Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
freebsd
GitHub Repository: freebsd/freebsd-src
 Path: blob/main/contrib/bearssl/inc/bearssl_x509.h
39586 views
1
/*

2
 * Copyright (c) 2016 Thomas Pornin <[email protected]>

3
 *

4
 * Permission is hereby granted, free of charge, to any person obtaining 

5
 * a copy of this software and associated documentation files (the

6
 * "Software"), to deal in the Software without restriction, including

7
 * without limitation the rights to use, copy, modify, merge, publish,

8
 * distribute, sublicense, and/or sell copies of the Software, and to

9
 * permit persons to whom the Software is furnished to do so, subject to

10
 * the following conditions:

11
 *

12
 * The above copyright notice and this permission notice shall be 

13
 * included in all copies or substantial portions of the Software.

14
 *

15
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, 

16
 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF

17
 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND 

18
 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS

19
 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN

20
 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN

21
 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE

22
 * SOFTWARE.

23
 */

24


25
#ifndef BR_BEARSSL_X509_H__

26
#define BR_BEARSSL_X509_H__

27


28
#include <stddef.h>

29
#include <stdint.h>

30


31
#include "bearssl_ec.h"

32
#include "bearssl_hash.h"

33
#include "bearssl_rsa.h"

34


35
#ifdef __cplusplus

36
extern "C" {

37
#endif

38


39
/** \file bearssl_x509.h

40
 *

41
 * # X.509 Certificate Chain Processing

42
 *

43
 * An X.509 processing engine receives an X.509 chain, chunk by chunk,

44
 * as received from a SSL/TLS client or server (the client receives the

45
 * server's certificate chain, and the server receives the client's

46
 * certificate chain if it requested a client certificate). The chain

47
 * is thus injected in the engine in SSL order (end-entity first).

48
 *

49
 * The engine's job is to return the public key to use for SSL/TLS.

50
 * How exactly that key is obtained and verified is entirely up to the

51
 * engine.

52
 *

53
 * **The "known key" engine** returns a public key which is already known

54
 * from out-of-band information (e.g. the client _remembers_ the key from

55
 * a previous connection, as in the usual SSH model). This is the simplest

56
 * engine since it simply ignores the chain, thereby avoiding the need

57
 * for any decoding logic.

58
 *

59
 * **The "minimal" engine** implements minimal X.509 decoding and chain

60
 * validation:

61
 *

62
 *   - The provided chain should validate "as is". There is no attempt

63
 *     at reordering, skipping or downloading extra certificates.

64
 *

65
 *   - X.509 v1, v2 and v3 certificates are supported.

66
 *

67
 *   - Trust anchors are a DN and a public key. Each anchor is either a

68
 *     "CA" anchor, or a non-CA.

69
 *

70
 *   - If the end-entity certificate matches a non-CA anchor (subject DN

71
 *     is equal to the non-CA name, and public key is also identical to

72
 *     the anchor key), then this is a _direct trust_ case and the

73
 *     remaining certificates are ignored.

74
 *

75
 *   - Unless direct trust is applied, the chain must be verifiable up to

76
 *     a certificate whose issuer DN matches the DN from a "CA" trust anchor,

77
 *     and whose signature is verifiable against that anchor's public key.

78
 *     Subsequent certificates in the chain are ignored.

79
 *

80
 *   - The engine verifies subject/issuer DN matching, and enforces

81
 *     processing of Basic Constraints and Key Usage extensions. The

82
 *     Authority Key Identifier, Subject Key Identifier, Issuer Alt Name,

83
 *     Subject Directory Attribute, CRL Distribution Points, Freshest CRL,

84
 *     Authority Info Access and Subject Info Access extensions are

85
 *     ignored. The Subject Alt Name is decoded for the end-entity

86
 *     certificate under some conditions (see below). Other extensions

87
 *     are ignored if non-critical, or imply chain rejection if critical.

88
 *

89
 *   - The Subject Alt Name extension is parsed for names of type `dNSName`

90
 *     when decoding the end-entity certificate, and only if there is a

91
 *     server name to match. If there is no SAN extension, then the

92
 *     Common Name from the subjectDN is used. That name matching is

93
 *     case-insensitive and honours a single starting wildcard (i.e. if

94
 *     the name in the certificate starts with "`*.`" then this matches

95
 *     any word as first element). Note: this name matching is performed

96
 *     also in the "direct trust" model.

97
 *

98
 *   - DN matching is byte-to-byte equality (a future version might

99
 *     include some limited processing for case-insensitive matching and

100
 *     whitespace normalisation).

101
 *

102
 *   - Successful validation produces a public key type but also a set

103
 *     of allowed usages (`BR_KEYTYPE_KEYX` and/or `BR_KEYTYPE_SIGN`).

104
 *     The caller is responsible for checking that the key type and

105
 *     usages are compatible with the expected values (e.g. with the

106
 *     selected cipher suite, when the client validates the server's

107
 *     certificate).

108
 *

109
 * **Important caveats:**

110
 *

111
 *   - The "minimal" engine does not check revocation status. The relevant

112
 *     extensions are ignored, and CRL or OCSP responses are not gathered

113
 *     or checked.

114
 *

115
 *   - The "minimal" engine does not currently support Name Constraints

116
 *     (some basic functionality to handle sub-domains may be added in a

117
 *     later version).

118
 *

119
 *   - The decoder is not "validating" in the sense that it won't reject

120
 *     some certificates with invalid field values when these fields are

121
 *     not actually processed.

122
 */

123


124
/*

125
 * X.509 error codes are in the 32..63 range.

126
 */

127


128
/** \brief X.509 status: validation was successful; this is not actually

129
    an error. */

130
#define BR_ERR_X509_OK                    32

131


132
/** \brief X.509 status: invalid value in an ASN.1 structure. */

133
#define BR_ERR_X509_INVALID_VALUE         33

134


135
/** \brief X.509 status: truncated certificate. */

136
#define BR_ERR_X509_TRUNCATED             34

137


138
/** \brief X.509 status: empty certificate chain (no certificate at all). */

139
#define BR_ERR_X509_EMPTY_CHAIN           35

140


141
/** \brief X.509 status: decoding error: inner element extends beyond

142
    outer element size. */

143
#define BR_ERR_X509_INNER_TRUNC           36

144


145
/** \brief X.509 status: decoding error: unsupported tag class (application

146
    or private). */

147
#define BR_ERR_X509_BAD_TAG_CLASS         37

148


149
/** \brief X.509 status: decoding error: unsupported tag value. */

150
#define BR_ERR_X509_BAD_TAG_VALUE         38

151


152
/** \brief X.509 status: decoding error: indefinite length. */

153
#define BR_ERR_X509_INDEFINITE_LENGTH     39

154


155
/** \brief X.509 status: decoding error: extraneous element. */

156
#define BR_ERR_X509_EXTRA_ELEMENT         40

157


158
/** \brief X.509 status: decoding error: unexpected element. */

159
#define BR_ERR_X509_UNEXPECTED            41

160


161
/** \brief X.509 status: decoding error: expected constructed element, but

162
    is primitive. */

163
#define BR_ERR_X509_NOT_CONSTRUCTED       42

164


165
/** \brief X.509 status: decoding error: expected primitive element, but

166
    is constructed. */

167
#define BR_ERR_X509_NOT_PRIMITIVE         43

168


169
/** \brief X.509 status: decoding error: BIT STRING length is not multiple

170
    of 8. */

171
#define BR_ERR_X509_PARTIAL_BYTE          44

172


173
/** \brief X.509 status: decoding error: BOOLEAN value has invalid length. */

174
#define BR_ERR_X509_BAD_BOOLEAN           45

175


176
/** \brief X.509 status: decoding error: value is off-limits. */

177
#define BR_ERR_X509_OVERFLOW              46

178


179
/** \brief X.509 status: invalid distinguished name. */

180
#define BR_ERR_X509_BAD_DN                47

181


182
/** \brief X.509 status: invalid date/time representation. */

183
#define BR_ERR_X509_BAD_TIME              48

184


185
/** \brief X.509 status: certificate contains unsupported features that

186
    cannot be ignored. */

187
#define BR_ERR_X509_UNSUPPORTED           49

188


189
/** \brief X.509 status: key or signature size exceeds internal limits. */

190
#define BR_ERR_X509_LIMIT_EXCEEDED        50

191


192
/** \brief X.509 status: key type does not match that which was expected. */

193
#define BR_ERR_X509_WRONG_KEY_TYPE        51

194


195
/** \brief X.509 status: signature is invalid. */

196
#define BR_ERR_X509_BAD_SIGNATURE         52

197


198
/** \brief X.509 status: validation time is unknown. */

199
#define BR_ERR_X509_TIME_UNKNOWN          53

200


201
/** \brief X.509 status: certificate is expired or not yet valid. */

202
#define BR_ERR_X509_EXPIRED               54

203


204
/** \brief X.509 status: issuer/subject DN mismatch in the chain. */

205
#define BR_ERR_X509_DN_MISMATCH           55

206


207
/** \brief X.509 status: expected server name was not found in the chain. */

208
#define BR_ERR_X509_BAD_SERVER_NAME       56

209


210
/** \brief X.509 status: unknown critical extension in certificate. */

211
#define BR_ERR_X509_CRITICAL_EXTENSION    57

212


213
/** \brief X.509 status: not a CA, or path length constraint violation */

214
#define BR_ERR_X509_NOT_CA                58

215


216
/** \brief X.509 status: Key Usage extension prohibits intended usage. */

217
#define BR_ERR_X509_FORBIDDEN_KEY_USAGE   59

218


219
/** \brief X.509 status: public key found in certificate is too small. */

220
#define BR_ERR_X509_WEAK_PUBLIC_KEY       60

221


222
/** \brief X.509 status: chain could not be linked to a trust anchor. */

223
#define BR_ERR_X509_NOT_TRUSTED           62

224


225
/**

226
 * \brief Aggregate structure for public keys.

227
 */

228
typedef struct {

229
	/** \brief Key type: `BR_KEYTYPE_RSA` or `BR_KEYTYPE_EC` */

230
	unsigned char key_type;

231
	/** \brief Actual public key. */

232
	union {

233
		/** \brief RSA public key. */

234
		br_rsa_public_key rsa;

235
		/** \brief EC public key. */

236
		br_ec_public_key ec;

237
	} key;

238
} br_x509_pkey;

239


240
/**

241
 * \brief Distinguished Name (X.500) structure.

242
 *

243
 * The DN is DER-encoded.

244
 */

245
typedef struct {

246
	/** \brief Encoded DN data. */

247
	unsigned char *data;

248
	/** \brief Encoded DN length (in bytes). */

249
	size_t len;

250
} br_x500_name;

251


252
/**

253
 * \brief Trust anchor structure.

254
 */

255
typedef struct {

256
	/** \brief Encoded DN (X.500 name). */

257
	br_x500_name dn;

258
	/** \brief Anchor flags (e.g. `BR_X509_TA_CA`). */

259
	unsigned flags;

260
	/** \brief Anchor public key. */

261
	br_x509_pkey pkey;

262
} br_x509_trust_anchor;

263


264
/**

265
 * \brief Trust anchor flag: CA.

266
 *

267
 * A "CA" anchor is deemed fit to verify signatures on certificates.

268
 * A "non-CA" anchor is accepted only for direct trust (server's

269
 * certificate name and key match the anchor).

270
 */

271
#define BR_X509_TA_CA        0x0001

272


273
/*

274
 * Key type: combination of a basic key type (low 4 bits) and some

275
 * optional flags.

276
 *

277
 * For a public key, the basic key type only is set.

278
 *

279
 * For an expected key type, the flags indicate the intended purpose(s)

280
 * for the key; the basic key type may be set to 0 to indicate that any

281
 * key type compatible with the indicated purpose is acceptable.

282
 */

283
/** \brief Key type: algorithm is RSA. */

284
#define BR_KEYTYPE_RSA    1

285
/** \brief Key type: algorithm is EC. */

286
#define BR_KEYTYPE_EC     2

287


288
/**

289
 * \brief Key type: usage is "key exchange".

290
 *

291
 * This value is combined (with bitwise OR) with the algorithm

292
 * (`BR_KEYTYPE_RSA` or `BR_KEYTYPE_EC`) when informing the X.509

293
 * validation engine that it should find a public key of that type,

294
 * fit for key exchanges (e.g. `TLS_RSA_*` and `TLS_ECDH_*` cipher

295
 * suites).

296
 */

297
#define BR_KEYTYPE_KEYX   0x10

298


299
/**

300
 * \brief Key type: usage is "signature".

301
 *

302
 * This value is combined (with bitwise OR) with the algorithm

303
 * (`BR_KEYTYPE_RSA` or `BR_KEYTYPE_EC`) when informing the X.509

304
 * validation engine that it should find a public key of that type,

305
 * fit for signatures (e.g. `TLS_ECDHE_*` cipher suites).

306
 */

307
#define BR_KEYTYPE_SIGN   0x20

308


309
/*

310
 * start_chain   Called when a new chain is started. If 'server_name'

311
 *               is not NULL and non-empty, then it is a name that

312
 *               should be looked for in the EE certificate (in the

313
 *               SAN extension as dNSName, or in the subjectDN's CN

314
 *               if there is no SAN extension).

315
 *               The caller ensures that the provided 'server_name'

316
 *               pointer remains valid throughout validation.

317
 *

318
 * start_cert    Begins a new certificate in the chain. The provided

319
 *               length is in bytes; this is the total certificate length.

320
 *

321
 * append        Get some additional bytes for the current certificate.

322
 *

323
 * end_cert      Ends the current certificate.

324
 *

325
 * end_chain     Called at the end of the chain. Returned value is

326
 *               0 on success, or a non-zero error code.

327
 *

328
 * get_pkey      Returns the EE certificate public key.

329
 *

330
 * For a complete chain, start_chain() and end_chain() are always

331
 * called. For each certificate, start_cert(), some append() calls, then

332
 * end_cert() are called, in that order. There may be no append() call

333
 * at all if the certificate is empty (which is not valid but may happen

334
 * if the peer sends exactly that).

335
 *

336
 * get_pkey() shall return a pointer to a structure that is valid as

337
 * long as a new chain is not started. This may be a sub-structure

338
 * within the context for the engine. This function MAY return a valid

339
 * pointer to a public key even in some cases of validation failure,

340
 * depending on the validation engine.

341
 */

342


343
/**

344
 * \brief Class type for an X.509 engine.

345
 *

346
 * A certificate chain validation uses a caller-allocated context, which

347
 * contains the running state for that validation. Methods are called

348
 * in due order:

349
 *

350
 *   - `start_chain()` is called at the start of the validation.

351
 *   - Certificates are processed one by one, in SSL order (end-entity

352
 *     comes first). For each certificate, the following methods are

353
 *     called:

354
 *

355
 *       - `start_cert()` at the beginning of the certificate.

356
 *       - `append()` is called zero, one or more times, to provide

357
 *         the certificate (possibly in chunks).

358
 *       - `end_cert()` at the end of the certificate.

359
 *

360
 *   - `end_chain()` is called when the last certificate in the chain

361
 *     was processed.

362
 *   - `get_pkey()` is called after chain processing, if the chain

363
 *     validation was successful.

364
 *

365
 * A context structure may be reused; the `start_chain()` method shall

366
 * ensure (re)initialisation.

367
 */

368
typedef struct br_x509_class_ br_x509_class;

369
struct br_x509_class_ {

370
	/**

371
	 * \brief X.509 context size, in bytes.

372
	 */

373
	size_t context_size;

374


375
	/**

376
	 * \brief Start a new chain.

377
	 *

378
	 * This method shall set the vtable (first field) of the context

379
	 * structure.

380
	 *

381
	 * The `server_name`, if not `NULL`, will be considered as a

382
	 * fully qualified domain name, to be matched against the `dNSName`

383
	 * elements of the end-entity certificate's SAN extension (if there

384
	 * is no SAN, then the Common Name from the subjectDN will be used).

385
	 * If `server_name` is `NULL` then no such matching is performed.

386
	 *

387
	 * \param ctx           validation context.

388
	 * \param server_name   server name to match (or `NULL`).

389
	 */

390
	void (*start_chain)(const br_x509_class **ctx,

391
		const char *server_name);

392


393
	/**

394
	 * \brief Start a new certificate.

395
	 *

396
	 * \param ctx      validation context.

397
	 * \param length   new certificate length (in bytes).

398
	 */

399
	void (*start_cert)(const br_x509_class **ctx, uint32_t length);

400


401
	/**

402
	 * \brief Receive some bytes for the current certificate.

403
	 *

404
	 * This function may be called several times in succession for

405
	 * a given certificate. The caller guarantees that for each

406
	 * call, `len` is not zero, and the sum of all chunk lengths

407
	 * for a certificate matches the total certificate length which

408
	 * was provided in the previous `start_cert()` call.

409
	 *

410
	 * If the new certificate is empty (no byte at all) then this

411
	 * function won't be called at all.

412
	 *

413
	 * \param ctx   validation context.

414
	 * \param buf   certificate data chunk.

415
	 * \param len   certificate data chunk length (in bytes).

416
	 */

417
	void (*append)(const br_x509_class **ctx,

418
		const unsigned char *buf, size_t len);

419


420
	/**

421
	 * \brief Finish the current certificate.

422
	 *

423
	 * This function is called when the end of the current certificate

424
	 * is reached.

425
	 *

426
	 * \param ctx   validation context.

427
	 */

428
	void (*end_cert)(const br_x509_class **ctx);

429


430
	/**

431
	 * \brief Finish the chain.

432
	 *

433
	 * This function is called at the end of the chain. It shall

434
	 * return either 0 if the validation was successful, or a

435
	 * non-zero error code. The `BR_ERR_X509_*` constants are

436
	 * error codes, though other values may be possible.

437
	 *

438
	 * \param ctx   validation context.

439
	 * \return  0 on success, or a non-zero error code.

440
	 */

441
	unsigned (*end_chain)(const br_x509_class **ctx);

442


443
	/**

444
	 * \brief Get the resulting end-entity public key.

445
	 *

446
	 * The decoded public key is returned. The returned pointer

447
	 * may be valid only as long as the context structure is

448
	 * unmodified, i.e. it may cease to be valid if the context

449
	 * is released or reused.

450
	 *

451
	 * This function _may_ return `NULL` if the validation failed.

452
	 * However, returning a public key does not mean that the

453
	 * validation was wholly successful; some engines may return

454
	 * a decoded public key even if the chain did not end on a

455
	 * trusted anchor.

456
	 *

457
	 * If validation succeeded and `usage` is not `NULL`, then

458
	 * `*usage` is filled with a combination of `BR_KEYTYPE_SIGN`

459
	 * and/or `BR_KEYTYPE_KEYX` that specifies the validated key

460
	 * usage types. It is the caller's responsibility to check

461
	 * that value against the intended use of the public key.

462
	 *

463
	 * \param ctx   validation context.

464
	 * \return  the end-entity public key, or `NULL`.

465
	 */

466
	const br_x509_pkey *(*get_pkey)(

467
		const br_x509_class *const *ctx, unsigned *usages);

468
};

469


470
/**

471
 * \brief The "known key" X.509 engine structure.

472
 *

473
 * The structure contents are opaque (they shall not be accessed directly),

474
 * except for the first field (the vtable).

475
 *

476
 * The "known key" engine returns an externally configured public key,

477
 * and totally ignores the certificate contents.

478
 */

479
typedef struct {

480
	/** \brief Reference to the context vtable. */

481
	const br_x509_class *vtable;

482
#ifndef BR_DOXYGEN_IGNORE

483
	br_x509_pkey pkey;

484
	unsigned usages;

485
#endif

486
} br_x509_knownkey_context;

487


488
/**

489
 * \brief Class instance for the "known key" X.509 engine.

490
 */

491
extern const br_x509_class br_x509_knownkey_vtable;

492


493
/**

494
 * \brief Initialize a "known key" X.509 engine with a known RSA public key.

495
 *

496
 * The `usages` parameter indicates the allowed key usages for that key

497
 * (`BR_KEYTYPE_KEYX` and/or `BR_KEYTYPE_SIGN`).

498
 *

499
 * The provided pointers are linked in, not copied, so they must remain

500
 * valid while the public key may be in usage.

501
 *

502
 * \param ctx      context to initialise.

503
 * \param pk       known public key.

504
 * \param usages   allowed key usages.

505
 */

506
void br_x509_knownkey_init_rsa(br_x509_knownkey_context *ctx,

507
	const br_rsa_public_key *pk, unsigned usages);

508


509
/**

510
 * \brief Initialize a "known key" X.509 engine with a known EC public key.

511
 *

512
 * The `usages` parameter indicates the allowed key usages for that key

513
 * (`BR_KEYTYPE_KEYX` and/or `BR_KEYTYPE_SIGN`).

514
 *

515
 * The provided pointers are linked in, not copied, so they must remain

516
 * valid while the public key may be in usage.

517
 *

518
 * \param ctx      context to initialise.

519
 * \param pk       known public key.

520
 * \param usages   allowed key usages.

521
 */

522
void br_x509_knownkey_init_ec(br_x509_knownkey_context *ctx,

523
	const br_ec_public_key *pk, unsigned usages);

524


525
#ifndef BR_DOXYGEN_IGNORE

526
/*

527
 * The minimal X.509 engine has some state buffers which must be large

528
 * enough to simultaneously accommodate:

529
 * -- the public key extracted from the current certificate;

530
 * -- the signature on the current certificate or on the previous

531
 *    certificate;

532
 * -- the public key extracted from the EE certificate.

533
 *

534
 * We store public key elements in their raw unsigned big-endian

535
 * encoding. We want to support up to RSA-4096 with a short (up to 64

536
 * bits) public exponent, thus a buffer for a public key must have

537
 * length at least 520 bytes. Similarly, a RSA-4096 signature has length

538
 * 512 bytes.

539
 *

540
 * Though RSA public exponents can formally be as large as the modulus

541
 * (mathematically, even larger exponents would work, but PKCS#1 forbids

542
 * them), exponents that do not fit on 32 bits are extremely rare,

543
 * notably because some widespread implementations (e.g. Microsoft's

544
 * CryptoAPI) don't support them. Moreover, large public exponent do not

545
 * seem to imply any tangible security benefit, and they increase the

546
 * cost of public key operations. The X.509 "minimal" engine will tolerate

547
 * public exponents of arbitrary size as long as the modulus and the

548
 * exponent can fit together in the dedicated buffer.

549
 *

550
 * EC public keys are shorter than RSA public keys; even with curve

551
 * NIST P-521 (the largest curve we care to support), a public key is

552
 * encoded over 133 bytes only.

553
 */

554
#define BR_X509_BUFSIZE_KEY   520

555
#define BR_X509_BUFSIZE_SIG   512

556
#endif

557


558
/**

559
 * \brief Type for receiving a name element.

560
 *

561
 * An array of such structures can be provided to the X.509 decoding

562
 * engines. If the specified elements are found in the certificate

563
 * subject DN or the SAN extension, then the name contents are copied

564
 * as zero-terminated strings into the buffer.

565
 *

566
 * The decoder converts TeletexString and BMPString to UTF8String, and

567
 * ensures that the resulting string is zero-terminated. If the string

568
 * does not fit in the provided buffer, then the copy is aborted and an

569
 * error is reported.

570
 */

571
typedef struct {

572
	/**

573
	 * \brief Element OID.

574
	 *

575
	 * For X.500 name elements (to be extracted from the subject DN),

576
	 * this is the encoded OID for the requested name element; the

577
	 * first byte shall contain the length of the DER-encoded OID

578
	 * value, followed by the OID value (for instance, OID 2.5.4.3,

579
	 * for id-at-commonName, will be `03 55 04 03`). This is

580
	 * equivalent to full DER encoding with the length but without

581
	 * the tag.

582
	 *

583
	 * For SAN name elements, the first byte (`oid[0]`) has value 0,

584
	 * followed by another byte that matches the expected GeneralName

585
	 * tag. Allowed second byte values are then:

586
	 *

587
	 *   - 1: `rfc822Name`

588
	 *

589
	 *   - 2: `dNSName`

590
	 *

591
	 *   - 6: `uniformResourceIdentifier`

592
	 *

593
	 *   - 0: `otherName`

594
	 *

595
	 * If first and second byte are 0, then this is a SAN element of

596
	 * type `otherName`; the `oid[]` array should then contain, right

597
	 * after the two bytes of value 0, an encoded OID (with the same

598
	 * conventions as for X.500 name elements). If a match is found

599
	 * for that OID, then the corresponding name element will be

600
	 * extracted, as long as it is a supported string type.

601
	 */

602
	const unsigned char *oid;

603


604
	/**

605
	 * \brief Destination buffer.

606
	 */

607
	char *buf;

608


609
	/**

610
	 * \brief Length (in bytes) of the destination buffer.

611
	 *

612
	 * The buffer MUST NOT be smaller than 1 byte.

613
	 */

614
	size_t len;

615


616
	/**

617
	 * \brief Decoding status.

618
	 *

619
	 * Status is 0 if the name element was not found, 1 if it was

620
	 * found and decoded, or -1 on error. Error conditions include

621
	 * an unrecognised encoding, an invalid encoding, or a string

622
	 * too large for the destination buffer.

623
	 */

624
	int status;

625


626
} br_name_element;

627


628
/**

629
 * \brief Callback for validity date checks.

630
 *

631
 * The function receives as parameter an arbitrary user-provided context,

632
 * and the notBefore and notAfter dates specified in an X.509 certificate,

633
 * both expressed as a number of days and a number of seconds:

634
 *

635
 *   - Days are counted in a proleptic Gregorian calendar since

636
 *     January 1st, 0 AD. Year "0 AD" is the one that preceded "1 AD";

637
 *     it is also traditionally known as "1 BC".

638
 *

639
 *   - Seconds are counted since midnight, from 0 to 86400 (a count of

640
 *     86400 is possible only if a leap second happened).

641
 *

642
 * Each date and time is understood in the UTC time zone. The "Unix

643
 * Epoch" (January 1st, 1970, 00:00 UTC) corresponds to days=719528 and

644
 * seconds=0; the "Windows Epoch" (January 1st, 1601, 00:00 UTC) is

645
 * days=584754, seconds=0.

646
 *

647
 * This function must return -1 if the current date is strictly before

648
 * the "notBefore" time, or +1 if the current date is strictly after the

649
 * "notAfter" time. If neither condition holds, then the function returns

650
 * 0, which means that the current date falls within the validity range of

651
 * the certificate. If the function returns a value distinct from -1, 0

652
 * and +1, then this is interpreted as an unavailability of the current

653
 * time, which normally ends the validation process with a

654
 * `BR_ERR_X509_TIME_UNKNOWN` error.

655
 *

656
 * During path validation, this callback will be invoked for each

657
 * considered X.509 certificate. Validation fails if any of the calls

658
 * returns a non-zero value.

659
 *

660
 * The context value is an abritrary pointer set by the caller when

661
 * configuring this callback.

662
 *

663
 * \param tctx                 context pointer.

664
 * \param not_before_days      notBefore date (days since Jan 1st, 0 AD).

665
 * \param not_before_seconds   notBefore time (seconds, at most 86400).

666
 * \param not_after_days       notAfter date (days since Jan 1st, 0 AD).

667
 * \param not_after_seconds    notAfter time (seconds, at most 86400).

668
 * \return  -1, 0 or +1.

669
 */

670
typedef int (*br_x509_time_check)(void *tctx,

671
	uint32_t not_before_days, uint32_t not_before_seconds,

672
	uint32_t not_after_days, uint32_t not_after_seconds);

673


674
/**

675
 * \brief The "minimal" X.509 engine structure.

676
 *

677
 * The structure contents are opaque (they shall not be accessed directly),

678
 * except for the first field (the vtable).

679
 *

680
 * The "minimal" engine performs a rudimentary but serviceable X.509 path

681
 * validation.

682
 */

683
typedef struct {

684
	const br_x509_class *vtable;

685


686
#ifndef BR_DOXYGEN_IGNORE

687
	/* Structure for returning the EE public key. */

688
	br_x509_pkey pkey;

689


690
	/* CPU for the T0 virtual machine. */

691
	struct {

692
		uint32_t *dp;

693
		uint32_t *rp;

694
		const unsigned char *ip;

695
	} cpu;

696
	uint32_t dp_stack[31];

697
	uint32_t rp_stack[31];

698
	int err;

699


700
	/* Server name to match with the SAN / CN of the EE certificate. */

701
	const char *server_name;

702


703
	/* Validated key usages. */

704
	unsigned char key_usages;

705


706
	/* Explicitly set date and time. */

707
	uint32_t days, seconds;

708


709
	/* Current certificate length (in bytes). Set to 0 when the

710
	   certificate has been fully processed. */

711
	uint32_t cert_length;

712


713
	/* Number of certificates processed so far in the current chain.

714
	   It is incremented at the end of the processing of a certificate,

715
	   so it is 0 for the EE. */

716
	uint32_t num_certs;

717


718
	/* Certificate data chunk. */

719
	const unsigned char *hbuf;

720
	size_t hlen;

721


722
	/* The pad serves as destination for various operations. */

723
	unsigned char pad[256];

724


725
	/* Buffer for EE public key data. */

726
	unsigned char ee_pkey_data[BR_X509_BUFSIZE_KEY];

727


728
	/* Buffer for currently decoded public key. */

729
	unsigned char pkey_data[BR_X509_BUFSIZE_KEY];

730


731
	/* Signature type: signer key type, offset to the hash

732
	   function OID (in the T0 data block) and hash function

733
	   output length (TBS hash length). */

734
	unsigned char cert_signer_key_type;

735
	uint16_t cert_sig_hash_oid;

736
	unsigned char cert_sig_hash_len;

737


738
	/* Current/last certificate signature. */

739
	unsigned char cert_sig[BR_X509_BUFSIZE_SIG];

740
	uint16_t cert_sig_len;

741


742
	/* Minimum RSA key length (difference in bytes from 128). */

743
	int16_t min_rsa_size;

744


745
	/* Configured trust anchors. */

746
	const br_x509_trust_anchor *trust_anchors;

747
	size_t trust_anchors_num;

748


749
	/*

750
	 * Multi-hasher for the TBS.

751
	 */

752
	unsigned char do_mhash;

753
	br_multihash_context mhash;

754
	unsigned char tbs_hash[64];

755


756
	/*

757
	 * Simple hasher for the subject/issuer DN.

758
	 */

759
	unsigned char do_dn_hash;

760
	const br_hash_class *dn_hash_impl;

761
	br_hash_compat_context dn_hash;

762
	unsigned char current_dn_hash[64];

763
	unsigned char next_dn_hash[64];

764
	unsigned char saved_dn_hash[64];

765


766
	/*

767
	 * Name elements to gather.

768
	 */

769
	br_name_element *name_elts;

770
	size_t num_name_elts;

771


772
	/*

773
	 * Callback function (and context) to get the current date.

774
	 */

775
	void *itime_ctx;

776
	br_x509_time_check itime;

777


778
	/*

779
	 * Public key cryptography implementations (signature verification).

780
	 */

781
	br_rsa_pkcs1_vrfy irsa;

782
	br_ecdsa_vrfy iecdsa;

783
	const br_ec_impl *iec;

784
#endif

785


786
} br_x509_minimal_context;

787


788
/**

789
 * \brief Class instance for the "minimal" X.509 engine.

790
 */

791
extern const br_x509_class br_x509_minimal_vtable;

792


793
/**

794
 * \brief Initialise a "minimal" X.509 engine.

795
 *

796
 * The `dn_hash_impl` parameter shall be a hash function internally used

797
 * to match X.500 names (subject/issuer DN, and anchor names). Any standard

798
 * hash function may be used, but a collision-resistant hash function is

799
 * advised.

800
 *

801
 * After initialization, some implementations for signature verification

802
 * (hash functions and signature algorithms) MUST be added.

803
 *

804
 * \param ctx                 context to initialise.

805
 * \param dn_hash_impl        hash function for DN comparisons.

806
 * \param trust_anchors       trust anchors.

807
 * \param trust_anchors_num   number of trust anchors.

808
 */

809
void br_x509_minimal_init(br_x509_minimal_context *ctx,

810
	const br_hash_class *dn_hash_impl,

811
	const br_x509_trust_anchor *trust_anchors, size_t trust_anchors_num);

812


813
/**

814
 * \brief Set a supported hash function in an X.509 "minimal" engine.

815
 *

816
 * Hash functions are used with signature verification algorithms.

817
 * Once initialised (with `br_x509_minimal_init()`), the context must

818
 * be configured with the hash functions it shall support for that

819
 * purpose. The hash function identifier MUST be one of the standard

820
 * hash function identifiers (1 to 6, for MD5, SHA-1, SHA-224, SHA-256,

821
 * SHA-384 and SHA-512).

822
 *

823
 * If `impl` is `NULL`, this _removes_ support for the designated

824
 * hash function.

825
 *

826
 * \param ctx    validation context.

827
 * \param id     hash function identifier (from 1 to 6).

828
 * \param impl   hash function implementation (or `NULL`).

829
 */

830
static inline void

831
br_x509_minimal_set_hash(br_x509_minimal_context *ctx,

832
	int id, const br_hash_class *impl)

833
{

834
	br_multihash_setimpl(&ctx->mhash, id, impl);

835
}

836


837
/**

838
 * \brief Set a RSA signature verification implementation in the X.509

839
 * "minimal" engine.

840
 *

841
 * Once initialised (with `br_x509_minimal_init()`), the context must

842
 * be configured with the signature verification implementations that

843
 * it is supposed to support. If `irsa` is `0`, then the RSA support

844
 * is disabled.

845
 *

846
 * \param ctx    validation context.

847
 * \param irsa   RSA signature verification implementation (or `0`).

848
 */

849
static inline void

850
br_x509_minimal_set_rsa(br_x509_minimal_context *ctx,

851
	br_rsa_pkcs1_vrfy irsa)

852
{

853
	ctx->irsa = irsa;

854
}

855


856
/**

857
 * \brief Set a ECDSA signature verification implementation in the X.509

858
 * "minimal" engine.

859
 *

860
 * Once initialised (with `br_x509_minimal_init()`), the context must

861
 * be configured with the signature verification implementations that

862
 * it is supposed to support.

863
 *

864
 * If `iecdsa` is `0`, then this call disables ECDSA support; in that

865
 * case, `iec` may be `NULL`. Otherwise, `iecdsa` MUST point to a function

866
 * that verifies ECDSA signatures with format "asn1", and it will use

867
 * `iec` as underlying elliptic curve support.

868
 *

869
 * \param ctx      validation context.

870
 * \param iec      elliptic curve implementation (or `NULL`).

871
 * \param iecdsa   ECDSA implementation (or `0`).

872
 */

873
static inline void

874
br_x509_minimal_set_ecdsa(br_x509_minimal_context *ctx,

875
	const br_ec_impl *iec, br_ecdsa_vrfy iecdsa)

876
{

877
	ctx->iecdsa = iecdsa;

878
	ctx->iec = iec;

879
}

880


881
/**

882
 * \brief Initialise a "minimal" X.509 engine with default algorithms.

883
 *

884
 * This function performs the same job as `br_x509_minimal_init()`, but

885
 * also sets implementations for RSA, ECDSA, and the standard hash

886
 * functions.

887
 *

888
 * \param ctx                 context to initialise.

889
 * \param trust_anchors       trust anchors.

890
 * \param trust_anchors_num   number of trust anchors.

891
 */

892
void br_x509_minimal_init_full(br_x509_minimal_context *ctx,

893
	const br_x509_trust_anchor *trust_anchors, size_t trust_anchors_num);

894


895
/**

896
 * \brief Set the validation time for the X.509 "minimal" engine.

897
 *

898
 * The validation time is set as two 32-bit integers, for days and

899
 * seconds since a fixed epoch:

900
 *

901
 *   - Days are counted in a proleptic Gregorian calendar since

902
 *     January 1st, 0 AD. Year "0 AD" is the one that preceded "1 AD";

903
 *     it is also traditionally known as "1 BC".

904
 *

905
 *   - Seconds are counted since midnight, from 0 to 86400 (a count of

906
 *     86400 is possible only if a leap second happened).

907
 *

908
 * The validation date and time is understood in the UTC time zone. The

909
 * "Unix Epoch" (January 1st, 1970, 00:00 UTC) corresponds to days=719528

910
 * and seconds=0; the "Windows Epoch" (January 1st, 1601, 00:00 UTC) is

911
 * days=584754, seconds=0.

912
 *

913
 * If the validation date and time are not explicitly set, but BearSSL

914
 * was compiled with support for the system clock on the underlying

915
 * platform, then the current time will automatically be used. Otherwise,

916
 * not setting the validation date and time implies a validation

917
 * failure (except in case of direct trust of the EE key).

918
 *

919
 * \param ctx       validation context.

920
 * \param days      days since January 1st, 0 AD (Gregorian calendar).

921
 * \param seconds   seconds since midnight (0 to 86400).

922
 */

923
static inline void

924
br_x509_minimal_set_time(br_x509_minimal_context *ctx,

925
	uint32_t days, uint32_t seconds)

926
{

927
	ctx->days = days;

928
	ctx->seconds = seconds;

929
	ctx->itime = 0;

930
}

931


932
/**

933
 * \brief Set the validity range callback function for the X.509

934
 * "minimal" engine.

935
 *

936
 * The provided function will be invoked to check whether the validation

937
 * date is within the validity range for a given X.509 certificate; a

938
 * call will be issued for each considered certificate. The provided

939
 * context pointer (itime_ctx) will be passed as first parameter to the

940
 * callback.

941
 *

942
 * \param tctx   context for callback invocation.

943
 * \param cb     callback function.

944
 */

945
static inline void

946
br_x509_minimal_set_time_callback(br_x509_minimal_context *ctx,

947
	void *itime_ctx, br_x509_time_check itime)

948
{

949
	ctx->itime_ctx = itime_ctx;

950
	ctx->itime = itime;

951
}

952


953
/**

954
 * \brief Set the minimal acceptable length for RSA keys (X.509 "minimal"

955
 * engine).

956
 *

957
 * The RSA key length is expressed in bytes. The default minimum key

958
 * length is 128 bytes, corresponding to 1017 bits. RSA keys shorter

959
 * than the configured length will be rejected, implying validation

960
 * failure. This setting applies to keys extracted from certificates

961
 * (both end-entity, and intermediate CA) but not to "CA" trust anchors.

962
 *

963
 * \param ctx           validation context.

964
 * \param byte_length   minimum RSA key length, **in bytes** (not bits).

965
 */

966
static inline void

967
br_x509_minimal_set_minrsa(br_x509_minimal_context *ctx, int byte_length)

968
{

969
	ctx->min_rsa_size = (int16_t)(byte_length - 128);

970
}

971


972
/**

973
 * \brief Set the name elements to gather.

974
 *

975
 * The provided array is linked in the context. The elements are

976
 * gathered from the EE certificate. If the same element type is

977
 * requested several times, then the relevant structures will be filled

978
 * in the order the matching values are encountered in the certificate.

979
 *

980
 * \param ctx        validation context.

981
 * \param elts       array of name element structures to fill.

982
 * \param num_elts   number of name element structures to fill.

983
 */

984
static inline void

985
br_x509_minimal_set_name_elements(br_x509_minimal_context *ctx,

986
	br_name_element *elts, size_t num_elts)

987
{

988
	ctx->name_elts = elts;

989
	ctx->num_name_elts = num_elts;

990
}

991


992
/**

993
 * \brief X.509 decoder context.

994
 *

995
 * This structure is _not_ for X.509 validation, but for extracting

996
 * names and public keys from encoded certificates. Intended usage is

997
 * to use (self-signed) certificates as trust anchors.

998
 *

999
 * Contents are opaque and shall not be accessed directly.

1000
 */

1001
typedef struct {

1002


1003
#ifndef BR_DOXYGEN_IGNORE

1004
	/* Structure for returning the public key. */

1005
	br_x509_pkey pkey;

1006


1007
	/* CPU for the T0 virtual machine. */

1008
	struct {

1009
		uint32_t *dp;

1010
		uint32_t *rp;

1011
		const unsigned char *ip;

1012
	} cpu;

1013
	uint32_t dp_stack[32];

1014
	uint32_t rp_stack[32];

1015
	int err;

1016


1017
	/* The pad serves as destination for various operations. */

1018
	unsigned char pad[256];

1019


1020
	/* Flag set when decoding succeeds. */

1021
	unsigned char decoded;

1022


1023
	/* Validity dates. */

1024
	uint32_t notbefore_days, notbefore_seconds;

1025
	uint32_t notafter_days, notafter_seconds;

1026


1027
	/* The "CA" flag. This is set to true if the certificate contains

1028
	   a Basic Constraints extension that asserts CA status. */

1029
	unsigned char isCA;

1030


1031
	/* DN processing: the subject DN is extracted and pushed to the

1032
	   provided callback. */

1033
	unsigned char copy_dn;

1034
	void *append_dn_ctx;

1035
	void (*append_dn)(void *ctx, const void *buf, size_t len);

1036


1037
	/* Certificate data chunk. */

1038
	const unsigned char *hbuf;

1039
	size_t hlen;

1040


1041
	/* Buffer for decoded public key. */

1042
	unsigned char pkey_data[BR_X509_BUFSIZE_KEY];

1043


1044
	/* Type of key and hash function used in the certificate signature. */

1045
	unsigned char signer_key_type;

1046
	unsigned char signer_hash_id;

1047
#endif

1048


1049
} br_x509_decoder_context;

1050


1051
/**

1052
 * \brief Initialise an X.509 decoder context for processing a new

1053
 * certificate.

1054
 *

1055
 * The `append_dn()` callback (with opaque context `append_dn_ctx`)

1056
 * will be invoked to receive, chunk by chunk, the certificate's

1057
 * subject DN. If `append_dn` is `0` then the subject DN will be

1058
 * ignored.

1059
 *

1060
 * \param ctx             X.509 decoder context to initialise.

1061
 * \param append_dn       DN receiver callback (or `0`).

1062
 * \param append_dn_ctx   context for the DN receiver callback.

1063
 */

1064
void br_x509_decoder_init(br_x509_decoder_context *ctx,

1065
	void (*append_dn)(void *ctx, const void *buf, size_t len),

1066
	void *append_dn_ctx);

1067


1068
/**

1069
 * \brief Push some certificate bytes into a decoder context.

1070
 *

1071
 * If `len` is non-zero, then that many bytes are pushed, from address

1072
 * `data`, into the provided decoder context.

1073
 *

1074
 * \param ctx    X.509 decoder context.

1075
 * \param data   certificate data chunk.

1076
 * \param len    certificate data chunk length (in bytes).

1077
 */

1078
void br_x509_decoder_push(br_x509_decoder_context *ctx,

1079
	const void *data, size_t len);

1080


1081
/**

1082
 * \brief Obtain the decoded public key.

1083
 *

1084
 * Returned value is a pointer to a structure internal to the decoder

1085
 * context; releasing or reusing the decoder context invalidates that

1086
 * structure.

1087
 *

1088
 * If decoding was not finished, or failed, then `NULL` is returned.

1089
 *

1090
 * \param ctx   X.509 decoder context.

1091
 * \return  the public key, or `NULL` on unfinished/error.

1092
 */

1093
static inline br_x509_pkey *

1094
br_x509_decoder_get_pkey(br_x509_decoder_context *ctx)

1095
{

1096
	if (ctx->decoded && ctx->err == 0) {

1097
		return &ctx->pkey;

1098
	} else {

1099
		return NULL;

1100
	}

1101
}

1102


1103
/**

1104
 * \brief Get decoder error status.

1105
 *

1106
 * If no error was reported yet but the certificate decoding is not

1107
 * finished, then the error code is `BR_ERR_X509_TRUNCATED`. If decoding

1108
 * was successful, then 0 is returned.

1109
 *

1110
 * \param ctx   X.509 decoder context.

1111
 * \return  0 on successful decoding, or a non-zero error code.

1112
 */

1113
static inline int

1114
br_x509_decoder_last_error(br_x509_decoder_context *ctx)

1115
{

1116
	if (ctx->err != 0) {

1117
		return ctx->err;

1118
	}

1119
	if (!ctx->decoded) {

1120
		return BR_ERR_X509_TRUNCATED;

1121
	}

1122
	return 0;

1123
}

1124


1125
/**

1126
 * \brief Get the "isCA" flag from an X.509 decoder context.

1127
 *

1128
 * This flag is set if the decoded certificate claims to be a CA through

1129
 * a Basic Constraints extension. This flag should not be read before

1130
 * decoding completed successfully.

1131
 *

1132
 * \param ctx   X.509 decoder context.

1133
 * \return  the "isCA" flag.

1134
 */

1135
static inline int

1136
br_x509_decoder_isCA(br_x509_decoder_context *ctx)

1137
{

1138
	return ctx->isCA;

1139
}

1140


1141
/**

1142
 * \brief Get the issuing CA key type (type of algorithm used to sign the

1143
 * decoded certificate).

1144
 *

1145
 * This is `BR_KEYTYPE_RSA` or `BR_KEYTYPE_EC`. The value 0 is returned

1146
 * if the signature type was not recognised.

1147
 *

1148
 * \param ctx   X.509 decoder context.

1149
 * \return  the issuing CA key type.

1150
 */

1151
static inline int

1152
br_x509_decoder_get_signer_key_type(br_x509_decoder_context *ctx)

1153
{

1154
	return ctx->signer_key_type;

1155
}

1156


1157
/**

1158
 * \brief Get the identifier for the hash function used to sign the decoded

1159
 * certificate.

1160
 *

1161
 * This is 0 if the hash function was not recognised.

1162
 *

1163
 * \param ctx   X.509 decoder context.

1164
 * \return  the signature hash function identifier.

1165
 */

1166
static inline int

1167
br_x509_decoder_get_signer_hash_id(br_x509_decoder_context *ctx)

1168
{

1169
	return ctx->signer_hash_id;

1170
}

1171


1172
/**

1173
 * \brief Type for an X.509 certificate (DER-encoded).

1174
 */

1175
typedef struct {

1176
	/** \brief The DER-encoded certificate data. */

1177
	unsigned char *data;

1178
	/** \brief The DER-encoded certificate length (in bytes). */

1179
	size_t data_len;

1180
} br_x509_certificate;

1181


1182
/**

1183
 * \brief Private key decoder context.

1184
 *

1185
 * The private key decoder recognises RSA and EC private keys, either in

1186
 * their raw, DER-encoded format, or wrapped in an unencrypted PKCS#8

1187
 * archive (again DER-encoded).

1188
 *

1189
 * Structure contents are opaque and shall not be accessed directly.

1190
 */

1191
typedef struct {

1192
#ifndef BR_DOXYGEN_IGNORE

1193
	/* Structure for returning the private key. */

1194
	union {

1195
		br_rsa_private_key rsa;

1196
		br_ec_private_key ec;

1197
	} key;

1198


1199
	/* CPU for the T0 virtual machine. */

1200
	struct {

1201
		uint32_t *dp;

1202
		uint32_t *rp;

1203
		const unsigned char *ip;

1204
	} cpu;

1205
	uint32_t dp_stack[32];

1206
	uint32_t rp_stack[32];

1207
	int err;

1208


1209
	/* Private key data chunk. */

1210
	const unsigned char *hbuf;

1211
	size_t hlen;

1212


1213
	/* The pad serves as destination for various operations. */

1214
	unsigned char pad[256];

1215


1216
	/* Decoded key type; 0 until decoding is complete. */

1217
	unsigned char key_type;

1218


1219
	/* Buffer for the private key elements. It shall be large enough

1220
	   to accommodate all elements for a RSA-4096 private key (roughly

1221
	   five 2048-bit integers, possibly a bit more). */

1222
	unsigned char key_data[3 * BR_X509_BUFSIZE_SIG];

1223
#endif

1224
} br_skey_decoder_context;

1225


1226
/**

1227
 * \brief Initialise a private key decoder context.

1228
 *

1229
 * \param ctx   key decoder context to initialise.

1230
 */

1231
void br_skey_decoder_init(br_skey_decoder_context *ctx);

1232


1233
/**

1234
 * \brief Push some data bytes into a private key decoder context.

1235
 *

1236
 * If `len` is non-zero, then that many data bytes, starting at address

1237
 * `data`, are pushed into the decoder.

1238
 *

1239
 * \param ctx    key decoder context.

1240
 * \param data   private key data chunk.

1241
 * \param len    private key data chunk length (in bytes).

1242
 */

1243
void br_skey_decoder_push(br_skey_decoder_context *ctx,

1244
	const void *data, size_t len);

1245


1246
/**

1247
 * \brief Get the decoding status for a private key.

1248
 *

1249
 * Decoding status is 0 on success, or a non-zero error code. If the

1250
 * decoding is unfinished when this function is called, then the

1251
 * status code `BR_ERR_X509_TRUNCATED` is returned.

1252
 *

1253
 * \param ctx   key decoder context.

1254
 * \return  0 on successful decoding, or a non-zero error code.

1255
 */

1256
static inline int

1257
br_skey_decoder_last_error(const br_skey_decoder_context *ctx)

1258
{

1259
	if (ctx->err != 0) {

1260
		return ctx->err;

1261
	}

1262
	if (ctx->key_type == 0) {

1263
		return BR_ERR_X509_TRUNCATED;

1264
	}

1265
	return 0;

1266
}

1267


1268
/**

1269
 * \brief Get the decoded private key type.

1270
 *

1271
 * Private key type is `BR_KEYTYPE_RSA` or `BR_KEYTYPE_EC`. If decoding is

1272
 * not finished or failed, then 0 is returned.

1273
 *

1274
 * \param ctx   key decoder context.

1275
 * \return  decoded private key type, or 0.

1276
 */

1277
static inline int

1278
br_skey_decoder_key_type(const br_skey_decoder_context *ctx)

1279
{

1280
	if (ctx->err == 0) {

1281
		return ctx->key_type;

1282
	} else {

1283
		return 0;

1284
	}

1285
}

1286


1287
/**

1288
 * \brief Get the decoded RSA private key.

1289
 *

1290
 * This function returns `NULL` if the decoding failed, or is not

1291
 * finished, or the key is not RSA. The returned pointer references

1292
 * structures within the context that can become invalid if the context

1293
 * is reused or released.

1294
 *

1295
 * \param ctx   key decoder context.

1296
 * \return  decoded RSA private key, or `NULL`.

1297
 */

1298
static inline const br_rsa_private_key *

1299
br_skey_decoder_get_rsa(const br_skey_decoder_context *ctx)

1300
{

1301
	if (ctx->err == 0 && ctx->key_type == BR_KEYTYPE_RSA) {

1302
		return &ctx->key.rsa;

1303
	} else {

1304
		return NULL;

1305
	}

1306
}

1307


1308
/**

1309
 * \brief Get the decoded EC private key.

1310
 *

1311
 * This function returns `NULL` if the decoding failed, or is not

1312
 * finished, or the key is not EC. The returned pointer references

1313
 * structures within the context that can become invalid if the context

1314
 * is reused or released.

1315
 *

1316
 * \param ctx   key decoder context.

1317
 * \return  decoded EC private key, or `NULL`.

1318
 */

1319
static inline const br_ec_private_key *

1320
br_skey_decoder_get_ec(const br_skey_decoder_context *ctx)

1321
{

1322
	if (ctx->err == 0 && ctx->key_type == BR_KEYTYPE_EC) {

1323
		return &ctx->key.ec;

1324
	} else {

1325
		return NULL;

1326
	}

1327
}

1328


1329
/**

1330
 * \brief Encode an RSA private key (raw DER format).

1331
 *

1332
 * This function encodes the provided key into the "raw" format specified

1333
 * in PKCS#1 (RFC 8017, Appendix C, type `RSAPrivateKey`), with DER

1334
 * encoding rules.

1335
 *

1336
 * The key elements are:

1337
 *

1338
 *  - `sk`: the private key (`p`, `q`, `dp`, `dq` and `iq`)

1339
 *

1340
 *  - `pk`: the public key (`n` and `e`)

1341
 *

1342
 *  - `d` (size: `dlen` bytes): the private exponent

1343
 *

1344
 * The public key elements, and the private exponent `d`, can be

1345
 * recomputed from the private key (see `br_rsa_compute_modulus()`,

1346
 * `br_rsa_compute_pubexp()` and `br_rsa_compute_privexp()`).

1347
 *

1348
 * If `dest` is not `NULL`, then the encoded key is written at that

1349
 * address, and the encoded length (in bytes) is returned. If `dest` is

1350
 * `NULL`, then nothing is written, but the encoded length is still

1351
 * computed and returned.

1352
 *

1353
 * \param dest   the destination buffer (or `NULL`).

1354
 * \param sk     the RSA private key.

1355
 * \param pk     the RSA public key.

1356
 * \param d      the RSA private exponent.

1357
 * \param dlen   the RSA private exponent length (in bytes).

1358
 * \return  the encoded key length (in bytes).

1359
 */

1360
size_t br_encode_rsa_raw_der(void *dest, const br_rsa_private_key *sk,

1361
	const br_rsa_public_key *pk, const void *d, size_t dlen);

1362


1363
/**

1364
 * \brief Encode an RSA private key (PKCS#8 DER format).

1365
 *

1366
 * This function encodes the provided key into the PKCS#8 format

1367
 * (RFC 5958, type `OneAsymmetricKey`). It wraps around the "raw DER"

1368
 * format for the RSA key, as implemented by `br_encode_rsa_raw_der()`.

1369
 *

1370
 * The key elements are:

1371
 *

1372
 *  - `sk`: the private key (`p`, `q`, `dp`, `dq` and `iq`)

1373
 *

1374
 *  - `pk`: the public key (`n` and `e`)

1375
 *

1376
 *  - `d` (size: `dlen` bytes): the private exponent

1377
 *

1378
 * The public key elements, and the private exponent `d`, can be

1379
 * recomputed from the private key (see `br_rsa_compute_modulus()`,

1380
 * `br_rsa_compute_pubexp()` and `br_rsa_compute_privexp()`).

1381
 *

1382
 * If `dest` is not `NULL`, then the encoded key is written at that

1383
 * address, and the encoded length (in bytes) is returned. If `dest` is

1384
 * `NULL`, then nothing is written, but the encoded length is still

1385
 * computed and returned.

1386
 *

1387
 * \param dest   the destination buffer (or `NULL`).

1388
 * \param sk     the RSA private key.

1389
 * \param pk     the RSA public key.

1390
 * \param d      the RSA private exponent.

1391
 * \param dlen   the RSA private exponent length (in bytes).

1392
 * \return  the encoded key length (in bytes).

1393
 */

1394
size_t br_encode_rsa_pkcs8_der(void *dest, const br_rsa_private_key *sk,

1395
	const br_rsa_public_key *pk, const void *d, size_t dlen);

1396


1397
/**

1398
 * \brief Encode an EC private key (raw DER format).

1399
 *

1400
 * This function encodes the provided key into the "raw" format specified

1401
 * in RFC 5915 (type `ECPrivateKey`), with DER encoding rules.

1402
 *

1403
 * The private key is provided in `sk`, the public key being `pk`. If

1404
 * `pk` is `NULL`, then the encoded key will not include the public key

1405
 * in its `publicKey` field (which is nominally optional).

1406
 *

1407
 * If `dest` is not `NULL`, then the encoded key is written at that

1408
 * address, and the encoded length (in bytes) is returned. If `dest` is

1409
 * `NULL`, then nothing is written, but the encoded length is still

1410
 * computed and returned.

1411
 *

1412
 * If the key cannot be encoded (e.g. because there is no known OBJECT

1413
 * IDENTIFIER for the used curve), then 0 is returned.

1414
 *

1415
 * \param dest   the destination buffer (or `NULL`).

1416
 * \param sk     the EC private key.

1417
 * \param pk     the EC public key (or `NULL`).

1418
 * \return  the encoded key length (in bytes), or 0.

1419
 */

1420
size_t br_encode_ec_raw_der(void *dest,

1421
	const br_ec_private_key *sk, const br_ec_public_key *pk);

1422


1423
/**

1424
 * \brief Encode an EC private key (PKCS#8 DER format).

1425
 *

1426
 * This function encodes the provided key into the PKCS#8 format

1427
 * (RFC 5958, type `OneAsymmetricKey`). The curve is identified

1428
 * by an OID provided as parameters to the `privateKeyAlgorithm`

1429
 * field. The private key value (contents of the `privateKey` field)

1430
 * contains the DER encoding of the `ECPrivateKey` type defined in

1431
 * RFC 5915, without the `parameters` field (since they would be

1432
 * redundant with the information in `privateKeyAlgorithm`).

1433
 *

1434
 * The private key is provided in `sk`, the public key being `pk`. If

1435
 * `pk` is not `NULL`, then the encoded public key is included in the

1436
 * `publicKey` field of the private key value (but not in the `publicKey`

1437
 * field of the PKCS#8 `OneAsymmetricKey` wrapper).

1438
 *

1439
 * If `dest` is not `NULL`, then the encoded key is written at that

1440
 * address, and the encoded length (in bytes) is returned. If `dest` is

1441
 * `NULL`, then nothing is written, but the encoded length is still

1442
 * computed and returned.

1443
 *

1444
 * If the key cannot be encoded (e.g. because there is no known OBJECT

1445
 * IDENTIFIER for the used curve), then 0 is returned.

1446
 *

1447
 * \param dest   the destination buffer (or `NULL`).

1448
 * \param sk     the EC private key.

1449
 * \param pk     the EC public key (or `NULL`).

1450
 * \return  the encoded key length (in bytes), or 0.

1451
 */

1452
size_t br_encode_ec_pkcs8_der(void *dest,

1453
	const br_ec_private_key *sk, const br_ec_public_key *pk);

1454


1455
/**

1456
 * \brief PEM banner for RSA private key (raw).

1457
 */

1458
#define BR_ENCODE_PEM_RSA_RAW      "RSA PRIVATE KEY"

1459


1460
/**

1461
 * \brief PEM banner for EC private key (raw).

1462
 */

1463
#define BR_ENCODE_PEM_EC_RAW       "EC PRIVATE KEY"

1464


1465
/**

1466
 * \brief PEM banner for an RSA or EC private key in PKCS#8 format.

1467
 */

1468
#define BR_ENCODE_PEM_PKCS8        "PRIVATE KEY"

1469


1470
#ifdef __cplusplus

1471
}

1472
#endif

1473


1474
#endif

1475


1476