xref: /freebsd/contrib/bearssl/inc/bearssl_x509.h (revision 271171e0d97b88ba2a7c3bf750c9672b484c1c13)
1 /*
2  * Copyright (c) 2016 Thomas Pornin <pornin@bolet.org>
3  *
4  * Permission is hereby granted, free of charge, to any person obtaining
5  * a copy of this software and associated documentation files (the
6  * "Software"), to deal in the Software without restriction, including
7  * without limitation the rights to use, copy, modify, merge, publish,
8  * distribute, sublicense, and/or sell copies of the Software, and to
9  * permit persons to whom the Software is furnished to do so, subject to
10  * the following conditions:
11  *
12  * The above copyright notice and this permission notice shall be
13  * included in all copies or substantial portions of the Software.
14  *
15  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
16  * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
17  * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
18  * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
19  * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
20  * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
21  * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
22  * SOFTWARE.
23  */
24 
25 #ifndef BR_BEARSSL_X509_H__
26 #define BR_BEARSSL_X509_H__
27 
28 #include <stddef.h>
29 #include <stdint.h>
30 
31 #include "bearssl_ec.h"
32 #include "bearssl_hash.h"
33 #include "bearssl_rsa.h"
34 
35 #ifdef __cplusplus
36 extern "C" {
37 #endif
38 
39 /** \file bearssl_x509.h
40  *
41  * # X.509 Certificate Chain Processing
42  *
43  * An X.509 processing engine receives an X.509 chain, chunk by chunk,
44  * as received from a SSL/TLS client or server (the client receives the
45  * server's certificate chain, and the server receives the client's
46  * certificate chain if it requested a client certificate). The chain
47  * is thus injected in the engine in SSL order (end-entity first).
48  *
49  * The engine's job is to return the public key to use for SSL/TLS.
50  * How exactly that key is obtained and verified is entirely up to the
51  * engine.
52  *
53  * **The "known key" engine** returns a public key which is already known
54  * from out-of-band information (e.g. the client _remembers_ the key from
55  * a previous connection, as in the usual SSH model). This is the simplest
56  * engine since it simply ignores the chain, thereby avoiding the need
57  * for any decoding logic.
58  *
59  * **The "minimal" engine** implements minimal X.509 decoding and chain
60  * validation:
61  *
62  *   - The provided chain should validate "as is". There is no attempt
63  *     at reordering, skipping or downloading extra certificates.
64  *
65  *   - X.509 v1, v2 and v3 certificates are supported.
66  *
67  *   - Trust anchors are a DN and a public key. Each anchor is either a
68  *     "CA" anchor, or a non-CA.
69  *
70  *   - If the end-entity certificate matches a non-CA anchor (subject DN
71  *     is equal to the non-CA name, and public key is also identical to
72  *     the anchor key), then this is a _direct trust_ case and the
73  *     remaining certificates are ignored.
74  *
75  *   - Unless direct trust is applied, the chain must be verifiable up to
76  *     a certificate whose issuer DN matches the DN from a "CA" trust anchor,
77  *     and whose signature is verifiable against that anchor's public key.
78  *     Subsequent certificates in the chain are ignored.
79  *
80  *   - The engine verifies subject/issuer DN matching, and enforces
81  *     processing of Basic Constraints and Key Usage extensions. The
82  *     Authority Key Identifier, Subject Key Identifier, Issuer Alt Name,
83  *     Subject Directory Attribute, CRL Distribution Points, Freshest CRL,
84  *     Authority Info Access and Subject Info Access extensions are
85  *     ignored. The Subject Alt Name is decoded for the end-entity
86  *     certificate under some conditions (see below). Other extensions
87  *     are ignored if non-critical, or imply chain rejection if critical.
88  *
89  *   - The Subject Alt Name extension is parsed for names of type `dNSName`
90  *     when decoding the end-entity certificate, and only if there is a
91  *     server name to match. If there is no SAN extension, then the
92  *     Common Name from the subjectDN is used. That name matching is
93  *     case-insensitive and honours a single starting wildcard (i.e. if
94  *     the name in the certificate starts with "`*.`" then this matches
95  *     any word as first element). Note: this name matching is performed
96  *     also in the "direct trust" model.
97  *
98  *   - DN matching is byte-to-byte equality (a future version might
99  *     include some limited processing for case-insensitive matching and
100  *     whitespace normalisation).
101  *
102  *   - Successful validation produces a public key type but also a set
103  *     of allowed usages (`BR_KEYTYPE_KEYX` and/or `BR_KEYTYPE_SIGN`).
104  *     The caller is responsible for checking that the key type and
105  *     usages are compatible with the expected values (e.g. with the
106  *     selected cipher suite, when the client validates the server's
107  *     certificate).
108  *
109  * **Important caveats:**
110  *
111  *   - The "minimal" engine does not check revocation status. The relevant
112  *     extensions are ignored, and CRL or OCSP responses are not gathered
113  *     or checked.
114  *
115  *   - The "minimal" engine does not currently support Name Constraints
116  *     (some basic functionality to handle sub-domains may be added in a
117  *     later version).
118  *
119  *   - The decoder is not "validating" in the sense that it won't reject
120  *     some certificates with invalid field values when these fields are
121  *     not actually processed.
122  */
123 
124 /*
125  * X.509 error codes are in the 32..63 range.
126  */
127 
128 /** \brief X.509 status: validation was successful; this is not actually
129     an error. */
130 #define BR_ERR_X509_OK                    32
131 
132 /** \brief X.509 status: invalid value in an ASN.1 structure. */
133 #define BR_ERR_X509_INVALID_VALUE         33
134 
135 /** \brief X.509 status: truncated certificate. */
136 #define BR_ERR_X509_TRUNCATED             34
137 
138 /** \brief X.509 status: empty certificate chain (no certificate at all). */
139 #define BR_ERR_X509_EMPTY_CHAIN           35
140 
141 /** \brief X.509 status: decoding error: inner element extends beyond
142     outer element size. */
143 #define BR_ERR_X509_INNER_TRUNC           36
144 
145 /** \brief X.509 status: decoding error: unsupported tag class (application
146     or private). */
147 #define BR_ERR_X509_BAD_TAG_CLASS         37
148 
149 /** \brief X.509 status: decoding error: unsupported tag value. */
150 #define BR_ERR_X509_BAD_TAG_VALUE         38
151 
152 /** \brief X.509 status: decoding error: indefinite length. */
153 #define BR_ERR_X509_INDEFINITE_LENGTH     39
154 
155 /** \brief X.509 status: decoding error: extraneous element. */
156 #define BR_ERR_X509_EXTRA_ELEMENT         40
157 
158 /** \brief X.509 status: decoding error: unexpected element. */
159 #define BR_ERR_X509_UNEXPECTED            41
160 
161 /** \brief X.509 status: decoding error: expected constructed element, but
162     is primitive. */
163 #define BR_ERR_X509_NOT_CONSTRUCTED       42
164 
165 /** \brief X.509 status: decoding error: expected primitive element, but
166     is constructed. */
167 #define BR_ERR_X509_NOT_PRIMITIVE         43
168 
169 /** \brief X.509 status: decoding error: BIT STRING length is not multiple
170     of 8. */
171 #define BR_ERR_X509_PARTIAL_BYTE          44
172 
173 /** \brief X.509 status: decoding error: BOOLEAN value has invalid length. */
174 #define BR_ERR_X509_BAD_BOOLEAN           45
175 
176 /** \brief X.509 status: decoding error: value is off-limits. */
177 #define BR_ERR_X509_OVERFLOW              46
178 
179 /** \brief X.509 status: invalid distinguished name. */
180 #define BR_ERR_X509_BAD_DN                47
181 
182 /** \brief X.509 status: invalid date/time representation. */
183 #define BR_ERR_X509_BAD_TIME              48
184 
185 /** \brief X.509 status: certificate contains unsupported features that
186     cannot be ignored. */
187 #define BR_ERR_X509_UNSUPPORTED           49
188 
189 /** \brief X.509 status: key or signature size exceeds internal limits. */
190 #define BR_ERR_X509_LIMIT_EXCEEDED        50
191 
192 /** \brief X.509 status: key type does not match that which was expected. */
193 #define BR_ERR_X509_WRONG_KEY_TYPE        51
194 
195 /** \brief X.509 status: signature is invalid. */
196 #define BR_ERR_X509_BAD_SIGNATURE         52
197 
198 /** \brief X.509 status: validation time is unknown. */
199 #define BR_ERR_X509_TIME_UNKNOWN          53
200 
201 /** \brief X.509 status: certificate is expired or not yet valid. */
202 #define BR_ERR_X509_EXPIRED               54
203 
204 /** \brief X.509 status: issuer/subject DN mismatch in the chain. */
205 #define BR_ERR_X509_DN_MISMATCH           55
206 
207 /** \brief X.509 status: expected server name was not found in the chain. */
208 #define BR_ERR_X509_BAD_SERVER_NAME       56
209 
210 /** \brief X.509 status: unknown critical extension in certificate. */
211 #define BR_ERR_X509_CRITICAL_EXTENSION    57
212 
213 /** \brief X.509 status: not a CA, or path length constraint violation */
214 #define BR_ERR_X509_NOT_CA                58
215 
216 /** \brief X.509 status: Key Usage extension prohibits intended usage. */
217 #define BR_ERR_X509_FORBIDDEN_KEY_USAGE   59
218 
219 /** \brief X.509 status: public key found in certificate is too small. */
220 #define BR_ERR_X509_WEAK_PUBLIC_KEY       60
221 
222 /** \brief X.509 status: chain could not be linked to a trust anchor. */
223 #define BR_ERR_X509_NOT_TRUSTED           62
224 
225 /**
226  * \brief Aggregate structure for public keys.
227  */
228 typedef struct {
229 	/** \brief Key type: `BR_KEYTYPE_RSA` or `BR_KEYTYPE_EC` */
230 	unsigned char key_type;
231 	/** \brief Actual public key. */
232 	union {
233 		/** \brief RSA public key. */
234 		br_rsa_public_key rsa;
235 		/** \brief EC public key. */
236 		br_ec_public_key ec;
237 	} key;
238 } br_x509_pkey;
239 
240 /**
241  * \brief Distinguished Name (X.500) structure.
242  *
243  * The DN is DER-encoded.
244  */
245 typedef struct {
246 	/** \brief Encoded DN data. */
247 	unsigned char *data;
248 	/** \brief Encoded DN length (in bytes). */
249 	size_t len;
250 } br_x500_name;
251 
252 /**
253  * \brief Trust anchor structure.
254  */
255 typedef struct {
256 	/** \brief Encoded DN (X.500 name). */
257 	br_x500_name dn;
258 	/** \brief Anchor flags (e.g. `BR_X509_TA_CA`). */
259 	unsigned flags;
260 	/** \brief Anchor public key. */
261 	br_x509_pkey pkey;
262 } br_x509_trust_anchor;
263 
264 /**
265  * \brief Trust anchor flag: CA.
266  *
267  * A "CA" anchor is deemed fit to verify signatures on certificates.
268  * A "non-CA" anchor is accepted only for direct trust (server's
269  * certificate name and key match the anchor).
270  */
271 #define BR_X509_TA_CA        0x0001
272 
273 /*
274  * Key type: combination of a basic key type (low 4 bits) and some
275  * optional flags.
276  *
277  * For a public key, the basic key type only is set.
278  *
279  * For an expected key type, the flags indicate the intended purpose(s)
280  * for the key; the basic key type may be set to 0 to indicate that any
281  * key type compatible with the indicated purpose is acceptable.
282  */
283 /** \brief Key type: algorithm is RSA. */
284 #define BR_KEYTYPE_RSA    1
285 /** \brief Key type: algorithm is EC. */
286 #define BR_KEYTYPE_EC     2
287 
288 /**
289  * \brief Key type: usage is "key exchange".
290  *
291  * This value is combined (with bitwise OR) with the algorithm
292  * (`BR_KEYTYPE_RSA` or `BR_KEYTYPE_EC`) when informing the X.509
293  * validation engine that it should find a public key of that type,
294  * fit for key exchanges (e.g. `TLS_RSA_*` and `TLS_ECDH_*` cipher
295  * suites).
296  */
297 #define BR_KEYTYPE_KEYX   0x10
298 
299 /**
300  * \brief Key type: usage is "signature".
301  *
302  * This value is combined (with bitwise OR) with the algorithm
303  * (`BR_KEYTYPE_RSA` or `BR_KEYTYPE_EC`) when informing the X.509
304  * validation engine that it should find a public key of that type,
305  * fit for signatures (e.g. `TLS_ECDHE_*` cipher suites).
306  */
307 #define BR_KEYTYPE_SIGN   0x20
308 
309 /*
310  * start_chain   Called when a new chain is started. If 'server_name'
311  *               is not NULL and non-empty, then it is a name that
312  *               should be looked for in the EE certificate (in the
313  *               SAN extension as dNSName, or in the subjectDN's CN
314  *               if there is no SAN extension).
315  *               The caller ensures that the provided 'server_name'
316  *               pointer remains valid throughout validation.
317  *
318  * start_cert    Begins a new certificate in the chain. The provided
319  *               length is in bytes; this is the total certificate length.
320  *
321  * append        Get some additional bytes for the current certificate.
322  *
323  * end_cert      Ends the current certificate.
324  *
325  * end_chain     Called at the end of the chain. Returned value is
326  *               0 on success, or a non-zero error code.
327  *
328  * get_pkey      Returns the EE certificate public key.
329  *
330  * For a complete chain, start_chain() and end_chain() are always
331  * called. For each certificate, start_cert(), some append() calls, then
332  * end_cert() are called, in that order. There may be no append() call
333  * at all if the certificate is empty (which is not valid but may happen
334  * if the peer sends exactly that).
335  *
336  * get_pkey() shall return a pointer to a structure that is valid as
337  * long as a new chain is not started. This may be a sub-structure
338  * within the context for the engine. This function MAY return a valid
339  * pointer to a public key even in some cases of validation failure,
340  * depending on the validation engine.
341  */
342 
343 /**
344  * \brief Class type for an X.509 engine.
345  *
346  * A certificate chain validation uses a caller-allocated context, which
347  * contains the running state for that validation. Methods are called
348  * in due order:
349  *
350  *   - `start_chain()` is called at the start of the validation.
351  *   - Certificates are processed one by one, in SSL order (end-entity
352  *     comes first). For each certificate, the following methods are
353  *     called:
354  *
355  *       - `start_cert()` at the beginning of the certificate.
356  *       - `append()` is called zero, one or more times, to provide
357  *         the certificate (possibly in chunks).
358  *       - `end_cert()` at the end of the certificate.
359  *
360  *   - `end_chain()` is called when the last certificate in the chain
361  *     was processed.
362  *   - `get_pkey()` is called after chain processing, if the chain
363  *     validation was successful.
364  *
365  * A context structure may be reused; the `start_chain()` method shall
366  * ensure (re)initialisation.
367  */
368 typedef struct br_x509_class_ br_x509_class;
369 struct br_x509_class_ {
370 	/**
371 	 * \brief X.509 context size, in bytes.
372 	 */
373 	size_t context_size;
374 
375 	/**
376 	 * \brief Start a new chain.
377 	 *
378 	 * This method shall set the vtable (first field) of the context
379 	 * structure.
380 	 *
381 	 * The `server_name`, if not `NULL`, will be considered as a
382 	 * fully qualified domain name, to be matched against the `dNSName`
383 	 * elements of the end-entity certificate's SAN extension (if there
384 	 * is no SAN, then the Common Name from the subjectDN will be used).
385 	 * If `server_name` is `NULL` then no such matching is performed.
386 	 *
387 	 * \param ctx           validation context.
388 	 * \param server_name   server name to match (or `NULL`).
389 	 */
390 	void (*start_chain)(const br_x509_class **ctx,
391 		const char *server_name);
392 
393 	/**
394 	 * \brief Start a new certificate.
395 	 *
396 	 * \param ctx      validation context.
397 	 * \param length   new certificate length (in bytes).
398 	 */
399 	void (*start_cert)(const br_x509_class **ctx, uint32_t length);
400 
401 	/**
402 	 * \brief Receive some bytes for the current certificate.
403 	 *
404 	 * This function may be called several times in succession for
405 	 * a given certificate. The caller guarantees that for each
406 	 * call, `len` is not zero, and the sum of all chunk lengths
407 	 * for a certificate matches the total certificate length which
408 	 * was provided in the previous `start_cert()` call.
409 	 *
410 	 * If the new certificate is empty (no byte at all) then this
411 	 * function won't be called at all.
412 	 *
413 	 * \param ctx   validation context.
414 	 * \param buf   certificate data chunk.
415 	 * \param len   certificate data chunk length (in bytes).
416 	 */
417 	void (*append)(const br_x509_class **ctx,
418 		const unsigned char *buf, size_t len);
419 
420 	/**
421 	 * \brief Finish the current certificate.
422 	 *
423 	 * This function is called when the end of the current certificate
424 	 * is reached.
425 	 *
426 	 * \param ctx   validation context.
427 	 */
428 	void (*end_cert)(const br_x509_class **ctx);
429 
430 	/**
431 	 * \brief Finish the chain.
432 	 *
433 	 * This function is called at the end of the chain. It shall
434 	 * return either 0 if the validation was successful, or a
435 	 * non-zero error code. The `BR_ERR_X509_*` constants are
436 	 * error codes, though other values may be possible.
437 	 *
438 	 * \param ctx   validation context.
439 	 * \return  0 on success, or a non-zero error code.
440 	 */
441 	unsigned (*end_chain)(const br_x509_class **ctx);
442 
443 	/**
444 	 * \brief Get the resulting end-entity public key.
445 	 *
446 	 * The decoded public key is returned. The returned pointer
447 	 * may be valid only as long as the context structure is
448 	 * unmodified, i.e. it may cease to be valid if the context
449 	 * is released or reused.
450 	 *
451 	 * This function _may_ return `NULL` if the validation failed.
452 	 * However, returning a public key does not mean that the
453 	 * validation was wholly successful; some engines may return
454 	 * a decoded public key even if the chain did not end on a
455 	 * trusted anchor.
456 	 *
457 	 * If validation succeeded and `usage` is not `NULL`, then
458 	 * `*usage` is filled with a combination of `BR_KEYTYPE_SIGN`
459 	 * and/or `BR_KEYTYPE_KEYX` that specifies the validated key
460 	 * usage types. It is the caller's responsibility to check
461 	 * that value against the intended use of the public key.
462 	 *
463 	 * \param ctx   validation context.
464 	 * \return  the end-entity public key, or `NULL`.
465 	 */
466 	const br_x509_pkey *(*get_pkey)(
467 		const br_x509_class *const *ctx, unsigned *usages);
468 };
469 
470 /**
471  * \brief The "known key" X.509 engine structure.
472  *
473  * The structure contents are opaque (they shall not be accessed directly),
474  * except for the first field (the vtable).
475  *
476  * The "known key" engine returns an externally configured public key,
477  * and totally ignores the certificate contents.
478  */
479 typedef struct {
480 	/** \brief Reference to the context vtable. */
481 	const br_x509_class *vtable;
482 #ifndef BR_DOXYGEN_IGNORE
483 	br_x509_pkey pkey;
484 	unsigned usages;
485 #endif
486 } br_x509_knownkey_context;
487 
488 /**
489  * \brief Class instance for the "known key" X.509 engine.
490  */
491 extern const br_x509_class br_x509_knownkey_vtable;
492 
493 /**
494  * \brief Initialize a "known key" X.509 engine with a known RSA public key.
495  *
496  * The `usages` parameter indicates the allowed key usages for that key
497  * (`BR_KEYTYPE_KEYX` and/or `BR_KEYTYPE_SIGN`).
498  *
499  * The provided pointers are linked in, not copied, so they must remain
500  * valid while the public key may be in usage.
501  *
502  * \param ctx      context to initialise.
503  * \param pk       known public key.
504  * \param usages   allowed key usages.
505  */
506 void br_x509_knownkey_init_rsa(br_x509_knownkey_context *ctx,
507 	const br_rsa_public_key *pk, unsigned usages);
508 
509 /**
510  * \brief Initialize a "known key" X.509 engine with a known EC public key.
511  *
512  * The `usages` parameter indicates the allowed key usages for that key
513  * (`BR_KEYTYPE_KEYX` and/or `BR_KEYTYPE_SIGN`).
514  *
515  * The provided pointers are linked in, not copied, so they must remain
516  * valid while the public key may be in usage.
517  *
518  * \param ctx      context to initialise.
519  * \param pk       known public key.
520  * \param usages   allowed key usages.
521  */
522 void br_x509_knownkey_init_ec(br_x509_knownkey_context *ctx,
523 	const br_ec_public_key *pk, unsigned usages);
524 
525 #ifndef BR_DOXYGEN_IGNORE
526 /*
527  * The minimal X.509 engine has some state buffers which must be large
528  * enough to simultaneously accommodate:
529  * -- the public key extracted from the current certificate;
530  * -- the signature on the current certificate or on the previous
531  *    certificate;
532  * -- the public key extracted from the EE certificate.
533  *
534  * We store public key elements in their raw unsigned big-endian
535  * encoding. We want to support up to RSA-4096 with a short (up to 64
536  * bits) public exponent, thus a buffer for a public key must have
537  * length at least 520 bytes. Similarly, a RSA-4096 signature has length
538  * 512 bytes.
539  *
540  * Though RSA public exponents can formally be as large as the modulus
541  * (mathematically, even larger exponents would work, but PKCS#1 forbids
542  * them), exponents that do not fit on 32 bits are extremely rare,
543  * notably because some widespread implementations (e.g. Microsoft's
544  * CryptoAPI) don't support them. Moreover, large public exponent do not
545  * seem to imply any tangible security benefit, and they increase the
546  * cost of public key operations. The X.509 "minimal" engine will tolerate
547  * public exponents of arbitrary size as long as the modulus and the
548  * exponent can fit together in the dedicated buffer.
549  *
550  * EC public keys are shorter than RSA public keys; even with curve
551  * NIST P-521 (the largest curve we care to support), a public key is
552  * encoded over 133 bytes only.
553  */
554 #define BR_X509_BUFSIZE_KEY   520
555 #define BR_X509_BUFSIZE_SIG   512
556 #endif
557 
558 /**
559  * \brief Type for receiving a name element.
560  *
561  * An array of such structures can be provided to the X.509 decoding
562  * engines. If the specified elements are found in the certificate
563  * subject DN or the SAN extension, then the name contents are copied
564  * as zero-terminated strings into the buffer.
565  *
566  * The decoder converts TeletexString and BMPString to UTF8String, and
567  * ensures that the resulting string is zero-terminated. If the string
568  * does not fit in the provided buffer, then the copy is aborted and an
569  * error is reported.
570  */
571 typedef struct {
572 	/**
573 	 * \brief Element OID.
574 	 *
575 	 * For X.500 name elements (to be extracted from the subject DN),
576 	 * this is the encoded OID for the requested name element; the
577 	 * first byte shall contain the length of the DER-encoded OID
578 	 * value, followed by the OID value (for instance, OID 2.5.4.3,
579 	 * for id-at-commonName, will be `03 55 04 03`). This is
580 	 * equivalent to full DER encoding with the length but without
581 	 * the tag.
582 	 *
583 	 * For SAN name elements, the first byte (`oid[0]`) has value 0,
584 	 * followed by another byte that matches the expected GeneralName
585 	 * tag. Allowed second byte values are then:
586 	 *
587 	 *   - 1: `rfc822Name`
588 	 *
589 	 *   - 2: `dNSName`
590 	 *
591 	 *   - 6: `uniformResourceIdentifier`
592 	 *
593 	 *   - 0: `otherName`
594 	 *
595 	 * If first and second byte are 0, then this is a SAN element of
596 	 * type `otherName`; the `oid[]` array should then contain, right
597 	 * after the two bytes of value 0, an encoded OID (with the same
598 	 * conventions as for X.500 name elements). If a match is found
599 	 * for that OID, then the corresponding name element will be
600 	 * extracted, as long as it is a supported string type.
601 	 */
602 	const unsigned char *oid;
603 
604 	/**
605 	 * \brief Destination buffer.
606 	 */
607 	char *buf;
608 
609 	/**
610 	 * \brief Length (in bytes) of the destination buffer.
611 	 *
612 	 * The buffer MUST NOT be smaller than 1 byte.
613 	 */
614 	size_t len;
615 
616 	/**
617 	 * \brief Decoding status.
618 	 *
619 	 * Status is 0 if the name element was not found, 1 if it was
620 	 * found and decoded, or -1 on error. Error conditions include
621 	 * an unrecognised encoding, an invalid encoding, or a string
622 	 * too large for the destination buffer.
623 	 */
624 	int status;
625 
626 } br_name_element;
627 
628 /**
629  * \brief Callback for validity date checks.
630  *
631  * The function receives as parameter an arbitrary user-provided context,
632  * and the notBefore and notAfter dates specified in an X.509 certificate,
633  * both expressed as a number of days and a number of seconds:
634  *
635  *   - Days are counted in a proleptic Gregorian calendar since
636  *     January 1st, 0 AD. Year "0 AD" is the one that preceded "1 AD";
637  *     it is also traditionally known as "1 BC".
638  *
639  *   - Seconds are counted since midnight, from 0 to 86400 (a count of
640  *     86400 is possible only if a leap second happened).
641  *
642  * Each date and time is understood in the UTC time zone. The "Unix
643  * Epoch" (January 1st, 1970, 00:00 UTC) corresponds to days=719528 and
644  * seconds=0; the "Windows Epoch" (January 1st, 1601, 00:00 UTC) is
645  * days=584754, seconds=0.
646  *
647  * This function must return -1 if the current date is strictly before
648  * the "notBefore" time, or +1 if the current date is strictly after the
649  * "notAfter" time. If neither condition holds, then the function returns
650  * 0, which means that the current date falls within the validity range of
651  * the certificate. If the function returns a value distinct from -1, 0
652  * and +1, then this is interpreted as an unavailability of the current
653  * time, which normally ends the validation process with a
654  * `BR_ERR_X509_TIME_UNKNOWN` error.
655  *
656  * During path validation, this callback will be invoked for each
657  * considered X.509 certificate. Validation fails if any of the calls
658  * returns a non-zero value.
659  *
660  * The context value is an abritrary pointer set by the caller when
661  * configuring this callback.
662  *
663  * \param tctx                 context pointer.
664  * \param not_before_days      notBefore date (days since Jan 1st, 0 AD).
665  * \param not_before_seconds   notBefore time (seconds, at most 86400).
666  * \param not_after_days       notAfter date (days since Jan 1st, 0 AD).
667  * \param not_after_seconds    notAfter time (seconds, at most 86400).
668  * \return  -1, 0 or +1.
669  */
670 typedef int (*br_x509_time_check)(void *tctx,
671 	uint32_t not_before_days, uint32_t not_before_seconds,
672 	uint32_t not_after_days, uint32_t not_after_seconds);
673 
674 /**
675  * \brief The "minimal" X.509 engine structure.
676  *
677  * The structure contents are opaque (they shall not be accessed directly),
678  * except for the first field (the vtable).
679  *
680  * The "minimal" engine performs a rudimentary but serviceable X.509 path
681  * validation.
682  */
683 typedef struct {
684 	const br_x509_class *vtable;
685 
686 #ifndef BR_DOXYGEN_IGNORE
687 	/* Structure for returning the EE public key. */
688 	br_x509_pkey pkey;
689 
690 	/* CPU for the T0 virtual machine. */
691 	struct {
692 		uint32_t *dp;
693 		uint32_t *rp;
694 		const unsigned char *ip;
695 	} cpu;
696 	uint32_t dp_stack[31];
697 	uint32_t rp_stack[31];
698 	int err;
699 
700 	/* Server name to match with the SAN / CN of the EE certificate. */
701 	const char *server_name;
702 
703 	/* Validated key usages. */
704 	unsigned char key_usages;
705 
706 	/* Explicitly set date and time. */
707 	uint32_t days, seconds;
708 
709 	/* Current certificate length (in bytes). Set to 0 when the
710 	   certificate has been fully processed. */
711 	uint32_t cert_length;
712 
713 	/* Number of certificates processed so far in the current chain.
714 	   It is incremented at the end of the processing of a certificate,
715 	   so it is 0 for the EE. */
716 	uint32_t num_certs;
717 
718 	/* Certificate data chunk. */
719 	const unsigned char *hbuf;
720 	size_t hlen;
721 
722 	/* The pad serves as destination for various operations. */
723 	unsigned char pad[256];
724 
725 	/* Buffer for EE public key data. */
726 	unsigned char ee_pkey_data[BR_X509_BUFSIZE_KEY];
727 
728 	/* Buffer for currently decoded public key. */
729 	unsigned char pkey_data[BR_X509_BUFSIZE_KEY];
730 
731 	/* Signature type: signer key type, offset to the hash
732 	   function OID (in the T0 data block) and hash function
733 	   output length (TBS hash length). */
734 	unsigned char cert_signer_key_type;
735 	uint16_t cert_sig_hash_oid;
736 	unsigned char cert_sig_hash_len;
737 
738 	/* Current/last certificate signature. */
739 	unsigned char cert_sig[BR_X509_BUFSIZE_SIG];
740 	uint16_t cert_sig_len;
741 
742 	/* Minimum RSA key length (difference in bytes from 128). */
743 	int16_t min_rsa_size;
744 
745 	/* Configured trust anchors. */
746 	const br_x509_trust_anchor *trust_anchors;
747 	size_t trust_anchors_num;
748 
749 	/*
750 	 * Multi-hasher for the TBS.
751 	 */
752 	unsigned char do_mhash;
753 	br_multihash_context mhash;
754 	unsigned char tbs_hash[64];
755 
756 	/*
757 	 * Simple hasher for the subject/issuer DN.
758 	 */
759 	unsigned char do_dn_hash;
760 	const br_hash_class *dn_hash_impl;
761 	br_hash_compat_context dn_hash;
762 	unsigned char current_dn_hash[64];
763 	unsigned char next_dn_hash[64];
764 	unsigned char saved_dn_hash[64];
765 
766 	/*
767 	 * Name elements to gather.
768 	 */
769 	br_name_element *name_elts;
770 	size_t num_name_elts;
771 
772 	/*
773 	 * Callback function (and context) to get the current date.
774 	 */
775 	void *itime_ctx;
776 	br_x509_time_check itime;
777 
778 	/*
779 	 * Public key cryptography implementations (signature verification).
780 	 */
781 	br_rsa_pkcs1_vrfy irsa;
782 	br_ecdsa_vrfy iecdsa;
783 	const br_ec_impl *iec;
784 #endif
785 
786 } br_x509_minimal_context;
787 
788 /**
789  * \brief Class instance for the "minimal" X.509 engine.
790  */
791 extern const br_x509_class br_x509_minimal_vtable;
792 
793 /**
794  * \brief Initialise a "minimal" X.509 engine.
795  *
796  * The `dn_hash_impl` parameter shall be a hash function internally used
797  * to match X.500 names (subject/issuer DN, and anchor names). Any standard
798  * hash function may be used, but a collision-resistant hash function is
799  * advised.
800  *
801  * After initialization, some implementations for signature verification
802  * (hash functions and signature algorithms) MUST be added.
803  *
804  * \param ctx                 context to initialise.
805  * \param dn_hash_impl        hash function for DN comparisons.
806  * \param trust_anchors       trust anchors.
807  * \param trust_anchors_num   number of trust anchors.
808  */
809 void br_x509_minimal_init(br_x509_minimal_context *ctx,
810 	const br_hash_class *dn_hash_impl,
811 	const br_x509_trust_anchor *trust_anchors, size_t trust_anchors_num);
812 
813 /**
814  * \brief Set a supported hash function in an X.509 "minimal" engine.
815  *
816  * Hash functions are used with signature verification algorithms.
817  * Once initialised (with `br_x509_minimal_init()`), the context must
818  * be configured with the hash functions it shall support for that
819  * purpose. The hash function identifier MUST be one of the standard
820  * hash function identifiers (1 to 6, for MD5, SHA-1, SHA-224, SHA-256,
821  * SHA-384 and SHA-512).
822  *
823  * If `impl` is `NULL`, this _removes_ support for the designated
824  * hash function.
825  *
826  * \param ctx    validation context.
827  * \param id     hash function identifier (from 1 to 6).
828  * \param impl   hash function implementation (or `NULL`).
829  */
830 static inline void
831 br_x509_minimal_set_hash(br_x509_minimal_context *ctx,
832 	int id, const br_hash_class *impl)
833 {
834 	br_multihash_setimpl(&ctx->mhash, id, impl);
835 }
836 
837 /**
838  * \brief Set a RSA signature verification implementation in the X.509
839  * "minimal" engine.
840  *
841  * Once initialised (with `br_x509_minimal_init()`), the context must
842  * be configured with the signature verification implementations that
843  * it is supposed to support. If `irsa` is `0`, then the RSA support
844  * is disabled.
845  *
846  * \param ctx    validation context.
847  * \param irsa   RSA signature verification implementation (or `0`).
848  */
849 static inline void
850 br_x509_minimal_set_rsa(br_x509_minimal_context *ctx,
851 	br_rsa_pkcs1_vrfy irsa)
852 {
853 	ctx->irsa = irsa;
854 }
855 
856 /**
857  * \brief Set a ECDSA signature verification implementation in the X.509
858  * "minimal" engine.
859  *
860  * Once initialised (with `br_x509_minimal_init()`), the context must
861  * be configured with the signature verification implementations that
862  * it is supposed to support.
863  *
864  * If `iecdsa` is `0`, then this call disables ECDSA support; in that
865  * case, `iec` may be `NULL`. Otherwise, `iecdsa` MUST point to a function
866  * that verifies ECDSA signatures with format "asn1", and it will use
867  * `iec` as underlying elliptic curve support.
868  *
869  * \param ctx      validation context.
870  * \param iec      elliptic curve implementation (or `NULL`).
871  * \param iecdsa   ECDSA implementation (or `0`).
872  */
873 static inline void
874 br_x509_minimal_set_ecdsa(br_x509_minimal_context *ctx,
875 	const br_ec_impl *iec, br_ecdsa_vrfy iecdsa)
876 {
877 	ctx->iecdsa = iecdsa;
878 	ctx->iec = iec;
879 }
880 
881 /**
882  * \brief Initialise a "minimal" X.509 engine with default algorithms.
883  *
884  * This function performs the same job as `br_x509_minimal_init()`, but
885  * also sets implementations for RSA, ECDSA, and the standard hash
886  * functions.
887  *
888  * \param ctx                 context to initialise.
889  * \param trust_anchors       trust anchors.
890  * \param trust_anchors_num   number of trust anchors.
891  */
892 void br_x509_minimal_init_full(br_x509_minimal_context *ctx,
893 	const br_x509_trust_anchor *trust_anchors, size_t trust_anchors_num);
894 
895 /**
896  * \brief Set the validation time for the X.509 "minimal" engine.
897  *
898  * The validation time is set as two 32-bit integers, for days and
899  * seconds since a fixed epoch:
900  *
901  *   - Days are counted in a proleptic Gregorian calendar since
902  *     January 1st, 0 AD. Year "0 AD" is the one that preceded "1 AD";
903  *     it is also traditionally known as "1 BC".
904  *
905  *   - Seconds are counted since midnight, from 0 to 86400 (a count of
906  *     86400 is possible only if a leap second happened).
907  *
908  * The validation date and time is understood in the UTC time zone. The
909  * "Unix Epoch" (January 1st, 1970, 00:00 UTC) corresponds to days=719528
910  * and seconds=0; the "Windows Epoch" (January 1st, 1601, 00:00 UTC) is
911  * days=584754, seconds=0.
912  *
913  * If the validation date and time are not explicitly set, but BearSSL
914  * was compiled with support for the system clock on the underlying
915  * platform, then the current time will automatically be used. Otherwise,
916  * not setting the validation date and time implies a validation
917  * failure (except in case of direct trust of the EE key).
918  *
919  * \param ctx       validation context.
920  * \param days      days since January 1st, 0 AD (Gregorian calendar).
921  * \param seconds   seconds since midnight (0 to 86400).
922  */
923 static inline void
924 br_x509_minimal_set_time(br_x509_minimal_context *ctx,
925 	uint32_t days, uint32_t seconds)
926 {
927 	ctx->days = days;
928 	ctx->seconds = seconds;
929 	ctx->itime = 0;
930 }
931 
932 /**
933  * \brief Set the validity range callback function for the X.509
934  * "minimal" engine.
935  *
936  * The provided function will be invoked to check whether the validation
937  * date is within the validity range for a given X.509 certificate; a
938  * call will be issued for each considered certificate. The provided
939  * context pointer (itime_ctx) will be passed as first parameter to the
940  * callback.
941  *
942  * \param tctx   context for callback invocation.
943  * \param cb     callback function.
944  */
945 static inline void
946 br_x509_minimal_set_time_callback(br_x509_minimal_context *ctx,
947 	void *itime_ctx, br_x509_time_check itime)
948 {
949 	ctx->itime_ctx = itime_ctx;
950 	ctx->itime = itime;
951 }
952 
953 /**
954  * \brief Set the minimal acceptable length for RSA keys (X.509 "minimal"
955  * engine).
956  *
957  * The RSA key length is expressed in bytes. The default minimum key
958  * length is 128 bytes, corresponding to 1017 bits. RSA keys shorter
959  * than the configured length will be rejected, implying validation
960  * failure. This setting applies to keys extracted from certificates
961  * (both end-entity, and intermediate CA) but not to "CA" trust anchors.
962  *
963  * \param ctx           validation context.
964  * \param byte_length   minimum RSA key length, **in bytes** (not bits).
965  */
966 static inline void
967 br_x509_minimal_set_minrsa(br_x509_minimal_context *ctx, int byte_length)
968 {
969 	ctx->min_rsa_size = (int16_t)(byte_length - 128);
970 }
971 
972 /**
973  * \brief Set the name elements to gather.
974  *
975  * The provided array is linked in the context. The elements are
976  * gathered from the EE certificate. If the same element type is
977  * requested several times, then the relevant structures will be filled
978  * in the order the matching values are encountered in the certificate.
979  *
980  * \param ctx        validation context.
981  * \param elts       array of name element structures to fill.
982  * \param num_elts   number of name element structures to fill.
983  */
984 static inline void
985 br_x509_minimal_set_name_elements(br_x509_minimal_context *ctx,
986 	br_name_element *elts, size_t num_elts)
987 {
988 	ctx->name_elts = elts;
989 	ctx->num_name_elts = num_elts;
990 }
991 
992 /**
993  * \brief X.509 decoder context.
994  *
995  * This structure is _not_ for X.509 validation, but for extracting
996  * names and public keys from encoded certificates. Intended usage is
997  * to use (self-signed) certificates as trust anchors.
998  *
999  * Contents are opaque and shall not be accessed directly.
1000  */
1001 typedef struct {
1002 
1003 #ifndef BR_DOXYGEN_IGNORE
1004 	/* Structure for returning the public key. */
1005 	br_x509_pkey pkey;
1006 
1007 	/* CPU for the T0 virtual machine. */
1008 	struct {
1009 		uint32_t *dp;
1010 		uint32_t *rp;
1011 		const unsigned char *ip;
1012 	} cpu;
1013 	uint32_t dp_stack[32];
1014 	uint32_t rp_stack[32];
1015 	int err;
1016 
1017 	/* The pad serves as destination for various operations. */
1018 	unsigned char pad[256];
1019 
1020 	/* Flag set when decoding succeeds. */
1021 	unsigned char decoded;
1022 
1023 	/* Validity dates. */
1024 	uint32_t notbefore_days, notbefore_seconds;
1025 	uint32_t notafter_days, notafter_seconds;
1026 
1027 	/* The "CA" flag. This is set to true if the certificate contains
1028 	   a Basic Constraints extension that asserts CA status. */
1029 	unsigned char isCA;
1030 
1031 	/* DN processing: the subject DN is extracted and pushed to the
1032 	   provided callback. */
1033 	unsigned char copy_dn;
1034 	void *append_dn_ctx;
1035 	void (*append_dn)(void *ctx, const void *buf, size_t len);
1036 
1037 	/* Certificate data chunk. */
1038 	const unsigned char *hbuf;
1039 	size_t hlen;
1040 
1041 	/* Buffer for decoded public key. */
1042 	unsigned char pkey_data[BR_X509_BUFSIZE_KEY];
1043 
1044 	/* Type of key and hash function used in the certificate signature. */
1045 	unsigned char signer_key_type;
1046 	unsigned char signer_hash_id;
1047 #endif
1048 
1049 } br_x509_decoder_context;
1050 
1051 /**
1052  * \brief Initialise an X.509 decoder context for processing a new
1053  * certificate.
1054  *
1055  * The `append_dn()` callback (with opaque context `append_dn_ctx`)
1056  * will be invoked to receive, chunk by chunk, the certificate's
1057  * subject DN. If `append_dn` is `0` then the subject DN will be
1058  * ignored.
1059  *
1060  * \param ctx             X.509 decoder context to initialise.
1061  * \param append_dn       DN receiver callback (or `0`).
1062  * \param append_dn_ctx   context for the DN receiver callback.
1063  */
1064 void br_x509_decoder_init(br_x509_decoder_context *ctx,
1065 	void (*append_dn)(void *ctx, const void *buf, size_t len),
1066 	void *append_dn_ctx);
1067 
1068 /**
1069  * \brief Push some certificate bytes into a decoder context.
1070  *
1071  * If `len` is non-zero, then that many bytes are pushed, from address
1072  * `data`, into the provided decoder context.
1073  *
1074  * \param ctx    X.509 decoder context.
1075  * \param data   certificate data chunk.
1076  * \param len    certificate data chunk length (in bytes).
1077  */
1078 void br_x509_decoder_push(br_x509_decoder_context *ctx,
1079 	const void *data, size_t len);
1080 
1081 /**
1082  * \brief Obtain the decoded public key.
1083  *
1084  * Returned value is a pointer to a structure internal to the decoder
1085  * context; releasing or reusing the decoder context invalidates that
1086  * structure.
1087  *
1088  * If decoding was not finished, or failed, then `NULL` is returned.
1089  *
1090  * \param ctx   X.509 decoder context.
1091  * \return  the public key, or `NULL` on unfinished/error.
1092  */
1093 static inline br_x509_pkey *
1094 br_x509_decoder_get_pkey(br_x509_decoder_context *ctx)
1095 {
1096 	if (ctx->decoded && ctx->err == 0) {
1097 		return &ctx->pkey;
1098 	} else {
1099 		return NULL;
1100 	}
1101 }
1102 
1103 /**
1104  * \brief Get decoder error status.
1105  *
1106  * If no error was reported yet but the certificate decoding is not
1107  * finished, then the error code is `BR_ERR_X509_TRUNCATED`. If decoding
1108  * was successful, then 0 is returned.
1109  *
1110  * \param ctx   X.509 decoder context.
1111  * \return  0 on successful decoding, or a non-zero error code.
1112  */
1113 static inline int
1114 br_x509_decoder_last_error(br_x509_decoder_context *ctx)
1115 {
1116 	if (ctx->err != 0) {
1117 		return ctx->err;
1118 	}
1119 	if (!ctx->decoded) {
1120 		return BR_ERR_X509_TRUNCATED;
1121 	}
1122 	return 0;
1123 }
1124 
1125 /**
1126  * \brief Get the "isCA" flag from an X.509 decoder context.
1127  *
1128  * This flag is set if the decoded certificate claims to be a CA through
1129  * a Basic Constraints extension. This flag should not be read before
1130  * decoding completed successfully.
1131  *
1132  * \param ctx   X.509 decoder context.
1133  * \return  the "isCA" flag.
1134  */
1135 static inline int
1136 br_x509_decoder_isCA(br_x509_decoder_context *ctx)
1137 {
1138 	return ctx->isCA;
1139 }
1140 
1141 /**
1142  * \brief Get the issuing CA key type (type of algorithm used to sign the
1143  * decoded certificate).
1144  *
1145  * This is `BR_KEYTYPE_RSA` or `BR_KEYTYPE_EC`. The value 0 is returned
1146  * if the signature type was not recognised.
1147  *
1148  * \param ctx   X.509 decoder context.
1149  * \return  the issuing CA key type.
1150  */
1151 static inline int
1152 br_x509_decoder_get_signer_key_type(br_x509_decoder_context *ctx)
1153 {
1154 	return ctx->signer_key_type;
1155 }
1156 
1157 /**
1158  * \brief Get the identifier for the hash function used to sign the decoded
1159  * certificate.
1160  *
1161  * This is 0 if the hash function was not recognised.
1162  *
1163  * \param ctx   X.509 decoder context.
1164  * \return  the signature hash function identifier.
1165  */
1166 static inline int
1167 br_x509_decoder_get_signer_hash_id(br_x509_decoder_context *ctx)
1168 {
1169 	return ctx->signer_hash_id;
1170 }
1171 
1172 /**
1173  * \brief Type for an X.509 certificate (DER-encoded).
1174  */
1175 typedef struct {
1176 	/** \brief The DER-encoded certificate data. */
1177 	unsigned char *data;
1178 	/** \brief The DER-encoded certificate length (in bytes). */
1179 	size_t data_len;
1180 } br_x509_certificate;
1181 
1182 /**
1183  * \brief Private key decoder context.
1184  *
1185  * The private key decoder recognises RSA and EC private keys, either in
1186  * their raw, DER-encoded format, or wrapped in an unencrypted PKCS#8
1187  * archive (again DER-encoded).
1188  *
1189  * Structure contents are opaque and shall not be accessed directly.
1190  */
1191 typedef struct {
1192 #ifndef BR_DOXYGEN_IGNORE
1193 	/* Structure for returning the private key. */
1194 	union {
1195 		br_rsa_private_key rsa;
1196 		br_ec_private_key ec;
1197 	} key;
1198 
1199 	/* CPU for the T0 virtual machine. */
1200 	struct {
1201 		uint32_t *dp;
1202 		uint32_t *rp;
1203 		const unsigned char *ip;
1204 	} cpu;
1205 	uint32_t dp_stack[32];
1206 	uint32_t rp_stack[32];
1207 	int err;
1208 
1209 	/* Private key data chunk. */
1210 	const unsigned char *hbuf;
1211 	size_t hlen;
1212 
1213 	/* The pad serves as destination for various operations. */
1214 	unsigned char pad[256];
1215 
1216 	/* Decoded key type; 0 until decoding is complete. */
1217 	unsigned char key_type;
1218 
1219 	/* Buffer for the private key elements. It shall be large enough
1220 	   to accommodate all elements for a RSA-4096 private key (roughly
1221 	   five 2048-bit integers, possibly a bit more). */
1222 	unsigned char key_data[3 * BR_X509_BUFSIZE_SIG];
1223 #endif
1224 } br_skey_decoder_context;
1225 
1226 /**
1227  * \brief Initialise a private key decoder context.
1228  *
1229  * \param ctx   key decoder context to initialise.
1230  */
1231 void br_skey_decoder_init(br_skey_decoder_context *ctx);
1232 
1233 /**
1234  * \brief Push some data bytes into a private key decoder context.
1235  *
1236  * If `len` is non-zero, then that many data bytes, starting at address
1237  * `data`, are pushed into the decoder.
1238  *
1239  * \param ctx    key decoder context.
1240  * \param data   private key data chunk.
1241  * \param len    private key data chunk length (in bytes).
1242  */
1243 void br_skey_decoder_push(br_skey_decoder_context *ctx,
1244 	const void *data, size_t len);
1245 
1246 /**
1247  * \brief Get the decoding status for a private key.
1248  *
1249  * Decoding status is 0 on success, or a non-zero error code. If the
1250  * decoding is unfinished when this function is called, then the
1251  * status code `BR_ERR_X509_TRUNCATED` is returned.
1252  *
1253  * \param ctx   key decoder context.
1254  * \return  0 on successful decoding, or a non-zero error code.
1255  */
1256 static inline int
1257 br_skey_decoder_last_error(const br_skey_decoder_context *ctx)
1258 {
1259 	if (ctx->err != 0) {
1260 		return ctx->err;
1261 	}
1262 	if (ctx->key_type == 0) {
1263 		return BR_ERR_X509_TRUNCATED;
1264 	}
1265 	return 0;
1266 }
1267 
1268 /**
1269  * \brief Get the decoded private key type.
1270  *
1271  * Private key type is `BR_KEYTYPE_RSA` or `BR_KEYTYPE_EC`. If decoding is
1272  * not finished or failed, then 0 is returned.
1273  *
1274  * \param ctx   key decoder context.
1275  * \return  decoded private key type, or 0.
1276  */
1277 static inline int
1278 br_skey_decoder_key_type(const br_skey_decoder_context *ctx)
1279 {
1280 	if (ctx->err == 0) {
1281 		return ctx->key_type;
1282 	} else {
1283 		return 0;
1284 	}
1285 }
1286 
1287 /**
1288  * \brief Get the decoded RSA private key.
1289  *
1290  * This function returns `NULL` if the decoding failed, or is not
1291  * finished, or the key is not RSA. The returned pointer references
1292  * structures within the context that can become invalid if the context
1293  * is reused or released.
1294  *
1295  * \param ctx   key decoder context.
1296  * \return  decoded RSA private key, or `NULL`.
1297  */
1298 static inline const br_rsa_private_key *
1299 br_skey_decoder_get_rsa(const br_skey_decoder_context *ctx)
1300 {
1301 	if (ctx->err == 0 && ctx->key_type == BR_KEYTYPE_RSA) {
1302 		return &ctx->key.rsa;
1303 	} else {
1304 		return NULL;
1305 	}
1306 }
1307 
1308 /**
1309  * \brief Get the decoded EC private key.
1310  *
1311  * This function returns `NULL` if the decoding failed, or is not
1312  * finished, or the key is not EC. The returned pointer references
1313  * structures within the context that can become invalid if the context
1314  * is reused or released.
1315  *
1316  * \param ctx   key decoder context.
1317  * \return  decoded EC private key, or `NULL`.
1318  */
1319 static inline const br_ec_private_key *
1320 br_skey_decoder_get_ec(const br_skey_decoder_context *ctx)
1321 {
1322 	if (ctx->err == 0 && ctx->key_type == BR_KEYTYPE_EC) {
1323 		return &ctx->key.ec;
1324 	} else {
1325 		return NULL;
1326 	}
1327 }
1328 
1329 /**
1330  * \brief Encode an RSA private key (raw DER format).
1331  *
1332  * This function encodes the provided key into the "raw" format specified
1333  * in PKCS#1 (RFC 8017, Appendix C, type `RSAPrivateKey`), with DER
1334  * encoding rules.
1335  *
1336  * The key elements are:
1337  *
1338  *  - `sk`: the private key (`p`, `q`, `dp`, `dq` and `iq`)
1339  *
1340  *  - `pk`: the public key (`n` and `e`)
1341  *
1342  *  - `d` (size: `dlen` bytes): the private exponent
1343  *
1344  * The public key elements, and the private exponent `d`, can be
1345  * recomputed from the private key (see `br_rsa_compute_modulus()`,
1346  * `br_rsa_compute_pubexp()` and `br_rsa_compute_privexp()`).
1347  *
1348  * If `dest` is not `NULL`, then the encoded key is written at that
1349  * address, and the encoded length (in bytes) is returned. If `dest` is
1350  * `NULL`, then nothing is written, but the encoded length is still
1351  * computed and returned.
1352  *
1353  * \param dest   the destination buffer (or `NULL`).
1354  * \param sk     the RSA private key.
1355  * \param pk     the RSA public key.
1356  * \param d      the RSA private exponent.
1357  * \param dlen   the RSA private exponent length (in bytes).
1358  * \return  the encoded key length (in bytes).
1359  */
1360 size_t br_encode_rsa_raw_der(void *dest, const br_rsa_private_key *sk,
1361 	const br_rsa_public_key *pk, const void *d, size_t dlen);
1362 
1363 /**
1364  * \brief Encode an RSA private key (PKCS#8 DER format).
1365  *
1366  * This function encodes the provided key into the PKCS#8 format
1367  * (RFC 5958, type `OneAsymmetricKey`). It wraps around the "raw DER"
1368  * format for the RSA key, as implemented by `br_encode_rsa_raw_der()`.
1369  *
1370  * The key elements are:
1371  *
1372  *  - `sk`: the private key (`p`, `q`, `dp`, `dq` and `iq`)
1373  *
1374  *  - `pk`: the public key (`n` and `e`)
1375  *
1376  *  - `d` (size: `dlen` bytes): the private exponent
1377  *
1378  * The public key elements, and the private exponent `d`, can be
1379  * recomputed from the private key (see `br_rsa_compute_modulus()`,
1380  * `br_rsa_compute_pubexp()` and `br_rsa_compute_privexp()`).
1381  *
1382  * If `dest` is not `NULL`, then the encoded key is written at that
1383  * address, and the encoded length (in bytes) is returned. If `dest` is
1384  * `NULL`, then nothing is written, but the encoded length is still
1385  * computed and returned.
1386  *
1387  * \param dest   the destination buffer (or `NULL`).
1388  * \param sk     the RSA private key.
1389  * \param pk     the RSA public key.
1390  * \param d      the RSA private exponent.
1391  * \param dlen   the RSA private exponent length (in bytes).
1392  * \return  the encoded key length (in bytes).
1393  */
1394 size_t br_encode_rsa_pkcs8_der(void *dest, const br_rsa_private_key *sk,
1395 	const br_rsa_public_key *pk, const void *d, size_t dlen);
1396 
1397 /**
1398  * \brief Encode an EC private key (raw DER format).
1399  *
1400  * This function encodes the provided key into the "raw" format specified
1401  * in RFC 5915 (type `ECPrivateKey`), with DER encoding rules.
1402  *
1403  * The private key is provided in `sk`, the public key being `pk`. If
1404  * `pk` is `NULL`, then the encoded key will not include the public key
1405  * in its `publicKey` field (which is nominally optional).
1406  *
1407  * If `dest` is not `NULL`, then the encoded key is written at that
1408  * address, and the encoded length (in bytes) is returned. If `dest` is
1409  * `NULL`, then nothing is written, but the encoded length is still
1410  * computed and returned.
1411  *
1412  * If the key cannot be encoded (e.g. because there is no known OBJECT
1413  * IDENTIFIER for the used curve), then 0 is returned.
1414  *
1415  * \param dest   the destination buffer (or `NULL`).
1416  * \param sk     the EC private key.
1417  * \param pk     the EC public key (or `NULL`).
1418  * \return  the encoded key length (in bytes), or 0.
1419  */
1420 size_t br_encode_ec_raw_der(void *dest,
1421 	const br_ec_private_key *sk, const br_ec_public_key *pk);
1422 
1423 /**
1424  * \brief Encode an EC private key (PKCS#8 DER format).
1425  *
1426  * This function encodes the provided key into the PKCS#8 format
1427  * (RFC 5958, type `OneAsymmetricKey`). The curve is identified
1428  * by an OID provided as parameters to the `privateKeyAlgorithm`
1429  * field. The private key value (contents of the `privateKey` field)
1430  * contains the DER encoding of the `ECPrivateKey` type defined in
1431  * RFC 5915, without the `parameters` field (since they would be
1432  * redundant with the information in `privateKeyAlgorithm`).
1433  *
1434  * The private key is provided in `sk`, the public key being `pk`. If
1435  * `pk` is not `NULL`, then the encoded public key is included in the
1436  * `publicKey` field of the private key value (but not in the `publicKey`
1437  * field of the PKCS#8 `OneAsymmetricKey` wrapper).
1438  *
1439  * If `dest` is not `NULL`, then the encoded key is written at that
1440  * address, and the encoded length (in bytes) is returned. If `dest` is
1441  * `NULL`, then nothing is written, but the encoded length is still
1442  * computed and returned.
1443  *
1444  * If the key cannot be encoded (e.g. because there is no known OBJECT
1445  * IDENTIFIER for the used curve), then 0 is returned.
1446  *
1447  * \param dest   the destination buffer (or `NULL`).
1448  * \param sk     the EC private key.
1449  * \param pk     the EC public key (or `NULL`).
1450  * \return  the encoded key length (in bytes), or 0.
1451  */
1452 size_t br_encode_ec_pkcs8_der(void *dest,
1453 	const br_ec_private_key *sk, const br_ec_public_key *pk);
1454 
1455 /**
1456  * \brief PEM banner for RSA private key (raw).
1457  */
1458 #define BR_ENCODE_PEM_RSA_RAW      "RSA PRIVATE KEY"
1459 
1460 /**
1461  * \brief PEM banner for EC private key (raw).
1462  */
1463 #define BR_ENCODE_PEM_EC_RAW       "EC PRIVATE KEY"
1464 
1465 /**
1466  * \brief PEM banner for an RSA or EC private key in PKCS#8 format.
1467  */
1468 #define BR_ENCODE_PEM_PKCS8        "PRIVATE KEY"
1469 
1470 #ifdef __cplusplus
1471 }
1472 #endif
1473 
1474 #endif
1475