TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 00ab47026bde24fca88362dab620c6ff835606ac / . / library / x509_csr.c
blob: a4b8ad754244a6eb17fbf12fb9299a8ea2620039 [file] [log] [blame]
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]1/*
2 * X.509 Certificate Signing Request (CSR) parsing
3 *
Manuel Pégourié-Gonnarda658a402015-01-23 09:45:19 +0000[diff] [blame]4 * Copyright (C) 2006-2014, ARM Limited, All Rights Reserved
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]5 *
Manuel Pégourié-Gonnard860b5162015-01-28 17:12:07 +0000[diff] [blame]6 * This file is part of mbed TLS (https://polarssl.org)
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]7 *
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License along
19 * with this program; if not, write to the Free Software Foundation, Inc.,
20 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
21 */
22/*
23 * The ITU-T X.509 standard defines a certificate format for PKI.
24 *
Manuel Pégourié-Gonnard1c082f32014-06-12 22:34:55 +0200[diff] [blame]25 * http://www.ietf.org/rfc/rfc5280.txt (Certificates and CRLs)
26 * http://www.ietf.org/rfc/rfc3279.txt (Alg IDs for CRLs)
27 * http://www.ietf.org/rfc/rfc2986.txt (CSRs, aka PKCS#10)
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]28 *
29 * http://www.itu.int/ITU-T/studygroups/com17/languages/X.680-0207.pdf
30 * http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf
31 */
32
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]33#if !defined(POLARSSL_CONFIG_FILE)
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]34#include "polarssl/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]35#else
36#include POLARSSL_CONFIG_FILE
37#endif
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]38
39#if defined(POLARSSL_X509_CSR_PARSE_C)
40
41#include "polarssl/x509_csr.h"
42#include "polarssl/oid.h"
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame^]43
44#include <string.h>
45
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]46#if defined(POLARSSL_PEM_PARSE_C)
47#include "polarssl/pem.h"
48#endif
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]49
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]50#if defined(POLARSSL_PLATFORM_C)
51#include "polarssl/platform.h"
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]52#else
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame^]53#include <stdlib.h>
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]54#define polarssl_malloc malloc
55#define polarssl_free free
56#endif
57
Paul Bakkerfa6a6202013-10-28 18:48:30 +0100[diff] [blame]58#if defined(POLARSSL_FS_IO) || defined(EFIX64) || defined(EFI32)
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]59#include <stdio.h>
60#endif
61
Paul Bakker34617722014-06-13 17:20:13 +0200[diff] [blame]62/* Implementation that should never be optimized out by the compiler */
63static void polarssl_zeroize( void *v, size_t n ) {
64 volatile unsigned char *p = v; while( n-- ) *p++ = 0;
65}
66
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]67/*
68 * Version ::= INTEGER { v1(0) }
69 */
70static int x509_csr_get_version( unsigned char **p,
71 const unsigned char *end,
72 int *ver )
73{
74 int ret;
75
76 if( ( ret = asn1_get_int( p, end, ver ) ) != 0 )
77 {
78 if( ret == POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
79 {
80 *ver = 0;
81 return( 0 );
82 }
83
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]84 return( POLARSSL_ERR_X509_INVALID_VERSION + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]85 }
86
87 return( 0 );
88}
89
90/*
Manuel Pégourié-Gonnardf3b47242014-06-16 18:06:48 +0200[diff] [blame]91 * Parse a CSR in DER format
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]92 */
Manuel Pégourié-Gonnardf3b47242014-06-16 18:06:48 +0200[diff] [blame]93int x509_csr_parse_der( x509_csr *csr,
94 const unsigned char *buf, size_t buflen )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]95{
96 int ret;
97 size_t len;
98 unsigned char *p, *end;
Manuel Pégourié-Gonnard39868ee2014-01-24 18:47:17 +0100[diff] [blame]99 x509_buf sig_params;
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]100
Manuel Pégourié-Gonnarddddbb1d2014-06-05 17:02:24 +0200[diff] [blame]101 memset( &sig_params, 0, sizeof( x509_buf ) );
102
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]103 /*
104 * Check for valid input
105 */
106 if( csr == NULL || buf == NULL )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]107 return( POLARSSL_ERR_X509_BAD_INPUT_DATA );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]108
Paul Bakker369d2eb2013-09-18 11:58:25 +0200[diff] [blame]109 x509_csr_init( csr );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]110
Manuel Pégourié-Gonnardf3b47242014-06-16 18:06:48 +0200[diff] [blame]111 /*
112 * first copy the raw DER data
113 */
114 p = (unsigned char *) polarssl_malloc( len = buflen );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]115
Manuel Pégourié-Gonnardf3b47242014-06-16 18:06:48 +0200[diff] [blame]116 if( p == NULL )
117 return( POLARSSL_ERR_X509_MALLOC_FAILED );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]118
Manuel Pégourié-Gonnardf3b47242014-06-16 18:06:48 +0200[diff] [blame]119 memcpy( p, buf, buflen );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]120
121 csr->raw.p = p;
122 csr->raw.len = len;
123 end = p + len;
124
125 /*
126 * CertificationRequest ::= SEQUENCE {
127 * certificationRequestInfo CertificationRequestInfo,
128 * signatureAlgorithm AlgorithmIdentifier,
129 * signature BIT STRING
130 * }
131 */
132 if( ( ret = asn1_get_tag( &p, end, &len,
133 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
134 {
135 x509_csr_free( csr );
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]136 return( POLARSSL_ERR_X509_INVALID_FORMAT );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]137 }
138
139 if( len != (size_t) ( end - p ) )
140 {
141 x509_csr_free( csr );
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]142 return( POLARSSL_ERR_X509_INVALID_FORMAT +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]143 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
144 }
145
146 /*
147 * CertificationRequestInfo ::= SEQUENCE {
148 */
149 csr->cri.p = p;
150
151 if( ( ret = asn1_get_tag( &p, end, &len,
152 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
153 {
154 x509_csr_free( csr );
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]155 return( POLARSSL_ERR_X509_INVALID_FORMAT + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]156 }
157
158 end = p + len;
159 csr->cri.len = end - csr->cri.p;
160
161 /*
162 * Version ::= INTEGER { v1(0) }
163 */
164 if( ( ret = x509_csr_get_version( &p, end, &csr->version ) ) != 0 )
165 {
166 x509_csr_free( csr );
167 return( ret );
168 }
169
170 csr->version++;
171
172 if( csr->version != 1 )
173 {
174 x509_csr_free( csr );
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]175 return( POLARSSL_ERR_X509_UNKNOWN_VERSION );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]176 }
177
178 /*
179 * subject Name
180 */
181 csr->subject_raw.p = p;
182
183 if( ( ret = asn1_get_tag( &p, end, &len,
184 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
185 {
186 x509_csr_free( csr );
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]187 return( POLARSSL_ERR_X509_INVALID_FORMAT + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]188 }
189
190 if( ( ret = x509_get_name( &p, p + len, &csr->subject ) ) != 0 )
191 {
192 x509_csr_free( csr );
193 return( ret );
194 }
195
196 csr->subject_raw.len = p - csr->subject_raw.p;
197
198 /*
199 * subjectPKInfo SubjectPublicKeyInfo
200 */
Paul Bakkerda771152013-09-16 22:45:03 +0200[diff] [blame]201 if( ( ret = pk_parse_subpubkey( &p, end, &csr->pk ) ) != 0 )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]202 {
203 x509_csr_free( csr );
204 return( ret );
205 }
206
207 /*
208 * attributes [0] Attributes
209 */
210 if( ( ret = asn1_get_tag( &p, end, &len,
211 ASN1_CONSTRUCTED | ASN1_CONTEXT_SPECIFIC ) ) != 0 )
212 {
213 x509_csr_free( csr );
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]214 return( POLARSSL_ERR_X509_INVALID_FORMAT + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]215 }
216 // TODO Parse Attributes / extension requests
217
218 p += len;
219
220 end = csr->raw.p + csr->raw.len;
221
222 /*
223 * signatureAlgorithm AlgorithmIdentifier,
224 * signature BIT STRING
225 */
Manuel Pégourié-Gonnard39868ee2014-01-24 18:47:17 +0100[diff] [blame]226 if( ( ret = x509_get_alg( &p, end, &csr->sig_oid, &sig_params ) ) != 0 )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]227 {
228 x509_csr_free( csr );
229 return( ret );
230 }
231
Manuel Pégourié-Gonnardcf975a32014-01-24 19:28:43 +0100[diff] [blame]232 if( ( ret = x509_get_sig_alg( &csr->sig_oid, &sig_params,
Manuel Pégourié-Gonnardf75f2f72014-06-05 15:14:28 +0200[diff] [blame]233 &csr->sig_md, &csr->sig_pk,
234 &csr->sig_opts ) ) != 0 )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]235 {
236 x509_csr_free( csr );
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]237 return( POLARSSL_ERR_X509_UNKNOWN_SIG_ALG );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]238 }
239
240 if( ( ret = x509_get_sig( &p, end, &csr->sig ) ) != 0 )
241 {
242 x509_csr_free( csr );
243 return( ret );
244 }
245
246 if( p != end )
247 {
248 x509_csr_free( csr );
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]249 return( POLARSSL_ERR_X509_INVALID_FORMAT +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]250 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
251 }
252
253 return( 0 );
254}
255
Manuel Pégourié-Gonnardf3b47242014-06-16 18:06:48 +0200[diff] [blame]256/*
257 * Parse a CSR, allowing for PEM or raw DER encoding
258 */
259int x509_csr_parse( x509_csr *csr, const unsigned char *buf, size_t buflen )
260{
261 int ret;
262#if defined(POLARSSL_PEM_PARSE_C)
263 size_t use_len;
264 pem_context pem;
265#endif
266
267 /*
268 * Check for valid input
269 */
270 if( csr == NULL || buf == NULL )
271 return( POLARSSL_ERR_X509_BAD_INPUT_DATA );
272
273#if defined(POLARSSL_PEM_PARSE_C)
274 pem_init( &pem );
275 ret = pem_read_buffer( &pem,
276 "-----BEGIN CERTIFICATE REQUEST-----",
277 "-----END CERTIFICATE REQUEST-----",
278 buf, NULL, 0, &use_len );
279
280 if( ret == 0 )
281 {
282 /*
283 * Was PEM encoded, parse the result
284 */
285 if( ( ret = x509_csr_parse_der( csr, pem.buf, pem.buflen ) ) != 0 )
286 return( ret );
287
288 pem_free( &pem );
289 return( 0 );
290 }
291 else if( ret != POLARSSL_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
292 {
293 pem_free( &pem );
294 return( ret );
295 }
296 else
297#endif /* POLARSSL_PEM_PARSE_C */
298 return( x509_csr_parse_der( csr, buf, buflen ) );
299}
300
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]301#if defined(POLARSSL_FS_IO)
302/*
303 * Load a CSR into the structure
304 */
Paul Bakkerddf26b42013-09-18 13:46:23 +0200[diff] [blame]305int x509_csr_parse_file( x509_csr *csr, const char *path )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]306{
307 int ret;
308 size_t n;
309 unsigned char *buf;
310
Manuel Pégourié-Gonnard9439f932014-11-21 09:49:43 +0100[diff] [blame]311 if( ( ret = pk_load_file( path, &buf, &n ) ) != 0 )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]312 return( ret );
313
Paul Bakkerddf26b42013-09-18 13:46:23 +0200[diff] [blame]314 ret = x509_csr_parse( csr, buf, n );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]315
Paul Bakker34617722014-06-13 17:20:13 +0200[diff] [blame]316 polarssl_zeroize( buf, n + 1 );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]317 polarssl_free( buf );
318
319 return( ret );
320}
321#endif /* POLARSSL_FS_IO */
322
Paul Bakker6edcd412013-10-29 15:22:54 +0100[diff] [blame]323#if defined(_MSC_VER) && !defined snprintf && !defined(EFIX64) && \
324 !defined(EFI32)
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]325#include <stdarg.h>
326
327#if !defined vsnprintf
328#define vsnprintf _vsnprintf
329#endif // vsnprintf
330
331/*
332 * Windows _snprintf and _vsnprintf are not compatible to linux versions.
333 * Result value is not size of buffer needed, but -1 if no fit is possible.
334 *
335 * This fuction tries to 'fix' this by at least suggesting enlarging the
336 * size by 20.
337 */
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]338static int compat_snprintf( char *str, size_t size, const char *format, ... )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]339{
340 va_list ap;
341 int res = -1;
342
343 va_start( ap, format );
344
345 res = vsnprintf( str, size, format, ap );
346
347 va_end( ap );
348
349 // No quick fix possible
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]350 if( res < 0 )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]351 return( (int) size + 20 );
352
Paul Bakkerd8bb8262014-06-17 14:06:49 +0200[diff] [blame]353 return( res );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]354}
355
356#define snprintf compat_snprintf
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]357#endif /* _MSC_VER && !snprintf && !EFIX64 && !EFI32 */
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]358
359#define POLARSSL_ERR_DEBUG_BUF_TOO_SMALL -2
360
Paul Bakkerd8bb8262014-06-17 14:06:49 +0200[diff] [blame]361#define SAFE_SNPRINTF() \
362{ \
363 if( ret == -1 ) \
364 return( -1 ); \
365 \
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]366 if( (unsigned int) ret > n ) { \
Paul Bakkerd8bb8262014-06-17 14:06:49 +0200[diff] [blame]367 p[n - 1] = '\0'; \
368 return( POLARSSL_ERR_DEBUG_BUF_TOO_SMALL ); \
369 } \
370 \
371 n -= (unsigned int) ret; \
372 p += (unsigned int) ret; \
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]373}
374
375#define BEFORE_COLON 14
376#define BC "14"
377/*
378 * Return an informational string about the CSR.
379 */
Paul Bakkerddf26b42013-09-18 13:46:23 +0200[diff] [blame]380int x509_csr_info( char *buf, size_t size, const char *prefix,
381 const x509_csr *csr )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]382{
383 int ret;
384 size_t n;
385 char *p;
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]386 char key_size_str[BEFORE_COLON];
387
388 p = buf;
389 n = size;
390
391 ret = snprintf( p, n, "%sCSR version : %d",
392 prefix, csr->version );
393 SAFE_SNPRINTF();
394
395 ret = snprintf( p, n, "\n%ssubject name : ", prefix );
396 SAFE_SNPRINTF();
Paul Bakker86d0c192013-09-18 11:11:02 +0200[diff] [blame]397 ret = x509_dn_gets( p, n, &csr->subject );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]398 SAFE_SNPRINTF();
399
400 ret = snprintf( p, n, "\n%ssigned using : ", prefix );
401 SAFE_SNPRINTF();
402
Manuel Pégourié-Gonnard91136032014-06-05 15:41:39 +0200[diff] [blame]403 ret = x509_sig_alg_gets( p, n, &csr->sig_oid, csr->sig_pk, csr->sig_md,
Manuel Pégourié-Gonnardbf696d02014-06-05 17:07:30 +0200[diff] [blame]404 csr->sig_opts );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]405 SAFE_SNPRINTF();
406
407 if( ( ret = x509_key_size_helper( key_size_str, BEFORE_COLON,
408 pk_get_name( &csr->pk ) ) ) != 0 )
409 {
410 return( ret );
411 }
412
413 ret = snprintf( p, n, "\n%s%-" BC "s: %d bits\n", prefix, key_size_str,
414 (int) pk_get_size( &csr->pk ) );
415 SAFE_SNPRINTF();
416
417 return( (int) ( size - n ) );
418}
419
420/*
Paul Bakker369d2eb2013-09-18 11:58:25 +0200[diff] [blame]421 * Initialize a CSR
422 */
423void x509_csr_init( x509_csr *csr )
424{
425 memset( csr, 0, sizeof(x509_csr) );
426}
427
428/*
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]429 * Unallocate all CSR data
430 */
431void x509_csr_free( x509_csr *csr )
432{
433 x509_name *name_cur;
434 x509_name *name_prv;
435
436 if( csr == NULL )
437 return;
438
439 pk_free( &csr->pk );
440
Manuel Pégourié-Gonnardd1539b12014-06-06 16:42:37 +0200[diff] [blame]441#if defined(POLARSSL_X509_RSASSA_PSS_SUPPORT)
Manuel Pégourié-Gonnardf75f2f72014-06-05 15:14:28 +0200[diff] [blame]442 polarssl_free( csr->sig_opts );
443#endif
444
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]445 name_cur = csr->subject.next;
446 while( name_cur != NULL )
447 {
448 name_prv = name_cur;
449 name_cur = name_cur->next;
Paul Bakker34617722014-06-13 17:20:13 +0200[diff] [blame]450 polarssl_zeroize( name_prv, sizeof( x509_name ) );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]451 polarssl_free( name_prv );
452 }
453
454 if( csr->raw.p != NULL )
455 {
Paul Bakker34617722014-06-13 17:20:13 +0200[diff] [blame]456 polarssl_zeroize( csr->raw.p, csr->raw.len );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]457 polarssl_free( csr->raw.p );
458 }
459
Paul Bakker34617722014-06-13 17:20:13 +0200[diff] [blame]460 polarssl_zeroize( csr, sizeof( x509_csr ) );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]461}
462
463#endif /* POLARSSL_X509_CSR_PARSE_C */