TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 6df09578bb7b6340c3a402a9a698a40eb6385356 / . / library / x509_csr.c
blob: bdadec3e3790c6a0c95bdebb9be58c13c6595d38 [file] [log] [blame]
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]1/*
2 * X.509 Certificate Signing Request (CSR) parsing
3 *
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]4 * Copyright (C) 2006-2014, Brainspark B.V.
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]5 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
7 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
8 *
9 * All rights reserved.
10 *
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25/*
26 * The ITU-T X.509 standard defines a certificate format for PKI.
27 *
28 * http://www.ietf.org/rfc/rfc3279.txt
29 * http://www.ietf.org/rfc/rfc3280.txt
30 *
31 * ftp://ftp.rsasecurity.com/pub/pkcs/ascii/pkcs-1v2.asc
32 *
33 * http://www.itu.int/ITU-T/studygroups/com17/languages/X.680-0207.pdf
34 * http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf
35 */
36
37#include "polarssl/config.h"
38
39#if defined(POLARSSL_X509_CSR_PARSE_C)
40
41#include "polarssl/x509_csr.h"
42#include "polarssl/oid.h"
43#if defined(POLARSSL_PEM_PARSE_C)
44#include "polarssl/pem.h"
45#endif
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]46
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]47#if defined(POLARSSL_PLATFORM_C)
48#include "polarssl/platform.h"
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]49#else
50#define polarssl_malloc malloc
51#define polarssl_free free
52#endif
53
54#include <string.h>
55#include <stdlib.h>
56
Paul Bakkerfa6a6202013-10-28 18:48:30 +0100[diff] [blame]57#if defined(POLARSSL_FS_IO) || defined(EFIX64) || defined(EFI32)
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]58#include <stdio.h>
59#endif
60
61/*
62 * Version ::= INTEGER { v1(0) }
63 */
64static int x509_csr_get_version( unsigned char **p,
65 const unsigned char *end,
66 int *ver )
67{
68 int ret;
69
70 if( ( ret = asn1_get_int( p, end, ver ) ) != 0 )
71 {
72 if( ret == POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
73 {
74 *ver = 0;
75 return( 0 );
76 }
77
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]78 return( POLARSSL_ERR_X509_INVALID_VERSION + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]79 }
80
81 return( 0 );
82}
83
84/*
85 * Parse a CSR
86 */
Paul Bakkerddf26b42013-09-18 13:46:23 +0200[diff] [blame]87int x509_csr_parse( x509_csr *csr, const unsigned char *buf, size_t buflen )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]88{
89 int ret;
90 size_t len;
91 unsigned char *p, *end;
Manuel Pégourié-Gonnard41cae8e2014-01-24 18:47:17 +0100[diff] [blame]92 x509_buf sig_params;
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]93#if defined(POLARSSL_PEM_PARSE_C)
94 size_t use_len;
95 pem_context pem;
96#endif
97
98 /*
99 * Check for valid input
100 */
101 if( csr == NULL || buf == NULL )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]102 return( POLARSSL_ERR_X509_BAD_INPUT_DATA );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]103
Paul Bakker369d2eb2013-09-18 11:58:25 +0200[diff] [blame]104 x509_csr_init( csr );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]105
106#if defined(POLARSSL_PEM_PARSE_C)
107 pem_init( &pem );
108 ret = pem_read_buffer( &pem,
109 "-----BEGIN CERTIFICATE REQUEST-----",
110 "-----END CERTIFICATE REQUEST-----",
111 buf, NULL, 0, &use_len );
112
113 if( ret == 0 )
114 {
115 /*
Manuel Pégourié-Gonnard7c593632014-01-20 10:27:13 +0100[diff] [blame]116 * Was PEM encoded, steal PEM buffer
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]117 */
118 p = pem.buf;
119 pem.buf = NULL;
120 len = pem.buflen;
121 pem_free( &pem );
122 }
123 else if( ret != POLARSSL_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
124 {
125 pem_free( &pem );
126 return( ret );
127 }
128 else
129#endif
130 {
131 /*
132 * nope, copy the raw DER data
133 */
134 p = (unsigned char *) polarssl_malloc( len = buflen );
135
136 if( p == NULL )
137 return( POLARSSL_ERR_X509_MALLOC_FAILED );
138
139 memcpy( p, buf, buflen );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]140 }
141
142 csr->raw.p = p;
143 csr->raw.len = len;
144 end = p + len;
145
146 /*
147 * CertificationRequest ::= SEQUENCE {
148 * certificationRequestInfo CertificationRequestInfo,
149 * signatureAlgorithm AlgorithmIdentifier,
150 * signature BIT STRING
151 * }
152 */
153 if( ( ret = asn1_get_tag( &p, end, &len,
154 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
155 {
156 x509_csr_free( csr );
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]157 return( POLARSSL_ERR_X509_INVALID_FORMAT );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]158 }
159
160 if( len != (size_t) ( end - p ) )
161 {
162 x509_csr_free( csr );
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]163 return( POLARSSL_ERR_X509_INVALID_FORMAT +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]164 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
165 }
166
167 /*
168 * CertificationRequestInfo ::= SEQUENCE {
169 */
170 csr->cri.p = p;
171
172 if( ( ret = asn1_get_tag( &p, end, &len,
173 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
174 {
175 x509_csr_free( csr );
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]176 return( POLARSSL_ERR_X509_INVALID_FORMAT + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]177 }
178
179 end = p + len;
180 csr->cri.len = end - csr->cri.p;
181
182 /*
183 * Version ::= INTEGER { v1(0) }
184 */
185 if( ( ret = x509_csr_get_version( &p, end, &csr->version ) ) != 0 )
186 {
187 x509_csr_free( csr );
188 return( ret );
189 }
190
191 csr->version++;
192
193 if( csr->version != 1 )
194 {
195 x509_csr_free( csr );
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]196 return( POLARSSL_ERR_X509_UNKNOWN_VERSION );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]197 }
198
199 /*
200 * subject Name
201 */
202 csr->subject_raw.p = p;
203
204 if( ( ret = asn1_get_tag( &p, end, &len,
205 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
206 {
207 x509_csr_free( csr );
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]208 return( POLARSSL_ERR_X509_INVALID_FORMAT + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]209 }
210
211 if( ( ret = x509_get_name( &p, p + len, &csr->subject ) ) != 0 )
212 {
213 x509_csr_free( csr );
214 return( ret );
215 }
216
217 csr->subject_raw.len = p - csr->subject_raw.p;
218
219 /*
220 * subjectPKInfo SubjectPublicKeyInfo
221 */
Paul Bakkerda771152013-09-16 22:45:03 +0200[diff] [blame]222 if( ( ret = pk_parse_subpubkey( &p, end, &csr->pk ) ) != 0 )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]223 {
224 x509_csr_free( csr );
225 return( ret );
226 }
227
228 /*
229 * attributes [0] Attributes
230 */
231 if( ( ret = asn1_get_tag( &p, end, &len,
232 ASN1_CONSTRUCTED | ASN1_CONTEXT_SPECIFIC ) ) != 0 )
233 {
234 x509_csr_free( csr );
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]235 return( POLARSSL_ERR_X509_INVALID_FORMAT + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]236 }
237 // TODO Parse Attributes / extension requests
238
239 p += len;
240
241 end = csr->raw.p + csr->raw.len;
242
243 /*
244 * signatureAlgorithm AlgorithmIdentifier,
245 * signature BIT STRING
246 */
Manuel Pégourié-Gonnard41cae8e2014-01-24 18:47:17 +0100[diff] [blame]247 if( ( ret = x509_get_alg( &p, end, &csr->sig_oid, &sig_params ) ) != 0 )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]248 {
249 x509_csr_free( csr );
250 return( ret );
251 }
252
Manuel Pégourié-Gonnard5cac5832014-01-24 19:28:43 +0100[diff] [blame]253 if( ( ret = x509_get_sig_alg( &csr->sig_oid, &sig_params,
254 &csr->sig_md, &csr->sig_pk ) ) != 0 )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]255 {
256 x509_csr_free( csr );
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]257 return( POLARSSL_ERR_X509_UNKNOWN_SIG_ALG );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]258 }
259
Manuel Pégourié-Gonnard41cae8e2014-01-24 18:47:17 +0100[diff] [blame]260#if defined(POLARSSL_RSASSA_PSS_CERTIFICATES)
Manuel Pégourié-Gonnard5cac5832014-01-24 19:28:43 +0100[diff] [blame]261 memcpy( &csr->sig_params, &sig_params, sizeof( x509_buf ) );
Manuel Pégourié-Gonnard41cae8e2014-01-24 18:47:17 +0100[diff] [blame]262#endif
Manuel Pégourié-Gonnard41cae8e2014-01-24 18:47:17 +0100[diff] [blame]263
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]264 if( ( ret = x509_get_sig( &p, end, &csr->sig ) ) != 0 )
265 {
266 x509_csr_free( csr );
267 return( ret );
268 }
269
270 if( p != end )
271 {
272 x509_csr_free( csr );
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]273 return( POLARSSL_ERR_X509_INVALID_FORMAT +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]274 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
275 }
276
277 return( 0 );
278}
279
280#if defined(POLARSSL_FS_IO)
281/*
282 * Load a CSR into the structure
283 */
Paul Bakkerddf26b42013-09-18 13:46:23 +0200[diff] [blame]284int x509_csr_parse_file( x509_csr *csr, const char *path )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]285{
286 int ret;
287 size_t n;
288 unsigned char *buf;
289
290 if ( ( ret = x509_load_file( path, &buf, &n ) ) != 0 )
291 return( ret );
292
Paul Bakkerddf26b42013-09-18 13:46:23 +0200[diff] [blame]293 ret = x509_csr_parse( csr, buf, n );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]294
295 memset( buf, 0, n + 1 );
296 polarssl_free( buf );
297
298 return( ret );
299}
300#endif /* POLARSSL_FS_IO */
301
Paul Bakker6edcd412013-10-29 15:22:54 +0100[diff] [blame]302#if defined(_MSC_VER) && !defined snprintf && !defined(EFIX64) && \
303 !defined(EFI32)
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]304#include <stdarg.h>
305
306#if !defined vsnprintf
307#define vsnprintf _vsnprintf
308#endif // vsnprintf
309
310/*
311 * Windows _snprintf and _vsnprintf are not compatible to linux versions.
312 * Result value is not size of buffer needed, but -1 if no fit is possible.
313 *
314 * This fuction tries to 'fix' this by at least suggesting enlarging the
315 * size by 20.
316 */
317static int compat_snprintf(char *str, size_t size, const char *format, ...)
318{
319 va_list ap;
320 int res = -1;
321
322 va_start( ap, format );
323
324 res = vsnprintf( str, size, format, ap );
325
326 va_end( ap );
327
328 // No quick fix possible
329 if ( res < 0 )
330 return( (int) size + 20 );
331
332 return res;
333}
334
335#define snprintf compat_snprintf
336#endif
337
338#define POLARSSL_ERR_DEBUG_BUF_TOO_SMALL -2
339
340#define SAFE_SNPRINTF() \
341{ \
342 if( ret == -1 ) \
343 return( -1 ); \
344 \
345 if ( (unsigned int) ret > n ) { \
346 p[n - 1] = '\0'; \
347 return POLARSSL_ERR_DEBUG_BUF_TOO_SMALL;\
348 } \
349 \
350 n -= (unsigned int) ret; \
351 p += (unsigned int) ret; \
352}
353
354#define BEFORE_COLON 14
355#define BC "14"
356/*
357 * Return an informational string about the CSR.
358 */
Paul Bakkerddf26b42013-09-18 13:46:23 +0200[diff] [blame]359int x509_csr_info( char *buf, size_t size, const char *prefix,
360 const x509_csr *csr )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]361{
362 int ret;
363 size_t n;
364 char *p;
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]365 char key_size_str[BEFORE_COLON];
Manuel Pégourié-Gonnard27b93ad2014-01-25 11:50:59 +0100[diff] [blame]366#if defined(POLARSSL_RSASSA_PSS_CERTIFICATES)
367 const x509_buf *sig_params = &csr->sig_params;
368#else
369 const x509_buf *sig_params = NULL;
370#endif
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]371
372 p = buf;
373 n = size;
374
375 ret = snprintf( p, n, "%sCSR version : %d",
376 prefix, csr->version );
377 SAFE_SNPRINTF();
378
379 ret = snprintf( p, n, "\n%ssubject name : ", prefix );
380 SAFE_SNPRINTF();
Paul Bakker86d0c192013-09-18 11:11:02 +0200[diff] [blame]381 ret = x509_dn_gets( p, n, &csr->subject );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]382 SAFE_SNPRINTF();
383
384 ret = snprintf( p, n, "\n%ssigned using : ", prefix );
385 SAFE_SNPRINTF();
386
Manuel Pégourié-Gonnard27b93ad2014-01-25 11:50:59 +0100[diff] [blame]387 ret = x509_sig_alg_gets( p, n, &csr->sig_oid, csr->sig_pk, sig_params );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]388 SAFE_SNPRINTF();
389
390 if( ( ret = x509_key_size_helper( key_size_str, BEFORE_COLON,
391 pk_get_name( &csr->pk ) ) ) != 0 )
392 {
393 return( ret );
394 }
395
396 ret = snprintf( p, n, "\n%s%-" BC "s: %d bits\n", prefix, key_size_str,
397 (int) pk_get_size( &csr->pk ) );
398 SAFE_SNPRINTF();
399
400 return( (int) ( size - n ) );
401}
402
403/*
Paul Bakker369d2eb2013-09-18 11:58:25 +0200[diff] [blame]404 * Initialize a CSR
405 */
406void x509_csr_init( x509_csr *csr )
407{
408 memset( csr, 0, sizeof(x509_csr) );
409}
410
411/*
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]412 * Unallocate all CSR data
413 */
414void x509_csr_free( x509_csr *csr )
415{
416 x509_name *name_cur;
417 x509_name *name_prv;
418
419 if( csr == NULL )
420 return;
421
422 pk_free( &csr->pk );
423
424 name_cur = csr->subject.next;
425 while( name_cur != NULL )
426 {
427 name_prv = name_cur;
428 name_cur = name_cur->next;
429 memset( name_prv, 0, sizeof( x509_name ) );
430 polarssl_free( name_prv );
431 }
432
433 if( csr->raw.p != NULL )
434 {
435 memset( csr->raw.p, 0, csr->raw.len );
436 polarssl_free( csr->raw.p );
437 }
438
439 memset( csr, 0, sizeof( x509_csr ) );
440}
441
442#endif /* POLARSSL_X509_CSR_PARSE_C */