TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 449bd8303eed8164b83682d2ce028dca0e49b1fa / . / include / mbedtls / x509_csr.h
blob: 50998c42b2656e5c9879316c14dd6f1344f91bfc [file] [log] [blame]
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]1/**
Simon Butcher5b331b92016-01-03 16:14:14 +0000[diff] [blame]2 * \file x509_csr.h
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]3 *
4 * \brief X.509 certificate signing request parsing and writing
Darryl Greena40a1012018-01-05 15:33:17 +0000[diff] [blame]5 */
6/*
Bence Szépkúti1e148272020-08-07 13:07:28 +0200[diff] [blame]7 * Copyright The Mbed TLS Contributors
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]8 * SPDX-License-Identifier: Apache-2.0
9 *
10 * Licensed under the Apache License, Version 2.0 (the "License"); you may
11 * not use this file except in compliance with the License.
12 * You may obtain a copy of the License at
13 *
14 * http://www.apache.org/licenses/LICENSE-2.0
15 *
16 * Unless required by applicable law or agreed to in writing, software
17 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
18 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
19 * See the License for the specific language governing permissions and
20 * limitations under the License.
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]21 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]22#ifndef MBEDTLS_X509_CSR_H
23#define MBEDTLS_X509_CSR_H
Mateusz Starzyk846f0212021-05-19 19:44:07 +0200[diff] [blame]24#include "mbedtls/private_access.h"
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]25
Bence Szépkútic662b362021-05-27 11:25:03 +0200[diff] [blame]26#include "mbedtls/build_info.h"
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]27
Jaeden Amero6609aef2019-07-04 20:01:14 +0100[diff] [blame]28#include "mbedtls/x509.h"
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]29
30#ifdef __cplusplus
31extern "C" {
32#endif
33
34/**
35 * \addtogroup x509_module
36 * \{ */
37
38/**
39 * \name Structures and functions for X.509 Certificate Signing Requests (CSR)
40 * \{
41 */
42
43/**
44 * Certificate Signing Request (CSR) structure.
Gilles Peskine842edf42021-08-04 21:56:10 +0200[diff] [blame]45 *
46 * Some fields of this structure are publicly readable. Do not modify
47 * them except via Mbed TLS library functions: the effect of modifying
Gilles Peskine44ffc792021-08-31 22:59:35 +0200[diff] [blame]48 * those fields or the data that those fields point to is unspecified.
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]49 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame^]50typedef struct mbedtls_x509_csr {
Gilles Peskine842edf42021-08-04 21:56:10 +0200[diff] [blame]51 mbedtls_x509_buf raw; /**< The raw CSR data (DER). */
52 mbedtls_x509_buf cri; /**< The raw CertificateRequestInfo body (DER). */
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]53
Gilles Peskine842edf42021-08-04 21:56:10 +0200[diff] [blame]54 int version; /**< CSR version (1=v1). */
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]55
Gilles Peskine842edf42021-08-04 21:56:10 +0200[diff] [blame]56 mbedtls_x509_buf subject_raw; /**< The raw subject data (DER). */
57 mbedtls_x509_name subject; /**< The parsed subject data (named information object). */
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]58
Gilles Peskine842edf42021-08-04 21:56:10 +0200[diff] [blame]59 mbedtls_pk_context pk; /**< Container for the public key context. */
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]60
Gilles Peskine842edf42021-08-04 21:56:10 +0200[diff] [blame]61 mbedtls_x509_buf sig_oid;
Mateusz Starzyk846f0212021-05-19 19:44:07 +0200[diff] [blame]62 mbedtls_x509_buf MBEDTLS_PRIVATE(sig);
63 mbedtls_md_type_t MBEDTLS_PRIVATE(sig_md); /**< Internal representation of the MD algorithm of the signature algorithm, e.g. MBEDTLS_MD_SHA256 */
64 mbedtls_pk_type_t MBEDTLS_PRIVATE(sig_pk); /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA */
65 void *MBEDTLS_PRIVATE(sig_opts); /**< Signature options to be passed to mbedtls_pk_verify_ext(), e.g. for RSASSA-PSS */
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]66}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]67mbedtls_x509_csr;
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]68
69/**
70 * Container for writing a CSR
71 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame^]72typedef struct mbedtls_x509write_csr {
Mateusz Starzyk846f0212021-05-19 19:44:07 +0200[diff] [blame]73 mbedtls_pk_context *MBEDTLS_PRIVATE(key);
74 mbedtls_asn1_named_data *MBEDTLS_PRIVATE(subject);
75 mbedtls_md_type_t MBEDTLS_PRIVATE(md_alg);
76 mbedtls_asn1_named_data *MBEDTLS_PRIVATE(extensions);
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]77}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]78mbedtls_x509write_csr;
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]79
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]80#if defined(MBEDTLS_X509_CSR_PARSE_C)
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]81/**
Manuel Pégourié-Gonnardf3b47242014-06-16 18:06:48 +0200[diff] [blame]82 * \brief Load a Certificate Signing Request (CSR) in DER format
83 *
Manuel Pégourié-Gonnard986bbf22016-02-24 14:36:05 +0000[diff] [blame]84 * \note CSR attributes (if any) are currently silently ignored.
85 *
Manuel Pégourié-Gonnardf3b47242014-06-16 18:06:48 +0200[diff] [blame]86 * \param csr CSR context to fill
87 * \param buf buffer holding the CRL data
88 * \param buflen size of the buffer
89 *
90 * \return 0 if successful, or a specific X509 error code
91 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame^]92int mbedtls_x509_csr_parse_der(mbedtls_x509_csr *csr,
93 const unsigned char *buf, size_t buflen);
Manuel Pégourié-Gonnardf3b47242014-06-16 18:06:48 +0200[diff] [blame]94
95/**
96 * \brief Load a Certificate Signing Request (CSR), DER or PEM format
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]97 *
Manuel Pégourié-Gonnard986bbf22016-02-24 14:36:05 +0000[diff] [blame]98 * \note See notes for \c mbedtls_x509_csr_parse_der()
99 *
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]100 * \param csr CSR context to fill
101 * \param buf buffer holding the CRL data
102 * \param buflen size of the buffer
Manuel Pégourié-Gonnard43b37cb2015-05-12 11:20:10 +0200[diff] [blame]103 * (including the terminating null byte for PEM data)
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]104 *
105 * \return 0 if successful, or a specific X509 or PEM error code
106 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame^]107int mbedtls_x509_csr_parse(mbedtls_x509_csr *csr, const unsigned char *buf, size_t buflen);
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]108
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]109#if defined(MBEDTLS_FS_IO)
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]110/**
111 * \brief Load a Certificate Signing Request (CSR)
112 *
Manuel Pégourié-Gonnard986bbf22016-02-24 14:36:05 +0000[diff] [blame]113 * \note See notes for \c mbedtls_x509_csr_parse()
114 *
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]115 * \param csr CSR context to fill
116 * \param path filename to read the CSR from
117 *
118 * \return 0 if successful, or a specific X509 or PEM error code
119 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame^]120int mbedtls_x509_csr_parse_file(mbedtls_x509_csr *csr, const char *path);
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]121#endif /* MBEDTLS_FS_IO */
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]122
Hanno Becker612a2f12020-10-09 09:19:39 +0100[diff] [blame]123#if !defined(MBEDTLS_X509_REMOVE_INFO)
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]124/**
125 * \brief Returns an informational string about the
126 * CSR.
127 *
128 * \param buf Buffer to write to
129 * \param size Maximum size of buffer
130 * \param prefix A line prefix
131 * \param csr The X509 CSR to represent
132 *
Manuel Pégourié-Gonnarde244f9f2015-06-23 12:10:45 +0200[diff] [blame]133 * \return The length of the string written (not including the
134 * terminated nul byte), or a negative error code.
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]135 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame^]136int mbedtls_x509_csr_info(char *buf, size_t size, const char *prefix,
137 const mbedtls_x509_csr *csr);
Hanno Becker88c2bf32019-06-14 17:21:24 +0100[diff] [blame]138#endif /* !MBEDTLS_X509_REMOVE_INFO */
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]139
140/**
Paul Bakker369d2eb2013-09-18 11:58:25 +0200[diff] [blame]141 * \brief Initialize a CSR
142 *
143 * \param csr CSR to initialize
144 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame^]145void mbedtls_x509_csr_init(mbedtls_x509_csr *csr);
Paul Bakker369d2eb2013-09-18 11:58:25 +0200[diff] [blame]146
147/**
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]148 * \brief Unallocate all CSR data
149 *
150 * \param csr CSR to free
151 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame^]152void mbedtls_x509_csr_free(mbedtls_x509_csr *csr);
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]153#endif /* MBEDTLS_X509_CSR_PARSE_C */
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]154
Andrzej Kurek38d4fdd2021-12-28 16:22:52 +0100[diff] [blame]155/** \} name Structures and functions for X.509 Certificate Signing Requests (CSR) */
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]156
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]157#if defined(MBEDTLS_X509_CSR_WRITE_C)
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]158/**
159 * \brief Initialize a CSR context
160 *
161 * \param ctx CSR context to initialize
162 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame^]163void mbedtls_x509write_csr_init(mbedtls_x509write_csr *ctx);
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]164
165/**
166 * \brief Set the subject name for a CSR
167 * Subject names should contain a comma-separated list
168 * of OID types and values:
Manuel Pégourié-Gonnardb4fe3cb2015-01-22 16:11:05 +0000[diff] [blame]169 * e.g. "C=UK,O=ARM,CN=mbed TLS Server 1"
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]170 *
171 * \param ctx CSR context to use
172 * \param subject_name subject name to set
173 *
174 * \return 0 if subject name was parsed successfully, or
175 * a specific error code
176 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame^]177int mbedtls_x509write_csr_set_subject_name(mbedtls_x509write_csr *ctx,
178 const char *subject_name);
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]179
180/**
181 * \brief Set the key for a CSR (public key will be included,
182 * private key used to sign the CSR when writing it)
183 *
184 * \param ctx CSR context to use
Shaun Case8b0ecbc2021-12-20 21:14:10 -0800[diff] [blame]185 * \param key Asymmetric key to include
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]186 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame^]187void mbedtls_x509write_csr_set_key(mbedtls_x509write_csr *ctx, mbedtls_pk_context *key);
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]188
189/**
190 * \brief Set the MD algorithm to use for the signature
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]191 * (e.g. MBEDTLS_MD_SHA1)
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]192 *
193 * \param ctx CSR context to use
194 * \param md_alg MD algorithm to use
195 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame^]196void mbedtls_x509write_csr_set_md_alg(mbedtls_x509write_csr *ctx, mbedtls_md_type_t md_alg);
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]197
198/**
199 * \brief Set the Key Usage Extension flags
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]200 * (e.g. MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_KEY_CERT_SIGN)
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]201 *
202 * \param ctx CSR context to use
203 * \param key_usage key usage flags to set
204 *
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +0200[diff] [blame]205 * \return 0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED
Andres Amaya Garciad8233f72018-10-08 19:44:55 +0100[diff] [blame]206 *
207 * \note The <code>decipherOnly</code> flag from the Key Usage
208 * extension is represented by bit 8 (i.e.
209 * <code>0x8000</code>), which cannot typically be represented
210 * in an unsigned char. Therefore, the flag
211 * <code>decipherOnly</code> (i.e.
212 * #MBEDTLS_X509_KU_DECIPHER_ONLY) cannot be set using this
213 * function.
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]214 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame^]215int mbedtls_x509write_csr_set_key_usage(mbedtls_x509write_csr *ctx, unsigned char key_usage);
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]216
217/**
218 * \brief Set the Netscape Cert Type flags
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]219 * (e.g. MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT | MBEDTLS_X509_NS_CERT_TYPE_EMAIL)
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]220 *
221 * \param ctx CSR context to use
222 * \param ns_cert_type Netscape Cert Type flags to set
223 *
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +0200[diff] [blame]224 * \return 0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]225 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame^]226int mbedtls_x509write_csr_set_ns_cert_type(mbedtls_x509write_csr *ctx,
227 unsigned char ns_cert_type);
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]228
229/**
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]230 * \brief Generic function to add to or replace an extension in the
231 * CSR
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]232 *
233 * \param ctx CSR context to use
234 * \param oid OID of the extension
235 * \param oid_len length of the OID
Christoph Reiter95273f42021-01-21 13:31:23 +0100[diff] [blame]236 * \param critical Set to 1 to mark the extension as critical, 0 otherwise.
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]237 * \param val value of the extension OCTET STRING
238 * \param val_len length of the value data
239 *
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +0200[diff] [blame]240 * \return 0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]241 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame^]242int mbedtls_x509write_csr_set_extension(mbedtls_x509write_csr *ctx,
243 const char *oid, size_t oid_len,
244 int critical,
245 const unsigned char *val, size_t val_len);
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]246
247/**
248 * \brief Free the contents of a CSR context
249 *
250 * \param ctx CSR context to free
251 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame^]252void mbedtls_x509write_csr_free(mbedtls_x509write_csr *ctx);
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]253
254/**
255 * \brief Write a CSR (Certificate Signing Request) to a
256 * DER structure
257 * Note: data is written at the end of the buffer! Use the
258 * return value to determine where you should start
259 * using the buffer
260 *
261 * \param ctx CSR to write away
262 * \param buf buffer to write to
263 * \param size size of the buffer
Manuel Pégourié-Gonnardc305b722021-06-15 11:29:26 +0200[diff] [blame]264 * \param f_rng RNG function. This must not be \c NULL.
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]265 * \param p_rng RNG parameter
266 *
267 * \return length of data written if successful, or a specific
268 * error code
269 *
Manuel Pégourié-Gonnardc305b722021-06-15 11:29:26 +0200[diff] [blame]270 * \note \p f_rng is used for the signature operation.
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]271 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame^]272int mbedtls_x509write_csr_der(mbedtls_x509write_csr *ctx, unsigned char *buf, size_t size,
273 int (*f_rng)(void *, unsigned char *, size_t),
274 void *p_rng);
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]275
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]276#if defined(MBEDTLS_PEM_WRITE_C)
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]277/**
278 * \brief Write a CSR (Certificate Signing Request) to a
279 * PEM string
280 *
281 * \param ctx CSR to write away
282 * \param buf buffer to write to
283 * \param size size of the buffer
Manuel Pégourié-Gonnardc305b722021-06-15 11:29:26 +0200[diff] [blame]284 * \param f_rng RNG function. This must not be \c NULL.
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]285 * \param p_rng RNG parameter
286 *
Manuel Pégourié-Gonnard81abefd2015-05-29 12:53:47 +0200[diff] [blame]287 * \return 0 if successful, or a specific error code
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]288 *
Manuel Pégourié-Gonnardc305b722021-06-15 11:29:26 +0200[diff] [blame]289 * \note \p f_rng is used for the signature operation.
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]290 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame^]291int mbedtls_x509write_csr_pem(mbedtls_x509write_csr *ctx, unsigned char *buf, size_t size,
292 int (*f_rng)(void *, unsigned char *, size_t),
293 void *p_rng);
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]294#endif /* MBEDTLS_PEM_WRITE_C */
295#endif /* MBEDTLS_X509_CSR_WRITE_C */
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]296
Andrzej Kureka0defed2021-12-30 12:33:31 +0100[diff] [blame]297/** \} addtogroup x509_module */
298
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]299#ifdef __cplusplus
300}
301#endif
302
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]303#endif /* mbedtls_x509_csr.h */