Difference between revisions of "Unit X.509"
From Ultibo.org
(Created page with "Return to Unit Reference === Description === ---- ''To be documented'' === Constants === ---- ''To be documented'' === Type definitions === ---- ''To...") |
|||
| (7 intermediate revisions by the same user not shown) | |||
| Line 5: | Line 5: | ||
---- | ---- | ||
| − | '' | + | '''Ultibo X.509 Interface unit''' |
| + | |||
| + | X.509 is a standard that defines the format of public key certificates. An X.509 certificate contains a public key and an identity (a hostname, or an organization, or an individual), and is either signed by a certificate authority or self-signed. When a certificate is signed by a trusted certificate authority, or validated by other means, someone holding that certificate can rely on the public key it contains to establish secure communications with another party, or validate documents digitally signed by the corresponding private key. | ||
| + | |||
| + | This unit currently only provides the basic functionality required to read and parse an X.509 certificate in DER or PEM format and extract basic information such as the issuer, subject, validity, algorithm and public key. | ||
| + | |||
| + | It is expected that this unit will be expanded to incorporate additional functions over time. | ||
=== Constants === | === Constants === | ||
---- | ---- | ||
| − | '' | + | |
| + | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial; padding-top: 20px; padding-bottom: 15px;"> | ||
| + | <div style="font-size: 14px; padding-left: 12px;">'''X509 specific constants''' <code> X509_* </code></div> | ||
| + | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
| + | {| class="wikitable" style="font-size: 14px; background: white;" | ||
| + | |- | ||
| + | | <code>X509_MAX_NAME_ATTRIBUTES = 20;</code> | ||
| + | | style="width: 50%;"| | ||
| + | |- | ||
| + | | <code>X509_MAX_SERIAL_NUM_LEN = 20;</code> | ||
| + | | | ||
| + | |- | ||
| + | |} | ||
| + | </div></div> | ||
| + | <br /> | ||
| + | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial; padding-top: 20px; padding-bottom: 15px;"> | ||
| + | <div style="font-size: 14px; padding-left: 12px;">'''X509 name attribute''' <code> X509_NAME_ATTR_* </code></div> | ||
| + | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
| + | {| class="wikitable" style="font-size: 14px; background: white;" | ||
| + | |- | ||
| + | | <code>X509_NAME_ATTR_NONE = 0;</code> | ||
| + | | style="width: 50%;"| | ||
| + | |- | ||
| + | | <code>X509_NAME_ATTR_DC = 1;</code> | ||
| + | | | ||
| + | |- | ||
| + | | <code>X509_NAME_ATTR_CN = 2;</code> | ||
| + | | | ||
| + | |- | ||
| + | | <code>X509_NAME_ATTR_C = 3;</code> | ||
| + | | | ||
| + | |- | ||
| + | | <code>X509_NAME_ATTR_L = 4;</code> | ||
| + | | | ||
| + | |- | ||
| + | | <code>X509_NAME_ATTR_ST = 5;</code> | ||
| + | | | ||
| + | |- | ||
| + | | <code>X509_NAME_ATTR_O = 6;</code> | ||
| + | | | ||
| + | |- | ||
| + | | <code>X509_NAME_ATTR_OU = 7;</code> | ||
| + | | | ||
| + | |- | ||
| + | |} | ||
| + | </div></div> | ||
| + | <br /> | ||
| + | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial; padding-top: 20px; padding-bottom: 15px;"> | ||
| + | <div style="font-size: 14px; padding-left: 12px;">'''X509 validate''' <code> X509_VALIDATE_* </code></div> | ||
| + | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
| + | {| class="wikitable" style="font-size: 14px; background: white;" | ||
| + | |- | ||
| + | | <code>X509_VALIDATE_OK = 0;</code> | ||
| + | | style="width: 50%;"| | ||
| + | |- | ||
| + | | <code>X509_VALIDATE_BAD_CERTIFICATE = 1;</code> | ||
| + | | | ||
| + | |- | ||
| + | | <code>X509_VALIDATE_UNSUPPORTED_CERTIFICATE = 2;</code> | ||
| + | | | ||
| + | |- | ||
| + | | <code>X509_VALIDATE_CERTIFICATE_REVOKED = 3;</code> | ||
| + | | | ||
| + | |- | ||
| + | | <code>X509_VALIDATE_CERTIFICATE_EXPIRED = 4;</code> | ||
| + | | | ||
| + | |- | ||
| + | | <code>X509_VALIDATE_CERTIFICATE_UNKNOWN = 5;</code> | ||
| + | | | ||
| + | |- | ||
| + | | <code>X509_VALIDATE_UNKNOWN_CA = 6;</code> | ||
| + | | | ||
| + | |- | ||
| + | |} | ||
| + | </div></div> | ||
| + | <br /> | ||
| + | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial; padding-top: 20px; padding-bottom: 15px;"> | ||
| + | <div style="font-size: 14px; padding-left: 12px;">'''X509 certificate version''' <code> X509_CERT_V* </code></div> | ||
| + | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
| + | {| class="wikitable" style="font-size: 14px; background: white;" | ||
| + | |- | ||
| + | | <code>X509_CERT_V1 = 0;</code> | ||
| + | | style="width: 50%;"| | ||
| + | |- | ||
| + | | <code>X509_CERT_V2 = 1;</code> | ||
| + | | | ||
| + | |- | ||
| + | | <code>X509_CERT_V3 = 2;</code> | ||
| + | | | ||
| + | |- | ||
| + | |} | ||
| + | </div></div> | ||
| + | <br /> | ||
| + | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial; padding-top: 20px; padding-bottom: 15px;"> | ||
| + | <div style="font-size: 14px; padding-left: 12px;">'''X509 certificate extension''' <code> X509_EXT_* </code></div> | ||
| + | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
| + | {| class="wikitable" style="font-size: 14px; background: white;" | ||
| + | |- | ||
| + | | <code>X509_EXT_BASIC_CONSTRAINTS = (1 shl 0);</code> | ||
| + | | style="width: 50%;"| | ||
| + | |- | ||
| + | | <code>X509_EXT_PATH_LEN_CONSTRAINT = (1 shl 1);</code> | ||
| + | | | ||
| + | |- | ||
| + | | <code>X509_EXT_KEY_USAGE = (1 shl 2);</code> | ||
| + | | | ||
| + | |- | ||
| + | | <code>X509_EXT_SUBJECT_ALT_NAME = (1 shl 3);</code> | ||
| + | | | ||
| + | |- | ||
| + | | <code>X509_EXT_ISSUER_ALT_NAME = (1 shl 4);</code> | ||
| + | | | ||
| + | |- | ||
| + | | <code>X509_EXT_EXT_KEY_USAGE = (1 shl 5);</code> | ||
| + | | | ||
| + | |- | ||
| + | |} | ||
| + | </div></div> | ||
| + | <br /> | ||
| + | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial; padding-top: 20px; padding-bottom: 15px;"> | ||
| + | <div style="font-size: 14px; padding-left: 12px;">'''X509 certificate key usage''' <code> X509_KEY_USAGE_* </code></div> | ||
| + | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
| + | {| class="wikitable" style="font-size: 14px; background: white;" | ||
| + | |- | ||
| + | |colspan="2"|Note: RFC5280 Section 4.2.1.3. - Key Usage | ||
| + | |- | ||
| + | | <code>X509_KEY_USAGE_DIGITAL_SIGNATURE = (1 shl 0);</code> | ||
| + | | digitalSignature - The digitalSignature bit is asserted when the subject public key is used for verifying digital signatures, other than signatures on certificates. | ||
| + | |- | ||
| + | | <code>X509_KEY_USAGE_NON_REPUDIATION = (1 shl 1);</code> | ||
| + | | nonRepudiation - The nonRepudiation bit is asserted when the subject public key is used to verify digital signatures, other than signatures on certificates. | ||
| + | |- | ||
| + | | <code>X509_KEY_USAGE_KEY_ENCIPHERMENT = (1 shl 2);</code> | ||
| + | | keyEncipherment - The keyEncipherment bit is asserted when the subject public key is used for enciphering private or secret keys, i.e., for key transport | ||
| + | |- | ||
| + | | <code>X509_KEY_USAGE_DATA_ENCIPHERMENT = (1 shl 3);</code> | ||
| + | | dataEncipherment - The dataEncipherment bit is asserted when the subject public key is used for directly enciphering raw user data without the use of an intermediate symmetric cipher. | ||
| + | |- | ||
| + | | <code>X509_KEY_USAGE_KEY_AGREEMENT = (1 shl 4);</code> | ||
| + | | keyAgreement - The keyAgreement bit is asserted when the subject public key is used for key agreement | ||
| + | |- | ||
| + | | <code>X509_KEY_USAGE_KEY_CERT_SIGN = (1 shl 5);</code> | ||
| + | | keyCertSign - The keyCertSign bit is asserted when the subject public key is used for verifying signatures on public key certificates | ||
| + | |- | ||
| + | | <code>X509_KEY_USAGE_CRL_SIGN = (1 shl 6);</code> | ||
| + | | cRLSign - The cRLSign bit is asserted when the subject public key is used for verifying signatures on certificate revocation lists | ||
| + | |- | ||
| + | | <code>X509_KEY_USAGE_ENCIPHER_ONLY = (1 shl 7);</code> | ||
| + | | encipherOnly - When the encipherOnly bit is asserted and the keyAgreement bit is also set, the subject public key may be used only for enciphering data while performing key agreement. | ||
| + | |- | ||
| + | | <code>X509_KEY_USAGE_DECIPHER_ONLY = (1 shl 8);</code> | ||
| + | | decipherOnly - When the decipherOnly bit is asserted and the keyAgreement bit is also set, the subject public key may be used only for deciphering data while performing key agreement. | ||
| + | |- | ||
| + | |} | ||
| + | </div></div> | ||
| + | <br /> | ||
| + | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial; padding-top: 20px; padding-bottom: 15px;"> | ||
| + | <div style="font-size: 14px; padding-left: 12px;">'''X509 certificate extended key usage''' <code> X509_EXT_KEY_USAGE_* </code></div> | ||
| + | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
| + | {| class="wikitable" style="font-size: 14px; background: white;" | ||
| + | |- | ||
| + | | <code>X509_EXT_KEY_USAGE_ANY = (1 shl 0);</code> | ||
| + | | style="width: 50%;"| | ||
| + | |- | ||
| + | | <code>X509_EXT_KEY_USAGE_SERVER_AUTH = (1 shl 1);</code> | ||
| + | | | ||
| + | |- | ||
| + | | <code>X509_EXT_KEY_USAGE_CLIENT_AUTH = (1 shl 2);</code> | ||
| + | | | ||
| + | |- | ||
| + | | <code>X509_EXT_KEY_USAGE_OCSP = (1 shl 3);</code> | ||
| + | | | ||
| + | |- | ||
| + | |} | ||
| + | </div></div> | ||
| + | <br /> | ||
| + | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial; padding-top: 20px; padding-bottom: 15px;"> | ||
| + | <div style="font-size: 14px; padding-left: 12px;">'''X509 certificate file types''' <code> NAME_* </code></div> | ||
| + | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
| + | {| class="wikitable" style="font-size: 14px; background: white;" | ||
| + | |- | ||
| + | | <code>X509_FILETYPE_PEM = 1;</code> | ||
| + | | style="width: 50%;"| | ||
| + | |- | ||
| + | | <code>X509_FILETYPE_ASN1 = 2;</code> | ||
| + | | | ||
| + | |- | ||
| + | |} | ||
| + | </div></div> | ||
| + | <br /> | ||
=== Type definitions === | === Type definitions === | ||
---- | ---- | ||
| − | '' | + | |
| + | '''X509 serial number''' | ||
| + | |||
| + | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;"> | ||
| + | <code>PX509SerialNumber = ^TX509SerialNumber;</code> | ||
| + | |||
| + | <code>TX509SerialNumber = record</code> | ||
| + | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
| + | {| class="wikitable" style="font-size: 14px; background: white;" | ||
| + | |- | ||
| + | | <code>Value:array[0..X509_MAX_SERIAL_NUM_LEN - 1] of Byte;</code> | ||
| + | | style="width: 50%;"| | ||
| + | |- | ||
| + | | <code>Length:Integer;</code> | ||
| + | | | ||
| + | |- | ||
| + | |colspan="2"| | ||
| + | |- | ||
| + | | <code>function ToString:String;</code> | ||
| + | | | ||
| + | |- | ||
| + | |} | ||
| + | </div></div> | ||
| + | |||
| + | '''X509 name attribute''' | ||
| + | |||
| + | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;"> | ||
| + | <code>PX509NameAttribute = ^TX509NameAttribute;</code> | ||
| + | |||
| + | <code>TX509NameAttribute = record</code> | ||
| + | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
| + | {| class="wikitable" style="font-size: 14px; background: white;" | ||
| + | |- | ||
| + | | <code>Value:String;</code> | ||
| + | | style="width: 50%;"| | ||
| + | |- | ||
| + | | <code>_Type:LongWord;</code> | ||
| + | | | ||
| + | |- | ||
| + | |colspan="2"| | ||
| + | |- | ||
| + | | <code>function ToString:String;</code> | ||
| + | | | ||
| + | |- | ||
| + | |} | ||
| + | </div></div> | ||
| + | |||
| + | '''X509 name attributes''' | ||
| + | |||
| + | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;"> | ||
| + | <code>PX509NameAttributes = ^TX509NameAttributes;</code> | ||
| + | |||
| + | <code>TX509NameAttributes = array[0..X509_MAX_NAME_ATTRIBUTES - 1] of TX509NameAttribute;</code> | ||
| + | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
| + | {| class="wikitable" style="font-size: 14px; background: white;" | ||
| + | |- | ||
| + | | | ||
| + | | style="width: 50%;"| | ||
| + | |- | ||
| + | |} | ||
| + | </div></div> | ||
| + | |||
| + | '''X509 algorithm identifier''' | ||
| + | |||
| + | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;"> | ||
| + | <code>PX509AlgorithmIdentifier = ^TX509AlgorithmIdentifier;</code> | ||
| + | |||
| + | <code>TX509AlgorithmIdentifier = record</code> | ||
| + | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
| + | {| class="wikitable" style="font-size: 14px; background: white;" | ||
| + | |- | ||
| + | | <code>OID:TASN1OID;</code> | ||
| + | | style="width: 50%;"| | ||
| + | |- | ||
| + | |colspan="2"| | ||
| + | |- | ||
| + | | <code>function ToString:String;</code> | ||
| + | | | ||
| + | |- | ||
| + | |} | ||
| + | </div></div> | ||
| + | |||
| + | '''X509 public key''' | ||
| + | |||
| + | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;"> | ||
| + | <code>PX509PublicKey = ^TX509PublicKey;</code> | ||
| + | |||
| + | <code>TX509PublicKey = record</code> | ||
| + | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
| + | {| class="wikitable" style="font-size: 14px; background: white;" | ||
| + | |- | ||
| + | | <code>Algorithm:TX509AlgorithmIdentifier;</code> | ||
| + | | style="width: 50%;"| | ||
| + | |- | ||
| + | | <code>Key:PByte;</code> | ||
| + | | | ||
| + | |- | ||
| + | | <code>Length:Integer;</code> | ||
| + | | | ||
| + | |- | ||
| + | |colspan="2"| | ||
| + | |- | ||
| + | | <code>procedure Release;</code> | ||
| + | | | ||
| + | |- | ||
| + | |colspan="2"| | ||
| + | |- | ||
| + | | <code>function ToString:String;</code> | ||
| + | | | ||
| + | |- | ||
| + | |} | ||
| + | </div></div> | ||
| + | |||
| + | '''X509 private key''' | ||
| + | |||
| + | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;"> | ||
| + | <code>PX509PrivateKey = ^TX509PrivateKey;</code> | ||
| + | |||
| + | <code>TX509PrivateKey = record</code> | ||
| + | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
| + | {| class="wikitable" style="font-size: 14px; background: white;" | ||
| + | |- | ||
| + | |colspan="2"|Note: RFC3447 - Appendix A.1.2 - RSA private key syntax | ||
| + | |- | ||
| + | |colspan="2"| | ||
| + | |- | ||
| + | | <code>Algorithm:TX509AlgorithmIdentifier;</code> | ||
| + | | style="width: 50%;"| | ||
| + | |- | ||
| + | | <code>Key:PByte;</code> | ||
| + | | | ||
| + | |- | ||
| + | | <code>Length:Integer;</code> | ||
| + | | | ||
| + | |- | ||
| + | |colspan="2"| | ||
| + | |- | ||
| + | | <code>procedure Release;</code> | ||
| + | | | ||
| + | |- | ||
| + | |colspan="2"| | ||
| + | |- | ||
| + | | <code>function ToString:String;</code> | ||
| + | | | ||
| + | |- | ||
| + | |} | ||
| + | </div></div> | ||
| + | |||
| + | '''X509 signature''' | ||
| + | |||
| + | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;"> | ||
| + | <code>PX509Signature = ^TX509Signature;</code> | ||
| + | |||
| + | <code>TX509Signature = record</code> | ||
| + | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
| + | {| class="wikitable" style="font-size: 14px; background: white;" | ||
| + | |- | ||
| + | | <code>Algorithm:TX509AlgorithmIdentifier;</code> | ||
| + | | style="width: 50%;"| | ||
| + | |- | ||
| + | | <code>Value:PByte;</code> | ||
| + | | | ||
| + | |- | ||
| + | | <code>Length:Integer;</code> | ||
| + | | | ||
| + | |- | ||
| + | |colspan="2"| | ||
| + | |- | ||
| + | | <code>procedure Release;</code> | ||
| + | | | ||
| + | |- | ||
| + | |} | ||
| + | </div></div> | ||
| + | |||
| + | '''X509 RSA public key''' | ||
| + | |||
| + | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;"> | ||
| + | <code>PX509RSAPublicKey = ^TX509RSAPublicKey;</code> | ||
| + | |||
| + | <code>TX509RSAPublicKey = record</code> | ||
| + | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
| + | {| class="wikitable" style="font-size: 14px; background: white;" | ||
| + | |- | ||
| + | | <code>Modulus:PByte;</code> | ||
| + | | M | ||
| + | |- | ||
| + | | <code>PublicExponent:PByte;</code> | ||
| + | | E | ||
| + | |- | ||
| + | |colspan="2"| | ||
| + | |- | ||
| + | | <code>ModulusLen:Integer;</code> | ||
| + | | | ||
| + | |- | ||
| + | | <code>PublicExponentLen:Integer;</code> | ||
| + | | | ||
| + | |- | ||
| + | |colspan="2"| | ||
| + | |- | ||
| + | | <code>function ImportDER(ABuffer:Pointer; ASize:Integer):Boolean;</code> | ||
| + | | | ||
| + | |- | ||
| + | | <code>procedure Release;</code> | ||
| + | | | ||
| + | |- | ||
| + | |} | ||
| + | </div></div> | ||
| + | |||
| + | '''X509 RSA private key''' | ||
| + | |||
| + | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;"> | ||
| + | <code>PX509RSAPrivateKey = ^TX509RSAPrivateKey;</code> | ||
| + | |||
| + | <code>TX509RSAPrivateKey = record</code> | ||
| + | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
| + | {| class="wikitable" style="font-size: 14px; background: white;" | ||
| + | |- | ||
| + | | <code>Version:Integer;</code> | ||
| + | | | ||
| + | |- | ||
| + | | <code>Modulus:PByte;</code> | ||
| + | | M | ||
| + | |- | ||
| + | | <code>PublicExponent:PByte;</code> | ||
| + | | E | ||
| + | |- | ||
| + | | <code>PrivateExponent:PByte;</code> | ||
| + | | D | ||
| + | |- | ||
| + | | <code>Prime1:PByte;</code> | ||
| + | | P | ||
| + | |- | ||
| + | | <code>Prime2:PByte;</code> | ||
| + | | Q | ||
| + | |- | ||
| + | | <code>Exponent1:PByte;</code> | ||
| + | | D mod (P - 1) | ||
| + | |- | ||
| + | | <code>Exponent2:PByte;</code> | ||
| + | | D mod (Q - 1) | ||
| + | |- | ||
| + | | <code>Coefficient:PByte;</code> | ||
| + | | (Inverse of Q) mod P | ||
| + | |- | ||
| + | |colspan="2"| | ||
| + | |- | ||
| + | | <code>ModulusLen:Integer;</code> | ||
| + | | | ||
| + | |- | ||
| + | | <code>PublicExponentLen:Integer;</code> | ||
| + | | | ||
| + | |- | ||
| + | | <code>PrivateExponentLen:Integer;</code> | ||
| + | | | ||
| + | |- | ||
| + | | <code>Prime1Len:Integer;</code> | ||
| + | | | ||
| + | |- | ||
| + | | <code>Prime2Len:Integer;</code> | ||
| + | | | ||
| + | |- | ||
| + | | <code>Exponent1Len:Integer;</code> | ||
| + | | | ||
| + | |- | ||
| + | | <code>Exponent2Len:Integer;</code> | ||
| + | | | ||
| + | |- | ||
| + | | <code>CoefficientLen:Integer;</code> | ||
| + | | | ||
| + | |- | ||
| + | |colspan="2"| | ||
| + | |- | ||
| + | | <code>function ImportDER(ABuffer:Pointer; ASize:Integer):Boolean;</code> | ||
| + | | | ||
| + | |- | ||
| + | | <code>procedure Release;</code> | ||
| + | | | ||
| + | |- | ||
| + | |} | ||
| + | </div></div> | ||
| + | |||
| + | '''X509 ECDSA public key''' | ||
| + | |||
| + | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;"> | ||
| + | <code>PX509ECDSAPublicKey = ^TX509ECDSAPublicKey;</code> | ||
| + | |||
| + | <code>TX509ECDSAPublicKey = record</code> | ||
| + | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
| + | {| class="wikitable" style="font-size: 14px; background: white;" | ||
| + | |- | ||
| + | | <code>function ImportDER(ABuffer:Pointer; ASize:Integer):Boolean;</code> | ||
| + | | style="width: 50%;"| | ||
| + | |- | ||
| + | | <code>procedure Release;</code> | ||
| + | | | ||
| + | |- | ||
| + | |} | ||
| + | </div></div> | ||
| + | |||
| + | '''X509 ECDSA private key''' | ||
| + | |||
| + | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;"> | ||
| + | <code>PX509ECDSAPrivateKey = ^TX509ECDSAPrivateKey;</code> | ||
| + | |||
| + | <code>TX509ECDSAPrivateKey = record</code> | ||
| + | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
| + | {| class="wikitable" style="font-size: 14px; background: white;" | ||
| + | |- | ||
| + | | <code>function ImportDER(ABuffer:Pointer; ASize:Integer):Boolean;</code> | ||
| + | | style="width: 50%;"| | ||
| + | |- | ||
| + | | <code>procedure Release;</code> | ||
| + | | | ||
| + | |- | ||
| + | |} | ||
| + | </div></div> | ||
| + | <br /> | ||
| + | |||
| + | === Class definitions === | ||
| + | ---- | ||
| + | |||
| + | |||
| + | '''X509 specific classes''' | ||
| + | |||
| + | {| class="wikitable" style="font-size: 14px; text-align: left; width: 100%; height: 50px;" | ||
| + | |- | ||
| + | | [[TX509Name|<code>TX509Name = class(TObject)</code>]] | ||
| + | |- | ||
| + | |} | ||
| + | {| class="wikitable" style="font-size: 14px; text-align: left; width: 100%; height: 50px;" | ||
| + | |- | ||
| + | | [[TX509CertificateList|<code>TX509CertificateList = class(TObject)</code>]] | ||
| + | |- | ||
| + | |} | ||
| + | {| class="wikitable" style="font-size: 14px; text-align: left; width: 100%; height: 50px;" | ||
| + | |- | ||
| + | | [[TX509CertificateChain|<code>TX509CertificateChain = class(TObject)</code>]] | ||
| + | |- | ||
| + | |} | ||
| + | {| class="wikitable" style="font-size: 14px; text-align: left; width: 100%; height: 50px;" | ||
| + | |- | ||
| + | | [[TX509Certificate|<code>TX509Certificate = class(TObject)</code>]] | ||
| + | |- | ||
| + | |} | ||
| + | <br /> | ||
=== Public variables === | === Public variables === | ||
---- | ---- | ||
| − | '' | + | ''None defined'' |
=== Function declarations === | === Function declarations === | ||
---- | ---- | ||
| − | |||
| + | '''X509 helper functions''' | ||
| + | |||
| + | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial; padding-top: 0px; padding-bottom: 15px;"> | ||
| + | <pre style="border: 0; padding-bottom:0px;">function X509NameAttributeTypeToString(AType:LongWord):String;</pre> | ||
| + | <div style="font-size: 14px; padding-left: 12px;">'''Description:''' To be documented</div> | ||
| + | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
| + | {| class="wikitable" style="font-size: 14px; background: white;" | ||
| + | |- | ||
| + | ! Note | ||
| + | | None documented | ||
| + | |- | ||
| + | |} | ||
| + | </div></div> | ||
| + | <br /> | ||
Return to [[Unit_Reference|Unit Reference]] | Return to [[Unit_Reference|Unit Reference]] | ||
Latest revision as of 04:48, 31 August 2021
Return to Unit Reference
Contents
Description
Ultibo X.509 Interface unit
X.509 is a standard that defines the format of public key certificates. An X.509 certificate contains a public key and an identity (a hostname, or an organization, or an individual), and is either signed by a certificate authority or self-signed. When a certificate is signed by a trusted certificate authority, or validated by other means, someone holding that certificate can rely on the public key it contains to establish secure communications with another party, or validate documents digitally signed by the corresponding private key.
This unit currently only provides the basic functionality required to read and parse an X.509 certificate in DER or PEM format and extract basic information such as the issuer, subject, validity, algorithm and public key.
It is expected that this unit will be expanded to incorporate additional functions over time.
Constants
X509 specific constants
X509_* X509_MAX_NAME_ATTRIBUTES = 20;
|
|
X509_MAX_SERIAL_NUM_LEN = 20;
|
X509 name attribute
X509_NAME_ATTR_* X509_NAME_ATTR_NONE = 0;
|
|
X509_NAME_ATTR_DC = 1;
|
|
X509_NAME_ATTR_CN = 2;
|
|
X509_NAME_ATTR_C = 3;
|
|
X509_NAME_ATTR_L = 4;
|
|
X509_NAME_ATTR_ST = 5;
|
|
X509_NAME_ATTR_O = 6;
|
|
X509_NAME_ATTR_OU = 7;
|
X509 validate
X509_VALIDATE_* X509_VALIDATE_OK = 0;
|
|
X509_VALIDATE_BAD_CERTIFICATE = 1;
|
|
X509_VALIDATE_UNSUPPORTED_CERTIFICATE = 2;
|
|
X509_VALIDATE_CERTIFICATE_REVOKED = 3;
|
|
X509_VALIDATE_CERTIFICATE_EXPIRED = 4;
|
|
X509_VALIDATE_CERTIFICATE_UNKNOWN = 5;
|
|
X509_VALIDATE_UNKNOWN_CA = 6;
|
X509 certificate version
X509_CERT_V* X509_CERT_V1 = 0;
|
|
X509_CERT_V2 = 1;
|
|
X509_CERT_V3 = 2;
|
X509 certificate extension
X509_EXT_* X509_EXT_BASIC_CONSTRAINTS = (1 shl 0);
|
|
X509_EXT_PATH_LEN_CONSTRAINT = (1 shl 1);
|
|
X509_EXT_KEY_USAGE = (1 shl 2);
|
|
X509_EXT_SUBJECT_ALT_NAME = (1 shl 3);
|
|
X509_EXT_ISSUER_ALT_NAME = (1 shl 4);
|
|
X509_EXT_EXT_KEY_USAGE = (1 shl 5);
|
X509 certificate key usage
X509_KEY_USAGE_* | Note: RFC5280 Section 4.2.1.3. - Key Usage | |
X509_KEY_USAGE_DIGITAL_SIGNATURE = (1 shl 0);
|
digitalSignature - The digitalSignature bit is asserted when the subject public key is used for verifying digital signatures, other than signatures on certificates. |
X509_KEY_USAGE_NON_REPUDIATION = (1 shl 1);
|
nonRepudiation - The nonRepudiation bit is asserted when the subject public key is used to verify digital signatures, other than signatures on certificates. |
X509_KEY_USAGE_KEY_ENCIPHERMENT = (1 shl 2);
|
keyEncipherment - The keyEncipherment bit is asserted when the subject public key is used for enciphering private or secret keys, i.e., for key transport |
X509_KEY_USAGE_DATA_ENCIPHERMENT = (1 shl 3);
|
dataEncipherment - The dataEncipherment bit is asserted when the subject public key is used for directly enciphering raw user data without the use of an intermediate symmetric cipher. |
X509_KEY_USAGE_KEY_AGREEMENT = (1 shl 4);
|
keyAgreement - The keyAgreement bit is asserted when the subject public key is used for key agreement |
X509_KEY_USAGE_KEY_CERT_SIGN = (1 shl 5);
|
keyCertSign - The keyCertSign bit is asserted when the subject public key is used for verifying signatures on public key certificates |
X509_KEY_USAGE_CRL_SIGN = (1 shl 6);
|
cRLSign - The cRLSign bit is asserted when the subject public key is used for verifying signatures on certificate revocation lists |
X509_KEY_USAGE_ENCIPHER_ONLY = (1 shl 7);
|
encipherOnly - When the encipherOnly bit is asserted and the keyAgreement bit is also set, the subject public key may be used only for enciphering data while performing key agreement. |
X509_KEY_USAGE_DECIPHER_ONLY = (1 shl 8);
|
decipherOnly - When the decipherOnly bit is asserted and the keyAgreement bit is also set, the subject public key may be used only for deciphering data while performing key agreement. |
X509 certificate extended key usage
X509_EXT_KEY_USAGE_* X509_EXT_KEY_USAGE_ANY = (1 shl 0);
|
|
X509_EXT_KEY_USAGE_SERVER_AUTH = (1 shl 1);
|
|
X509_EXT_KEY_USAGE_CLIENT_AUTH = (1 shl 2);
|
|
X509_EXT_KEY_USAGE_OCSP = (1 shl 3);
|
X509 certificate file types
NAME_* X509_FILETYPE_PEM = 1;
|
|
X509_FILETYPE_ASN1 = 2;
|
Type definitions
X509 serial number
PX509SerialNumber = ^TX509SerialNumber;
TX509SerialNumber = record
Value:array[0..X509_MAX_SERIAL_NUM_LEN - 1] of Byte;
|
|
Length:Integer;
|
|
function ToString:String;
|
|
X509 name attribute
PX509NameAttribute = ^TX509NameAttribute;
TX509NameAttribute = record
Value:String;
|
|
_Type:LongWord;
|
|
function ToString:String;
|
|
X509 name attributes
PX509NameAttributes = ^TX509NameAttributes;
TX509NameAttributes = array[0..X509_MAX_NAME_ATTRIBUTES - 1] of TX509NameAttribute;
X509 algorithm identifier
PX509AlgorithmIdentifier = ^TX509AlgorithmIdentifier;
TX509AlgorithmIdentifier = record
OID:TASN1OID;
|
|
function ToString:String;
|
|
X509 public key
PX509PublicKey = ^TX509PublicKey;
TX509PublicKey = record
Algorithm:TX509AlgorithmIdentifier;
|
|
Key:PByte;
|
|
Length:Integer;
|
|
procedure Release;
|
|
function ToString:String;
|
|
X509 private key
PX509PrivateKey = ^TX509PrivateKey;
TX509PrivateKey = record
| Note: RFC3447 - Appendix A.1.2 - RSA private key syntax | |
Algorithm:TX509AlgorithmIdentifier;
|
|
Key:PByte;
|
|
Length:Integer;
|
|
procedure Release;
|
|
function ToString:String;
|
|
X509 signature
PX509Signature = ^TX509Signature;
TX509Signature = record
Algorithm:TX509AlgorithmIdentifier;
|
|
Value:PByte;
|
|
Length:Integer;
|
|
procedure Release;
|
|
X509 RSA public key
PX509RSAPublicKey = ^TX509RSAPublicKey;
TX509RSAPublicKey = record
Modulus:PByte;
|
M |
PublicExponent:PByte;
|
E |
ModulusLen:Integer;
|
|
PublicExponentLen:Integer;
|
|
function ImportDER(ABuffer:Pointer; ASize:Integer):Boolean;
|
|
procedure Release;
|
|
X509 RSA private key
PX509RSAPrivateKey = ^TX509RSAPrivateKey;
TX509RSAPrivateKey = record
Version:Integer;
|
|
Modulus:PByte;
|
M |
PublicExponent:PByte;
|
E |
PrivateExponent:PByte;
|
D |
Prime1:PByte;
|
P |
Prime2:PByte;
|
Q |
Exponent1:PByte;
|
D mod (P - 1) |
Exponent2:PByte;
|
D mod (Q - 1) |
Coefficient:PByte;
|
(Inverse of Q) mod P |
ModulusLen:Integer;
|
|
PublicExponentLen:Integer;
|
|
PrivateExponentLen:Integer;
|
|
Prime1Len:Integer;
|
|
Prime2Len:Integer;
|
|
Exponent1Len:Integer;
|
|
Exponent2Len:Integer;
|
|
CoefficientLen:Integer;
|
|
function ImportDER(ABuffer:Pointer; ASize:Integer):Boolean;
|
|
procedure Release;
|
|
X509 ECDSA public key
PX509ECDSAPublicKey = ^TX509ECDSAPublicKey;
TX509ECDSAPublicKey = record
function ImportDER(ABuffer:Pointer; ASize:Integer):Boolean;
|
|
procedure Release;
|
X509 ECDSA private key
PX509ECDSAPrivateKey = ^TX509ECDSAPrivateKey;
TX509ECDSAPrivateKey = record
function ImportDER(ABuffer:Pointer; ASize:Integer):Boolean;
|
|
procedure Release;
|
Class definitions
X509 specific classes
TX509Name = class(TObject)
|
TX509CertificateList = class(TObject)
|
TX509CertificateChain = class(TObject)
|
TX509Certificate = class(TObject)
|
Public variables
None defined
Function declarations
X509 helper functions
function X509NameAttributeTypeToString(AType:LongWord):String;
Description: To be documented
| Note | None documented |
|---|
Return to Unit Reference
