TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / cef4ad2509f6c19f6c3e9cf4e6a077bac9d98280 / . / library / x509write_csr.c
blob: 6e7bed4a1584523b6db001f9ed6f07c116e7e95d [file] [log] [blame]
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]1/*
2 * X.509 Certificate Signing Request writing
3 *
4 * Copyright (C) 2006-2013, Brainspark B.V.
5 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
7 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
8 *
9 * All rights reserved.
10 *
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25/*
26 * References:
27 * - CSRs: PKCS#10 v1.7 aka RFC 2986
28 * - attributes: PKCS#9 v2.0 aka RFC 2985
29 */
30
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame^]31#if !defined(POLARSSL_CONFIG_FILE)
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]32#include "polarssl/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame^]33#else
34#include POLARSSL_CONFIG_FILE
35#endif
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]36
37#if defined(POLARSSL_X509_CSR_WRITE_C)
38
39#include "polarssl/x509_csr.h"
40#include "polarssl/oid.h"
41#include "polarssl/asn1write.h"
42
43#if defined(POLARSSL_PEM_WRITE_C)
44#include "polarssl/pem.h"
45#endif
46
47#include <string.h>
48#include <stdlib.h>
49
50void x509write_csr_init( x509write_csr *ctx )
51{
52 memset( ctx, 0, sizeof(x509write_csr) );
53}
54
55void x509write_csr_free( x509write_csr *ctx )
56{
57 asn1_free_named_data_list( &ctx->subject );
58 asn1_free_named_data_list( &ctx->extensions );
59
60 memset( ctx, 0, sizeof(x509write_csr) );
61}
62
63void x509write_csr_set_md_alg( x509write_csr *ctx, md_type_t md_alg )
64{
65 ctx->md_alg = md_alg;
66}
67
68void x509write_csr_set_key( x509write_csr *ctx, pk_context *key )
69{
70 ctx->key = key;
71}
72
Paul Bakker50dc8502013-10-28 21:19:10 +0100[diff] [blame]73int x509write_csr_set_subject_name( x509write_csr *ctx,
74 const char *subject_name )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]75{
Paul Bakker86d0c192013-09-18 11:11:02 +0200[diff] [blame]76 return x509_string_to_names( &ctx->subject, subject_name );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]77}
78
79int x509write_csr_set_extension( x509write_csr *ctx,
80 const char *oid, size_t oid_len,
81 const unsigned char *val, size_t val_len )
82{
83 return x509_set_extension( &ctx->extensions, oid, oid_len,
84 0, val, val_len );
85}
86
87int x509write_csr_set_key_usage( x509write_csr *ctx, unsigned char key_usage )
88{
89 unsigned char buf[4];
90 unsigned char *c;
91 int ret;
92
93 c = buf + 4;
94
95 if( ( ret = asn1_write_bitstring( &c, buf, &key_usage, 7 ) ) != 4 )
96 return( ret );
97
98 ret = x509write_csr_set_extension( ctx, OID_KEY_USAGE,
99 OID_SIZE( OID_KEY_USAGE ),
100 buf, 4 );
101 if( ret != 0 )
102 return( ret );
103
104 return( 0 );
105}
106
107int x509write_csr_set_ns_cert_type( x509write_csr *ctx,
108 unsigned char ns_cert_type )
109{
110 unsigned char buf[4];
111 unsigned char *c;
112 int ret;
113
114 c = buf + 4;
115
116 if( ( ret = asn1_write_bitstring( &c, buf, &ns_cert_type, 8 ) ) != 4 )
117 return( ret );
118
119 ret = x509write_csr_set_extension( ctx, OID_NS_CERT_TYPE,
120 OID_SIZE( OID_NS_CERT_TYPE ),
121 buf, 4 );
122 if( ret != 0 )
123 return( ret );
124
125 return( 0 );
126}
127
128int x509write_csr_der( x509write_csr *ctx, unsigned char *buf, size_t size,
129 int (*f_rng)(void *, unsigned char *, size_t),
130 void *p_rng )
131{
132 int ret;
133 const char *sig_oid;
134 size_t sig_oid_len = 0;
135 unsigned char *c, *c2;
136 unsigned char hash[64];
137 unsigned char sig[POLARSSL_MPI_MAX_SIZE];
138 unsigned char tmp_buf[2048];
139 size_t pub_len = 0, sig_and_oid_len = 0, sig_len;
140 size_t len = 0;
141 pk_type_t pk_alg;
142
143 /*
144 * Prepare data to be signed in tmp_buf
145 */
146 c = tmp_buf + sizeof( tmp_buf );
147
148 ASN1_CHK_ADD( len, x509_write_extensions( &c, tmp_buf, ctx->extensions ) );
149
150 if( len )
151 {
152 ASN1_CHK_ADD( len, asn1_write_len( &c, tmp_buf, len ) );
153 ASN1_CHK_ADD( len, asn1_write_tag( &c, tmp_buf, ASN1_CONSTRUCTED | ASN1_SEQUENCE ) );
154
155 ASN1_CHK_ADD( len, asn1_write_len( &c, tmp_buf, len ) );
156 ASN1_CHK_ADD( len, asn1_write_tag( &c, tmp_buf, ASN1_CONSTRUCTED | ASN1_SET ) );
157
158 ASN1_CHK_ADD( len, asn1_write_oid( &c, tmp_buf, OID_PKCS9_CSR_EXT_REQ,
159 OID_SIZE( OID_PKCS9_CSR_EXT_REQ ) ) );
160
161 ASN1_CHK_ADD( len, asn1_write_len( &c, tmp_buf, len ) );
162 ASN1_CHK_ADD( len, asn1_write_tag( &c, tmp_buf, ASN1_CONSTRUCTED | ASN1_SEQUENCE ) );
163 }
164
165 ASN1_CHK_ADD( len, asn1_write_len( &c, tmp_buf, len ) );
166 ASN1_CHK_ADD( len, asn1_write_tag( &c, tmp_buf, ASN1_CONSTRUCTED | ASN1_CONTEXT_SPECIFIC ) );
167
168 ASN1_CHK_ADD( pub_len, pk_write_pubkey_der( ctx->key,
169 tmp_buf, c - tmp_buf ) );
170 c -= pub_len;
171 len += pub_len;
172
173 /*
174 * Subject ::= Name
175 */
176 ASN1_CHK_ADD( len, x509_write_names( &c, tmp_buf, ctx->subject ) );
177
178 /*
179 * Version ::= INTEGER { v1(0), v2(1), v3(2) }
180 */
181 ASN1_CHK_ADD( len, asn1_write_int( &c, tmp_buf, 0 ) );
182
183 ASN1_CHK_ADD( len, asn1_write_len( &c, tmp_buf, len ) );
184 ASN1_CHK_ADD( len, asn1_write_tag( &c, tmp_buf, ASN1_CONSTRUCTED | ASN1_SEQUENCE ) );
185
186 /*
187 * Prepare signature
188 */
189 md( md_info_from_type( ctx->md_alg ), c, len, hash );
190
191 pk_alg = pk_get_type( ctx->key );
192 if( pk_alg == POLARSSL_PK_ECKEY )
193 pk_alg = POLARSSL_PK_ECDSA;
194
195 if( ( ret = pk_sign( ctx->key, ctx->md_alg, hash, 0, sig, &sig_len,
196 f_rng, p_rng ) ) != 0 ||
197 ( ret = oid_get_oid_by_sig_alg( pk_alg, ctx->md_alg,
198 &sig_oid, &sig_oid_len ) ) != 0 )
199 {
200 return( ret );
201 }
202
203 /*
204 * Write data to output buffer
205 */
206 c2 = buf + size;
207 ASN1_CHK_ADD( sig_and_oid_len, x509_write_sig( &c2, buf,
208 sig_oid, sig_oid_len, sig, sig_len ) );
209
210 c2 -= len;
211 memcpy( c2, c, len );
212
213 len += sig_and_oid_len;
214 ASN1_CHK_ADD( len, asn1_write_len( &c2, buf, len ) );
215 ASN1_CHK_ADD( len, asn1_write_tag( &c2, buf, ASN1_CONSTRUCTED | ASN1_SEQUENCE ) );
216
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200[diff] [blame]217 return( (int) len );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]218}
219
220#define PEM_BEGIN_CSR "-----BEGIN CERTIFICATE REQUEST-----\n"
221#define PEM_END_CSR "-----END CERTIFICATE REQUEST-----\n"
222
223#if defined(POLARSSL_PEM_WRITE_C)
224int x509write_csr_pem( x509write_csr *ctx, unsigned char *buf, size_t size,
225 int (*f_rng)(void *, unsigned char *, size_t),
226 void *p_rng )
227{
228 int ret;
229 unsigned char output_buf[4096];
230 size_t olen = 0;
231
232 if( ( ret = x509write_csr_der( ctx, output_buf, sizeof(output_buf),
233 f_rng, p_rng ) ) < 0 )
234 {
235 return( ret );
236 }
237
238 if( ( ret = pem_write_buffer( PEM_BEGIN_CSR, PEM_END_CSR,
239 output_buf + sizeof(output_buf) - ret,
240 ret, buf, size, &olen ) ) != 0 )
241 {
242 return( ret );
243 }
244
245 return( 0 );
246}
247#endif /* POLARSSL_PEM_WRITE_C */
248
249#endif /* POLARSSL_X509_CSR_WRITE_C */