x509.h@ 100442

Last change on this file since 100442 was 100442, checked in by vboxsync, 15 months ago
IPRT,OpenSSL: Support ECDSA for verficiation purposes when IPRT links with OpenSSL. This required quite a bit of cleanups, so not entirely no-risk. bugref:10479 ticketref:21621
Property svn:eol-style set to `native` Property svn:keywords set to `Author Date Id Revision`
File size: 59.5 KB

Line
1	/** @file
2	* IPRT - Crypto - X.509, Public Key and Privilege Management Infrastructure.
3	*/
4
5	/*
6	* Copyright (C) 2014-2023 Oracle and/or its affiliates.
7	*
8	* This file is part of VirtualBox base platform packages, as
9	* available from https://www.virtualbox.org.
10	*
11	* This program is free software; you can redistribute it and/or
12	* modify it under the terms of the GNU General Public License
13	* as published by the Free Software Foundation, in version 3 of the
14	* License.
15	*
16	* This program is distributed in the hope that it will be useful, but
17	* WITHOUT ANY WARRANTY; without even the implied warranty of
18	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
19	* General Public License for more details.
20	*
21	* You should have received a copy of the GNU General Public License
22	* along with this program; if not, see <https://www.gnu.org/licenses>.
23	*
24	* The contents of this file may alternatively be used under the terms
25	* of the Common Development and Distribution License Version 1.0
26	* (CDDL), a copy of it is provided in the "COPYING.CDDL" file included
27	* in the VirtualBox distribution, in which case the provisions of the
28	* CDDL are applicable instead of those of the GPL.
29	*
30	* You may elect to license modified versions of this file under the
31	* terms and conditions of either the GPL or the CDDL or both.
32	*
33	* SPDX-License-Identifier: GPL-3.0-only OR CDDL-1.0
34	*/
35
36	#ifndef IPRT_INCLUDED_crypto_x509_h
37	#define IPRT_INCLUDED_crypto_x509_h
38	#ifndef RT_WITHOUT_PRAGMA_ONCE
39	# pragma once
40	#endif
41
42	#include <iprt/asn1.h>
43	#include <iprt/crypto/pem.h>
44
45
46	RT_C_DECLS_BEGIN
47
48	struct RTCRPKCS7SETOFCERTS;
49
50
51	/** @defgroup grp_rt_crypto Crypto
52	* @ingroup grp_rt
53	* @{
54	*/
55
56	/** @defgroup grp_rt_crx509 RTCrX509 - Public Key and Privilege Management Infrastructure.
57	* @{
58	*/
59
60	/**
61	* X.509 algorithm identifier (IPRT representation).
62	*/
63	typedef struct RTCRX509ALGORITHMIDENTIFIER
64	{
65	/** The sequence making up this algorithm identifier. */
66	RTASN1SEQUENCECORE SeqCore;
67	/** The algorithm object ID. */
68	RTASN1OBJID Algorithm;
69	/** Optional parameters specified by the algorithm. */
70	RTASN1DYNTYPE Parameters;
71	} RTCRX509ALGORITHMIDENTIFIER;
72	/** Poitner to the IPRT representation of a X.509 algorithm identifier. */
73	typedef RTCRX509ALGORITHMIDENTIFIER *PRTCRX509ALGORITHMIDENTIFIER;
74	/** Poitner to the const IPRT representation of a X.509 algorithm identifier. */
75	typedef RTCRX509ALGORITHMIDENTIFIER const *PCRTCRX509ALGORITHMIDENTIFIER;
76	RTASN1TYPE_STANDARD_PROTOTYPES(RTCRX509ALGORITHMIDENTIFIER, RTDECL, RTCrX509AlgorithmIdentifier, SeqCore.Asn1Core);
77	RTASN1_IMPL_GEN_SET_OF_TYPEDEFS_AND_PROTOS(RTCRX509ALGORITHMIDENTIFIERS, RTCRX509ALGORITHMIDENTIFIER, RTDECL, RTCrX509AlgorithmIdentifiers);
78
79	/**
80	* Tries to convert an X.509 digest algorithm ID into a RTDIGESTTYPE value.
81	*
82	* @returns Valid RTDIGESTTYPE on success, RTDIGESTTYPE_INVALID on failure.
83	* @param pThis The IPRT representation of a X.509 algorithm
84	* identifier object.
85	* @param fPureDigestsOnly Whether to only match IDs that only identify
86	* digest algorithms, or whether to also include
87	* IDs that mixes hash and encryption/whatever.
88	*/
89	RTDECL(RTDIGESTTYPE) RTCrX509AlgorithmIdentifier_GetDigestType(PCRTCRX509ALGORITHMIDENTIFIER pThis, bool fPureDigestsOnly);
90
91	/**
92	* Tries to figure the digest size of an X.509 digest algorithm ID.
93	*
94	* @returns The digest size in bytes, UINT32_MAX if unknown digest.
95	* @param pThis The IPRT representation of a X.509 algorithm
96	* identifier object.
97	* @param fPureDigestsOnly Whether to only match IDs that only identify
98	* digest algorithms, or whether to also include
99	* IDs that mixes hash and encryption/whatever.
100	*/
101	RTDECL(uint32_t) RTCrX509AlgorithmIdentifier_GetDigestSize(PCRTCRX509ALGORITHMIDENTIFIER pThis, bool fPureDigestsOnly);
102
103	/**
104	* Tries to get the encryption OID from the algorithm.
105	*
106	* @returns The encryption (cipher) OID on success, NULL on failure.
107	* @param pThis The IPRT representation of a X.509 algorithm
108	* identifier object.
109	* @param fMustIncludeHash Whether the algorithm ID represented by @a pThis
110	* must include a hash (true) or whether it is
111	* okay to accept pure encryption IDs as well
112	* (false).
113	*/
114	RTDECL(const char *) RTCrX509AlgorithmIdentifier_GetEncryptionOid(PCRTCRX509ALGORITHMIDENTIFIER pThis, bool fMustIncludeHash);
115
116	/**
117	* Tries to get the encryption OID from the given algorithm OID string.
118	*
119	* @returns The encryption (cipher) OID on success, NULL on failure.
120	* @param pszAlgorithmOid The IPRT representation of a X.509 algorithm
121	* identifier object.
122	* @param fMustIncludeHash Whether @a pszAlgorithmOid must include a hash
123	* (true) or whether it is okay to accept pure
124	* encryption IDs as well (false).
125	*/
126	RTDECL(const char ) RTCrX509AlgorithmIdentifier_GetEncryptionOidFromOid(const char pszAlgorithmOid, bool fMustIncludeHash);
127
128	RTDECL(int) RTCrX509AlgorithmIdentifier_CompareWithString(PCRTCRX509ALGORITHMIDENTIFIER pThis, const char *pszObjId);
129
130	/**
131	* Compares a digest with an encrypted digest algorithm, checking if they
132	* specify the same digest.
133	*
134	* @returns 0 if same digest, -1 if the digest is unknown, 1 if the encrypted
135	* digest does not match.
136	* @param pDigest The digest algorithm.
137	* @param pEncryptedDigest The encrypted digest algorithm.
138	*/
139	RTDECL(int) RTCrX509AlgorithmIdentifier_CompareDigestAndEncryptedDigest(PCRTCRX509ALGORITHMIDENTIFIER pDigest,
140	PCRTCRX509ALGORITHMIDENTIFIER pEncryptedDigest);
141	/**
142	* Compares a digest OID with an encrypted digest algorithm OID, checking if
143	* they specify the same digest.
144	*
145	* @returns 0 if same digest, -1 if the digest is unknown, 1 if the encrypted
146	* digest does not match.
147	* @param pszDigestOid The digest algorithm OID.
148	* @param pszEncryptedDigestOid The encrypted digest algorithm OID.
149	*/
150	RTDECL(int) RTCrX509AlgorithmIdentifier_CompareDigestOidAndEncryptedDigestOid(const char *pszDigestOid,
151	const char *pszEncryptedDigestOid);
152
153
154	/**
155	* Combine the encryption algorithm with the digest algorithm.
156	*
157	* @returns OID of encrypted digest algorithm.
158	* @param pEncryption The encryption algorithm. Will work if this is
159	* the OID of an encrypted digest algorithm too, as
160	* long as it matches @a pDigest.
161	* @param pDigest The digest algorithm. Will work if this is the
162	* OID of an encrypted digest algorithm too, as
163	* long as it matches @a pEncryption.
164	*/
165	RTDECL(const char *) RTCrX509AlgorithmIdentifier_CombineEncryptionAndDigest(PCRTCRX509ALGORITHMIDENTIFIER pEncryption,
166	PCRTCRX509ALGORITHMIDENTIFIER pDigest);
167
168	/**
169	* Combine the encryption algorithm OID with the digest algorithm OID.
170	*
171	* @returns OID of encrypted digest algorithm.
172	* @param pszEncryptionOid The encryption algorithm. Will work if this is
173	* the OID of an encrypted digest algorithm too, as
174	* long as it matches @a pszDigestOid.
175	* @param pszDigestOid The digest algorithm. Will work if this is the
176	* OID of an encrypted digest algorithm too, as
177	* long as it matches @a pszEncryptionOid.
178	*/
179	RTDECL(const char ) RTCrX509AlgorithmIdentifier_CombineEncryptionOidAndDigestOid(const char pszEncryptionOid,
180	const char *pszDigestOid);
181
182
183	/** @name Typical Digest Algorithm OIDs.
184	* @{ */
185	#define RTCRX509ALGORITHMIDENTIFIERID_MD2 "1.2.840.113549.2.2"
186	#define RTCRX509ALGORITHMIDENTIFIERID_MD4 "1.2.840.113549.2.4"
187	#define RTCRX509ALGORITHMIDENTIFIERID_MD5 "1.2.840.113549.2.5"
188	#define RTCRX509ALGORITHMIDENTIFIERID_SHA0 "1.3.14.3.2.18"
189	#define RTCRX509ALGORITHMIDENTIFIERID_SHA1 "1.3.14.3.2.26"
190	#define RTCRX509ALGORITHMIDENTIFIERID_SHA256 "2.16.840.1.101.3.4.2.1"
191	#define RTCRX509ALGORITHMIDENTIFIERID_SHA384 "2.16.840.1.101.3.4.2.2"
192	#define RTCRX509ALGORITHMIDENTIFIERID_SHA512 "2.16.840.1.101.3.4.2.3"
193	#define RTCRX509ALGORITHMIDENTIFIERID_SHA224 "2.16.840.1.101.3.4.2.4"
194	#define RTCRX509ALGORITHMIDENTIFIERID_SHA512T224 "2.16.840.1.101.3.4.2.5"
195	#define RTCRX509ALGORITHMIDENTIFIERID_SHA512T256 "2.16.840.1.101.3.4.2.6"
196	#define RTCRX509ALGORITHMIDENTIFIERID_SHA3_224 "2.16.840.1.101.3.4.2.7"
197	#define RTCRX509ALGORITHMIDENTIFIERID_SHA3_256 "2.16.840.1.101.3.4.2.8"
198	#define RTCRX509ALGORITHMIDENTIFIERID_SHA3_384 "2.16.840.1.101.3.4.2.9"
199	#define RTCRX509ALGORITHMIDENTIFIERID_SHA3_512 "2.16.840.1.101.3.4.2.10"
200	#define RTCRX509ALGORITHMIDENTIFIERID_WHIRLPOOL "1.0.10118.3.0.55"
201	/** @} */
202
203	/** @name Encrypted Digest Algorithm OIDs.
204	* @remarks The PKCS variants are the default ones, alternative OID are marked
205	* as such.
206	* @{ */
207	#define RTCRX509ALGORITHMIDENTIFIERID_RSA "1.2.840.113549.1.1.1"
208	#define RTCRX509ALGORITHMIDENTIFIERID_MD2_WITH_RSA "1.2.840.113549.1.1.2"
209	#define RTCRX509ALGORITHMIDENTIFIERID_MD4_WITH_RSA "1.2.840.113549.1.1.3"
210	#define RTCRX509ALGORITHMIDENTIFIERID_MD5_WITH_RSA "1.2.840.113549.1.1.4"
211	#define RTCRX509ALGORITHMIDENTIFIERID_SHA1_WITH_RSA "1.2.840.113549.1.1.5"
212	#define RTCRX509ALGORITHMIDENTIFIERID_SHA256_WITH_RSA "1.2.840.113549.1.1.11"
213	#define RTCRX509ALGORITHMIDENTIFIERID_SHA384_WITH_RSA "1.2.840.113549.1.1.12"
214	#define RTCRX509ALGORITHMIDENTIFIERID_SHA512_WITH_RSA "1.2.840.113549.1.1.13"
215	#define RTCRX509ALGORITHMIDENTIFIERID_SHA224_WITH_RSA "1.2.840.113549.1.1.14"
216	#define RTCRX509ALGORITHMIDENTIFIERID_SHA512T224_WITH_RSA "1.2.840.113549.1.1.15"
217	#define RTCRX509ALGORITHMIDENTIFIERID_SHA512T256_WITH_RSA "1.2.840.113549.1.1.16"
218	#define RTCRX509ALGORITHMIDENTIFIERID_SHA3_224_WITH_RSA "2.16.840.1.101.3.4.3.13"
219	#define RTCRX509ALGORITHMIDENTIFIERID_SHA3_256_WITH_RSA "2.16.840.1.101.3.4.3.14"
220	#define RTCRX509ALGORITHMIDENTIFIERID_SHA3_384_WITH_RSA "2.16.840.1.101.3.4.3.15"
221	#define RTCRX509ALGORITHMIDENTIFIERID_SHA3_512_WITH_RSA "2.16.840.1.101.3.4.3.16"
222	#define RTCRX509ALGORITHMIDENTIFIERID_ECDSA "1.2.840.10045.2.1"
223	#define RTCRX509ALGORITHMIDENTIFIERID_SHA1_WITH_ECDSA "1.2.840.10045.4.1"
224	#define RTCRX509ALGORITHMIDENTIFIERID_SHA224_WITH_ECDSA "1.2.840.10045.4.3.1"
225	#define RTCRX509ALGORITHMIDENTIFIERID_SHA256_WITH_ECDSA "1.2.840.10045.4.3.2"
226	#define RTCRX509ALGORITHMIDENTIFIERID_SHA384_WITH_ECDSA "1.2.840.10045.4.3.3"
227	#define RTCRX509ALGORITHMIDENTIFIERID_SHA512_WITH_ECDSA "1.2.840.10045.4.3.4"
228	#define RTCRX509ALGORITHMIDENTIFIERID_SHA3_224_WITH_ECDSA "2.16.840.1.101.3.4.3.9"
229	#define RTCRX509ALGORITHMIDENTIFIERID_SHA3_256_WITH_ECDSA "2.16.840.1.101.3.4.3.10"
230	#define RTCRX509ALGORITHMIDENTIFIERID_SHA3_384_WITH_ECDSA "2.16.840.1.101.3.4.3.11"
231	#define RTCRX509ALGORITHMIDENTIFIERID_SHA3_512_WITH_ECDSA "2.16.840.1.101.3.4.3.12"
232	/** @} */
233
234
235
236
237	/**
238	* One X.509 AttributeTypeAndValue (IPRT representation).
239	*/
240	typedef struct RTCRX509ATTRIBUTETYPEANDVALUE
241	{
242	/** Sequence core. */
243	RTASN1SEQUENCECORE SeqCore;
244	/** The attribute type (object ID). */
245	RTASN1OBJID Type;
246	/** The attribute value (what it is is defined by Type). */
247	RTASN1DYNTYPE Value;
248	} RTCRX509ATTRIBUTETYPEANDVALUE;
249	/** Pointer to a X.509 AttributeTypeAndValue (IPRT representation). */
250	typedef RTCRX509ATTRIBUTETYPEANDVALUE *PRTCRX509ATTRIBUTETYPEANDVALUE;
251	/** Pointer to a const X.509 AttributeTypeAndValue (IPRT representation). */
252	typedef RTCRX509ATTRIBUTETYPEANDVALUE const *PCRTCRX509ATTRIBUTETYPEANDVALUE;
253	RTASN1TYPE_STANDARD_PROTOTYPES(RTCRX509ATTRIBUTETYPEANDVALUE, RTDECL, RTCrX509AttributeTypeAndValue, SeqCore.Asn1Core);
254	RTASN1_IMPL_GEN_SET_OF_TYPEDEFS_AND_PROTOS(RTCRX509ATTRIBUTETYPEANDVALUES, RTCRX509ATTRIBUTETYPEANDVALUE, RTDECL, RTCrX509AttributeTypeAndValues);
255
256	RTASN1TYPE_ALIAS(RTCRX509RELATIVEDISTINGUISHEDNAME, RTCRX509ATTRIBUTETYPEANDVALUES, RTCrX509RelativeDistinguishedName, RTCrX509AttributeTypeAndValues);
257
258
259	RTASN1_IMPL_GEN_SEQ_OF_TYPEDEFS_AND_PROTOS(RTCRX509NAME, RTCRX509RELATIVEDISTINGUISHEDNAME, RTDECL, RTCrX509Name);
260	RTDECL(int) RTCrX509Name_CheckSanity(PCRTCRX509NAME pName, uint32_t fFlags, PRTERRINFO pErrInfo, const char *pszErrorTag);
261	RTDECL(bool) RTCrX509Name_MatchByRfc5280(PCRTCRX509NAME pLeft, PCRTCRX509NAME pRight);
262
263	/**
264	* Name constraint matching (RFC-5280).
265	*
266	* @returns true on match, false on mismatch.
267	* @param pConstraint The constraint name.
268	* @param pName The name to match against the constraint.
269	* @sa RTCrX509GeneralName_ConstraintMatch,
270	* RTCrX509RelativeDistinguishedName_ConstraintMatch
271	*/
272	RTDECL(bool) RTCrX509Name_ConstraintMatch(PCRTCRX509NAME pConstraint, PCRTCRX509NAME pName);
273	RTDECL(int) RTCrX509Name_RecodeAsUtf8(PRTCRX509NAME pThis, PCRTASN1ALLOCATORVTABLE pAllocator);
274
275	/**
276	* Matches the directory name against a comma separated list of the component
277	* strings (case sensitive).
278	*
279	* @returns true if match, false if mismatch.
280	* @param pThis The name object.
281	* @param pszString The string to match against. For example:
282	* "C=US, ST=California, L=Redwood Shores, O=Oracle Corporation"
283	*
284	* @remarks This is doing a straight compare, no extra effort is expended in
285	* dealing with different component order. If the component order
286	* differs, there won't be any match.
287	*/
288	RTDECL(bool) RTCrX509Name_MatchWithString(PCRTCRX509NAME pThis, const char *pszString);
289
290	/**
291	* Formats the name as a command separated list of components with type
292	* prefixes.
293	*
294	* The output of this function is suitable for use with
295	* RTCrX509Name_MatchWithString.
296	*
297	* @returns IPRT status code.
298	* @param pThis The name object.
299	* @param pszBuf The output buffer.
300	* @param cbBuf The size of the output buffer.
301	* @param pcbActual Where to return the number of bytes required for the
302	* output, including the null terminator character.
303	* Optional.
304	*/
305	RTDECL(int) RTCrX509Name_FormatAsString(PCRTCRX509NAME pThis, char pszBuf, size_t cbBuf, size_t pcbActual);
306
307
308	/**
309	* Looks up the RDN ID and returns the short name for it, if found.
310	*
311	* @returns Short name (e.g. 'CN') or NULL.
312	* @param pRdnId The RDN ID to look up.
313	*/
314	RTDECL(const char *) RTCrX509Name_GetShortRdn(PCRTASN1OBJID pRdnId);
315
316	/**
317	* One X.509 OtherName (IPRT representation).
318	*/
319	typedef struct RTCRX509OTHERNAME
320	{
321	/** The sequence core. */
322	RTASN1SEQUENCECORE SeqCore;
323	/** The name type identifier. */
324	RTASN1OBJID TypeId;
325	/** The name value (explicit tag 0). */
326	RTASN1DYNTYPE Value;
327	} RTCRX509OTHERNAME;
328	/** Pointer to a X.509 OtherName (IPRT representation). */
329	typedef RTCRX509OTHERNAME *PRTCRX509OTHERNAME;
330	/** Pointer to a const X.509 OtherName (IPRT representation). */
331	typedef RTCRX509OTHERNAME const *PCRTCRX509OTHERNAME;
332	RTASN1TYPE_STANDARD_PROTOTYPES(RTCRX509OTHERNAME, RTDECL, RTCrX509OtherName, SeqCore.Asn1Core);
333
334
335	typedef enum RTCRX509GENERALNAMECHOICE
336	{
337	RTCRX509GENERALNAMECHOICE_INVALID = 0,
338	RTCRX509GENERALNAMECHOICE_OTHER_NAME,
339	RTCRX509GENERALNAMECHOICE_RFC822_NAME,
340	RTCRX509GENERALNAMECHOICE_DNS_NAME,
341	RTCRX509GENERALNAMECHOICE_X400_ADDRESS,
342	RTCRX509GENERALNAMECHOICE_DIRECTORY_NAME,
343	RTCRX509GENERALNAMECHOICE_EDI_PARTY_NAME,
344	RTCRX509GENERALNAMECHOICE_URI,
345	RTCRX509GENERALNAMECHOICE_IP_ADDRESS,
346	RTCRX509GENERALNAMECHOICE_REGISTERED_ID,
347	RTCRX509GENERALNAMECHOICE_END,
348	RTCRX509GENERALNAMECHOICE_32BIT_HACK = 0x7fffffff
349	} RTCRX509GENERALNAMECHOICE;
350
351	/**
352	* One X.509 GeneralName (IPRT representation).
353	*
354	* This is represented as a union. Use the RTCRX509GENERALNAME_IS_XXX predicate
355	* macros to figure out which member is valid (Asn1Core is always valid).
356	*/
357	typedef struct RTCRX509GENERALNAME
358	{
359	/** Dummy ASN.1 record, not encoded. */
360	RTASN1DUMMY Dummy;
361	/** The value allocation. */
362	RTASN1ALLOCATION Allocation;
363	/** The choice of value. */
364	RTCRX509GENERALNAMECHOICE enmChoice;
365	/** The value union. */
366	union
367	{
368	/** Tag 0: Other Name. */
369	PRTCRX509OTHERNAME pT0_OtherName;
370	/** Tag 1: RFC-822 Name. */
371	PRTASN1STRING pT1_Rfc822;
372	/** Tag 2: DNS name. */
373	PRTASN1STRING pT2_DnsName;
374	/** Tag 3: X.400 Address. */
375	struct
376	{
377	/** Context tag 3. */
378	RTASN1CONTEXTTAG3 CtxTag3;
379	/** Later. */
380	RTASN1DYNTYPE X400Address;
381	} *pT3;
382	/** Tag 4: Directory Name. */
383	struct
384	{
385	/** Context tag 4. */
386	RTASN1CONTEXTTAG4 CtxTag4;
387	/** Directory name. */
388	RTCRX509NAME DirectoryName;
389	} *pT4;
390	/** Tag 5: EDI Party Name. */
391	struct
392	{
393	/** Context tag 5. */
394	RTASN1CONTEXTTAG5 CtxTag5;
395	/** Later. */
396	RTASN1DYNTYPE EdiPartyName;
397	} *pT5;
398	/** Tag 6: URI. */
399	PRTASN1STRING pT6_Uri;
400	/** Tag 7: IP address. Either 4/8 (IPv4) or 16/32 (IPv16) octets long. */
401	PRTASN1OCTETSTRING pT7_IpAddress;
402	/** Tag 8: Registered ID. */
403	PRTASN1OBJID pT8_RegisteredId;
404	} u;
405	} RTCRX509GENERALNAME;
406	/** Pointer to the IPRT representation of an X.509 general name. */
407	typedef RTCRX509GENERALNAME *PRTCRX509GENERALNAME;
408	/** Pointer to the const IPRT representation of an X.509 general name. */
409	typedef RTCRX509GENERALNAME const *PCRTCRX509GENERALNAME;
410	RTASN1TYPE_STANDARD_PROTOTYPES(RTCRX509GENERALNAME, RTDECL, RTCrX509GeneralName, Dummy.Asn1Core);
411
412	/** @name RTCRX509GENERALNAME tag predicates.
413	* @{ */
414	#define RTCRX509GENERALNAME_IS_OTHER_NAME(a_GenName) ((a_GenName)->enmChoice == RTCRX509GENERALNAMECHOICE_OTHER_NAME)
415	#define RTCRX509GENERALNAME_IS_RFC822_NAME(a_GenName) ((a_GenName)->enmChoice == RTCRX509GENERALNAMECHOICE_RFC822_NAME)
416	#define RTCRX509GENERALNAME_IS_DNS_NAME(a_GenName) ((a_GenName)->enmChoice == RTCRX509GENERALNAMECHOICE_DNS_NAME)
417	#define RTCRX509GENERALNAME_IS_X400_ADDRESS(a_GenName) ((a_GenName)->enmChoice == RTCRX509GENERALNAMECHOICE_X400_ADDRESS)
418	#define RTCRX509GENERALNAME_IS_DIRECTORY_NAME(a_GenName) ((a_GenName)->enmChoice == RTCRX509GENERALNAMECHOICE_DIRECTORY_NAME)
419	#define RTCRX509GENERALNAME_IS_EDI_PARTY_NAME(a_GenName) ((a_GenName)->enmChoice == RTCRX509GENERALNAMECHOICE_EDI_PARTY_NAME)
420	#define RTCRX509GENERALNAME_IS_URI(a_GenName) ((a_GenName)->enmChoice == RTCRX509GENERALNAMECHOICE_URI)
421	#define RTCRX509GENERALNAME_IS_IP_ADDRESS(a_GenName) ((a_GenName)->enmChoice == RTCRX509GENERALNAMECHOICE_IP_ADDRESS)
422	#define RTCRX509GENERALNAME_IS_REGISTERED_ID(a_GenName) ((a_GenName)->enmChoice == RTCRX509GENERALNAMECHOICE_REGISTERED_ID)
423	/** @} */
424
425
426	RTASN1_IMPL_GEN_SEQ_OF_TYPEDEFS_AND_PROTOS(RTCRX509GENERALNAMES, RTCRX509GENERALNAME, RTDECL, RTCrX509GeneralNames);
427	RTDECL(bool) RTCrX509GeneralName_ConstraintMatch(PCRTCRX509GENERALNAME pConstraint, PCRTCRX509GENERALNAME pName);
428
429
430	/**
431	* X.509 Validity (IPRT representation).
432	*/
433	typedef struct RTCRX509VALIDITY
434	{
435	/** Core sequence bits. */
436	RTASN1SEQUENCECORE SeqCore;
437	/** Effective starting. */
438	RTASN1TIME NotBefore;
439	/** Expires after. */
440	RTASN1TIME NotAfter;
441	} RTCRX509VALIDITY;
442	/** Pointer to the IPRT representation of an X.509 validity sequence. */
443	typedef RTCRX509VALIDITY *PRTCRX509VALIDITY;
444	/** Pointer ot the const IPRT representation of an X.509 validity sequence. */
445	typedef RTCRX509VALIDITY const *PCRTCRX509VALIDITY;
446	RTASN1TYPE_STANDARD_PROTOTYPES(RTCRX509VALIDITY, RTDECL, RTCrX509Validity, SeqCore.Asn1Core);
447
448	RTDECL(bool) RTCrX509Validity_IsValidAtTimeSpec(PCRTCRX509VALIDITY pThis, PCRTTIMESPEC pTimeSpec);
449
450
451	#if 0
452	/**
453	* X.509 UniqueIdentifier (IPRT representation).
454	*/
455	typedef struct RTCRX509UNIQUEIDENTIFIER
456	{
457	/** Representation is a bit string. */
458	RTASN1BITSTRING BitString;
459	} RTCRX509UNIQUEIDENTIFIER;
460	/** Pointer to the IPRT representation of an X.509 unique identifier. */
461	typedef RTCRX509UNIQUEIDENTIFIER *PRTCRX509UNIQUEIDENTIFIER;
462	/** Pointer to the const IPRT representation of an X.509 unique identifier. */
463	typedef RTCRX509UNIQUEIDENTIFIER const *PCRTCRX509UNIQUEIDENTIFIER;
464	RTASN1TYPE_STANDARD_PROTOTYPES_NO_GET_CORE(RTCRX509UNIQUEIDENTIFIER, RTDECL, RTCrX509UniqueIdentifier);
465	#endif
466	RTASN1TYPE_ALIAS(RTCRX509UNIQUEIDENTIFIER, RTASN1BITSTRING, RTCrX509UniqueIdentifier, RTAsn1BitString);
467
468
469	/**
470	* X.509 SubjectPublicKeyInfo (IPRT representation).
471	*/
472	typedef struct RTCRX509SUBJECTPUBLICKEYINFO
473	{
474	/** Core sequence bits. */
475	RTASN1SEQUENCECORE SeqCore;
476	/** The algorithm used with the public key. */
477	RTCRX509ALGORITHMIDENTIFIER Algorithm;
478	/** A bit string containing the public key.
479	*
480	* For algorithms like rsaEncryption this is generally a sequence of two
481	* integers, where the first one has lots of bits, and the second one being a
482	* modulous value. These are details specific to the algorithm and not relevant
483	* when validating the certificate chain. */
484	RTASN1BITSTRING SubjectPublicKey;
485	} RTCRX509SUBJECTPUBLICKEYINFO;
486	/** Pointer to the IPRT representation of an X.509 subject public key info
487	* sequence. */
488	typedef RTCRX509SUBJECTPUBLICKEYINFO *PRTCRX509SUBJECTPUBLICKEYINFO;
489	/** Pointer to the const IPRT representation of an X.509 subject public key info
490	* sequence. */
491	typedef RTCRX509SUBJECTPUBLICKEYINFO const *PCRTCRX509SUBJECTPUBLICKEYINFO;
492	RTASN1TYPE_STANDARD_PROTOTYPES(RTCRX509SUBJECTPUBLICKEYINFO, RTDECL, RTCrX509SubjectPublicKeyInfo, SeqCore.Asn1Core);
493
494
495	/**
496	* One X.509 AuthorityKeyIdentifier (IPRT representation).
497	*/
498	typedef struct RTCRX509AUTHORITYKEYIDENTIFIER
499	{
500	/** Sequence core. */
501	RTASN1SEQUENCECORE SeqCore;
502	/** Tag 0, optional, implicit: Key identifier. */
503	RTASN1OCTETSTRING KeyIdentifier;
504	/** Tag 1, optional, implicit: Issuer name. */
505	RTCRX509GENERALNAMES AuthorityCertIssuer;
506	/** Tag 2, optional, implicit: Serial number of issuer. */
507	RTASN1INTEGER AuthorityCertSerialNumber;
508	} RTCRX509AUTHORITYKEYIDENTIFIER;
509	/** Pointer to the IPRT representation of an X.509 AuthorityKeyIdentifier
510	* sequence. */
511	typedef RTCRX509AUTHORITYKEYIDENTIFIER *PRTCRX509AUTHORITYKEYIDENTIFIER;
512	/** Pointer to the const IPRT representation of an X.509 AuthorityKeyIdentifier
513	* sequence. */
514	typedef RTCRX509AUTHORITYKEYIDENTIFIER const *PCRTCRX509AUTHORITYKEYIDENTIFIER;
515	RTASN1TYPE_STANDARD_PROTOTYPES(RTCRX509AUTHORITYKEYIDENTIFIER, RTDECL, RTCrX509AuthorityKeyIdentifier, SeqCore.Asn1Core);
516
517
518	/**
519	* One X.509 OldAuthorityKeyIdentifier (IPRT representation).
520	*/
521	typedef struct RTCRX509OLDAUTHORITYKEYIDENTIFIER
522	{
523	/** Sequence core. */
524	RTASN1SEQUENCECORE SeqCore;
525	/** Tag 0, optional, implicit: Key identifier. */
526	RTASN1OCTETSTRING KeyIdentifier;
527	struct
528	{
529	RTASN1CONTEXTTAG1 CtxTag1;
530	/** Tag 1, optional, implicit: Issuer name. */
531	RTCRX509NAME AuthorityCertIssuer;
532	} T1;
533	/** Tag 2, optional, implicit: Serial number of issuer. */
534	RTASN1INTEGER AuthorityCertSerialNumber;
535	} RTCRX509OLDAUTHORITYKEYIDENTIFIER;
536	/** Pointer to the IPRT representation of an X.509 AuthorityKeyIdentifier
537	* sequence. */
538	typedef RTCRX509OLDAUTHORITYKEYIDENTIFIER *PRTCRX509OLDAUTHORITYKEYIDENTIFIER;
539	/** Pointer to the const IPRT representation of an X.509 AuthorityKeyIdentifier
540	* sequence. */
541	typedef RTCRX509OLDAUTHORITYKEYIDENTIFIER const *PCRTCRX509OLDAUTHORITYKEYIDENTIFIER;
542	RTASN1TYPE_STANDARD_PROTOTYPES(RTCRX509OLDAUTHORITYKEYIDENTIFIER, RTDECL, RTCrX509OldAuthorityKeyIdentifier, SeqCore.Asn1Core);
543
544
545	/**
546	* One X.509 PolicyQualifierInfo (IPRT representation).
547	*/
548	typedef struct RTCRX509POLICYQUALIFIERINFO
549	{
550	/** Core sequence bits. */
551	RTASN1SEQUENCECORE SeqCore;
552	/** The policy object ID. */
553	RTASN1OBJID PolicyQualifierId;
554	/** Anything defined by the policy qualifier id. */
555	RTASN1DYNTYPE Qualifier;
556	} RTCRX509POLICYQUALIFIERINFO;
557	/** Pointer to the IPRT representation of an X.509 PolicyQualifierInfo
558	* sequence. */
559	typedef RTCRX509POLICYQUALIFIERINFO *PRTCRX509POLICYQUALIFIERINFO;
560	/** Pointer to the const IPRT representation of an X.509 PolicyQualifierInfo
561	* sequence. */
562	typedef RTCRX509POLICYQUALIFIERINFO const *PCRTCRX509POLICYQUALIFIERINFO;
563	RTASN1TYPE_STANDARD_PROTOTYPES(RTCRX509POLICYQUALIFIERINFO, RTDECL, RTCrX509PolicyQualifierInfo, SeqCore.Asn1Core);
564	RTASN1_IMPL_GEN_SEQ_OF_TYPEDEFS_AND_PROTOS(RTCRX509POLICYQUALIFIERINFOS, RTCRX509POLICYQUALIFIERINFO, RTDECL, RTCrX509PolicyQualifierInfos);
565
566
567	/**
568	* One X.509 PolicyInformation (IPRT representation).
569	*/
570	typedef struct RTCRX509POLICYINFORMATION
571	{
572	/** Core sequence bits. */
573	RTASN1SEQUENCECORE SeqCore;
574	/** The policy object ID. */
575	RTASN1OBJID PolicyIdentifier;
576	/** Optional sequence of policy qualifiers. */
577	RTCRX509POLICYQUALIFIERINFOS PolicyQualifiers;
578	} RTCRX509POLICYINFORMATION;
579	/** Pointer to the IPRT representation of an X.509 PolicyInformation
580	* sequence. */
581	typedef RTCRX509POLICYINFORMATION *PRTCRX509POLICYINFORMATION;
582	/** Pointer to the const IPRT representation of an X.509 PolicyInformation
583	* sequence. */
584	typedef RTCRX509POLICYINFORMATION const *PCRTCRX509POLICYINFORMATION;
585	RTASN1TYPE_STANDARD_PROTOTYPES(RTCRX509POLICYINFORMATION, RTDECL, RTCrX509PolicyInformation, SeqCore.Asn1Core);
586	RTASN1_IMPL_GEN_SEQ_OF_TYPEDEFS_AND_PROTOS(RTCRX509CERTIFICATEPOLICIES, RTCRX509POLICYINFORMATION, RTDECL, RTCrX509CertificatePolicies);
587
588	/** Sepcial policy object ID that matches any policy. */
589	#define RTCRX509_ID_CE_CP_ANY_POLICY_OID "2.5.29.32.0"
590
591
592	/**
593	* One X.509 PolicyMapping (IPRT representation).
594	*/
595	typedef struct RTCRX509POLICYMAPPING
596	{
597	/** Core sequence bits. */
598	RTASN1SEQUENCECORE SeqCore;
599	/** Issuer policy ID. */
600	RTASN1OBJID IssuerDomainPolicy;
601	/** Subject policy ID. */
602	RTASN1OBJID SubjectDomainPolicy;
603	} RTCRX509POLICYMAPPING;
604	/** Pointer to the IPRT representation of a sequence of X.509 PolicyMapping. */
605	typedef RTCRX509POLICYMAPPING *PRTCRX509POLICYMAPPING;
606	/** Pointer to the const IPRT representation of a sequence of X.509
607	* PolicyMapping. */
608	typedef RTCRX509POLICYMAPPING const *PCRTCRX509POLICYMAPPING;
609	RTASN1TYPE_STANDARD_PROTOTYPES(RTCRX509POLICYMAPPING, RTDECL, RTCrX509PolicyMapping, SeqCore.Asn1Core);
610	RTASN1_IMPL_GEN_SEQ_OF_TYPEDEFS_AND_PROTOS(RTCRX509POLICYMAPPINGS, RTCRX509POLICYMAPPING, RTDECL, RTCrX509PolicyMappings);
611
612
613	/**
614	* X.509 BasicConstraints (IPRT representation).
615	*/
616	typedef struct RTCRX509BASICCONSTRAINTS
617	{
618	/** Core sequence bits. */
619	RTASN1SEQUENCECORE SeqCore;
620	/** Is this ia certficiate authority? Default to false. */
621	RTASN1BOOLEAN CA;
622	/** Path length constraint. */
623	RTASN1INTEGER PathLenConstraint;
624	} RTCRX509BASICCONSTRAINTS;
625	/** Pointer to the IPRT representation of a sequence of X.509
626	* BasicConstraints. */
627	typedef RTCRX509BASICCONSTRAINTS *PRTCRX509BASICCONSTRAINTS;
628	/** Pointer to the const IPRT representation of a sequence of X.509
629	* BasicConstraints. */
630	typedef RTCRX509BASICCONSTRAINTS const *PCRTCRX509BASICCONSTRAINTS;
631	RTASN1TYPE_STANDARD_PROTOTYPES(RTCRX509BASICCONSTRAINTS, RTDECL, RTCrX509BasicConstraints, SeqCore.Asn1Core);
632
633
634	/**
635	* X.509 GeneralSubtree (IPRT representation).
636	*/
637	typedef struct RTCRX509GENERALSUBTREE
638	{
639	/** Core sequence bits. */
640	RTASN1SEQUENCECORE SeqCore;
641	/** Base name. */
642	RTCRX509GENERALNAME Base;
643	/** Tag 0, optional: Minimum, default 0. Fixed at 0 by RFC-5280. */
644	RTASN1INTEGER Minimum;
645	/** Tag 1, optional: Maximum. Fixed as not-present by RFC-5280. */
646	RTASN1INTEGER Maximum;
647	} RTCRX509GENERALSUBTREE;
648	/** Pointer to the IPRT representation of a sequence of X.509 GeneralSubtree. */
649	typedef RTCRX509GENERALSUBTREE *PRTCRX509GENERALSUBTREE;
650	/** Pointer to the const IPRT representation of a sequence of X.509
651	* GeneralSubtree. */
652	typedef RTCRX509GENERALSUBTREE const *PCRTCRX509GENERALSUBTREE;
653	RTASN1TYPE_STANDARD_PROTOTYPES(RTCRX509GENERALSUBTREE, RTDECL, RTCrX509GeneralSubtree, SeqCore.Asn1Core);
654
655	RTDECL(bool) RTCrX509GeneralSubtree_ConstraintMatch(PCRTCRX509GENERALSUBTREE pConstraint, PCRTCRX509GENERALSUBTREE pName);
656
657	RTASN1_IMPL_GEN_SEQ_OF_TYPEDEFS_AND_PROTOS(RTCRX509GENERALSUBTREES, RTCRX509GENERALSUBTREE, RTDECL, RTCrX509GeneralSubtrees);
658
659
660	/**
661	* X.509 NameConstraints (IPRT representation).
662	*/
663	typedef struct RTCRX509NAMECONSTRAINTS
664	{
665	/** Core sequence bits. */
666	RTASN1SEQUENCECORE SeqCore;
667	/** Tag 0, optional: Permitted subtrees. */
668	struct
669	{
670	/** Context tag. */
671	RTASN1CONTEXTTAG0 CtxTag0;
672	/** The permitted subtrees. */
673	RTCRX509GENERALSUBTREES PermittedSubtrees;
674	} T0;
675	/** Tag 1, optional: Excluded subtrees. */
676	struct
677	{
678	/** Context tag. */
679	RTASN1CONTEXTTAG1 CtxTag1;
680	/** The excluded subtrees. */
681	RTCRX509GENERALSUBTREES ExcludedSubtrees;
682	} T1;
683	} RTCRX509NAMECONSTRAINTS;
684	/** Pointer to the IPRT representation of a sequence of X.509
685	* NameConstraints. */
686	typedef RTCRX509NAMECONSTRAINTS *PRTCRX509NAMECONSTRAINTS;
687	/** Pointer to the const IPRT representation of a sequence of X.509
688	* NameConstraints. */
689	typedef RTCRX509NAMECONSTRAINTS const *PCRTCRX509NAMECONSTRAINTS;
690	RTASN1TYPE_STANDARD_PROTOTYPES(RTCRX509NAMECONSTRAINTS, RTDECL, RTCrX509NameConstraints, SeqCore.Asn1Core);
691
692
693	/**
694	* X.509 PolicyConstraints (IPRT representation).
695	*/
696	typedef struct RTCRX509POLICYCONSTRAINTS
697	{
698	/** Core sequence bits. */
699	RTASN1SEQUENCECORE SeqCore;
700	/** Tag 0, optional: Certificates before an explicit policy is required. */
701	RTASN1INTEGER RequireExplicitPolicy;
702	/** Tag 1, optional: Certificates before policy mapping is inhibited. */
703	RTASN1INTEGER InhibitPolicyMapping;
704	} RTCRX509POLICYCONSTRAINTS;
705	/** Pointer to the IPRT representation of a sequence of X.509
706	* PolicyConstraints. */
707	typedef RTCRX509POLICYCONSTRAINTS *PRTCRX509POLICYCONSTRAINTS;
708	/** Pointer to the const IPRT representation of a sequence of X.509
709	* PolicyConstraints. */
710	typedef RTCRX509POLICYCONSTRAINTS const *PCRTCRX509POLICYCONSTRAINTS;
711	RTASN1TYPE_STANDARD_PROTOTYPES(RTCRX509POLICYCONSTRAINTS, RTDECL, RTCrX509PolicyConstraints, SeqCore.Asn1Core);
712
713
714	/**
715	* Indicates what an X.509 extension value encapsulates.
716	*/
717	typedef enum RTCRX509EXTENSIONVALUE
718	{
719	RTCRX509EXTENSIONVALUE_INVALID = 0,
720	/** Unknown, no decoding available just the octet string. */
721	RTCRX509EXTENSIONVALUE_UNKNOWN,
722	/** Unencapsulated (i.e. octet string). */
723	RTCRX509EXTENSIONVALUE_NOT_ENCAPSULATED,
724
725	/** Bit string (RTASN1BITSTRING). */
726	RTCRX509EXTENSIONVALUE_BIT_STRING,
727	/** Octet string (RTASN1OCTETSTRING). */
728	RTCRX509EXTENSIONVALUE_OCTET_STRING,
729	/** Integer string (RTASN1INTEGER). */
730	RTCRX509EXTENSIONVALUE_INTEGER,
731	/** Sequence of object identifiers (RTASN1SEQOFOBJIDS). */
732	RTCRX509EXTENSIONVALUE_SEQ_OF_OBJ_IDS,
733
734	/** Authority key identifier (RTCRX509AUTHORITYKEYIDENTIFIER). */
735	RTCRX509EXTENSIONVALUE_AUTHORITY_KEY_IDENTIFIER,
736	/** Old Authority key identifier (RTCRX509OLDAUTHORITYKEYIDENTIFIER). */
737	RTCRX509EXTENSIONVALUE_OLD_AUTHORITY_KEY_IDENTIFIER,
738	/** Certificate policies (RTCRX509CERTIFICATEPOLICIES). */
739	RTCRX509EXTENSIONVALUE_CERTIFICATE_POLICIES,
740	/** Sequence of policy mappings (RTCRX509POLICYMAPPINGS). */
741	RTCRX509EXTENSIONVALUE_POLICY_MAPPINGS,
742	/** Basic constraints (RTCRX509BASICCONSTRAINTS). */
743	RTCRX509EXTENSIONVALUE_BASIC_CONSTRAINTS,
744	/** Name constraints (RTCRX509NAMECONSTRAINTS). */
745	RTCRX509EXTENSIONVALUE_NAME_CONSTRAINTS,
746	/** Policy constraints (RTCRX509POLICYCONSTRAINTS). */
747	RTCRX509EXTENSIONVALUE_POLICY_CONSTRAINTS,
748	/** Sequence of general names (RTCRX509GENERALNAMES). */
749	RTCRX509EXTENSIONVALUE_GENERAL_NAMES,
750
751	/** Blow the type up to 32-bits. */
752	RTCRX509EXTENSIONVALUE_32BIT_HACK = 0x7fffffff
753	} RTCRX509EXTENSIONVALUE;
754
755	/**
756	* One X.509 Extension (IPRT representation).
757	*/
758	typedef struct RTCRX509EXTENSION
759	{
760	/** Core sequence bits. */
761	RTASN1SEQUENCECORE SeqCore;
762	/** Extension ID. */
763	RTASN1OBJID ExtnId;
764	/** Whether this is critical (default @c false). */
765	RTASN1BOOLEAN Critical;
766	/** Indicates what ExtnValue.pEncapsulated points at. */
767	RTCRX509EXTENSIONVALUE enmValue;
768	/** The value.
769	* Contains extension specific data that we don't yet parse. */
770	RTASN1OCTETSTRING ExtnValue;
771	} RTCRX509EXTENSION;
772	/** Pointer to the IPRT representation of one X.509 extensions. */
773	typedef RTCRX509EXTENSION *PRTCRX509EXTENSION;
774	/** Pointer to the const IPRT representation of one X.509 extension. */
775	typedef RTCRX509EXTENSION const *PCRTCRX509EXTENSION;
776	RTASN1TYPE_STANDARD_PROTOTYPES(RTCRX509EXTENSION, RTDECL, RTCrX509Extension, SeqCore.Asn1Core);
777	RTASN1_IMPL_GEN_SEQ_OF_TYPEDEFS_AND_PROTOS(RTCRX509EXTENSIONS, RTCRX509EXTENSION, RTDECL, RTCrX509Extensions);
778
779	RTDECL(int) RTCrX509Extension_ExtnValue_DecodeAsn1(PRTASN1CURSOR pCursor, uint32_t fFlags,
780	PRTCRX509EXTENSION pThis, const char *pszErrorTag);
781
782
783	/**
784	* X.509 To-be-signed certificate information (IPRT representation).
785	*/
786	typedef struct RTCRX509TBSCERTIFICATE
787	{
788	/** Sequence core. */
789	RTASN1SEQUENCECORE SeqCore;
790	/** Structure version. */
791	struct
792	{
793	/** Context tag with value 0. */
794	RTASN1CONTEXTTAG0 CtxTag0;
795	/** The actual value (RTCRX509TBSCERTIFICATE_V1, ...). */
796	RTASN1INTEGER Version;
797	} T0;
798	/** The serial number of the certificate. */
799	RTASN1INTEGER SerialNumber;
800	/** The signature algorithm. */
801	RTCRX509ALGORITHMIDENTIFIER Signature;
802	/** The issuer name. */
803	RTCRX509NAME Issuer;
804	/** The certificate validity period. */
805	RTCRX509VALIDITY Validity;
806	/** The subject name. */
807	RTCRX509NAME Subject;
808	/** The public key for this certificate. */
809	RTCRX509SUBJECTPUBLICKEYINFO SubjectPublicKeyInfo;
810	/** Issuer unique identifier (optional, version >= v2). */
811	struct
812	{
813	/** Context tag with value 1. */
814	RTASN1CONTEXTTAG1 CtxTag1;
815	/** The unique identifier value. */
816	RTCRX509UNIQUEIDENTIFIER IssuerUniqueId;
817	} T1;
818	/** Subject unique identifier (optional, version >= v2). */
819	struct
820	{
821	/** Context tag with value 2. */
822	RTASN1CONTEXTTAG2 CtxTag2;
823	/** The unique identifier value. */
824	RTCRX509UNIQUEIDENTIFIER SubjectUniqueId;
825	} T2;
826	/** Extensions (optional, version >= v3). */
827	struct
828	{
829	/** Context tag with value 3. */
830	RTASN1CONTEXTTAG3 CtxTag3;
831	/** The unique identifier value. */
832	RTCRX509EXTENSIONS Extensions;
833	/** Extensions summary flags (RTCRX509TBSCERTIFICATE_F_PRESENT_XXX). */
834	uint32_t fFlags;
835	/** Key usage flags (RTCRX509CERT_KEY_USAGE_F_XXX). */
836	uint32_t fKeyUsage;
837	/** Extended key usage flags (RTCRX509CERT_EKU_F_XXX). */
838	uint64_t fExtKeyUsage;
839
840	/** Pointer to the authority key ID extension if present. */
841	PCRTCRX509AUTHORITYKEYIDENTIFIER pAuthorityKeyIdentifier;
842	/** Pointer to the OLD authority key ID extension if present. */
843	PCRTCRX509OLDAUTHORITYKEYIDENTIFIER pOldAuthorityKeyIdentifier;
844	/** Pointer to the subject key ID extension if present. */
845	PCRTASN1OCTETSTRING pSubjectKeyIdentifier;
846	/** Pointer to the alternative subject name extension if present. */
847	PCRTCRX509GENERALNAMES pAltSubjectName;
848	/** Pointer to the alternative issuer name extension if present. */
849	PCRTCRX509GENERALNAMES pAltIssuerName;
850	/** Pointer to the certificate policies extension if present. */
851	PCRTCRX509CERTIFICATEPOLICIES pCertificatePolicies;
852	/** Pointer to the policy mappings extension if present. */
853	PCRTCRX509POLICYMAPPINGS pPolicyMappings;
854	/** Pointer to the basic constraints extension if present. */
855	PCRTCRX509BASICCONSTRAINTS pBasicConstraints;
856	/** Pointer to the name constraints extension if present. */
857	PCRTCRX509NAMECONSTRAINTS pNameConstraints;
858	/** Pointer to the policy constraints extension if present. */
859	PCRTCRX509POLICYCONSTRAINTS pPolicyConstraints;
860	/** Pointer to the inhibit anyPolicy extension if present. */
861	PCRTASN1INTEGER pInhibitAnyPolicy;
862	} T3;
863	} RTCRX509TBSCERTIFICATE;
864	/** Pointer to the IPRT representation of a X.509 TBSCertificate. */
865	typedef RTCRX509TBSCERTIFICATE *PRTCRX509TBSCERTIFICATE;
866	/** Pointer to the const IPRT representation of a X.509 TBSCertificate. */
867	typedef RTCRX509TBSCERTIFICATE const *PCRTCRX509TBSCERTIFICATE;
868	RTASN1TYPE_STANDARD_PROTOTYPES(RTCRX509TBSCERTIFICATE, RTDECL, RTCrX509TbsCertificate, SeqCore.Asn1Core);
869
870	/** @name RTCRX509TBSCERTIFICATE::T0.Version values.
871	* @{ */
872	#define RTCRX509TBSCERTIFICATE_V1 0
873	#define RTCRX509TBSCERTIFICATE_V2 1
874	#define RTCRX509TBSCERTIFICATE_V3 2
875	/** @} */
876
877	/** @name RTCRX509TBSCERTIFICATE::T3.fFlags values.
878	* @{ */
879	#define RTCRX509TBSCERTIFICATE_F_PRESENT_KEY_USAGE RT_BIT_32(0)
880	#define RTCRX509TBSCERTIFICATE_F_PRESENT_EXT_KEY_USAGE RT_BIT_32(1)
881	#define RTCRX509TBSCERTIFICATE_F_PRESENT_SUBJECT_KEY_IDENTIFIER RT_BIT_32(2)
882	#define RTCRX509TBSCERTIFICATE_F_PRESENT_SUBJECT_ALT_NAME RT_BIT_32(3)
883	#define RTCRX509TBSCERTIFICATE_F_PRESENT_ISSUER_ALT_NAME RT_BIT_32(4)
884	#define RTCRX509TBSCERTIFICATE_F_PRESENT_CERTIFICATE_POLICIES RT_BIT_32(5)
885	#define RTCRX509TBSCERTIFICATE_F_PRESENT_POLICY_MAPPINGS RT_BIT_32(6)
886	#define RTCRX509TBSCERTIFICATE_F_PRESENT_BASIC_CONSTRAINTS RT_BIT_32(7)
887	#define RTCRX509TBSCERTIFICATE_F_PRESENT_NAME_CONSTRAINTS RT_BIT_32(8)
888	#define RTCRX509TBSCERTIFICATE_F_PRESENT_POLICY_CONSTRAINTS RT_BIT_32(9)
889	#define RTCRX509TBSCERTIFICATE_F_PRESENT_AUTHORITY_KEY_IDENTIFIER RT_BIT_32(10)
890	#define RTCRX509TBSCERTIFICATE_F_PRESENT_OLD_AUTHORITY_KEY_IDENTIFIER RT_BIT_32(11)
891	#define RTCRX509TBSCERTIFICATE_F_PRESENT_ACCEPTABLE_CERT_POLICIES RT_BIT_32(12)
892	#define RTCRX509TBSCERTIFICATE_F_PRESENT_INHIBIT_ANY_POLICY RT_BIT_32(13)
893	#define RTCRX509TBSCERTIFICATE_F_PRESENT_OTHER RT_BIT_32(22) /*< Other unknown extension present. /
894	#define RTCRX509TBSCERTIFICATE_F_PRESENT_NONE RT_BIT_32(23) /*< No extensions present. /
895	/** @} */
896
897	/** @name X.509 Key Usage flags. (RFC-5280 section 4.2.1.3.)
898	* @{ */
899	#define RTCRX509CERT_KEY_USAGE_F_DIGITAL_SIGNATURE_BIT 0
900	#define RTCRX509CERT_KEY_USAGE_F_DIGITAL_SIGNATURE RT_BIT_32(0)
901	#define RTCRX509CERT_KEY_USAGE_F_CONTENT_COMMITTMENT_BIT 1
902	#define RTCRX509CERT_KEY_USAGE_F_CONTENT_COMMITTMENT RT_BIT_32(1)
903	#define RTCRX509CERT_KEY_USAGE_F_KEY_ENCIPHERMENT_BIT 2
904	#define RTCRX509CERT_KEY_USAGE_F_KEY_ENCIPHERMENT RT_BIT_32(2)
905	#define RTCRX509CERT_KEY_USAGE_F_DATA_ENCIPHERMENT_BIT 3
906	#define RTCRX509CERT_KEY_USAGE_F_DATA_ENCIPHERMENT RT_BIT_32(3)
907	#define RTCRX509CERT_KEY_USAGE_F_KEY_AGREEMENT_BIT 4
908	#define RTCRX509CERT_KEY_USAGE_F_KEY_AGREEMENT RT_BIT_32(4)
909	#define RTCRX509CERT_KEY_USAGE_F_KEY_CERT_SIGN_BIT 5
910	#define RTCRX509CERT_KEY_USAGE_F_KEY_CERT_SIGN RT_BIT_32(5)
911	#define RTCRX509CERT_KEY_USAGE_F_CRL_SIGN_BIT 6
912	#define RTCRX509CERT_KEY_USAGE_F_CRL_SIGN RT_BIT_32(6)
913	#define RTCRX509CERT_KEY_USAGE_F_ENCIPHERMENT_ONLY_BIT 7
914	#define RTCRX509CERT_KEY_USAGE_F_ENCIPHERMENT_ONLY RT_BIT_32(7)
915	#define RTCRX509CERT_KEY_USAGE_F_DECIPHERMENT_ONLY_BIT 8
916	#define RTCRX509CERT_KEY_USAGE_F_DECIPHERMENT_ONLY RT_BIT_32(8)
917	/** @} */
918
919	/** @name X.509 Extended Key Usage flags. (RFC-5280 section 4.2.1.12, ++.)
920	* @remarks Needless to say, these flags doesn't cover all possible extended key
921	* usages, because there is a potential unlimited number of them. Only
922	* ones relevant to IPRT and it's users are covered.
923	* @{ */
924	#define RTCRX509CERT_EKU_F_ANY RT_BIT_64(0)
925	#define RTCRX509CERT_EKU_F_SERVER_AUTH RT_BIT_64(1)
926	#define RTCRX509CERT_EKU_F_CLIENT_AUTH RT_BIT_64(2)
927	#define RTCRX509CERT_EKU_F_CODE_SIGNING RT_BIT_64(3)
928	#define RTCRX509CERT_EKU_F_EMAIL_PROTECTION RT_BIT_64(4)
929	#define RTCRX509CERT_EKU_F_IPSEC_END_SYSTEM RT_BIT_64(5)
930	#define RTCRX509CERT_EKU_F_IPSEC_TUNNEL RT_BIT_64(6)
931	#define RTCRX509CERT_EKU_F_IPSEC_USER RT_BIT_64(7)
932	#define RTCRX509CERT_EKU_F_TIMESTAMPING RT_BIT_64(8)
933	#define RTCRX509CERT_EKU_F_OCSP_SIGNING RT_BIT_64(9)
934	#define RTCRX509CERT_EKU_F_DVCS RT_BIT_64(10)
935	#define RTCRX509CERT_EKU_F_SBGP_CERT_AA_SERVICE_AUTH RT_BIT_64(11)
936	#define RTCRX509CERT_EKU_F_EAP_OVER_PPP RT_BIT_64(12)
937	#define RTCRX509CERT_EKU_F_EAP_OVER_LAN RT_BIT_64(13)
938	#define RTCRX509CERT_EKU_F_OTHER RT_BIT_64(16) /*< Other unknown extended key usage present. /
939	#define RTCRX509CERT_EKU_F_APPLE_CODE_SIGNING RT_BIT_64(24)
940	#define RTCRX509CERT_EKU_F_APPLE_CODE_SIGNING_DEVELOPMENT RT_BIT_64(25)
941	#define RTCRX509CERT_EKU_F_APPLE_SOFTWARE_UPDATE_SIGNING RT_BIT_64(26)
942	#define RTCRX509CERT_EKU_F_APPLE_CODE_SIGNING_THIRD_PARTY RT_BIT_64(27)
943	#define RTCRX509CERT_EKU_F_APPLE_RESOURCE_SIGNING RT_BIT_64(28)
944	#define RTCRX509CERT_EKU_F_APPLE_SYSTEM_IDENTITY RT_BIT_64(29)
945	#define RTCRX509CERT_EKU_F_MS_TIMESTAMP_SIGNING RT_BIT_64(32)
946	#define RTCRX509CERT_EKU_F_MS_NT5_CRYPTO RT_BIT_64(33)
947	#define RTCRX509CERT_EKU_F_MS_OEM_WHQL_CRYPTO RT_BIT_64(34)
948	#define RTCRX509CERT_EKU_F_MS_EMBEDDED_NT_CRYPTO RT_BIT_64(35)
949	#define RTCRX509CERT_EKU_F_MS_KERNEL_MODE_CODE_SIGNING RT_BIT_64(36)
950	#define RTCRX509CERT_EKU_F_MS_LIFETIME_SIGNING RT_BIT_64(37)
951	#define RTCRX509CERT_EKU_F_MS_DRM RT_BIT_64(38)
952	#define RTCRX509CERT_EKU_F_MS_DRM_INDIVIDUALIZATION RT_BIT_64(39)
953	#define RTCRX509CERT_EKU_F_MS_WHQL_CRYPTO RT_BIT_64(40)
954	#define RTCRX509CERT_EKU_F_MS_ATTEST_WHQL_CRYPTO RT_BIT_64(41)
955	/** @} */
956
957	/** @name Key purpose OIDs (extKeyUsage)
958	* @{ */
959	#define RTCRX509_ANY_EXTENDED_KEY_USAGE_OID "2.5.29.37.0"
960	#define RTCRX509_ID_KP_OID "1.3.6.1.5.5.7.3"
961	#define RTCRX509_ID_KP_SERVER_AUTH_OID "1.3.6.1.5.5.7.3.1"
962	#define RTCRX509_ID_KP_CLIENT_AUTH_OID "1.3.6.1.5.5.7.3.2"
963	#define RTCRX509_ID_KP_CODE_SIGNING_OID "1.3.6.1.5.5.7.3.3"
964	#define RTCRX509_ID_KP_EMAIL_PROTECTION_OID "1.3.6.1.5.5.7.3.4"
965	#define RTCRX509_ID_KP_IPSEC_END_SYSTEM_OID "1.3.6.1.5.5.7.3.5"
966	#define RTCRX509_ID_KP_IPSEC_TUNNEL_OID "1.3.6.1.5.5.7.3.6"
967	#define RTCRX509_ID_KP_IPSEC_USER_OID "1.3.6.1.5.5.7.3.7"
968	#define RTCRX509_ID_KP_TIMESTAMPING_OID "1.3.6.1.5.5.7.3.8"
969	#define RTCRX509_ID_KP_OCSP_SIGNING_OID "1.3.6.1.5.5.7.3.9"
970	#define RTCRX509_ID_KP_DVCS_OID "1.3.6.1.5.5.7.3.10"
971	#define RTCRX509_ID_KP_SBGP_CERT_AA_SERVICE_AUTH_OID "1.3.6.1.5.5.7.3.11"
972	#define RTCRX509_ID_KP_EAP_OVER_PPP_OID "1.3.6.1.5.5.7.3.13"
973	#define RTCRX509_ID_KP_EAP_OVER_LAN_OID "1.3.6.1.5.5.7.3.14"
974	/** @} */
975
976	/** @name Microsoft extended key usage OIDs
977	* @{ */
978	#define RTCRX509_MS_EKU_CERT_TRUST_LIST_SIGNING_OID "1.3.6.1.4.1.311.10.3.1"
979	#define RTCRX509_MS_EKU_TIMESTAMP_SIGNING_OID "1.3.6.1.4.1.311.10.3.2"
980	#define RTCRX509_MS_EKU_SERVER_GATED_CRYPTO_OID "1.3.6.1.4.1.311.10.3.3"
981	#define RTCRX509_MS_EKU_SGC_SERIALIZED_OID "1.3.6.1.4.1.311.10.3.3.1"
982	#define RTCRX509_MS_EKU_ENCRYPTED_FILE_SYSTEM_OID "1.3.6.1.4.1.311.10.3.4"
983	#define RTCRX509_MS_EKU_WHQL_CRYPTO_OID "1.3.6.1.4.1.311.10.3.5"
984	#define RTCRX509_MS_EKU_ATTEST_WHQL_CRYPTO_OID "1.3.6.1.4.1.311.10.3.5.1"
985	#define RTCRX509_MS_EKU_NT5_CRYPTO_OID "1.3.6.1.4.1.311.10.3.6"
986	#define RTCRX509_MS_EKU_OEM_WHQL_CRYPTO_OID "1.3.6.1.4.1.311.10.3.7"
987	#define RTCRX509_MS_EKU_EMBEDDED_NT_CRYPTO_OID "1.3.6.1.4.1.311.10.3.8"
988	#define RTCRX509_MS_EKU_ROOT_LIST_SIGNER_OID "1.3.6.1.4.1.311.10.3.9"
989	#define RTCRX509_MS_EKU_QUALIFIED_SUBORDINATE_OID "1.3.6.1.4.1.311.10.3.10"
990	#define RTCRX509_MS_EKU_KEY_RECOVERY_3_OID "1.3.6.1.4.1.311.10.3.11"
991	#define RTCRX509_MS_EKU_DOCUMENT_SIGNING_OID "1.3.6.1.4.1.311.10.3.12"
992	#define RTCRX509_MS_EKU_LIFETIME_SIGNING_OID "1.3.6.1.4.1.311.10.3.13"
993	#define RTCRX509_MS_EKU_MOBILE_DEVICE_SOFTWARE_OID "1.3.6.1.4.1.311.10.3.14"
994	#define RTCRX509_MS_EKU_SMART_DISPLAY_OID "1.3.6.1.4.1.311.10.3.15"
995	#define RTCRX509_MS_EKU_CSP_SIGNATURE_OID "1.3.6.1.4.1.311.10.3.16"
996	#define RTCRX509_MS_EKU_EFS_RECOVERY_OID "1.3.6.1.4.1.311.10.3.4.1"
997	#define RTCRX509_MS_EKU_DRM_OID "1.3.6.1.4.1.311.10.5.1"
998	#define RTCRX509_MS_EKU_DRM_INDIVIDUALIZATION_OID "1.3.6.1.4.1.311.10.5.2"
999	#define RTCRX509_MS_EKU_LICENSES_OID "1.3.6.1.4.1.311.10.5.3"
1000	#define RTCRX509_MS_EKU_LICENSE_SERVER_OID "1.3.6.1.4.1.311.10.5.4"
1001	#define RTCRX509_MS_EKU_ENROLLMENT_AGENT_OID "1.3.6.1.4.1.311.20.2.1"
1002	#define RTCRX509_MS_EKU_SMARTCARD_LOGON_OID "1.3.6.1.4.1.311.20.2.2"
1003	#define RTCRX509_MS_EKU_CA_EXCHANGE_OID "1.3.6.1.4.1.311.21.5"
1004	#define RTCRX509_MS_EKU_KEY_RECOVERY_21_OID "1.3.6.1.4.1.311.21.6"
1005	#define RTCRX509_MS_EKU_SYSTEM_HEALTH_OID "1.3.6.1.4.1.311.47.1.1"
1006	#define RTCRX509_MS_EKU_SYSTEM_HEALTH_LOOPHOLE_OID "1.3.6.1.4.1.311.47.1.3"
1007	#define RTCRX509_MS_EKU_KERNEL_MODE_CODE_SIGNING_OID "1.3.6.1.4.1.311.61.1.1"
1008	/** @} */
1009
1010	/** @name Apple extended key usage OIDs
1011	* @{ */
1012	#define RTCRX509_APPLE_EKU_APPLE_EXTENDED_KEY_USAGE_OID "1.2.840.113635.100.4"
1013	#define RTCRX509_APPLE_EKU_CODE_SIGNING_OID "1.2.840.113635.100.4.1"
1014	#define RTCRX509_APPLE_EKU_CODE_SIGNING_DEVELOPMENT_OID "1.2.840.113635.100.4.1.1"
1015	#define RTCRX509_APPLE_EKU_SOFTWARE_UPDATE_SIGNING_OID "1.2.840.113635.100.4.1.2"
1016	#define RTCRX509_APPLE_EKU_CODE_SIGNING_THRID_PARTY_OID "1.2.840.113635.100.4.1.3"
1017	#define RTCRX509_APPLE_EKU_RESOURCE_SIGNING_OID "1.2.840.113635.100.4.1.4"
1018	#define RTCRX509_APPLE_EKU_ICHAT_SIGNING_OID "1.2.840.113635.100.4.2"
1019	#define RTCRX509_APPLE_EKU_ICHAT_ENCRYPTION_OID "1.2.840.113635.100.4.3"
1020	#define RTCRX509_APPLE_EKU_SYSTEM_IDENTITY_OID "1.2.840.113635.100.4.4"
1021	#define RTCRX509_APPLE_EKU_CRYPTO_ENV_OID "1.2.840.113635.100.4.5"
1022	#define RTCRX509_APPLE_EKU_CRYPTO_PRODUCTION_ENV_OID "1.2.840.113635.100.4.5.1"
1023	#define RTCRX509_APPLE_EKU_CRYPTO_MAINTENANCE_ENV_OID "1.2.840.113635.100.4.5.2"
1024	#define RTCRX509_APPLE_EKU_CRYPTO_TEST_ENV_OID "1.2.840.113635.100.4.5.3"
1025	#define RTCRX509_APPLE_EKU_CRYPTO_DEVELOPMENT_ENV_OID "1.2.840.113635.100.4.5.4"
1026	#define RTCRX509_APPLE_EKU_CRYPTO_QOS_OID "1.2.840.113635.100.4.6"
1027	#define RTCRX509_APPLE_EKU_CRYPTO_TIER0_QOS_OID "1.2.840.113635.100.4.6.1"
1028	#define RTCRX509_APPLE_EKU_CRYPTO_TIER1_QOS_OID "1.2.840.113635.100.4.6.2"
1029	#define RTCRX509_APPLE_EKU_CRYPTO_TIER2_QOS_OID "1.2.840.113635.100.4.6.3"
1030	#define RTCRX509_APPLE_EKU_CRYPTO_TIER3_QOS_OID "1.2.840.113635.100.4.6.4"
1031	/** @} */
1032
1033	/**
1034	* Use this to update derived values after changing the certificate
1035	* extensions.
1036	*
1037	* @returns IPRT status code
1038	* @param pThis The certificate.
1039	* @param pErrInfo Where to return additional error information. Optional.
1040	*/
1041	RTDECL(int) RTCrX509TbsCertificate_ReprocessExtensions(PRTCRX509TBSCERTIFICATE pThis, PRTERRINFO pErrInfo);
1042
1043
1044	/**
1045	* One X.509 Certificate (IPRT representation).
1046	*/
1047	typedef struct RTCRX509CERTIFICATE
1048	{
1049	/** Sequence core. */
1050	RTASN1SEQUENCECORE SeqCore;
1051	/** The to-be-signed certificate information. */
1052	RTCRX509TBSCERTIFICATE TbsCertificate;
1053	/** The signature algorithm (must match TbsCertificate.Signature). */
1054	RTCRX509ALGORITHMIDENTIFIER SignatureAlgorithm;
1055	/** The signature value. */
1056	RTASN1BITSTRING SignatureValue;
1057	} RTCRX509CERTIFICATE;
1058	/** Pointer to the IPRT representation of one X.509 certificate. */
1059	typedef RTCRX509CERTIFICATE *PRTCRX509CERTIFICATE;
1060	/** Pointer to the const IPRT representation of one X.509 certificate. */
1061	typedef RTCRX509CERTIFICATE const *PCRTCRX509CERTIFICATE;
1062	RTASN1TYPE_STANDARD_PROTOTYPES(RTCRX509CERTIFICATE, RTDECL, RTCrX509Certificate, SeqCore.Asn1Core);
1063
1064	/**
1065	* Checks if a certificate matches a given issuer name and serial number.
1066	*
1067	* @returns True / false.
1068	* @param pCertificate The X.509 certificat.
1069	* @param pIssuer The issuer name to match against.
1070	* @param pSerialNumber The serial number to match against.
1071	*/
1072	RTDECL(bool) RTCrX509Certificate_MatchIssuerAndSerialNumber(PCRTCRX509CERTIFICATE pCertificate,
1073	PCRTCRX509NAME pIssuer, PCRTASN1INTEGER pSerialNumber);
1074
1075	RTDECL(bool) RTCrX509Certificate_MatchSubjectOrAltSubjectByRfc5280(PCRTCRX509CERTIFICATE pThis, PCRTCRX509NAME pName);
1076	RTDECL(bool) RTCrX509Certificate_IsSelfSigned(PCRTCRX509CERTIFICATE pCertificate);
1077
1078	RTDECL(int) RTCrX509Certificate_VerifySignature(PCRTCRX509CERTIFICATE pThis, PCRTASN1OBJID pAlgorithm,
1079	PCRTASN1DYNTYPE pParameters, PCRTASN1BITSTRING pPublicKey,
1080	PRTERRINFO pErrInfo);
1081	RTDECL(int) RTCrX509Certificate_VerifySignatureSelfSigned(PCRTCRX509CERTIFICATE pThis, PRTERRINFO pErrInfo);
1082	RTDECL(int) RTCrX509Certificate_ReadFromFile(PRTCRX509CERTIFICATE pCertificate, const char *pszFilename, uint32_t fFlags,
1083	PCRTASN1ALLOCATORVTABLE pAllocator, PRTERRINFO pErrInfo);
1084	RTDECL(int) RTCrX509Certificate_ReadFromBuffer(PRTCRX509CERTIFICATE pCertificate, const void *pvBuf, size_t cbBuf,
1085	uint32_t fFlags, PCRTASN1ALLOCATORVTABLE pAllocator,
1086	PRTERRINFO pErrInfo, const char *pszErrorTag);
1087	/** @name Flags for RTCrX509Certificate_ReadFromFile and
1088	* RTCrX509Certificate_ReadFromBuffer
1089	* @{ */
1090	/** Only allow PEM certificates, not binary ones.
1091	* @sa RTCRPEMREADFILE_F_ONLY_PEM */
1092	#define RTCRX509CERT_READ_F_PEM_ONLY RT_BIT(1)
1093	/** @} */
1094
1095	/** X509 Certificate markers for RTCrPemFindFirstSectionInContent et al. */
1096	extern RTDATADECL(RTCRPEMMARKER const) g_aRTCrX509CertificateMarkers[];
1097	/** Number of entries in g_aRTCrX509CertificateMarkers. */
1098	extern RTDATADECL(uint32_t const) g_cRTCrX509CertificateMarkers;
1099
1100
1101	/** Wrapper around RTCrPemWriteAsn1ToVfsIoStrm(). */
1102	DECLINLINE(ssize_t) RTCrX509Certificate_WriteToVfsIoStrm(RTVFSIOSTREAM hVfsIos, PRTCRX509CERTIFICATE pCertificate,
1103	PRTERRINFO pErrInfo)
1104	{
1105	return RTCrPemWriteAsn1ToVfsIoStrm(hVfsIos, &pCertificate->SeqCore.Asn1Core, 0 /fFlags/,
1106	g_aRTCrX509CertificateMarkers[0].paWords[0].pszWord, pErrInfo);
1107	}
1108
1109	/** Wrapper around RTCrPemWriteAsn1ToVfsFile(). */
1110	DECLINLINE(ssize_t) RTCrX509Certificate_WriteToVfsFile(RTVFSFILE hVfsFile, PRTCRX509CERTIFICATE pCertificate,
1111	PRTERRINFO pErrInfo)
1112	{
1113	return RTCrPemWriteAsn1ToVfsFile(hVfsFile, &pCertificate->SeqCore.Asn1Core, 0 /fFlags/,
1114	g_aRTCrX509CertificateMarkers[0].paWords[0].pszWord, pErrInfo);
1115	}
1116
1117	/** @name X.509 Certificate Extensions
1118	* @{ */
1119	/** Old AuthorityKeyIdentifier OID. */
1120	#define RTCRX509_ID_CE_OLD_AUTHORITY_KEY_IDENTIFIER_OID "2.5.29.1"
1121	/** Old CertificatePolicies extension OID. */
1122	#define RTCRX509_ID_CE_OLD_CERTIFICATE_POLICIES_OID "2.5.29.3"
1123	/** Old SubjectAltName extension OID. */
1124	#define RTCRX509_ID_CE_OLD_SUBJECT_ALT_NAME_OID "2.5.29.7"
1125	/** Old IssuerAltName extension OID. */
1126	#define RTCRX509_ID_CE_OLD_ISSUER_ALT_NAME_OID "2.5.29.8"
1127	/** Old BasicContraints extension OID. */
1128	#define RTCRX509_ID_CE_OLD_BASIC_CONSTRAINTS_OID "2.5.29.10"
1129	/** SubjectKeyIdentifier OID. */
1130	#define RTCRX509_ID_CE_SUBJECT_KEY_IDENTIFIER_OID "2.5.29.14"
1131	/** KeyUsage OID. */
1132	#define RTCRX509_ID_CE_KEY_USAGE_OID "2.5.29.15"
1133	/** PrivateKeyUsagePeriod OID. */
1134	#define RTCRX509_ID_CE_PRIVATE_KEY_USAGE_PERIOD_OID "2.5.29.16"
1135	/** SubjectAltName extension OID. */
1136	#define RTCRX509_ID_CE_SUBJECT_ALT_NAME_OID "2.5.29.17"
1137	/** IssuerAltName extension OID. */
1138	#define RTCRX509_ID_CE_ISSUER_ALT_NAME_OID "2.5.29.18"
1139	/** BasicContraints extension OID. */
1140	#define RTCRX509_ID_CE_BASIC_CONSTRAINTS_OID "2.5.29.19"
1141	/** NameContraints extension OID. */
1142	#define RTCRX509_ID_CE_NAME_CONSTRAINTS_OID "2.5.29.30"
1143	/** CertificatePolicies extension OID. */
1144	#define RTCRX509_ID_CE_CERTIFICATE_POLICIES_OID "2.5.29.32"
1145	/** PolicyMappings extension OID. */
1146	#define RTCRX509_ID_CE_POLICY_MAPPINGS_OID "2.5.29.33"
1147	/** AuthorityKeyIdentifier OID. */
1148	#define RTCRX509_ID_CE_AUTHORITY_KEY_IDENTIFIER_OID "2.5.29.35"
1149	/** PolicyContraints extension OID. */
1150	#define RTCRX509_ID_CE_POLICY_CONSTRAINTS_OID "2.5.29.36"
1151	/** ExtKeyUsage (extended key usage) extension OID. */
1152	#define RTCRX509_ID_CE_EXT_KEY_USAGE_OID "2.5.29.37"
1153	/** ExtKeyUsage: OID for permitting any unspecified key usage. */
1154	#define RTCRX509_ID_CE_ANY_EXTENDED_KEY_USAGE_OID "2.5.29.37.0"
1155	/** AuthorityAttributeIdentifier OID. */
1156	#define RTCRX509_ID_CE_AUTHORITY_ATTRIBUTE_IDENTIFIER_OID "2.5.29.38"
1157	/** AcceptableCertPolicies OID. */
1158	#define RTCRX509_ID_CE_ACCEPTABLE_CERT_POLICIES_OID "2.5.29.52"
1159	/** InhibitAnyPolicy OID. */
1160	#define RTCRX509_ID_CE_INHIBIT_ANY_POLICY_OID "2.5.29.54"
1161	/** @} */
1162
1163
1164	/*
1165	* Sequence of X.509 Certifcates (IPRT representation).
1166	*/
1167	RTASN1_IMPL_GEN_SET_OF_TYPEDEFS_AND_PROTOS(RTCRX509CERTIFICATES, RTCRX509CERTIFICATE, RTDECL, RTCrX509Certificates);
1168
1169	/**
1170	* Looks up a certificate by issuer name and serial number.
1171	*
1172	* @returns Pointer to the given certificate if found, NULL if not.
1173	* @param pCertificates The X.509 certificate set to search.
1174	* @param pIssuer The issuer name of the wanted certificate.
1175	* @param pSerialNumber The serial number of the wanted certificate.
1176	*/
1177	RTDECL(PCRTCRX509CERTIFICATE) RTCrX509Certificates_FindByIssuerAndSerialNumber(PCRTCRX509CERTIFICATES pCertificates,
1178	PCRTCRX509NAME pIssuer,
1179	PCRTASN1INTEGER pSerialNumber);
1180
1181
1182
1183	RTDECL(int) RTCrX509CertPathsCreate(PRTCRX509CERTPATHS phCertPaths, PCRTCRX509CERTIFICATE pTarget);
1184	RTDECL(uint32_t) RTCrX509CertPathsRetain(RTCRX509CERTPATHS hCertPaths);
1185	RTDECL(uint32_t) RTCrX509CertPathsRelease(RTCRX509CERTPATHS hCertPaths);
1186	RTDECL(int) RTCrX509CertPathsSetTrustedStore(RTCRX509CERTPATHS hCertPaths, RTCRSTORE hTrustedStore);
1187	RTDECL(int) RTCrX509CertPathsSetUntrustedStore(RTCRX509CERTPATHS hCertPaths, RTCRSTORE hUntrustedStore);
1188	RTDECL(int) RTCrX509CertPathsSetUntrustedArray(RTCRX509CERTPATHS hCertPaths, PCRTCRX509CERTIFICATE paCerts, uint32_t cCerts);
1189	RTDECL(int) RTCrX509CertPathsSetUntrustedSet(RTCRX509CERTPATHS hCertPaths, struct RTCRPKCS7SETOFCERTS const *pSetOfCerts);
1190	RTDECL(int) RTCrX509CertPathsSetValidTime(RTCRX509CERTPATHS hCertPaths, PCRTTIME pTime);
1191	RTDECL(int) RTCrX509CertPathsSetValidTimeSpec(RTCRX509CERTPATHS hCertPaths, PCRTTIMESPEC pTimeSpec);
1192	RTDECL(int) RTCrX509CertPathsSetTrustAnchorChecks(RTCRX509CERTPATHS hCertPaths, bool fEnable);
1193	RTDECL(int) RTCrX509CertPathsCreateEx(PRTCRX509CERTPATHS phCertPaths, PCRTCRX509CERTIFICATE pTarget, RTCRSTORE hTrustedStore,
1194	RTCRSTORE hUntrustedStore, PCRTCRX509CERTIFICATE paUntrustedCerts, uint32_t cUntrustedCerts,
1195	PCRTTIMESPEC pValidTime);
1196	RTDECL(int) RTCrX509CertPathsBuild(RTCRX509CERTPATHS hCertPaths, PRTERRINFO pErrInfo);
1197	RTDECL(int) RTCrX509CertPathsDumpOne(RTCRX509CERTPATHS hCertPaths, uint32_t iPath, uint32_t uVerbosity,
1198	PFNRTDUMPPRINTFV pfnPrintfV, void *pvUser);
1199	RTDECL(int) RTCrX509CertPathsDumpAll(RTCRX509CERTPATHS hCertPaths, uint32_t uVerbosity,
1200	PFNRTDUMPPRINTFV pfnPrintfV, void *pvUser);
1201
1202	RTDECL(int) RTCrX509CertPathsValidateOne(RTCRX509CERTPATHS hCertPaths, uint32_t iPath, PRTERRINFO pErrInfo);
1203	RTDECL(int) RTCrX509CertPathsValidateAll(RTCRX509CERTPATHS hCertPaths, uint32_t *pcValidPaths, PRTERRINFO pErrInfo);
1204
1205	RTDECL(uint32_t) RTCrX509CertPathsGetPathCount(RTCRX509CERTPATHS hCertPaths);
1206	RTDECL(int) RTCrX509CertPathsQueryPathInfo(RTCRX509CERTPATHS hCertPaths, uint32_t iPath,
1207	bool pfTrusted, uint32_t pcNodes, PCRTCRX509NAME *ppSubject,
1208	PCRTCRX509SUBJECTPUBLICKEYINFO *ppPublicKeyInfo,
1209	PCRTCRX509CERTIFICATE ppCert, PCRTCRCERTCTX ppCertCtx, int *prcVerify);
1210	RTDECL(uint32_t) RTCrX509CertPathsGetPathLength(RTCRX509CERTPATHS hCertPaths, uint32_t iPath);
1211	RTDECL(int) RTCrX509CertPathsGetPathVerifyResult(RTCRX509CERTPATHS hCertPaths, uint32_t iPath);
1212	RTDECL(PCRTCRX509CERTIFICATE) RTCrX509CertPathsGetPathNodeCert(RTCRX509CERTPATHS hCertPaths, uint32_t iPath, uint32_t iNode);
1213
1214
1215	RT_C_DECLS_END
1216
1217	/** @} */
1218
1219	/** @} */
1220
1221	#endif /* !IPRT_INCLUDED_crypto_x509_h */
1222

Note: See TracBrowser for help on using the repository browser.

source: vbox/trunk/include/iprt/crypto/x509.h@ 100442

Download in other formats: