NetSurf
ssl_certs.h
Go to the documentation of this file.
1/*
2 * Copyright 2019 Daniel Silverstone <dsilvers@netsurf-browser.org>
3 *
4 * This file is part of NetSurf, http://www.netsurf-browser.org/
5 *
6 * NetSurf is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; version 2 of the License.
9 *
10 * NetSurf is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 * GNU General Public License for more details.
14 *
15 * You should have received a copy of the GNU General Public License
16 * along with this program. If not, see <http://www.gnu.org/licenses/>.
17 */
18
19/**
20 * \file
21 *
22 * SSL related types and values
23 */
24
25#ifndef NETSURF_SSL_CERTS_H_
26#define NETSURF_SSL_CERTS_H_
27
28struct nsurl;
29
30/**
31 * ssl certificate error status
32 *
33 * Do not reorder / remove entries because these may be persisted to the disk
34 * cache as simple ints.
35 */
36typedef enum {
37 SSL_CERT_ERR_OK, /**< Nothing wrong with this certificate */
38 SSL_CERT_ERR_UNKNOWN, /**< Unknown error */
39 SSL_CERT_ERR_BAD_ISSUER, /**< Bad issuer */
40 SSL_CERT_ERR_BAD_SIG, /**< Bad signature on this certificate */
41 SSL_CERT_ERR_TOO_YOUNG, /**< This certificate is not yet valid */
42 SSL_CERT_ERR_TOO_OLD, /**< This certificate is no longer valid */
43 SSL_CERT_ERR_SELF_SIGNED, /**< This certificate (or the chain) is self signed */
44 SSL_CERT_ERR_CHAIN_SELF_SIGNED, /**< This certificate chain is self signed */
45 SSL_CERT_ERR_REVOKED, /**< This certificate has been revoked */
46 SSL_CERT_ERR_HOSTNAME_MISMATCH, /**< This certificate host did not match the server */
47 SSL_CERT_ERR_CERT_MISSING, /**< This certificate was missing from the chain, its data is useless */
49
50/** Always the max known ssl certificate error type */
51#define SSL_CERT_ERR_MAX_KNOWN SSL_CERT_ERR_HOSTNAME_MISMATCH
52
53/** maximum number of X509 certificates in chain for TLS connection */
54#define MAX_CERT_DEPTH 10
55
56/**
57 * X509 certificate chain
58 */
59struct cert_chain {
60 /**
61 * the number of certificates in the chain
62 * */
63 size_t depth;
64 struct {
65 /**
66 * Whatever is wrong with this certificate
67 */
69
70 /**
71 * data in Distinguished Encoding Rules (DER) format
72 */
73 uint8_t *der;
74
75 /**
76 * DER length
77 */
78 size_t der_length;
80};
81
82/**
83 * create new certificate chain
84 *
85 * \param dpth the depth to set in the new chain.
86 * \param chain_out A pointer to recive the new chain.
87 * \return NSERROR_OK on success or NSERROR_NOMEM on memory exhaustion
88 */
89nserror cert_chain_alloc(size_t depth, struct cert_chain **chain_out);
90
91/**
92 * duplicate a certificate chain into an existing chain
93 *
94 * \param src The certificate chain to copy from
95 * \param dst The chain to overwrite with a copy of src
96 * \return NSERROR_OK on success or NSERROR_NOMEM on memory exhaustion
97 *
98 * NOTE: if this returns NSERROR_NOMEM then the destination chain will have
99 * some amount of content and should be cleaned up with cert_chain_free.
100 */
101nserror cert_chain_dup_into(const struct cert_chain *src, struct cert_chain *dst);
102
103/**
104 * duplicate a certificate chain
105 *
106 * \param src The certificate chain to copy from
107 * \param dst_out A pointer to recive the duplicated chain
108 * \return NSERROR_OK on success or NSERROR_NOMEM on memory exhaustion
109 */
110nserror cert_chain_dup(const struct cert_chain *src, struct cert_chain **dst_out);
111
112/**
113 * create a certificate chain from a fetch query string
114 *
115 * \param url The url to convert the query from
116 * \param dst_out A pointer to recive the duplicated chain
117 * \return NSERROR_OK on success or NSERROR_NOMEM on memory exhaustion
118 */
119nserror cert_chain_from_query(struct nsurl *url, struct cert_chain **chain_out);
120
121/**
122 * create a fetch query string from a certificate chain
123 *
124 *
125 * \return NSERROR_OK on success or NSERROR_NOMEM on memory exhaustion
126 */
127nserror cert_chain_to_query(struct cert_chain *chain, struct nsurl **url_out);
128
129/**
130 * free a certificate chain
131 *
132 * \param chain The certificate chain to free
133 * \return NSERROR_OK on success
134 */
135nserror cert_chain_free(struct cert_chain *chain);
136
137/**
138 * total number of data bytes in a chain
139 *
140 * \param chain The chain to size
141 * \return the number of bytes used by the chain
142 */
143size_t cert_chain_size(const struct cert_chain *chain);
144
145#endif /* NETSURF_SSL_CERTS_H_ */
nserror
Enumeration of error codes.
Definition: errors.h:29
struct nsurl nsurl
NetSurf URL object.
Definition: nsurl.h:31
nserror cert_chain_from_query(struct nsurl *url, struct cert_chain **chain_out)
create a certificate chain from a fetch query string
Definition: ssl_certs.c:169
nserror cert_chain_alloc(size_t depth, struct cert_chain **chain_out)
create new certificate chain
Definition: ssl_certs.c:41
ssl_cert_err
ssl certificate error status
Definition: ssl_certs.h:36
@ SSL_CERT_ERR_TOO_YOUNG
This certificate is not yet valid.
Definition: ssl_certs.h:41
@ SSL_CERT_ERR_BAD_SIG
Bad signature on this certificate.
Definition: ssl_certs.h:40
@ SSL_CERT_ERR_BAD_ISSUER
Bad issuer.
Definition: ssl_certs.h:39
@ SSL_CERT_ERR_SELF_SIGNED
This certificate (or the chain) is self signed.
Definition: ssl_certs.h:43
@ SSL_CERT_ERR_OK
Nothing wrong with this certificate.
Definition: ssl_certs.h:37
@ SSL_CERT_ERR_HOSTNAME_MISMATCH
This certificate host did not match the server.
Definition: ssl_certs.h:46
@ SSL_CERT_ERR_TOO_OLD
This certificate is no longer valid.
Definition: ssl_certs.h:42
@ SSL_CERT_ERR_REVOKED
This certificate has been revoked.
Definition: ssl_certs.h:45
@ SSL_CERT_ERR_CHAIN_SELF_SIGNED
This certificate chain is self signed.
Definition: ssl_certs.h:44
@ SSL_CERT_ERR_CERT_MISSING
This certificate was missing from the chain, its data is useless.
Definition: ssl_certs.h:47
@ SSL_CERT_ERR_UNKNOWN
Unknown error.
Definition: ssl_certs.h:38
nserror cert_chain_dup_into(const struct cert_chain *src, struct cert_chain *dst)
duplicate a certificate chain into an existing chain
Definition: ssl_certs.c:64
nserror cert_chain_dup(const struct cert_chain *src, struct cert_chain **dst_out)
duplicate a certificate chain
Definition: ssl_certs.c:101
nserror cert_chain_free(struct cert_chain *chain)
free a certificate chain
Definition: ssl_certs.c:317
#define MAX_CERT_DEPTH
maximum number of X509 certificates in chain for TLS connection
Definition: ssl_certs.h:54
size_t cert_chain_size(const struct cert_chain *chain)
total number of data bytes in a chain
Definition: ssl_certs.c:340
nserror cert_chain_to_query(struct cert_chain *chain, struct nsurl **url_out)
create a fetch query string from a certificate chain
Definition: ssl_certs.c:226
X509 certificate chain.
Definition: ssl_certs.h:59
struct cert_chain::@57 certs[MAX_CERT_DEPTH]
size_t depth
the number of certificates in the chain
Definition: ssl_certs.h:63
uint8_t * der
data in Distinguished Encoding Rules (DER) format
Definition: ssl_certs.h:73
size_t der_length
DER length.
Definition: ssl_certs.h:78
ssl_cert_err err
Whatever is wrong with this certificate.
Definition: ssl_certs.h:68