TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / c305b72ed1d54955b81a5a8ad402cc5c05cdacdd / . / include / mbedtls / x509_csr.h
blob: a0f1278e2a01fd079761e00d0aca0b9c605013fd [file] [log] [blame]
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]1/**
Simon Butcher5b331b92016-01-03 16:14:14 +0000[diff] [blame]2 * \file x509_csr.h
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]3 *
4 * \brief X.509 certificate signing request parsing and writing
Darryl Greena40a1012018-01-05 15:33:17 +0000[diff] [blame]5 */
6/*
Bence Szépkúti1e148272020-08-07 13:07:28 +0200[diff] [blame]7 * Copyright The Mbed TLS Contributors
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]8 * SPDX-License-Identifier: Apache-2.0
9 *
10 * Licensed under the Apache License, Version 2.0 (the "License"); you may
11 * not use this file except in compliance with the License.
12 * You may obtain a copy of the License at
13 *
14 * http://www.apache.org/licenses/LICENSE-2.0
15 *
16 * Unless required by applicable law or agreed to in writing, software
17 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
18 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
19 * See the License for the specific language governing permissions and
20 * limitations under the License.
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]21 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]22#ifndef MBEDTLS_X509_CSR_H
23#define MBEDTLS_X509_CSR_H
Mateusz Starzyk846f0212021-05-19 19:44:07 +0200[diff] [blame]24#include "mbedtls/private_access.h"
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]25
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]26#if !defined(MBEDTLS_CONFIG_FILE)
Jaeden Amero6609aef2019-07-04 20:01:14 +0100[diff] [blame]27#include "mbedtls/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]28#else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]29#include MBEDTLS_CONFIG_FILE
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]30#endif
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]31
Jaeden Amero6609aef2019-07-04 20:01:14 +0100[diff] [blame]32#include "mbedtls/x509.h"
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]33
34#ifdef __cplusplus
35extern "C" {
36#endif
37
38/**
39 * \addtogroup x509_module
40 * \{ */
41
42/**
43 * \name Structures and functions for X.509 Certificate Signing Requests (CSR)
44 * \{
45 */
46
47/**
48 * Certificate Signing Request (CSR) structure.
49 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]50typedef struct mbedtls_x509_csr
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]51{
Mateusz Starzyk846f0212021-05-19 19:44:07 +0200[diff] [blame]52 mbedtls_x509_buf MBEDTLS_PRIVATE(raw); /**< The raw CSR data (DER). */
53 mbedtls_x509_buf MBEDTLS_PRIVATE(cri); /**< The raw CertificateRequestInfo body (DER). */
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]54
Mateusz Starzyk846f0212021-05-19 19:44:07 +0200[diff] [blame]55 int MBEDTLS_PRIVATE(version); /**< CSR version (1=v1). */
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]56
Mateusz Starzyk846f0212021-05-19 19:44:07 +0200[diff] [blame]57 mbedtls_x509_buf MBEDTLS_PRIVATE(subject_raw); /**< The raw subject data (DER). */
58 mbedtls_x509_name MBEDTLS_PRIVATE(subject); /**< The parsed subject data (named information object). */
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]59
Mateusz Starzyk846f0212021-05-19 19:44:07 +0200[diff] [blame]60 mbedtls_pk_context MBEDTLS_PRIVATE(pk); /**< Container for the public key context. */
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]61
Mateusz Starzyk846f0212021-05-19 19:44:07 +0200[diff] [blame]62 mbedtls_x509_buf MBEDTLS_PRIVATE(sig_oid);
63 mbedtls_x509_buf MBEDTLS_PRIVATE(sig);
64 mbedtls_md_type_t MBEDTLS_PRIVATE(sig_md); /**< Internal representation of the MD algorithm of the signature algorithm, e.g. MBEDTLS_MD_SHA256 */
65 mbedtls_pk_type_t MBEDTLS_PRIVATE(sig_pk); /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA */
66 void *MBEDTLS_PRIVATE(sig_opts); /**< Signature options to be passed to mbedtls_pk_verify_ext(), e.g. for RSASSA-PSS */
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]67}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]68mbedtls_x509_csr;
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]69
70/**
71 * Container for writing a CSR
72 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]73typedef struct mbedtls_x509write_csr
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]74{
Mateusz Starzyk846f0212021-05-19 19:44:07 +0200[diff] [blame]75 mbedtls_pk_context *MBEDTLS_PRIVATE(key);
76 mbedtls_asn1_named_data *MBEDTLS_PRIVATE(subject);
77 mbedtls_md_type_t MBEDTLS_PRIVATE(md_alg);
78 mbedtls_asn1_named_data *MBEDTLS_PRIVATE(extensions);
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]79}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]80mbedtls_x509write_csr;
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]81
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]82#if defined(MBEDTLS_X509_CSR_PARSE_C)
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]83/**
Manuel Pégourié-Gonnardf3b47242014-06-16 18:06:48 +0200[diff] [blame]84 * \brief Load a Certificate Signing Request (CSR) in DER format
85 *
Manuel Pégourié-Gonnard986bbf22016-02-24 14:36:05 +0000[diff] [blame]86 * \note CSR attributes (if any) are currently silently ignored.
87 *
Manuel Pégourié-Gonnardf3b47242014-06-16 18:06:48 +0200[diff] [blame]88 * \param csr CSR context to fill
89 * \param buf buffer holding the CRL data
90 * \param buflen size of the buffer
91 *
92 * \return 0 if successful, or a specific X509 error code
93 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]94int mbedtls_x509_csr_parse_der( mbedtls_x509_csr *csr,
Manuel Pégourié-Gonnardf3b47242014-06-16 18:06:48 +0200[diff] [blame]95 const unsigned char *buf, size_t buflen );
96
97/**
98 * \brief Load a Certificate Signing Request (CSR), DER or PEM format
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]99 *
Manuel Pégourié-Gonnard986bbf22016-02-24 14:36:05 +0000[diff] [blame]100 * \note See notes for \c mbedtls_x509_csr_parse_der()
101 *
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]102 * \param csr CSR context to fill
103 * \param buf buffer holding the CRL data
104 * \param buflen size of the buffer
Manuel Pégourié-Gonnard43b37cb2015-05-12 11:20:10 +0200[diff] [blame]105 * (including the terminating null byte for PEM data)
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]106 *
107 * \return 0 if successful, or a specific X509 or PEM error code
108 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]109int mbedtls_x509_csr_parse( mbedtls_x509_csr *csr, const unsigned char *buf, size_t buflen );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]110
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]111#if defined(MBEDTLS_FS_IO)
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]112/**
113 * \brief Load a Certificate Signing Request (CSR)
114 *
Manuel Pégourié-Gonnard986bbf22016-02-24 14:36:05 +0000[diff] [blame]115 * \note See notes for \c mbedtls_x509_csr_parse()
116 *
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]117 * \param csr CSR context to fill
118 * \param path filename to read the CSR from
119 *
120 * \return 0 if successful, or a specific X509 or PEM error code
121 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]122int mbedtls_x509_csr_parse_file( mbedtls_x509_csr *csr, const char *path );
123#endif /* MBEDTLS_FS_IO */
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]124
Hanno Becker612a2f12020-10-09 09:19:39 +0100[diff] [blame]125#if !defined(MBEDTLS_X509_REMOVE_INFO)
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]126/**
127 * \brief Returns an informational string about the
128 * CSR.
129 *
130 * \param buf Buffer to write to
131 * \param size Maximum size of buffer
132 * \param prefix A line prefix
133 * \param csr The X509 CSR to represent
134 *
Manuel Pégourié-Gonnarde244f9f2015-06-23 12:10:45 +0200[diff] [blame]135 * \return The length of the string written (not including the
136 * terminated nul byte), or a negative error code.
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]137 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]138int mbedtls_x509_csr_info( char *buf, size_t size, const char *prefix,
139 const mbedtls_x509_csr *csr );
Hanno Becker88c2bf32019-06-14 17:21:24 +0100[diff] [blame]140#endif /* !MBEDTLS_X509_REMOVE_INFO */
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]141
142/**
Paul Bakker369d2eb2013-09-18 11:58:25 +0200[diff] [blame]143 * \brief Initialize a CSR
144 *
145 * \param csr CSR to initialize
146 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]147void mbedtls_x509_csr_init( mbedtls_x509_csr *csr );
Paul Bakker369d2eb2013-09-18 11:58:25 +0200[diff] [blame]148
149/**
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]150 * \brief Unallocate all CSR data
151 *
152 * \param csr CSR to free
153 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]154void mbedtls_x509_csr_free( mbedtls_x509_csr *csr );
155#endif /* MBEDTLS_X509_CSR_PARSE_C */
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]156
157/* \} name */
158/* \} addtogroup x509_module */
159
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]160#if defined(MBEDTLS_X509_CSR_WRITE_C)
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]161/**
162 * \brief Initialize a CSR context
163 *
164 * \param ctx CSR context to initialize
165 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]166void mbedtls_x509write_csr_init( mbedtls_x509write_csr *ctx );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]167
168/**
169 * \brief Set the subject name for a CSR
170 * Subject names should contain a comma-separated list
171 * of OID types and values:
Manuel Pégourié-Gonnardb4fe3cb2015-01-22 16:11:05 +0000[diff] [blame]172 * e.g. "C=UK,O=ARM,CN=mbed TLS Server 1"
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]173 *
174 * \param ctx CSR context to use
175 * \param subject_name subject name to set
176 *
177 * \return 0 if subject name was parsed successfully, or
178 * a specific error code
179 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]180int mbedtls_x509write_csr_set_subject_name( mbedtls_x509write_csr *ctx,
Paul Bakker50dc8502013-10-28 21:19:10 +0100[diff] [blame]181 const char *subject_name );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]182
183/**
184 * \brief Set the key for a CSR (public key will be included,
185 * private key used to sign the CSR when writing it)
186 *
187 * \param ctx CSR context to use
188 * \param key Asymetric key to include
189 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]190void mbedtls_x509write_csr_set_key( mbedtls_x509write_csr *ctx, mbedtls_pk_context *key );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]191
192/**
193 * \brief Set the MD algorithm to use for the signature
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]194 * (e.g. MBEDTLS_MD_SHA1)
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]195 *
196 * \param ctx CSR context to use
197 * \param md_alg MD algorithm to use
198 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]199void mbedtls_x509write_csr_set_md_alg( mbedtls_x509write_csr *ctx, mbedtls_md_type_t md_alg );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]200
201/**
202 * \brief Set the Key Usage Extension flags
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]203 * (e.g. MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_KEY_CERT_SIGN)
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]204 *
205 * \param ctx CSR context to use
206 * \param key_usage key usage flags to set
207 *
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +0200[diff] [blame]208 * \return 0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED
Andres Amaya Garciad8233f72018-10-08 19:44:55 +0100[diff] [blame]209 *
210 * \note The <code>decipherOnly</code> flag from the Key Usage
211 * extension is represented by bit 8 (i.e.
212 * <code>0x8000</code>), which cannot typically be represented
213 * in an unsigned char. Therefore, the flag
214 * <code>decipherOnly</code> (i.e.
215 * #MBEDTLS_X509_KU_DECIPHER_ONLY) cannot be set using this
216 * function.
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]217 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]218int mbedtls_x509write_csr_set_key_usage( mbedtls_x509write_csr *ctx, unsigned char key_usage );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]219
220/**
221 * \brief Set the Netscape Cert Type flags
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]222 * (e.g. MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT | MBEDTLS_X509_NS_CERT_TYPE_EMAIL)
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]223 *
224 * \param ctx CSR context to use
225 * \param ns_cert_type Netscape Cert Type flags to set
226 *
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +0200[diff] [blame]227 * \return 0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]228 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]229int mbedtls_x509write_csr_set_ns_cert_type( mbedtls_x509write_csr *ctx,
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]230 unsigned char ns_cert_type );
231
232/**
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]233 * \brief Generic function to add to or replace an extension in the
234 * CSR
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]235 *
236 * \param ctx CSR context to use
237 * \param oid OID of the extension
238 * \param oid_len length of the OID
Christoph Reiter95273f42021-01-21 13:31:23 +0100[diff] [blame]239 * \param critical Set to 1 to mark the extension as critical, 0 otherwise.
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]240 * \param val value of the extension OCTET STRING
241 * \param val_len length of the value data
242 *
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +0200[diff] [blame]243 * \return 0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]244 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]245int mbedtls_x509write_csr_set_extension( mbedtls_x509write_csr *ctx,
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]246 const char *oid, size_t oid_len,
Christoph Reiter95273f42021-01-21 13:31:23 +0100[diff] [blame]247 int critical,
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]248 const unsigned char *val, size_t val_len );
249
250/**
251 * \brief Free the contents of a CSR context
252 *
253 * \param ctx CSR context to free
254 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]255void mbedtls_x509write_csr_free( mbedtls_x509write_csr *ctx );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]256
257/**
258 * \brief Write a CSR (Certificate Signing Request) to a
259 * DER structure
260 * Note: data is written at the end of the buffer! Use the
261 * return value to determine where you should start
262 * using the buffer
263 *
264 * \param ctx CSR to write away
265 * \param buf buffer to write to
266 * \param size size of the buffer
Manuel Pégourié-Gonnardc305b722021-06-15 11:29:26 +0200[diff] [blame^]267 * \param f_rng RNG function. This must not be \c NULL.
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]268 * \param p_rng RNG parameter
269 *
270 * \return length of data written if successful, or a specific
271 * error code
272 *
Manuel Pégourié-Gonnardc305b722021-06-15 11:29:26 +0200[diff] [blame^]273 * \note \p f_rng is used for the signature operation.
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]274 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]275int mbedtls_x509write_csr_der( mbedtls_x509write_csr *ctx, unsigned char *buf, size_t size,
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]276 int (*f_rng)(void *, unsigned char *, size_t),
277 void *p_rng );
278
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]279#if defined(MBEDTLS_PEM_WRITE_C)
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]280/**
281 * \brief Write a CSR (Certificate Signing Request) to a
282 * PEM string
283 *
284 * \param ctx CSR to write away
285 * \param buf buffer to write to
286 * \param size size of the buffer
Manuel Pégourié-Gonnardc305b722021-06-15 11:29:26 +0200[diff] [blame^]287 * \param f_rng RNG function. This must not be \c NULL.
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]288 * \param p_rng RNG parameter
289 *
Manuel Pégourié-Gonnard81abefd2015-05-29 12:53:47 +0200[diff] [blame]290 * \return 0 if successful, or a specific error code
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]291 *
Manuel Pégourié-Gonnardc305b722021-06-15 11:29:26 +0200[diff] [blame^]292 * \note \p f_rng is used for the signature operation.
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]293 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]294int mbedtls_x509write_csr_pem( mbedtls_x509write_csr *ctx, unsigned char *buf, size_t size,
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]295 int (*f_rng)(void *, unsigned char *, size_t),
296 void *p_rng );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]297#endif /* MBEDTLS_PEM_WRITE_C */
298#endif /* MBEDTLS_X509_CSR_WRITE_C */
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]299
300#ifdef __cplusplus
301}
302#endif
303
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]304#endif /* mbedtls_x509_csr.h */