/** @file * IPRT - Crypto - X.509, Public Key and Privilege Management Infrastructure. */ /* * Copyright (C) 2014-2022 Oracle and/or its affiliates. * * This file is part of VirtualBox base platform packages, as * available from https://www.virtualbox.org. * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License * as published by the Free Software Foundation, in version 3 of the * License. * * This program is distributed in the hope that it will be useful, but * WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, see . * * The contents of this file may alternatively be used under the terms * of the Common Development and Distribution License Version 1.0 * (CDDL), a copy of it is provided in the "COPYING.CDDL" file included * in the VirtualBox distribution, in which case the provisions of the * CDDL are applicable instead of those of the GPL. * * You may elect to license modified versions of this file under the * terms and conditions of either the GPL or the CDDL or both. * * SPDX-License-Identifier: GPL-3.0-only OR CDDL-1.0 */ #ifndef IPRT_INCLUDED_crypto_x509_h #define IPRT_INCLUDED_crypto_x509_h #ifndef RT_WITHOUT_PRAGMA_ONCE # pragma once #endif #include #include RT_C_DECLS_BEGIN struct RTCRPKCS7SETOFCERTS; /** @defgroup grp_rt_crypto Crypto * @ingroup grp_rt * @{ */ /** @defgroup grp_rt_crx509 RTCrX509 - Public Key and Privilege Management Infrastructure. * @{ */ /** * X.509 algorithm identifier (IPRT representation). */ typedef struct RTCRX509ALGORITHMIDENTIFIER { /** The sequence making up this algorithm identifier. */ RTASN1SEQUENCECORE SeqCore; /** The algorithm object ID. */ RTASN1OBJID Algorithm; /** Optional parameters specified by the algorithm. */ RTASN1DYNTYPE Parameters; } RTCRX509ALGORITHMIDENTIFIER; /** Poitner to the IPRT representation of a X.509 algorithm identifier. */ typedef RTCRX509ALGORITHMIDENTIFIER *PRTCRX509ALGORITHMIDENTIFIER; /** Poitner to the const IPRT representation of a X.509 algorithm identifier. */ typedef RTCRX509ALGORITHMIDENTIFIER const *PCRTCRX509ALGORITHMIDENTIFIER; RTASN1TYPE_STANDARD_PROTOTYPES(RTCRX509ALGORITHMIDENTIFIER, RTDECL, RTCrX509AlgorithmIdentifier, SeqCore.Asn1Core); RTASN1_IMPL_GEN_SET_OF_TYPEDEFS_AND_PROTOS(RTCRX509ALGORITHMIDENTIFIERS, RTCRX509ALGORITHMIDENTIFIER, RTDECL, RTCrX509AlgorithmIdentifiers); /** * Tries to convert an X.509 digest algorithm ID into a RTDIGESTTYPE value. * * @returns Valid RTDIGESTTYPE on success, RTDIGESTTYPE_INVALID on failure. * @param pThis The IPRT representation of a X.509 algorithm * identifier object. */ RTDECL(RTDIGESTTYPE) RTCrX509AlgorithmIdentifier_QueryDigestType(PCRTCRX509ALGORITHMIDENTIFIER pThis); /** * Tries to figure the digest size of an X.509 digest algorithm ID. * * @returns The digest size in bytes, UINT32_MAX if unknown digest. * @param pThis The IPRT representation of a X.509 algorithm * identifier object. */ RTDECL(uint32_t) RTCrX509AlgorithmIdentifier_QueryDigestSize(PCRTCRX509ALGORITHMIDENTIFIER pThis); RTDECL(int) RTCrX509AlgorithmIdentifier_CompareWithString(PCRTCRX509ALGORITHMIDENTIFIER pThis, const char *pszObjId); /** * Compares a digest with an encrypted digest algorithm, checking if they * specify the same digest. * * @returns 0 if same digest, -1 if the digest is unknown, 1 if the encrypted * digest does not match. * @param pDigest The digest algorithm. * @param pEncryptedDigest The encrypted digest algorithm. */ RTDECL(int) RTCrX509AlgorithmIdentifier_CompareDigestAndEncryptedDigest(PCRTCRX509ALGORITHMIDENTIFIER pDigest, PCRTCRX509ALGORITHMIDENTIFIER pEncryptedDigest); /** * Compares a digest OID with an encrypted digest algorithm OID, checking if * they specify the same digest. * * @returns 0 if same digest, -1 if the digest is unknown, 1 if the encrypted * digest does not match. * @param pszDigestOid The digest algorithm OID. * @param pszEncryptedDigestOid The encrypted digest algorithm OID. */ RTDECL(int) RTCrX509AlgorithmIdentifier_CompareDigestOidAndEncryptedDigestOid(const char *pszDigestOid, const char *pszEncryptedDigestOid); /** * Combine the encryption algorithm with the digest algorithm. * * @returns OID of encrypted digest algorithm. * @param pEncryption The encryption algorithm. Will work if this is * the OID of an encrypted digest algorithm too, as * long as it matches @a pDigest. * @param pDigest The digest algorithm. Will work if this is the * OID of an encrypted digest algorithm too, as * long as it matches @a pEncryption. */ RTDECL(const char *) RTCrX509AlgorithmIdentifier_CombineEncryptionAndDigest(PCRTCRX509ALGORITHMIDENTIFIER pEncryption, PCRTCRX509ALGORITHMIDENTIFIER pDigest); /** * Combine the encryption algorithm OID with the digest algorithm OID. * * @returns OID of encrypted digest algorithm. * @param pszEncryptionOid The encryption algorithm. Will work if this is * the OID of an encrypted digest algorithm too, as * long as it matches @a pszDigestOid. * @param pszDigestOid The digest algorithm. Will work if this is the * OID of an encrypted digest algorithm too, as * long as it matches @a pszEncryptionOid. */ RTDECL(const char *) RTCrX509AlgorithmIdentifier_CombineEncryptionOidAndDigestOid(const char *pszEncryptionOid, const char *pszDigestOid); /** @name Typical Digest Algorithm OIDs. * @{ */ #define RTCRX509ALGORITHMIDENTIFIERID_MD2 "1.2.840.113549.2.2" #define RTCRX509ALGORITHMIDENTIFIERID_MD4 "1.2.840.113549.2.4" #define RTCRX509ALGORITHMIDENTIFIERID_MD5 "1.2.840.113549.2.5" #define RTCRX509ALGORITHMIDENTIFIERID_SHA1 "1.3.14.3.2.26" #define RTCRX509ALGORITHMIDENTIFIERID_SHA256 "2.16.840.1.101.3.4.2.1" #define RTCRX509ALGORITHMIDENTIFIERID_SHA384 "2.16.840.1.101.3.4.2.2" #define RTCRX509ALGORITHMIDENTIFIERID_SHA512 "2.16.840.1.101.3.4.2.3" #define RTCRX509ALGORITHMIDENTIFIERID_SHA224 "2.16.840.1.101.3.4.2.4" #define RTCRX509ALGORITHMIDENTIFIERID_SHA512T224 "2.16.840.1.101.3.4.2.5" #define RTCRX509ALGORITHMIDENTIFIERID_SHA512T256 "2.16.840.1.101.3.4.2.6" #define RTCRX509ALGORITHMIDENTIFIERID_SHA3_224 "2.16.840.1.101.3.4.2.7" #define RTCRX509ALGORITHMIDENTIFIERID_SHA3_256 "2.16.840.1.101.3.4.2.8" #define RTCRX509ALGORITHMIDENTIFIERID_SHA3_384 "2.16.840.1.101.3.4.2.9" #define RTCRX509ALGORITHMIDENTIFIERID_SHA3_512 "2.16.840.1.101.3.4.2.10" #define RTCRX509ALGORITHMIDENTIFIERID_WHIRLPOOL "1.0.10118.3.0.55" /** @} */ /** @name Encrypted Digest Algorithm OIDs. * @remarks The PKCS variants are the default ones, alternative OID are marked * as such. * @{ */ #define RTCRX509ALGORITHMIDENTIFIERID_RSA "1.2.840.113549.1.1.1" #define RTCRX509ALGORITHMIDENTIFIERID_MD2_WITH_RSA "1.2.840.113549.1.1.2" #define RTCRX509ALGORITHMIDENTIFIERID_MD4_WITH_RSA "1.2.840.113549.1.1.3" #define RTCRX509ALGORITHMIDENTIFIERID_MD5_WITH_RSA "1.2.840.113549.1.1.4" #define RTCRX509ALGORITHMIDENTIFIERID_SHA1_WITH_RSA "1.2.840.113549.1.1.5" #define RTCRX509ALGORITHMIDENTIFIERID_SHA256_WITH_RSA "1.2.840.113549.1.1.11" #define RTCRX509ALGORITHMIDENTIFIERID_SHA384_WITH_RSA "1.2.840.113549.1.1.12" #define RTCRX509ALGORITHMIDENTIFIERID_SHA512_WITH_RSA "1.2.840.113549.1.1.13" #define RTCRX509ALGORITHMIDENTIFIERID_SHA224_WITH_RSA "1.2.840.113549.1.1.14" #define RTCRX509ALGORITHMIDENTIFIERID_SHA512T224_WITH_RSA "1.2.840.113549.1.1.15" #define RTCRX509ALGORITHMIDENTIFIERID_SHA512T256_WITH_RSA "1.2.840.113549.1.1.16" #define RTCRX509ALGORITHMIDENTIFIERID_SHA3_224_WITH_RSA "2.16.840.1.101.3.4.3.13" #define RTCRX509ALGORITHMIDENTIFIERID_SHA3_256_WITH_RSA "2.16.840.1.101.3.4.3.14" #define RTCRX509ALGORITHMIDENTIFIERID_SHA3_384_WITH_RSA "2.16.840.1.101.3.4.3.15" #define RTCRX509ALGORITHMIDENTIFIERID_SHA3_512_WITH_RSA "2.16.840.1.101.3.4.3.16" /** @} */ /** * One X.509 AttributeTypeAndValue (IPRT representation). */ typedef struct RTCRX509ATTRIBUTETYPEANDVALUE { /** Sequence core. */ RTASN1SEQUENCECORE SeqCore; /** The attribute type (object ID). */ RTASN1OBJID Type; /** The attribute value (what it is is defined by Type). */ RTASN1DYNTYPE Value; } RTCRX509ATTRIBUTETYPEANDVALUE; /** Pointer to a X.509 AttributeTypeAndValue (IPRT representation). */ typedef RTCRX509ATTRIBUTETYPEANDVALUE *PRTCRX509ATTRIBUTETYPEANDVALUE; /** Pointer to a const X.509 AttributeTypeAndValue (IPRT representation). */ typedef RTCRX509ATTRIBUTETYPEANDVALUE const *PCRTCRX509ATTRIBUTETYPEANDVALUE; RTASN1TYPE_STANDARD_PROTOTYPES(RTCRX509ATTRIBUTETYPEANDVALUE, RTDECL, RTCrX509AttributeTypeAndValue, SeqCore.Asn1Core); RTASN1_IMPL_GEN_SET_OF_TYPEDEFS_AND_PROTOS(RTCRX509ATTRIBUTETYPEANDVALUES, RTCRX509ATTRIBUTETYPEANDVALUE, RTDECL, RTCrX509AttributeTypeAndValues); RTASN1TYPE_ALIAS(RTCRX509RELATIVEDISTINGUISHEDNAME, RTCRX509ATTRIBUTETYPEANDVALUES, RTCrX509RelativeDistinguishedName, RTCrX509AttributeTypeAndValues); RTASN1_IMPL_GEN_SEQ_OF_TYPEDEFS_AND_PROTOS(RTCRX509NAME, RTCRX509RELATIVEDISTINGUISHEDNAME, RTDECL, RTCrX509Name); RTDECL(int) RTCrX509Name_CheckSanity(PCRTCRX509NAME pName, uint32_t fFlags, PRTERRINFO pErrInfo, const char *pszErrorTag); RTDECL(bool) RTCrX509Name_MatchByRfc5280(PCRTCRX509NAME pLeft, PCRTCRX509NAME pRight); /** * Name constraint matching (RFC-5280). * * @returns true on match, false on mismatch. * @param pConstraint The constraint name. * @param pName The name to match against the constraint. * @sa RTCrX509GeneralName_ConstraintMatch, * RTCrX509RelativeDistinguishedName_ConstraintMatch */ RTDECL(bool) RTCrX509Name_ConstraintMatch(PCRTCRX509NAME pConstraint, PCRTCRX509NAME pName); RTDECL(int) RTCrX509Name_RecodeAsUtf8(PRTCRX509NAME pThis, PCRTASN1ALLOCATORVTABLE pAllocator); /** * Matches the directory name against a comma separated list of the component * strings (case sensitive). * * @returns true if match, false if mismatch. * @param pThis The name object. * @param pszString The string to match against. For example: * "C=US, ST=California, L=Redwood Shores, O=Oracle Corporation" * * @remarks This is doing a straight compare, no extra effort is expended in * dealing with different component order. If the component order * differs, there won't be any match. */ RTDECL(bool) RTCrX509Name_MatchWithString(PCRTCRX509NAME pThis, const char *pszString); /** * Formats the name as a command separated list of components with type * prefixes. * * The output of this function is suitable for use with * RTCrX509Name_MatchWithString. * * @returns IPRT status code. * @param pThis The name object. * @param pszBuf The output buffer. * @param cbBuf The size of the output buffer. * @param pcbActual Where to return the number of bytes required for the * output, including the null terminator character. * Optional. */ RTDECL(int) RTCrX509Name_FormatAsString(PCRTCRX509NAME pThis, char *pszBuf, size_t cbBuf, size_t *pcbActual); /** * Looks up the RDN ID and returns the short name for it, if found. * * @returns Short name (e.g. 'CN') or NULL. * @param pRdnId The RDN ID to look up. */ RTDECL(const char *) RTCrX509Name_GetShortRdn(PCRTASN1OBJID pRdnId); /** * One X.509 OtherName (IPRT representation). */ typedef struct RTCRX509OTHERNAME { /** The sequence core. */ RTASN1SEQUENCECORE SeqCore; /** The name type identifier. */ RTASN1OBJID TypeId; /** The name value (explicit tag 0). */ RTASN1DYNTYPE Value; } RTCRX509OTHERNAME; /** Pointer to a X.509 OtherName (IPRT representation). */ typedef RTCRX509OTHERNAME *PRTCRX509OTHERNAME; /** Pointer to a const X.509 OtherName (IPRT representation). */ typedef RTCRX509OTHERNAME const *PCRTCRX509OTHERNAME; RTASN1TYPE_STANDARD_PROTOTYPES(RTCRX509OTHERNAME, RTDECL, RTCrX509OtherName, SeqCore.Asn1Core); typedef enum RTCRX509GENERALNAMECHOICE { RTCRX509GENERALNAMECHOICE_INVALID = 0, RTCRX509GENERALNAMECHOICE_OTHER_NAME, RTCRX509GENERALNAMECHOICE_RFC822_NAME, RTCRX509GENERALNAMECHOICE_DNS_NAME, RTCRX509GENERALNAMECHOICE_X400_ADDRESS, RTCRX509GENERALNAMECHOICE_DIRECTORY_NAME, RTCRX509GENERALNAMECHOICE_EDI_PARTY_NAME, RTCRX509GENERALNAMECHOICE_URI, RTCRX509GENERALNAMECHOICE_IP_ADDRESS, RTCRX509GENERALNAMECHOICE_REGISTERED_ID, RTCRX509GENERALNAMECHOICE_END, RTCRX509GENERALNAMECHOICE_32BIT_HACK = 0x7fffffff } RTCRX509GENERALNAMECHOICE; /** * One X.509 GeneralName (IPRT representation). * * This is represented as a union. Use the RTCRX509GENERALNAME_IS_XXX predicate * macros to figure out which member is valid (Asn1Core is always valid). */ typedef struct RTCRX509GENERALNAME { /** Dummy ASN.1 record, not encoded. */ RTASN1DUMMY Dummy; /** The value allocation. */ RTASN1ALLOCATION Allocation; /** The choice of value. */ RTCRX509GENERALNAMECHOICE enmChoice; /** The value union. */ union { /** Tag 0: Other Name. */ PRTCRX509OTHERNAME pT0_OtherName; /** Tag 1: RFC-822 Name. */ PRTASN1STRING pT1_Rfc822; /** Tag 2: DNS name. */ PRTASN1STRING pT2_DnsName; /** Tag 3: X.400 Address. */ struct { /** Context tag 3. */ RTASN1CONTEXTTAG3 CtxTag3; /** Later. */ RTASN1DYNTYPE X400Address; } *pT3; /** Tag 4: Directory Name. */ struct { /** Context tag 4. */ RTASN1CONTEXTTAG4 CtxTag4; /** Directory name. */ RTCRX509NAME DirectoryName; } *pT4; /** Tag 5: EDI Party Name. */ struct { /** Context tag 5. */ RTASN1CONTEXTTAG5 CtxTag5; /** Later. */ RTASN1DYNTYPE EdiPartyName; } *pT5; /** Tag 6: URI. */ PRTASN1STRING pT6_Uri; /** Tag 7: IP address. Either 4/8 (IPv4) or 16/32 (IPv16) octets long. */ PRTASN1OCTETSTRING pT7_IpAddress; /** Tag 8: Registered ID. */ PRTASN1OBJID pT8_RegisteredId; } u; } RTCRX509GENERALNAME; /** Pointer to the IPRT representation of an X.509 general name. */ typedef RTCRX509GENERALNAME *PRTCRX509GENERALNAME; /** Pointer to the const IPRT representation of an X.509 general name. */ typedef RTCRX509GENERALNAME const *PCRTCRX509GENERALNAME; RTASN1TYPE_STANDARD_PROTOTYPES(RTCRX509GENERALNAME, RTDECL, RTCrX509GeneralName, Dummy.Asn1Core); /** @name RTCRX509GENERALNAME tag predicates. * @{ */ #define RTCRX509GENERALNAME_IS_OTHER_NAME(a_GenName) ((a_GenName)->enmChoice == RTCRX509GENERALNAMECHOICE_OTHER_NAME) #define RTCRX509GENERALNAME_IS_RFC822_NAME(a_GenName) ((a_GenName)->enmChoice == RTCRX509GENERALNAMECHOICE_RFC822_NAME) #define RTCRX509GENERALNAME_IS_DNS_NAME(a_GenName) ((a_GenName)->enmChoice == RTCRX509GENERALNAMECHOICE_DNS_NAME) #define RTCRX509GENERALNAME_IS_X400_ADDRESS(a_GenName) ((a_GenName)->enmChoice == RTCRX509GENERALNAMECHOICE_X400_ADDRESS) #define RTCRX509GENERALNAME_IS_DIRECTORY_NAME(a_GenName) ((a_GenName)->enmChoice == RTCRX509GENERALNAMECHOICE_DIRECTORY_NAME) #define RTCRX509GENERALNAME_IS_EDI_PARTY_NAME(a_GenName) ((a_GenName)->enmChoice == RTCRX509GENERALNAMECHOICE_EDI_PARTY_NAME) #define RTCRX509GENERALNAME_IS_URI(a_GenName) ((a_GenName)->enmChoice == RTCRX509GENERALNAMECHOICE_URI) #define RTCRX509GENERALNAME_IS_IP_ADDRESS(a_GenName) ((a_GenName)->enmChoice == RTCRX509GENERALNAMECHOICE_IP_ADDRESS) #define RTCRX509GENERALNAME_IS_REGISTERED_ID(a_GenName) ((a_GenName)->enmChoice == RTCRX509GENERALNAMECHOICE_REGISTERED_ID) /** @} */ RTASN1_IMPL_GEN_SEQ_OF_TYPEDEFS_AND_PROTOS(RTCRX509GENERALNAMES, RTCRX509GENERALNAME, RTDECL, RTCrX509GeneralNames); RTDECL(bool) RTCrX509GeneralName_ConstraintMatch(PCRTCRX509GENERALNAME pConstraint, PCRTCRX509GENERALNAME pName); /** * X.509 Validity (IPRT representation). */ typedef struct RTCRX509VALIDITY { /** Core sequence bits. */ RTASN1SEQUENCECORE SeqCore; /** Effective starting. */ RTASN1TIME NotBefore; /** Expires after. */ RTASN1TIME NotAfter; } RTCRX509VALIDITY; /** Pointer to the IPRT representation of an X.509 validity sequence. */ typedef RTCRX509VALIDITY *PRTCRX509VALIDITY; /** Pointer ot the const IPRT representation of an X.509 validity sequence. */ typedef RTCRX509VALIDITY const *PCRTCRX509VALIDITY; RTASN1TYPE_STANDARD_PROTOTYPES(RTCRX509VALIDITY, RTDECL, RTCrX509Validity, SeqCore.Asn1Core); RTDECL(bool) RTCrX509Validity_IsValidAtTimeSpec(PCRTCRX509VALIDITY pThis, PCRTTIMESPEC pTimeSpec); #if 0 /** * X.509 UniqueIdentifier (IPRT representation). */ typedef struct RTCRX509UNIQUEIDENTIFIER { /** Representation is a bit string. */ RTASN1BITSTRING BitString; } RTCRX509UNIQUEIDENTIFIER; /** Pointer to the IPRT representation of an X.509 unique identifier. */ typedef RTCRX509UNIQUEIDENTIFIER *PRTCRX509UNIQUEIDENTIFIER; /** Pointer to the const IPRT representation of an X.509 unique identifier. */ typedef RTCRX509UNIQUEIDENTIFIER const *PCRTCRX509UNIQUEIDENTIFIER; RTASN1TYPE_STANDARD_PROTOTYPES_NO_GET_CORE(RTCRX509UNIQUEIDENTIFIER, RTDECL, RTCrX509UniqueIdentifier); #endif RTASN1TYPE_ALIAS(RTCRX509UNIQUEIDENTIFIER, RTASN1BITSTRING, RTCrX509UniqueIdentifier, RTAsn1BitString); /** * X.509 SubjectPublicKeyInfo (IPRT representation). */ typedef struct RTCRX509SUBJECTPUBLICKEYINFO { /** Core sequence bits. */ RTASN1SEQUENCECORE SeqCore; /** The algorithm used with the public key. */ RTCRX509ALGORITHMIDENTIFIER Algorithm; /** A bit string containing the public key. * * For algorithms like rsaEncryption this is generally a sequence of two * integers, where the first one has lots of bits, and the second one being a * modulous value. These are details specific to the algorithm and not relevant * when validating the certificate chain. */ RTASN1BITSTRING SubjectPublicKey; } RTCRX509SUBJECTPUBLICKEYINFO; /** Pointer to the IPRT representation of an X.509 subject public key info * sequence. */ typedef RTCRX509SUBJECTPUBLICKEYINFO *PRTCRX509SUBJECTPUBLICKEYINFO; /** Pointer to the const IPRT representation of an X.509 subject public key info * sequence. */ typedef RTCRX509SUBJECTPUBLICKEYINFO const *PCRTCRX509SUBJECTPUBLICKEYINFO; RTASN1TYPE_STANDARD_PROTOTYPES(RTCRX509SUBJECTPUBLICKEYINFO, RTDECL, RTCrX509SubjectPublicKeyInfo, SeqCore.Asn1Core); /** * One X.509 AuthorityKeyIdentifier (IPRT representation). */ typedef struct RTCRX509AUTHORITYKEYIDENTIFIER { /** Sequence core. */ RTASN1SEQUENCECORE SeqCore; /** Tag 0, optional, implicit: Key identifier. */ RTASN1OCTETSTRING KeyIdentifier; /** Tag 1, optional, implicit: Issuer name. */ RTCRX509GENERALNAMES AuthorityCertIssuer; /** Tag 2, optional, implicit: Serial number of issuer. */ RTASN1INTEGER AuthorityCertSerialNumber; } RTCRX509AUTHORITYKEYIDENTIFIER; /** Pointer to the IPRT representation of an X.509 AuthorityKeyIdentifier * sequence. */ typedef RTCRX509AUTHORITYKEYIDENTIFIER *PRTCRX509AUTHORITYKEYIDENTIFIER; /** Pointer to the const IPRT representation of an X.509 AuthorityKeyIdentifier * sequence. */ typedef RTCRX509AUTHORITYKEYIDENTIFIER const *PCRTCRX509AUTHORITYKEYIDENTIFIER; RTASN1TYPE_STANDARD_PROTOTYPES(RTCRX509AUTHORITYKEYIDENTIFIER, RTDECL, RTCrX509AuthorityKeyIdentifier, SeqCore.Asn1Core); /** * One X.509 OldAuthorityKeyIdentifier (IPRT representation). */ typedef struct RTCRX509OLDAUTHORITYKEYIDENTIFIER { /** Sequence core. */ RTASN1SEQUENCECORE SeqCore; /** Tag 0, optional, implicit: Key identifier. */ RTASN1OCTETSTRING KeyIdentifier; struct { RTASN1CONTEXTTAG1 CtxTag1; /** Tag 1, optional, implicit: Issuer name. */ RTCRX509NAME AuthorityCertIssuer; } T1; /** Tag 2, optional, implicit: Serial number of issuer. */ RTASN1INTEGER AuthorityCertSerialNumber; } RTCRX509OLDAUTHORITYKEYIDENTIFIER; /** Pointer to the IPRT representation of an X.509 AuthorityKeyIdentifier * sequence. */ typedef RTCRX509OLDAUTHORITYKEYIDENTIFIER *PRTCRX509OLDAUTHORITYKEYIDENTIFIER; /** Pointer to the const IPRT representation of an X.509 AuthorityKeyIdentifier * sequence. */ typedef RTCRX509OLDAUTHORITYKEYIDENTIFIER const *PCRTCRX509OLDAUTHORITYKEYIDENTIFIER; RTASN1TYPE_STANDARD_PROTOTYPES(RTCRX509OLDAUTHORITYKEYIDENTIFIER, RTDECL, RTCrX509OldAuthorityKeyIdentifier, SeqCore.Asn1Core); /** * One X.509 PolicyQualifierInfo (IPRT representation). */ typedef struct RTCRX509POLICYQUALIFIERINFO { /** Core sequence bits. */ RTASN1SEQUENCECORE SeqCore; /** The policy object ID. */ RTASN1OBJID PolicyQualifierId; /** Anything defined by the policy qualifier id. */ RTASN1DYNTYPE Qualifier; } RTCRX509POLICYQUALIFIERINFO; /** Pointer to the IPRT representation of an X.509 PolicyQualifierInfo * sequence. */ typedef RTCRX509POLICYQUALIFIERINFO *PRTCRX509POLICYQUALIFIERINFO; /** Pointer to the const IPRT representation of an X.509 PolicyQualifierInfo * sequence. */ typedef RTCRX509POLICYQUALIFIERINFO const *PCRTCRX509POLICYQUALIFIERINFO; RTASN1TYPE_STANDARD_PROTOTYPES(RTCRX509POLICYQUALIFIERINFO, RTDECL, RTCrX509PolicyQualifierInfo, SeqCore.Asn1Core); RTASN1_IMPL_GEN_SEQ_OF_TYPEDEFS_AND_PROTOS(RTCRX509POLICYQUALIFIERINFOS, RTCRX509POLICYQUALIFIERINFO, RTDECL, RTCrX509PolicyQualifierInfos); /** * One X.509 PolicyInformation (IPRT representation). */ typedef struct RTCRX509POLICYINFORMATION { /** Core sequence bits. */ RTASN1SEQUENCECORE SeqCore; /** The policy object ID. */ RTASN1OBJID PolicyIdentifier; /** Optional sequence of policy qualifiers. */ RTCRX509POLICYQUALIFIERINFOS PolicyQualifiers; } RTCRX509POLICYINFORMATION; /** Pointer to the IPRT representation of an X.509 PolicyInformation * sequence. */ typedef RTCRX509POLICYINFORMATION *PRTCRX509POLICYINFORMATION; /** Pointer to the const IPRT representation of an X.509 PolicyInformation * sequence. */ typedef RTCRX509POLICYINFORMATION const *PCRTCRX509POLICYINFORMATION; RTASN1TYPE_STANDARD_PROTOTYPES(RTCRX509POLICYINFORMATION, RTDECL, RTCrX509PolicyInformation, SeqCore.Asn1Core); RTASN1_IMPL_GEN_SEQ_OF_TYPEDEFS_AND_PROTOS(RTCRX509CERTIFICATEPOLICIES, RTCRX509POLICYINFORMATION, RTDECL, RTCrX509CertificatePolicies); /** Sepcial policy object ID that matches any policy. */ #define RTCRX509_ID_CE_CP_ANY_POLICY_OID "2.5.29.32.0" /** * One X.509 PolicyMapping (IPRT representation). */ typedef struct RTCRX509POLICYMAPPING { /** Core sequence bits. */ RTASN1SEQUENCECORE SeqCore; /** Issuer policy ID. */ RTASN1OBJID IssuerDomainPolicy; /** Subject policy ID. */ RTASN1OBJID SubjectDomainPolicy; } RTCRX509POLICYMAPPING; /** Pointer to the IPRT representation of a sequence of X.509 PolicyMapping. */ typedef RTCRX509POLICYMAPPING *PRTCRX509POLICYMAPPING; /** Pointer to the const IPRT representation of a sequence of X.509 * PolicyMapping. */ typedef RTCRX509POLICYMAPPING const *PCRTCRX509POLICYMAPPING; RTASN1TYPE_STANDARD_PROTOTYPES(RTCRX509POLICYMAPPING, RTDECL, RTCrX509PolicyMapping, SeqCore.Asn1Core); RTASN1_IMPL_GEN_SEQ_OF_TYPEDEFS_AND_PROTOS(RTCRX509POLICYMAPPINGS, RTCRX509POLICYMAPPING, RTDECL, RTCrX509PolicyMappings); /** * X.509 BasicConstraints (IPRT representation). */ typedef struct RTCRX509BASICCONSTRAINTS { /** Core sequence bits. */ RTASN1SEQUENCECORE SeqCore; /** Is this ia certficiate authority? Default to false. */ RTASN1BOOLEAN CA; /** Path length constraint. */ RTASN1INTEGER PathLenConstraint; } RTCRX509BASICCONSTRAINTS; /** Pointer to the IPRT representation of a sequence of X.509 * BasicConstraints. */ typedef RTCRX509BASICCONSTRAINTS *PRTCRX509BASICCONSTRAINTS; /** Pointer to the const IPRT representation of a sequence of X.509 * BasicConstraints. */ typedef RTCRX509BASICCONSTRAINTS const *PCRTCRX509BASICCONSTRAINTS; RTASN1TYPE_STANDARD_PROTOTYPES(RTCRX509BASICCONSTRAINTS, RTDECL, RTCrX509BasicConstraints, SeqCore.Asn1Core); /** * X.509 GeneralSubtree (IPRT representation). */ typedef struct RTCRX509GENERALSUBTREE { /** Core sequence bits. */ RTASN1SEQUENCECORE SeqCore; /** Base name. */ RTCRX509GENERALNAME Base; /** Tag 0, optional: Minimum, default 0. Fixed at 0 by RFC-5280. */ RTASN1INTEGER Minimum; /** Tag 1, optional: Maximum. Fixed as not-present by RFC-5280. */ RTASN1INTEGER Maximum; } RTCRX509GENERALSUBTREE; /** Pointer to the IPRT representation of a sequence of X.509 GeneralSubtree. */ typedef RTCRX509GENERALSUBTREE *PRTCRX509GENERALSUBTREE; /** Pointer to the const IPRT representation of a sequence of X.509 * GeneralSubtree. */ typedef RTCRX509GENERALSUBTREE const *PCRTCRX509GENERALSUBTREE; RTASN1TYPE_STANDARD_PROTOTYPES(RTCRX509GENERALSUBTREE, RTDECL, RTCrX509GeneralSubtree, SeqCore.Asn1Core); RTDECL(bool) RTCrX509GeneralSubtree_ConstraintMatch(PCRTCRX509GENERALSUBTREE pConstraint, PCRTCRX509GENERALSUBTREE pName); RTASN1_IMPL_GEN_SEQ_OF_TYPEDEFS_AND_PROTOS(RTCRX509GENERALSUBTREES, RTCRX509GENERALSUBTREE, RTDECL, RTCrX509GeneralSubtrees); /** * X.509 NameConstraints (IPRT representation). */ typedef struct RTCRX509NAMECONSTRAINTS { /** Core sequence bits. */ RTASN1SEQUENCECORE SeqCore; /** Tag 0, optional: Permitted subtrees. */ struct { /** Context tag. */ RTASN1CONTEXTTAG0 CtxTag0; /** The permitted subtrees. */ RTCRX509GENERALSUBTREES PermittedSubtrees; } T0; /** Tag 1, optional: Excluded subtrees. */ struct { /** Context tag. */ RTASN1CONTEXTTAG1 CtxTag1; /** The excluded subtrees. */ RTCRX509GENERALSUBTREES ExcludedSubtrees; } T1; } RTCRX509NAMECONSTRAINTS; /** Pointer to the IPRT representation of a sequence of X.509 * NameConstraints. */ typedef RTCRX509NAMECONSTRAINTS *PRTCRX509NAMECONSTRAINTS; /** Pointer to the const IPRT representation of a sequence of X.509 * NameConstraints. */ typedef RTCRX509NAMECONSTRAINTS const *PCRTCRX509NAMECONSTRAINTS; RTASN1TYPE_STANDARD_PROTOTYPES(RTCRX509NAMECONSTRAINTS, RTDECL, RTCrX509NameConstraints, SeqCore.Asn1Core); /** * X.509 PolicyConstraints (IPRT representation). */ typedef struct RTCRX509POLICYCONSTRAINTS { /** Core sequence bits. */ RTASN1SEQUENCECORE SeqCore; /** Tag 0, optional: Certificates before an explicit policy is required. */ RTASN1INTEGER RequireExplicitPolicy; /** Tag 1, optional: Certificates before policy mapping is inhibited. */ RTASN1INTEGER InhibitPolicyMapping; } RTCRX509POLICYCONSTRAINTS; /** Pointer to the IPRT representation of a sequence of X.509 * PolicyConstraints. */ typedef RTCRX509POLICYCONSTRAINTS *PRTCRX509POLICYCONSTRAINTS; /** Pointer to the const IPRT representation of a sequence of X.509 * PolicyConstraints. */ typedef RTCRX509POLICYCONSTRAINTS const *PCRTCRX509POLICYCONSTRAINTS; RTASN1TYPE_STANDARD_PROTOTYPES(RTCRX509POLICYCONSTRAINTS, RTDECL, RTCrX509PolicyConstraints, SeqCore.Asn1Core); /** * Indicates what an X.509 extension value encapsulates. */ typedef enum RTCRX509EXTENSIONVALUE { RTCRX509EXTENSIONVALUE_INVALID = 0, /** Unknown, no decoding available just the octet string. */ RTCRX509EXTENSIONVALUE_UNKNOWN, /** Unencapsulated (i.e. octet string). */ RTCRX509EXTENSIONVALUE_NOT_ENCAPSULATED, /** Bit string (RTASN1BITSTRING). */ RTCRX509EXTENSIONVALUE_BIT_STRING, /** Octet string (RTASN1OCTETSTRING). */ RTCRX509EXTENSIONVALUE_OCTET_STRING, /** Integer string (RTASN1INTEGER). */ RTCRX509EXTENSIONVALUE_INTEGER, /** Sequence of object identifiers (RTASN1SEQOFOBJIDS). */ RTCRX509EXTENSIONVALUE_SEQ_OF_OBJ_IDS, /** Authority key identifier (RTCRX509AUTHORITYKEYIDENTIFIER). */ RTCRX509EXTENSIONVALUE_AUTHORITY_KEY_IDENTIFIER, /** Old Authority key identifier (RTCRX509OLDAUTHORITYKEYIDENTIFIER). */ RTCRX509EXTENSIONVALUE_OLD_AUTHORITY_KEY_IDENTIFIER, /** Certificate policies (RTCRX509CERTIFICATEPOLICIES). */ RTCRX509EXTENSIONVALUE_CERTIFICATE_POLICIES, /** Sequence of policy mappings (RTCRX509POLICYMAPPINGS). */ RTCRX509EXTENSIONVALUE_POLICY_MAPPINGS, /** Basic constraints (RTCRX509BASICCONSTRAINTS). */ RTCRX509EXTENSIONVALUE_BASIC_CONSTRAINTS, /** Name constraints (RTCRX509NAMECONSTRAINTS). */ RTCRX509EXTENSIONVALUE_NAME_CONSTRAINTS, /** Policy constraints (RTCRX509POLICYCONSTRAINTS). */ RTCRX509EXTENSIONVALUE_POLICY_CONSTRAINTS, /** Sequence of general names (RTCRX509GENERALNAMES). */ RTCRX509EXTENSIONVALUE_GENERAL_NAMES, /** Blow the type up to 32-bits. */ RTCRX509EXTENSIONVALUE_32BIT_HACK = 0x7fffffff } RTCRX509EXTENSIONVALUE; /** * One X.509 Extension (IPRT representation). */ typedef struct RTCRX509EXTENSION { /** Core sequence bits. */ RTASN1SEQUENCECORE SeqCore; /** Extension ID. */ RTASN1OBJID ExtnId; /** Whether this is critical (default @c false). */ RTASN1BOOLEAN Critical; /** Indicates what ExtnValue.pEncapsulated points at. */ RTCRX509EXTENSIONVALUE enmValue; /** The value. * Contains extension specific data that we don't yet parse. */ RTASN1OCTETSTRING ExtnValue; } RTCRX509EXTENSION; /** Pointer to the IPRT representation of one X.509 extensions. */ typedef RTCRX509EXTENSION *PRTCRX509EXTENSION; /** Pointer to the const IPRT representation of one X.509 extension. */ typedef RTCRX509EXTENSION const *PCRTCRX509EXTENSION; RTASN1TYPE_STANDARD_PROTOTYPES(RTCRX509EXTENSION, RTDECL, RTCrX509Extension, SeqCore.Asn1Core); RTASN1_IMPL_GEN_SEQ_OF_TYPEDEFS_AND_PROTOS(RTCRX509EXTENSIONS, RTCRX509EXTENSION, RTDECL, RTCrX509Extensions); RTDECL(int) RTCrX509Extension_ExtnValue_DecodeAsn1(PRTASN1CURSOR pCursor, uint32_t fFlags, PRTCRX509EXTENSION pThis, const char *pszErrorTag); /** * X.509 To-be-signed certificate information (IPRT representation). */ typedef struct RTCRX509TBSCERTIFICATE { /** Sequence core. */ RTASN1SEQUENCECORE SeqCore; /** Structure version. */ struct { /** Context tag with value 0. */ RTASN1CONTEXTTAG0 CtxTag0; /** The actual value (RTCRX509TBSCERTIFICATE_V1, ...). */ RTASN1INTEGER Version; } T0; /** The serial number of the certificate. */ RTASN1INTEGER SerialNumber; /** The signature algorithm. */ RTCRX509ALGORITHMIDENTIFIER Signature; /** The issuer name. */ RTCRX509NAME Issuer; /** The certificate validity period. */ RTCRX509VALIDITY Validity; /** The subject name. */ RTCRX509NAME Subject; /** The public key for this certificate. */ RTCRX509SUBJECTPUBLICKEYINFO SubjectPublicKeyInfo; /** Issuer unique identifier (optional, version >= v2). */ struct { /** Context tag with value 1. */ RTASN1CONTEXTTAG1 CtxTag1; /** The unique identifier value. */ RTCRX509UNIQUEIDENTIFIER IssuerUniqueId; } T1; /** Subject unique identifier (optional, version >= v2). */ struct { /** Context tag with value 2. */ RTASN1CONTEXTTAG2 CtxTag2; /** The unique identifier value. */ RTCRX509UNIQUEIDENTIFIER SubjectUniqueId; } T2; /** Extensions (optional, version >= v3). */ struct { /** Context tag with value 3. */ RTASN1CONTEXTTAG3 CtxTag3; /** The unique identifier value. */ RTCRX509EXTENSIONS Extensions; /** Extensions summary flags (RTCRX509TBSCERTIFICATE_F_PRESENT_XXX). */ uint32_t fFlags; /** Key usage flags (RTCRX509CERT_KEY_USAGE_F_XXX). */ uint32_t fKeyUsage; /** Extended key usage flags (RTCRX509CERT_EKU_F_XXX). */ uint64_t fExtKeyUsage; /** Pointer to the authority key ID extension if present. */ PCRTCRX509AUTHORITYKEYIDENTIFIER pAuthorityKeyIdentifier; /** Pointer to the OLD authority key ID extension if present. */ PCRTCRX509OLDAUTHORITYKEYIDENTIFIER pOldAuthorityKeyIdentifier; /** Pointer to the subject key ID extension if present. */ PCRTASN1OCTETSTRING pSubjectKeyIdentifier; /** Pointer to the alternative subject name extension if present. */ PCRTCRX509GENERALNAMES pAltSubjectName; /** Pointer to the alternative issuer name extension if present. */ PCRTCRX509GENERALNAMES pAltIssuerName; /** Pointer to the certificate policies extension if present. */ PCRTCRX509CERTIFICATEPOLICIES pCertificatePolicies; /** Pointer to the policy mappings extension if present. */ PCRTCRX509POLICYMAPPINGS pPolicyMappings; /** Pointer to the basic constraints extension if present. */ PCRTCRX509BASICCONSTRAINTS pBasicConstraints; /** Pointer to the name constraints extension if present. */ PCRTCRX509NAMECONSTRAINTS pNameConstraints; /** Pointer to the policy constraints extension if present. */ PCRTCRX509POLICYCONSTRAINTS pPolicyConstraints; /** Pointer to the inhibit anyPolicy extension if present. */ PCRTASN1INTEGER pInhibitAnyPolicy; } T3; } RTCRX509TBSCERTIFICATE; /** Pointer to the IPRT representation of a X.509 TBSCertificate. */ typedef RTCRX509TBSCERTIFICATE *PRTCRX509TBSCERTIFICATE; /** Pointer to the const IPRT representation of a X.509 TBSCertificate. */ typedef RTCRX509TBSCERTIFICATE const *PCRTCRX509TBSCERTIFICATE; RTASN1TYPE_STANDARD_PROTOTYPES(RTCRX509TBSCERTIFICATE, RTDECL, RTCrX509TbsCertificate, SeqCore.Asn1Core); /** @name RTCRX509TBSCERTIFICATE::T0.Version values. * @{ */ #define RTCRX509TBSCERTIFICATE_V1 0 #define RTCRX509TBSCERTIFICATE_V2 1 #define RTCRX509TBSCERTIFICATE_V3 2 /** @} */ /** @name RTCRX509TBSCERTIFICATE::T3.fFlags values. * @{ */ #define RTCRX509TBSCERTIFICATE_F_PRESENT_KEY_USAGE RT_BIT_32(0) #define RTCRX509TBSCERTIFICATE_F_PRESENT_EXT_KEY_USAGE RT_BIT_32(1) #define RTCRX509TBSCERTIFICATE_F_PRESENT_SUBJECT_KEY_IDENTIFIER RT_BIT_32(2) #define RTCRX509TBSCERTIFICATE_F_PRESENT_SUBJECT_ALT_NAME RT_BIT_32(3) #define RTCRX509TBSCERTIFICATE_F_PRESENT_ISSUER_ALT_NAME RT_BIT_32(4) #define RTCRX509TBSCERTIFICATE_F_PRESENT_CERTIFICATE_POLICIES RT_BIT_32(5) #define RTCRX509TBSCERTIFICATE_F_PRESENT_POLICY_MAPPINGS RT_BIT_32(6) #define RTCRX509TBSCERTIFICATE_F_PRESENT_BASIC_CONSTRAINTS RT_BIT_32(7) #define RTCRX509TBSCERTIFICATE_F_PRESENT_NAME_CONSTRAINTS RT_BIT_32(8) #define RTCRX509TBSCERTIFICATE_F_PRESENT_POLICY_CONSTRAINTS RT_BIT_32(9) #define RTCRX509TBSCERTIFICATE_F_PRESENT_AUTHORITY_KEY_IDENTIFIER RT_BIT_32(10) #define RTCRX509TBSCERTIFICATE_F_PRESENT_OLD_AUTHORITY_KEY_IDENTIFIER RT_BIT_32(11) #define RTCRX509TBSCERTIFICATE_F_PRESENT_ACCEPTABLE_CERT_POLICIES RT_BIT_32(12) #define RTCRX509TBSCERTIFICATE_F_PRESENT_INHIBIT_ANY_POLICY RT_BIT_32(13) #define RTCRX509TBSCERTIFICATE_F_PRESENT_OTHER RT_BIT_32(22) /**< Other unknown extension present. */ #define RTCRX509TBSCERTIFICATE_F_PRESENT_NONE RT_BIT_32(23) /**< No extensions present. */ /** @} */ /** @name X.509 Key Usage flags. (RFC-5280 section 4.2.1.3.) * @{ */ #define RTCRX509CERT_KEY_USAGE_F_DIGITAL_SIGNATURE_BIT 0 #define RTCRX509CERT_KEY_USAGE_F_DIGITAL_SIGNATURE RT_BIT_32(0) #define RTCRX509CERT_KEY_USAGE_F_CONTENT_COMMITTMENT_BIT 1 #define RTCRX509CERT_KEY_USAGE_F_CONTENT_COMMITTMENT RT_BIT_32(1) #define RTCRX509CERT_KEY_USAGE_F_KEY_ENCIPHERMENT_BIT 2 #define RTCRX509CERT_KEY_USAGE_F_KEY_ENCIPHERMENT RT_BIT_32(2) #define RTCRX509CERT_KEY_USAGE_F_DATA_ENCIPHERMENT_BIT 3 #define RTCRX509CERT_KEY_USAGE_F_DATA_ENCIPHERMENT RT_BIT_32(3) #define RTCRX509CERT_KEY_USAGE_F_KEY_AGREEMENT_BIT 4 #define RTCRX509CERT_KEY_USAGE_F_KEY_AGREEMENT RT_BIT_32(4) #define RTCRX509CERT_KEY_USAGE_F_KEY_CERT_SIGN_BIT 5 #define RTCRX509CERT_KEY_USAGE_F_KEY_CERT_SIGN RT_BIT_32(5) #define RTCRX509CERT_KEY_USAGE_F_CRL_SIGN_BIT 6 #define RTCRX509CERT_KEY_USAGE_F_CRL_SIGN RT_BIT_32(6) #define RTCRX509CERT_KEY_USAGE_F_ENCIPHERMENT_ONLY_BIT 7 #define RTCRX509CERT_KEY_USAGE_F_ENCIPHERMENT_ONLY RT_BIT_32(7) #define RTCRX509CERT_KEY_USAGE_F_DECIPHERMENT_ONLY_BIT 8 #define RTCRX509CERT_KEY_USAGE_F_DECIPHERMENT_ONLY RT_BIT_32(8) /** @} */ /** @name X.509 Extended Key Usage flags. (RFC-5280 section 4.2.1.12, ++.) * @remarks Needless to say, these flags doesn't cover all possible extended key * usages, because there is a potential unlimited number of them. Only * ones relevant to IPRT and it's users are covered. * @{ */ #define RTCRX509CERT_EKU_F_ANY RT_BIT_64(0) #define RTCRX509CERT_EKU_F_SERVER_AUTH RT_BIT_64(1) #define RTCRX509CERT_EKU_F_CLIENT_AUTH RT_BIT_64(2) #define RTCRX509CERT_EKU_F_CODE_SIGNING RT_BIT_64(3) #define RTCRX509CERT_EKU_F_EMAIL_PROTECTION RT_BIT_64(4) #define RTCRX509CERT_EKU_F_IPSEC_END_SYSTEM RT_BIT_64(5) #define RTCRX509CERT_EKU_F_IPSEC_TUNNEL RT_BIT_64(6) #define RTCRX509CERT_EKU_F_IPSEC_USER RT_BIT_64(7) #define RTCRX509CERT_EKU_F_TIMESTAMPING RT_BIT_64(8) #define RTCRX509CERT_EKU_F_OCSP_SIGNING RT_BIT_64(9) #define RTCRX509CERT_EKU_F_DVCS RT_BIT_64(10) #define RTCRX509CERT_EKU_F_SBGP_CERT_AA_SERVICE_AUTH RT_BIT_64(11) #define RTCRX509CERT_EKU_F_EAP_OVER_PPP RT_BIT_64(12) #define RTCRX509CERT_EKU_F_EAP_OVER_LAN RT_BIT_64(13) #define RTCRX509CERT_EKU_F_OTHER RT_BIT_64(16) /**< Other unknown extended key usage present. */ #define RTCRX509CERT_EKU_F_APPLE_CODE_SIGNING RT_BIT_64(24) #define RTCRX509CERT_EKU_F_APPLE_CODE_SIGNING_DEVELOPMENT RT_BIT_64(25) #define RTCRX509CERT_EKU_F_APPLE_SOFTWARE_UPDATE_SIGNING RT_BIT_64(26) #define RTCRX509CERT_EKU_F_APPLE_CODE_SIGNING_THIRD_PARTY RT_BIT_64(27) #define RTCRX509CERT_EKU_F_APPLE_RESOURCE_SIGNING RT_BIT_64(28) #define RTCRX509CERT_EKU_F_APPLE_SYSTEM_IDENTITY RT_BIT_64(29) #define RTCRX509CERT_EKU_F_MS_TIMESTAMP_SIGNING RT_BIT_64(32) #define RTCRX509CERT_EKU_F_MS_NT5_CRYPTO RT_BIT_64(33) #define RTCRX509CERT_EKU_F_MS_OEM_WHQL_CRYPTO RT_BIT_64(34) #define RTCRX509CERT_EKU_F_MS_EMBEDDED_NT_CRYPTO RT_BIT_64(35) #define RTCRX509CERT_EKU_F_MS_KERNEL_MODE_CODE_SIGNING RT_BIT_64(36) #define RTCRX509CERT_EKU_F_MS_LIFETIME_SIGNING RT_BIT_64(37) #define RTCRX509CERT_EKU_F_MS_DRM RT_BIT_64(38) #define RTCRX509CERT_EKU_F_MS_DRM_INDIVIDUALIZATION RT_BIT_64(39) #define RTCRX509CERT_EKU_F_MS_WHQL_CRYPTO RT_BIT_64(40) #define RTCRX509CERT_EKU_F_MS_ATTEST_WHQL_CRYPTO RT_BIT_64(41) /** @} */ /** @name Key purpose OIDs (extKeyUsage) * @{ */ #define RTCRX509_ANY_EXTENDED_KEY_USAGE_OID "2.5.29.37.0" #define RTCRX509_ID_KP_OID "1.3.6.1.5.5.7.3" #define RTCRX509_ID_KP_SERVER_AUTH_OID "1.3.6.1.5.5.7.3.1" #define RTCRX509_ID_KP_CLIENT_AUTH_OID "1.3.6.1.5.5.7.3.2" #define RTCRX509_ID_KP_CODE_SIGNING_OID "1.3.6.1.5.5.7.3.3" #define RTCRX509_ID_KP_EMAIL_PROTECTION_OID "1.3.6.1.5.5.7.3.4" #define RTCRX509_ID_KP_IPSEC_END_SYSTEM_OID "1.3.6.1.5.5.7.3.5" #define RTCRX509_ID_KP_IPSEC_TUNNEL_OID "1.3.6.1.5.5.7.3.6" #define RTCRX509_ID_KP_IPSEC_USER_OID "1.3.6.1.5.5.7.3.7" #define RTCRX509_ID_KP_TIMESTAMPING_OID "1.3.6.1.5.5.7.3.8" #define RTCRX509_ID_KP_OCSP_SIGNING_OID "1.3.6.1.5.5.7.3.9" #define RTCRX509_ID_KP_DVCS_OID "1.3.6.1.5.5.7.3.10" #define RTCRX509_ID_KP_SBGP_CERT_AA_SERVICE_AUTH_OID "1.3.6.1.5.5.7.3.11" #define RTCRX509_ID_KP_EAP_OVER_PPP_OID "1.3.6.1.5.5.7.3.13" #define RTCRX509_ID_KP_EAP_OVER_LAN_OID "1.3.6.1.5.5.7.3.14" /** @} */ /** @name Microsoft extended key usage OIDs * @{ */ #define RTCRX509_MS_EKU_CERT_TRUST_LIST_SIGNING_OID "1.3.6.1.4.1.311.10.3.1" #define RTCRX509_MS_EKU_TIMESTAMP_SIGNING_OID "1.3.6.1.4.1.311.10.3.2" #define RTCRX509_MS_EKU_SERVER_GATED_CRYPTO_OID "1.3.6.1.4.1.311.10.3.3" #define RTCRX509_MS_EKU_SGC_SERIALIZED_OID "1.3.6.1.4.1.311.10.3.3.1" #define RTCRX509_MS_EKU_ENCRYPTED_FILE_SYSTEM_OID "1.3.6.1.4.1.311.10.3.4" #define RTCRX509_MS_EKU_WHQL_CRYPTO_OID "1.3.6.1.4.1.311.10.3.5" #define RTCRX509_MS_EKU_ATTEST_WHQL_CRYPTO_OID "1.3.6.1.4.1.311.10.3.5.1" #define RTCRX509_MS_EKU_NT5_CRYPTO_OID "1.3.6.1.4.1.311.10.3.6" #define RTCRX509_MS_EKU_OEM_WHQL_CRYPTO_OID "1.3.6.1.4.1.311.10.3.7" #define RTCRX509_MS_EKU_EMBEDDED_NT_CRYPTO_OID "1.3.6.1.4.1.311.10.3.8" #define RTCRX509_MS_EKU_ROOT_LIST_SIGNER_OID "1.3.6.1.4.1.311.10.3.9" #define RTCRX509_MS_EKU_QUALIFIED_SUBORDINATE_OID "1.3.6.1.4.1.311.10.3.10" #define RTCRX509_MS_EKU_KEY_RECOVERY_3_OID "1.3.6.1.4.1.311.10.3.11" #define RTCRX509_MS_EKU_DOCUMENT_SIGNING_OID "1.3.6.1.4.1.311.10.3.12" #define RTCRX509_MS_EKU_LIFETIME_SIGNING_OID "1.3.6.1.4.1.311.10.3.13" #define RTCRX509_MS_EKU_MOBILE_DEVICE_SOFTWARE_OID "1.3.6.1.4.1.311.10.3.14" #define RTCRX509_MS_EKU_SMART_DISPLAY_OID "1.3.6.1.4.1.311.10.3.15" #define RTCRX509_MS_EKU_CSP_SIGNATURE_OID "1.3.6.1.4.1.311.10.3.16" #define RTCRX509_MS_EKU_EFS_RECOVERY_OID "1.3.6.1.4.1.311.10.3.4.1" #define RTCRX509_MS_EKU_DRM_OID "1.3.6.1.4.1.311.10.5.1" #define RTCRX509_MS_EKU_DRM_INDIVIDUALIZATION_OID "1.3.6.1.4.1.311.10.5.2" #define RTCRX509_MS_EKU_LICENSES_OID "1.3.6.1.4.1.311.10.5.3" #define RTCRX509_MS_EKU_LICENSE_SERVER_OID "1.3.6.1.4.1.311.10.5.4" #define RTCRX509_MS_EKU_ENROLLMENT_AGENT_OID "1.3.6.1.4.1.311.20.2.1" #define RTCRX509_MS_EKU_SMARTCARD_LOGON_OID "1.3.6.1.4.1.311.20.2.2" #define RTCRX509_MS_EKU_CA_EXCHANGE_OID "1.3.6.1.4.1.311.21.5" #define RTCRX509_MS_EKU_KEY_RECOVERY_21_OID "1.3.6.1.4.1.311.21.6" #define RTCRX509_MS_EKU_SYSTEM_HEALTH_OID "1.3.6.1.4.1.311.47.1.1" #define RTCRX509_MS_EKU_SYSTEM_HEALTH_LOOPHOLE_OID "1.3.6.1.4.1.311.47.1.3" #define RTCRX509_MS_EKU_KERNEL_MODE_CODE_SIGNING_OID "1.3.6.1.4.1.311.61.1.1" /** @} */ /** @name Apple extended key usage OIDs * @{ */ #define RTCRX509_APPLE_EKU_APPLE_EXTENDED_KEY_USAGE_OID "1.2.840.113635.100.4" #define RTCRX509_APPLE_EKU_CODE_SIGNING_OID "1.2.840.113635.100.4.1" #define RTCRX509_APPLE_EKU_CODE_SIGNING_DEVELOPMENT_OID "1.2.840.113635.100.4.1.1" #define RTCRX509_APPLE_EKU_SOFTWARE_UPDATE_SIGNING_OID "1.2.840.113635.100.4.1.2" #define RTCRX509_APPLE_EKU_CODE_SIGNING_THRID_PARTY_OID "1.2.840.113635.100.4.1.3" #define RTCRX509_APPLE_EKU_RESOURCE_SIGNING_OID "1.2.840.113635.100.4.1.4" #define RTCRX509_APPLE_EKU_ICHAT_SIGNING_OID "1.2.840.113635.100.4.2" #define RTCRX509_APPLE_EKU_ICHAT_ENCRYPTION_OID "1.2.840.113635.100.4.3" #define RTCRX509_APPLE_EKU_SYSTEM_IDENTITY_OID "1.2.840.113635.100.4.4" #define RTCRX509_APPLE_EKU_CRYPTO_ENV_OID "1.2.840.113635.100.4.5" #define RTCRX509_APPLE_EKU_CRYPTO_PRODUCTION_ENV_OID "1.2.840.113635.100.4.5.1" #define RTCRX509_APPLE_EKU_CRYPTO_MAINTENANCE_ENV_OID "1.2.840.113635.100.4.5.2" #define RTCRX509_APPLE_EKU_CRYPTO_TEST_ENV_OID "1.2.840.113635.100.4.5.3" #define RTCRX509_APPLE_EKU_CRYPTO_DEVELOPMENT_ENV_OID "1.2.840.113635.100.4.5.4" #define RTCRX509_APPLE_EKU_CRYPTO_QOS_OID "1.2.840.113635.100.4.6" #define RTCRX509_APPLE_EKU_CRYPTO_TIER0_QOS_OID "1.2.840.113635.100.4.6.1" #define RTCRX509_APPLE_EKU_CRYPTO_TIER1_QOS_OID "1.2.840.113635.100.4.6.2" #define RTCRX509_APPLE_EKU_CRYPTO_TIER2_QOS_OID "1.2.840.113635.100.4.6.3" #define RTCRX509_APPLE_EKU_CRYPTO_TIER3_QOS_OID "1.2.840.113635.100.4.6.4" /** @} */ /** * Use this to update derived values after changing the certificate * extensions. * * @returns IPRT status code * @param pThis The certificate. * @param pErrInfo Where to return additional error information. Optional. */ RTDECL(int) RTCrX509TbsCertificate_ReprocessExtensions(PRTCRX509TBSCERTIFICATE pThis, PRTERRINFO pErrInfo); /** * One X.509 Certificate (IPRT representation). */ typedef struct RTCRX509CERTIFICATE { /** Sequence core. */ RTASN1SEQUENCECORE SeqCore; /** The to-be-signed certificate information. */ RTCRX509TBSCERTIFICATE TbsCertificate; /** The signature algorithm (must match TbsCertificate.Signature). */ RTCRX509ALGORITHMIDENTIFIER SignatureAlgorithm; /** The signature value. */ RTASN1BITSTRING SignatureValue; } RTCRX509CERTIFICATE; /** Pointer to the IPRT representation of one X.509 certificate. */ typedef RTCRX509CERTIFICATE *PRTCRX509CERTIFICATE; /** Pointer to the const IPRT representation of one X.509 certificate. */ typedef RTCRX509CERTIFICATE const *PCRTCRX509CERTIFICATE; RTASN1TYPE_STANDARD_PROTOTYPES(RTCRX509CERTIFICATE, RTDECL, RTCrX509Certificate, SeqCore.Asn1Core); /** * Checks if a certificate matches a given issuer name and serial number. * * @returns True / false. * @param pCertificate The X.509 certificat. * @param pIssuer The issuer name to match against. * @param pSerialNumber The serial number to match against. */ RTDECL(bool) RTCrX509Certificate_MatchIssuerAndSerialNumber(PCRTCRX509CERTIFICATE pCertificate, PCRTCRX509NAME pIssuer, PCRTASN1INTEGER pSerialNumber); RTDECL(bool) RTCrX509Certificate_MatchSubjectOrAltSubjectByRfc5280(PCRTCRX509CERTIFICATE pThis, PCRTCRX509NAME pName); RTDECL(bool) RTCrX509Certificate_IsSelfSigned(PCRTCRX509CERTIFICATE pCertificate); RTDECL(int) RTCrX509Certificate_VerifySignature(PCRTCRX509CERTIFICATE pThis, PCRTASN1OBJID pAlgorithm, PCRTASN1DYNTYPE pParameters, PCRTASN1BITSTRING pPublicKey, PRTERRINFO pErrInfo); RTDECL(int) RTCrX509Certificate_VerifySignatureSelfSigned(PCRTCRX509CERTIFICATE pThis, PRTERRINFO pErrInfo); RTDECL(int) RTCrX509Certificate_ReadFromFile(PRTCRX509CERTIFICATE pCertificate, const char *pszFilename, uint32_t fFlags, PCRTASN1ALLOCATORVTABLE pAllocator, PRTERRINFO pErrInfo); RTDECL(int) RTCrX509Certificate_ReadFromBuffer(PRTCRX509CERTIFICATE pCertificate, const void *pvBuf, size_t cbBuf, uint32_t fFlags, PCRTASN1ALLOCATORVTABLE pAllocator, PRTERRINFO pErrInfo, const char *pszErrorTag); /** @name Flags for RTCrX509Certificate_ReadFromFile and * RTCrX509Certificate_ReadFromBuffer * @{ */ /** Only allow PEM certificates, not binary ones. * @sa RTCRPEMREADFILE_F_ONLY_PEM */ #define RTCRX509CERT_READ_F_PEM_ONLY RT_BIT(1) /** @} */ /** X509 Certificate markers for RTCrPemFindFirstSectionInContent et al. */ extern RTDATADECL(RTCRPEMMARKER const) g_aRTCrX509CertificateMarkers[]; /** Number of entries in g_aRTCrX509CertificateMarkers. */ extern RTDATADECL(uint32_t const) g_cRTCrX509CertificateMarkers; /** Wrapper around RTCrPemWriteAsn1ToVfsIoStrm(). */ DECLINLINE(ssize_t) RTCrX509Certificate_WriteToVfsIoStrm(RTVFSIOSTREAM hVfsIos, PRTCRX509CERTIFICATE pCertificate, PRTERRINFO pErrInfo) { return RTCrPemWriteAsn1ToVfsIoStrm(hVfsIos, &pCertificate->SeqCore.Asn1Core, 0 /*fFlags*/, g_aRTCrX509CertificateMarkers[0].paWords[0].pszWord, pErrInfo); } /** Wrapper around RTCrPemWriteAsn1ToVfsFile(). */ DECLINLINE(ssize_t) RTCrX509Certificate_WriteToVfsFile(RTVFSFILE hVfsFile, PRTCRX509CERTIFICATE pCertificate, PRTERRINFO pErrInfo) { return RTCrPemWriteAsn1ToVfsFile(hVfsFile, &pCertificate->SeqCore.Asn1Core, 0 /*fFlags*/, g_aRTCrX509CertificateMarkers[0].paWords[0].pszWord, pErrInfo); } /** @name X.509 Certificate Extensions * @{ */ /** Old AuthorityKeyIdentifier OID. */ #define RTCRX509_ID_CE_OLD_AUTHORITY_KEY_IDENTIFIER_OID "2.5.29.1" /** Old CertificatePolicies extension OID. */ #define RTCRX509_ID_CE_OLD_CERTIFICATE_POLICIES_OID "2.5.29.3" /** Old SubjectAltName extension OID. */ #define RTCRX509_ID_CE_OLD_SUBJECT_ALT_NAME_OID "2.5.29.7" /** Old IssuerAltName extension OID. */ #define RTCRX509_ID_CE_OLD_ISSUER_ALT_NAME_OID "2.5.29.8" /** Old BasicContraints extension OID. */ #define RTCRX509_ID_CE_OLD_BASIC_CONSTRAINTS_OID "2.5.29.10" /** SubjectKeyIdentifier OID. */ #define RTCRX509_ID_CE_SUBJECT_KEY_IDENTIFIER_OID "2.5.29.14" /** KeyUsage OID. */ #define RTCRX509_ID_CE_KEY_USAGE_OID "2.5.29.15" /** PrivateKeyUsagePeriod OID. */ #define RTCRX509_ID_CE_PRIVATE_KEY_USAGE_PERIOD_OID "2.5.29.16" /** SubjectAltName extension OID. */ #define RTCRX509_ID_CE_SUBJECT_ALT_NAME_OID "2.5.29.17" /** IssuerAltName extension OID. */ #define RTCRX509_ID_CE_ISSUER_ALT_NAME_OID "2.5.29.18" /** BasicContraints extension OID. */ #define RTCRX509_ID_CE_BASIC_CONSTRAINTS_OID "2.5.29.19" /** NameContraints extension OID. */ #define RTCRX509_ID_CE_NAME_CONSTRAINTS_OID "2.5.29.30" /** CertificatePolicies extension OID. */ #define RTCRX509_ID_CE_CERTIFICATE_POLICIES_OID "2.5.29.32" /** PolicyMappings extension OID. */ #define RTCRX509_ID_CE_POLICY_MAPPINGS_OID "2.5.29.33" /** AuthorityKeyIdentifier OID. */ #define RTCRX509_ID_CE_AUTHORITY_KEY_IDENTIFIER_OID "2.5.29.35" /** PolicyContraints extension OID. */ #define RTCRX509_ID_CE_POLICY_CONSTRAINTS_OID "2.5.29.36" /** ExtKeyUsage (extended key usage) extension OID. */ #define RTCRX509_ID_CE_EXT_KEY_USAGE_OID "2.5.29.37" /** ExtKeyUsage: OID for permitting any unspecified key usage. */ #define RTCRX509_ID_CE_ANY_EXTENDED_KEY_USAGE_OID "2.5.29.37.0" /** AuthorityAttributeIdentifier OID. */ #define RTCRX509_ID_CE_AUTHORITY_ATTRIBUTE_IDENTIFIER_OID "2.5.29.38" /** AcceptableCertPolicies OID. */ #define RTCRX509_ID_CE_ACCEPTABLE_CERT_POLICIES_OID "2.5.29.52" /** InhibitAnyPolicy OID. */ #define RTCRX509_ID_CE_INHIBIT_ANY_POLICY_OID "2.5.29.54" /** @} */ /* * Sequence of X.509 Certifcates (IPRT representation). */ RTASN1_IMPL_GEN_SET_OF_TYPEDEFS_AND_PROTOS(RTCRX509CERTIFICATES, RTCRX509CERTIFICATE, RTDECL, RTCrX509Certificates); /** * Looks up a certificate by issuer name and serial number. * * @returns Pointer to the given certificate if found, NULL if not. * @param pCertificates The X.509 certificate set to search. * @param pIssuer The issuer name of the wanted certificate. * @param pSerialNumber The serial number of the wanted certificate. */ RTDECL(PCRTCRX509CERTIFICATE) RTCrX509Certificates_FindByIssuerAndSerialNumber(PCRTCRX509CERTIFICATES pCertificates, PCRTCRX509NAME pIssuer, PCRTASN1INTEGER pSerialNumber); RTDECL(int) RTCrX509CertPathsCreate(PRTCRX509CERTPATHS phCertPaths, PCRTCRX509CERTIFICATE pTarget); RTDECL(uint32_t) RTCrX509CertPathsRetain(RTCRX509CERTPATHS hCertPaths); RTDECL(uint32_t) RTCrX509CertPathsRelease(RTCRX509CERTPATHS hCertPaths); RTDECL(int) RTCrX509CertPathsSetTrustedStore(RTCRX509CERTPATHS hCertPaths, RTCRSTORE hTrustedStore); RTDECL(int) RTCrX509CertPathsSetUntrustedStore(RTCRX509CERTPATHS hCertPaths, RTCRSTORE hUntrustedStore); RTDECL(int) RTCrX509CertPathsSetUntrustedArray(RTCRX509CERTPATHS hCertPaths, PCRTCRX509CERTIFICATE paCerts, uint32_t cCerts); RTDECL(int) RTCrX509CertPathsSetUntrustedSet(RTCRX509CERTPATHS hCertPaths, struct RTCRPKCS7SETOFCERTS const *pSetOfCerts); RTDECL(int) RTCrX509CertPathsSetValidTime(RTCRX509CERTPATHS hCertPaths, PCRTTIME pTime); RTDECL(int) RTCrX509CertPathsSetValidTimeSpec(RTCRX509CERTPATHS hCertPaths, PCRTTIMESPEC pTimeSpec); RTDECL(int) RTCrX509CertPathsSetTrustAnchorChecks(RTCRX509CERTPATHS hCertPaths, bool fEnable); RTDECL(int) RTCrX509CertPathsCreateEx(PRTCRX509CERTPATHS phCertPaths, PCRTCRX509CERTIFICATE pTarget, RTCRSTORE hTrustedStore, RTCRSTORE hUntrustedStore, PCRTCRX509CERTIFICATE paUntrustedCerts, uint32_t cUntrustedCerts, PCRTTIMESPEC pValidTime); RTDECL(int) RTCrX509CertPathsBuild(RTCRX509CERTPATHS hCertPaths, PRTERRINFO pErrInfo); RTDECL(int) RTCrX509CertPathsDumpOne(RTCRX509CERTPATHS hCertPaths, uint32_t iPath, uint32_t uVerbosity, PFNRTDUMPPRINTFV pfnPrintfV, void *pvUser); RTDECL(int) RTCrX509CertPathsDumpAll(RTCRX509CERTPATHS hCertPaths, uint32_t uVerbosity, PFNRTDUMPPRINTFV pfnPrintfV, void *pvUser); RTDECL(int) RTCrX509CertPathsValidateOne(RTCRX509CERTPATHS hCertPaths, uint32_t iPath, PRTERRINFO pErrInfo); RTDECL(int) RTCrX509CertPathsValidateAll(RTCRX509CERTPATHS hCertPaths, uint32_t *pcValidPaths, PRTERRINFO pErrInfo); RTDECL(uint32_t) RTCrX509CertPathsGetPathCount(RTCRX509CERTPATHS hCertPaths); RTDECL(int) RTCrX509CertPathsQueryPathInfo(RTCRX509CERTPATHS hCertPaths, uint32_t iPath, bool *pfTrusted, uint32_t *pcNodes, PCRTCRX509NAME *ppSubject, PCRTCRX509SUBJECTPUBLICKEYINFO *ppPublicKeyInfo, PCRTCRX509CERTIFICATE *ppCert, PCRTCRCERTCTX *ppCertCtx, int *prcVerify); RTDECL(uint32_t) RTCrX509CertPathsGetPathLength(RTCRX509CERTPATHS hCertPaths, uint32_t iPath); RTDECL(int) RTCrX509CertPathsGetPathVerifyResult(RTCRX509CERTPATHS hCertPaths, uint32_t iPath); RTDECL(PCRTCRX509CERTIFICATE) RTCrX509CertPathsGetPathNodeCert(RTCRX509CERTPATHS hCertPaths, uint32_t iPath, uint32_t iNode); RT_C_DECLS_END /** @} */ /** @} */ #endif /* !IPRT_INCLUDED_crypto_x509_h */