1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
|
/*
* Copyright 2019 Daniel Silverstone <dsilvers@netsurf-browser.org>
*
* This file is part of NetSurf, http://www.netsurf-browser.org/
*
* NetSurf is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; version 2 of the License.
*
* NetSurf is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
/**
* \file
*
* SSL related types and values
*/
#ifndef NETSURF_SSL_CERTS_H_
#define NETSURF_SSL_CERTS_H_
/**
* ssl certificate error status
*
* Do not reorder / remove entries because these may be persisted to the disk
* cache as simple ints.
*/
typedef enum {
SSL_CERT_ERR_OK, /**< Nothing wrong with this certificate */
SSL_CERT_ERR_UNKNOWN, /**< Unknown error */
SSL_CERT_ERR_BAD_ISSUER, /**< Bad issuer */
SSL_CERT_ERR_BAD_SIG, /**< Bad signature on this certificate */
SSL_CERT_ERR_TOO_YOUNG, /**< This certificate is not yet valid */
SSL_CERT_ERR_TOO_OLD, /**< This certificate is no longer valid */
SSL_CERT_ERR_SELF_SIGNED, /**< This certificate (or the chain) is self signed */
SSL_CERT_ERR_CHAIN_SELF_SIGNED, /**< This certificate chain is self signed */
SSL_CERT_ERR_REVOKED, /**< This certificate has been revoked */
SSL_CERT_ERR_HOSTNAME_MISMATCH, /**< This certificate host did not match the server */
SSL_CERT_ERR_CERT_MISSING, /**< This certificate was missing from the chain, its data is useless */
} ssl_cert_err;
/** Always the max known ssl certificate error type */
#define SSL_CERT_ERR_MAX_KNOWN SSL_CERT_ERR_HOSTNAME_MISMATCH
/** maximum number of X509 certificates in chain for TLS connection */
#define MAX_CERT_DEPTH 10
/**
* X509 certificate chain
*/
struct cert_chain {
/**
* the number of certificates in the chain
* */
size_t depth;
struct {
/**
* Whatever is wrong with this certificate
*/
ssl_cert_err err;
/**
* data in Distinguished Encoding Rules (DER) format
*/
uint8_t *der;
/**
* DER length
*/
size_t der_length;
} certs[MAX_CERT_DEPTH];
};
/**
* create new certificate chain
*
* \param dpth the depth to set in the new chain.
* \param chain_out A pointer to recive the new chain.
* \return NSERROR_OK on success or NSERROR_NOMEM on memory exhaustion
*/
nserror cert_chain_alloc(size_t depth, struct cert_chain **chain_out);
/**
* duplicate a certificate chain
*
* \param src The certificate chain to copy from
* \param dst_out A pointer to recive the duplicated chain
* \return NSERROR_OK on success or NSERROR_NOMEM on memory exhaustion
*/
nserror cert_chain_dup(const struct cert_chain *src, struct cert_chain **dst_out);
/**
* free a certificate chain
*
* \param chain The certificate chain to free
* \return NSERROR_OK on success
*/
nserror cert_chain_free(struct cert_chain *chain);
/**
* total number of data bytes in a chain
*
* \param chain The chain to size
* \return the number of bytes used by the chain
*/
size_t cert_chain_size(const struct cert_chain *chain);
#endif /* NETSURF_SSL_CERTS_H_ */
|