/* * Copyright (C) 2012 Red Hat Inc. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * * Redistributions of source code must retain the above * copyright notice, this list of conditions and the * following disclaimer. * * Redistributions in binary form must reproduce the * above copyright notice, this list of conditions and * the following disclaimer in the documentation and/or * other materials provided with the distribution. * * The names of contributors to this software may not be * used to endorse or promote products derived from this * software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH * DAMAGE. * * Author: Stef Walter */ #ifndef P11_OIDS_H_ #define P11_OIDS_H_ #include "compat.h" bool p11_oid_simple (const unsigned char *oid, int len); unsigned int p11_oid_hash (const void *oid); bool p11_oid_equal (const void *oid_one, const void *oid_two); int p11_oid_length (const unsigned char *oid); /* * Our support of certificate extensions and so on is not limited to what is * listed here. This is simply the OIDs used by the parsing code that generates * backwards compatible PKCS#11 objects for NSS and the like. */ /* * 2.5.29.14: SubjectKeyIdentifier */ static const unsigned char P11_OID_SUBJECT_KEY_IDENTIFIER[] = { 0x06, 0x03, 0x55, 0x1d, 0x0e }; /* * 2.5.29.15: KeyUsage * * Defined in RFC 5280 */ static const unsigned char P11_OID_KEY_USAGE[] = { 0x06, 0x03, 0x55, 0x1d, 0x0f }; enum { P11_KU_DIGITAL_SIGNATURE = 128, P11_KU_NON_REPUDIATION = 64, P11_KU_KEY_ENCIPHERMENT = 32, P11_KU_DATA_ENCIPHERMENT = 16, P11_KU_KEY_AGREEMENT = 8, P11_KU_KEY_CERT_SIGN = 4, P11_KU_CRL_SIGN = 2, P11_KU_ENCIPHER_ONLY = 1, P11_KU_DECIPHER_ONLY = 32768, }; /* * 2.5.29.19: BasicConstraints * * Defined in RFC 5280 */ static const unsigned char P11_OID_BASIC_CONSTRAINTS[] = { 0x06, 0x03, 0x55, 0x1d, 0x13 }; /* * 2.5.29.37: ExtendedKeyUsage * * Defined in RFC 5280 */ static const unsigned char P11_OID_EXTENDED_KEY_USAGE[] = { 0x06, 0x03, 0x55, 0x1d, 0x25 }; /* * 1.3.6.1.4.1.3319.6.10.1: OpenSSL reject extension * * An internally defined certificate extension. * * OpenSSL contains a list of OID extended key usages to reject. * The normal X.509 model is to only *include* the extended key * usages that are to be allowed (ie: a whitelist). It's not clear * exactly how valid and useful the reject per extended key usage * model is. * * However in order to parse openssl trust policy information and * be able to write it back out in the same way, we define a custom * certificate extension to store it. * * It is not expected (or supported) for others outside of p11-kit * to read this information at this point. * * This extension is never marked critical. It is not necessary to * respect information in this certificate extension given that the * ExtendedKeyUsage extension carries the same information as a * whitelist. */ static const unsigned char P11_OID_OPENSSL_REJECT[] = { 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x99, 0x77, 0x06, 0x0a, 0x01 }; /* * 1.3.6.1.5.5.7.3.1: Server Auth * * Defined in RFC 5280 */ static const unsigned char P11_OID_SERVER_AUTH[] = { 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01 }; static const char P11_OID_SERVER_AUTH_STR[] = "1.3.6.1.5.5.7.3.1"; /* * 1.3.6.1.5.5.7.3.2: Client Auth * * Defined in RFC 5280 */ static const unsigned char P11_OID_CLIENT_AUTH[] = { 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x02 }; static const char P11_OID_CLIENT_AUTH_STR[] = "1.3.6.1.5.5.7.3.2"; /* * 1.3.6.1.5.5.7.3.3: Code Signing * * Defined in RFC 5280 */ static const unsigned char P11_OID_CODE_SIGNING[] = { 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x03 }; static const char P11_OID_CODE_SIGNING_STR[] = "1.3.6.1.5.5.7.3.3"; /* * 1.3.6.1.5.5.7.3.4: Email Protection * * Defined in RFC 5280 */ static const unsigned char P11_OID_EMAIL_PROTECTION[] = { 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x04 }; static const char P11_OID_EMAIL_PROTECTION_STR[] = "1.3.6.1.5.5.7.3.4"; /* * 1.3.6.1.5.5.7.3.5: IPSec End System * * Defined in RFC 2459 */ static const unsigned char P11_OID_IPSEC_END_SYSTEM[] = { 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x05 }; static const char P11_OID_IPSEC_END_SYSTEM_STR[] = "1.3.6.1.5.5.7.3.5"; /* * 1.3.6.1.5.5.7.3.6: IPSec Tunnel * * Defined in RFC 2459 */ static const unsigned char P11_OID_IPSEC_TUNNEL[] = { 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x06 }; static const char P11_OID_IPSEC_TUNNEL_STR[] = "1.3.6.1.5.5.7.3.6"; /* * 1.3.6.1.5.5.7.3.7: IPSec User * * Defined in RFC 2459 */ static const unsigned char P11_OID_IPSEC_USER[] = { 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x07 }; static const char P11_OID_IPSEC_USER_STR[] = "1.3.6.1.5.5.7.3.7"; /* * 1.3.6.1.5.5.7.3.8: Time Stamping * * Defined in RFC 2459 */ static const unsigned char P11_OID_TIME_STAMPING[] = { 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x08 }; static const char P11_OID_TIME_STAMPING_STR[] = "1.3.6.1.5.5.7.3.8"; /* * 1.3.6.1.4.1.3319.6.10.16: Reserved key purpose * * An internally defined reserved/dummy key purpose * * This is used with ExtendedKeyUsage certificate extensions to * be a place holder when no other purposes are defined. * * In theory such a certificate should be blacklisted. But in reality * many implementations use such empty sets of purposes. RFC 5280 requires * at least one purpose in an ExtendedKeyUsage. * * Obviously this purpose should never be checked against. */ static const unsigned char P11_OID_RESERVED_PURPOSE[] = { 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x99, 0x77, 0x06, 0x0a, 0x10 }; static const char P11_OID_RESERVED_PURPOSE_STR[] = "1.3.6.1.4.1.3319.6.10.16"; #endif