/* This is a generated file */ #ifndef __hx509_protos_h__ #define __hx509_protos_h__ #ifndef DOXY #include #ifdef __cplusplus extern "C" { #endif #ifndef HX509_LIB #ifndef HX509_LIB_FUNCTION #if defined(_WIN32) #define HX509_LIB_FUNCTION __declspec(dllimport) #define HX509_LIB_CALL __stdcall #define HX509_LIB_VARIABLE __declspec(dllimport) #else #define HX509_LIB_FUNCTION #define HX509_LIB_CALL #define HX509_LIB_VARIABLE #endif #endif #endif /** * Print a bitstring using a hx509_vprint_func function. To print to * stdout use hx509_print_stdout(). * * @param b bit string to print. * @param func hx509_vprint_func to print with. * @param ctx context variable to hx509_vprint_func function. * * @ingroup hx509_print */ void hx509_bitstring_print ( const heim_bit_string */*b*/, hx509_vprint_func /*func*/, void */*ctx*/); /** * Sign a to-be-signed certificate object with a issuer certificate. * * The caller needs to at least have called the following functions on the * to-be-signed certificate object: * - hx509_ca_tbs_init() * - hx509_ca_tbs_set_subject() * - hx509_ca_tbs_set_spki() * * When done the to-be-signed certificate object should be freed with * hx509_ca_tbs_free(). * * When creating self-signed certificate use hx509_ca_sign_self() instead. * * @param context A hx509 context. * @param tbs object to be signed. * @param signer the CA certificate object to sign with (need private key). * @param certificate return cerificate, free with hx509_cert_free(). * * @return An hx509 error code, see hx509_get_error_string(). * * @ingroup hx509_ca */ int hx509_ca_sign ( hx509_context /*context*/, hx509_ca_tbs /*tbs*/, hx509_cert /*signer*/, hx509_cert */*certificate*/); /** * Work just like hx509_ca_sign() but signs it-self. * * @param context A hx509 context. * @param tbs object to be signed. * @param signer private key to sign with. * @param certificate return cerificate, free with hx509_cert_free(). * * @return An hx509 error code, see hx509_get_error_string(). * * @ingroup hx509_ca */ int hx509_ca_sign_self ( hx509_context /*context*/, hx509_ca_tbs /*tbs*/, hx509_private_key /*signer*/, hx509_cert */*certificate*/); /** * Add CRL distribution point URI to the to-be-signed certificate * object. * * @param context A hx509 context. * @param tbs object to be signed. * @param uri uri to the CRL. * @param issuername name of the issuer. * * @return An hx509 error code, see hx509_get_error_string(). * * @ingroup hx509_ca */ int hx509_ca_tbs_add_crl_dp_uri ( hx509_context /*context*/, hx509_ca_tbs /*tbs*/, const char */*uri*/, hx509_name /*issuername*/); /** * An an extended key usage to the to-be-signed certificate object. * Duplicates will detected and not added. * * @param context A hx509 context. * @param tbs object to be signed. * @param oid extended key usage to add. * * @return An hx509 error code, see hx509_get_error_string(). * * @ingroup hx509_ca */ int hx509_ca_tbs_add_eku ( hx509_context /*context*/, hx509_ca_tbs /*tbs*/, const heim_oid */*oid*/); /** * Add a Subject Alternative Name hostname to to-be-signed certificate * object. A domain match starts with ., an exact match does not. * * Example of a an domain match: .domain.se matches the hostname * host.domain.se. * * @param context A hx509 context. * @param tbs object to be signed. * @param dnsname a hostame. * * @return An hx509 error code, see hx509_get_error_string(). * * @ingroup hx509_ca */ int hx509_ca_tbs_add_san_hostname ( hx509_context /*context*/, hx509_ca_tbs /*tbs*/, const char */*dnsname*/); /** * Add a Jabber/XMPP jid Subject Alternative Name to the to-be-signed * certificate object. The jid is an UTF8 string. * * @param context A hx509 context. * @param tbs object to be signed. * @param jid string of an a jabber id in UTF8. * * @return An hx509 error code, see hx509_get_error_string(). * * @ingroup hx509_ca */ int hx509_ca_tbs_add_san_jid ( hx509_context /*context*/, hx509_ca_tbs /*tbs*/, const char */*jid*/); /** * Add Microsoft UPN Subject Alternative Name to the to-be-signed * certificate object. The principal string is a UTF8 string. * * @param context A hx509 context. * @param tbs object to be signed. * @param principal Microsoft UPN string. * * @return An hx509 error code, see hx509_get_error_string(). * * @ingroup hx509_ca */ int hx509_ca_tbs_add_san_ms_upn ( hx509_context /*context*/, hx509_ca_tbs /*tbs*/, const char */*principal*/); /** * Add Subject Alternative Name otherName to the to-be-signed * certificate object. * * @param context A hx509 context. * @param tbs object to be signed. * @param oid the oid of the OtherName. * @param os data in the other name. * * @return An hx509 error code, see hx509_get_error_string(). * * @ingroup hx509_ca */ int hx509_ca_tbs_add_san_otherName ( hx509_context /*context*/, hx509_ca_tbs /*tbs*/, const heim_oid */*oid*/, const heim_octet_string */*os*/); /** * Add Kerberos Subject Alternative Name to the to-be-signed * certificate object. The principal string is a UTF8 string. * * @param context A hx509 context. * @param tbs object to be signed. * @param principal Kerberos principal to add to the certificate. * * @return An hx509 error code, see hx509_get_error_string(). * * @ingroup hx509_ca */ int hx509_ca_tbs_add_san_pkinit ( hx509_context /*context*/, hx509_ca_tbs /*tbs*/, const char */*principal*/); /** * Add a Subject Alternative Name rfc822 (email address) to * to-be-signed certificate object. * * @param context A hx509 context. * @param tbs object to be signed. * @param rfc822Name a string to a email address. * * @return An hx509 error code, see hx509_get_error_string(). * * @ingroup hx509_ca */ int hx509_ca_tbs_add_san_rfc822name ( hx509_context /*context*/, hx509_ca_tbs /*tbs*/, const char */*rfc822Name*/); /** * Free an To Be Signed object. * * @param tbs object to free. * * @ingroup hx509_ca */ void hx509_ca_tbs_free (hx509_ca_tbs */*tbs*/); /** * Allocate an to-be-signed certificate object that will be converted * into an certificate. * * @param context A hx509 context. * @param tbs returned to-be-signed certicate object, free with * hx509_ca_tbs_free(). * * @return An hx509 error code, see hx509_get_error_string(). * * @ingroup hx509_ca */ int hx509_ca_tbs_init ( hx509_context /*context*/, hx509_ca_tbs */*tbs*/); /** * Make the to-be-signed certificate object a CA certificate. If the * pathLenConstraint is negative path length constraint is used. * * @param context A hx509 context. * @param tbs object to be signed. * @param pathLenConstraint path length constraint, negative, no * constraint. * * @return An hx509 error code, see hx509_get_error_string(). * * @ingroup hx509_ca */ int hx509_ca_tbs_set_ca ( hx509_context /*context*/, hx509_ca_tbs /*tbs*/, int /*pathLenConstraint*/); /** * Make the to-be-signed certificate object a windows domain controller certificate. * * @param context A hx509 context. * @param tbs object to be signed. * * @return An hx509 error code, see hx509_get_error_string(). * * @ingroup hx509_ca */ int hx509_ca_tbs_set_domaincontroller ( hx509_context /*context*/, hx509_ca_tbs /*tbs*/); /** * Set the absolute time when the certificate is valid to. * * @param context A hx509 context. * @param tbs object to be signed. * @param t time when the certificate will expire * * @return An hx509 error code, see hx509_get_error_string(). * * @ingroup hx509_ca */ int hx509_ca_tbs_set_notAfter ( hx509_context /*context*/, hx509_ca_tbs /*tbs*/, time_t /*t*/); /** * Set the relative time when the certificiate is going to expire. * * @param context A hx509 context. * @param tbs object to be signed. * @param delta seconds to the certificate is going to expire. * * @return An hx509 error code, see hx509_get_error_string(). * * @ingroup hx509_ca */ int hx509_ca_tbs_set_notAfter_lifetime ( hx509_context /*context*/, hx509_ca_tbs /*tbs*/, time_t /*delta*/); /** * Set the absolute time when the certificate is valid from. If not * set the current time will be used. * * @param context A hx509 context. * @param tbs object to be signed. * @param t time the certificated will start to be valid * * @return An hx509 error code, see hx509_get_error_string(). * * @ingroup hx509_ca */ int hx509_ca_tbs_set_notBefore ( hx509_context /*context*/, hx509_ca_tbs /*tbs*/, time_t /*t*/); /** * Make the to-be-signed certificate object a proxy certificate. If the * pathLenConstraint is negative path length constraint is used. * * @param context A hx509 context. * @param tbs object to be signed. * @param pathLenConstraint path length constraint, negative, no * constraint. * * @return An hx509 error code, see hx509_get_error_string(). * * @ingroup hx509_ca */ int hx509_ca_tbs_set_proxy ( hx509_context /*context*/, hx509_ca_tbs /*tbs*/, int /*pathLenConstraint*/); /** * Set the serial number to use for to-be-signed certificate object. * * @param context A hx509 context. * @param tbs object to be signed. * @param serialNumber serial number to use for the to-be-signed * certificate object. * * @return An hx509 error code, see hx509_get_error_string(). * * @ingroup hx509_ca */ int hx509_ca_tbs_set_serialnumber ( hx509_context /*context*/, hx509_ca_tbs /*tbs*/, const heim_integer */*serialNumber*/); /** * Set signature algorithm on the to be signed certificate * * @param context A hx509 context. * @param tbs object to be signed. * @param sigalg signature algorithm to use * * @return An hx509 error code, see hx509_get_error_string(). * * @ingroup hx509_ca */ int hx509_ca_tbs_set_signature_algorithm ( hx509_context /*context*/, hx509_ca_tbs /*tbs*/, const AlgorithmIdentifier */*sigalg*/); /** * Set the subject public key info (SPKI) in the to-be-signed certificate * object. SPKI is the public key and key related parameters in the * certificate. * * @param context A hx509 context. * @param tbs object to be signed. * @param spki subject public key info to use for the to-be-signed certificate object. * * @return An hx509 error code, see hx509_get_error_string(). * * @ingroup hx509_ca */ int hx509_ca_tbs_set_spki ( hx509_context /*context*/, hx509_ca_tbs /*tbs*/, const SubjectPublicKeyInfo */*spki*/); /** * Set the subject name of a to-be-signed certificate object. * * @param context A hx509 context. * @param tbs object to be signed. * @param subject the name to set a subject. * * @return An hx509 error code, see hx509_get_error_string(). * * @ingroup hx509_ca */ int hx509_ca_tbs_set_subject ( hx509_context /*context*/, hx509_ca_tbs /*tbs*/, hx509_name /*subject*/); /** * Initialize the to-be-signed certificate object from a template certifiate. * * @param context A hx509 context. * @param tbs object to be signed. * @param flags bit field selecting what to copy from the template * certifiate. * @param cert template certificate. * * @return An hx509 error code, see hx509_get_error_string(). * * @ingroup hx509_ca */ int hx509_ca_tbs_set_template ( hx509_context /*context*/, hx509_ca_tbs /*tbs*/, int /*flags*/, hx509_cert /*cert*/); /** * Set the issuerUniqueID and subjectUniqueID * * These are only supposed to be used considered with version 2 * certificates, replaced by the two extensions SubjectKeyIdentifier * and IssuerKeyIdentifier. This function is to allow application * using legacy protocol to issue them. * * @param context A hx509 context. * @param tbs object to be signed. * @param issuerUniqueID to be set * @param subjectUniqueID to be set * * @return An hx509 error code, see hx509_get_error_string(). * * @ingroup hx509_ca */ int hx509_ca_tbs_set_unique ( hx509_context /*context*/, hx509_ca_tbs /*tbs*/, const heim_bit_string */*subjectUniqueID*/, const heim_bit_string */*issuerUniqueID*/); /** * Expand the the subject name in the to-be-signed certificate object * using hx509_name_expand(). * * @param context A hx509 context. * @param tbs object to be signed. * @param env environment variable to expand variables in the subject * name, see hx509_env_init(). * * @return An hx509 error code, see hx509_get_error_string(). * * @ingroup hx509_ca */ int hx509_ca_tbs_subject_expand ( hx509_context /*context*/, hx509_ca_tbs /*tbs*/, hx509_env /*env*/); /** * Make of template units, use to build flags argument to * hx509_ca_tbs_set_template() with parse_units(). * * @return an units structure. * * @ingroup hx509_ca */ const struct units * hx509_ca_tbs_template_units (void); /** * Encodes the hx509 certificate as a DER encode binary. * * @param context A hx509 context. * @param c the certificate to encode. * @param os the encode certificate, set to NULL, 0 on case of * error. Free the os->data with hx509_xfree(). * * @return An hx509 error code, see hx509_get_error_string(). * * @ingroup hx509_cert */ int hx509_cert_binary ( hx509_context /*context*/, hx509_cert /*c*/, heim_octet_string */*os*/); /** * Check the extended key usage on the hx509 certificate. * * @param context A hx509 context. * @param cert A hx509 context. * @param eku the EKU to check for * @param allow_any_eku if the any EKU is set, allow that to be a * substitute. * * @return An hx509 error code, see hx509_get_error_string(). * * @ingroup hx509_cert */ int hx509_cert_check_eku ( hx509_context /*context*/, hx509_cert /*cert*/, const heim_oid */*eku*/, int /*allow_any_eku*/); /** * Compare to hx509 certificate object, useful for sorting. * * @param p a hx509 certificate object. * @param q a hx509 certificate object. * * @return 0 the objects are the same, returns > 0 is p is "larger" * then q, < 0 if p is "smaller" then q. * * @ingroup hx509_cert */ int hx509_cert_cmp ( hx509_cert /*p*/, hx509_cert /*q*/); /** * Return a list of subjectAltNames specified by oid in the * certificate. On error the * * The returned list of octet string should be freed with * hx509_free_octet_string_list(). * * @param context A hx509 context. * @param cert a hx509 certificate object. * @param oid an oid to for SubjectAltName. * @param list list of matching SubjectAltName. * * @return An hx509 error code, see hx509_get_error_string(). * * @ingroup hx509_cert */ int hx509_cert_find_subjectAltName_otherName ( hx509_context /*context*/, hx509_cert /*cert*/, const heim_oid */*oid*/, hx509_octet_string_list */*list*/); /** * Free reference to the hx509 certificate object, if the refcounter * reaches 0, the object if freed. Its allowed to pass in NULL. * * @param cert the cert to free. * * @ingroup hx509_cert */ void hx509_cert_free (hx509_cert /*cert*/); /** * Get the SubjectPublicKeyInfo structure from the hx509 certificate. * * @param context a hx509 context. * @param p a hx509 certificate object. * @param spki SubjectPublicKeyInfo, should be freed with * free_SubjectPublicKeyInfo(). * * @return An hx509 error code, see hx509_get_error_string(). * * @ingroup hx509_cert */ int hx509_cert_get_SPKI ( hx509_context /*context*/, hx509_cert /*p*/, SubjectPublicKeyInfo */*spki*/); /** * Get the AlgorithmIdentifier from the hx509 certificate. * * @param context a hx509 context. * @param p a hx509 certificate object. * @param alg AlgorithmIdentifier, should be freed with * free_AlgorithmIdentifier(). The algorithmidentifier is * typicly rsaEncryption, or id-ecPublicKey, or some other * public key mechanism. * * @return An hx509 error code, see hx509_get_error_string(). * * @ingroup hx509_cert */ int hx509_cert_get_SPKI_AlgorithmIdentifier ( hx509_context /*context*/, hx509_cert /*p*/, AlgorithmIdentifier */*alg*/); /** * Get an external attribute for the certificate, examples are * friendly name and id. * * @param cert hx509 certificate object to search * @param oid an oid to search for. * * @return an hx509_cert_attribute, only valid as long as the * certificate is referenced. * * @ingroup hx509_cert */ hx509_cert_attribute hx509_cert_get_attribute ( hx509_cert /*cert*/, const heim_oid */*oid*/); /** * Return the name of the base subject of the hx509 certificate. If * the certiicate is a verified proxy certificate, the this function * return the base certificate (root of the proxy chain). If the proxy * certificate is not verified with the base certificate * HX509_PROXY_CERTIFICATE_NOT_CANONICALIZED is returned. * * @param context a hx509 context. * @param c a hx509 certificate object. * @param name a pointer to a hx509 name, should be freed by * hx509_name_free(). See also hx509_cert_get_subject(). * * @return An hx509 error code, see hx509_get_error_string(). * * @ingroup hx509_cert */ int hx509_cert_get_base_subject ( hx509_context /*context*/, hx509_cert /*c*/, hx509_name */*name*/); /** * Get friendly name of the certificate. * * @param cert cert to get the friendly name from. * * @return an friendly name or NULL if there is. The friendly name is * only valid as long as the certificate is referenced. * * @ingroup hx509_cert */ const char * hx509_cert_get_friendly_name (hx509_cert /*cert*/); /** * Return the name of the issuer of the hx509 certificate. * * @param p a hx509 certificate object. * @param name a pointer to a hx509 name, should be freed by * hx509_name_free(). * * @return An hx509 error code, see hx509_get_error_string(). * * @ingroup hx509_cert */ int hx509_cert_get_issuer ( hx509_cert /*p*/, hx509_name */*name*/); /** * Get a copy of the Issuer Unique ID * * @param context a hx509_context * @param p a hx509 certificate * @param issuer the issuer id returned, free with der_free_bit_string() * * @return An hx509 error code, see hx509_get_error_string(). The * error code HX509_EXTENSION_NOT_FOUND is returned if the certificate * doesn't have a issuerUniqueID * * @ingroup hx509_cert */ int hx509_cert_get_issuer_unique_id ( hx509_context /*context*/, hx509_cert /*p*/, heim_bit_string */*issuer*/); /** * Get notAfter time of the certificate. * * @param p a hx509 certificate object. * * @return return not after time. * * @ingroup hx509_cert */ time_t hx509_cert_get_notAfter (hx509_cert /*p*/); /** * Get notBefore time of the certificate. * * @param p a hx509 certificate object. * * @return return not before time * * @ingroup hx509_cert */ time_t hx509_cert_get_notBefore (hx509_cert /*p*/); /** * Get serial number of the certificate. * * @param p a hx509 certificate object. * @param i serial number, should be freed ith der_free_heim_integer(). * * @return An hx509 error code, see hx509_get_error_string(). * * @ingroup hx509_cert */ int hx509_cert_get_serialnumber ( hx509_cert /*p*/, heim_integer */*i*/); /** * Return the name of the subject of the hx509 certificate. * * @param p a hx509 certificate object. * @param name a pointer to a hx509 name, should be freed by * hx509_name_free(). See also hx509_cert_get_base_subject(). * * @return An hx509 error code, see hx509_get_error_string(). * * @ingroup hx509_cert */ int hx509_cert_get_subject ( hx509_cert /*p*/, hx509_name */*name*/); /** * Get a copy of the Subect Unique ID * * @param context a hx509_context * @param p a hx509 certificate * @param subject the subject id returned, free with der_free_bit_string() * * @return An hx509 error code, see hx509_get_error_string(). The * error code HX509_EXTENSION_NOT_FOUND is returned if the certificate * doesn't have a subjectUniqueID * * @ingroup hx509_cert */ int hx509_cert_get_subject_unique_id ( hx509_context /*context*/, hx509_cert /*p*/, heim_bit_string */*subject*/); int hx509_cert_have_private_key (hx509_cert /*p*/); /** * Allocate and init an hx509 certificate object from the decoded * certificate `c´. * * @param context A hx509 context. * @param c * @param error * * @return Returns an hx509 certificate * * @ingroup hx509_cert */ hx509_cert hx509_cert_init ( hx509_context /*context*/, const Certificate */*c*/, heim_error_t */*error*/); /** * Just like hx509_cert_init(), but instead of a decode certificate * takes an pointer and length to a memory region that contains a * DER/BER encoded certificate. * * If the memory region doesn't contain just the certificate and * nothing more the function will fail with * HX509_EXTRA_DATA_AFTER_STRUCTURE. * * @param context A hx509 context. * @param ptr pointer to memory region containing encoded certificate. * @param len length of memory region. * @param error possibly returns an error * * @return An hx509 certificate * * @ingroup hx509_cert */ hx509_cert hx509_cert_init_data ( hx509_context /*context*/, const void */*ptr*/, size_t /*len*/, heim_error_t */*error*/); /** * Print certificate usage for a certificate to a string. * * @param context A hx509 context. * @param c a certificate print the keyusage for. * @param s the return string with the keysage printed in to, free * with hx509_xfree(). * * @return An hx509 error code, see hx509_get_error_string(). * * @ingroup hx509_print */ int hx509_cert_keyusage_print ( hx509_context /*context*/, hx509_cert /*c*/, char **/*s*/); int hx509_cert_public_encrypt ( hx509_context /*context*/, const heim_octet_string */*cleartext*/, const hx509_cert /*p*/, heim_oid */*encryption_oid*/, heim_octet_string */*ciphertext*/); /** * Add a reference to a hx509 certificate object. * * @param cert a pointer to an hx509 certificate object. * * @return the same object as is passed in. * * @ingroup hx509_cert */ hx509_cert hx509_cert_ref (hx509_cert /*cert*/); /** * Set the friendly name on the certificate. * * @param cert The certificate to set the friendly name on * @param name Friendly name. * * @return An hx509 error code, see hx509_get_error_string(). * * @ingroup hx509_cert */ int hx509_cert_set_friendly_name ( hx509_cert /*cert*/, const char */*name*/); /** * Add a certificate to the certificiate store. * * The receiving keyset certs will either increase reference counter * of the cert or make a deep copy, either way, the caller needs to * free the cert itself. * * @param context a hx509 context. * @param certs certificate store to add the certificate to. * @param cert certificate to add. * * @return Returns an hx509 error code. * * @ingroup hx509_keyset */ int hx509_certs_add ( hx509_context /*context*/, hx509_certs /*certs*/, hx509_cert /*cert*/); /** * Same a hx509_certs_merge() but use a lock and name to describe the * from source. * * @param context a hx509 context. * @param to the store to merge into. * @param lock a lock that unlocks the certificates store, use NULL to * select no password/certifictes/prompt lock (see @ref page_lock). * @param name name of the source store * * @return Returns an hx509 error code. * * @ingroup hx509_keyset */ int hx509_certs_append ( hx509_context /*context*/, hx509_certs /*to*/, hx509_lock /*lock*/, const char */*name*/); /** * End the iteration over certificates. * * @param context a hx509 context. * @param certs certificate store to iterate over. * @param cursor cursor that will keep track of progress, freed. * * @return Returns an hx509 error code. * * @ingroup hx509_keyset */ int hx509_certs_end_seq ( hx509_context /*context*/, hx509_certs /*certs*/, hx509_cursor /*cursor*/); /** * Filter certificate matching the query. * * @param context a hx509 context. * @param certs certificate store to search. * @param q query allocated with @ref hx509_query functions. * @param result the filtered certificate store, caller must free with * hx509_certs_free(). * * @return Returns an hx509 error code. * * @ingroup hx509_keyset */ int hx509_certs_filter ( hx509_context /*context*/, hx509_certs /*certs*/, const hx509_query */*q*/, hx509_certs */*result*/); /** * Find a certificate matching the query. * * @param context a hx509 context. * @param certs certificate store to search. * @param q query allocated with @ref hx509_query functions. * @param r return certificate (or NULL on error), should be freed * with hx509_cert_free(). * * @return Returns an hx509 error code. * * @ingroup hx509_keyset */ int hx509_certs_find ( hx509_context /*context*/, hx509_certs /*certs*/, const hx509_query */*q*/, hx509_cert */*r*/); /** * Free a certificate store. * * @param certs certificate store to free. * * @ingroup hx509_keyset */ void hx509_certs_free (hx509_certs */*certs*/); /** * Print some info about the certificate store. * * @param context a hx509 context. * @param certs certificate store to print information about. * @param func function that will get each line of the information, if * NULL is used the data is printed on a FILE descriptor that should * be passed in ctx, if ctx also is NULL, stdout is used. * @param ctx parameter to func. * * @return Returns an hx509 error code. * * @ingroup hx509_keyset */ int hx509_certs_info ( hx509_context /*context*/, hx509_certs /*certs*/, int (*/*func*/)(void *, const char *), void */*ctx*/); /** * Open or creates a new hx509 certificate store. * * @param context A hx509 context * @param name name of the store, format is TYPE:type-specific-string, * if NULL is used the MEMORY store is used. * @param flags list of flags: * - HX509_CERTS_CREATE create a new keystore of the specific TYPE. * - HX509_CERTS_UNPROTECT_ALL fails if any private key failed to be extracted. * @param lock a lock that unlocks the certificates store, use NULL to * select no password/certifictes/prompt lock (see @ref page_lock). * @param certs return pointer, free with hx509_certs_free(). * * @return Returns an hx509 error code. * * @ingroup hx509_keyset */ int hx509_certs_init ( hx509_context /*context*/, const char */*name*/, int /*flags*/, hx509_lock /*lock*/, hx509_certs */*certs*/); /** * Iterate over all certificates in a keystore and call a block * for each of them. * * @param context a hx509 context. * @param certs certificate store to iterate over. * @param func block to call for each certificate. The function * should return non-zero to abort the iteration, that value is passed * back to the caller of hx509_certs_iter(). * * @return Returns an hx509 error code. * * @ingroup hx509_keyset */ #ifdef __BLOCKS__ int hx509_certs_iter ( hx509_context /*context*/, hx509_certs /*certs*/, int (^func)(hx509_cert)); #endif /* __BLOCKS__ */ /** * Iterate over all certificates in a keystore and call a function * for each of them. * * @param context a hx509 context. * @param certs certificate store to iterate over. * @param func function to call for each certificate. The function * should return non-zero to abort the iteration, that value is passed * back to the caller of hx509_certs_iter_f(). * @param ctx context variable that will passed to the function. * * @return Returns an hx509 error code. * * @ingroup hx509_keyset */ int hx509_certs_iter_f ( hx509_context /*context*/, hx509_certs /*certs*/, int (*/*func*/)(hx509_context, void *, hx509_cert), void */*ctx*/); /** * Merge a certificate store into another. The from store is keep * intact. * * @param context a hx509 context. * @param to the store to merge into. * @param from the store to copy the object from. * * @return Returns an hx509 error code. * * @ingroup hx509_keyset */ int hx509_certs_merge ( hx509_context /*context*/, hx509_certs /*to*/, hx509_certs /*from*/); /** * Get next ceritificate from the certificate keystore pointed out by * cursor. * * @param context a hx509 context. * @param certs certificate store to iterate over. * @param cursor cursor that keeps track of progress. * @param cert return certificate next in store, NULL if the store * contains no more certificates. Free with hx509_cert_free(). * * @return Returns an hx509 error code. * * @ingroup hx509_keyset */ int hx509_certs_next_cert ( hx509_context /*context*/, hx509_certs /*certs*/, hx509_cursor /*cursor*/, hx509_cert */*cert*/); hx509_certs hx509_certs_ref (hx509_certs /*certs*/); /** * Start the integration * * @param context a hx509 context. * @param certs certificate store to iterate over * @param cursor cursor that will keep track of progress, free with * hx509_certs_end_seq(). * * @return Returns an hx509 error code. HX509_UNSUPPORTED_OPERATION is * returned if the certificate store doesn't support the iteration * operation. * * @ingroup hx509_keyset */ int hx509_certs_start_seq ( hx509_context /*context*/, hx509_certs /*certs*/, hx509_cursor */*cursor*/); /** * Write the certificate store to stable storage. * * @param context A hx509 context. * @param certs a certificate store to store. * @param flags currently unused, use 0. * @param lock a lock that unlocks the certificates store, use NULL to * select no password/certifictes/prompt lock (see @ref page_lock). * * @return Returns an hx509 error code. HX509_UNSUPPORTED_OPERATION if * the certificate store doesn't support the store operation. * * @ingroup hx509_keyset */ int hx509_certs_store ( hx509_context /*context*/, hx509_certs /*certs*/, int /*flags*/, hx509_lock /*lock*/); /** * Function to use to hx509_certs_iter_f() as a function argument, the * ctx variable to hx509_certs_iter_f() should be a FILE file descriptor. * * @param context a hx509 context. * @param ctx used by hx509_certs_iter_f(). * @param c a certificate * * @return Returns an hx509 error code. * * @ingroup hx509_keyset */ int hx509_ci_print_names ( hx509_context /*context*/, void */*ctx*/, hx509_cert /*c*/); /** * Resets the error strings the hx509 context. * * @param context A hx509 context. * * @ingroup hx509_error */ void hx509_clear_error_string (hx509_context /*context*/); int hx509_cms_create_signed ( hx509_context /*context*/, int /*flags*/, const heim_oid */*eContentType*/, const void */*data*/, size_t /*length*/, const AlgorithmIdentifier */*digest_alg*/, hx509_certs /*certs*/, hx509_peer_info /*peer*/, hx509_certs /*anchors*/, hx509_certs /*pool*/, heim_octet_string */*signed_data*/); /** * Decode SignedData and verify that the signature is correct. * * @param context A hx509 context. * @param flags * @param eContentType the type of the data. * @param data data to sign * @param length length of the data that data point to. * @param digest_alg digest algorithm to use, use NULL to get the * default or the peer determined algorithm. * @param cert certificate to use for sign the data. * @param peer info about the peer the message to send the message to, * like what digest algorithm to use. * @param anchors trust anchors that the client will use, used to * polulate the certificates included in the message * @param pool certificates to use in try to build the path to the * trust anchors. * @param signed_data the output of the function, free with * der_free_octet_string(). * * @return Returns an hx509 error code. * * @ingroup hx509_cms */ int hx509_cms_create_signed_1 ( hx509_context /*context*/, int /*flags*/, const heim_oid */*eContentType*/, const void */*data*/, size_t /*length*/, const AlgorithmIdentifier */*digest_alg*/, hx509_cert /*cert*/, hx509_peer_info /*peer*/, hx509_certs /*anchors*/, hx509_certs /*pool*/, heim_octet_string */*signed_data*/); /** * Use HX509_CMS_SIGNATURE_NO_SIGNER to create no sigInfo (no * signatures). */ int hx509_cms_decrypt_encrypted ( hx509_context /*context*/, hx509_lock /*lock*/, const void */*data*/, size_t /*length*/, heim_oid */*contentType*/, heim_octet_string */*content*/); /** * Encrypt end encode EnvelopedData. * * Encrypt and encode EnvelopedData. The data is encrypted with a * random key and the the random key is encrypted with the * certificates private key. This limits what private key type can be * used to RSA. * * @param context A hx509 context. * @param flags flags to control the behavior. * - HX509_CMS_EV_NO_KU_CHECK - Don't check KU on certificate * - HX509_CMS_EV_ALLOW_WEAK - Allow weak crytpo * - HX509_CMS_EV_ID_NAME - prefer issuer name and serial number * @param cert Certificate to encrypt the EnvelopedData encryption key * with. * @param data pointer the data to encrypt. * @param length length of the data that data point to. * @param encryption_type Encryption cipher to use for the bulk data, * use NULL to get default. * @param contentType type of the data that is encrypted * @param content the output of the function, * free with der_free_octet_string(). * * @return an hx509 error code. * * @ingroup hx509_cms */ int hx509_cms_envelope_1 ( hx509_context /*context*/, int /*flags*/, hx509_cert /*cert*/, const void */*data*/, size_t /*length*/, const heim_oid */*encryption_type*/, const heim_oid */*contentType*/, heim_octet_string */*content*/); /** * Decode and unencrypt EnvelopedData. * * Extract data and parameteres from from the EnvelopedData. Also * supports using detached EnvelopedData. * * @param context A hx509 context. * @param certs Certificate that can decrypt the EnvelopedData * encryption key. * @param flags HX509_CMS_UE flags to control the behavior. * @param data pointer the structure the contains the DER/BER encoded * EnvelopedData stucture. * @param length length of the data that data point to. * @param encryptedContent in case of detached signature, this * contains the actual encrypted data, othersize its should be NULL. * @param time_now set the current time, if zero the library uses now as the date. * @param contentType output type oid, should be freed with der_free_oid(). * @param content the data, free with der_free_octet_string(). * * @return an hx509 error code. * * @ingroup hx509_cms */ int hx509_cms_unenvelope ( hx509_context /*context*/, hx509_certs /*certs*/, int /*flags*/, const void */*data*/, size_t /*length*/, const heim_octet_string */*encryptedContent*/, time_t /*time_now*/, heim_oid */*contentType*/, heim_octet_string */*content*/); /** * Decode an ContentInfo and unwrap data and oid it. * * @param in the encoded buffer. * @param oid type of the content. * @param out data to be wrapped. * @param have_data since the data is optional, this flags show dthe * diffrence between no data and the zero length data. * * @return Returns an hx509 error code. * * @ingroup hx509_cms */ int hx509_cms_unwrap_ContentInfo ( const heim_octet_string */*in*/, heim_oid */*oid*/, heim_octet_string */*out*/, int */*have_data*/); /** * Decode SignedData and verify that the signature is correct. * * @param context A hx509 context. * @param ctx a hx509 verify context. * @param flags to control the behaivor of the function. * - HX509_CMS_VS_NO_KU_CHECK - Don't check KeyUsage * - HX509_CMS_VS_ALLOW_DATA_OID_MISMATCH - allow oid mismatch * - HX509_CMS_VS_ALLOW_ZERO_SIGNER - no signer, see below. * @param data pointer to CMS SignedData encoded data. * @param length length of the data that data point to. * @param signedContent external data used for signature. * @param pool certificate pool to build certificates paths. * @param contentType free with der_free_oid(). * @param content the output of the function, free with * der_free_octet_string(). * @param signer_certs list of the cerficates used to sign this * request, free with hx509_certs_free(). * * @return an hx509 error code. * * @ingroup hx509_cms */ int hx509_cms_verify_signed ( hx509_context /*context*/, hx509_verify_ctx /*ctx*/, unsigned int /*flags*/, const void */*data*/, size_t /*length*/, const heim_octet_string */*signedContent*/, hx509_certs /*pool*/, heim_oid */*contentType*/, heim_octet_string */*content*/, hx509_certs */*signer_certs*/); /** * Wrap data and oid in a ContentInfo and encode it. * * @param oid type of the content. * @param buf data to be wrapped. If a NULL pointer is passed in, the * optional content field in the ContentInfo is not going be filled * in. * @param res the encoded buffer, the result should be freed with * der_free_octet_string(). * * @return Returns an hx509 error code. * * @ingroup hx509_cms */ int hx509_cms_wrap_ContentInfo ( const heim_oid */*oid*/, const heim_octet_string */*buf*/, heim_octet_string */*res*/); /** * Free the context allocated by hx509_context_init(). * * @param context context to be freed. * * @ingroup hx509 */ void hx509_context_free (hx509_context */*context*/); /** * Creates a hx509 context that most functions in the library * uses. The context is only allowed to be used by one thread at each * moment. Free the context with hx509_context_free(). * * @param context Returns a pointer to new hx509 context. * * @return Returns an hx509 error code. * * @ingroup hx509 */ int hx509_context_init (hx509_context */*context*/); /** * Selects if the hx509_revoke_verify() function is going to require * the existans of a revokation method (OCSP, CRL) or not. Note that * hx509_verify_path(), hx509_cms_verify_signed(), and other function * call hx509_revoke_verify(). * * @param context hx509 context to change the flag for. * @param flag zero, revokation method required, non zero missing * revokation method ok * * @ingroup hx509_verify */ void hx509_context_set_missing_revoke ( hx509_context /*context*/, int /*flag*/); /** * Add revoked certificate to an CRL context. * * @param context a hx509 context. * @param crl the CRL to add the revoked certificate to. * @param certs keyset of certificate to revoke. * * @return An hx509 error code, see hx509_get_error_string(). * * @ingroup hx509_verify */ int hx509_crl_add_revoked_certs ( hx509_context /*context*/, hx509_crl /*crl*/, hx509_certs /*certs*/); /** * Create a CRL context. Use hx509_crl_free() to free the CRL context. * * @param context a hx509 context. * @param crl return pointer to a newly allocated CRL context. * * @return An hx509 error code, see hx509_get_error_string(). * * @ingroup hx509_verify */ int hx509_crl_alloc ( hx509_context /*context*/, hx509_crl */*crl*/); /** * Free a CRL context. * * @param context a hx509 context. * @param crl a CRL context to free. * * @ingroup hx509_verify */ void hx509_crl_free ( hx509_context /*context*/, hx509_crl */*crl*/); /** * Set the lifetime of a CRL context. * * @param context a hx509 context. * @param crl a CRL context * @param delta delta time the certificate is valid, library adds the * current time to this. * * @return An hx509 error code, see hx509_get_error_string(). * * @ingroup hx509_verify */ int hx509_crl_lifetime ( hx509_context /*context*/, hx509_crl /*crl*/, int /*delta*/); /** * Sign a CRL and return an encode certificate. * * @param context a hx509 context. * @param signer certificate to sign the CRL with * @param crl the CRL to sign * @param os return the signed and encoded CRL, free with * free_heim_octet_string() * * @return An hx509 error code, see hx509_get_error_string(). * * @ingroup hx509_verify */ int hx509_crl_sign ( hx509_context /*context*/, hx509_cert /*signer*/, hx509_crl /*crl*/, heim_octet_string */*os*/); const AlgorithmIdentifier * hx509_crypto_aes128_cbc (void); const AlgorithmIdentifier * hx509_crypto_aes256_cbc (void); void hx509_crypto_allow_weak (hx509_crypto /*crypto*/); int hx509_crypto_available ( hx509_context /*context*/, int /*type*/, hx509_cert /*source*/, AlgorithmIdentifier **/*val*/, unsigned int */*plen*/); int hx509_crypto_decrypt ( hx509_crypto /*crypto*/, const void */*data*/, const size_t /*length*/, heim_octet_string */*ivec*/, heim_octet_string */*clear*/); const AlgorithmIdentifier * hx509_crypto_des_rsdi_ede3_cbc (void); void hx509_crypto_destroy (hx509_crypto /*crypto*/); int hx509_crypto_encrypt ( hx509_crypto /*crypto*/, const void */*data*/, const size_t /*length*/, const heim_octet_string */*ivec*/, heim_octet_string **/*ciphertext*/); const heim_oid * hx509_crypto_enctype_by_name (const char */*name*/); void hx509_crypto_free_algs ( AlgorithmIdentifier */*val*/, unsigned int /*len*/); int hx509_crypto_get_params ( hx509_context /*context*/, hx509_crypto /*crypto*/, const heim_octet_string */*ivec*/, heim_octet_string */*param*/); int hx509_crypto_init ( hx509_context /*context*/, const char */*provider*/, const heim_oid */*enctype*/, hx509_crypto */*crypto*/); const char * hx509_crypto_provider (hx509_crypto /*crypto*/); int hx509_crypto_random_iv ( hx509_crypto /*crypto*/, heim_octet_string */*ivec*/); int hx509_crypto_select ( const hx509_context /*context*/, int /*type*/, const hx509_private_key /*source*/, hx509_peer_info /*peer*/, AlgorithmIdentifier */*selected*/); int hx509_crypto_set_key_data ( hx509_crypto /*crypto*/, const void */*data*/, size_t /*length*/); int hx509_crypto_set_key_name ( hx509_crypto /*crypto*/, const char */*name*/); void hx509_crypto_set_padding ( hx509_crypto /*crypto*/, int /*padding_type*/); int hx509_crypto_set_params ( hx509_context /*context*/, hx509_crypto /*crypto*/, const heim_octet_string */*param*/, heim_octet_string */*ivec*/); int hx509_crypto_set_random_key ( hx509_crypto /*crypto*/, heim_octet_string */*key*/); /** * Add a new key/value pair to the hx509_env. * * @param context A hx509 context. * @param env environment to add the environment variable too. * @param key key to add * @param value value to add * * @return An hx509 error code, see hx509_get_error_string(). * * @ingroup hx509_env */ int hx509_env_add ( hx509_context /*context*/, hx509_env */*env*/, const char */*key*/, const char */*value*/); /** * Add a new key/binding pair to the hx509_env. * * @param context A hx509 context. * @param env environment to add the environment variable too. * @param key key to add * @param list binding list to add * * @return An hx509 error code, see hx509_get_error_string(). * * @ingroup hx509_env */ int hx509_env_add_binding ( hx509_context /*context*/, hx509_env */*env*/, const char */*key*/, hx509_env /*list*/); /** * Search the hx509_env for a key. * * @param context A hx509 context. * @param env environment to add the environment variable too. * @param key key to search for. * * @return the value if the key is found, NULL otherwise. * * @ingroup hx509_env */ const char * hx509_env_find ( hx509_context /*context*/, hx509_env /*env*/, const char */*key*/); /** * Search the hx509_env for a binding. * * @param context A hx509 context. * @param env environment to add the environment variable too. * @param key key to search for. * * @return the binding if the key is found, NULL if not found. * * @ingroup hx509_env */ hx509_env hx509_env_find_binding ( hx509_context /*context*/, hx509_env /*env*/, const char */*key*/); /** * Free an hx509_env environment context. * * @param env the environment to free. * * @ingroup hx509_env */ void hx509_env_free (hx509_env */*env*/); /** * Search the hx509_env for a length based key. * * @param context A hx509 context. * @param env environment to add the environment variable too. * @param key key to search for. * @param len length of key. * * @return the value if the key is found, NULL otherwise. * * @ingroup hx509_env */ const char * hx509_env_lfind ( hx509_context /*context*/, hx509_env /*env*/, const char */*key*/, size_t /*len*/); /** * Print error message and fatally exit from error code * * @param context A hx509 context. * @param exit_code exit() code from process. * @param error_code Error code for the reason to exit. * @param fmt format string with the exit message. * @param ... argument to format string. * * @ingroup hx509_error */ void hx509_err ( hx509_context /*context*/, int /*exit_code*/, int /*error_code*/, const char */*fmt*/, ...); hx509_private_key_ops * hx509_find_private_alg (const heim_oid */*oid*/); /** * Free error string returned by hx509_get_error_string(). * * @param str error string to free. * * @ingroup hx509_error */ void hx509_free_error_string (char */*str*/); /** * Free a list of octet strings returned by another hx509 library * function. * * @param list list to be freed. * * @ingroup hx509_misc */ void hx509_free_octet_string_list (hx509_octet_string_list */*list*/); /** * Unparse the hx509 name in name into a string. * * @param name the name to print * @param str an allocated string returns the name in string form * * @return An hx509 error code, see hx509_get_error_string(). * * @ingroup hx509_name */ int hx509_general_name_unparse ( GeneralName */*name*/, char **/*str*/); /** * Get an error string from context associated with error_code. * * @param context A hx509 context. * @param error_code Get error message for this error code. * * @return error string, free with hx509_free_error_string(). * * @ingroup hx509_error */ char * hx509_get_error_string ( hx509_context /*context*/, int /*error_code*/); /** * Get one random certificate from the certificate store. * * @param context a hx509 context. * @param certs a certificate store to get the certificate from. * @param c return certificate, should be freed with hx509_cert_free(). * * @return Returns an hx509 error code. * * @ingroup hx509_keyset */ int hx509_get_one_cert ( hx509_context /*context*/, hx509_certs /*certs*/, hx509_cert */*c*/); int hx509_lock_add_cert ( hx509_context /*context*/, hx509_lock /*lock*/, hx509_cert /*cert*/); int hx509_lock_add_certs ( hx509_context /*context*/, hx509_lock /*lock*/, hx509_certs /*certs*/); int hx509_lock_add_password ( hx509_lock /*lock*/, const char */*password*/); int hx509_lock_command_string ( hx509_lock /*lock*/, const char */*string*/); void hx509_lock_free (hx509_lock /*lock*/); /** * @page page_lock Locking and unlocking certificates and encrypted data. * * See the library functions here: @ref hx509_lock */ int hx509_lock_init ( hx509_context /*context*/, hx509_lock */*lock*/); int hx509_lock_prompt ( hx509_lock /*lock*/, hx509_prompt */*prompt*/); void hx509_lock_reset_certs ( hx509_context /*context*/, hx509_lock /*lock*/); void hx509_lock_reset_passwords (hx509_lock /*lock*/); void hx509_lock_reset_promper (hx509_lock /*lock*/); int hx509_lock_set_prompter ( hx509_lock /*lock*/, hx509_prompter_fct /*prompt*/, void */*data*/); /** * Convert a hx509_name object to DER encoded name. * * @param name name to concert * @param os data to a DER encoded name, free the resulting octet * string with hx509_xfree(os->data). * * @return An hx509 error code, see hx509_get_error_string(). * * @ingroup hx509_name */ int hx509_name_binary ( const hx509_name /*name*/, heim_octet_string */*os*/); /** * Compare to hx509 name object, useful for sorting. * * @param n1 a hx509 name object. * @param n2 a hx509 name object. * * @return 0 the objects are the same, returns > 0 is n2 is "larger" * then n2, < 0 if n1 is "smaller" then n2. * * @ingroup hx509_name */ int hx509_name_cmp ( hx509_name /*n1*/, hx509_name /*n2*/); /** * Copy a hx509 name object. * * @param context A hx509 cotext. * @param from the name to copy from * @param to the name to copy to * * @return An hx509 error code, see hx509_get_error_string(). * * @ingroup hx509_name */ int hx509_name_copy ( hx509_context /*context*/, const hx509_name /*from*/, hx509_name */*to*/); /** * Expands variables in the name using env. Variables are on the form * ${name}. Useful when dealing with certificate templates. * * @param context A hx509 cotext. * @param name the name to expand. * @param env environment variable to expand. * * @return An hx509 error code, see hx509_get_error_string(). * * @ingroup hx509_name */ int hx509_name_expand ( hx509_context /*context*/, hx509_name /*name*/, hx509_env /*env*/); /** * Free a hx509 name object, upond return *name will be NULL. * * @param name a hx509 name object to be freed. * * @ingroup hx509_name */ void hx509_name_free (hx509_name */*name*/); /** * Unparse the hx509 name in name into a string. * * @param name the name to check if its empty/null. * * @return non zero if the name is empty/null. * * @ingroup hx509_name */ int hx509_name_is_null_p (const hx509_name /*name*/); int hx509_name_normalize ( hx509_context /*context*/, hx509_name /*name*/); /** * Convert a hx509_name into a Name. * * @param from the name to copy from * @param to the name to copy to * * @return An hx509 error code, see hx509_get_error_string(). * * @ingroup hx509_name */ int hx509_name_to_Name ( const hx509_name /*from*/, Name */*to*/); /** * Convert the hx509 name object into a printable string. * The resulting string should be freed with free(). * * @param name name to print * @param str the string to return * * @return An hx509 error code, see hx509_get_error_string(). * * @ingroup hx509_name */ int hx509_name_to_string ( const hx509_name /*name*/, char **/*str*/); /** * Create an OCSP request for a set of certificates. * * @param context a hx509 context * @param reqcerts list of certificates to request ocsp data for * @param pool certificate pool to use when signing * @param signer certificate to use to sign the request * @param digest the signing algorithm in the request, if NULL use the * default signature algorithm, * @param request the encoded request, free with free_heim_octet_string(). * @param nonce nonce in the request, free with free_heim_octet_string(). * * @return An hx509 error code, see hx509_get_error_string(). * * @ingroup hx509_revoke */ int hx509_ocsp_request ( hx509_context /*context*/, hx509_certs /*reqcerts*/, hx509_certs /*pool*/, hx509_cert /*signer*/, const AlgorithmIdentifier */*digest*/, heim_octet_string */*request*/, heim_octet_string */*nonce*/); /** * Verify that the certificate is part of the OCSP reply and it's not * expired. Doesn't verify signature the OCSP reply or it's done by a * authorized sender, that is assumed to be already done. * * @param context a hx509 context * @param now the time right now, if 0, use the current time. * @param cert the certificate to verify * @param flags flags control the behavior * @param data pointer to the encode ocsp reply * @param length the length of the encode ocsp reply * @param expiration return the time the OCSP will expire and need to * be rechecked. * * @return An hx509 error code, see hx509_get_error_string(). * * @ingroup hx509_verify */ int hx509_ocsp_verify ( hx509_context /*context*/, time_t /*now*/, hx509_cert /*cert*/, int /*flags*/, const void */*data*/, size_t /*length*/, time_t */*expiration*/); /** * Print a oid using a hx509_vprint_func function. To print to stdout * use hx509_print_stdout(). * * @param oid oid to print * @param func hx509_vprint_func to print with. * @param ctx context variable to hx509_vprint_func function. * * @ingroup hx509_print */ void hx509_oid_print ( const heim_oid */*oid*/, hx509_vprint_func /*func*/, void */*ctx*/); /** * Print a oid to a string. * * @param oid oid to print * @param str allocated string, free with hx509_xfree(). * * @return An hx509 error code, see hx509_get_error_string(). * * @ingroup hx509_print */ int hx509_oid_sprint ( const heim_oid */*oid*/, char **/*str*/); /** * Parse a string into a hx509 name object. * * @param context A hx509 context. * @param str a string to parse. * @param name the resulting object, NULL in case of error. * * @return An hx509 error code, see hx509_get_error_string(). * * @ingroup hx509_name */ int hx509_parse_name ( hx509_context /*context*/, const char */*str*/, hx509_name */*name*/); int hx509_parse_private_key ( hx509_context /*context*/, const AlgorithmIdentifier */*keyai*/, const void */*data*/, size_t /*len*/, hx509_key_format_t /*format*/, hx509_private_key */*private_key*/); /** * Add an additional algorithm that the peer supports. * * @param context A hx509 context. * @param peer the peer to set the new algorithms for * @param val an AlgorithmsIdentier to add * * @return An hx509 error code, see hx509_get_error_string(). * * @ingroup hx509_peer */ int hx509_peer_info_add_cms_alg ( hx509_context /*context*/, hx509_peer_info /*peer*/, const AlgorithmIdentifier */*val*/); /** * Allocate a new peer info structure an init it to default values. * * @param context A hx509 context. * @param peer return an allocated peer, free with hx509_peer_info_free(). * * @return An hx509 error code, see hx509_get_error_string(). * * @ingroup hx509_peer */ int hx509_peer_info_alloc ( hx509_context /*context*/, hx509_peer_info */*peer*/); /** * Free a peer info structure. * * @param peer peer info to be freed. * * @ingroup hx509_peer */ void hx509_peer_info_free (hx509_peer_info /*peer*/); /** * Set the certificate that remote peer is using. * * @param peer peer info to update * @param cert cerificate of the remote peer. * * @return An hx509 error code, see hx509_get_error_string(). * * @ingroup hx509_peer */ int hx509_peer_info_set_cert ( hx509_peer_info /*peer*/, hx509_cert /*cert*/); /** * Set the algorithms that the peer supports. * * @param context A hx509 context. * @param peer the peer to set the new algorithms for * @param val array of supported AlgorithmsIdentiers * @param len length of array val. * * @return An hx509 error code, see hx509_get_error_string(). * * @ingroup hx509_peer */ int hx509_peer_info_set_cms_algs ( hx509_context /*context*/, hx509_peer_info /*peer*/, const AlgorithmIdentifier */*val*/, size_t /*len*/); int hx509_pem_add_header ( hx509_pem_header **/*headers*/, const char */*header*/, const char */*value*/); const char * hx509_pem_find_header ( const hx509_pem_header */*h*/, const char */*header*/); void hx509_pem_free_header (hx509_pem_header */*headers*/); int hx509_pem_read ( hx509_context /*context*/, FILE */*f*/, hx509_pem_read_func /*func*/, void */*ctx*/); int hx509_pem_write ( hx509_context /*context*/, const char */*type*/, hx509_pem_header */*headers*/, FILE */*f*/, const void */*data*/, size_t /*size*/); /** * Print a simple representation of a certificate * * @param context A hx509 context, can be NULL * @param cert certificate to print * @param out the stdio output stream, if NULL, stdout is used * * @return An hx509 error code * * @ingroup hx509_cert */ int hx509_print_cert ( hx509_context /*context*/, hx509_cert /*cert*/, FILE */*out*/); /** * Helper function to print on stdout for: * - hx509_oid_print(), * - hx509_bitstring_print(), * - hx509_validate_ctx_set_print(). * * @param ctx the context to the print function. If the ctx is NULL, * stdout is used. * @param fmt the printing format. * @param va the argumet list. * * @ingroup hx509_print */ void hx509_print_stdout ( void */*ctx*/, const char */*fmt*/, va_list /*va*/); int hx509_private_key2SPKI ( hx509_context /*context*/, hx509_private_key /*private_key*/, SubjectPublicKeyInfo */*spki*/); void hx509_private_key_assign_rsa ( hx509_private_key /*key*/, void */*ptr*/); int hx509_private_key_free (hx509_private_key */*key*/); int hx509_private_key_init ( hx509_private_key */*key*/, hx509_private_key_ops */*ops*/, void */*keydata*/); int hx509_private_key_private_decrypt ( hx509_context /*context*/, const heim_octet_string */*ciphertext*/, const heim_oid */*encryption_oid*/, hx509_private_key /*p*/, heim_octet_string */*cleartext*/); int hx509_prompt_hidden (hx509_prompt_type /*type*/); /** * Allocate an query controller. Free using hx509_query_free(). * * @param context A hx509 context. * @param q return pointer to a hx509_query. * * @return An hx509 error code, see hx509_get_error_string(). * * @ingroup hx509_cert */ int hx509_query_alloc ( hx509_context /*context*/, hx509_query **/*q*/); /** * Free the query controller. * * @param context A hx509 context. * @param q a pointer to the query controller. * * @ingroup hx509_cert */ void hx509_query_free ( hx509_context /*context*/, hx509_query */*q*/); /** * Set the query controller to match using a specific match function. * * @param q a hx509 query controller. * @param func function to use for matching, if the argument is NULL, * the match function is removed. * @param ctx context passed to the function. * * @return An hx509 error code, see hx509_get_error_string(). * * @ingroup hx509_cert */ int hx509_query_match_cmp_func ( hx509_query */*q*/, int (*/*func*/)(hx509_context, hx509_cert, void *), void */*ctx*/); /** * Set the query controller to require an one specific EKU (extended * key usage). Any previous EKU matching is overwitten. If NULL is * passed in as the eku, the EKU requirement is reset. * * @param q a hx509 query controller. * @param eku an EKU to match on. * * @return An hx509 error code, see hx509_get_error_string(). * * @ingroup hx509_cert */ int hx509_query_match_eku ( hx509_query */*q*/, const heim_oid */*eku*/); int hx509_query_match_expr ( hx509_context /*context*/, hx509_query */*q*/, const char */*expr*/); /** * Set the query controller to match on a friendly name * * @param q a hx509 query controller. * @param name a friendly name to match on * * @return An hx509 error code, see hx509_get_error_string(). * * @ingroup hx509_cert */ int hx509_query_match_friendly_name ( hx509_query */*q*/, const char */*name*/); /** * Set the issuer and serial number of match in the query * controller. The function make copies of the isser and serial number. * * @param q a hx509 query controller * @param issuer issuer to search for * @param serialNumber the serialNumber of the issuer. * * @return An hx509 error code, see hx509_get_error_string(). * * @ingroup hx509_cert */ int hx509_query_match_issuer_serial ( hx509_query */*q*/, const Name */*issuer*/, const heim_integer */*serialNumber*/); /** * Set match options for the hx509 query controller. * * @param q query controller. * @param option options to control the query controller. * * @return An hx509 error code, see hx509_get_error_string(). * * @ingroup hx509_cert */ void hx509_query_match_option ( hx509_query */*q*/, hx509_query_option /*option*/); /** * Set a statistic file for the query statistics. * * @param context A hx509 context. * @param fn statistics file name * * @ingroup hx509_cert */ void hx509_query_statistic_file ( hx509_context /*context*/, const char */*fn*/); /** * Unparse the statistics file and print the result on a FILE descriptor. * * @param context A hx509 context. * @param printtype tyep to print * @param out the FILE to write the data on. * * @ingroup hx509_cert */ void hx509_query_unparse_stats ( hx509_context /*context*/, int /*printtype*/, FILE */*out*/); void hx509_request_free (hx509_request */*req*/); int hx509_request_get_SubjectPublicKeyInfo ( hx509_context /*context*/, hx509_request /*req*/, SubjectPublicKeyInfo */*key*/); int hx509_request_get_name ( hx509_context /*context*/, hx509_request /*req*/, hx509_name */*name*/); int hx509_request_init ( hx509_context /*context*/, hx509_request */*req*/); int hx509_request_set_SubjectPublicKeyInfo ( hx509_context /*context*/, hx509_request /*req*/, const SubjectPublicKeyInfo */*key*/); int hx509_request_set_name ( hx509_context /*context*/, hx509_request /*req*/, hx509_name /*name*/); /** * Add a CRL file to the revokation context. * * @param context hx509 context * @param ctx hx509 revokation context * @param path path to file that is going to be added to the context. * * @return An hx509 error code, see hx509_get_error_string(). * * @ingroup hx509_revoke */ int hx509_revoke_add_crl ( hx509_context /*context*/, hx509_revoke_ctx /*ctx*/, const char */*path*/); /** * Add a OCSP file to the revokation context. * * @param context hx509 context * @param ctx hx509 revokation context * @param path path to file that is going to be added to the context. * * @return An hx509 error code, see hx509_get_error_string(). * * @ingroup hx509_revoke */ int hx509_revoke_add_ocsp ( hx509_context /*context*/, hx509_revoke_ctx /*ctx*/, const char */*path*/); /** * Free a hx509 revokation context. * * @param ctx context to be freed * * @ingroup hx509_revoke */ void hx509_revoke_free (hx509_revoke_ctx */*ctx*/); /** * Allocate a revokation context. Free with hx509_revoke_free(). * * @param context A hx509 context. * @param ctx returns a newly allocated revokation context. * * @return An hx509 error code, see hx509_get_error_string(). * * @ingroup hx509_revoke */ int hx509_revoke_init ( hx509_context /*context*/, hx509_revoke_ctx */*ctx*/); /** * Print the OCSP reply stored in a file. * * @param context a hx509 context * @param path path to a file with a OCSP reply * @param out the out FILE descriptor to print the reply on * * @return An hx509 error code, see hx509_get_error_string(). * * @ingroup hx509_revoke */ int hx509_revoke_ocsp_print ( hx509_context /*context*/, const char */*path*/, FILE */*out*/); int hx509_revoke_print ( hx509_context /*context*/, hx509_revoke_ctx /*ctx*/, FILE */*out*/); /** * Check that a certificate is not expired according to a revokation * context. Also need the parent certificte to the check OCSP * parent identifier. * * @param context hx509 context * @param ctx hx509 revokation context * @param certs * @param now * @param cert * @param parent_cert * * @return An hx509 error code, see hx509_get_error_string(). * * @ingroup hx509_revoke */ int hx509_revoke_verify ( hx509_context /*context*/, hx509_revoke_ctx /*ctx*/, hx509_certs /*certs*/, time_t /*now*/, hx509_cert /*cert*/, hx509_cert /*parent_cert*/); /** * See hx509_set_error_stringv(). * * @param context A hx509 context. * @param flags * - HX509_ERROR_APPEND appends the error string to the old messages (code is updated). * @param code error code related to error message * @param fmt error message format * @param ... arguments to error message format * * @ingroup hx509_error */ void hx509_set_error_string ( hx509_context /*context*/, int /*flags*/, int /*code*/, const char */*fmt*/, ...); /** * Add an error message to the hx509 context. * * @param context A hx509 context. * @param flags * - HX509_ERROR_APPEND appends the error string to the old messages (code is updated). * @param code error code related to error message * @param fmt error message format * @param ap arguments to error message format * * @ingroup hx509_error */ void hx509_set_error_stringv ( hx509_context /*context*/, int /*flags*/, int /*code*/, const char */*fmt*/, va_list /*ap*/); const AlgorithmIdentifier * hx509_signature_ecPublicKey (void); const AlgorithmIdentifier * hx509_signature_ecdsa_with_sha256 (void); const AlgorithmIdentifier * hx509_signature_md5 (void); const AlgorithmIdentifier * hx509_signature_rsa (void); const AlgorithmIdentifier * hx509_signature_rsa_pkcs1_x509 (void); const AlgorithmIdentifier * hx509_signature_rsa_with_md5 (void); const AlgorithmIdentifier * hx509_signature_rsa_with_sha1 (void); const AlgorithmIdentifier * hx509_signature_rsa_with_sha256 (void); const AlgorithmIdentifier * hx509_signature_rsa_with_sha384 (void); const AlgorithmIdentifier * hx509_signature_rsa_with_sha512 (void); const AlgorithmIdentifier * hx509_signature_sha1 (void); const AlgorithmIdentifier * hx509_signature_sha256 (void); const AlgorithmIdentifier * hx509_signature_sha384 (void); const AlgorithmIdentifier * hx509_signature_sha512 (void); /** * Convert a DER encoded name info a string. * * @param data data to a DER/BER encoded name * @param length length of data * @param str the resulting string, is NULL on failure. * * @return An hx509 error code, see hx509_get_error_string(). * * @ingroup hx509_name */ int hx509_unparse_der_name ( const void */*data*/, size_t /*length*/, char **/*str*/); /** * Validate/Print the status of the certificate. * * @param context A hx509 context. * @param ctx A hx509 validation context. * @param cert the cerificate to validate/print. * @return An hx509 error code, see hx509_get_error_string(). * * @ingroup hx509_print */ int hx509_validate_cert ( hx509_context /*context*/, hx509_validate_ctx /*ctx*/, hx509_cert /*cert*/); /** * Add flags to control the behaivor of the hx509_validate_cert() * function. * * @param ctx A hx509 validation context. * @param flags flags to add to the validation context. * * @return An hx509 error code, see hx509_get_error_string(). * * @ingroup hx509_print */ void hx509_validate_ctx_add_flags ( hx509_validate_ctx /*ctx*/, int /*flags*/); /** * Free an hx509 validate context. * * @param ctx the hx509 validate context to free. * * @ingroup hx509_print */ void hx509_validate_ctx_free (hx509_validate_ctx /*ctx*/); /** * Allocate a hx509 validation/printing context. * * @param context A hx509 context. * @param ctx a new allocated hx509 validation context, free with * hx509_validate_ctx_free(). * @return An hx509 error code, see hx509_get_error_string(). * * @ingroup hx509_print */ int hx509_validate_ctx_init ( hx509_context /*context*/, hx509_validate_ctx */*ctx*/); /** * Set the printing functions for the validation context. * * @param ctx a hx509 valication context. * @param func the printing function to usea. * @param c the context variable to the printing function. * * @return An hx509 error code, see hx509_get_error_string(). * * @ingroup hx509_print */ void hx509_validate_ctx_set_print ( hx509_validate_ctx /*ctx*/, hx509_vprint_func /*func*/, void */*c*/); /** * Set the trust anchors in the verification context, makes an * reference to the keyset, so the consumer can free the keyset * independent of the destruction of the verification context (ctx). * If there already is a keyset attached, it's released. * * @param ctx a verification context * @param set a keyset containing the trust anchors. * * @ingroup hx509_verify */ void hx509_verify_attach_anchors ( hx509_verify_ctx /*ctx*/, hx509_certs /*set*/); /** * Attach an revocation context to the verfication context, , makes an * reference to the revoke context, so the consumer can free the * revoke context independent of the destruction of the verification * context. If there is no revoke context, the verification process is * NOT going to check any verification status. * * @param ctx a verification context. * @param revoke_ctx a revoke context. * * @ingroup hx509_verify */ void hx509_verify_attach_revoke ( hx509_verify_ctx /*ctx*/, hx509_revoke_ctx /*revoke_ctx*/); void hx509_verify_ctx_f_allow_best_before_signature_algs ( hx509_context /*ctx*/, int /*boolean*/); /** * Allow using the operating system builtin trust anchors if no other * trust anchors are configured. * * @param ctx a verification context * @param boolean if non zero, useing the operating systems builtin * trust anchors. * * * @return An hx509 error code, see hx509_get_error_string(). * * @ingroup hx509_cert */ void hx509_verify_ctx_f_allow_default_trustanchors ( hx509_verify_ctx /*ctx*/, int /*boolean*/); /** * Free an hx509 verification context. * * @param ctx the context to be freed. * * @ingroup hx509_verify */ void hx509_verify_destroy_ctx (hx509_verify_ctx /*ctx*/); /** * Verify that the certificate is allowed to be used for the hostname * and address. * * @param context A hx509 context. * @param cert the certificate to match with * @param flags Flags to modify the behavior: * - HX509_VHN_F_ALLOW_NO_MATCH no match is ok * @param type type of hostname: * - HX509_HN_HOSTNAME for plain hostname. * - HX509_HN_DNSSRV for DNS SRV names. * @param hostname the hostname to check * @param sa address of the host * @param sa_size length of address * * @return An hx509 error code, see hx509_get_error_string(). * * @ingroup hx509_cert */ int hx509_verify_hostname ( hx509_context /*context*/, const hx509_cert /*cert*/, int /*flags*/, hx509_hostname_type /*type*/, const char */*hostname*/, const struct sockaddr */*sa*/, int /*sa_size*/); /** * Allocate an verification context that is used fo control the * verification process. * * @param context A hx509 context. * @param ctx returns a pointer to a hx509_verify_ctx object. * * @return An hx509 error code, see hx509_get_error_string(). * * @ingroup hx509_verify */ int hx509_verify_init_ctx ( hx509_context /*context*/, hx509_verify_ctx */*ctx*/); /** * Build and verify the path for the certificate to the trust anchor * specified in the verify context. The path is constructed from the * certificate, the pool and the trust anchors. * * @param context A hx509 context. * @param ctx A hx509 verification context. * @param cert the certificate to build the path from. * @param pool A keyset of certificates to build the chain from. * * @return An hx509 error code, see hx509_get_error_string(). * * @ingroup hx509_verify */ int hx509_verify_path ( hx509_context /*context*/, hx509_verify_ctx /*ctx*/, hx509_cert /*cert*/, hx509_certs /*pool*/); /** * Set the maximum depth of the certificate chain that the path * builder is going to try. * * @param ctx a verification context * @param max_depth maxium depth of the certificate chain, include * trust anchor. * * @ingroup hx509_verify */ void hx509_verify_set_max_depth ( hx509_verify_ctx /*ctx*/, unsigned int /*max_depth*/); /** * Allow or deny the use of proxy certificates * * @param ctx a verification context * @param boolean if non zero, allow proxy certificates. * * @ingroup hx509_verify */ void hx509_verify_set_proxy_certificate ( hx509_verify_ctx /*ctx*/, int /*boolean*/); /** * Select strict RFC3280 verification of certificiates. This means * checking key usage on CA certificates, this will make version 1 * certificiates unuseable. * * @param ctx a verification context * @param boolean if non zero, use strict verification. * * @ingroup hx509_verify */ void hx509_verify_set_strict_rfc3280_verification ( hx509_verify_ctx /*ctx*/, int /*boolean*/); /** * Set the clock time the the verification process is going to * use. Used to check certificate in the past and future time. If not * set the current time will be used. * * @param ctx a verification context. * @param t the time the verifiation is using. * * * @ingroup hx509_verify */ void hx509_verify_set_time ( hx509_verify_ctx /*ctx*/, time_t /*t*/); /** * Verify a signature made using the private key of an certificate. * * @param context A hx509 context. * @param signer the certificate that made the signature. * @param alg algorthm that was used to sign the data. * @param data the data that was signed. * @param sig the sigature to verify. * * @return An hx509 error code, see hx509_get_error_string(). * * @ingroup hx509_crypto */ int hx509_verify_signature ( hx509_context /*context*/, const hx509_cert /*signer*/, const AlgorithmIdentifier */*alg*/, const heim_octet_string */*data*/, const heim_octet_string */*sig*/); /** * Free a data element allocated in the library. * * @param ptr data to be freed. * * @ingroup hx509_misc */ void hx509_xfree (void */*ptr*/); int yywrap (void); #ifdef __cplusplus } #endif #endif /* DOXY */ #endif /* __hx509_protos_h__ */