/*
 * Copyright (c) 2004 - 2006 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden).
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * 3. Neither the name of the Institute nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

/* $Id$ */

/*
 * Library-private header for the hx509 certificate library: pulls in the
 * system, roken and ASN.1 headers the implementation files share, and
 * defines the private data structures behind the opaque public handles.
 * Nothing here is part of the public API.
 */

#include <config.h>

#include <stdio.h>
#include <stdlib.h>
#include <ctype.h>
#include <errno.h>
#ifdef HAVE_STRINGS_H
#include <strings.h>
#endif
#include <assert.h>
#include <stdarg.h>
#include <err.h>
#include <limits.h>

#include <roken.h>

#include <getarg.h>
#include <base64.h>
#include <hex.h>
#include <com_err.h>
#include <parse_units.h>
#include <parse_bytes.h>

#include <krb5-types.h>

/* Generated ASN.1 module headers (X.509, CMS, PKCS#8/9/10/12, OCSP, PKINIT). */
#include <rfc2459_asn1.h>
#include <cms_asn1.h>
#include <pkcs8_asn1.h>
#include <pkcs9_asn1.h>
#include <pkcs12_asn1.h>
#include <ocsp_asn1.h>
#include <pkcs10_asn1.h>
#include <asn1_err.h>
#include <pkinit_asn1.h>

#include <der.h>

/*
 * Defined before crypto-headers.h is included; presumably opts this
 * library into the deprecated crypto API surface -- confirm against
 * crypto-headers.h.
 */
#define HC_DEPRECATED_CRYPTO
#include "crypto-headers.h"

/*
 * Incomplete types declared ahead of <hx509.h> so the public header can
 * refer to them through pointers; the full definitions (where they exist
 * in this header) follow below, the rest live in the implementation files.
 */
struct hx509_keyset_ops;
struct hx509_collector;
struct hx509_generate_private_context;
typedef struct hx509_path hx509_path;

#include <hx509.h>

/* Callback invoked when a certificate's backing data is released. */
typedef void (*_hx509_cert_release_func)(struct hx509_cert_data *, void *);


#include "sel.h"

#include <hx509-private.h>
#include <hx509_err.h>

/*
 * Peer information: the peer's certificate plus an array of
 * AlgorithmIdentifier entries.  Assumed to follow the Heimdal len/val
 * convention (val points at len elements) -- confirm against callers.
 */
struct hx509_peer_info {
    hx509_cert cert;
    AlgorithmIdentifier *val;
    size_t len;
};

/*
 * Search criteria for certificate lookups.  Each value is a single bit
 * (1, 2, 4, 8, 16), so they can be OR-ed together.
 */
#define HX509_CERTS_FIND_SERIALNUMBER		1
#define HX509_CERTS_FIND_ISSUER			2
#define HX509_CERTS_FIND_SUBJECT		4
#define HX509_CERTS_FIND_ISSUER_KEY_ID		8
#define HX509_CERTS_FIND_SUBJECT_KEY_ID		16

/* Private representation of an hx509_name: the DER-decoded Name. */
struct hx509_name_data {
    Name der_name;
};

/*
 * Certificate chain built during path validation: len certificates at val.
 */
struct hx509_path {
    size_t len;
    hx509_cert *val;
};

/*
 * Private representation of an hx509_query.
 *
 * `match` is a bitmask built from the HX509_QUERY_* values below; each is
 * a distinct bit and HX509_QUERY_MASK (0xffffff) covers all 24 bits
 * defined here (0x000001 .. 0x800000).  The remaining members carry the
 * operands for the corresponding match bits; the pairing below is inferred
 * from the names and should be confirmed in the query-matching code.
 */
struct hx509_query_data {
    int match;
#define HX509_QUERY_FIND_ISSUER_CERT		0x000001
#define HX509_QUERY_MATCH_SERIALNUMBER		0x000002
#define HX509_QUERY_MATCH_ISSUER_NAME		0x000004
#define HX509_QUERY_MATCH_SUBJECT_NAME		0x000008
#define HX509_QUERY_MATCH_SUBJECT_KEY_ID	0x000010
#define HX509_QUERY_MATCH_ISSUER_ID		0x000020
#define HX509_QUERY_PRIVATE_KEY			0x000040
#define HX509_QUERY_KU_ENCIPHERMENT		0x000080
#define HX509_QUERY_KU_DIGITALSIGNATURE		0x000100
#define HX509_QUERY_KU_KEYCERTSIGN		0x000200
#define HX509_QUERY_KU_CRLSIGN			0x000400
#define HX509_QUERY_KU_NONREPUDIATION		0x000800
#define HX509_QUERY_KU_KEYAGREEMENT		0x001000
#define HX509_QUERY_KU_DATAENCIPHERMENT		0x002000
#define HX509_QUERY_ANCHOR			0x004000
#define HX509_QUERY_MATCH_CERTIFICATE		0x008000
#define HX509_QUERY_MATCH_LOCAL_KEY_ID		0x010000
#define HX509_QUERY_NO_MATCH_PATH		0x020000
#define HX509_QUERY_MATCH_FRIENDLY_NAME		0x040000
#define HX509_QUERY_MATCH_FUNCTION		0x080000
#define HX509_QUERY_MATCH_KEY_HASH_SHA1		0x100000
#define HX509_QUERY_MATCH_TIME			0x200000
#define HX509_QUERY_MATCH_EKU			0x400000
#define HX509_QUERY_MATCH_EXPR			0x800000
#define HX509_QUERY_MASK			0xffffff
    Certificate *subject;		/* presumably for FIND_ISSUER_CERT */
    Certificate *certificate;		/* presumably for MATCH_CERTIFICATE */
    heim_integer *serial;		/* presumably for MATCH_SERIALNUMBER */
    heim_octet_string *subject_id;	/* presumably for MATCH_SUBJECT_KEY_ID */
    heim_octet_string *local_key_id;	/* presumably for MATCH_LOCAL_KEY_ID */
    Name *issuer_name;			/* presumably for MATCH_ISSUER_NAME */
    Name *subject_name;			/* presumably for MATCH_SUBJECT_NAME */
    hx509_path *path;			/* presumably for NO_MATCH_PATH */
    char *friendlyname;			/* presumably for MATCH_FRIENDLY_NAME */
    /* Caller-supplied predicate and its opaque context (MATCH_FUNCTION). */
    int (*cmp_func)(hx509_context, hx509_cert, void *);
    void *cmp_func_ctx;
    heim_octet_string *keyhash_sha1;	/* presumably for MATCH_KEY_HASH_SHA1 */
    time_t timenow;			/* presumably for MATCH_TIME */
    heim_oid *eku;			/* presumably for MATCH_EKU */
    struct hx_expr *expr;		/* presumably for MATCH_EXPR */
};

/*
 * Backend operations table for a certificate store (keyset).
 *
 * Every entry point returns int (an error code by the library's
 * convention).  `init` hands back a per-store handle through its `void **`
 * argument; the `void *` the other operations receive is presumably that
 * same handle -- confirm in the keyset dispatch code.  Note that `free`
 * is the only operation that does not take an hx509_context.
 */
struct hx509_keyset_ops {
    const char *name;
    int flags;
    int (*init)(hx509_context, hx509_certs, void **,
		int, const char *, hx509_lock);
    int (*store)(hx509_context, hx509_certs, void *, int, hx509_lock);
    int (*free)(hx509_certs, void *);
    int (*add)(hx509_context, hx509_certs, void *, hx509_cert);
    int (*query)(hx509_context, hx509_certs, void *,
		 const hx509_query *, hx509_cert *);
    int (*iter_start)(hx509_context, hx509_certs, void *, void **);
    int (*iter)(hx509_context, hx509_certs, void *, void *, hx509_cert *);
    int (*iter_end)(hx509_context, hx509_certs, void *, void *);
    int (*printinfo)(hx509_context, hx509_certs,
		     void *, int (*)(void *, const char *), void *);
    int (*getkeys)(hx509_context, hx509_certs, void *, hx509_private_key **);
    int (*addkey)(hx509_context, hx509_certs, void *, hx509_private_key);
};

/*
 * List of candidate password strings: len C strings at val.  Held in
 * plain heap memory; whoever frees it is responsible for clearing the
 * strings if they are sensitive.
 */
struct _hx509_password {
    size_t len;
    char **val;
};

/* Shared "no locking" lock object; defined in one of the .c files. */
extern hx509_lock _hx509_empty_lock;

/*
 * Private representation of an hx509_context.
 */
struct hx509_context_data {
    struct hx509_keyset_ops **ks_ops;	/* registered keyset backends */
    int ks_num_ops;			/* number of entries in ks_ops */
    int flags;				/* HX509_CTX_* bits; only one defined here */
#define HX509_CTX_VERIFY_MISSING_OK	1
    /*
     * Default 5*60 (300).  Presumably a tolerance in seconds applied when
     * checking OCSP response times against the current clock -- confirm in
     * the OCSP code before relying on the unit.
     */
    int ocsp_time_diff;
#define HX509_DEFAULT_OCSP_TIME_DIFF (5*60)
    hx509_error error;			/* last error recorded on this context */
    struct et_list *et_list;		/* com_err error tables */
    char *querystat;			/* query statistics output, if enabled */
    hx509_certs default_trust_anchors;
};

/* _hx509_calculate_path flag field */
#define HX509_CALCULATE_PATH_NO_ANCHOR 1

/*
 * environment
 *
 * Node of a singly linked list (via `next`).  `type` selects the live
 * member of `u`: by naming, env_string pairs with u.string and env_list
 * with u.list (a nested list of nodes).
 */
struct hx509_env_data {
    enum { env_string, env_list } type;
    char *name;
    struct hx509_env_data *next;
    union {
	char *string;
	struct hx509_env_data *list;
    } u;
};


/* Library-wide default algorithms; defined in the crypto implementation. */
extern const AlgorithmIdentifier * _hx509_crypto_default_sig_alg;
extern const AlgorithmIdentifier * _hx509_crypto_default_digest_alg;
extern const AlgorithmIdentifier * _hx509_crypto_default_secret_alg;

/*
 * Configurable options
 */

/* Default trust-anchor store; only defined for Apple builds here. */
#ifdef __APPLE__
#define HX509_DEFAULT_ANCHORS "KEYCHAIN:system-anchors"
#endif