Milestone 5: deliver embedded RDP sessions and lifecycle hardening

third_party/FreeRDP/include/freerdp/crypto/ber.h

@@ -0,0 +1,164 @@
+/**
+ * FreeRDP: A Remote Desktop Protocol Implementation
+ * ASN.1 Basic Encoding Rules (BER)
+ *
+ * Copyright 2011-2012 Marc-Andre Moreau <marcandre.moreau@gmail.com>
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef FREERDP_CRYPTO_BER_H
+#define FREERDP_CRYPTO_BER_H
+
+#include <freerdp/api.h>
+#include <freerdp/types.h>
+
+#include <winpr/stream.h>
+
+/* BER type */
+
+/* Class - bits 8 and 7 */
+#define BER_CLASS_MASK 0xC0
+#define BER_CLASS_UNIV 0x00 /* 0 0 */
+#define BER_CLASS_APPL 0x40 /* 0 1 */
+#define BER_CLASS_CTXT 0x80 /* 1 0 */
+#define BER_CLASS_PRIV 0xC0 /* 1 1 */
+
+/* P/C - bit 6 */
+#define BER_PC_MASK 0x20
+#define BER_PRIMITIVE 0x00 /* 0 */
+#define BER_CONSTRUCT 0x20 /* 1 */
+
+/* Tag - bits 5 to 1 */
+#define BER_TAG_MASK 0x1F
+#define BER_TAG_BOOLEAN 0x01
+#define BER_TAG_INTEGER 0x02
+#define BER_TAG_BIT_STRING 0x03
+#define BER_TAG_OCTET_STRING 0x04
+#define BER_TAG_OBJECT_IDENFIER 0x06
+#define BER_TAG_ENUMERATED 0x0A
+#define BER_TAG_SEQUENCE 0x10
+#define BER_TAG_SEQUENCE_OF 0x10
+
+#define BER_PC(_pc) (_pc ? BER_CONSTRUCT : BER_PRIMITIVE)
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+
+	WINPR_ATTR_NODISCARD
+	FREERDP_API BOOL ber_read_length(wStream* s, size_t* length);
+
+	FREERDP_API size_t ber_write_length(wStream* s, size_t length);
+
+	// NOLINTNEXTLINE(bugprone-reserved-identifier,cert-dcl37-c,cert-dcl51-cpp)
+
+	WINPR_ATTR_NODISCARD
+	FREERDP_API size_t _ber_sizeof_length(size_t length);
+
+	WINPR_ATTR_NODISCARD
+	FREERDP_API BOOL ber_read_universal_tag(wStream* s, BYTE tag, BOOL pc);
+
+	FREERDP_API size_t ber_write_universal_tag(wStream* s, BYTE tag, BOOL pc);
+
+	WINPR_ATTR_NODISCARD
+	FREERDP_API BOOL ber_read_application_tag(wStream* s, BYTE tag, size_t* length);
+
+	FREERDP_API void ber_write_application_tag(wStream* s, BYTE tag, size_t length);
+
+	WINPR_ATTR_NODISCARD
+	FREERDP_API BOOL ber_read_enumerated(wStream* s, BYTE* enumerated, BYTE count);
+
+	FREERDP_API void ber_write_enumerated(wStream* s, BYTE enumerated, BYTE count);
+
+	WINPR_ATTR_NODISCARD
+	FREERDP_API BOOL ber_read_contextual_tag(wStream* s, BYTE tag, size_t* length, BOOL pc);
+
+	FREERDP_API size_t ber_write_contextual_tag(wStream* s, BYTE tag, size_t length, BOOL pc);
+
+	WINPR_ATTR_NODISCARD
+	FREERDP_API size_t ber_sizeof_contextual_tag(size_t length);
+
+	WINPR_ATTR_NODISCARD
+	FREERDP_API BOOL ber_read_sequence_tag(wStream* s, size_t* length);
+
+	FREERDP_API size_t ber_write_sequence_tag(wStream* s, size_t length);
+
+	WINPR_ATTR_NODISCARD
+	FREERDP_API size_t ber_sizeof_sequence(size_t length);
+
+	WINPR_ATTR_NODISCARD
+	FREERDP_API size_t ber_sizeof_sequence_tag(size_t length);
+
+	WINPR_ATTR_NODISCARD
+	FREERDP_API BOOL ber_read_bit_string(wStream* s, size_t* length, BYTE* padding);
+
+	WINPR_ATTR_NODISCARD
+	FREERDP_API BOOL ber_read_octet_string_tag(wStream* s, size_t* length);
+
+	WINPR_ATTR_NODISCARD
+	FREERDP_API BOOL ber_read_octet_string(wStream* s, BYTE** content, size_t* length);
+
+	FREERDP_API size_t ber_write_octet_string_tag(wStream* s, size_t length);
+
+	WINPR_ATTR_NODISCARD
+	FREERDP_API size_t ber_sizeof_octet_string(size_t length);
+
+	WINPR_ATTR_NODISCARD
+	FREERDP_API size_t ber_sizeof_contextual_octet_string(size_t length);
+
+	FREERDP_API size_t ber_write_char_to_unicode_octet_string(wStream* s, const char* str);
+
+	FREERDP_API size_t ber_write_contextual_char_to_unicode_octet_string(wStream* s, BYTE tag,
+	                                                                     const char* oct_str);
+
+	FREERDP_API size_t ber_write_octet_string(wStream* s, const BYTE* oct_str, size_t length);
+
+	WINPR_ATTR_NODISCARD
+	FREERDP_API BOOL ber_read_char_from_unicode_octet_string(wStream* s, char** str);
+
+	WINPR_ATTR_NODISCARD
+	FREERDP_API BOOL ber_read_unicode_octet_string(wStream* s, LPWSTR* str);
+
+	FREERDP_API size_t ber_write_contextual_octet_string(wStream* s, BYTE tag, const BYTE* oct_str,
+	                                                     size_t length);
+
+	FREERDP_API size_t ber_write_contextual_unicode_octet_string(wStream* s, BYTE tag, LPWSTR str);
+
+	WINPR_ATTR_NODISCARD
+	FREERDP_API BOOL ber_read_BOOL(wStream* s, BOOL* value);
+
+	FREERDP_API void ber_write_BOOL(wStream* s, BOOL value);
+
+	WINPR_ATTR_NODISCARD
+	FREERDP_API BOOL ber_read_integer(wStream* s, UINT32* value);
+
+	FREERDP_API size_t ber_write_integer(wStream* s, UINT32 value);
+
+	FREERDP_API size_t ber_write_contextual_integer(wStream* s, BYTE tag, UINT32 value);
+
+	WINPR_ATTR_NODISCARD
+	FREERDP_API BOOL ber_read_integer_length(wStream* s, size_t* length);
+
+	WINPR_ATTR_NODISCARD
+	FREERDP_API size_t ber_sizeof_integer(UINT32 value);
+
+	WINPR_ATTR_NODISCARD
+	FREERDP_API size_t ber_sizeof_contextual_integer(UINT32 value);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* FREERDP_CRYPTO_BER_H */

third_party/FreeRDP/include/freerdp/crypto/certificate.h

@@ -0,0 +1,172 @@
+/**
+ * FreeRDP: A Remote Desktop Protocol Implementation
+ * Certificate Handling
+ *
+ * Copyright 2023 Armin Novak <anovak@thincast.com>
+ * Copyright 2023 Thincast Technologies GmbH
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef FREERDP_CRYPTO_CERTIFICATE_H
+#define FREERDP_CRYPTO_CERTIFICATE_H
+
+#include <winpr/crypto.h>
+
+#include <freerdp/api.h>
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+
+	enum FREERDP_CERT_PARAM
+	{
+		FREERDP_CERT_RSA_E,
+		FREERDP_CERT_RSA_N
+	};
+
+	typedef struct rdp_certificate rdpCertificate;
+
+	FREERDP_API void freerdp_certificate_free(rdpCertificate* certificate);
+
+	WINPR_ATTR_MALLOC(freerdp_certificate_free, 1)
+	WINPR_ATTR_NODISCARD
+	FREERDP_API rdpCertificate* freerdp_certificate_new(void);
+
+	WINPR_ATTR_MALLOC(freerdp_certificate_free, 1)
+	WINPR_ATTR_NODISCARD
+	FREERDP_API rdpCertificate* freerdp_certificate_new_from_file(const char* file);
+
+	WINPR_ATTR_MALLOC(freerdp_certificate_free, 1)
+	WINPR_ATTR_NODISCARD
+	FREERDP_API rdpCertificate* freerdp_certificate_new_from_pem(const char* pem);
+
+	WINPR_ATTR_MALLOC(freerdp_certificate_free, 1)
+	WINPR_ATTR_NODISCARD
+	FREERDP_API rdpCertificate* freerdp_certificate_new_from_der(const BYTE* data, size_t length);
+
+	WINPR_ATTR_NODISCARD
+	FREERDP_API BOOL freerdp_certificate_is_rsa(const rdpCertificate* certificate);
+
+	WINPR_ATTR_MALLOC(free, 1)
+	WINPR_ATTR_NODISCARD
+	FREERDP_API char* freerdp_certificate_get_hash(const rdpCertificate* certificate,
+	                                               const char* hash, size_t* plength);
+
+	WINPR_ATTR_MALLOC(free, 1)
+	WINPR_ATTR_NODISCARD
+	FREERDP_API char* freerdp_certificate_get_fingerprint_by_hash(const rdpCertificate* certificate,
+	                                                              const char* hash);
+
+	WINPR_ATTR_MALLOC(free, 1)
+	WINPR_ATTR_NODISCARD
+	FREERDP_API char*
+	freerdp_certificate_get_fingerprint_by_hash_ex(const rdpCertificate* certificate,
+	                                               const char* hash, BOOL separator);
+
+	WINPR_ATTR_MALLOC(free, 1)
+	WINPR_ATTR_NODISCARD
+	FREERDP_API char* freerdp_certificate_get_fingerprint(const rdpCertificate* certificate);
+
+	WINPR_ATTR_MALLOC(free, 1)
+	WINPR_ATTR_NODISCARD
+	FREERDP_API char* freerdp_certificate_get_pem(const rdpCertificate* certificate,
+	                                              size_t* pLength);
+
+	/**
+	 * @brief Get the certificate as PEM string
+	 * @param certificate A certificate instance to query
+	 * @param pLength A pointer to the size in bytes of the PEM string
+	 * @param withCertChain \b TRUE to export a full chain PEM, \b FALSE for only the last
+	 * certificate in the chain
+	 * @return A newly allocated string containing the requested PEM (free to deallocate) or nullptr
+	 * @since version 3.8.0
+	 */
+	WINPR_ATTR_MALLOC(free, 1)
+	WINPR_ATTR_NODISCARD
+	FREERDP_API char* freerdp_certificate_get_pem_ex(const rdpCertificate* certificate,
+	                                                 size_t* pLength, BOOL withCertChain);
+
+	WINPR_ATTR_MALLOC(free, 1)
+	WINPR_ATTR_NODISCARD
+	FREERDP_API BYTE* freerdp_certificate_get_der(const rdpCertificate* certificate,
+	                                              size_t* pLength);
+
+	WINPR_ATTR_MALLOC(free, 1)
+	WINPR_ATTR_NODISCARD
+	FREERDP_API char* freerdp_certificate_get_subject(const rdpCertificate* certificate);
+
+	WINPR_ATTR_MALLOC(free, 1)
+	WINPR_ATTR_NODISCARD
+	FREERDP_API char* freerdp_certificate_get_issuer(const rdpCertificate* certificate);
+
+	WINPR_ATTR_MALLOC(free, 1)
+	WINPR_ATTR_NODISCARD
+	FREERDP_API char* freerdp_certificate_get_upn(const rdpCertificate* certificate);
+
+	WINPR_ATTR_MALLOC(free, 1)
+	WINPR_ATTR_NODISCARD
+	FREERDP_API char* freerdp_certificate_get_email(const rdpCertificate* certificate);
+
+	/**
+	 * @brief return the date string of the certificate validity
+	 * @param certificate The certificate instance to query
+	 * @param startDate \b TRUE return the start date, \b FALSE for the end date
+	 * @return A newly allocated string containing the date, use \b free to deallocate
+	 * @since version 3.8.0
+	 */
+	WINPR_ATTR_MALLOC(free, 1)
+	WINPR_ATTR_NODISCARD
+	FREERDP_API char* freerdp_certificate_get_validity(const rdpCertificate* certificate,
+	                                                   BOOL startDate);
+
+	WINPR_ATTR_NODISCARD
+	FREERDP_API WINPR_MD_TYPE freerdp_certificate_get_signature_alg(const rdpCertificate* cert);
+
+	WINPR_ATTR_MALLOC(free, 1)
+	WINPR_ATTR_NODISCARD
+	FREERDP_API char* freerdp_certificate_get_common_name(const rdpCertificate* cert,
+	                                                      size_t* plength);
+
+	WINPR_ATTR_MALLOC(free, 1)
+	WINPR_ATTR_NODISCARD
+	FREERDP_API char** freerdp_certificate_get_dns_names(const rdpCertificate* cert, size_t* pcount,
+	                                                     size_t** pplengths);
+	FREERDP_API void freerdp_certificate_free_dns_names(size_t count, size_t* lengths,
+	                                                    char** names);
+
+	WINPR_ATTR_NODISCARD
+	FREERDP_API BOOL freerdp_certificate_check_eku(const rdpCertificate* certificate, int nid);
+
+	WINPR_ATTR_NODISCARD
+	FREERDP_API BOOL freerdp_certificate_get_public_key(const rdpCertificate* cert,
+	                                                    BYTE** PublicKey, DWORD* PublicKeyLength);
+
+	WINPR_ATTR_NODISCARD
+	FREERDP_API BOOL freerdp_certificate_verify(const rdpCertificate* cert,
+	                                            const char* certificate_store_path);
+
+	WINPR_ATTR_NODISCARD
+	FREERDP_API BOOL freerdp_certificate_is_rdp_security_compatible(const rdpCertificate* cert);
+
+	WINPR_ATTR_MALLOC(free, 1)
+	WINPR_ATTR_NODISCARD
+	FREERDP_API char* freerdp_certificate_get_param(const rdpCertificate* cert,
+	                                                enum FREERDP_CERT_PARAM what, size_t* psize);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* FREERDP_CRYPTO_CERTIFICATE_H */

third_party/FreeRDP/include/freerdp/crypto/certificate_data.h

@@ -0,0 +1,92 @@
+/**
+ * FreeRDP: A Remote Desktop Protocol Implementation
+ * Certificate Handling
+ *
+ * Copyright 2011-2012 Marc-Andre Moreau <marcandre.moreau@gmail.com>
+ * Copyright 2023 Armin Novak <anovak@thincast.com>
+ * Copyright 2023 Thincast Technologies GmbH
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef FREERDP_CRYPTO_CERTIFICATE_DATA_H
+#define FREERDP_CRYPTO_CERTIFICATE_DATA_H
+
+#include <freerdp/api.h>
+#include <freerdp/settings.h>
+#include <freerdp/crypto/certificate.h>
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+
+	typedef struct rdp_certificate_data rdpCertificateData;
+
+	WINPR_ATTR_MALLOC(free, 1)
+	WINPR_ATTR_NODISCARD
+	FREERDP_API char* freerdp_certificate_data_hash(const char* hostname, UINT16 port);
+
+	FREERDP_API void freerdp_certificate_data_free(rdpCertificateData* data);
+
+	WINPR_ATTR_MALLOC(freerdp_certificate_data_free, 1)
+	WINPR_ATTR_NODISCARD
+	FREERDP_API rdpCertificateData* freerdp_certificate_data_new(const char* hostname, UINT16 port,
+	                                                             const rdpCertificate* xcert);
+
+	WINPR_ATTR_MALLOC(freerdp_certificate_data_free, 1)
+	WINPR_ATTR_NODISCARD
+	FREERDP_API rdpCertificateData* freerdp_certificate_data_new_from_pem(const char* hostname,
+	                                                                      UINT16 port,
+	                                                                      const char* pem,
+	                                                                      size_t length);
+
+	WINPR_ATTR_MALLOC(freerdp_certificate_data_free, 1)
+	WINPR_ATTR_NODISCARD
+	FREERDP_API rdpCertificateData*
+	freerdp_certificate_data_new_from_file(const char* hostname, UINT16 port, const char* file);
+
+	WINPR_ATTR_NODISCARD
+	FREERDP_API BOOL freerdp_certificate_data_equal(const rdpCertificateData* a,
+	                                                const rdpCertificateData* b);
+
+	WINPR_ATTR_NODISCARD
+	FREERDP_API const char* freerdp_certificate_data_get_hash(const rdpCertificateData* cert);
+
+	WINPR_ATTR_NODISCARD
+	FREERDP_API const char* freerdp_certificate_data_get_host(const rdpCertificateData* cert);
+
+	WINPR_ATTR_NODISCARD
+	FREERDP_API UINT16 freerdp_certificate_data_get_port(const rdpCertificateData* cert);
+
+	WINPR_ATTR_NODISCARD
+	FREERDP_API const char* freerdp_certificate_data_get_pem(const rdpCertificateData* cert);
+
+	WINPR_ATTR_NODISCARD
+	FREERDP_API const char* freerdp_certificate_data_get_pem_ex(const rdpCertificateData* cert,
+	                                                            BOOL withFullChain);
+	WINPR_ATTR_NODISCARD
+	FREERDP_API const char* freerdp_certificate_data_get_subject(const rdpCertificateData* cert);
+
+	WINPR_ATTR_NODISCARD
+	FREERDP_API const char* freerdp_certificate_data_get_issuer(const rdpCertificateData* cert);
+
+	WINPR_ATTR_NODISCARD
+	FREERDP_API const char*
+	freerdp_certificate_data_get_fingerprint(const rdpCertificateData* cert);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* FREERDP_CRYPTO_CERTIFICATE_DATA_H */

third_party/FreeRDP/include/freerdp/crypto/certificate_store.h

@@ -0,0 +1,93 @@
+/**
+ * FreeRDP: A Remote Desktop Protocol Implementation
+ * Certificate Handling
+ *
+ * Copyright 2011-2012 Marc-Andre Moreau <marcandre.moreau@gmail.com>
+ * Copyright 2023 Armin Novak <anovak@thincast.com>
+ * Copyright 2023 Thincast Technologies GmbH
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef FREERDP_CRYPTO_CERTIFICATE_STORE_H
+#define FREERDP_CRYPTO_CERTIFICATE_STORE_H
+
+#include <freerdp/api.h>
+#include <freerdp/settings.h>
+#include <freerdp/crypto/certificate_data.h>
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+
+	typedef struct rdp_certificate_store rdpCertificateStore;
+
+	typedef enum
+	{
+		CERT_STORE_NOT_FOUND = 1,
+		CERT_STORE_MATCH = 0,
+		CERT_STORE_MISMATCH = -1
+	} freerdp_certificate_store_result;
+
+	FREERDP_API void freerdp_certificate_store_free(rdpCertificateStore* store);
+
+	WINPR_ATTR_MALLOC(freerdp_certificate_store_free, 1)
+	WINPR_ATTR_NODISCARD
+	FREERDP_API rdpCertificateStore* freerdp_certificate_store_new(const rdpSettings* settings);
+
+	WINPR_ATTR_NODISCARD
+	FREERDP_API freerdp_certificate_store_result freerdp_certificate_store_contains_data(
+	    rdpCertificateStore* store, const rdpCertificateData* data);
+
+	WINPR_ATTR_MALLOC(freerdp_certificate_data_free, 1)
+	WINPR_ATTR_NODISCARD
+	FREERDP_API rdpCertificateData*
+	freerdp_certificate_store_load_data(rdpCertificateStore* store, const char* host, UINT16 port);
+
+	WINPR_ATTR_NODISCARD
+	FREERDP_API BOOL freerdp_certificate_store_save_data(rdpCertificateStore* store,
+	                                                     const rdpCertificateData* data);
+
+	WINPR_ATTR_NODISCARD
+	FREERDP_API BOOL freerdp_certificate_store_remove_data(rdpCertificateStore* store,
+	                                                       const rdpCertificateData* data);
+
+	WINPR_ATTR_NODISCARD
+	FREERDP_API const char*
+	freerdp_certificate_store_get_certs_path(const rdpCertificateStore* store);
+
+	WINPR_ATTR_NODISCARD
+	FREERDP_API const char*
+	freerdp_certificate_store_get_hosts_path(const rdpCertificateStore* store);
+
+	/** Query the certificate store path
+	 *
+	 *  @param store The certificate store to query
+	 *  @param host The hostname to look up
+	 *  @param port The port to look up
+	 *
+	 *  @since version 3.0.0
+	 *
+	 *  @return The certificate store file path or \b nullptr
+	 */
+	WINPR_ATTR_MALLOC(free, 1)
+	WINPR_ATTR_NODISCARD
+	FREERDP_API char* freerdp_certificate_store_get_cert_path(const rdpCertificateStore* store,
+	                                                          const char* host, UINT16 port);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* FREERDP_CRYPTO_CERTIFICATE_STORE_H */

third_party/FreeRDP/include/freerdp/crypto/crypto.h

@@ -0,0 +1,80 @@
+/**
+ * FreeRDP: A Remote Desktop Protocol Implementation
+ * Cryptographic Abstraction Layer
+ *
+ * Copyright 2011-2012 Marc-Andre Moreau <marcandre.moreau@gmail.com>
+ * Copyright 2023 Armin Novak <anovak@thincast.com>
+ * Copyright 2023 Thincast Technologies GmbH
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef FREERDP_CRYPTO_H
+#define FREERDP_CRYPTO_H
+
+#include <freerdp/api.h>
+#include <freerdp/types.h>
+#include <freerdp/crypto/certificate_data.h>
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+	struct rdp_CertInfo
+	{
+		BYTE* Modulus;
+		DWORD ModulusLength;
+		BYTE exponent[4];
+	};
+	typedef struct rdp_CertInfo rdpCertInfo;
+
+	WINPR_ATTR_NODISCARD
+	FREERDP_API char* crypto_base64_encode(const BYTE* WINPR_RESTRICT data, size_t length);
+
+	/** BASE64 encode data
+	 *
+	 *  @param data The data to encode
+	 *  @param length The length of the data in bytes
+	 *  @param withCrLf Option to split the encoded data with CRLF linebreaks
+	 *
+	 *  @since version 3.0.0
+	 *
+	 *  @return The encoded BASE64 string or \b nullptr if failed
+	 */
+	WINPR_ATTR_NODISCARD
+	FREERDP_API char* crypto_base64_encode_ex(const BYTE* WINPR_RESTRICT data, size_t length,
+	                                          BOOL withCrLf);
+
+	FREERDP_API void crypto_base64_decode(const char* WINPR_RESTRICT enc_data, size_t length,
+	                                      BYTE** WINPR_RESTRICT dec_data,
+	                                      size_t* WINPR_RESTRICT res_length);
+
+	WINPR_ATTR_NODISCARD
+	FREERDP_API char* crypto_base64url_encode(const BYTE* WINPR_RESTRICT data, size_t length);
+	FREERDP_API void crypto_base64url_decode(const char* WINPR_RESTRICT enc_data, size_t length,
+	                                         BYTE** WINPR_RESTRICT dec_data,
+	                                         size_t* WINPR_RESTRICT res_length);
+
+	WINPR_ATTR_NODISCARD
+	FREERDP_API char* crypto_read_pem(const char* WINPR_RESTRICT filename,
+	                                  size_t* WINPR_RESTRICT plength);
+
+	WINPR_ATTR_NODISCARD
+	FREERDP_API BOOL crypto_write_pem(const char* WINPR_RESTRICT filename,
+	                                  const char* WINPR_RESTRICT pem, size_t length);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* FREERDP_CRYPTO_H */

third_party/FreeRDP/include/freerdp/crypto/der.h

@@ -0,0 +1,55 @@
+/**
+ * FreeRDP: A Remote Desktop Protocol Implementation
+ * ASN.1 Basic Encoding Rules (DER)
+ *
+ * Copyright 2011 Samsung, Author Jiten Pathy
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef FREERDP_CRYPTO_DER_H
+#define FREERDP_CRYPTO_DER_H
+
+#include <freerdp/config.h>
+#if !defined(WITHOUT_FREERDP_3x_DEPRECATED)
+
+#include <freerdp/crypto/er.h>
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+
+	// NOLINTNEXTLINE(bugprone-reserved-identifier,cert-dcl37-c,cert-dcl51-cpp)
+	WINPR_DEPRECATED_VAR("since 3.22.0", FREERDP_API int _der_skip_length(int length));
+	WINPR_DEPRECATED_VAR("since 3.22.0", FREERDP_API int der_write_length(wStream* s, int length));
+	WINPR_DEPRECATED_VAR("since 3.22.0", FREERDP_API int der_get_content_length(int length));
+	WINPR_DEPRECATED_VAR("since 3.22.0", FREERDP_API int der_skip_octet_string(int length));
+	WINPR_DEPRECATED_VAR("since 3.22.0", FREERDP_API int der_skip_sequence_tag(int length));
+	WINPR_DEPRECATED_VAR("since 3.22.0",
+	                     FREERDP_API int der_write_sequence_tag(wStream* s, int length));
+	WINPR_DEPRECATED_VAR("since 3.22.0", FREERDP_API int der_skip_contextual_tag(int length));
+	WINPR_DEPRECATED_VAR("since 3.22.0",
+	                     FREERDP_API int der_write_contextual_tag(wStream* s, BYTE tag, int length,
+	                                                              BOOL pc));
+	WINPR_DEPRECATED_VAR("since 3.22.0",
+	                     FREERDP_API void der_write_octet_string(wStream* s, BYTE* oct_str,
+	                                                             int length));
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
+
+#endif /* FREERDP_CRYPTO_DER_H */

third_party/FreeRDP/include/freerdp/crypto/er.h

@@ -0,0 +1,132 @@
+/**
+ * FreeRDP: A Remote Desktop Protocol Implementation
+ * ASN.1 Encoding Rules (BER/DER common functions)
+ *
+ * Copyright 2011 Marc-Andre Moreau <marcandre.moreau@gmail.com>
+ * Modified by Jiten Pathy
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef FREERDP_CRYPTO_ER_H
+#define FREERDP_CRYPTO_ER_H
+
+#include <freerdp/config.h>
+#if !defined(WITHOUT_FREERDP_3x_DEPRECATED)
+
+#include <freerdp/api.h>
+#include <freerdp/types.h>
+
+#include <winpr/stream.h>
+
+/* ER type */
+
+/* Class - bits 8 and 7 */
+#define ER_CLASS_MASK 0xC0
+#define ER_CLASS_UNIV 0x00 /* 0 0 */
+#define ER_CLASS_APPL 0x40 /* 0 1 */
+#define ER_CLASS_CTXT 0x80 /* 1 0 */
+#define ER_CLASS_PRIV 0xC0 /* 1 1 */
+
+/* P/C - bit 6 */
+#define ER_PC_MASK 0x20
+#define ER_PRIMITIVE 0x00 /* 0 */
+#define ER_CONSTRUCT 0x20 /* 1 */
+
+/* Tag - bits 5 to 1 */
+#define ER_TAG_MASK 0x1F
+#define ER_TAG_BOOLEAN 0x01
+#define ER_TAG_INTEGER 0x02
+#define ER_TAG_BIT_STRING 0x03
+#define ER_TAG_OCTET_STRING 0x04
+#define ER_TAG_OBJECT_IDENTIFIER 0x06
+#define ER_TAG_ENUMERATED 0x0A
+#define ER_TAG_SEQUENCE 0x10
+#define ER_TAG_SEQUENCE_OF 0x10
+#define ER_TAG_GENERAL_STRING 0x1B
+#define ER_TAG_GENERALIZED_TIME 0x18
+
+#define ER_PC(_pc) (_pc ? ER_CONSTRUCT : ER_PRIMITIVE)
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+
+	WINPR_DEPRECATED_VAR("since 3.22.0", FREERDP_API void er_read_length(wStream* s, int* length));
+	WINPR_DEPRECATED_VAR("since 3.22.0",
+	                     FREERDP_API int er_write_length(wStream* s, int length, BOOL flag));
+
+	// NOLINTNEXTLINE(bugprone-reserved-identifier,cert-dcl37-c,cert-dcl51-cpp)
+	WINPR_DEPRECATED_VAR("since 3.22.0", FREERDP_API int _er_skip_length(int length));
+	WINPR_DEPRECATED_VAR("since 3.22.0", FREERDP_API int er_get_content_length(int length));
+	WINPR_DEPRECATED_VAR("since 3.22.0",
+	                     FREERDP_API BOOL er_read_universal_tag(wStream* s, BYTE tag, BOOL pc));
+	WINPR_DEPRECATED_VAR("since 3.22.0",
+	                     FREERDP_API void er_write_universal_tag(wStream* s, BYTE tag, BOOL pc));
+	WINPR_DEPRECATED_VAR("since 3.22.0",
+	                     FREERDP_API BOOL er_read_application_tag(wStream* s, BYTE tag,
+	                                                              int* length));
+	WINPR_DEPRECATED_VAR("since 3.22.0",
+	                     FREERDP_API void er_write_application_tag(wStream* s, BYTE tag, int length,
+	                                                               BOOL flag));
+	WINPR_DEPRECATED_VAR("since 3.22.0",
+	                     FREERDP_API BOOL er_read_enumerated(wStream* s, BYTE* enumerated,
+	                                                         BYTE count));
+	WINPR_DEPRECATED_VAR("since 3.22.0",
+	                     FREERDP_API void er_write_enumerated(wStream* s, BYTE enumerated,
+	                                                          BYTE count, BOOL flag));
+	WINPR_DEPRECATED_VAR("since 3.22.0",
+	                     FREERDP_API BOOL er_read_contextual_tag(wStream* s, BYTE tag, int* length,
+	                                                             BOOL pc));
+	WINPR_DEPRECATED_VAR("since 3.22.0",
+	                     FREERDP_API int er_write_contextual_tag(wStream* s, BYTE tag, int length,
+	                                                             BOOL pc, BOOL flag));
+	WINPR_DEPRECATED_VAR("since 3.22.0", FREERDP_API int er_skip_contextual_tag(int length));
+	WINPR_DEPRECATED_VAR("since 3.22.0",
+	                     FREERDP_API BOOL er_read_sequence_tag(wStream* s, int* length));
+	WINPR_DEPRECATED_VAR("since 3.22.0",
+	                     FREERDP_API int er_write_sequence_tag(wStream* s, int length, BOOL flag));
+	WINPR_DEPRECATED_VAR("since 3.22.0", FREERDP_API int er_skip_sequence(int length));
+	WINPR_DEPRECATED_VAR("since 3.22.0", FREERDP_API int er_skip_sequence_tag(int length));
+	WINPR_DEPRECATED_VAR("since 3.22.0",
+	                     FREERDP_API BOOL er_read_bit_string(wStream* s, int* length,
+	                                                         BYTE* padding));
+	WINPR_DEPRECATED_VAR("since 3.22.0",
+	                     FREERDP_API BOOL er_write_bit_string_tag(wStream* s, UINT32 length,
+	                                                              BYTE padding, BOOL flag));
+	WINPR_DEPRECATED_VAR("since 3.22.0",
+	                     FREERDP_API BOOL er_read_octet_string(wStream* s, int* length));
+	WINPR_DEPRECATED_VAR("since 3.22.0",
+	                     FREERDP_API void er_write_octet_string(wStream* s, BYTE* oct_str,
+	                                                            int length, BOOL flag));
+	WINPR_DEPRECATED_VAR("since 3.22.0",
+	                     FREERDP_API int er_write_octet_string_tag(wStream* s, int length,
+	                                                               BOOL flag));
+	WINPR_DEPRECATED_VAR("since 3.22.0", FREERDP_API int er_skip_octet_string(int length));
+	WINPR_DEPRECATED_VAR("since 3.22.0", FREERDP_API BOOL er_read_BOOL(wStream* s, BOOL* value));
+	WINPR_DEPRECATED_VAR("since 3.22.0", FREERDP_API void er_write_BOOL(wStream* s, BOOL value));
+	WINPR_DEPRECATED_VAR("since 3.22.0",
+	                     FREERDP_API BOOL er_read_integer(wStream* s, UINT32* value));
+	WINPR_DEPRECATED_VAR("since 3.22.0", FREERDP_API int er_write_integer(wStream* s, INT32 value));
+	WINPR_DEPRECATED_VAR("since 3.22.0",
+	                     FREERDP_API BOOL er_read_integer_length(wStream* s, int* length));
+	WINPR_DEPRECATED_VAR("since 3.22.0", FREERDP_API int er_skip_integer(INT32 value));
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
+
+#endif /* FREERDP_CRYPTO_ER_H */

third_party/FreeRDP/include/freerdp/crypto/per.h

@@ -0,0 +1,105 @@
+/**
+ * FreeRDP: A Remote Desktop Protocol Implementation
+ * ASN.1 Packed Encoding Rules (BER)
+ *
+ * Copyright 2011-2012 Marc-Andre Moreau <marcandre.moreau@gmail.com>
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef FREERDP_CRYPTO_PER_H
+#define FREERDP_CRYPTO_PER_H
+
+#include <freerdp/api.h>
+
+#include <winpr/stream.h>
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+
+	WINPR_ATTR_NODISCARD
+	FREERDP_API BOOL per_read_length(wStream* s, UINT16* length);
+
+	WINPR_ATTR_NODISCARD
+	FREERDP_API BOOL per_write_length(wStream* s, UINT16 length);
+
+	WINPR_ATTR_NODISCARD
+	FREERDP_API BOOL per_read_choice(wStream* s, BYTE* choice);
+
+	WINPR_ATTR_NODISCARD
+	FREERDP_API BOOL per_write_choice(wStream* s, BYTE choice);
+
+	WINPR_ATTR_NODISCARD
+	FREERDP_API BOOL per_read_selection(wStream* s, BYTE* selection);
+
+	WINPR_ATTR_NODISCARD
+	FREERDP_API BOOL per_write_selection(wStream* s, BYTE selection);
+
+	WINPR_ATTR_NODISCARD
+	FREERDP_API BOOL per_read_number_of_sets(wStream* s, BYTE* number);
+
+	WINPR_ATTR_NODISCARD
+	FREERDP_API BOOL per_write_number_of_sets(wStream* s, BYTE number);
+
+	WINPR_ATTR_NODISCARD
+	FREERDP_API BOOL per_read_padding(wStream* s, UINT16 length);
+
+	WINPR_ATTR_NODISCARD
+	FREERDP_API BOOL per_write_padding(wStream* s, UINT16 length);
+
+	WINPR_ATTR_NODISCARD
+	FREERDP_API BOOL per_read_integer(wStream* s, UINT32* integer);
+
+	WINPR_ATTR_NODISCARD
+	FREERDP_API BOOL per_read_integer16(wStream* s, UINT16* integer, UINT16 min);
+
+	WINPR_ATTR_NODISCARD
+	FREERDP_API BOOL per_write_integer(wStream* s, UINT32 integer);
+
+	WINPR_ATTR_NODISCARD
+	FREERDP_API BOOL per_write_integer16(wStream* s, UINT16 integer, UINT16 min);
+
+	WINPR_ATTR_NODISCARD
+	FREERDP_API BOOL per_read_enumerated(wStream* s, BYTE* enumerated, BYTE count);
+
+	WINPR_ATTR_NODISCARD
+	FREERDP_API BOOL per_write_enumerated(wStream* s, BYTE enumerated, BYTE count);
+
+	WINPR_ATTR_NODISCARD
+	FREERDP_API BOOL per_write_object_identifier(wStream* s, const BYTE oid[6]);
+
+	WINPR_ATTR_NODISCARD
+	FREERDP_API BOOL per_read_object_identifier(wStream* s, const BYTE oid[6]);
+
+	WINPR_ATTR_NODISCARD
+	FREERDP_API BOOL per_read_octet_string(wStream* s, const BYTE* oct_str, UINT16 length,
+	                                       UINT16 min);
+
+	WINPR_ATTR_NODISCARD
+	FREERDP_API BOOL per_write_octet_string(wStream* s, const BYTE* oct_str, UINT16 length,
+	                                        UINT16 min);
+
+	WINPR_ATTR_NODISCARD
+	FREERDP_API BOOL per_read_numeric_string(wStream* s, UINT16 min);
+
+	WINPR_ATTR_NODISCARD
+	FREERDP_API BOOL per_write_numeric_string(wStream* s, const BYTE* num_str, UINT16 length,
+	                                          UINT16 min);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* FREERDP_CRYPTO_PER_H */

third_party/FreeRDP/include/freerdp/crypto/privatekey.h

@@ -0,0 +1,104 @@
+/**
+ * FreeRDP: A Remote Desktop Protocol Implementation
+ * Private key Handling
+ *
+ * Copyright 2023 Armin Novak <anovak@thincast.com>
+ * Copyright 2023 Thincast Technologies GmbH
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef FREERDP_CRYPTO_PRIVATEKEY_H
+#define FREERDP_CRYPTO_PRIVATEKEY_H
+
+#include <freerdp/api.h>
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+
+	typedef struct rdp_private_key rdpPrivateKey;
+
+	FREERDP_API void freerdp_key_free(rdpPrivateKey* key);
+
+	WINPR_ATTR_MALLOC(freerdp_key_free, 1)
+	WINPR_ATTR_NODISCARD
+	FREERDP_API rdpPrivateKey* freerdp_key_new(void);
+
+	WINPR_ATTR_NODISCARD
+	FREERDP_API rdpPrivateKey* freerdp_key_new_from_file(const char* keyfile);
+
+	WINPR_ATTR_MALLOC(freerdp_key_free, 1)
+	WINPR_ATTR_NODISCARD
+	FREERDP_API rdpPrivateKey* freerdp_key_new_from_pem(const char* pem);
+
+	/** @brief Create a private key from file \b keyfile with optional password \b password
+	 *
+	 *  @param keyfile The file to read the key from
+	 *  @param password The optional password the key is enecrypted with, \b nullptr for unencrypted
+	 *  @return An allocated private key, \b nullptr in case of failure.
+	 *  @since version 3.16.0
+	 */
+	WINPR_ATTR_MALLOC(freerdp_key_free, 1)
+	WINPR_ATTR_NODISCARD
+	FREERDP_API rdpPrivateKey* freerdp_key_new_from_file_enc(const char* keyfile,
+	                                                         const char* password);
+
+	/** @brief Create a private key from a PEM file with optional \b password
+	 *
+	 *  @param pem The PEM string to use
+	 *  @param password The optional password, use \b nullptr if no encryption is used.
+	 *  @return An allocated private key, \b nullptr in case of failure.
+	 *  @since version 3.16.0
+	 */
+	WINPR_ATTR_MALLOC(freerdp_key_free, 1)
+	WINPR_ATTR_NODISCARD
+	FREERDP_API rdpPrivateKey* freerdp_key_new_from_pem_enc(const char* pem, const char* password);
+
+	WINPR_ATTR_NODISCARD
+	FREERDP_API BOOL freerdp_key_is_rsa(const rdpPrivateKey* key);
+
+	WINPR_ATTR_NODISCARD
+	FREERDP_API size_t freerdp_key_get_bits(const rdpPrivateKey* key);
+
+	/** @brief Create a PEM from a private key
+	 *
+	 *  @param key The key to convert
+	 *  @param plen Optional pointer, value set to strlen of the PEM
+	 *  @param password Optional password string. If \b nullptr an unencrypted PEM is written.
+	 *  @return A PEM string or \b nullptr in case of errors
+	 *
+	 *  @since version 3.16.0
+	 */
+	WINPR_ATTR_MALLOC(free, 1)
+	WINPR_ATTR_NODISCARD
+	FREERDP_API char* freerdp_key_get_pem(const rdpPrivateKey* key, size_t* plen,
+	                                      const char* password);
+
+	/** @brief Create a new private key
+	 *
+	 *  @param key The key to initialize
+	 *  @param type The key type (RSA, ...)
+	 *  @param count The number of arguments following, depends on type
+	 *  @return \b TRUE for success, \b FALSE otherwise
+	 *  @since version 3.16.0
+	 */
+	WINPR_ATTR_NODISCARD
+	FREERDP_API BOOL freerdp_key_generate(rdpPrivateKey* key, const char* type, size_t count, ...);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* FREERDP_CRYPTO_PRIVATEKEY_H */