Arrange other X509_STORE, etc. symbols into sections Also some minor fixes from running doc.go over x509.h. Bug: 426 Change-Id: I8d4cf0cc2161aa7ab8ff9461b6d99daa9d9360c6 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/65211 Reviewed-by: Bob Beck <bbe@google.com> Commit-Queue: David Benjamin <davidben@google.com>
diff --git a/include/openssl/x509.h b/include/openssl/x509.h index 4993d95..59356ed 100644 --- a/include/openssl/x509.h +++ b/include/openssl/x509.h
@@ -1832,7 +1832,7 @@ #define GEN_IPADD 7 #define GEN_RID 8 -// A |GENERAL_NAME_st|, aka |GENERAL_NAME|, represents an X.509 GeneralName. The +// A GENERAL_NAME_st, aka |GENERAL_NAME|, represents an X.509 GeneralName. The // |type| field determines which member of |d| is active. A |GENERAL_NAME| may // also be empty, in which case |type| is -1 and |d| is NULL. Empty // |GENERAL_NAME|s are invalid and will never be returned from the parser, but @@ -2257,6 +2257,44 @@ // |X509_STORE_CTX_set0_crls|. OPENSSL_EXPORT int X509_STORE_add_crl(X509_STORE *store, X509_CRL *crl); +// X509_STORE_get0_param returns |store|'s verification parameters. This object +// is mutable and may be modified by the caller. For an individual certificate +// verification operation, |X509_STORE_CTX_init| initializes the +// |X509_STORE_CTX|'s parameters with these parameters. +// +// WARNING: |X509_STORE_CTX_init| applies some default parameters (as in +// |X509_VERIFY_PARAM_inherit|) after copying |store|'s parameters. This means +// it is impossible to leave some parameters unset at |store|. They must be +// explicitly unset after creating the |X509_STORE_CTX|. +// +// As of writing these late defaults are a depth limit (see +// |X509_VERIFY_PARAM_set_depth|) and the |X509_V_FLAG_TRUSTED_FIRST| flag. This +// warning does not apply if the parameters were set in |store|. +// +// TODO(crbug.com/boringssl/441): This behavior is very surprising. Can we +// remove this notion of late defaults? The unsettable value at |X509_STORE| is +// -1, which rejects everything but explicitly-trusted self-signed certificates. +// |X509_V_FLAG_TRUSTED_FIRST| is mostly a workaround for poor path-building. +OPENSSL_EXPORT X509_VERIFY_PARAM *X509_STORE_get0_param(X509_STORE *store); + +// X509_STORE_set1_param copies verification parameters from |param| as in +// |X509_VERIFY_PARAM_set1|. It returns one on success and zero on error. +OPENSSL_EXPORT int X509_STORE_set1_param(X509_STORE *store, + const X509_VERIFY_PARAM *param); + +// X509_STORE_set_flags enables all values in |flags| in |store|'s verification +// flags. |flags| should be a combination of |X509_V_FLAG_*| constants. +// +// WARNING: These flags will be combined with default flags when copied to an +// |X509_STORE_CTX|. This means it is impossible to unset those defaults from +// the |X509_STORE|. See discussion in |X509_STORE_get0_param|. +OPENSSL_EXPORT int X509_STORE_set_flags(X509_STORE *store, unsigned long flags); + +// X509_STORE_set_depth configures |store| to, by default, limit certificate +// chains to |depth| intermediate certificates. This count excludes both the +// target certificate and the trust anchor (root certificate). +OPENSSL_EXPORT int X509_STORE_set_depth(X509_STORE *store, int depth); + // X509_STORE_set_purpose configures the purpose check for |store|. See // |X509_VERIFY_PARAM_set_purpose| for details. OPENSSL_EXPORT int X509_STORE_set_purpose(X509_STORE *store, int purpose); @@ -2265,15 +2303,13 @@ // |X509_VERIFY_PARAM_set_trust| for details. OPENSSL_EXPORT int X509_STORE_set_trust(X509_STORE *store, int trust); -// TODO(crbug.com/boringssl/426): Move the other |X509_STORE| functions here. - // Certificate verification. // // An |X509_STORE_CTX| object represents a single certificate verification // operation. To verify a certificate chain, callers construct an // |X509_STORE_CTX|, initialize it with |X509_STORE_CTX_init|, configure extra -// parameters, and call |X509_verify_cert|. +// parameters with |X509_STORE_CTX_get0_param|, and call |X509_verify_cert|. // X509_STORE_CTX_new returns a newly-allocated, empty |X509_STORE_CTX|, or NULL // on error. @@ -2301,6 +2337,136 @@ // error information. OPENSSL_EXPORT int X509_verify_cert(X509_STORE_CTX *ctx); +// X509_STORE_CTX_get0_chain, after a successful |X509_verify_cert| call, +// returns the verified certificate chain. The chain begins with the leaf and +// ends with trust anchor. +// +// At other points, such as after a failed verification or during the deprecated +// verification callback, it returns the partial chain built so far. Callers +// should avoid relying on this as this exposes unstable library implementation +// details. +OPENSSL_EXPORT STACK_OF(X509) *X509_STORE_CTX_get0_chain( + const X509_STORE_CTX *ctx); + +// X509_STORE_CTX_get1_chain behaves like |X509_STORE_CTX_get0_chain| but +// returns a newly-allocated |STACK_OF(X509)| containing the completed chain, +// with each certificate's reference count incremented. Callers must free the +// result with |sk_X509_pop_free| and |X509_free| when done. +OPENSSL_EXPORT STACK_OF(X509) *X509_STORE_CTX_get1_chain( + const X509_STORE_CTX *ctx); + +// The following values are possible outputs of |X509_STORE_CTX_get_error|. +#define X509_V_OK 0 +#define X509_V_ERR_UNSPECIFIED 1 +#define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT 2 +#define X509_V_ERR_UNABLE_TO_GET_CRL 3 +#define X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE 4 +#define X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE 5 +#define X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY 6 +#define X509_V_ERR_CERT_SIGNATURE_FAILURE 7 +#define X509_V_ERR_CRL_SIGNATURE_FAILURE 8 +#define X509_V_ERR_CERT_NOT_YET_VALID 9 +#define X509_V_ERR_CERT_HAS_EXPIRED 10 +#define X509_V_ERR_CRL_NOT_YET_VALID 11 +#define X509_V_ERR_CRL_HAS_EXPIRED 12 +#define X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD 13 +#define X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD 14 +#define X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD 15 +#define X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD 16 +#define X509_V_ERR_OUT_OF_MEM 17 +#define X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT 18 +#define X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN 19 +#define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY 20 +#define X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE 21 +#define X509_V_ERR_CERT_CHAIN_TOO_LONG 22 +#define X509_V_ERR_CERT_REVOKED 23 +#define X509_V_ERR_INVALID_CA 24 +#define X509_V_ERR_PATH_LENGTH_EXCEEDED 25 +#define X509_V_ERR_INVALID_PURPOSE 26 +#define X509_V_ERR_CERT_UNTRUSTED 27 +#define X509_V_ERR_CERT_REJECTED 28 +#define X509_V_ERR_SUBJECT_ISSUER_MISMATCH 29 +#define X509_V_ERR_AKID_SKID_MISMATCH 30 +#define X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH 31 +#define X509_V_ERR_KEYUSAGE_NO_CERTSIGN 32 +#define X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER 33 +#define X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION 34 +#define X509_V_ERR_KEYUSAGE_NO_CRL_SIGN 35 +#define X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION 36 +#define X509_V_ERR_INVALID_NON_CA 37 +#define X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED 38 +#define X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE 39 +#define X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED 40 +#define X509_V_ERR_INVALID_EXTENSION 41 +#define X509_V_ERR_INVALID_POLICY_EXTENSION 42 +#define X509_V_ERR_NO_EXPLICIT_POLICY 43 +#define X509_V_ERR_DIFFERENT_CRL_SCOPE 44 +#define X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE 45 +#define X509_V_ERR_UNNESTED_RESOURCE 46 +#define X509_V_ERR_PERMITTED_VIOLATION 47 +#define X509_V_ERR_EXCLUDED_VIOLATION 48 +#define X509_V_ERR_SUBTREE_MINMAX 49 +#define X509_V_ERR_APPLICATION_VERIFICATION 50 +#define X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE 51 +#define X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX 52 +#define X509_V_ERR_UNSUPPORTED_NAME_SYNTAX 53 +#define X509_V_ERR_CRL_PATH_VALIDATION_ERROR 54 +#define X509_V_ERR_HOSTNAME_MISMATCH 62 +#define X509_V_ERR_EMAIL_MISMATCH 63 +#define X509_V_ERR_IP_ADDRESS_MISMATCH 64 +#define X509_V_ERR_INVALID_CALL 65 +#define X509_V_ERR_STORE_LOOKUP 66 +#define X509_V_ERR_NAME_CONSTRAINTS_WITHOUT_SANS 67 + +// X509_STORE_CTX_get_error, after |X509_verify_cert| returns, returns +// |X509_V_OK| if verification succeeded or an |X509_V_ERR_*| describing why +// verification failed. This will be consistent with |X509_verify_cert|'s return +// value, unless the caller used the deprecated verification callback (see +// |X509_STORE_CTX_set_verify_cb|) in a way that breaks |ctx|'s invariants. +// +// If called during the deprecated verification callback when |ok| is zero, it +// returns the current error under consideration. +OPENSSL_EXPORT int X509_STORE_CTX_get_error(const X509_STORE_CTX *ctx); + +// X509_STORE_CTX_set_error sets |ctx|'s error to |err|, which should be +// |X509_V_OK| or an |X509_V_ERR_*| constant. It is not expected to be called in +// typical |X509_STORE_CTX| usage, but may be used in callback APIs where +// applications synthesize |X509_STORE_CTX| error conditions. See also +// |X509_STORE_CTX_set_verify_cb| and |SSL_CTX_set_cert_verify_callback|. +OPENSSL_EXPORT void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err); + +// X509_verify_cert_error_string returns |err| as a human-readable string, where +// |err| should be one of the |X509_V_*| values. If |err| is unknown, it returns +// a default description. +OPENSSL_EXPORT const char *X509_verify_cert_error_string(long err); + +// X509_STORE_CTX_get_error_depth returns the depth at which the error returned +// by |X509_STORE_CTX_get_error| occured. This is zero-indexed integer into the +// certificate chain. Zero indicates the target certificate, one its issuer, and +// so on. +OPENSSL_EXPORT int X509_STORE_CTX_get_error_depth(const X509_STORE_CTX *ctx); + +// X509_STORE_CTX_get_current_cert returns the certificate which caused the +// error returned by |X509_STORE_CTX_get_error|. +OPENSSL_EXPORT X509 *X509_STORE_CTX_get_current_cert(const X509_STORE_CTX *ctx); + +// X509_STORE_CTX_get0_current_crl returns the CRL which caused the error +// returned by |X509_STORE_CTX_get_error|. +OPENSSL_EXPORT X509_CRL *X509_STORE_CTX_get0_current_crl( + const X509_STORE_CTX *ctx); + +// X509_STORE_CTX_get0_store returns the |X509_STORE| that |ctx| uses. +OPENSSL_EXPORT X509_STORE *X509_STORE_CTX_get0_store(const X509_STORE_CTX *ctx); + +// X509_STORE_CTX_get0_cert returns the leaf certificate that |ctx| is +// verifying. +OPENSSL_EXPORT X509 *X509_STORE_CTX_get0_cert(const X509_STORE_CTX *ctx); + +// X509_STORE_CTX_get0_untrusted returns the stack of untrusted intermediates +// used by |ctx| for certificate verification. +OPENSSL_EXPORT STACK_OF(X509) *X509_STORE_CTX_get0_untrusted( + const X509_STORE_CTX *ctx); + // X509_STORE_CTX_set0_trusted_stack configures |ctx| to trust the certificates // in |sk|. |sk| must remain valid for the duration of |ctx|. Calling this // function causes |ctx| to ignore any certificates configured in the @@ -2313,6 +2479,16 @@ OPENSSL_EXPORT void X509_STORE_CTX_set0_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk); +// X509_STORE_CTX_set0_crls configures |ctx| to consider the CRLs in |sk| as +// candidates for CRL lookup. |sk| must remain valid for the duration of |ctx|. +// These CRLs are considered in addition to CRLs found in |X509_STORE|. +// +// WARNING: This function differs from most |set0| functions in that it does not +// take ownership of its input. The caller is required to ensure the lifetimes +// are consistent. +OPENSSL_EXPORT void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, + STACK_OF(X509_CRL) *sk); + // X509_STORE_CTX_set_default looks up the set of parameters named |name| and // applies those default verification parameters for |ctx|. As in // |X509_VERIFY_PARAM_inherit|, only unset parameters are changed. This function @@ -2330,6 +2506,49 @@ OPENSSL_EXPORT int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name); +// X509_STORE_CTX_get0_param returns |ctx|'s verification parameters. This +// object is mutable and may be modified by the caller. +OPENSSL_EXPORT X509_VERIFY_PARAM *X509_STORE_CTX_get0_param( + X509_STORE_CTX *ctx); + +// X509_STORE_CTX_set0_param returns |ctx|'s verification parameters to |param| +// and takes ownership of |param|. After this function returns, the caller +// should not free |param|. +// +// WARNING: This function discards any values which were previously applied in +// |ctx|, including the "default" parameters applied late in +// |X509_STORE_CTX_init|. These late defaults are not applied to parameters +// created standalone by |X509_VERIFY_PARAM_new|. +// +// TODO(crbug.com/boringssl/441): This behavior is very surprising. Should we +// re-apply the late defaults in |param|, or somehow avoid this notion of late +// defaults altogether? +OPENSSL_EXPORT void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, + X509_VERIFY_PARAM *param); + +// X509_STORE_CTX_set_flags enables all values in |flags| in |ctx|'s +// verification flags. |flags| should be a combination of |X509_V_FLAG_*| +// constants. +OPENSSL_EXPORT void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, + unsigned long flags); + +// X509_STORE_CTX_set_time configures certificate verification to use |t| +// instead of the current time. |flags| is ignored and should be zero. +OPENSSL_EXPORT void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, + unsigned long flags, time_t t); + +// X509_STORE_CTX_set_time_posix configures certificate verification to use |t| +// instead of the current time. |t| is interpreted as a POSIX timestamp in +// seconds. |flags| is ignored and should be zero. +OPENSSL_EXPORT void X509_STORE_CTX_set_time_posix(X509_STORE_CTX *ctx, + unsigned long flags, + int64_t t); + +// X509_STORE_CTX_set_depth configures |ctx| to, by default, limit certificate +// chains to |depth| intermediate certificates. This count excludes both the +// target certificate and the trust anchor (root certificate). +OPENSSL_EXPORT void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth); + // X509_STORE_CTX_set_purpose simultaneously configures |ctx|'s purpose and // trust checks, if unset. It returns one on success and zero if |purpose| is // not a valid purpose value. |purpose| should be an |X509_PURPOSE_*| constant. @@ -2365,9 +2584,6 @@ // difference. OPENSSL_EXPORT int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust); -// TODO(crbug.com/boringssl/426): Move the other |X509_STORE_CTX| functions -// here. - // Verification parameters. // @@ -2381,6 +2597,128 @@ // X509_VERIFY_PARAM_free releases memory associated with |param|. OPENSSL_EXPORT void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param); +// X509_VERIFY_PARAM_inherit applies |from| as the default values for |to|. That +// is, for each parameter that is unset in |to|, it copies the value in |from|. +// This function returns one on success and zero on error. +OPENSSL_EXPORT int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *to, + const X509_VERIFY_PARAM *from); + +// X509_VERIFY_PARAM_set1 copies parameters from |from| to |to|. If a parameter +// is unset in |from|, the existing value in |to| is preserved. This function +// returns one on success and zero on error. +OPENSSL_EXPORT int X509_VERIFY_PARAM_set1(X509_VERIFY_PARAM *to, + const X509_VERIFY_PARAM *from); + +// X509_VERIFY_PARAM_set_flags enables all values in |flags| in |param|'s +// verification flags and returns one. |flags| should be a combination of +// |X509_V_FLAG_*| constants. +OPENSSL_EXPORT int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, + unsigned long flags); + +// X509_VERIFY_PARAM_clear_flags disables all values in |flags| in |param|'s +// verification flags and returns one. |flags| should be a combination of +// |X509_V_FLAG_*| constants. +OPENSSL_EXPORT int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param, + unsigned long flags); + +// X509_VERIFY_PARAM_get_flags returns |param|'s verification flags. +OPENSSL_EXPORT unsigned long X509_VERIFY_PARAM_get_flags( + const X509_VERIFY_PARAM *param); + +// X509_VERIFY_PARAM_set_depth configures |param| to limit certificate chains to +// |depth| intermediate certificates. This count excludes both the target +// certificate and the trust anchor (root certificate). +OPENSSL_EXPORT void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param, + int depth); + +// X509_VERIFY_PARAM_get_depth returns the maximum depth configured in |param|. +// See |X509_VERIFY_PARAM_set_depth|. +OPENSSL_EXPORT int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param); + +// X509_VERIFY_PARAM_set_time configures certificate verification to use |t| +// instead of the current time. +OPENSSL_EXPORT void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param, + time_t t); + +// X509_VERIFY_PARAM_set_time_posix configures certificate verification to use +// |t| instead of the current time. |t| is interpreted as a POSIX timestamp in +// seconds. +OPENSSL_EXPORT void X509_VERIFY_PARAM_set_time_posix(X509_VERIFY_PARAM *param, + int64_t t); + +// X509_VERIFY_PARAM_add0_policy adds |policy| to the user-initial-policy-set +// (see Section 6.1.1 of RFC 5280). On success, it takes ownership of +// |policy| and returns one. Otherwise, it returns zero and the caller retains +// owneship of |policy|. +OPENSSL_EXPORT int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param, + ASN1_OBJECT *policy); + +// X509_VERIFY_PARAM_set1_policies sets the user-initial-policy-set (see +// Section 6.1.1 of RFC 5280) to a copy of |policies|. It returns one on success +// and zero on error. +OPENSSL_EXPORT int X509_VERIFY_PARAM_set1_policies( + X509_VERIFY_PARAM *param, const STACK_OF(ASN1_OBJECT) *policies); + +// X509_VERIFY_PARAM_set1_host configures |param| to check for the DNS name +// specified by |name|. It returns one on success and zero on error. +// +// By default, both subject alternative names and the subject's common name +// attribute are checked. The latter has long been deprecated, so callers should +// call |X509_VERIFY_PARAM_set_hostflags| with +// |X509_CHECK_FLAG_NEVER_CHECK_SUBJECT| to use the standard behavior. +// https://crbug.com/boringssl/464 tracks fixing the default. +OPENSSL_EXPORT int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param, + const char *name, + size_t name_len); + +// X509_VERIFY_PARAM_add1_host adds |name| to the list of names checked by +// |param|. If any configured DNS name matches the certificate, verification +// succeeds. It returns one on success and zero on error. +// +// By default, both subject alternative names and the subject's common name +// attribute are checked. The latter has long been deprecated, so callers should +// call |X509_VERIFY_PARAM_set_hostflags| with +// |X509_CHECK_FLAG_NEVER_CHECK_SUBJECT| to use the standard behavior. +// https://crbug.com/boringssl/464 tracks fixing the default. +OPENSSL_EXPORT int X509_VERIFY_PARAM_add1_host(X509_VERIFY_PARAM *param, + const char *name, + size_t name_len); + +// X509_CHECK_FLAG_NO_WILDCARDS disables wildcard matching for DNS names. +#define X509_CHECK_FLAG_NO_WILDCARDS 0x2 + +// X509_CHECK_FLAG_NEVER_CHECK_SUBJECT disables the subject fallback, normally +// enabled when subjectAltNames is missing. +#define X509_CHECK_FLAG_NEVER_CHECK_SUBJECT 0x20 + +// X509_VERIFY_PARAM_set_hostflags sets the name-checking flags on |param| to +// |flags|. |flags| should be a combination of |X509_CHECK_FLAG_*| constants. +OPENSSL_EXPORT void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param, + unsigned int flags); + +// X509_VERIFY_PARAM_set1_email configures |param| to check for the email +// address specified by |email|. It returns one on success and zero on error. +// +// By default, both subject alternative names and the subject's email address +// attribute are checked. The |X509_CHECK_FLAG_NEVER_CHECK_SUBJECT| flag may be +// used to change this behavior. +OPENSSL_EXPORT int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param, + const char *email, + size_t email_len); + +// X509_VERIFY_PARAM_set1_ip configures |param| to check for the IP address +// specified by |ip|. It returns one on success and zero on error. The IP +// address is specified in its binary representation. |ip_len| must be 4 for an +// IPv4 address and 16 for an IPv6 address. +OPENSSL_EXPORT int X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM *param, + const uint8_t *ip, size_t ip_len); + +// X509_VERIFY_PARAM_set1_ip_asc decodes |ipasc| as the ASCII representation of +// an IPv4 or IPv6 address, and configures |param| to check for it. It returns +// one on success and zero on error. +OPENSSL_EXPORT int X509_VERIFY_PARAM_set1_ip_asc(X509_VERIFY_PARAM *param, + const char *ipasc); + // X509_PURPOSE_SSL_CLIENT validates TLS client certificates. It checks for the // id-kp-clientAuth EKU and one of digitalSignature or keyAgreement key usages. // The TLS library is expected to check for the key usage specific to the @@ -2499,9 +2837,6 @@ OPENSSL_EXPORT int X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *param, int trust); -// TODO(crbug.com/boringssl/426): Move the other |X509_VERIFY_PARAM| functions -// here. - // SignedPublicKeyAndChallenge structures. // @@ -3878,6 +4213,17 @@ OPENSSL_EXPORT void X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk); +// The following flags do nothing. The corresponding non-standard options have +// been removed. +#define X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT 0 +#define X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS 0 +#define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0 + +// X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS does nothing, but is necessary in +// OpenSSL to enable standard wildcard matching. In BoringSSL, this behavior is +// always enabled. +#define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0 + // Private structures. @@ -3913,11 +4259,6 @@ #define X509_TRUST_DEFAULT (-1) // Only valid in purpose settings -// X509_verify_cert_error_string returns |err| as a human-readable string, where -// |err| should be one of the |X509_V_*| values. If |err| is unknown, it returns -// a default description. -OPENSSL_EXPORT const char *X509_verify_cert_error_string(long err); - OPENSSL_EXPORT const char *X509_get_default_cert_area(void); OPENSSL_EXPORT const char *X509_get_default_cert_dir(void); OPENSSL_EXPORT const char *X509_get_default_cert_file(void); @@ -3990,17 +4331,6 @@ DEFINE_STACK_OF(X509_OBJECT) - -// X509_STORE_set_depth configures |store| to, by default, limit certificate -// chains to |depth| intermediate certificates. This count excludes both the -// target certificate and the trust anchor (root certificate). -OPENSSL_EXPORT int X509_STORE_set_depth(X509_STORE *store, int depth); - -// X509_STORE_CTX_set_depth configures |ctx| to, by default, limit certificate -// chains to |depth| intermediate certificates. This count excludes both the -// target certificate and the trust anchor (root certificate). -OPENSSL_EXPORT void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth); - #define X509_STORE_CTX_set_app_data(ctx, data) \ X509_STORE_CTX_set_ex_data(ctx, 0, data) #define X509_STORE_CTX_get_app_data(ctx) X509_STORE_CTX_get_ex_data(ctx, 0) @@ -4030,80 +4360,6 @@ OPENSSL_EXPORT int X509_LOOKUP_add_dir(X509_LOOKUP *lookup, const char *path, int type); -#define X509_V_OK 0 -#define X509_V_ERR_UNSPECIFIED 1 - -#define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT 2 -#define X509_V_ERR_UNABLE_TO_GET_CRL 3 -#define X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE 4 -#define X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE 5 -#define X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY 6 -#define X509_V_ERR_CERT_SIGNATURE_FAILURE 7 -#define X509_V_ERR_CRL_SIGNATURE_FAILURE 8 -#define X509_V_ERR_CERT_NOT_YET_VALID 9 -#define X509_V_ERR_CERT_HAS_EXPIRED 10 -#define X509_V_ERR_CRL_NOT_YET_VALID 11 -#define X509_V_ERR_CRL_HAS_EXPIRED 12 -#define X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD 13 -#define X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD 14 -#define X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD 15 -#define X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD 16 -#define X509_V_ERR_OUT_OF_MEM 17 -#define X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT 18 -#define X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN 19 -#define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY 20 -#define X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE 21 -#define X509_V_ERR_CERT_CHAIN_TOO_LONG 22 -#define X509_V_ERR_CERT_REVOKED 23 -#define X509_V_ERR_INVALID_CA 24 -#define X509_V_ERR_PATH_LENGTH_EXCEEDED 25 -#define X509_V_ERR_INVALID_PURPOSE 26 -#define X509_V_ERR_CERT_UNTRUSTED 27 -#define X509_V_ERR_CERT_REJECTED 28 -// These are 'informational' when looking for issuer cert -#define X509_V_ERR_SUBJECT_ISSUER_MISMATCH 29 -#define X509_V_ERR_AKID_SKID_MISMATCH 30 -#define X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH 31 -#define X509_V_ERR_KEYUSAGE_NO_CERTSIGN 32 - -#define X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER 33 -#define X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION 34 -#define X509_V_ERR_KEYUSAGE_NO_CRL_SIGN 35 -#define X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION 36 -#define X509_V_ERR_INVALID_NON_CA 37 -#define X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED 38 -#define X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE 39 -#define X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED 40 - -#define X509_V_ERR_INVALID_EXTENSION 41 -#define X509_V_ERR_INVALID_POLICY_EXTENSION 42 -#define X509_V_ERR_NO_EXPLICIT_POLICY 43 -#define X509_V_ERR_DIFFERENT_CRL_SCOPE 44 -#define X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE 45 - -#define X509_V_ERR_UNNESTED_RESOURCE 46 - -#define X509_V_ERR_PERMITTED_VIOLATION 47 -#define X509_V_ERR_EXCLUDED_VIOLATION 48 -#define X509_V_ERR_SUBTREE_MINMAX 49 -#define X509_V_ERR_APPLICATION_VERIFICATION 50 -#define X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE 51 -#define X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX 52 -#define X509_V_ERR_UNSUPPORTED_NAME_SYNTAX 53 -#define X509_V_ERR_CRL_PATH_VALIDATION_ERROR 54 - -// Host, email and IP check errors -#define X509_V_ERR_HOSTNAME_MISMATCH 62 -#define X509_V_ERR_EMAIL_MISMATCH 63 -#define X509_V_ERR_IP_ADDRESS_MISMATCH 64 - -// Caller error -#define X509_V_ERR_INVALID_CALL 65 -// Issuer lookup error -#define X509_V_ERR_STORE_LOOKUP 66 - -#define X509_V_ERR_NAME_CONSTRAINTS_WITHOUT_SANS 67 - // Certificate verify flags // Send issuer+subject checks to verify_cb @@ -4172,46 +4428,6 @@ OPENSSL_EXPORT STACK_OF(X509_CRL) *X509_STORE_CTX_get1_crls(X509_STORE_CTX *st, X509_NAME *nm); -// X509_STORE_set_flags enables all values in |flags| in |store|'s verification -// flags. |flags| should be a combination of |X509_V_FLAG_*| constants. -// -// WARNING: These flags will be combined with default flags when copied to an -// |X509_STORE_CTX|. This means it is impossible to unset those defaults from -// the |X509_STORE|. See discussion in |X509_STORE_get0_param|. -OPENSSL_EXPORT int X509_STORE_set_flags(X509_STORE *store, unsigned long flags); - -// |X509_STORE_set1_param| copies verification parameters from |param| as in -// |X509_VERIFY_PARAM_set1|. It returns one on success and zero on error. -OPENSSL_EXPORT int X509_STORE_set1_param(X509_STORE *store, - const X509_VERIFY_PARAM *param); - -// X509_STORE_get0_param returns |store|'s verification parameters. This object -// is mutable and may be modified by the caller. For an individual certificate -// verification operation, |X509_STORE_CTX_init| initializes the -// |X509_STORE_CTX|'s parameters with these parameters. -// -// WARNING: |X509_STORE_CTX_init| applies some default parameters (as in -// |X509_VERIFY_PARAM_inherit|) after copying |store|'s parameters. This means -// it is impossible to leave some parameters unset at |store|. They must be -// explicitly unset after creating the |X509_STORE_CTX|. -// -// As of writing these late defaults are a depth limit (see -// |X509_VERIFY_PARAM_set_depth|) and the |X509_V_FLAG_TRUSTED_FIRST| flag. This -// warning does not apply if the parameters were set in |store|. -// -// TODO(crbug.com/boringssl/441): This behavior is very surprising. Can we -// remove this notion of late defaults? The unsettable value at |X509_STORE| is -// -1, which rejects everything but explicitly-trusted self-signed certificates. -// |X509_V_FLAG_TRUSTED_FIRST| is mostly a workaround for poor path-building. -OPENSSL_EXPORT X509_VERIFY_PARAM *X509_STORE_get0_param(X509_STORE *store); - -// X509_STORE_CTX_get0_store returns the |X509_STORE| that |ctx| uses. -OPENSSL_EXPORT X509_STORE *X509_STORE_CTX_get0_store(const X509_STORE_CTX *ctx); - -// X509_STORE_CTX_get0_cert returns the leaf certificate that |ctx| is -// verifying. -OPENSSL_EXPORT X509 *X509_STORE_CTX_get0_cert(const X509_STORE_CTX *ctx); - OPENSSL_EXPORT X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *v, const X509_LOOKUP_METHOD *m); @@ -4236,209 +4452,6 @@ const char *dir); OPENSSL_EXPORT int X509_STORE_set_default_paths(X509_STORE *ctx); -// X509_STORE_CTX_get_error, after |X509_verify_cert| returns, returns -// |X509_V_OK| if verification succeeded or an |X509_V_ERR_*| describing why -// verification failed. This will be consistent with |X509_verify_cert|'s return -// value, unless the caller used the deprecated verification callback (see -// |X509_STORE_CTX_set_verify_cb|) in a way that breaks |ctx|'s invariants. -// -// If called during the deprecated verification callback when |ok| is zero, it -// returns the current error under consideration. -OPENSSL_EXPORT int X509_STORE_CTX_get_error(const X509_STORE_CTX *ctx); - -// X509_STORE_CTX_set_error sets |ctx|'s error to |err|, which should be -// |X509_V_OK| or an |X509_V_ERR_*| constant. It is not expected to be called in -// typical |X509_STORE_CTX| usage, but may be used in callback APIs where -// applications synthesize |X509_STORE_CTX| error conditions. See also -// |X509_STORE_CTX_set_verify_cb| and |SSL_CTX_set_cert_verify_callback|. -OPENSSL_EXPORT void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err); - -// X509_STORE_CTX_get_error_depth returns the depth at which the error returned -// by |X509_STORE_CTX_get_error| occured. This is zero-indexed integer into the -// certificate chain. Zero indicates the target certificate, one its issuer, and -// so on. -OPENSSL_EXPORT int X509_STORE_CTX_get_error_depth(const X509_STORE_CTX *ctx); - -OPENSSL_EXPORT X509 *X509_STORE_CTX_get_current_cert(const X509_STORE_CTX *ctx); -OPENSSL_EXPORT X509_CRL *X509_STORE_CTX_get0_current_crl( - const X509_STORE_CTX *ctx); - -// X509_STORE_CTX_get0_chain, after a successful |X509_verify_cert| call, -// returns the verified certificate chain. The chain begins with the leaf and -// ends with trust anchor. -// -// At other points, such as after a failed verification or during the deprecated -// verification callback, it returns the partial chain built so far. Callers -// should avoid relying on this as this exposes unstable library implementation -// details. -OPENSSL_EXPORT STACK_OF(X509) *X509_STORE_CTX_get0_chain( - const X509_STORE_CTX *ctx); - -// X509_STORE_CTX_get1_chain behaves like |X509_STORE_CTX_get0_chain| but -// returns a newly-allocated |STACK_OF(X509)| containing the completed chain, -// with each certificate's reference count incremented. Callers must free the -// result with |sk_X509_pop_free| and |X509_free| when done. -OPENSSL_EXPORT STACK_OF(X509) *X509_STORE_CTX_get1_chain( - const X509_STORE_CTX *ctx); - -OPENSSL_EXPORT STACK_OF(X509) *X509_STORE_CTX_get0_untrusted( - const X509_STORE_CTX *ctx); -OPENSSL_EXPORT void X509_STORE_CTX_set0_crls(X509_STORE_CTX *c, - STACK_OF(X509_CRL) *sk); - -// X509_STORE_CTX_set_flags enables all values in |flags| in |ctx|'s -// verification flags. |flags| should be a combination of |X509_V_FLAG_*| -// constants. -OPENSSL_EXPORT void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, - unsigned long flags); - -// X509_STORE_CTX_set_time configures certificate verification to use |t| -// instead of the current time. |flags| is ignored and should be zero. -OPENSSL_EXPORT void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, - unsigned long flags, time_t t); - -// X509_STORE_CTX_set_time_posix configures certificate verification to use |t| -// instead of the current time. |t| is interpreted as a POSIX timestamp in -// seconds. |flags| is ignored and should be zero. -OPENSSL_EXPORT void X509_STORE_CTX_set_time_posix(X509_STORE_CTX *ctx, - unsigned long flags, - int64_t t); - -// X509_STORE_CTX_get0_param returns |ctx|'s verification parameters. This -// object is mutable and may be modified by the caller. -OPENSSL_EXPORT X509_VERIFY_PARAM *X509_STORE_CTX_get0_param( - X509_STORE_CTX *ctx); - -// X509_STORE_CTX_set0_param returns |ctx|'s verification parameters to |param| -// and takes ownership of |param|. After this function returns, the caller -// should not free |param|. -// -// WARNING: This function discards any values which were previously applied in -// |ctx|, including the "default" parameters applied late in -// |X509_STORE_CTX_init|. These late defaults are not applied to parameters -// created standalone by |X509_VERIFY_PARAM_new|. -// -// TODO(crbug.com/boringssl/441): This behavior is very surprising. Should we -// re-apply the late defaults in |param|, or somehow avoid this notion of late -// defaults altogether? -OPENSSL_EXPORT void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, - X509_VERIFY_PARAM *param); - -// X509_VERIFY_PARAM_inherit applies |from| as the default values for |to|. That -// is, for each parameter that is unset in |to|, it copies the value in |from|. -// This function returns one on success and zero on error. -OPENSSL_EXPORT int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *to, - const X509_VERIFY_PARAM *from); - -// X509_VERIFY_PARAM_set1 copies parameters from |from| to |to|. If a parameter -// is unset in |from|, the existing value in |to| is preserved. This function -// returns one on success and zero on error. -OPENSSL_EXPORT int X509_VERIFY_PARAM_set1(X509_VERIFY_PARAM *to, - const X509_VERIFY_PARAM *from); - -// X509_VERIFY_PARAM_set_flags enables all values in |flags| in |param|'s -// verification flags and returns one. |flags| should be a combination of -// |X509_V_FLAG_*| constants. -OPENSSL_EXPORT int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, - unsigned long flags); - -// X509_VERIFY_PARAM_clear_flags disables all values in |flags| in |param|'s -// verification flags and returns one. |flags| should be a combination of -// |X509_V_FLAG_*| constants. -OPENSSL_EXPORT int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param, - unsigned long flags); - -// X509_VERIFY_PARAM_get_flags returns |param|'s verification flags. -OPENSSL_EXPORT unsigned long X509_VERIFY_PARAM_get_flags( - const X509_VERIFY_PARAM *param); - -// X509_VERIFY_PARAM_set_depth configures |param| to limit certificate chains to -// |depth| intermediate certificates. This count excludes both the target -// certificate and the trust anchor (root certificate). -OPENSSL_EXPORT void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param, - int depth); - -// X509_VERIFY_PARAM_set_time configures certificate verification to use |t| -// instead of the current time. -OPENSSL_EXPORT void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param, - time_t t); - -// X509_VERIFY_PARAM_set_time_posix configures certificate verification to use -// |t| instead of the current time. |t| is interpreted as a POSIX timestamp in -// seconds. -OPENSSL_EXPORT void X509_VERIFY_PARAM_set_time_posix(X509_VERIFY_PARAM *param, - int64_t t); - -// X509_VERIFY_PARAM_add0_policy adds |policy| to the user-initial-policy-set -// (see Section 6.1.1 of RFC 5280). On success, it takes ownership of -// |policy| and returns one. Otherwise, it returns zero and the caller retains -// owneship of |policy|. -OPENSSL_EXPORT int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param, - ASN1_OBJECT *policy); - -// X509_VERIFY_PARAM_set1_policies sets the user-initial-policy-set (see -// Section 6.1.1 of RFC 5280) to a copy of |policies|. It returns one on success -// and zero on error. -OPENSSL_EXPORT int X509_VERIFY_PARAM_set1_policies( - X509_VERIFY_PARAM *param, const STACK_OF(ASN1_OBJECT) *policies); - -// X509_VERIFY_PARAM_set1_host configures |param| to check for the DNS name -// specified by |name|. It returns one on success and zero on error. -// -// By default, both subject alternative names and the subject's common name -// attribute are checked. The latter has long been deprecated, so callers should -// call |X509_VERIFY_PARAM_set_hostflags| with -// |X509_CHECK_FLAG_NEVER_CHECK_SUBJECT| to use the standard behavior. -// https://crbug.com/boringssl/464 tracks fixing the default. -OPENSSL_EXPORT int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param, - const char *name, - size_t name_len); - -// X509_VERIFY_PARAM_add1_host adds |name| to the list of names checked by -// |param|. If any configured DNS name matches the certificate, verification -// succeeds. It returns one on success and zero on error. -// -// By default, both subject alternative names and the subject's common name -// attribute are checked. The latter has long been deprecated, so callers should -// call |X509_VERIFY_PARAM_set_hostflags| with -// |X509_CHECK_FLAG_NEVER_CHECK_SUBJECT| to use the standard behavior. -// https://crbug.com/boringssl/464 tracks fixing the default. -OPENSSL_EXPORT int X509_VERIFY_PARAM_add1_host(X509_VERIFY_PARAM *param, - const char *name, - size_t name_len); - -// X509_VERIFY_PARAM_set_hostflags sets the name-checking flags on |param| to -// |flags|. |flags| should be a combination of |X509_CHECK_FLAG_*| constants. -OPENSSL_EXPORT void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param, - unsigned int flags); - -// X509_VERIFY_PARAM_set1_email configures |param| to check for the email -// address specified by |email|. It returns one on success and zero on error. -// -// By default, both subject alternative names and the subject's email address -// attribute are checked. The |X509_CHECK_FLAG_NEVER_CHECK_SUBJECT| flag may be -// used to change this behavior. -OPENSSL_EXPORT int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param, - const char *email, - size_t email_len); - -// X509_VERIFY_PARAM_set1_ip configures |param| to check for the IP address -// specified by |ip|. It returns one on success and zero on error. The IP -// address is specified in its binary representation. |ip_len| must be 4 for an -// IPv4 address and 16 for an IPv6 address. -OPENSSL_EXPORT int X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM *param, - const uint8_t *ip, size_t ip_len); - -// X509_VERIFY_PARAM_set1_ip_asc decodes |ipasc| as the ASCII representation of -// an IPv4 or IPv6 address, and configures |param| to check for it. It returns -// one on success and zero on error. -OPENSSL_EXPORT int X509_VERIFY_PARAM_set1_ip_asc(X509_VERIFY_PARAM *param, - const char *ipasc); - -// X509_VERIFY_PARAM_get_depth returns the maximum depth configured in |param|. -// See |X509_VERIFY_PARAM_set_depth|. -OPENSSL_EXPORT int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param); - typedef void *(*X509V3_EXT_NEW)(void); typedef void (*X509V3_EXT_FREE)(void *); typedef void *(*X509V3_EXT_D2I)(void *, const unsigned char **, long); @@ -4838,23 +4851,6 @@ OPENSSL_EXPORT int X509_PURPOSE_get_trust(const X509_PURPOSE *xp); OPENSSL_EXPORT int X509_PURPOSE_get_id(const X509_PURPOSE *); -// Flags for X509_check_* functions - -// Deprecated: this flag does nothing -#define X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT 0 -// Disable wildcard matching for dnsName fields and common name. -#define X509_CHECK_FLAG_NO_WILDCARDS 0x2 -// X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS does nothing, but is necessary in -// OpenSSL to enable standard wildcard matching. In BoringSSL, this behavior is -// always enabled. -#define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0 -// Deprecated: this flag does nothing -#define X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS 0 -// Deprecated: this flag does nothing -#define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0 -// Skip the subject common name fallback if subjectAltNames is missing. -#define X509_CHECK_FLAG_NEVER_CHECK_SUBJECT 0x20 - #if defined(__cplusplus) } // extern C