tlscert.h

Go to the documentation of this file.

/* 2020-2026 Quantum Resistant Cryptographic Solutions Corporation
 * All Rights Reserved.
 *
 * NOTICE:
 * This software and all accompanying materials are the exclusive property of
 * Quantum Resistant Cryptographic Solutions Corporation (QRCS). The intellectual
 * and technical concepts contained herein are proprietary to QRCS and are
 * protected under applicable Canadian, U.S., and international copyright,
 * patent, and trade secret laws.
 *
 * CRYPTOGRAPHIC ALGORITHMS AND IMPLEMENTATIONS:
 * - This software includes implementations of cryptographic primitives and
 *   algorithms that are standardized or in the public domain, such as AES
 *   and SHA-3, which are not proprietary to QRCS.
 * - This software also includes cryptographic primitives, constructions, and
 *   algorithms designed by QRCS, including but not limited to RCS, SCB, CSX, QMAC, and
 *   related components, which are proprietary to QRCS.
 * - All source code, implementations, protocol compositions, optimizations,
 *   parameter selections, and engineering work contained in this software are
 *   original works of QRCS and are protected under this license.
 *
 * LICENSE AND USE RESTRICTIONS:
 * - This software is licensed under the Quantum Resistant Cryptographic Solutions
 *   Public Research and Evaluation License (QRCS-PREL), 2025-2026.
 * - Permission is granted solely for non-commercial evaluation, academic research,
 *   cryptographic analysis, interoperability testing, and feasibility assessment.
 * - Commercial use, production deployment, commercial redistribution, or
 *   integration into products or services is strictly prohibited without a
 *   separate written license agreement executed with QRCS.
 * - Licensing and authorized distribution are solely at the discretion of QRCS.
 *
 * EXPERIMENTAL CRYPTOGRAPHY NOTICE:
 * Portions of this software may include experimental, novel, or evolving
 * cryptographic designs. Use of this software is entirely at the user's risk.
 *
 * DISCLAIMER:
 * THIS SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 * IMPLIED, INCLUDING BUT NOT LIMITED TO WARRANTIES OF MERCHANTABILITY, FITNESS
 * FOR A PARTICULAR PURPOSE, SECURITY, OR NON-INFRINGEMENT. QRCS DISCLAIMS ALL
 * LIABILITY FOR ANY DIRECT, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL DAMAGES
 * ARISING FROM THE USE OR MISUSE OF THIS SOFTWARE.
 *
 * FULL LICENSE:
 * This software is subject to the Quantum Resistant Cryptographic Solutions
 * Public Research and Evaluation License (QRCS-PREL), 2025-2026. The complete license terms
 * are provided in the accompanying LICENSE file or at https://www.qrcscorp.ca.
 *
 * Written by: John G. Underhill
 * Contact: contact@qrcscorp.ca
 */
 
#ifndef QSC_TLS_CERT_H
#define QSC_TLS_CERT_H
 
#include "qsccommon.h"
#include "tlstypes.h"
#include "tlserrors.h"
#include "x509types.h"
#include "x509time.h"
#include "x509store.h"
#include "x509verify.h"
 
QSC_CPLUSPLUS_ENABLED_START


typedef struct qsc_tls_certificate_view
{
    const uint8_t* data;    
    size_t datalen;          
} qsc_tls_certificate_view;

typedef struct qsc_tls_certificate_validation_context
{
    const char* hostname;           
    bool clientauth;              
    bool requirepeercertificate;  
} qsc_tls_certificate_validation_context;

typedef bool (*qsc_tls_certificate_chain_validate_callback)(const qsc_tls_certificate_view* chain, size_t chainlength, 
    const qsc_tls_certificate_validation_context* context, void* state);

#define QSC_TLS_CERTIFICATE_FINGERPRINT_SIZE 32U

typedef bool (*qsc_tls_certificate_verify_callback)(qsc_tls_signature_scheme scheme, const uint8_t* input, size_t inputlen, 
    const uint8_t* signature, size_t signaturelen, const qsc_tls_certificate_view* signer, void* state);

typedef bool (*qsc_tls_certificate_sign_callback)(qsc_tls_signature_scheme scheme, const uint8_t* input, size_t inputlen,
    uint8_t* signature, size_t* signaturelen, void* state);

typedef struct qsc_tls_certificate_interface
{
    qsc_tls_certificate_chain_validate_callback validatechain;      
    qsc_tls_certificate_verify_callback verifycertificateverify;  
    void* state;                                                   
} qsc_tls_certificate_interface;

typedef struct qsc_tls_peer_certificate_summary
{
    char subject[QSC_X509_NAME_ATTRIBUTE_STRING_MAX];        
    char issuer[QSC_X509_NAME_ATTRIBUTE_STRING_MAX];      
    char commonname[QSC_X509_NAME_ATTRIBUTE_STRING_MAX];  
    char dnsname[QSC_X509_NAME_ATTRIBUTE_STRING_MAX];        
    qsc_x509_verify_status verifystatus;                
    bool populated;                                    
    bool chainvalid;                                  
    bool hostnamechecked;                            
    bool hostnamevalid;                                
} qsc_tls_peer_certificate_summary;

typedef struct qsc_tls_client_authorization_info
{
    qsc_tls_peer_certificate_summary summary;                
    uint8_t certificatefingerprint[QSC_TLS_CERTIFICATE_FINGERPRINT_SIZE]; 
    size_t certificatefingerprintlen;                  
    qsc_x509_verify_status verifystatus;                
    bool chainvalid;                              
} qsc_tls_client_authorization_info;

typedef bool (*qsc_tls_client_authorization_callback)(const qsc_tls_client_authorization_info* info, void* state);

typedef struct qsc_tls_qsc_x509_context
{
    const qsc_x509_store* truststore;         
    const qsc_x509_certificate* intermediates; 
    size_t intermediatecount;                  
    const qsc_x509_time* validationtime;     
    uint8_t* verifybuffer;                      
    size_t verifybufferlen;                      
    qsc_tls_peer_certificate_summary peersummary;    
    bool rejectunsupportedcriticalextensions;    
    qsc_x509_verify_status lastverifystatus;    
    qsc_tls_alert_description lastalert;      
} qsc_tls_qsc_x509_context;

QSC_EXPORT_API qsc_tls_status qsc_tls_certificate_decode_message(const uint8_t* input, size_t inlen, const uint8_t** requestcontext, size_t* requestcontextlen,
    qsc_tls_certificate_view* chain, size_t chaincapacity, size_t* chainlength);

QSC_EXPORT_API qsc_tls_status qsc_tls_certificate_encode_message(const uint8_t* requestcontext, size_t requestcontextlen, const qsc_tls_certificate_view* chain,
    size_t chainlength, uint8_t* output, size_t outlen, size_t* offset);

QSC_EXPORT_API void qsc_tls_certificate_interface_initialize(qsc_tls_certificate_interface* iface, qsc_tls_certificate_chain_validate_callback validatechain, qsc_tls_certificate_verify_callback verifycertificateverify, void* state);

QSC_EXPORT_API bool qsc_tls_certificate_interface_is_valid(const qsc_tls_certificate_interface* iface);

QSC_EXPORT_API qsc_tls_status qsc_tls_x509_context_initialize(qsc_tls_qsc_x509_context* context, const qsc_x509_store* truststore,
    const qsc_x509_certificate* intermediates, size_t intermediatecount, const qsc_x509_time* validationtime,
    uint8_t* verifybuffer, size_t verifybufferlen);

QSC_EXPORT_API qsc_tls_alert_description qsc_tls_certificate_interface_get_last_alert(const qsc_tls_certificate_interface* iface, bool verifyphase);

QSC_EXPORT_API qsc_tls_status qsc_tls_certificate_interface_initialize_qsc_x509(qsc_tls_certificate_interface* iface, qsc_tls_qsc_x509_context* context);

QSC_EXPORT_API qsc_tls_status qsc_tls_certificate_request_decode(const uint8_t* input, size_t inlen, const uint8_t** requestcontext, size_t* requestcontextlen,
    const uint8_t** extensionsblock, size_t* extensionsblocklen);

QSC_EXPORT_API qsc_tls_status qsc_tls_certificate_request_encode(const uint8_t* requestcontext, size_t requestcontextlen, const uint8_t* extensionsblock,
    size_t extensionsblocklen, uint8_t* output, size_t outlen, size_t* offset);

QSC_EXPORT_API qsc_tls_alert_description qsc_tls_x509_alert_from_verify_status(qsc_x509_verify_status status);

QSC_EXPORT_API qsc_x509_signature_algorithm qsc_tls_x509_signature_algorithm_from_tls(qsc_tls_signature_scheme scheme);

QSC_EXPORT_API bool qsc_tls_x509_validate_chain(const qsc_tls_certificate_view* chain, size_t chainlength,
    const qsc_tls_certificate_validation_context* context, void* state);

QSC_EXPORT_API bool qsc_tls_x509_verify_certificate_verify(qsc_tls_signature_scheme scheme, const uint8_t* input,
    size_t inputlen, const uint8_t* signature, size_t signaturelen, const qsc_tls_certificate_view* signer, void* state);
 
QSC_CPLUSPLUS_ENABLED_END
 
#endif