TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / a658a4051b03ad7d17b3c8d976af2d1caa5e8281 / . / library / x509_create.c
blob: 95d52ab2d7ad8a27ab8e9e4bb1787ba9235ee79f [file] [log] [blame]
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]1/*
2 * X.509 base functions for creating certificates / CSRs
3 *
Manuel Pégourié-Gonnarda658a402015-01-23 09:45:19 +0000[diff] [blame^]4 * Copyright (C) 2006-2014, ARM Limited, All Rights Reserved
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]5 *
Manuel Pégourié-Gonnard967a2a52015-01-22 14:28:16 +0000[diff] [blame]6 * This file is part of mbed TLS (http://www.polarssl.org)
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]7 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
8 *
9 * All rights reserved.
10 *
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]26#if !defined(POLARSSL_CONFIG_FILE)
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]27#include "polarssl/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]28#else
29#include POLARSSL_CONFIG_FILE
30#endif
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]31
32#if defined(POLARSSL_X509_CREATE_C)
33
34#include "polarssl/x509.h"
35#include "polarssl/asn1write.h"
36#include "polarssl/oid.h"
37
Paul Bakker6edcd412013-10-29 15:22:54 +0100[diff] [blame]38#if defined(_MSC_VER) && !defined strncasecmp && !defined(EFIX64) && \
39 !defined(EFI32)
Paul Bakker7b0be682013-10-29 14:24:37 +0100[diff] [blame]40#define strncasecmp _strnicmp
41#endif
42
Manuel Pégourié-Gonnardf3e5c222014-06-12 11:06:36 +0200[diff] [blame]43typedef struct {
44 const char *name;
45 size_t name_len;
46 const char*oid;
47} x509_attr_descriptor_t;
48
49#define ADD_STRLEN( s ) s, sizeof( s ) - 1
50
51static const x509_attr_descriptor_t x509_attrs[] =
52{
53 { ADD_STRLEN( "CN" ), OID_AT_CN },
54 { ADD_STRLEN( "commonName" ), OID_AT_CN },
55 { ADD_STRLEN( "C" ), OID_AT_COUNTRY },
56 { ADD_STRLEN( "countryName" ), OID_AT_COUNTRY },
57 { ADD_STRLEN( "O" ), OID_AT_ORGANIZATION },
58 { ADD_STRLEN( "organizationName" ), OID_AT_ORGANIZATION },
59 { ADD_STRLEN( "L" ), OID_AT_LOCALITY },
60 { ADD_STRLEN( "locality" ), OID_AT_LOCALITY },
61 { ADD_STRLEN( "R" ), OID_PKCS9_EMAIL },
62 { ADD_STRLEN( "OU" ), OID_AT_ORG_UNIT },
63 { ADD_STRLEN( "organizationalUnitName" ), OID_AT_ORG_UNIT },
64 { ADD_STRLEN( "ST" ), OID_AT_STATE },
65 { ADD_STRLEN( "stateOrProvinceName" ), OID_AT_STATE },
66 { ADD_STRLEN( "emailAddress" ), OID_PKCS9_EMAIL },
67 { ADD_STRLEN( "serialNumber" ), OID_AT_SERIAL_NUMBER },
68 { ADD_STRLEN( "postalAddress" ), OID_AT_POSTAL_ADDRESS },
69 { ADD_STRLEN( "postalCode" ), OID_AT_POSTAL_CODE },
70 { ADD_STRLEN( "dnQualifier" ), OID_AT_DN_QUALIFIER },
71 { ADD_STRLEN( "title" ), OID_AT_TITLE },
72 { ADD_STRLEN( "surName" ), OID_AT_SUR_NAME },
73 { ADD_STRLEN( "SN" ), OID_AT_SUR_NAME },
74 { ADD_STRLEN( "givenName" ), OID_AT_GIVEN_NAME },
75 { ADD_STRLEN( "GN" ), OID_AT_GIVEN_NAME },
76 { ADD_STRLEN( "initials" ), OID_AT_INITIALS },
77 { ADD_STRLEN( "pseudonym" ), OID_AT_PSEUDONYM },
78 { ADD_STRLEN( "generationQualifier" ), OID_AT_GENERATION_QUALIFIER },
79 { ADD_STRLEN( "domainComponent" ), OID_DOMAIN_COMPONENT },
80 { ADD_STRLEN( "DC" ), OID_DOMAIN_COMPONENT },
81 { NULL, 0, NULL }
82};
83
84static const char *x509_at_oid_from_name( const char *name, size_t name_len )
85{
86 const x509_attr_descriptor_t *cur;
87
88 for( cur = x509_attrs; cur->name != NULL; cur++ )
89 if( cur->name_len == name_len &&
90 strncasecmp( cur->name, name, name_len ) == 0 )
91 break;
92
93 return( cur->oid );
94}
95
Paul Bakker50dc8502013-10-28 21:19:10 +0100[diff] [blame]96int x509_string_to_names( asn1_named_data **head, const char *name )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]97{
98 int ret = 0;
Paul Bakker50dc8502013-10-28 21:19:10 +0100[diff] [blame]99 const char *s = name, *c = s;
100 const char *end = s + strlen( s );
Paul Bakkerfcc17212013-10-11 09:36:52 +0200[diff] [blame]101 const char *oid = NULL;
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]102 int in_tag = 1;
Paul Bakker8dcb2d72014-08-08 12:22:30 +0200[diff] [blame]103 char data[X509_MAX_DN_NAME_SIZE];
104 char *d = data;
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]105
106 /* Clear existing chain if present */
107 asn1_free_named_data_list( head );
108
109 while( c <= end )
110 {
111 if( in_tag && *c == '=' )
112 {
Manuel Pégourié-Gonnardf3e5c222014-06-12 11:06:36 +0200[diff] [blame]113 if( ( oid = x509_at_oid_from_name( s, c - s ) ) == NULL )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]114 {
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]115 ret = POLARSSL_ERR_X509_UNKNOWN_OID;
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]116 goto exit;
117 }
118
119 s = c + 1;
120 in_tag = 0;
Paul Bakker8dcb2d72014-08-08 12:22:30 +0200[diff] [blame]121 d = data;
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]122 }
123
Paul Bakker8dcb2d72014-08-08 12:22:30 +0200[diff] [blame]124 if( !in_tag && *c == '\\' && c != end )
125 {
126 c++;
127
128 /* Check for valid escaped characters */
129 if( c == end || *c != ',' )
130 {
131 ret = POLARSSL_ERR_X509_INVALID_NAME;
132 goto exit;
133 }
134 }
135 else if( !in_tag && ( *c == ',' || c == end ) )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]136 {
Paul Bakkera9c16d22014-04-17 12:42:18 +0200[diff] [blame]137 if( asn1_store_named_data( head, oid, strlen( oid ),
Paul Bakker8dcb2d72014-08-08 12:22:30 +0200[diff] [blame]138 (unsigned char *) data,
139 d - data ) == NULL )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]140 {
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]141 return( POLARSSL_ERR_X509_MALLOC_FAILED );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]142 }
143
144 while( c < end && *(c + 1) == ' ' )
145 c++;
146
147 s = c + 1;
148 in_tag = 1;
149 }
Paul Bakker8dcb2d72014-08-08 12:22:30 +0200[diff] [blame]150
151 if( !in_tag && s != c + 1 )
152 {
153 *(d++) = *c;
154
155 if( d - data == X509_MAX_DN_NAME_SIZE )
156 {
157 ret = POLARSSL_ERR_X509_INVALID_NAME;
158 goto exit;
159 }
160 }
161
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]162 c++;
163 }
164
165exit:
166
167 return( ret );
168}
169
170/* The first byte of the value in the asn1_named_data structure is reserved
171 * to store the critical boolean for us
172 */
173int x509_set_extension( asn1_named_data **head, const char *oid, size_t oid_len,
174 int critical, const unsigned char *val, size_t val_len )
175{
176 asn1_named_data *cur;
177
178 if( ( cur = asn1_store_named_data( head, oid, oid_len,
179 NULL, val_len + 1 ) ) == NULL )
180 {
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]181 return( POLARSSL_ERR_X509_MALLOC_FAILED );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]182 }
183
184 cur->val.p[0] = critical;
185 memcpy( cur->val.p + 1, val, val_len );
186
187 return( 0 );
188}
189
190/*
191 * RelativeDistinguishedName ::=
192 * SET OF AttributeTypeAndValue
193 *
194 * AttributeTypeAndValue ::= SEQUENCE {
195 * type AttributeType,
196 * value AttributeValue }
197 *
198 * AttributeType ::= OBJECT IDENTIFIER
199 *
200 * AttributeValue ::= ANY DEFINED BY AttributeType
201 */
202static int x509_write_name( unsigned char **p, unsigned char *start,
203 const char *oid, size_t oid_len,
204 const unsigned char *name, size_t name_len )
205{
206 int ret;
207 size_t len = 0;
208
209 // Write PrintableString for all except OID_PKCS9_EMAIL
210 //
211 if( OID_SIZE( OID_PKCS9_EMAIL ) == oid_len &&
212 memcmp( oid, OID_PKCS9_EMAIL, oid_len ) == 0 )
213 {
214 ASN1_CHK_ADD( len, asn1_write_ia5_string( p, start,
215 (const char *) name,
216 name_len ) );
217 }
218 else
219 {
220 ASN1_CHK_ADD( len, asn1_write_printable_string( p, start,
221 (const char *) name,
222 name_len ) );
223 }
224
225 // Write OID
226 //
227 ASN1_CHK_ADD( len, asn1_write_oid( p, start, oid, oid_len ) );
228
229 ASN1_CHK_ADD( len, asn1_write_len( p, start, len ) );
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]230 ASN1_CHK_ADD( len, asn1_write_tag( p, start, ASN1_CONSTRUCTED |
231 ASN1_SEQUENCE ) );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]232
233 ASN1_CHK_ADD( len, asn1_write_len( p, start, len ) );
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]234 ASN1_CHK_ADD( len, asn1_write_tag( p, start, ASN1_CONSTRUCTED |
235 ASN1_SET ) );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]236
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200[diff] [blame]237 return( (int) len );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]238}
239
240int x509_write_names( unsigned char **p, unsigned char *start,
241 asn1_named_data *first )
242{
243 int ret;
244 size_t len = 0;
245 asn1_named_data *cur = first;
246
247 while( cur != NULL )
248 {
249 ASN1_CHK_ADD( len, x509_write_name( p, start, (char *) cur->oid.p,
250 cur->oid.len,
251 cur->val.p, cur->val.len ) );
252 cur = cur->next;
253 }
254
255 ASN1_CHK_ADD( len, asn1_write_len( p, start, len ) );
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]256 ASN1_CHK_ADD( len, asn1_write_tag( p, start, ASN1_CONSTRUCTED |
257 ASN1_SEQUENCE ) );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]258
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200[diff] [blame]259 return( (int) len );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]260}
261
262int x509_write_sig( unsigned char **p, unsigned char *start,
263 const char *oid, size_t oid_len,
264 unsigned char *sig, size_t size )
265{
266 int ret;
267 size_t len = 0;
268
269 if( *p - start < (int) size + 1 )
270 return( POLARSSL_ERR_ASN1_BUF_TOO_SMALL );
271
272 len = size;
273 (*p) -= len;
274 memcpy( *p, sig, len );
275
276 *--(*p) = 0;
277 len += 1;
278
279 ASN1_CHK_ADD( len, asn1_write_len( p, start, len ) );
280 ASN1_CHK_ADD( len, asn1_write_tag( p, start, ASN1_BIT_STRING ) );
281
282 // Write OID
283 //
284 ASN1_CHK_ADD( len, asn1_write_algorithm_identifier( p, start, oid,
285 oid_len, 0 ) );
286
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200[diff] [blame]287 return( (int) len );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]288}
289
290static int x509_write_extension( unsigned char **p, unsigned char *start,
291 asn1_named_data *ext )
292{
293 int ret;
294 size_t len = 0;
295
296 ASN1_CHK_ADD( len, asn1_write_raw_buffer( p, start, ext->val.p + 1,
297 ext->val.len - 1 ) );
298 ASN1_CHK_ADD( len, asn1_write_len( p, start, ext->val.len - 1 ) );
299 ASN1_CHK_ADD( len, asn1_write_tag( p, start, ASN1_OCTET_STRING ) );
300
301 if( ext->val.p[0] != 0 )
302 {
303 ASN1_CHK_ADD( len, asn1_write_bool( p, start, 1 ) );
304 }
305
306 ASN1_CHK_ADD( len, asn1_write_raw_buffer( p, start, ext->oid.p,
307 ext->oid.len ) );
308 ASN1_CHK_ADD( len, asn1_write_len( p, start, ext->oid.len ) );
309 ASN1_CHK_ADD( len, asn1_write_tag( p, start, ASN1_OID ) );
310
311 ASN1_CHK_ADD( len, asn1_write_len( p, start, len ) );
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]312 ASN1_CHK_ADD( len, asn1_write_tag( p, start, ASN1_CONSTRUCTED |
313 ASN1_SEQUENCE ) );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]314
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200[diff] [blame]315 return( (int) len );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]316}
317
318/*
319 * Extension ::= SEQUENCE {
320 * extnID OBJECT IDENTIFIER,
321 * critical BOOLEAN DEFAULT FALSE,
322 * extnValue OCTET STRING
323 * -- contains the DER encoding of an ASN.1 value
324 * -- corresponding to the extension type identified
325 * -- by extnID
326 * }
327 */
328int x509_write_extensions( unsigned char **p, unsigned char *start,
329 asn1_named_data *first )
330{
331 int ret;
332 size_t len = 0;
333 asn1_named_data *cur_ext = first;
334
335 while( cur_ext != NULL )
336 {
337 ASN1_CHK_ADD( len, x509_write_extension( p, start, cur_ext ) );
338 cur_ext = cur_ext->next;
339 }
340
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200[diff] [blame]341 return( (int) len );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]342}
343
344#endif /* POLARSSL_X509_CREATE_C */