
  1. /*
  2. * Copyright 1999-2019 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the OpenSSL license (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #ifndef HEADER_X509V3_H
  10. # define HEADER_X509V3_H
  11. # include <openssl/bio.h>
  12. # include <openssl/x509.h>
  13. # include <openssl/conf.h>
  14. # include <openssl/x509v3err.h>
  15. #ifdef __cplusplus
  16. extern "C" {
  17. #endif
  18. /* Forward reference */
  19. struct v3_ext_method;
  20. struct v3_ext_ctx;
  21. /* Useful typedefs */
  22. typedef void *(*X509V3_EXT_NEW)(void);
  23. typedef void (*X509V3_EXT_FREE) (void *);
  24. typedef void *(*X509V3_EXT_D2I)(void *, const unsigned char **, long);
  25. typedef int (*X509V3_EXT_I2D) (void *, unsigned char **);
  26. typedef STACK_OF(CONF_VALUE) *
  27. (*X509V3_EXT_I2V) (const struct v3_ext_method *method, void *ext,
  28. STACK_OF(CONF_VALUE) *extlist);
  29. typedef void *(*X509V3_EXT_V2I)(const struct v3_ext_method *method,
  30. struct v3_ext_ctx *ctx,
  31. STACK_OF(CONF_VALUE) *values);
  32. typedef char *(*X509V3_EXT_I2S)(const struct v3_ext_method *method,
  33. void *ext);
  34. typedef void *(*X509V3_EXT_S2I)(const struct v3_ext_method *method,
  35. struct v3_ext_ctx *ctx, const char *str);
  36. typedef int (*X509V3_EXT_I2R) (const struct v3_ext_method *method, void *ext,
  37. BIO *out, int indent);
  38. typedef void *(*X509V3_EXT_R2I)(const struct v3_ext_method *method,
  39. struct v3_ext_ctx *ctx, const char *str);
  40. /* V3 extension structure */
  /*
   * Describes how one X.509 v3 extension, identified by ext_nid, is
   * allocated, encoded, decoded, printed and built from configuration.
   * Methods are registered with X509V3_EXT_add()/X509V3_EXT_add_list()
   * and looked up with X509V3_EXT_get()/X509V3_EXT_get_nid() (declared
   * further down in this header).
   */
  struct v3_ext_method {
      int ext_nid;            /* NID of the extension this method handles;
                               * EXT_END below uses -1 here, presumably as
                               * the list terminator for
                               * X509V3_EXT_add_list() -- confirm */
      int ext_flags;          /* X509V3_EXT_* bits ("ext_flags values" below) */
      /* If this is set the following four fields are ignored */
      ASN1_ITEM_EXP *it;
      /* Old style ASN1 calls */
      X509V3_EXT_NEW ext_new;
      X509V3_EXT_FREE ext_free;
      X509V3_EXT_D2I d2i;
      X509V3_EXT_I2D i2d;
      /* The following pair is used for string extensions */
      X509V3_EXT_I2S i2s;
      X509V3_EXT_S2I s2i;
      /* The following pair is used for multi-valued extensions */
      X509V3_EXT_I2V i2v;
      X509V3_EXT_V2I v2i;
      /* The following are used for raw extensions */
      X509V3_EXT_I2R i2r;
      X509V3_EXT_R2I r2i;
      void *usr_data;         /* Any extension specific data; passed back to
                               * the callbacks through the method pointer */
  };
  /*
   * Callback table that abstracts the configuration database behind a
   * v3_ext_ctx (its db_meth/db fields).  'db' is the opaque handle stored
   * in the context.  Strings and sections returned by the two getters are
   * presumably to be released with the matching free_* callback -- confirm
   * against the implementation before relying on ownership.
   */
  typedef struct X509V3_CONF_METHOD_st {
      char *(*get_string) (void *db, const char *section, const char *value);
      STACK_OF(CONF_VALUE) *(*get_section) (void *db, const char *section);
      void (*free_string) (void *db, char *string);
      void (*free_section) (void *db, STACK_OF(CONF_VALUE) *section);
  } X509V3_CONF_METHOD;
  68. /* Context specific info */
  /*
   * Context handed to extension callbacks (X509V3_EXT_S2I/V2I/R2I) so they
   * can reach the issuer/subject being processed and the configuration
   * database.  Populated by X509V3_set_ctx() (certs, request, CRL, flags);
   * X509V3_set_ctx_test() sets CTX_TEST with every object NULL and
   * X509V3_set_ctx_nodb() clears db (see the macros below).
   */
  struct v3_ext_ctx {
  # define CTX_TEST 0x1               /* set by X509V3_set_ctx_test() */
  # define X509V3_CTX_REPLACE 0x2
      int flags;                      /* CTX_TEST / X509V3_CTX_REPLACE bits */
      X509 *issuer_cert;              /* may be NULL (X509V3_set_ctx_test) */
      X509 *subject_cert;             /* may be NULL */
      X509_REQ *subject_req;          /* may be NULL */
      X509_CRL *crl;                  /* may be NULL */
      X509V3_CONF_METHOD *db_meth;    /* accessor table for db */
      void *db;                       /* opaque config handle; presumably set
                                       * by X509V3_set_nconf() /
                                       * X509V3_set_conf_lhash() -- confirm */
      /* Maybe more here */
  };
  81. typedef struct v3_ext_method X509V3_EXT_METHOD;
  82. DEFINE_STACK_OF(X509V3_EXT_METHOD)
  83. /* ext_flags values */
  84. # define X509V3_EXT_DYNAMIC 0x1
  85. # define X509V3_EXT_CTX_DEP 0x2
  86. # define X509V3_EXT_MULTILINE 0x4
  87. typedef BIT_STRING_BITNAME ENUMERATED_NAMES;
  /* basicConstraints extension body. */
  typedef struct BASIC_CONSTRAINTS_st {
      int ca;                     /* non-zero when the cA BOOLEAN is TRUE */
      ASN1_INTEGER *pathlen;      /* pathLenConstraint; NOTE(review): this
                                   * field is OPTIONAL in the ASN.1 so expect
                                   * NULL when absent -- confirm */
  } BASIC_CONSTRAINTS;
  /* privateKeyUsagePeriod extension: validity window of the private key. */
  typedef struct PKEY_USAGE_PERIOD_st {
      ASN1_GENERALIZEDTIME *notBefore;    /* presumably OPTIONAL; check for NULL */
      ASN1_GENERALIZEDTIME *notAfter;     /* presumably OPTIONAL; check for NULL */
  } PKEY_USAGE_PERIOD;
  /*
   * GeneralName.otherName: an OID-tagged ANY value.  Consumers must
   * interpret 'value' according to 'type_id' and must not assume any
   * particular ASN.1 type for it.
   */
  typedef struct otherName_st {
      ASN1_OBJECT *type_id;       /* type-id OID that selects the meaning of value */
      ASN1_TYPE *value;           /* the tagged value (ANY) */
  } OTHERNAME;
  /*
   * GeneralName.ediPartyName.  NOTE(review): nameAssigner is OPTIONAL in
   * the ASN.1 definition, so code comparing or printing these values
   * should tolerate a NULL nameAssigner -- confirm against the ASN.1
   * template.
   */
  typedef struct EDIPartyName_st {
      ASN1_STRING *nameAssigner;
      ASN1_STRING *partyName;
  } EDIPARTYNAME;
  /*
   * One GeneralName CHOICE.  'type' holds a GEN_* value and selects which
   * member of 'd' is live; the members of 'd' all share one storage slot,
   * so reading a member other than the one 'type' selects is a type
   * confusion bug.  GENERAL_NAME_get0_value()/GENERAL_NAME_set0_value()
   * (declared below) read and replace the value together with its type.
   * The string members are ASN1 strings with an explicit length; do not
   * treat their data as NUL-terminated.
   */
  typedef struct GENERAL_NAME_st {
  # define GEN_OTHERNAME 0
  # define GEN_EMAIL 1
  # define GEN_DNS 2
  # define GEN_X400 3
  # define GEN_DIRNAME 4
  # define GEN_EDIPARTY 5
  # define GEN_URI 6
  # define GEN_IPADD 7
  # define GEN_RID 8
      int type;                   /* GEN_*; discriminator for the union below */
      union {
          char *ptr;              /* generic view of whichever member is live */
          OTHERNAME *otherName;   /* otherName */
          ASN1_IA5STRING *rfc822Name;
          ASN1_IA5STRING *dNSName;
          ASN1_TYPE *x400Address;
          X509_NAME *directoryName;
          EDIPARTYNAME *ediPartyName;
          ASN1_IA5STRING *uniformResourceIdentifier;
          ASN1_OCTET_STRING *iPAddress;       /* raw address bytes, not text */
          ASN1_OBJECT *registeredID;
          /* Old names: aliases of the members above, kept for compatibility */
          ASN1_OCTET_STRING *ip;  /* iPAddress */
          X509_NAME *dirn;        /* dirn */
          ASN1_IA5STRING *ia5;    /* rfc822Name, dNSName,
                                   * uniformResourceIdentifier */
          ASN1_OBJECT *rid;       /* registeredID */
          ASN1_TYPE *other;       /* x400Address */
      } d;
  } GENERAL_NAME;
  /*
   * One AccessDescription entry (authorityInfoAccess / subjectInfoAccess):
   * an access-method OID plus the GeneralName where it can be reached.
   */
  typedef struct ACCESS_DESCRIPTION_st {
      ASN1_OBJECT *method;        /* accessMethod OID */
      GENERAL_NAME *location;     /* accessLocation; check location->type before use */
  } ACCESS_DESCRIPTION;
  139. typedef STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS;
  140. typedef STACK_OF(ASN1_OBJECT) EXTENDED_KEY_USAGE;
  141. typedef STACK_OF(ASN1_INTEGER) TLS_FEATURE;
  142. DEFINE_STACK_OF(GENERAL_NAME)
  143. typedef STACK_OF(GENERAL_NAME) GENERAL_NAMES;
  144. DEFINE_STACK_OF(GENERAL_NAMES)
  145. DEFINE_STACK_OF(ACCESS_DESCRIPTION)
  /*
   * DistributionPointName CHOICE.  'type' selects which member of 'name'
   * is live (the numeric values are not defined in this header).  When
   * the relative form is used, 'dpname' holds the resolved full name;
   * DIST_POINT_set_dpname() below presumably computes it from the
   * issuer name -- confirm.
   */
  typedef struct DIST_POINT_NAME_st {
      int type;                   /* discriminator for the union below */
      union {
          GENERAL_NAMES *fullname;
          STACK_OF(X509_NAME_ENTRY) *relativename;
      } name;
      /* If relativename then this contains the full distribution point name */
      X509_NAME *dpname;          /* may be NULL for the fullname form */
  } DIST_POINT_NAME;
  155. /* All existing reasons */
  156. # define CRLDP_ALL_REASONS 0x807f
  157. # define CRL_REASON_NONE -1
  158. # define CRL_REASON_UNSPECIFIED 0
  159. # define CRL_REASON_KEY_COMPROMISE 1
  160. # define CRL_REASON_CA_COMPROMISE 2
  161. # define CRL_REASON_AFFILIATION_CHANGED 3
  162. # define CRL_REASON_SUPERSEDED 4
  163. # define CRL_REASON_CESSATION_OF_OPERATION 5
  164. # define CRL_REASON_CERTIFICATE_HOLD 6
  165. # define CRL_REASON_REMOVE_FROM_CRL 8
  166. # define CRL_REASON_PRIVILEGE_WITHDRAWN 9
  167. # define CRL_REASON_AA_COMPROMISE 10
  /*
   * One cRLDistributionPoints entry.  'reasons' is the encoded ReasonFlags
   * BIT STRING; 'dp_reasons' is a plain-int view of it (presumably built
   * with the CRL_REASON_* / CRLDP_ALL_REASONS values above -- confirm).
   */
  struct DIST_POINT_st {
      DIST_POINT_NAME *distpoint; /* may be NULL when the DP has no name */
      ASN1_BIT_STRING *reasons;   /* NULL means "all reasons" in RFC 5280; confirm */
      GENERAL_NAMES *CRLissuer;   /* indirect CRL issuer names, may be NULL */
      int dp_reasons;             /* decoded reason bits for this DP */
  };
  174. typedef STACK_OF(DIST_POINT) CRL_DIST_POINTS;
  175. DEFINE_STACK_OF(DIST_POINT)
  /*
   * authorityKeyIdentifier extension.  Every field is OPTIONAL in the
   * ASN.1, so any of them may be NULL; X509_check_akid() below matches an
   * issuer against this structure.
   */
  struct AUTHORITY_KEYID_st {
      ASN1_OCTET_STRING *keyid;   /* keyIdentifier, may be NULL */
      GENERAL_NAMES *issuer;      /* authorityCertIssuer, may be NULL */
      ASN1_INTEGER *serial;       /* authorityCertSerialNumber, may be NULL */
  };
  181. /* Strong extranet structures */
  /* One Strong Extranet id: zone number plus the user identifier bytes. */
  typedef struct SXNET_ID_st {
      ASN1_INTEGER *zone;         /* zone id; SXNET_get_id_* below look ids up by it */
      ASN1_OCTET_STRING *user;    /* opaque user id; length-delimited, not text */
  } SXNETID;
  186. DEFINE_STACK_OF(SXNETID)
  /* Strong Extranet extension body: a version plus a list of SXNETID. */
  typedef struct SXNET_st {
      ASN1_INTEGER *version;
      STACK_OF(SXNETID) *ids;     /* grown by the SXNET_add_id_* functions below */
  } SXNET;
  /* NoticeReference of a certificate-policy user notice. */
  typedef struct NOTICEREF_st {
      ASN1_STRING *organization;          /* DisplayText; type may vary */
      STACK_OF(ASN1_INTEGER) *noticenos;  /* notice numbers */
  } NOTICEREF;
  /* UserNotice policy qualifier; both members are presumably OPTIONAL. */
  typedef struct USERNOTICE_st {
      NOTICEREF *noticeref;       /* may be NULL */
      ASN1_STRING *exptext;       /* explicitText DisplayText, may be NULL */
  } USERNOTICE;
  /*
   * PolicyQualifierInfo.  The qualifier OID 'pqualid' determines which
   * member of 'd' is live (presumably cpsuri for the CPS qualifier,
   * usernotice for the user-notice qualifier and 'other' for anything
   * else -- confirm against the ASN.1 template).  Check pqualid before
   * dereferencing a union member.
   */
  typedef struct POLICYQUALINFO_st {
      ASN1_OBJECT *pqualid;       /* policyQualifierId */
      union {
          ASN1_IA5STRING *cpsuri;
          USERNOTICE *usernotice;
          ASN1_TYPE *other;       /* unrecognised qualifier kept as ANY */
      } d;
  } POLICYQUALINFO;
  207. DEFINE_STACK_OF(POLICYQUALINFO)
  /* One PolicyInformation entry of certificatePolicies. */
  typedef struct POLICYINFO_st {
      ASN1_OBJECT *policyid;                  /* policyIdentifier OID */
      STACK_OF(POLICYQUALINFO) *qualifiers;   /* OPTIONAL; may be NULL */
  } POLICYINFO;
  212. typedef STACK_OF(POLICYINFO) CERTIFICATEPOLICIES;
  213. DEFINE_STACK_OF(POLICYINFO)
  /* One issuer-policy -> subject-policy pair of the policyMappings extension. */
  typedef struct POLICY_MAPPING_st {
      ASN1_OBJECT *issuerDomainPolicy;
      ASN1_OBJECT *subjectDomainPolicy;
  } POLICY_MAPPING;
  218. DEFINE_STACK_OF(POLICY_MAPPING)
  219. typedef STACK_OF(POLICY_MAPPING) POLICY_MAPPINGS;
  /*
   * GeneralSubtree of nameConstraints: a GeneralName pattern plus the
   * minimum/maximum fields, which are presumably OPTIONAL (NULL when
   * absent) -- confirm.
   */
  typedef struct GENERAL_SUBTREE_st {
      GENERAL_NAME *base;         /* the constraint pattern; base->type selects its form */
      ASN1_INTEGER *minimum;
      ASN1_INTEGER *maximum;
  } GENERAL_SUBTREE;
  225. DEFINE_STACK_OF(GENERAL_SUBTREE)
  /*
   * nameConstraints extension.  Evaluated against a certificate by
   * NAME_CONSTRAINTS_check() and NAME_CONSTRAINTS_check_CN() below.
   * Either list may be NULL when that half of the constraint is absent.
   */
  struct NAME_CONSTRAINTS_st {
      STACK_OF(GENERAL_SUBTREE) *permittedSubtrees;
      STACK_OF(GENERAL_SUBTREE) *excludedSubtrees;
  };
  /* policyConstraints extension; both skip-certs counters are presumably OPTIONAL. */
  typedef struct POLICY_CONSTRAINTS_st {
      ASN1_INTEGER *requireExplicitPolicy;    /* may be NULL */
      ASN1_INTEGER *inhibitPolicyMapping;     /* may be NULL */
  } POLICY_CONSTRAINTS;
  234. /* Proxy certificate structures, see RFC 3820 */
  /* ProxyPolicy (RFC 3820): a policy-language OID plus an opaque policy blob. */
  typedef struct PROXY_POLICY_st {
      ASN1_OBJECT *policyLanguage;
      ASN1_OCTET_STRING *policy;  /* interpretation depends on policyLanguage */
  } PROXY_POLICY;
  /*
   * ProxyCertInfo extension (RFC 3820).  The path length constraint is
   * presumably OPTIONAL (NULL when absent); see X509_set_proxy_pathlen() /
   * X509_get_proxy_pathlen() below for the cached form on an X509.
   */
  typedef struct PROXY_CERT_INFO_EXTENSION_st {
      ASN1_INTEGER *pcPathLengthConstraint;
      PROXY_POLICY *proxyPolicy;
  } PROXY_CERT_INFO_EXTENSION;
  243. DECLARE_ASN1_FUNCTIONS(PROXY_POLICY)
  244. DECLARE_ASN1_FUNCTIONS(PROXY_CERT_INFO_EXTENSION)
  /*
   * issuingDistributionPoint CRL extension.  The int members are ASN.1
   * BOOLEANs; the IDP_* flag values defined right after this struct
   * summarise the same information for the CRL's idp_flags.
   */
  struct ISSUING_DIST_POINT_st {
      DIST_POINT_NAME *distpoint;         /* may be NULL */
      int onlyuser;                       /* onlyContainsUserCerts */
      int onlyCA;                         /* onlyContainsCACerts */
      ASN1_BIT_STRING *onlysomereasons;   /* NULL when all reasons are covered */
      int indirectCRL;
      int onlyattr;                       /* onlyContainsAttributeCerts */
  };
  253. /* Values in idp_flags field */
  254. /* IDP present */
  255. # define IDP_PRESENT 0x1
  256. /* IDP values inconsistent */
  257. # define IDP_INVALID 0x2
  258. /* onlyuser true */
  259. # define IDP_ONLYUSER 0x4
  260. /* onlyCA true */
  261. # define IDP_ONLYCA 0x8
  262. /* onlyattr true */
  263. # define IDP_ONLYATTR 0x10
  264. /* indirectCRL true */
  265. # define IDP_INDIRECT 0x20
  266. /* onlysomereasons present */
  267. # define IDP_REASONS 0x40
  268. # define X509V3_conf_err(val) ERR_add_error_data(6, \
  269. "section:", (val)->section, \
  270. ",name:", (val)->name, ",value:", (val)->value)
  271. # define X509V3_set_ctx_test(ctx) \
  272. X509V3_set_ctx(ctx, NULL, NULL, NULL, NULL, CTX_TEST)
  273. # define X509V3_set_ctx_nodb(ctx) (ctx)->db = NULL;
  274. # define EXT_BITSTRING(nid, table) { nid, 0, ASN1_ITEM_ref(ASN1_BIT_STRING), \
  275. 0,0,0,0, \
  276. 0,0, \
  277. (X509V3_EXT_I2V)i2v_ASN1_BIT_STRING, \
  278. (X509V3_EXT_V2I)v2i_ASN1_BIT_STRING, \
  279. NULL, NULL, \
  280. table}
  281. # define EXT_IA5STRING(nid) { nid, 0, ASN1_ITEM_ref(ASN1_IA5STRING), \
  282. 0,0,0,0, \
  283. (X509V3_EXT_I2S)i2s_ASN1_IA5STRING, \
  284. (X509V3_EXT_S2I)s2i_ASN1_IA5STRING, \
  285. 0,0,0,0, \
  286. NULL}
  287. # define EXT_END { -1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}
  288. /* X509_PURPOSE stuff */
  289. # define EXFLAG_BCONS 0x1
  290. # define EXFLAG_KUSAGE 0x2
  291. # define EXFLAG_XKUSAGE 0x4
  292. # define EXFLAG_NSCERT 0x8
  293. # define EXFLAG_CA 0x10
  /* Really self-issued, not necessarily self-signed */
  295. # define EXFLAG_SI 0x20
  296. # define EXFLAG_V1 0x40
  297. # define EXFLAG_INVALID 0x80
  298. /* EXFLAG_SET is set to indicate that some values have been precomputed */
  299. # define EXFLAG_SET 0x100
  300. # define EXFLAG_CRITICAL 0x200
  301. # define EXFLAG_PROXY 0x400
  302. # define EXFLAG_INVALID_POLICY 0x800
  303. # define EXFLAG_FRESHEST 0x1000
  304. /* Self signed */
  305. # define EXFLAG_SS 0x2000
  306. # define KU_DIGITAL_SIGNATURE 0x0080
  307. # define KU_NON_REPUDIATION 0x0040
  308. # define KU_KEY_ENCIPHERMENT 0x0020
  309. # define KU_DATA_ENCIPHERMENT 0x0010
  310. # define KU_KEY_AGREEMENT 0x0008
  311. # define KU_KEY_CERT_SIGN 0x0004
  312. # define KU_CRL_SIGN 0x0002
  313. # define KU_ENCIPHER_ONLY 0x0001
  314. # define KU_DECIPHER_ONLY 0x8000
  315. # define NS_SSL_CLIENT 0x80
  316. # define NS_SSL_SERVER 0x40
  317. # define NS_SMIME 0x20
  318. # define NS_OBJSIGN 0x10
  319. # define NS_SSL_CA 0x04
  320. # define NS_SMIME_CA 0x02
  321. # define NS_OBJSIGN_CA 0x01
  322. # define NS_ANY_CA (NS_SSL_CA|NS_SMIME_CA|NS_OBJSIGN_CA)
  323. # define XKU_SSL_SERVER 0x1
  324. # define XKU_SSL_CLIENT 0x2
  325. # define XKU_SMIME 0x4
  326. # define XKU_CODE_SIGN 0x8
  327. # define XKU_SGC 0x10
  328. # define XKU_OCSP_SIGN 0x20
  329. # define XKU_TIMESTAMP 0x40
  330. # define XKU_DVCS 0x80
  331. # define XKU_ANYEKU 0x100
  332. # define X509_PURPOSE_DYNAMIC 0x1
  333. # define X509_PURPOSE_DYNAMIC_NAME 0x2
  /*
   * A registered certificate purpose (see X509_PURPOSE_* ids below and
   * X509_PURPOSE_add()).  'check_purpose' is the callback
   * X509_check_purpose() presumably dispatches to; its last argument
   * looks like the 'ca' flag of X509_check_purpose() -- confirm.
   */
  typedef struct x509_purpose_st {
      int purpose;                /* X509_PURPOSE_* id */
      int trust;                  /* Default trust ID */
      int flags;                  /* presumably X509_PURPOSE_DYNAMIC* bits -- confirm */
      int (*check_purpose) (const struct x509_purpose_st *, const X509 *, int);
      char *name;                 /* long name; returned by X509_PURPOSE_get0_name() */
      char *sname;                /* short name; returned by X509_PURPOSE_get0_sname() */
      void *usr_data;             /* the 'arg' of X509_PURPOSE_add(), presumably */
  } X509_PURPOSE;
  343. # define X509_PURPOSE_SSL_CLIENT 1
  344. # define X509_PURPOSE_SSL_SERVER 2
  345. # define X509_PURPOSE_NS_SSL_SERVER 3
  346. # define X509_PURPOSE_SMIME_SIGN 4
  347. # define X509_PURPOSE_SMIME_ENCRYPT 5
  348. # define X509_PURPOSE_CRL_SIGN 6
  349. # define X509_PURPOSE_ANY 7
  350. # define X509_PURPOSE_OCSP_HELPER 8
  351. # define X509_PURPOSE_TIMESTAMP_SIGN 9
  352. # define X509_PURPOSE_MIN 1
  353. # define X509_PURPOSE_MAX 9
  354. /* Flags for X509V3_EXT_print() */
  355. # define X509V3_EXT_UNKNOWN_MASK (0xfL << 16)
  356. /* Return error for unknown extensions */
  357. # define X509V3_EXT_DEFAULT 0
  358. /* Print error for unknown extensions */
  359. # define X509V3_EXT_ERROR_UNKNOWN (1L << 16)
  360. /* ASN1 parse unknown extensions */
  361. # define X509V3_EXT_PARSE_UNKNOWN (2L << 16)
  362. /* BIO_dump unknown extensions */
  363. # define X509V3_EXT_DUMP_UNKNOWN (3L << 16)
  364. /* Flags for X509V3_add1_i2d */
  365. # define X509V3_ADD_OP_MASK 0xfL
  366. # define X509V3_ADD_DEFAULT 0L
  367. # define X509V3_ADD_APPEND 1L
  368. # define X509V3_ADD_REPLACE 2L
  369. # define X509V3_ADD_REPLACE_EXISTING 3L
  370. # define X509V3_ADD_KEEP_EXISTING 4L
  371. # define X509V3_ADD_DELETE 5L
  372. # define X509V3_ADD_SILENT 0x10
  373. DEFINE_STACK_OF(X509_PURPOSE)
  374. DECLARE_ASN1_FUNCTIONS(BASIC_CONSTRAINTS)
  375. DECLARE_ASN1_FUNCTIONS(SXNET)
  376. DECLARE_ASN1_FUNCTIONS(SXNETID)
  377. int SXNET_add_id_asc(SXNET **psx, const char *zone, const char *user, int userlen);
  378. int SXNET_add_id_ulong(SXNET **psx, unsigned long lzone, const char *user,
  379. int userlen);
  380. int SXNET_add_id_INTEGER(SXNET **psx, ASN1_INTEGER *izone, const char *user,
  381. int userlen);
  382. ASN1_OCTET_STRING *SXNET_get_id_asc(SXNET *sx, const char *zone);
  383. ASN1_OCTET_STRING *SXNET_get_id_ulong(SXNET *sx, unsigned long lzone);
  384. ASN1_OCTET_STRING *SXNET_get_id_INTEGER(SXNET *sx, ASN1_INTEGER *zone);
  385. DECLARE_ASN1_FUNCTIONS(AUTHORITY_KEYID)
  386. DECLARE_ASN1_FUNCTIONS(PKEY_USAGE_PERIOD)
  387. DECLARE_ASN1_FUNCTIONS(GENERAL_NAME)
  388. GENERAL_NAME *GENERAL_NAME_dup(GENERAL_NAME *a);
  389. int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b);
  390. ASN1_BIT_STRING *v2i_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
  391. X509V3_CTX *ctx,
  392. STACK_OF(CONF_VALUE) *nval);
  393. STACK_OF(CONF_VALUE) *i2v_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
  394. ASN1_BIT_STRING *bits,
  395. STACK_OF(CONF_VALUE) *extlist);
  396. char *i2s_ASN1_IA5STRING(X509V3_EXT_METHOD *method, ASN1_IA5STRING *ia5);
  397. ASN1_IA5STRING *s2i_ASN1_IA5STRING(X509V3_EXT_METHOD *method,
  398. X509V3_CTX *ctx, const char *str);
  399. STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method,
  400. GENERAL_NAME *gen,
  401. STACK_OF(CONF_VALUE) *ret);
  402. int GENERAL_NAME_print(BIO *out, GENERAL_NAME *gen);
  403. DECLARE_ASN1_FUNCTIONS(GENERAL_NAMES)
  404. STACK_OF(CONF_VALUE) *i2v_GENERAL_NAMES(X509V3_EXT_METHOD *method,
  405. GENERAL_NAMES *gen,
  406. STACK_OF(CONF_VALUE) *extlist);
  407. GENERAL_NAMES *v2i_GENERAL_NAMES(const X509V3_EXT_METHOD *method,
  408. X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
  409. DECLARE_ASN1_FUNCTIONS(OTHERNAME)
  410. DECLARE_ASN1_FUNCTIONS(EDIPARTYNAME)
  411. int OTHERNAME_cmp(OTHERNAME *a, OTHERNAME *b);
  412. void GENERAL_NAME_set0_value(GENERAL_NAME *a, int type, void *value);
  413. void *GENERAL_NAME_get0_value(const GENERAL_NAME *a, int *ptype);
  414. int GENERAL_NAME_set0_othername(GENERAL_NAME *gen,
  415. ASN1_OBJECT *oid, ASN1_TYPE *value);
  416. int GENERAL_NAME_get0_otherName(const GENERAL_NAME *gen,
  417. ASN1_OBJECT **poid, ASN1_TYPE **pvalue);
  418. char *i2s_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method,
  419. const ASN1_OCTET_STRING *ia5);
  420. ASN1_OCTET_STRING *s2i_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method,
  421. X509V3_CTX *ctx, const char *str);
  422. DECLARE_ASN1_FUNCTIONS(EXTENDED_KEY_USAGE)
  423. int i2a_ACCESS_DESCRIPTION(BIO *bp, const ACCESS_DESCRIPTION *a);
  424. DECLARE_ASN1_ALLOC_FUNCTIONS(TLS_FEATURE)
  425. DECLARE_ASN1_FUNCTIONS(CERTIFICATEPOLICIES)
  426. DECLARE_ASN1_FUNCTIONS(POLICYINFO)
  427. DECLARE_ASN1_FUNCTIONS(POLICYQUALINFO)
  428. DECLARE_ASN1_FUNCTIONS(USERNOTICE)
  429. DECLARE_ASN1_FUNCTIONS(NOTICEREF)
  430. DECLARE_ASN1_FUNCTIONS(CRL_DIST_POINTS)
  431. DECLARE_ASN1_FUNCTIONS(DIST_POINT)
  432. DECLARE_ASN1_FUNCTIONS(DIST_POINT_NAME)
  433. DECLARE_ASN1_FUNCTIONS(ISSUING_DIST_POINT)
  434. int DIST_POINT_set_dpname(DIST_POINT_NAME *dpn, X509_NAME *iname);
  435. int NAME_CONSTRAINTS_check(X509 *x, NAME_CONSTRAINTS *nc);
  436. int NAME_CONSTRAINTS_check_CN(X509 *x, NAME_CONSTRAINTS *nc);
  437. DECLARE_ASN1_FUNCTIONS(ACCESS_DESCRIPTION)
  438. DECLARE_ASN1_FUNCTIONS(AUTHORITY_INFO_ACCESS)
  439. DECLARE_ASN1_ITEM(POLICY_MAPPING)
  440. DECLARE_ASN1_ALLOC_FUNCTIONS(POLICY_MAPPING)
  441. DECLARE_ASN1_ITEM(POLICY_MAPPINGS)
  442. DECLARE_ASN1_ITEM(GENERAL_SUBTREE)
  443. DECLARE_ASN1_ALLOC_FUNCTIONS(GENERAL_SUBTREE)
  444. DECLARE_ASN1_ITEM(NAME_CONSTRAINTS)
  445. DECLARE_ASN1_ALLOC_FUNCTIONS(NAME_CONSTRAINTS)
  446. DECLARE_ASN1_ALLOC_FUNCTIONS(POLICY_CONSTRAINTS)
  447. DECLARE_ASN1_ITEM(POLICY_CONSTRAINTS)
  448. GENERAL_NAME *a2i_GENERAL_NAME(GENERAL_NAME *out,
  449. const X509V3_EXT_METHOD *method,
  450. X509V3_CTX *ctx, int gen_type,
  451. const char *value, int is_nc);
  452. # ifdef HEADER_CONF_H
  453. GENERAL_NAME *v2i_GENERAL_NAME(const X509V3_EXT_METHOD *method,
  454. X509V3_CTX *ctx, CONF_VALUE *cnf);
  455. GENERAL_NAME *v2i_GENERAL_NAME_ex(GENERAL_NAME *out,
  456. const X509V3_EXT_METHOD *method,
  457. X509V3_CTX *ctx, CONF_VALUE *cnf,
  458. int is_nc);
  459. void X509V3_conf_free(CONF_VALUE *val);
  460. X509_EXTENSION *X509V3_EXT_nconf_nid(CONF *conf, X509V3_CTX *ctx, int ext_nid,
  461. const char *value);
  462. X509_EXTENSION *X509V3_EXT_nconf(CONF *conf, X509V3_CTX *ctx, const char *name,
  463. const char *value);
  464. int X509V3_EXT_add_nconf_sk(CONF *conf, X509V3_CTX *ctx, const char *section,
  465. STACK_OF(X509_EXTENSION) **sk);
  466. int X509V3_EXT_add_nconf(CONF *conf, X509V3_CTX *ctx, const char *section,
  467. X509 *cert);
  468. int X509V3_EXT_REQ_add_nconf(CONF *conf, X509V3_CTX *ctx, const char *section,
  469. X509_REQ *req);
  470. int X509V3_EXT_CRL_add_nconf(CONF *conf, X509V3_CTX *ctx, const char *section,
  471. X509_CRL *crl);
  472. X509_EXTENSION *X509V3_EXT_conf_nid(LHASH_OF(CONF_VALUE) *conf,
  473. X509V3_CTX *ctx, int ext_nid,
  474. const char *value);
  475. X509_EXTENSION *X509V3_EXT_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
  476. const char *name, const char *value);
  477. int X509V3_EXT_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
  478. const char *section, X509 *cert);
  479. int X509V3_EXT_REQ_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
  480. const char *section, X509_REQ *req);
  481. int X509V3_EXT_CRL_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
  482. const char *section, X509_CRL *crl);
  483. int X509V3_add_value_bool_nf(const char *name, int asn1_bool,
  484. STACK_OF(CONF_VALUE) **extlist);
  485. int X509V3_get_value_bool(const CONF_VALUE *value, int *asn1_bool);
  486. int X509V3_get_value_int(const CONF_VALUE *value, ASN1_INTEGER **aint);
  487. void X509V3_set_nconf(X509V3_CTX *ctx, CONF *conf);
  488. void X509V3_set_conf_lhash(X509V3_CTX *ctx, LHASH_OF(CONF_VALUE) *lhash);
  489. # endif
  490. char *X509V3_get_string(X509V3_CTX *ctx, const char *name, const char *section);
  491. STACK_OF(CONF_VALUE) *X509V3_get_section(X509V3_CTX *ctx, const char *section);
  492. void X509V3_string_free(X509V3_CTX *ctx, char *str);
  493. void X509V3_section_free(X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *section);
  494. void X509V3_set_ctx(X509V3_CTX *ctx, X509 *issuer, X509 *subject,
  495. X509_REQ *req, X509_CRL *crl, int flags);
  496. int X509V3_add_value(const char *name, const char *value,
  497. STACK_OF(CONF_VALUE) **extlist);
  498. int X509V3_add_value_uchar(const char *name, const unsigned char *value,
  499. STACK_OF(CONF_VALUE) **extlist);
  500. int X509V3_add_value_bool(const char *name, int asn1_bool,
  501. STACK_OF(CONF_VALUE) **extlist);
  502. int X509V3_add_value_int(const char *name, const ASN1_INTEGER *aint,
  503. STACK_OF(CONF_VALUE) **extlist);
  504. char *i2s_ASN1_INTEGER(X509V3_EXT_METHOD *meth, const ASN1_INTEGER *aint);
  505. ASN1_INTEGER *s2i_ASN1_INTEGER(X509V3_EXT_METHOD *meth, const char *value);
  506. char *i2s_ASN1_ENUMERATED(X509V3_EXT_METHOD *meth, const ASN1_ENUMERATED *aint);
  507. char *i2s_ASN1_ENUMERATED_TABLE(X509V3_EXT_METHOD *meth,
  508. const ASN1_ENUMERATED *aint);
  509. int X509V3_EXT_add(X509V3_EXT_METHOD *ext);
  510. int X509V3_EXT_add_list(X509V3_EXT_METHOD *extlist);
  511. int X509V3_EXT_add_alias(int nid_to, int nid_from);
  512. void X509V3_EXT_cleanup(void);
  513. const X509V3_EXT_METHOD *X509V3_EXT_get(X509_EXTENSION *ext);
  514. const X509V3_EXT_METHOD *X509V3_EXT_get_nid(int nid);
  515. int X509V3_add_standard_extensions(void);
  516. STACK_OF(CONF_VALUE) *X509V3_parse_list(const char *line);
  517. void *X509V3_EXT_d2i(X509_EXTENSION *ext);
  518. void *X509V3_get_d2i(const STACK_OF(X509_EXTENSION) *x, int nid, int *crit,
  519. int *idx);
  520. X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, void *ext_struc);
  521. int X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value,
  522. int crit, unsigned long flags);
  523. #if OPENSSL_API_COMPAT < 0x10100000L
  524. /* The new declarations are in crypto.h, but the old ones were here. */
  525. # define hex_to_string OPENSSL_buf2hexstr
  526. # define string_to_hex OPENSSL_hexstr2buf
  527. #endif
  528. void X509V3_EXT_val_prn(BIO *out, STACK_OF(CONF_VALUE) *val, int indent,
  529. int ml);
  530. int X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, unsigned long flag,
  531. int indent);
  532. #ifndef OPENSSL_NO_STDIO
  533. int X509V3_EXT_print_fp(FILE *out, X509_EXTENSION *ext, int flag, int indent);
  534. #endif
  535. int X509V3_extensions_print(BIO *out, const char *title,
  536. const STACK_OF(X509_EXTENSION) *exts,
  537. unsigned long flag, int indent);
  538. int X509_check_ca(X509 *x);
  539. int X509_check_purpose(X509 *x, int id, int ca);
  540. int X509_supported_extension(X509_EXTENSION *ex);
  541. int X509_PURPOSE_set(int *p, int purpose);
  542. int X509_check_issued(X509 *issuer, X509 *subject);
  543. int X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid);
  544. void X509_set_proxy_flag(X509 *x);
  545. void X509_set_proxy_pathlen(X509 *x, long l);
  546. long X509_get_proxy_pathlen(X509 *x);
  547. uint32_t X509_get_extension_flags(X509 *x);
  548. uint32_t X509_get_key_usage(X509 *x);
  549. uint32_t X509_get_extended_key_usage(X509 *x);
  550. const ASN1_OCTET_STRING *X509_get0_subject_key_id(X509 *x);
  551. const ASN1_OCTET_STRING *X509_get0_authority_key_id(X509 *x);
  552. const GENERAL_NAMES *X509_get0_authority_issuer(X509 *x);
  553. const ASN1_INTEGER *X509_get0_authority_serial(X509 *x);
  554. int X509_PURPOSE_get_count(void);
  555. X509_PURPOSE *X509_PURPOSE_get0(int idx);
  556. int X509_PURPOSE_get_by_sname(const char *sname);
  557. int X509_PURPOSE_get_by_id(int id);
  558. int X509_PURPOSE_add(int id, int trust, int flags,
  559. int (*ck) (const X509_PURPOSE *, const X509 *, int),
  560. const char *name, const char *sname, void *arg);
  561. char *X509_PURPOSE_get0_name(const X509_PURPOSE *xp);
  562. char *X509_PURPOSE_get0_sname(const X509_PURPOSE *xp);
  563. int X509_PURPOSE_get_trust(const X509_PURPOSE *xp);
  564. void X509_PURPOSE_cleanup(void);
  565. int X509_PURPOSE_get_id(const X509_PURPOSE *);
  566. STACK_OF(OPENSSL_STRING) *X509_get1_email(X509 *x);
  567. STACK_OF(OPENSSL_STRING) *X509_REQ_get1_email(X509_REQ *x);
  568. void X509_email_free(STACK_OF(OPENSSL_STRING) *sk);
  569. STACK_OF(OPENSSL_STRING) *X509_get1_ocsp(X509 *x);
  570. /* Flags for X509_check_* functions */
  571. /*
  572. * Always check subject name for host match even if subject alt names present
  573. */
  574. # define X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT 0x1
  575. /* Disable wildcard matching for dnsName fields and common name. */
  576. # define X509_CHECK_FLAG_NO_WILDCARDS 0x2
  577. /* Wildcards must not match a partial label. */
  578. # define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0x4
  579. /* Allow (non-partial) wildcards to match multiple labels. */
  580. # define X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS 0x8
  /* Constrain verifier subdomain patterns to match a single label. */
  582. # define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0x10
  583. /* Never check the subject CN */
  584. # define X509_CHECK_FLAG_NEVER_CHECK_SUBJECT 0x20
  585. /*
  586. * Match reference identifiers starting with "." to any sub-domain.
  587. * This is a non-public flag, turned on implicitly when the subject
  588. * reference identity is a DNS name.
  589. */
  590. # define _X509_CHECK_FLAG_DOT_SUBDOMAINS 0x8000
  591. int X509_check_host(X509 *x, const char *chk, size_t chklen,
  592. unsigned int flags, char **peername);
  593. int X509_check_email(X509 *x, const char *chk, size_t chklen,
  594. unsigned int flags);
  595. int X509_check_ip(X509 *x, const unsigned char *chk, size_t chklen,
  596. unsigned int flags);
  597. int X509_check_ip_asc(X509 *x, const char *ipasc, unsigned int flags);
  598. ASN1_OCTET_STRING *a2i_IPADDRESS(const char *ipasc);
  599. ASN1_OCTET_STRING *a2i_IPADDRESS_NC(const char *ipasc);
  600. int X509V3_NAME_from_section(X509_NAME *nm, STACK_OF(CONF_VALUE) *dn_sk,
  601. unsigned long chtype);
  602. void X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent);
  603. DEFINE_STACK_OF(X509_POLICY_NODE)
  604. #ifndef OPENSSL_NO_RFC3779
  /* Inclusive AS number range of an RFC 3779 ASIdOrRange. */
  typedef struct ASRange_st {
      ASN1_INTEGER *min, *max;
  } ASRange;
  608. # define ASIdOrRange_id 0
  609. # define ASIdOrRange_range 1
  /*
   * ASIdOrRange CHOICE.  'type' is ASIdOrRange_id or ASIdOrRange_range
   * (defined just above) and selects the live member of 'u'; check it
   * before dereferencing.
   */
  typedef struct ASIdOrRange_st {
      int type;
      union {
          ASN1_INTEGER *id;       /* ASIdOrRange_id */
          ASRange *range;         /* ASIdOrRange_range */
      } u;
  } ASIdOrRange;
  617. typedef STACK_OF(ASIdOrRange) ASIdOrRanges;
  618. DEFINE_STACK_OF(ASIdOrRange)
  619. # define ASIdentifierChoice_inherit 0
  620. # define ASIdentifierChoice_asIdsOrRanges 1
  /*
   * ASIdentifierChoice CHOICE.  'type' is ASIdentifierChoice_inherit or
   * ASIdentifierChoice_asIdsOrRanges (defined just above).  The inherit
   * form carries no data of its own; X509v3_asid_inherits() below reports
   * it, and X509v3_asid_validate_path() resolves it along the chain.
   */
  typedef struct ASIdentifierChoice_st {
      int type;
      union {
          ASN1_NULL *inherit;                 /* ASIdentifierChoice_inherit */
          ASIdOrRanges *asIdsOrRanges;        /* ASIdentifierChoice_asIdsOrRanges */
      } u;
  } ASIdentifierChoice;
  /*
   * RFC 3779 ASIdentifiers extension.  Both members may be NULL; the
   * X509v3_asid_* helpers below take V3_ASID_ASNUM / V3_ASID_RDI as the
   * 'which' selector to address one of them.
   */
  typedef struct ASIdentifiers_st {
      ASIdentifierChoice *asnum, *rdi;
  } ASIdentifiers;
  631. DECLARE_ASN1_FUNCTIONS(ASRange)
  632. DECLARE_ASN1_FUNCTIONS(ASIdOrRange)
  633. DECLARE_ASN1_FUNCTIONS(ASIdentifierChoice)
  634. DECLARE_ASN1_FUNCTIONS(ASIdentifiers)
  /*
   * RFC 3779 IPAddressRange: min/max are the compressed BIT STRING
   * encodings, not plain address bytes; use X509v3_addr_get_range() below
   * to expand them to fixed-length addresses.
   */
  typedef struct IPAddressRange_st {
      ASN1_BIT_STRING *min, *max;
  } IPAddressRange;
  638. # define IPAddressOrRange_addressPrefix 0
  639. # define IPAddressOrRange_addressRange 1
  /*
   * IPAddressOrRange CHOICE.  'type' is IPAddressOrRange_addressPrefix or
   * IPAddressOrRange_addressRange (defined just above) and selects the
   * live member of 'u'; check it before dereferencing.
   */
  typedef struct IPAddressOrRange_st {
      int type;
      union {
          ASN1_BIT_STRING *addressPrefix;     /* prefix as a BIT STRING */
          IPAddressRange *addressRange;
      } u;
  } IPAddressOrRange;
  647. typedef STACK_OF(IPAddressOrRange) IPAddressOrRanges;
  648. DEFINE_STACK_OF(IPAddressOrRange)
  649. # define IPAddressChoice_inherit 0
  650. # define IPAddressChoice_addressesOrRanges 1
  /*
   * IPAddressChoice CHOICE.  'type' is IPAddressChoice_inherit or
   * IPAddressChoice_addressesOrRanges (defined just above).  The inherit
   * form is reported by X509v3_addr_inherits() and resolved along the
   * chain by X509v3_addr_validate_path() below.
   */
  typedef struct IPAddressChoice_st {
      int type;
      union {
          ASN1_NULL *inherit;                         /* IPAddressChoice_inherit */
          IPAddressOrRanges *addressesOrRanges;       /* IPAddressChoice_addressesOrRanges */
      } u;
  } IPAddressChoice;
  /*
   * One IPAddressFamily entry of the RFC 3779 IP address block extension.
   * 'addressFamily' encodes the IANA AFI (IANA_AFI_IPV4/IPV6 below) and
   * optionally a SAFI; use X509v3_addr_get_afi() to extract the AFI rather
   * than reading the octets directly.
   */
  typedef struct IPAddressFamily_st {
      ASN1_OCTET_STRING *addressFamily;
      IPAddressChoice *ipAddressChoice;
  } IPAddressFamily;
  662. typedef STACK_OF(IPAddressFamily) IPAddrBlocks;
  663. DEFINE_STACK_OF(IPAddressFamily)
  664. DECLARE_ASN1_FUNCTIONS(IPAddressRange)
  665. DECLARE_ASN1_FUNCTIONS(IPAddressOrRange)
  666. DECLARE_ASN1_FUNCTIONS(IPAddressChoice)
  667. DECLARE_ASN1_FUNCTIONS(IPAddressFamily)
  668. /*
  * API tag for elements of the ASIdentifiers SEQUENCE.
  670. */
  671. # define V3_ASID_ASNUM 0
  672. # define V3_ASID_RDI 1
  673. /*
  674. * AFI values, assigned by IANA. It'd be nice to make the AFI
  675. * handling code totally generic, but there are too many little things
  676. * that would need to be defined for other address families for it to
  677. * be worth the trouble.
  678. */
  679. # define IANA_AFI_IPV4 1
  680. # define IANA_AFI_IPV6 2
  681. /*
  682. * Utilities to construct and extract values from RFC3779 extensions,
  683. * since some of the encodings (particularly for IP address prefixes
  684. * and ranges) are a bit tedious to work with directly.
  685. */
  686. int X509v3_asid_add_inherit(ASIdentifiers *asid, int which);
  687. int X509v3_asid_add_id_or_range(ASIdentifiers *asid, int which,
  688. ASN1_INTEGER *min, ASN1_INTEGER *max);
  689. int X509v3_addr_add_inherit(IPAddrBlocks *addr,
  690. const unsigned afi, const unsigned *safi);
  691. int X509v3_addr_add_prefix(IPAddrBlocks *addr,
  692. const unsigned afi, const unsigned *safi,
  693. unsigned char *a, const int prefixlen);
  694. int X509v3_addr_add_range(IPAddrBlocks *addr,
  695. const unsigned afi, const unsigned *safi,
  696. unsigned char *min, unsigned char *max);
  697. unsigned X509v3_addr_get_afi(const IPAddressFamily *f);
  698. int X509v3_addr_get_range(IPAddressOrRange *aor, const unsigned afi,
  699. unsigned char *min, unsigned char *max,
  700. const int length);
  701. /*
  702. * Canonical forms.
  703. */
  704. int X509v3_asid_is_canonical(ASIdentifiers *asid);
  705. int X509v3_addr_is_canonical(IPAddrBlocks *addr);
  706. int X509v3_asid_canonize(ASIdentifiers *asid);
  707. int X509v3_addr_canonize(IPAddrBlocks *addr);
  708. /*
  709. * Tests for inheritance and containment.
  710. */
  711. int X509v3_asid_inherits(ASIdentifiers *asid);
  712. int X509v3_addr_inherits(IPAddrBlocks *addr);
  713. int X509v3_asid_subset(ASIdentifiers *a, ASIdentifiers *b);
  714. int X509v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b);
  715. /*
  716. * Check whether RFC 3779 extensions nest properly in chains.
  717. */
  718. int X509v3_asid_validate_path(X509_STORE_CTX *);
  719. int X509v3_addr_validate_path(X509_STORE_CTX *);
  720. int X509v3_asid_validate_resource_set(STACK_OF(X509) *chain,
  721. ASIdentifiers *ext,
  722. int allow_inheritance);
  723. int X509v3_addr_validate_resource_set(STACK_OF(X509) *chain,
  724. IPAddrBlocks *ext, int allow_inheritance);
  725. #endif /* OPENSSL_NO_RFC3779 */
  726. DEFINE_STACK_OF(ASN1_STRING)
  727. /*
  728. * Admission Syntax
  729. */
  730. typedef struct NamingAuthority_st NAMING_AUTHORITY;
  731. typedef struct ProfessionInfo_st PROFESSION_INFO;
  732. typedef struct Admissions_st ADMISSIONS;
  733. typedef struct AdmissionSyntax_st ADMISSION_SYNTAX;
  734. DECLARE_ASN1_FUNCTIONS(NAMING_AUTHORITY)
  735. DECLARE_ASN1_FUNCTIONS(PROFESSION_INFO)
  736. DECLARE_ASN1_FUNCTIONS(ADMISSIONS)
  737. DECLARE_ASN1_FUNCTIONS(ADMISSION_SYNTAX)
  738. DEFINE_STACK_OF(ADMISSIONS)
  739. DEFINE_STACK_OF(PROFESSION_INFO)
  740. typedef STACK_OF(PROFESSION_INFO) PROFESSION_INFOS;
  741. const ASN1_OBJECT *NAMING_AUTHORITY_get0_authorityId(
  742. const NAMING_AUTHORITY *n);
  743. const ASN1_IA5STRING *NAMING_AUTHORITY_get0_authorityURL(
  744. const NAMING_AUTHORITY *n);
  745. const ASN1_STRING *NAMING_AUTHORITY_get0_authorityText(
  746. const NAMING_AUTHORITY *n);
  747. void NAMING_AUTHORITY_set0_authorityId(NAMING_AUTHORITY *n,
  748. ASN1_OBJECT* namingAuthorityId);
  749. void NAMING_AUTHORITY_set0_authorityURL(NAMING_AUTHORITY *n,
  750. ASN1_IA5STRING* namingAuthorityUrl);
  751. void NAMING_AUTHORITY_set0_authorityText(NAMING_AUTHORITY *n,
  752. ASN1_STRING* namingAuthorityText);
  753. const GENERAL_NAME *ADMISSION_SYNTAX_get0_admissionAuthority(
  754. const ADMISSION_SYNTAX *as);
  755. void ADMISSION_SYNTAX_set0_admissionAuthority(
  756. ADMISSION_SYNTAX *as, GENERAL_NAME *aa);
  757. const STACK_OF(ADMISSIONS) *ADMISSION_SYNTAX_get0_contentsOfAdmissions(
  758. const ADMISSION_SYNTAX *as);
  759. void ADMISSION_SYNTAX_set0_contentsOfAdmissions(
  760. ADMISSION_SYNTAX *as, STACK_OF(ADMISSIONS) *a);
  761. const GENERAL_NAME *ADMISSIONS_get0_admissionAuthority(const ADMISSIONS *a);
  762. void ADMISSIONS_set0_admissionAuthority(ADMISSIONS *a, GENERAL_NAME *aa);
  763. const NAMING_AUTHORITY *ADMISSIONS_get0_namingAuthority(const ADMISSIONS *a);
  764. void ADMISSIONS_set0_namingAuthority(ADMISSIONS *a, NAMING_AUTHORITY *na);
  765. const PROFESSION_INFOS *ADMISSIONS_get0_professionInfos(const ADMISSIONS *a);
  766. void ADMISSIONS_set0_professionInfos(ADMISSIONS *a, PROFESSION_INFOS *pi);
  767. const ASN1_OCTET_STRING *PROFESSION_INFO_get0_addProfessionInfo(
  768. const PROFESSION_INFO *pi);
  769. void PROFESSION_INFO_set0_addProfessionInfo(
  770. PROFESSION_INFO *pi, ASN1_OCTET_STRING *aos);
  771. const NAMING_AUTHORITY *PROFESSION_INFO_get0_namingAuthority(
  772. const PROFESSION_INFO *pi);
  773. void PROFESSION_INFO_set0_namingAuthority(
  774. PROFESSION_INFO *pi, NAMING_AUTHORITY *na);
  775. const STACK_OF(ASN1_STRING) *PROFESSION_INFO_get0_professionItems(
  776. const PROFESSION_INFO *pi);
  777. void PROFESSION_INFO_set0_professionItems(
  778. PROFESSION_INFO *pi, STACK_OF(ASN1_STRING) *as);
  779. const STACK_OF(ASN1_OBJECT) *PROFESSION_INFO_get0_professionOIDs(
  780. const PROFESSION_INFO *pi);
  781. void PROFESSION_INFO_set0_professionOIDs(
  782. PROFESSION_INFO *pi, STACK_OF(ASN1_OBJECT) *po);
  783. const ASN1_PRINTABLESTRING *PROFESSION_INFO_get0_registrationNumber(
  784. const PROFESSION_INFO *pi);
  785. void PROFESSION_INFO_set0_registrationNumber(
  786. PROFESSION_INFO *pi, ASN1_PRINTABLESTRING *rn);
  787. # ifdef __cplusplus
  788. }
  789. # endif
  790. #endif