diff options
| author | Vincent Sanders <vince@kyllikki.org> | 2020-02-23 16:06:52 +0000 |
|---|---|---|
| committer | Vincent Sanders <vince@kyllikki.org> | 2020-02-23 16:23:50 +0000 |
| commit | 0c34d06494afe217ace7460c66df800d457dd2e8 (patch) | |
| tree | 17cc135e3513e7235421502e2e58a2f44ff1a137 /include | |
| parent | 214478fc15a2b9ee67e19e08cf27657c0157037a (diff) | |
| download | netsurf-0c34d06494afe217ace7460c66df800d457dd2e8.tar.gz netsurf-0c34d06494afe217ace7460c66df800d457dd2e8.tar.bz2 | |
Keep the complete certificate chain from a fetch
Instead of extracting information from the X509 certificate chain in
the fetcher the entire chain is propagated in Distinguished Encoding
Rules (DER) format.
This allows all the information contained in a certificate chain to be
retained which can subsequently be presented to the user
Diffstat (limited to 'include')
| -rw-r--r-- | include/netsurf/browser_window.h | 8 | ||||
| -rw-r--r-- | include/netsurf/misc.h | 5 | ||||
| -rw-r--r-- | include/netsurf/ssl_certs.h | 71 |
3 files changed, 63 insertions, 21 deletions
diff --git a/include/netsurf/browser_window.h b/include/netsurf/browser_window.h index 7b2f652e6..e8faa1877 100644 --- a/include/netsurf/browser_window.h +++ b/include/netsurf/browser_window.h @@ -42,7 +42,7 @@ struct form_control; struct nsurl; struct rect; struct redraw_context; -struct ssl_cert_info; +struct cert_chain; enum content_debug; /** @@ -784,11 +784,9 @@ browser_window_page_info_state browser_window_get_page_info_state( * If there is no chain available, this will return NSERROR_NOT_FOUND * * \param bw The browser window - * \param num Pointer to be filled out with chain length - * \param chain Pointer to be filled out with chain base + * \param chain Pointer to be filled out with certificate chain * \return Whether or not the chain is available */ -nserror browser_window_get_ssl_chain(struct browser_window *bw, size_t *num, - struct ssl_cert_info **chain); +nserror browser_window_get_ssl_chain(struct browser_window *bw, struct cert_chain **chain); #endif diff --git a/include/netsurf/misc.h b/include/netsurf/misc.h index 8a7953192..cc0b78dbb 100644 --- a/include/netsurf/misc.h +++ b/include/netsurf/misc.h @@ -27,7 +27,7 @@ struct form_control; struct gui_window; -struct ssl_cert_info; +struct cert_chain; struct nsurl; /** @@ -81,8 +81,7 @@ struct gui_misc_table { * \return NSERROR_OK on sucess else error and cb never called */ nserror (*cert_verify)(struct nsurl *url, - const struct ssl_cert_info *certs, - unsigned long num, + const struct cert_chain *chain, nserror (*cb)(bool proceed, void *pw), void *cbpw); diff --git a/include/netsurf/ssl_certs.h b/include/netsurf/ssl_certs.h index 0444678a8..1aaf485a7 100644 --- a/include/netsurf/ssl_certs.h +++ b/include/netsurf/ssl_certs.h @@ -48,22 +48,67 @@ typedef enum { /** Always the max known ssl certificate error type */ #define SSL_CERT_ERR_MAX_KNOWN SSL_CERT_ERR_HOSTNAME_MISMATCH +/** maximum number of X509 certificates in chain for TLS connection */ +#define MAX_CERT_DEPTH 10 + /** - * ssl certificate information for certificate error message + * X509 certificate chain */ -struct ssl_cert_info { - long version; /**< Certificate version */ - char not_before[32]; /**< Valid from date */ - char not_after[32]; /**< Valid to date */ - int sig_type; /**< Signature type */ - char serialnum[64]; /**< Serial number */ - char issuer[256]; /**< Issuer details */ - char subject[256]; /**< Subject details */ - int cert_type; /**< Certificate type */ - ssl_cert_err err; /**< Whatever is wrong with this certificate */ +struct cert_chain { + /** + * the number of certificates in the chain + * */ + size_t depth; + struct { + /** + * Whatever is wrong with this certificate + */ + ssl_cert_err err; + + /** + * data in Distinguished Encoding Rules (DER) format + */ + uint8_t *der; + + /** + * DER length + */ + size_t der_length; + } certs[MAX_CERT_DEPTH]; }; -/** maximum number of X509 certificates in chain for TLS connection */ -#define MAX_SSL_CERTS 10 +/** + * create new certificate chain + * + * \param dpth the depth to set in the new chain. + * \param chain_out A pointer to recive the new chain. + * \return NSERROR_OK on success or NSERROR_NOMEM on memory exhaustion + */ +nserror cert_chain_alloc(size_t depth, struct cert_chain **chain_out); + +/** + * duplicate a certificate chain + * + * \param src The certificate chain to copy from + * \param dst_out A pointer to recive the duplicated chain + * \return NSERROR_OK on success or NSERROR_NOMEM on memory exhaustion + */ +nserror cert_chain_dup(const struct cert_chain *src, struct cert_chain **dst_out); + +/** + * free a certificate chain + * + * \param chain The certificate chain to free + * \return NSERROR_OK on success + */ +nserror cert_chain_free(struct cert_chain *chain); + +/** + * total number of data bytes in a chain + * + * \param chain The chain to size + * \return the number of bytes used by the chain + */ +size_t cert_chain_size(const struct cert_chain *chain); #endif /* NETSURF_SSL_CERTS_H_ */ |