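#ifndef NETSNMP_CERT_UTIL_H
/*
 * The guard macro must be defined, not merely tested: without this line a
 * second inclusion of this header re-emits every struct typedef below and
 * fails to compile.
 */
#define NETSNMP_CERT_UTIL_H
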
00003 #if defined(NETSNMP_USE_OPENSSL) && defined(HAVE_LIBSSL)
00004 
/*
 * This header uses OpenSSL types (SSL_CTX, X509, EVP_PKEY) without
 * including the OpenSSL headers itself, so the includer must do so first.
 * NOTE(review): HEADER_SSL_H / HEADER_X509_H are the guard names used by
 * OpenSSL 0.9.x/1.x; newer OpenSSL releases guard with OPENSSL_SSL_H /
 * OPENSSL_X509_H and only define the old names for deprecated-API builds —
 * confirm before building against OpenSSL 3.x.
 */
#ifndef HEADER_SSL_H
#error "must include <openssl/ssl.h> before cert_util.h"
#endif
#ifndef HEADER_X509_H
#error "must include <openssl/x509.h> before cert_util.h"
#endif
00011 
00012 #ifdef  __cplusplus
00013 extern "C" {
00014 #endif
00015 
00016     /*************************************************************************
00017      *
00018      * netsnmp_cert structures, defines and function definitions
00019      *
00020      *************************************************************************/
00021 
/* Library-side initialisation of the certificate subsystem. */
void netsnmp_certs_init(void);
/* Agent-side initialisation (presumably registers agent config/MIB hooks;
 * see cert_util.c). */
void netsnmp_certs_agent_init(void);
/* Release everything set up by the init/load functions above. */
void netsnmp_certs_shutdown(void);
/* (Re)load certificates and keys from the configured locations. */
void netsnmp_certs_load(void);
/* Container of certificates currently trusted as CAs (NS_CERT_CA).
 * Presumably owned by the library: do not free the container or its
 * entries — confirm in cert_util.c. */
netsnmp_container *netsnmp_cert_get_trustlist(void);
00027 
    /*
     * Fields shared by loaded certificates and keys: origin on disk plus
     * classification.
     */
    typedef struct netsnmp_cert_common_s {
        char           *dir;          /* directory the object was loaded from (presumably) */
        char           *filename;     /* file name within dir (presumably) */

        u_char          type;         /* file format, NS_CERT_TYPE_* (presumably) */
        u_char          allowed_uses; /* bitmask of NS_CERT_* roles; only 8 bits,
                                       * so NS_CERT_* values must stay below 0x100 */
        u_char          _pad[2]; /* for future use; keeps the struct 4-byte aligned */
    } netsnmp_cert_common;
00036 
    /* A loaded private key and, once paired, the certificate it belongs to. */
    typedef struct netsnmp_key_s {
        netsnmp_cert_common info;

        EVP_PKEY       *okey;   /* OpenSSL key object — holds private key material;
                                 * NOTE(review): confirm it is freed on shutdown */
        struct netsnmp_cert_s   *cert;  /* matching certificate, NULL if not paired (presumably) */
    } netsnmp_key;
00043 
    /*
     * A loaded X.509 certificate plus cached text forms of its identity.
     * The cached strings are derived from ocert (presumably at load time);
     * treat them as read-only views of the certificate.
     */
    typedef struct netsnmp_cert_s {
        netsnmp_cert_common info;

        X509           *ocert;       /* OpenSSL certificate object */
        netsnmp_key    *key;         /* private key when this is an identity cert, else NULL (presumably) */
        struct netsnmp_cert_s *issuer_cert;  /* issuing cert when resolved, else NULL (presumably) */

        char           *issuer;      /* issuer DN as text */
        char           *subject;     /* subject DN as text */
        char           *fingerprint; /* hex digest of the certificate computed with hash_type */
        char           *common_name; /* subject CN — a free-form field; do not use it
                                      * alone as an authorisation identity */

        u_char          hash_type;   /* NS_HASH_* algorithm behind fingerprint */
        u_char          _pad[3]; /* for future use; keeps the struct 4-byte aligned */
    } netsnmp_cert;
00059 
    /*
     * On-disk object formats recognised by the loader (presumably stored in
     * netsnmp_cert_common.type).  Values are written out explicitly so the
     * numbering is obvious and stays stable.
     */
    enum {
        NS_CERT_TYPE_UNKNOWN = 0,  /* not (yet) identified */
        NS_CERT_TYPE_PEM     = 1,  /* PEM-encoded certificate */
        NS_CERT_TYPE_DER     = 2,  /* DER-encoded certificate */
        NS_CERT_TYPE_PKCS12  = 3,  /* PKCS#12 bundle */
        NS_CERT_TYPE_KEY     = 4   /* private key */
    };
00063 
/*
 * Certificate roles, OR-ed into netsnmp_cert_common.allowed_uses (a u_char,
 * so values must stay below 0x100).  These overlap numerically with the
 * NS_CERTKEY_* lookup flags below (both start at 0x0001): never pass one
 * set where the other is expected.
 */
#define NS_CERT_IDENTITY       0x0001  /* our own identity (paired with a private key) */
#define NS_CERT_REMOTE_PEER    0x0002  /* pinned certificate of a remote peer */
#define NS_CERT_RESERVED1      0x0004  /* unused */
#define NS_CERT_CA             0x0008  /* trusted certification authority */
00069 
/*
 * Lookup sources for the 'where' argument of netsnmp_cert_find(); the
 * 'hint' argument is interpreted according to the source (presumably a
 * file name, fingerprint string, SAN/CN value or table row — see
 * cert_util.c).  NS_CERTKEY_FILE and NS_CERTKEY_FINGERPRINT pin one
 * specific certificate; the name-based sources match whatever the loaded
 * set contains and are only as strong as the set of trusted CAs.
 */
#define NS_CERTKEY_DEFAULT       0x000 /* get default from DS store */
#define NS_CERTKEY_FILE          0x001 /* filename/full path */
#define NS_CERTKEY_FINGERPRINT   0x002 /* public key fingerprint */
#define NS_CERTKEY_CA            0x004 /* trusted CA */
#define NS_CERTKEY_SAN_RFC822    0x008 /* subj alt name: rfc822 */
#define NS_CERTKEY_SAN_DNS       0x010 /* subj alt name: DNS */
#define NS_CERTKEY_SAN_IPADDR    0x020 /* subj alt name: IP address */
#define NS_CERTKEY_COMMON_NAME   0x040 /* common name (free-form field; weakest selector) */
#define NS_CERTKEY_TARGET_PARAM  0x080 /* tlstmParamsTable */
#define NS_CERTKEY_TARGET_ADDR   0x100 /* tlstmAddrTable */
#define NS_CERTKEY_MULTIPLE      0x200 /* try multiple sources */
00082 
/*
 * Fingerprint hash algorithm identifiers.  The numbering coincides with the
 * TLS HashAlgorithm registry (none=0, md5=1, sha1=2, ..., sha512=6), which
 * is also the leading octet of an SnmpTLSFingerprint (RFC 6353) — presumably
 * why these values were chosen; do not renumber.
 *
 * NOTE(review): MD5 and SHA-1 are collision-prone, so a fingerprint computed
 * with them is a weak pin.  Prefer NS_HASH_SHA256 or stronger for new
 * configuration and consider warning when a table row selects 1 or 2.
 */
#define NS_HASH_NONE        0
#define NS_HASH_MD5         1
#define NS_HASH_SHA1        2
#define NS_HASH_SHA224      3
#define NS_HASH_SHA256      4
#define NS_HASH_SHA384      5
#define NS_HASH_SHA512      6
#define NS_HASH_MAX         NS_HASH_SHA512   /* highest value defined here */
00092 
00094 #define SNMPTLSFINGERPRINT_MAX_LEN   255
00095 
00096     /*************************************************************************
00097      * netsnmp_cert function definitions
00098      *************************************************************************/
00099 
    /*
     * Look up a loaded certificate.
     *   what  - required role, an NS_CERT_* value
     *   where - lookup source, NS_CERTKEY_* (may include NS_CERTKEY_MULTIPLE)
     *   hint  - source-specific selector (file name, fingerprint, SAN/CN
     *           string or table row — presumably; see cert_util.c)
     * Returns the matching certificate or NULL.  The pointer presumably
     * belongs to the certificate container and must not be freed.
     */
    netsnmp_cert *netsnmp_cert_find(int what, int where, void *hint);

    /*
     * Validate a varbind carrying an SnmpTLSFingerprint.  Such values arrive
     * over SNMP (snmpTlstm*Table SETs) and are untrusted; presumably this
     * checks the ASN type, the length against SNMPTLSFINGERPRINT_MAX_LEN and
     * the leading hash-type octet.  Returns an SNMP error code (presumably
     * SNMP_ERR_NOERROR on success) — confirm in cert_util.c.
     */
    int netsnmp_cert_check_vb_fingerprint(const netsnmp_variable_list *var);
00103 
    /* In-place normalisation of a NUL-terminated hex fingerprint (by its
     * name: lower-case the digits and drop ':' separators) so that
     * fingerprints can be compared byte-for-byte. */
    void netsnmp_fp_lowercase_and_strip_colon(char *fp);
    /* Map a hash algorithm name (e.g. "sha256") to an NS_HASH_* value;
     * the result for an unknown name is not visible here — confirm. */
    int netsnmp_cert_parse_hash_type(const char *str);
    /*
     * Build the MIB/wire form of a fingerprint (hash_type octet followed by
     * the binary digest) from a hex string.
     *   tls_fp/tls_fp_len - output buffer and its length, in/out; with
     *     allow_realloc set the buffer may be grown (net-snmp realloc
     *     convention — presumably), otherwise it must already be large
     *     enough.
     * Returns 0 on success (presumably SNMPERR_SUCCESS).
     */
    int netsnmp_tls_fingerprint_build(int hash_type, const char *hex_fp,
                                      u_char **tls_fp, size_t *tls_fp_len,
                                      int allow_realloc);
    /*
     * Inverse of netsnmp_tls_fingerprint_build(): binary_fp (hash-type
     * octet plus digest) to a hex string in *fp_str_ptr, with
     * *hash_type_ptr set from the leading octet.  fp_len is a signed int:
     * callers must pass 0 <= fp_len <= SNMPTLSFINGERPRINT_MAX_LEN; whether
     * negative values are rejected internally is not visible here.
     */
    int netsnmp_tls_fingerprint_parse(const u_char *binary_fp, int fp_len,
                                      char **fp_str_ptr, u_int *fp_str_len,
                                      int allow_realloc, u_char *hash_type_ptr);
00112 
00113 
    /*
     * Add thiscert to ctx's trust store, and (the _ca variant) the CA chain
     * rooted at thiscertsrootca — presumably via the SSL_CTX X509_STORE.
     * Any peer whose chain reaches a certificate trusted here passes TLS
     * verification; mapping that peer to a tmSecurityName is a separate
     * step (netsnmp_cert_map below), so keep the trusted set minimal.
     * Return value is presumably 0 on success — confirm in cert_util.c.
     */
    int netsnmp_cert_trust(SSL_CTX *ctx, netsnmp_cert *thiscert);
    int netsnmp_cert_trust_ca(SSL_CTX *ctx, netsnmp_cert *thiscertsrootca);
00116 
00117     /*************************************************************************
00118      *
00119      *  certificate to Transport Security Name mapping (netsnmp_cert_map)
00120      *
00121      *************************************************************************/
00122 
/*
 * Certificate-to-tmSecurityName mapping types.  The values presumably track
 * the last arc of the snmpTlstmCertToTSNMIdentities OIDs in SNMP-TLS-TM-MIB
 * (RFC 6353) so they can be derived directly from the
 * snmpTlstmCertToTSNMapType column — do not renumber.
 * Security note: tlstmCertSpecified binds an explicit name to a fingerprint
 * and is the strongest; the SAN mappings derive the name from the
 * certificate and are only as trustworthy as the CA that issued it; the
 * CommonName mapping relies on a free-form field and is the weakest.
 */
#define TSNM_tlstmCertSpecified                 1
#define TSNM_tlstmCertSANRFC822Name             2
#define TSNM_tlstmCertSANDNSName                3
#define TSNM_tlstmCertSANIpAddress              4
#define TSNM_tlstmCertSANAny                    5
#define TSNM_tlstmCertCommonName                6
#define TSNM_tlstmCert_MAX                      TSNM_tlstmCertCommonName
00130 
/*
 * netsnmp_cert_map.flags: origin and persistence of a mapping row.
 * FROM_MIB rows were created over SNMP (SET requests) and so are
 * attacker-influenced once anyone has write access to the table;
 * NONVOLATILE rows are saved to persistent configuration — presumably.
 */
#define NSCM_FROM_CONFIG                        0x0001
#define NSCM_FROM_MIB                           0x0002
#define NSCM_NONVOLATILE                        0x0004
00134 
    /* One certificate -> tmSecurityName mapping row (snmpTlstmCertToTSNTable). */
    typedef struct netsnmp_cert_map_s {
        int             priority;    /* evaluation order, presumably lowest first — confirm */
        char           *fingerprint; /* hex fingerprint of the certificate this row applies to */
        int             mapType;     /* TSNM_tlstmCert* */
        char           *data;        /* mapping data: presumably the literal tmSecurityName
                                      * for tlstmCertSpecified, unused for derived types */

        char            hashType;    /* NS_HASH_* for fingerprint.  Plain char here but
                                      * u_char in snmpTlstmAddr: cast before comparing on
                                      * platforms where char is signed. */
        char            flags;       /* NSCM_* */

        X509           *ocert;       /* resolved certificate, or NULL until matched (presumably) */
    } netsnmp_cert_map;
00146 
    /* Allocate a map for fp/ocert.  Whether fp is copied or adopted is not
     * visible here — TODO confirm before freeing the caller's string. */
    netsnmp_cert_map *netsnmp_cert_map_alloc(char *fp, X509 *ocert);
    /* Release a map and its owned strings; ocert presumably stays with the
     * netsnmp_cert that owns it — confirm. */
    void netsnmp_cert_map_free(netsnmp_cert_map *cert_map);
    /* Insert into / remove from the global map container; nonzero on failure. */
    int netsnmp_cert_map_add(netsnmp_cert_map *map);
    int netsnmp_cert_map_remove(netsnmp_cert_map *map);
    /* Find the stored entry matching map's key fields (presumably
     * fingerprint/priority); returns the stored pointer, not a copy. */
    netsnmp_cert_map *netsnmp_cert_map_find(netsnmp_cert_map *map);

    /* Free a map container and (presumably) every map it holds. */
    void netsnmp_cert_map_container_free(netsnmp_container *c);
    /* Create a map container; with_fp presumably adds a fingerprint index. */
    netsnmp_container *netsnmp_cert_map_container_create(int with_fp);
    /* The process-wide map container. */
    netsnmp_container *netsnmp_cert_map_container(void);

    /* Resolve the tmSecurityName for each map in cm from its certificate
     * according to mapType — presumably; see cert_util.c for what happens
     * to maps that cannot be resolved. */
    int netsnmp_cert_get_secname_maps(netsnmp_container *cm);
00158 
00159     /*************************************************************************
00160      *
00161      *  snmpTlstmParamsTable data
00162      *
00163      *************************************************************************/
    /* One snmpTlstmParamsTable row: the client certificate fingerprint to use
     * for a snmpTargetParams entry (presumably snmpTlstmParamsClientFingerprint). */
    typedef struct snmpTlstmParams_s {
        char         *name;            /* snmpTargetParamsName (row key) */
        char         *fingerprint;     /* fingerprint of the local client cert, hex (presumably) */
        char          hashType;        /* NS_HASH_* (plain char; see netsnmp_cert_map) */
        u_char        flags;           /* TLSTM_PARAMS_* */
        u_char        fingerprint_len; /* length of fingerprint; a u_char, so values above
                                        * SNMPTLSFINGERPRINT_MAX_LEN cannot be represented */
    } snmpTlstmParams;
00171     
/* snmpTlstmParams.flags; same meaning as the NSCM_* flags above. */
#define TLSTM_PARAMS_FROM_CONFIG          0x01
#define TLSTM_PARAMS_FROM_MIB             0x02
#define TLSTM_PARAMS_NONVOLATILE          0x04
00175 
    /*
     * Allocate a params row.  fp_len is an int while the stored
     * fingerprint_len is a u_char: callers must keep
     * 0 <= fp_len <= SNMPTLSFINGERPRINT_MAX_LEN, otherwise the length is
     * silently truncated if stored unchecked — TODO confirm that the
     * implementation rejects out-of-range values.
     */
    snmpTlstmParams *netsnmp_tlstmParams_create(const char *tag, int hashType,
                                                const char *fp, int fp_len);
    /* Free a row and its strings. */
    void netsnmp_tlstmParams_free(snmpTlstmParams *stp);
    /* Parse the fields shared with persisted config from *line (presumably
     * advancing *line past them); NULL on a malformed line — confirm. */
    snmpTlstmParams *netsnmp_tlstmParams_restore_common(char **line);

    /* The process-wide container of params rows. */
    netsnmp_container *netsnmp_tlstmParams_container(void);
    /* Insert into / remove from the container; nonzero on failure. */
    int netsnmp_tlstmParams_add(snmpTlstmParams *stp);
    int netsnmp_tlstmParams_remove(snmpTlstmParams *stp);
    /* Find the stored row matching stp->name; stored pointer, not a copy. */
    snmpTlstmParams *netsnmp_tlstmParams_find(snmpTlstmParams *stp);
00186 
00187     /*************************************************************************
00188      *
00189      *  snmpTlstmAddrTable data
00190      *
00191      *************************************************************************/
    /* One snmpTlstmAddrTable row: what the server behind a target address is
     * expected to present. */
    typedef struct snmpTlstmAddr_s {
        char         *name;         /* snmpTargetAddrName (row key) */
        char         *fingerprint;  /* expected server certificate fingerprint, hex
                                     * (presumably snmpTlstmAddrServerFingerprint) */
        char         *identity;     /* expected server identity to check against the
                                     * server cert (presumably snmpTlstmAddrServerIdentity) */

        u_char        hashType;     /* NS_HASH_* for fingerprint */
        u_char        flags;        /* TLSTM_ADDR_* */
                                    /* NOTE(review): with neither fingerprint nor
                                     * identity set, server authentication rests on
                                     * the SSL_CTX trust store alone — confirm how the
                                     * transport handles that case. */
    } snmpTlstmAddr;
00201 
/* snmpTlstmAddr.flags; same meaning as the NSCM_* flags above. */
#define TLSTM_ADDR_FROM_CONFIG          0x01
#define TLSTM_ADDR_FROM_MIB             0x02
#define TLSTM_ADDR_NONVOLATILE          0x04
00205 
    /*
     * Parse one persisted snmpTlstmAddr line (presumably advancing *line).
     * name, id and fp are caller-provided buffers; the *_len values
     * presumably follow the net-snmp read_config convention (buffer
     * capacity on entry, stored length on return) — verify before sizing
     * the buffers, because a wrong capacity here is a buffer overflow.
     * ht receives the NS_HASH_* type of fp.
     */
    int netsnmp_tlstmAddr_restore_common(char **line, char *name,
                                         size_t *name_len, char *id,
                                         size_t *id_len, char *fp,
                                         size_t *fp_len, u_char *ht);
    /* The process-wide container of address rows. */
    netsnmp_container *netsnmp_tlstmAddr_container(void);
    /* Find the stored row matching entry->name; stored pointer, not a copy. */
    snmpTlstmAddr *netsnmp_tlstmAddr_find(snmpTlstmAddr *entry);
    /* Allocate a row for targetAddrName (whether the name is copied is not
     * visible here — confirm). */
    snmpTlstmAddr *netsnmp_tlstmAddr_create(char *targetAddrName);
    /* Free a row and its strings. */
    void netsnmp_tlstmAddr_free(snmpTlstmAddr *entry);
    /* Insert into / remove from the container; nonzero on failure. */
    int netsnmp_tlstmAddr_add(snmpTlstmAddr *entry);
    int netsnmp_tlstmAddr_remove(snmpTlstmAddr *entry);
    /* Expected server identity for target address name, or NULL if none.
     * Ownership of the returned string is not visible here — check before
     * freeing. */
    char *netsnmp_tlstmAddr_get_serverId(const char *name);
00218 
00219 #ifdef __cplusplus
00220 }
00221 #endif
00222 
00223 #endif /* defined(NETSNMP_USE_OPENSSL) && defined(HAVE_LIBSSL) */
00224 
00225 #endif /* NETSNMP_CERT_UTIL_H */
00226