summaryrefslogtreecommitdiff
path: root/include/netsurf/ssl_certs.h
blob: e3e4188484feb5695698a4c8595cf4a8685a995d (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
/*
 * Copyright 2019 Daniel Silverstone <dsilvers@netsurf-browser.org>
 *
 * This file is part of NetSurf, http://www.netsurf-browser.org/
 *
 * NetSurf is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; version 2 of the License.
 *
 * NetSurf is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */

/**
 * \file
 *
 * SSL related types and values
 */

#ifndef NETSURF_SSL_CERTS_H_
#define NETSURF_SSL_CERTS_H_

struct nsurl;

/**
 * ssl certificate error status
 *
 * Do not reorder / remove entries because these may be persisted to the disk
 * cache as simple ints.
 */
typedef enum {
	SSL_CERT_ERR_OK,	/**< Nothing wrong with this certificate */
	SSL_CERT_ERR_UNKNOWN,	/**< Unknown error */
	SSL_CERT_ERR_BAD_ISSUER, /**< Bad issuer */
	SSL_CERT_ERR_BAD_SIG,	/**< Bad signature on this certificate */
	SSL_CERT_ERR_TOO_YOUNG,	/**< This certificate is not yet valid */
	SSL_CERT_ERR_TOO_OLD,	/**< This certificate is no longer valid */
	SSL_CERT_ERR_SELF_SIGNED, /**< This certificate (or the chain) is self signed */
	SSL_CERT_ERR_CHAIN_SELF_SIGNED, /**< This certificate chain is self signed */
	SSL_CERT_ERR_REVOKED,	/**< This certificate has been revoked */
	SSL_CERT_ERR_HOSTNAME_MISMATCH, /**< This certificate host did not match the server */
	SSL_CERT_ERR_CERT_MISSING, /**< This certificate was missing from the chain, its data is useless */
} ssl_cert_err;

/** Always the max known ssl certificate error type */
#define SSL_CERT_ERR_MAX_KNOWN SSL_CERT_ERR_HOSTNAME_MISMATCH

/** maximum number of X509 certificates in chain for TLS connection */
#define MAX_CERT_DEPTH 10

/**
 * X509 certificate chain
 */
struct cert_chain {
	/**
	 * the number of certificates in the chain
	 * */
	size_t depth;
	struct {
		/**
		 * Whatever is wrong with this certificate
		 */
		ssl_cert_err err;

		/**
		 * data in Distinguished Encoding Rules (DER) format
		 */
		uint8_t *der;

		/**
		 * DER length
		 */
		size_t der_length;
	} certs[MAX_CERT_DEPTH];
};

/**
 * create new certificate chain
 *
 * \param dpth the depth to set in the new chain.
 * \param chain_out A pointer to recive the new chain.
 * \return NSERROR_OK on success or NSERROR_NOMEM on memory exhaustion
 */
nserror cert_chain_alloc(size_t depth, struct cert_chain **chain_out);

/**
 * duplicate a certificate chain into an existing chain
 *
 * \param src The certificate chain to copy from
 * \param dst The chain to overwrite with a copy of src
 * \return NSERROR_OK on success or NSERROR_NOMEM on memory exhaustion
 *
 * NOTE: if this returns NSERROR_NOMEM then the destination chain will have
 * some amount of content and should be cleaned up with cert_chain_free.
 */
nserror cert_chain_dup_into(const struct cert_chain *src, struct cert_chain *dst);

/**
 * duplicate a certificate chain
 *
 * \param src The certificate chain to copy from
 * \param dst_out A pointer to recive the duplicated chain
 * \return NSERROR_OK on success or NSERROR_NOMEM on memory exhaustion
 */
nserror cert_chain_dup(const struct cert_chain *src, struct cert_chain **dst_out);

/**
 * create a certificate chain from a fetch query string
 *
 * \param url The url to convert the query from
 * \param dst_out A pointer to recive the duplicated chain
 * \return NSERROR_OK on success or NSERROR_NOMEM on memory exhaustion
 */
nserror cert_chain_from_query(struct nsurl *url, struct cert_chain **chain_out);

/**
 * free a certificate chain
 *
 * \param chain The certificate chain to free
 * \return NSERROR_OK on success
 */
nserror cert_chain_free(struct cert_chain *chain);

/**
 * total number of data bytes in a chain
 *
 * \param chain The chain to size
 * \return the number of bytes used by the chain
 */
size_t cert_chain_size(const struct cert_chain *chain);

#endif /* NETSURF_SSL_CERTS_H_ */