VirtualBox

source: vbox/trunk/include/iprt/crypto/x509.h@ 106061

Last change on this file since 106061 was 106061, checked in by vboxsync, 3 months ago

Copyright year updates by scm.

  • Property svn:eol-style set to native
  • Property svn:keywords set to Author Date Id Revision
File size: 60.8 KB
Line 
1/** @file
2 * IPRT - Crypto - X.509, Public Key and Privilege Management Infrastructure.
3 */
4
5/*
6 * Copyright (C) 2014-2024 Oracle and/or its affiliates.
7 *
8 * This file is part of VirtualBox base platform packages, as
9 * available from https://www.virtualbox.org.
10 *
11 * This program is free software; you can redistribute it and/or
12 * modify it under the terms of the GNU General Public License
13 * as published by the Free Software Foundation, in version 3 of the
14 * License.
15 *
16 * This program is distributed in the hope that it will be useful, but
17 * WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
19 * General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License
22 * along with this program; if not, see <https://www.gnu.org/licenses>.
23 *
24 * The contents of this file may alternatively be used under the terms
25 * of the Common Development and Distribution License Version 1.0
26 * (CDDL), a copy of it is provided in the "COPYING.CDDL" file included
27 * in the VirtualBox distribution, in which case the provisions of the
28 * CDDL are applicable instead of those of the GPL.
29 *
30 * You may elect to license modified versions of this file under the
31 * terms and conditions of either the GPL or the CDDL or both.
32 *
33 * SPDX-License-Identifier: GPL-3.0-only OR CDDL-1.0
34 */
35
36#ifndef IPRT_INCLUDED_crypto_x509_h
37#define IPRT_INCLUDED_crypto_x509_h
38#ifndef RT_WITHOUT_PRAGMA_ONCE
39# pragma once
40#endif
41
42#include <iprt/asn1.h>
43#include <iprt/crypto/pem.h>
44
45
46RT_C_DECLS_BEGIN
47
48struct RTCRPKCS7SETOFCERTS;
49
50
51/** @defgroup grp_rt_crypto Crypto
52 * @ingroup grp_rt
53 * @{
54 */
55
56/** @defgroup grp_rt_crx509 RTCrX509 - Public Key and Privilege Management Infrastructure.
57 * @{
58 */
59
60/**
61 * X.509 algorithm identifier (IPRT representation).
62 */
63typedef struct RTCRX509ALGORITHMIDENTIFIER
64{
65 /** The sequence making up this algorithm identifier. */
66 RTASN1SEQUENCECORE SeqCore;
67 /** The algorithm object ID. */
68 RTASN1OBJID Algorithm;
69 /** Optional parameters specified by the algorithm. */
70 RTASN1DYNTYPE Parameters;
71} RTCRX509ALGORITHMIDENTIFIER;
72/** Poitner to the IPRT representation of a X.509 algorithm identifier. */
73typedef RTCRX509ALGORITHMIDENTIFIER *PRTCRX509ALGORITHMIDENTIFIER;
74/** Poitner to the const IPRT representation of a X.509 algorithm identifier. */
75typedef RTCRX509ALGORITHMIDENTIFIER const *PCRTCRX509ALGORITHMIDENTIFIER;
76RTASN1TYPE_STANDARD_PROTOTYPES(RTCRX509ALGORITHMIDENTIFIER, RTDECL, RTCrX509AlgorithmIdentifier, SeqCore.Asn1Core);
77RTASN1_IMPL_GEN_SET_OF_TYPEDEFS_AND_PROTOS(RTCRX509ALGORITHMIDENTIFIERS, RTCRX509ALGORITHMIDENTIFIER, RTDECL, RTCrX509AlgorithmIdentifiers);
78
79/**
80 * Tries to convert an X.509 digest algorithm ID into a RTDIGESTTYPE value.
81 *
82 * @returns Valid RTDIGESTTYPE on success, RTDIGESTTYPE_INVALID on failure.
83 * @param pThis The IPRT representation of a X.509 algorithm
84 * identifier object.
85 * @param fPureDigestsOnly Whether to only match IDs that only identify
86 * digest algorithms, or whether to also include
87 * IDs that mixes hash and encryption/whatever.
88 */
89RTDECL(RTDIGESTTYPE) RTCrX509AlgorithmIdentifier_GetDigestType(PCRTCRX509ALGORITHMIDENTIFIER pThis, bool fPureDigestsOnly);
90
91/**
92 * Tries to figure the digest size of an X.509 digest algorithm ID.
93 *
94 * @returns The digest size in bytes, UINT32_MAX if unknown digest.
95 * @param pThis The IPRT representation of a X.509 algorithm
96 * identifier object.
97 * @param fPureDigestsOnly Whether to only match IDs that only identify
98 * digest algorithms, or whether to also include
99 * IDs that mixes hash and encryption/whatever.
100 */
101RTDECL(uint32_t) RTCrX509AlgorithmIdentifier_GetDigestSize(PCRTCRX509ALGORITHMIDENTIFIER pThis, bool fPureDigestsOnly);
102
103/**
104 * Tries to get the encryption OID from the algorithm.
105 *
106 * @returns The encryption (cipher) OID on success, NULL on failure.
107 * @param pThis The IPRT representation of a X.509 algorithm
108 * identifier object.
109 * @param fMustIncludeHash Whether the algorithm ID represented by @a pThis
110 * must include a hash (true) or whether it is
111 * okay to accept pure encryption IDs as well
112 * (false).
113 */
114RTDECL(const char *) RTCrX509AlgorithmIdentifier_GetEncryptionOid(PCRTCRX509ALGORITHMIDENTIFIER pThis, bool fMustIncludeHash);
115
116/**
117 * Tries to get the encryption OID from the given algorithm OID string.
118 *
119 * @returns The encryption (cipher) OID on success, NULL on failure.
120 * @param pszAlgorithmOid The IPRT representation of a X.509 algorithm
121 * identifier object.
122 * @param fMustIncludeHash Whether @a pszAlgorithmOid must include a hash
123 * (true) or whether it is okay to accept pure
124 * encryption IDs as well (false).
125 */
126RTDECL(const char *) RTCrX509AlgorithmIdentifier_GetEncryptionOidFromOid(const char *pszAlgorithmOid, bool fMustIncludeHash);
127
128RTDECL(int) RTCrX509AlgorithmIdentifier_CompareWithString(PCRTCRX509ALGORITHMIDENTIFIER pThis, const char *pszObjId);
129
130/**
131 * Compares a digest with an encrypted digest algorithm, checking if they
132 * specify the same digest.
133 *
134 * @returns 0 if same digest, -1 if the digest is unknown, 1 if the encrypted
135 * digest does not match.
136 * @param pDigest The digest algorithm.
137 * @param pEncryptedDigest The encrypted digest algorithm.
138 */
139RTDECL(int) RTCrX509AlgorithmIdentifier_CompareDigestAndEncryptedDigest(PCRTCRX509ALGORITHMIDENTIFIER pDigest,
140 PCRTCRX509ALGORITHMIDENTIFIER pEncryptedDigest);
141/**
142 * Compares a digest OID with an encrypted digest algorithm OID, checking if
143 * they specify the same digest.
144 *
145 * @returns 0 if same digest, -1 if the digest is unknown, 1 if the encrypted
146 * digest does not match.
147 * @param pszDigestOid The digest algorithm OID.
148 * @param pszEncryptedDigestOid The encrypted digest algorithm OID.
149 */
150RTDECL(int) RTCrX509AlgorithmIdentifier_CompareDigestOidAndEncryptedDigestOid(const char *pszDigestOid,
151 const char *pszEncryptedDigestOid);
152
153
154/**
155 * Combine the encryption algorithm with the digest algorithm.
156 *
157 * @returns OID of encrypted digest algorithm.
158 * @param pEncryption The encryption algorithm. Will work if this is
159 * the OID of an encrypted digest algorithm too, as
160 * long as it matches @a pDigest.
161 * @param pDigest The digest algorithm. Will work if this is the
162 * OID of an encrypted digest algorithm too, as
163 * long as it matches @a pEncryption.
164 */
165RTDECL(const char *) RTCrX509AlgorithmIdentifier_CombineEncryptionAndDigest(PCRTCRX509ALGORITHMIDENTIFIER pEncryption,
166 PCRTCRX509ALGORITHMIDENTIFIER pDigest);
167
168/**
169 * Combine the encryption algorithm OID with the digest algorithm OID.
170 *
171 * @returns OID of encrypted digest algorithm.
172 * @param pszEncryptionOid The encryption algorithm. Will work if this is
173 * the OID of an encrypted digest algorithm too, as
174 * long as it matches @a pszDigestOid.
175 * @param pszDigestOid The digest algorithm. Will work if this is the
176 * OID of an encrypted digest algorithm too, as
177 * long as it matches @a pszEncryptionOid.
178 */
179RTDECL(const char *) RTCrX509AlgorithmIdentifier_CombineEncryptionOidAndDigestOid(const char *pszEncryptionOid,
180 const char *pszDigestOid);
181
182
183/** @name Typical Digest Algorithm OIDs.
184 * @{ */
185#define RTCRX509ALGORITHMIDENTIFIERID_MD2 "1.2.840.113549.2.2"
186#define RTCRX509ALGORITHMIDENTIFIERID_MD4 "1.2.840.113549.2.4"
187#define RTCRX509ALGORITHMIDENTIFIERID_MD5 "1.2.840.113549.2.5"
188#define RTCRX509ALGORITHMIDENTIFIERID_SHA0 "1.3.14.3.2.18"
189#define RTCRX509ALGORITHMIDENTIFIERID_SHA1 "1.3.14.3.2.26"
190#define RTCRX509ALGORITHMIDENTIFIERID_SHA256 "2.16.840.1.101.3.4.2.1"
191#define RTCRX509ALGORITHMIDENTIFIERID_SHA384 "2.16.840.1.101.3.4.2.2"
192#define RTCRX509ALGORITHMIDENTIFIERID_SHA512 "2.16.840.1.101.3.4.2.3"
193#define RTCRX509ALGORITHMIDENTIFIERID_SHA224 "2.16.840.1.101.3.4.2.4"
194#define RTCRX509ALGORITHMIDENTIFIERID_SHA512T224 "2.16.840.1.101.3.4.2.5"
195#define RTCRX509ALGORITHMIDENTIFIERID_SHA512T256 "2.16.840.1.101.3.4.2.6"
196#define RTCRX509ALGORITHMIDENTIFIERID_SHA3_224 "2.16.840.1.101.3.4.2.7"
197#define RTCRX509ALGORITHMIDENTIFIERID_SHA3_256 "2.16.840.1.101.3.4.2.8"
198#define RTCRX509ALGORITHMIDENTIFIERID_SHA3_384 "2.16.840.1.101.3.4.2.9"
199#define RTCRX509ALGORITHMIDENTIFIERID_SHA3_512 "2.16.840.1.101.3.4.2.10"
200#define RTCRX509ALGORITHMIDENTIFIERID_WHIRLPOOL "1.0.10118.3.0.55"
201/** @} */
202
203/** @name Encrypted Digest Algorithm OIDs.
204 * @remarks The PKCS variants are the default ones, alternative OID are marked
205 * as such.
206 * @{ */
207#define RTCRX509ALGORITHMIDENTIFIERID_RSA "1.2.840.113549.1.1.1"
208#define RTCRX509ALGORITHMIDENTIFIERID_MD2_WITH_RSA "1.2.840.113549.1.1.2"
209#define RTCRX509ALGORITHMIDENTIFIERID_MD4_WITH_RSA "1.2.840.113549.1.1.3"
210#define RTCRX509ALGORITHMIDENTIFIERID_MD5_WITH_RSA "1.2.840.113549.1.1.4"
211#define RTCRX509ALGORITHMIDENTIFIERID_SHA1_WITH_RSA "1.2.840.113549.1.1.5"
212#define RTCRX509ALGORITHMIDENTIFIERID_SHA256_WITH_RSA "1.2.840.113549.1.1.11"
213#define RTCRX509ALGORITHMIDENTIFIERID_SHA384_WITH_RSA "1.2.840.113549.1.1.12"
214#define RTCRX509ALGORITHMIDENTIFIERID_SHA512_WITH_RSA "1.2.840.113549.1.1.13"
215#define RTCRX509ALGORITHMIDENTIFIERID_SHA224_WITH_RSA "1.2.840.113549.1.1.14"
216#define RTCRX509ALGORITHMIDENTIFIERID_SHA512T224_WITH_RSA "1.2.840.113549.1.1.15"
217#define RTCRX509ALGORITHMIDENTIFIERID_SHA512T256_WITH_RSA "1.2.840.113549.1.1.16"
218#define RTCRX509ALGORITHMIDENTIFIERID_SHA3_224_WITH_RSA "2.16.840.1.101.3.4.3.13"
219#define RTCRX509ALGORITHMIDENTIFIERID_SHA3_256_WITH_RSA "2.16.840.1.101.3.4.3.14"
220#define RTCRX509ALGORITHMIDENTIFIERID_SHA3_384_WITH_RSA "2.16.840.1.101.3.4.3.15"
221#define RTCRX509ALGORITHMIDENTIFIERID_SHA3_512_WITH_RSA "2.16.840.1.101.3.4.3.16"
222#define RTCRX509ALGORITHMIDENTIFIERID_ECDSA "1.2.840.10045.2.1"
223#define RTCRX509ALGORITHMIDENTIFIERID_SHA1_WITH_ECDSA "1.2.840.10045.4.1"
224#define RTCRX509ALGORITHMIDENTIFIERID_SHA224_WITH_ECDSA "1.2.840.10045.4.3.1"
225#define RTCRX509ALGORITHMIDENTIFIERID_SHA256_WITH_ECDSA "1.2.840.10045.4.3.2"
226#define RTCRX509ALGORITHMIDENTIFIERID_SHA384_WITH_ECDSA "1.2.840.10045.4.3.3"
227#define RTCRX509ALGORITHMIDENTIFIERID_SHA512_WITH_ECDSA "1.2.840.10045.4.3.4"
228#define RTCRX509ALGORITHMIDENTIFIERID_SHA3_224_WITH_ECDSA "2.16.840.1.101.3.4.3.9"
229#define RTCRX509ALGORITHMIDENTIFIERID_SHA3_256_WITH_ECDSA "2.16.840.1.101.3.4.3.10"
230#define RTCRX509ALGORITHMIDENTIFIERID_SHA3_384_WITH_ECDSA "2.16.840.1.101.3.4.3.11"
231#define RTCRX509ALGORITHMIDENTIFIERID_SHA3_512_WITH_ECDSA "2.16.840.1.101.3.4.3.12"
232/** @} */
233
234
235
236
237/**
238 * One X.509 AttributeTypeAndValue (IPRT representation).
239 */
240typedef struct RTCRX509ATTRIBUTETYPEANDVALUE
241{
242 /** Sequence core. */
243 RTASN1SEQUENCECORE SeqCore;
244 /** The attribute type (object ID). */
245 RTASN1OBJID Type;
246 /** The attribute value (what it is is defined by Type). */
247 RTASN1DYNTYPE Value;
248} RTCRX509ATTRIBUTETYPEANDVALUE;
249/** Pointer to a X.509 AttributeTypeAndValue (IPRT representation). */
250typedef RTCRX509ATTRIBUTETYPEANDVALUE *PRTCRX509ATTRIBUTETYPEANDVALUE;
251/** Pointer to a const X.509 AttributeTypeAndValue (IPRT representation). */
252typedef RTCRX509ATTRIBUTETYPEANDVALUE const *PCRTCRX509ATTRIBUTETYPEANDVALUE;
253RTASN1TYPE_STANDARD_PROTOTYPES(RTCRX509ATTRIBUTETYPEANDVALUE, RTDECL, RTCrX509AttributeTypeAndValue, SeqCore.Asn1Core);
254RTASN1_IMPL_GEN_SET_OF_TYPEDEFS_AND_PROTOS(RTCRX509ATTRIBUTETYPEANDVALUES, RTCRX509ATTRIBUTETYPEANDVALUE, RTDECL, RTCrX509AttributeTypeAndValues);
255
256RTASN1TYPE_ALIAS(RTCRX509RELATIVEDISTINGUISHEDNAME, RTCRX509ATTRIBUTETYPEANDVALUES, RTCrX509RelativeDistinguishedName, RTCrX509AttributeTypeAndValues);
257
258
259RTASN1_IMPL_GEN_SEQ_OF_TYPEDEFS_AND_PROTOS(RTCRX509NAME, RTCRX509RELATIVEDISTINGUISHEDNAME, RTDECL, RTCrX509Name);
260RTDECL(int) RTCrX509Name_CheckSanity(PCRTCRX509NAME pName, uint32_t fFlags, PRTERRINFO pErrInfo, const char *pszErrorTag);
261RTDECL(bool) RTCrX509Name_MatchByRfc5280(PCRTCRX509NAME pLeft, PCRTCRX509NAME pRight);
262
263/**
264 * Name constraint matching (RFC-5280).
265 *
266 * @returns true on match, false on mismatch.
267 * @param pConstraint The constraint name.
268 * @param pName The name to match against the constraint.
269 * @sa RTCrX509GeneralName_ConstraintMatch,
270 * RTCrX509RelativeDistinguishedName_ConstraintMatch
271 */
272RTDECL(bool) RTCrX509Name_ConstraintMatch(PCRTCRX509NAME pConstraint, PCRTCRX509NAME pName);
273RTDECL(int) RTCrX509Name_RecodeAsUtf8(PRTCRX509NAME pThis, PCRTASN1ALLOCATORVTABLE pAllocator);
274
275/**
276 * Matches the directory name against a comma separated list of the component
277 * strings (case sensitive).
278 *
279 * @returns true if match, false if mismatch.
280 * @param pThis The name object.
281 * @param pszString The string to match against. For example:
282 * "C=US, ST=California, L=Redwood Shores, O=Oracle Corporation"
283 *
284 * @remarks This is doing a straight compare, no extra effort is expended in
285 * dealing with different component order. If the component order
286 * differs, there won't be any match.
287 */
288RTDECL(bool) RTCrX509Name_MatchWithString(PCRTCRX509NAME pThis, const char *pszString);
289
290/**
291 * Formats the name as a command separated list of components with type
292 * prefixes.
293 *
294 * The output of this function is suitable for use with
295 * RTCrX509Name_MatchWithString.
296 *
297 * @returns IPRT status code.
298 * @param pThis The name object.
299 * @param pszBuf The output buffer.
300 * @param cbBuf The size of the output buffer.
301 * @param pcbActual Where to return the number of bytes required for the
302 * output, including the null terminator character.
303 * Optional.
304 */
305RTDECL(int) RTCrX509Name_FormatAsString(PCRTCRX509NAME pThis, char *pszBuf, size_t cbBuf, size_t *pcbActual);
306
307
308/**
309 * Looks up the RDN ID and returns the short name for it, if found.
310 *
311 * @returns Short name (e.g. 'CN') or NULL.
312 * @param pRdnId The RDN ID to look up.
313 */
314RTDECL(const char *) RTCrX509Name_GetShortRdn(PCRTASN1OBJID pRdnId);
315
316/**
317 * One X.509 OtherName (IPRT representation).
318 */
319typedef struct RTCRX509OTHERNAME
320{
321 /** The sequence core. */
322 RTASN1SEQUENCECORE SeqCore;
323 /** The name type identifier. */
324 RTASN1OBJID TypeId;
325 /** The name value (explicit tag 0). */
326 RTASN1DYNTYPE Value;
327} RTCRX509OTHERNAME;
328/** Pointer to a X.509 OtherName (IPRT representation). */
329typedef RTCRX509OTHERNAME *PRTCRX509OTHERNAME;
330/** Pointer to a const X.509 OtherName (IPRT representation). */
331typedef RTCRX509OTHERNAME const *PCRTCRX509OTHERNAME;
332RTASN1TYPE_STANDARD_PROTOTYPES(RTCRX509OTHERNAME, RTDECL, RTCrX509OtherName, SeqCore.Asn1Core);
333
334
335typedef enum RTCRX509GENERALNAMECHOICE
336{
337 RTCRX509GENERALNAMECHOICE_INVALID = 0,
338 RTCRX509GENERALNAMECHOICE_OTHER_NAME,
339 RTCRX509GENERALNAMECHOICE_RFC822_NAME,
340 RTCRX509GENERALNAMECHOICE_DNS_NAME,
341 RTCRX509GENERALNAMECHOICE_X400_ADDRESS,
342 RTCRX509GENERALNAMECHOICE_DIRECTORY_NAME,
343 RTCRX509GENERALNAMECHOICE_EDI_PARTY_NAME,
344 RTCRX509GENERALNAMECHOICE_URI,
345 RTCRX509GENERALNAMECHOICE_IP_ADDRESS,
346 RTCRX509GENERALNAMECHOICE_REGISTERED_ID,
347 RTCRX509GENERALNAMECHOICE_END,
348 RTCRX509GENERALNAMECHOICE_32BIT_HACK = 0x7fffffff
349} RTCRX509GENERALNAMECHOICE;
350
351/**
352 * One X.509 GeneralName (IPRT representation).
353 *
354 * This is represented as a union. Use the RTCRX509GENERALNAME_IS_XXX predicate
355 * macros to figure out which member is valid (Asn1Core is always valid).
356 */
357typedef struct RTCRX509GENERALNAME
358{
359 /** Dummy ASN.1 record, not encoded. */
360 RTASN1DUMMY Dummy;
361 /** The value allocation. */
362 RTASN1ALLOCATION Allocation;
363 /** The choice of value. */
364 RTCRX509GENERALNAMECHOICE enmChoice;
365 /** The value union. */
366 union
367 {
368 /** Tag 0: Other Name. */
369 PRTCRX509OTHERNAME pT0_OtherName;
370 /** Tag 1: RFC-822 Name. */
371 PRTASN1STRING pT1_Rfc822;
372 /** Tag 2: DNS name. */
373 PRTASN1STRING pT2_DnsName;
374 /** Tag 3: X.400 Address. */
375 struct
376 {
377 /** Context tag 3. */
378 RTASN1CONTEXTTAG3 CtxTag3;
379 /** Later. */
380 RTASN1DYNTYPE X400Address;
381 } *pT3;
382 /** Tag 4: Directory Name. */
383 struct
384 {
385 /** Context tag 4. */
386 RTASN1CONTEXTTAG4 CtxTag4;
387 /** Directory name. */
388 RTCRX509NAME DirectoryName;
389 } *pT4;
390 /** Tag 5: EDI Party Name. */
391 struct
392 {
393 /** Context tag 5. */
394 RTASN1CONTEXTTAG5 CtxTag5;
395 /** Later. */
396 RTASN1DYNTYPE EdiPartyName;
397 } *pT5;
398 /** Tag 6: URI. */
399 PRTASN1STRING pT6_Uri;
400 /** Tag 7: IP address. Either 4/8 (IPv4) or 16/32 (IPv16) octets long. */
401 PRTASN1OCTETSTRING pT7_IpAddress;
402 /** Tag 8: Registered ID. */
403 PRTASN1OBJID pT8_RegisteredId;
404 } u;
405} RTCRX509GENERALNAME;
406/** Pointer to the IPRT representation of an X.509 general name. */
407typedef RTCRX509GENERALNAME *PRTCRX509GENERALNAME;
408/** Pointer to the const IPRT representation of an X.509 general name. */
409typedef RTCRX509GENERALNAME const *PCRTCRX509GENERALNAME;
410RTASN1TYPE_STANDARD_PROTOTYPES(RTCRX509GENERALNAME, RTDECL, RTCrX509GeneralName, Dummy.Asn1Core);
411
412/** @name RTCRX509GENERALNAME tag predicates.
413 * @{ */
414#define RTCRX509GENERALNAME_IS_OTHER_NAME(a_GenName) ((a_GenName)->enmChoice == RTCRX509GENERALNAMECHOICE_OTHER_NAME)
415#define RTCRX509GENERALNAME_IS_RFC822_NAME(a_GenName) ((a_GenName)->enmChoice == RTCRX509GENERALNAMECHOICE_RFC822_NAME)
416#define RTCRX509GENERALNAME_IS_DNS_NAME(a_GenName) ((a_GenName)->enmChoice == RTCRX509GENERALNAMECHOICE_DNS_NAME)
417#define RTCRX509GENERALNAME_IS_X400_ADDRESS(a_GenName) ((a_GenName)->enmChoice == RTCRX509GENERALNAMECHOICE_X400_ADDRESS)
418#define RTCRX509GENERALNAME_IS_DIRECTORY_NAME(a_GenName) ((a_GenName)->enmChoice == RTCRX509GENERALNAMECHOICE_DIRECTORY_NAME)
419#define RTCRX509GENERALNAME_IS_EDI_PARTY_NAME(a_GenName) ((a_GenName)->enmChoice == RTCRX509GENERALNAMECHOICE_EDI_PARTY_NAME)
420#define RTCRX509GENERALNAME_IS_URI(a_GenName) ((a_GenName)->enmChoice == RTCRX509GENERALNAMECHOICE_URI)
421#define RTCRX509GENERALNAME_IS_IP_ADDRESS(a_GenName) ((a_GenName)->enmChoice == RTCRX509GENERALNAMECHOICE_IP_ADDRESS)
422#define RTCRX509GENERALNAME_IS_REGISTERED_ID(a_GenName) ((a_GenName)->enmChoice == RTCRX509GENERALNAMECHOICE_REGISTERED_ID)
423/** @} */
424
425
426RTASN1_IMPL_GEN_SEQ_OF_TYPEDEFS_AND_PROTOS(RTCRX509GENERALNAMES, RTCRX509GENERALNAME, RTDECL, RTCrX509GeneralNames);
427RTDECL(bool) RTCrX509GeneralName_ConstraintMatch(PCRTCRX509GENERALNAME pConstraint, PCRTCRX509GENERALNAME pName);
428
429
430/**
431 * X.509 Validity (IPRT representation).
432 */
433typedef struct RTCRX509VALIDITY
434{
435 /** Core sequence bits. */
436 RTASN1SEQUENCECORE SeqCore;
437 /** Effective starting. */
438 RTASN1TIME NotBefore;
439 /** Expires after. */
440 RTASN1TIME NotAfter;
441} RTCRX509VALIDITY;
442/** Pointer to the IPRT representation of an X.509 validity sequence. */
443typedef RTCRX509VALIDITY *PRTCRX509VALIDITY;
444/** Pointer ot the const IPRT representation of an X.509 validity sequence. */
445typedef RTCRX509VALIDITY const *PCRTCRX509VALIDITY;
446RTASN1TYPE_STANDARD_PROTOTYPES(RTCRX509VALIDITY, RTDECL, RTCrX509Validity, SeqCore.Asn1Core);
447
448RTDECL(bool) RTCrX509Validity_IsValidAtTimeSpec(PCRTCRX509VALIDITY pThis, PCRTTIMESPEC pTimeSpec);
449
450
451#if 0
452/**
453 * X.509 UniqueIdentifier (IPRT representation).
454 */
455typedef struct RTCRX509UNIQUEIDENTIFIER
456{
457 /** Representation is a bit string. */
458 RTASN1BITSTRING BitString;
459} RTCRX509UNIQUEIDENTIFIER;
460/** Pointer to the IPRT representation of an X.509 unique identifier. */
461typedef RTCRX509UNIQUEIDENTIFIER *PRTCRX509UNIQUEIDENTIFIER;
462/** Pointer to the const IPRT representation of an X.509 unique identifier. */
463typedef RTCRX509UNIQUEIDENTIFIER const *PCRTCRX509UNIQUEIDENTIFIER;
464RTASN1TYPE_STANDARD_PROTOTYPES_NO_GET_CORE(RTCRX509UNIQUEIDENTIFIER, RTDECL, RTCrX509UniqueIdentifier);
465#endif
466RTASN1TYPE_ALIAS(RTCRX509UNIQUEIDENTIFIER, RTASN1BITSTRING, RTCrX509UniqueIdentifier, RTAsn1BitString);
467
468
469/**
470 * X.509 SubjectPublicKeyInfo (IPRT representation).
471 */
472typedef struct RTCRX509SUBJECTPUBLICKEYINFO
473{
474 /** Core sequence bits. */
475 RTASN1SEQUENCECORE SeqCore;
476 /** The algorithm used with the public key. */
477 RTCRX509ALGORITHMIDENTIFIER Algorithm;
478 /** A bit string containing the public key.
479 *
480 * For algorithms like rsaEncryption this is generally a sequence of two
481 * integers, where the first one has lots of bits, and the second one being a
482 * modulous value. These are details specific to the algorithm and not relevant
483 * when validating the certificate chain. */
484 RTASN1BITSTRING SubjectPublicKey;
485} RTCRX509SUBJECTPUBLICKEYINFO;
486/** Pointer to the IPRT representation of an X.509 subject public key info
487 * sequence. */
488typedef RTCRX509SUBJECTPUBLICKEYINFO *PRTCRX509SUBJECTPUBLICKEYINFO;
489/** Pointer to the const IPRT representation of an X.509 subject public key info
490 * sequence. */
491typedef RTCRX509SUBJECTPUBLICKEYINFO const *PCRTCRX509SUBJECTPUBLICKEYINFO;
492RTASN1TYPE_STANDARD_PROTOTYPES(RTCRX509SUBJECTPUBLICKEYINFO, RTDECL, RTCrX509SubjectPublicKeyInfo, SeqCore.Asn1Core);
493
494
495/**
496 * One X.509 AuthorityKeyIdentifier (IPRT representation).
497 */
498typedef struct RTCRX509AUTHORITYKEYIDENTIFIER
499{
500 /** Sequence core. */
501 RTASN1SEQUENCECORE SeqCore;
502 /** Tag 0, optional, implicit: Key identifier. */
503 RTASN1OCTETSTRING KeyIdentifier;
504 /** Tag 1, optional, implicit: Issuer name. */
505 RTCRX509GENERALNAMES AuthorityCertIssuer;
506 /** Tag 2, optional, implicit: Serial number of issuer. */
507 RTASN1INTEGER AuthorityCertSerialNumber;
508} RTCRX509AUTHORITYKEYIDENTIFIER;
509/** Pointer to the IPRT representation of an X.509 AuthorityKeyIdentifier
510 * sequence. */
511typedef RTCRX509AUTHORITYKEYIDENTIFIER *PRTCRX509AUTHORITYKEYIDENTIFIER;
512/** Pointer to the const IPRT representation of an X.509 AuthorityKeyIdentifier
513 * sequence. */
514typedef RTCRX509AUTHORITYKEYIDENTIFIER const *PCRTCRX509AUTHORITYKEYIDENTIFIER;
515RTASN1TYPE_STANDARD_PROTOTYPES(RTCRX509AUTHORITYKEYIDENTIFIER, RTDECL, RTCrX509AuthorityKeyIdentifier, SeqCore.Asn1Core);
516
517
518/**
519 * One X.509 OldAuthorityKeyIdentifier (IPRT representation).
520 */
521typedef struct RTCRX509OLDAUTHORITYKEYIDENTIFIER
522{
523 /** Sequence core. */
524 RTASN1SEQUENCECORE SeqCore;
525 /** Tag 0, optional, implicit: Key identifier. */
526 RTASN1OCTETSTRING KeyIdentifier;
527 struct
528 {
529 RTASN1CONTEXTTAG1 CtxTag1;
530 /** Tag 1, optional, implicit: Issuer name. */
531 RTCRX509NAME AuthorityCertIssuer;
532 } T1;
533 /** Tag 2, optional, implicit: Serial number of issuer. */
534 RTASN1INTEGER AuthorityCertSerialNumber;
535} RTCRX509OLDAUTHORITYKEYIDENTIFIER;
536/** Pointer to the IPRT representation of an X.509 AuthorityKeyIdentifier
537 * sequence. */
538typedef RTCRX509OLDAUTHORITYKEYIDENTIFIER *PRTCRX509OLDAUTHORITYKEYIDENTIFIER;
539/** Pointer to the const IPRT representation of an X.509 AuthorityKeyIdentifier
540 * sequence. */
541typedef RTCRX509OLDAUTHORITYKEYIDENTIFIER const *PCRTCRX509OLDAUTHORITYKEYIDENTIFIER;
542RTASN1TYPE_STANDARD_PROTOTYPES(RTCRX509OLDAUTHORITYKEYIDENTIFIER, RTDECL, RTCrX509OldAuthorityKeyIdentifier, SeqCore.Asn1Core);
543
544
545/**
546 * One X.509 PolicyQualifierInfo (IPRT representation).
547 */
548typedef struct RTCRX509POLICYQUALIFIERINFO
549{
550 /** Core sequence bits. */
551 RTASN1SEQUENCECORE SeqCore;
552 /** The policy object ID. */
553 RTASN1OBJID PolicyQualifierId;
554 /** Anything defined by the policy qualifier id. */
555 RTASN1DYNTYPE Qualifier;
556} RTCRX509POLICYQUALIFIERINFO;
557/** Pointer to the IPRT representation of an X.509 PolicyQualifierInfo
558 * sequence. */
559typedef RTCRX509POLICYQUALIFIERINFO *PRTCRX509POLICYQUALIFIERINFO;
560/** Pointer to the const IPRT representation of an X.509 PolicyQualifierInfo
561 * sequence. */
562typedef RTCRX509POLICYQUALIFIERINFO const *PCRTCRX509POLICYQUALIFIERINFO;
563RTASN1TYPE_STANDARD_PROTOTYPES(RTCRX509POLICYQUALIFIERINFO, RTDECL, RTCrX509PolicyQualifierInfo, SeqCore.Asn1Core);
564RTASN1_IMPL_GEN_SEQ_OF_TYPEDEFS_AND_PROTOS(RTCRX509POLICYQUALIFIERINFOS, RTCRX509POLICYQUALIFIERINFO, RTDECL, RTCrX509PolicyQualifierInfos);
565
566
567/**
568 * One X.509 PolicyInformation (IPRT representation).
569 */
570typedef struct RTCRX509POLICYINFORMATION
571{
572 /** Core sequence bits. */
573 RTASN1SEQUENCECORE SeqCore;
574 /** The policy object ID. */
575 RTASN1OBJID PolicyIdentifier;
576 /** Optional sequence of policy qualifiers. */
577 RTCRX509POLICYQUALIFIERINFOS PolicyQualifiers;
578} RTCRX509POLICYINFORMATION;
579/** Pointer to the IPRT representation of an X.509 PolicyInformation
580 * sequence. */
581typedef RTCRX509POLICYINFORMATION *PRTCRX509POLICYINFORMATION;
582/** Pointer to the const IPRT representation of an X.509 PolicyInformation
583 * sequence. */
584typedef RTCRX509POLICYINFORMATION const *PCRTCRX509POLICYINFORMATION;
585RTASN1TYPE_STANDARD_PROTOTYPES(RTCRX509POLICYINFORMATION, RTDECL, RTCrX509PolicyInformation, SeqCore.Asn1Core);
586RTASN1_IMPL_GEN_SEQ_OF_TYPEDEFS_AND_PROTOS(RTCRX509CERTIFICATEPOLICIES, RTCRX509POLICYINFORMATION, RTDECL, RTCrX509CertificatePolicies);
587
588/** Sepcial policy object ID that matches any policy. */
589#define RTCRX509_ID_CE_CP_ANY_POLICY_OID "2.5.29.32.0"
590
591
592/**
593 * One X.509 PolicyMapping (IPRT representation).
594 */
595typedef struct RTCRX509POLICYMAPPING
596{
597 /** Core sequence bits. */
598 RTASN1SEQUENCECORE SeqCore;
599 /** Issuer policy ID. */
600 RTASN1OBJID IssuerDomainPolicy;
601 /** Subject policy ID. */
602 RTASN1OBJID SubjectDomainPolicy;
603} RTCRX509POLICYMAPPING;
604/** Pointer to the IPRT representation of a sequence of X.509 PolicyMapping. */
605typedef RTCRX509POLICYMAPPING *PRTCRX509POLICYMAPPING;
606/** Pointer to the const IPRT representation of a sequence of X.509
607 * PolicyMapping. */
608typedef RTCRX509POLICYMAPPING const *PCRTCRX509POLICYMAPPING;
609RTASN1TYPE_STANDARD_PROTOTYPES(RTCRX509POLICYMAPPING, RTDECL, RTCrX509PolicyMapping, SeqCore.Asn1Core);
610RTASN1_IMPL_GEN_SEQ_OF_TYPEDEFS_AND_PROTOS(RTCRX509POLICYMAPPINGS, RTCRX509POLICYMAPPING, RTDECL, RTCrX509PolicyMappings);
611
612
613/**
614 * X.509 BasicConstraints (IPRT representation).
615 */
616typedef struct RTCRX509BASICCONSTRAINTS
617{
618 /** Core sequence bits. */
619 RTASN1SEQUENCECORE SeqCore;
620 /** Is this ia certficiate authority? Default to false. */
621 RTASN1BOOLEAN CA;
622 /** Path length constraint. */
623 RTASN1INTEGER PathLenConstraint;
624} RTCRX509BASICCONSTRAINTS;
625/** Pointer to the IPRT representation of a sequence of X.509
626 * BasicConstraints. */
627typedef RTCRX509BASICCONSTRAINTS *PRTCRX509BASICCONSTRAINTS;
628/** Pointer to the const IPRT representation of a sequence of X.509
629 * BasicConstraints. */
630typedef RTCRX509BASICCONSTRAINTS const *PCRTCRX509BASICCONSTRAINTS;
631RTASN1TYPE_STANDARD_PROTOTYPES(RTCRX509BASICCONSTRAINTS, RTDECL, RTCrX509BasicConstraints, SeqCore.Asn1Core);
632
633
634/**
635 * X.509 GeneralSubtree (IPRT representation).
636 */
637typedef struct RTCRX509GENERALSUBTREE
638{
639 /** Core sequence bits. */
640 RTASN1SEQUENCECORE SeqCore;
641 /** Base name. */
642 RTCRX509GENERALNAME Base;
643 /** Tag 0, optional: Minimum, default 0. Fixed at 0 by RFC-5280. */
644 RTASN1INTEGER Minimum;
645 /** Tag 1, optional: Maximum. Fixed as not-present by RFC-5280. */
646 RTASN1INTEGER Maximum;
647} RTCRX509GENERALSUBTREE;
648/** Pointer to the IPRT representation of a sequence of X.509 GeneralSubtree. */
649typedef RTCRX509GENERALSUBTREE *PRTCRX509GENERALSUBTREE;
650/** Pointer to the const IPRT representation of a sequence of X.509
651 * GeneralSubtree. */
652typedef RTCRX509GENERALSUBTREE const *PCRTCRX509GENERALSUBTREE;
653RTASN1TYPE_STANDARD_PROTOTYPES(RTCRX509GENERALSUBTREE, RTDECL, RTCrX509GeneralSubtree, SeqCore.Asn1Core);
654
655RTDECL(bool) RTCrX509GeneralSubtree_ConstraintMatch(PCRTCRX509GENERALSUBTREE pConstraint, PCRTCRX509GENERALSUBTREE pName);
656
657RTASN1_IMPL_GEN_SEQ_OF_TYPEDEFS_AND_PROTOS(RTCRX509GENERALSUBTREES, RTCRX509GENERALSUBTREE, RTDECL, RTCrX509GeneralSubtrees);
658
659
660/**
661 * X.509 NameConstraints (IPRT representation).
662 */
663typedef struct RTCRX509NAMECONSTRAINTS
664{
665 /** Core sequence bits. */
666 RTASN1SEQUENCECORE SeqCore;
667 /** Tag 0, optional: Permitted subtrees. */
668 struct
669 {
670 /** Context tag. */
671 RTASN1CONTEXTTAG0 CtxTag0;
672 /** The permitted subtrees. */
673 RTCRX509GENERALSUBTREES PermittedSubtrees;
674 } T0;
675 /** Tag 1, optional: Excluded subtrees. */
676 struct
677 {
678 /** Context tag. */
679 RTASN1CONTEXTTAG1 CtxTag1;
680 /** The excluded subtrees. */
681 RTCRX509GENERALSUBTREES ExcludedSubtrees;
682 } T1;
683} RTCRX509NAMECONSTRAINTS;
684/** Pointer to the IPRT representation of a sequence of X.509
685 * NameConstraints. */
686typedef RTCRX509NAMECONSTRAINTS *PRTCRX509NAMECONSTRAINTS;
687/** Pointer to the const IPRT representation of a sequence of X.509
688 * NameConstraints. */
689typedef RTCRX509NAMECONSTRAINTS const *PCRTCRX509NAMECONSTRAINTS;
690RTASN1TYPE_STANDARD_PROTOTYPES(RTCRX509NAMECONSTRAINTS, RTDECL, RTCrX509NameConstraints, SeqCore.Asn1Core);
691
692
693/**
694 * X.509 PolicyConstraints (IPRT representation).
695 */
696typedef struct RTCRX509POLICYCONSTRAINTS
697{
698 /** Core sequence bits. */
699 RTASN1SEQUENCECORE SeqCore;
700 /** Tag 0, optional: Certificates before an explicit policy is required. */
701 RTASN1INTEGER RequireExplicitPolicy;
702 /** Tag 1, optional: Certificates before policy mapping is inhibited. */
703 RTASN1INTEGER InhibitPolicyMapping;
704} RTCRX509POLICYCONSTRAINTS;
705/** Pointer to the IPRT representation of a sequence of X.509
706 * PolicyConstraints. */
707typedef RTCRX509POLICYCONSTRAINTS *PRTCRX509POLICYCONSTRAINTS;
708/** Pointer to the const IPRT representation of a sequence of X.509
709 * PolicyConstraints. */
710typedef RTCRX509POLICYCONSTRAINTS const *PCRTCRX509POLICYCONSTRAINTS;
711RTASN1TYPE_STANDARD_PROTOTYPES(RTCRX509POLICYCONSTRAINTS, RTDECL, RTCrX509PolicyConstraints, SeqCore.Asn1Core);
712
713
714/**
715 * Indicates what an X.509 extension value encapsulates.
716 */
717typedef enum RTCRX509EXTENSIONVALUE
718{
719 RTCRX509EXTENSIONVALUE_INVALID = 0,
720 /** Unknown, no decoding available just the octet string. */
721 RTCRX509EXTENSIONVALUE_UNKNOWN,
722 /** Unencapsulated (i.e. octet string). */
723 RTCRX509EXTENSIONVALUE_NOT_ENCAPSULATED,
724
725 /** Bit string (RTASN1BITSTRING). */
726 RTCRX509EXTENSIONVALUE_BIT_STRING,
727 /** Octet string (RTASN1OCTETSTRING). */
728 RTCRX509EXTENSIONVALUE_OCTET_STRING,
729 /** Integer string (RTASN1INTEGER). */
730 RTCRX509EXTENSIONVALUE_INTEGER,
731 /** Sequence of object identifiers (RTASN1SEQOFOBJIDS). */
732 RTCRX509EXTENSIONVALUE_SEQ_OF_OBJ_IDS,
733
734 /** Authority key identifier (RTCRX509AUTHORITYKEYIDENTIFIER). */
735 RTCRX509EXTENSIONVALUE_AUTHORITY_KEY_IDENTIFIER,
736 /** Old Authority key identifier (RTCRX509OLDAUTHORITYKEYIDENTIFIER). */
737 RTCRX509EXTENSIONVALUE_OLD_AUTHORITY_KEY_IDENTIFIER,
738 /** Certificate policies (RTCRX509CERTIFICATEPOLICIES). */
739 RTCRX509EXTENSIONVALUE_CERTIFICATE_POLICIES,
740 /** Sequence of policy mappings (RTCRX509POLICYMAPPINGS). */
741 RTCRX509EXTENSIONVALUE_POLICY_MAPPINGS,
742 /** Basic constraints (RTCRX509BASICCONSTRAINTS). */
743 RTCRX509EXTENSIONVALUE_BASIC_CONSTRAINTS,
744 /** Name constraints (RTCRX509NAMECONSTRAINTS). */
745 RTCRX509EXTENSIONVALUE_NAME_CONSTRAINTS,
746 /** Policy constraints (RTCRX509POLICYCONSTRAINTS). */
747 RTCRX509EXTENSIONVALUE_POLICY_CONSTRAINTS,
748 /** Sequence of general names (RTCRX509GENERALNAMES). */
749 RTCRX509EXTENSIONVALUE_GENERAL_NAMES,
750
751 /** Blow the type up to 32-bits. */
752 RTCRX509EXTENSIONVALUE_32BIT_HACK = 0x7fffffff
753} RTCRX509EXTENSIONVALUE;
754
755/**
756 * One X.509 Extension (IPRT representation).
757 */
758typedef struct RTCRX509EXTENSION
759{
760 /** Core sequence bits. */
761 RTASN1SEQUENCECORE SeqCore;
762 /** Extension ID. */
763 RTASN1OBJID ExtnId;
764 /** Whether this is critical (default @c false). */
765 RTASN1BOOLEAN Critical;
766 /** Indicates what ExtnValue.pEncapsulated points at. */
767 RTCRX509EXTENSIONVALUE enmValue;
768 /** The value.
769 * Contains extension specific data that we don't yet parse. */
770 RTASN1OCTETSTRING ExtnValue;
771} RTCRX509EXTENSION;
772/** Pointer to the IPRT representation of one X.509 extensions. */
773typedef RTCRX509EXTENSION *PRTCRX509EXTENSION;
774/** Pointer to the const IPRT representation of one X.509 extension. */
775typedef RTCRX509EXTENSION const *PCRTCRX509EXTENSION;
776RTASN1TYPE_STANDARD_PROTOTYPES(RTCRX509EXTENSION, RTDECL, RTCrX509Extension, SeqCore.Asn1Core);
777RTASN1_IMPL_GEN_SEQ_OF_TYPEDEFS_AND_PROTOS(RTCRX509EXTENSIONS, RTCRX509EXTENSION, RTDECL, RTCrX509Extensions);
778
779RTDECL(int) RTCrX509Extension_ExtnValue_DecodeAsn1(PRTASN1CURSOR pCursor, uint32_t fFlags,
780 PRTCRX509EXTENSION pThis, const char *pszErrorTag);
781
782
783/**
784 * X.509 To-be-signed certificate information (IPRT representation).
785 */
786typedef struct RTCRX509TBSCERTIFICATE
787{
788 /** Sequence core. */
789 RTASN1SEQUENCECORE SeqCore;
790 /** Structure version. */
791 struct
792 {
793 /** Context tag with value 0. */
794 RTASN1CONTEXTTAG0 CtxTag0;
795 /** The actual value (RTCRX509TBSCERTIFICATE_V1, ...). */
796 RTASN1INTEGER Version;
797 } T0;
798 /** The serial number of the certificate. */
799 RTASN1INTEGER SerialNumber;
800 /** The signature algorithm. */
801 RTCRX509ALGORITHMIDENTIFIER Signature;
802 /** The issuer name. */
803 RTCRX509NAME Issuer;
804 /** The certificate validity period. */
805 RTCRX509VALIDITY Validity;
806 /** The subject name. */
807 RTCRX509NAME Subject;
808 /** The public key for this certificate. */
809 RTCRX509SUBJECTPUBLICKEYINFO SubjectPublicKeyInfo;
810 /** Issuer unique identifier (optional, version >= v2). */
811 struct
812 {
813 /** Context tag with value 1. */
814 RTASN1CONTEXTTAG1 CtxTag1;
815 /** The unique identifier value. */
816 RTCRX509UNIQUEIDENTIFIER IssuerUniqueId;
817 } T1;
818 /** Subject unique identifier (optional, version >= v2). */
819 struct
820 {
821 /** Context tag with value 2. */
822 RTASN1CONTEXTTAG2 CtxTag2;
823 /** The unique identifier value. */
824 RTCRX509UNIQUEIDENTIFIER SubjectUniqueId;
825 } T2;
826 /** Extensions (optional, version >= v3). */
827 struct
828 {
829 /** Context tag with value 3. */
830 RTASN1CONTEXTTAG3 CtxTag3;
831 /** The unique identifier value. */
832 RTCRX509EXTENSIONS Extensions;
833 /** Extensions summary flags (RTCRX509TBSCERTIFICATE_F_PRESENT_XXX). */
834 uint32_t fFlags;
835 /** Key usage flags (RTCRX509CERT_KEY_USAGE_F_XXX). */
836 uint32_t fKeyUsage;
837 /** Extended key usage flags (RTCRX509CERT_EKU_F_XXX). */
838 uint64_t fExtKeyUsage;
839
840 /** Pointer to the authority key ID extension if present. */
841 PCRTCRX509AUTHORITYKEYIDENTIFIER pAuthorityKeyIdentifier;
842 /** Pointer to the OLD authority key ID extension if present. */
843 PCRTCRX509OLDAUTHORITYKEYIDENTIFIER pOldAuthorityKeyIdentifier;
844 /** Pointer to the subject key ID extension if present. */
845 PCRTASN1OCTETSTRING pSubjectKeyIdentifier;
846 /** Pointer to the alternative subject name extension if present. */
847 PCRTCRX509GENERALNAMES pAltSubjectName;
848 /** Pointer to the alternative issuer name extension if present. */
849 PCRTCRX509GENERALNAMES pAltIssuerName;
850 /** Pointer to the certificate policies extension if present. */
851 PCRTCRX509CERTIFICATEPOLICIES pCertificatePolicies;
852 /** Pointer to the policy mappings extension if present. */
853 PCRTCRX509POLICYMAPPINGS pPolicyMappings;
854 /** Pointer to the basic constraints extension if present. */
855 PCRTCRX509BASICCONSTRAINTS pBasicConstraints;
856 /** Pointer to the name constraints extension if present. */
857 PCRTCRX509NAMECONSTRAINTS pNameConstraints;
858 /** Pointer to the policy constraints extension if present. */
859 PCRTCRX509POLICYCONSTRAINTS pPolicyConstraints;
860 /** Pointer to the inhibit anyPolicy extension if present. */
861 PCRTASN1INTEGER pInhibitAnyPolicy;
862 } T3;
863} RTCRX509TBSCERTIFICATE;
864/** Pointer to the IPRT representation of a X.509 TBSCertificate. */
865typedef RTCRX509TBSCERTIFICATE *PRTCRX509TBSCERTIFICATE;
866/** Pointer to the const IPRT representation of a X.509 TBSCertificate. */
867typedef RTCRX509TBSCERTIFICATE const *PCRTCRX509TBSCERTIFICATE;
868RTASN1TYPE_STANDARD_PROTOTYPES(RTCRX509TBSCERTIFICATE, RTDECL, RTCrX509TbsCertificate, SeqCore.Asn1Core);
869
870/** @name RTCRX509TBSCERTIFICATE::T0.Version values.
871 * @{ */
872#define RTCRX509TBSCERTIFICATE_V1 0
873#define RTCRX509TBSCERTIFICATE_V2 1
874#define RTCRX509TBSCERTIFICATE_V3 2
875/** @} */
876
877/** @name RTCRX509TBSCERTIFICATE::T3.fFlags values.
878 * @{ */
879#define RTCRX509TBSCERTIFICATE_F_PRESENT_KEY_USAGE RT_BIT_32(0)
880#define RTCRX509TBSCERTIFICATE_F_PRESENT_EXT_KEY_USAGE RT_BIT_32(1)
881#define RTCRX509TBSCERTIFICATE_F_PRESENT_SUBJECT_KEY_IDENTIFIER RT_BIT_32(2)
882#define RTCRX509TBSCERTIFICATE_F_PRESENT_SUBJECT_ALT_NAME RT_BIT_32(3)
883#define RTCRX509TBSCERTIFICATE_F_PRESENT_ISSUER_ALT_NAME RT_BIT_32(4)
884#define RTCRX509TBSCERTIFICATE_F_PRESENT_CERTIFICATE_POLICIES RT_BIT_32(5)
885#define RTCRX509TBSCERTIFICATE_F_PRESENT_POLICY_MAPPINGS RT_BIT_32(6)
886#define RTCRX509TBSCERTIFICATE_F_PRESENT_BASIC_CONSTRAINTS RT_BIT_32(7)
887#define RTCRX509TBSCERTIFICATE_F_PRESENT_NAME_CONSTRAINTS RT_BIT_32(8)
888#define RTCRX509TBSCERTIFICATE_F_PRESENT_POLICY_CONSTRAINTS RT_BIT_32(9)
889#define RTCRX509TBSCERTIFICATE_F_PRESENT_AUTHORITY_KEY_IDENTIFIER RT_BIT_32(10)
890#define RTCRX509TBSCERTIFICATE_F_PRESENT_OLD_AUTHORITY_KEY_IDENTIFIER RT_BIT_32(11)
891#define RTCRX509TBSCERTIFICATE_F_PRESENT_ACCEPTABLE_CERT_POLICIES RT_BIT_32(12)
892#define RTCRX509TBSCERTIFICATE_F_PRESENT_INHIBIT_ANY_POLICY RT_BIT_32(13)
893#define RTCRX509TBSCERTIFICATE_F_PRESENT_OTHER RT_BIT_32(22) /**< Other unknown extension present. */
894#define RTCRX509TBSCERTIFICATE_F_PRESENT_NONE RT_BIT_32(23) /**< No extensions present. */
895/** @} */
896
897/** @name X.509 Key Usage flags. (RFC-5280 section 4.2.1.3.)
898 * @{ */
899#define RTCRX509CERT_KEY_USAGE_F_DIGITAL_SIGNATURE_BIT 0
900#define RTCRX509CERT_KEY_USAGE_F_DIGITAL_SIGNATURE RT_BIT_32(0)
901#define RTCRX509CERT_KEY_USAGE_F_CONTENT_COMMITTMENT_BIT 1
902#define RTCRX509CERT_KEY_USAGE_F_CONTENT_COMMITTMENT RT_BIT_32(1)
903#define RTCRX509CERT_KEY_USAGE_F_KEY_ENCIPHERMENT_BIT 2
904#define RTCRX509CERT_KEY_USAGE_F_KEY_ENCIPHERMENT RT_BIT_32(2)
905#define RTCRX509CERT_KEY_USAGE_F_DATA_ENCIPHERMENT_BIT 3
906#define RTCRX509CERT_KEY_USAGE_F_DATA_ENCIPHERMENT RT_BIT_32(3)
907#define RTCRX509CERT_KEY_USAGE_F_KEY_AGREEMENT_BIT 4
908#define RTCRX509CERT_KEY_USAGE_F_KEY_AGREEMENT RT_BIT_32(4)
909#define RTCRX509CERT_KEY_USAGE_F_KEY_CERT_SIGN_BIT 5
910#define RTCRX509CERT_KEY_USAGE_F_KEY_CERT_SIGN RT_BIT_32(5)
911#define RTCRX509CERT_KEY_USAGE_F_CRL_SIGN_BIT 6
912#define RTCRX509CERT_KEY_USAGE_F_CRL_SIGN RT_BIT_32(6)
913#define RTCRX509CERT_KEY_USAGE_F_ENCIPHERMENT_ONLY_BIT 7
914#define RTCRX509CERT_KEY_USAGE_F_ENCIPHERMENT_ONLY RT_BIT_32(7)
915#define RTCRX509CERT_KEY_USAGE_F_DECIPHERMENT_ONLY_BIT 8
916#define RTCRX509CERT_KEY_USAGE_F_DECIPHERMENT_ONLY RT_BIT_32(8)
917/** @} */
918
919/** @name X.509 Extended Key Usage flags. (RFC-5280 section 4.2.1.12, ++.)
920 * @remarks Needless to say, these flags doesn't cover all possible extended key
921 * usages, because there is a potential unlimited number of them. Only
922 * ones relevant to IPRT and it's users are covered.
923 * @{ */
924#define RTCRX509CERT_EKU_F_ANY RT_BIT_64(0)
925#define RTCRX509CERT_EKU_F_SERVER_AUTH RT_BIT_64(1)
926#define RTCRX509CERT_EKU_F_CLIENT_AUTH RT_BIT_64(2)
927#define RTCRX509CERT_EKU_F_CODE_SIGNING RT_BIT_64(3)
928#define RTCRX509CERT_EKU_F_EMAIL_PROTECTION RT_BIT_64(4)
929#define RTCRX509CERT_EKU_F_IPSEC_END_SYSTEM RT_BIT_64(5)
930#define RTCRX509CERT_EKU_F_IPSEC_TUNNEL RT_BIT_64(6)
931#define RTCRX509CERT_EKU_F_IPSEC_USER RT_BIT_64(7)
932#define RTCRX509CERT_EKU_F_TIMESTAMPING RT_BIT_64(8)
933#define RTCRX509CERT_EKU_F_OCSP_SIGNING RT_BIT_64(9)
934#define RTCRX509CERT_EKU_F_DVCS RT_BIT_64(10)
935#define RTCRX509CERT_EKU_F_SBGP_CERT_AA_SERVICE_AUTH RT_BIT_64(11)
936#define RTCRX509CERT_EKU_F_EAP_OVER_PPP RT_BIT_64(12)
937#define RTCRX509CERT_EKU_F_EAP_OVER_LAN RT_BIT_64(13)
938#define RTCRX509CERT_EKU_F_OTHER RT_BIT_64(16) /**< Other unknown extended key usage present. */
939#define RTCRX509CERT_EKU_F_APPLE_CODE_SIGNING RT_BIT_64(24)
940#define RTCRX509CERT_EKU_F_APPLE_CODE_SIGNING_DEVELOPMENT RT_BIT_64(25)
941#define RTCRX509CERT_EKU_F_APPLE_SOFTWARE_UPDATE_SIGNING RT_BIT_64(26)
942#define RTCRX509CERT_EKU_F_APPLE_CODE_SIGNING_THIRD_PARTY RT_BIT_64(27)
943#define RTCRX509CERT_EKU_F_APPLE_RESOURCE_SIGNING RT_BIT_64(28)
944#define RTCRX509CERT_EKU_F_APPLE_SYSTEM_IDENTITY RT_BIT_64(29)
945#define RTCRX509CERT_EKU_F_MS_TIMESTAMP_SIGNING RT_BIT_64(32)
946#define RTCRX509CERT_EKU_F_MS_NT5_CRYPTO RT_BIT_64(33)
947#define RTCRX509CERT_EKU_F_MS_OEM_WHQL_CRYPTO RT_BIT_64(34)
948#define RTCRX509CERT_EKU_F_MS_EMBEDDED_NT_CRYPTO RT_BIT_64(35)
949#define RTCRX509CERT_EKU_F_MS_KERNEL_MODE_CODE_SIGNING RT_BIT_64(36)
950#define RTCRX509CERT_EKU_F_MS_LIFETIME_SIGNING RT_BIT_64(37)
951#define RTCRX509CERT_EKU_F_MS_DRM RT_BIT_64(38)
952#define RTCRX509CERT_EKU_F_MS_DRM_INDIVIDUALIZATION RT_BIT_64(39)
953#define RTCRX509CERT_EKU_F_MS_WHQL_CRYPTO RT_BIT_64(40)
954#define RTCRX509CERT_EKU_F_MS_ATTEST_WHQL_CRYPTO RT_BIT_64(41)
955/** @} */
956
957/** @name Key purpose OIDs (extKeyUsage)
958 * @{ */
959#define RTCRX509_ANY_EXTENDED_KEY_USAGE_OID "2.5.29.37.0"
960#define RTCRX509_ID_KP_OID "1.3.6.1.5.5.7.3"
961#define RTCRX509_ID_KP_SERVER_AUTH_OID "1.3.6.1.5.5.7.3.1"
962#define RTCRX509_ID_KP_CLIENT_AUTH_OID "1.3.6.1.5.5.7.3.2"
963#define RTCRX509_ID_KP_CODE_SIGNING_OID "1.3.6.1.5.5.7.3.3"
964#define RTCRX509_ID_KP_EMAIL_PROTECTION_OID "1.3.6.1.5.5.7.3.4"
965#define RTCRX509_ID_KP_IPSEC_END_SYSTEM_OID "1.3.6.1.5.5.7.3.5"
966#define RTCRX509_ID_KP_IPSEC_TUNNEL_OID "1.3.6.1.5.5.7.3.6"
967#define RTCRX509_ID_KP_IPSEC_USER_OID "1.3.6.1.5.5.7.3.7"
968#define RTCRX509_ID_KP_TIMESTAMPING_OID "1.3.6.1.5.5.7.3.8"
969#define RTCRX509_ID_KP_OCSP_SIGNING_OID "1.3.6.1.5.5.7.3.9"
970#define RTCRX509_ID_KP_DVCS_OID "1.3.6.1.5.5.7.3.10"
971#define RTCRX509_ID_KP_SBGP_CERT_AA_SERVICE_AUTH_OID "1.3.6.1.5.5.7.3.11"
972#define RTCRX509_ID_KP_EAP_OVER_PPP_OID "1.3.6.1.5.5.7.3.13"
973#define RTCRX509_ID_KP_EAP_OVER_LAN_OID "1.3.6.1.5.5.7.3.14"
974/** @} */
975
976/** @name Microsoft extended key usage OIDs
977 * @{ */
978#define RTCRX509_MS_EKU_CERT_TRUST_LIST_SIGNING_OID "1.3.6.1.4.1.311.10.3.1"
979#define RTCRX509_MS_EKU_TIMESTAMP_SIGNING_OID "1.3.6.1.4.1.311.10.3.2"
980#define RTCRX509_MS_EKU_SERVER_GATED_CRYPTO_OID "1.3.6.1.4.1.311.10.3.3"
981#define RTCRX509_MS_EKU_SGC_SERIALIZED_OID "1.3.6.1.4.1.311.10.3.3.1"
982#define RTCRX509_MS_EKU_ENCRYPTED_FILE_SYSTEM_OID "1.3.6.1.4.1.311.10.3.4"
983#define RTCRX509_MS_EKU_WHQL_CRYPTO_OID "1.3.6.1.4.1.311.10.3.5"
984#define RTCRX509_MS_EKU_ATTEST_WHQL_CRYPTO_OID "1.3.6.1.4.1.311.10.3.5.1"
985#define RTCRX509_MS_EKU_NT5_CRYPTO_OID "1.3.6.1.4.1.311.10.3.6"
986#define RTCRX509_MS_EKU_OEM_WHQL_CRYPTO_OID "1.3.6.1.4.1.311.10.3.7"
987#define RTCRX509_MS_EKU_EMBEDDED_NT_CRYPTO_OID "1.3.6.1.4.1.311.10.3.8"
988#define RTCRX509_MS_EKU_ROOT_LIST_SIGNER_OID "1.3.6.1.4.1.311.10.3.9"
989#define RTCRX509_MS_EKU_QUALIFIED_SUBORDINATE_OID "1.3.6.1.4.1.311.10.3.10"
990#define RTCRX509_MS_EKU_KEY_RECOVERY_3_OID "1.3.6.1.4.1.311.10.3.11"
991#define RTCRX509_MS_EKU_DOCUMENT_SIGNING_OID "1.3.6.1.4.1.311.10.3.12"
992#define RTCRX509_MS_EKU_LIFETIME_SIGNING_OID "1.3.6.1.4.1.311.10.3.13"
993#define RTCRX509_MS_EKU_MOBILE_DEVICE_SOFTWARE_OID "1.3.6.1.4.1.311.10.3.14"
994#define RTCRX509_MS_EKU_SMART_DISPLAY_OID "1.3.6.1.4.1.311.10.3.15"
995#define RTCRX509_MS_EKU_CSP_SIGNATURE_OID "1.3.6.1.4.1.311.10.3.16"
996#define RTCRX509_MS_EKU_EFS_RECOVERY_OID "1.3.6.1.4.1.311.10.3.4.1"
997#define RTCRX509_MS_EKU_DRM_OID "1.3.6.1.4.1.311.10.5.1"
998#define RTCRX509_MS_EKU_DRM_INDIVIDUALIZATION_OID "1.3.6.1.4.1.311.10.5.2"
999#define RTCRX509_MS_EKU_LICENSES_OID "1.3.6.1.4.1.311.10.5.3"
1000#define RTCRX509_MS_EKU_LICENSE_SERVER_OID "1.3.6.1.4.1.311.10.5.4"
1001#define RTCRX509_MS_EKU_ENROLLMENT_AGENT_OID "1.3.6.1.4.1.311.20.2.1"
1002#define RTCRX509_MS_EKU_SMARTCARD_LOGON_OID "1.3.6.1.4.1.311.20.2.2"
1003#define RTCRX509_MS_EKU_CA_EXCHANGE_OID "1.3.6.1.4.1.311.21.5"
1004#define RTCRX509_MS_EKU_KEY_RECOVERY_21_OID "1.3.6.1.4.1.311.21.6"
1005#define RTCRX509_MS_EKU_SYSTEM_HEALTH_OID "1.3.6.1.4.1.311.47.1.1"
1006#define RTCRX509_MS_EKU_SYSTEM_HEALTH_LOOPHOLE_OID "1.3.6.1.4.1.311.47.1.3"
1007#define RTCRX509_MS_EKU_KERNEL_MODE_CODE_SIGNING_OID "1.3.6.1.4.1.311.61.1.1"
1008/** @} */
1009
1010/** @name Apple extended key usage OIDs
1011 * @{ */
1012#define RTCRX509_APPLE_EKU_APPLE_EXTENDED_KEY_USAGE_OID "1.2.840.113635.100.4"
1013#define RTCRX509_APPLE_EKU_CODE_SIGNING_OID "1.2.840.113635.100.4.1"
1014#define RTCRX509_APPLE_EKU_CODE_SIGNING_DEVELOPMENT_OID "1.2.840.113635.100.4.1.1"
1015#define RTCRX509_APPLE_EKU_SOFTWARE_UPDATE_SIGNING_OID "1.2.840.113635.100.4.1.2"
1016#define RTCRX509_APPLE_EKU_CODE_SIGNING_THRID_PARTY_OID "1.2.840.113635.100.4.1.3"
1017#define RTCRX509_APPLE_EKU_RESOURCE_SIGNING_OID "1.2.840.113635.100.4.1.4"
1018#define RTCRX509_APPLE_EKU_ICHAT_SIGNING_OID "1.2.840.113635.100.4.2"
1019#define RTCRX509_APPLE_EKU_ICHAT_ENCRYPTION_OID "1.2.840.113635.100.4.3"
1020#define RTCRX509_APPLE_EKU_SYSTEM_IDENTITY_OID "1.2.840.113635.100.4.4"
1021#define RTCRX509_APPLE_EKU_CRYPTO_ENV_OID "1.2.840.113635.100.4.5"
1022#define RTCRX509_APPLE_EKU_CRYPTO_PRODUCTION_ENV_OID "1.2.840.113635.100.4.5.1"
1023#define RTCRX509_APPLE_EKU_CRYPTO_MAINTENANCE_ENV_OID "1.2.840.113635.100.4.5.2"
1024#define RTCRX509_APPLE_EKU_CRYPTO_TEST_ENV_OID "1.2.840.113635.100.4.5.3"
1025#define RTCRX509_APPLE_EKU_CRYPTO_DEVELOPMENT_ENV_OID "1.2.840.113635.100.4.5.4"
1026#define RTCRX509_APPLE_EKU_CRYPTO_QOS_OID "1.2.840.113635.100.4.6"
1027#define RTCRX509_APPLE_EKU_CRYPTO_TIER0_QOS_OID "1.2.840.113635.100.4.6.1"
1028#define RTCRX509_APPLE_EKU_CRYPTO_TIER1_QOS_OID "1.2.840.113635.100.4.6.2"
1029#define RTCRX509_APPLE_EKU_CRYPTO_TIER2_QOS_OID "1.2.840.113635.100.4.6.3"
1030#define RTCRX509_APPLE_EKU_CRYPTO_TIER3_QOS_OID "1.2.840.113635.100.4.6.4"
1031/** @} */
1032
1033/**
1034 * Use this to update derived values after changing the certificate
1035 * extensions.
1036 *
1037 * @returns IPRT status code
1038 * @param pThis The certificate.
1039 * @param pErrInfo Where to return additional error information. Optional.
1040 */
1041RTDECL(int) RTCrX509TbsCertificate_ReprocessExtensions(PRTCRX509TBSCERTIFICATE pThis, PRTERRINFO pErrInfo);
1042
1043
1044/**
1045 * One X.509 Certificate (IPRT representation).
1046 */
1047typedef struct RTCRX509CERTIFICATE
1048{
1049 /** Sequence core. */
1050 RTASN1SEQUENCECORE SeqCore;
1051 /** The to-be-signed certificate information. */
1052 RTCRX509TBSCERTIFICATE TbsCertificate;
1053 /** The signature algorithm (must match TbsCertificate.Signature). */
1054 RTCRX509ALGORITHMIDENTIFIER SignatureAlgorithm;
1055 /** The signature value. */
1056 RTASN1BITSTRING SignatureValue;
1057} RTCRX509CERTIFICATE;
1058/** Pointer to the IPRT representation of one X.509 certificate. */
1059typedef RTCRX509CERTIFICATE *PRTCRX509CERTIFICATE;
1060/** Pointer to the const IPRT representation of one X.509 certificate. */
1061typedef RTCRX509CERTIFICATE const *PCRTCRX509CERTIFICATE;
1062RTASN1TYPE_STANDARD_PROTOTYPES(RTCRX509CERTIFICATE, RTDECL, RTCrX509Certificate, SeqCore.Asn1Core);
1063
1064/**
1065 * Checks if a certificate matches a given issuer name and serial number.
1066 *
1067 * @returns True / false.
1068 * @param pCertificate The X.509 certificat.
1069 * @param pIssuer The issuer name to match against.
1070 * @param pSerialNumber The serial number to match against.
1071 */
1072RTDECL(bool) RTCrX509Certificate_MatchIssuerAndSerialNumber(PCRTCRX509CERTIFICATE pCertificate,
1073 PCRTCRX509NAME pIssuer, PCRTASN1INTEGER pSerialNumber);
1074
1075RTDECL(bool) RTCrX509Certificate_MatchSubjectOrAltSubjectByRfc5280(PCRTCRX509CERTIFICATE pThis, PCRTCRX509NAME pName);
1076RTDECL(bool) RTCrX509Certificate_IsSelfSigned(PCRTCRX509CERTIFICATE pCertificate);
1077
1078RTDECL(int) RTCrX509Certificate_VerifySignature(PCRTCRX509CERTIFICATE pThis, PCRTASN1OBJID pAlgorithm,
1079 PCRTASN1DYNTYPE pParameters, PCRTASN1BITSTRING pPublicKey,
1080 PRTERRINFO pErrInfo);
1081RTDECL(int) RTCrX509Certificate_VerifySignatureSelfSigned(PCRTCRX509CERTIFICATE pThis, PRTERRINFO pErrInfo);
1082RTDECL(int) RTCrX509Certificate_ReadFromFile(PRTCRX509CERTIFICATE pCertificate, const char *pszFilename, uint32_t fFlags,
1083 PCRTASN1ALLOCATORVTABLE pAllocator, PRTERRINFO pErrInfo);
1084RTDECL(int) RTCrX509Certificate_ReadFromBuffer(PRTCRX509CERTIFICATE pCertificate, const void *pvBuf, size_t cbBuf,
1085 uint32_t fFlags, PCRTASN1ALLOCATORVTABLE pAllocator,
1086 PRTERRINFO pErrInfo, const char *pszErrorTag);
1087/** @name Flags for RTCrX509Certificate_ReadFromFile and
1088 * RTCrX509Certificate_ReadFromBuffer
1089 * @{ */
1090/** Only allow PEM certificates, not binary ones.
1091 * @sa RTCRPEMREADFILE_F_ONLY_PEM */
1092#define RTCRX509CERT_READ_F_PEM_ONLY RT_BIT(1)
1093/** @} */
1094
1095/** X509 Certificate markers for RTCrPemFindFirstSectionInContent et al. */
1096extern RTDATADECL(RTCRPEMMARKER const) g_aRTCrX509CertificateMarkers[];
1097/** Number of entries in g_aRTCrX509CertificateMarkers. */
1098extern RTDATADECL(uint32_t const) g_cRTCrX509CertificateMarkers;
1099
1100
1101/** Wrapper around RTCrPemWriteAsn1ToVfsIoStrm(). */
1102DECLINLINE(ssize_t) RTCrX509Certificate_WriteToVfsIoStrm(RTVFSIOSTREAM hVfsIos, PRTCRX509CERTIFICATE pCertificate,
1103 PRTERRINFO pErrInfo)
1104{
1105 return RTCrPemWriteAsn1ToVfsIoStrm(hVfsIos, &pCertificate->SeqCore.Asn1Core, 0 /*fFlags*/,
1106 g_aRTCrX509CertificateMarkers[0].paWords[0].pszWord, pErrInfo);
1107}
1108
1109/** Wrapper around RTCrPemWriteAsn1ToVfsFile(). */
1110DECLINLINE(ssize_t) RTCrX509Certificate_WriteToVfsFile(RTVFSFILE hVfsFile, PRTCRX509CERTIFICATE pCertificate,
1111 PRTERRINFO pErrInfo)
1112{
1113 return RTCrPemWriteAsn1ToVfsFile(hVfsFile, &pCertificate->SeqCore.Asn1Core, 0 /*fFlags*/,
1114 g_aRTCrX509CertificateMarkers[0].paWords[0].pszWord, pErrInfo);
1115}
1116
1117/** @name X.509 Certificate Extensions
1118 * @{ */
1119/** Old AuthorityKeyIdentifier OID. */
1120#define RTCRX509_ID_CE_OLD_AUTHORITY_KEY_IDENTIFIER_OID "2.5.29.1"
1121/** Old CertificatePolicies extension OID. */
1122#define RTCRX509_ID_CE_OLD_CERTIFICATE_POLICIES_OID "2.5.29.3"
1123/** Old SubjectAltName extension OID. */
1124#define RTCRX509_ID_CE_OLD_SUBJECT_ALT_NAME_OID "2.5.29.7"
1125/** Old IssuerAltName extension OID. */
1126#define RTCRX509_ID_CE_OLD_ISSUER_ALT_NAME_OID "2.5.29.8"
1127/** Old BasicContraints extension OID. */
1128#define RTCRX509_ID_CE_OLD_BASIC_CONSTRAINTS_OID "2.5.29.10"
1129/** SubjectKeyIdentifier OID. */
1130#define RTCRX509_ID_CE_SUBJECT_KEY_IDENTIFIER_OID "2.5.29.14"
1131/** KeyUsage OID. */
1132#define RTCRX509_ID_CE_KEY_USAGE_OID "2.5.29.15"
1133/** PrivateKeyUsagePeriod OID. */
1134#define RTCRX509_ID_CE_PRIVATE_KEY_USAGE_PERIOD_OID "2.5.29.16"
1135/** SubjectAltName extension OID. */
1136#define RTCRX509_ID_CE_SUBJECT_ALT_NAME_OID "2.5.29.17"
1137/** IssuerAltName extension OID. */
1138#define RTCRX509_ID_CE_ISSUER_ALT_NAME_OID "2.5.29.18"
1139/** BasicContraints extension OID. */
1140#define RTCRX509_ID_CE_BASIC_CONSTRAINTS_OID "2.5.29.19"
1141/** NameContraints extension OID. */
1142#define RTCRX509_ID_CE_NAME_CONSTRAINTS_OID "2.5.29.30"
1143/** CertificatePolicies extension OID. */
1144#define RTCRX509_ID_CE_CERTIFICATE_POLICIES_OID "2.5.29.32"
1145/** PolicyMappings extension OID. */
1146#define RTCRX509_ID_CE_POLICY_MAPPINGS_OID "2.5.29.33"
1147/** AuthorityKeyIdentifier OID. */
1148#define RTCRX509_ID_CE_AUTHORITY_KEY_IDENTIFIER_OID "2.5.29.35"
1149/** PolicyContraints extension OID. */
1150#define RTCRX509_ID_CE_POLICY_CONSTRAINTS_OID "2.5.29.36"
1151/** ExtKeyUsage (extended key usage) extension OID. */
1152#define RTCRX509_ID_CE_EXT_KEY_USAGE_OID "2.5.29.37"
1153/** ExtKeyUsage: OID for permitting any unspecified key usage. */
1154#define RTCRX509_ID_CE_ANY_EXTENDED_KEY_USAGE_OID "2.5.29.37.0"
1155/** AuthorityAttributeIdentifier OID. */
1156#define RTCRX509_ID_CE_AUTHORITY_ATTRIBUTE_IDENTIFIER_OID "2.5.29.38"
1157/** AcceptableCertPolicies OID. */
1158#define RTCRX509_ID_CE_ACCEPTABLE_CERT_POLICIES_OID "2.5.29.52"
1159/** InhibitAnyPolicy OID. */
1160#define RTCRX509_ID_CE_INHIBIT_ANY_POLICY_OID "2.5.29.54"
1161/** @} */
1162
1163
1164/*
1165 * Sequence of X.509 Certifcates (IPRT representation).
1166 */
1167RTASN1_IMPL_GEN_SET_OF_TYPEDEFS_AND_PROTOS(RTCRX509CERTIFICATES, RTCRX509CERTIFICATE, RTDECL, RTCrX509Certificates);
1168
1169/**
1170 * Looks up a certificate by issuer name and serial number.
1171 *
1172 * @returns Pointer to the given certificate if found, NULL if not.
1173 * @param pCertificates The X.509 certificate set to search.
1174 * @param pIssuer The issuer name of the wanted certificate.
1175 * @param pSerialNumber The serial number of the wanted certificate.
1176 */
1177RTDECL(PCRTCRX509CERTIFICATE) RTCrX509Certificates_FindByIssuerAndSerialNumber(PCRTCRX509CERTIFICATES pCertificates,
1178 PCRTCRX509NAME pIssuer,
1179 PCRTASN1INTEGER pSerialNumber);
1180
1181
1182
1183RTDECL(int) RTCrX509CertPathsCreate(PRTCRX509CERTPATHS phCertPaths, PCRTCRX509CERTIFICATE pTarget);
1184RTDECL(uint32_t) RTCrX509CertPathsRetain(RTCRX509CERTPATHS hCertPaths);
1185RTDECL(uint32_t) RTCrX509CertPathsRelease(RTCRX509CERTPATHS hCertPaths);
1186RTDECL(int) RTCrX509CertPathsSetTrustedStore(RTCRX509CERTPATHS hCertPaths, RTCRSTORE hTrustedStore);
1187RTDECL(int) RTCrX509CertPathsSetUntrustedStore(RTCRX509CERTPATHS hCertPaths, RTCRSTORE hUntrustedStore);
1188RTDECL(int) RTCrX509CertPathsSetUntrustedArray(RTCRX509CERTPATHS hCertPaths, PCRTCRX509CERTIFICATE paCerts, uint32_t cCerts);
1189RTDECL(int) RTCrX509CertPathsSetUntrustedSet(RTCRX509CERTPATHS hCertPaths, struct RTCRPKCS7SETOFCERTS const *pSetOfCerts);
1190RTDECL(int) RTCrX509CertPathsSetValidTime(RTCRX509CERTPATHS hCertPaths, PCRTTIME pTime);
1191RTDECL(int) RTCrX509CertPathsSetValidTimeSpec(RTCRX509CERTPATHS hCertPaths, PCRTTIMESPEC pTimeSpec);
1192RTDECL(int) RTCrX509CertPathsSetTrustAnchorChecks(RTCRX509CERTPATHS hCertPaths, bool fEnable);
1193RTDECL(int) RTCrX509CertPathsCreateEx(PRTCRX509CERTPATHS phCertPaths, PCRTCRX509CERTIFICATE pTarget, RTCRSTORE hTrustedStore,
1194 RTCRSTORE hUntrustedStore, PCRTCRX509CERTIFICATE paUntrustedCerts, uint32_t cUntrustedCerts,
1195 PCRTTIMESPEC pValidTime);
1196RTDECL(int) RTCrX509CertPathsBuild(RTCRX509CERTPATHS hCertPaths, PRTERRINFO pErrInfo);
1197RTDECL(int) RTCrX509CertPathsDumpOne(RTCRX509CERTPATHS hCertPaths, uint32_t iPath, uint32_t uVerbosity,
1198 PFNRTDUMPPRINTFV pfnPrintfV, void *pvUser);
1199RTDECL(int) RTCrX509CertPathsDumpAll(RTCRX509CERTPATHS hCertPaths, uint32_t uVerbosity,
1200 PFNRTDUMPPRINTFV pfnPrintfV, void *pvUser);
1201
1202RTDECL(int) RTCrX509CertPathsValidateOne(RTCRX509CERTPATHS hCertPaths, uint32_t iPath, PRTERRINFO pErrInfo);
1203RTDECL(int) RTCrX509CertPathsValidateAll(RTCRX509CERTPATHS hCertPaths, uint32_t *pcValidPaths, PRTERRINFO pErrInfo);
1204
1205RTDECL(uint32_t) RTCrX509CertPathsGetPathCount(RTCRX509CERTPATHS hCertPaths);
1206RTDECL(int) RTCrX509CertPathsQueryPathInfo(RTCRX509CERTPATHS hCertPaths, uint32_t iPath,
1207 bool *pfTrusted, uint32_t *pcNodes, PCRTCRX509NAME *ppSubject,
1208 PCRTCRX509SUBJECTPUBLICKEYINFO *ppPublicKeyInfo,
1209 PCRTCRX509CERTIFICATE *ppCert, PCRTCRCERTCTX *ppCertCtx, int *prcVerify);
1210RTDECL(uint32_t) RTCrX509CertPathsGetPathLength(RTCRX509CERTPATHS hCertPaths, uint32_t iPath);
1211RTDECL(int) RTCrX509CertPathsGetPathVerifyResult(RTCRX509CERTPATHS hCertPaths, uint32_t iPath);
1212RTDECL(PCRTCRX509CERTIFICATE) RTCrX509CertPathsGetPathNodeCert(RTCRX509CERTPATHS hCertPaths, uint32_t iPath, uint32_t iNode);
1213
1214/**
1215 * Generates a self-signed RSA certificate, storing the result as two file.
1216 *
1217 * @note The private key will be stored unencrypted!
1218 *
1219 * @returns IPRT status code.
1220 * @param enmDigestType The digest type to use when signing.
1221 * @param cBits The private key size (in bits).
1222 * @param cSecsValidFor Number of seconds the certificate should be
1223 * valid for (starting now).
1224 * @param fKeyUsage Key usage mask: RTCRX509CERT_KEY_USAGE_F_XXX.
1225 * @param fExtKeyUsage Extended key usage mask: RTCRX509CERT_EKU_F_XXX.
1226 * @param pvSubject Subject name.
1227 * @param pszCertFile Where to store the certificate (PEM formatting).
1228 * @param pszPrivateKeyFile Where to store the unencrypted private key (PEM
1229 * formatting).
1230 * @param pErrInfo Where to return extended error information.
1231 * Optional.
1232 */
1233RTDECL(int) RTCrX509Certificate_GenerateSelfSignedRsa(RTDIGESTTYPE enmDigestType, uint32_t cBits, uint32_t cSecsValidFor,
1234 uint32_t fKeyUsage, uint64_t fExtKeyUsage, const char *pvSubject,
1235 const char *pszCertFile, const char *pszPrivateKeyFile, PRTERRINFO pErrInfo);
1236
1237RT_C_DECLS_END
1238
1239/** @} */
1240
1241/** @} */
1242
1243#endif /* !IPRT_INCLUDED_crypto_x509_h */
Note: See TracBrowser for help on using the repository browser.

© 2024 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette