/**
* OpenSSL certificate store
*
* @file cert_util.h
*
* @author Russ Kubik
* @date 2016-05-11
* @copyright Copyright (c) 2016 Cisco Systems, Inc.
*
* @section DESCRIPTION
* OpenSSL certificate store
*/
#ifndef _CERT_UTIL_H
#define _CERT_UTIL_H
#include <openssl/x509.h>
#include <curl/curl.h>
#include "clamav.h"
/* As defined by ub-common-name in https://www.ietf.org/rfc/rfc3280.txt */
#define X509_COMMON_NAME_MAX_LEN (64)
/**
* @brief Load system and trusted root certificates into memory. Any errors
* while loading trusted certificates will be ignored. If error checking
* is required for trusted certificates please use cert_store_set_trusted
* directly.
*
* @details To load the certificate store with system certificates only pass
* NULL for trusted_certs and 0 (zero) for trusted_cert_count. The
* certificates store will then only load root certificates from the
* system and skip setting trusted certificates (which are
* optional and can be set later with cert_store_set_trusted).
*
* @param[in] trusted_certs - List of X509 trusted root certificates (NULL for
* empty or no trusted certificates)
* @param[in] trusted_cert_count - Number of trusted root certificates (0 for
* empty or no trusted certificates)
*
* @return 0 on success or if the cert store is already loaded, -1 on error
*/
cl_error_t cert_store_load(X509 **trusted_certs, size_t trusted_cert_count);
/**
* @brief Free system and trusted root certificates.
*/
void cert_store_unload(void);
/**
* @brief Set trusted root certificates in the cert store. If trusted
* certificates already exist then they are removed.
*
* @param[in] trusted_certs - List of trusted X509 root certificates
* @param[in] trusted_cert_count - Number of trusted X509 root certificates
*
* @return 0 on success or -1 on error
*/
cl_error_t cert_store_set_trusted(X509 **trusted_certs, size_t trusted_cert_count);
/**
* @brief Remove trusted root certificates from the cert store.
*
* @return a count of how many trusted certificates were removed. 0 (zero) will
* be returned if the cert store is not initialized
*/
size_t cert_store_remove_trusted(void);
/**
* @brief Export all system and trusted root certificates from the cert store
* into an SSL X509_STORE. The additional_ca_cert will also be exported
* if provided (not NULL).
*
* @param[out] store - SSL X509 store context
* @param[in] additional_ca_cert - additional CA certificate to append (if not
* NULL)
*/
void cert_store_export_certs(X509_STORE *store, X509 *additional_ca_cert);
/**
* @brief Export all system and trusted root certificates from the cert store as
* a null-terminated string. Certificates within the string will be
* PEM-encoded.
*
* @details An example user of this method is the EST library which, as part of
* its initialization, will ensure that the length of the CA chain
* matches a given length.
*
* @link common/est/src/src/est_client.c
*
* @param[out] cert_data - Root CA certificate PEM buffer
* @param[out] cert_data_len - Length of cert_data buffer
* @param[in] additional_ca_cert - an additional CA certificate to append
*
* @return 0 on success, -1 on error
*/
cl_error_t cert_store_export_pem(char **cert_data,
int *cert_data_len,
X509 *additional_ca_cert);
/**
* @brief Add certificates to X509 store. Duplicate certificates are skipped
* and errors are printed to the log.
*
* @param[in] store - Pointer to X509 store
* @param[in] certs - List of X509 certificates
* @param[in] cert_count - Number of X509 certificates
*/
void cert_fill_X509_store(X509_STORE *store, X509 **certs, size_t cert_count);
/**
* @brief Callback function for libcurl to verify certificates for HTTPS connections.
*
* @param[in] curl - handle for curl connection.
* @param[in] ssl_ctx - List of X509 certificates
* @param[in] userptr - Number of X509 certificates
*/
CURLcode sslctx_function(CURL *curl, void *ssl_ctx, void *userptr);
#endif