/*
2 * X.509 Certificate Signing Request writing
3 *
4 * Copyright (C) 2006-2013, Brainspark B.V.
5 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
7 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
8 *
9 * All rights reserved.
10 *
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25/*
26 * References:
27 * - CSRs: PKCS#10 v1.7 aka RFC 2986
28 * - attributes: PKCS#9 v2.0 aka RFC 2985
29 */
30
31#include "polarssl/config.h"
32
33#if defined(POLARSSL_X509_CSR_WRITE_C)
34
35#include "polarssl/x509_csr.h"
36#include "polarssl/oid.h"
37#include "polarssl/asn1write.h"
38
39#if defined(POLARSSL_PEM_WRITE_C)
40#include "polarssl/pem.h"
41#endif
42
43#include <string.h>
44#include <stdlib.h>
45
/*
 * Reset a CSR writing context to the empty state.
 *
 * Must be called before any other x509write_csr_* function is used on
 * ctx; afterwards no subject, extensions, key or digest are set.
 */
void x509write_csr_init( x509write_csr *ctx )
{
    memset( ctx, 0, sizeof( *ctx ) );
}
50
/*
 * Release everything owned by a CSR writing context.
 *
 * Frees the subject and extension name-data lists, then wipes the whole
 * structure so a stale context cannot be reused by accident. The key
 * attached with x509write_csr_set_key() is only referenced, never owned,
 * so it is left untouched here.
 */
void x509write_csr_free( x509write_csr *ctx )
{
    asn1_free_named_data_list( &ctx->extensions );
    asn1_free_named_data_list( &ctx->subject );

    memset( ctx, 0, sizeof( *ctx ) );
}
58
/*
 * Select the message digest used when the request is signed
 * (see x509write_csr_der()).
 *
 * No validation is performed here: an unsupported or disabled digest is
 * only noticed when the CSR is actually written.
 */
void x509write_csr_set_md_alg( x509write_csr *ctx, md_type_t md_alg )
{
    ctx->md_alg = md_alg;
}
63
/*
 * Attach the key pair for the request: its public part is embedded in the
 * CSR and its private part signs it.
 *
 * Only the pointer is stored. The key must stay valid until the CSR has
 * been written, and it is NOT released by x509write_csr_free().
 */
void x509write_csr_set_key( x509write_csr *ctx, pk_context *key )
{
    ctx->key = key;
}
68
/*
 * Set the subject Name of the request from a textual representation.
 *
 * The string is handed to x509_string_to_names(), which parses it into
 * ctx->subject (presumably a "C=..,O=..,CN=.." style string; see that
 * function for the accepted syntax). Returns 0 on success or the error
 * code of the parser.
 */
int x509write_csr_set_subject_name( x509write_csr *ctx, char *subject_name )
{
    int ret;

    ret = x509_string_to_names( &ctx->subject, subject_name );

    return( ret );
}
73
/*
 * Add (or replace) a generic extension in the request's extensionRequest
 * attribute.
 *
 * oid/oid_len identify the extension, val/val_len is its DER-encoded
 * value. The constant 0 passed to x509_set_extension() looks like the
 * critical flag, i.e. every extension is added as non-critical -- confirm
 * against x509_set_extension() before relying on that.
 *
 * Returns 0 on success or the error code of x509_set_extension().
 */
int x509write_csr_set_extension( x509write_csr *ctx,
                                 const char *oid, size_t oid_len,
                                 const unsigned char *val, size_t val_len )
{
    int ret;

    ret = x509_set_extension( &ctx->extensions, oid, oid_len,
                              0, val, val_len );

    return( ret );
}
81
/*
 * Add a KeyUsage extension (RFC 5280 4.2.1.3) to the request.
 *
 * key_usage is a bit mask (KU_* flags). It is encoded as a BIT STRING of
 * 7 bits, which with tag, length and unused-bits byte always occupies
 * exactly 4 bytes; any other length from asn1_write_bitstring() is an
 * error code and is passed straight back.
 *
 * NOTE(review): only 7 of the 9 KeyUsage bits are representable, and the
 * lowest bit of key_usage falls into the "unused" region of the BIT
 * STRING. Callers should leave it clear; whether asn1_write_bitstring()
 * masks it is not visible from this file.
 *
 * Returns 0 on success or a negative error code.
 */
int x509write_csr_set_key_usage( x509write_csr *ctx, unsigned char key_usage )
{
    unsigned char der[4];
    unsigned char *p = der + sizeof( der );
    int ret;

    ret = asn1_write_bitstring( &p, der, &key_usage, 7 );
    if( ret != 4 )
        return( ret );

    return( x509write_csr_set_extension( ctx, OID_KEY_USAGE,
                                         OID_SIZE( OID_KEY_USAGE ),
                                         der, sizeof( der ) ) );
}
101
/*
 * Add a Netscape Cert Type extension to the request.
 *
 * ns_cert_type is a bit mask (NS_CERT_TYPE_* flags), encoded as an 8-bit
 * BIT STRING; tag, length, unused-bits byte and data byte make exactly
 * 4 bytes, so any other return from asn1_write_bitstring() is an error
 * and is propagated unchanged.
 *
 * Returns 0 on success or a negative error code.
 */
int x509write_csr_set_ns_cert_type( x509write_csr *ctx,
                                    unsigned char ns_cert_type )
{
    unsigned char der[4];
    unsigned char *p = der + sizeof( der );
    int ret;

    ret = asn1_write_bitstring( &p, der, &ns_cert_type, 8 );
    if( ret != 4 )
        return( ret );

    return( x509write_csr_set_extension( ctx, OID_NS_CERT_TYPE,
                                         OID_SIZE( OID_NS_CERT_TYPE ),
                                         der, sizeof( der ) ) );
}
122
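/*
 * Write the request as a DER-encoded PKCS#10 CertificationRequest.
 *
 * Like the other asn1write-based writers this builds the encoding
 * backwards, so on success the DER data occupies the LAST len bytes of
 * buf (buf + size - len .. buf + size). x509write_csr_pem() relies on
 * that layout.
 *
 * f_rng/p_rng are passed to pk_sign() for signature schemes that need
 * randomness.
 *
 * Returns the length of the written DER data, or a negative
 * POLARSSL_ERR_* code (buffer too small, unknown digest, unsupported
 * pk/md combination, signing failure, ...). The to-be-signed data is
 * staged in a 2048-byte stack buffer; a request that does not fit fails
 * with POLARSSL_ERR_ASN1_BUF_TOO_SMALL through ASN1_CHK_ADD.
 */
int x509write_csr_der( x509write_csr *ctx, unsigned char *buf, size_t size,
                       int (*f_rng)(void *, unsigned char *, size_t),
                       void *p_rng )
{
    int ret;
    const char *sig_oid;
    size_t sig_oid_len = 0;
    unsigned char *c, *c2;
    unsigned char hash[64];
    unsigned char sig[POLARSSL_MPI_MAX_SIZE];
    unsigned char tmp_buf[2048];
    size_t pub_len = 0, sig_and_oid_len = 0, sig_len;
    size_t len = 0;
    pk_type_t pk_alg;

    /*
     * Prepare data to be signed in tmp_buf
     *
     * CertificationRequestInfo ::= SEQUENCE {
     *     version       INTEGER { v1(0) },
     *     subject       Name,
     *     subjectPKInfo SubjectPublicKeyInfo,
     *     attributes    [0] Attributes
     * }
     */
    c = tmp_buf + sizeof( tmp_buf );

    ASN1_CHK_ADD( len, x509_write_extensions( &c, tmp_buf, ctx->extensions ) );

    if( len )
    {
        /*
         * Wrap the extensions as the single value of a PKCS#9
         * extensionRequest attribute:
         *   SEQUENCE { OID, SET { SEQUENCE { Extension, ... } } }
         */
        ASN1_CHK_ADD( len, asn1_write_len( &c, tmp_buf, len ) );
        ASN1_CHK_ADD( len, asn1_write_tag( &c, tmp_buf, ASN1_CONSTRUCTED | ASN1_SEQUENCE ) );

        ASN1_CHK_ADD( len, asn1_write_len( &c, tmp_buf, len ) );
        ASN1_CHK_ADD( len, asn1_write_tag( &c, tmp_buf, ASN1_CONSTRUCTED | ASN1_SET ) );

        ASN1_CHK_ADD( len, asn1_write_oid( &c, tmp_buf, OID_PKCS9_CSR_EXT_REQ,
                                           OID_SIZE( OID_PKCS9_CSR_EXT_REQ ) ) );

        ASN1_CHK_ADD( len, asn1_write_len( &c, tmp_buf, len ) );
        ASN1_CHK_ADD( len, asn1_write_tag( &c, tmp_buf, ASN1_CONSTRUCTED | ASN1_SEQUENCE ) );
    }

    /* attributes [0] is always emitted, possibly empty */
    ASN1_CHK_ADD( len, asn1_write_len( &c, tmp_buf, len ) );
    ASN1_CHK_ADD( len, asn1_write_tag( &c, tmp_buf, ASN1_CONSTRUCTED | ASN1_CONTEXT_SPECIFIC ) );

    /* SubjectPublicKeyInfo goes into the free space below c */
    ASN1_CHK_ADD( pub_len, pk_write_pubkey_der( ctx->key,
                                                tmp_buf, c - tmp_buf ) );
    c -= pub_len;
    len += pub_len;

    /*
     * Subject ::= Name
     */
    ASN1_CHK_ADD( len, x509_write_names( &c, tmp_buf, ctx->subject ) );

    /*
     * Version ::= INTEGER { v1(0), v2(1), v3(2) }
     */
    ASN1_CHK_ADD( len, asn1_write_int( &c, tmp_buf, 0 ) );

    ASN1_CHK_ADD( len, asn1_write_len( &c, tmp_buf, len ) );
    ASN1_CHK_ADD( len, asn1_write_tag( &c, tmp_buf, ASN1_CONSTRUCTED | ASN1_SEQUENCE ) );

    /*
     * Prepare signature
     *
     * If ctx->md_alg is not a known/enabled digest, md_info_from_type()
     * yields NULL and md() reports an error without producing a digest.
     * That error must be honoured: otherwise the uninitialised hash[]
     * would be signed and a garbage (but well-formed) CSR emitted.
     */
    if( ( ret = md( md_info_from_type( ctx->md_alg ), c, len, hash ) ) != 0 )
        return( ret );

    pk_alg = pk_get_type( ctx->key );
    if( pk_alg == POLARSSL_PK_ECKEY )
        pk_alg = POLARSSL_PK_ECDSA;

    if( ( ret = pk_sign( ctx->key, ctx->md_alg, hash, 0, sig, &sig_len,
                         f_rng, p_rng ) ) != 0 ||
        ( ret = oid_get_oid_by_sig_alg( pk_alg, ctx->md_alg,
                                        &sig_oid, &sig_oid_len ) ) != 0 )
    {
        return( ret );
    }

    /*
     * Write data to output buffer
     */
    c2 = buf + size;
    ASN1_CHK_ADD( sig_and_oid_len, x509_write_sig( &c2, buf,
                                        sig_oid, sig_oid_len, sig, sig_len ) );

    /*
     * The memcpy below is the one write into buf that the asn1write
     * helpers do not bounds-check for us. Make sure the
     * CertificationRequestInfo fits in front of the signature, otherwise
     * c2 -= len would point before the start of buf.
     */
    if( len > (size_t) ( c2 - buf ) )
        return( POLARSSL_ERR_ASN1_BUF_TOO_SMALL );

    c2 -= len;
    memcpy( c2, c, len );

    len += sig_and_oid_len;
    ASN1_CHK_ADD( len, asn1_write_len( &c2, buf, len ) );
    ASN1_CHK_ADD( len, asn1_write_tag( &c2, buf, ASN1_CONSTRUCTED | ASN1_SEQUENCE ) );

    return( (int) len );
}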
214
215#define PEM_BEGIN_CSR "-----BEGIN CERTIFICATE REQUEST-----\n"
216#define PEM_END_CSR "-----END CERTIFICATE REQUEST-----\n"
217
218#if defined(POLARSSL_PEM_WRITE_C)
/*
 * Write the request as a PEM-encoded ("-----BEGIN CERTIFICATE REQUEST-----")
 * PKCS#10 CertificationRequest into buf.
 *
 * The DER form is first produced by x509write_csr_der() in a 4096-byte
 * stack buffer (larger requests fail with that function's buffer-too-small
 * error) and then base64/PEM armoured by pem_write_buffer(), which checks
 * that the result fits in size bytes.
 *
 * f_rng/p_rng are forwarded to the signing step.
 *
 * Returns 0 on success or a negative POLARSSL_ERR_* code.
 */
int x509write_csr_pem( x509write_csr *ctx, unsigned char *buf, size_t size,
                       int (*f_rng)(void *, unsigned char *, size_t),
                       void *p_rng )
{
    int ret;
    unsigned char der_buf[4096];
    const unsigned char *der;
    size_t olen = 0;

    ret = x509write_csr_der( ctx, der_buf, sizeof( der_buf ), f_rng, p_rng );
    if( ret < 0 )
        return( ret );

    /* x509write_csr_der() fills its buffer from the end: the DER data is
     * the last ret bytes of der_buf. */
    der = der_buf + sizeof( der_buf ) - ret;

    ret = pem_write_buffer( PEM_BEGIN_CSR, PEM_END_CSR, der, (size_t) ret,
                            buf, size, &olen );

    return( ret );
}
242#endif /* POLARSSL_PEM_WRITE_C */
243
244#endif /* POLARSSL_X509_CSR_WRITE_C */