TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 91aaba0172dfa1c740bc67a12bc201bad4cd509c / . / library / x509write.c
blob: 5628c29efc231a8ec6e7038d9b819d3824f5c518 [file] [log] [blame]
Andrzej Kurekc508dc22023-07-07 08:20:02 -0400[diff] [blame]1/*
2 * X.509 internal, common functions for writing
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 */
19#include "common.h"
20#if defined(MBEDTLS_X509_CSR_WRITE_C) || defined(MBEDTLS_X509_CRT_WRITE_C)
21
22#include "mbedtls/x509_crt.h"
23#include "mbedtls/asn1write.h"
24#include "mbedtls/error.h"
25#include "mbedtls/oid.h"
26#include "mbedtls/platform.h"
27#include "mbedtls/platform_util.h"
Andrzej Kurekc508dc22023-07-07 08:20:02 -0400[diff] [blame]28
29#include <string.h>
30#include <stdint.h>
31
32#if defined(MBEDTLS_PEM_WRITE_C)
33#include "mbedtls/pem.h"
34#endif /* MBEDTLS_PEM_WRITE_C */
35
36#if defined(MBEDTLS_USE_PSA_CRYPTO)
37#include "psa/crypto.h"
38#include "mbedtls/psa_util.h"
39#include "md_psa.h"
40#endif /* MBEDTLS_USE_PSA_CRYPTO */
41
42#define CHECK_OVERFLOW_ADD(a, b) \
43 do \
44 { \
45 if (a > SIZE_MAX - (b)) \
46 { \
47 return MBEDTLS_ERR_X509_BAD_INPUT_DATA; \
48 } \
49 a += b; \
50 } while (0)
51
52int mbedtls_x509_write_set_san_common(mbedtls_asn1_named_data **extensions,
53 const mbedtls_x509_san_list *san_list)
54{
55 int ret = 0;
56 const mbedtls_x509_san_list *cur;
57 unsigned char *buf;
58 unsigned char *p;
59 size_t len;
60 size_t buflen = 0;
61
62 /* Determine the maximum size of the SubjectAltName list */
63 for (cur = san_list; cur != NULL; cur = cur->next) {
64 /* Calculate size of the required buffer */
65 switch (cur->node.type) {
66 case MBEDTLS_X509_SAN_DNS_NAME:
67 case MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER:
68 case MBEDTLS_X509_SAN_IP_ADDRESS:
69 case MBEDTLS_X509_SAN_RFC822_NAME:
70 /* length of value for each name entry,
71 * maximum 4 bytes for the length field,
72 * 1 byte for the tag/type.
73 */
74 CHECK_OVERFLOW_ADD(buflen, cur->node.san.unstructured_name.len);
75 CHECK_OVERFLOW_ADD(buflen, 4 + 1);
76 break;
77 case MBEDTLS_X509_SAN_DIRECTORY_NAME:
78 {
79 const mbedtls_asn1_named_data *chunk = &cur->node.san.directory_name;
80 while (chunk != NULL) {
81 // Max 4 bytes for length, +1 for tag,
82 // additional 4 max for length, +1 for tag.
83 // See x509_write_name for more information.
84 CHECK_OVERFLOW_ADD(buflen, 4 + 1 + 4 + 1);
85 CHECK_OVERFLOW_ADD(buflen, chunk->oid.len);
86 CHECK_OVERFLOW_ADD(buflen, chunk->val.len);
87 chunk = chunk->next;
88 }
89 CHECK_OVERFLOW_ADD(buflen, 4 + 1);
90 break;
91 }
92 default:
93 /* Not supported - return. */
94 return MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE;
95 }
96 }
97
98 /* Add the extra length field and tag */
99 CHECK_OVERFLOW_ADD(buflen, 4 + 1);
100
101 /* Allocate buffer */
102 buf = mbedtls_calloc(1, buflen);
103 if (buf == NULL) {
104 return MBEDTLS_ERR_ASN1_ALLOC_FAILED;
105 }
106 p = buf + buflen;
107
108 /* Write ASN.1-based structure */
109 cur = san_list;
110 len = 0;
111 while (cur != NULL) {
112 size_t single_san_len = 0;
113 switch (cur->node.type) {
114 case MBEDTLS_X509_SAN_DNS_NAME:
115 case MBEDTLS_X509_SAN_RFC822_NAME:
116 case MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER:
117 case MBEDTLS_X509_SAN_IP_ADDRESS:
118 {
119 const unsigned char *unstructured_name =
120 (const unsigned char *) cur->node.san.unstructured_name.p;
121 size_t unstructured_name_len = cur->node.san.unstructured_name.len;
122
123 MBEDTLS_ASN1_CHK_CLEANUP_ADD(single_san_len,
124 mbedtls_asn1_write_raw_buffer(
125 &p, buf,
126 unstructured_name, unstructured_name_len));
127 MBEDTLS_ASN1_CHK_CLEANUP_ADD(single_san_len, mbedtls_asn1_write_len(
128 &p, buf, unstructured_name_len));
129 MBEDTLS_ASN1_CHK_CLEANUP_ADD(single_san_len,
130 mbedtls_asn1_write_tag(
131 &p, buf,
132 MBEDTLS_ASN1_CONTEXT_SPECIFIC | cur->node.type));
133 }
134 break;
135 case MBEDTLS_X509_SAN_DIRECTORY_NAME:
136 MBEDTLS_ASN1_CHK_CLEANUP_ADD(single_san_len,
137 mbedtls_x509_write_names(&p, buf,
138 (mbedtls_asn1_named_data *) &
139 cur->node
140 .san.directory_name));
141 MBEDTLS_ASN1_CHK_CLEANUP_ADD(single_san_len,
142 mbedtls_asn1_write_len(&p, buf, single_san_len));
143 MBEDTLS_ASN1_CHK_CLEANUP_ADD(single_san_len,
144 mbedtls_asn1_write_tag(&p, buf,
145 MBEDTLS_ASN1_CONTEXT_SPECIFIC |
146 MBEDTLS_ASN1_CONSTRUCTED |
147 MBEDTLS_X509_SAN_DIRECTORY_NAME));
148 break;
149 default:
150 /* Error out on an unsupported SAN */
151 ret = MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE;
152 goto cleanup;
153 }
154 cur = cur->next;
155 /* check for overflow */
156 if (len > SIZE_MAX - single_san_len) {
157 ret = MBEDTLS_ERR_X509_BAD_INPUT_DATA;
158 goto cleanup;
159 }
160 len += single_san_len;
161 }
162
163 MBEDTLS_ASN1_CHK_CLEANUP_ADD(len, mbedtls_asn1_write_len(&p, buf, len));
164 MBEDTLS_ASN1_CHK_CLEANUP_ADD(len,
165 mbedtls_asn1_write_tag(&p, buf,
166 MBEDTLS_ASN1_CONSTRUCTED |
167 MBEDTLS_ASN1_SEQUENCE));
168
169 ret = mbedtls_x509_set_extension(extensions,
170 MBEDTLS_OID_SUBJECT_ALT_NAME,
171 MBEDTLS_OID_SIZE(MBEDTLS_OID_SUBJECT_ALT_NAME),
172 0,
173 buf + buflen - len, len);
174
175 /* If we exceeded the allocated buffer it means that maximum size of the SubjectAltName list
176 * was incorrectly calculated and memory is corrupted. */
177 if (p < buf) {
178 ret = MBEDTLS_ERR_ASN1_LENGTH_MISMATCH;
179 }
180cleanup:
181 mbedtls_free(buf);
182 return ret;
183}
184
185#endif /* MBEDTLS_X509_CSR_WRITE_C || MBEDTLS_X509_CRT_WRITE_C */