1 files changed, 380 insertions, 0 deletions
diff --git a/src/lib/libcrypto/x509/x509_local.h b/src/lib/libcrypto/x509/x509_local.h
new file mode 100644
index 0000000000..1b1522acaa
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509_local.h
@@ -0,0 +1,380 @@
+/*      $OpenBSD: x509_local.h,v 1.1 2022/11/26 16:08:54 tb Exp $ */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project 2013.
+ */
+/* ====================================================================
+ * Copyright (c) 2013 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+#ifndef HEADER_X509_LCL_H
+#define HEADER_X509_LCL_H
+__BEGIN_HIDDEN_DECLS
+#define TS_HASH_EVP             EVP_sha1()
+#define TS_HASH_LEN             SHA_DIGEST_LENGTH
+#define X509_CERT_HASH_EVP      EVP_sha512()
+#define X509_CERT_HASH_LEN      SHA512_DIGEST_LENGTH
+#define X509_CRL_HASH_EVP       EVP_sha512()
+#define X509_CRL_HASH_LEN       SHA512_DIGEST_LENGTH
+struct X509_pubkey_st {
+        X509_ALGOR *algor;
+        ASN1_BIT_STRING *public_key;
+        EVP_PKEY *pkey;
+};
+struct X509_sig_st {
+        X509_ALGOR *algor;
+        ASN1_OCTET_STRING *digest;
+} /* X509_SIG */;
+struct X509_name_entry_st {
+        ASN1_OBJECT *object;
+        ASN1_STRING *value;
+        int set;
+        int size;       /* temp variable */
+} /* X509_NAME_ENTRY */;
+/* we always keep X509_NAMEs in 2 forms. */
+struct X509_name_st {
+        STACK_OF(X509_NAME_ENTRY) *entries;
+        int modified;   /* true if 'bytes' needs to be built */
+#ifndef OPENSSL_NO_BUFFER
+        BUF_MEM *bytes;
+#else
+        char *bytes;
+#endif
+/*      unsigned long hash; Keep the hash around for lookups */
+        unsigned char *canon_enc;
+        int canon_enclen;
+} /* X509_NAME */;
+struct X509_extension_st {
+        ASN1_OBJECT *object;
+        ASN1_BOOLEAN critical;
+        ASN1_OCTET_STRING *value;
+} /* X509_EXTENSION */;
+struct x509_attributes_st {
+        ASN1_OBJECT *object;
+        STACK_OF(ASN1_TYPE) *set;
+} /* X509_ATTRIBUTE */;
+struct X509_req_info_st {
+        ASN1_ENCODING enc;
+        ASN1_INTEGER *version;
+        X509_NAME *subject;
+        X509_PUBKEY *pubkey;
+        /*  d=2 hl=2 l=  0 cons: cont: 00 */
+        STACK_OF(X509_ATTRIBUTE) *attributes; /* [ 0 ] */
+} /* X509_REQ_INFO */;
+struct X509_req_st {
+        X509_REQ_INFO *req_info;
+        X509_ALGOR *sig_alg;
+        ASN1_BIT_STRING *signature;
+        int references;
+} /* X509_REQ */;
+/*
+ * This stuff is certificate "auxiliary info" it contains details which are
+ * useful in certificate stores and databases. When used this is tagged onto
+ * the end of the certificate itself.
+ */
+struct x509_cert_aux_st {
+        STACK_OF(ASN1_OBJECT) *trust;           /* trusted uses */
+        STACK_OF(ASN1_OBJECT) *reject;          /* rejected uses */
+        ASN1_UTF8STRING *alias;                 /* "friendly name" */
+        ASN1_OCTET_STRING *keyid;               /* key id of private key */
+        STACK_OF(X509_ALGOR) *other;            /* other unspecified info */
+} /* X509_CERT_AUX */;
+struct x509_cinf_st {
+        ASN1_INTEGER *version;          /* [ 0 ] default of v1 */
+        ASN1_INTEGER *serialNumber;
+        X509_ALGOR *signature;
+        X509_NAME *issuer;
+        X509_VAL *validity;
+        X509_NAME *subject;
+        X509_PUBKEY *key;
+        ASN1_BIT_STRING *issuerUID;             /* [ 1 ] optional in v2 */
+        ASN1_BIT_STRING *subjectUID;            /* [ 2 ] optional in v2 */
+        STACK_OF(X509_EXTENSION) *extensions;   /* [ 3 ] optional in v3 */
+        ASN1_ENCODING enc;
+} /* X509_CINF */;
+struct x509_st {
+        X509_CINF *cert_info;
+        X509_ALGOR *sig_alg;
+        ASN1_BIT_STRING *signature;
+        int valid;
+        int references;
+        char *name;
+        CRYPTO_EX_DATA ex_data;
+        /* These contain copies of various extension values */
+        long ex_pathlen;
+        long ex_pcpathlen;
+        unsigned long ex_flags;
+        unsigned long ex_kusage;
+        unsigned long ex_xkusage;
+        unsigned long ex_nscert;
+        ASN1_OCTET_STRING *skid;
+        AUTHORITY_KEYID *akid;
+        X509_POLICY_CACHE *policy_cache;
+        STACK_OF(DIST_POINT) *crldp;
+        STACK_OF(GENERAL_NAME) *altname;
+        NAME_CONSTRAINTS *nc;
+#ifndef OPENSSL_NO_RFC3779
+        STACK_OF(IPAddressFamily) *rfc3779_addr;
+        struct ASIdentifiers_st *rfc3779_asid;
+#endif
+        unsigned char hash[X509_CERT_HASH_LEN];
+        time_t not_before;
+        time_t not_after;
+        X509_CERT_AUX *aux;
+} /* X509 */;
+struct x509_revoked_st {
+        ASN1_INTEGER *serialNumber;
+        ASN1_TIME *revocationDate;
+        STACK_OF(X509_EXTENSION) /* optional */ *extensions;
+        /* Set up if indirect CRL */
+        STACK_OF(GENERAL_NAME) *issuer;
+        /* Revocation reason */
+        int reason;
+        int sequence; /* load sequence */
+};
+struct X509_crl_info_st {
+        ASN1_INTEGER *version;
+        X509_ALGOR *sig_alg;
+        X509_NAME *issuer;
+        ASN1_TIME *lastUpdate;
+        ASN1_TIME *nextUpdate;
+        STACK_OF(X509_REVOKED) *revoked;
+        STACK_OF(X509_EXTENSION) /* [0] */ *extensions;
+        ASN1_ENCODING enc;
+} /* X509_CRL_INFO */;
+struct X509_crl_st {
+        /* actual signature */
+        X509_CRL_INFO *crl;
+        X509_ALGOR *sig_alg;
+        ASN1_BIT_STRING *signature;
+        int references;
+        int flags;
+        /* Copies of various extensions */
+        AUTHORITY_KEYID *akid;
+        ISSUING_DIST_POINT *idp;
+        /* Convenient breakdown of IDP */
+        int idp_flags;
+        int idp_reasons;
+        /* CRL and base CRL numbers for delta processing */
+        ASN1_INTEGER *crl_number;
+        ASN1_INTEGER *base_crl_number;
+        unsigned char hash[X509_CRL_HASH_LEN];
+        STACK_OF(GENERAL_NAMES) *issuers;
+        const X509_CRL_METHOD *meth;
+        void *meth_data;
+} /* X509_CRL */;
+struct pkcs8_priv_key_info_st {
+        ASN1_INTEGER *version;
+        X509_ALGOR *pkeyalg;
+        ASN1_OCTET_STRING *pkey;
+        STACK_OF(X509_ATTRIBUTE) *attributes;
+};
+struct x509_object_st {
+        /* one of the above types */
+        int type;
+        union {
+                X509 *x509;
+                X509_CRL *crl;
+        } data;
+} /* X509_OBJECT */;
+struct x509_lookup_method_st {
+        const char *name;
+        int (*new_item)(X509_LOOKUP *ctx);
+        void (*free)(X509_LOOKUP *ctx);
+        int (*init)(X509_LOOKUP *ctx);
+        int (*shutdown)(X509_LOOKUP *ctx);
+        int (*ctrl)(X509_LOOKUP *ctx, int cmd, const char *argc, long argl,
+            char **ret);
+        int (*get_by_subject)(X509_LOOKUP *ctx, int type, X509_NAME *name,
+            X509_OBJECT *ret);
+        int (*get_by_issuer_serial)(X509_LOOKUP *ctx, int type, X509_NAME *name,
+            ASN1_INTEGER *serial,X509_OBJECT *ret);
+        int (*get_by_fingerprint)(X509_LOOKUP *ctx, int type,
+            const unsigned char *bytes, int len, X509_OBJECT *ret);
+        int (*get_by_alias)(X509_LOOKUP *ctx, int type, const char *str,
+            int len, X509_OBJECT *ret);
+} /* X509_LOOKUP_METHOD */;
+struct X509_VERIFY_PARAM_st {
+        char *name;
+        time_t check_time;      /* Time to use */
+        unsigned long inh_flags; /* Inheritance flags */
+        unsigned long flags;    /* Various verify flags */
+        int purpose;            /* purpose to check untrusted certificates */
+        int trust;              /* trust setting to check */
+        int depth;              /* Verify depth */
+        int security_level;     /* 'Security level', see SP800-57. */
+        STACK_OF(ASN1_OBJECT) *policies;        /* Permissible policies */
+        X509_VERIFY_PARAM_ID *id;       /* opaque ID data */
+} /* X509_VERIFY_PARAM */;
+/*
+ * This is used to hold everything.  It is used for all certificate
+ * validation.  Once we have a certificate chain, the 'verify'
+ * function is then called to actually check the cert chain.
+ */
+struct x509_store_st {
+        /* The following is a cache of trusted certs */
+        STACK_OF(X509_OBJECT) *objs;    /* Cache of all objects */
+        /* These are external lookup methods */
+        STACK_OF(X509_LOOKUP) *get_cert_methods;
+        X509_VERIFY_PARAM *param;
+        /* Callbacks for various operations */
+        int (*verify)(X509_STORE_CTX *ctx);     /* called to verify a certificate */
+        int (*verify_cb)(int ok,X509_STORE_CTX *ctx);   /* error callback */
+        int (*get_issuer)(X509 **issuer, X509_STORE_CTX *ctx, X509 *x); /* get issuers cert from ctx */
+        int (*check_issued)(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); /* check issued */
+        int (*check_revocation)(X509_STORE_CTX *ctx); /* Check revocation status of chain */
+        int (*get_crl)(X509_STORE_CTX *ctx, X509_CRL **crl, X509 *x); /* retrieve CRL */
+        int (*check_crl)(X509_STORE_CTX *ctx, X509_CRL *crl); /* Check CRL validity */
+        int (*cert_crl)(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x); /* Check certificate against CRL */
+        STACK_OF(X509) * (*lookup_certs)(X509_STORE_CTX *ctx, X509_NAME *nm);
+        STACK_OF(X509_CRL) * (*lookup_crls)(X509_STORE_CTX *ctx, X509_NAME *nm);
+        int (*cleanup)(X509_STORE_CTX *ctx);
+        CRYPTO_EX_DATA ex_data;
+        int references;
+} /* X509_STORE */;
+/* This is the functions plus an instance of the local variables. */
+struct x509_lookup_st {
+        int init;                       /* have we been started */
+        X509_LOOKUP_METHOD *method;     /* the functions */
+        char *method_data;              /* method data */
+        X509_STORE *store_ctx;  /* who owns us */
+} /* X509_LOOKUP */;
+/*
+ * This is used when verifying cert chains.  Since the gathering of the cert
+ * chain can take some time (and has to be 'retried'), this needs to be kept
+ * and passed around.
+ */
+struct x509_store_ctx_st {
+        X509_STORE *store;
+        int current_method;     /* used when looking up certs */
+        /* The following are set by the caller */
+        X509 *cert;             /* The cert to check */
+        STACK_OF(X509) *untrusted;      /* chain of X509s - untrusted - passed in */
+        STACK_OF(X509_CRL) *crls;       /* set of CRLs passed in */
+        X509_VERIFY_PARAM *param;
+        void *other_ctx;        /* Other info for use with get_issuer() */
+        /* Callbacks for various operations */
+        int (*verify)(X509_STORE_CTX *ctx);     /* called to verify a certificate */
+        int (*verify_cb)(int ok,X509_STORE_CTX *ctx);           /* error callback */
+        int (*get_issuer)(X509 **issuer, X509_STORE_CTX *ctx, X509 *x); /* get issuers cert from ctx */
+        int (*check_issued)(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); /* check issued */
+        int (*check_revocation)(X509_STORE_CTX *ctx); /* Check revocation status of chain */
+        int (*get_crl)(X509_STORE_CTX *ctx, X509_CRL **crl, X509 *x); /* retrieve CRL */
+        int (*check_crl)(X509_STORE_CTX *ctx, X509_CRL *crl); /* Check CRL validity */
+        int (*cert_crl)(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x); /* Check certificate against CRL */
+        int (*check_policy)(X509_STORE_CTX *ctx);
+        STACK_OF(X509) * (*lookup_certs)(X509_STORE_CTX *ctx, X509_NAME *nm);
+        STACK_OF(X509_CRL) * (*lookup_crls)(X509_STORE_CTX *ctx, X509_NAME *nm);
+        int (*cleanup)(X509_STORE_CTX *ctx);
+        /* The following is built up */
+        int valid;              /* if 0, rebuild chain */
+        int num_untrusted;      /* number of untrusted certs in chain */
+        STACK_OF(X509) *chain;          /* chain of X509s - built up and trusted */
+        X509_POLICY_TREE *tree; /* Valid policy tree */
+        int explicit_policy;    /* Require explicit policy value */
+        /* When something goes wrong, this is why */
+        int error_depth;
+        int error;
+        X509 *current_cert;
+        X509 *current_issuer;   /* cert currently being tested as valid issuer */
+        X509_CRL *current_crl;  /* current CRL */
+        int current_crl_score;  /* score of current CRL */
+        unsigned int current_reasons;  /* Reason mask */
+        X509_STORE_CTX *parent; /* For CRL path validation: parent context */
+        CRYPTO_EX_DATA ex_data;
+} /* X509_STORE_CTX */;
+int x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int quiet);
+int name_cmp(const char *name, const char *cmp);
+__END_HIDDEN_DECLS
+#endif /* !HEADER_X509_LCL_H */

diff --git a/src/lib/libcrypto/x509/x509_local.h b/src/lib/libcrypto/x509/x509_local.h new file mode 100644 index 0000000000..1b1522acaa --- /dev/null +++ b/src/lib/libcrypto/x509/x509_local.h
@@ -0,0 +1,380 @@
	1	/* $OpenBSD: x509_local.h,v 1.1 2022/11/26 16:08:54 tb Exp $ */
	2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
	3	* project 2013.
	4	*/
	5	/* ====================================================================
	6	* Copyright (c) 2013 The OpenSSL Project. All rights reserved.
	7	*
	8	* Redistribution and use in source and binary forms, with or without
	9	* modification, are permitted provided that the following conditions
	10	* are met:
	11	*
	12	* 1. Redistributions of source code must retain the above copyright
	13	* notice, this list of conditions and the following disclaimer.
	14	*
	15	* 2. Redistributions in binary form must reproduce the above copyright
	16	* notice, this list of conditions and the following disclaimer in
	17	* the documentation and/or other materials provided with the
	18	* distribution.
	19	*
	20	* 3. All advertising materials mentioning features or use of this
	21	* software must display the following acknowledgment:
	22	* "This product includes software developed by the OpenSSL Project
	23	* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
	24	*
	25	* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
	26	* endorse or promote products derived from this software without
	27	* prior written permission. For written permission, please contact
	28	* licensing@OpenSSL.org.
	29	*
	30	* 5. Products derived from this software may not be called "OpenSSL"
	31	* nor may "OpenSSL" appear in their names without prior written
	32	* permission of the OpenSSL Project.
	33	*
	34	* 6. Redistributions of any form whatsoever must retain the following
	35	* acknowledgment:
	36	* "This product includes software developed by the OpenSSL Project
	37	* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
	38	*
	39	* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
	40	* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	41	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
	42	* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
	43	* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
	44	* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
	45	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
	46	* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	47	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
	48	* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
	49	* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
	50	* OF THE POSSIBILITY OF SUCH DAMAGE.
	51	* ====================================================================
	52	*
	53	* This product includes cryptographic software written by Eric Young
	54	* (eay@cryptsoft.com). This product includes software written by Tim
	55	* Hudson (tjh@cryptsoft.com).
	56	*
	57	*/
	58
	59	#ifndef HEADER_X509_LCL_H
	60	#define HEADER_X509_LCL_H
	61
	62	__BEGIN_HIDDEN_DECLS
	63
	64	#define TS_HASH_EVP EVP_sha1()
	65	#define TS_HASH_LEN SHA_DIGEST_LENGTH
	66
	67	#define X509_CERT_HASH_EVP EVP_sha512()
	68	#define X509_CERT_HASH_LEN SHA512_DIGEST_LENGTH
	69	#define X509_CRL_HASH_EVP EVP_sha512()
	70	#define X509_CRL_HASH_LEN SHA512_DIGEST_LENGTH
	71
	72	struct X509_pubkey_st {
	73	X509_ALGOR *algor;
	74	ASN1_BIT_STRING *public_key;
	75	EVP_PKEY *pkey;
	76	};
	77
	78	struct X509_sig_st {
	79	X509_ALGOR *algor;
	80	ASN1_OCTET_STRING *digest;
	81	} /* X509_SIG */;
	82
	83	struct X509_name_entry_st {
	84	ASN1_OBJECT *object;
	85	ASN1_STRING *value;
	86	int set;
	87	int size; /* temp variable */
	88	} /* X509_NAME_ENTRY */;
	89
	90	/* we always keep X509_NAMEs in 2 forms. */
	91	struct X509_name_st {
	92	STACK_OF(X509_NAME_ENTRY) *entries;
	93	int modified; /* true if 'bytes' needs to be built */
	94	#ifndef OPENSSL_NO_BUFFER
	95	BUF_MEM *bytes;
	96	#else
	97	char *bytes;
	98	#endif
	99	/* unsigned long hash; Keep the hash around for lookups */
	100	unsigned char *canon_enc;
	101	int canon_enclen;
	102	} /* X509_NAME */;
	103
	104	struct X509_extension_st {
	105	ASN1_OBJECT *object;
	106	ASN1_BOOLEAN critical;
	107	ASN1_OCTET_STRING *value;
	108	} /* X509_EXTENSION */;
	109
	110	struct x509_attributes_st {
	111	ASN1_OBJECT *object;
	112	STACK_OF(ASN1_TYPE) *set;
	113	} /* X509_ATTRIBUTE */;
	114
	115	struct X509_req_info_st {
	116	ASN1_ENCODING enc;
	117	ASN1_INTEGER *version;
	118	X509_NAME *subject;
	119	X509_PUBKEY *pubkey;
	120	/* d=2 hl=2 l= 0 cons: cont: 00 */
	121	STACK_OF(X509_ATTRIBUTE) attributes; / [ 0 ] */
	122	} /* X509_REQ_INFO */;
	123
	124	struct X509_req_st {
	125	X509_REQ_INFO *req_info;
	126	X509_ALGOR *sig_alg;
	127	ASN1_BIT_STRING *signature;
	128	int references;
	129	} /* X509_REQ */;
	130
	131	/*
	132	* This stuff is certificate "auxiliary info" it contains details which are
	133	* useful in certificate stores and databases. When used this is tagged onto
	134	* the end of the certificate itself.
	135	*/
	136	struct x509_cert_aux_st {
	137	STACK_OF(ASN1_OBJECT) trust; / trusted uses */
	138	STACK_OF(ASN1_OBJECT) reject; / rejected uses */
	139	ASN1_UTF8STRING alias; / "friendly name" */
	140	ASN1_OCTET_STRING keyid; / key id of private key */
	141	STACK_OF(X509_ALGOR) other; / other unspecified info */
	142	} /* X509_CERT_AUX */;
	143
	144	struct x509_cinf_st {
	145	ASN1_INTEGER version; / [ 0 ] default of v1 */
	146	ASN1_INTEGER *serialNumber;
	147	X509_ALGOR *signature;
	148	X509_NAME *issuer;
	149	X509_VAL *validity;
	150	X509_NAME *subject;
	151	X509_PUBKEY *key;
	152	ASN1_BIT_STRING issuerUID; / [ 1 ] optional in v2 */
	153	ASN1_BIT_STRING subjectUID; / [ 2 ] optional in v2 */
	154	STACK_OF(X509_EXTENSION) extensions; / [ 3 ] optional in v3 */
	155	ASN1_ENCODING enc;
	156	} /* X509_CINF */;
	157
	158	struct x509_st {
	159	X509_CINF *cert_info;
	160	X509_ALGOR *sig_alg;
	161	ASN1_BIT_STRING *signature;
	162	int valid;
	163	int references;
	164	char *name;
	165	CRYPTO_EX_DATA ex_data;
	166	/* These contain copies of various extension values */
	167	long ex_pathlen;
	168	long ex_pcpathlen;
	169	unsigned long ex_flags;
	170	unsigned long ex_kusage;
	171	unsigned long ex_xkusage;
	172	unsigned long ex_nscert;
	173	ASN1_OCTET_STRING *skid;
	174	AUTHORITY_KEYID *akid;
	175	X509_POLICY_CACHE *policy_cache;
	176	STACK_OF(DIST_POINT) *crldp;
	177	STACK_OF(GENERAL_NAME) *altname;
	178	NAME_CONSTRAINTS *nc;
	179	#ifndef OPENSSL_NO_RFC3779
	180	STACK_OF(IPAddressFamily) *rfc3779_addr;
	181	struct ASIdentifiers_st *rfc3779_asid;
	182	#endif
	183	unsigned char hash[X509_CERT_HASH_LEN];
	184	time_t not_before;
	185	time_t not_after;
	186	X509_CERT_AUX *aux;
	187	} /* X509 */;
	188
	189	struct x509_revoked_st {
	190	ASN1_INTEGER *serialNumber;
	191	ASN1_TIME *revocationDate;
	192	STACK_OF(X509_EXTENSION) /* optional / extensions;
	193	/* Set up if indirect CRL */
	194	STACK_OF(GENERAL_NAME) *issuer;
	195	/* Revocation reason */
	196	int reason;
	197	int sequence; /* load sequence */
	198	};
	199
	200	struct X509_crl_info_st {
	201	ASN1_INTEGER *version;
	202	X509_ALGOR *sig_alg;
	203	X509_NAME *issuer;
	204	ASN1_TIME *lastUpdate;
	205	ASN1_TIME *nextUpdate;
	206	STACK_OF(X509_REVOKED) *revoked;
	207	STACK_OF(X509_EXTENSION) /* [0] / extensions;
	208	ASN1_ENCODING enc;
	209	} /* X509_CRL_INFO */;
	210
	211	struct X509_crl_st {
	212	/* actual signature */
	213	X509_CRL_INFO *crl;
	214	X509_ALGOR *sig_alg;
	215	ASN1_BIT_STRING *signature;
	216	int references;
	217	int flags;
	218	/* Copies of various extensions */
	219	AUTHORITY_KEYID *akid;
	220	ISSUING_DIST_POINT *idp;
	221	/* Convenient breakdown of IDP */
	222	int idp_flags;
	223	int idp_reasons;
	224	/* CRL and base CRL numbers for delta processing */
	225	ASN1_INTEGER *crl_number;
	226	ASN1_INTEGER *base_crl_number;
	227	unsigned char hash[X509_CRL_HASH_LEN];
	228	STACK_OF(GENERAL_NAMES) *issuers;
	229	const X509_CRL_METHOD *meth;
	230	void *meth_data;
	231	} /* X509_CRL */;
	232
	233	struct pkcs8_priv_key_info_st {
	234	ASN1_INTEGER *version;
	235	X509_ALGOR *pkeyalg;
	236	ASN1_OCTET_STRING *pkey;
	237	STACK_OF(X509_ATTRIBUTE) *attributes;
	238	};
	239
	240	struct x509_object_st {
	241	/* one of the above types */
	242	int type;
	243	union {
	244	X509 *x509;
	245	X509_CRL *crl;
	246	} data;
	247	} /* X509_OBJECT */;
	248
	249	struct x509_lookup_method_st {
	250	const char *name;
	251	int (new_item)(X509_LOOKUP ctx);
	252	void (free)(X509_LOOKUP ctx);
	253	int (init)(X509_LOOKUP ctx);
	254	int (shutdown)(X509_LOOKUP ctx);
	255	int (ctrl)(X509_LOOKUP ctx, int cmd, const char *argc, long argl,
	256	char **ret);
	257	int (get_by_subject)(X509_LOOKUP ctx, int type, X509_NAME *name,
	258	X509_OBJECT *ret);
	259	int (get_by_issuer_serial)(X509_LOOKUP ctx, int type, X509_NAME *name,
	260	ASN1_INTEGER serial,X509_OBJECT ret);
	261	int (get_by_fingerprint)(X509_LOOKUP ctx, int type,
	262	const unsigned char bytes, int len, X509_OBJECT ret);
	263	int (get_by_alias)(X509_LOOKUP ctx, int type, const char *str,
	264	int len, X509_OBJECT *ret);
	265	} /* X509_LOOKUP_METHOD */;
	266
	267	struct X509_VERIFY_PARAM_st {
	268	char *name;
	269	time_t check_time; /* Time to use */
	270	unsigned long inh_flags; /* Inheritance flags */
	271	unsigned long flags; /* Various verify flags */
	272	int purpose; /* purpose to check untrusted certificates */
	273	int trust; /* trust setting to check */
	274	int depth; /* Verify depth */
	275	int security_level; /* 'Security level', see SP800-57. */
	276	STACK_OF(ASN1_OBJECT) policies; / Permissible policies */
	277	X509_VERIFY_PARAM_ID id; / opaque ID data */
	278	} /* X509_VERIFY_PARAM */;
	279
	280	/*
	281	* This is used to hold everything. It is used for all certificate
	282	* validation. Once we have a certificate chain, the 'verify'
	283	* function is then called to actually check the cert chain.
	284	*/
	285	struct x509_store_st {
	286	/* The following is a cache of trusted certs */
	287	STACK_OF(X509_OBJECT) objs; / Cache of all objects */
	288
	289	/* These are external lookup methods */
	290	STACK_OF(X509_LOOKUP) *get_cert_methods;
	291
	292	X509_VERIFY_PARAM *param;
	293
	294	/* Callbacks for various operations */
	295	int (verify)(X509_STORE_CTX ctx); /* called to verify a certificate */
	296	int (verify_cb)(int ok,X509_STORE_CTX ctx); /* error callback */
	297	int (get_issuer)(X509 issuer, X509_STORE_CTX ctx, X509 x); / get issuers cert from ctx */
	298	int (check_issued)(X509_STORE_CTX ctx, X509 x, X509 issuer); /* check issued */
	299	int (check_revocation)(X509_STORE_CTX ctx); /* Check revocation status of chain */
	300	int (get_crl)(X509_STORE_CTX ctx, X509_CRL *crl, X509 x); /* retrieve CRL */
	301	int (check_crl)(X509_STORE_CTX ctx, X509_CRL crl); / Check CRL validity */
	302	int (cert_crl)(X509_STORE_CTX ctx, X509_CRL crl, X509 x); /* Check certificate against CRL */
	303	STACK_OF(X509) * (lookup_certs)(X509_STORE_CTX ctx, X509_NAME *nm);
	304	STACK_OF(X509_CRL) * (lookup_crls)(X509_STORE_CTX ctx, X509_NAME *nm);
	305	int (cleanup)(X509_STORE_CTX ctx);
	306
	307	CRYPTO_EX_DATA ex_data;
	308	int references;
	309	} /* X509_STORE */;
	310
	311	/* This is the functions plus an instance of the local variables. */
	312	struct x509_lookup_st {
	313	int init; /* have we been started */
	314	X509_LOOKUP_METHOD method; / the functions */
	315	char method_data; / method data */
	316
	317	X509_STORE store_ctx; / who owns us */
	318	} /* X509_LOOKUP */;
	319
	320	/*
	321	* This is used when verifying cert chains. Since the gathering of the cert
	322	* chain can take some time (and has to be 'retried'), this needs to be kept
	323	* and passed around.
	324	*/
	325	struct x509_store_ctx_st {
	326	X509_STORE *store;
	327	int current_method; /* used when looking up certs */
	328
	329	/* The following are set by the caller */
	330	X509 cert; / The cert to check */
	331	STACK_OF(X509) untrusted; / chain of X509s - untrusted - passed in */
	332	STACK_OF(X509_CRL) crls; / set of CRLs passed in */
	333
	334	X509_VERIFY_PARAM *param;
	335	void other_ctx; / Other info for use with get_issuer() */
	336
	337	/* Callbacks for various operations */
	338	int (verify)(X509_STORE_CTX ctx); /* called to verify a certificate */
	339	int (verify_cb)(int ok,X509_STORE_CTX ctx); /* error callback */
	340	int (get_issuer)(X509 issuer, X509_STORE_CTX ctx, X509 x); / get issuers cert from ctx */
	341	int (check_issued)(X509_STORE_CTX ctx, X509 x, X509 issuer); /* check issued */
	342	int (check_revocation)(X509_STORE_CTX ctx); /* Check revocation status of chain */
	343	int (get_crl)(X509_STORE_CTX ctx, X509_CRL *crl, X509 x); /* retrieve CRL */
	344	int (check_crl)(X509_STORE_CTX ctx, X509_CRL crl); / Check CRL validity */
	345	int (cert_crl)(X509_STORE_CTX ctx, X509_CRL crl, X509 x); /* Check certificate against CRL */
	346	int (check_policy)(X509_STORE_CTX ctx);
	347	STACK_OF(X509) * (lookup_certs)(X509_STORE_CTX ctx, X509_NAME *nm);
	348	STACK_OF(X509_CRL) * (lookup_crls)(X509_STORE_CTX ctx, X509_NAME *nm);
	349	int (cleanup)(X509_STORE_CTX ctx);
	350
	351	/* The following is built up */
	352	int valid; /* if 0, rebuild chain */
	353	int num_untrusted; /* number of untrusted certs in chain */
	354	STACK_OF(X509) chain; / chain of X509s - built up and trusted */
	355	X509_POLICY_TREE tree; / Valid policy tree */
	356
	357	int explicit_policy; /* Require explicit policy value */
	358
	359	/* When something goes wrong, this is why */
	360	int error_depth;
	361	int error;
	362	X509 *current_cert;
	363	X509 current_issuer; / cert currently being tested as valid issuer */
	364	X509_CRL current_crl; / current CRL */
	365
	366	int current_crl_score; /* score of current CRL */
	367	unsigned int current_reasons; /* Reason mask */
	368
	369	X509_STORE_CTX parent; / For CRL path validation: parent context */
	370
	371	CRYPTO_EX_DATA ex_data;
	372	} /* X509_STORE_CTX */;
	373
	374	int x509_check_cert_time(X509_STORE_CTX ctx, X509 x, int quiet);
	375
	376	int name_cmp(const char name, const char cmp);
	377
	378	__END_HIDDEN_DECLS
	379
	380	#endif /* !HEADER_X509_LCL_H */