1*5158016fSjsg /* $OpenBSD: x509_internal.h,v 1.28 2024/05/19 07:12:50 jsg Exp $ */
2d27446edSbeck /*
3d27446edSbeck  * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
4d27446edSbeck  *
5d27446edSbeck  * Permission to use, copy, modify, and distribute this software for any
6d27446edSbeck  * purpose with or without fee is hereby granted, provided that the above
7d27446edSbeck  * copyright notice and this permission notice appear in all copies.
8d27446edSbeck  *
9d27446edSbeck  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10d27446edSbeck  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11d27446edSbeck  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12d27446edSbeck  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13d27446edSbeck  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14d27446edSbeck  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15d27446edSbeck  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16d27446edSbeck  */
17d27446edSbeck #ifndef HEADER_X509_INTERNAL_H
18d27446edSbeck #define HEADER_X509_INTERNAL_H
19d27446edSbeck 
20d27446edSbeck /* Internal use only, not public API */
21d27446edSbeck #include <netinet/in.h>
22d27446edSbeck 
23f06436f8Sbeck #include "bytestring.h"
24c9675a23Stb #include "x509_local.h"
251ac7cf52Stb #include "x509_verify.h"
26838f0b6dStb 
/*
 * Hard limits on structure size and number of signature checks.
 * These bound the work a single verification can be driven to do by
 * peer-controlled input; the max_chains, max_depth and max_sigs fields
 * of struct x509_verify_ctx below presumably default to these values —
 * confirm against the implementation.
 */
#define X509_VERIFY_MAX_CHAINS		8	/* Max validated chains */
#define X509_VERIFY_MAX_CHAIN_CERTS	32	/* Max depth of a chain */
#define X509_VERIFY_MAX_SIGCHECKS	256	/* Max signature checks */

/*
 * Limit the number of names and constraints we will check in a chain
 * to avoid a hostile input DOS. A peer-supplied chain can carry an
 * arbitrary number of names and name constraints; assuming each name is
 * checked against each constraint, the product of these two limits
 * bounds the matching work.
 */
#define X509_VERIFY_MAX_CHAIN_NAMES		512
#define X509_VERIFY_MAX_CHAIN_CONSTRAINTS	512
38d27446edSbeck 
/*
 * Hold the parsed and validated result of names from a certificate.
 * these typically come from a GENERALNAME, but we store the parsed
 * and validated results, not the ASN1 bytes.
 *
 * Owned members are released by x509_constraints_name_clear() and
 * x509_constraints_name_free() (declared below). Presumably only the
 * members relevant to `type` are populated — confirm against the
 * implementation before reading the others.
 */
struct x509_constraints_name {
	int type;			/* GEN_* types from GENERAL_NAME */
	char *name;			/* Name to check (assumed NUL-terminated — confirm) */
	char *local;			/* holds the local part of GEN_EMAIL */
	uint8_t *der;			/* DER encoded value or NULL*/
	size_t der_len;			/* Length of der in bytes */
	int af;				/* INET and INET6 are supported */
	uint8_t address[32];		/* Must hold ipv6 + mask (16 + 16 bytes) */
};
53d27446edSbeck 
/*
 * A bounded, growable array of x509_constraints_name pointers.
 * Created by x509_constraints_names_new(names_max) and released by
 * x509_constraints_names_free() (both declared below). names_max is
 * presumably the limit handed to _new(), e.g. one of the
 * X509_VERIFY_MAX_CHAIN_* values above; the split between names_count
 * and names_len looks like "entries in use" versus "slots allocated" —
 * confirm against the implementation before relying on either.
 */
struct x509_constraints_names {
	struct x509_constraints_name **names;	/* Array of name pointers */
	size_t names_count;			/* Entries in use (presumably) */
	size_t names_len;			/* Slots allocated (presumably) */
	size_t names_max;			/* Hard cap, set at creation */
};
60d27446edSbeck 
/*
 * One certification path built during verification. certs is kept in
 * chain order starting at the leaf; cert_errors is presumably parallel
 * to certs (one verify error per certificate, indexed by position) —
 * confirm against the implementation. names collects every name from
 * every certificate in the chain so constraints can be checked against
 * all of them at once.
 */
struct x509_verify_chain {
	STACK_OF(X509) *certs;		/* Kept in chain order, includes leaf */
	int *cert_errors;		/* Verify error for each cert in chain. */
	struct x509_constraints_names *names;	/* All names from all certs */
};
66d27446edSbeck 
/*
 * State for one chain-building and validation run, built from an
 * X509_STORE_CTX by x509_verify_ctx_new_from_xsc() (declared below).
 * The max_* fields bound the work peer-controlled input can cause:
 * sig_checks is presumably the running counter compared against
 * max_sigs, and chains_count should never exceed max_chains. The
 * saved_error* fields carry no comment in the original; they look like
 * a snapshot of an error chain/code/depth kept for later reporting —
 * confirm against the implementation.
 */
struct x509_verify_ctx {
	X509_STORE_CTX *xsc;		/* Store context this run validates for */
	struct x509_verify_chain **chains;	/* Validated chains */
	STACK_OF(X509) *saved_error_chain;	/* Chain tied to saved_error (presumably) */
	int saved_error;		/* Saved verify error code */
	int saved_error_depth;		/* Depth associated with saved_error */
	size_t chains_count;		/* Entries in chains */
	STACK_OF(X509) *roots;		/* Trusted roots for this validation */
	STACK_OF(X509) *intermediates;	/* Intermediates provided by peer (untrusted) */
	time_t *check_time;		/* Time for validity checks (NULL presumably means "now" — confirm) */
	int purpose;			/* Cert purpose we are validating */
	size_t max_chains;		/* Max chains to return */
	size_t max_depth;		/* Max chain depth for validation */
	size_t max_sigs;		/* Max number of signature checks */
	size_t sig_checks;		/* Number of signature checks done */
	size_t error_depth;		/* Depth of last error seen */
	int error;			/* Last error seen */
};
8523258cfeSbeck 
/*
 * Presumably clamps an out-of-range notAfter broken-down time in place
 * (cf. x509_verify_asn1_time_to_time_t() below). Note this declaration
 * sits outside the __BEGIN_HIDDEN_DECLS/__END_HIDDEN_DECLS block that
 * wraps every other prototype in this header, so nothing here marks it
 * hidden — verify that is intended.
 */
int ASN1_time_tm_clamp_notafter(struct tm *tm);
8723258cfeSbeck 
88d27446edSbeck __BEGIN_HIDDEN_DECLS
89d27446edSbeck 
/*
 * Per-chain checks operating on an X509_STORE_CTX. Each returns int;
 * by libcrypto convention that is 1 on success and 0 on failure with
 * the error recorded in the context (presumably — confirm against the
 * implementation).
 */
int x509_vfy_check_id(X509_STORE_CTX *ctx);
int x509_vfy_check_revocation(X509_STORE_CTX *ctx);
int x509_vfy_check_policy(X509_STORE_CTX *ctx);
int x509_vfy_check_trust(X509_STORE_CTX *ctx);
int x509_vfy_check_chain_extensions(X509_STORE_CTX *ctx);
int x509_vfy_check_security_level(X509_STORE_CTX *ctx);
int x509_vfy_callback_indicate_completion(X509_STORE_CTX *ctx);

/* Populate the cached extension data on x. */
int x509v3_cache_extensions(X509 *x);

/*
 * Look up a certificate matching x via ctx. Ownership of the returned
 * X509 is not visible from this header — check before freeing it.
 */
X509 *x509_vfy_lookup_cert_match(X509_STORE_CTX *ctx, X509 *x);

/*
 * Convert atime to a time_t in *out; notafter selects notAfter (nonzero)
 * versus notBefore handling. Values outside the time_t range are
 * presumably clamped rather than rejected (cf.
 * ASN1_time_tm_clamp_notafter() above), so a successful return does not
 * prove the exact instant was representable — confirm against the
 * implementation.
 */
int x509_verify_asn1_time_to_time_t(const ASN1_TIME *atime, int notafter,
    time_t *out);

/*
 * Build a struct x509_verify_ctx from an X509_STORE_CTX. No matching
 * free is declared in this header; it presumably lives in x509_verify.h,
 * included above.
 */
struct x509_verify_ctx *x509_verify_ctx_new_from_xsc(X509_STORE_CTX *xsc);

/*
 * Lifecycle of struct x509_constraints_names. _new() takes the hard cap
 * on entries (see X509_VERIFY_MAX_CHAIN_NAMES / _CONSTRAINTS above).
 * _add() stores the pointer name itself, so ownership presumably
 * transfers on success — confirm what happens to name on failure before
 * freeing it. _clear() presumably empties the container without freeing
 * the struct, _free() releases it entirely.
 */
struct x509_constraints_names *x509_constraints_names_new(size_t names_max);
int x509_constraints_names_add(struct x509_constraints_names *names,
    struct x509_constraints_name *name);
struct x509_constraints_names *x509_constraints_names_dup(
    struct x509_constraints_names *names);
void x509_constraints_names_clear(struct x509_constraints_names *names);
void x509_constraints_names_free(struct x509_constraints_names *names);

/* Release the owned members of name; _free() also releases name itself. */
void x509_constraints_name_clear(struct x509_constraints_name *name);
void x509_constraints_name_free(struct x509_constraints_name *name);

/*
 * Syntax checks on raw, peer-supplied name bytes. Inputs are CBS
 * cursors from bytestring.h (pointer + length, not NUL-terminated), so
 * a C string must be wrapped in a CBS before being passed here.
 * general_to_bytes() returns the encoded bytes through *bytes/*len;
 * whether *bytes is a fresh allocation is not visible here — check
 * before freeing.
 */
int x509_constraints_valid_host(CBS *cbs, int permit_ip);
int x509_constraints_valid_sandns(CBS *cbs);
int x509_constraints_valid_domain_constraint(CBS *cbs);
int x509_constraints_parse_mailbox(CBS *candidate,
    struct x509_constraints_name *name);
int x509_constraints_general_to_bytes(GENERAL_NAME *name, uint8_t **bytes,
    size_t *len);

/*
 * Matching of an already-validated name against a single constraint.
 * Lengths are passed explicitly, so presumably the buffers need not be
 * NUL-terminated. uri_host() returns the host part through *hostp;
 * whether *hostp is allocated (and must be freed by the caller) is not
 * visible here — confirm.
 */
int x509_constraints_domain(char *domain, size_t dlen, char *constraint,
    size_t len);
int x509_constraints_uri_host(uint8_t *uri, size_t len, char **hostp);
int x509_constraints_uri(uint8_t *uri, size_t ulen, uint8_t *constraint,
    size_t len, int *error);

/*
 * Chain-level constraint processing. *error receives a verify error
 * code on failure (presumably an X509_V_ERR_* value); include_cn
 * selects whether the subject CN is also treated as a name. The
 * extraction functions walk a peer-supplied X509, so the names_max of
 * the containers passed in is presumably what bounds their work.
 */
int x509_constraints_extract_names(struct x509_constraints_names *names,
    X509 *cert, int include_cn, int *error);
int x509_constraints_extract_constraints(X509 *cert,
    struct x509_constraints_names *permitted,
    struct x509_constraints_names *excluded, int *error);
int x509_constraints_validate(GENERAL_NAME *constraint,
    struct x509_constraints_name **out_name, int *error);
int x509_constraints_check(struct x509_constraints_names *names,
    struct x509_constraints_names *permitted,
    struct x509_constraints_names *excluded, int *error);
int x509_constraints_chain(STACK_OF(X509) *chain, int *error,
    int *depth);
138d27446edSbeck 
139d27446edSbeck __END_HIDDEN_DECLS
140d27446edSbeck 
141d27446edSbeck #endif