TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / e83ac1d7d1dc8503d150ba836ebadab542fd740f / . / library / x509_create.c
blob: ab87ac71fa919075f1d7def60cfd13b0a08a7352 [file] [log] [blame]
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]1/*
2 * X.509 base functions for creating certificates / CSRs
3 *
Manuel Pégourié-Gonnarda658a402015-01-23 09:45:19 +0000[diff] [blame]4 * Copyright (C) 2006-2014, ARM Limited, All Rights Reserved
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]5 *
Manuel Pégourié-Gonnard860b5162015-01-28 17:12:07 +0000[diff] [blame]6 * This file is part of mbed TLS (https://polarssl.org)
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]7 *
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License along
19 * with this program; if not, write to the Free Software Foundation, Inc.,
20 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
21 */
22
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]23#if !defined(POLARSSL_CONFIG_FILE)
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]24#include "polarssl/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]25#else
26#include POLARSSL_CONFIG_FILE
27#endif
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]28
29#if defined(POLARSSL_X509_CREATE_C)
30
31#include "polarssl/x509.h"
32#include "polarssl/asn1write.h"
33#include "polarssl/oid.h"
34
Paul Bakker6edcd412013-10-29 15:22:54 +0100[diff] [blame]35#if defined(_MSC_VER) && !defined strncasecmp && !defined(EFIX64) && \
36 !defined(EFI32)
Paul Bakker7b0be682013-10-29 14:24:37 +0100[diff] [blame]37#define strncasecmp _strnicmp
38#endif
39
Manuel Pégourié-Gonnardf3e5c222014-06-12 11:06:36 +0200[diff] [blame]40typedef struct {
41 const char *name;
42 size_t name_len;
43 const char*oid;
44} x509_attr_descriptor_t;
45
46#define ADD_STRLEN( s ) s, sizeof( s ) - 1
47
48static const x509_attr_descriptor_t x509_attrs[] =
49{
50 { ADD_STRLEN( "CN" ), OID_AT_CN },
51 { ADD_STRLEN( "commonName" ), OID_AT_CN },
52 { ADD_STRLEN( "C" ), OID_AT_COUNTRY },
53 { ADD_STRLEN( "countryName" ), OID_AT_COUNTRY },
54 { ADD_STRLEN( "O" ), OID_AT_ORGANIZATION },
55 { ADD_STRLEN( "organizationName" ), OID_AT_ORGANIZATION },
56 { ADD_STRLEN( "L" ), OID_AT_LOCALITY },
57 { ADD_STRLEN( "locality" ), OID_AT_LOCALITY },
58 { ADD_STRLEN( "R" ), OID_PKCS9_EMAIL },
59 { ADD_STRLEN( "OU" ), OID_AT_ORG_UNIT },
60 { ADD_STRLEN( "organizationalUnitName" ), OID_AT_ORG_UNIT },
61 { ADD_STRLEN( "ST" ), OID_AT_STATE },
62 { ADD_STRLEN( "stateOrProvinceName" ), OID_AT_STATE },
63 { ADD_STRLEN( "emailAddress" ), OID_PKCS9_EMAIL },
64 { ADD_STRLEN( "serialNumber" ), OID_AT_SERIAL_NUMBER },
65 { ADD_STRLEN( "postalAddress" ), OID_AT_POSTAL_ADDRESS },
66 { ADD_STRLEN( "postalCode" ), OID_AT_POSTAL_CODE },
67 { ADD_STRLEN( "dnQualifier" ), OID_AT_DN_QUALIFIER },
68 { ADD_STRLEN( "title" ), OID_AT_TITLE },
69 { ADD_STRLEN( "surName" ), OID_AT_SUR_NAME },
70 { ADD_STRLEN( "SN" ), OID_AT_SUR_NAME },
71 { ADD_STRLEN( "givenName" ), OID_AT_GIVEN_NAME },
72 { ADD_STRLEN( "GN" ), OID_AT_GIVEN_NAME },
73 { ADD_STRLEN( "initials" ), OID_AT_INITIALS },
74 { ADD_STRLEN( "pseudonym" ), OID_AT_PSEUDONYM },
75 { ADD_STRLEN( "generationQualifier" ), OID_AT_GENERATION_QUALIFIER },
76 { ADD_STRLEN( "domainComponent" ), OID_DOMAIN_COMPONENT },
77 { ADD_STRLEN( "DC" ), OID_DOMAIN_COMPONENT },
78 { NULL, 0, NULL }
79};
80
81static const char *x509_at_oid_from_name( const char *name, size_t name_len )
82{
83 const x509_attr_descriptor_t *cur;
84
85 for( cur = x509_attrs; cur->name != NULL; cur++ )
86 if( cur->name_len == name_len &&
87 strncasecmp( cur->name, name, name_len ) == 0 )
88 break;
89
90 return( cur->oid );
91}
92
Paul Bakker50dc8502013-10-28 21:19:10 +0100[diff] [blame]93int x509_string_to_names( asn1_named_data **head, const char *name )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]94{
95 int ret = 0;
Paul Bakker50dc8502013-10-28 21:19:10 +0100[diff] [blame]96 const char *s = name, *c = s;
97 const char *end = s + strlen( s );
Paul Bakkerfcc17212013-10-11 09:36:52 +0200[diff] [blame]98 const char *oid = NULL;
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]99 int in_tag = 1;
Paul Bakker8dcb2d72014-08-08 12:22:30 +0200[diff] [blame]100 char data[X509_MAX_DN_NAME_SIZE];
101 char *d = data;
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]102
103 /* Clear existing chain if present */
104 asn1_free_named_data_list( head );
105
106 while( c <= end )
107 {
108 if( in_tag && *c == '=' )
109 {
Manuel Pégourié-Gonnardf3e5c222014-06-12 11:06:36 +0200[diff] [blame]110 if( ( oid = x509_at_oid_from_name( s, c - s ) ) == NULL )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]111 {
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]112 ret = POLARSSL_ERR_X509_UNKNOWN_OID;
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]113 goto exit;
114 }
115
116 s = c + 1;
117 in_tag = 0;
Paul Bakker8dcb2d72014-08-08 12:22:30 +0200[diff] [blame]118 d = data;
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]119 }
120
Paul Bakker8dcb2d72014-08-08 12:22:30 +0200[diff] [blame]121 if( !in_tag && *c == '\\' && c != end )
122 {
123 c++;
124
125 /* Check for valid escaped characters */
126 if( c == end || *c != ',' )
127 {
128 ret = POLARSSL_ERR_X509_INVALID_NAME;
129 goto exit;
130 }
131 }
132 else if( !in_tag && ( *c == ',' || c == end ) )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]133 {
Paul Bakkera9c16d22014-04-17 12:42:18 +0200[diff] [blame]134 if( asn1_store_named_data( head, oid, strlen( oid ),
Paul Bakker8dcb2d72014-08-08 12:22:30 +0200[diff] [blame]135 (unsigned char *) data,
136 d - data ) == NULL )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]137 {
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]138 return( POLARSSL_ERR_X509_MALLOC_FAILED );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]139 }
140
141 while( c < end && *(c + 1) == ' ' )
142 c++;
143
144 s = c + 1;
145 in_tag = 1;
146 }
Paul Bakker8dcb2d72014-08-08 12:22:30 +0200[diff] [blame]147
148 if( !in_tag && s != c + 1 )
149 {
150 *(d++) = *c;
151
152 if( d - data == X509_MAX_DN_NAME_SIZE )
153 {
154 ret = POLARSSL_ERR_X509_INVALID_NAME;
155 goto exit;
156 }
157 }
158
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]159 c++;
160 }
161
162exit:
163
164 return( ret );
165}
166
167/* The first byte of the value in the asn1_named_data structure is reserved
168 * to store the critical boolean for us
169 */
170int x509_set_extension( asn1_named_data **head, const char *oid, size_t oid_len,
171 int critical, const unsigned char *val, size_t val_len )
172{
173 asn1_named_data *cur;
174
175 if( ( cur = asn1_store_named_data( head, oid, oid_len,
176 NULL, val_len + 1 ) ) == NULL )
177 {
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]178 return( POLARSSL_ERR_X509_MALLOC_FAILED );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]179 }
180
181 cur->val.p[0] = critical;
182 memcpy( cur->val.p + 1, val, val_len );
183
184 return( 0 );
185}
186
187/*
188 * RelativeDistinguishedName ::=
189 * SET OF AttributeTypeAndValue
190 *
191 * AttributeTypeAndValue ::= SEQUENCE {
192 * type AttributeType,
193 * value AttributeValue }
194 *
195 * AttributeType ::= OBJECT IDENTIFIER
196 *
197 * AttributeValue ::= ANY DEFINED BY AttributeType
198 */
199static int x509_write_name( unsigned char **p, unsigned char *start,
200 const char *oid, size_t oid_len,
201 const unsigned char *name, size_t name_len )
202{
203 int ret;
204 size_t len = 0;
205
206 // Write PrintableString for all except OID_PKCS9_EMAIL
207 //
208 if( OID_SIZE( OID_PKCS9_EMAIL ) == oid_len &&
209 memcmp( oid, OID_PKCS9_EMAIL, oid_len ) == 0 )
210 {
211 ASN1_CHK_ADD( len, asn1_write_ia5_string( p, start,
212 (const char *) name,
213 name_len ) );
214 }
215 else
216 {
217 ASN1_CHK_ADD( len, asn1_write_printable_string( p, start,
218 (const char *) name,
219 name_len ) );
220 }
221
222 // Write OID
223 //
224 ASN1_CHK_ADD( len, asn1_write_oid( p, start, oid, oid_len ) );
225
226 ASN1_CHK_ADD( len, asn1_write_len( p, start, len ) );
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]227 ASN1_CHK_ADD( len, asn1_write_tag( p, start, ASN1_CONSTRUCTED |
228 ASN1_SEQUENCE ) );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]229
230 ASN1_CHK_ADD( len, asn1_write_len( p, start, len ) );
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]231 ASN1_CHK_ADD( len, asn1_write_tag( p, start, ASN1_CONSTRUCTED |
232 ASN1_SET ) );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]233
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200[diff] [blame]234 return( (int) len );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]235}
236
237int x509_write_names( unsigned char **p, unsigned char *start,
238 asn1_named_data *first )
239{
240 int ret;
241 size_t len = 0;
242 asn1_named_data *cur = first;
243
244 while( cur != NULL )
245 {
246 ASN1_CHK_ADD( len, x509_write_name( p, start, (char *) cur->oid.p,
247 cur->oid.len,
248 cur->val.p, cur->val.len ) );
249 cur = cur->next;
250 }
251
252 ASN1_CHK_ADD( len, asn1_write_len( p, start, len ) );
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]253 ASN1_CHK_ADD( len, asn1_write_tag( p, start, ASN1_CONSTRUCTED |
254 ASN1_SEQUENCE ) );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]255
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200[diff] [blame]256 return( (int) len );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]257}
258
259int x509_write_sig( unsigned char **p, unsigned char *start,
260 const char *oid, size_t oid_len,
261 unsigned char *sig, size_t size )
262{
263 int ret;
264 size_t len = 0;
265
266 if( *p - start < (int) size + 1 )
267 return( POLARSSL_ERR_ASN1_BUF_TOO_SMALL );
268
269 len = size;
270 (*p) -= len;
271 memcpy( *p, sig, len );
272
273 *--(*p) = 0;
274 len += 1;
275
276 ASN1_CHK_ADD( len, asn1_write_len( p, start, len ) );
277 ASN1_CHK_ADD( len, asn1_write_tag( p, start, ASN1_BIT_STRING ) );
278
279 // Write OID
280 //
281 ASN1_CHK_ADD( len, asn1_write_algorithm_identifier( p, start, oid,
282 oid_len, 0 ) );
283
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200[diff] [blame]284 return( (int) len );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]285}
286
287static int x509_write_extension( unsigned char **p, unsigned char *start,
288 asn1_named_data *ext )
289{
290 int ret;
291 size_t len = 0;
292
293 ASN1_CHK_ADD( len, asn1_write_raw_buffer( p, start, ext->val.p + 1,
294 ext->val.len - 1 ) );
295 ASN1_CHK_ADD( len, asn1_write_len( p, start, ext->val.len - 1 ) );
296 ASN1_CHK_ADD( len, asn1_write_tag( p, start, ASN1_OCTET_STRING ) );
297
298 if( ext->val.p[0] != 0 )
299 {
300 ASN1_CHK_ADD( len, asn1_write_bool( p, start, 1 ) );
301 }
302
303 ASN1_CHK_ADD( len, asn1_write_raw_buffer( p, start, ext->oid.p,
304 ext->oid.len ) );
305 ASN1_CHK_ADD( len, asn1_write_len( p, start, ext->oid.len ) );
306 ASN1_CHK_ADD( len, asn1_write_tag( p, start, ASN1_OID ) );
307
308 ASN1_CHK_ADD( len, asn1_write_len( p, start, len ) );
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]309 ASN1_CHK_ADD( len, asn1_write_tag( p, start, ASN1_CONSTRUCTED |
310 ASN1_SEQUENCE ) );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]311
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200[diff] [blame]312 return( (int) len );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]313}
314
315/*
316 * Extension ::= SEQUENCE {
317 * extnID OBJECT IDENTIFIER,
318 * critical BOOLEAN DEFAULT FALSE,
319 * extnValue OCTET STRING
320 * -- contains the DER encoding of an ASN.1 value
321 * -- corresponding to the extension type identified
322 * -- by extnID
323 * }
324 */
325int x509_write_extensions( unsigned char **p, unsigned char *start,
326 asn1_named_data *first )
327{
328 int ret;
329 size_t len = 0;
330 asn1_named_data *cur_ext = first;
331
332 while( cur_ext != NULL )
333 {
334 ASN1_CHK_ADD( len, x509_write_extension( p, start, cur_ext ) );
335 cur_ext = cur_ext->next;
336 }
337
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200[diff] [blame]338 return( (int) len );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]339}
340
341#endif /* POLARSSL_X509_CREATE_C */