From 16f504a9dca3fe3b70568f67b7d41241ae485288 Mon Sep 17 00:00:00 2001
From: Daniel Baumann <daniel.baumann@progress-linux.org>
Date: Sun, 7 Apr 2024 18:49:04 +0200
Subject: Adding upstream version 7.0.6-dfsg.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
---
 include/iprt/crypto/x509.h | 1180 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 1180 insertions(+)
 create mode 100644 include/iprt/crypto/x509.h

(limited to 'include/iprt/crypto/x509.h')

diff --git a/include/iprt/crypto/x509.h b/include/iprt/crypto/x509.h
new file mode 100644
index 00000000..41f5bcc0
--- /dev/null
+++ b/include/iprt/crypto/x509.h
@@ -0,0 +1,1180 @@
+/** @file
+ * IPRT - Crypto - X.509, Public Key and Privilege Management Infrastructure.
+ */
+
+/*
+ * Copyright (C) 2014-2022 Oracle and/or its affiliates.
+ *
+ * This file is part of VirtualBox base platform packages, as
+ * available from https://www.virtualbox.org.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation, in version 3 of the
+ * License.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <https://www.gnu.org/licenses>.
+ *
+ * The contents of this file may alternatively be used under the terms
+ * of the Common Development and Distribution License Version 1.0
+ * (CDDL), a copy of it is provided in the "COPYING.CDDL" file included
+ * in the VirtualBox distribution, in which case the provisions of the
+ * CDDL are applicable instead of those of the GPL.
+ *
+ * You may elect to license modified versions of this file under the
+ * terms and conditions of either the GPL or the CDDL or both.
+ *
+ * SPDX-License-Identifier: GPL-3.0-only OR CDDL-1.0
+ */
+
+#ifndef IPRT_INCLUDED_crypto_x509_h
+#define IPRT_INCLUDED_crypto_x509_h
+#ifndef RT_WITHOUT_PRAGMA_ONCE
+# pragma once
+#endif
+
+#include <iprt/asn1.h>
+#include <iprt/crypto/pem.h>
+
+
+RT_C_DECLS_BEGIN
+
+struct RTCRPKCS7SETOFCERTS;
+
+
+/** @defgroup grp_rt_crypto Crypto
+ * @ingroup grp_rt
+ * @{
+ */
+
+/** @defgroup grp_rt_crx509 RTCrX509 - Public Key and Privilege Management Infrastructure.
+ * @{
+ */
+
+/**
+ * X.509 algorithm identifier (IPRT representation).
+ */
+typedef struct RTCRX509ALGORITHMIDENTIFIER
+{
+    /** The sequence making up this algorithm identifier. */
+    RTASN1SEQUENCECORE                  SeqCore;
+    /** The algorithm object ID. */
+    RTASN1OBJID                         Algorithm;
+    /** Optional parameters specified by the algorithm. */
+    RTASN1DYNTYPE                       Parameters;
+} RTCRX509ALGORITHMIDENTIFIER;
+/** Poitner to the IPRT representation of a X.509 algorithm identifier. */
+typedef RTCRX509ALGORITHMIDENTIFIER *PRTCRX509ALGORITHMIDENTIFIER;
+/** Poitner to the const IPRT representation of a X.509 algorithm identifier. */
+typedef RTCRX509ALGORITHMIDENTIFIER const *PCRTCRX509ALGORITHMIDENTIFIER;
+RTASN1TYPE_STANDARD_PROTOTYPES(RTCRX509ALGORITHMIDENTIFIER, RTDECL, RTCrX509AlgorithmIdentifier, SeqCore.Asn1Core);
+RTASN1_IMPL_GEN_SET_OF_TYPEDEFS_AND_PROTOS(RTCRX509ALGORITHMIDENTIFIERS, RTCRX509ALGORITHMIDENTIFIER, RTDECL, RTCrX509AlgorithmIdentifiers);
+
+/**
+ * Tries to convert an X.509 digest algorithm ID into a RTDIGESTTYPE value.
+ *
+ * @returns Valid RTDIGESTTYPE on success, RTDIGESTTYPE_INVALID on failure.
+ * @param   pThis           The IPRT representation of a X.509 algorithm
+ *                          identifier object.
+ */
+RTDECL(RTDIGESTTYPE) RTCrX509AlgorithmIdentifier_QueryDigestType(PCRTCRX509ALGORITHMIDENTIFIER pThis);
+
+/**
+ * Tries to figure the digest size of an X.509 digest algorithm ID.
+ *
+ * @returns The digest size in bytes, UINT32_MAX if unknown digest.
+ * @param   pThis           The IPRT representation of a X.509 algorithm
+ *                          identifier object.
+ */
+RTDECL(uint32_t) RTCrX509AlgorithmIdentifier_QueryDigestSize(PCRTCRX509ALGORITHMIDENTIFIER pThis);
+
+RTDECL(int) RTCrX509AlgorithmIdentifier_CompareWithString(PCRTCRX509ALGORITHMIDENTIFIER pThis, const char *pszObjId);
+
+/**
+ * Compares a digest with an encrypted digest algorithm, checking if they
+ * specify the same digest.
+ *
+ * @returns 0 if same digest, -1 if the digest is unknown, 1 if the encrypted
+ *          digest does not match.
+ * @param   pDigest             The digest algorithm.
+ * @param   pEncryptedDigest    The encrypted digest algorithm.
+ */
+RTDECL(int) RTCrX509AlgorithmIdentifier_CompareDigestAndEncryptedDigest(PCRTCRX509ALGORITHMIDENTIFIER pDigest,
+                                                                        PCRTCRX509ALGORITHMIDENTIFIER pEncryptedDigest);
+/**
+ * Compares a digest OID with an encrypted digest algorithm OID, checking if
+ * they specify the same digest.
+ *
+ * @returns 0 if same digest, -1 if the digest is unknown, 1 if the encrypted
+ *          digest does not match.
+ * @param   pszDigestOid            The digest algorithm OID.
+ * @param   pszEncryptedDigestOid   The encrypted digest algorithm OID.
+ */
+RTDECL(int) RTCrX509AlgorithmIdentifier_CompareDigestOidAndEncryptedDigestOid(const char *pszDigestOid,
+                                                                              const char *pszEncryptedDigestOid);
+
+
+/**
+ * Combine the encryption algorithm with the digest algorithm.
+ *
+ * @returns OID of encrypted digest algorithm.
+ * @param   pEncryption         The encryption algorithm.  Will work if this is
+ *                              the OID of an encrypted digest algorithm too, as
+ *                              long as it matches @a pDigest.
+ * @param   pDigest             The digest algorithm.  Will work if this is the
+ *                              OID of an encrypted digest algorithm too, as
+ *                              long as it matches @a pEncryption.
+ */
+RTDECL(const char *) RTCrX509AlgorithmIdentifier_CombineEncryptionAndDigest(PCRTCRX509ALGORITHMIDENTIFIER pEncryption,
+                                                                            PCRTCRX509ALGORITHMIDENTIFIER pDigest);
+
+/**
+ * Combine the encryption algorithm OID with the digest algorithm OID.
+ *
+ * @returns OID of encrypted digest algorithm.
+ * @param   pszEncryptionOid    The encryption algorithm.  Will work if this is
+ *                              the OID of an encrypted digest algorithm too, as
+ *                              long as it matches @a pszDigestOid.
+ * @param   pszDigestOid        The digest algorithm.  Will work if this is the
+ *                              OID of an encrypted digest algorithm too, as
+ *                              long as it matches @a pszEncryptionOid.
+ */
+RTDECL(const char *) RTCrX509AlgorithmIdentifier_CombineEncryptionOidAndDigestOid(const char *pszEncryptionOid,
+                                                                                  const char *pszDigestOid);
+
+
+/** @name Typical Digest Algorithm OIDs.
+ * @{ */
+#define RTCRX509ALGORITHMIDENTIFIERID_MD2               "1.2.840.113549.2.2"
+#define RTCRX509ALGORITHMIDENTIFIERID_MD4               "1.2.840.113549.2.4"
+#define RTCRX509ALGORITHMIDENTIFIERID_MD5               "1.2.840.113549.2.5"
+#define RTCRX509ALGORITHMIDENTIFIERID_SHA1              "1.3.14.3.2.26"
+#define RTCRX509ALGORITHMIDENTIFIERID_SHA256            "2.16.840.1.101.3.4.2.1"
+#define RTCRX509ALGORITHMIDENTIFIERID_SHA384            "2.16.840.1.101.3.4.2.2"
+#define RTCRX509ALGORITHMIDENTIFIERID_SHA512            "2.16.840.1.101.3.4.2.3"
+#define RTCRX509ALGORITHMIDENTIFIERID_SHA224            "2.16.840.1.101.3.4.2.4"
+#define RTCRX509ALGORITHMIDENTIFIERID_SHA512T224        "2.16.840.1.101.3.4.2.5"
+#define RTCRX509ALGORITHMIDENTIFIERID_SHA512T256        "2.16.840.1.101.3.4.2.6"
+#define RTCRX509ALGORITHMIDENTIFIERID_SHA3_224          "2.16.840.1.101.3.4.2.7"
+#define RTCRX509ALGORITHMIDENTIFIERID_SHA3_256          "2.16.840.1.101.3.4.2.8"
+#define RTCRX509ALGORITHMIDENTIFIERID_SHA3_384          "2.16.840.1.101.3.4.2.9"
+#define RTCRX509ALGORITHMIDENTIFIERID_SHA3_512          "2.16.840.1.101.3.4.2.10"
+#define RTCRX509ALGORITHMIDENTIFIERID_WHIRLPOOL         "1.0.10118.3.0.55"
+/** @} */
+
+/** @name Encrypted Digest Algorithm OIDs.
+ * @remarks The PKCS variants are the default ones, alternative OID are marked
+ *          as such.
+ * @{ */
+#define RTCRX509ALGORITHMIDENTIFIERID_RSA                   "1.2.840.113549.1.1.1"
+#define RTCRX509ALGORITHMIDENTIFIERID_MD2_WITH_RSA          "1.2.840.113549.1.1.2"
+#define RTCRX509ALGORITHMIDENTIFIERID_MD4_WITH_RSA          "1.2.840.113549.1.1.3"
+#define RTCRX509ALGORITHMIDENTIFIERID_MD5_WITH_RSA          "1.2.840.113549.1.1.4"
+#define RTCRX509ALGORITHMIDENTIFIERID_SHA1_WITH_RSA         "1.2.840.113549.1.1.5"
+#define RTCRX509ALGORITHMIDENTIFIERID_SHA256_WITH_RSA       "1.2.840.113549.1.1.11"
+#define RTCRX509ALGORITHMIDENTIFIERID_SHA384_WITH_RSA       "1.2.840.113549.1.1.12"
+#define RTCRX509ALGORITHMIDENTIFIERID_SHA512_WITH_RSA       "1.2.840.113549.1.1.13"
+#define RTCRX509ALGORITHMIDENTIFIERID_SHA224_WITH_RSA       "1.2.840.113549.1.1.14"
+#define RTCRX509ALGORITHMIDENTIFIERID_SHA512T224_WITH_RSA   "1.2.840.113549.1.1.15"
+#define RTCRX509ALGORITHMIDENTIFIERID_SHA512T256_WITH_RSA   "1.2.840.113549.1.1.16"
+#define RTCRX509ALGORITHMIDENTIFIERID_SHA3_224_WITH_RSA     "2.16.840.1.101.3.4.3.13"
+#define RTCRX509ALGORITHMIDENTIFIERID_SHA3_256_WITH_RSA     "2.16.840.1.101.3.4.3.14"
+#define RTCRX509ALGORITHMIDENTIFIERID_SHA3_384_WITH_RSA     "2.16.840.1.101.3.4.3.15"
+#define RTCRX509ALGORITHMIDENTIFIERID_SHA3_512_WITH_RSA     "2.16.840.1.101.3.4.3.16"
+/** @} */
+
+
+
+
+/**
+ * One X.509 AttributeTypeAndValue (IPRT representation).
+ */
+typedef struct RTCRX509ATTRIBUTETYPEANDVALUE
+{
+    /** Sequence core. */
+    RTASN1SEQUENCECORE                  SeqCore;
+    /** The attribute type (object ID). */
+    RTASN1OBJID                         Type;
+    /** The attribute value (what it is is defined by Type). */
+    RTASN1DYNTYPE                       Value;
+} RTCRX509ATTRIBUTETYPEANDVALUE;
+/** Pointer to a X.509 AttributeTypeAndValue (IPRT representation). */
+typedef RTCRX509ATTRIBUTETYPEANDVALUE *PRTCRX509ATTRIBUTETYPEANDVALUE;
+/** Pointer to a const X.509 AttributeTypeAndValue (IPRT representation). */
+typedef RTCRX509ATTRIBUTETYPEANDVALUE const *PCRTCRX509ATTRIBUTETYPEANDVALUE;
+RTASN1TYPE_STANDARD_PROTOTYPES(RTCRX509ATTRIBUTETYPEANDVALUE, RTDECL, RTCrX509AttributeTypeAndValue, SeqCore.Asn1Core);
+RTASN1_IMPL_GEN_SET_OF_TYPEDEFS_AND_PROTOS(RTCRX509ATTRIBUTETYPEANDVALUES, RTCRX509ATTRIBUTETYPEANDVALUE, RTDECL, RTCrX509AttributeTypeAndValues);
+
+RTASN1TYPE_ALIAS(RTCRX509RELATIVEDISTINGUISHEDNAME, RTCRX509ATTRIBUTETYPEANDVALUES, RTCrX509RelativeDistinguishedName, RTCrX509AttributeTypeAndValues);
+
+
+RTASN1_IMPL_GEN_SEQ_OF_TYPEDEFS_AND_PROTOS(RTCRX509NAME, RTCRX509RELATIVEDISTINGUISHEDNAME, RTDECL, RTCrX509Name);
+RTDECL(int) RTCrX509Name_CheckSanity(PCRTCRX509NAME pName, uint32_t fFlags, PRTERRINFO pErrInfo, const char *pszErrorTag);
+RTDECL(bool) RTCrX509Name_MatchByRfc5280(PCRTCRX509NAME pLeft, PCRTCRX509NAME pRight);
+
+/**
+ * Name constraint matching (RFC-5280).
+ *
+ * @returns true on match, false on mismatch.
+ * @param   pConstraint     The constraint name.
+ * @param   pName           The name to match against the constraint.
+ * @sa      RTCrX509GeneralName_ConstraintMatch,
+ *          RTCrX509RelativeDistinguishedName_ConstraintMatch
+ */
+RTDECL(bool) RTCrX509Name_ConstraintMatch(PCRTCRX509NAME pConstraint, PCRTCRX509NAME pName);
+RTDECL(int) RTCrX509Name_RecodeAsUtf8(PRTCRX509NAME pThis, PCRTASN1ALLOCATORVTABLE pAllocator);
+
+/**
+ * Matches the directory name against a comma separated list of the component
+ * strings (case sensitive).
+ *
+ * @returns true if match, false if mismatch.
+ * @param   pThis           The name object.
+ * @param   pszString       The string to match against. For example:
+ *                          "C=US, ST=California, L=Redwood Shores, O=Oracle Corporation"
+ *
+ * @remarks This is doing a straight compare, no extra effort is expended in
+ *          dealing with different component order.  If the component order
+ *          differs, there won't be any match.
+ */
+RTDECL(bool) RTCrX509Name_MatchWithString(PCRTCRX509NAME pThis, const char *pszString);
+
+/**
+ * Formats the name as a command separated list of components with type
+ * prefixes.
+ *
+ * The output of this function is suitable for use with
+ * RTCrX509Name_MatchWithString.
+ *
+ * @returns IPRT status code.
+ * @param   pThis           The name object.
+ * @param   pszBuf          The output buffer.
+ * @param   cbBuf           The size of the output buffer.
+ * @param   pcbActual       Where to return the number of bytes required for the
+ *                          output, including the null terminator character.
+ *                          Optional.
+ */
+RTDECL(int) RTCrX509Name_FormatAsString(PCRTCRX509NAME pThis, char *pszBuf, size_t cbBuf, size_t *pcbActual);
+
+
+/**
+ * Looks up the RDN ID and returns the short name for it, if found.
+ *
+ * @returns Short name (e.g. 'CN') or NULL.
+ * @param   pRdnId          The RDN ID to look up.
+ */
+RTDECL(const char *) RTCrX509Name_GetShortRdn(PCRTASN1OBJID pRdnId);
+
+/**
+ * One X.509 OtherName (IPRT representation).
+ */
+typedef struct RTCRX509OTHERNAME
+{
+    /** The sequence core. */
+    RTASN1SEQUENCECORE                  SeqCore;
+    /** The name type identifier. */
+    RTASN1OBJID                         TypeId;
+    /** The name value (explicit tag 0). */
+    RTASN1DYNTYPE                       Value;
+} RTCRX509OTHERNAME;
+/** Pointer to a X.509 OtherName (IPRT representation). */
+typedef RTCRX509OTHERNAME *PRTCRX509OTHERNAME;
+/** Pointer to a const X.509 OtherName (IPRT representation). */
+typedef RTCRX509OTHERNAME const *PCRTCRX509OTHERNAME;
+RTASN1TYPE_STANDARD_PROTOTYPES(RTCRX509OTHERNAME, RTDECL, RTCrX509OtherName, SeqCore.Asn1Core);
+
+
+typedef enum RTCRX509GENERALNAMECHOICE
+{
+    RTCRX509GENERALNAMECHOICE_INVALID = 0,
+    RTCRX509GENERALNAMECHOICE_OTHER_NAME,
+    RTCRX509GENERALNAMECHOICE_RFC822_NAME,
+    RTCRX509GENERALNAMECHOICE_DNS_NAME,
+    RTCRX509GENERALNAMECHOICE_X400_ADDRESS,
+    RTCRX509GENERALNAMECHOICE_DIRECTORY_NAME,
+    RTCRX509GENERALNAMECHOICE_EDI_PARTY_NAME,
+    RTCRX509GENERALNAMECHOICE_URI,
+    RTCRX509GENERALNAMECHOICE_IP_ADDRESS,
+    RTCRX509GENERALNAMECHOICE_REGISTERED_ID,
+    RTCRX509GENERALNAMECHOICE_END,
+    RTCRX509GENERALNAMECHOICE_32BIT_HACK = 0x7fffffff
+} RTCRX509GENERALNAMECHOICE;
+
+/**
+ * One X.509 GeneralName (IPRT representation).
+ *
+ * This is represented as a union.  Use the RTCRX509GENERALNAME_IS_XXX predicate
+ * macros to figure out which member is valid (Asn1Core is always valid).
+ */
+typedef struct RTCRX509GENERALNAME
+{
+    /** Dummy ASN.1 record, not encoded. */
+    RTASN1DUMMY                         Dummy;
+    /** The value allocation. */
+    RTASN1ALLOCATION                    Allocation;
+    /** The choice of value.   */
+    RTCRX509GENERALNAMECHOICE           enmChoice;
+    /** The value union. */
+    union
+    {
+        /** Tag 0: Other Name.  */
+        PRTCRX509OTHERNAME              pT0_OtherName;
+        /** Tag 1: RFC-822 Name.  */
+        PRTASN1STRING                   pT1_Rfc822;
+        /** Tag 2: DNS name.  */
+        PRTASN1STRING                   pT2_DnsName;
+        /** Tag 3: X.400 Address.  */
+        struct
+        {
+            /** Context tag 3. */
+            RTASN1CONTEXTTAG3           CtxTag3;
+            /** Later. */
+            RTASN1DYNTYPE               X400Address;
+        } *pT3;
+        /** Tag 4: Directory Name.  */
+        struct
+        {
+            /** Context tag 4. */
+            RTASN1CONTEXTTAG4           CtxTag4;
+            /** Directory name. */
+            RTCRX509NAME                DirectoryName;
+        } *pT4;
+        /** Tag 5: EDI Party Name.  */
+        struct
+        {
+            /** Context tag 5. */
+            RTASN1CONTEXTTAG5           CtxTag5;
+            /** Later. */
+            RTASN1DYNTYPE               EdiPartyName;
+        } *pT5;
+        /** Tag 6: URI.  */
+        PRTASN1STRING                   pT6_Uri;
+        /** Tag 7: IP address. Either 4/8 (IPv4) or 16/32 (IPv16) octets long. */
+        PRTASN1OCTETSTRING              pT7_IpAddress;
+        /** Tag 8: Registered ID. */
+        PRTASN1OBJID                    pT8_RegisteredId;
+    } u;
+} RTCRX509GENERALNAME;
+/** Pointer to the IPRT representation of an X.509 general name. */
+typedef RTCRX509GENERALNAME *PRTCRX509GENERALNAME;
+/** Pointer to the const IPRT representation of an X.509 general name. */
+typedef RTCRX509GENERALNAME const *PCRTCRX509GENERALNAME;
+RTASN1TYPE_STANDARD_PROTOTYPES(RTCRX509GENERALNAME, RTDECL, RTCrX509GeneralName, Dummy.Asn1Core);
+
+/** @name RTCRX509GENERALNAME tag predicates.
+ * @{ */
+#define RTCRX509GENERALNAME_IS_OTHER_NAME(a_GenName)        ((a_GenName)->enmChoice == RTCRX509GENERALNAMECHOICE_OTHER_NAME)
+#define RTCRX509GENERALNAME_IS_RFC822_NAME(a_GenName)       ((a_GenName)->enmChoice == RTCRX509GENERALNAMECHOICE_RFC822_NAME)
+#define RTCRX509GENERALNAME_IS_DNS_NAME(a_GenName)          ((a_GenName)->enmChoice == RTCRX509GENERALNAMECHOICE_DNS_NAME)
+#define RTCRX509GENERALNAME_IS_X400_ADDRESS(a_GenName)      ((a_GenName)->enmChoice == RTCRX509GENERALNAMECHOICE_X400_ADDRESS)
+#define RTCRX509GENERALNAME_IS_DIRECTORY_NAME(a_GenName)    ((a_GenName)->enmChoice == RTCRX509GENERALNAMECHOICE_DIRECTORY_NAME)
+#define RTCRX509GENERALNAME_IS_EDI_PARTY_NAME(a_GenName)    ((a_GenName)->enmChoice == RTCRX509GENERALNAMECHOICE_EDI_PARTY_NAME)
+#define RTCRX509GENERALNAME_IS_URI(a_GenName)               ((a_GenName)->enmChoice == RTCRX509GENERALNAMECHOICE_URI)
+#define RTCRX509GENERALNAME_IS_IP_ADDRESS(a_GenName)        ((a_GenName)->enmChoice == RTCRX509GENERALNAMECHOICE_IP_ADDRESS)
+#define RTCRX509GENERALNAME_IS_REGISTERED_ID(a_GenName)     ((a_GenName)->enmChoice == RTCRX509GENERALNAMECHOICE_REGISTERED_ID)
+/** @} */
+
+
+RTASN1_IMPL_GEN_SEQ_OF_TYPEDEFS_AND_PROTOS(RTCRX509GENERALNAMES, RTCRX509GENERALNAME, RTDECL, RTCrX509GeneralNames);
+RTDECL(bool) RTCrX509GeneralName_ConstraintMatch(PCRTCRX509GENERALNAME pConstraint, PCRTCRX509GENERALNAME pName);
+
+
+/**
+ * X.509 Validity (IPRT representation).
+ */
+typedef struct RTCRX509VALIDITY
+{
+    /** Core sequence bits. */
+    RTASN1SEQUENCECORE                  SeqCore;
+    /** Effective starting. */
+    RTASN1TIME                          NotBefore;
+    /** Expires after. */
+    RTASN1TIME                          NotAfter;
+} RTCRX509VALIDITY;
+/** Pointer to the IPRT representation of an X.509 validity sequence. */
+typedef RTCRX509VALIDITY *PRTCRX509VALIDITY;
+/** Pointer ot the const IPRT representation of an X.509 validity sequence. */
+typedef RTCRX509VALIDITY const *PCRTCRX509VALIDITY;
+RTASN1TYPE_STANDARD_PROTOTYPES(RTCRX509VALIDITY, RTDECL, RTCrX509Validity, SeqCore.Asn1Core);
+
+RTDECL(bool) RTCrX509Validity_IsValidAtTimeSpec(PCRTCRX509VALIDITY pThis, PCRTTIMESPEC pTimeSpec);
+
+
+#if 0
+/**
+ * X.509 UniqueIdentifier (IPRT representation).
+ */
+typedef struct RTCRX509UNIQUEIDENTIFIER
+{
+    /** Representation is a bit string. */
+    RTASN1BITSTRING                     BitString;
+} RTCRX509UNIQUEIDENTIFIER;
+/** Pointer to the IPRT representation of an X.509 unique identifier. */
+typedef RTCRX509UNIQUEIDENTIFIER *PRTCRX509UNIQUEIDENTIFIER;
+/** Pointer to the const IPRT representation of an X.509 unique identifier. */
+typedef RTCRX509UNIQUEIDENTIFIER const *PCRTCRX509UNIQUEIDENTIFIER;
+RTASN1TYPE_STANDARD_PROTOTYPES_NO_GET_CORE(RTCRX509UNIQUEIDENTIFIER, RTDECL, RTCrX509UniqueIdentifier);
+#endif
+RTASN1TYPE_ALIAS(RTCRX509UNIQUEIDENTIFIER, RTASN1BITSTRING, RTCrX509UniqueIdentifier, RTAsn1BitString);
+
+
+/**
+ * X.509 SubjectPublicKeyInfo (IPRT representation).
+ */
+typedef struct RTCRX509SUBJECTPUBLICKEYINFO
+{
+    /** Core sequence bits. */
+    RTASN1SEQUENCECORE                  SeqCore;
+    /** The algorithm used with the public key. */
+    RTCRX509ALGORITHMIDENTIFIER         Algorithm;
+    /** A bit string containing the public key.
+     *
+     * For algorithms like rsaEncryption this is generally a sequence of two
+     * integers, where the first one has lots of bits, and the second one being a
+     * modulous value.  These are details specific to the algorithm and not relevant
+     * when validating the certificate chain. */
+    RTASN1BITSTRING                     SubjectPublicKey;
+} RTCRX509SUBJECTPUBLICKEYINFO;
+/** Pointer to the IPRT representation of an X.509 subject public key info
+ *  sequence. */
+typedef RTCRX509SUBJECTPUBLICKEYINFO *PRTCRX509SUBJECTPUBLICKEYINFO;
+/** Pointer to the const IPRT representation of an X.509 subject public key info
+ *  sequence. */
+typedef RTCRX509SUBJECTPUBLICKEYINFO const *PCRTCRX509SUBJECTPUBLICKEYINFO;
+RTASN1TYPE_STANDARD_PROTOTYPES(RTCRX509SUBJECTPUBLICKEYINFO, RTDECL, RTCrX509SubjectPublicKeyInfo, SeqCore.Asn1Core);
+
+
+/**
+ * One X.509 AuthorityKeyIdentifier (IPRT representation).
+ */
+typedef struct RTCRX509AUTHORITYKEYIDENTIFIER
+{
+    /** Sequence core. */
+    RTASN1SEQUENCECORE              SeqCore;
+    /** Tag 0, optional, implicit: Key identifier. */
+    RTASN1OCTETSTRING               KeyIdentifier;
+    /** Tag 1, optional, implicit: Issuer name. */
+    RTCRX509GENERALNAMES            AuthorityCertIssuer;
+    /** Tag 2, optional, implicit: Serial number of issuer. */
+    RTASN1INTEGER                   AuthorityCertSerialNumber;
+}  RTCRX509AUTHORITYKEYIDENTIFIER;
+/** Pointer to the IPRT representation of an X.509 AuthorityKeyIdentifier
+ * sequence. */
+typedef RTCRX509AUTHORITYKEYIDENTIFIER *PRTCRX509AUTHORITYKEYIDENTIFIER;
+/** Pointer to the const IPRT representation of an X.509 AuthorityKeyIdentifier
+ * sequence. */
+typedef RTCRX509AUTHORITYKEYIDENTIFIER const *PCRTCRX509AUTHORITYKEYIDENTIFIER;
+RTASN1TYPE_STANDARD_PROTOTYPES(RTCRX509AUTHORITYKEYIDENTIFIER, RTDECL, RTCrX509AuthorityKeyIdentifier, SeqCore.Asn1Core);
+
+
+/**
+ * One X.509 OldAuthorityKeyIdentifier (IPRT representation).
+ */
+typedef struct RTCRX509OLDAUTHORITYKEYIDENTIFIER
+{
+    /** Sequence core. */
+    RTASN1SEQUENCECORE              SeqCore;
+    /** Tag 0, optional, implicit: Key identifier. */
+    RTASN1OCTETSTRING               KeyIdentifier;
+    struct
+    {
+        RTASN1CONTEXTTAG1           CtxTag1;
+        /** Tag 1, optional, implicit: Issuer name. */
+        RTCRX509NAME                AuthorityCertIssuer;
+    } T1;
+    /** Tag 2, optional, implicit: Serial number of issuer. */
+    RTASN1INTEGER                   AuthorityCertSerialNumber;
+}  RTCRX509OLDAUTHORITYKEYIDENTIFIER;
+/** Pointer to the IPRT representation of an X.509 AuthorityKeyIdentifier
+ * sequence. */
+typedef RTCRX509OLDAUTHORITYKEYIDENTIFIER *PRTCRX509OLDAUTHORITYKEYIDENTIFIER;
+/** Pointer to the const IPRT representation of an X.509 AuthorityKeyIdentifier
+ * sequence. */
+typedef RTCRX509OLDAUTHORITYKEYIDENTIFIER const *PCRTCRX509OLDAUTHORITYKEYIDENTIFIER;
+RTASN1TYPE_STANDARD_PROTOTYPES(RTCRX509OLDAUTHORITYKEYIDENTIFIER, RTDECL, RTCrX509OldAuthorityKeyIdentifier, SeqCore.Asn1Core);
+
+
+/**
+ * One X.509 PolicyQualifierInfo (IPRT representation).
+ */
+typedef struct RTCRX509POLICYQUALIFIERINFO
+{
+    /** Core sequence bits. */
+    RTASN1SEQUENCECORE                  SeqCore;
+    /** The policy object ID. */
+    RTASN1OBJID                         PolicyQualifierId;
+    /** Anything defined by the policy qualifier id. */
+    RTASN1DYNTYPE                       Qualifier;
+} RTCRX509POLICYQUALIFIERINFO;
+/** Pointer to the IPRT representation of an X.509 PolicyQualifierInfo
+ * sequence. */
+typedef RTCRX509POLICYQUALIFIERINFO *PRTCRX509POLICYQUALIFIERINFO;
+/** Pointer to the const IPRT representation of an X.509 PolicyQualifierInfo
+ * sequence. */
+typedef RTCRX509POLICYQUALIFIERINFO const *PCRTCRX509POLICYQUALIFIERINFO;
+RTASN1TYPE_STANDARD_PROTOTYPES(RTCRX509POLICYQUALIFIERINFO, RTDECL, RTCrX509PolicyQualifierInfo, SeqCore.Asn1Core);
+RTASN1_IMPL_GEN_SEQ_OF_TYPEDEFS_AND_PROTOS(RTCRX509POLICYQUALIFIERINFOS, RTCRX509POLICYQUALIFIERINFO, RTDECL, RTCrX509PolicyQualifierInfos);
+
+
+/**
+ * One X.509 PolicyInformation (IPRT representation).
+ */
+typedef struct RTCRX509POLICYINFORMATION
+{
+    /** Core sequence bits. */
+    RTASN1SEQUENCECORE                  SeqCore;
+    /** The policy object ID. */
+    RTASN1OBJID                         PolicyIdentifier;
+    /** Optional sequence of policy qualifiers. */
+    RTCRX509POLICYQUALIFIERINFOS        PolicyQualifiers;
+} RTCRX509POLICYINFORMATION;
+/** Pointer to the IPRT representation of an X.509 PolicyInformation
+ * sequence. */
+typedef RTCRX509POLICYINFORMATION *PRTCRX509POLICYINFORMATION;
+/** Pointer to the const IPRT representation of an X.509 PolicyInformation
+ * sequence. */
+typedef RTCRX509POLICYINFORMATION const *PCRTCRX509POLICYINFORMATION;
+RTASN1TYPE_STANDARD_PROTOTYPES(RTCRX509POLICYINFORMATION, RTDECL, RTCrX509PolicyInformation, SeqCore.Asn1Core);
+RTASN1_IMPL_GEN_SEQ_OF_TYPEDEFS_AND_PROTOS(RTCRX509CERTIFICATEPOLICIES, RTCRX509POLICYINFORMATION, RTDECL, RTCrX509CertificatePolicies);
+
+/** Sepcial policy object ID that matches any policy. */
+#define RTCRX509_ID_CE_CP_ANY_POLICY_OID    "2.5.29.32.0"
+
+
+/**
+ * One X.509 PolicyMapping (IPRT representation).
+ */
+typedef struct RTCRX509POLICYMAPPING
+{
+    /** Core sequence bits. */
+    RTASN1SEQUENCECORE                  SeqCore;
+    /** Issuer policy ID. */
+    RTASN1OBJID                         IssuerDomainPolicy;
+    /** Subject policy ID. */
+    RTASN1OBJID                         SubjectDomainPolicy;
+} RTCRX509POLICYMAPPING;
+/** Pointer to the IPRT representation of a sequence of X.509 PolicyMapping. */
+typedef RTCRX509POLICYMAPPING *PRTCRX509POLICYMAPPING;
+/** Pointer to the const IPRT representation of a sequence of X.509
+ * PolicyMapping. */
+typedef RTCRX509POLICYMAPPING const *PCRTCRX509POLICYMAPPING;
+RTASN1TYPE_STANDARD_PROTOTYPES(RTCRX509POLICYMAPPING, RTDECL, RTCrX509PolicyMapping, SeqCore.Asn1Core);
+RTASN1_IMPL_GEN_SEQ_OF_TYPEDEFS_AND_PROTOS(RTCRX509POLICYMAPPINGS, RTCRX509POLICYMAPPING, RTDECL, RTCrX509PolicyMappings);
+
+
+/**
+ * X.509 BasicConstraints (IPRT representation).
+ */
+typedef struct RTCRX509BASICCONSTRAINTS
+{
+    /** Core sequence bits. */
+    RTASN1SEQUENCECORE                  SeqCore;
+    /** Is this ia certficiate authority? Default to false. */
+    RTASN1BOOLEAN                       CA;
+    /** Path length constraint. */
+    RTASN1INTEGER                       PathLenConstraint;
+} RTCRX509BASICCONSTRAINTS;
+/** Pointer to the IPRT representation of a sequence of X.509
+ *  BasicConstraints. */
+typedef RTCRX509BASICCONSTRAINTS *PRTCRX509BASICCONSTRAINTS;
+/** Pointer to the const IPRT representation of a sequence of X.509
+ * BasicConstraints. */
+typedef RTCRX509BASICCONSTRAINTS const *PCRTCRX509BASICCONSTRAINTS;
+RTASN1TYPE_STANDARD_PROTOTYPES(RTCRX509BASICCONSTRAINTS, RTDECL, RTCrX509BasicConstraints, SeqCore.Asn1Core);
+
+
+/**
+ * X.509 GeneralSubtree (IPRT representation).
+ */
+typedef struct RTCRX509GENERALSUBTREE
+{
+    /** Core sequence bits. */
+    RTASN1SEQUENCECORE                  SeqCore;
+    /** Base name. */
+    RTCRX509GENERALNAME                 Base;
+    /** Tag 0, optional: Minimum, default 0.  Fixed at 0 by RFC-5280. */
+    RTASN1INTEGER                       Minimum;
+    /** Tag 1, optional: Maximum. Fixed as not-present by RFC-5280. */
+    RTASN1INTEGER                       Maximum;
+} RTCRX509GENERALSUBTREE;
+/** Pointer to the IPRT representation of a sequence of X.509 GeneralSubtree. */
+typedef RTCRX509GENERALSUBTREE *PRTCRX509GENERALSUBTREE;
+/** Pointer to the const IPRT representation of a sequence of X.509
+ * GeneralSubtree. */
+typedef RTCRX509GENERALSUBTREE const *PCRTCRX509GENERALSUBTREE;
+RTASN1TYPE_STANDARD_PROTOTYPES(RTCRX509GENERALSUBTREE, RTDECL, RTCrX509GeneralSubtree, SeqCore.Asn1Core);
+
+RTDECL(bool) RTCrX509GeneralSubtree_ConstraintMatch(PCRTCRX509GENERALSUBTREE pConstraint, PCRTCRX509GENERALSUBTREE pName);
+
+RTASN1_IMPL_GEN_SEQ_OF_TYPEDEFS_AND_PROTOS(RTCRX509GENERALSUBTREES, RTCRX509GENERALSUBTREE, RTDECL, RTCrX509GeneralSubtrees);
+
+
+/**
+ * X.509 NameConstraints (IPRT representation).
+ */
+typedef struct RTCRX509NAMECONSTRAINTS
+{
+    /** Core sequence bits. */
+    RTASN1SEQUENCECORE                  SeqCore;
+    /** Tag 0, optional: Permitted subtrees. */
+    struct
+    {
+        /** Context tag. */
+        RTASN1CONTEXTTAG0               CtxTag0;
+        /** The permitted subtrees. */
+        RTCRX509GENERALSUBTREES         PermittedSubtrees;
+    } T0;
+    /** Tag 1, optional: Excluded subtrees. */
+    struct
+    {
+        /** Context tag. */
+        RTASN1CONTEXTTAG1               CtxTag1;
+        /** The excluded subtrees. */
+        RTCRX509GENERALSUBTREES         ExcludedSubtrees;
+    } T1;
+} RTCRX509NAMECONSTRAINTS;
+/** Pointer to the IPRT representation of a sequence of X.509
+ *  NameConstraints. */
+typedef RTCRX509NAMECONSTRAINTS *PRTCRX509NAMECONSTRAINTS;
+/** Pointer to the const IPRT representation of a sequence of X.509
+ * NameConstraints. */
+typedef RTCRX509NAMECONSTRAINTS const *PCRTCRX509NAMECONSTRAINTS;
+RTASN1TYPE_STANDARD_PROTOTYPES(RTCRX509NAMECONSTRAINTS, RTDECL, RTCrX509NameConstraints, SeqCore.Asn1Core);
+
+
+/**
+ * X.509 PolicyConstraints (IPRT representation).
+ */
+typedef struct RTCRX509POLICYCONSTRAINTS
+{
+    /** Core sequence bits. */
+    RTASN1SEQUENCECORE                  SeqCore;
+    /** Tag 0, optional: Certificates before an explicit policy is required. */
+    RTASN1INTEGER                       RequireExplicitPolicy;
+    /** Tag 1, optional: Certificates before policy mapping is inhibited. */
+    RTASN1INTEGER                       InhibitPolicyMapping;
+} RTCRX509POLICYCONSTRAINTS;
+/** Pointer to the IPRT representation of a sequence of X.509
+ *  PolicyConstraints. */
+typedef RTCRX509POLICYCONSTRAINTS *PRTCRX509POLICYCONSTRAINTS;
+/** Pointer to the const IPRT representation of a sequence of X.509
+ * PolicyConstraints. */
+typedef RTCRX509POLICYCONSTRAINTS const *PCRTCRX509POLICYCONSTRAINTS;
+RTASN1TYPE_STANDARD_PROTOTYPES(RTCRX509POLICYCONSTRAINTS, RTDECL, RTCrX509PolicyConstraints, SeqCore.Asn1Core);
+
+
+/**
+ * Indicates what an X.509 extension value encapsulates.
+ */
+typedef enum RTCRX509EXTENSIONVALUE
+{
+    RTCRX509EXTENSIONVALUE_INVALID = 0,
+    /** Unknown, no decoding available just the octet string. */
+    RTCRX509EXTENSIONVALUE_UNKNOWN,
+    /** Unencapsulated (i.e. octet string). */
+    RTCRX509EXTENSIONVALUE_NOT_ENCAPSULATED,
+
+    /** Bit string (RTASN1BITSTRING). */
+    RTCRX509EXTENSIONVALUE_BIT_STRING,
+    /** Octet string (RTASN1OCTETSTRING). */
+    RTCRX509EXTENSIONVALUE_OCTET_STRING,
+    /** Integer string (RTASN1INTEGER). */
+    RTCRX509EXTENSIONVALUE_INTEGER,
+    /** Sequence of object identifiers (RTASN1SEQOFOBJIDS). */
+    RTCRX509EXTENSIONVALUE_SEQ_OF_OBJ_IDS,
+
+    /** Authority key identifier (RTCRX509AUTHORITYKEYIDENTIFIER). */
+    RTCRX509EXTENSIONVALUE_AUTHORITY_KEY_IDENTIFIER,
+    /** Old Authority key identifier (RTCRX509OLDAUTHORITYKEYIDENTIFIER). */
+    RTCRX509EXTENSIONVALUE_OLD_AUTHORITY_KEY_IDENTIFIER,
+    /** Certificate policies (RTCRX509CERTIFICATEPOLICIES). */
+    RTCRX509EXTENSIONVALUE_CERTIFICATE_POLICIES,
+    /** Sequence of policy mappings (RTCRX509POLICYMAPPINGS). */
+    RTCRX509EXTENSIONVALUE_POLICY_MAPPINGS,
+    /** Basic constraints (RTCRX509BASICCONSTRAINTS). */
+    RTCRX509EXTENSIONVALUE_BASIC_CONSTRAINTS,
+    /** Name constraints (RTCRX509NAMECONSTRAINTS). */
+    RTCRX509EXTENSIONVALUE_NAME_CONSTRAINTS,
+    /** Policy constraints (RTCRX509POLICYCONSTRAINTS). */
+    RTCRX509EXTENSIONVALUE_POLICY_CONSTRAINTS,
+    /** Sequence of general names (RTCRX509GENERALNAMES). */
+    RTCRX509EXTENSIONVALUE_GENERAL_NAMES,
+
+    /** Blow the type up to 32-bits. */
+    RTCRX509EXTENSIONVALUE_32BIT_HACK = 0x7fffffff
+} RTCRX509EXTENSIONVALUE;
+
+/**
+ * One X.509 Extension (IPRT representation).
+ */
+typedef struct RTCRX509EXTENSION
+{
+    /** Core sequence bits. */
+    RTASN1SEQUENCECORE                  SeqCore;
+    /** Extension ID. */
+    RTASN1OBJID                         ExtnId;
+    /** Whether this is critical (default @c false). */
+    RTASN1BOOLEAN                       Critical;
+    /** Indicates what ExtnValue.pEncapsulated points at. */
+    RTCRX509EXTENSIONVALUE              enmValue;
+    /** The value.
+     * Contains extension specific data that we don't yet parse. */
+    RTASN1OCTETSTRING                   ExtnValue;
+} RTCRX509EXTENSION;
+/** Pointer to the IPRT representation of one X.509 extensions. */
+typedef RTCRX509EXTENSION *PRTCRX509EXTENSION;
+/** Pointer to the const IPRT representation of one X.509 extension. */
+typedef RTCRX509EXTENSION const *PCRTCRX509EXTENSION;
+RTASN1TYPE_STANDARD_PROTOTYPES(RTCRX509EXTENSION, RTDECL, RTCrX509Extension, SeqCore.Asn1Core);
+RTASN1_IMPL_GEN_SEQ_OF_TYPEDEFS_AND_PROTOS(RTCRX509EXTENSIONS, RTCRX509EXTENSION, RTDECL, RTCrX509Extensions);
+
+RTDECL(int) RTCrX509Extension_ExtnValue_DecodeAsn1(PRTASN1CURSOR pCursor, uint32_t fFlags,
+                                                   PRTCRX509EXTENSION pThis, const char *pszErrorTag);
+
+
+/**
+ * X.509 To-be-signed certificate information (IPRT representation).
+ */
+typedef struct RTCRX509TBSCERTIFICATE
+{
+    /** Sequence core. */
+    RTASN1SEQUENCECORE                  SeqCore;
+    /** Structure version. */
+    struct
+    {
+        /** Context tag with value 0. */
+        RTASN1CONTEXTTAG0               CtxTag0;
+        /** The actual value (RTCRX509TBSCERTIFICATE_V1, ...). */
+        RTASN1INTEGER                   Version;
+    } T0;
+    /** The serial number of the certificate. */
+    RTASN1INTEGER                       SerialNumber;
+    /** The signature algorithm. */
+    RTCRX509ALGORITHMIDENTIFIER         Signature;
+    /** The issuer name. */
+    RTCRX509NAME                        Issuer;
+    /** The certificate validity period. */
+    RTCRX509VALIDITY                    Validity;
+    /** The subject name. */
+    RTCRX509NAME                        Subject;
+    /** The public key for this certificate.  */
+    RTCRX509SUBJECTPUBLICKEYINFO        SubjectPublicKeyInfo;
+    /** Issuer unique identifier (optional, version >= v2).  */
+    struct
+    {
+        /** Context tag with value 1. */
+        RTASN1CONTEXTTAG1               CtxTag1;
+        /** The unique identifier value. */
+        RTCRX509UNIQUEIDENTIFIER        IssuerUniqueId;
+    } T1;
+    /** Subject unique identifier (optional, version >= v2).  */
+    struct
+    {
+        /** Context tag with value 2. */
+        RTASN1CONTEXTTAG2               CtxTag2;
+        /** The unique identifier value. */
+        RTCRX509UNIQUEIDENTIFIER        SubjectUniqueId;
+    } T2;
+    /** Extensions (optional, version >= v3).  */
+    struct
+    {
+        /** Context tag with value 3. */
+        RTASN1CONTEXTTAG3               CtxTag3;
+        /** The unique identifier value. */
+        RTCRX509EXTENSIONS              Extensions;
+        /** Extensions summary flags (RTCRX509TBSCERTIFICATE_F_PRESENT_XXX). */
+        uint32_t                        fFlags;
+        /** Key usage flags (RTCRX509CERT_KEY_USAGE_F_XXX). */
+        uint32_t                        fKeyUsage;
+        /** Extended key usage flags (RTCRX509CERT_EKU_F_XXX). */
+        uint64_t                        fExtKeyUsage;
+
+        /** Pointer to the authority key ID extension if present. */
+        PCRTCRX509AUTHORITYKEYIDENTIFIER pAuthorityKeyIdentifier;
+        /** Pointer to the OLD authority key ID extension if present. */
+        PCRTCRX509OLDAUTHORITYKEYIDENTIFIER pOldAuthorityKeyIdentifier;
+        /** Pointer to the subject key ID extension if present. */
+        PCRTASN1OCTETSTRING             pSubjectKeyIdentifier;
+        /** Pointer to the alternative subject name extension if present. */
+        PCRTCRX509GENERALNAMES          pAltSubjectName;
+        /** Pointer to the alternative issuer name extension if present. */
+        PCRTCRX509GENERALNAMES          pAltIssuerName;
+        /** Pointer to the certificate policies extension if present. */
+        PCRTCRX509CERTIFICATEPOLICIES   pCertificatePolicies;
+        /** Pointer to the policy mappings extension if present. */
+        PCRTCRX509POLICYMAPPINGS        pPolicyMappings;
+        /** Pointer to the basic constraints extension if present. */
+        PCRTCRX509BASICCONSTRAINTS      pBasicConstraints;
+        /** Pointer to the name constraints extension if present. */
+        PCRTCRX509NAMECONSTRAINTS       pNameConstraints;
+        /** Pointer to the policy constraints extension if present. */
+        PCRTCRX509POLICYCONSTRAINTS     pPolicyConstraints;
+        /** Pointer to the inhibit anyPolicy extension if present. */
+        PCRTASN1INTEGER                 pInhibitAnyPolicy;
+    } T3;
+} RTCRX509TBSCERTIFICATE;
+/** Pointer to the IPRT representation of a X.509 TBSCertificate. */
+typedef RTCRX509TBSCERTIFICATE *PRTCRX509TBSCERTIFICATE;
+/** Pointer to the const IPRT representation of a X.509 TBSCertificate. */
+typedef RTCRX509TBSCERTIFICATE const *PCRTCRX509TBSCERTIFICATE;
+RTASN1TYPE_STANDARD_PROTOTYPES(RTCRX509TBSCERTIFICATE, RTDECL, RTCrX509TbsCertificate, SeqCore.Asn1Core);
+
+/** @name RTCRX509TBSCERTIFICATE::T0.Version values.
+ * @{ */
+#define RTCRX509TBSCERTIFICATE_V1   0
+#define RTCRX509TBSCERTIFICATE_V2   1
+#define RTCRX509TBSCERTIFICATE_V3   2
+/** @} */
+
+/** @name RTCRX509TBSCERTIFICATE::T3.fFlags values.
+ * @{ */
+#define RTCRX509TBSCERTIFICATE_F_PRESENT_KEY_USAGE                      RT_BIT_32(0)
+#define RTCRX509TBSCERTIFICATE_F_PRESENT_EXT_KEY_USAGE                  RT_BIT_32(1)
+#define RTCRX509TBSCERTIFICATE_F_PRESENT_SUBJECT_KEY_IDENTIFIER         RT_BIT_32(2)
+#define RTCRX509TBSCERTIFICATE_F_PRESENT_SUBJECT_ALT_NAME               RT_BIT_32(3)
+#define RTCRX509TBSCERTIFICATE_F_PRESENT_ISSUER_ALT_NAME                RT_BIT_32(4)
+#define RTCRX509TBSCERTIFICATE_F_PRESENT_CERTIFICATE_POLICIES           RT_BIT_32(5)
+#define RTCRX509TBSCERTIFICATE_F_PRESENT_POLICY_MAPPINGS                RT_BIT_32(6)
+#define RTCRX509TBSCERTIFICATE_F_PRESENT_BASIC_CONSTRAINTS              RT_BIT_32(7)
+#define RTCRX509TBSCERTIFICATE_F_PRESENT_NAME_CONSTRAINTS               RT_BIT_32(8)
+#define RTCRX509TBSCERTIFICATE_F_PRESENT_POLICY_CONSTRAINTS             RT_BIT_32(9)
+#define RTCRX509TBSCERTIFICATE_F_PRESENT_AUTHORITY_KEY_IDENTIFIER       RT_BIT_32(10)
+#define RTCRX509TBSCERTIFICATE_F_PRESENT_OLD_AUTHORITY_KEY_IDENTIFIER   RT_BIT_32(11)
+#define RTCRX509TBSCERTIFICATE_F_PRESENT_ACCEPTABLE_CERT_POLICIES       RT_BIT_32(12)
+#define RTCRX509TBSCERTIFICATE_F_PRESENT_INHIBIT_ANY_POLICY             RT_BIT_32(13)
+#define RTCRX509TBSCERTIFICATE_F_PRESENT_OTHER                          RT_BIT_32(22) /**< Other unknown extension present. */
+#define RTCRX509TBSCERTIFICATE_F_PRESENT_NONE                           RT_BIT_32(23) /**< No extensions present. */
+/** @} */
+
+/** @name X.509 Key Usage flags. (RFC-5280 section 4.2.1.3.)
+ * @{ */
+#define RTCRX509CERT_KEY_USAGE_F_DIGITAL_SIGNATURE_BIT      0
+#define RTCRX509CERT_KEY_USAGE_F_DIGITAL_SIGNATURE          RT_BIT_32(0)
+#define RTCRX509CERT_KEY_USAGE_F_CONTENT_COMMITTMENT_BIT    1
+#define RTCRX509CERT_KEY_USAGE_F_CONTENT_COMMITTMENT        RT_BIT_32(1)
+#define RTCRX509CERT_KEY_USAGE_F_KEY_ENCIPHERMENT_BIT       2
+#define RTCRX509CERT_KEY_USAGE_F_KEY_ENCIPHERMENT           RT_BIT_32(2)
+#define RTCRX509CERT_KEY_USAGE_F_DATA_ENCIPHERMENT_BIT      3
+#define RTCRX509CERT_KEY_USAGE_F_DATA_ENCIPHERMENT          RT_BIT_32(3)
+#define RTCRX509CERT_KEY_USAGE_F_KEY_AGREEMENT_BIT          4
+#define RTCRX509CERT_KEY_USAGE_F_KEY_AGREEMENT              RT_BIT_32(4)
+#define RTCRX509CERT_KEY_USAGE_F_KEY_CERT_SIGN_BIT          5
+#define RTCRX509CERT_KEY_USAGE_F_KEY_CERT_SIGN              RT_BIT_32(5)
+#define RTCRX509CERT_KEY_USAGE_F_CRL_SIGN_BIT               6
+#define RTCRX509CERT_KEY_USAGE_F_CRL_SIGN                   RT_BIT_32(6)
+#define RTCRX509CERT_KEY_USAGE_F_ENCIPHERMENT_ONLY_BIT      7
+#define RTCRX509CERT_KEY_USAGE_F_ENCIPHERMENT_ONLY          RT_BIT_32(7)
+#define RTCRX509CERT_KEY_USAGE_F_DECIPHERMENT_ONLY_BIT      8
+#define RTCRX509CERT_KEY_USAGE_F_DECIPHERMENT_ONLY          RT_BIT_32(8)
+/** @} */
+
+/** @name X.509 Extended Key Usage flags. (RFC-5280 section 4.2.1.12, ++.)
+ * @remarks Needless to say, these flags doesn't cover all possible extended key
+ *          usages, because there is a potential unlimited number of them.  Only
+ *          ones relevant to IPRT and it's users are covered.
+ * @{ */
+#define RTCRX509CERT_EKU_F_ANY                              RT_BIT_64(0)
+#define RTCRX509CERT_EKU_F_SERVER_AUTH                      RT_BIT_64(1)
+#define RTCRX509CERT_EKU_F_CLIENT_AUTH                      RT_BIT_64(2)
+#define RTCRX509CERT_EKU_F_CODE_SIGNING                     RT_BIT_64(3)
+#define RTCRX509CERT_EKU_F_EMAIL_PROTECTION                 RT_BIT_64(4)
+#define RTCRX509CERT_EKU_F_IPSEC_END_SYSTEM                 RT_BIT_64(5)
+#define RTCRX509CERT_EKU_F_IPSEC_TUNNEL                     RT_BIT_64(6)
+#define RTCRX509CERT_EKU_F_IPSEC_USER                       RT_BIT_64(7)
+#define RTCRX509CERT_EKU_F_TIMESTAMPING                     RT_BIT_64(8)
+#define RTCRX509CERT_EKU_F_OCSP_SIGNING                     RT_BIT_64(9)
+#define RTCRX509CERT_EKU_F_DVCS                             RT_BIT_64(10)
+#define RTCRX509CERT_EKU_F_SBGP_CERT_AA_SERVICE_AUTH        RT_BIT_64(11)
+#define RTCRX509CERT_EKU_F_EAP_OVER_PPP                     RT_BIT_64(12)
+#define RTCRX509CERT_EKU_F_EAP_OVER_LAN                     RT_BIT_64(13)
+#define RTCRX509CERT_EKU_F_OTHER                            RT_BIT_64(16) /**< Other unknown extended key usage present. */
+#define RTCRX509CERT_EKU_F_APPLE_CODE_SIGNING               RT_BIT_64(24)
+#define RTCRX509CERT_EKU_F_APPLE_CODE_SIGNING_DEVELOPMENT   RT_BIT_64(25)
+#define RTCRX509CERT_EKU_F_APPLE_SOFTWARE_UPDATE_SIGNING    RT_BIT_64(26)
+#define RTCRX509CERT_EKU_F_APPLE_CODE_SIGNING_THIRD_PARTY   RT_BIT_64(27)
+#define RTCRX509CERT_EKU_F_APPLE_RESOURCE_SIGNING           RT_BIT_64(28)
+#define RTCRX509CERT_EKU_F_APPLE_SYSTEM_IDENTITY            RT_BIT_64(29)
+#define RTCRX509CERT_EKU_F_MS_TIMESTAMP_SIGNING             RT_BIT_64(32)
+#define RTCRX509CERT_EKU_F_MS_NT5_CRYPTO                    RT_BIT_64(33)
+#define RTCRX509CERT_EKU_F_MS_OEM_WHQL_CRYPTO               RT_BIT_64(34)
+#define RTCRX509CERT_EKU_F_MS_EMBEDDED_NT_CRYPTO            RT_BIT_64(35)
+#define RTCRX509CERT_EKU_F_MS_KERNEL_MODE_CODE_SIGNING      RT_BIT_64(36)
+#define RTCRX509CERT_EKU_F_MS_LIFETIME_SIGNING              RT_BIT_64(37)
+#define RTCRX509CERT_EKU_F_MS_DRM                           RT_BIT_64(38)
+#define RTCRX509CERT_EKU_F_MS_DRM_INDIVIDUALIZATION         RT_BIT_64(39)
+#define RTCRX509CERT_EKU_F_MS_WHQL_CRYPTO                   RT_BIT_64(40)
+#define RTCRX509CERT_EKU_F_MS_ATTEST_WHQL_CRYPTO            RT_BIT_64(41)
+/** @} */
+
+/** @name Key purpose OIDs (extKeyUsage)
+ * @{ */
+#define RTCRX509_ANY_EXTENDED_KEY_USAGE_OID                 "2.5.29.37.0"
+#define RTCRX509_ID_KP_OID                                  "1.3.6.1.5.5.7.3"
+#define RTCRX509_ID_KP_SERVER_AUTH_OID                      "1.3.6.1.5.5.7.3.1"
+#define RTCRX509_ID_KP_CLIENT_AUTH_OID                      "1.3.6.1.5.5.7.3.2"
+#define RTCRX509_ID_KP_CODE_SIGNING_OID                     "1.3.6.1.5.5.7.3.3"
+#define RTCRX509_ID_KP_EMAIL_PROTECTION_OID                 "1.3.6.1.5.5.7.3.4"
+#define RTCRX509_ID_KP_IPSEC_END_SYSTEM_OID                 "1.3.6.1.5.5.7.3.5"
+#define RTCRX509_ID_KP_IPSEC_TUNNEL_OID                     "1.3.6.1.5.5.7.3.6"
+#define RTCRX509_ID_KP_IPSEC_USER_OID                       "1.3.6.1.5.5.7.3.7"
+#define RTCRX509_ID_KP_TIMESTAMPING_OID                     "1.3.6.1.5.5.7.3.8"
+#define RTCRX509_ID_KP_OCSP_SIGNING_OID                     "1.3.6.1.5.5.7.3.9"
+#define RTCRX509_ID_KP_DVCS_OID                             "1.3.6.1.5.5.7.3.10"
+#define RTCRX509_ID_KP_SBGP_CERT_AA_SERVICE_AUTH_OID        "1.3.6.1.5.5.7.3.11"
+#define RTCRX509_ID_KP_EAP_OVER_PPP_OID                     "1.3.6.1.5.5.7.3.13"
+#define RTCRX509_ID_KP_EAP_OVER_LAN_OID                     "1.3.6.1.5.5.7.3.14"
+/** @} */
+
+/** @name Microsoft extended key usage OIDs
+ * @{ */
+#define RTCRX509_MS_EKU_CERT_TRUST_LIST_SIGNING_OID         "1.3.6.1.4.1.311.10.3.1"
+#define RTCRX509_MS_EKU_TIMESTAMP_SIGNING_OID               "1.3.6.1.4.1.311.10.3.2"
+#define RTCRX509_MS_EKU_SERVER_GATED_CRYPTO_OID             "1.3.6.1.4.1.311.10.3.3"
+#define RTCRX509_MS_EKU_SGC_SERIALIZED_OID                  "1.3.6.1.4.1.311.10.3.3.1"
+#define RTCRX509_MS_EKU_ENCRYPTED_FILE_SYSTEM_OID           "1.3.6.1.4.1.311.10.3.4"
+#define RTCRX509_MS_EKU_WHQL_CRYPTO_OID                     "1.3.6.1.4.1.311.10.3.5"
+#define RTCRX509_MS_EKU_ATTEST_WHQL_CRYPTO_OID              "1.3.6.1.4.1.311.10.3.5.1"
+#define RTCRX509_MS_EKU_NT5_CRYPTO_OID                      "1.3.6.1.4.1.311.10.3.6"
+#define RTCRX509_MS_EKU_OEM_WHQL_CRYPTO_OID                 "1.3.6.1.4.1.311.10.3.7"
+#define RTCRX509_MS_EKU_EMBEDDED_NT_CRYPTO_OID              "1.3.6.1.4.1.311.10.3.8"
+#define RTCRX509_MS_EKU_ROOT_LIST_SIGNER_OID                "1.3.6.1.4.1.311.10.3.9"
+#define RTCRX509_MS_EKU_QUALIFIED_SUBORDINATE_OID           "1.3.6.1.4.1.311.10.3.10"
+#define RTCRX509_MS_EKU_KEY_RECOVERY_3_OID                  "1.3.6.1.4.1.311.10.3.11"
+#define RTCRX509_MS_EKU_DOCUMENT_SIGNING_OID                "1.3.6.1.4.1.311.10.3.12"
+#define RTCRX509_MS_EKU_LIFETIME_SIGNING_OID                "1.3.6.1.4.1.311.10.3.13"
+#define RTCRX509_MS_EKU_MOBILE_DEVICE_SOFTWARE_OID          "1.3.6.1.4.1.311.10.3.14"
+#define RTCRX509_MS_EKU_SMART_DISPLAY_OID                   "1.3.6.1.4.1.311.10.3.15"
+#define RTCRX509_MS_EKU_CSP_SIGNATURE_OID                   "1.3.6.1.4.1.311.10.3.16"
+#define RTCRX509_MS_EKU_EFS_RECOVERY_OID                    "1.3.6.1.4.1.311.10.3.4.1"
+#define RTCRX509_MS_EKU_DRM_OID                             "1.3.6.1.4.1.311.10.5.1"
+#define RTCRX509_MS_EKU_DRM_INDIVIDUALIZATION_OID           "1.3.6.1.4.1.311.10.5.2"
+#define RTCRX509_MS_EKU_LICENSES_OID                        "1.3.6.1.4.1.311.10.5.3"
+#define RTCRX509_MS_EKU_LICENSE_SERVER_OID                  "1.3.6.1.4.1.311.10.5.4"
+#define RTCRX509_MS_EKU_ENROLLMENT_AGENT_OID                "1.3.6.1.4.1.311.20.2.1"
+#define RTCRX509_MS_EKU_SMARTCARD_LOGON_OID                 "1.3.6.1.4.1.311.20.2.2"
+#define RTCRX509_MS_EKU_CA_EXCHANGE_OID                     "1.3.6.1.4.1.311.21.5"
+#define RTCRX509_MS_EKU_KEY_RECOVERY_21_OID                 "1.3.6.1.4.1.311.21.6"
+#define RTCRX509_MS_EKU_SYSTEM_HEALTH_OID                   "1.3.6.1.4.1.311.47.1.1"
+#define RTCRX509_MS_EKU_SYSTEM_HEALTH_LOOPHOLE_OID          "1.3.6.1.4.1.311.47.1.3"
+#define RTCRX509_MS_EKU_KERNEL_MODE_CODE_SIGNING_OID        "1.3.6.1.4.1.311.61.1.1"
+/** @} */
+
+/** @name Apple extended key usage OIDs
+ * @{ */
+#define RTCRX509_APPLE_EKU_APPLE_EXTENDED_KEY_USAGE_OID     "1.2.840.113635.100.4"
+#define RTCRX509_APPLE_EKU_CODE_SIGNING_OID                 "1.2.840.113635.100.4.1"
+#define RTCRX509_APPLE_EKU_CODE_SIGNING_DEVELOPMENT_OID     "1.2.840.113635.100.4.1.1"
+#define RTCRX509_APPLE_EKU_SOFTWARE_UPDATE_SIGNING_OID      "1.2.840.113635.100.4.1.2"
+#define RTCRX509_APPLE_EKU_CODE_SIGNING_THRID_PARTY_OID     "1.2.840.113635.100.4.1.3"
+#define RTCRX509_APPLE_EKU_RESOURCE_SIGNING_OID             "1.2.840.113635.100.4.1.4"
+#define RTCRX509_APPLE_EKU_ICHAT_SIGNING_OID                "1.2.840.113635.100.4.2"
+#define RTCRX509_APPLE_EKU_ICHAT_ENCRYPTION_OID             "1.2.840.113635.100.4.3"
+#define RTCRX509_APPLE_EKU_SYSTEM_IDENTITY_OID              "1.2.840.113635.100.4.4"
+#define RTCRX509_APPLE_EKU_CRYPTO_ENV_OID                   "1.2.840.113635.100.4.5"
+#define RTCRX509_APPLE_EKU_CRYPTO_PRODUCTION_ENV_OID        "1.2.840.113635.100.4.5.1"
+#define RTCRX509_APPLE_EKU_CRYPTO_MAINTENANCE_ENV_OID       "1.2.840.113635.100.4.5.2"
+#define RTCRX509_APPLE_EKU_CRYPTO_TEST_ENV_OID              "1.2.840.113635.100.4.5.3"
+#define RTCRX509_APPLE_EKU_CRYPTO_DEVELOPMENT_ENV_OID       "1.2.840.113635.100.4.5.4"
+#define RTCRX509_APPLE_EKU_CRYPTO_QOS_OID                   "1.2.840.113635.100.4.6"
+#define RTCRX509_APPLE_EKU_CRYPTO_TIER0_QOS_OID             "1.2.840.113635.100.4.6.1"
+#define RTCRX509_APPLE_EKU_CRYPTO_TIER1_QOS_OID             "1.2.840.113635.100.4.6.2"
+#define RTCRX509_APPLE_EKU_CRYPTO_TIER2_QOS_OID             "1.2.840.113635.100.4.6.3"
+#define RTCRX509_APPLE_EKU_CRYPTO_TIER3_QOS_OID             "1.2.840.113635.100.4.6.4"
+/** @} */
+
+/**
+ * Use this to update derived values after changing the certificate
+ * extensions.
+ *
+ * @returns IPRT status code
+ * @param   pThis       The certificate.
+ * @param   pErrInfo    Where to return additional error information. Optional.
+ */
+RTDECL(int) RTCrX509TbsCertificate_ReprocessExtensions(PRTCRX509TBSCERTIFICATE pThis, PRTERRINFO pErrInfo);
+
+
+/**
+ * One X.509 Certificate (IPRT representation).
+ */
+typedef struct RTCRX509CERTIFICATE
+{
+    /** Sequence core. */
+    RTASN1SEQUENCECORE                  SeqCore;
+    /** The to-be-signed certificate information. */
+    RTCRX509TBSCERTIFICATE              TbsCertificate;
+    /** The signature algorithm (must match TbsCertificate.Signature). */
+    RTCRX509ALGORITHMIDENTIFIER         SignatureAlgorithm;
+    /** The signature value. */
+    RTASN1BITSTRING                     SignatureValue;
+} RTCRX509CERTIFICATE;
+/** Pointer to the IPRT representation of one X.509 certificate. */
+typedef RTCRX509CERTIFICATE *PRTCRX509CERTIFICATE;
+/** Pointer to the const IPRT representation of one X.509 certificate. */
+typedef RTCRX509CERTIFICATE const *PCRTCRX509CERTIFICATE;
+RTASN1TYPE_STANDARD_PROTOTYPES(RTCRX509CERTIFICATE, RTDECL, RTCrX509Certificate, SeqCore.Asn1Core);
+
+/**
+ * Checks if a certificate matches a given issuer name and serial number.
+ *
+ * @returns True / false.
+ * @param   pCertificate    The X.509 certificat.
+ * @param   pIssuer         The issuer name to match against.
+ * @param   pSerialNumber   The serial number to match against.
+ */
+RTDECL(bool) RTCrX509Certificate_MatchIssuerAndSerialNumber(PCRTCRX509CERTIFICATE pCertificate,
+                                                            PCRTCRX509NAME pIssuer, PCRTASN1INTEGER pSerialNumber);
+
+RTDECL(bool) RTCrX509Certificate_MatchSubjectOrAltSubjectByRfc5280(PCRTCRX509CERTIFICATE pThis, PCRTCRX509NAME pName);
+RTDECL(bool) RTCrX509Certificate_IsSelfSigned(PCRTCRX509CERTIFICATE pCertificate);
+
+RTDECL(int) RTCrX509Certificate_VerifySignature(PCRTCRX509CERTIFICATE pThis, PCRTASN1OBJID pAlgorithm,
+                                                PCRTASN1DYNTYPE pParameters, PCRTASN1BITSTRING pPublicKey,
+                                                PRTERRINFO pErrInfo);
+RTDECL(int) RTCrX509Certificate_VerifySignatureSelfSigned(PCRTCRX509CERTIFICATE pThis, PRTERRINFO pErrInfo);
+RTDECL(int) RTCrX509Certificate_ReadFromFile(PRTCRX509CERTIFICATE pCertificate, const char *pszFilename, uint32_t fFlags,
+                                             PCRTASN1ALLOCATORVTABLE pAllocator, PRTERRINFO pErrInfo);
+RTDECL(int) RTCrX509Certificate_ReadFromBuffer(PRTCRX509CERTIFICATE pCertificate, const void *pvBuf, size_t cbBuf,
+                                               uint32_t fFlags, PCRTASN1ALLOCATORVTABLE pAllocator,
+                                               PRTERRINFO pErrInfo, const char *pszErrorTag);
+/** @name Flags for RTCrX509Certificate_ReadFromFile and
+ *        RTCrX509Certificate_ReadFromBuffer
+ * @{ */
+/** Only allow PEM certificates, not binary ones.
+ * @sa RTCRPEMREADFILE_F_ONLY_PEM  */
+#define RTCRX509CERT_READ_F_PEM_ONLY        RT_BIT(1)
+/** @} */
+
+/** X509 Certificate markers for RTCrPemFindFirstSectionInContent et al. */
+extern RTDATADECL(RTCRPEMMARKER const)  g_aRTCrX509CertificateMarkers[];
+/** Number of entries in g_aRTCrX509CertificateMarkers. */
+extern RTDATADECL(uint32_t const)       g_cRTCrX509CertificateMarkers;
+
+
+/** Wrapper around RTCrPemWriteAsn1ToVfsIoStrm().  */
+DECLINLINE(ssize_t) RTCrX509Certificate_WriteToVfsIoStrm(RTVFSIOSTREAM hVfsIos, PRTCRX509CERTIFICATE pCertificate,
+                                                         PRTERRINFO pErrInfo)
+{
+    return RTCrPemWriteAsn1ToVfsIoStrm(hVfsIos, &pCertificate->SeqCore.Asn1Core, 0 /*fFlags*/,
+                                       g_aRTCrX509CertificateMarkers[0].paWords[0].pszWord, pErrInfo);
+}
+
+/** Wrapper around RTCrPemWriteAsn1ToVfsFile().  */
+DECLINLINE(ssize_t) RTCrX509Certificate_WriteToVfsFile(RTVFSFILE hVfsFile, PRTCRX509CERTIFICATE pCertificate,
+                                                       PRTERRINFO pErrInfo)
+{
+    return RTCrPemWriteAsn1ToVfsFile(hVfsFile, &pCertificate->SeqCore.Asn1Core, 0 /*fFlags*/,
+                                     g_aRTCrX509CertificateMarkers[0].paWords[0].pszWord, pErrInfo);
+}
+
+/** @name X.509 Certificate Extensions
+ * @{ */
+/** Old AuthorityKeyIdentifier OID. */
+#define RTCRX509_ID_CE_OLD_AUTHORITY_KEY_IDENTIFIER_OID         "2.5.29.1"
+/** Old CertificatePolicies extension OID. */
+#define RTCRX509_ID_CE_OLD_CERTIFICATE_POLICIES_OID             "2.5.29.3"
+/** Old SubjectAltName extension OID. */
+#define RTCRX509_ID_CE_OLD_SUBJECT_ALT_NAME_OID                 "2.5.29.7"
+/** Old IssuerAltName extension OID. */
+#define RTCRX509_ID_CE_OLD_ISSUER_ALT_NAME_OID                  "2.5.29.8"
+/** Old BasicContraints extension OID. */
+#define RTCRX509_ID_CE_OLD_BASIC_CONSTRAINTS_OID                "2.5.29.10"
+/** SubjectKeyIdentifier OID. */
+#define RTCRX509_ID_CE_SUBJECT_KEY_IDENTIFIER_OID               "2.5.29.14"
+/** KeyUsage OID. */
+#define RTCRX509_ID_CE_KEY_USAGE_OID                            "2.5.29.15"
+/** PrivateKeyUsagePeriod OID. */
+#define RTCRX509_ID_CE_PRIVATE_KEY_USAGE_PERIOD_OID             "2.5.29.16"
+/** SubjectAltName extension OID. */
+#define RTCRX509_ID_CE_SUBJECT_ALT_NAME_OID                     "2.5.29.17"
+/** IssuerAltName extension OID. */
+#define RTCRX509_ID_CE_ISSUER_ALT_NAME_OID                      "2.5.29.18"
+/** BasicContraints extension OID. */
+#define RTCRX509_ID_CE_BASIC_CONSTRAINTS_OID                    "2.5.29.19"
+/** NameContraints extension OID. */
+#define RTCRX509_ID_CE_NAME_CONSTRAINTS_OID                     "2.5.29.30"
+/** CertificatePolicies extension OID. */
+#define RTCRX509_ID_CE_CERTIFICATE_POLICIES_OID                 "2.5.29.32"
+/** PolicyMappings extension OID. */
+#define RTCRX509_ID_CE_POLICY_MAPPINGS_OID                      "2.5.29.33"
+/** AuthorityKeyIdentifier OID. */
+#define RTCRX509_ID_CE_AUTHORITY_KEY_IDENTIFIER_OID             "2.5.29.35"
+/** PolicyContraints extension OID. */
+#define RTCRX509_ID_CE_POLICY_CONSTRAINTS_OID                   "2.5.29.36"
+/** ExtKeyUsage (extended key usage) extension OID. */
+#define RTCRX509_ID_CE_EXT_KEY_USAGE_OID                        "2.5.29.37"
+/** ExtKeyUsage: OID for permitting any unspecified key usage. */
+#define RTCRX509_ID_CE_ANY_EXTENDED_KEY_USAGE_OID               "2.5.29.37.0"
+/** AuthorityAttributeIdentifier OID. */
+#define RTCRX509_ID_CE_AUTHORITY_ATTRIBUTE_IDENTIFIER_OID       "2.5.29.38"
+/** AcceptableCertPolicies OID. */
+#define RTCRX509_ID_CE_ACCEPTABLE_CERT_POLICIES_OID             "2.5.29.52"
+/** InhibitAnyPolicy OID. */
+#define RTCRX509_ID_CE_INHIBIT_ANY_POLICY_OID                   "2.5.29.54"
+/** @} */
+
+
+/*
+ * Sequence of X.509 Certifcates (IPRT representation).
+ */
+RTASN1_IMPL_GEN_SET_OF_TYPEDEFS_AND_PROTOS(RTCRX509CERTIFICATES, RTCRX509CERTIFICATE, RTDECL, RTCrX509Certificates);
+
+/**
+ * Looks up a certificate by issuer name and serial number.
+ *
+ * @returns Pointer to the given certificate if found, NULL if not.
+ * @param   pCertificates   The X.509 certificate set to search.
+ * @param   pIssuer         The issuer name of the wanted certificate.
+ * @param   pSerialNumber   The serial number of the wanted certificate.
+ */
+RTDECL(PCRTCRX509CERTIFICATE) RTCrX509Certificates_FindByIssuerAndSerialNumber(PCRTCRX509CERTIFICATES pCertificates,
+                                                                               PCRTCRX509NAME pIssuer,
+                                                                               PCRTASN1INTEGER pSerialNumber);
+
+
+
+RTDECL(int) RTCrX509CertPathsCreate(PRTCRX509CERTPATHS phCertPaths, PCRTCRX509CERTIFICATE pTarget);
+RTDECL(uint32_t) RTCrX509CertPathsRetain(RTCRX509CERTPATHS hCertPaths);
+RTDECL(uint32_t) RTCrX509CertPathsRelease(RTCRX509CERTPATHS hCertPaths);
+RTDECL(int) RTCrX509CertPathsSetTrustedStore(RTCRX509CERTPATHS hCertPaths, RTCRSTORE hTrustedStore);
+RTDECL(int) RTCrX509CertPathsSetUntrustedStore(RTCRX509CERTPATHS hCertPaths, RTCRSTORE hUntrustedStore);
+RTDECL(int) RTCrX509CertPathsSetUntrustedArray(RTCRX509CERTPATHS hCertPaths, PCRTCRX509CERTIFICATE paCerts, uint32_t cCerts);
+RTDECL(int) RTCrX509CertPathsSetUntrustedSet(RTCRX509CERTPATHS hCertPaths, struct RTCRPKCS7SETOFCERTS const *pSetOfCerts);
+RTDECL(int) RTCrX509CertPathsSetValidTime(RTCRX509CERTPATHS hCertPaths, PCRTTIME pTime);
+RTDECL(int) RTCrX509CertPathsSetValidTimeSpec(RTCRX509CERTPATHS hCertPaths, PCRTTIMESPEC pTimeSpec);
+RTDECL(int) RTCrX509CertPathsSetTrustAnchorChecks(RTCRX509CERTPATHS hCertPaths, bool fEnable);
+RTDECL(int) RTCrX509CertPathsCreateEx(PRTCRX509CERTPATHS phCertPaths, PCRTCRX509CERTIFICATE pTarget, RTCRSTORE hTrustedStore,
+                                      RTCRSTORE hUntrustedStore, PCRTCRX509CERTIFICATE paUntrustedCerts, uint32_t cUntrustedCerts,
+                                      PCRTTIMESPEC pValidTime);
+RTDECL(int) RTCrX509CertPathsBuild(RTCRX509CERTPATHS hCertPaths, PRTERRINFO pErrInfo);
+RTDECL(int) RTCrX509CertPathsDumpOne(RTCRX509CERTPATHS hCertPaths, uint32_t iPath, uint32_t uVerbosity,
+                                     PFNRTDUMPPRINTFV pfnPrintfV, void *pvUser);
+RTDECL(int) RTCrX509CertPathsDumpAll(RTCRX509CERTPATHS hCertPaths, uint32_t uVerbosity,
+                                     PFNRTDUMPPRINTFV pfnPrintfV, void *pvUser);
+
+RTDECL(int) RTCrX509CertPathsValidateOne(RTCRX509CERTPATHS hCertPaths, uint32_t iPath, PRTERRINFO pErrInfo);
+RTDECL(int) RTCrX509CertPathsValidateAll(RTCRX509CERTPATHS hCertPaths, uint32_t *pcValidPaths, PRTERRINFO pErrInfo);
+
+RTDECL(uint32_t) RTCrX509CertPathsGetPathCount(RTCRX509CERTPATHS hCertPaths);
+RTDECL(int) RTCrX509CertPathsQueryPathInfo(RTCRX509CERTPATHS hCertPaths, uint32_t iPath,
+                                           bool *pfTrusted, uint32_t *pcNodes, PCRTCRX509NAME *ppSubject,
+                                           PCRTCRX509SUBJECTPUBLICKEYINFO *ppPublicKeyInfo,
+                                           PCRTCRX509CERTIFICATE *ppCert, PCRTCRCERTCTX *ppCertCtx, int *prcVerify);
+RTDECL(uint32_t) RTCrX509CertPathsGetPathLength(RTCRX509CERTPATHS hCertPaths, uint32_t iPath);
+RTDECL(int) RTCrX509CertPathsGetPathVerifyResult(RTCRX509CERTPATHS hCertPaths, uint32_t iPath);
+RTDECL(PCRTCRX509CERTIFICATE) RTCrX509CertPathsGetPathNodeCert(RTCRX509CERTPATHS hCertPaths, uint32_t iPath, uint32_t iNode);
+
+
+RT_C_DECLS_END
+
+/** @} */
+
+/** @} */
+
+#endif /* !IPRT_INCLUDED_crypto_x509_h */
+
-- 
cgit v1.2.3