TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 27f1caed0284c5e4e6245dafb30375f9567db87e / . / library / x509write_crt.c
blob: 15a1194ed7a951e7f2179efef8a0ce951a93cc3a [file] [log] [blame]
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]1/*
2 * X.509 certificate writing
3 *
4 * Copyright (C) 2006-2013, Brainspark B.V.
5 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
7 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
8 *
9 * All rights reserved.
10 *
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25/*
26 * References:
27 * - certificates: RFC 5280, updated by RFC 6818
28 * - CSRs: PKCS#10 v1.7 aka RFC 2986
29 * - attributes: PKCS#9 v2.0 aka RFC 2985
30 */
31
32#include "polarssl/config.h"
33
34#if defined(POLARSSL_X509_CRT_WRITE_C)
35
36#include "polarssl/x509_crt.h"
37#include "polarssl/oid.h"
38#include "polarssl/asn1write.h"
39#include "polarssl/sha1.h"
40
41#if defined(POLARSSL_PEM_WRITE_C)
42#include "polarssl/pem.h"
43#endif /* POLARSSL_PEM_WRITE_C */
44
45void x509write_crt_init( x509write_cert *ctx )
46{
47 memset( ctx, 0, sizeof(x509write_cert) );
48
49 mpi_init( &ctx->serial );
50 ctx->version = X509_CRT_VERSION_3;
51}
52
53void x509write_crt_free( x509write_cert *ctx )
54{
55 mpi_free( &ctx->serial );
56
57 asn1_free_named_data_list( &ctx->subject );
58 asn1_free_named_data_list( &ctx->issuer );
59 asn1_free_named_data_list( &ctx->extensions );
60
61 memset( ctx, 0, sizeof(x509write_cert) );
62}
63
Paul Bakker5191e922013-10-11 10:54:28 +0200[diff] [blame]64void x509write_crt_set_version( x509write_cert *ctx, int version )
65{
66 ctx->version = version;
67}
68
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]69void x509write_crt_set_md_alg( x509write_cert *ctx, md_type_t md_alg )
70{
71 ctx->md_alg = md_alg;
72}
73
74void x509write_crt_set_subject_key( x509write_cert *ctx, pk_context *key )
75{
76 ctx->subject_key = key;
77}
78
79void x509write_crt_set_issuer_key( x509write_cert *ctx, pk_context *key )
80{
81 ctx->issuer_key = key;
82}
83
Paul Bakker50dc8502013-10-28 21:19:10 +0100[diff] [blame]84int x509write_crt_set_subject_name( x509write_cert *ctx,
85 const char *subject_name )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]86{
Paul Bakker86d0c192013-09-18 11:11:02 +0200[diff] [blame]87 return x509_string_to_names( &ctx->subject, subject_name );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]88}
89
Paul Bakker50dc8502013-10-28 21:19:10 +0100[diff] [blame]90int x509write_crt_set_issuer_name( x509write_cert *ctx,
91 const char *issuer_name )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]92{
Paul Bakker86d0c192013-09-18 11:11:02 +0200[diff] [blame]93 return x509_string_to_names( &ctx->issuer, issuer_name );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]94}
95
96int x509write_crt_set_serial( x509write_cert *ctx, const mpi *serial )
97{
98 int ret;
99
100 if( ( ret = mpi_copy( &ctx->serial, serial ) ) != 0 )
101 return( ret );
102
103 return( 0 );
104}
105
Paul Bakker50dc8502013-10-28 21:19:10 +0100[diff] [blame]106int x509write_crt_set_validity( x509write_cert *ctx, const char *not_before,
107 const char *not_after )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]108{
109 if( strlen(not_before) != X509_RFC5280_UTC_TIME_LEN - 1 ||
110 strlen(not_after) != X509_RFC5280_UTC_TIME_LEN - 1 )
111 {
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]112 return( POLARSSL_ERR_X509_BAD_INPUT_DATA );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]113 }
114 strncpy( ctx->not_before, not_before, X509_RFC5280_UTC_TIME_LEN );
115 strncpy( ctx->not_after , not_after , X509_RFC5280_UTC_TIME_LEN );
116 ctx->not_before[X509_RFC5280_UTC_TIME_LEN - 1] = 'Z';
117 ctx->not_after[X509_RFC5280_UTC_TIME_LEN - 1] = 'Z';
118
119 return( 0 );
120}
121
122int x509write_crt_set_extension( x509write_cert *ctx,
123 const char *oid, size_t oid_len,
124 int critical,
125 const unsigned char *val, size_t val_len )
126{
127 return x509_set_extension( &ctx->extensions, oid, oid_len,
128 critical, val, val_len );
129}
130
131int x509write_crt_set_basic_constraints( x509write_cert *ctx,
132 int is_ca, int max_pathlen )
133{
134 int ret;
135 unsigned char buf[9];
136 unsigned char *c = buf + sizeof(buf);
137 size_t len = 0;
138
139 memset( buf, 0, sizeof(buf) );
140
141 if( is_ca && max_pathlen > 127 )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]142 return( POLARSSL_ERR_X509_BAD_INPUT_DATA );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]143
144 if( is_ca )
145 {
146 if( max_pathlen >= 0 )
147 {
148 ASN1_CHK_ADD( len, asn1_write_int( &c, buf, max_pathlen ) );
149 }
150 ASN1_CHK_ADD( len, asn1_write_bool( &c, buf, 1 ) );
151 }
152
153 ASN1_CHK_ADD( len, asn1_write_len( &c, buf, len ) );
154 ASN1_CHK_ADD( len, asn1_write_tag( &c, buf, ASN1_CONSTRUCTED | ASN1_SEQUENCE ) );
155
156 return x509write_crt_set_extension( ctx, OID_BASIC_CONSTRAINTS,
157 OID_SIZE( OID_BASIC_CONSTRAINTS ),
158 0, buf + sizeof(buf) - len, len );
159}
160
Manuel Pégourié-Gonnard3daaf3d2013-10-27 14:22:02 +0100[diff] [blame]161#if defined(POLARSSL_SHA1_C)
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]162int x509write_crt_set_subject_key_identifier( x509write_cert *ctx )
163{
164 int ret;
165 unsigned char buf[POLARSSL_MPI_MAX_SIZE * 2 + 20]; /* tag, length + 2xMPI */
166 unsigned char *c = buf + sizeof(buf);
167 size_t len = 0;
168
169 memset( buf, 0, sizeof(buf));
170 ASN1_CHK_ADD( len, pk_write_pubkey( &c, buf, ctx->subject_key ) );
171
172 sha1( buf + sizeof(buf) - len, len, buf + sizeof(buf) - 20 );
173 c = buf + sizeof(buf) - 20;
174 len = 20;
175
176 ASN1_CHK_ADD( len, asn1_write_len( &c, buf, len ) );
177 ASN1_CHK_ADD( len, asn1_write_tag( &c, buf, ASN1_OCTET_STRING ) );
178
179 return x509write_crt_set_extension( ctx, OID_SUBJECT_KEY_IDENTIFIER,
180 OID_SIZE( OID_SUBJECT_KEY_IDENTIFIER ),
181 0, buf + sizeof(buf) - len, len );
182}
183
184int x509write_crt_set_authority_key_identifier( x509write_cert *ctx )
185{
186 int ret;
187 unsigned char buf[POLARSSL_MPI_MAX_SIZE * 2 + 20]; /* tag, length + 2xMPI */
188 unsigned char *c = buf + sizeof(buf);
189 size_t len = 0;
190
191 memset( buf, 0, sizeof(buf));
192 ASN1_CHK_ADD( len, pk_write_pubkey( &c, buf, ctx->issuer_key ) );
193
194 sha1( buf + sizeof(buf) - len, len, buf + sizeof(buf) - 20 );
195 c = buf + sizeof(buf) - 20;
196 len = 20;
197
198 ASN1_CHK_ADD( len, asn1_write_len( &c, buf, len ) );
199 ASN1_CHK_ADD( len, asn1_write_tag( &c, buf, ASN1_CONTEXT_SPECIFIC | 0 ) );
200
201 ASN1_CHK_ADD( len, asn1_write_len( &c, buf, len ) );
202 ASN1_CHK_ADD( len, asn1_write_tag( &c, buf, ASN1_CONSTRUCTED | ASN1_SEQUENCE ) );
203
204 return x509write_crt_set_extension( ctx, OID_AUTHORITY_KEY_IDENTIFIER,
205 OID_SIZE( OID_AUTHORITY_KEY_IDENTIFIER ),
206 0, buf + sizeof(buf) - len, len );
207}
Manuel Pégourié-Gonnard3daaf3d2013-10-27 14:22:02 +0100[diff] [blame]208#endif /* POLARSSL_SHA1_C */
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]209
210int x509write_crt_set_key_usage( x509write_cert *ctx, unsigned char key_usage )
211{
212 unsigned char buf[4];
213 unsigned char *c;
214 int ret;
215
216 c = buf + 4;
217
218 if( ( ret = asn1_write_bitstring( &c, buf, &key_usage, 7 ) ) != 4 )
219 return( ret );
220
221 ret = x509write_crt_set_extension( ctx, OID_KEY_USAGE,
222 OID_SIZE( OID_KEY_USAGE ),
223 1, buf, 4 );
224 if( ret != 0 )
225 return( ret );
226
227 return( 0 );
228}
229
230int x509write_crt_set_ns_cert_type( x509write_cert *ctx,
231 unsigned char ns_cert_type )
232{
233 unsigned char buf[4];
234 unsigned char *c;
235 int ret;
236
237 c = buf + 4;
238
239 if( ( ret = asn1_write_bitstring( &c, buf, &ns_cert_type, 8 ) ) != 4 )
240 return( ret );
241
242 ret = x509write_crt_set_extension( ctx, OID_NS_CERT_TYPE,
243 OID_SIZE( OID_NS_CERT_TYPE ),
244 0, buf, 4 );
245 if( ret != 0 )
246 return( ret );
247
248 return( 0 );
249}
250
251static int x509_write_time( unsigned char **p, unsigned char *start,
252 const char *time, size_t size )
253{
254 int ret;
255 size_t len = 0;
256
257 /*
258 * write ASN1_UTC_TIME if year < 2050 (2 bytes shorter)
259 */
260 if( time[0] == '2' && time[1] == '0' && time [2] < '5' )
261 {
262 ASN1_CHK_ADD( len, asn1_write_raw_buffer( p, start,
263 (const unsigned char *) time + 2,
264 size - 2 ) );
265 ASN1_CHK_ADD( len, asn1_write_len( p, start, len ) );
266 ASN1_CHK_ADD( len, asn1_write_tag( p, start, ASN1_UTC_TIME ) );
267 }
268 else
269 {
270 ASN1_CHK_ADD( len, asn1_write_raw_buffer( p, start,
271 (const unsigned char *) time,
272 size ) );
273 ASN1_CHK_ADD( len, asn1_write_len( p, start, len ) );
274 ASN1_CHK_ADD( len, asn1_write_tag( p, start, ASN1_GENERALIZED_TIME ) );
275 }
276
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200[diff] [blame]277 return( (int) len );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]278}
279
280int x509write_crt_der( x509write_cert *ctx, unsigned char *buf, size_t size,
281 int (*f_rng)(void *, unsigned char *, size_t),
282 void *p_rng )
283{
284 int ret;
285 const char *sig_oid;
286 size_t sig_oid_len = 0;
287 unsigned char *c, *c2;
288 unsigned char hash[64];
289 unsigned char sig[POLARSSL_MPI_MAX_SIZE];
290 unsigned char tmp_buf[2048];
291 size_t sub_len = 0, pub_len = 0, sig_and_oid_len = 0, sig_len;
292 size_t len = 0;
293 pk_type_t pk_alg;
294
295 /*
296 * Prepare data to be signed in tmp_buf
297 */
298 c = tmp_buf + sizeof( tmp_buf );
299
300 /* Signature algorithm needed in TBS, and later for actual signature */
301 pk_alg = pk_get_type( ctx->issuer_key );
302 if( pk_alg == POLARSSL_PK_ECKEY )
303 pk_alg = POLARSSL_PK_ECDSA;
304
305 if( ( ret = oid_get_oid_by_sig_alg( pk_alg, ctx->md_alg,
306 &sig_oid, &sig_oid_len ) ) != 0 )
307 {
308 return( ret );
309 }
310
311 /*
312 * Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
313 */
314 ASN1_CHK_ADD( len, x509_write_extensions( &c, tmp_buf, ctx->extensions ) );
315 ASN1_CHK_ADD( len, asn1_write_len( &c, tmp_buf, len ) );
316 ASN1_CHK_ADD( len, asn1_write_tag( &c, tmp_buf, ASN1_CONSTRUCTED | ASN1_SEQUENCE ) );
317 ASN1_CHK_ADD( len, asn1_write_len( &c, tmp_buf, len ) );
318 ASN1_CHK_ADD( len, asn1_write_tag( &c, tmp_buf, ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 3 ) );
319
320 /*
321 * SubjectPublicKeyInfo
322 */
323 ASN1_CHK_ADD( pub_len, pk_write_pubkey_der( ctx->subject_key,
324 tmp_buf, c - tmp_buf ) );
325 c -= pub_len;
326 len += pub_len;
327
328 /*
329 * Subject ::= Name
330 */
331 ASN1_CHK_ADD( len, x509_write_names( &c, tmp_buf, ctx->subject ) );
332
333 /*
334 * Validity ::= SEQUENCE {
335 * notBefore Time,
336 * notAfter Time }
337 */
338 sub_len = 0;
339
340 ASN1_CHK_ADD( sub_len, x509_write_time( &c, tmp_buf, ctx->not_after,
341 X509_RFC5280_UTC_TIME_LEN ) );
342
343 ASN1_CHK_ADD( sub_len, x509_write_time( &c, tmp_buf, ctx->not_before,
344 X509_RFC5280_UTC_TIME_LEN ) );
345
346 len += sub_len;
347 ASN1_CHK_ADD( len, asn1_write_len( &c, tmp_buf, sub_len ) );
348 ASN1_CHK_ADD( len, asn1_write_tag( &c, tmp_buf, ASN1_CONSTRUCTED | ASN1_SEQUENCE ) );
349
350 /*
351 * Issuer ::= Name
352 */
353 ASN1_CHK_ADD( len, x509_write_names( &c, tmp_buf, ctx->issuer ) );
354
355 /*
356 * Signature ::= AlgorithmIdentifier
357 */
358 ASN1_CHK_ADD( len, asn1_write_algorithm_identifier( &c, tmp_buf,
359 sig_oid, strlen( sig_oid ), 0 ) );
360
361 /*
362 * Serial ::= INTEGER
363 */
364 ASN1_CHK_ADD( len, asn1_write_mpi( &c, tmp_buf, &ctx->serial ) );
365
366 /*
367 * Version ::= INTEGER { v1(0), v2(1), v3(2) }
368 */
369 sub_len = 0;
370 ASN1_CHK_ADD( sub_len, asn1_write_int( &c, tmp_buf, ctx->version ) );
371 len += sub_len;
372 ASN1_CHK_ADD( len, asn1_write_len( &c, tmp_buf, sub_len ) );
373 ASN1_CHK_ADD( len, asn1_write_tag( &c, tmp_buf, ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 0 ) );
374
375 ASN1_CHK_ADD( len, asn1_write_len( &c, tmp_buf, len ) );
376 ASN1_CHK_ADD( len, asn1_write_tag( &c, tmp_buf, ASN1_CONSTRUCTED | ASN1_SEQUENCE ) );
377
378 /*
379 * Make signature
380 */
381 md( md_info_from_type( ctx->md_alg ), c, len, hash );
382
383 if( ( ret = pk_sign( ctx->issuer_key, ctx->md_alg, hash, 0, sig, &sig_len,
384 f_rng, p_rng ) ) != 0 )
385 {
386 return( ret );
387 }
388
389 /*
390 * Write data to output buffer
391 */
392 c2 = buf + size;
393 ASN1_CHK_ADD( sig_and_oid_len, x509_write_sig( &c2, buf,
394 sig_oid, sig_oid_len, sig, sig_len ) );
395
396 c2 -= len;
397 memcpy( c2, c, len );
398
399 len += sig_and_oid_len;
400 ASN1_CHK_ADD( len, asn1_write_len( &c2, buf, len ) );
401 ASN1_CHK_ADD( len, asn1_write_tag( &c2, buf, ASN1_CONSTRUCTED | ASN1_SEQUENCE ) );
402
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200[diff] [blame]403 return( (int) len );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]404}
405
406#define PEM_BEGIN_CRT "-----BEGIN CERTIFICATE-----\n"
407#define PEM_END_CRT "-----END CERTIFICATE-----\n"
408
409#if defined(POLARSSL_PEM_WRITE_C)
410int x509write_crt_pem( x509write_cert *crt, unsigned char *buf, size_t size,
411 int (*f_rng)(void *, unsigned char *, size_t),
412 void *p_rng )
413{
414 int ret;
415 unsigned char output_buf[4096];
416 size_t olen = 0;
417
418 if( ( ret = x509write_crt_der( crt, output_buf, sizeof(output_buf),
419 f_rng, p_rng ) ) < 0 )
420 {
421 return( ret );
422 }
423
424 if( ( ret = pem_write_buffer( PEM_BEGIN_CRT, PEM_END_CRT,
425 output_buf + sizeof(output_buf) - ret,
426 ret, buf, size, &olen ) ) != 0 )
427 {
428 return( ret );
429 }
430
431 return( 0 );
432}
433#endif /* POLARSSL_PEM_WRITE_C */
434
435#endif /* POLARSSL_X509_CRT_WRITE_C */