x509.h

Go to the documentation of this file.
00001 /*
00002  * Copyright (C) 2003, 2004, 2005, 2007 Free Software Foundation
00003  *
00004  * Author: Nikos Mavrogiannopoulos
00005  *
00006  * This file is part of GNUTLS.
00007  *
00008  * The GNUTLS library is free software; you can redistribute it and/or
00009  * modify it under the terms of the GNU Lesser General Public License
00010  * as published by the Free Software Foundation; either version 2.1 of
00011  * the License, or (at your option) any later version.
00012  *
00013  * This library is distributed in the hope that it will be useful, but
00014  * WITHOUT ANY WARRANTY; without even the implied warranty of
00015  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
00016  * Lesser General Public License for more details.
00017  *
00018  * You should have received a copy of the GNU Lesser General Public
00019  * License along with this library; if not, write to the Free Software
00020  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
00021  * USA
00022  *
00023  */
00024 
00025 #ifndef X509_H
00026 #define X509_H
00027 
00028 #ifndef MIN
00029 #define MIN(X,Y) ((X) > (Y) ? (Y) : (X));
00030 #endif
00031 
00032 #ifdef __cplusplus
00033 extern "C"
00034 {
00035 #endif
00036 
00037 #include <gnutls.h>
00038 #include <libtasn1.h>
00039 #include "gnutls_mpi.h"
00040 
00041 /* Some OIDs usually found in Distinguished names, or
00042  * in Subject Directory Attribute extensions.
00043  */
00044 #define GNUTLS_OID_X520_COUNTRY_NAME    "2.5.4.6"
00045 #define GNUTLS_OID_X520_ORGANIZATION_NAME "2.5.4.10"
00046 #define GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME "2.5.4.11"
00047 #define GNUTLS_OID_X520_COMMON_NAME   "2.5.4.3"
00048 #define GNUTLS_OID_X520_LOCALITY_NAME   "2.5.4.7"
00049 #define GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME  "2.5.4.8"
00050 
00051 #define GNUTLS_OID_X520_INITIALS    "2.5.4.43"
00052 #define GNUTLS_OID_X520_GENERATION_QUALIFIER  "2.5.4.44"
00053 #define GNUTLS_OID_X520_SURNAME     "2.5.4.4"
00054 #define GNUTLS_OID_X520_GIVEN_NAME    "2.5.4.42"
00055 #define GNUTLS_OID_X520_TITLE     "2.5.4.12"
00056 #define GNUTLS_OID_X520_DN_QUALIFIER    "2.5.4.46"
00057 #define GNUTLS_OID_X520_PSEUDONYM   "2.5.4.65"
00058 
00059 #define GNUTLS_OID_LDAP_DC      "0.9.2342.19200300.100.1.25"
00060 #define GNUTLS_OID_LDAP_UID     "0.9.2342.19200300.100.1.1"
00061 
00062 /* The following should not be included in DN.
00063  */
00064 #define GNUTLS_OID_PKCS9_EMAIL      "1.2.840.113549.1.9.1"
00065 
00066 #define GNUTLS_OID_PKIX_DATE_OF_BIRTH   "1.3.6.1.5.5.7.9.1"
00067 #define GNUTLS_OID_PKIX_PLACE_OF_BIRTH    "1.3.6.1.5.5.7.9.2"
00068 #define GNUTLS_OID_PKIX_GENDER      "1.3.6.1.5.5.7.9.3"
00069 #define GNUTLS_OID_PKIX_COUNTRY_OF_CITIZENSHIP  "1.3.6.1.5.5.7.9.4"
00070 #define GNUTLS_OID_PKIX_COUNTRY_OF_RESIDENCE  "1.3.6.1.5.5.7.9.5"
00071 
00072 /* Key purpose Object Identifiers.
00073  */
00074 #define GNUTLS_KP_TLS_WWW_SERVER    "1.3.6.1.5.5.7.3.1"
00075 #define GNUTLS_KP_TLS_WWW_CLIENT                "1.3.6.1.5.5.7.3.2"
00076 #define GNUTLS_KP_CODE_SIGNING      "1.3.6.1.5.5.7.3.3"
00077 #define GNUTLS_KP_EMAIL_PROTECTION    "1.3.6.1.5.5.7.3.4"
00078 #define GNUTLS_KP_TIME_STAMPING     "1.3.6.1.5.5.7.3.8"
00079 #define GNUTLS_KP_OCSP_SIGNING      "1.3.6.1.5.5.7.3.9"
00080 #define GNUTLS_KP_ANY       "2.5.29.37.0"
00081 
00082 /* Certificate handling functions.
00083  */
00084   typedef enum MHD_gnutls_certificate_import_flags
00085   {
00086     /* Fail if the certificates in the buffer are more than the space
00087      * allocated for certificates. The error code will be
00088      * GNUTLS_E_SHORT_MEMORY_BUFFER.
00089      */
00090     GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED = 1
00091   } MHD_gnutls_certificate_import_flags;
00092 
00093   int MHD_gnutls_x509_crt_init (MHD_gnutls_x509_crt_t * cert);
00094   void MHD_gnutls_x509_crt_deinit (MHD_gnutls_x509_crt_t cert);
00095   int MHD_gnutls_x509_crt_import (MHD_gnutls_x509_crt_t cert,
00096                                   const MHD_gnutls_datum_t * data,
00097                                   MHD_gnutls_x509_crt_fmt_t format);
00098   int MHD_gnutls_x509_crt_export (MHD_gnutls_x509_crt_t cert,
00099                                   MHD_gnutls_x509_crt_fmt_t format,
00100                                   void *output_data,
00101                                   size_t * output_data_size);
00102   int MHD_gnutls_x509_crt_get_version (MHD_gnutls_x509_crt_t cert);
00103 
00104 #define GNUTLS_CRL_REASON_UNUSED 128
00105 #define GNUTLS_CRL_REASON_KEY_COMPROMISE 64
00106 #define GNUTLS_CRL_REASON_CA_COMPROMISE 32
00107 #define GNUTLS_CRL_REASON_AFFILIATION_CHANGED 16
00108 #define GNUTLS_CRL_REASON_SUPERSEEDED 8
00109 #define GNUTLS_CRL_REASON_CESSATION_OF_OPERATION 4
00110 #define GNUTLS_CRL_REASON_CERTIFICATE_HOLD 2
00111 #define GNUTLS_CRL_REASON_PRIVILEGE_WITHDRAWN 1
00112 #define GNUTLS_CRL_REASON_AA_COMPROMISE 32768
00113 
00114   int MHD_gnutls_x509_crt_get_pk_algorithm (MHD_gnutls_x509_crt_t cert,
00115                                             unsigned int *bits);
00116   int MHD_gnutls_x509_crt_get_ca_status (MHD_gnutls_x509_crt_t cert,
00117                                          unsigned int *critical);
00118 /* The key_usage flags are defined in gnutls.h. They are the
00119  * GNUTLS_KEY_* definitions.
00120  */
00121   int MHD_gnutls_x509_crt_get_key_usage (MHD_gnutls_x509_crt_t cert,
00122                                          unsigned int *key_usage,
00123                                          unsigned int *critical);
00124   int MHD_gnutls_x509_crt_set_key_usage (MHD_gnutls_x509_crt_t crt,
00125                                          unsigned int usage);
00126 
00127 /* Read extensions by sequence number. */
00128   int MHD_gnutls_x509_crt_set_extension_by_oid (MHD_gnutls_x509_crt_t crt,
00129                                                 const char *oid,
00130                                                 const void *buf,
00131                                                 size_t sizeof_buf,
00132                                                 unsigned int critical);
00133 
00134 /* X.509 Certificate writing.
00135  */
00136   int MHD_gnutls_x509_crt_set_dn_by_oid (MHD_gnutls_x509_crt_t crt,
00137                                          const char *oid,
00138                                          unsigned int raw_flag,
00139                                          const void *name,
00140                                          unsigned int sizeof_name);
00141   int MHD_gnutls_x509_crt_set_issuer_dn_by_oid (MHD_gnutls_x509_crt_t crt,
00142                                                 const char *oid,
00143                                                 unsigned int raw_flag,
00144                                                 const void *name,
00145                                                 unsigned int sizeof_name);
00146   int MHD_gnutls_x509_crt_set_version (MHD_gnutls_x509_crt_t crt,
00147                                        unsigned int version);
00148   int MHD_gnutls_x509_crt_set_key (MHD_gnutls_x509_crt_t crt,
00149                                    MHD_gnutls_x509_privkey_t key);
00150   int MHD_gnutls_x509_crt_set_ca_status (MHD_gnutls_x509_crt_t crt,
00151                                          unsigned int ca);
00152   int MHD_gnutls_x509_crt_set_basic_constraints (MHD_gnutls_x509_crt_t crt,
00153                                                  unsigned int ca,
00154                                                  int pathLenConstraint);
00155   int MHD_gnutls_x509_crt_set_subject_alternative_name (MHD_gnutls_x509_crt_t
00156                                                         crt,
00157                                                         MHD_gnutls_x509_subject_alt_name_t
00158                                                         type,
00159                                                         const char
00160                                                         *data_string);
00161   int MHD_gnutls_x509_crt_sign (MHD_gnutls_x509_crt_t crt,
00162                                 MHD_gnutls_x509_crt_t issuer,
00163                                 MHD_gnutls_x509_privkey_t issuer_key);
00164   int MHD_gnutls_x509_crt_sign2 (MHD_gnutls_x509_crt_t crt,
00165                                  MHD_gnutls_x509_crt_t issuer,
00166                                  MHD_gnutls_x509_privkey_t issuer_key,
00167                                  enum MHD_GNUTLS_HashAlgorithm,
00168                                  unsigned int flags);
00169   int MHD_gnutls_x509_crt_set_serial (MHD_gnutls_x509_crt_t cert,
00170                                       const void *serial, size_t serial_size);
00171 
00172   int MHD_gnutls_x509_crt_set_subject_key_id (MHD_gnutls_x509_crt_t cert,
00173                                               const void *id, size_t id_size);
00174 
00175   int MHD_gnutls_x509_crt_set_proxy_dn (MHD_gnutls_x509_crt_t crt,
00176                                         MHD_gnutls_x509_crt_t eecrt,
00177                                         unsigned int raw_flag,
00178                                         const void *name,
00179                                         unsigned int sizeof_name);
00180   int MHD_gnutls_x509_crt_set_proxy (MHD_gnutls_x509_crt_t crt,
00181                                      int pathLenConstraint,
00182                                      const char *policyLanguage,
00183                                      const char *policy,
00184                                      size_t sizeof_policy);
00185 
00186   typedef enum MHD_gnutls_certificate_print_formats
00187   {
00188     GNUTLS_X509_CRT_FULL,
00189     GNUTLS_X509_CRT_ONELINE,
00190     GNUTLS_X509_CRT_UNSIGNED_FULL
00191   } MHD_gnutls_certificate_print_formats_t;
00192 
00193   int MHD_gnutls_x509_crt_print (MHD_gnutls_x509_crt_t cert,
00194                                  MHD_gnutls_certificate_print_formats_t
00195                                  format, MHD_gnutls_datum_t * out);
00196 /* Access to internal Certificate fields.
00197  */
00198 
00199   typedef void *MHD_gnutls_x509_dn_t;
00200 
00201 /* X.509 Certificate verification functions.
00202  */
00203   typedef enum MHD_gnutls_certificate_verify_flags
00204   {
00205     /* If set a signer does not have to be a certificate authority. This
00206      * flag should normaly be disabled, unless you know what this means.
00207      */
00208     GNUTLS_VERIFY_DISABLE_CA_SIGN = 1,
00209 
00210     /* Allow only trusted CA certificates that have version 1.  This is
00211      * safer than GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT, and should be
00212      * used instead. That way only signers in your trusted list will be
00213      * allowed to have certificates of version 1.
00214      */
00215     GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT = 2,
00216 
00217     /* If a certificate is not signed by anyone trusted but exists in
00218      * the trusted CA list do not treat it as trusted.
00219      */
00220     GNUTLS_VERIFY_DO_NOT_ALLOW_SAME = 4,
00221 
00222     /* Allow CA certificates that have version 1 (both root and
00223      * intermediate). This might be dangerous since those haven't the
00224      * basicConstraints extension. Must be used in combination with
00225      * GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT.
00226      */
00227     GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT = 8,
00228 
00229     /* Allow certificates to be signed using the broken MD2 algorithm.
00230      */
00231     GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2 = 16,
00232 
00233     /* Allow certificates to be signed using the broken MD5 algorithm.
00234      */
00235     GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5 = 32
00236   } MHD_gnutls_certificate_verify_flags;
00237 
00238 
00239 /* Flags for the MHD_gnutls_x509_privkey_export_pkcs8() function.
00240  */
00241   typedef enum MHD_gnutls_pkcs_encrypt_flags_t
00242   {
00243     GNUTLS_PKCS_PLAIN = 1,      /* if set the private key will not
00244                                  * be encrypted.
00245                                  */
00246     GNUTLS_PKCS_USE_PKCS12_3DES = 2,
00247     GNUTLS_PKCS_USE_PKCS12_ARCFOUR = 4,
00248     GNUTLS_PKCS_USE_PKCS12_RC2_40 = 8,
00249     GNUTLS_PKCS_USE_PBES2_3DES = 16
00250   } MHD_gnutls_pkcs_encrypt_flags_t;
00251 
00252 #define GNUTLS_PKCS8_PLAIN GNUTLS_PKCS_PLAIN
00253 #define GNUTLS_PKCS8_USE_PKCS12_3DES GNUTLS_PKCS_USE_PKCS12_3DES
00254 #define GNUTLS_PKCS8_USE_PKCS12_ARCFOUR GNUTLS_PKCS_USE_PKCS12_ARCFOUR
00255 #define GNUTLS_PKCS8_USE_PKCS12_RC2_40 GNUTLS_PKCS_USE_PKCS12_RC2_40
00256 
00257   int MHD_gnutls_x509_privkey_init (MHD_gnutls_x509_privkey_t * key);
00258   void MHD_gnutls_x509_privkey_deinit (MHD_gnutls_x509_privkey_t key);
00259   int MHD_gnutls_x509_privkey_import (MHD_gnutls_x509_privkey_t key,
00260                                       const MHD_gnutls_datum_t * data,
00261                                       MHD_gnutls_x509_crt_fmt_t format);
00262   int MHD_gnutls_x509_privkey_get_key_id (MHD_gnutls_x509_privkey_t key,
00263                                           unsigned int flags,
00264                                           unsigned char *output_data,
00265                                           size_t * output_data_size);
00266 
00267   int MHD_gnutls_x509_privkey_export (MHD_gnutls_x509_privkey_t key,
00268                                       MHD_gnutls_x509_crt_fmt_t format,
00269                                       void *output_data,
00270                                       size_t * output_data_size);
00271   int MHD_gnutls_x509_privkey_export_pkcs8 (MHD_gnutls_x509_privkey_t key,
00272                                             MHD_gnutls_x509_crt_fmt_t format,
00273                                             const char *password,
00274                                             unsigned int flags,
00275                                             void *output_data,
00276                                             size_t * output_data_size);
00277   int MHD_gnutls_x509_privkey_export_rsa_raw (MHD_gnutls_x509_privkey_t key,
00278                                               MHD_gnutls_datum_t * m,
00279                                               MHD_gnutls_datum_t * e,
00280                                               MHD_gnutls_datum_t * d,
00281                                               MHD_gnutls_datum_t * p,
00282                                               MHD_gnutls_datum_t * q,
00283                                               MHD_gnutls_datum_t * u);
00284 
00285   int MHD_gnutls_x509_privkey_verify_data (MHD_gnutls_x509_privkey_t key,
00286                                            unsigned int flags,
00287                                            const MHD_gnutls_datum_t * data,
00288                                            const MHD_gnutls_datum_t *
00289                                            signature);
00290 
00291 #ifdef __cplusplus
00292 }
00293 #endif
00294 
00295 #define HASH_OID_SHA1 "1.3.14.3.2.26"
00296 #define HASH_OID_MD5 "1.2.840.113549.2.5"
00297 #define HASH_OID_MD2 "1.2.840.113549.2.2"
00298 #define HASH_OID_RMD160 "1.3.36.3.2.1"
00299 #define HASH_OID_SHA256 "2.16.840.1.101.3.4.2.1"
00300 #define HASH_OID_SHA384 "2.16.840.1.101.3.4.2.2"
00301 #define HASH_OID_SHA512 "2.16.840.1.101.3.4.2.3"
00302 
00303 typedef struct MHD_gnutls_x509_crt_int
00304 {
00305   ASN1_TYPE cert;
00306   int use_extensions;
00307 } MHD_gnutls_x509_crt_int;
00308 
00309 #define MAX_PRIV_PARAMS_SIZE 6  /* ok for RSA and DSA */
00310 
00311 /* parameters should not be larger than this limit */
00312 #define DSA_PRIVATE_PARAMS 5
00313 #define DSA_PUBLIC_PARAMS 4
00314 #define RSA_PRIVATE_PARAMS 6
00315 #define RSA_PUBLIC_PARAMS 2
00316 
00317 #if MAX_PRIV_PARAMS_SIZE - RSA_PRIVATE_PARAMS < 0
00318 # error INCREASE MAX_PRIV_PARAMS
00319 #endif
00320 
00321 #if MAX_PRIV_PARAMS_SIZE - DSA_PRIVATE_PARAMS < 0
00322 # error INCREASE MAX_PRIV_PARAMS
00323 #endif
00324 
00325 typedef struct MHD_gtls_x509_privkey_int
00326 {
00327   mpi_t params[MAX_PRIV_PARAMS_SIZE];   /* the size of params depends on the public
00328                                          * key algorithm
00329                                          */
00330   /*
00331    * RSA: [0] is modulus
00332    *      [1] is public exponent
00333    *      [2] is private exponent
00334    *      [3] is prime1 (p)
00335    *      [4] is prime2 (q)
00336    *      [5] is coefficient (u == inverse of p mod q)
00337    *          note that other packages used inverse of q mod p,
00338    *          so we need to perform conversions.
00339    * DSA: [0] is p
00340    *      [1] is q
00341    *      [2] is g
00342    *      [3] is y (public key)
00343    *      [4] is x (private key)
00344    */
00345   int params_size;              /* holds the number of params */
00346 
00347   enum MHD_GNUTLS_PublicKeyAlgorithm pk_algorithm;
00348 
00349   int crippled;                 /* The crippled keys will not use the ASN1_TYPE key.
00350                                  * The encoding will only be performed at the export
00351                                  * phase, to optimize copying etc. Cannot be used with
00352                                  * the exported API (used internally only).
00353                                  */
00354   ASN1_TYPE key;
00355 } MHD_gnutls_x509_privkey_int;
00356 
00357 int MHD_gnutls_x509_crt_get_pk_algorithm (MHD_gnutls_x509_crt_t cert,
00358                                           unsigned int *bits);
00359 
00360 int MHD_gnutls_x509_crt_get_serial (MHD_gnutls_x509_crt_t cert,
00361                                     void *result, size_t * result_size);
00362 
00363 int MHD_gnutls_x509_crt_init (MHD_gnutls_x509_crt_t * cert);
00364 void MHD_gnutls_x509_crt_deinit (MHD_gnutls_x509_crt_t cert);
00365 int MHD_gnutls_x509_crt_import (MHD_gnutls_x509_crt_t cert,
00366                                 const MHD_gnutls_datum_t * data,
00367                                 MHD_gnutls_x509_crt_fmt_t format);
00368 int MHD_gnutls_x509_crt_export (MHD_gnutls_x509_crt_t cert,
00369                                 MHD_gnutls_x509_crt_fmt_t format,
00370                                 void *output_data, size_t * output_data_size);
00371 
00372 int MHD_gnutls_x509_crt_get_key_usage (MHD_gnutls_x509_crt_t cert,
00373                                        unsigned int *key_usage,
00374                                        unsigned int *critical);
00375 int MHD_gnutls_x509_crt_get_version (MHD_gnutls_x509_crt_t cert);
00376 
00377 int MHD_gnutls_x509_privkey_init (MHD_gnutls_x509_privkey_t * key);
00378 void MHD_gnutls_x509_privkey_deinit (MHD_gnutls_x509_privkey_t key);
00379 
00380 int MHD_gnutls_x509_privkey_generate (MHD_gnutls_x509_privkey_t key,
00381                                       enum MHD_GNUTLS_PublicKeyAlgorithm algo,
00382                                       unsigned int bits, unsigned int flags);
00383 
00384 int MHD_gnutls_x509_privkey_import (MHD_gnutls_x509_privkey_t key,
00385                                     const MHD_gnutls_datum_t * data,
00386                                     MHD_gnutls_x509_crt_fmt_t format);
00387 int MHD_gnutls_x509_privkey_export_rsa_raw (MHD_gnutls_x509_privkey_t key,
00388                                             MHD_gnutls_datum_t * m,
00389                                             MHD_gnutls_datum_t * e,
00390                                             MHD_gnutls_datum_t * d,
00391                                             MHD_gnutls_datum_t * p,
00392                                             MHD_gnutls_datum_t * q,
00393                                             MHD_gnutls_datum_t * u);
00394 int MHD_gnutls_x509_privkey_export (MHD_gnutls_x509_privkey_t key,
00395                                     MHD_gnutls_x509_crt_fmt_t format,
00396                                     void *output_data,
00397                                     size_t * output_data_size);
00398 
00399 #define GNUTLS_CRL_REASON_UNUSED 128
00400 #define GNUTLS_CRL_REASON_KEY_COMPROMISE 64
00401 #define GNUTLS_CRL_REASON_CA_COMPROMISE 32
00402 #define GNUTLS_CRL_REASON_AFFILIATION_CHANGED 16
00403 #define GNUTLS_CRL_REASON_SUPERSEEDED 8
00404 #define GNUTLS_CRL_REASON_CESSATION_OF_OPERATION 4
00405 #define GNUTLS_CRL_REASON_CERTIFICATE_HOLD 2
00406 #define GNUTLS_CRL_REASON_PRIVILEGE_WITHDRAWN 1
00407 #define GNUTLS_CRL_REASON_AA_COMPROMISE 32768
00408 
00409 #endif

Generated on Fri Feb 27 18:31:19 2009 for GNU libmicrohttpd by  doxygen 1.5.7.1