Diffstat (limited to 'include/freerdp/crypto')
-rw-r--r-- | include/freerdp/crypto/ber.h | 106 | ||||
-rw-r--r-- | include/freerdp/crypto/certificate.h | 103 | ||||
-rw-r--r-- | include/freerdp/crypto/certificate_data.h | 72 | ||||
-rw-r--r-- | include/freerdp/crypto/certificate_store.h | 72 | ||||
-rw-r--r-- | include/freerdp/crypto/crypto.h | 58 | ||||
-rw-r--r-- | include/freerdp/crypto/der.h | 44 | ||||
-rw-r--r-- | include/freerdp/crypto/er.h | 97 | ||||
-rw-r--r-- | include/freerdp/crypto/per.h | 62 | ||||
-rw-r--r-- | include/freerdp/crypto/privatekey.h | 52 |
9 files changed, 666 insertions, 0 deletions
diff --git a/include/freerdp/crypto/ber.h b/include/freerdp/crypto/ber.h
new file mode 100644
index 0000000..072517c
--- /dev/null
+++ b/include/freerdp/crypto/ber.h
@@ -0,0 +1,106 @@
+/**
+ * FreeRDP: A Remote Desktop Protocol Implementation
+ * ASN.1 Basic Encoding Rules (BER)
+ *
+ * Copyright 2011-2012 Marc-Andre Moreau <marcandre.moreau@gmail.com>
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef FREERDP_CRYPTO_BER_H
+#define FREERDP_CRYPTO_BER_H
+
+#include <freerdp/api.h>
+#include <freerdp/types.h>
+
+#include <winpr/stream.h>
+
+/* BER type */
+
+/* Class - bits 8 and 7 */
+#define BER_CLASS_MASK 0xC0
+#define BER_CLASS_UNIV 0x00 /* 0 0 */
+#define BER_CLASS_APPL 0x40 /* 0 1 */
+#define BER_CLASS_CTXT 0x80 /* 1 0 */
+#define BER_CLASS_PRIV 0xC0 /* 1 1 */
+
+/* P/C - bit 6 */
+#define BER_PC_MASK 0x20
+#define BER_PRIMITIVE 0x00 /* 0 */
+#define BER_CONSTRUCT 0x20 /* 1 */
+
+/* Tag - bits 5 to 1 */
+#define BER_TAG_MASK 0x1F
+#define BER_TAG_BOOLEAN 0x01
+#define BER_TAG_INTEGER 0x02
+#define BER_TAG_BIT_STRING 0x03
+#define BER_TAG_OCTET_STRING 0x04
+#define BER_TAG_OBJECT_IDENFIER 0x06
+#define BER_TAG_ENUMERATED 0x0A
+#define BER_TAG_SEQUENCE 0x10
+#define BER_TAG_SEQUENCE_OF 0x10
+
+#define BER_PC(_pc) (_pc ? BER_CONSTRUCT : BER_PRIMITIVE)
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+
+ FREERDP_API BOOL ber_read_length(wStream* s, size_t* length);
+ FREERDP_API size_t ber_write_length(wStream* s, size_t length);
+ FREERDP_API size_t _ber_sizeof_length(size_t length);
+ FREERDP_API BOOL ber_read_universal_tag(wStream* s, BYTE tag, BOOL pc);
+ FREERDP_API size_t ber_write_universal_tag(wStream* s, BYTE tag, BOOL pc);
+ FREERDP_API BOOL ber_read_application_tag(wStream* s, BYTE tag, size_t* length);
+ FREERDP_API void ber_write_application_tag(wStream* s, BYTE tag, size_t length);
+ FREERDP_API BOOL ber_read_enumerated(wStream* s, BYTE* enumerated, BYTE count);
+ FREERDP_API void ber_write_enumerated(wStream* s, BYTE enumerated, BYTE count);
+ FREERDP_API BOOL ber_read_contextual_tag(wStream* s, BYTE tag, size_t* length, BOOL pc);
+ FREERDP_API size_t ber_write_contextual_tag(wStream* s, BYTE tag, size_t length, BOOL pc);
+ FREERDP_API size_t ber_sizeof_contextual_tag(size_t length);
+ FREERDP_API BOOL ber_read_sequence_tag(wStream* s, size_t* length);
+ FREERDP_API size_t ber_write_sequence_tag(wStream* s, size_t length);
+ FREERDP_API size_t ber_sizeof_sequence(size_t length);
+ FREERDP_API size_t ber_sizeof_sequence_tag(size_t length);
+ FREERDP_API BOOL ber_read_bit_string(wStream* s, size_t* length, BYTE* padding);
+
+ FREERDP_API BOOL ber_read_octet_string_tag(wStream* s, size_t* length);
+ FREERDP_API BOOL ber_read_octet_string(wStream* s, BYTE** content, size_t* length);
+ FREERDP_API size_t ber_write_octet_string_tag(wStream* s, size_t length);
+ FREERDP_API size_t ber_sizeof_octet_string(size_t length);
+ FREERDP_API size_t ber_sizeof_contextual_octet_string(size_t length);
+ FREERDP_API size_t ber_write_char_to_unicode_octet_string(wStream* s, const char* str);
+ FREERDP_API size_t ber_write_contextual_char_to_unicode_octet_string(wStream* s, BYTE tag,
+ const char* oct_str);
+ FREERDP_API size_t ber_write_octet_string(wStream* s, const BYTE* oct_str, size_t length);
+ FREERDP_API BOOL ber_read_char_from_unicode_octet_string(wStream* s, char** str);
+ FREERDP_API BOOL ber_read_unicode_octet_string(wStream* s, LPWSTR* str);
+ FREERDP_API size_t ber_write_contextual_octet_string(wStream* s, BYTE tag, const BYTE* oct_str,
+ size_t length);
+ FREERDP_API size_t ber_write_contextual_unicode_octet_string(wStream* s, BYTE tag, LPWSTR str);
+
+ FREERDP_API BOOL ber_read_BOOL(wStream* s, BOOL* value);
+ FREERDP_API void ber_write_BOOL(wStream* s, BOOL value);
+ FREERDP_API BOOL ber_read_integer(wStream* s, UINT32* value);
+ FREERDP_API size_t ber_write_integer(wStream* s, UINT32 value);
+ FREERDP_API size_t ber_write_contextual_integer(wStream* s, BYTE tag, UINT32 value);
+ FREERDP_API BOOL ber_read_integer_length(wStream* s, size_t* length);
+ FREERDP_API size_t ber_sizeof_integer(UINT32 value);
+ FREERDP_API size_t ber_sizeof_contextual_integer(UINT32 value);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* FREERDP_CRYPTO_BER_H */
diff --git a/include/freerdp/crypto/certificate.h b/include/freerdp/crypto/certificate.h
new file mode 100644
index 0000000..d16f903
--- /dev/null
+++ b/include/freerdp/crypto/certificate.h
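Review bot: `BER_TAG_OBJECT_IDENFIER` in the ber.h tag list is misspelled (er.h in the same commit spells it `ER_TAG_OBJECT_IDENTIFIER`), and since the header is exported API the typo becomes something callers depend on. I would declare the correct spelling, `#define BER_TAG_OBJECT_IDENTIFIER 0x06`, and keep the old name only as an alias for existing users. Separately, `BER_PC(_pc)` expands its argument unparenthesized; `((_pc) ? BER_CONSTRUCT : BER_PRIMITIVE)` is the safer form, and `ER_PC` in er.h has the same shape.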
@@ -0,0 +1,103 @@
+/**
+ * FreeRDP: A Remote Desktop Protocol Implementation
+ * Certificate Handling
+ *
+ * Copyright 2023 Armin Novak <anovak@thincast.com>
+ * Copyright 2023 Thincast Technologies GmbH
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef FREERDP_CRYPTO_CERTIFICATE_H
+#define FREERDP_CRYPTO_CERTIFICATE_H
+
+#include <winpr/crypto.h>
+
+#include <freerdp/api.h>
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+
+ enum FREERDP_CERT_PARAM
+ {
+ FREERDP_CERT_RSA_E,
+ FREERDP_CERT_RSA_N
+ };
+
+ typedef struct rdp_certificate rdpCertificate;
+
+ FREERDP_API void freerdp_certificate_free(rdpCertificate* certificate);
+
+ WINPR_ATTR_MALLOC(freerdp_certificate_free, 1)
+ FREERDP_API rdpCertificate* freerdp_certificate_new(void);
+
+ WINPR_ATTR_MALLOC(freerdp_certificate_free, 1)
+ FREERDP_API rdpCertificate* freerdp_certificate_new_from_file(const char* file);
+
+ WINPR_ATTR_MALLOC(freerdp_certificate_free, 1)
+ FREERDP_API rdpCertificate* freerdp_certificate_new_from_pem(const char* pem);
+
+ WINPR_ATTR_MALLOC(freerdp_certificate_free, 1)
+ FREERDP_API rdpCertificate* freerdp_certificate_new_from_der(const BYTE* data, size_t length);
+
+ FREERDP_API BOOL freerdp_certificate_is_rsa(const rdpCertificate* certificate);
+
+ FREERDP_API char* freerdp_certificate_get_hash(const rdpCertificate* certificate,
+ const char* hash, size_t* plength);
+
+ FREERDP_API char* freerdp_certificate_get_fingerprint_by_hash(const rdpCertificate* certificate,
+ const char* hash);
+ FREERDP_API char*
+ freerdp_certificate_get_fingerprint_by_hash_ex(const rdpCertificate* certificate,
+ const char* hash, BOOL separator);
+ FREERDP_API char* freerdp_certificate_get_fingerprint(const rdpCertificate* certificate);
+ FREERDP_API char* freerdp_certificate_get_pem(const rdpCertificate* certificate,
+ size_t* pLength);
+ FREERDP_API BYTE* freerdp_certificate_get_der(const rdpCertificate* certificate,
+ size_t* pLength);
+
+ FREERDP_API char* freerdp_certificate_get_subject(const rdpCertificate* certificate);
+ FREERDP_API char* freerdp_certificate_get_issuer(const rdpCertificate* certificate);
+
+ FREERDP_API char* freerdp_certificate_get_upn(const rdpCertificate* certificate);
+ FREERDP_API char* freerdp_certificate_get_email(const rdpCertificate* certificate);
+
+ FREERDP_API WINPR_MD_TYPE freerdp_certificate_get_signature_alg(const rdpCertificate* cert);
+
+ FREERDP_API char* freerdp_certificate_get_common_name(const rdpCertificate* cert,
+ size_t* plength);
+ FREERDP_API char** freerdp_certificate_get_dns_names(const rdpCertificate* cert, size_t* pcount,
+ size_t** pplengths);
+ FREERDP_API void freerdp_certificate_free_dns_names(size_t count, size_t* lengths,
+ char** names);
+
+ FREERDP_API BOOL freerdp_certificate_check_eku(const rdpCertificate* certificate, int nid);
+
+ FREERDP_API BOOL freerdp_certificate_get_public_key(const rdpCertificate* cert,
+ BYTE** PublicKey, DWORD* PublicKeyLength);
+
+ FREERDP_API BOOL freerdp_certificate_verify(const rdpCertificate* cert,
+ const char* certificate_store_path);
+
+ FREERDP_API BOOL freerdp_certificate_is_rdp_security_compatible(const rdpCertificate* cert);
+
+ FREERDP_API char* freerdp_certificate_get_param(const rdpCertificate* cert,
+ enum FREERDP_CERT_PARAM what, size_t* psize);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* FREERDP_CRYPTO_CERTIFICATE_H */
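Review bot: `freerdp_certificate_verify(cert, certificate_store_path)` takes no host name, so as far as this declaration shows, a TRUE result can only speak to the chain against the store path and not to whether the certificate belongs to the peer being connected to. That contract should be written on the declaration, for example `/* Verifies the chain only; callers must still match the host against freerdp_certificate_get_common_name() / freerdp_certificate_get_dns_names(). */`, once confirmed against the implementation, which is not part of this diff. The BOOL return also cannot distinguish an untrusted certificate from a store that could not be read, so the comment should say what FALSE means. The `char*` getters in this header do not say who frees the result, unlike `freerdp_certificate_get_dns_names`, which has a paired `freerdp_certificate_free_dns_names`.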
diff --git a/include/freerdp/crypto/certificate_data.h b/include/freerdp/crypto/certificate_data.h
new file mode 100644
index 0000000..275d654
--- /dev/null
+++ b/include/freerdp/crypto/certificate_data.h
@@ -0,0 +1,72 @@
+/**
+ * FreeRDP: A Remote Desktop Protocol Implementation
+ * Certificate Handling
+ *
+ * Copyright 2011-2012 Marc-Andre Moreau <marcandre.moreau@gmail.com>
+ * Copyright 2023 Armin Novak <anovak@thincast.com>
+ * Copyright 2023 Thincast Technologies GmbH
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef FREERDP_CRYPTO_CERTIFICATE_DATA_H
+#define FREERDP_CRYPTO_CERTIFICATE_DATA_H
+
+#include <freerdp/api.h>
+#include <freerdp/settings.h>
+#include <freerdp/crypto/certificate.h>
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+
+ typedef struct rdp_certificate_data rdpCertificateData;
+
+ FREERDP_API char* freerdp_certificate_data_hash(const char* hostname, UINT16 port);
+
+ FREERDP_API void freerdp_certificate_data_free(rdpCertificateData* data);
+
+ WINPR_ATTR_MALLOC(freerdp_certificate_data_free, 1)
+ FREERDP_API rdpCertificateData* freerdp_certificate_data_new(const char* hostname, UINT16 port,
+ const rdpCertificate* xcert);
+
+ WINPR_ATTR_MALLOC(freerdp_certificate_data_free, 1)
+ FREERDP_API rdpCertificateData* freerdp_certificate_data_new_from_pem(const char* hostname,
+ UINT16 port,
+ const char* pem,
+ size_t length);
+
+ WINPR_ATTR_MALLOC(freerdp_certificate_data_free, 1)
+ FREERDP_API rdpCertificateData*
+ freerdp_certificate_data_new_from_file(const char* hostname, UINT16 port, const char* file);
+
+ FREERDP_API BOOL freerdp_certificate_data_equal(const rdpCertificateData* a,
+ const rdpCertificateData* b);
+
+ FREERDP_API const char* freerdp_certificate_data_get_hash(const rdpCertificateData* cert);
+
+ FREERDP_API const char* freerdp_certificate_data_get_host(const rdpCertificateData* cert);
+ FREERDP_API UINT16 freerdp_certificate_data_get_port(const rdpCertificateData* cert);
+
+ FREERDP_API const char* freerdp_certificate_data_get_pem(const rdpCertificateData* cert);
+ FREERDP_API const char* freerdp_certificate_data_get_subject(const rdpCertificateData* cert);
+ FREERDP_API const char* freerdp_certificate_data_get_issuer(const rdpCertificateData* cert);
+ FREERDP_API const char*
+ freerdp_certificate_data_get_fingerprint(const rdpCertificateData* cert);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* FREERDP_CRYPTO_CERTIFICATE_DATA_H */
diff --git a/include/freerdp/crypto/certificate_store.h b/include/freerdp/crypto/certificate_store.h
new file mode 100644
index 0000000..e7e43e1
--- /dev/null
+++ b/include/freerdp/crypto/certificate_store.h
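Review bot: `freerdp_certificate_data_new_from_pem` takes an explicit `length`, while `freerdp_certificate_new_from_pem(const char* pem)` in certificate.h takes none and so has to rely on NUL termination. The header does not say whether `length` counts the terminator or whether `pem` must still be NUL-terminated. A one-line contract such as `/* length is the number of bytes in pem to parse; pem need not be NUL-terminated */` (or the opposite, whichever the implementation does) would prevent an over-read at the call site. It would also help to state what `freerdp_certificate_data_equal` compares, because the stored-certificate decision depends on it, and that the `const char*` getters presumably return pointers owned by the data object.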
@@ -0,0 +1,72 @@
+/**
+ * FreeRDP: A Remote Desktop Protocol Implementation
+ * Certificate Handling
+ *
+ * Copyright 2011-2012 Marc-Andre Moreau <marcandre.moreau@gmail.com>
+ * Copyright 2023 Armin Novak <anovak@thincast.com>
+ * Copyright 2023 Thincast Technologies GmbH
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef FREERDP_CRYPTO_CERTIFICATE_STORE_H
+#define FREERDP_CRYPTO_CERTIFICATE_STORE_H
+
+#include <freerdp/api.h>
+#include <freerdp/settings.h>
+#include <freerdp/crypto/certificate_data.h>
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+
+ typedef struct rdp_certificate_store rdpCertificateStore;
+
+ typedef enum
+ {
+ CERT_STORE_NOT_FOUND = 1,
+ CERT_STORE_MATCH = 0,
+ CERT_STORE_MISMATCH = -1
+ } freerdp_certificate_store_result;
+
+ FREERDP_API void freerdp_certificate_store_free(rdpCertificateStore* store);
+
+ WINPR_ATTR_MALLOC(freerdp_certificate_store_free, 1)
+ FREERDP_API rdpCertificateStore* freerdp_certificate_store_new(const rdpSettings* settings);
+
+ FREERDP_API freerdp_certificate_store_result freerdp_certificate_store_contains_data(
+ rdpCertificateStore* store, const rdpCertificateData* data);
+
+ WINPR_ATTR_MALLOC(freerdp_certificate_data_free, 1)
+ FREERDP_API rdpCertificateData*
+ freerdp_certificate_store_load_data(rdpCertificateStore* store, const char* host, UINT16 port);
+
+ FREERDP_API BOOL freerdp_certificate_store_save_data(rdpCertificateStore* store,
+ const rdpCertificateData* data);
+ FREERDP_API BOOL freerdp_certificate_store_remove_data(rdpCertificateStore* store,
+ const rdpCertificateData* data);
+
+ FREERDP_API const char*
+ freerdp_certificate_store_get_certs_path(const rdpCertificateStore* store);
+ FREERDP_API const char*
+ freerdp_certificate_store_get_hosts_path(const rdpCertificateStore* store);
+
+ FREERDP_API char* freerdp_certificate_store_get_cert_path(const rdpCertificateStore* store,
+ const char* host, UINT16 port);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* FREERDP_CRYPTO_CERTIFICATE_STORE_H */
diff --git a/include/freerdp/crypto/crypto.h b/include/freerdp/crypto/crypto.h
new file mode 100644
index 0000000..6137769
--- /dev/null
+++ b/include/freerdp/crypto/crypto.h
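Review bot: `freerdp_certificate_store_result` makes `CERT_STORE_MATCH` equal to 0 while the other functions in certificate_store.h return BOOL, so `if (freerdp_certificate_store_contains_data(store, data))` is true for both `CERT_STORE_NOT_FOUND` and `CERT_STORE_MISMATCH`. A caller that reads the function name as a predicate would treat exactly the failed lookups as success. I would add a comment on the enum, `/* not a boolean: always compare against CERT_STORE_MATCH explicitly */`, and state which value is returned when the store itself cannot be read, since the enum has no error member.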
@@ -0,0 +1,58 @@
+/**
+ * FreeRDP: A Remote Desktop Protocol Implementation
+ * Cryptographic Abstraction Layer
+ *
+ * Copyright 2011-2012 Marc-Andre Moreau <marcandre.moreau@gmail.com>
+ * Copyright 2023 Armin Novak <anovak@thincast.com>
+ * Copyright 2023 Thincast Technologies GmbH
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef FREERDP_CRYPTO_H
+#define FREERDP_CRYPTO_H
+
+#include <freerdp/api.h>
+#include <freerdp/types.h>
+#include <freerdp/crypto/certificate_data.h>
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+ struct rdp_CertInfo
+ {
+ BYTE* Modulus;
+ DWORD ModulusLength;
+ BYTE exponent[4];
+ };
+ typedef struct rdp_CertInfo rdpCertInfo;
+
+ FREERDP_API char* crypto_base64_encode(const BYTE* data, size_t length);
+ FREERDP_API char* crypto_base64_encode_ex(const BYTE* data, size_t length, BOOL withCrLf);
+
+ FREERDP_API void crypto_base64_decode(const char* enc_data, size_t length, BYTE** dec_data,
+ size_t* res_length);
+
+ FREERDP_API char* crypto_base64url_encode(const BYTE* data, size_t length);
+ FREERDP_API void crypto_base64url_decode(const char* enc_data, size_t length, BYTE** dec_data,
+ size_t* res_length);
+
+ FREERDP_API char* crypto_read_pem(const char* filename, size_t* plength);
+ FREERDP_API BOOL crypto_write_pem(const char* filename, const char* pem, size_t length);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* FREERDP_CRYPTO_H */
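Review bot: `crypto_base64_decode` and `crypto_base64url_decode` return void, so malformed input can only be reported through `dec_data` and `res_length`, and the header does not say what those hold on failure. A caller that does not pre-initialise both and then reads `*dec_data` risks using an indeterminate pointer. I suggest documenting the failure state on the declarations, for example `/* on error *dec_data is NULL and *res_length is 0; caller frees *dec_data */`, to be confirmed against the implementation, which this diff does not include. `crypto_read_pem` returns a `char*` that may hold private-key PEM, so its comment should say the caller owns the buffer and should clear it before releasing it.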
diff --git a/include/freerdp/crypto/der.h b/include/freerdp/crypto/der.h
new file mode 100644
index 0000000..8ec27f0
--- /dev/null
+++ b/include/freerdp/crypto/der.h
@@ -0,0 +1,44 @@
+/**
+ * FreeRDP: A Remote Desktop Protocol Implementation
+ * ASN.1 Basic Encoding Rules (DER)
+ *
+ * Copyright 2011 Samsung, Author Jiten Pathy
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef FREERDP_CRYPTO_DER_H
+#define FREERDP_CRYPTO_DER_H
+
+#include <freerdp/crypto/er.h>
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+
+ FREERDP_API int _der_skip_length(int length);
+ FREERDP_API int der_write_length(wStream* s, int length);
+ FREERDP_API int der_get_content_length(int length);
+ FREERDP_API int der_skip_octet_string(int length);
+ FREERDP_API int der_skip_sequence_tag(int length);
+ FREERDP_API int der_write_sequence_tag(wStream* s, int length);
+ FREERDP_API int der_skip_contextual_tag(int length);
+ FREERDP_API int der_write_contextual_tag(wStream* s, BYTE tag, int length, BOOL pc);
+ FREERDP_API void der_write_octet_string(wStream* s, BYTE* oct_str, int length);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* FREERDP_CRYPTO_DER_H */
diff --git a/include/freerdp/crypto/er.h b/include/freerdp/crypto/er.h
new file mode 100644
index 0000000..d981b4e
--- /dev/null
+++ b/include/freerdp/crypto/er.h
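Review bot: Every length in der.h is a signed `int` (`der_write_length`, `der_write_octet_string(wStream* s, BYTE* oct_str, int length)`), whereas ber.h in the same commit uses `size_t` and `const BYTE*` for the equivalent calls. A negative or overflowed length handed to a writer would become a very large unsigned count if the implementation passes it on to a stream write; the implementation is not in this diff, so that needs checking there. If the signatures cannot change, the accepted range should be documented on the declarations. The file banner also reads `ASN.1 Basic Encoding Rules (DER)` where Distinguished Encoding Rules is meant, and er.h shares the `int` lengths.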
@@ -0,0 +1,97 @@
+/**
+ * FreeRDP: A Remote Desktop Protocol Implementation
+ * ASN.1 Encoding Rules (BER/DER common functions)
+ *
+ * Copyright 2011 Marc-Andre Moreau <marcandre.moreau@gmail.com>
+ * Modified by Jiten Pathy
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef FREERDP_CRYPTO_ER_H
+#define FREERDP_CRYPTO_ER_H
+
+#include <freerdp/api.h>
+#include <freerdp/types.h>
+
+#include <winpr/stream.h>
+
+/* ER type */
+
+/* Class - bits 8 and 7 */
+#define ER_CLASS_MASK 0xC0
+#define ER_CLASS_UNIV 0x00 /* 0 0 */
+#define ER_CLASS_APPL 0x40 /* 0 1 */
+#define ER_CLASS_CTXT 0x80 /* 1 0 */
+#define ER_CLASS_PRIV 0xC0 /* 1 1 */
+
+/* P/C - bit 6 */
+#define ER_PC_MASK 0x20
+#define ER_PRIMITIVE 0x00 /* 0 */
+#define ER_CONSTRUCT 0x20 /* 1 */
+
+/* Tag - bits 5 to 1 */
+#define ER_TAG_MASK 0x1F
+#define ER_TAG_BOOLEAN 0x01
+#define ER_TAG_INTEGER 0x02
+#define ER_TAG_BIT_STRING 0x03
+#define ER_TAG_OCTET_STRING 0x04
+#define ER_TAG_OBJECT_IDENTIFIER 0x06
+#define ER_TAG_ENUMERATED 0x0A
+#define ER_TAG_SEQUENCE 0x10
+#define ER_TAG_SEQUENCE_OF 0x10
+#define ER_TAG_GENERAL_STRING 0x1B
+#define ER_TAG_GENERALIZED_TIME 0x18
+
+#define ER_PC(_pc) (_pc ? ER_CONSTRUCT : ER_PRIMITIVE)
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+
+ FREERDP_API void er_read_length(wStream* s, int* length);
+ FREERDP_API int er_write_length(wStream* s, int length, BOOL flag);
+ FREERDP_API int _er_skip_length(int length);
+ FREERDP_API int er_get_content_length(int length);
+ FREERDP_API BOOL er_read_universal_tag(wStream* s, BYTE tag, BOOL pc);
+ FREERDP_API void er_write_universal_tag(wStream* s, BYTE tag, BOOL pc);
+ FREERDP_API BOOL er_read_application_tag(wStream* s, BYTE tag, int* length);
+ FREERDP_API void er_write_application_tag(wStream* s, BYTE tag, int length, BOOL flag);
+ FREERDP_API BOOL er_read_enumerated(wStream* s, BYTE* enumerated, BYTE count);
+ FREERDP_API void er_write_enumerated(wStream* s, BYTE enumerated, BYTE count, BOOL flag);
+ FREERDP_API BOOL er_read_contextual_tag(wStream* s, BYTE tag, int* length, BOOL pc);
+ FREERDP_API int er_write_contextual_tag(wStream* s, BYTE tag, int length, BOOL pc, BOOL flag);
+ FREERDP_API int er_skip_contextual_tag(int length);
+ FREERDP_API BOOL er_read_sequence_tag(wStream* s, int* length);
+ FREERDP_API int er_write_sequence_tag(wStream* s, int length, BOOL flag);
+ FREERDP_API int er_skip_sequence(int length);
+ FREERDP_API int er_skip_sequence_tag(int length);
+ FREERDP_API BOOL er_read_bit_string(wStream* s, int* length, BYTE* padding);
+ FREERDP_API BOOL er_write_bit_string_tag(wStream* s, UINT32 length, BYTE padding, BOOL flag);
+ FREERDP_API BOOL er_read_octet_string(wStream* s, int* length);
+ FREERDP_API void er_write_octet_string(wStream* s, BYTE* oct_str, int length, BOOL flag);
+ FREERDP_API int er_write_octet_string_tag(wStream* s, int length, BOOL flag);
+ FREERDP_API int er_skip_octet_string(int length);
+ FREERDP_API BOOL er_read_BOOL(wStream* s, BOOL* value);
+ FREERDP_API void er_write_BOOL(wStream* s, BOOL value);
+ FREERDP_API BOOL er_read_integer(wStream* s, UINT32* value);
+ FREERDP_API int er_write_integer(wStream* s, INT32 value);
+ FREERDP_API BOOL er_read_integer_length(wStream* s, int* length);
+ FREERDP_API int er_skip_integer(INT32 value);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* FREERDP_CRYPTO_ER_H */
diff --git a/include/freerdp/crypto/per.h b/include/freerdp/crypto/per.h
new file mode 100644
index 0000000..087a17f
--- /dev/null
+++ b/include/freerdp/crypto/per.h
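Review bot: `er_read_length(wStream* s, int* length)` in er.h returns void, while the BER counterpart `ber_read_length` returns BOOL, so a truncated or malformed length field cannot be reported to the caller and `*length` may be left unset. The other `er_read_*` declarations return BOOL, so this one stands out; `FREERDP_API BOOL er_read_length(wStream* s, int* length);` would match them. The writers that return void (`er_write_universal_tag`, `er_write_octet_string`, `er_write_BOOL`) have the same gap on the output side if the stream can run out of capacity, which this header does not show.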
@@ -0,0 +1,62 @@
+/**
+ * FreeRDP: A Remote Desktop Protocol Implementation
+ * ASN.1 Packed Encoding Rules (BER)
+ *
+ * Copyright 2011-2012 Marc-Andre Moreau <marcandre.moreau@gmail.com>
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef FREERDP_CRYPTO_PER_H
+#define FREERDP_CRYPTO_PER_H
+
+#include <freerdp/api.h>
+
+#include <winpr/stream.h>
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+
+ FREERDP_API BOOL per_read_length(wStream* s, UINT16* length);
+ FREERDP_API BOOL per_write_length(wStream* s, UINT16 length);
+ FREERDP_API BOOL per_read_choice(wStream* s, BYTE* choice);
+ FREERDP_API BOOL per_write_choice(wStream* s, BYTE choice);
+ FREERDP_API BOOL per_read_selection(wStream* s, BYTE* selection);
+ FREERDP_API BOOL per_write_selection(wStream* s, BYTE selection);
+ FREERDP_API BOOL per_read_number_of_sets(wStream* s, BYTE* number);
+ FREERDP_API BOOL per_write_number_of_sets(wStream* s, BYTE number);
+ FREERDP_API BOOL per_read_padding(wStream* s, UINT16 length);
+ FREERDP_API BOOL per_write_padding(wStream* s, UINT16 length);
+ FREERDP_API BOOL per_read_integer(wStream* s, UINT32* integer);
+ FREERDP_API BOOL per_read_integer16(wStream* s, UINT16* integer, UINT16 min);
+ FREERDP_API BOOL per_write_integer(wStream* s, UINT32 integer);
+ FREERDP_API BOOL per_write_integer16(wStream* s, UINT16 integer, UINT16 min);
+ FREERDP_API BOOL per_read_enumerated(wStream* s, BYTE* enumerated, BYTE count);
+ FREERDP_API BOOL per_write_enumerated(wStream* s, BYTE enumerated, BYTE count);
+ FREERDP_API BOOL per_write_object_identifier(wStream* s, const BYTE oid[6]);
+ FREERDP_API BOOL per_read_object_identifier(wStream* s, const BYTE oid[6]);
+ FREERDP_API BOOL per_read_octet_string(wStream* s, const BYTE* oct_str, UINT16 length,
+ UINT16 min);
+ FREERDP_API BOOL per_write_octet_string(wStream* s, const BYTE* oct_str, UINT16 length,
+ UINT16 min);
+ FREERDP_API BOOL per_read_numeric_string(wStream* s, UINT16 min);
+ FREERDP_API BOOL per_write_numeric_string(wStream* s, const BYTE* num_str, UINT16 length,
+ UINT16 min);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* FREERDP_CRYPTO_PER_H */
diff --git a/include/freerdp/crypto/privatekey.h b/include/freerdp/crypto/privatekey.h
new file mode 100644
index 0000000..58fd94b
--- /dev/null
+++ b/include/freerdp/crypto/privatekey.h
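Review bot: `per_read_object_identifier(wStream* s, const BYTE oid[6])` and `per_read_octet_string(wStream* s, const BYTE* oct_str, UINT16 length, UINT16 min)` in per.h take const buffers, which suggests they compare the stream against an expected value rather than return what was read, but nothing in the header says so. The `[6]` in the parameter is not enforced by the compiler, so a caller passing a shorter array would be over-read if the implementation touches all six bytes. A comment such as `/* oid must point to at least 6 bytes; returns TRUE only if the encoded OID equals it */` would make both points explicit, with the semantics confirmed in the implementation first. The banner line `ASN.1 Packed Encoding Rules (BER)` should read PER.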
@@ -0,0 +1,52 @@
+/**
+ * FreeRDP: A Remote Desktop Protocol Implementation
+ * Private key Handling
+ *
+ * Copyright 2023 Armin Novak <anovak@thincast.com>
+ * Copyright 2023 Thincast Technologies GmbH
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef FREERDP_CRYPTO_PRIVATEKEY_H
+#define FREERDP_CRYPTO_PRIVATEKEY_H
+
+#include <freerdp/api.h>
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+
+ typedef struct rdp_private_key rdpPrivateKey;
+
+ FREERDP_API void freerdp_key_free(rdpPrivateKey* key);
+
+ WINPR_ATTR_MALLOC(freerdp_key_free, 1)
+ FREERDP_API rdpPrivateKey* freerdp_key_new(void);
+
+ WINPR_ATTR_MALLOC(freerdp_key_free, 1)
+ FREERDP_API rdpPrivateKey* freerdp_key_new_from_file(const char* keyfile);
+
+ WINPR_ATTR_MALLOC(freerdp_key_free, 1)
+ FREERDP_API rdpPrivateKey* freerdp_key_new_from_pem(const char* pem);
+
+ FREERDP_API BOOL freerdp_key_is_rsa(const rdpPrivateKey* key);
+
+ FREERDP_API size_t freerdp_key_get_bits(const rdpPrivateKey* key);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* FREERDP_CRYPTO_PRIVATEKEY_H */ |
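Review bot: privatekey.h gives no lifetime or hygiene contract for key material: `freerdp_key_new_from_pem(const char* pem)` takes the private key as a plain C string, and `freerdp_key_free` does not say whether it wipes what it holds. I would document on the declarations that the caller keeps ownership of `pem` and should clear it after the call, and that `freerdp_key_free` zeroes the key before releasing it (or make it do so if it does not; the implementation is outside this diff). There is also no parameter for a passphrase, so it is worth stating whether encrypted PEM is rejected or handled elsewhere.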