1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
|
#ifndef __DIGI_DOC_CERT_H__
#define __DIGI_DOC_CERT_H__
//==================================================
// FILE: DigiDocCert.h
// PROJECT: Digi Doc
// DESCRIPTION: Digi Doc functions for certificate handling
// AUTHOR: Veiko Sinivee, S|E|B IT Partner Estonia
//==================================================
// Copyright (C) AS Sertifitseerimiskeskus
// This library is free software; you can redistribute it and/or
// modify it under the terms of the GNU Lesser General Public
// License as published by the Free Software Foundation; either
// version 2.1 of the License, or (at your option) any later version.
// This library is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
// Lesser General Public License for more details.ode
// GNU Lesser General Public Licence is available at
// http://www.gnu.org/copyleft/lesser.html
//==========< HISTORY >=============================
//==================================================
#ifdef __cplusplus
extern "C" {
#endif
#include <openssl/evp.h>
#include <openssl/objects.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include <libdigidoc/DigiDocDefs.h>
#include <libdigidoc/DigiDocLib.h>
// structure for reading certificate policies
typedef struct PolicyIdentifier_st {
char* szOID; // stringified OID
char* szCPS; // CPS URL
char* szUserNotice; // user notice
} PolicyIdentifier;
EXP_OPTION int ReadPrivateKey(EVP_PKEY **privKey, const char *keyfile, const char* passwd, int format);
EXP_OPTION int WritePrivateKey(EVP_PKEY *privKey, const char *keyfile, const char* passwd, int format);
int ReadPublicKey(EVP_PKEY **pkey, const char *certfile);
int GetPublicKey(EVP_PKEY **pubKey, const X509* x509);
//--------------------------------------------------
// Writes a private key and cert to a PEM file
// privKey - private key
// pCert - certificate
// keyfile - name of the private key file
// passwd - key password (problems with encrypted passwwords!)
//--------------------------------------------------
EXP_OPTION int ddocWriteKeyAndCertPem(EVP_PKEY *privKey, X509* pCert,
const char *keyfile, const char* passwd);
EXP_OPTION int ReadCertificate(X509 **x509, const char *certfile);
EXP_OPTION int ReadCertificateNoErr(X509 **x509, const char *szCertfile);
EXP_OPTION int ReadCertSerialNumber(char* szSerial, int nMaxLen, X509 *x509);
EXP_OPTION int ReadCertificateByPKCS12(X509 **x509, const char *pkcs12file, const char *passwd, EVP_PKEY **pkey);
// Decodes binary (DER) cert data and returns a cert object
EXP_OPTION int ddocDecodeX509Data(X509 **ppX509, const byte* certData, int certLen);
// Decodes base64 (PEM) cert data and returns a cert object
EXP_OPTION int ddocDecodeX509PEMData(X509 **ppX509, const char* certData, int certLen);
// get certificate PEM form
EXP_OPTION int getCertPEM(X509* cert, int bHeaders, char** buf);
// retrieves this certificates serial number
EXP_OPTION int GetCertSerialNumber(char* szSerial, int nMaxLen, const char *szCertfile);
// Returns the certificates validity first date
EXP_OPTION int getCertNotBefore(const SignedDoc* pSigDoc, X509* cert, char* timestamp, int len);
// Retrieves the certificates first validity time as tim_t in GMT zone
EXP_OPTION time_t getCertNotBeforeTimeT(X509* pCert);
// Retrieves the certificates last validity time as tim_t in GMT zone
EXP_OPTION time_t getCertNotAfterTimeT(X509* pCert);
// Returns the certificates validity last date
EXP_OPTION int getCertNotAfter(const SignedDoc* pSigDoc, X509* cert, char* timestamp, int len);
// Saves the certificate in a file
EXP_OPTION int saveCert(X509* cert, const char* szFileName, int nFormat);
// decodes PEM cert data
EXP_OPTION void* decodeCert(const char* pemData);
// encodes certificate
EXP_OPTION void encodeCert(const X509* x509, char * encodedCert, int* encodedCertLen);
// Reads certificates PolicyIdentifiers and returns
// them in a newly allocated structure
EXP_OPTION int readCertPolicies(X509* pX509, PolicyIdentifier** pPolicies, int* nPols);
// Frees policy identifiers array
EXP_OPTION void PolicyIdentifiers_free(PolicyIdentifier* pPolicies, int nPols);
// Checks if this is a company CPS policy
EXP_OPTION int isCompanyCPSPolicy(PolicyIdentifier* pPolicy);
EXP_OPTION int isCertValid(X509* cert, time_t tDate);
EXP_OPTION int isCertSignedBy(X509* cert, const char* cafile);
int writeCertToXMLFile(BIO* bout, X509* cert);
//--------------------------------------------------
// Verifys a certificate by sending an OCSP_REQUEST object
// to the notary server and checking the response.
// Uses servers timestamps hash code as nonce value.
// pCert - certificate to test
// caCerts - responder CA certs chain
// notaryCert - notarys cert search
// proxyHost - proxy servers name
// proxyPort - proxy servers port
// notaryURL - notarys URL
// ppResp - address to return OCSP response. Use NULL if
// you don't want OCSP response to be returned
// return 0 for OK, or error code
//--------------------------------------------------
EXP_OPTION int verifyCertificateByOCSP(X509* pCert, const X509** caCerts,
const X509* notaryCert, char* notaryURL,
char* proxyHost, char* proxyPort,
const char* pkcs12file, const char* pkcs12paswd,
OCSP_RESPONSE **ppResp);
//--------------------------------------------------
// Verifys a certificate by sending an OCSP_REQUEST object
// to the notary server and checking the response.
// Uses servers timestamps hash code as nonce value.
// pCert - certificate to test
// caCerts - responder CA certs chain
// notaryCert - notarys cert search
// proxyHost - proxy servers name
// proxyPort - proxy servers port
// notaryURL - notarys URL
// ppResp - address to return OCSP response. Use NULL if
// you don't want OCSP response to be returned
// return 0 for OK, or error code
//--------------------------------------------------
EXP_OPTION int verifyCertificateByOCSPWithIp(X509* pCert, const X509** caCerts,
const X509* notaryCert, char* notaryURL,
char* proxyHost, char* proxyPort,
const char* pkcs12file, const char* pkcs12paswd,
OCSP_RESPONSE **ppResp, unsigned long ip);
//--------------------------------------------------
// Returns the certificates sha1 hash.
// pCert - certificate data
// pMemBuf - memory buffer object for storing DN
// returns error code or ERR_OK
//--------------------------------------------------
int ddocCertGetDigest(X509* pCert, DigiDocMemBuf* pMemBuf);
//--------------------------------------------------
// Returns the certificates public key sha1 hash.
// pCert - certificate data
// pMemBuf - memory buffer object for storing DN
// returns error code or ERR_OK
//--------------------------------------------------
int ddocCertGetPubkeyDigest(X509* pCert, DigiDocMemBuf* pMemBuf);
//--------------------------------------------------
// Returns the certificates issuer name.
// pCert - certificate data
// pMemBuf - memory buffer object for storing DN
// returns error code or ERR_OK
//--------------------------------------------------
EXP_OPTION int ddocCertGetIssuerDN(X509* pCert, DigiDocMemBuf* pMemBuf);
//--------------------------------------------------
// Returns the certificates subject name.
// pCert - certificate data
// pMemBuf - memory buffer object for storing DN
// returns error code or ERR_OK
//--------------------------------------------------
EXP_OPTION int ddocCertGetSubjectDN(X509* pCert, DigiDocMemBuf* pMemBuf);
//--------------------------------------------------
// Returns the certificates subject name sha1 hash.
// pCert - certificate data
// pMemBuf - memory buffer object for storing DN
// returns error code or ERR_OK
//--------------------------------------------------
int ddocCertGetSubjectNameDigest(X509* pCert, DigiDocMemBuf* pMemBuf);
//--------------------------------------------------
// Returns the certificates issuer name sha1 hash.
// pCert - certificate data
// pMemBuf - memory buffer object for storing DN
// returns error code or ERR_OK
//--------------------------------------------------
int ddocCertGetIssuerNameDigest(X509* pCert, DigiDocMemBuf* pMemBuf);
//--------------------------------------------------
// Returns the certificates DN.
// Do not call directly, subject to change
// pName - certificate X509 name
// pMemBuf - memory buffer object for storing DN
// bIssuer - 1=issuer, 0=subject
// returns error code or ERR_OK
//--------------------------------------------------
EXP_OPTION int ddocCertGetDNFromName(X509_NAME* pName, DigiDocMemBuf* pMemBuf);
#define KUIDX_DIGITAL_SIGNATURE 0
#define KUIDX_NON_REPUDIATION 1
#define KUIDX_KEY_ENCIPHERMENT 2
#define KUIDX_DATA_ENCIPHERMENT 3
#define KUIDX_KEY_AGREEMENT 4
#define KUIDX_KEY_CERT_SIGN 5
#define KUIDX_CRL_SIGN 6
#define KUIDX_ENCIPHERMENT_ONLY 7
#define KUIDX_DECIPHERMENT_ONLY 8
#define NID_firstName 99
#define NID_lastName 100
#define NID_perCode 105
#define NID_countryName 14
#define NID_serialNumber 105
#define NID_organization 17
#define NID_organizationUnit 18
#define NID_commonName 13
#define NID_emailAddress 48
//--------------------------------------------------------
// Checks if the desired key-usage bit is set on a given cert
// pCert - certificate
// nBit - flag index
// return 1 if bit is set
//--------------------------------------------------------
EXP_OPTION int ddocCertCheckKeyUsage(X509 *pCert, int nBit);
//--------------------------------------------------
// Returns the certificates subject CN
// pCert - certificate data
// pMemBuf - memory buffer object for storing result
// returns error code or ERR_OK
//--------------------------------------------------
EXP_OPTION int ddocCertGetSubjectCN(X509* pCert, DigiDocMemBuf* pMemBuf);
//--------------------------------------------------
// Returns the certificates issuer CN
// pCert - certificate data
// pMemBuf - memory buffer object for storing result
// returns error code or ERR_OK
//--------------------------------------------------
EXP_OPTION int ddocCertGetIssuerCN(X509* pCert, DigiDocMemBuf* pMemBuf);
//--------------------------------------------------
// Returns the certificates subject first name
// pCert - certificate data
// pMemBuf - memory buffer object for storing result
// returns error code or ERR_OK
//--------------------------------------------------
EXP_OPTION int ddocCertGetSubjectFirstName(X509* pCert, DigiDocMemBuf* pMemBuf);
//--------------------------------------------------
// Returns the certificates subject last name
// pCert - certificate data
// pMemBuf - memory buffer object for storing result
// returns error code or ERR_OK
//--------------------------------------------------
EXP_OPTION int ddocCertGetSubjectLastName(X509* pCert, DigiDocMemBuf* pMemBuf);
//--------------------------------------------------
// Returns the certificates subject personal code
// pCert - certificate data
// pMemBuf - memory buffer object for storing result
// returns error code or ERR_OK
//--------------------------------------------------
EXP_OPTION int ddocCertGetSubjectPerCode(X509* pCert, DigiDocMemBuf* pMemBuf);
//--------------------------------------------------
// Returns the certificates subject country code
// pCert - certificate data
// pMemBuf - memory buffer object for storing result
// returns error code or ERR_OK
//--------------------------------------------------
EXP_OPTION int ddocCertGetSubjectCountryName(X509* pCert, DigiDocMemBuf* pMemBuf);
//--------------------------------------------------
// Returns the certificates subject organization
// pCert - certificate data
// pMemBuf - memory buffer object for storing result
// returns error code or ERR_OK
//--------------------------------------------------
EXP_OPTION int ddocCertGetSubjectOrganization(X509* pCert, DigiDocMemBuf* pMemBuf);
//--------------------------------------------------
// Returns the certificates subject organization unit
// pCert - certificate data
// pMemBuf - memory buffer object for storing result
// returns error code or ERR_OK
//--------------------------------------------------
EXP_OPTION int ddocCertGetSubjectOrganizationUnit(X509* pCert, DigiDocMemBuf* pMemBuf);
//--------------------------------------------------
// Reads certificates authority key identifier
// pCert - certificate
// pMemBuf - memory buffer to return data
//--------------------------------------------------
EXP_OPTION int readAuthorityKeyIdentifier(X509* pCert, DigiDocMemBuf* pMemBuf);
//--------------------------------------------------
// Reads certificates subject key identifier
// pCert - certificate
// pMemBuf - memory buffer to return data
//--------------------------------------------------
EXP_OPTION int readSubjectKeyIdentifier(X509* pCert, DigiDocMemBuf* pMemBuf);
//================< deprecated functions> =================================
// these functions are deprecated. Use the replacements in DigiDocCert.h
// these functions will be removed in future releases!
#ifdef WITH_DEPRECATED_FUNCTIONS
// decodes cert data - deprecated!
// USE ddocDecodeX509PEMData() instead!
EXP_OPTION int decodeCertificateData(X509 **newX509, const byte* certData, int certLen);
// Returns the certificates issuer name
// USE: ddocCertGetIssuerDN()
EXP_OPTION int getCertIssuerName(X509* cert, char* buf, int* buflen);
// Returns the certificates subject name
// USE: ddocCertGetSubjectDN()
EXP_OPTION int getCertSubjectName(X509* cert, char* buf, int* buflen);
// reads cert issuers CN
// USE: ddocCertGetIssuerCN()
EXP_OPTION int getCertIssuerCN(X509* cert, char* buf, int* buflen, int bUTF8);
// Returns the certificates subjects DN
// USE: ddocCertGetSubjectDN()
EXP_OPTION int getCertSubjectDN(X509* cert, char* buf, int* buflen, int bUTF8);
// reads cert subjects CN
// USE: ddocCertGetSubjectCN()
EXP_OPTION int getCertSubjectCN(X509* cert, char* buf, int* buflen, int bUTF8);
// get certificate owners id-code
// USE: ddocCertGetSubjectPerCode()
EXP_OPTION int getCertOwnerCode(const X509* pCert, char* buf, int len);
//--------------------------------------------------
// Returns the desired item from string rep of DN
// sDn - certificate DN
// sId - searched DN part
// pMBuf - memory buffer object for storing result
// returns error code or ERR_OK
//--------------------------------------------------
EXP_OPTION int ddocGetDNPartFromString(const char* sDn, const char* sId, DigiDocMemBuf* pMBuf);
#endif // WITH_DEPRECATED_FUNCTIONS
#ifdef __cplusplus
}
#endif
#endif // __DIGI_DOC_CERT_H__
|
