asn.h
Go to the documentation of this file.
1 /* asn.h
2  *
3  * Copyright (C) 2006-2020 wolfSSL Inc.
4  *
5  * This file is part of wolfSSL.
6  *
7  * wolfSSL is free software; you can redistribute it and/or modify
8  * it under the terms of the GNU General Public License as published by
9  * the Free Software Foundation; either version 2 of the License, or
10  * (at your option) any later version.
11  *
12  * wolfSSL is distributed in the hope that it will be useful,
13  * but WITHOUT ANY WARRANTY; without even the implied warranty of
14  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15  * GNU General Public License for more details.
16  *
17  * You should have received a copy of the GNU General Public License
18  * along with this program; if not, write to the Free Software
19  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
20  */
21 
26 #ifndef WOLF_CRYPT_ASN_H
27 #define WOLF_CRYPT_ASN_H
28 
29 #include <wolfssl/wolfcrypt/types.h>
30 
31 #ifndef NO_ASN
32 
33 
34 #if !defined(NO_ASN_TIME) && defined(NO_TIME_H)
35  #define NO_ASN_TIME /* backwards compatibility with NO_TIME_H */
36 #endif
37 
38 #include <wolfssl/wolfcrypt/integer.h>
39 
40 /* fips declare of RsaPrivateKeyDecode @wc_fips */
41 #if defined(HAVE_FIPS) && !defined(NO_RSA) && \
42  (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2))
43  #include <cyassl/ctaocrypt/rsa.h>
44 #endif
45 
46 #ifndef NO_DH
47  #include <wolfssl/wolfcrypt/dh.h>
48 #endif
49 #ifndef NO_DSA
50  #include <wolfssl/wolfcrypt/dsa.h>
51 #endif
52 #ifndef NO_SHA
53  #include <wolfssl/wolfcrypt/sha.h>
54 #endif
55 #ifndef NO_MD5
56  #include <wolfssl/wolfcrypt/md5.h>
57 #endif
58 #include <wolfssl/wolfcrypt/sha256.h>
59 #include <wolfssl/wolfcrypt/asn_public.h> /* public interface */
60 
61 #if defined(NO_SHA) && defined(NO_SHA256)
62  #define WC_SHA256_DIGEST_SIZE 32
63 #endif
64 
65 #ifdef __cplusplus
66  extern "C" {
67 #endif
68 
69 #ifndef EXTERNAL_SERIAL_SIZE
70  #define EXTERNAL_SERIAL_SIZE 32
71 #endif
72 
73 enum {
74  ISSUER = 0,
75  SUBJECT = 1,
76 
77  BEFORE = 0,
78  AFTER = 1
79 };
80 
81 /* ASN Tags */
82 enum ASN_Tags {
83  ASN_EOC = 0x00,
84  ASN_BOOLEAN = 0x01,
85  ASN_INTEGER = 0x02,
86  ASN_BIT_STRING = 0x03,
87  ASN_OCTET_STRING = 0x04,
88  ASN_TAG_NULL = 0x05,
89  ASN_OBJECT_ID = 0x06,
90  ASN_ENUMERATED = 0x0a,
91  ASN_UTF8STRING = 0x0c,
92  ASN_SEQUENCE = 0x10,
93  ASN_SET = 0x11,
94  ASN_PRINTABLE_STRING = 0x13,
95  ASN_UTC_TIME = 0x17,
96  ASN_OTHER_TYPE = 0x00,
97  ASN_RFC822_TYPE = 0x01,
98  ASN_DNS_TYPE = 0x02,
99  ASN_DIR_TYPE = 0x04,
100  ASN_URI_TYPE = 0x06, /* the value 6 is from GeneralName OID */
101  ASN_IP_TYPE = 0x07, /* the value 7 is from GeneralName OID */
102  ASN_GENERALIZED_TIME = 0x18,
103  CRL_EXTENSIONS = 0xa0,
104  ASN_EXTENSIONS = 0xa3,
105  ASN_LONG_LENGTH = 0x80,
106  ASN_INDEF_LENGTH = 0x80,
107 
108  /* ASN_Flags - Bitmask */
109  ASN_CONSTRUCTED = 0x20,
110  ASN_APPLICATION = 0x40,
111  ASN_CONTEXT_SPECIFIC = 0x80,
112 };
113 
114 #define ASN_UTC_TIME_SIZE 14
115 #define ASN_GENERALIZED_TIME_SIZE 16
116 #define ASN_GENERALIZED_TIME_MAX 68
117 
118 enum DN_Tags {
119  ASN_DN_NULL = 0x00,
120  ASN_COMMON_NAME = 0x03, /* CN */
121  ASN_SUR_NAME = 0x04, /* SN */
122  ASN_SERIAL_NUMBER = 0x05, /* serialNumber */
123  ASN_COUNTRY_NAME = 0x06, /* C */
124  ASN_LOCALITY_NAME = 0x07, /* L */
125  ASN_STATE_NAME = 0x08, /* ST */
126  ASN_ORG_NAME = 0x0a, /* O */
127  ASN_ORGUNIT_NAME = 0x0b, /* OU */
128  ASN_BUS_CAT = 0x0f, /* businessCategory */
129  ASN_EMAIL_NAME = 0x98, /* not oid number there is 97 in 2.5.4.0-97 */
130 
131  /* pilot attribute types
132  * OID values of 0.9.2342.19200300.100.1.* */
133  ASN_USER_ID = 0x01, /* UID */
134  ASN_DOMAIN_COMPONENT = 0x19 /* DC */
135 };
136 
137 #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
138 typedef struct WOLFSSL_ObjectInfo {
139  int nid;
140  int id;
141  word32 type;
142  const char* sName;
143  const char* lName;
144 } WOLFSSL_ObjectInfo;
145 extern const size_t wolfssl_object_info_sz;
146 extern const WOLFSSL_ObjectInfo wolfssl_object_info[];
147 #endif /* defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) */
148 
149 /* DN Tag Strings */
150 #define WOLFSSL_COMMON_NAME "/CN="
151 #define WOLFSSL_LN_COMMON_NAME "/commonName="
152 #define WOLFSSL_SUR_NAME "/SN="
153 #define WOLFSSL_SERIAL_NUMBER "/serialNumber="
154 #define WOLFSSL_COUNTRY_NAME "/C="
155 #define WOLFSSL_LN_COUNTRY_NAME "/countryName="
156 #define WOLFSSL_LOCALITY_NAME "/L="
157 #define WOLFSSL_LN_LOCALITY_NAME "/localityName="
158 #define WOLFSSL_STATE_NAME "/ST="
159 #define WOLFSSL_LN_STATE_NAME "/stateOrProvinceName="
160 #define WOLFSSL_ORG_NAME "/O="
161 #define WOLFSSL_LN_ORG_NAME "/organizationName="
162 #define WOLFSSL_ORGUNIT_NAME "/OU="
163 #define WOLFSSL_LN_ORGUNIT_NAME "/organizationalUnitName="
164 #define WOLFSSL_DOMAIN_COMPONENT "/DC="
165 #define WOLFSSL_LN_DOMAIN_COMPONENT "/domainComponent="
166 #define WOLFSSL_BUS_CAT "/businessCategory="
167 #define WOLFSSL_JOI_C "/jurisdictionC="
168 #define WOLFSSL_JOI_ST "/jurisdictionST="
169 #define WOLFSSL_EMAIL_ADDR "/emailAddress="
170 
171 #define WOLFSSL_USER_ID "/UID="
172 #define WOLFSSL_DOMAIN_COMPONENT "/DC="
173 
174 #if defined(WOLFSSL_APACHE_HTTPD)
175  /* otherName strings */
176  #define WOLFSSL_SN_MS_UPN "msUPN"
177  #define WOLFSSL_LN_MS_UPN "Microsoft User Principal Name"
178  #define WOLFSSL_MS_UPN_SUM 265
179  #define WOLFSSL_SN_DNS_SRV "id-on-dnsSRV"
180  #define WOLFSSL_LN_DNS_SRV "SRVName"
181  /* TLS features extension strings */
182  #define WOLFSSL_SN_TLS_FEATURE "tlsfeature"
183  #define WOLFSSL_LN_TLS_FEATURE "TLS Feature"
184  #define WOLFSSL_TLS_FEATURE_SUM 92
185 #endif
186 
187 /* NIDs */
188 enum
189 {
190  NID_undef = 0,
191  NID_netscape_cert_type = NID_undef,
192  NID_des = 66,
193  NID_des3 = 67,
194  NID_sha256 = 672,
195  NID_sha384 = 673,
196  NID_sha512 = 674,
197  NID_hw_name_oid = 73,
198  NID_id_pkix_OCSP_basic = 74,
199  NID_any_policy = 75,
200  NID_anyExtendedKeyUsage = 76,
201  NID_givenName = 99,
202  NID_initials = 101,
203  NID_title = 106,
204  NID_description = 107,
205  NID_basic_constraints = 133,
206  NID_key_usage = 129, /* 2.5.29.15 */
207  NID_ext_key_usage = 151, /* 2.5.29.37 */
208  NID_subject_key_identifier = 128,
209  NID_authority_key_identifier = 149,
210  NID_private_key_usage_period = 130, /* 2.5.29.16 */
211  NID_subject_alt_name = 131,
212  NID_issuer_alt_name = 132,
213  NID_info_access = 69,
214  NID_sinfo_access = 79, /* id-pe 11 */
215  NID_name_constraints = 144, /* 2.5.29.30 */
216  NID_crl_distribution_points = 145, /* 2.5.29.31 */
217  NID_certificate_policies = 146,
218  NID_policy_mappings = 147,
219  NID_policy_constraints = 150,
220  NID_inhibit_any_policy = 168, /* 2.5.29.54 */
221  NID_tlsfeature = 1020, /* id-pe 24 */
222  NID_commonName = 0x03, /* matches ASN_COMMON_NAME in asn.h */
223 
224 
225  NID_surname = 0x04, /* SN */
226  NID_serialNumber = 0x05, /* serialNumber */
227  NID_countryName = 0x06, /* C */
228  NID_localityName = 0x07, /* L */
229  NID_stateOrProvinceName = 0x08, /* ST */
230  NID_organizationName = 0x0a, /* O */
231  NID_organizationalUnitName = 0x0b, /* OU */
232  NID_jurisdictionCountryName = 0xc,
233  NID_jurisdictionStateOrProvinceName = 0xd,
234  NID_businessCategory = ASN_BUS_CAT,
235  NID_domainComponent = ASN_DOMAIN_COMPONENT,
236  NID_emailAddress = 0x30, /* emailAddress */
237  NID_id_on_dnsSRV = 82, /* 1.3.6.1.5.5.7.8.7 */
238  NID_ms_upn = 265, /* 1.3.6.1.4.1.311.20.2.3 */
239 
240  NID_X9_62_prime_field = 406 /* 1.2.840.10045.1.1 */
241 };
242 
243 enum ECC_TYPES
244 {
245  ECC_PREFIX_0 = 160,
246  ECC_PREFIX_1 = 161
247 };
248 
249 #ifdef WOLFSSL_CERT_PIV
250  enum PIV_Tags {
251  ASN_PIV_CERT = 0x0A,
252  ASN_PIV_NONCE = 0x0B,
253  ASN_PIV_SIGNED_NONCE = 0x0C,
254 
255  ASN_PIV_TAG_CERT = 0x70,
256  ASN_PIV_TAG_CERT_INFO = 0x71,
257  ASN_PIV_TAG_MSCUID = 0x72,
258  ASN_PIV_TAG_ERR_DET = 0xFE,
259 
260  /* certificate info masks */
261  ASN_PIV_CERT_INFO_COMPRESSED = 0x03,
262  ASN_PIV_CERT_INFO_ISX509 = 0x04,
263  };
264 #endif /* WOLFSSL_CERT_PIV */
265 
266 
267 #define ASN_JOI_PREFIX_SZ 10
268 #define ASN_JOI_PREFIX "\x2b\x06\x01\x04\x01\x82\x37\x3c\x02\x01"
269 #define ASN_JOI_C 0x3
270 #define ASN_JOI_ST 0x2
271 
272 #ifndef WC_ASN_NAME_MAX
273  #ifdef OPENSSL_EXTRA
274  #define WC_ASN_NAME_MAX 300
275  #else
276  #define WC_ASN_NAME_MAX 256
277  #endif
278 #endif
279 #define ASN_NAME_MAX WC_ASN_NAME_MAX
280 
281 enum Misc_ASN {
282  MAX_SALT_SIZE = 64, /* MAX PKCS Salt length */
283  MAX_IV_SIZE = 64, /* MAX PKCS Iv length */
284  ASN_BOOL_SIZE = 2, /* including type */
285  ASN_ECC_HEADER_SZ = 2, /* String type + 1 byte len */
286  ASN_ECC_CONTEXT_SZ = 2, /* Content specific type + 1 byte len */
287 #ifdef NO_SHA
288  KEYID_SIZE = WC_SHA256_DIGEST_SIZE,
289 #else
290  KEYID_SIZE = WC_SHA_DIGEST_SIZE,
291 #endif
292  RSA_INTS = 8, /* RSA ints in private key */
293  DSA_INTS = 5, /* DSA ints in private key */
294  MIN_DATE_SIZE = 13,
295  MAX_DATE_SIZE = 32,
296  ASN_GEN_TIME_SZ = 15, /* 7 numbers * 2 + Zulu tag */
297 #ifndef NO_RSA
298  MAX_ENCODED_SIG_SZ = 512,
299 #elif defined(HAVE_ECC)
300  MAX_ENCODED_SIG_SZ = 140,
301 #elif defined(HAVE_CURVE448)
302  MAX_ENCODED_SIG_SZ = 114,
303 #else
304  MAX_ENCODED_SIG_SZ = 64,
305 #endif
306  MAX_SIG_SZ = 256,
307  MAX_ALGO_SZ = 20,
308  MAX_SHORT_SZ = 6, /* asn int + byte len + 4 byte length */
309  MAX_SEQ_SZ = 5, /* enum(seq | con) + length(4) */
310  MAX_SET_SZ = 5, /* enum(set | con) + length(4) */
311  MAX_OCTET_STR_SZ = 5, /* enum(set | con) + length(4) */
312  MAX_EXP_SZ = 5, /* enum(contextspec|con|exp) + length(4) */
313  MAX_PRSTR_SZ = 5, /* enum(prstr) + length(4) */
314  MAX_VERSION_SZ = 5, /* enum + id + version(byte) + (header(2))*/
315  MAX_ENCODED_DIG_ASN_SZ= 9, /* enum(bit or octet) + length(4) */
316  MAX_ENCODED_DIG_SZ = 64 + MAX_ENCODED_DIG_ASN_SZ, /* asn header + sha512 */
317  MAX_RSA_INT_SZ = 517, /* RSA raw sz 4096 for bits + tag + len(4) */
318  MAX_DSA_INT_SZ = 261, /* DSA raw sz 2048 for bits + tag + len(4) */
319  MAX_NTRU_KEY_SZ = 610, /* NTRU 112 bit public key */
320  MAX_NTRU_ENC_SZ = 628, /* NTRU 112 bit DER public encoding */
321  MAX_LENGTH_SZ = 4, /* Max length size for DER encoding */
322  MAX_RSA_E_SZ = 16, /* Max RSA public e size */
323  MAX_CA_SZ = 32, /* Max encoded CA basic constraint length */
324  MAX_SN_SZ = 35, /* Max encoded serial number (INT) length */
325  MAX_DER_DIGEST_SZ = MAX_ENCODED_DIG_SZ + MAX_ALGO_SZ + MAX_SEQ_SZ,
326  /* Maximum DER digest size */
327  MAX_DER_DIGEST_ASN_SZ = MAX_ENCODED_DIG_ASN_SZ + MAX_ALGO_SZ + MAX_SEQ_SZ,
328  /* Maximum DER digest ASN header size */
329 #ifdef WOLFSSL_CERT_GEN
330  #ifdef WOLFSSL_CERT_REQ
331  /* Max encoded cert req attributes length */
332  MAX_ATTRIB_SZ = MAX_SEQ_SZ * 3 + (11 + MAX_SEQ_SZ) * 2 +
333  MAX_PRSTR_SZ + CTC_NAME_SIZE, /* 11 is the OID size */
334  #endif
335  #if defined(WOLFSSL_ALT_NAMES) || defined(WOLFSSL_CERT_EXT)
336  MAX_EXTENSIONS_SZ = 1 + MAX_LENGTH_SZ + CTC_MAX_ALT_SIZE,
337  #else
338  MAX_EXTENSIONS_SZ = 1 + MAX_LENGTH_SZ + MAX_CA_SZ,
339  #endif
340  /* Max total extensions, id + len + others */
341 #endif
342 #if defined(WOLFSSL_CERT_EXT) || defined(OPENSSL_EXTRA) || defined(HAVE_PKCS7)
343  MAX_OID_SZ = 32, /* Max DER length of OID*/
344  MAX_OID_STRING_SZ = 64, /* Max string length representation of OID*/
345 #endif
346 #ifdef WOLFSSL_CERT_EXT
347  MAX_KID_SZ = 45, /* Max encoded KID length (SHA-256 case) */
348  MAX_KEYUSAGE_SZ = 18, /* Max encoded Key Usage length */
349  MAX_EXTKEYUSAGE_SZ = 12 + (6 * (8 + 2)) +
350  CTC_MAX_EKU_OID_SZ, /* Max encoded ExtKeyUsage
351  (SEQ/LEN + OBJID + OCTSTR/LEN + SEQ +
352  (6 * (SEQ + OID))) */
353  MAX_CERTPOL_NB = CTC_MAX_CERTPOL_NB,/* Max number of Cert Policy */
354  MAX_CERTPOL_SZ = CTC_MAX_CERTPOL_SZ,
355 #endif
356  MAX_AIA_SZ = 2, /* Max Authority Info Access extension size*/
357  MAX_NAME_ENTRIES = 5, /* extra entries added to x509 name struct */
358  OCSP_NONCE_EXT_SZ = 35, /* OCSP Nonce Extension size */
359  MAX_OCSP_EXT_SZ = 58, /* Max OCSP Extension length */
360  MAX_OCSP_NONCE_SZ = 16, /* OCSP Nonce size */
361  EIGHTK_BUF = 8192, /* Tmp buffer size */
362  MAX_PUBLIC_KEY_SZ = MAX_NTRU_ENC_SZ + MAX_ALGO_SZ + MAX_SEQ_SZ * 2,
363  /* use bigger NTRU size */
364 #ifdef WOLFSSL_ENCRYPTED_KEYS
365  HEADER_ENCRYPTED_KEY_SIZE = 88,/* Extra header size for encrypted key */
366 #else
367  HEADER_ENCRYPTED_KEY_SIZE = 0,
368 #endif
369  TRAILING_ZERO = 1, /* Used for size of zero pad */
370  ASN_TAG_SZ = 1, /* single byte ASN.1 tag */
371  MIN_VERSION_SZ = 3, /* Min bytes needed for GetMyVersion */
372 #if defined(OPENSSL_ALL) || defined(WOLFSSL_MYSQL_COMPATIBLE) || \
373  defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) || \
374  defined(OPENSSL_EXTRA) || defined(HAVE_PKCS7)
375  MAX_TIME_STRING_SZ = 25, /* Max length of formatted time string */
376 #endif
377 
378  PKCS5_SALT_SZ = 8,
379 
380  PEM_LINE_LEN = 80, /* PEM line max + fudge */
381 };
382 
383 
384 enum Oid_Types {
385  oidHashType = 0,
386  oidSigType = 1,
387  oidKeyType = 2,
388  oidCurveType = 3,
389  oidBlkType = 4,
390  oidOcspType = 5,
391  oidCertExtType = 6,
392  oidCertAuthInfoType = 7,
393  oidCertPolicyType = 8,
394  oidCertAltNameType = 9,
395  oidCertKeyUseType = 10,
396  oidKdfType = 11,
397  oidKeyWrapType = 12,
398  oidCmsKeyAgreeType = 13,
399  oidPBEType = 14,
400  oidHmacType = 15,
401  oidCompressType = 16,
402  oidCertNameType = 17,
403  oidTlsExtType = 18,
404  oidCrlExtType = 19,
405  oidIgnoreType
406 };
407 
408 
409 enum Hash_Sum {
410  MD2h = 646,
411  MD5h = 649,
412  SHAh = 88,
413  SHA224h = 417,
414  SHA256h = 414,
415  SHA384h = 415,
416  SHA512h = 416,
417  SHA3_224h = 420,
418  SHA3_256h = 421,
419  SHA3_384h = 422,
420  SHA3_512h = 423
421 };
422 
423 
424 #if !defined(NO_DES3) || !defined(NO_AES)
425 enum Block_Sum {
426 #ifdef WOLFSSL_AES_128
427  AES128CBCb = 414,
428  AES128GCMb = 418,
429  AES128CCMb = 419,
430 #endif
431 #ifdef WOLFSSL_AES_192
432  AES192CBCb = 434,
433  AES192GCMb = 438,
434  AES192CCMb = 439,
435 #endif
436 #ifdef WOLFSSL_AES_256
437  AES256CBCb = 454,
438  AES256GCMb = 458,
439  AES256CCMb = 459,
440 #endif
441 #ifndef NO_DES3
442  DESb = 69,
443  DES3b = 652
444 #endif
445 };
446 #endif /* !NO_DES3 || !NO_AES */
447 
448 
449 enum Key_Sum {
450  DSAk = 515,
451  RSAk = 645,
452  NTRUk = 274,
453  ECDSAk = 518,
454  ED25519k = 256,
455  ED448k = 257,
456  DHk = 647, /* dhKeyAgreement OID: 1.2.840.113549.1.3.1 */
457 };
458 
459 #if !defined(NO_AES) || defined(HAVE_PKCS7)
460 enum KeyWrap_Sum {
461 #ifdef WOLFSSL_AES_128
462  AES128_WRAP = 417,
463 #endif
464 #ifdef WOLFSSL_AES_192
465  AES192_WRAP = 437,
466 #endif
467 #ifdef WOLFSSL_AES_256
468  AES256_WRAP = 457,
469 #endif
470 #ifdef HAVE_PKCS7
471  PWRI_KEK_WRAP = 680 /*id-alg-PWRI-KEK, 1.2.840.113549.1.9.16.3.9 */
472 #endif
473 };
474 #endif /* !NO_AES || PKCS7 */
475 
476 enum Key_Agree {
477  dhSinglePass_stdDH_sha1kdf_scheme = 464,
478  dhSinglePass_stdDH_sha224kdf_scheme = 188,
479  dhSinglePass_stdDH_sha256kdf_scheme = 189,
480  dhSinglePass_stdDH_sha384kdf_scheme = 190,
481  dhSinglePass_stdDH_sha512kdf_scheme = 191,
482 };
483 
484 
485 
486 enum KDF_Sum {
487  PBKDF2_OID = 660
488 };
489 
490 
491 enum HMAC_Sum {
492  HMAC_SHA224_OID = 652,
493  HMAC_SHA256_OID = 653,
494  HMAC_SHA384_OID = 654,
495  HMAC_SHA512_OID = 655,
496  HMAC_SHA3_224_OID = 426,
497  HMAC_SHA3_256_OID = 427,
498  HMAC_SHA3_384_OID = 428,
499  HMAC_SHA3_512_OID = 429
500 };
501 
502 
503 enum Extensions_Sum {
504  BASIC_CA_OID = 133,
505  ALT_NAMES_OID = 131,
506  CRL_DIST_OID = 145,
507  AUTH_INFO_OID = 69, /* id-pe 1 */
508  AUTH_KEY_OID = 149,
509  SUBJ_KEY_OID = 128,
510  CERT_POLICY_OID = 146,
511  KEY_USAGE_OID = 129, /* 2.5.29.15 */
512  INHIBIT_ANY_OID = 168, /* 2.5.29.54 */
513  EXT_KEY_USAGE_OID = 151, /* 2.5.29.37 */
514  NAME_CONS_OID = 144, /* 2.5.29.30 */
515  PRIV_KEY_USAGE_PERIOD_OID = 130, /* 2.5.29.16 */
516  SUBJECT_INFO_ACCESS = 79, /* id-pe 11 */
517  POLICY_MAP_OID = 147,
518  POLICY_CONST_OID = 150,
519  ISSUE_ALT_NAMES_OID = 132,
520  TLS_FEATURE_OID = 92, /* id-pe 24 */
521  NETSCAPE_CT_OID = 753 /* 2.16.840.1.113730.1.1 */
522 };
523 
524 enum CertificatePolicy_Sum {
525  CP_ANY_OID = 146 /* id-ce 32 0 */
526 };
527 
528 enum SepHardwareName_Sum {
529  HW_NAME_OID = 79 /* 1.3.6.1.5.5.7.8.4 from RFC 4108*/
530 };
531 
532 enum AuthInfo_Sum {
533  AIA_OCSP_OID = 116, /* 1.3.6.1.5.5.7.48.1 */
534  AIA_CA_ISSUER_OID = 117 /* 1.3.6.1.5.5.7.48.2 */
535 };
536 
537 enum ExtKeyUsage_Sum { /* From RFC 5280 */
538  EKU_ANY_OID = 151, /* 2.5.29.37.0, anyExtendedKeyUsage */
539  EKU_SERVER_AUTH_OID = 71, /* 1.3.6.1.5.5.7.3.1, id-kp-serverAuth */
540  EKU_CLIENT_AUTH_OID = 72, /* 1.3.6.1.5.5.7.3.2, id-kp-clientAuth */
541  EKU_CODESIGNING_OID = 73, /* 1.3.6.1.5.5.7.3.3, id-kp-codeSigning */
542  EKU_EMAILPROTECT_OID = 74, /* 1.3.6.1.5.5.7.3.4, id-kp-emailProtection */
543  EKU_TIMESTAMP_OID = 78, /* 1.3.6.1.5.5.7.3.8, id-kp-timeStamping */
544  EKU_OCSP_SIGN_OID = 79 /* 1.3.6.1.5.5.7.3.9, id-kp-OCSPSigning */
545 };
546 
547 #ifdef HAVE_LIBZ
548 enum CompressAlg_Sum {
549  ZLIBc = 679 /* 1.2.840.113549.1.9.16.3.8, id-alg-zlibCompress */
550 };
551 #endif
552 
553 enum VerifyType {
554  NO_VERIFY = 0,
555  VERIFY = 1,
556  VERIFY_CRL = 2,
557  VERIFY_OCSP = 3,
558  VERIFY_NAME = 4,
559  VERIFY_SKIP_DATE = 5,
560 };
561 
562 #ifdef WOLFSSL_CERT_EXT
563 enum KeyIdType {
564  SKID_TYPE = 0,
565  AKID_TYPE = 1
566 };
567 #endif
568 
569 /* Key usage extension bits (based on RFC 5280) */
570 #define KEYUSE_DIGITAL_SIG 0x0080
571 #define KEYUSE_CONTENT_COMMIT 0x0040
572 #define KEYUSE_KEY_ENCIPHER 0x0020
573 #define KEYUSE_DATA_ENCIPHER 0x0010
574 #define KEYUSE_KEY_AGREE 0x0008
575 #define KEYUSE_KEY_CERT_SIGN 0x0004
576 #define KEYUSE_CRL_SIGN 0x0002
577 #define KEYUSE_ENCIPHER_ONLY 0x0001
578 #define KEYUSE_DECIPHER_ONLY 0x8000
579 
580 /* Extended Key Usage bits (internal mapping only) */
581 #define EXTKEYUSE_USER 0x80
582 #define EXTKEYUSE_OCSP_SIGN 0x40
583 #define EXTKEYUSE_TIMESTAMP 0x20
584 #define EXTKEYUSE_EMAILPROT 0x10
585 #define EXTKEYUSE_CODESIGN 0x08
586 #define EXTKEYUSE_CLIENT_AUTH 0x04
587 #define EXTKEYUSE_SERVER_AUTH 0x02
588 #define EXTKEYUSE_ANY 0x01
589 
590 typedef struct DNS_entry DNS_entry;
591 
592 struct DNS_entry {
593  DNS_entry* next; /* next on DNS list */
594  int type; /* i.e. ASN_DNS_TYPE */
595  int len; /* actual DNS len */
596  char* name; /* actual DNS name */
597 };
598 
599 
600 typedef struct Base_entry Base_entry;
601 
602 struct Base_entry {
603  Base_entry* next; /* next on name base list */
604  char* name; /* actual name base */
605  int nameSz; /* name length */
606  byte type; /* Name base type (DNS or RFC822) */
607 };
608 
609 #define DOMAIN_COMPONENT_MAX 10
610 #define DN_NAMES_MAX 9
611 
612 struct DecodedName {
613  char* fullName;
614  int fullNameLen;
615  int entryCount;
616  int cnIdx;
617  int cnLen;
618  int cnNid;
619  int snIdx;
620  int snLen;
621  int snNid;
622  int cIdx;
623  int cLen;
624  int cNid;
625  int lIdx;
626  int lLen;
627  int lNid;
628  int stIdx;
629  int stLen;
630  int stNid;
631  int oIdx;
632  int oLen;
633  int oNid;
634  int ouIdx;
635  int ouLen;
636 #ifdef WOLFSSL_CERT_EXT
637  int bcIdx;
638  int bcLen;
639  int jcIdx;
640  int jcLen;
641  int jsIdx;
642  int jsLen;
643 #endif
644  int ouNid;
645  int emailIdx;
646  int emailLen;
647  int emailNid;
648  int uidIdx;
649  int uidLen;
650  int uidNid;
651  int serialIdx;
652  int serialLen;
653  int serialNid;
654  int dcIdx[DOMAIN_COMPONENT_MAX];
655  int dcLen[DOMAIN_COMPONENT_MAX];
656  int dcNum;
657  int dcMode;
658 #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
659  /* hold the location / order with which each of the DN tags was found
660  *
661  * example of ASN_DOMAIN_COMPONENT at index 0 if first found and so on.
662  */
663  int loc[DOMAIN_COMPONENT_MAX + DN_NAMES_MAX];
664  int locSz;
665 #endif
666 };
667 
668 enum SignatureState {
669  SIG_STATE_BEGIN,
670  SIG_STATE_HASH,
671  SIG_STATE_KEY,
672  SIG_STATE_DO,
673  SIG_STATE_CHECK,
674 };
675 
676 
677 #ifdef HAVE_PK_CALLBACKS
678 #ifdef HAVE_ECC
679  typedef int (*wc_CallbackEccVerify)(
680  const unsigned char* sig, unsigned int sigSz,
681  const unsigned char* hash, unsigned int hashSz,
682  const unsigned char* keyDer, unsigned int keySz,
683  int* result, void* ctx);
684 #endif
685 #ifndef NO_RSA
686  typedef int (*wc_CallbackRsaVerify)(
687  unsigned char* sig, unsigned int sigSz,
688  unsigned char** out,
689  const unsigned char* keyDer, unsigned int keySz,
690  void* ctx);
691 #endif
692 #endif /* HAVE_PK_CALLBACKS */
693 
694 struct SignatureCtx {
695  void* heap;
696  byte* digest;
697 #ifndef NO_RSA
698  byte* out;
699  byte* plain;
700 #endif
701 #if defined(HAVE_ECC) || defined(HAVE_ED25519) || defined(HAVE_ED448)
702  int verify;
703 #endif
704  union {
705  #ifndef NO_RSA
706  struct RsaKey* rsa;
707  #endif
708  #ifdef HAVE_ECC
709  struct ecc_key* ecc;
710  #endif
711  #ifdef HAVE_ED25519
712  struct ed25519_key* ed25519;
713  #endif
714  #ifdef HAVE_ED448
715  struct ed448_key* ed448;
716  #endif
717  void* ptr;
718  } key;
719  int devId;
720  int state;
721  int typeH;
722  int digestSz;
723  word32 keyOID;
724 #ifdef WOLFSSL_ASYNC_CRYPT
725  WC_ASYNC_DEV* asyncDev;
726  void* asyncCtx;
727 #endif
728 
729 #ifdef HAVE_PK_CALLBACKS
730 #ifdef HAVE_ECC
731  wc_CallbackEccVerify pkCbEcc;
732  void* pkCtxEcc;
733 #endif
734 #ifndef NO_RSA
735  wc_CallbackRsaVerify pkCbRsa;
736  void* pkCtxRsa;
737 #endif
738 #endif /* HAVE_PK_CALLBACKS */
739 #ifndef NO_RSA
740 #ifdef WOLFSSL_RENESAS_TSIP_TLS
741  byte verifyByTSIP;
742  word32 certBegin;
743  word32 pubkey_n_start;
744  word32 pubkey_n_len;
745  word32 pubkey_e_start;
746  word32 pubkey_e_len;
747 #endif
748 #endif
749 };
750 
751 enum CertSignState {
752  CERTSIGN_STATE_BEGIN,
753  CERTSIGN_STATE_DIGEST,
754  CERTSIGN_STATE_ENCODE,
755  CERTSIGN_STATE_DO,
756 };
757 
758 struct CertSignCtx {
759  byte* sig;
760  byte* digest;
761  #ifndef NO_RSA
762  byte* encSig;
763  int encSigSz;
764  #endif
765  int state; /* enum CertSignState */
766 };
767 
768 #ifndef WOLFSSL_MAX_PATH_LEN
769  /* RFC 5280 Section 6.1.2. "Initialization" - item (k) defines
770  * (k) max_path_length: this integer is initialized to "n", is
771  * decremented for each non-self-issued certificate in the path,
772  * and may be reduced to the value in the path length constraint
773  * field within the basic constraints extension of a CA
774  * certificate.
775  *
776  * wolfSSL has arbitrarily selected the value 127 for "n" in the above
777  * description. Users can modify the maximum path length by setting
778  * WOLFSSL_MAX_PATH_LEN to a preferred value at build time
779  */
780  #define WOLFSSL_MAX_PATH_LEN 127
781 #endif
782 
783 typedef struct DecodedCert DecodedCert;
784 typedef struct DecodedName DecodedName;
785 typedef struct Signer Signer;
786 #ifdef WOLFSSL_TRUST_PEER_CERT
787 typedef struct TrustedPeerCert TrustedPeerCert;
788 #endif /* WOLFSSL_TRUST_PEER_CERT */
789 typedef struct SignatureCtx SignatureCtx;
790 typedef struct CertSignCtx CertSignCtx;
791 
792 
793 struct DecodedCert {
794  const byte* publicKey;
795  word32 pubKeySize;
796  int pubKeyStored;
797  word32 certBegin; /* offset to start of cert */
798  word32 sigIndex; /* offset to start of signature */
799  word32 sigLength; /* length of signature */
800  word32 signatureOID; /* sum of algorithm object id */
801  word32 keyOID; /* sum of key algo object id */
802  int version; /* cert version, 1 or 3 */
803  DNS_entry* altNames; /* alt names list of dns entries */
804 #ifndef IGNORE_NAME_CONSTRAINTS
805  DNS_entry* altEmailNames; /* alt names list of RFC822 entries */
806  Base_entry* permittedNames; /* Permitted name bases */
807  Base_entry* excludedNames; /* Excluded name bases */
808 #endif /* IGNORE_NAME_CONSTRAINTS */
809  byte subjectHash[KEYID_SIZE]; /* hash of all Names */
810  byte issuerHash[KEYID_SIZE]; /* hash of all Names */
811 #ifdef HAVE_OCSP
812  byte subjectKeyHash[KEYID_SIZE]; /* hash of the public Key */
813  byte issuerKeyHash[KEYID_SIZE]; /* hash of the public Key */
814 #endif /* HAVE_OCSP */
815  const byte* signature; /* not owned, points into raw cert */
816  char* subjectCN; /* CommonName */
817  int subjectCNLen; /* CommonName Length */
818  char subjectCNEnc; /* CommonName Encoding */
819  char issuer[ASN_NAME_MAX]; /* full name including common name */
820  char subject[ASN_NAME_MAX]; /* full name including common name */
821  int verify; /* Default to yes, but could be off */
822  const byte* source; /* byte buffer holder cert, NOT owner */
823  word32 srcIdx; /* current offset into buffer */
824  word32 maxIdx; /* max offset based on init size */
825  void* heap; /* for user memory overrides */
826  byte serial[EXTERNAL_SERIAL_SIZE]; /* raw serial number */
827  int serialSz; /* raw serial bytes stored */
828  const byte* extensions; /* not owned, points into raw cert */
829  int extensionsSz; /* length of cert extensions */
830  word32 extensionsIdx; /* if want to go back and parse later */
831  const byte* extAuthInfo; /* Authority Information Access URI */
832  int extAuthInfoSz; /* length of the URI */
833 #if defined(OPENSSL_ALL) || defined(WOLFSSL_QT)
834  const byte* extAuthInfoCaIssuer; /* Authority Info Access caIssuer URI */
835  int extAuthInfoCaIssuerSz; /* length of the caIssuer URI */
836 #endif
837  const byte* extCrlInfo; /* CRL Distribution Points */
838  int extCrlInfoSz; /* length of the URI */
839  byte extSubjKeyId[KEYID_SIZE]; /* Subject Key ID */
840  byte extAuthKeyId[KEYID_SIZE]; /* Authority Key ID */
841  byte pathLength; /* CA basic constraint path length */
842  byte maxPathLen; /* max_path_len see RFC 5280 section
843  * 6.1.2 "Initialization" - (k) for
844  * description of max_path_len */
845  word16 extKeyUsage; /* Key usage bitfield */
846  byte extExtKeyUsage; /* Extended Key usage bitfield */
847 
848 #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
849  const byte* extExtKeyUsageSrc;
850  word32 extExtKeyUsageSz;
851  word32 extExtKeyUsageCount;
852  const byte* extAuthKeyIdSrc;
853  word32 extAuthKeyIdSz;
854  const byte* extSubjKeyIdSrc;
855  word32 extSubjKeyIdSz;
856 #endif
857 
858 #if defined(HAVE_ECC) || defined(HAVE_ED25519) || defined(HAVE_ED448)
859  word32 pkCurveOID; /* Public Key's curve OID */
860 #endif /* HAVE_ECC */
861  const byte* beforeDate;
862  int beforeDateLen;
863  const byte* afterDate;
864  int afterDateLen;
865 #if defined(HAVE_PKCS7) || defined(WOLFSSL_CERT_EXT)
866  const byte* issuerRaw; /* pointer to issuer inside source */
867  int issuerRawLen;
868 #endif
869 #if !defined(IGNORE_NAME_CONSTRAINTS) || defined(WOLFSSL_CERT_EXT)
870  const byte* subjectRaw; /* pointer to subject inside source */
871  int subjectRawLen;
872 #endif
873 #if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT)
874  /* easy access to subject info for other sign */
875  char* subjectSN;
876  int subjectSNLen;
877  char subjectSNEnc;
878  char* subjectC;
879  int subjectCLen;
880  char subjectCEnc;
881  char* subjectL;
882  int subjectLLen;
883  char subjectLEnc;
884  char* subjectST;
885  int subjectSTLen;
886  char subjectSTEnc;
887  char* subjectO;
888  int subjectOLen;
889  char subjectOEnc;
890  char* subjectOU;
891  int subjectOULen;
892  char subjectOUEnc;
893  char* subjectSND;
894  int subjectSNDLen;
895  char subjectSNDEnc;
896 #ifdef WOLFSSL_CERT_EXT
897  char* subjectBC;
898  int subjectBCLen;
899  char subjectBCEnc;
900  char* subjectJC;
901  int subjectJCLen;
902  char subjectJCEnc;
903  char* subjectJS;
904  int subjectJSLen;
905  char subjectJSEnc;
906 #endif
907  char* subjectEmail;
908  int subjectEmailLen;
909 #endif /* WOLFSSL_CERT_GEN */
910 #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
911  DecodedName issuerName;
912  DecodedName subjectName;
913 #endif /* OPENSSL_EXTRA */
914 #ifdef WOLFSSL_SEP
915  int deviceTypeSz;
916  byte* deviceType;
917  int hwTypeSz;
918  byte* hwType;
919  int hwSerialNumSz;
920  byte* hwSerialNum;
921 #endif /* WOLFSSL_SEP */
922 #ifdef WOLFSSL_CERT_EXT
923  char extCertPolicies[MAX_CERTPOL_NB][MAX_CERTPOL_SZ];
924  int extCertPoliciesNb;
925 #endif /* defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT) */
926 
927  Signer* ca;
928 #ifndef NO_CERTS
929  SignatureCtx sigCtx;
930 #endif
931 #ifdef WOLFSSL_RENESAS_TSIP
932  byte* tsip_encRsaKeyIdx;
933 #endif
934 
935  int badDate;
936  int criticalExt;
937 
938  /* Option Bits */
939  byte subjectCNStored : 1; /* have we saved a copy we own */
940  byte extSubjKeyIdSet : 1; /* Set when the SKID was read from cert */
941  byte extAuthKeyIdSet : 1; /* Set when the AKID was read from cert */
942 #ifndef IGNORE_NAME_CONSTRAINTS
943  byte extNameConstraintSet : 1;
944 #endif
945  byte isCA : 1; /* CA basic constraint true */
946  byte pathLengthSet : 1; /* CA basic const path length set */
947  byte weOwnAltNames : 1; /* altNames haven't been given to copy */
948  byte extKeyUsageSet : 1;
949  byte extExtKeyUsageSet : 1; /* Extended Key Usage set */
950  byte extCRLdistSet : 1;
951  byte extAuthInfoSet : 1;
952  byte extBasicConstSet : 1;
953  byte extSubjAltNameSet : 1;
954  byte inhibitAnyOidSet : 1;
955  byte selfSigned : 1; /* Indicates subject and issuer are same */
956 #if defined(WOLFSSL_SEP) || defined(WOLFSSL_QT)
957  byte extCertPolicySet : 1;
958 #endif
959 #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
960  byte extCRLdistCrit : 1;
961  byte extAuthInfoCrit : 1;
962  byte extBasicConstCrit : 1;
963  byte extSubjAltNameCrit : 1;
964  byte extAuthKeyIdCrit : 1;
965  #ifndef IGNORE_NAME_CONSTRAINTS
966  byte extNameConstraintCrit : 1;
967  #endif
968  byte extSubjKeyIdCrit : 1;
969  byte extKeyUsageCrit : 1;
970  byte extExtKeyUsageCrit : 1;
971 #endif /* OPENSSL_EXTRA */
972 #if defined(WOLFSSL_SEP) || defined(WOLFSSL_QT)
973  byte extCertPolicyCrit : 1;
974 #endif
975 
976 };
977 
978 
979 #ifdef NO_SHA
980  #define SIGNER_DIGEST_SIZE WC_SHA256_DIGEST_SIZE
981 #else
982  #define SIGNER_DIGEST_SIZE WC_SHA_DIGEST_SIZE
983 #endif
984 
985 /* CA Signers */
986 /* if change layout change PERSIST_CERT_CACHE functions too */
987 struct Signer {
988  word32 pubKeySize;
989  word32 keyOID; /* key type */
990  word16 keyUsage;
991  byte maxPathLen;
992  byte pathLength;
993  byte pathLengthSet : 1;
994  byte selfSigned : 1;
995  const byte* publicKey;
996  int nameLen;
997  char* name; /* common name */
998 #ifndef IGNORE_NAME_CONSTRAINTS
999  Base_entry* permittedNames;
1000  Base_entry* excludedNames;
1001 #endif /* IGNORE_NAME_CONSTRAINTS */
1002  byte subjectNameHash[SIGNER_DIGEST_SIZE];
1003  /* sha hash of names in certificate */
1004  #ifndef NO_SKID
1005  byte subjectKeyIdHash[SIGNER_DIGEST_SIZE];
1006  /* sha hash of names in certificate */
1007  #endif
1008  #ifdef HAVE_OCSP
1009  byte subjectKeyHash[KEYID_SIZE];
1010  #endif
1011 #ifdef WOLFSSL_SIGNER_DER_CERT
1012  DerBuffer* derCert;
1013 #endif
1014 #ifdef WOLFSSL_RENESAS_TSIP_TLS
1015  word32 cm_idx;
1016 #endif
1017  Signer* next;
1018 };
1019 
1020 
1021 #ifdef WOLFSSL_TRUST_PEER_CERT
1022 /* used for having trusted peer certs rather then CA */
1023 struct TrustedPeerCert {
1024  int nameLen;
1025  char* name; /* common name */
1026  #ifndef IGNORE_NAME_CONSTRAINTS
1027  Base_entry* permittedNames;
1028  Base_entry* excludedNames;
1029  #endif /* IGNORE_NAME_CONSTRAINTS */
1030  byte subjectNameHash[SIGNER_DIGEST_SIZE];
1031  /* sha hash of names in certificate */
1032  #ifndef NO_SKID
1033  byte subjectKeyIdHash[SIGNER_DIGEST_SIZE];
1034  /* sha hash of names in certificate */
1035  #endif
1036  word32 sigLen;
1037  byte* sig;
1038  struct TrustedPeerCert* next;
1039 };
1040 #endif /* WOLFSSL_TRUST_PEER_CERT */
1041 
1042 
1043 /* for testing or custom openssl wrappers */
1044 #if defined(WOLFSSL_TEST_CERT) || defined(OPENSSL_EXTRA) || \
1045  defined(OPENSSL_EXTRA_X509_SMALL)
1046  #define WOLFSSL_ASN_API WOLFSSL_API
1047 #else
1048  #define WOLFSSL_ASN_API WOLFSSL_LOCAL
1049 #endif
1050 
1051 WOLFSSL_LOCAL int CalcHashId(const byte* data, word32 len, byte* hash);
1052 
1053 WOLFSSL_ASN_API int wc_BerToDer(const byte* ber, word32 berSz, byte* der,
1054  word32* derSz);
1055 
1056 WOLFSSL_ASN_API void FreeAltNames(DNS_entry*, void*);
1057 #ifndef IGNORE_NAME_CONSTRAINTS
1058  WOLFSSL_ASN_API void FreeNameSubtrees(Base_entry*, void*);
1059 #endif /* IGNORE_NAME_CONSTRAINTS */
1060 WOLFSSL_ASN_API void InitDecodedCert(DecodedCert*, const byte*, word32, void*);
1061 WOLFSSL_ASN_API void FreeDecodedCert(DecodedCert*);
1062 WOLFSSL_ASN_API int ParseCert(DecodedCert*, int type, int verify, void* cm);
1063 
1064 WOLFSSL_LOCAL int DecodePolicyOID(char *o, word32 oSz,
1065  const byte *in, word32 inSz);
1066 WOLFSSL_LOCAL int EncodePolicyOID(byte *out, word32 *outSz,
1067  const char *in, void* heap);
1068 WOLFSSL_API int CheckCertSignature(const byte*,word32,void*,void* cm);
1069 WOLFSSL_LOCAL int CheckCertSignaturePubKey(const byte* cert, word32 certSz,
1070  void* heap, const byte* pubKey, word32 pubKeySz, int pubKeyOID);
1071 WOLFSSL_LOCAL int ParseCertRelative(DecodedCert*,int type,int verify,void* cm);
1072 WOLFSSL_LOCAL int DecodeToKey(DecodedCert*, int verify);
1073 WOLFSSL_LOCAL int wc_GetPubX509(DecodedCert* cert, int verify, int* badDate);
1074 
1075 WOLFSSL_LOCAL const byte* OidFromId(word32 id, word32 type, word32* oidSz);
1076 WOLFSSL_LOCAL Signer* MakeSigner(void*);
1077 WOLFSSL_LOCAL void FreeSigner(Signer*, void*);
1078 WOLFSSL_LOCAL void FreeSignerTable(Signer**, int, void*);
1079 #ifdef WOLFSSL_TRUST_PEER_CERT
1080 WOLFSSL_LOCAL void FreeTrustedPeer(TrustedPeerCert*, void*);
1081 WOLFSSL_LOCAL void FreeTrustedPeerTable(TrustedPeerCert**, int, void*);
1082 #endif /* WOLFSSL_TRUST_PEER_CERT */
1083 
1084 WOLFSSL_ASN_API int ToTraditional(byte* buffer, word32 length);
1085 WOLFSSL_ASN_API int ToTraditional_ex(byte* buffer, word32 length,
1086  word32* algId);
1087 WOLFSSL_LOCAL int ToTraditionalInline(const byte* input, word32* inOutIdx,
1088  word32 length);
1089 WOLFSSL_LOCAL int ToTraditionalInline_ex(const byte* input, word32* inOutIdx,
1090  word32 length, word32* algId);
1091 WOLFSSL_LOCAL int ToTraditionalEnc(byte* buffer, word32 length,const char*,int,
1092  word32* algId);
1093 WOLFSSL_ASN_API int UnTraditionalEnc(byte* key, word32 keySz, byte* out,
1094  word32* outSz, const char* password, int passwordSz, int vPKCS,
1095  int vAlgo, byte* salt, word32 saltSz, int itt, WC_RNG* rng, void* heap);
1096 WOLFSSL_ASN_API int TraditionalEnc(byte* key, word32 keySz, byte* out,
1097  word32* outSz, const char* password, int passwordSz, int vPKCS,
1098  int vAlgo, int encAlgId, byte* salt, word32 saltSz, int itt,
1099  WC_RNG* rng, void* heap);
1100 WOLFSSL_LOCAL int DecryptContent(byte* input, word32 sz,const char* psw,int pswSz);
1101 WOLFSSL_LOCAL int EncryptContent(byte* input, word32 sz, byte* out, word32* outSz,
1102  const char* password,int passwordSz, int vPKCS, int vAlgo,
1103  byte* salt, word32 saltSz, int itt, WC_RNG* rng, void* heap);
1104 WOLFSSL_LOCAL int wc_GetKeyOID(byte* key, word32 keySz, const byte** curveOID,
1105  word32* oidSz, int* algoID, void* heap);
1106 
1107 typedef struct tm wolfssl_tm;
1108 #if defined(OPENSSL_ALL) || defined(WOLFSSL_MYSQL_COMPATIBLE) || defined(OPENSSL_EXTRA) || \
1109  defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
1110 WOLFSSL_LOCAL int GetTimeString(byte* date, int format, char* buf, int len);
1111 #endif
1112 #if !defined(NO_ASN_TIME) && defined(HAVE_PKCS7)
1113 WOLFSSL_LOCAL int GetAsnTimeString(void* currTime, byte* buf, word32 len);
1114 #endif
1115 WOLFSSL_LOCAL int ExtractDate(const unsigned char* date, unsigned char format,
1116  wolfssl_tm* certTime, int* idx);
1117 WOLFSSL_LOCAL int DateGreaterThan(const struct tm* a, const struct tm* b);
1118 WOLFSSL_LOCAL int ValidateDate(const byte* date, byte format, int dateType);
1119 WOLFSSL_LOCAL int wc_OBJ_sn2nid(const char *sn);
1120 
1121 /* ASN.1 helper functions */
1122 #ifdef WOLFSSL_CERT_GEN
1123 WOLFSSL_ASN_API int SetName(byte* output, word32 outputSz, CertName* name);
1124 #endif
1125 WOLFSSL_LOCAL int GetShortInt(const byte* input, word32* inOutIdx, int* number,
1126  word32 maxIdx);
1127 WOLFSSL_LOCAL int SetShortInt(byte* input, word32* inOutIdx, word32 number,
1128  word32 maxIdx);
1129 
1130 WOLFSSL_LOCAL const char* GetSigName(int oid);
1131 WOLFSSL_LOCAL int GetLength(const byte* input, word32* inOutIdx, int* len,
1132  word32 maxIdx);
1133 WOLFSSL_LOCAL int GetLength_ex(const byte* input, word32* inOutIdx, int* len,
1134  word32 maxIdx, int check);
1135 WOLFSSL_LOCAL int GetSequence(const byte* input, word32* inOutIdx, int* len,
1136  word32 maxIdx);
1137 WOLFSSL_LOCAL int GetSequence_ex(const byte* input, word32* inOutIdx, int* len,
1138  word32 maxIdx, int check);
1139 WOLFSSL_LOCAL int GetOctetString(const byte* input, word32* inOutIdx, int* len,
1140  word32 maxIdx);
1141 WOLFSSL_LOCAL int GetSet(const byte* input, word32* inOutIdx, int* len,
1142  word32 maxIdx);
1143 WOLFSSL_LOCAL int GetSet_ex(const byte* input, word32* inOutIdx, int* len,
1144  word32 maxIdx, int check);
1145 WOLFSSL_LOCAL int GetMyVersion(const byte* input, word32* inOutIdx,
1146  int* version, word32 maxIdx);
1147 WOLFSSL_LOCAL int GetInt(mp_int* mpi, const byte* input, word32* inOutIdx,
1148  word32 maxIdx);
1149 #ifdef HAVE_OID_ENCODING
1150  WOLFSSL_LOCAL int EncodeObjectId(const word16* in, word32 inSz,
1151  byte* out, word32* outSz);
1152 #endif
1153 #ifdef HAVE_OID_DECODING
1154  WOLFSSL_LOCAL int DecodeObjectId(const byte* in, word32 inSz,
1155  word16* out, word32* outSz);
1156 #endif
1157 WOLFSSL_LOCAL int GetASNObjectId(const byte* input, word32* inOutIdx, int* len,
1158  word32 maxIdx);
1159 WOLFSSL_LOCAL int SetObjectId(int len, byte* output);
1160 WOLFSSL_LOCAL int GetObjectId(const byte* input, word32* inOutIdx, word32* oid,
1161  word32 oidType, word32 maxIdx);
1162 WOLFSSL_LOCAL int GetAlgoId(const byte* input, word32* inOutIdx, word32* oid,
1163  word32 oidType, word32 maxIdx);
1164 WOLFSSL_LOCAL int GetASNTag(const byte* input, word32* idx, byte* tag,
1165  word32 inputSz);
1166 WOLFSSL_LOCAL word32 SetLength(word32 length, byte* output);
1167 WOLFSSL_LOCAL word32 SetSequence(word32 len, byte* output);
1168 WOLFSSL_LOCAL word32 SetOctetString(word32 len, byte* output);
1169 #if (defined(WOLFSSL_QT) || defined(OPENSSL_ALL)) && !defined(NO_DH) \
1170  || defined(WOLFSSL_OPENSSH)
1171 WOLFSSL_LOCAL int wc_DhParamsToDer(DhKey* key, byte* out, word32* outSz);
1172 WOLFSSL_LOCAL int wc_DhPubKeyToDer(DhKey* key, byte* out, word32* outSz);
1173 WOLFSSL_LOCAL int wc_DhPrivKeyToDer(DhKey* key, byte* out, word32* outSz);
1174 #endif
1175 WOLFSSL_LOCAL word32 SetBitString(word32 len, byte unusedBits, byte* output);
1176 WOLFSSL_LOCAL word32 SetImplicit(byte tag,byte number,word32 len,byte* output);
1177 WOLFSSL_LOCAL word32 SetExplicit(byte number, word32 len, byte* output);
1178 WOLFSSL_LOCAL word32 SetSet(word32 len, byte* output);
1179 WOLFSSL_LOCAL word32 SetAlgoID(int algoOID,byte* output,int type,int curveSz);
1180 WOLFSSL_LOCAL int SetMyVersion(word32 version, byte* output, int header);
1181 WOLFSSL_LOCAL int SetSerialNumber(const byte* sn, word32 snSz, byte* output,
1182  word32 outputSz, int maxSnSz);
1183 WOLFSSL_LOCAL int GetSerialNumber(const byte* input, word32* inOutIdx,
1184  byte* serial, int* serialSz, word32 maxIdx);
1185 WOLFSSL_LOCAL int GetNameHash(const byte* source, word32* idx, byte* hash,
1186  int maxIdx);
1187 WOLFSSL_LOCAL int wc_CheckPrivateKey(byte* key, word32 keySz, DecodedCert* der);
1188 WOLFSSL_LOCAL int StoreDHparams(byte* out, word32* outLen, mp_int* p, mp_int* g);
1189 WOLFSSL_LOCAL int FlattenAltNames( byte*, word32, const DNS_entry*);
1190 
1191 #ifdef HAVE_ECC
1192  /* ASN sig helpers */
1193  WOLFSSL_LOCAL int StoreECC_DSA_Sig(byte* out, word32* outLen, mp_int* r,
1194  mp_int* s);
1195  WOLFSSL_LOCAL int DecodeECC_DSA_Sig(const byte* sig, word32 sigLen,
1196  mp_int* r, mp_int* s);
1197 #endif
1198 #if defined HAVE_ECC && (defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL))
1199 WOLFSSL_API int EccEnumToNID(int n);
1200 #endif
1201 
1202 WOLFSSL_LOCAL void InitSignatureCtx(SignatureCtx* sigCtx, void* heap, int devId);
1203 WOLFSSL_LOCAL void FreeSignatureCtx(SignatureCtx* sigCtx);
1204 
1205 #ifndef NO_CERTS
1206 
1207 WOLFSSL_LOCAL int wc_EncryptedInfoParse(EncryptedInfo* info, char** pBuffer,
1208  size_t bufSz);
1209 
1210 WOLFSSL_LOCAL int PemToDer(const unsigned char* buff, long sz, int type,
1211  DerBuffer** pDer, void* heap, EncryptedInfo* info,
1212  int* eccKey);
1213 WOLFSSL_LOCAL int AllocDer(DerBuffer** der, word32 length, int type, void* heap);
1214 WOLFSSL_LOCAL void FreeDer(DerBuffer** der);
1215 
1216 #endif /* !NO_CERTS */
1217 
1218 #ifdef WOLFSSL_CERT_GEN
1219 
1220 enum cert_enums {
1221 #ifdef WOLFSSL_CERT_EXT
1222  NAME_ENTRIES = 10,
1223 #else
1224  NAME_ENTRIES = 9,
1225 #endif
1226  JOINT_LEN = 2,
1227  EMAIL_JOINT_LEN = 9,
1228  PILOT_JOINT_LEN = 10,
1229  RSA_KEY = 10,
1230  NTRU_KEY = 11,
1231  ECC_KEY = 12,
1232  ED25519_KEY = 13,
1233  ED448_KEY = 14
1234 };
1235 
1236 #endif /* WOLFSSL_CERT_GEN */
1237 
1238 
1239 
1240 /* for pointer use */
1241 typedef struct CertStatus CertStatus;
1242 
1243 #ifdef HAVE_OCSP
1244 
1245 enum Ocsp_Response_Status {
1246  OCSP_SUCCESSFUL = 0, /* Response has valid confirmations */
1247  OCSP_MALFORMED_REQUEST = 1, /* Illegal confirmation request */
1248  OCSP_INTERNAL_ERROR = 2, /* Internal error in issuer */
1249  OCSP_TRY_LATER = 3, /* Try again later */
1250  OCSP_SIG_REQUIRED = 5, /* Must sign the request (4 is skipped) */
1251  OCSP_UNAUTHROIZED = 6 /* Request unauthorized */
1252 };
1253 
1254 
1255 enum Ocsp_Cert_Status {
1256  CERT_GOOD = 0,
1257  CERT_REVOKED = 1,
1258  CERT_UNKNOWN = 2
1259 };
1260 
1261 
1262 enum Ocsp_Sums {
1263  OCSP_BASIC_OID = 117,
1264  OCSP_NONCE_OID = 118
1265 };
1266 
1267 #ifdef OPENSSL_EXTRA
1268 enum Ocsp_Verify_Error {
1269  OCSP_VERIFY_ERROR_NONE = 0,
1270  OCSP_BAD_ISSUER = 1
1271 };
1272 #endif
1273 
1274 
1275 typedef struct OcspRequest OcspRequest;
1276 typedef struct OcspResponse OcspResponse;
1277 
1278 
1279 struct CertStatus {
1280  CertStatus* next;
1281 
1282  byte serial[EXTERNAL_SERIAL_SIZE];
1283  int serialSz;
1284 
1285  int status;
1286 
1287  byte thisDate[MAX_DATE_SIZE];
1288  byte nextDate[MAX_DATE_SIZE];
1289  byte thisDateFormat;
1290  byte nextDateFormat;
1291 #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
1292  WOLFSSL_ASN1_TIME thisDateParsed;
1293  WOLFSSL_ASN1_TIME nextDateParsed;
1294  byte* thisDateAsn;
1295  byte* nextDateAsn;
1296 #endif
1297 
1298  byte* rawOcspResponse;
1299  word32 rawOcspResponseSz;
1300 };
1301 
1302 
1303 struct OcspResponse {
1304  int responseStatus; /* return code from Responder */
1305 
1306  byte* response; /* Pointer to beginning of OCSP Response */
1307  word32 responseSz; /* length of the OCSP Response */
1308 
1309  byte producedDate[MAX_DATE_SIZE];
1310  /* Date at which this response was signed */
1311  byte producedDateFormat; /* format of the producedDate */
1312  byte* issuerHash;
1313  byte* issuerKeyHash;
1314 
1315  byte* cert;
1316  word32 certSz;
1317 
1318  byte* sig; /* Pointer to sig in source */
1319  word32 sigSz; /* Length in octets for the sig */
1320  word32 sigOID; /* OID for hash used for sig */
1321 
1322  CertStatus* status; /* certificate status to fill out */
1323 
1324  byte* nonce; /* pointer to nonce inside ASN.1 response */
1325  int nonceSz; /* length of the nonce string */
1326 
1327  byte* source; /* pointer to source buffer, not owned */
1328  word32 maxIdx; /* max offset based on init size */
1329 
1330 #ifdef OPENSSL_EXTRA
1331  int verifyError;
1332 #endif
1333 };
1334 
1335 
1336 struct OcspRequest {
1337  byte issuerHash[KEYID_SIZE];
1338  byte issuerKeyHash[KEYID_SIZE];
1339  byte* serial; /* copy of the serial number in source cert */
1340  int serialSz;
1341 #ifdef OPENSSL_EXTRA
1342  WOLFSSL_ASN1_INTEGER* serialInt;
1343 #endif
1344  byte* url; /* copy of the extAuthInfo in source cert */
1345  int urlSz;
1346 
1347  byte nonce[MAX_OCSP_NONCE_SZ];
1348  int nonceSz;
1349  void* heap;
1350  void* ssl;
1351 };
1352 
1353 typedef struct OcspEntry OcspEntry;
1354 
1355 #ifdef NO_SHA
1356 #define OCSP_DIGEST_SIZE WC_SHA256_DIGEST_SIZE
1357 #else
1358 #define OCSP_DIGEST_SIZE WC_SHA_DIGEST_SIZE
1359 #endif
1360 
1361 struct OcspEntry
1362 {
1363  OcspEntry *next; /* next entry */
1364  byte issuerHash[OCSP_DIGEST_SIZE]; /* issuer hash */
1365  byte issuerKeyHash[OCSP_DIGEST_SIZE]; /* issuer public key hash */
1366  CertStatus *status; /* OCSP response list */
1367  int totalStatus; /* number on list */
1368 };
1369 
1370 WOLFSSL_LOCAL void InitOcspResponse(OcspResponse*, CertStatus*, byte*, word32);
1371 WOLFSSL_LOCAL int OcspResponseDecode(OcspResponse*, void*, void* heap, int);
1372 
1373 WOLFSSL_LOCAL int InitOcspRequest(OcspRequest*, DecodedCert*, byte, void*);
1374 WOLFSSL_LOCAL void FreeOcspRequest(OcspRequest*);
1375 WOLFSSL_LOCAL int EncodeOcspRequest(OcspRequest*, byte*, word32);
1376 WOLFSSL_LOCAL word32 EncodeOcspRequestExtensions(OcspRequest*, byte*, word32);
1377 
1378 
1379 WOLFSSL_LOCAL int CompareOcspReqResp(OcspRequest*, OcspResponse*);
1380 
1381 
1382 #endif /* HAVE_OCSP */
1383 
1384 
1385 /* for pointer use */
1386 typedef struct RevokedCert RevokedCert;
1387 
1388 #ifdef HAVE_CRL
1389 
1390 struct RevokedCert {
1391  byte serialNumber[EXTERNAL_SERIAL_SIZE];
1392  int serialSz;
1393  RevokedCert* next;
1394 };
1395 
1396 typedef struct DecodedCRL DecodedCRL;
1397 
1398 struct DecodedCRL {
1399  word32 certBegin; /* offset to start of cert */
1400  word32 sigIndex; /* offset to start of signature */
1401  word32 sigLength; /* length of signature */
1402  word32 signatureOID; /* sum of algorithm object id */
1403  byte* signature; /* pointer into raw source, not owned */
1404  byte issuerHash[SIGNER_DIGEST_SIZE]; /* issuer name hash */
1405  byte crlHash[SIGNER_DIGEST_SIZE]; /* raw crl data hash */
1406  byte lastDate[MAX_DATE_SIZE]; /* last date updated */
1407  byte nextDate[MAX_DATE_SIZE]; /* next update date */
1408  byte lastDateFormat; /* format of last date */
1409  byte nextDateFormat; /* format of next date */
1410  RevokedCert* certs; /* revoked cert list */
1411  int totalCerts; /* number on list */
1412  void* heap;
1413 #ifndef NO_SKID
1414  byte extAuthKeyIdSet;
1415  byte extAuthKeyId[SIGNER_DIGEST_SIZE]; /* Authority Key ID */
1416 #endif
1417 };
1418 
1419 WOLFSSL_LOCAL void InitDecodedCRL(DecodedCRL*, void* heap);
1420 WOLFSSL_LOCAL int VerifyCRL_Signature(SignatureCtx* sigCtx,
1421  const byte* toBeSigned, word32 tbsSz,
1422  const byte* signature, word32 sigSz,
1423  word32 signatureOID, Signer *ca,
1424  void* heap);
1425 WOLFSSL_LOCAL int ParseCRL(DecodedCRL*, const byte* buff, word32 sz, void* cm);
1426 WOLFSSL_LOCAL void FreeDecodedCRL(DecodedCRL*);
1427 
1428 
1429 #endif /* HAVE_CRL */
1430 
1431 
1432 #ifdef __cplusplus
1433  } /* extern "C" */
1434 #endif
1435 
1436 #endif /* !NO_ASN */
1437 
1438 
1439 #if !defined(NO_ASN) || !defined(NO_PWDBASED)
1440 
1441 #ifndef MAX_KEY_SIZE
1442  #define MAX_KEY_SIZE 64 /* MAX PKCS Key length */
1443 #endif
1444 #ifndef MAX_UNICODE_SZ
1445  #define MAX_UNICODE_SZ 256
1446 #endif
1447 
1448 enum PBESTypes {
1449  PBE_MD5_DES = 0,
1450  PBE_SHA1_RC4_128 = 1,
1451  PBE_SHA1_DES = 2,
1452  PBE_SHA1_DES3 = 3,
1453  PBE_AES256_CBC = 4,
1454  PBE_AES128_CBC = 5,
1455 
1456  PBE_SHA1_RC4_128_SUM = 657,
1457  PBE_SHA1_DES3_SUM = 659,
1458  PBES2 = 13 /* algo ID */
1459 };
1460 
1461 enum PKCSTypes {
1462  PKCS5v2 = 6, /* PKCS #5 v2.0 */
1463  PKCS12v1 = 12, /* PKCS #12 */
1464  PKCS5 = 5, /* PKCS oid tag */
1465  PKCS8v0 = 0, /* default PKCS#8 version */
1466 };
1467 
1468 #endif /* !NO_ASN || !NO_PWDBASED */
1469 
1470 #endif /* WOLF_CRYPT_ASN_H */
OcspEntry
Definition: asn.h:1361
ed448_key
Definition: ed448.h:77
OcspRequest
Definition: asn.h:1336
CertStatus
Definition: asn.h:1279
DecodedName
Definition: asn.h:612
DNS_entry
Definition: asn.h:592
OcspResponse
Definition: asn.h:1303
DecodedCert
Definition: asn.h:793
Base_entry
Definition: asn.h:602
asn_public.h
DecodedCRL
Definition: asn.h:1398
mp_int
Definition: integer.h:200
EncryptedInfo
Definition: asn_public.h:195
Signer
Definition: asn.h:987
CertName
Definition: asn_public.h:260
DhKey
Definition: dh.h:60
WOLFSSL_ASN1_TIME
Definition: asn_public.h:178
ecc_key
Definition: ecc.h:357
TrustedPeerCert
Definition: asn.h:1023
WC_RNG
Definition: random.h:153
WOLFSSL_ObjectInfo
Definition: asn.h:138
ed25519_key
Definition: ed25519.h:78
RevokedCert
Definition: asn.h:1390
CertSignCtx
Definition: asn.h:758
SignatureCtx
Definition: asn.h:694
RsaKey
Definition: user_rsa.h:60
DerBuffer
Definition: asn_public.h:170
WOLFSSL_ASN1_INTEGER
Definition: asn_public.h:213