source: asp3_tinet_ecnl_arm/trunk/wolfssl-3.12.2/wolfssl/wolfcrypt/asn.h@ 352

Last change on this file since 352 was 352, checked in by coas-nagasima, 6 years ago

arm向けASP3版ECNLを追加
  • Property svn:eol-style set to native
  • Property svn:mime-type set to text/x-chdr;charset=UTF-8
File size: 32.5 KB
RevLine 
[352]1/* asn.h
2 *
3 * Copyright (C) 2006-2017 wolfSSL Inc.
4 *
5 * This file is part of wolfSSL.
6 *
7 * wolfSSL is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 2 of the License, or
10 * (at your option) any later version.
11 *
12 * wolfSSL is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
20 */
21
22
23#ifndef WOLF_CRYPT_ASN_H
24#define WOLF_CRYPT_ASN_H
25
26#include <wolfssl/wolfcrypt/types.h>
27
28#ifndef NO_ASN
29
30#include <wolfssl/wolfcrypt/integer.h>
31
32/* fips declare of RsaPrivateKeyDecode @wc_fips */
33#if defined(HAVE_FIPS) && !defined(NO_RSA)
34 #include <cyassl/ctaocrypt/rsa.h>
35#endif
36
37#ifndef NO_DH
38 #include <wolfssl/wolfcrypt/dh.h>
39#endif
40#ifndef NO_DSA
41 #include <wolfssl/wolfcrypt/dsa.h>
42#endif
43#ifndef NO_SHA
44 #include <wolfssl/wolfcrypt/sha.h>
45#endif
46#ifndef NO_MD5
47 #include <wolfssl/wolfcrypt/md5.h>
48#endif
49#include <wolfssl/wolfcrypt/sha256.h>
50#include <wolfssl/wolfcrypt/asn_public.h> /* public interface */
51
52
53#ifdef __cplusplus
54 extern "C" {
55#endif
56
57enum {
58 ISSUER = 0,
59 SUBJECT = 1,
60
61 EXTERNAL_SERIAL_SIZE = 32,
62
63 BEFORE = 0,
64 AFTER = 1
65};
66
67/* ASN Tags */
68enum ASN_Tags {
69 ASN_BOOLEAN = 0x01,
70 ASN_INTEGER = 0x02,
71 ASN_BIT_STRING = 0x03,
72 ASN_OCTET_STRING = 0x04,
73 ASN_TAG_NULL = 0x05,
74 ASN_OBJECT_ID = 0x06,
75 ASN_ENUMERATED = 0x0a,
76 ASN_UTF8STRING = 0x0c,
77 ASN_SEQUENCE = 0x10,
78 ASN_SET = 0x11,
79 ASN_UTC_TIME = 0x17,
80 ASN_OTHER_TYPE = 0x00,
81 ASN_RFC822_TYPE = 0x01,
82 ASN_DNS_TYPE = 0x02,
83 ASN_DIR_TYPE = 0x04,
84 ASN_GENERALIZED_TIME = 0x18,
85 CRL_EXTENSIONS = 0xa0,
86 ASN_EXTENSIONS = 0xa3,
87 ASN_LONG_LENGTH = 0x80
88};
89
90enum ASN_Flags {
91 ASN_CONSTRUCTED = 0x20,
92 ASN_CONTEXT_SPECIFIC = 0x80
93};
94
95enum DN_Tags {
96 ASN_COMMON_NAME = 0x03, /* CN */
97 ASN_SUR_NAME = 0x04, /* SN */
98 ASN_SERIAL_NUMBER = 0x05, /* serialNumber */
99 ASN_COUNTRY_NAME = 0x06, /* C */
100 ASN_LOCALITY_NAME = 0x07, /* L */
101 ASN_STATE_NAME = 0x08, /* ST */
102 ASN_ORG_NAME = 0x0a, /* O */
103 ASN_ORGUNIT_NAME = 0x0b /* OU */
104};
105
106enum PBES {
107 PBE_MD5_DES = 0,
108 PBE_SHA1_DES = 1,
109 PBE_SHA1_DES3 = 2,
110 PBE_SHA1_RC4_128 = 3,
111 PBES2 = 13 /* algo ID */
112};
113
114enum ENCRYPTION_TYPES {
115 DES_TYPE = 0,
116 DES3_TYPE = 1,
117 RC4_TYPE = 2
118};
119
120enum ECC_TYPES {
121 ECC_PREFIX_0 = 160,
122 ECC_PREFIX_1 = 161
123};
124
125enum Misc_ASN {
126 ASN_NAME_MAX = 256,
127 MAX_SALT_SIZE = 64, /* MAX PKCS Salt length */
128 MAX_IV_SIZE = 64, /* MAX PKCS Iv length */
129 MAX_KEY_SIZE = 64, /* MAX PKCS Key length */
130 PKCS5 = 5, /* PKCS oid tag */
131 PKCS5v2 = 6, /* PKCS #5 v2.0 */
132 PKCS8v0 = 0, /* default PKCS#8 version */
133 PKCS12v1 = 12, /* PKCS #12 */
134 MAX_UNICODE_SZ = 256,
135 ASN_BOOL_SIZE = 2, /* including type */
136 ASN_ECC_HEADER_SZ = 2, /* String type + 1 byte len */
137 ASN_ECC_CONTEXT_SZ = 2, /* Content specific type + 1 byte len */
138#ifdef NO_SHA
139 KEYID_SIZE = WC_SHA256_DIGEST_SIZE,
140#else
141 KEYID_SIZE = WC_SHA_DIGEST_SIZE,
142#endif
143 RSA_INTS = 8, /* RSA ints in private key */
144 DSA_INTS = 5, /* DSA ints in private key */
145 MIN_DATE_SIZE = 13,
146 MAX_DATE_SIZE = 32,
147 ASN_GEN_TIME_SZ = 15, /* 7 numbers * 2 + Zulu tag */
148 MAX_ENCODED_SIG_SZ = 512,
149 MAX_SIG_SZ = 256,
150 MAX_ALGO_SZ = 20,
151 MAX_SEQ_SZ = 5, /* enum(seq | con) + length(4) */
152 MAX_SET_SZ = 5, /* enum(set | con) + length(4) */
153 MAX_OCTET_STR_SZ = 5, /* enum(set | con) + length(4) */
154 MAX_EXP_SZ = 5, /* enum(contextspec|con|exp) + length(4) */
155 MAX_PRSTR_SZ = 5, /* enum(prstr) + length(4) */
156 MAX_VERSION_SZ = 5, /* enum + id + version(byte) + (header(2))*/
157 MAX_ENCODED_DIG_SZ = 73, /* sha512 + enum(bit or octet) + length(4) */
158 MAX_RSA_INT_SZ = 517, /* RSA raw sz 4096 for bits + tag + len(4) */
159 MAX_NTRU_KEY_SZ = 610, /* NTRU 112 bit public key */
160 MAX_NTRU_ENC_SZ = 628, /* NTRU 112 bit DER public encoding */
161 MAX_LENGTH_SZ = 4, /* Max length size for DER encoding */
162 MAX_RSA_E_SZ = 16, /* Max RSA public e size */
163 MAX_CA_SZ = 32, /* Max encoded CA basic constraint length */
164 MAX_SN_SZ = 35, /* Max encoded serial number (INT) length */
165 MAX_DER_DIGEST_SZ = MAX_ENCODED_DIG_SZ + MAX_ALGO_SZ + MAX_SEQ_SZ, /* Maximum DER digest size */
166#ifdef WOLFSSL_CERT_GEN
167 #ifdef WOLFSSL_CERT_REQ
168 /* Max encoded cert req attributes length */
169 MAX_ATTRIB_SZ = MAX_SEQ_SZ * 3 + (11 + MAX_SEQ_SZ) * 2 +
170 MAX_PRSTR_SZ + CTC_NAME_SIZE, /* 11 is the OID size */
171 #endif
172 #if defined(WOLFSSL_ALT_NAMES) || defined(WOLFSSL_CERT_EXT)
173 MAX_EXTENSIONS_SZ = 1 + MAX_LENGTH_SZ + CTC_MAX_ALT_SIZE,
174 #else
175 MAX_EXTENSIONS_SZ = 1 + MAX_LENGTH_SZ + MAX_CA_SZ,
176 #endif
177 /* Max total extensions, id + len + others */
178#endif
179#ifdef WOLFSSL_CERT_EXT
180 MAX_KID_SZ = 45, /* Max encoded KID length (SHA-256 case) */
181 MAX_KEYUSAGE_SZ = 18, /* Max encoded Key Usage length */
182 MAX_EXTKEYUSAGE_SZ = 12 + (6 * (8 + 2)), /* Max encoded ExtKeyUsage
183 (SEQ/LEN + OBJID + OCTSTR/LEN + SEQ + (6 * (SEQ + OID))) */
184 MAX_OID_SZ = 32, /* Max DER length of OID*/
185 MAX_OID_STRING_SZ = 64, /* Max string length representation of OID*/
186 MAX_CERTPOL_NB = CTC_MAX_CERTPOL_NB,/* Max number of Cert Policy */
187 MAX_CERTPOL_SZ = CTC_MAX_CERTPOL_SZ,
188#endif
189 OCSP_NONCE_EXT_SZ = 35, /* OCSP Nonce Extension size */
190 MAX_OCSP_EXT_SZ = 58, /* Max OCSP Extension length */
191 MAX_OCSP_NONCE_SZ = 16, /* OCSP Nonce size */
192 EIGHTK_BUF = 8192, /* Tmp buffer size */
193 MAX_PUBLIC_KEY_SZ = MAX_NTRU_ENC_SZ + MAX_ALGO_SZ + MAX_SEQ_SZ * 2,
194 /* use bigger NTRU size */
195 HEADER_ENCRYPTED_KEY_SIZE = 88,/* Extra header size for encrypted key */
196 TRAILING_ZERO = 1, /* Used for size of zero pad */
197 MIN_VERSION_SZ = 3, /* Min bytes needed for GetMyVersion */
198#if defined(WOLFSSL_MYSQL_COMPATIBLE) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
199 MAX_TIME_STRING_SZ = 25, /* Max length of formatted time string */
200#endif
201};
202
203
204enum Oid_Types {
205 oidHashType = 0,
206 oidSigType = 1,
207 oidKeyType = 2,
208 oidCurveType = 3,
209 oidBlkType = 4,
210 oidOcspType = 5,
211 oidCertExtType = 6,
212 oidCertAuthInfoType = 7,
213 oidCertPolicyType = 8,
214 oidCertAltNameType = 9,
215 oidCertKeyUseType = 10,
216 oidKdfType = 11,
217 oidKeyWrapType = 12,
218 oidCmsKeyAgreeType = 13,
219 oidIgnoreType
220};
221
222
223enum Hash_Sum {
224 MD2h = 646,
225 MD5h = 649,
226 SHAh = 88,
227 SHA224h = 417,
228 SHA256h = 414,
229 SHA384h = 415,
230 SHA512h = 416
231};
232
233
234enum Block_Sum {
235 AES128CBCb = 414,
236 AES192CBCb = 434,
237 AES256CBCb = 454,
238 DESb = 69,
239 DES3b = 652
240};
241
242
243enum Key_Sum {
244 DSAk = 515,
245 RSAk = 645,
246 NTRUk = 274,
247 ECDSAk = 518,
248 ED25519k = 256
249};
250
251
252enum KeyWrap_Sum {
253 AES128_WRAP = 417,
254 AES192_WRAP = 437,
255 AES256_WRAP = 457
256};
257
258
259enum Key_Agree {
260 dhSinglePass_stdDH_sha1kdf_scheme = 464,
261 dhSinglePass_stdDH_sha224kdf_scheme = 188,
262 dhSinglePass_stdDH_sha256kdf_scheme = 189,
263 dhSinglePass_stdDH_sha384kdf_scheme = 190,
264 dhSinglePass_stdDH_sha512kdf_scheme = 191,
265};
266
267
268enum Ecc_Sum {
269 ECC_SECP112R1_OID = 182,
270 ECC_SECP112R2_OID = 183,
271 ECC_SECP128R1_OID = 204,
272 ECC_SECP128R2_OID = 205,
273 ECC_SECP160R1_OID = 184,
274 ECC_SECP160R2_OID = 206,
275 ECC_SECP160K1_OID = 185,
276 ECC_BRAINPOOLP160R1_OID = 98,
277 ECC_SECP192R1_OID = 520,
278 ECC_PRIME192V2_OID = 521,
279 ECC_PRIME192V3_OID = 522,
280 ECC_SECP192K1_OID = 207,
281 ECC_BRAINPOOLP192R1_OID = 100,
282 ECC_SECP224R1_OID = 209,
283 ECC_SECP224K1_OID = 208,
284 ECC_BRAINPOOLP224R1_OID = 102,
285 ECC_PRIME239V1_OID = 523,
286 ECC_PRIME239V2_OID = 524,
287 ECC_PRIME239V3_OID = 525,
288 ECC_SECP256R1_OID = 526,
289 ECC_SECP256K1_OID = 186,
290 ECC_BRAINPOOLP256R1_OID = 104,
291 ECC_X25519_OID = 365,
292 ECC_ED25519_OID = 256,
293 ECC_BRAINPOOLP320R1_OID = 106,
294 ECC_SECP384R1_OID = 210,
295 ECC_BRAINPOOLP384R1_OID = 108,
296 ECC_BRAINPOOLP512R1_OID = 110,
297 ECC_SECP521R1_OID = 211,
298};
299
300
301enum KDF_Sum {
302 PBKDF2_OID = 660
303};
304
305
306enum Extensions_Sum {
307 BASIC_CA_OID = 133,
308 ALT_NAMES_OID = 131,
309 CRL_DIST_OID = 145,
310 AUTH_INFO_OID = 69, /* id-pe 1 */
311 AUTH_KEY_OID = 149,
312 SUBJ_KEY_OID = 128,
313 CERT_POLICY_OID = 146,
314 KEY_USAGE_OID = 129, /* 2.5.29.15 */
315 INHIBIT_ANY_OID = 168, /* 2.5.29.54 */
316 EXT_KEY_USAGE_OID = 151, /* 2.5.29.37 */
317 NAME_CONS_OID = 144, /* 2.5.29.30 */
318 PRIV_KEY_USAGE_PERIOD_OID = 130, /* 2.5.29.16 */
319 SUBJECT_INFO_ACCESS = 79, /* id-pe 11 */
320 POLICY_MAP_OID = 147,
321 POLICY_CONST_OID = 150,
322 ISSUE_ALT_NAMES_OID = 132,
323 TLS_FEATURE_OID = 92 /* id-pe 24 */
324};
325
326enum CertificatePolicy_Sum {
327 CP_ANY_OID = 146 /* id-ce 32 0 */
328};
329
330enum SepHardwareName_Sum {
331 HW_NAME_OID = 79 /* 1.3.6.1.5.5.7.8.4 from RFC 4108*/
332};
333
334enum AuthInfo_Sum {
335 AIA_OCSP_OID = 116, /* 1.3.6.1.5.5.7.48.1 */
336 AIA_CA_ISSUER_OID = 117 /* 1.3.6.1.5.5.7.48.2 */
337};
338
339enum ExtKeyUsage_Sum { /* From RFC 5280 */
340 EKU_ANY_OID = 151, /* 2.5.29.37.0, anyExtendedKeyUsage */
341 EKU_SERVER_AUTH_OID = 71, /* 1.3.6.1.5.5.7.3.1, id-kp-serverAuth */
342 EKU_CLIENT_AUTH_OID = 72, /* 1.3.6.1.5.5.7.3.2, id-kp-clientAuth */
343 EKU_CODESIGNING_OID = 73, /* 1.3.6.1.5.5.7.3.3, id-kp-codeSigning */
344 EKU_EMAILPROTECT_OID = 74, /* 1.3.6.1.5.5.7.3.4, id-kp-emailProtection */
345 EKU_TIMESTAMP_OID = 78, /* 1.3.6.1.5.5.7.3.8, id-kp-timeStamping */
346 EKU_OCSP_SIGN_OID = 79 /* 1.3.6.1.5.5.7.3.9, id-kp-OCSPSigning */
347};
348
349
350enum VerifyType {
351 NO_VERIFY = 0,
352 VERIFY = 1,
353 VERIFY_CRL = 2,
354 VERIFY_OCSP = 3
355};
356
357#ifdef WOLFSSL_CERT_EXT
358enum KeyIdType {
359 SKID_TYPE = 0,
360 AKID_TYPE = 1
361};
362#endif
363
364/* Key usage extension bits (based on RFC 5280) */
365#define KEYUSE_DIGITAL_SIG 0x0080
366#define KEYUSE_CONTENT_COMMIT 0x0040
367#define KEYUSE_KEY_ENCIPHER 0x0020
368#define KEYUSE_DATA_ENCIPHER 0x0010
369#define KEYUSE_KEY_AGREE 0x0008
370#define KEYUSE_KEY_CERT_SIGN 0x0004
371#define KEYUSE_CRL_SIGN 0x0002
372#define KEYUSE_ENCIPHER_ONLY 0x0001
373#define KEYUSE_DECIPHER_ONLY 0x8000
374
375/* Extended Key Usage bits (internal mapping only) */
376#define EXTKEYUSE_OCSP_SIGN 0x40
377#define EXTKEYUSE_TIMESTAMP 0x20
378#define EXTKEYUSE_EMAILPROT 0x10
379#define EXTKEYUSE_CODESIGN 0x08
380#define EXTKEYUSE_CLIENT_AUTH 0x04
381#define EXTKEYUSE_SERVER_AUTH 0x02
382#define EXTKEYUSE_ANY 0x01
383
384typedef struct DNS_entry DNS_entry;
385
386struct DNS_entry {
387 DNS_entry* next; /* next on DNS list */
388 char* name; /* actual DNS name */
389};
390
391
392typedef struct Base_entry Base_entry;
393
394struct Base_entry {
395 Base_entry* next; /* next on name base list */
396 char* name; /* actual name base */
397 int nameSz; /* name length */
398 byte type; /* Name base type (DNS or RFC822) */
399};
400
401
402struct DecodedName {
403 char* fullName;
404 int fullNameLen;
405 int entryCount;
406 int cnIdx;
407 int cnLen;
408 int snIdx;
409 int snLen;
410 int cIdx;
411 int cLen;
412 int lIdx;
413 int lLen;
414 int stIdx;
415 int stLen;
416 int oIdx;
417 int oLen;
418 int ouIdx;
419 int ouLen;
420 int emailIdx;
421 int emailLen;
422 int uidIdx;
423 int uidLen;
424 int serialIdx;
425 int serialLen;
426};
427
428enum SignatureState {
429 SIG_STATE_BEGIN,
430 SIG_STATE_HASH,
431 SIG_STATE_KEY,
432 SIG_STATE_DO,
433 SIG_STATE_CHECK,
434};
435
436struct SignatureCtx {
437 void* heap;
438 byte* digest;
439#ifndef NO_RSA
440 byte* out;
441 byte* plain;
442#endif
443#if defined(HAVE_ECC) || defined(HAVE_ED25519)
444 int verify;
445#endif
446 union {
447 #ifndef NO_RSA
448 struct RsaKey* rsa;
449 #endif
450 #ifdef HAVE_ECC
451 struct ecc_key* ecc;
452 #endif
453 #ifdef HAVE_ED25519
454 struct ed25519_key* ed25519;
455 #endif
456 void* ptr;
457 } key;
458 int devId;
459 int state;
460 int typeH;
461 int digestSz;
462 word32 keyOID;
463#ifdef WOLFSSL_ASYNC_CRYPT
464 WC_ASYNC_DEV* asyncDev;
465 void* asyncCtx;
466#endif
467};
468
469enum CertSignState {
470 CERTSIGN_STATE_BEGIN,
471 CERTSIGN_STATE_DIGEST,
472 CERTSIGN_STATE_ENCODE,
473 CERTSIGN_STATE_DO,
474};
475
476struct CertSignCtx {
477 byte* sig;
478 byte* digest;
479 #ifndef NO_RSA
480 byte* encSig;
481 int encSigSz;
482 #endif
483 int state; /* enum CertSignState */
484};
485
486
487typedef struct DecodedCert DecodedCert;
488typedef struct DecodedName DecodedName;
489typedef struct Signer Signer;
490#ifdef WOLFSSL_TRUST_PEER_CERT
491typedef struct TrustedPeerCert TrustedPeerCert;
492#endif /* WOLFSSL_TRUST_PEER_CERT */
493typedef struct SignatureCtx SignatureCtx;
494typedef struct CertSignCtx CertSignCtx;
495
496
497struct DecodedCert {
498 byte* publicKey;
499 word32 pubKeySize;
500 int pubKeyStored;
501 word32 certBegin; /* offset to start of cert */
502 word32 sigIndex; /* offset to start of signature */
503 word32 sigLength; /* length of signature */
504 word32 signatureOID; /* sum of algorithm object id */
505 word32 keyOID; /* sum of key algo object id */
506 int version; /* cert version, 1 or 3 */
507 DNS_entry* altNames; /* alt names list of dns entries */
508#ifndef IGNORE_NAME_CONSTRAINTS
509 DNS_entry* altEmailNames; /* alt names list of RFC822 entries */
510 Base_entry* permittedNames; /* Permitted name bases */
511 Base_entry* excludedNames; /* Excluded name bases */
512#endif /* IGNORE_NAME_CONSTRAINTS */
513 byte subjectHash[KEYID_SIZE]; /* hash of all Names */
514 byte issuerHash[KEYID_SIZE]; /* hash of all Names */
515#ifdef HAVE_OCSP
516 byte issuerKeyHash[KEYID_SIZE]; /* hash of the public Key */
517#endif /* HAVE_OCSP */
518 byte* signature; /* not owned, points into raw cert */
519 char* subjectCN; /* CommonName */
520 int subjectCNLen; /* CommonName Length */
521 char subjectCNEnc; /* CommonName Encoding */
522 int subjectCNStored; /* have we saved a copy we own */
523 char issuer[ASN_NAME_MAX]; /* full name including common name */
524 char subject[ASN_NAME_MAX]; /* full name including common name */
525 int verify; /* Default to yes, but could be off */
526 byte* source; /* byte buffer holder cert, NOT owner */
527 word32 srcIdx; /* current offset into buffer */
528 word32 maxIdx; /* max offset based on init size */
529 void* heap; /* for user memory overrides */
530 byte serial[EXTERNAL_SERIAL_SIZE]; /* raw serial number */
531 int serialSz; /* raw serial bytes stored */
532 byte* extensions; /* not owned, points into raw cert */
533 int extensionsSz; /* length of cert extensions */
534 word32 extensionsIdx; /* if want to go back and parse later */
535 byte* extAuthInfo; /* Authority Information Access URI */
536 int extAuthInfoSz; /* length of the URI */
537 byte* extCrlInfo; /* CRL Distribution Points */
538 int extCrlInfoSz; /* length of the URI */
539 byte extSubjKeyId[KEYID_SIZE]; /* Subject Key ID */
540 byte extSubjKeyIdSet; /* Set when the SKID was read from cert */
541 byte extAuthKeyId[KEYID_SIZE]; /* Authority Key ID */
542 byte extAuthKeyIdSet; /* Set when the AKID was read from cert */
543#ifndef IGNORE_NAME_CONSTRAINTS
544 byte extNameConstraintSet;
545#endif /* IGNORE_NAME_CONSTRAINTS */
546 byte isCA; /* CA basic constraint true */
547 byte pathLengthSet; /* CA basic const path length set */
548 byte pathLength; /* CA basic constraint path length */
549 byte weOwnAltNames; /* altNames haven't been given to copy */
550 byte extKeyUsageSet;
551 word16 extKeyUsage; /* Key usage bitfield */
552 byte extExtKeyUsageSet; /* Extended Key Usage */
553 byte extExtKeyUsage; /* Extended Key usage bitfield */
554#ifdef OPENSSL_EXTRA
555 byte extCRLdistSet;
556 byte extCRLdistCrit;
557 byte extAuthInfoSet;
558 byte extAuthInfoCrit;
559 byte extBasicConstSet;
560 byte extBasicConstCrit;
561 byte extSubjAltNameSet;
562 byte extSubjAltNameCrit;
563 byte extAuthKeyIdCrit;
564#ifndef IGNORE_NAME_CONSTRAINTS
565 byte extNameConstraintCrit;
566#endif /* IGNORE_NAME_CONSTRAINTS */
567 byte extSubjKeyIdCrit;
568 byte extKeyUsageCrit;
569 byte extExtKeyUsageCrit;
570 byte* extExtKeyUsageSrc;
571 word32 extExtKeyUsageSz;
572 word32 extExtKeyUsageCount;
573 byte* extAuthKeyIdSrc;
574 word32 extAuthKeyIdSz;
575 byte* extSubjKeyIdSrc;
576 word32 extSubjKeyIdSz;
577#endif
578#if defined(HAVE_ECC) || defined(HAVE_ED25519)
579 word32 pkCurveOID; /* Public Key's curve OID */
580#endif /* HAVE_ECC */
581 byte* beforeDate;
582 int beforeDateLen;
583 byte* afterDate;
584 int afterDateLen;
585#ifdef HAVE_PKCS7
586 byte* issuerRaw; /* pointer to issuer inside source */
587 int issuerRawLen;
588#endif
589#ifndef IGNORE_NAME_CONSTRAINT
590 byte* subjectRaw; /* pointer to subject inside source */
591 int subjectRawLen;
592#endif
593#if defined(WOLFSSL_CERT_GEN)
594 /* easy access to subject info for other sign */
595 char* subjectSN;
596 int subjectSNLen;
597 char subjectSNEnc;
598 char* subjectC;
599 int subjectCLen;
600 char subjectCEnc;
601 char* subjectL;
602 int subjectLLen;
603 char subjectLEnc;
604 char* subjectST;
605 int subjectSTLen;
606 char subjectSTEnc;
607 char* subjectO;
608 int subjectOLen;
609 char subjectOEnc;
610 char* subjectOU;
611 int subjectOULen;
612 char subjectOUEnc;
613 char* subjectEmail;
614 int subjectEmailLen;
615#endif /* WOLFSSL_CERT_GEN */
616#ifdef OPENSSL_EXTRA
617 DecodedName issuerName;
618 DecodedName subjectName;
619#endif /* OPENSSL_EXTRA */
620#ifdef WOLFSSL_SEP
621 int deviceTypeSz;
622 byte* deviceType;
623 int hwTypeSz;
624 byte* hwType;
625 int hwSerialNumSz;
626 byte* hwSerialNum;
627 #ifdef OPENSSL_EXTRA
628 byte extCertPolicySet;
629 byte extCertPolicyCrit;
630 #endif /* OPENSSL_EXTRA */
631#endif /* WOLFSSL_SEP */
632#ifdef WOLFSSL_CERT_EXT
633 char extCertPolicies[MAX_CERTPOL_NB][MAX_CERTPOL_SZ];
634 int extCertPoliciesNb;
635#endif /* WOLFSSL_CERT_EXT */
636
637 Signer* ca;
638 SignatureCtx sigCtx;
639};
640
641
642struct WOLFSSL_ASN1_OBJECT {
643 void* heap;
644 byte* obj;
645 int type; /* oid */
646 word32 objSz;
647 byte dynamic; /* if 1 then obj was dynamiclly created, 0 otherwise */
648};
649
650
651extern const char* BEGIN_CERT;
652extern const char* END_CERT;
653extern const char* BEGIN_CERT_REQ;
654extern const char* END_CERT_REQ;
655extern const char* BEGIN_DSA_PARAM;
656extern const char* END_DSA_PARAM;
657extern const char* BEGIN_DH_PARAM;
658extern const char* END_DH_PARAM;
659extern const char* BEGIN_X509_CRL;
660extern const char* END_X509_CRL;
661extern const char* BEGIN_RSA_PRIV;
662extern const char* END_RSA_PRIV;
663extern const char* BEGIN_PRIV_KEY;
664extern const char* END_PRIV_KEY;
665extern const char* BEGIN_ENC_PRIV_KEY;
666extern const char* END_ENC_PRIV_KEY;
667extern const char* BEGIN_EC_PRIV;
668extern const char* END_EC_PRIV;
669extern const char* BEGIN_DSA_PRIV;
670extern const char* END_DSA_PRIV;
671extern const char* BEGIN_PUB_KEY;
672extern const char* END_PUB_KEY;
673extern const char* BEGIN_EDDSA_PRIV;
674extern const char* END_EDDSA_PRIV;
675
676#ifdef NO_SHA
677 #define SIGNER_DIGEST_SIZE WC_SHA256_DIGEST_SIZE
678#else
679 #define SIGNER_DIGEST_SIZE WC_SHA_DIGEST_SIZE
680#endif
681
682/* CA Signers */
683/* if change layout change PERSIST_CERT_CACHE functions too */
684struct Signer {
685 word32 pubKeySize;
686 word32 keyOID; /* key type */
687 word16 keyUsage;
688 byte pathLength;
689 byte pathLengthSet;
690 byte* publicKey;
691 int nameLen;
692 char* name; /* common name */
693#ifndef IGNORE_NAME_CONSTRAINTS
694 Base_entry* permittedNames;
695 Base_entry* excludedNames;
696#endif /* IGNORE_NAME_CONSTRAINTS */
697 byte subjectNameHash[SIGNER_DIGEST_SIZE];
698 /* sha hash of names in certificate */
699 #ifndef NO_SKID
700 byte subjectKeyIdHash[SIGNER_DIGEST_SIZE];
701 /* sha hash of names in certificate */
702 #endif
703 Signer* next;
704};
705
706
707#ifdef WOLFSSL_TRUST_PEER_CERT
708/* used for having trusted peer certs rather then CA */
709struct TrustedPeerCert {
710 int nameLen;
711 char* name; /* common name */
712 #ifndef IGNORE_NAME_CONSTRAINTS
713 Base_entry* permittedNames;
714 Base_entry* excludedNames;
715 #endif /* IGNORE_NAME_CONSTRAINTS */
716 byte subjectNameHash[SIGNER_DIGEST_SIZE];
717 /* sha hash of names in certificate */
718 #ifndef NO_SKID
719 byte subjectKeyIdHash[SIGNER_DIGEST_SIZE];
720 /* sha hash of names in certificate */
721 #endif
722 word32 sigLen;
723 byte* sig;
724 struct TrustedPeerCert* next;
725};
726#endif /* WOLFSSL_TRUST_PEER_CERT */
727
728
729/* for testing or custom openssl wrappers */
730#if defined(WOLFSSL_TEST_CERT) || defined(OPENSSL_EXTRA)
731 #define WOLFSSL_ASN_API WOLFSSL_API
732#else
733 #define WOLFSSL_ASN_API WOLFSSL_LOCAL
734#endif
735
736WOLFSSL_ASN_API void FreeAltNames(DNS_entry*, void*);
737#ifndef IGNORE_NAME_CONSTRAINTS
738 WOLFSSL_ASN_API void FreeNameSubtrees(Base_entry*, void*);
739#endif /* IGNORE_NAME_CONSTRAINTS */
740WOLFSSL_ASN_API void InitDecodedCert(DecodedCert*, byte*, word32, void*);
741WOLFSSL_ASN_API void FreeDecodedCert(DecodedCert*);
742WOLFSSL_ASN_API int ParseCert(DecodedCert*, int type, int verify, void* cm);
743
744WOLFSSL_LOCAL int ParseCertRelative(DecodedCert*,int type,int verify,void* cm);
745WOLFSSL_LOCAL int DecodeToKey(DecodedCert*, int verify);
746
747WOLFSSL_LOCAL Signer* MakeSigner(void*);
748WOLFSSL_LOCAL void FreeSigner(Signer*, void*);
749WOLFSSL_LOCAL void FreeSignerTable(Signer**, int, void*);
750#ifdef WOLFSSL_TRUST_PEER_CERT
751WOLFSSL_LOCAL void FreeTrustedPeer(TrustedPeerCert*, void*);
752WOLFSSL_LOCAL void FreeTrustedPeerTable(TrustedPeerCert**, int, void*);
753#endif /* WOLFSSL_TRUST_PEER_CERT */
754
755WOLFSSL_ASN_API int ToTraditional(byte* buffer, word32 length);
756WOLFSSL_LOCAL int ToTraditionalInline(const byte* input, word32* inOutIdx,
757 word32 length);
758WOLFSSL_LOCAL int ToTraditionalEnc(byte* buffer, word32 length,const char*,int);
759WOLFSSL_LOCAL int DecryptContent(byte* input, word32 sz,const char* psw,int pswSz);
760WOLFSSL_LOCAL int wc_GetKeyOID(byte* key, word32 keySz, const byte** curveOID,
761 word32* oidSz, int* algoID, void* heap);
762
763typedef struct tm wolfssl_tm;
764#if defined(WOLFSSL_MYSQL_COMPATIBLE) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
765WOLFSSL_LOCAL int GetTimeString(byte* date, int format, char* buf, int len);
766#endif
767WOLFSSL_LOCAL int ExtractDate(const unsigned char* date, unsigned char format,
768 wolfssl_tm* certTime, int* idx);
769WOLFSSL_LOCAL int ValidateDate(const byte* date, byte format, int dateType);
770
771/* ASN.1 helper functions */
772#ifdef WOLFSSL_CERT_GEN
773WOLFSSL_ASN_API int SetName(byte* output, word32 outputSz, CertName* name);
774#endif
775WOLFSSL_LOCAL int GetShortInt(const byte* input, word32* inOutIdx, int* number,
776 word32 maxIdx);
777WOLFSSL_LOCAL int GetLength(const byte* input, word32* inOutIdx, int* len,
778 word32 maxIdx);
779WOLFSSL_LOCAL int GetSequence(const byte* input, word32* inOutIdx, int* len,
780 word32 maxIdx);
781WOLFSSL_LOCAL int GetSet(const byte* input, word32* inOutIdx, int* len,
782 word32 maxIdx);
783WOLFSSL_LOCAL int GetMyVersion(const byte* input, word32* inOutIdx,
784 int* version, word32 maxIdx);
785WOLFSSL_LOCAL int GetInt(mp_int* mpi, const byte* input, word32* inOutIdx,
786 word32 maxIdx);
787#ifdef HAVE_OID_ENCODING
788 WOLFSSL_LOCAL int EncodeObjectId(const word16* in, word32 inSz,
789 byte* out, word32* outSz);
790#endif
791#ifdef HAVE_OID_DECODING
792 WOLFSSL_LOCAL int DecodeObjectId(const byte* in, word32 inSz,
793 word16* out, word32* outSz);
794#endif
795WOLFSSL_LOCAL int GetObjectId(const byte* input, word32* inOutIdx, word32* oid,
796 word32 oidType, word32 maxIdx);
797WOLFSSL_LOCAL int GetAlgoId(const byte* input, word32* inOutIdx, word32* oid,
798 word32 oidType, word32 maxIdx);
799WOLFSSL_LOCAL word32 SetLength(word32 length, byte* output);
800WOLFSSL_LOCAL word32 SetSequence(word32 len, byte* output);
801WOLFSSL_LOCAL word32 SetOctetString(word32 len, byte* output);
802WOLFSSL_LOCAL word32 SetImplicit(byte tag,byte number,word32 len,byte* output);
803WOLFSSL_LOCAL word32 SetExplicit(byte number, word32 len, byte* output);
804WOLFSSL_LOCAL word32 SetSet(word32 len, byte* output);
805WOLFSSL_LOCAL word32 SetAlgoID(int algoOID,byte* output,int type,int curveSz);
806WOLFSSL_LOCAL int SetMyVersion(word32 version, byte* output, int header);
807WOLFSSL_LOCAL int SetSerialNumber(const byte* sn, word32 snSz, byte* output,
808 int maxSnSz);
809WOLFSSL_LOCAL int GetSerialNumber(const byte* input, word32* inOutIdx,
810 byte* serial, int* serialSz, word32 maxIdx);
811WOLFSSL_LOCAL int GetNameHash(const byte* source, word32* idx, byte* hash,
812 int maxIdx);
813WOLFSSL_LOCAL int wc_CheckPrivateKey(byte* key, word32 keySz, DecodedCert* der);
814
815#ifdef HAVE_ECC
816 /* ASN sig helpers */
817 WOLFSSL_LOCAL int StoreECC_DSA_Sig(byte* out, word32* outLen, mp_int* r,
818 mp_int* s);
819 WOLFSSL_LOCAL int DecodeECC_DSA_Sig(const byte* sig, word32 sigLen,
820 mp_int* r, mp_int* s);
821#endif
822
823WOLFSSL_LOCAL void InitSignatureCtx(SignatureCtx* sigCtx, void* heap, int devId);
824WOLFSSL_LOCAL void FreeSignatureCtx(SignatureCtx* sigCtx);
825
826
827#ifdef WOLFSSL_CERT_GEN
828
829enum cert_enums {
830 NAME_ENTRIES = 8,
831 JOINT_LEN = 2,
832 EMAIL_JOINT_LEN = 9,
833 RSA_KEY = 10,
834 NTRU_KEY = 11,
835 ECC_KEY = 12,
836 ED25519_KEY = 13
837};
838
839#ifndef WOLFSSL_PEMCERT_TODER_DEFINED
840#ifndef NO_FILESYSTEM
841/* forward from wolfSSL */
842WOLFSSL_API
843int wolfSSL_PemCertToDer(const char* fileName,unsigned char* derBuf,int derSz);
844#define WOLFSSL_PEMCERT_TODER_DEFINED
845#endif
846#endif
847
848#endif /* WOLFSSL_CERT_GEN */
849
850
851
852/* for pointer use */
853typedef struct CertStatus CertStatus;
854
855#ifdef HAVE_OCSP
856
857enum Ocsp_Response_Status {
858 OCSP_SUCCESSFUL = 0, /* Response has valid confirmations */
859 OCSP_MALFORMED_REQUEST = 1, /* Illegal confirmation request */
860 OCSP_INTERNAL_ERROR = 2, /* Internal error in issuer */
861 OCSP_TRY_LATER = 3, /* Try again later */
862 OCSP_SIG_REQUIRED = 5, /* Must sign the request (4 is skipped) */
863 OCSP_UNAUTHROIZED = 6 /* Request unauthorized */
864};
865
866
867enum Ocsp_Cert_Status {
868 CERT_GOOD = 0,
869 CERT_REVOKED = 1,
870 CERT_UNKNOWN = 2
871};
872
873
874enum Ocsp_Sums {
875 OCSP_BASIC_OID = 117,
876 OCSP_NONCE_OID = 118
877};
878
879
880typedef struct OcspRequest OcspRequest;
881typedef struct OcspResponse OcspResponse;
882
883
884struct CertStatus {
885 CertStatus* next;
886
887 byte serial[EXTERNAL_SERIAL_SIZE];
888 int serialSz;
889
890 int status;
891
892 byte thisDate[MAX_DATE_SIZE];
893 byte nextDate[MAX_DATE_SIZE];
894 byte thisDateFormat;
895 byte nextDateFormat;
896#if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
897 byte* thisDateAsn;
898 byte* nextDateAsn;
899#endif
900
901 byte* rawOcspResponse;
902 word32 rawOcspResponseSz;
903};
904
905
906struct OcspResponse {
907 int responseStatus; /* return code from Responder */
908
909 byte* response; /* Pointer to beginning of OCSP Response */
910 word32 responseSz; /* length of the OCSP Response */
911
912 byte producedDate[MAX_DATE_SIZE];
913 /* Date at which this response was signed */
914 byte producedDateFormat; /* format of the producedDate */
915 byte* issuerHash;
916 byte* issuerKeyHash;
917
918 byte* cert;
919 word32 certSz;
920
921 byte* sig; /* Pointer to sig in source */
922 word32 sigSz; /* Length in octets for the sig */
923 word32 sigOID; /* OID for hash used for sig */
924
925 CertStatus* status; /* certificate status to fill out */
926
927 byte* nonce; /* pointer to nonce inside ASN.1 response */
928 int nonceSz; /* length of the nonce string */
929
930 byte* source; /* pointer to source buffer, not owned */
931 word32 maxIdx; /* max offset based on init size */
932};
933
934
935struct OcspRequest {
936 byte issuerHash[KEYID_SIZE];
937 byte issuerKeyHash[KEYID_SIZE];
938 byte* serial; /* copy of the serial number in source cert */
939 int serialSz;
940 byte* url; /* copy of the extAuthInfo in source cert */
941 int urlSz;
942
943 byte nonce[MAX_OCSP_NONCE_SZ];
944 int nonceSz;
945 void* heap;
946 void* ssl;
947};
948
949
950WOLFSSL_LOCAL void InitOcspResponse(OcspResponse*, CertStatus*, byte*, word32);
951WOLFSSL_LOCAL int OcspResponseDecode(OcspResponse*, void*, void* heap, int);
952
953WOLFSSL_LOCAL int InitOcspRequest(OcspRequest*, DecodedCert*, byte, void*);
954WOLFSSL_LOCAL void FreeOcspRequest(OcspRequest*);
955WOLFSSL_LOCAL int EncodeOcspRequest(OcspRequest*, byte*, word32);
956WOLFSSL_LOCAL word32 EncodeOcspRequestExtensions(OcspRequest*, byte*, word32);
957
958
959WOLFSSL_LOCAL int CompareOcspReqResp(OcspRequest*, OcspResponse*);
960
961
962#endif /* HAVE_OCSP */
963
964
965/* for pointer use */
966typedef struct RevokedCert RevokedCert;
967
968#ifdef HAVE_CRL
969
970struct RevokedCert {
971 byte serialNumber[EXTERNAL_SERIAL_SIZE];
972 int serialSz;
973 RevokedCert* next;
974};
975
976typedef struct DecodedCRL DecodedCRL;
977
978struct DecodedCRL {
979 word32 certBegin; /* offset to start of cert */
980 word32 sigIndex; /* offset to start of signature */
981 word32 sigLength; /* length of signature */
982 word32 signatureOID; /* sum of algorithm object id */
983 byte* signature; /* pointer into raw source, not owned */
984 byte issuerHash[SIGNER_DIGEST_SIZE]; /* issuer hash */
985 byte crlHash[SIGNER_DIGEST_SIZE]; /* raw crl data hash */
986 byte lastDate[MAX_DATE_SIZE]; /* last date updated */
987 byte nextDate[MAX_DATE_SIZE]; /* next update date */
988 byte lastDateFormat; /* format of last date */
989 byte nextDateFormat; /* format of next date */
990 RevokedCert* certs; /* revoked cert list */
991 int totalCerts; /* number on list */
992 void* heap;
993};
994
995WOLFSSL_LOCAL void InitDecodedCRL(DecodedCRL*, void* heap);
996WOLFSSL_LOCAL int VerifyCRL_Signature(SignatureCtx* sigCtx,
997 const byte* toBeSigned, word32 tbsSz,
998 const byte* signature, word32 sigSz,
999 word32 signatureOID, Signer *ca,
1000 void* heap);
1001WOLFSSL_LOCAL int ParseCRL(DecodedCRL*, const byte* buff, word32 sz, void* cm);
1002WOLFSSL_LOCAL void FreeDecodedCRL(DecodedCRL*);
1003
1004
1005#endif /* HAVE_CRL */
1006
1007
1008#ifdef __cplusplus
1009 } /* extern "C" */
1010#endif
1011
1012#endif /* !NO_ASN */
1013#endif /* WOLF_CRYPT_ASN_H */
Note: See TracBrowser for help on using the repository browser.