/* $OpenBSD: x509_vfy.h,v 1.32 2021/02/24 18:01:31 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
 *
 * This library is free for commercial and non-commercial use as long as
 * the following conditions are aheared to. The following conditions
 * apply to all code found in this distribution, be it the RC4, RSA,
 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
 * included with this distribution is covered by the same copyright terms
 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
 *
 * Copyright remains Eric Young's, and as such any Copyright notices in
 * the code are not to be removed.
 * If this package is used in a product, Eric Young should be given attribution
 * as the author of the parts of the library used.
 * This can be in the form of a textual message at program startup or
 * in documentation (online or textual) provided with the package.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3.
All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 
 */
module libressl_d.openssl.x509_vfy;


private static import core.stdc.config;
private static import libressl_d.compat.time;
private static import libressl_d.openssl.asn1;
private static import libressl_d.openssl.ossl_typ;
private static import libressl_d.openssl.stack;
private static import libressl_d.openssl.x509v3;
public import libressl_d.openssl.bio;
public import libressl_d.openssl.crypto;
public import libressl_d.openssl.opensslconf;
public import libressl_d.openssl.x509;

static assert(libressl_d.openssl.x509.HEADER_X509_H);

/*
 * openssl/x509.h ends up #include-ing this file at about the only
 * appropriate moment.
 */
public import libressl_d.openssl.x509;

version (OPENSSL_NO_LHASH) {
} else {
	public import libressl_d.openssl.lhash;
}

extern (C):
nothrow @nogc:

/**
 * List of certificate/CRL file or directory paths used by a lookup method.
 * This mirrors the C struct from x509_vfy.h: field order and types are ABI
 * and must not be changed on the D side.
 */
struct x509_file_st
{
	/**
	 * number of paths to files or directories
	 */
	int num_paths;

	/**
	 * number of slots allocated for `paths` (presumably >= num_paths; confirm in the C source)
	 */
	int num_alloced;

	/**
	 * the list of paths or directories
	 */
	char** paths;

	/**
	 * per-entry type tag, parallel to `paths` (encoding not visible in this header)
	 */
	int* path_type;
}

alias X509_CERT_FILE_CTX = .x509_file_st;

/* ******************************/
/*
 * SSL_CTX -> X509_STORE
 *              -> X509_LOOKUP
 *                   -> X509_LOOKUP_METHOD
 *              -> X509_LOOKUP
 *                   -> X509_LOOKUP_METHOD
 *
 * SSL     -> X509_STORE_CTX
 *              -> X509_STORE
 *
 * The X509_STORE holds the tables etc for verification stuff.
 * A X509_STORE_CTX is used while validating a single certificate.
 * The X509_STORE has X509_LOOKUPs for looking up certs.
 * The X509_STORE then calls a function to actually verify the
 * certificate chain.
 */

/*
 * Lookup result / object type codes. X509_OBJECT.type holds one of the
 * object types (X509, CRL, PKEY); X509_LU_RETRY and X509_LU_FAIL read as
 * status values returned by the lookup functions rather than object types.
 */
enum X509_LU_RETRY = -1;
enum X509_LU_FAIL = 0;
enum X509_LU_X509 = 1;
enum X509_LU_CRL = 2;
enum X509_LU_PKEY = 3;

/**
 * Tagged union of a looked-up object. `type` selects which member of `data`
 * is live; reading any other member is a type-confusion bug, so always check
 * `type` (or use X509_OBJECT_get_type / the get0_* accessors below) first.
 */
struct x509_object_st
{
	/**
	 * one of the above types
	 */
	int type;

	union data_
	{
		char* ptr_;
		libressl_d.openssl.ossl_typ.X509* x509;
		libressl_d.openssl.ossl_typ.X509_CRL* crl;
		libressl_d.openssl.ossl_typ.EVP_PKEY* pkey;
	}

	data_ data;
}

alias X509_OBJECT = .x509_object_st;

alias X509_LOOKUP = .x509_lookup_st;

//DECLARE_STACK_OF(X509_LOOKUP)
struct stack_st_X509_LOOKUP
{
	libressl_d.openssl.stack._STACK stack;
}

//DECLARE_STACK_OF(X509_OBJECT)
struct stack_st_X509_OBJECT
{
	libressl_d.openssl.stack._STACK stack;
}

/**
 * This is a static that defines the function interface
 * (the vtable of a lookup method).
 *
 * NOTE(review): a method presumably leaves slots it does not support as
 * null; check a slot for null before invoking it directly from D rather
 * than through the X509_LOOKUP_* wrappers declared later in this file.
 */
struct x509_lookup_method_st
{
	const (char)* name;
	int function(.X509_LOOKUP* ctx) new_item;
	void function(.X509_LOOKUP* ctx) free;
	int function(.X509_LOOKUP* ctx) init;
	int function(.X509_LOOKUP* ctx) shutdown;

	/**
	 * generic control hook; the cmd values this file uses are the
	 * X509_L_* enums, passed through X509_LOOKUP_ctrl
	 */
	int function(.X509_LOOKUP* ctx, int cmd, const (char)* argc, core.stdc.config.c_long argl, char** ret) ctrl;

	int function(.X509_LOOKUP* ctx, int type, libressl_d.openssl.ossl_typ.X509_NAME* name, .X509_OBJECT* ret) get_by_subject;
	int function(.X509_LOOKUP* ctx, int type, libressl_d.openssl.ossl_typ.X509_NAME* name, libressl_d.openssl.ossl_typ.ASN1_INTEGER* serial, .X509_OBJECT* ret) get_by_issuer_serial;

	/**
	 * `bytes`/`len` is a raw fingerprint; `len` is a signed int, so a caller
	 * passing attacker-controlled lengths must reject negative values itself
	 */
	int function(.X509_LOOKUP* ctx, int type, const (ubyte)* bytes, int len, .X509_OBJECT* ret) get_by_fingerprint;

	int function(.X509_LOOKUP* ctx, int type, const (char)* str, int len, .X509_OBJECT* ret) get_by_alias;
}

alias X509_LOOKUP_METHOD = .x509_lookup_method_st;

/** Opaque on the D side; only ever handled through a pointer. */
struct X509_VERIFY_PARAM_ID_st;
alias X509_VERIFY_PARAM_ID = .X509_VERIFY_PARAM_ID_st;

/**
 * This structure holds all parameters associated with a
 * verify operation; by including an X509_VERIFY_PARAM structure in related
 * structures the parameters used can be customized.
 *
 * Security note: `flags`, `depth`, `purpose`, `trust` and the name data
 * behind `id` are what decide whether a chain is accepted. Treat a
 * parameter set as security policy: build it once, review it, and never
 * derive its flag bits from untrusted input.
 */
struct X509_VERIFY_PARAM_st
{
	char* name;

	/**
	 * Time to use
	 * (consulted instead of the current time when X509_V_FLAG_USE_CHECK_TIME
	 * is set, per that flag's comment below)
	 */
	libressl_d.compat.time.time_t check_time;

	/**
	 * Inheritance flags (presumably the X509_VP_FLAG_* values declared below)
	 */
	core.stdc.config.c_ulong inh_flags;

	/**
	 * Various verify flags (bitwise OR of the X509_V_FLAG_* values below)
	 */
	core.stdc.config.c_ulong flags;

	/**
	 * purpose to check untrusted certificates
	 */
	int purpose;

	/**
	 * trust setting to check
	 */
	int trust;

	/**
	 * Verify depth (maximum chain depth; exceeding it presumably yields
	 * X509_V_ERR_CERT_CHAIN_TOO_LONG -- confirm in x509_vfy.c)
	 */
	int depth;

	/**
	 * Permissible policies
	 */
	libressl_d.openssl.asn1.stack_st_ASN1_OBJECT* policies;

	/**
	 * opaque ID data (presumably where the host/email/IP set through the
	 * X509_VERIFY_PARAM_set1_* functions lives)
	 */
	.X509_VERIFY_PARAM_ID* id;
}

alias X509_VERIFY_PARAM = .X509_VERIFY_PARAM_st;

//DECLARE_STACK_OF(X509_VERIFY_PARAM)
struct stack_st_X509_VERIFY_PARAM
{
	libressl_d.openssl.stack._STACK stack;
}

/**
 * This is used to hold everything. It is used for all certificate
 * validation. Once we have a certificate chain, the 'verify'
 * function is then called to actually check the cert chain.
 */
struct x509_store_st
{
	/* The following is a cache of trusted certs */

	/**
	 * if true, stash any hits
	 */
	int cache;

	/**
	 * Cache of all objects
	 */
	.stack_st_X509_OBJECT* objs;

	/* These are external lookup methods */
	.stack_st_X509_LOOKUP* get_cert_methods;

	.X509_VERIFY_PARAM* param;

	/* Callbacks for various operations */

	/**
	 * called to verify a certificate
	 */
	int function(libressl_d.openssl.ossl_typ.X509_STORE_CTX* ctx) verify;

	/**
	 * error callback
	 *
	 * NOTE(review): in OpenSSL-family verifiers the callback's return value
	 * decides whether verification proceeds after an error (ok == 0). A
	 * callback that unconditionally returns 1 disables certificate
	 * verification entirely; confirm against x509_vfy.c before relying on it.
	 */
	int function(int ok, libressl_d.openssl.ossl_typ.X509_STORE_CTX* ctx) verify_cb;

	/**
	 * get issuers cert from ctx
	 */
	int function(libressl_d.openssl.ossl_typ.X509** issuer, libressl_d.openssl.ossl_typ.X509_STORE_CTX* ctx, libressl_d.openssl.ossl_typ.X509* x) get_issuer;

	/**
	 * check issued
	 */
	int function(libressl_d.openssl.ossl_typ.X509_STORE_CTX* ctx, libressl_d.openssl.ossl_typ.X509* x, libressl_d.openssl.ossl_typ.X509* issuer) check_issued;

	/**
	 * Check revocation status of chain
	 */
	int function(libressl_d.openssl.ossl_typ.X509_STORE_CTX* ctx) check_revocation;

	/**
	 * retrieve CRL
	 */
	int function(libressl_d.openssl.ossl_typ.X509_STORE_CTX* ctx, libressl_d.openssl.ossl_typ.X509_CRL** crl, libressl_d.openssl.ossl_typ.X509* x) get_crl;

	/**
	 * Check CRL validity
	 */
	int function(libressl_d.openssl.ossl_typ.X509_STORE_CTX* ctx, libressl_d.openssl.ossl_typ.X509_CRL* crl) check_crl;

	/**
	 * Check certificate against CRL
	 */
	int function(libressl_d.openssl.ossl_typ.X509_STORE_CTX* ctx, libressl_d.openssl.ossl_typ.X509_CRL* crl, libressl_d.openssl.ossl_typ.X509* x) cert_crl;

	libressl_d.openssl.x509.stack_st_X509* function(libressl_d.openssl.ossl_typ.X509_STORE_CTX* ctx, libressl_d.openssl.ossl_typ.X509_NAME* nm) lookup_certs;
	libressl_d.openssl.x509.stack_st_X509_CRL* function(libressl_d.openssl.ossl_typ.X509_STORE_CTX* ctx, libressl_d.openssl.ossl_typ.X509_NAME* nm) lookup_crls;
	int function(libressl_d.openssl.ossl_typ.X509_STORE_CTX* ctx) cleanup;

	libressl_d.openssl.ossl_typ.CRYPTO_EX_DATA ex_data;

	/**
	 * reference count; adjust only through X509_STORE_up_ref / X509_STORE_free
	 * (declared below), never by direct write
	 */
	int references;
}

int X509_STORE_set_depth(libressl_d.openssl.ossl_typ.X509_STORE* store, int depth);

/**
 * Install the verify_cb callback by writing the struct field directly
 * (D equivalent of the C macro of the same name).
 *
 * The `in` contract is compiled out in release builds, so a null `ctx`
 * then dereferences null; `@trusted` asserts a memory safety the compiler
 * does not check. Prefer X509_STORE_set_verify_cb (declared below) for new
 * code. See the verify_cb field for the verification-bypass caveat.
 */
pragma(inline, true)
pure nothrow @trusted @nogc @live
void X509_STORE_set_verify_cb_func(scope libressl_d.openssl.ossl_typ.X509_STORE* ctx, int function(int ok, libressl_d.openssl.ossl_typ.X509_STORE_CTX* ctx) func)

in
{
	assert(ctx != null);
}

do
{
	ctx.verify_cb = func;
}

/**
 * Replace the store's chain verification function by direct field write
 * (D equivalent of the C macro of the same name).
 *
 * Replacing `verify` replaces the entire chain check; the same null-ctx
 * and `@trusted` caveats as X509_STORE_set_verify_cb_func apply.
 */
pragma(inline, true)
pure nothrow @trusted @nogc @live
void X509_STORE_set_verify_func(scope libressl_d.openssl.ossl_typ.X509_STORE* ctx, int function(libressl_d.openssl.ossl_typ.X509_STORE_CTX* ctx) func)

in
{
	assert(ctx != null);
}

do
{
	ctx.verify = func;
}

/**
 * This is the functions plus an instance of the local variables.
 */
struct x509_lookup_st
{
	/**
	 * have we been started
	 */
	int init;

	/**
	 * don't use us.
	 */
	int skip;

	/**
	 * the functions
	 */
	.X509_LOOKUP_METHOD* method;

	/**
	 * method data
	 */
	char* method_data;

	/**
	 * who owns us
	 */
	libressl_d.openssl.ossl_typ.X509_STORE* store_ctx;
}

/**
 * This is a used when verifying cert chains. Since the
 * gathering of the cert chain can take some time (and have to be
 * 'retried'), this needs to be kept and passed around.
 */
struct x509_store_ctx_st
{
	libressl_d.openssl.ossl_typ.X509_STORE* ctx;

	/**
	 * used when looking up certs
	 */
	int current_method;

	/* The following are set by the caller */

	/**
	 * The cert to check
	 */
	libressl_d.openssl.ossl_typ.X509* cert;

	/**
	 * chain of X509s - untrusted - passed in
	 */
	libressl_d.openssl.x509.stack_st_X509* untrusted;

	/**
	 * set of CRLs passed in
	 */
	libressl_d.openssl.x509.stack_st_X509_CRL* crls;

	.X509_VERIFY_PARAM* param;

	/**
	 * Other info for use with get_issuer()
	 */
	void* other_ctx;

	/* Callbacks for various operations (same contracts as the fields of the
	 * same name in x509_store_st; these are the per-verification copies) */

	/**
	 * called to verify a certificate
	 */
	int function(libressl_d.openssl.ossl_typ.X509_STORE_CTX* ctx) verify;

	/**
	 * error callback -- see the verify_cb note on x509_store_st
	 */
	int function(int ok, libressl_d.openssl.ossl_typ.X509_STORE_CTX* ctx) verify_cb;

	/**
	 * get issuers cert from ctx
	 */
	int function(libressl_d.openssl.ossl_typ.X509** issuer, libressl_d.openssl.ossl_typ.X509_STORE_CTX* ctx, libressl_d.openssl.ossl_typ.X509* x) get_issuer;

	/**
	 * check issued
	 */
	int function(libressl_d.openssl.ossl_typ.X509_STORE_CTX* ctx, libressl_d.openssl.ossl_typ.X509* x, libressl_d.openssl.ossl_typ.X509* issuer) check_issued;

	/**
	 * Check revocation status of chain
	 */
	int function(libressl_d.openssl.ossl_typ.X509_STORE_CTX* ctx) check_revocation;

	/**
	 * retrieve CRL
	 */
	int function(libressl_d.openssl.ossl_typ.X509_STORE_CTX* ctx, libressl_d.openssl.ossl_typ.X509_CRL** crl, libressl_d.openssl.ossl_typ.X509* x) get_crl;

	/**
	 * Check CRL validity
	 */
	int function(libressl_d.openssl.ossl_typ.X509_STORE_CTX* ctx, libressl_d.openssl.ossl_typ.X509_CRL* crl) check_crl;

	/**
	 * Check certificate against CRL
	 */
	int function(libressl_d.openssl.ossl_typ.X509_STORE_CTX* ctx, libressl_d.openssl.ossl_typ.X509_CRL* crl, libressl_d.openssl.ossl_typ.X509* x) cert_crl;

	int function(libressl_d.openssl.ossl_typ.X509_STORE_CTX* ctx) check_policy;
	libressl_d.openssl.x509.stack_st_X509* function(libressl_d.openssl.ossl_typ.X509_STORE_CTX* ctx, libressl_d.openssl.ossl_typ.X509_NAME* nm) lookup_certs;
	libressl_d.openssl.x509.stack_st_X509_CRL* function(libressl_d.openssl.ossl_typ.X509_STORE_CTX* ctx, libressl_d.openssl.ossl_typ.X509_NAME* nm) lookup_crls;
	int function(libressl_d.openssl.ossl_typ.X509_STORE_CTX* ctx) cleanup;

	/* The following is built up */

	/**
	 * if 0, rebuild chain
	 */
	int valid;

	/**
	 * XXX: number of untrusted certs in chain!!!
	 */
	int last_untrusted;

	/**
	 * chain of X509s - built up and trusted
	 */
	libressl_d.openssl.x509.stack_st_X509* chain;

	/**
	 * Valid policy tree
	 */
	libressl_d.openssl.ossl_typ.X509_POLICY_TREE* tree;

	/**
	 * Require explicit policy value
	 */
	int explicit_policy;

	/* When something goes wrong, this is why */

	/** depth in the chain (0 = leaf) at which `error` was raised */
	int error_depth;

	/** one of the X509_V_OK / X509_V_ERR_* values declared below */
	int error;

	libressl_d.openssl.ossl_typ.X509* current_cert;

	/**
	 * cert currently being tested as valid issuer
	 */
	libressl_d.openssl.ossl_typ.X509* current_issuer;

	/**
	 * current CRL
	 */
	libressl_d.openssl.ossl_typ.X509_CRL* current_crl;

	/**
	 * score of current CRL
	 */
	int current_crl_score;

	/**
	 * Reason mask
	 */
	uint current_reasons;

	/**
	 * For CRL path validation: parent context
	 */
	libressl_d.openssl.ossl_typ.X509_STORE_CTX* parent;

	libressl_d.openssl.ossl_typ.CRYPTO_EX_DATA ex_data;
}

void X509_STORE_CTX_set_depth(libressl_d.openssl.ossl_typ.X509_STORE_CTX* ctx, int depth);

/**
 * Store application data in ex_data slot 0 (D equivalent of the C macro).
 *
 * Slot 0 is a fixed index shared by every caller of this helper and by
 * anything else that writes index 0; two components using it on the same
 * context silently overwrite each other. Libraries should allocate their
 * own index with X509_STORE_CTX_get_ex_new_index instead.
 *
 * Returns: the result of X509_STORE_CTX_set_ex_data.
 */
pragma(inline, true)
int X509_STORE_CTX_set_app_data(libressl_d.openssl.ossl_typ.X509_STORE_CTX* ctx, void* data)

do
{
	return .X509_STORE_CTX_set_ex_data(ctx, 0, data);
}

/**
 * Read application data from ex_data slot 0 (D equivalent of the C macro).
 * See X509_STORE_CTX_set_app_data for the shared-slot caveat.
 *
 * Returns: whatever X509_STORE_CTX_get_ex_data returns for index 0.
 */
pragma(inline, true)
void* X509_STORE_CTX_get_app_data(libressl_d.openssl.ossl_typ.X509_STORE_CTX* ctx)

do
{
	return .X509_STORE_CTX_get_ex_data(ctx, 0);
}

/* X509_LOOKUP_ctrl command codes used by the three helpers below */
enum X509_L_FILE_LOAD = 1;
enum X509_L_ADD_DIR = 2;
enum X509_L_MEM = 3;

/**
 * Load certificates/CRLs from the file `name` into lookup `x`
 * (D equivalent of the C macro; wraps X509_LOOKUP_ctrl with X509_L_FILE_LOAD).
 *
 * `type` is the file format code passed through unchanged (presumably a
 * FILETYPE_* value; not defined in this header). `name` is a path the
 * library opens, so it must not be derived from untrusted input.
 *
 * Returns: the X509_LOOKUP_ctrl result.
 */
pragma(inline, true)
int X509_LOOKUP_load_file(.X509_LOOKUP* x, const (char)* name, core.stdc.config.c_long type)

do
{
	return .X509_LOOKUP_ctrl(x, .X509_L_FILE_LOAD, name, type, null);
}

/**
 * Add the directory `name` to lookup `x`
 * (D equivalent of the C macro; wraps X509_LOOKUP_ctrl with X509_L_ADD_DIR).
 *
 * The same path-trust caveat as X509_LOOKUP_load_file applies.
 *
 * Returns: the X509_LOOKUP_ctrl result.
 */
pragma(inline, true)
int X509_LOOKUP_add_dir(.X509_LOOKUP* x, const (char)* name, core.stdc.config.c_long type)

do
{
	return .X509_LOOKUP_ctrl(x, .X509_L_ADD_DIR, name, type, null);
}

/**
 * Add an in-memory buffer to lookup `x`
 * (LibreSSL extension; wraps X509_LOOKUP_ctrl with X509_L_MEM).
 *
 * `iov` is passed through the `const(char)*` ctrl argument; the buffer
 * layout it expects is not visible in this header -- check the C side.
 *
 * Returns: the X509_LOOKUP_ctrl result.
 */
pragma(inline, true)
int X509_LOOKUP_add_mem(.X509_LOOKUP* x, const (char)* iov, core.stdc.config.c_long type)

do
{
	return .X509_LOOKUP_ctrl(x, .X509_L_MEM, iov, type, null);
}

/*
 * Verification result codes (X509_STORE_CTX.error). Anything other than
 * X509_V_OK means the chain must be treated as untrusted.
 */
enum X509_V_OK = 0;
enum X509_V_ERR_UNSPECIFIED = 1;
enum X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT = 2;
enum X509_V_ERR_UNABLE_TO_GET_CRL = 3;
enum X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE = 4;
enum X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE = 5;
enum X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY = 6;
enum X509_V_ERR_CERT_SIGNATURE_FAILURE = 7;
enum X509_V_ERR_CRL_SIGNATURE_FAILURE = 8;
enum X509_V_ERR_CERT_NOT_YET_VALID = 9;
enum X509_V_ERR_CERT_HAS_EXPIRED = 10;
enum X509_V_ERR_CRL_NOT_YET_VALID = 11;
enum X509_V_ERR_CRL_HAS_EXPIRED = 12;
enum X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD = 13;
enum X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD = 14;
enum X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD = 15;
enum X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD = 16;
enum X509_V_ERR_OUT_OF_MEM = 17;

/*
 * NOTE(review): 18, 19 and 20 are the errors most often blindly accepted in
 * verify callbacks "to make self-signed certs work". Accepting any of them
 * accepts every self-signed certificate, i.e. any attacker's certificate.
 */
enum X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT = 18;
enum X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN = 19;
enum X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY = 20;
enum X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE = 21;
enum X509_V_ERR_CERT_CHAIN_TOO_LONG = 22;
enum X509_V_ERR_CERT_REVOKED = 23;
enum X509_V_ERR_INVALID_CA = 24;
enum X509_V_ERR_PATH_LENGTH_EXCEEDED = 25;
enum X509_V_ERR_INVALID_PURPOSE = 26;
enum X509_V_ERR_CERT_UNTRUSTED = 27;
enum X509_V_ERR_CERT_REJECTED = 28;

/* These are 'informational' when looking for issuer cert */
enum X509_V_ERR_SUBJECT_ISSUER_MISMATCH = 29;
enum X509_V_ERR_AKID_SKID_MISMATCH = 30;
enum X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH = 31;
enum X509_V_ERR_KEYUSAGE_NO_CERTSIGN = 32;

enum X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER = 33;

/**
 * A critical extension the verifier does not understand was present.
 * Per RFC 5280 this is a hard failure; X509_V_FLAG_IGNORE_CRITICAL (below)
 * suppresses it and should be avoided.
 */
enum X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION = 34;
enum X509_V_ERR_KEYUSAGE_NO_CRL_SIGN = 35;
enum X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION = 36;
enum X509_V_ERR_INVALID_NON_CA = 37;
enum X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED = 38;
enum X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE = 39;
enum X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED = 40;

enum X509_V_ERR_INVALID_EXTENSION = 41;
enum X509_V_ERR_INVALID_POLICY_EXTENSION = 42;
enum X509_V_ERR_NO_EXPLICIT_POLICY = 43;
enum X509_V_ERR_DIFFERENT_CRL_SCOPE = 44;
enum X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE = 45;

enum X509_V_ERR_UNNESTED_RESOURCE = 46;

/* Name constraint (RFC 5280 4.2.1.10) failures */
enum X509_V_ERR_PERMITTED_VIOLATION = 47;
enum X509_V_ERR_EXCLUDED_VIOLATION = 48;
enum X509_V_ERR_SUBTREE_MINMAX = 49;
enum X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE = 51;
enum X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX = 52;
enum X509_V_ERR_UNSUPPORTED_NAME_SYNTAX = 53;
enum X509_V_ERR_CRL_PATH_VALIDATION_ERROR = 54;

/**
 * The application is not happy
 * (reserved for application-level rejection, e.g. from a verify callback;
 * note it is numbered 50, out of sequence with its neighbours above)
 */
enum X509_V_ERR_APPLICATION_VERIFICATION = 50;

/*
 * Host, email and IP check errors.
 * NOTE(review): presumably only raised when a name was configured through
 * X509_VERIFY_PARAM_set1_host / add1_host / set1_email / set1_ip (declared
 * below); with no name configured, this layer performs no name check at all
 * and a valid-but-wrong certificate verifies -- confirm against x509_vfy.c.
 */
enum X509_V_ERR_HOSTNAME_MISMATCH = 62;
enum X509_V_ERR_EMAIL_MISMATCH = 63;
enum X509_V_ERR_IP_ADDRESS_MISMATCH = 64;

/**
 * Caller error
 */
enum X509_V_ERR_INVALID_CALL = 65;

/**
 * Issuer lookup error
 */
enum X509_V_ERR_STORE_LOOKUP = 66;

/*
 * Certificate verify flags (X509_VERIFY_PARAM.flags). Several of these
 * weaken verification; each such flag carries a note below. Bit 0x10000-
 * 0x40000 are not defined in this header.
 */

/**
 * Send issuer+subject checks to verify_cb
 */
enum X509_V_FLAG_CB_ISSUER_CHECK = 0x01;

/**
 * Use check time instead of current time
 * (the time is X509_VERIFY_PARAM.check_time)
 */
enum X509_V_FLAG_USE_CHECK_TIME = 0x02;

/**
 * Lookup CRLs
 * (without this flag no revocation checking is performed by this layer)
 */
enum X509_V_FLAG_CRL_CHECK = 0x04;

/**
 * Lookup CRLs for whole chain
 */
enum X509_V_FLAG_CRL_CHECK_ALL = 0x08;

/**
 * Ignore unhandled critical extensions
 *
 * WEAKENS VERIFICATION: a critical extension is one the issuer requires
 * the relying party to understand (RFC 5280); ignoring it accepts
 * certificates whose constraints this verifier cannot enforce.
 */
enum X509_V_FLAG_IGNORE_CRITICAL = 0x10;

/**
 * Disable workarounds for broken certificates
 * (stricter; prefer setting it where interoperability allows)
 */
enum X509_V_FLAG_X509_STRICT = 0x20;

/**
 * Enable proxy certificate validation
 * (RFC 3820 proxy certificates are rejected unless this is set)
 */
enum X509_V_FLAG_ALLOW_PROXY_CERTS = 0x40;

/**
 * Enable policy checking
 */
enum X509_V_FLAG_POLICY_CHECK = 0x80;

/**
 * Policy variable require-explicit-policy
 */
enum X509_V_FLAG_EXPLICIT_POLICY = 0x0100;

/**
 * Policy variable inhibit-any-policy
 */
enum X509_V_FLAG_INHIBIT_ANY = 0x0200;

/**
 * Policy variable inhibit-policy-mapping
 */
enum X509_V_FLAG_INHIBIT_MAP = 0x0400;

/**
 * Notify callback that policy is OK
 */
enum X509_V_FLAG_NOTIFY_POLICY = 0x0800;

/**
 * Extended CRL features such as indirect CRLs, alternate CRL signing keys
 */
enum X509_V_FLAG_EXTENDED_CRL_SUPPORT = 0x1000;

/**
 * Delta CRL support
 */
enum X509_V_FLAG_USE_DELTAS = 0x2000;

/**
 * Check selfsigned CA signature
 */
enum X509_V_FLAG_CHECK_SS_SIGNATURE = 0x4000;

/**
 * Use trusted store first
 */
enum X509_V_FLAG_TRUSTED_FIRST = 0x8000;

/**
 * Allow partial chains if at least one certificate is in trusted store
 *
 * WEAKENS VERIFICATION unless intended: every certificate in the store,
 * including intermediates, then acts as a trust anchor. Appropriate for
 * pinning to a specific intermediate; dangerous with a broad store.
 */
enum X509_V_FLAG_PARTIAL_CHAIN = 0x080000;

/**
 * If the initial chain is not trusted, do not attempt to build an alternative
 * chain. Alternate chain checking was introduced in 1.0.2b. Setting this flag
 * will force the behaviour to match that of previous versions.
 */
enum X509_V_FLAG_NO_ALT_CHAINS = 0x100000;

/**
 * Do not check certificate or CRL validity against current time.
 *
 * WEAKENS VERIFICATION: expired and not-yet-valid certificates and CRLs
 * pass. Only for offline/archival verification, never for live peers.
 */
enum X509_V_FLAG_NO_CHECK_TIME = 0x200000;

/**
 * Force the use of the legacy certificate verification
 * (bypasses the newer verifier; use only to triage compatibility
 * problems, not as a production setting)
 */
enum X509_V_FLAG_LEGACY_VERIFY = 0x400000;

/* X509_VERIFY_PARAM inheritance flags (inh_flags) */
enum X509_VP_FLAG_DEFAULT = 0x01;
enum X509_VP_FLAG_OVERWRITE = 0x02;
enum X509_VP_FLAG_RESET_FLAGS = 0x04;
enum X509_VP_FLAG_LOCKED = 0x08;
enum X509_VP_FLAG_ONCE = 0x10;

/**
 * Internal use: mask of policy related options
 */
enum X509_V_FLAG_POLICY_MASK = .X509_V_FLAG_POLICY_CHECK | .X509_V_FLAG_EXPLICIT_POLICY | .X509_V_FLAG_INHIBIT_ANY | .X509_V_FLAG_INHIBIT_MAP;

/*
 * X509_OBJECT helpers. By OpenSSL naming convention, get0_* returns a
 * borrowed pointer owned by the object (do not free it), while
 * X509_OBJECT_up_ref_count takes an additional reference.
 */
int X509_OBJECT_idx_by_subject(.stack_st_X509_OBJECT* h, int type, libressl_d.openssl.ossl_typ.X509_NAME* name);
.X509_OBJECT* X509_OBJECT_retrieve_by_subject(.stack_st_X509_OBJECT* h, int type, libressl_d.openssl.ossl_typ.X509_NAME* name);
.X509_OBJECT* X509_OBJECT_retrieve_match(.stack_st_X509_OBJECT* h, .X509_OBJECT* x);
int X509_OBJECT_up_ref_count(.X509_OBJECT* a);
int X509_OBJECT_get_type(const (.X509_OBJECT)* a);
void X509_OBJECT_free_contents(.X509_OBJECT* a);
libressl_d.openssl.ossl_typ.X509* X509_OBJECT_get0_X509(const (.X509_OBJECT)* xo);
libressl_d.openssl.ossl_typ.X509_CRL* X509_OBJECT_get0_X509_CRL(.X509_OBJECT* xo);

/* X509_STORE lifetime: reference counted via up_ref / free */
libressl_d.openssl.ossl_typ.X509_STORE* X509_STORE_new();
void X509_STORE_free(libressl_d.openssl.ossl_typ.X509_STORE* v);
int X509_STORE_up_ref(libressl_d.openssl.ossl_typ.X509_STORE* x);

/** get1: the returned stack and its references are owned by the caller (naming convention) */
libressl_d.openssl.x509.stack_st_X509* X509_STORE_get1_certs(libressl_d.openssl.ossl_typ.X509_STORE_CTX* st, libressl_d.openssl.ossl_typ.X509_NAME* nm);
/** get1: the returned stack and its references are owned by the caller (naming convention) */
libressl_d.openssl.x509.stack_st_X509_CRL* X509_STORE_get1_crls(libressl_d.openssl.ossl_typ.X509_STORE_CTX* st, libressl_d.openssl.ossl_typ.X509_NAME* nm);

/** get0: borrowed; the stack stays owned by the store */
.stack_st_X509_OBJECT* X509_STORE_get0_objects(libressl_d.openssl.ossl_typ.X509_STORE* xs);

void* X509_STORE_get_ex_data(libressl_d.openssl.ossl_typ.X509_STORE* xs, int idx);
int X509_STORE_set_ex_data(libressl_d.openssl.ossl_typ.X509_STORE* xs, int idx, void* data);

/**
 * Allocate a private ex_data index for X509_STORE objects
 * (D equivalent of the C macro; forwards to CRYPTO_get_ex_new_index with
 * the X509_STORE index class).
 *
 * Use this rather than a hard-coded index so independent components do not
 * collide on the same slot.
 *
 * Returns: the new index, or whatever CRYPTO_get_ex_new_index returns on failure.
 */
pragma(inline, true)
int X509_STORE_get_ex_new_index(core.stdc.config.c_long l, void* p, libressl_d.openssl.ossl_typ.CRYPTO_EX_new* newf, libressl_d.openssl.ossl_typ.CRYPTO_EX_dup* dupf, libressl_d.openssl.ossl_typ.CRYPTO_EX_free* freef)

do
{
	return libressl_d.openssl.crypto.CRYPTO_get_ex_new_index(libressl_d.openssl.crypto.CRYPTO_EX_INDEX_X509_STORE, l, p, newf, dupf, freef);
}

/*
 * Store-wide verification policy. `flags` is a bitwise OR of X509_V_FLAG_*;
 * see the notes on the weakening flags before setting any of them.
 */
int X509_STORE_set_flags(libressl_d.openssl.ossl_typ.X509_STORE* ctx, core.stdc.config.c_ulong flags);
int X509_STORE_set_purpose(libressl_d.openssl.ossl_typ.X509_STORE* ctx, int purpose);
int X509_STORE_set_trust(libressl_d.openssl.ossl_typ.X509_STORE* ctx, int trust);
int X509_STORE_set1_param(libressl_d.openssl.ossl_typ.X509_STORE* ctx, .X509_VERIFY_PARAM* pm);
.X509_VERIFY_PARAM* X509_STORE_get0_param(libressl_d.openssl.ossl_typ.X509_STORE* ctx);

/**
 * Install the error callback through the library (preferred over the
 * field-writing X509_STORE_set_verify_cb_func above). See the verify_cb
 * field of x509_store_st for the bypass caveat.
 */
void X509_STORE_set_verify_cb(libressl_d.openssl.ossl_typ.X509_STORE* ctx, int function(int, libressl_d.openssl.ossl_typ.X509_STORE_CTX*) verify_cb);

libressl_d.openssl.ossl_typ.X509_STORE_CTX* X509_STORE_CTX_new();

/** get1: on success `*issuer` carries a reference the caller must release (naming convention) */
int X509_STORE_CTX_get1_issuer(libressl_d.openssl.ossl_typ.X509** issuer, libressl_d.openssl.ossl_typ.X509_STORE_CTX* ctx, libressl_d.openssl.ossl_typ.X509* x);

void X509_STORE_CTX_free(libressl_d.openssl.ossl_typ.X509_STORE_CTX* ctx);

/**
 * Prepare `ctx` to verify `x509` using `store`, with `chain` as the
 * untrusted helper certificates. Check the return value: an init failure
 * leaves the context unusable and must not be followed by verification.
 */
int X509_STORE_CTX_init(libressl_d.openssl.ossl_typ.X509_STORE_CTX* ctx, libressl_d.openssl.ossl_typ.X509_STORE* store, libressl_d.openssl.ossl_typ.X509* x509, libressl_d.openssl.x509.stack_st_X509* chain);

/* get0/set0: borrowed pointers; ownership stays with the caller or context (naming convention) */
libressl_d.openssl.ossl_typ.X509* X509_STORE_CTX_get0_cert(libressl_d.openssl.ossl_typ.X509_STORE_CTX* ctx);
libressl_d.openssl.x509.stack_st_X509* X509_STORE_CTX_get0_chain(libressl_d.openssl.ossl_typ.X509_STORE_CTX* xs);
libressl_d.openssl.ossl_typ.X509_STORE* X509_STORE_CTX_get0_store(libressl_d.openssl.ossl_typ.X509_STORE_CTX* xs);
libressl_d.openssl.x509.stack_st_X509* X509_STORE_CTX_get0_untrusted(libressl_d.openssl.ossl_typ.X509_STORE_CTX* ctx);
void X509_STORE_CTX_set0_untrusted(libressl_d.openssl.ossl_typ.X509_STORE_CTX* ctx, libressl_d.openssl.x509.stack_st_X509* sk);

/**
 * Replace the trust anchors for this verification with `sk`.
 * Everything in `sk` is treated as trusted, so it must only ever contain
 * certificates the application has deliberately chosen to trust.
 */
void X509_STORE_CTX_trusted_stack(libressl_d.openssl.ossl_typ.X509_STORE_CTX* ctx, libressl_d.openssl.x509.stack_st_X509* sk);
void X509_STORE_CTX_set0_trusted_stack(libressl_d.openssl.ossl_typ.X509_STORE_CTX* ctx, libressl_d.openssl.x509.stack_st_X509* sk);
void X509_STORE_CTX_cleanup(libressl_d.openssl.ossl_typ.X509_STORE_CTX* ctx);

.X509_LOOKUP* X509_STORE_add_lookup(libressl_d.openssl.ossl_typ.X509_STORE* v, .X509_LOOKUP_METHOD* m);

/* Built-in lookup methods (hashed directory, single file, in-memory buffer) */
.X509_LOOKUP_METHOD* X509_LOOKUP_hash_dir();
.X509_LOOKUP_METHOD* X509_LOOKUP_file();
.X509_LOOKUP_METHOD* X509_LOOKUP_mem();

/* Adding to the store makes the object trusted for every verification that uses the store */
int X509_STORE_add_cert(libressl_d.openssl.ossl_typ.X509_STORE* ctx, libressl_d.openssl.ossl_typ.X509* x);
int X509_STORE_add_crl(libressl_d.openssl.ossl_typ.X509_STORE* ctx, libressl_d.openssl.ossl_typ.X509_CRL* x);

int X509_STORE_get_by_subject(libressl_d.openssl.ossl_typ.X509_STORE_CTX* vs, int type, libressl_d.openssl.ossl_typ.X509_NAME* name, .X509_OBJECT* ret);

/** `cmd` is one of X509_L_*; see the X509_LOOKUP_load_file/add_dir/add_mem wrappers above */
int X509_LOOKUP_ctrl(.X509_LOOKUP* ctx, int cmd, const (char)* argc, core.stdc.config.c_long argl, char** ret);

/* File loaders: `file` is opened by the library, so it must not come from untrusted input */
int X509_load_cert_file(.X509_LOOKUP* ctx, const (char)* file, int type);
int X509_load_crl_file(.X509_LOOKUP* ctx, const (char)* file, int type);
int X509_load_cert_crl_file(.X509_LOOKUP* ctx, const (char)* file, int type);

.X509_LOOKUP* X509_LOOKUP_new(.X509_LOOKUP_METHOD* method);
void X509_LOOKUP_free(.X509_LOOKUP* ctx);
int X509_LOOKUP_init(.X509_LOOKUP* ctx);
int X509_LOOKUP_by_subject(.X509_LOOKUP* ctx, int type, libressl_d.openssl.ossl_typ.X509_NAME* name, .X509_OBJECT* ret);
int X509_LOOKUP_by_issuer_serial(.X509_LOOKUP* ctx, int type, libressl_d.openssl.ossl_typ.X509_NAME* name, libressl_d.openssl.ossl_typ.ASN1_INTEGER* serial, .X509_OBJECT* ret);

/** `len` is a signed int: reject negative lengths before calling */
int X509_LOOKUP_by_fingerprint(.X509_LOOKUP* ctx, int type, const (ubyte)* bytes, int len, .X509_OBJECT* ret);
int X509_LOOKUP_by_alias(.X509_LOOKUP* ctx, int type, const (char)* str, int len, .X509_OBJECT* ret);
int X509_LOOKUP_shutdown(.X509_LOOKUP* ctx);

int X509_STORE_load_locations(libressl_d.openssl.ossl_typ.X509_STORE* ctx, const (char)* file, const (char)* dir);

/** `len` is a signed int; callers must ensure it is non-negative and matches `buf` */
int X509_STORE_load_mem(libressl_d.openssl.ossl_typ.X509_STORE* ctx, void* buf, int len);

/** presumably loads the build-time default CA locations; confirm what those are before relying on it */
int X509_STORE_set_default_paths(libressl_d.openssl.ossl_typ.X509_STORE* ctx);

int X509_STORE_CTX_get_ex_new_index(core.stdc.config.c_long argl, void* argp, libressl_d.openssl.ossl_typ.CRYPTO_EX_new* new_func, libressl_d.openssl.ossl_typ.CRYPTO_EX_dup* dup_func, libressl_d.openssl.ossl_typ.CRYPTO_EX_free* free_func);
int X509_STORE_CTX_set_ex_data(libressl_d.openssl.ossl_typ.X509_STORE_CTX* ctx, int idx, void* data);
void* X509_STORE_CTX_get_ex_data(libressl_d.openssl.ossl_typ.X509_STORE_CTX* ctx, int idx);

/* Error state (X509_STORE_CTX.error / error_depth; values are X509_V_OK / X509_V_ERR_*) */
int X509_STORE_CTX_get_error(libressl_d.openssl.ossl_typ.X509_STORE_CTX* ctx);

/**
 * Overwrite the current error. NOTE(review): writing X509_V_OK here from a
 * verify callback is a common way checks get silently disabled; use it only
 * to report a more specific error, never to clear one.
 */
void X509_STORE_CTX_set_error(libressl_d.openssl.ossl_typ.X509_STORE_CTX* ctx, int s);
int X509_STORE_CTX_get_error_depth(libressl_d.openssl.ossl_typ.X509_STORE_CTX* ctx);
libressl_d.openssl.ossl_typ.X509* X509_STORE_CTX_get_current_cert(libressl_d.openssl.ossl_typ.X509_STORE_CTX* ctx);
libressl_d.openssl.ossl_typ.X509* X509_STORE_CTX_get0_current_issuer(libressl_d.openssl.ossl_typ.X509_STORE_CTX* ctx);
libressl_d.openssl.ossl_typ.X509_CRL* X509_STORE_CTX_get0_current_crl(libressl_d.openssl.ossl_typ.X509_STORE_CTX* ctx);
libressl_d.openssl.ossl_typ.X509_STORE_CTX* X509_STORE_CTX_get0_parent_ctx(libressl_d.openssl.ossl_typ.X509_STORE_CTX* ctx);

/* get_chain returns a borrowed stack; get1_chain returns a copy the caller owns (naming convention) */
libressl_d.openssl.x509.stack_st_X509* X509_STORE_CTX_get_chain(libressl_d.openssl.ossl_typ.X509_STORE_CTX* ctx);
libressl_d.openssl.x509.stack_st_X509* X509_STORE_CTX_get1_chain(libressl_d.openssl.ossl_typ.X509_STORE_CTX* ctx);

/* Inputs to the verification; the context does not take ownership of `x` / `sk` */
void X509_STORE_CTX_set_cert(libressl_d.openssl.ossl_typ.X509_STORE_CTX* c, libressl_d.openssl.ossl_typ.X509* x);
void X509_STORE_CTX_set_chain(libressl_d.openssl.ossl_typ.X509_STORE_CTX* c, libressl_d.openssl.x509.stack_st_X509* sk);
void X509_STORE_CTX_set0_crls(libressl_d.openssl.ossl_typ.X509_STORE_CTX* c, libressl_d.openssl.x509.stack_st_X509_CRL* sk);

/* Per-verification policy overrides (same caveats as the X509_STORE_set_* and X509_V_FLAG_* above) */
int X509_STORE_CTX_set_purpose(libressl_d.openssl.ossl_typ.X509_STORE_CTX* ctx, int purpose);
int X509_STORE_CTX_set_trust(libressl_d.openssl.ossl_typ.X509_STORE_CTX* ctx, int trust);
int X509_STORE_CTX_purpose_inherit(libressl_d.openssl.ossl_typ.X509_STORE_CTX* ctx, int def_purpose, int purpose, int trust);
void X509_STORE_CTX_set_flags(libressl_d.openssl.ossl_typ.X509_STORE_CTX* ctx, core.stdc.config.c_ulong flags);

/** Sets the verification time `t`; `flags` is passed alongside (its meaning is not visible in this header) */
void X509_STORE_CTX_set_time(libressl_d.openssl.ossl_typ.X509_STORE_CTX* ctx, core.stdc.config.c_ulong flags, libressl_d.compat.time.time_t t);

/** Per-context error callback; see the verify_cb field of x509_store_st for the bypass caveat */
void X509_STORE_CTX_set_verify_cb(libressl_d.openssl.ossl_typ.X509_STORE_CTX* ctx, int function(int, libressl_d.openssl.ossl_typ.X509_STORE_CTX*) verify_cb);

libressl_d.openssl.ossl_typ.X509_POLICY_TREE* X509_STORE_CTX_get0_policy_tree(libressl_d.openssl.ossl_typ.X509_STORE_CTX* ctx);
int X509_STORE_CTX_get_explicit_policy(libressl_d.openssl.ossl_typ.X509_STORE_CTX* ctx);

.X509_VERIFY_PARAM* X509_STORE_CTX_get0_param(libressl_d.openssl.ossl_typ.X509_STORE_CTX* ctx);

/** set0: the context takes over `param` (naming convention); do not free it afterwards */
void X509_STORE_CTX_set0_param(libressl_d.openssl.ossl_typ.X509_STORE_CTX* ctx, .X509_VERIFY_PARAM* param);
int X509_STORE_CTX_set_default(libressl_d.openssl.ossl_typ.X509_STORE_CTX* ctx, const (char)* name);

/* X509_VERIFY_PARAM functions */

.X509_VERIFY_PARAM* X509_VERIFY_PARAM_new();
void X509_VERIFY_PARAM_free(.X509_VERIFY_PARAM* param);
int X509_VERIFY_PARAM_inherit(.X509_VERIFY_PARAM* to, const (.X509_VERIFY_PARAM)* from);
int X509_VERIFY_PARAM_set1(.X509_VERIFY_PARAM* to, const (.X509_VERIFY_PARAM)* from);
int X509_VERIFY_PARAM_set1_name(.X509_VERIFY_PARAM* param, const (char)* name);

/* Flag bits are X509_V_FLAG_*; set_flags ORs in, clear_flags removes -- review before adding a weakening flag */
int X509_VERIFY_PARAM_set_flags(.X509_VERIFY_PARAM* param, core.stdc.config.c_ulong flags);
int X509_VERIFY_PARAM_clear_flags(.X509_VERIFY_PARAM* param, core.stdc.config.c_ulong flags);
core.stdc.config.c_ulong X509_VERIFY_PARAM_get_flags(.X509_VERIFY_PARAM* param);
int X509_VERIFY_PARAM_set_purpose(.X509_VERIFY_PARAM* param, int purpose);
int X509_VERIFY_PARAM_set_trust(.X509_VERIFY_PARAM* param, int trust);

/** Maximum chain depth; keep it small, it bounds how much work a hostile chain can force */
void X509_VERIFY_PARAM_set_depth(.X509_VERIFY_PARAM* param, int depth);
void X509_VERIFY_PARAM_set_time(.X509_VERIFY_PARAM* param, libressl_d.compat.time.time_t t);

/** add0: `policy` is adopted by `param` (naming convention) */
int X509_VERIFY_PARAM_add0_policy(.X509_VERIFY_PARAM* param, libressl_d.openssl.asn1.ASN1_OBJECT* policy);
int X509_VERIFY_PARAM_set1_policies(.X509_VERIFY_PARAM* param, libressl_d.openssl.asn1.stack_st_ASN1_OBJECT* policies);
int X509_VERIFY_PARAM_get_depth(const (.X509_VERIFY_PARAM)* param);

/*
 * Peer identity checks. Without one of set1_host/add1_host/set1_email/
 * set1_ip(_asc) the verifier checks only chain validity, not that the
 * certificate belongs to the peer you intended; always configure the
 * expected identity for a network peer. `namelen`/`emaillen` are explicit
 * lengths (0 presumably means NUL-terminated, as in OpenSSL -- confirm).
 */
int X509_VERIFY_PARAM_set1_host(.X509_VERIFY_PARAM* param, const (char)* name, size_t namelen);
int X509_VERIFY_PARAM_add1_host(.X509_VERIFY_PARAM* param, const (char)* name, size_t namelen);
void X509_VERIFY_PARAM_set_hostflags(.X509_VERIFY_PARAM* param, uint flags);

/** get0: borrowed; valid only while `param` lives and is not modified */
char* X509_VERIFY_PARAM_get0_peername(.X509_VERIFY_PARAM* param);
int X509_VERIFY_PARAM_set1_email(.X509_VERIFY_PARAM* param, const (char)* email, size_t emaillen);
/** `ip` is the raw address bytes (`iplen` is its length); set1_ip_asc takes the textual form instead */
int X509_VERIFY_PARAM_set1_ip(.X509_VERIFY_PARAM* param, const (ubyte)* ip, size_t iplen);
int X509_VERIFY_PARAM_set1_ip_asc(.X509_VERIFY_PARAM* param, const (char)* ipasc);
const (char)* X509_VERIFY_PARAM_get0_name(const (.X509_VERIFY_PARAM)* param);

/* Library-global table of named parameter sets (process-wide state) */
const (.X509_VERIFY_PARAM)* X509_VERIFY_PARAM_get0(int id);
int X509_VERIFY_PARAM_get_count();

/** add0: the table adopts `param` (naming convention) */
int X509_VERIFY_PARAM_add0_table(.X509_VERIFY_PARAM* param);
const (.X509_VERIFY_PARAM)* X509_VERIFY_PARAM_lookup(const (char)* name);
void X509_VERIFY_PARAM_table_cleanup();

/*
 * Certificate policy (RFC 5280 section 6) tree API. `flags` is the
 * X509_V_FLAG_* policy subset (see X509_V_FLAG_POLICY_MASK).
 */
int X509_policy_check(libressl_d.openssl.ossl_typ.X509_POLICY_TREE** ptree, int* pexplicit_policy, libressl_d.openssl.x509.stack_st_X509* certs, libressl_d.openssl.asn1.stack_st_ASN1_OBJECT* policy_oids, uint flags);

void X509_policy_tree_free(libressl_d.openssl.ossl_typ.X509_POLICY_TREE* tree);

/* All get0_* below return pointers owned by the tree; they are invalid after X509_policy_tree_free */
int X509_policy_tree_level_count(const (libressl_d.openssl.ossl_typ.X509_POLICY_TREE)* tree);
libressl_d.openssl.ossl_typ.X509_POLICY_LEVEL* X509_policy_tree_get0_level(const (libressl_d.openssl.ossl_typ.X509_POLICY_TREE)* tree, int i);

libressl_d.openssl.x509v3.stack_st_X509_POLICY_NODE* X509_policy_tree_get0_policies(const (libressl_d.openssl.ossl_typ.X509_POLICY_TREE)* tree);

libressl_d.openssl.x509v3.stack_st_X509_POLICY_NODE* X509_policy_tree_get0_user_policies(const (libressl_d.openssl.ossl_typ.X509_POLICY_TREE)* tree);

int X509_policy_level_node_count(libressl_d.openssl.ossl_typ.X509_POLICY_LEVEL* level);

/** `i` is an unchecked index on the D side; keep it below X509_policy_level_node_count */
libressl_d.openssl.ossl_typ.X509_POLICY_NODE* X509_policy_level_get0_node(libressl_d.openssl.ossl_typ.X509_POLICY_LEVEL* level, int i);

const (libressl_d.openssl.asn1.ASN1_OBJECT)* X509_policy_node_get0_policy(const (libressl_d.openssl.ossl_typ.X509_POLICY_NODE)* node);

libressl_d.openssl.x509v3.stack_st_POLICYQUALINFO* X509_policy_node_get0_qualifiers(const (libressl_d.openssl.ossl_typ.X509_POLICY_NODE)* node);
const (libressl_d.openssl.ossl_typ.X509_POLICY_NODE)* X509_policy_node_get0_parent(const (libressl_d.openssl.ossl_typ.X509_POLICY_NODE)* node);