1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
|
#ifndef _IPXE_X509_H
#define _IPXE_X509_H
/** @file
*
* X.509 certificates
*
*/
FILE_LICENCE ( GPL2_OR_LATER );
#include <stdint.h>
#include <stddef.h>
#include <time.h>
#include <ipxe/asn1.h>
/** An X.509 bit string */
struct x509_bit_string {
/** Data */
const void *data;
/** Length */
size_t len;
/** Unused bits at end of data */
unsigned int unused;
};
/** An X.509 serial number */
struct x509_serial {
/** Raw serial number */
struct asn1_cursor raw;
};
/** An X.509 issuer */
struct x509_issuer {
/** Raw issuer */
struct asn1_cursor raw;
};
/** An X.509 time */
struct x509_time {
/** Seconds since the Epoch */
time_t time;
};
/** An X.509 certificate validity period */
struct x509_validity {
/** Not valid before */
struct x509_time not_before;
/** Not valid after */
struct x509_time not_after;
};
/** An X.509 name */
struct x509_name {
/** Name (not NUL-terminated) */
const void *data;
/** Length of name */
size_t len;
};
/** An X.509 certificate public key */
struct x509_public_key {
/** Raw public key */
struct asn1_cursor raw;
/** Public key algorithm */
struct asn1_algorithm *algorithm;
};
/** An X.509 certificate subject */
struct x509_subject {
/** Raw subject */
struct asn1_cursor raw;
/** Common name */
struct x509_name name;
/** Public key information */
struct x509_public_key public_key;
};
/** An X.509 certificate signature */
struct x509_signature {
/** Signature algorithm */
struct asn1_algorithm *algorithm;
/** Signature value */
struct x509_bit_string value;
};
/** An X.509 certificate basic constraints set */
struct x509_basic_constraints {
/** Subject is a CA */
int ca;
/** Path length */
unsigned int path_len;
};
/** An X.509 certificate key usage */
struct x509_key_usage {
/** Key usage extension is present */
int present;
/** Usage bits */
unsigned int bits;
};
/** X.509 certificate key usage bits */
enum x509_key_usage_bits {
X509_DIGITAL_SIGNATURE = 0x0080,
X509_NON_REPUDIATION = 0x0040,
X509_KEY_ENCIPHERMENT = 0x0020,
X509_DATA_ENCIPHERMENT = 0x0010,
X509_KEY_AGREEMENT = 0x0008,
X509_KEY_CERT_SIGN = 0x0004,
X509_CRL_SIGN = 0x0002,
X509_ENCIPHER_ONLY = 0x0001,
X509_DECIPHER_ONLY = 0x8000,
};
/** An X.509 certificate extensions set */
struct x509_extensions {
/** Basic constraints */
struct x509_basic_constraints basic;
/** Key usage */
struct x509_key_usage usage;
};
/** An X.509 certificate */
struct x509_certificate {
/** Raw certificate */
struct asn1_cursor raw;
/** Version */
unsigned int version;
/** Serial number */
struct x509_serial serial;
/** Raw tbsCertificate */
struct asn1_cursor tbs;
/** Signature algorithm */
struct asn1_algorithm *signature_algorithm;
/** Issuer */
struct x509_issuer issuer;
/** Validity */
struct x509_validity validity;
/** Subject */
struct x509_subject subject;
/** Signature */
struct x509_signature signature;
/** Extensions */
struct x509_extensions extensions;
};
/** An X.509 extension */
struct x509_extension {
/** Name */
const char *name;
/** Object identifier */
struct asn1_cursor oid;
/** Parse extension
*
* @v cert X.509 certificate
* @v raw ASN.1 cursor
* @ret rc Return status code
*/
int ( * parse ) ( struct x509_certificate *cert,
const struct asn1_cursor *raw );
};
/** An X.509 root certificate store */
struct x509_root {
/** Fingerprint digest algorithm */
struct digest_algorithm *digest;
/** Number of certificates */
unsigned int count;
/** Certificate fingerprints */
const void *fingerprints;
};
extern int x509_parse ( struct x509_certificate *cert,
const void *data, size_t len );
extern int x509_validate_issuer ( struct x509_certificate *cert,
struct x509_certificate *issuer );
extern void x509_fingerprint ( struct x509_certificate *cert,
struct digest_algorithm *digest,
void *fingerprint );
extern int x509_validate_root ( struct x509_certificate *cert,
struct x509_root *root );
extern int x509_validate_time ( struct x509_certificate *cert, time_t time );
extern int x509_validate_chain ( int ( * parse_next )
( struct x509_certificate *cert,
void *context ),
void *context, time_t time,
struct x509_root *root,
struct x509_certificate *first );
#endif /* _IPXE_X509_H */
|
