Diffstat (limited to 'src/include/openssl/x509.h')
-rw-r--r-- | src/include/openssl/x509.h | 126 |
1 files changed, 76 insertions, 50 deletions
diff --git a/src/include/openssl/x509.h b/src/include/openssl/x509.h
index 30ad4d26..dafa6773 100644
--- a/src/include/openssl/x509.h
+++ b/src/include/openssl/x509.h
@@ -110,19 +110,28 @@ extern "C" {
 #define X509v3_KU_DECIPHER_ONLY 0x8000
 #define X509v3_KU_UNDEF 0xffff
 
-struct X509_algor_st {
- ASN1_OBJECT *algorithm;
- ASN1_TYPE *parameter;
-} /* X509_ALGOR */;
-
-DECLARE_ASN1_FUNCTIONS(X509_ALGOR)
-
 DEFINE_STACK_OF(X509_ALGOR)
 
 typedef STACK_OF(X509_ALGOR) X509_ALGORS;
 
+struct X509_name_entry_st {
+ ASN1_OBJECT *object;
+ ASN1_STRING *value;
+ int set;
+} /* X509_NAME_ENTRY */;
+
 DEFINE_STACK_OF(X509_NAME_ENTRY)
 
+// we always keep X509_NAMEs in 2 forms.
+struct X509_name_st {
+ STACK_OF(X509_NAME_ENTRY) *entries;
+ int modified; // true if 'bytes' needs to be built
+ BUF_MEM *bytes;
+ // unsigned long hash; Keep the hash around for lookups
+ unsigned char *canon_enc;
+ int canon_enclen;
+} /* X509_NAME */;
+
 DEFINE_STACK_OF(X509_NAME)
 
 typedef STACK_OF(X509_EXTENSION) X509_EXTENSIONS;
@@ -131,6 +140,20 @@ DEFINE_STACK_OF(X509_EXTENSION)
 
 DEFINE_STACK_OF(X509_ATTRIBUTE)
 
+struct x509_cinf_st {
+ ASN1_INTEGER *version; // [ 0 ] default of v1
+ ASN1_INTEGER *serialNumber;
+ X509_ALGOR *signature;
+ X509_NAME *issuer;
+ X509_VAL *validity;
+ X509_NAME *subject;
+ X509_PUBKEY *key;
+ ASN1_BIT_STRING *issuerUID; // [ 1 ] optional in v2
+ ASN1_BIT_STRING *subjectUID; // [ 2 ] optional in v2
+ STACK_OF(X509_EXTENSION) *extensions; // [ 3 ] optional in v3
+ ASN1_ENCODING enc;
+} /* X509_CINF */;
+
 // This stuff is certificate "auxiliary info"
 // it contains details which are useful in certificate
 // stores and databases. When used this is tagged onto
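Review bot: The new `struct X509_name_st` exposes cache fields (`modified`, `bytes`, `canon_enc`, `canon_enclen`) next to `entries` without saying how they relate, and the only hint is the bare `// we always keep X509_NAMEs in 2 forms.` line above it. If, as the `modified` comment suggests, `bytes` (and presumably `canon_enc`) are rebuilt from `entries` only when `modified` is set, a caller that edits `entries` directly through this now-public struct leaves the cached encodings stale, so name comparison and hashing would run on old bytes; please state that contract, e.g. `// |bytes| and |canon_enc| are derived from |entries|; code that changes |entries| must set |modified| so they are rebuilt, and should prefer the X509_NAME_* functions.` The commented-out `// unsigned long hash; Keep the hash around for lookups` is dead code and should be dropped rather than carried into a public header. Note also that this hunk removes `DECLARE_ASN1_FUNCTIONS(X509_ALGOR)` while `DEFINE_STACK_OF(X509_ALGOR)` stays; unless those declarations moved to a header not shown here, `X509_ALGOR_new`/`d2i_X509_ALGOR`/`X509_ALGOR_free` drop out of the public API.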
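Review bot: `struct x509_cinf_st` is now public but its `ASN1_ENCODING enc` member carries no comment, and if it is the cached DER of the TBSCertificate as the type name suggests, then code that writes `serialNumber`, `extensions` or any other field through this struct and then re-encodes the certificate will emit the stale cached bytes rather than the modified fields, which is how a verifier ends up checking a signature over something other than what the fields say. Please document it on the field, e.g. `// enc caches the original DER encoding of this structure; direct writes to the fields above do not invalidate it, so mutate through the X509 setter functions or re-encode explicitly.` Whether `enc` really is that cache, and which setters invalidate it, should be confirmed against the ASN1_ENCODING handling in the implementation, which is not visible here.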
@@ -139,6 +162,31 @@ DEFINE_STACK_OF(X509_ATTRIBUTE)
 DECLARE_STACK_OF(DIST_POINT)
 DECLARE_STACK_OF(GENERAL_NAME)
 
+struct x509_st {
+ X509_CINF *cert_info;
+ X509_ALGOR *sig_alg;
+ ASN1_BIT_STRING *signature;
+ CRYPTO_refcount_t references;
+ CRYPTO_EX_DATA ex_data;
+ // These contain copies of various extension values
+ long ex_pathlen;
+ long ex_pcpathlen;
+ unsigned long ex_flags;
+ unsigned long ex_kusage;
+ unsigned long ex_xkusage;
+ unsigned long ex_nscert;
+ ASN1_OCTET_STRING *skid;
+ AUTHORITY_KEYID *akid;
+ X509_POLICY_CACHE *policy_cache;
+ STACK_OF(DIST_POINT) *crldp;
+ STACK_OF(GENERAL_NAME) *altname;
+ NAME_CONSTRAINTS *nc;
+ unsigned char sha1_hash[SHA_DIGEST_LENGTH];
+ X509_CERT_AUX *aux;
+ CRYPTO_BUFFER *buf;
+ CRYPTO_MUTEX lock;
+} /* X509 */;
+
 DEFINE_STACK_OF(X509)
 
 // This is used for a table of trust checking functions
@@ -206,7 +254,7 @@ DEFINE_STACK_OF(X509_TRUST)
 #define XN_FLAG_SEP_MASK (0xf << 16)
 #define XN_FLAG_COMPAT 0 // Traditional SSLeay: use old X509_NAME_print
-#define XN_FLAG_SEP_COMMA_PLUS (1 << 16) // RFC 2253 ,+
+#define XN_FLAG_SEP_COMMA_PLUS (1 << 16) // RFC2253 ,+
 #define XN_FLAG_SEP_CPLUS_SPC (2 << 16) // ,+ spaced: more readable
 #define XN_FLAG_SEP_SPLUS_SPC (3 << 16) // ;+ spaced
 #define XN_FLAG_SEP_MULTILINE (4 << 16) // One line per field
@@ -225,13 +273,13 @@ DEFINE_STACK_OF(X509_TRUST)
 #define XN_FLAG_SPC_EQ (1 << 23) // Put spaces round '='
 
 // This determines if we dump fields we don't recognise:
-// RFC 2253 requires this.
+// RFC2253 requires this.
 #define XN_FLAG_DUMP_UNKNOWN_FIELDS (1 << 24)
 
 #define XN_FLAG_FN_ALIGN (1 << 25) // Align field names to 20 characters
 
-// Complete set of RFC 2253 flags
+// Complete set of RFC2253 flags
 #define XN_FLAG_RFC2253 \
  (ASN1_STRFLGS_RFC2253 | XN_FLAG_SEP_COMMA_PLUS | XN_FLAG_DN_REV | \
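Review bot: The now-public `struct x509_st` exposes `references` and `lock` alongside the `ex_*` cache fields, with only `// These contain copies of various extension values` to explain the latter and nothing on when they are valid. A caller reading `ex_kusage`, `ex_flags` or `ex_pathlen` straight from the struct gets whatever the cache holds at that moment, which for a freshly decoded certificate is presumably unset until the extension cache has been computed (the `X509_get_pathlen` comment elsewhere in this diff says decoding does not check extensions), so a direct read could pass a key-usage or path-length check that the accessor would fail. I would put above the block: `// Cached extension values; do not read these directly, use the X509_get_* accessors, which populate and validate the cache. |references| and |lock| are internal; use X509_up_ref/X509_free.` Whether the accessors populate the cache is inferred from their names and should be confirmed against the implementation.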
@@ -408,7 +456,7 @@ OPENSSL_EXPORT void X509_get0_uids(const X509 *x509,
 #define X509_extract_key(x) X509_get_pubkey(x)
 
 // X509_get_pathlen returns path length constraint from the basic constraints
-// extension in |x509|. (See RFC 5280, section 4.2.1.9.) It returns -1 if the
+// extension in |x509|. (See RFC5280, section 4.2.1.9.) It returns -1 if the
 // constraint is not present, or if some extension in |x509| was invalid.
 //
 // Note that decoding an |X509| object will not check for invalid extensions. To
@@ -676,6 +724,7 @@ OPENSSL_EXPORT int X509_NAME_digest(const X509_NAME *name, const EVP_MD *md,
 // copying parts of it as a normal |d2i_X509| call would do.
 OPENSSL_EXPORT X509 *X509_parse_from_buffer(CRYPTO_BUFFER *buf);
 
+#ifndef OPENSSL_NO_FP_API
 OPENSSL_EXPORT X509 *d2i_X509_fp(FILE *fp, X509 **x509);
 OPENSSL_EXPORT int i2d_X509_fp(FILE *fp, X509 *x509);
 OPENSSL_EXPORT X509_CRL *d2i_X509_CRL_fp(FILE *fp, X509_CRL **crl);
@@ -709,6 +758,7 @@ OPENSSL_EXPORT int i2d_PrivateKey_fp(FILE *fp, EVP_PKEY *pkey);
 OPENSSL_EXPORT EVP_PKEY *d2i_PrivateKey_fp(FILE *fp, EVP_PKEY **a);
 OPENSSL_EXPORT int i2d_PUBKEY_fp(FILE *fp, EVP_PKEY *pkey);
 OPENSSL_EXPORT EVP_PKEY *d2i_PUBKEY_fp(FILE *fp, EVP_PKEY **a);
+#endif
 
 OPENSSL_EXPORT X509 *d2i_X509_bio(BIO *bp, X509 **x509);
 OPENSSL_EXPORT int i2d_X509_bio(BIO *bp, X509 *x509);
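Review bot: The `#ifndef OPENSSL_NO_FP_API` opened in the `@@ -676,6 +724,7 @@` hunk is only closed by the `#endif` in the `@@ -709,6 +758,7 @@` hunk, so every declaration in between, not just the `*_fp` prototypes visible here, becomes conditional, and neither hunk lets a reader see the full extent of the guarded span. A one-line comment on the guard, e.g. `// FILE*-based variants; omitted when built with OPENSSL_NO_FP_API.`, and a matching `#endif  // OPENSSL_NO_FP_API` would make the region auditable without scrolling. Anything in the hidden range that is not stdio-based would be silently dropped under that define, which I cannot rule out from these hunks.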
@@ -810,30 +860,12 @@ OPENSSL_EXPORT int X509_NAME_ENTRY_set(const X509_NAME_ENTRY *ne);
 OPENSSL_EXPORT int X509_NAME_get0_der(X509_NAME *nm, const unsigned char **pder,
  size_t *pderlen);
 
-// X509_cmp_time compares |s| against |*t|. On success, it returns a negative
-// number if |s| <= |*t| and a positive number if |s| > |*t|. On error, it
-// returns zero. If |t| is NULL, it uses the current time instead of |*t|.
-//
-// WARNING: Unlike most comparison functions, this function returns zero on
-// error, not equality.
 OPENSSL_EXPORT int X509_cmp_time(const ASN1_TIME *s, time_t *t);
-
-// X509_cmp_current_time behaves like |X509_cmp_time| but compares |s| against
-// the current time.
 OPENSSL_EXPORT int X509_cmp_current_time(const ASN1_TIME *s);
-
-// X509_time_adj calls |X509_time_adj_ex| with |offset_day| equal to zero.
-OPENSSL_EXPORT ASN1_TIME *X509_time_adj(ASN1_TIME *s, long offset_sec,
- time_t *t);
-
-// X509_time_adj_ex behaves like |ASN1_TIME_adj|, but adds an offset to |*t|. If
-// |t| is NULL, it uses the current time instead of |*t|.
+OPENSSL_EXPORT ASN1_TIME *X509_time_adj(ASN1_TIME *s, long adj, time_t *t);
 OPENSSL_EXPORT ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s, int offset_day,
  long offset_sec, time_t *t);
-
-// X509_gmtime_adj behaves like |X509_time_adj_ex| but adds |offset_sec| to the
-// current time.
-OPENSSL_EXPORT ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long offset_sec);
+OPENSSL_EXPORT ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj);
 
 OPENSSL_EXPORT const char *X509_get_default_cert_area(void);
 OPENSSL_EXPORT const char *X509_get_default_cert_dir(void);
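Review bot: `X509_cmp_time` and `X509_cmp_current_time` are left with no comment at all on the new side, and the text this hunk removes stated that they return zero on error rather than on equality; if that contract still holds, the usual caller pattern `if (X509_cmp_time(notAfter, NULL) <= 0) /* expired */` would treat an unparseable time as still valid, so at least the warning should survive: `// X509_cmp_time returns <0 if |s| <= |*t|, >0 if |s| > |*t|, and 0 on error (never equality); callers must treat 0 as failure.` The renamed parameter `adj` on `X509_time_adj` and `X509_gmtime_adj` also hides the unit that `offset_sec` made explicit; if the value is still seconds, `long offset_sec` is the better name, and the relation to `X509_time_adj_ex` (offset_day of zero) now has to be guessed from the signatures.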
@@ -850,15 +882,7 @@ DECLARE_ASN1_FUNCTIONS(X509_VAL)
 
 DECLARE_ASN1_FUNCTIONS(X509_PUBKEY)
 
-// X509_PUBKEY_set serializes |pkey| into a newly-allocated |X509_PUBKEY|
-// structure. On success, it frees |*x|, sets |*x| to the new object, and
-// returns one. Otherwise, it returns zero.
 OPENSSL_EXPORT int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey);
-
-// X509_PUBKEY_get decodes the public key in |key| and returns an |EVP_PKEY| on
-// success, or NULL on error. The caller must release the result with
-// |EVP_PKEY_free| when done. The |EVP_PKEY| is cached in |key|, so callers must
-// not mutate the result.
 OPENSSL_EXPORT EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *key);
 
 DECLARE_ASN1_FUNCTIONS(X509_SIG)
@@ -880,10 +904,10 @@ DECLARE_ASN1_FUNCTIONS(X509_NAME_ENTRY)
 
 DECLARE_ASN1_FUNCTIONS(X509_NAME)
 
-// X509_NAME_set makes a copy of |name|. On success, it frees |*xn|, sets |*xn|
-// to the copy, and returns one. Otherwise, it returns zero.
 OPENSSL_EXPORT int X509_NAME_set(X509_NAME **xn, X509_NAME *name);
 
+DECLARE_ASN1_FUNCTIONS(X509_CINF)
+
 DECLARE_ASN1_FUNCTIONS(X509)
 
 DECLARE_ASN1_FUNCTIONS(X509_CERT_AUX)
@@ -1087,7 +1111,7 @@ OPENSSL_EXPORT void X509_REQ_get0_signature(const X509_REQ *req,
 // a known NID.
 OPENSSL_EXPORT int X509_REQ_get_signature_nid(const X509_REQ *req);
 
-// i2d_re_X509_REQ_tbs serializes the CertificationRequestInfo (see RFC 2986)
+// i2d_re_X509_REQ_tbs serializes the CertificationRequestInfo (see RFC2986)
 // portion of |req|. If |outp| is NULL, nothing is written. Otherwise, if
 // |*outp| is not NULL, the result is written to |*outp|, which must have enough
 // space available, and |*outp| is advanced just past the output. If |outp| is
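Review bot: `X509_PUBKEY_get` loses the statement that the returned `EVP_PKEY` is cached in `key`, must be released with `EVP_PKEY_free`, and must not be mutated; without it, a caller who modifies the returned key changes what every later `X509_PUBKEY_get` on the same object hands out, which is the kind of aliasing that turns into a verification bug. If that caching is still the behaviour (the removed text is the only evidence in this hunk), keep a one-liner: `// X509_PUBKEY_get returns the |EVP_PKEY| cached in |key|; release it with EVP_PKEY_free and do not mutate it.` `X509_PUBKEY_set` likewise no longer says that it frees `*x` on success, which a caller needs to know to avoid a double free on that pointer.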
@@ -1114,7 +1138,7 @@ OPENSSL_EXPORT EVP_PKEY *X509_REQ_get_pubkey(X509_REQ *req);
 
 // X509_REQ_extension_nid returns one if |nid| is a supported CSR attribute type
 // for carrying extensions and zero otherwise. The supported types are
-// |NID_ext_req| (pkcs-9-at-extensionRequest from RFC 2985) and |NID_ms_ext_req|
+// |NID_ext_req| (pkcs-9-at-extensionRequest from RFC2985) and |NID_ms_ext_req|
 // (a Microsoft szOID_CERT_EXTENSIONS variant).
 OPENSSL_EXPORT int X509_REQ_extension_nid(int nid);
 
@@ -1122,7 +1146,7 @@ OPENSSL_EXPORT int X509_REQ_extension_nid(int nid);
 // returns a newly-allocated |STACK_OF(X509_EXTENSION)| containing the result.
 // It returns NULL on error, or if |req| did not request extensions.
 //
-// This function supports both pkcs-9-at-extensionRequest from RFC 2985 and the
+// This function supports both pkcs-9-at-extensionRequest from RFC2985 and the
 // Microsoft szOID_CERT_EXTENSIONS variant.
 OPENSSL_EXPORT STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req);
 
@@ -1342,6 +1366,7 @@ OPENSSL_EXPORT unsigned long X509_NAME_hash_old(X509_NAME *x);
 OPENSSL_EXPORT int X509_CRL_cmp(const X509_CRL *a, const X509_CRL *b);
 OPENSSL_EXPORT int X509_CRL_match(const X509_CRL *a, const X509_CRL *b);
 
+#ifndef OPENSSL_NO_FP_API
 OPENSSL_EXPORT int X509_print_ex_fp(FILE *bp, X509 *x, unsigned long nmflag,
  unsigned long cflag);
 OPENSSL_EXPORT int X509_print_fp(FILE *bp, X509 *x);
@@ -1349,6 +1374,7 @@ OPENSSL_EXPORT int X509_CRL_print_fp(FILE *bp, X509_CRL *x);
 OPENSSL_EXPORT int X509_REQ_print_fp(FILE *bp, X509_REQ *req);
 OPENSSL_EXPORT int X509_NAME_print_ex_fp(FILE *fp, const X509_NAME *nm,
  int indent, unsigned long flags);
+#endif
 OPENSSL_EXPORT int X509_NAME_print(BIO *bp, const X509_NAME *name, int obase);
 OPENSSL_EXPORT int X509_NAME_print_ex(BIO *out, const X509_NAME *nm, int indent,
@@ -1887,16 +1913,12 @@ OPENSSL_EXPORT char *X509_TRUST_get0_name(const X509_TRUST *xp);
 
 OPENSSL_EXPORT int X509_TRUST_get_trust(const X509_TRUST *xp);
 
-struct rsa_pss_params_st {
+typedef struct rsa_pss_params_st {
  X509_ALGOR *hashAlgorithm;
  X509_ALGOR *maskGenAlgorithm;
  ASN1_INTEGER *saltLength;
  ASN1_INTEGER *trailerField;
- // OpenSSL caches the MGF hash on |RSA_PSS_PARAMS| in some cases. None of the
- // cases apply to BoringSSL, so this is always NULL, but Node expects the
- // field to be present.
- X509_ALGOR *maskHash;
-} /* RSA_PSS_PARAMS */;
+} RSA_PSS_PARAMS;
 
 DECLARE_ASN1_FUNCTIONS(RSA_PSS_PARAMS)
 
@@ -1936,6 +1958,10 @@ BORINGSSL_MAKE_UP_REF(X509_STORE, X509_STORE_up_ref)
 BORINGSSL_MAKE_DELETER(X509_STORE_CTX, X509_STORE_CTX_free)
 BORINGSSL_MAKE_DELETER(X509_VERIFY_PARAM, X509_VERIFY_PARAM_free)
 
+using ScopedX509_STORE_CTX =
+ internal::StackAllocated<X509_STORE_CTX, void, X509_STORE_CTX_zero,
+ X509_STORE_CTX_cleanup>;
+
 BSSL_NAMESPACE_END
 
 } // extern C++
|
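Review bot: The `typedef struct rsa_pss_params_st { … } RSA_PSS_PARAMS;` form breaks with the convention every other struct in this diff follows (`} /* X509_NAME_ENTRY */;`, `} /* X509_CINF */;`, `} /* X509 */;`), where the typedef name comes from elsewhere and the trailing comment only labels the struct. If `RSA_PSS_PARAMS` is already typedef'd in a base header, this line is a duplicate typedef, legal in C11 and C++ but an error under `-std=c99 -pedantic`; if it is not, this struct and the others should agree on one style, and `} /* RSA_PSS_PARAMS */;` is the form the rest of the file uses. Dropping `maskHash` also changes the public layout of the struct, and the removed comment said an external consumer relied on the field being present, so the ABI change deserves a mention in the commit message, which I cannot verify from this hunk.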
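Review bot: The new `ScopedX509_STORE_CTX` alias carries no comment, which a public RAII type in this header should have; the template arguments show it is set up with `X509_STORE_CTX_zero` and torn down with `X509_STORE_CTX_cleanup`, but nothing says whether the object is usable right after construction or still needs `X509_STORE_CTX_init`, which is presumably required for a verification context. Suggest above the alias: `// ScopedX509_STORE_CTX holds a zero-initialized X509_STORE_CTX and calls X509_STORE_CTX_cleanup when it leaves scope; call X509_STORE_CTX_init on it before use.` The `void` type argument should also be explained if it is the init function's return type, since that is not obvious from the alias alone.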