My Project
Loading...
Searching...
No Matches
asn.h
Go to the documentation of this file.
1/* asn.h
2 *
3 * Copyright (C) 2006-2020 wolfSSL Inc.
4 *
5 * This file is part of wolfSSL.
6 *
7 * wolfSSL is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 2 of the License, or
10 * (at your option) any later version.
11 *
12 * wolfSSL is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
20 */
21
26#ifndef WOLF_CRYPT_ASN_H
27#define WOLF_CRYPT_ASN_H
28
29#include <wolfssl/wolfcrypt/types.h>
30
31#ifndef NO_ASN
32
33
34#if !defined(NO_ASN_TIME) && defined(NO_TIME_H)
35 #define NO_ASN_TIME /* backwards compatibility with NO_TIME_H */
36#endif
37
38#include <wolfssl/wolfcrypt/integer.h>
39
40/* fips declare of RsaPrivateKeyDecode @wc_fips */
41#if defined(HAVE_FIPS) && !defined(NO_RSA) && \
42 (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2))
43 #include <cyassl/ctaocrypt/rsa.h>
44#endif
45
46#ifndef NO_DH
47 #include <wolfssl/wolfcrypt/dh.h>
48#endif
49#ifndef NO_DSA
50 #include <wolfssl/wolfcrypt/dsa.h>
51#endif
52#ifndef NO_SHA
53 #include <wolfssl/wolfcrypt/sha.h>
54#endif
55#ifndef NO_MD5
56 #include <wolfssl/wolfcrypt/md5.h>
57#endif
58#include <wolfssl/wolfcrypt/sha256.h>
59#include <wolfssl/wolfcrypt/asn_public.h> /* public interface */
60
61#if defined(NO_SHA) && defined(NO_SHA256)
62 #define WC_SHA256_DIGEST_SIZE 32
63#endif
64
65#ifdef __cplusplus
66 extern "C" {
67#endif
68
69#ifndef EXTERNAL_SERIAL_SIZE
70 #define EXTERNAL_SERIAL_SIZE 32
71#endif
72
73enum {
74 ISSUER = 0,
75 SUBJECT = 1,
76
77 BEFORE = 0,
78 AFTER = 1
79};
80
81/* ASN Tags */
82enum ASN_Tags {
83 ASN_EOC = 0x00,
84 ASN_BOOLEAN = 0x01,
85 ASN_INTEGER = 0x02,
86 ASN_BIT_STRING = 0x03,
87 ASN_OCTET_STRING = 0x04,
88 ASN_TAG_NULL = 0x05,
89 ASN_OBJECT_ID = 0x06,
90 ASN_ENUMERATED = 0x0a,
91 ASN_UTF8STRING = 0x0c,
92 ASN_SEQUENCE = 0x10,
93 ASN_SET = 0x11,
94 ASN_PRINTABLE_STRING = 0x13,
95 ASN_UTC_TIME = 0x17,
96 ASN_OTHER_TYPE = 0x00,
97 ASN_RFC822_TYPE = 0x01,
98 ASN_DNS_TYPE = 0x02,
99 ASN_DIR_TYPE = 0x04,
100 ASN_URI_TYPE = 0x06, /* the value 6 is from GeneralName OID */
101 ASN_IP_TYPE = 0x07, /* the value 7 is from GeneralName OID */
102 ASN_GENERALIZED_TIME = 0x18,
103 CRL_EXTENSIONS = 0xa0,
104 ASN_EXTENSIONS = 0xa3,
105 ASN_LONG_LENGTH = 0x80,
106 ASN_INDEF_LENGTH = 0x80,
107
108 /* ASN_Flags - Bitmask */
109 ASN_CONSTRUCTED = 0x20,
110 ASN_APPLICATION = 0x40,
111 ASN_CONTEXT_SPECIFIC = 0x80,
112};
113
114#define ASN_UTC_TIME_SIZE 14
115#define ASN_GENERALIZED_TIME_SIZE 16
116#define ASN_GENERALIZED_TIME_MAX 68
117
118enum DN_Tags {
119 ASN_DN_NULL = 0x00,
120 ASN_COMMON_NAME = 0x03, /* CN */
121 ASN_SUR_NAME = 0x04, /* SN */
122 ASN_SERIAL_NUMBER = 0x05, /* serialNumber */
123 ASN_COUNTRY_NAME = 0x06, /* C */
124 ASN_LOCALITY_NAME = 0x07, /* L */
125 ASN_STATE_NAME = 0x08, /* ST */
126 ASN_ORG_NAME = 0x0a, /* O */
127 ASN_ORGUNIT_NAME = 0x0b, /* OU */
128 ASN_BUS_CAT = 0x0f, /* businessCategory */
129 ASN_EMAIL_NAME = 0x98, /* not oid number there is 97 in 2.5.4.0-97 */
130
131 /* pilot attribute types
132 * OID values of 0.9.2342.19200300.100.1.* */
133 ASN_USER_ID = 0x01, /* UID */
134 ASN_DOMAIN_COMPONENT = 0x19 /* DC */
135};
136
137#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
138typedef struct WOLFSSL_ObjectInfo {
139 int nid;
140 int id;
141 word32 type;
142 const char* sName;
143 const char* lName;
144} WOLFSSL_ObjectInfo;
145extern const size_t wolfssl_object_info_sz;
146extern const WOLFSSL_ObjectInfo wolfssl_object_info[];
147#endif /* defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) */
148
149/* DN Tag Strings */
150#define WOLFSSL_COMMON_NAME "/CN="
151#define WOLFSSL_LN_COMMON_NAME "/commonName="
152#define WOLFSSL_SUR_NAME "/SN="
153#define WOLFSSL_SERIAL_NUMBER "/serialNumber="
154#define WOLFSSL_COUNTRY_NAME "/C="
155#define WOLFSSL_LN_COUNTRY_NAME "/countryName="
156#define WOLFSSL_LOCALITY_NAME "/L="
157#define WOLFSSL_LN_LOCALITY_NAME "/localityName="
158#define WOLFSSL_STATE_NAME "/ST="
159#define WOLFSSL_LN_STATE_NAME "/stateOrProvinceName="
160#define WOLFSSL_ORG_NAME "/O="
161#define WOLFSSL_LN_ORG_NAME "/organizationName="
162#define WOLFSSL_ORGUNIT_NAME "/OU="
163#define WOLFSSL_LN_ORGUNIT_NAME "/organizationalUnitName="
164#define WOLFSSL_DOMAIN_COMPONENT "/DC="
165#define WOLFSSL_LN_DOMAIN_COMPONENT "/domainComponent="
166#define WOLFSSL_BUS_CAT "/businessCategory="
167#define WOLFSSL_JOI_C "/jurisdictionC="
168#define WOLFSSL_JOI_ST "/jurisdictionST="
169#define WOLFSSL_EMAIL_ADDR "/emailAddress="
170
171#define WOLFSSL_USER_ID "/UID="
172#define WOLFSSL_DOMAIN_COMPONENT "/DC="
173
174#if defined(WOLFSSL_APACHE_HTTPD)
175 /* otherName strings */
176 #define WOLFSSL_SN_MS_UPN "msUPN"
177 #define WOLFSSL_LN_MS_UPN "Microsoft User Principal Name"
178 #define WOLFSSL_MS_UPN_SUM 265
179 #define WOLFSSL_SN_DNS_SRV "id-on-dnsSRV"
180 #define WOLFSSL_LN_DNS_SRV "SRVName"
181 /* TLS features extension strings */
182 #define WOLFSSL_SN_TLS_FEATURE "tlsfeature"
183 #define WOLFSSL_LN_TLS_FEATURE "TLS Feature"
184 #define WOLFSSL_TLS_FEATURE_SUM 92
185#endif
186
187/* NIDs */
188enum
189{
190 NID_undef = 0,
191 NID_netscape_cert_type = NID_undef,
192 NID_des = 66,
193 NID_des3 = 67,
194 NID_sha256 = 672,
195 NID_sha384 = 673,
196 NID_sha512 = 674,
197 NID_hw_name_oid = 73,
198 NID_id_pkix_OCSP_basic = 74,
199 NID_any_policy = 75,
200 NID_anyExtendedKeyUsage = 76,
201 NID_givenName = 99,
202 NID_initials = 101,
203 NID_title = 106,
204 NID_description = 107,
205 NID_basic_constraints = 133,
206 NID_key_usage = 129, /* 2.5.29.15 */
207 NID_ext_key_usage = 151, /* 2.5.29.37 */
208 NID_subject_key_identifier = 128,
209 NID_authority_key_identifier = 149,
210 NID_private_key_usage_period = 130, /* 2.5.29.16 */
211 NID_subject_alt_name = 131,
212 NID_issuer_alt_name = 132,
213 NID_info_access = 69,
214 NID_sinfo_access = 79, /* id-pe 11 */
215 NID_name_constraints = 144, /* 2.5.29.30 */
216 NID_crl_distribution_points = 145, /* 2.5.29.31 */
217 NID_certificate_policies = 146,
218 NID_policy_mappings = 147,
219 NID_policy_constraints = 150,
220 NID_inhibit_any_policy = 168, /* 2.5.29.54 */
221 NID_tlsfeature = 1020, /* id-pe 24 */
222 NID_commonName = 0x03, /* matches ASN_COMMON_NAME in asn.h */
223
224
225 NID_surname = 0x04, /* SN */
226 NID_serialNumber = 0x05, /* serialNumber */
227 NID_countryName = 0x06, /* C */
228 NID_localityName = 0x07, /* L */
229 NID_stateOrProvinceName = 0x08, /* ST */
230 NID_organizationName = 0x0a, /* O */
231 NID_organizationalUnitName = 0x0b, /* OU */
232 NID_jurisdictionCountryName = 0xc,
233 NID_jurisdictionStateOrProvinceName = 0xd,
234 NID_businessCategory = ASN_BUS_CAT,
235 NID_domainComponent = ASN_DOMAIN_COMPONENT,
236 NID_emailAddress = 0x30, /* emailAddress */
237 NID_id_on_dnsSRV = 82, /* 1.3.6.1.5.5.7.8.7 */
238 NID_ms_upn = 265, /* 1.3.6.1.4.1.311.20.2.3 */
239
240 NID_X9_62_prime_field = 406 /* 1.2.840.10045.1.1 */
241};
242
243enum ECC_TYPES
244{
245 ECC_PREFIX_0 = 160,
246 ECC_PREFIX_1 = 161
247};
248
249#ifdef WOLFSSL_CERT_PIV
250 enum PIV_Tags {
251 ASN_PIV_CERT = 0x0A,
252 ASN_PIV_NONCE = 0x0B,
253 ASN_PIV_SIGNED_NONCE = 0x0C,
254
255 ASN_PIV_TAG_CERT = 0x70,
256 ASN_PIV_TAG_CERT_INFO = 0x71,
257 ASN_PIV_TAG_MSCUID = 0x72,
258 ASN_PIV_TAG_ERR_DET = 0xFE,
259
260 /* certificate info masks */
261 ASN_PIV_CERT_INFO_COMPRESSED = 0x03,
262 ASN_PIV_CERT_INFO_ISX509 = 0x04,
263 };
264#endif /* WOLFSSL_CERT_PIV */
265
266
267#define ASN_JOI_PREFIX_SZ 10
268#define ASN_JOI_PREFIX "\x2b\x06\x01\x04\x01\x82\x37\x3c\x02\x01"
269#define ASN_JOI_C 0x3
270#define ASN_JOI_ST 0x2
271
272#ifndef WC_ASN_NAME_MAX
273 #ifdef OPENSSL_EXTRA
274 #define WC_ASN_NAME_MAX 300
275 #else
276 #define WC_ASN_NAME_MAX 256
277 #endif
278#endif
279#define ASN_NAME_MAX WC_ASN_NAME_MAX
280
281enum Misc_ASN {
282 MAX_SALT_SIZE = 64, /* MAX PKCS Salt length */
283 MAX_IV_SIZE = 64, /* MAX PKCS Iv length */
284 ASN_BOOL_SIZE = 2, /* including type */
285 ASN_ECC_HEADER_SZ = 2, /* String type + 1 byte len */
286 ASN_ECC_CONTEXT_SZ = 2, /* Content specific type + 1 byte len */
287#ifdef NO_SHA
288 KEYID_SIZE = WC_SHA256_DIGEST_SIZE,
289#else
290 KEYID_SIZE = WC_SHA_DIGEST_SIZE,
291#endif
292 RSA_INTS = 8, /* RSA ints in private key */
293 DSA_INTS = 5, /* DSA ints in private key */
294 MIN_DATE_SIZE = 13,
295 MAX_DATE_SIZE = 32,
296 ASN_GEN_TIME_SZ = 15, /* 7 numbers * 2 + Zulu tag */
297#ifndef NO_RSA
298 MAX_ENCODED_SIG_SZ = 512,
299#elif defined(HAVE_ECC)
300 MAX_ENCODED_SIG_SZ = 140,
301#elif defined(HAVE_CURVE448)
302 MAX_ENCODED_SIG_SZ = 114,
303#else
304 MAX_ENCODED_SIG_SZ = 64,
305#endif
306 MAX_SIG_SZ = 256,
307 MAX_ALGO_SZ = 20,
308 MAX_SHORT_SZ = 6, /* asn int + byte len + 4 byte length */
309 MAX_SEQ_SZ = 5, /* enum(seq | con) + length(4) */
310 MAX_SET_SZ = 5, /* enum(set | con) + length(4) */
311 MAX_OCTET_STR_SZ = 5, /* enum(set | con) + length(4) */
312 MAX_EXP_SZ = 5, /* enum(contextspec|con|exp) + length(4) */
313 MAX_PRSTR_SZ = 5, /* enum(prstr) + length(4) */
314 MAX_VERSION_SZ = 5, /* enum + id + version(byte) + (header(2))*/
315 MAX_ENCODED_DIG_ASN_SZ= 9, /* enum(bit or octet) + length(4) */
316 MAX_ENCODED_DIG_SZ = 64 + MAX_ENCODED_DIG_ASN_SZ, /* asn header + sha512 */
317 MAX_RSA_INT_SZ = 517, /* RSA raw sz 4096 for bits + tag + len(4) */
318 MAX_DSA_INT_SZ = 261, /* DSA raw sz 2048 for bits + tag + len(4) */
319 MAX_NTRU_KEY_SZ = 610, /* NTRU 112 bit public key */
320 MAX_NTRU_ENC_SZ = 628, /* NTRU 112 bit DER public encoding */
321 MAX_LENGTH_SZ = 4, /* Max length size for DER encoding */
322 MAX_RSA_E_SZ = 16, /* Max RSA public e size */
323 MAX_CA_SZ = 32, /* Max encoded CA basic constraint length */
324 MAX_SN_SZ = 35, /* Max encoded serial number (INT) length */
325 MAX_DER_DIGEST_SZ = MAX_ENCODED_DIG_SZ + MAX_ALGO_SZ + MAX_SEQ_SZ,
326 /* Maximum DER digest size */
327 MAX_DER_DIGEST_ASN_SZ = MAX_ENCODED_DIG_ASN_SZ + MAX_ALGO_SZ + MAX_SEQ_SZ,
328 /* Maximum DER digest ASN header size */
329#ifdef WOLFSSL_CERT_GEN
330 #ifdef WOLFSSL_CERT_REQ
331 /* Max encoded cert req attributes length */
332 MAX_ATTRIB_SZ = MAX_SEQ_SZ * 3 + (11 + MAX_SEQ_SZ) * 2 +
333 MAX_PRSTR_SZ + CTC_NAME_SIZE, /* 11 is the OID size */
334 #endif
335 #if defined(WOLFSSL_ALT_NAMES) || defined(WOLFSSL_CERT_EXT)
336 MAX_EXTENSIONS_SZ = 1 + MAX_LENGTH_SZ + CTC_MAX_ALT_SIZE,
337 #else
338 MAX_EXTENSIONS_SZ = 1 + MAX_LENGTH_SZ + MAX_CA_SZ,
339 #endif
340 /* Max total extensions, id + len + others */
341#endif
342#if defined(WOLFSSL_CERT_EXT) || defined(OPENSSL_EXTRA) || defined(HAVE_PKCS7)
343 MAX_OID_SZ = 32, /* Max DER length of OID*/
344 MAX_OID_STRING_SZ = 64, /* Max string length representation of OID*/
345#endif
346#ifdef WOLFSSL_CERT_EXT
347 MAX_KID_SZ = 45, /* Max encoded KID length (SHA-256 case) */
348 MAX_KEYUSAGE_SZ = 18, /* Max encoded Key Usage length */
349 MAX_EXTKEYUSAGE_SZ = 12 + (6 * (8 + 2)) +
350 CTC_MAX_EKU_OID_SZ, /* Max encoded ExtKeyUsage
351 (SEQ/LEN + OBJID + OCTSTR/LEN + SEQ +
352 (6 * (SEQ + OID))) */
353 MAX_CERTPOL_NB = CTC_MAX_CERTPOL_NB,/* Max number of Cert Policy */
354 MAX_CERTPOL_SZ = CTC_MAX_CERTPOL_SZ,
355#endif
356 MAX_AIA_SZ = 2, /* Max Authority Info Access extension size*/
357 MAX_NAME_ENTRIES = 5, /* extra entries added to x509 name struct */
358 OCSP_NONCE_EXT_SZ = 35, /* OCSP Nonce Extension size */
359 MAX_OCSP_EXT_SZ = 58, /* Max OCSP Extension length */
360 MAX_OCSP_NONCE_SZ = 16, /* OCSP Nonce size */
361 EIGHTK_BUF = 8192, /* Tmp buffer size */
362 MAX_PUBLIC_KEY_SZ = MAX_NTRU_ENC_SZ + MAX_ALGO_SZ + MAX_SEQ_SZ * 2,
363 /* use bigger NTRU size */
364#ifdef WOLFSSL_ENCRYPTED_KEYS
365 HEADER_ENCRYPTED_KEY_SIZE = 88,/* Extra header size for encrypted key */
366#else
367 HEADER_ENCRYPTED_KEY_SIZE = 0,
368#endif
369 TRAILING_ZERO = 1, /* Used for size of zero pad */
370 ASN_TAG_SZ = 1, /* single byte ASN.1 tag */
371 MIN_VERSION_SZ = 3, /* Min bytes needed for GetMyVersion */
372#if defined(OPENSSL_ALL) || defined(WOLFSSL_MYSQL_COMPATIBLE) || \
373 defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) || \
374 defined(OPENSSL_EXTRA) || defined(HAVE_PKCS7)
375 MAX_TIME_STRING_SZ = 25, /* Max length of formatted time string */
376#endif
377
378 PKCS5_SALT_SZ = 8,
379
380 PEM_LINE_LEN = 80, /* PEM line max + fudge */
381};
382
383
384enum Oid_Types {
385 oidHashType = 0,
386 oidSigType = 1,
387 oidKeyType = 2,
388 oidCurveType = 3,
389 oidBlkType = 4,
390 oidOcspType = 5,
391 oidCertExtType = 6,
392 oidCertAuthInfoType = 7,
393 oidCertPolicyType = 8,
394 oidCertAltNameType = 9,
395 oidCertKeyUseType = 10,
396 oidKdfType = 11,
397 oidKeyWrapType = 12,
398 oidCmsKeyAgreeType = 13,
399 oidPBEType = 14,
400 oidHmacType = 15,
401 oidCompressType = 16,
402 oidCertNameType = 17,
403 oidTlsExtType = 18,
404 oidCrlExtType = 19,
405 oidIgnoreType
406};
407
408
409enum Hash_Sum {
410 MD2h = 646,
411 MD5h = 649,
412 SHAh = 88,
413 SHA224h = 417,
414 SHA256h = 414,
415 SHA384h = 415,
416 SHA512h = 416,
417 SHA3_224h = 420,
418 SHA3_256h = 421,
419 SHA3_384h = 422,
420 SHA3_512h = 423
421};
422
423
424#if !defined(NO_DES3) || !defined(NO_AES)
425enum Block_Sum {
426#ifdef WOLFSSL_AES_128
427 AES128CBCb = 414,
428 AES128GCMb = 418,
429 AES128CCMb = 419,
430#endif
431#ifdef WOLFSSL_AES_192
432 AES192CBCb = 434,
433 AES192GCMb = 438,
434 AES192CCMb = 439,
435#endif
436#ifdef WOLFSSL_AES_256
437 AES256CBCb = 454,
438 AES256GCMb = 458,
439 AES256CCMb = 459,
440#endif
441#ifndef NO_DES3
442 DESb = 69,
443 DES3b = 652
444#endif
445};
446#endif /* !NO_DES3 || !NO_AES */
447
448
449enum Key_Sum {
450 DSAk = 515,
451 RSAk = 645,
452 NTRUk = 274,
453 ECDSAk = 518,
454 ED25519k = 256,
455 ED448k = 257,
456 DHk = 647, /* dhKeyAgreement OID: 1.2.840.113549.1.3.1 */
457};
458
459#if !defined(NO_AES) || defined(HAVE_PKCS7)
460enum KeyWrap_Sum {
461#ifdef WOLFSSL_AES_128
462 AES128_WRAP = 417,
463#endif
464#ifdef WOLFSSL_AES_192
465 AES192_WRAP = 437,
466#endif
467#ifdef WOLFSSL_AES_256
468 AES256_WRAP = 457,
469#endif
470#ifdef HAVE_PKCS7
471 PWRI_KEK_WRAP = 680 /*id-alg-PWRI-KEK, 1.2.840.113549.1.9.16.3.9 */
472#endif
473};
474#endif /* !NO_AES || PKCS7 */
475
476enum Key_Agree {
477 dhSinglePass_stdDH_sha1kdf_scheme = 464,
478 dhSinglePass_stdDH_sha224kdf_scheme = 188,
479 dhSinglePass_stdDH_sha256kdf_scheme = 189,
480 dhSinglePass_stdDH_sha384kdf_scheme = 190,
481 dhSinglePass_stdDH_sha512kdf_scheme = 191,
482};
483
484
485
486enum KDF_Sum {
487 PBKDF2_OID = 660
488};
489
490
491enum HMAC_Sum {
492 HMAC_SHA224_OID = 652,
493 HMAC_SHA256_OID = 653,
494 HMAC_SHA384_OID = 654,
495 HMAC_SHA512_OID = 655,
496 HMAC_SHA3_224_OID = 426,
497 HMAC_SHA3_256_OID = 427,
498 HMAC_SHA3_384_OID = 428,
499 HMAC_SHA3_512_OID = 429
500};
501
502
503enum Extensions_Sum {
504 BASIC_CA_OID = 133,
505 ALT_NAMES_OID = 131,
506 CRL_DIST_OID = 145,
507 AUTH_INFO_OID = 69, /* id-pe 1 */
508 AUTH_KEY_OID = 149,
509 SUBJ_KEY_OID = 128,
510 CERT_POLICY_OID = 146,
511 KEY_USAGE_OID = 129, /* 2.5.29.15 */
512 INHIBIT_ANY_OID = 168, /* 2.5.29.54 */
513 EXT_KEY_USAGE_OID = 151, /* 2.5.29.37 */
514 NAME_CONS_OID = 144, /* 2.5.29.30 */
515 PRIV_KEY_USAGE_PERIOD_OID = 130, /* 2.5.29.16 */
516 SUBJECT_INFO_ACCESS = 79, /* id-pe 11 */
517 POLICY_MAP_OID = 147,
518 POLICY_CONST_OID = 150,
519 ISSUE_ALT_NAMES_OID = 132,
520 TLS_FEATURE_OID = 92, /* id-pe 24 */
521 NETSCAPE_CT_OID = 753 /* 2.16.840.1.113730.1.1 */
522};
523
524enum CertificatePolicy_Sum {
525 CP_ANY_OID = 146 /* id-ce 32 0 */
526};
527
528enum SepHardwareName_Sum {
529 HW_NAME_OID = 79 /* 1.3.6.1.5.5.7.8.4 from RFC 4108*/
530};
531
532enum AuthInfo_Sum {
533 AIA_OCSP_OID = 116, /* 1.3.6.1.5.5.7.48.1 */
534 AIA_CA_ISSUER_OID = 117 /* 1.3.6.1.5.5.7.48.2 */
535};
536
537enum ExtKeyUsage_Sum { /* From RFC 5280 */
538 EKU_ANY_OID = 151, /* 2.5.29.37.0, anyExtendedKeyUsage */
539 EKU_SERVER_AUTH_OID = 71, /* 1.3.6.1.5.5.7.3.1, id-kp-serverAuth */
540 EKU_CLIENT_AUTH_OID = 72, /* 1.3.6.1.5.5.7.3.2, id-kp-clientAuth */
541 EKU_CODESIGNING_OID = 73, /* 1.3.6.1.5.5.7.3.3, id-kp-codeSigning */
542 EKU_EMAILPROTECT_OID = 74, /* 1.3.6.1.5.5.7.3.4, id-kp-emailProtection */
543 EKU_TIMESTAMP_OID = 78, /* 1.3.6.1.5.5.7.3.8, id-kp-timeStamping */
544 EKU_OCSP_SIGN_OID = 79 /* 1.3.6.1.5.5.7.3.9, id-kp-OCSPSigning */
545};
546
547#ifdef HAVE_LIBZ
548enum CompressAlg_Sum {
549 ZLIBc = 679 /* 1.2.840.113549.1.9.16.3.8, id-alg-zlibCompress */
550};
551#endif
552
553enum VerifyType {
554 NO_VERIFY = 0,
555 VERIFY = 1,
556 VERIFY_CRL = 2,
557 VERIFY_OCSP = 3,
558 VERIFY_NAME = 4,
559 VERIFY_SKIP_DATE = 5,
560};
561
562#ifdef WOLFSSL_CERT_EXT
563enum KeyIdType {
564 SKID_TYPE = 0,
565 AKID_TYPE = 1
566};
567#endif
568
569/* Key usage extension bits (based on RFC 5280) */
570#define KEYUSE_DIGITAL_SIG 0x0080
571#define KEYUSE_CONTENT_COMMIT 0x0040
572#define KEYUSE_KEY_ENCIPHER 0x0020
573#define KEYUSE_DATA_ENCIPHER 0x0010
574#define KEYUSE_KEY_AGREE 0x0008
575#define KEYUSE_KEY_CERT_SIGN 0x0004
576#define KEYUSE_CRL_SIGN 0x0002
577#define KEYUSE_ENCIPHER_ONLY 0x0001
578#define KEYUSE_DECIPHER_ONLY 0x8000
579
580/* Extended Key Usage bits (internal mapping only) */
581#define EXTKEYUSE_USER 0x80
582#define EXTKEYUSE_OCSP_SIGN 0x40
583#define EXTKEYUSE_TIMESTAMP 0x20
584#define EXTKEYUSE_EMAILPROT 0x10
585#define EXTKEYUSE_CODESIGN 0x08
586#define EXTKEYUSE_CLIENT_AUTH 0x04
587#define EXTKEYUSE_SERVER_AUTH 0x02
588#define EXTKEYUSE_ANY 0x01
589
590typedef struct DNS_entry DNS_entry;
591
592struct DNS_entry {
593 DNS_entry* next; /* next on DNS list */
594 int type; /* i.e. ASN_DNS_TYPE */
595 int len; /* actual DNS len */
596 char* name; /* actual DNS name */
597};
598
599
600typedef struct Base_entry Base_entry;
601
602struct Base_entry {
603 Base_entry* next; /* next on name base list */
604 char* name; /* actual name base */
605 int nameSz; /* name length */
606 byte type; /* Name base type (DNS or RFC822) */
607};
608
609#define DOMAIN_COMPONENT_MAX 10
610#define DN_NAMES_MAX 9
611
612struct DecodedName {
613 char* fullName;
614 int fullNameLen;
615 int entryCount;
616 int cnIdx;
617 int cnLen;
618 int cnNid;
619 int snIdx;
620 int snLen;
621 int snNid;
622 int cIdx;
623 int cLen;
624 int cNid;
625 int lIdx;
626 int lLen;
627 int lNid;
628 int stIdx;
629 int stLen;
630 int stNid;
631 int oIdx;
632 int oLen;
633 int oNid;
634 int ouIdx;
635 int ouLen;
636#ifdef WOLFSSL_CERT_EXT
637 int bcIdx;
638 int bcLen;
639 int jcIdx;
640 int jcLen;
641 int jsIdx;
642 int jsLen;
643#endif
644 int ouNid;
645 int emailIdx;
646 int emailLen;
647 int emailNid;
648 int uidIdx;
649 int uidLen;
650 int uidNid;
651 int serialIdx;
652 int serialLen;
653 int serialNid;
654 int dcIdx[DOMAIN_COMPONENT_MAX];
655 int dcLen[DOMAIN_COMPONENT_MAX];
656 int dcNum;
657 int dcMode;
658#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
659 /* hold the location / order with which each of the DN tags was found
660 *
661 * example of ASN_DOMAIN_COMPONENT at index 0 if first found and so on.
662 */
663 int loc[DOMAIN_COMPONENT_MAX + DN_NAMES_MAX];
664 int locSz;
665#endif
666};
667
668enum SignatureState {
669 SIG_STATE_BEGIN,
670 SIG_STATE_HASH,
671 SIG_STATE_KEY,
672 SIG_STATE_DO,
673 SIG_STATE_CHECK,
674};
675
676
677#ifdef HAVE_PK_CALLBACKS
678#ifdef HAVE_ECC
679 typedef int (*wc_CallbackEccVerify)(
680 const unsigned char* sig, unsigned int sigSz,
681 const unsigned char* hash, unsigned int hashSz,
682 const unsigned char* keyDer, unsigned int keySz,
683 int* result, void* ctx);
684#endif
685#ifndef NO_RSA
686 typedef int (*wc_CallbackRsaVerify)(
687 unsigned char* sig, unsigned int sigSz,
688 unsigned char** out,
689 const unsigned char* keyDer, unsigned int keySz,
690 void* ctx);
691#endif
692#endif /* HAVE_PK_CALLBACKS */
693
694struct SignatureCtx {
695 void* heap;
696 byte* digest;
697#ifndef NO_RSA
698 byte* out;
699 byte* plain;
700#endif
701#if defined(HAVE_ECC) || defined(HAVE_ED25519) || defined(HAVE_ED448)
702 int verify;
703#endif
704 union {
705 #ifndef NO_RSA
706 struct RsaKey* rsa;
707 #endif
708 #ifdef HAVE_ECC
709 struct ecc_key* ecc;
710 #endif
711 #ifdef HAVE_ED25519
712 struct ed25519_key* ed25519;
713 #endif
714 #ifdef HAVE_ED448
715 struct ed448_key* ed448;
716 #endif
717 void* ptr;
718 } key;
719 int devId;
720 int state;
721 int typeH;
722 int digestSz;
723 word32 keyOID;
724#ifdef WOLFSSL_ASYNC_CRYPT
725 WC_ASYNC_DEV* asyncDev;
726 void* asyncCtx;
727#endif
728
729#ifdef HAVE_PK_CALLBACKS
730#ifdef HAVE_ECC
731 wc_CallbackEccVerify pkCbEcc;
732 void* pkCtxEcc;
733#endif
734#ifndef NO_RSA
735 wc_CallbackRsaVerify pkCbRsa;
736 void* pkCtxRsa;
737#endif
738#endif /* HAVE_PK_CALLBACKS */
739#ifndef NO_RSA
740#ifdef WOLFSSL_RENESAS_TSIP_TLS
741 byte verifyByTSIP;
742 word32 certBegin;
743 word32 pubkey_n_start;
744 word32 pubkey_n_len;
745 word32 pubkey_e_start;
746 word32 pubkey_e_len;
747#endif
748#endif
749};
750
751enum CertSignState {
752 CERTSIGN_STATE_BEGIN,
753 CERTSIGN_STATE_DIGEST,
754 CERTSIGN_STATE_ENCODE,
755 CERTSIGN_STATE_DO,
756};
757
758struct CertSignCtx {
759 byte* sig;
760 byte* digest;
761 #ifndef NO_RSA
762 byte* encSig;
763 int encSigSz;
764 #endif
765 int state; /* enum CertSignState */
766};
767
768#ifndef WOLFSSL_MAX_PATH_LEN
769 /* RFC 5280 Section 6.1.2. "Initialization" - item (k) defines
770 * (k) max_path_length: this integer is initialized to "n", is
771 * decremented for each non-self-issued certificate in the path,
772 * and may be reduced to the value in the path length constraint
773 * field within the basic constraints extension of a CA
774 * certificate.
775 *
776 * wolfSSL has arbitrarily selected the value 127 for "n" in the above
777 * description. Users can modify the maximum path length by setting
778 * WOLFSSL_MAX_PATH_LEN to a preferred value at build time
779 */
780 #define WOLFSSL_MAX_PATH_LEN 127
781#endif
782
783typedef struct DecodedCert DecodedCert;
784typedef struct DecodedName DecodedName;
785typedef struct Signer Signer;
786#ifdef WOLFSSL_TRUST_PEER_CERT
787typedef struct TrustedPeerCert TrustedPeerCert;
788#endif /* WOLFSSL_TRUST_PEER_CERT */
789typedef struct SignatureCtx SignatureCtx;
790typedef struct CertSignCtx CertSignCtx;
791
792
793struct DecodedCert {
794 const byte* publicKey;
795 word32 pubKeySize;
796 int pubKeyStored;
797 word32 certBegin; /* offset to start of cert */
798 word32 sigIndex; /* offset to start of signature */
799 word32 sigLength; /* length of signature */
800 word32 signatureOID; /* sum of algorithm object id */
801 word32 keyOID; /* sum of key algo object id */
802 int version; /* cert version, 1 or 3 */
803 DNS_entry* altNames; /* alt names list of dns entries */
804#ifndef IGNORE_NAME_CONSTRAINTS
805 DNS_entry* altEmailNames; /* alt names list of RFC822 entries */
806 Base_entry* permittedNames; /* Permitted name bases */
807 Base_entry* excludedNames; /* Excluded name bases */
808#endif /* IGNORE_NAME_CONSTRAINTS */
809 byte subjectHash[KEYID_SIZE]; /* hash of all Names */
810 byte issuerHash[KEYID_SIZE]; /* hash of all Names */
811#ifdef HAVE_OCSP
812 byte subjectKeyHash[KEYID_SIZE]; /* hash of the public Key */
813 byte issuerKeyHash[KEYID_SIZE]; /* hash of the public Key */
814#endif /* HAVE_OCSP */
815 const byte* signature; /* not owned, points into raw cert */
816 char* subjectCN; /* CommonName */
817 int subjectCNLen; /* CommonName Length */
818 char subjectCNEnc; /* CommonName Encoding */
819 char issuer[ASN_NAME_MAX]; /* full name including common name */
820 char subject[ASN_NAME_MAX]; /* full name including common name */
821 int verify; /* Default to yes, but could be off */
822 const byte* source; /* byte buffer holder cert, NOT owner */
823 word32 srcIdx; /* current offset into buffer */
824 word32 maxIdx; /* max offset based on init size */
825 void* heap; /* for user memory overrides */
826 byte serial[EXTERNAL_SERIAL_SIZE]; /* raw serial number */
827 int serialSz; /* raw serial bytes stored */
828 const byte* extensions; /* not owned, points into raw cert */
829 int extensionsSz; /* length of cert extensions */
830 word32 extensionsIdx; /* if want to go back and parse later */
831 const byte* extAuthInfo; /* Authority Information Access URI */
832 int extAuthInfoSz; /* length of the URI */
833#if defined(OPENSSL_ALL) || defined(WOLFSSL_QT)
834 const byte* extAuthInfoCaIssuer; /* Authority Info Access caIssuer URI */
835 int extAuthInfoCaIssuerSz; /* length of the caIssuer URI */
836#endif
837 const byte* extCrlInfo; /* CRL Distribution Points */
838 int extCrlInfoSz; /* length of the URI */
839 byte extSubjKeyId[KEYID_SIZE]; /* Subject Key ID */
840 byte extAuthKeyId[KEYID_SIZE]; /* Authority Key ID */
841 byte pathLength; /* CA basic constraint path length */
842 byte maxPathLen; /* max_path_len see RFC 5280 section
843 * 6.1.2 "Initialization" - (k) for
844 * description of max_path_len */
845 word16 extKeyUsage; /* Key usage bitfield */
846 byte extExtKeyUsage; /* Extended Key usage bitfield */
847
848#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
849 const byte* extExtKeyUsageSrc;
850 word32 extExtKeyUsageSz;
851 word32 extExtKeyUsageCount;
852 const byte* extAuthKeyIdSrc;
853 word32 extAuthKeyIdSz;
854 const byte* extSubjKeyIdSrc;
855 word32 extSubjKeyIdSz;
856#endif
857
858#if defined(HAVE_ECC) || defined(HAVE_ED25519) || defined(HAVE_ED448)
859 word32 pkCurveOID; /* Public Key's curve OID */
860#endif /* HAVE_ECC */
861 const byte* beforeDate;
862 int beforeDateLen;
863 const byte* afterDate;
864 int afterDateLen;
865#if defined(HAVE_PKCS7) || defined(WOLFSSL_CERT_EXT)
866 const byte* issuerRaw; /* pointer to issuer inside source */
867 int issuerRawLen;
868#endif
869#if !defined(IGNORE_NAME_CONSTRAINTS) || defined(WOLFSSL_CERT_EXT)
870 const byte* subjectRaw; /* pointer to subject inside source */
871 int subjectRawLen;
872#endif
873#if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT)
874 /* easy access to subject info for other sign */
875 char* subjectSN;
876 int subjectSNLen;
877 char subjectSNEnc;
878 char* subjectC;
879 int subjectCLen;
880 char subjectCEnc;
881 char* subjectL;
882 int subjectLLen;
883 char subjectLEnc;
884 char* subjectST;
885 int subjectSTLen;
886 char subjectSTEnc;
887 char* subjectO;
888 int subjectOLen;
889 char subjectOEnc;
890 char* subjectOU;
891 int subjectOULen;
892 char subjectOUEnc;
893 char* subjectSND;
894 int subjectSNDLen;
895 char subjectSNDEnc;
896#ifdef WOLFSSL_CERT_EXT
897 char* subjectBC;
898 int subjectBCLen;
899 char subjectBCEnc;
900 char* subjectJC;
901 int subjectJCLen;
902 char subjectJCEnc;
903 char* subjectJS;
904 int subjectJSLen;
905 char subjectJSEnc;
906#endif
907 char* subjectEmail;
908 int subjectEmailLen;
909#endif /* WOLFSSL_CERT_GEN */
910#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
911 DecodedName issuerName;
912 DecodedName subjectName;
913#endif /* OPENSSL_EXTRA */
914#ifdef WOLFSSL_SEP
915 int deviceTypeSz;
916 byte* deviceType;
917 int hwTypeSz;
918 byte* hwType;
919 int hwSerialNumSz;
920 byte* hwSerialNum;
921#endif /* WOLFSSL_SEP */
922#ifdef WOLFSSL_CERT_EXT
923 char extCertPolicies[MAX_CERTPOL_NB][MAX_CERTPOL_SZ];
924 int extCertPoliciesNb;
925#endif /* defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT) */
926
927 Signer* ca;
928#ifndef NO_CERTS
929 SignatureCtx sigCtx;
930#endif
931#ifdef WOLFSSL_RENESAS_TSIP
932 byte* tsip_encRsaKeyIdx;
933#endif
934
935 int badDate;
936 int criticalExt;
937
938 /* Option Bits */
939 byte subjectCNStored : 1; /* have we saved a copy we own */
940 byte extSubjKeyIdSet : 1; /* Set when the SKID was read from cert */
941 byte extAuthKeyIdSet : 1; /* Set when the AKID was read from cert */
942#ifndef IGNORE_NAME_CONSTRAINTS
943 byte extNameConstraintSet : 1;
944#endif
945 byte isCA : 1; /* CA basic constraint true */
946 byte pathLengthSet : 1; /* CA basic const path length set */
947 byte weOwnAltNames : 1; /* altNames haven't been given to copy */
948 byte extKeyUsageSet : 1;
949 byte extExtKeyUsageSet : 1; /* Extended Key Usage set */
950 byte extCRLdistSet : 1;
951 byte extAuthInfoSet : 1;
952 byte extBasicConstSet : 1;
953 byte extSubjAltNameSet : 1;
954 byte inhibitAnyOidSet : 1;
955 byte selfSigned : 1; /* Indicates subject and issuer are same */
956#if defined(WOLFSSL_SEP) || defined(WOLFSSL_QT)
957 byte extCertPolicySet : 1;
958#endif
959#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
960 byte extCRLdistCrit : 1;
961 byte extAuthInfoCrit : 1;
962 byte extBasicConstCrit : 1;
963 byte extSubjAltNameCrit : 1;
964 byte extAuthKeyIdCrit : 1;
965 #ifndef IGNORE_NAME_CONSTRAINTS
966 byte extNameConstraintCrit : 1;
967 #endif
968 byte extSubjKeyIdCrit : 1;
969 byte extKeyUsageCrit : 1;
970 byte extExtKeyUsageCrit : 1;
971#endif /* OPENSSL_EXTRA */
972#if defined(WOLFSSL_SEP) || defined(WOLFSSL_QT)
973 byte extCertPolicyCrit : 1;
974#endif
975
976};
977
978
979#ifdef NO_SHA
980 #define SIGNER_DIGEST_SIZE WC_SHA256_DIGEST_SIZE
981#else
982 #define SIGNER_DIGEST_SIZE WC_SHA_DIGEST_SIZE
983#endif
984
985/* CA Signers */
986/* if change layout change PERSIST_CERT_CACHE functions too */
987struct Signer {
988 word32 pubKeySize;
989 word32 keyOID; /* key type */
990 word16 keyUsage;
991 byte maxPathLen;
992 byte pathLength;
993 byte pathLengthSet : 1;
994 byte selfSigned : 1;
995 const byte* publicKey;
996 int nameLen;
997 char* name; /* common name */
998#ifndef IGNORE_NAME_CONSTRAINTS
999 Base_entry* permittedNames;
1000 Base_entry* excludedNames;
1001#endif /* IGNORE_NAME_CONSTRAINTS */
1002 byte subjectNameHash[SIGNER_DIGEST_SIZE];
1003 /* sha hash of names in certificate */
1004 #ifndef NO_SKID
1005 byte subjectKeyIdHash[SIGNER_DIGEST_SIZE];
1006 /* sha hash of names in certificate */
1007 #endif
1008 #ifdef HAVE_OCSP
1009 byte subjectKeyHash[KEYID_SIZE];
1010 #endif
1011#ifdef WOLFSSL_SIGNER_DER_CERT
1012 DerBuffer* derCert;
1013#endif
1014#ifdef WOLFSSL_RENESAS_TSIP_TLS
1015 word32 cm_idx;
1016#endif
1017 Signer* next;
1018};
1019
1020
1021#ifdef WOLFSSL_TRUST_PEER_CERT
1022/* used for having trusted peer certs rather then CA */
1023struct TrustedPeerCert {
1024 int nameLen;
1025 char* name; /* common name */
1026 #ifndef IGNORE_NAME_CONSTRAINTS
1027 Base_entry* permittedNames;
1028 Base_entry* excludedNames;
1029 #endif /* IGNORE_NAME_CONSTRAINTS */
1030 byte subjectNameHash[SIGNER_DIGEST_SIZE];
1031 /* sha hash of names in certificate */
1032 #ifndef NO_SKID
1033 byte subjectKeyIdHash[SIGNER_DIGEST_SIZE];
1034 /* sha hash of names in certificate */
1035 #endif
1036 word32 sigLen;
1037 byte* sig;
1038 struct TrustedPeerCert* next;
1039};
1040#endif /* WOLFSSL_TRUST_PEER_CERT */
1041
1042
1043/* for testing or custom openssl wrappers */
1044#if defined(WOLFSSL_TEST_CERT) || defined(OPENSSL_EXTRA) || \
1045 defined(OPENSSL_EXTRA_X509_SMALL)
1046 #define WOLFSSL_ASN_API WOLFSSL_API
1047#else
1048 #define WOLFSSL_ASN_API WOLFSSL_LOCAL
1049#endif
1050
1051WOLFSSL_LOCAL int CalcHashId(const byte* data, word32 len, byte* hash);
1052
1053WOLFSSL_ASN_API int wc_BerToDer(const byte* ber, word32 berSz, byte* der,
1054 word32* derSz);
1055
1056WOLFSSL_ASN_API void FreeAltNames(DNS_entry*, void*);
1057#ifndef IGNORE_NAME_CONSTRAINTS
1058 WOLFSSL_ASN_API void FreeNameSubtrees(Base_entry*, void*);
1059#endif /* IGNORE_NAME_CONSTRAINTS */
1060WOLFSSL_ASN_API void InitDecodedCert(DecodedCert*, const byte*, word32, void*);
1061WOLFSSL_ASN_API void FreeDecodedCert(DecodedCert*);
1062WOLFSSL_ASN_API int ParseCert(DecodedCert*, int type, int verify, void* cm);
1063
1064WOLFSSL_LOCAL int DecodePolicyOID(char *o, word32 oSz,
1065 const byte *in, word32 inSz);
1066WOLFSSL_LOCAL int EncodePolicyOID(byte *out, word32 *outSz,
1067 const char *in, void* heap);
1068WOLFSSL_API int CheckCertSignature(const byte*,word32,void*,void* cm);
1069WOLFSSL_LOCAL int CheckCertSignaturePubKey(const byte* cert, word32 certSz,
1070 void* heap, const byte* pubKey, word32 pubKeySz, int pubKeyOID);
1071WOLFSSL_LOCAL int ParseCertRelative(DecodedCert*,int type,int verify,void* cm);
1072WOLFSSL_LOCAL int DecodeToKey(DecodedCert*, int verify);
1073WOLFSSL_LOCAL int wc_GetPubX509(DecodedCert* cert, int verify, int* badDate);
1074
1075WOLFSSL_LOCAL const byte* OidFromId(word32 id, word32 type, word32* oidSz);
1076WOLFSSL_LOCAL Signer* MakeSigner(void*);
1077WOLFSSL_LOCAL void FreeSigner(Signer*, void*);
1078WOLFSSL_LOCAL void FreeSignerTable(Signer**, int, void*);
1079#ifdef WOLFSSL_TRUST_PEER_CERT
1080WOLFSSL_LOCAL void FreeTrustedPeer(TrustedPeerCert*, void*);
1081WOLFSSL_LOCAL void FreeTrustedPeerTable(TrustedPeerCert**, int, void*);
1082#endif /* WOLFSSL_TRUST_PEER_CERT */
1083
1084WOLFSSL_ASN_API int ToTraditional(byte* buffer, word32 length);
1085WOLFSSL_ASN_API int ToTraditional_ex(byte* buffer, word32 length,
1086 word32* algId);
1087WOLFSSL_LOCAL int ToTraditionalInline(const byte* input, word32* inOutIdx,
1088 word32 length);
1089WOLFSSL_LOCAL int ToTraditionalInline_ex(const byte* input, word32* inOutIdx,
1090 word32 length, word32* algId);
1091WOLFSSL_LOCAL int ToTraditionalEnc(byte* buffer, word32 length,const char*,int,
1092 word32* algId);
1093WOLFSSL_ASN_API int UnTraditionalEnc(byte* key, word32 keySz, byte* out,
1094 word32* outSz, const char* password, int passwordSz, int vPKCS,
1095 int vAlgo, byte* salt, word32 saltSz, int itt, WC_RNG* rng, void* heap);
1096WOLFSSL_ASN_API int TraditionalEnc(byte* key, word32 keySz, byte* out,
1097 word32* outSz, const char* password, int passwordSz, int vPKCS,
1098 int vAlgo, int encAlgId, byte* salt, word32 saltSz, int itt,
1099 WC_RNG* rng, void* heap);
1100WOLFSSL_LOCAL int DecryptContent(byte* input, word32 sz,const char* psw,int pswSz);
1101WOLFSSL_LOCAL int EncryptContent(byte* input, word32 sz, byte* out, word32* outSz,
1102 const char* password,int passwordSz, int vPKCS, int vAlgo,
1103 byte* salt, word32 saltSz, int itt, WC_RNG* rng, void* heap);
1104WOLFSSL_LOCAL int wc_GetKeyOID(byte* key, word32 keySz, const byte** curveOID,
1105 word32* oidSz, int* algoID, void* heap);
1106
1107typedef struct tm wolfssl_tm;
1108#if defined(OPENSSL_ALL) || defined(WOLFSSL_MYSQL_COMPATIBLE) || defined(OPENSSL_EXTRA) || \
1109 defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
1110WOLFSSL_LOCAL int GetTimeString(byte* date, int format, char* buf, int len);
1111#endif
1112#if !defined(NO_ASN_TIME) && defined(HAVE_PKCS7)
1113WOLFSSL_LOCAL int GetAsnTimeString(void* currTime, byte* buf, word32 len);
1114#endif
1115WOLFSSL_LOCAL int ExtractDate(const unsigned char* date, unsigned char format,
1116 wolfssl_tm* certTime, int* idx);
1117WOLFSSL_LOCAL int DateGreaterThan(const struct tm* a, const struct tm* b);
1118WOLFSSL_LOCAL int ValidateDate(const byte* date, byte format, int dateType);
1119WOLFSSL_LOCAL int wc_OBJ_sn2nid(const char *sn);
1120
1121/* ASN.1 helper functions */
1122#ifdef WOLFSSL_CERT_GEN
1123WOLFSSL_ASN_API int SetName(byte* output, word32 outputSz, CertName* name);
1124#endif
1125WOLFSSL_LOCAL int GetShortInt(const byte* input, word32* inOutIdx, int* number,
1126 word32 maxIdx);
1127WOLFSSL_LOCAL int SetShortInt(byte* input, word32* inOutIdx, word32 number,
1128 word32 maxIdx);
1129
1130WOLFSSL_LOCAL const char* GetSigName(int oid);
1131WOLFSSL_LOCAL int GetLength(const byte* input, word32* inOutIdx, int* len,
1132 word32 maxIdx);
1133WOLFSSL_LOCAL int GetLength_ex(const byte* input, word32* inOutIdx, int* len,
1134 word32 maxIdx, int check);
1135WOLFSSL_LOCAL int GetSequence(const byte* input, word32* inOutIdx, int* len,
1136 word32 maxIdx);
1137WOLFSSL_LOCAL int GetSequence_ex(const byte* input, word32* inOutIdx, int* len,
1138 word32 maxIdx, int check);
1139WOLFSSL_LOCAL int GetOctetString(const byte* input, word32* inOutIdx, int* len,
1140 word32 maxIdx);
1141WOLFSSL_LOCAL int GetSet(const byte* input, word32* inOutIdx, int* len,
1142 word32 maxIdx);
1143WOLFSSL_LOCAL int GetSet_ex(const byte* input, word32* inOutIdx, int* len,
1144 word32 maxIdx, int check);
1145WOLFSSL_LOCAL int GetMyVersion(const byte* input, word32* inOutIdx,
1146 int* version, word32 maxIdx);
1147WOLFSSL_LOCAL int GetInt(mp_int* mpi, const byte* input, word32* inOutIdx,
1148 word32 maxIdx);
1149#ifdef HAVE_OID_ENCODING
1150 WOLFSSL_LOCAL int EncodeObjectId(const word16* in, word32 inSz,
1151 byte* out, word32* outSz);
1152#endif
1153#ifdef HAVE_OID_DECODING
1154 WOLFSSL_LOCAL int DecodeObjectId(const byte* in, word32 inSz,
1155 word16* out, word32* outSz);
1156#endif
1157WOLFSSL_LOCAL int GetASNObjectId(const byte* input, word32* inOutIdx, int* len,
1158 word32 maxIdx);
1159WOLFSSL_LOCAL int SetObjectId(int len, byte* output);
1160WOLFSSL_LOCAL int GetObjectId(const byte* input, word32* inOutIdx, word32* oid,
1161 word32 oidType, word32 maxIdx);
1162WOLFSSL_LOCAL int GetAlgoId(const byte* input, word32* inOutIdx, word32* oid,
1163 word32 oidType, word32 maxIdx);
1164WOLFSSL_LOCAL int GetASNTag(const byte* input, word32* idx, byte* tag,
1165 word32 inputSz);
1166WOLFSSL_LOCAL word32 SetLength(word32 length, byte* output);
1167WOLFSSL_LOCAL word32 SetSequence(word32 len, byte* output);
1168WOLFSSL_LOCAL word32 SetOctetString(word32 len, byte* output);
1169#if (defined(WOLFSSL_QT) || defined(OPENSSL_ALL)) && !defined(NO_DH) \
1170 || defined(WOLFSSL_OPENSSH)
1171WOLFSSL_LOCAL int wc_DhParamsToDer(DhKey* key, byte* out, word32* outSz);
1172WOLFSSL_LOCAL int wc_DhPubKeyToDer(DhKey* key, byte* out, word32* outSz);
1173WOLFSSL_LOCAL int wc_DhPrivKeyToDer(DhKey* key, byte* out, word32* outSz);
1174#endif
1175WOLFSSL_LOCAL word32 SetBitString(word32 len, byte unusedBits, byte* output);
1176WOLFSSL_LOCAL word32 SetImplicit(byte tag,byte number,word32 len,byte* output);
1177WOLFSSL_LOCAL word32 SetExplicit(byte number, word32 len, byte* output);
1178WOLFSSL_LOCAL word32 SetSet(word32 len, byte* output);
1179WOLFSSL_LOCAL word32 SetAlgoID(int algoOID,byte* output,int type,int curveSz);
1180WOLFSSL_LOCAL int SetMyVersion(word32 version, byte* output, int header);
1181WOLFSSL_LOCAL int SetSerialNumber(const byte* sn, word32 snSz, byte* output,
1182 word32 outputSz, int maxSnSz);
1183WOLFSSL_LOCAL int GetSerialNumber(const byte* input, word32* inOutIdx,
1184 byte* serial, int* serialSz, word32 maxIdx);
1185WOLFSSL_LOCAL int GetNameHash(const byte* source, word32* idx, byte* hash,
1186 int maxIdx);
1187WOLFSSL_LOCAL int wc_CheckPrivateKey(byte* key, word32 keySz, DecodedCert* der);
1188WOLFSSL_LOCAL int StoreDHparams(byte* out, word32* outLen, mp_int* p, mp_int* g);
1189WOLFSSL_LOCAL int FlattenAltNames( byte*, word32, const DNS_entry*);
1190
1191#ifdef HAVE_ECC
1192 /* ASN sig helpers */
1193 WOLFSSL_LOCAL int StoreECC_DSA_Sig(byte* out, word32* outLen, mp_int* r,
1194 mp_int* s);
1195 WOLFSSL_LOCAL int DecodeECC_DSA_Sig(const byte* sig, word32 sigLen,
1196 mp_int* r, mp_int* s);
1197#endif
1198#if defined HAVE_ECC && (defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL))
1199WOLFSSL_API int EccEnumToNID(int n);
1200#endif
1201
1202WOLFSSL_LOCAL void InitSignatureCtx(SignatureCtx* sigCtx, void* heap, int devId);
1203WOLFSSL_LOCAL void FreeSignatureCtx(SignatureCtx* sigCtx);
1204
1205#ifndef NO_CERTS
1206
1207WOLFSSL_LOCAL int wc_EncryptedInfoParse(EncryptedInfo* info, char** pBuffer,
1208 size_t bufSz);
1209
1210WOLFSSL_LOCAL int PemToDer(const unsigned char* buff, long sz, int type,
1211 DerBuffer** pDer, void* heap, EncryptedInfo* info,
1212 int* eccKey);
1213WOLFSSL_LOCAL int AllocDer(DerBuffer** der, word32 length, int type, void* heap);
1214WOLFSSL_LOCAL void FreeDer(DerBuffer** der);
1215
1216#endif /* !NO_CERTS */
1217
1218#ifdef WOLFSSL_CERT_GEN
1219
1220enum cert_enums {
1221#ifdef WOLFSSL_CERT_EXT
1222 NAME_ENTRIES = 10,
1223#else
1224 NAME_ENTRIES = 9,
1225#endif
1226 JOINT_LEN = 2,
1227 EMAIL_JOINT_LEN = 9,
1228 PILOT_JOINT_LEN = 10,
1229 RSA_KEY = 10,
1230 NTRU_KEY = 11,
1231 ECC_KEY = 12,
1232 ED25519_KEY = 13,
1233 ED448_KEY = 14
1234};
1235
1236#endif /* WOLFSSL_CERT_GEN */
1237
1238
1239
1240/* for pointer use */
1241typedef struct CertStatus CertStatus;
1242
1243#ifdef HAVE_OCSP
1244
1245enum Ocsp_Response_Status {
1246 OCSP_SUCCESSFUL = 0, /* Response has valid confirmations */
1247 OCSP_MALFORMED_REQUEST = 1, /* Illegal confirmation request */
1248 OCSP_INTERNAL_ERROR = 2, /* Internal error in issuer */
1249 OCSP_TRY_LATER = 3, /* Try again later */
1250 OCSP_SIG_REQUIRED = 5, /* Must sign the request (4 is skipped) */
1251 OCSP_UNAUTHROIZED = 6 /* Request unauthorized */
1252};
1253
1254
1255enum Ocsp_Cert_Status {
1256 CERT_GOOD = 0,
1257 CERT_REVOKED = 1,
1258 CERT_UNKNOWN = 2
1259};
1260
1261
1262enum Ocsp_Sums {
1263 OCSP_BASIC_OID = 117,
1264 OCSP_NONCE_OID = 118
1265};
1266
1267#ifdef OPENSSL_EXTRA
1268enum Ocsp_Verify_Error {
1269 OCSP_VERIFY_ERROR_NONE = 0,
1270 OCSP_BAD_ISSUER = 1
1271};
1272#endif
1273
1274
1275typedef struct OcspRequest OcspRequest;
1276typedef struct OcspResponse OcspResponse;
1277
1278
1279struct CertStatus {
1280 CertStatus* next;
1281
1282 byte serial[EXTERNAL_SERIAL_SIZE];
1283 int serialSz;
1284
1285 int status;
1286
1287 byte thisDate[MAX_DATE_SIZE];
1288 byte nextDate[MAX_DATE_SIZE];
1289 byte thisDateFormat;
1290 byte nextDateFormat;
1291#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
1292 WOLFSSL_ASN1_TIME thisDateParsed;
1293 WOLFSSL_ASN1_TIME nextDateParsed;
1294 byte* thisDateAsn;
1295 byte* nextDateAsn;
1296#endif
1297
1298 byte* rawOcspResponse;
1299 word32 rawOcspResponseSz;
1300};
1301
1302
1303struct OcspResponse {
1304 int responseStatus; /* return code from Responder */
1305
1306 byte* response; /* Pointer to beginning of OCSP Response */
1307 word32 responseSz; /* length of the OCSP Response */
1308
1309 byte producedDate[MAX_DATE_SIZE];
1310 /* Date at which this response was signed */
1311 byte producedDateFormat; /* format of the producedDate */
1312 byte* issuerHash;
1313 byte* issuerKeyHash;
1314
1315 byte* cert;
1316 word32 certSz;
1317
1318 byte* sig; /* Pointer to sig in source */
1319 word32 sigSz; /* Length in octets for the sig */
1320 word32 sigOID; /* OID for hash used for sig */
1321
1322 CertStatus* status; /* certificate status to fill out */
1323
1324 byte* nonce; /* pointer to nonce inside ASN.1 response */
1325 int nonceSz; /* length of the nonce string */
1326
1327 byte* source; /* pointer to source buffer, not owned */
1328 word32 maxIdx; /* max offset based on init size */
1329
1330#ifdef OPENSSL_EXTRA
1331 int verifyError;
1332#endif
1333};
1334
1335
1336struct OcspRequest {
1337 byte issuerHash[KEYID_SIZE];
1338 byte issuerKeyHash[KEYID_SIZE];
1339 byte* serial; /* copy of the serial number in source cert */
1340 int serialSz;
1341#ifdef OPENSSL_EXTRA
1342 WOLFSSL_ASN1_INTEGER* serialInt;
1343#endif
1344 byte* url; /* copy of the extAuthInfo in source cert */
1345 int urlSz;
1346
1347 byte nonce[MAX_OCSP_NONCE_SZ];
1348 int nonceSz;
1349 void* heap;
1350 void* ssl;
1351};
1352
1353typedef struct OcspEntry OcspEntry;
1354
1355#ifdef NO_SHA
1356#define OCSP_DIGEST_SIZE WC_SHA256_DIGEST_SIZE
1357#else
1358#define OCSP_DIGEST_SIZE WC_SHA_DIGEST_SIZE
1359#endif
1360
1361struct OcspEntry
1362{
1363 OcspEntry *next; /* next entry */
1364 byte issuerHash[OCSP_DIGEST_SIZE]; /* issuer hash */
1365 byte issuerKeyHash[OCSP_DIGEST_SIZE]; /* issuer public key hash */
1366 CertStatus *status; /* OCSP response list */
1367 int totalStatus; /* number on list */
1368};
1369
1370WOLFSSL_LOCAL void InitOcspResponse(OcspResponse*, CertStatus*, byte*, word32);
1371WOLFSSL_LOCAL int OcspResponseDecode(OcspResponse*, void*, void* heap, int);
1372
1373WOLFSSL_LOCAL int InitOcspRequest(OcspRequest*, DecodedCert*, byte, void*);
1374WOLFSSL_LOCAL void FreeOcspRequest(OcspRequest*);
1375WOLFSSL_LOCAL int EncodeOcspRequest(OcspRequest*, byte*, word32);
1376WOLFSSL_LOCAL word32 EncodeOcspRequestExtensions(OcspRequest*, byte*, word32);
1377
1378
1379WOLFSSL_LOCAL int CompareOcspReqResp(OcspRequest*, OcspResponse*);
1380
1381
1382#endif /* HAVE_OCSP */
1383
1384
1385/* for pointer use */
1386typedef struct RevokedCert RevokedCert;
1387
1388#ifdef HAVE_CRL
1389
1390struct RevokedCert {
1391 byte serialNumber[EXTERNAL_SERIAL_SIZE];
1392 int serialSz;
1393 RevokedCert* next;
1394};
1395
1396typedef struct DecodedCRL DecodedCRL;
1397
1398struct DecodedCRL {
1399 word32 certBegin; /* offset to start of cert */
1400 word32 sigIndex; /* offset to start of signature */
1401 word32 sigLength; /* length of signature */
1402 word32 signatureOID; /* sum of algorithm object id */
1403 byte* signature; /* pointer into raw source, not owned */
1404 byte issuerHash[SIGNER_DIGEST_SIZE]; /* issuer name hash */
1405 byte crlHash[SIGNER_DIGEST_SIZE]; /* raw crl data hash */
1406 byte lastDate[MAX_DATE_SIZE]; /* last date updated */
1407 byte nextDate[MAX_DATE_SIZE]; /* next update date */
1408 byte lastDateFormat; /* format of last date */
1409 byte nextDateFormat; /* format of next date */
1410 RevokedCert* certs; /* revoked cert list */
1411 int totalCerts; /* number on list */
1412 void* heap;
1413#ifndef NO_SKID
1414 byte extAuthKeyIdSet;
1415 byte extAuthKeyId[SIGNER_DIGEST_SIZE]; /* Authority Key ID */
1416#endif
1417};
1418
1419WOLFSSL_LOCAL void InitDecodedCRL(DecodedCRL*, void* heap);
1420WOLFSSL_LOCAL int VerifyCRL_Signature(SignatureCtx* sigCtx,
1421 const byte* toBeSigned, word32 tbsSz,
1422 const byte* signature, word32 sigSz,
1423 word32 signatureOID, Signer *ca,
1424 void* heap);
1425WOLFSSL_LOCAL int ParseCRL(DecodedCRL*, const byte* buff, word32 sz, void* cm);
1426WOLFSSL_LOCAL void FreeDecodedCRL(DecodedCRL*);
1427
1428
1429#endif /* HAVE_CRL */
1430
1431
1432#ifdef __cplusplus
1433 } /* extern "C" */
1434#endif
1435
1436#endif /* !NO_ASN */
1437
1438
1439#if !defined(NO_ASN) || !defined(NO_PWDBASED)
1440
1441#ifndef MAX_KEY_SIZE
1442 #define MAX_KEY_SIZE 64 /* MAX PKCS Key length */
1443#endif
1444#ifndef MAX_UNICODE_SZ
1445 #define MAX_UNICODE_SZ 256
1446#endif
1447
1448enum PBESTypes {
1449 PBE_MD5_DES = 0,
1450 PBE_SHA1_RC4_128 = 1,
1451 PBE_SHA1_DES = 2,
1452 PBE_SHA1_DES3 = 3,
1453 PBE_AES256_CBC = 4,
1454 PBE_AES128_CBC = 5,
1455
1456 PBE_SHA1_RC4_128_SUM = 657,
1457 PBE_SHA1_DES3_SUM = 659,
1458 PBES2 = 13 /* algo ID */
1459};
1460
1461enum PKCSTypes {
1462 PKCS5v2 = 6, /* PKCS #5 v2.0 */
1463 PKCS12v1 = 12, /* PKCS #12 */
1464 PKCS5 = 5, /* PKCS oid tag */
1465 PKCS8v0 = 0, /* default PKCS#8 version */
1466};
1467
1468#endif /* !NO_ASN || !NO_PWDBASED */
1469
1470#endif /* WOLF_CRYPT_ASN_H */
Base_entry
Definition asn.h:602
CertName
Definition asn_public.h:260
CertSignCtx
Definition asn.h:758
CertStatus
Definition asn.h:1279
DNS_entry
Definition asn.h:592
DecodedCRL
Definition asn.h:1398
DecodedCert
Definition asn.h:793
DecodedName
Definition asn.h:612
DerBuffer
Definition asn_public.h:170
DhKey
Definition dh.h:60
EncryptedInfo
Definition asn_public.h:195
OcspEntry
Definition asn.h:1362
OcspRequest
Definition asn.h:1336
OcspResponse
Definition asn.h:1303
RevokedCert
Definition asn.h:1390
RsaKey
Definition user_rsa.h:60
SignatureCtx
Definition asn.h:694
Signer
Definition asn.h:987
TrustedPeerCert
Definition asn.h:1023
WC_RNG
Definition random.h:153
WOLFSSL_ASN1_INTEGER
Definition asn_public.h:213
WOLFSSL_ASN1_TIME
Definition asn_public.h:178
WOLFSSL_ObjectInfo
Definition asn.h:138
ecc_key
Definition ecc.h:357
ed25519_key
Definition ed25519.h:78
ed448_key
Definition ed448.h:77
mp_int
Definition integer.h:200
asn_public.h