Unit X.509

From Ultibo.org
Revision as of 04:48, 31 August 2021 by Ultibo (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Return to Unit Reference


Description


Ultibo X.509 Interface unit

X.509 is a standard that defines the format of public key certificates. An X.509 certificate contains a public key and an identity (a hostname, or an organization, or an individual), and is either signed by a certificate authority or self-signed. When a certificate is signed by a trusted certificate authority, or validated by other means, someone holding that certificate can rely on the public key it contains to establish secure communications with another party, or validate documents digitally signed by the corresponding private key.

This unit currently only provides the basic functionality required to read and parse an X.509 certificate in DER or PEM format and extract basic information such as the issuer, subject, validity, algorithm and public key.

It is expected that this unit will be expanded to incorporate additional functions over time.

Constants



X509 specific constants X509_*
X509_MAX_NAME_ATTRIBUTES = 20;  
X509_MAX_SERIAL_NUM_LEN = 20;  


X509 name attribute X509_NAME_ATTR_*
X509_NAME_ATTR_NONE = 0;  
X509_NAME_ATTR_DC = 1;  
X509_NAME_ATTR_CN = 2;  
X509_NAME_ATTR_C = 3;  
X509_NAME_ATTR_L = 4;  
X509_NAME_ATTR_ST = 5;  
X509_NAME_ATTR_O = 6;  
X509_NAME_ATTR_OU = 7;  


X509 validate X509_VALIDATE_*
X509_VALIDATE_OK = 0;  
X509_VALIDATE_BAD_CERTIFICATE = 1;  
X509_VALIDATE_UNSUPPORTED_CERTIFICATE = 2;  
X509_VALIDATE_CERTIFICATE_REVOKED = 3;  
X509_VALIDATE_CERTIFICATE_EXPIRED = 4;  
X509_VALIDATE_CERTIFICATE_UNKNOWN = 5;  
X509_VALIDATE_UNKNOWN_CA = 6;  


X509 certificate version X509_CERT_V*
X509_CERT_V1 = 0;  
X509_CERT_V2 = 1;  
X509_CERT_V3 = 2;  


X509 certificate extension X509_EXT_*
X509_EXT_BASIC_CONSTRAINTS = (1 shl 0);  
X509_EXT_PATH_LEN_CONSTRAINT = (1 shl 1);  
X509_EXT_KEY_USAGE = (1 shl 2);  
X509_EXT_SUBJECT_ALT_NAME = (1 shl 3);  
X509_EXT_ISSUER_ALT_NAME = (1 shl 4);  
X509_EXT_EXT_KEY_USAGE = (1 shl 5);  


X509 certificate key usage X509_KEY_USAGE_*
Note: RFC5280 Section 4.2.1.3. - Key Usage
X509_KEY_USAGE_DIGITAL_SIGNATURE = (1 shl 0); digitalSignature - The digitalSignature bit is asserted when the subject public key is used for verifying digital signatures, other than signatures on certificates.
X509_KEY_USAGE_NON_REPUDIATION = (1 shl 1); nonRepudiation - The nonRepudiation bit is asserted when the subject public key is used to verify digital signatures, other than signatures on certificates.
X509_KEY_USAGE_KEY_ENCIPHERMENT = (1 shl 2); keyEncipherment - The keyEncipherment bit is asserted when the subject public key is used for enciphering private or secret keys, i.e., for key transport
X509_KEY_USAGE_DATA_ENCIPHERMENT = (1 shl 3); dataEncipherment - The dataEncipherment bit is asserted when the subject public key is used for directly enciphering raw user data without the use of an intermediate symmetric cipher.
X509_KEY_USAGE_KEY_AGREEMENT = (1 shl 4); keyAgreement - The keyAgreement bit is asserted when the subject public key is used for key agreement
X509_KEY_USAGE_KEY_CERT_SIGN = (1 shl 5); keyCertSign - The keyCertSign bit is asserted when the subject public key is used for verifying signatures on public key certificates
X509_KEY_USAGE_CRL_SIGN = (1 shl 6); cRLSign - The cRLSign bit is asserted when the subject public key is used for verifying signatures on certificate revocation lists
X509_KEY_USAGE_ENCIPHER_ONLY = (1 shl 7); encipherOnly - When the encipherOnly bit is asserted and the keyAgreement bit is also set, the subject public key may be used only for enciphering data while performing key agreement.
X509_KEY_USAGE_DECIPHER_ONLY = (1 shl 8); decipherOnly - When the decipherOnly bit is asserted and the keyAgreement bit is also set, the subject public key may be used only for deciphering data while performing key agreement.


X509 certificate extended key usage X509_EXT_KEY_USAGE_*
X509_EXT_KEY_USAGE_ANY = (1 shl 0);  
X509_EXT_KEY_USAGE_SERVER_AUTH = (1 shl 1);  
X509_EXT_KEY_USAGE_CLIENT_AUTH = (1 shl 2);  
X509_EXT_KEY_USAGE_OCSP = (1 shl 3);  


X509 certificate file types NAME_*
X509_FILETYPE_PEM = 1;  
X509_FILETYPE_ASN1 = 2;  


Type definitions



X509 serial number

PX509SerialNumber = ^TX509SerialNumber;

TX509SerialNumber = record

Value:array[0..X509_MAX_SERIAL_NUM_LEN - 1] of Byte;  
Length:Integer;  
 
function ToString:String;  

X509 name attribute

PX509NameAttribute = ^TX509NameAttribute;

TX509NameAttribute = record

Value:String;  
_Type:LongWord;  
 
function ToString:String;  

X509 name attributes

PX509NameAttributes = ^TX509NameAttributes;

TX509NameAttributes = array[0..X509_MAX_NAME_ATTRIBUTES - 1] of TX509NameAttribute;

   

X509 algorithm identifier

PX509AlgorithmIdentifier = ^TX509AlgorithmIdentifier;

TX509AlgorithmIdentifier = record

OID:TASN1OID;  
 
function ToString:String;  

X509 public key

PX509PublicKey = ^TX509PublicKey;

TX509PublicKey = record

Algorithm:TX509AlgorithmIdentifier;  
Key:PByte;  
Length:Integer;  
 
procedure Release;  
 
function ToString:String;  

X509 private key

PX509PrivateKey = ^TX509PrivateKey;

TX509PrivateKey = record

Note: RFC3447 - Appendix A.1.2 - RSA private key syntax
 
Algorithm:TX509AlgorithmIdentifier;  
Key:PByte;  
Length:Integer;  
 
procedure Release;  
 
function ToString:String;  

X509 signature

PX509Signature = ^TX509Signature;

TX509Signature = record

Algorithm:TX509AlgorithmIdentifier;  
Value:PByte;  
Length:Integer;  
 
procedure Release;  

X509 RSA public key

PX509RSAPublicKey = ^TX509RSAPublicKey;

TX509RSAPublicKey = record

Modulus:PByte; M
PublicExponent:PByte; E
 
ModulusLen:Integer;  
PublicExponentLen:Integer;  
 
function ImportDER(ABuffer:Pointer; ASize:Integer):Boolean;  
procedure Release;  

X509 RSA private key

PX509RSAPrivateKey = ^TX509RSAPrivateKey;

TX509RSAPrivateKey = record

Version:Integer;  
Modulus:PByte; M
PublicExponent:PByte; E
PrivateExponent:PByte; D
Prime1:PByte; P
Prime2:PByte; Q
Exponent1:PByte; D mod (P - 1)
Exponent2:PByte; D mod (Q - 1)
Coefficient:PByte; (Inverse of Q) mod P
 
ModulusLen:Integer;  
PublicExponentLen:Integer;  
PrivateExponentLen:Integer;  
Prime1Len:Integer;  
Prime2Len:Integer;  
Exponent1Len:Integer;  
Exponent2Len:Integer;  
CoefficientLen:Integer;  
 
function ImportDER(ABuffer:Pointer; ASize:Integer):Boolean;  
procedure Release;  

X509 ECDSA public key

PX509ECDSAPublicKey = ^TX509ECDSAPublicKey;

TX509ECDSAPublicKey = record

function ImportDER(ABuffer:Pointer; ASize:Integer):Boolean;  
procedure Release;  

X509 ECDSA private key

PX509ECDSAPrivateKey = ^TX509ECDSAPrivateKey;

TX509ECDSAPrivateKey = record

function ImportDER(ABuffer:Pointer; ASize:Integer):Boolean;  
procedure Release;  


Class definitions



X509 specific classes

TX509Name = class(TObject)
TX509CertificateList = class(TObject)
TX509CertificateChain = class(TObject)
TX509Certificate = class(TObject)


Public variables


None defined

Function declarations



X509 helper functions

function X509NameAttributeTypeToString(AType:LongWord):String;
Description: To be documented
Note None documented


Return to Unit Reference