTERNAL_ERROR = 2, /* Internal error in issuer */
1128	OCSP_TRY_LATER = 3, /* Try again later */
1129	OCSP_SIG_REQUIRED = 5, /* Must sign the request (4 is skipped) */
1130	OCSP_UNAUTHROIZED = 6 /* Request unauthorized */
1131	};
1132
1133
1134	enum Ocsp_Cert_Status {
1135	CERT_GOOD = 0,
1136	CERT_REVOKED = 1,
1137	CERT_UNKNOWN = 2
1138	};
1139
1140
1141	enum Ocsp_Sums {
1142	OCSP_BASIC_OID = 117,
1143	OCSP_NONCE_OID = 118
1144	};
1145
1146	#ifdef OPENSSL_EXTRA
1147	enum Ocsp_Verify_Error {
1148	OCSP_VERIFY_ERROR_NONE = 0,
1149	OCSP_BAD_ISSUER = 1
1150	};
1151	#endif
1152
1153
1154	typedef struct OcspRequest OcspRequest;
1155	typedef struct OcspResponse OcspResponse;
1156
1157
1158	struct CertStatus {
1159	CertStatus* next;
1160
1161	byte serial[EXTERNAL_SERIAL_SIZE];
1162	int serialSz;
1163
1164	int status;
1165
1166	byte thisDate[MAX_DATE_SIZE];
1167	byte nextDate[MAX_DATE_SIZE];
1168	byte thisDateFormat;
1169	byte nextDateFormat;
1170	#if defined(OPENSSL_ALL) \|\| defined(WOLFSSL_NGINX) \|\| defined(WOLFSSL_HAPROXY)
1171	byte* thisDateAsn;
1172	byte* nextDateAsn;
1173	#endif
1174
1175	byte* rawOcspResponse;
1176	word32 rawOcspResponseSz;
1177	};
1178
1179
1180	struct OcspResponse {
1181	int responseStatus; /* return code from Responder */
1182
1183	byte* response; /* Pointer to beginning of OCSP Response */
1184	word32 responseSz; /* length of the OCSP Response */
1185
1186	byte producedDate[MAX_DATE_SIZE];
1187	/* Date at which this response was signed */
1188	byte producedDateFormat; /* format of the producedDate */
1189	byte* issuerHash;
1190	byte* issuerKeyHash;
1191
1192	byte* cert;
1193	word32 certSz;
1194
1195	byte* sig; /* Pointer to sig in source */
1196	word32 sigSz; /* Length in octets for the sig */
1197	word32 sigOID; /* OID for hash used for sig */
1198
1199	CertStatus* status; /* certificate status to fill out */
1200
1201	byte* nonce; /* pointer to nonce inside ASN.1 response */
1202	int nonceSz; /* length of the nonce string */
1203
1204	byte* source; /* pointer to source buffer, not owned */
1205	word32 maxIdx; /* max offset based on init size */
1206
1207	#ifdef OPENSSL_EXTRA
1208	int verifyError;
1209	#endif
1210	};
1211
1212
1213	struct OcspRequest {
1214	byte issuerHash[KEYID_SIZE];
1215	byte issuerKeyHash[KEYID_SIZE];
1216	byte* serial; /* copy of the serial number in source cert */
1217	int serialSz;
1218	byte* url; /* copy of the extAuthInfo in source cert */
1219	int urlSz;
1220
1221	byte nonce[MAX_OCSP_NONCE_SZ];
1222	int nonceSz;
1223	void* heap;
1224	void* ssl;
1225	};
1226
1227
1228	WOLFSSL_LOCAL void InitOcspResponse(OcspResponse, CertStatus, byte*, word32);
1229	WOLFSSL_LOCAL int OcspResponseDecode(OcspResponse, void, void* heap, int);
1230
1231	WOLFSSL_LOCAL int InitOcspRequest(OcspRequest, DecodedCert, byte, void*);
1232	WOLFSSL_LOCAL void FreeOcspRequest(OcspRequest*);
1233	WOLFSSL_LOCAL int EncodeOcspRequest(OcspRequest, byte, word32);
1234	WOLFSSL_LOCAL word32 EncodeOcspRequestExtensions(OcspRequest, byte, word32);
1235
1236
1237	WOLFSSL_LOCAL int CompareOcspReqResp(OcspRequest, OcspResponse);
1238
1239
1240	#endif /* HAVE_OCSP */
1241
1242
1243	/* for pointer use */
1244	typedef struct RevokedCert RevokedCert;
1245
1246	#ifdef HAVE_CRL
1247
1248	struct RevokedCert {
1249	byte serialNumber[EXTERNAL_SERIAL_SIZE];
1250	int serialSz;
1251	RevokedCert* next;
1252	};
1253
1254	typedef struct DecodedCRL DecodedCRL;
1255
1256	struct DecodedCRL {
1257	word32 certBegin; /* offset to start of cert */
1258	word32 sigIndex; /* offset to start of signature */
1259	word32 sigLength; /* length of signature */
1260	word32 signatureOID; /* sum of algorithm object id */
1261	byte* signature; /* pointer into raw source, not owned */
1262	byte issuerHash[SIGNER_DIGEST_SIZE]; /* issuer hash */
1263	byte crlHash[SIGNER_DIGEST_SIZE]; /* raw crl data hash */
1264	byte lastDate[MAX_DATE_SIZE]; /* last date updated */
1265	byte nextDate[MAX_DATE_SIZE]; /* next update date */
1266	byte lastDateFormat; /* format of last date */
1267	byte nextDateFormat; /* format of next date */
1268	RevokedCert* certs; /* revoked cert list */
1269	int totalCerts; /* number on list */
1270	void* heap;
1271	};
1272
1273	WOLFSSL_LOCAL void InitDecodedCRL(DecodedCRL, void heap);
1274	WOLFSSL_LOCAL int VerifyCRL_Signature(SignatureCtx* sigCtx,
1275	const byte* toBeSigned, word32 tbsSz,
1276	const byte* signature, word32 sigSz,
1277	word32 signatureOID, Signer *ca,
1278	void* heap);
1279	WOLFSSL_LOCAL int ParseCRL(DecodedCRL, const byte buff, word32 sz, void* cm);
1280	WOLFSSL_LOCAL void FreeDecodedCRL(DecodedCRL*);
1281
1282
1283	#endif /* HAVE_CRL */
1284
1285
1286	#ifdef __cplusplus
1287	} /* extern "C" */
1288	#endif
1289
1290	#endif /* !NO_ASN */
1291
1292
1293	#if !defined(NO_ASN) \|\| !defined(NO_PWDBASED)
1294
1295	#ifndef MAX_KEY_SIZE
1296	#define MAX_KEY_SIZE 64 /* MAX PKCS Key length */
1297	#endif
1298	#ifndef MAX_UNICODE_SZ
1299	#define MAX_UNICODE_SZ 256
1300	#endif
1301
1302	enum PBESTypes {
1303	PBE_MD5_DES = 0,
1304	PBE_SHA1_RC4_128 = 1,
1305	PBE_SHA1_DES = 2,
1306	PBE_SHA1_DES3 = 3,
1307	PBE_AES256_CBC = 4,
1308
1309	PBE_SHA1_RC4_128_SUM = 657,
1310	PBE_SHA1_DES3_SUM = 659,
1311	PBES2 = 13 /* algo ID */
1312	};
1313
1314	enum PKCSTypes {
1315	PKCS5v2 = 6, /* PKCS #5 v2.0 */
1316	PKCS12v1 = 12, /* PKCS #12 */
1317	PKCS5 = 5, /* PKCS oid tag */
1318	PKCS8v0 = 0, /* default PKCS#8 version */
1319	};
1320
1321	#endif /* !NO_ASN \|\| !NO_PWDBASED */
1322
1323	#endif /* WOLF_CRYPT_ASN_H */

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: azure_iot_hub/trunk/wolfssl-3.15.7/wolfssl/wolfcrypt/asn.h@ 389

Download in other formats: