x509_common.h

Go to the documentation of this file.

/**
 * @file x509_common.h
 * @brief X.509 common definitions
 *
 * @section License
 *
 * SPDX-License-Identifier: GPL-2.0-or-later
 *
 * Copyright (C) 2010-2024 Oryx Embedded SARL. All rights reserved.
 *
 * This file is part of CycloneCRYPTO Open.
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; either version 2
 * of the License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
 *
 * @author Oryx Embedded SARL (www.oryx-embedded.com)
 * @version 2.4.0
 **/
 
#ifndef _X509_COMMON_H
#define _X509_COMMON_H
 
//Dependencies
#include "core/crypto.h"
#include "pkc/sign_algorithms.h"
#include "pkc/rsa.h"
#include "pkc/dsa.h"
#include "ecc/ecdsa.h"
#include "ecc/eddsa.h"
#include "date_time.h"
 
//Signature generation/verification callback functions
#ifndef X509_SIGN_CALLBACK_SUPPORT
   #define X509_SIGN_CALLBACK_SUPPORT DISABLED
#elif (X509_SIGN_CALLBACK_SUPPORT != ENABLED && X509_SIGN_CALLBACK_SUPPORT != DISABLED)
   #error X509_SIGN_CALLBACK_SUPPORT parameter is not valid
#endif
 
//RSA certificate support
#ifndef X509_RSA_SUPPORT
   #define X509_RSA_SUPPORT ENABLED
#elif (X509_RSA_SUPPORT != ENABLED && X509_RSA_SUPPORT != DISABLED)
   #error X509_RSA_SUPPORT
#endif
 
//RSA-PSS certificate support
#ifndef X509_RSA_PSS_SUPPORT
   #define X509_RSA_PSS_SUPPORT DISABLED
#elif (X509_RSA_PSS_SUPPORT != ENABLED && X509_RSA_PSS_SUPPORT != DISABLED)
   #error X509_RSA_PSS_SUPPORT
#endif
 
//DSA certificate support
#ifndef X509_DSA_SUPPORT
   #define X509_DSA_SUPPORT DISABLED
#elif (X509_DSA_SUPPORT != ENABLED && X509_DSA_SUPPORT != DISABLED)
   #error X509_DSA_SUPPORT parameter is not valid
#endif
 
//ECDSA certificate support
#ifndef X509_ECDSA_SUPPORT
   #define X509_ECDSA_SUPPORT ENABLED
#elif (X509_ECDSA_SUPPORT != ENABLED && X509_ECDSA_SUPPORT != DISABLED)
   #error X509_ECDSA_SUPPORT parameter is not valid
#endif
 
//MD5 hash support (insecure)
#ifndef X509_MD5_SUPPORT
   #define X509_MD5_SUPPORT DISABLED
#elif (X509_MD5_SUPPORT != ENABLED && X509_MD5_SUPPORT != DISABLED)
   #error X509_MD5_SUPPORT parameter is not valid
#endif
 
//SHA-1 hash support (weak)
#ifndef X509_SHA1_SUPPORT
   #define X509_SHA1_SUPPORT DISABLED
#elif (X509_SHA1_SUPPORT != ENABLED && X509_SHA1_SUPPORT != DISABLED)
   #error X509_SHA1_SUPPORT parameter is not valid
#endif
 
//SHA-224 hash support (weak)
#ifndef X509_SHA224_SUPPORT
   #define X509_SHA224_SUPPORT DISABLED
#elif (X509_SHA224_SUPPORT != ENABLED && X509_SHA224_SUPPORT != DISABLED)
   #error X509_SHA224_SUPPORT parameter is not valid
#endif
 
//SHA-256 hash support
#ifndef X509_SHA256_SUPPORT
   #define X509_SHA256_SUPPORT ENABLED
#elif (X509_SHA256_SUPPORT != ENABLED && X509_SHA256_SUPPORT != DISABLED)
   #error X509_SHA256_SUPPORT parameter is not valid
#endif
 
//SHA-384 hash support
#ifndef X509_SHA384_SUPPORT
   #define X509_SHA384_SUPPORT ENABLED
#elif (X509_SHA384_SUPPORT != ENABLED && X509_SHA384_SUPPORT != DISABLED)
   #error X509_SHA384_SUPPORT parameter is not valid
#endif
 
//SHA-512 hash support
#ifndef X509_SHA512_SUPPORT
   #define X509_SHA512_SUPPORT ENABLED
#elif (X509_SHA512_SUPPORT != ENABLED && X509_SHA512_SUPPORT != DISABLED)
   #error X509_SHA512_SUPPORT parameter is not valid
#endif
 
//SHA3-224 hash support
#ifndef X509_SHA3_224_SUPPORT
   #define X509_SHA3_224_SUPPORT DISABLED
#elif (X509_SHA3_224_SUPPORT != ENABLED && X509_SHA3_224_SUPPORT != DISABLED)
   #error X509_SHA3_224_SUPPORT parameter is not valid
#endif
 
//SHA3-256 hash support
#ifndef X509_SHA3_256_SUPPORT
   #define X509_SHA3_256_SUPPORT DISABLED
#elif (X509_SHA3_256_SUPPORT != ENABLED && X509_SHA3_256_SUPPORT != DISABLED)
   #error X509_SHA3_256_SUPPORT parameter is not valid
#endif
 
//SHA3-384 hash support
#ifndef X509_SHA3_384_SUPPORT
   #define X509_SHA3_384_SUPPORT DISABLED
#elif (X509_SHA3_384_SUPPORT != ENABLED && X509_SHA3_384_SUPPORT != DISABLED)
   #error X509_SHA3_384_SUPPORT parameter is not valid
#endif
 
//SHA3-512 hash support
#ifndef X509_SHA3_512_SUPPORT
   #define X509_SHA3_512_SUPPORT DISABLED
#elif (X509_SHA3_512_SUPPORT != ENABLED && X509_SHA3_512_SUPPORT != DISABLED)
   #error X509_SHA3_512_SUPPORT parameter is not valid
#endif
 
//SM3 hash support
#ifndef X509_SM3_SUPPORT
   #define X509_SM3_SUPPORT DISABLED
#elif (X509_SM3_SUPPORT != ENABLED && X509_SM3_SUPPORT != DISABLED)
   #error X509_SM3_SUPPORT parameter is not valid
#endif
 
//secp112r1 elliptic curve support (weak)
#ifndef X509_SECP112R1_SUPPORT
   #define X509_SECP112R1_SUPPORT DISABLED
#elif (X509_SECP112R1_SUPPORT != ENABLED && X509_SECP112R1_SUPPORT != DISABLED)
   #error X509_SECP112R1_SUPPORT parameter is not valid
#endif
 
//secp112r2 elliptic curve support (weak)
#ifndef X509_SECP112R2_SUPPORT
   #define X509_SECP112R2_SUPPORT DISABLED
#elif (X509_SECP112R2_SUPPORT != ENABLED && X509_SECP112R2_SUPPORT != DISABLED)
   #error X509_SECP112R2_SUPPORT parameter is not valid
#endif
 
//secp128r1 elliptic curve support (weak)
#ifndef X509_SECP128R1_SUPPORT
   #define X509_SECP128R1_SUPPORT DISABLED
#elif (X509_SECP128R1_SUPPORT != ENABLED && X509_SECP128R1_SUPPORT != DISABLED)
   #error X509_SECP128R1_SUPPORT parameter is not valid
#endif
 
//secp128r2 elliptic curve support (weak)
#ifndef X509_SECP128R2_SUPPORT
   #define X509_SECP128R2_SUPPORT DISABLED
#elif (X509_SECP128R2_SUPPORT != ENABLED && X509_SECP128R2_SUPPORT != DISABLED)
   #error X509_SECP128R2_SUPPORT parameter is not valid
#endif
 
//secp160k1 elliptic curve support (weak)
#ifndef X509_SECP160K1_SUPPORT
   #define X509_SECP160K1_SUPPORT DISABLED
#elif (X509_SECP160K1_SUPPORT != ENABLED && X509_SECP160K1_SUPPORT != DISABLED)
   #error X509_SECP160K1_SUPPORT parameter is not valid
#endif
 
//secp160r1 elliptic curve support (weak)
#ifndef X509_SECP160R1_SUPPORT
   #define X509_SECP160R1_SUPPORT DISABLED
#elif (X509_SECP160R1_SUPPORT != ENABLED && X509_SECP160R1_SUPPORT != DISABLED)
   #error X509_SECP160R1_SUPPORT parameter is not valid
#endif
 
//secp160r2 elliptic curve support (weak)
#ifndef X509_SECP160R2_SUPPORT
   #define X509_SECP160R2_SUPPORT DISABLED
#elif (X509_SECP160R2_SUPPORT != ENABLED && X509_SECP160R2_SUPPORT != DISABLED)
   #error X509_SECP160R2_SUPPORT parameter is not valid
#endif
 
//secp192k1 elliptic curve support
#ifndef X509_SECP192K1_SUPPORT
   #define X509_SECP192K1_SUPPORT DISABLED
#elif (X509_SECP192K1_SUPPORT != ENABLED && X509_SECP192K1_SUPPORT != DISABLED)
   #error X509_SECP192K1_SUPPORT parameter is not valid
#endif
 
//secp192r1 elliptic curve support (NIST P-192)
#ifndef X509_SECP192R1_SUPPORT
   #define X509_SECP192R1_SUPPORT DISABLED
#elif (X509_SECP192R1_SUPPORT != ENABLED && X509_SECP192R1_SUPPORT != DISABLED)
   #error X509_SECP192R1_SUPPORT parameter is not valid
#endif
 
//secp224k1 elliptic curve support
#ifndef X509_SECP224K1_SUPPORT
   #define X509_SECP224K1_SUPPORT DISABLED
#elif (X509_SECP224K1_SUPPORT != ENABLED && X509_SECP224K1_SUPPORT != DISABLED)
   #error X509_SECP224K1_SUPPORT parameter is not valid
#endif
 
//secp224r1 elliptic curve support (NIST P-224)
#ifndef X509_SECP224R1_SUPPORT
   #define X509_SECP224R1_SUPPORT DISABLED
#elif (X509_SECP224R1_SUPPORT != ENABLED && X509_SECP224R1_SUPPORT != DISABLED)
   #error X509_SECP224R1_SUPPORT parameter is not valid
#endif
 
//secp256k1 elliptic curve support
#ifndef X509_SECP256K1_SUPPORT
   #define X509_SECP256K1_SUPPORT DISABLED
#elif (X509_SECP256K1_SUPPORT != ENABLED && X509_SECP256K1_SUPPORT != DISABLED)
   #error X509_SECP256K1_SUPPORT parameter is not valid
#endif
 
//secp256r1 elliptic curve support (NIST P-256)
#ifndef X509_SECP256R1_SUPPORT
   #define X509_SECP256R1_SUPPORT ENABLED
#elif (X509_SECP256R1_SUPPORT != ENABLED && X509_SECP256R1_SUPPORT != DISABLED)
   #error X509_SECP256R1_SUPPORT parameter is not valid
#endif
 
//secp384r1 elliptic curve support (NIST P-384)
#ifndef X509_SECP384R1_SUPPORT
   #define X509_SECP384R1_SUPPORT ENABLED
#elif (X509_SECP384R1_SUPPORT != ENABLED && X509_SECP384R1_SUPPORT != DISABLED)
   #error X509_SECP384R1_SUPPORT parameter is not valid
#endif
 
//secp521r1 elliptic curve support (NIST P-521)
#ifndef X509_SECP521R1_SUPPORT
   #define X509_SECP521R1_SUPPORT ENABLED
#elif (X509_SECP521R1_SUPPORT != ENABLED && X509_SECP521R1_SUPPORT != DISABLED)
   #error X509_SECP521R1_SUPPORT parameter is not valid
#endif
 
//brainpoolP160r1 elliptic curve support
#ifndef X509_BRAINPOOLP160R1_SUPPORT
   #define X509_BRAINPOOLP160R1_SUPPORT DISABLED
#elif (X509_BRAINPOOLP160R1_SUPPORT != ENABLED && X509_BRAINPOOLP160R1_SUPPORT != DISABLED)
   #error X509_BRAINPOOLP160R1_SUPPORT parameter is not valid
#endif
 
//brainpoolP192r1 elliptic curve support
#ifndef X509_BRAINPOOLP192R1_SUPPORT
   #define X509_BRAINPOOLP192R1_SUPPORT DISABLED
#elif (X509_BRAINPOOLP192R1_SUPPORT != ENABLED && X509_BRAINPOOLP192R1_SUPPORT != DISABLED)
   #error X509_BRAINPOOLP192R1_SUPPORT parameter is not valid
#endif
 
//brainpoolP224r1 elliptic curve support
#ifndef X509_BRAINPOOLP224R1_SUPPORT
   #define X509_BRAINPOOLP224R1_SUPPORT DISABLED
#elif (X509_BRAINPOOLP224R1_SUPPORT != ENABLED && X509_BRAINPOOLP224R1_SUPPORT != DISABLED)
   #error X509_BRAINPOOLP224R1_SUPPORT parameter is not valid
#endif
 
//brainpoolP256r1 elliptic curve support
#ifndef X509_BRAINPOOLP256R1_SUPPORT
   #define X509_BRAINPOOLP256R1_SUPPORT DISABLED
#elif (X509_BRAINPOOLP256R1_SUPPORT != ENABLED && X509_BRAINPOOLP256R1_SUPPORT != DISABLED)
   #error X509_BRAINPOOLP256R1_SUPPORT parameter is not valid
#endif
 
//brainpoolP320r1 elliptic curve support
#ifndef X509_BRAINPOOLP320R1_SUPPORT
   #define X509_BRAINPOOLP320R1_SUPPORT DISABLED
#elif (X509_BRAINPOOLP320R1_SUPPORT != ENABLED && X509_BRAINPOOLP320R1_SUPPORT != DISABLED)
   #error X509_BRAINPOOLP320R1_SUPPORT parameter is not valid
#endif
 
//brainpoolP384r1 elliptic curve support
#ifndef X509_BRAINPOOLP384R1_SUPPORT
   #define X509_BRAINPOOLP384R1_SUPPORT DISABLED
#elif (X509_BRAINPOOLP384R1_SUPPORT != ENABLED && X509_BRAINPOOLP384R1_SUPPORT != DISABLED)
   #error X509_BRAINPOOLP384R1_SUPPORT parameter is not valid
#endif
 
//brainpoolP512r1 elliptic curve support
#ifndef X509_BRAINPOOLP512R1_SUPPORT
   #define X509_BRAINPOOLP512R1_SUPPORT DISABLED
#elif (X509_BRAINPOOLP512R1_SUPPORT != ENABLED && X509_BRAINPOOLP512R1_SUPPORT != DISABLED)
   #error X509_BRAINPOOLP512R1_SUPPORT parameter is not valid
#endif
 
//SM2 elliptic curve support
#ifndef X509_SM2_SUPPORT
   #define X509_SM2_SUPPORT DISABLED
#elif (X509_SM2_SUPPORT != ENABLED && X509_SM2_SUPPORT != DISABLED)
   #error X509_SM2_SUPPORT parameter is not valid
#endif
 
//Ed25519 elliptic curve support
#ifndef X509_ED25519_SUPPORT
   #define X509_ED25519_SUPPORT DISABLED
#elif (X509_ED25519_SUPPORT != ENABLED && X509_ED25519_SUPPORT != DISABLED)
   #error X509_ED25519_SUPPORT parameter is not valid
#endif
 
//Ed448 elliptic curve support
#ifndef X509_ED448_SUPPORT
   #define X509_ED448_SUPPORT DISABLED
#elif (X509_ED448_SUPPORT != ENABLED && X509_ED448_SUPPORT != DISABLED)
   #error X509_ED448_SUPPORT parameter is not valid
#endif
 
//Minimum acceptable size for RSA modulus
#ifndef X509_MIN_RSA_MODULUS_SIZE
   #define X509_MIN_RSA_MODULUS_SIZE 1024
#elif (X509_MIN_RSA_MODULUS_SIZE < 512)
   #error X509_MIN_RSA_MODULUS_SIZE parameter is not valid
#endif
 
//Maximum acceptable size for RSA modulus
#ifndef X509_MAX_RSA_MODULUS_SIZE
   #define X509_MAX_RSA_MODULUS_SIZE 4096
#elif (X509_MAX_RSA_MODULUS_SIZE < X509_MIN_RSA_MODULUS_SIZE)
   #error X509_MAX_RSA_MODULUS_SIZE parameter is not valid
#endif
 
//Minimum acceptable size for DSA prime modulus
#ifndef X509_MIN_DSA_MODULUS_SIZE
   #define X509_MIN_DSA_MODULUS_SIZE 1024
#elif (X509_MIN_DSA_MODULUS_SIZE < 512)
   #error X509_MIN_DSA_MODULUS_SIZE parameter is not valid
#endif
 
//Maximum acceptable size for DSA prime modulus
#ifndef X509_MAX_DSA_MODULUS_SIZE
   #define X509_MAX_DSA_MODULUS_SIZE 4096
#elif (X509_MAX_DSA_MODULUS_SIZE < X509_MIN_DSA_MODULUS_SIZE)
   #error X509_MAX_DSA_MODULUS_SIZE parameter is not valid
#endif
 
//Default size of serial numbers
#ifndef X509_SERIAL_NUMBER_SIZE
   #define X509_SERIAL_NUMBER_SIZE 20
#elif (X509_SERIAL_NUMBER_SIZE < 1)
   #error X509_SERIAL_NUMBER_SIZE parameter is not valid
#endif
 
//Maximum number of domain components
#ifndef X509_MAX_DOMAIN_COMPONENTS
   #define X509_MAX_DOMAIN_COMPONENTS 4
#elif (X509_MAX_DOMAIN_COMPONENTS < 1)
   #error X509_MAX_DOMAIN_COMPONENTS parameter is not valid
#endif
 
//Maximum number of subject alternative names
#ifndef X509_MAX_SUBJECT_ALT_NAMES
   #define X509_MAX_SUBJECT_ALT_NAMES 4
#elif (X509_MAX_SUBJECT_ALT_NAMES < 1)
   #error X509_MAX_SUBJECT_ALT_NAMES parameter is not valid
#endif
 
//Maximum number of certificate issuers
#ifndef X509_MAX_CERT_ISSUERS
   #define X509_MAX_CERT_ISSUERS 4
#elif (X509_MAX_CERT_ISSUERS < 1)
   #error X509_MAX_CERT_ISSUERS parameter is not valid
#endif
 
//Maximum number of CRL issuers
#ifndef X509_MAX_CRL_ISSUERS
   #define X509_MAX_CRL_ISSUERS 2
#elif (X509_MAX_CRL_ISSUERS < 1)
   #error X509_MAX_CRL_ISSUERS parameter is not valid
#endif
 
//Maximum number of distribution points
#ifndef X509_MAX_DISTR_POINTS
   #define X509_MAX_DISTR_POINTS 2
#elif (X509_MAX_DISTR_POINTS < 1)
   #error X509_MAX_DISTR_POINTS parameter is not valid
#endif
 
//Maximum number of full names
#ifndef X509_MAX_FULL_NAMES
   #define X509_MAX_FULL_NAMES 2
#elif (X509_MAX_FULL_NAMES < 1)
   #error X509_MAX_FULL_NAMES parameter is not valid
#endif
 
//Maximum number of access descriptions
#ifndef X509_MAX_ACCESS_DESCRIPTIONS
   #define X509_MAX_ACCESS_DESCRIPTIONS 2
#elif (X509_MAX_ACCESS_DESCRIPTIONS < 1)
   #error X509_MAX_ACCESS_DESCRIPTIONS parameter is not valid
#endif
 
//Maximum number of custom extensions
#ifndef X509_MAX_CUSTOM_EXTENSIONS
   #define X509_MAX_CUSTOM_EXTENSIONS 2
#elif (X509_MAX_CUSTOM_EXTENSIONS < 1)
   #error X509_MAX_CUSTOM_EXTENSIONS parameter is not valid
#endif
 
//Application specific extensions
#ifndef X509_PRIVATE_EXTENSIONS
   #define X509_PRIVATE_EXTENSIONS
#endif
 
//C++ guard
#ifdef __cplusplus
extern "C" {
#endif
 
 
/**
 * @brief PKCS #1 versions
 **/
 
typedef enum
{
   PKCS1_VERSION_1 = 0
} Pkcs1Version;
 
 
/**
 * @brief PKCS #8 versions
 **/
 
typedef enum
{
   PKCS8_VERSION_1 = 0,
   PKCS8_VERSION_2 = 1
} Pkcs8Version;
 
 
/**
 * @brief X.509 versions
 **/
 
typedef enum
{
   X509_VERSION_1 = 0,
   X509_VERSION_2 = 1,
   X509_VERSION_3 = 2
} X509Version;
 
 
/**
 * @brief Key usage
 **/
 
typedef enum
{
   X509_KEY_USAGE_DIGITAL_SIGNATURE = 0x0001,
   X509_KEY_USAGE_NON_REPUDIATION   = 0x0002,
   X509_KEY_USAGE_KEY_ENCIPHERMENT  = 0x0004,
   X509_KEY_USAGE_DATA_ENCIPHERMENT = 0x0008,
   X509_KEY_USAGE_KEY_AGREEMENT     = 0x0010,
   X509_KEY_USAGE_KEY_CERT_SIGN     = 0x0020,
   X509_KEY_USAGE_CRL_SIGN          = 0x0040,
   X509_KEY_USAGE_ENCIPHER_ONLY     = 0x0080,
   X509_KEY_USAGE_DECIPHER_ONLY     = 0x0100
} X509KeyUsageBitmap;
 
 
/**
 * @brief Extended key usage
 **/
 
typedef enum
{
   X509_EXT_KEY_USAGE_SERVER_AUTH      = 0x00000001,
   X509_EXT_KEY_USAGE_CLIENT_AUTH      = 0x00000002,
   X509_EXT_KEY_USAGE_CODE_SIGNING     = 0x00000004,
   X509_EXT_KEY_USAGE_EMAIL_PROTECTION = 0x00000008,
   X509_EXT_KEY_USAGE_IPSEC_END_SYSTEM = 0x00000010,
   X509_EXT_KEY_USAGE_IPSEC_TUNNEL     = 0x00000020,
   X509_EXT_KEY_USAGE_IPSEC_USER       = 0x00000040,
   X509_EXT_KEY_USAGE_TIME_STAMPING    = 0x00000080,
   X509_EXT_KEY_USAGE_OCSP_SIGNING     = 0x00000100,
   X509_EXT_KEY_USAGE_IPSEC_IKE        = 0x00000200,
   X509_EXT_KEY_USAGE_SSH_CLIENT       = 0x00000400,
   X509_EXT_KEY_USAGE_SSH_SERVER       = 0x00000800,
   X509_EXT_KEY_USAGE_DOC_SIGNING      = 0x00001000,
   X509_EXT_KEY_USAGE_ANY              = 0x00001FFF
} X509ExtKeyUsageBitmap;
 
 
/**
 * @brief General name types
 **/
 
typedef enum
{
   X509_GENERAL_NAME_TYPE_OTHER         = 0,
   X509_GENERAL_NAME_TYPE_RFC822        = 1,
   X509_GENERAL_NAME_TYPE_DNS           = 2,
   X509_GENERAL_NAME_TYPE_X400_ADDRESS  = 3,
   X509_GENERAL_NAME_TYPE_DIRECTORY     = 4,
   X509_GENERAL_NAME_TYPE_EDI_PARTY     = 5,
   X509_GENERAL_NAME_TYPE_URI           = 6,
   X509_GENERAL_NAME_TYPE_IP_ADDRESS    = 7,
   X509_GENERAL_NAME_TYPE_REGISTERED_ID = 8
} X509GeneralNameType;
 
 
/**
 * @brief Netscape certificate types
 **/
 
typedef enum
{
   X509_NS_CERT_TYPE_SSL_CLIENT = 0x01,
   X509_NS_CERT_TYPE_SSL_SERVER = 0x02,
   X509_NS_CERT_TYPE_SSL_CA     = 0x20
} X509NsCertTypeBitmap;
 
 
/**
 * @brief Reason flags
 **/
 
typedef enum
{
   X509_REASON_FLAGS_UNUSED                 = 0x0001,
   X509_REASON_FLAGS_KEY_COMPROMISE         = 0x0002,
   X509_REASON_FLAGS_CA_COMPROMISE          = 0x0004,
   X509_REASON_FLAGS_AFFILIATION_CHANGED    = 0x0008,
   X509_REASON_FLAGS_SUPERSEDED             = 0x0010,
   X509_REASON_FLAGS_CESSATION_OF_OPERATION = 0x0020,
   X509_REASON_FLAGS_CERTIFICATE_HOLD       = 0x0040,
   X509_REASON_FLAGS_PRIVILEGE_WITHDRAWN    = 0x0080,
   X509_REASON_FLAGS_AA_COMPROMISE          = 0x0100
} X509ReasonFlags;
 
 
/**
 * @brief CRL reasons
 **/
 
typedef enum
{
   X509_CRL_REASON_UNSPECIFIED            = 0,
   X509_CRL_REASON_KEY_COMPROMISE         = 1,
   X509_CRL_REASON_CA_COMPROMISE          = 2,
   X509_CRL_REASON_AFFILIATION_CHANGED    = 3,
   X509_CRL_REASON_SUPERSEDED             = 4,
   X509_CRL_REASON_CESSATION_OF_OPERATION = 5,
   X509_CRL_REASON_CERTIFICATE_HOLD       = 6,
   X509_CRL_REMOVE_FROM_CRL               = 8,
   X509_CRL_REASON_PRIVILEGE_WITHDRAWN    = 9,
   X509_CRL_REASON_AA_COMPROMISE          = 10
} X509CrlReasons;
 
 
/**
 * @brief Public Key types
 **/
 
typedef enum
{
   X509_KEY_TYPE_UNKNOWN = 0,
   X509_KEY_TYPE_RSA     = 1,
   X509_KEY_TYPE_RSA_PSS = 2,
   X509_KEY_TYPE_DSA     = 3,
   X509_KEY_TYPE_EC      = 4,
   X509_KEY_TYPE_SM2     = 5,
   X509_KEY_TYPE_X25519  = 6,
   X509_KEY_TYPE_ED25519 = 7,
   X509_KEY_TYPE_X448    = 8,
   X509_KEY_TYPE_ED448   = 9
} X509KeyType;
 
 
/**
 * @brief Signature algorithms
 **/
 
typedef enum
{
   X509_SIGN_ALGO_NONE    = 0,
   X509_SIGN_ALGO_RSA     = 1,
   X509_SIGN_ALGO_RSA_PSS = 2,
   X509_SIGN_ALGO_DSA     = 3,
   X509_SIGN_ALGO_ECDSA   = 4,
   X509_SIGN_ALGO_SM2     = 5,
   X509_SIGN_ALGO_ED25519 = 6,
   X509_SIGN_ALGO_ED448   = 7
} X509SignatureAlgo;
 
 
/**
 * @brief Hash algorithms
 **/
 
typedef enum
{
   X509_HASH_ALGO_NONE     = 0,
   X509_HASH_ALGO_MD5      = 1,
   X509_HASH_ALGO_SHA1     = 2,
   X509_HASH_ALGO_SHA224   = 3,
   X509_HASH_ALGO_SHA256   = 4,
   X509_HASH_ALGO_SHA384   = 5,
   X509_HASH_ALGO_SHA512   = 6,
   X509_HASH_ALGO_SHA3_224 = 7,
   X509_HASH_ALGO_SHA3_256 = 8,
   X509_HASH_ALGO_SHA3_384 = 9,
   X509_HASH_ALGO_SHA3_512 = 10,
   X509_HASH_ALGO_SM3      = 11
} X509HashAlgo;
 
 
/**
 * @brief String
 **/
 
typedef struct
{
   const char_t *value;
   size_t length;
} X509String;
 
 
/**
 * @brief Octet string
 **/
 
typedef struct
{
   const uint8_t *value;
   size_t length;
} X509OctetString;
 
 
/**
 * @brief Serial number
 **/
 
typedef struct
{
   const uint8_t *value;
   size_t length;
} X509SerialNumber;
 
 
/**
 * @brief Issuer or subject name
 **/
 
typedef struct
{
   X509OctetString raw;
   X509String commonName;
   X509String surname;
   X509String serialNumber;
   X509String countryName;
   X509String localityName;
   X509String stateOrProvinceName;
   X509String organizationName;
   X509String organizationalUnitName;
   X509String title;
   X509String name;
   X509String givenName;
   X509String initials;
   X509String generationQualifier;
   X509String dnQualifier;
   X509String pseudonym;
   X509String emailAddress;
   uint_t numDomainComponents;
   X509String domainComponents[X509_MAX_DOMAIN_COMPONENTS];
} X509Name;
 
 
/**
 * @brief Name attribute
 **/
 
typedef struct
{
   X509OctetString oid;
   uint_t type;
   X509String data;
} X509NameAttribute;
 
 
/**
 * @brief Validity
 **/
 
typedef struct
{
   DateTime notBefore;
   DateTime notAfter;
} X509Validity;
 
 
/**
 * @brief Algorithm identifier
 **/
 
typedef struct
{
   X509OctetString oid;
   X509OctetString params;
} X509AlgoId;
 
 
/**
 * @brief RSA public key
 **/
 
typedef struct
{
   X509OctetString n;
   X509OctetString e;
} X509RsaPublicKey;
 
 
/**
 * @brief DSA domain parameters
 **/
 
typedef struct
{
   X509OctetString p;
   X509OctetString q;
   X509OctetString g;
} X509DsaParameters;
 
 
/**
 * @brief DSA public key
 **/
 
typedef struct
{
   X509OctetString y;
} X509DsaPublicKey;
 
 
/**
 * @brief EC parameters
 **/
 
typedef struct
{
   X509OctetString namedCurve;
} X509EcParameters;
 
 
/**
 * @brief EC public key
 **/
 
typedef struct
{
   X509OctetString q;
} X509EcPublicKey;
 
 
/**
 * @brief Subject Public Key Information extension
 **/
 
typedef struct
{
   X509OctetString raw;
   X509OctetString oid;
   X509OctetString rawSubjectPublicKey;
#if (RSA_SUPPORT == ENABLED)
   X509RsaPublicKey rsaPublicKey;
#endif
#if (DSA_SUPPORT == ENABLED)
   X509DsaParameters dsaParams;
   X509DsaPublicKey dsaPublicKey;
#endif
#if (EC_SUPPORT == ENABLED || ED25519_SUPPORT == ENABLED || ED448_SUPPORT == ENABLED)
   X509EcParameters ecParams;
   X509EcPublicKey ecPublicKey;
#endif
} X509SubjectPublicKeyInfo;
 
 
/**
 * @brief Basic Constraints extension
 **/
 
typedef struct
{
   bool_t critical;
   bool_t cA;
   int_t pathLenConstraint;
} X509BasicConstraints;
 
 
/**
 * @brief Name Constraints extension
 **/
 
typedef struct
{
   bool_t critical;
   X509OctetString permittedSubtrees;
   X509OctetString excludedSubtrees;
} X509NameConstraints;
 
 
/**
 * @brief Key Usage extension
 **/
 
typedef struct
{
   bool_t critical;
   uint16_t bitmap;
} X509KeyUsage;
 
 
/**
 * @brief Extended Key Usage extension
 **/
 
typedef struct
{
   bool_t critical;
   uint16_t bitmap;
} X509ExtendedKeyUsage;
 
 
/**
 * @brief General name
 **/
 
typedef struct
{
   X509GeneralNameType type;
   const char_t *value;
   size_t length;
} X509GeneralName;
 
 
/**
 * @brief Subject Alternative Name extension
 **/
 
typedef struct
{
   bool_t critical;
   X509OctetString raw;
   uint_t numGeneralNames;
   X509GeneralName generalNames[X509_MAX_SUBJECT_ALT_NAMES];
} X509SubjectAltName;
 
 
/**
 * @brief Subject Key Identifier extension
 **/
 
typedef struct
{
   bool_t critical;
   const uint8_t *value;
   size_t length;
} X509SubjectKeyId;
 
 
/**
 * @brief Authority Key Identifier extension
 **/
 
typedef struct
{
   bool_t critical;
   X509OctetString keyId;
} X509AuthKeyId;
 
 
/**
 * @brief Distribution Point Name structure
 **/
 
typedef struct
{
   uint_t numFullNames;
   X509GeneralName fullNames[X509_MAX_FULL_NAMES];
   X509NameAttribute relativeName;
} X509DistrPointName;
 
 
/**
 * @brief Distribution Point structure
 **/
 
typedef struct
{
   X509DistrPointName distrPointName;
   uint16_t reasonFlags;
   uint_t numCrlIssuers;
   X509GeneralName crlIssuers[X509_MAX_CRL_ISSUERS];
} X509DistrPoint;
 
 
/**
 * @brief CRL Distribution Points extension
 **/
 
typedef struct
{
   bool_t critical;
   X509OctetString raw;
   uint_t numDistrPoints;
   X509DistrPoint distrPoints[X509_MAX_DISTR_POINTS];
} X509CrlDistrPoints;
 
 
/**
 * @brief Access Description extension
 **/
 
typedef struct
{
   X509OctetString accessMethod;
   X509GeneralName accessLocation;
} X509AccessDescription;
 
 
/**
 * @brief Authority Information Access extension
 **/
 
typedef struct
{
   bool_t critical;
   X509OctetString raw;
   uint_t numAccessDescriptions;
   X509AccessDescription accessDescriptions[X509_MAX_ACCESS_DESCRIPTIONS];
} X509AuthInfoAccess;
 
 
/**
 * @brief PKIX OCSP No Check extension
 **/
 
typedef struct
{
   bool_t critical;
   bool_t present;
} X509PkixOcspNoCheck;
 
 
/**
 * @brief Netscape certificate type
 **/
 
typedef struct
{
   bool_t critical;
   uint8_t bitmap;
} X509NsCertType;
 
 
/**
 * @brief X.509 certificate extension
 **/
 
typedef struct
{
   X509OctetString oid;
   bool_t critical;
   X509OctetString data;
} X509Extension;
 
 
/**
 * @brief X.509 certificate extensions
 **/
 
typedef struct
{
   X509OctetString raw;
   X509BasicConstraints basicConstraints;
   X509NameConstraints nameConstraints;
   X509KeyUsage keyUsage;
   X509ExtendedKeyUsage extKeyUsage;
   X509SubjectAltName subjectAltName;
   X509SubjectKeyId subjectKeyId;
   X509AuthKeyId authKeyId;
   X509CrlDistrPoints crlDistrPoints;
   X509AuthInfoAccess authInfoAccess;
   X509PkixOcspNoCheck pkixOcspNoCheck;
   X509NsCertType nsCertType;
   uint_t numCustomExtensions;
   X509Extension customExtensions[X509_MAX_CUSTOM_EXTENSIONS];
   X509_PRIVATE_EXTENSIONS
} X509Extensions;
 
 
/**
 * @brief RSASSA-PSS parameters
 **/
 
typedef struct
{
   X509OctetString hashAlgo;
   X509OctetString maskGenAlgo;
   X509OctetString maskGenHashAlgo;
   size_t saltLen;
} X509RsaPssParameters;
 
 
/**
 * @brief Signature algorithm identifier
 **/
 
typedef struct
{
   X509OctetString oid;
#if (X509_RSA_PSS_SUPPORT == ENABLED && RSA_SUPPORT == ENABLED)
   X509RsaPssParameters rsaPssParams;
#endif
} X509SignAlgoId;
 
 
/**
 * @brief TBSCertificate structure
 **/
 
typedef struct
{
   X509OctetString raw;
   X509Version version;
   X509SerialNumber serialNumber;
   X509SignAlgoId signatureAlgo;
   X509Name issuer;
   X509Validity validity;
   X509Name subject;
   X509SubjectPublicKeyInfo subjectPublicKeyInfo;
   X509Extensions extensions;
} X509TbsCertificate;
 
 
/**
 * @brief X.509 certificate
 **/
 
typedef struct
{
   X509TbsCertificate tbsCert;
   X509SignAlgoId signatureAlgo;
   X509OctetString signatureValue;
} X509CertInfo;
 
 
/**
 * @brief CRL Reason extension
 **/
 
typedef struct
{
   bool_t critical;
   uint8_t value;
} X509CrlReason;
 
 
/**
 * @brief Invalidity Date extension
 **/
 
typedef struct
{
   bool_t critical;
   DateTime value;
} X509InvalidityDate;
 
 
/**
 * @brief Certificate Issuer extension
 **/
 
typedef struct
{
   bool_t critical;
   X509OctetString raw;
   uint_t numGeneralNames;
   X509GeneralName generalNames[X509_MAX_CERT_ISSUERS];
} X509CertificateIssuer;
 
 
/**
 * @brief CRL entry extensions
 **/
 
typedef struct
{
   X509OctetString raw;
   X509CrlReason reasonCode;
   X509InvalidityDate invalidityDate;
   X509CertificateIssuer certIssuer;
} X509CrlEntryExtensions;
 
 
/**
 * @brief Revoked certificate
 **/
 
typedef struct
{
   X509SerialNumber userCert;
   DateTime revocationDate;
   X509CrlEntryExtensions crlEntryExtensions;
} X509RevokedCertificate;
 
 
/**
 * @brief CRL number
 **/
 
typedef struct
{
   bool_t critical;
   const uint8_t *value;
   size_t length;
} X509CrlNumber;
 
 
/**
 * @brief Delta CRL Indicator extension
 **/
 
typedef struct
{
   bool_t critical;
   X509OctetString baseCrlNumber;
} X509DeltaCrlIndicator;
 
 
/**
 * @brief Issuing Distribution Point extension
 **/
 
typedef struct
{
   bool_t critical;
   X509DistrPointName distributionPoint;
   bool_t onlyContainsUserCerts;
   bool_t onlyContainsCaCerts;
   uint16_t onlySomeReasons;
   bool_t indirectCrl;
   bool_t onlyContainsAttributeCerts;
} X509IssuingDistrPoint;
 
 
/**
 * @brief CRL extensions
 **/
 
typedef struct
{
   X509OctetString raw;
   X509CrlNumber crlNumber;
   X509DeltaCrlIndicator deltaCrlIndicator;
   X509IssuingDistrPoint issuingDistrPoint;
   X509AuthKeyId authKeyId;
} X509CrlExtensions;
 
 
/**
 * @brief TBSCertList structure
 **/
 
typedef struct
{
   X509OctetString raw;
   X509Version version;
   X509SignAlgoId signatureAlgo;
   X509Name issuer;
   DateTime thisUpdate;
   DateTime nextUpdate;
   X509OctetString revokedCerts;
   X509CrlExtensions crlExtensions;
} X509TbsCertList;
 
 
/**
 * @brief CRL (Certificate Revocation List)
 **/
 
typedef struct
{
   X509TbsCertList tbsCertList;
   X509SignAlgoId signatureAlgo;
   X509OctetString signatureValue;
} X509CrlInfo;
 
 
/**
 * @brief PKCS #9 ChallengePassword attribute
 **/
 
typedef struct
{
   const char_t *value;
   size_t length;
} X509ChallengePassword;
 
 
/**
 * @brief CSR attribute
 **/
 
typedef struct
{
   X509OctetString oid;
   X509OctetString data;
} X509Attribute;
 
 
/**
 * @brief CSR attributes
 **/
 
typedef struct
{
   X509OctetString raw;
   X509ChallengePassword challengePwd;
   X509Extensions extensionReq;
} X509Attributes;
 
 
/**
 * @brief CertificationRequestInfo structure
 **/
 
typedef struct
{
   X509OctetString raw;
   X509Version version;
   X509Name subject;
   X509SubjectPublicKeyInfo subjectPublicKeyInfo;
   X509Attributes attributes;
} X509CertRequestInfo;
 
 
/**
 * @brief CSR (Certificate Signing Request)
 **/
 
typedef struct
{
   X509CertRequestInfo certReqInfo;
   X509SignAlgoId signatureAlgo;
   X509OctetString signatureValue;
} X509CsrInfo;
 
 
//X.509 related constants
extern const uint8_t X509_COMMON_NAME_OID[3];
extern const uint8_t X509_SURNAME_OID[3];
extern const uint8_t X509_SERIAL_NUMBER_OID[3];
extern const uint8_t X509_COUNTRY_NAME_OID[3];
extern const uint8_t X509_LOCALITY_NAME_OID[3];
extern const uint8_t X509_STATE_OR_PROVINCE_NAME_OID[3];
extern const uint8_t X509_ORGANIZATION_NAME_OID[3];
extern const uint8_t X509_ORGANIZATIONAL_UNIT_NAME_OID[3];
extern const uint8_t X509_TITLE_OID[3];
extern const uint8_t X509_NAME_OID[3];
extern const uint8_t X509_GIVEN_NAME_OID[3];
extern const uint8_t X509_INITIALS_OID[3];
extern const uint8_t X509_GENERATION_QUALIFIER_OID[3];
extern const uint8_t X509_DN_QUALIFIER_OID[3];
extern const uint8_t X509_PSEUDONYM_OID[3];
extern const uint8_t X509_DOMAIN_COMPONENT_OID[10];
 
extern const uint8_t X509_SUBJECT_DIR_ATTR_OID[3];
extern const uint8_t X509_SUBJECT_KEY_ID_OID[3];
extern const uint8_t X509_KEY_USAGE_OID[3];
extern const uint8_t X509_SUBJECT_ALT_NAME_OID[3];
extern const uint8_t X509_ISSUER_ALT_NAME_OID[3];
extern const uint8_t X509_BASIC_CONSTRAINTS_OID[3];
extern const uint8_t X509_CRL_NUMBER_OID[3];
extern const uint8_t X509_REASON_CODE_OID[3];
extern const uint8_t X509_INVALIDITY_DATE_OID[3];
extern const uint8_t X509_DELTA_CRL_INDICATOR_OID[3];
extern const uint8_t X509_ISSUING_DISTR_POINT_OID[3];
extern const uint8_t X509_CERTIFICATE_ISSUER_OID[3];
extern const uint8_t X509_NAME_CONSTRAINTS_OID[3];
extern const uint8_t X509_CRL_DISTR_POINTS_OID[3];
extern const uint8_t X509_CERTIFICATE_POLICIES_OID[3];
extern const uint8_t X509_POLICY_MAPPINGS_OID[3];
extern const uint8_t X509_AUTHORITY_KEY_ID_OID[3];
extern const uint8_t X509_POLICY_CONSTRAINTS_OID[3];
extern const uint8_t X509_EXTENDED_KEY_USAGE_OID[3];
extern const uint8_t X509_FRESHEST_CRL_OID[3];
extern const uint8_t X509_INHIBIT_ANY_POLICY_OID[3];
extern const uint8_t X509_AUTH_INFO_ACCESS_OID[8];
extern const uint8_t X509_PKIX_OCSP_NO_CHECK_OID[9];
extern const uint8_t X509_NS_CERT_TYPE_OID[9];
 
extern const uint8_t X509_ANY_EXT_KEY_USAGE_OID[4];
extern const uint8_t X509_KP_SERVER_AUTH_OID[8];
extern const uint8_t X509_KP_CLIENT_AUTH_OID[8];
extern const uint8_t X509_KP_CODE_SIGNING_OID[8];
extern const uint8_t X509_KP_EMAIL_PROTECTION_OID[8];
extern const uint8_t X509_KP_IPSEC_END_SYSTEM_OID[8];
extern const uint8_t X509_KP_IPSEC_TUNNEL_OID[8];
extern const uint8_t X509_KP_IPSEC_USER_OID[8];
extern const uint8_t X509_KP_TIME_STAMPING_OID[8];
extern const uint8_t X509_KP_OCSP_SIGNING_OID[8];
extern const uint8_t X509_KP_IPSEC_IKE_OID[8];
extern const uint8_t X509_KP_SSH_CLIENT_OID[8];
extern const uint8_t X509_KP_SSH_SERVER_OID[8];
extern const uint8_t X509_KP_DOC_SIGNING_OID[8];
 
extern const uint8_t X509_AD_CA_ISSUERS[8];
extern const uint8_t X509_AD_OCSP[8];
 
extern const uint8_t X509_EMAIL_ADDRESS_OID[9];
extern const uint8_t X509_CHALLENGE_PASSWORD_OID[9];
extern const uint8_t X509_EXTENSION_REQUEST_OID[9];
 
//X.509 related functions
bool_t x509IsSignAlgoSupported(X509SignatureAlgo signAlgo);
bool_t x509IsHashAlgoSupported(X509HashAlgo hashAlgo);
bool_t x509IsCurveSupported(const uint8_t *oid, size_t length);
 
error_t x509GetSignHashAlgo(const X509SignAlgoId *signAlgoId,
   X509SignatureAlgo *signAlgo, const HashAlgo **hashAlgo);
 
X509KeyType x509GetPublicKeyType(const uint8_t *oid, size_t length);
const EcCurveInfo *x509GetCurveInfo(const uint8_t *oid, size_t length);
 
//C++ guard
#ifdef __cplusplus
}
#endif
 
#endif