129 lines
5 KiB
C
129 lines
5 KiB
C
|
/* $OpenBSD: x509_internal.h,v 1.3 2020/09/15 11:55:14 beck Exp $ */
|
||
|
/*
|
||
|
* Copyright (c) 2020 Bob Beck <beck@openbsd.org>
|
||
|
*
|
||
|
* Permission to use, copy, modify, and distribute this software for any
|
||
|
* purpose with or without fee is hereby granted, provided that the above
|
||
|
* copyright notice and this permission notice appear in all copies.
|
||
|
*
|
||
|
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
||
|
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
||
|
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
||
|
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
||
|
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
||
|
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
||
|
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||
|
*/
|
||
|
#ifndef HEADER_X509_INTERNAL_H
|
||
|
#define HEADER_X509_INTERNAL_H
|
||
|
|
||
|
/* Internal use only, not public API */
|
||
|
#include <netinet/in.h>
|
||
|
|
||
|
#include <openssl/x509_verify.h>
|
||
|
|
||
|
/* Hard limits on structure size and number of signature checks. */
|
||
|
#define X509_VERIFY_MAX_CHAINS 8 /* Max validated chains */
|
||
|
#define X509_VERIFY_MAX_CHAIN_CERTS 32 /* Max depth of a chain */
|
||
|
#define X509_VERIFY_MAX_SIGCHECKS 256 /* Max signature checks */
|
||
|
|
||
|
/*
|
||
|
* Limit the number of names and constraints we will check in a chain
|
||
|
* to avoid a hostile input DOS
|
||
|
*/
|
||
|
#define X509_VERIFY_MAX_CHAIN_NAMES 512
|
||
|
#define X509_VERIFY_MAX_CHAIN_CONSTRAINTS 512
|
||
|
|
||
|
/*
|
||
|
* Hold the parsed and validated result of names from a certificate.
|
||
|
* these typically come from a GENERALNAME, but we store the parsed
|
||
|
* and validated results, not the ASN1 bytes.
|
||
|
*/
|
||
|
struct x509_constraints_name {
|
||
|
int type; /* GEN_* types from GENERAL_NAME */
|
||
|
char *name; /* Name to check */
|
||
|
char *local; /* holds the local part of GEN_EMAIL */
|
||
|
uint8_t *der; /* DER encoded value or NULL*/
|
||
|
size_t der_len;
|
||
|
int af; /* INET and INET6 are supported */
|
||
|
uint8_t address[32]; /* Must hold ipv6 + mask */
|
||
|
};
|
||
|
|
||
|
struct x509_constraints_names {
|
||
|
struct x509_constraints_name **names;
|
||
|
size_t names_len;
|
||
|
size_t names_count;
|
||
|
};
|
||
|
|
||
|
struct x509_verify_chain {
|
||
|
STACK_OF(X509) *certs; /* Kept in chain order, includes leaf */
|
||
|
struct x509_constraints_names *names; /* All names from all certs */
|
||
|
};
|
||
|
|
||
|
struct x509_verify_ctx {
|
||
|
X509_STORE_CTX *xsc;
|
||
|
struct x509_verify_chain **chains; /* Validated chains */
|
||
|
size_t chains_count;
|
||
|
STACK_OF(X509) *roots; /* Trusted roots for this validation */
|
||
|
STACK_OF(X509) *intermediates; /* Intermediates provided by peer */
|
||
|
time_t *check_time; /* Time for validity checks */
|
||
|
int purpose; /* Cert purpose we are validating */
|
||
|
size_t max_chains; /* Max chains to return */
|
||
|
size_t max_depth; /* Max chain depth for validation */
|
||
|
size_t max_sigs; /* Max number of signature checks */
|
||
|
size_t sig_checks; /* Number of signature checks done */
|
||
|
size_t error_depth; /* Depth of last error seen */
|
||
|
int error; /* Last error seen */
|
||
|
};
|
||
|
|
||
|
int ASN1_time_tm_clamp_notafter(struct tm *tm);
|
||
|
|
||
|
__BEGIN_HIDDEN_DECLS
|
||
|
|
||
|
int x509_vfy_check_id(X509_STORE_CTX *ctx);
|
||
|
int x509_vfy_check_revocation(X509_STORE_CTX *ctx);
|
||
|
int x509_vfy_check_policy(X509_STORE_CTX *ctx);
|
||
|
int x509_vfy_check_trust(X509_STORE_CTX *ctx);
|
||
|
int x509_vfy_check_chain_extensions(X509_STORE_CTX *ctx);
|
||
|
void x509v3_cache_extensions(X509 *x);
|
||
|
|
||
|
int x509_verify_asn1_time_to_tm(const ASN1_TIME *atime, struct tm *tm,
|
||
|
int notafter);
|
||
|
|
||
|
struct x509_verify_ctx *x509_verify_ctx_new_from_xsc(X509_STORE_CTX *xsc,
|
||
|
STACK_OF(X509) *roots);
|
||
|
|
||
|
void x509_constraints_name_clear(struct x509_constraints_name *name);
|
||
|
int x509_constraints_names_add(struct x509_constraints_names *names,
|
||
|
struct x509_constraints_name *name);
|
||
|
struct x509_constraints_names *x509_constraints_names_dup(
|
||
|
struct x509_constraints_names *names);
|
||
|
void x509_constraints_names_clear(struct x509_constraints_names *names);
|
||
|
struct x509_constraints_names *x509_constraints_names_new(void);
|
||
|
void x509_constraints_names_free(struct x509_constraints_names *names);
|
||
|
int x509_constraints_valid_host(uint8_t *name, size_t len);
|
||
|
int x509_constraints_valid_sandns(uint8_t *name, size_t len);
|
||
|
int x509_constraints_domain(char *domain, size_t dlen, char *constraint,
|
||
|
size_t len);
|
||
|
int x509_constraints_parse_mailbox(uint8_t *candidate, size_t len,
|
||
|
struct x509_constraints_name *name);
|
||
|
int x509_constraints_valid_domain_constraint(uint8_t *constraint,
|
||
|
size_t len);
|
||
|
int x509_constraints_uri_host(uint8_t *uri, size_t len, char **hostp);
|
||
|
int x509_constraints_uri(uint8_t *uri, size_t ulen, uint8_t *constraint,
|
||
|
size_t len, int *error);
|
||
|
int x509_constraints_extract_names(struct x509_constraints_names *names,
|
||
|
X509 *cert, int include_cn, int *error);
|
||
|
int x509_constraints_extract_constraints(X509 *cert,
|
||
|
struct x509_constraints_names *permitted,
|
||
|
struct x509_constraints_names *excluded, int *error);
|
||
|
int x509_constraints_check(struct x509_constraints_names *names,
|
||
|
struct x509_constraints_names *permitted,
|
||
|
struct x509_constraints_names *excluded, int *error);
|
||
|
int x509_constraints_chain(STACK_OF(X509) *chain, int *error,
|
||
|
int *depth);
|
||
|
|
||
|
__END_HIDDEN_DECLS
|
||
|
|
||
|
#endif
|