2 * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
5 /* ====================================================================
6 * Copyright (c) 2013 The OpenSSL Project. All rights reserved.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
34 * 6. Redistributions of any form whatsoever must retain the following
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
60 * This structure holds all parameters associated with a verify operation by
61 * including an X509_VERIFY_PARAM structure in related structures the
62 * parameters used can be customized
65 struct X509_VERIFY_PARAM_st
{
67 time_t check_time
; /* Time to use */
68 unsigned long inh_flags
; /* Inheritance flags */
69 unsigned long flags
; /* Various verify flags */
70 int purpose
; /* purpose to check untrusted certificates */
71 int trust
; /* trust setting to check */
72 int depth
; /* Verify depth */
73 int auth_level
; /* Security level for chain verification */
74 STACK_OF(ASN1_OBJECT
) *policies
; /* Permissible policies */
75 /* Peer identity details */
76 STACK_OF(OPENSSL_STRING
) *hosts
; /* Set of acceptable names */
77 unsigned int hostflags
; /* Flags to control matching features */
78 char *peername
; /* Matching hostname in peer certificate */
79 char *email
; /* If not NULL email address to match */
81 unsigned char *ip
; /* If not NULL IP address to match */
82 size_t iplen
; /* Length of IP address */
85 /* No error callback if depth < 0 */
86 int x509_check_cert_time(X509_STORE_CTX
*ctx
, X509
*x
, int depth
);
88 /* a sequence of these are used */
89 struct x509_attributes_st
{
91 STACK_OF(ASN1_TYPE
) *set
;
94 struct X509_extension_st
{
96 ASN1_BOOLEAN critical
;
97 ASN1_OCTET_STRING value
;
101 * Method to handle CRL access. In general a CRL could be very large (several
102 * Mb) and can consume large amounts of resources if stored in memory by
103 * multiple processes. This method allows general CRL operations to be
104 * redirected to more efficient callbacks: for example a CRL entry database.
107 #define X509_CRL_METHOD_DYNAMIC 1
109 struct x509_crl_method_st
{
111 int (*crl_init
) (X509_CRL
*crl
);
112 int (*crl_free
) (X509_CRL
*crl
);
113 int (*crl_lookup
) (X509_CRL
*crl
, X509_REVOKED
**ret
,
114 ASN1_INTEGER
*ser
, X509_NAME
*issuer
);
115 int (*crl_verify
) (X509_CRL
*crl
, EVP_PKEY
*pk
);
118 struct x509_lookup_method_st
{
120 int (*new_item
) (X509_LOOKUP
*ctx
);
121 void (*free
) (X509_LOOKUP
*ctx
);
122 int (*init
) (X509_LOOKUP
*ctx
);
123 int (*shutdown
) (X509_LOOKUP
*ctx
);
124 int (*ctrl
) (X509_LOOKUP
*ctx
, int cmd
, const char *argc
, long argl
,
126 int (*get_by_subject
) (X509_LOOKUP
*ctx
, int type
, X509_NAME
*name
,
128 int (*get_by_issuer_serial
) (X509_LOOKUP
*ctx
, int type
, X509_NAME
*name
,
129 ASN1_INTEGER
*serial
, X509_OBJECT
*ret
);
130 int (*get_by_fingerprint
) (X509_LOOKUP
*ctx
, int type
,
131 unsigned char *bytes
, int len
,
133 int (*get_by_alias
) (X509_LOOKUP
*ctx
, int type
, char *str
, int len
,
137 /* This is the functions plus an instance of the local variables. */
138 struct x509_lookup_st
{
139 int init
; /* have we been started */
140 int skip
; /* don't use us. */
141 X509_LOOKUP_METHOD
*method
; /* the functions */
142 char *method_data
; /* method data */
143 X509_STORE
*store_ctx
; /* who owns us */
147 * This is used to hold everything. It is used for all certificate
148 * validation. Once we have a certificate chain, the 'verify' function is
149 * then called to actually check the cert chain.
151 struct x509_store_st
{
152 /* The following is a cache of trusted certs */
153 int cache
; /* if true, stash any hits */
154 STACK_OF(X509_OBJECT
) *objs
; /* Cache of all objects */
155 /* These are external lookup methods */
156 STACK_OF(X509_LOOKUP
) *get_cert_methods
;
157 X509_VERIFY_PARAM
*param
;
158 /* Callbacks for various operations */
159 /* called to verify a certificate */
160 int (*verify
) (X509_STORE_CTX
*ctx
);
162 int (*verify_cb
) (int ok
, X509_STORE_CTX
*ctx
);
163 /* get issuers cert from ctx */
164 int (*get_issuer
) (X509
**issuer
, X509_STORE_CTX
*ctx
, X509
*x
);
166 int (*check_issued
) (X509_STORE_CTX
*ctx
, X509
*x
, X509
*issuer
);
167 /* Check revocation status of chain */
168 int (*check_revocation
) (X509_STORE_CTX
*ctx
);
170 int (*get_crl
) (X509_STORE_CTX
*ctx
, X509_CRL
**crl
, X509
*x
);
171 /* Check CRL validity */
172 int (*check_crl
) (X509_STORE_CTX
*ctx
, X509_CRL
*crl
);
173 /* Check certificate against CRL */
174 int (*cert_crl
) (X509_STORE_CTX
*ctx
, X509_CRL
*crl
, X509
*x
);
175 STACK_OF(X509
) *(*lookup_certs
) (X509_STORE_CTX
*ctx
, X509_NAME
*nm
);
176 STACK_OF(X509_CRL
) *(*lookup_crls
) (X509_STORE_CTX
*ctx
, X509_NAME
*nm
);
177 int (*cleanup
) (X509_STORE_CTX
*ctx
);
178 CRYPTO_EX_DATA ex_data
;
183 typedef struct lookup_dir_hashes_st BY_DIR_HASH
;
184 typedef struct lookup_dir_entry_st BY_DIR_ENTRY
;
185 DEFINE_STACK_OF(BY_DIR_HASH
)
186 DEFINE_STACK_OF(BY_DIR_ENTRY
)
187 typedef STACK_OF(X509_NAME_ENTRY
) STACK_OF_X509_NAME_ENTRY
;
188 DEFINE_STACK_OF(STACK_OF_X509_NAME_ENTRY
)