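#ifndef NETSNMP_CERT_UTIL_H
/*
 * The original header opened the guard with #ifndef but never defined the
 * macro, so the guard was a no-op: a second inclusion in one translation
 * unit would redefine every typedef/struct below and fail to compile.
 */
#define NETSNMP_CERT_UTIL_H

#if defined(NETSNMP_USE_OPENSSL) && defined(HAVE_LIBSSL)

/*
 * This header refers to OpenSSL types (X509, EVP_PKEY, SSL_CTX) but does not
 * pull in the OpenSSL headers itself; the including file must do so first.
 */
#ifndef HEADER_SSL_H
#error "must include <openssl/ssl.h> before cert_util.h"
#endif
#ifndef HEADER_X509_H
#error "must include <openssl/x509.h> before cert_util.h"
#endif

#ifdef __cplusplus
extern "C" {
#endif

/*************************************************************************
 *
 * netsnmp_cert structures, defines and function definitions
 *
 *************************************************************************/

/* lifecycle of the process-wide certificate store */
void netsnmp_certs_init(void);
void netsnmp_certs_agent_init(void);
void netsnmp_certs_shutdown(void);
void netsnmp_certs_load(void);
/** Container of certificates currently treated as trusted (see NS_CERT_CA). */
netsnmp_container *netsnmp_cert_get_trustlist(void);

/** Fields shared by certificate and key records (where it was loaded from
 *  and what it is). */
typedef struct netsnmp_cert_common_s {
    char       *dir;
    char       *filename;

    u_char      type;           /* presumably one of NS_CERT_TYPE_* below */
    u_char      allowed_uses;   /* presumably a bitmask of NS_CERT_* usage bits */
    u_char      _pad[2];        /* for future use */
} netsnmp_cert_common;

/** A loaded private key and, once matched, the certificate it belongs to. */
typedef struct netsnmp_key_s {
    netsnmp_cert_common info;

    EVP_PKEY           *okey;   /* OpenSSL key object */
    struct netsnmp_cert_s *cert;
} netsnmp_key;

/** A loaded certificate plus cached, printable identity fields. */
typedef struct netsnmp_cert_s {
    netsnmp_cert_common info;

    X509               *ocert;       /* OpenSSL certificate object */
    netsnmp_key        *key;         /* matching private key, if any */
    struct netsnmp_cert_s *issuer_cert;

    char               *issuer;
    char               *subject;
    char               *fingerprint;
    char               *common_name;

    u_char              hash_type;   /* NS_HASH_* the fingerprint was computed with */
    u_char              _pad[3];     /* for future use */
} netsnmp_cert;

/** On-disk encoding of a cert/key file. */
enum { NS_CERT_TYPE_UNKNOWN = 0, NS_CERT_TYPE_PEM, NS_CERT_TYPE_DER,
       NS_CERT_TYPE_PKCS12, NS_CERT_TYPE_KEY };

/** Certificate usage bits (NS_CERT_RESERVED1 is unassigned). */
#define NS_CERT_IDENTITY       0x0001
#define NS_CERT_REMOTE_PEER    0x0002
#define NS_CERT_RESERVED1      0x0004
#define NS_CERT_CA             0x0008

/** Lookup keys for netsnmp_cert_find(): where to search and what 'hint' means. */
#define NS_CERTKEY_DEFAULT       0x000 /* get default from DS store */
#define NS_CERTKEY_FILE          0x001 /* filename/full path */
#define NS_CERTKEY_FINGERPRINT   0x002 /* public key fingerprint */
#define NS_CERTKEY_CA            0x004 /* trusted CA */
#define NS_CERTKEY_SAN_RFC822    0x008 /* subj alt name: rfc822 */
#define NS_CERTKEY_SAN_DNS       0x010 /* subj alt name: DNS */
#define NS_CERTKEY_SAN_IPADDR    0x020 /* subj alt name: IP address */
#define NS_CERTKEY_COMMON_NAME   0x040 /* common name */
#define NS_CERTKEY_TARGET_PARAM  0x080 /* tlstmParamsTable */
#define NS_CERTKEY_TARGET_ADDR   0x100 /* tlstmAddrTable */
#define NS_CERTKEY_MULTIPLE      0x200 /* try multiple sources */

/**
 * Hash algorithm identifiers used in fingerprints.
 *
 * The numeric values appear to follow the TLS HashAlgorithm registry that
 * the SnmpTLSFingerprint textual convention refers to (confirm against the
 * TLSTM MIB), so they are wire/config values and must not be renumbered.
 *
 * NOTE(review): MD5 and SHA-1 are listed for interoperability only. A
 * fingerprint is the sole thing binding a peer certificate to a security
 * name, so a collision-weak digest weakens that binding; configurations
 * should use SHA-256 or stronger. Validate values read from config or a
 * MIB SET against the range NS_HASH_NONE..NS_HASH_MAX before use.
 */
#define NS_HASH_NONE    0
#define NS_HASH_MD5     1
#define NS_HASH_SHA1    2
#define NS_HASH_SHA224  3
#define NS_HASH_SHA256  4
#define NS_HASH_SHA384  5
#define NS_HASH_SHA512  6
#define NS_HASH_MAX     NS_HASH_SHA512

/** Upper bound on a fingerprint's length; 255 is presumably the size limit
 *  of the SnmpTLSFingerprint OCTET STRING (and fits the u_char
 *  fingerprint_len field below). */
#define SNMPTLSFINGERPRINT_MAX_LEN 255

/*************************************************************************
 * netsnmp_cert function definitions
 *************************************************************************/

/**
 * Look up a certificate.
 *
 * @param what   intended use, presumably an NS_CERT_* bit
 * @param where  NS_CERTKEY_* selector describing how 'hint' is interpreted
 * @param hint   lookup key whose type depends on 'where' (path, fingerprint,
 *               name, ...)
 * @return matching certificate or NULL
 */
netsnmp_cert *netsnmp_cert_find(int what, int where, void *hint);

/**
 * Validate a fingerprint carried in a varbind (i.e. arriving via SNMP and
 * therefore untrusted) before it is accepted into a table.
 * @return 0 on success, otherwise an error code (confirm against caller)
 */
int netsnmp_cert_check_vb_fingerprint(const netsnmp_variable_list *var);

/** Normalize a hex fingerprint string in place (lowercase, ':' removed) so
 *  that textual comparison is canonical. */
void netsnmp_fp_lowercase_and_strip_colon(char *fp);
/** Map a hash-algorithm name to its NS_HASH_* value; returns a negative
 *  value on an unknown name (confirm against the implementation). */
int netsnmp_cert_parse_hash_type(const char *str);
/**
 * Build the binary SnmpTLSFingerprint form (hash-type byte followed by the
 * digest bytes) from a hex string.
 * allow_realloc follows the usual net-snmp buffer convention: when non-zero
 * *tls_fp may be grown/allocated, otherwise *tls_fp_len is the capacity.
 */
int netsnmp_tls_fingerprint_build(int hash_type, const char *hex_fp,
                                  u_char **tls_fp, size_t *tls_fp_len,
                                  int allow_realloc);
/**
 * Inverse of netsnmp_tls_fingerprint_build(): split a binary fingerprint
 * into its hash type (*hash_type_ptr) and a hex string.
 * fp_len is the length of binary_fp in bytes.
 */
int netsnmp_tls_fingerprint_parse(const u_char *binary_fp, int fp_len,
                                  char **fp_str_ptr, u_int *fp_str_len,
                                  int allow_realloc, u_char *hash_type_ptr);

/** Add a certificate (or a CA) to the trust store of an SSL_CTX. */
int netsnmp_cert_trust(SSL_CTX *ctx, netsnmp_cert *thiscert);
int netsnmp_cert_trust_ca(SSL_CTX *ctx, netsnmp_cert *thiscertsrootca);

/*************************************************************************
 *
 * certificate to Transport Security Name mapping (netsnmp_cert_map)
 *
 *************************************************************************/

/** tlstmCertToTSNMapType values: which part of the peer certificate
 *  supplies the security name. */
#define TSNM_tlstmCertSpecified         1
#define TSNM_tlstmCertSANRFC822Name     2
#define TSNM_tlstmCertSANDNSName        3
#define TSNM_tlstmCertSANIpAddress      4
#define TSNM_tlstmCertSANAny            5
#define TSNM_tlstmCertCommonName        6
#define TSNM_tlstmCert_MAX              TSNM_tlstmCertCommonName

/** netsnmp_cert_map.flags bits: origin of the entry and persistence. */
#define NSCM_FROM_CONFIG   0x0001
#define NSCM_FROM_MIB      0x0002
#define NSCM_NONVOLATILE   0x0004

/** One fingerprint -> security-name mapping rule. */
typedef struct netsnmp_cert_map_s {
    int             priority;     /* lower presumably evaluated first */
    char           *fingerprint;  /* hex fingerprint of the peer cert */
    int             mapType;      /* TSNM_tlstmCert* */
    char           *data;         /* literal name for tlstmCertSpecified */

    char            hashType;     /* NS_HASH_*; note: plain char here while the
                                     other tables use u_char - kept for ABI,
                                     range-check rather than relying on sign */
    char            flags;        /* NSCM_* bits */

    X509           *ocert;        /* resolved certificate, if any */
} netsnmp_cert_map;

/* Ownership of 'fp'/'ocert' after netsnmp_cert_map_alloc() is not stated
 * here - confirm against the implementation before freeing them. */
netsnmp_cert_map *netsnmp_cert_map_alloc(char *fp, X509 *ocert);
void netsnmp_cert_map_free(netsnmp_cert_map *cert_map);
int netsnmp_cert_map_add(netsnmp_cert_map *map);
int netsnmp_cert_map_remove(netsnmp_cert_map *map);
netsnmp_cert_map *netsnmp_cert_map_find(netsnmp_cert_map *map);

void netsnmp_cert_map_container_free(netsnmp_container *c);
/** Create a map container; with_fp non-zero presumably adds a fingerprint
 *  index. */
netsnmp_container *netsnmp_cert_map_container_create(int with_fp);
netsnmp_container *netsnmp_cert_map_container(void);

int netsnmp_cert_get_secname_maps(netsnmp_container *cm);

/*************************************************************************
 *
 * snmpTlstmParamsTable data
 *
 *************************************************************************/
/** Per-target TLS parameters: which client certificate (by fingerprint)
 *  to present for a given snmpTargetParams name. */
typedef struct snmpTlstmParams_s {
    char           *name;
    char           *fingerprint;
    char            hashType;        /* NS_HASH_* */
    u_char          flags;           /* TLSTM_PARAMS_* bits */
    u_char          fingerprint_len; /* <= SNMPTLSFINGERPRINT_MAX_LEN */
} snmpTlstmParams;

#define TLSTM_PARAMS_FROM_CONFIG    0x01
#define TLSTM_PARAMS_FROM_MIB       0x02
#define TLSTM_PARAMS_NONVOLATILE    0x04

/** Allocate an entry; the string arguments are const and so presumably
 *  copied. */
snmpTlstmParams *netsnmp_tlstmParams_create(const char *tag, int hashType,
                                            const char *fp, int fp_len);
void netsnmp_tlstmParams_free(snmpTlstmParams *stp);
/** Parse one persisted line; *line is advanced past the consumed text. */
snmpTlstmParams *netsnmp_tlstmParams_restore_common(char **line);

netsnmp_container *netsnmp_tlstmParams_container(void);
int netsnmp_tlstmParams_add(snmpTlstmParams *stp);
int netsnmp_tlstmParams_remove(snmpTlstmParams *stp);
snmpTlstmParams *netsnmp_tlstmParams_find(snmpTlstmParams *stp);

/*************************************************************************
 *
 * snmpTlstmAddrTable data
 *
 *************************************************************************/
/** Per-target expected server identity: the fingerprint and/or identity
 *  string a remote server's certificate must match. */
typedef struct snmpTlstmAddr_s {
    char           *name;
    char           *fingerprint;
    char           *identity;

    u_char          hashType;   /* NS_HASH_* */
    u_char          flags;      /* TLSTM_ADDR_* bits */

} snmpTlstmAddr;

#define TLSTM_ADDR_FROM_CONFIG    0x01
#define TLSTM_ADDR_FROM_MIB       0x02
#define TLSTM_ADDR_NONVOLATILE    0x04

/**
 * Parse one persisted tlstmAddr line into caller-supplied buffers.
 * The *_len arguments are presumably capacity on input and length on
 * output (confirm against the implementation before sizing buffers).
 */
int netsnmp_tlstmAddr_restore_common(char **line, char *name,
                                     size_t *name_len, char *id,
                                     size_t *id_len, char *fp,
                                     size_t *fp_len, u_char *ht);
netsnmp_container *netsnmp_tlstmAddr_container(void);
snmpTlstmAddr *netsnmp_tlstmAddr_find(snmpTlstmAddr *entry);
snmpTlstmAddr *netsnmp_tlstmAddr_create(char *targetAddrName);
void netsnmp_tlstmAddr_free(snmpTlstmAddr *entry);
int netsnmp_tlstmAddr_add(snmpTlstmAddr *entry);
int netsnmp_tlstmAddr_remove(snmpTlstmAddr *entry);
/** Identity string configured for a target address, or NULL. */
char *netsnmp_tlstmAddr_get_serverId(const char *name);

#ifdef __cplusplus
}
#endif

#endif /* defined(NETSNMP_USE_OPENSSL) && defined(HAVE_LIBSSL) */

#endif /* NETSNMP_CERT_UTIL_H */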