TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 31e59400d2956de434e9960c7e5b0fe225bfa0ac / . / library / x509write.c
blob: dffdf74544ff0a001d9fd955f410a5265f4ece06 [file] [log] [blame]
Paul Bakkerbdb912d2012-02-13 23:11:30 +0000[diff] [blame]1/*
2 * X509 buffer writing functionality
3 *
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200[diff] [blame]4 * Copyright (C) 2006-2013, Brainspark B.V.
Paul Bakkerbdb912d2012-02-13 23:11:30 +0000[diff] [blame]5 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
7 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
8 *
9 * All rights reserved.
10 *
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25
Manuel Pégourié-Gonnardd4eb5b52013-09-11 18:16:20 +0200[diff] [blame]26/*
27 * References:
28 * - certificates: RFC 5280, updated by RFC 6818
29 * - CSRs: PKCS#10 v1.7 aka RFC 2986
30 * - attributes: PKCS#9 v2.0 aka RFC 2985
31 */
32
Paul Bakkerbdb912d2012-02-13 23:11:30 +0000[diff] [blame]33#include "polarssl/config.h"
34
35#if defined(POLARSSL_X509_WRITE_C)
36
37#include "polarssl/asn1write.h"
38#include "polarssl/x509write.h"
39#include "polarssl/x509.h"
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]40#include "polarssl/md.h"
41#include "polarssl/oid.h"
Paul Bakkerbdb912d2012-02-13 23:11:30 +0000[diff] [blame]42
Paul Bakker15162a02013-09-06 19:27:21 +0200[diff] [blame]43#include "polarssl/sha1.h"
44
Paul Bakker135f1e92013-08-26 16:54:13 +0200[diff] [blame]45#if defined(POLARSSL_BASE64_C)
46#include "polarssl/base64.h"
47#endif
48
Paul Bakker8eabfc12013-08-25 10:18:25 +0200[diff] [blame]49#if defined(POLARSSL_MEMORY_C)
50#include "polarssl/memory.h"
51#else
52#include <stdlib.h>
53#define polarssl_malloc malloc
54#define polarssl_free free
55#endif
56
Paul Bakker5f45e622013-09-09 12:02:36 +0200[diff] [blame]57static int x509write_string_to_names( asn1_named_data **head, char *name )
Paul Bakker8eabfc12013-08-25 10:18:25 +0200[diff] [blame]58{
59 int ret = 0;
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]60 char *s = name, *c = s;
Paul Bakker8eabfc12013-08-25 10:18:25 +0200[diff] [blame]61 char *end = s + strlen( s );
62 char *oid = NULL;
63 int in_tag = 1;
Paul Bakker5f45e622013-09-09 12:02:36 +0200[diff] [blame]64 asn1_named_data *cur;
Paul Bakker8eabfc12013-08-25 10:18:25 +0200[diff] [blame]65
Manuel Pégourié-Gonnardda7317e2013-09-10 15:52:52 +0200[diff] [blame]66 /* Clear existing chain if present */
67 asn1_free_named_data_list( head );
Paul Bakker8eabfc12013-08-25 10:18:25 +0200[diff] [blame]68
69 while( c <= end )
70 {
71 if( in_tag && *c == '=' )
72 {
73 if( memcmp( s, "CN", 2 ) == 0 && c - s == 2 )
74 oid = OID_AT_CN;
75 else if( memcmp( s, "C", 1 ) == 0 && c - s == 1 )
76 oid = OID_AT_COUNTRY;
77 else if( memcmp( s, "O", 1 ) == 0 && c - s == 1 )
78 oid = OID_AT_ORGANIZATION;
79 else if( memcmp( s, "L", 1 ) == 0 && c - s == 1 )
80 oid = OID_AT_LOCALITY;
81 else if( memcmp( s, "R", 1 ) == 0 && c - s == 1 )
82 oid = OID_PKCS9_EMAIL;
83 else if( memcmp( s, "OU", 2 ) == 0 && c - s == 2 )
84 oid = OID_AT_ORG_UNIT;
85 else if( memcmp( s, "ST", 2 ) == 0 && c - s == 2 )
86 oid = OID_AT_STATE;
87 else
88 {
Paul Bakker0e06c0f2013-08-25 11:21:30 +0200[diff] [blame]89 ret = POLARSSL_ERR_X509WRITE_UNKNOWN_OID;
Paul Bakker8eabfc12013-08-25 10:18:25 +0200[diff] [blame]90 goto exit;
91 }
92
93 s = c + 1;
94 in_tag = 0;
95 }
96
97 if( !in_tag && ( *c == ',' || c == end ) )
98 {
Paul Bakker5f45e622013-09-09 12:02:36 +0200[diff] [blame]99 if( ( cur = asn1_store_named_data( head, oid, strlen( oid ),
100 (unsigned char *) s,
101 c - s ) ) == NULL )
Paul Bakker8eabfc12013-08-25 10:18:25 +0200[diff] [blame]102 {
Paul Bakker5f45e622013-09-09 12:02:36 +0200[diff] [blame]103 return( POLARSSL_ERR_X509WRITE_MALLOC_FAILED );
Paul Bakker8eabfc12013-08-25 10:18:25 +0200[diff] [blame]104 }
105
Paul Bakkerd4bf8702013-09-09 13:59:11 +0200[diff] [blame]106 while( c < end && *(c + 1) == ' ' )
107 c++;
108
Paul Bakker8eabfc12013-08-25 10:18:25 +0200[diff] [blame]109 s = c + 1;
110 in_tag = 1;
111 }
112 c++;
113 }
114
115exit:
116
117 return( ret );
118}
119
Manuel Pégourié-Gonnard3837dae2013-09-12 01:39:07 +0200[diff] [blame]120#if defined(POLARSSL_RSA_C)
Paul Bakker15162a02013-09-06 19:27:21 +0200[diff] [blame]121/*
122 * RSAPublicKey ::= SEQUENCE {
123 * modulus INTEGER, -- n
124 * publicExponent INTEGER -- e
125 * }
126 */
127static int x509_write_rsa_pubkey( unsigned char **p, unsigned char *start,
128 rsa_context *rsa )
129{
130 int ret;
131 size_t len = 0;
132
133 ASN1_CHK_ADD( len, asn1_write_mpi( p, start, &rsa->E ) );
134 ASN1_CHK_ADD( len, asn1_write_mpi( p, start, &rsa->N ) );
135
136 ASN1_CHK_ADD( len, asn1_write_len( p, start, len ) );
137 ASN1_CHK_ADD( len, asn1_write_tag( p, start, ASN1_CONSTRUCTED | ASN1_SEQUENCE ) );
138
139 return( len );
140}
Manuel Pégourié-Gonnard3837dae2013-09-12 01:39:07 +0200[diff] [blame]141#endif /* POLARSSL_RSA_C */
142
143#if defined(POLARSSL_ECP_C)
144/*
145 * EC public key is an EC point
146 */
147static int x509_write_ec_pubkey( unsigned char **p, unsigned char *start,
148 ecp_keypair *ec )
149{
150 int ret;
151 size_t len = 0;
152 unsigned char buf[POLARSSL_ECP_MAX_PT_LEN];
153
154 if( ( ret = ecp_point_write_binary( &ec->grp, &ec->Q,
155 POLARSSL_ECP_PF_UNCOMPRESSED,
156 &len, buf, sizeof( buf ) ) ) != 0 )
157 {
158 return( ret );
159 }
160
161 if( *p - start < (int) len )
162 return( POLARSSL_ERR_ASN1_BUF_TOO_SMALL );
163
164 *p -= len;
165 memcpy( *p, buf, len );
166
167 return( len );
168}
169
170/*
171 * ECParameters ::= CHOICE {
172 * namedCurve OBJECT IDENTIFIER
173 * }
174 */
Manuel Pégourié-Gonnardedda9042013-09-12 02:17:54 +0200[diff] [blame]175static int x509_write_ec_param( unsigned char **p, unsigned char *start,
176 ecp_keypair *ec )
Manuel Pégourié-Gonnard3837dae2013-09-12 01:39:07 +0200[diff] [blame]177{
178 int ret;
179 size_t len = 0;
180 const char *oid;
181 size_t oid_len;
182
183 if( ( ret = oid_get_oid_by_ec_grp( ec->grp.id, &oid, &oid_len ) ) != 0 )
184 return( ret );
185
186 ASN1_CHK_ADD( len, asn1_write_oid( p, start, oid, oid_len ) );
187
188 return( len );
189}
190#endif /* POLARSSL_ECP_C */
Paul Bakker15162a02013-09-06 19:27:21 +0200[diff] [blame]191
Paul Bakkercd358032013-09-09 12:08:11 +0200[diff] [blame]192void x509write_csr_init( x509write_csr *ctx )
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]193{
Paul Bakkercd358032013-09-09 12:08:11 +0200[diff] [blame]194 memset( ctx, 0, sizeof(x509write_csr) );
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]195}
196
Paul Bakkercd358032013-09-09 12:08:11 +0200[diff] [blame]197void x509write_csr_free( x509write_csr *ctx )
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]198{
Paul Bakker5f45e622013-09-09 12:02:36 +0200[diff] [blame]199 asn1_free_named_data_list( &ctx->subject );
200 asn1_free_named_data_list( &ctx->extensions );
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]201
Paul Bakkercd358032013-09-09 12:08:11 +0200[diff] [blame]202 memset( ctx, 0, sizeof(x509write_csr) );
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]203}
204
Paul Bakkercd358032013-09-09 12:08:11 +0200[diff] [blame]205void x509write_csr_set_md_alg( x509write_csr *ctx, md_type_t md_alg )
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]206{
207 ctx->md_alg = md_alg;
208}
209
Manuel Pégourié-Gonnardee731792013-09-11 22:48:40 +0200[diff] [blame]210void x509write_csr_set_key( x509write_csr *ctx, pk_context *key )
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]211{
Manuel Pégourié-Gonnardee731792013-09-11 22:48:40 +0200[diff] [blame]212 ctx->key = key;
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]213}
214
Paul Bakkercd358032013-09-09 12:08:11 +0200[diff] [blame]215int x509write_csr_set_subject_name( x509write_csr *ctx, char *subject_name )
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]216{
217 return x509write_string_to_names( &ctx->subject, subject_name );
218}
219
Paul Bakker15162a02013-09-06 19:27:21 +0200[diff] [blame]220/* The first byte of the value in the asn1_named_data structure is reserved
221 * to store the critical boolean for us
222 */
223static int x509_set_extension( asn1_named_data **head,
224 const char *oid, size_t oid_len,
225 int critical,
226 const unsigned char *val, size_t val_len )
Paul Bakkerfde42702013-08-25 14:47:27 +0200[diff] [blame]227{
Paul Bakkere5eae762013-08-26 12:05:14 +0200[diff] [blame]228 asn1_named_data *cur;
Paul Bakkere5eae762013-08-26 12:05:14 +0200[diff] [blame]229
Paul Bakker59ba59f2013-09-09 11:26:00 +0200[diff] [blame]230 if( ( cur = asn1_store_named_data( head, oid, oid_len,
231 NULL, val_len + 1 ) ) == NULL )
Paul Bakkere5eae762013-08-26 12:05:14 +0200[diff] [blame]232 {
Paul Bakker59ba59f2013-09-09 11:26:00 +0200[diff] [blame]233 return( POLARSSL_ERR_X509WRITE_MALLOC_FAILED );
Paul Bakker1c0e5502013-08-26 13:41:01 +0200[diff] [blame]234 }
235
Paul Bakker15162a02013-09-06 19:27:21 +0200[diff] [blame]236 cur->val.p[0] = critical;
237 memcpy( cur->val.p + 1, val, val_len );
Paul Bakker1c0e5502013-08-26 13:41:01 +0200[diff] [blame]238
239 return( 0 );
240}
241
Paul Bakkercd358032013-09-09 12:08:11 +0200[diff] [blame]242int x509write_csr_set_extension( x509write_csr *ctx,
Paul Bakker15162a02013-09-06 19:27:21 +0200[diff] [blame]243 const char *oid, size_t oid_len,
244 const unsigned char *val, size_t val_len )
245{
246 return x509_set_extension( &ctx->extensions, oid, oid_len,
247 0, val, val_len );
248}
249
Paul Bakkercd358032013-09-09 12:08:11 +0200[diff] [blame]250int x509write_csr_set_key_usage( x509write_csr *ctx, unsigned char key_usage )
Paul Bakker1c0e5502013-08-26 13:41:01 +0200[diff] [blame]251{
252 unsigned char buf[4];
253 unsigned char *c;
254 int ret;
255
256 c = buf + 4;
257
Paul Bakker624d03a2013-08-26 14:12:57 +0200[diff] [blame]258 if( ( ret = asn1_write_bitstring( &c, buf, &key_usage, 7 ) ) != 4 )
Paul Bakker1c0e5502013-08-26 13:41:01 +0200[diff] [blame]259 return( ret );
260
261 ret = x509write_csr_set_extension( ctx, OID_KEY_USAGE,
262 OID_SIZE( OID_KEY_USAGE ),
263 buf, 4 );
264 if( ret != 0 )
265 return( ret );
266
267 return( 0 );
268}
269
Paul Bakkercd358032013-09-09 12:08:11 +0200[diff] [blame]270int x509write_csr_set_ns_cert_type( x509write_csr *ctx,
271 unsigned char ns_cert_type )
Paul Bakker1c0e5502013-08-26 13:41:01 +0200[diff] [blame]272{
273 unsigned char buf[4];
274 unsigned char *c;
275 int ret;
276
277 c = buf + 4;
278
279 if( ( ret = asn1_write_bitstring( &c, buf, &ns_cert_type, 8 ) ) != 4 )
280 return( ret );
281
282 ret = x509write_csr_set_extension( ctx, OID_NS_CERT_TYPE,
283 OID_SIZE( OID_NS_CERT_TYPE ),
284 buf, 4 );
285 if( ret != 0 )
286 return( ret );
Paul Bakkere5eae762013-08-26 12:05:14 +0200[diff] [blame]287
288 return( 0 );
Paul Bakkerfde42702013-08-25 14:47:27 +0200[diff] [blame]289}
290
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]291void x509write_crt_init( x509write_cert *ctx )
292{
293 memset( ctx, 0, sizeof(x509write_cert) );
294
295 mpi_init( &ctx->serial );
296 ctx->version = X509_CRT_VERSION_3;
297}
298
299void x509write_crt_free( x509write_cert *ctx )
300{
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]301 mpi_free( &ctx->serial );
302
Paul Bakker5f45e622013-09-09 12:02:36 +0200[diff] [blame]303 asn1_free_named_data_list( &ctx->subject );
304 asn1_free_named_data_list( &ctx->issuer );
305 asn1_free_named_data_list( &ctx->extensions );
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]306
Paul Bakkercd358032013-09-09 12:08:11 +0200[diff] [blame]307 memset( ctx, 0, sizeof(x509write_csr) );
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]308}
309
310void x509write_crt_set_md_alg( x509write_cert *ctx, md_type_t md_alg )
311{
312 ctx->md_alg = md_alg;
313}
314
Manuel Pégourié-Gonnardf38e71a2013-09-12 05:21:54 +0200[diff] [blame]315void x509write_crt_set_subject_key( x509write_cert *ctx, pk_context *key )
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]316{
Manuel Pégourié-Gonnard53c64252013-09-12 05:39:46 +0200[diff] [blame]317 ctx->subject_key = key;
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]318}
319
Manuel Pégourié-Gonnardf38e71a2013-09-12 05:21:54 +0200[diff] [blame]320void x509write_crt_set_issuer_key( x509write_cert *ctx, pk_context *key )
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]321{
Manuel Pégourié-Gonnard53c64252013-09-12 05:39:46 +0200[diff] [blame]322 ctx->issuer_key = key;
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]323}
324
325int x509write_crt_set_subject_name( x509write_cert *ctx, char *subject_name )
326{
327 return x509write_string_to_names( &ctx->subject, subject_name );
328}
329
330int x509write_crt_set_issuer_name( x509write_cert *ctx, char *issuer_name )
331{
332 return x509write_string_to_names( &ctx->issuer, issuer_name );
333}
334
335int x509write_crt_set_serial( x509write_cert *ctx, const mpi *serial )
336{
337 int ret;
338
339 if( ( ret = mpi_copy( &ctx->serial, serial ) ) != 0 )
340 return( ret );
341
342 return( 0 );
343}
344
345int x509write_crt_set_validity( x509write_cert *ctx, char *not_before,
346 char *not_after )
347{
348 if( strlen(not_before) != X509_RFC5280_UTC_TIME_LEN - 1 ||
349 strlen(not_after) != X509_RFC5280_UTC_TIME_LEN - 1 )
350 {
351 return( POLARSSL_ERR_X509WRITE_BAD_INPUT_DATA );
352 }
353 strncpy( ctx->not_before, not_before, X509_RFC5280_UTC_TIME_LEN );
354 strncpy( ctx->not_after , not_after , X509_RFC5280_UTC_TIME_LEN );
355 ctx->not_before[X509_RFC5280_UTC_TIME_LEN - 1] = 'Z';
356 ctx->not_after[X509_RFC5280_UTC_TIME_LEN - 1] = 'Z';
357
358 return( 0 );
359}
360
Paul Bakker15162a02013-09-06 19:27:21 +0200[diff] [blame]361int x509write_crt_set_extension( x509write_cert *ctx,
362 const char *oid, size_t oid_len,
363 int critical,
364 const unsigned char *val, size_t val_len )
365{
366 return x509_set_extension( &ctx->extensions, oid, oid_len,
367 critical, val, val_len );
368}
369
370int x509write_crt_set_basic_constraints( x509write_cert *ctx,
371 int is_ca, int max_pathlen )
372{
373 int ret;
374 unsigned char buf[9];
375 unsigned char *c = buf + sizeof(buf);
376 size_t len = 0;
377
378 memset( buf, 0, sizeof(buf) );
379
380 if( is_ca && max_pathlen > 127 )
381 return( POLARSSL_ERR_X509WRITE_BAD_INPUT_DATA );
382
383 if( is_ca )
384 {
385 if( max_pathlen >= 0 )
386 {
387 ASN1_CHK_ADD( len, asn1_write_int( &c, buf, max_pathlen ) );
388 }
389 ASN1_CHK_ADD( len, asn1_write_bool( &c, buf, 1 ) );
390 }
391
392 ASN1_CHK_ADD( len, asn1_write_len( &c, buf, len ) );
393 ASN1_CHK_ADD( len, asn1_write_tag( &c, buf, ASN1_CONSTRUCTED | ASN1_SEQUENCE ) );
394
395 return x509write_crt_set_extension( ctx, OID_BASIC_CONSTRAINTS,
396 OID_SIZE( OID_BASIC_CONSTRAINTS ),
397 0, buf + sizeof(buf) - len, len );
398}
399
400int x509write_crt_set_subject_key_identifier( x509write_cert *ctx )
401{
402 int ret;
403 unsigned char buf[POLARSSL_MPI_MAX_SIZE * 2 + 20]; /* tag, length + 2xMPI */
404 unsigned char *c = buf + sizeof(buf);
405 size_t len = 0;
406
Manuel Pégourié-Gonnard53c64252013-09-12 05:39:46 +0200[diff] [blame]407 if( pk_get_type( ctx->subject_key ) != POLARSSL_PK_RSA )
408 return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE );
409
Paul Bakker15162a02013-09-06 19:27:21 +0200[diff] [blame]410 memset( buf, 0, sizeof(buf));
Manuel Pégourié-Gonnard53c64252013-09-12 05:39:46 +0200[diff] [blame]411 ASN1_CHK_ADD( len, x509_write_rsa_pubkey( &c, buf,
412 pk_rsa( *ctx->subject_key ) ) );
Paul Bakker15162a02013-09-06 19:27:21 +0200[diff] [blame]413
414 sha1( buf + sizeof(buf) - len, len, buf + sizeof(buf) - 20 );
415 c = buf + sizeof(buf) - 20;
416 len = 20;
417
418 ASN1_CHK_ADD( len, asn1_write_len( &c, buf, len ) );
419 ASN1_CHK_ADD( len, asn1_write_tag( &c, buf, ASN1_OCTET_STRING ) );
420
421 return x509write_crt_set_extension( ctx, OID_SUBJECT_KEY_IDENTIFIER,
422 OID_SIZE( OID_SUBJECT_KEY_IDENTIFIER ),
423 0, buf + sizeof(buf) - len, len );
424}
425
426int x509write_crt_set_authority_key_identifier( x509write_cert *ctx )
427{
428 int ret;
429 unsigned char buf[POLARSSL_MPI_MAX_SIZE * 2 + 20]; /* tag, length + 2xMPI */
430 unsigned char *c = buf + sizeof(buf);
431 size_t len = 0;
432
Manuel Pégourié-Gonnard53c64252013-09-12 05:39:46 +0200[diff] [blame]433 if( pk_get_type( ctx->issuer_key ) != POLARSSL_PK_RSA )
434 return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE );
435
Paul Bakker15162a02013-09-06 19:27:21 +0200[diff] [blame]436 memset( buf, 0, sizeof(buf));
Manuel Pégourié-Gonnard53c64252013-09-12 05:39:46 +0200[diff] [blame]437 ASN1_CHK_ADD( len, x509_write_rsa_pubkey( &c, buf,
438 pk_rsa( *ctx->issuer_key ) ) );
Paul Bakker15162a02013-09-06 19:27:21 +0200[diff] [blame]439
440 sha1( buf + sizeof(buf) - len, len, buf + sizeof(buf) - 20 );
441 c = buf + sizeof(buf) - 20;
442 len = 20;
443
444 ASN1_CHK_ADD( len, asn1_write_len( &c, buf, len ) );
445 ASN1_CHK_ADD( len, asn1_write_tag( &c, buf, ASN1_CONTEXT_SPECIFIC | 0 ) );
446
447 ASN1_CHK_ADD( len, asn1_write_len( &c, buf, len ) );
448 ASN1_CHK_ADD( len, asn1_write_tag( &c, buf, ASN1_CONSTRUCTED | ASN1_SEQUENCE ) );
449
450 return x509write_crt_set_extension( ctx, OID_AUTHORITY_KEY_IDENTIFIER,
451 OID_SIZE( OID_AUTHORITY_KEY_IDENTIFIER ),
452 0, buf + sizeof(buf) - len, len );
453}
454
Paul Bakker52be08c2013-09-09 12:37:54 +0200[diff] [blame]455int x509write_crt_set_key_usage( x509write_cert *ctx, unsigned char key_usage )
456{
457 unsigned char buf[4];
458 unsigned char *c;
459 int ret;
460
461 c = buf + 4;
462
463 if( ( ret = asn1_write_bitstring( &c, buf, &key_usage, 7 ) ) != 4 )
464 return( ret );
465
466 ret = x509write_crt_set_extension( ctx, OID_KEY_USAGE,
467 OID_SIZE( OID_KEY_USAGE ),
468 1, buf, 4 );
469 if( ret != 0 )
470 return( ret );
471
472 return( 0 );
473}
474
475int x509write_crt_set_ns_cert_type( x509write_cert *ctx,
476 unsigned char ns_cert_type )
477{
478 unsigned char buf[4];
479 unsigned char *c;
480 int ret;
481
482 c = buf + 4;
483
484 if( ( ret = asn1_write_bitstring( &c, buf, &ns_cert_type, 8 ) ) != 4 )
485 return( ret );
486
487 ret = x509write_crt_set_extension( ctx, OID_NS_CERT_TYPE,
488 OID_SIZE( OID_NS_CERT_TYPE ),
489 0, buf, 4 );
490 if( ret != 0 )
491 return( ret );
492
493 return( 0 );
494}
495
Manuel Pégourié-Gonnarde1f821a2013-09-12 00:59:40 +0200[diff] [blame]496int x509write_pubkey_der( pk_context *key, unsigned char *buf, size_t size )
Paul Bakkerbdb912d2012-02-13 23:11:30 +0000[diff] [blame]497{
498 int ret;
499 unsigned char *c;
Manuel Pégourié-Gonnardedda9042013-09-12 02:17:54 +0200[diff] [blame]500 size_t len = 0, par_len = 0, oid_len;
501 const char *oid;
Paul Bakkerbdb912d2012-02-13 23:11:30 +0000[diff] [blame]502
Manuel Pégourié-Gonnard27d87fa2013-09-11 17:33:28 +0200[diff] [blame]503 c = buf + size;
Paul Bakkerbdb912d2012-02-13 23:11:30 +0000[diff] [blame]504
Manuel Pégourié-Gonnard3837dae2013-09-12 01:39:07 +0200[diff] [blame]505#if defined(POLARSSL_RSA_C)
506 if( pk_get_type( key ) == POLARSSL_PK_RSA )
507 ASN1_CHK_ADD( len, x509_write_rsa_pubkey( &c, buf, pk_rsa( *key ) ) );
508 else
509#endif
510#if defined(POLARSSL_ECP_C)
511 if( pk_get_type( key ) == POLARSSL_PK_ECKEY )
512 ASN1_CHK_ADD( len, x509_write_ec_pubkey( &c, buf, pk_ec( *key ) ) );
513 else
514#endif
515 return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE );
Paul Bakkerbdb912d2012-02-13 23:11:30 +0000[diff] [blame]516
517 if( c - buf < 1 )
518 return( POLARSSL_ERR_ASN1_BUF_TOO_SMALL );
519
Paul Bakker8eabfc12013-08-25 10:18:25 +0200[diff] [blame]520 /*
521 * SubjectPublicKeyInfo ::= SEQUENCE {
522 * algorithm AlgorithmIdentifier,
523 * subjectPublicKey BIT STRING }
524 */
Paul Bakkerbdb912d2012-02-13 23:11:30 +0000[diff] [blame]525 *--c = 0;
526 len += 1;
527
528 ASN1_CHK_ADD( len, asn1_write_len( &c, buf, len ) );
529 ASN1_CHK_ADD( len, asn1_write_tag( &c, buf, ASN1_BIT_STRING ) );
530
Manuel Pégourié-Gonnardedda9042013-09-12 02:17:54 +0200[diff] [blame]531 if( ( ret = oid_get_oid_by_pk_alg( pk_get_type( key ),
532 &oid, &oid_len ) ) != 0 )
533 {
534 return( ret );
535 }
536
Manuel Pégourié-Gonnard3837dae2013-09-12 01:39:07 +0200[diff] [blame]537#if defined(POLARSSL_ECP_C)
538 if( pk_get_type( key ) == POLARSSL_PK_ECKEY )
539 {
Manuel Pégourié-Gonnardedda9042013-09-12 02:17:54 +0200[diff] [blame]540 ASN1_CHK_ADD( par_len, x509_write_ec_param( &c, buf, pk_ec( *key ) ) );
Manuel Pégourié-Gonnard3837dae2013-09-12 01:39:07 +0200[diff] [blame]541 }
Manuel Pégourié-Gonnard3837dae2013-09-12 01:39:07 +0200[diff] [blame]542#endif
Manuel Pégourié-Gonnardedda9042013-09-12 02:17:54 +0200[diff] [blame]543
544 ASN1_CHK_ADD( len, asn1_write_algorithm_identifier( &c, buf, oid, oid_len,
545 par_len ) );
Paul Bakkerbdb912d2012-02-13 23:11:30 +0000[diff] [blame]546
547 ASN1_CHK_ADD( len, asn1_write_len( &c, buf, len ) );
548 ASN1_CHK_ADD( len, asn1_write_tag( &c, buf, ASN1_CONSTRUCTED | ASN1_SEQUENCE ) );
549
550 return( len );
551}
552
Manuel Pégourié-Gonnard6de63e42013-09-12 04:59:34 +0200[diff] [blame]553int x509write_key_der( pk_context *key, unsigned char *buf, size_t size )
Paul Bakkerbdb912d2012-02-13 23:11:30 +0000[diff] [blame]554{
555 int ret;
Manuel Pégourié-Gonnard6de63e42013-09-12 04:59:34 +0200[diff] [blame]556 unsigned char *c = buf + size;
Paul Bakkerbdb912d2012-02-13 23:11:30 +0000[diff] [blame]557 size_t len = 0;
558
Manuel Pégourié-Gonnard6de63e42013-09-12 04:59:34 +0200[diff] [blame]559#if defined(POLARSSL_RSA_C)
560 if( pk_get_type( key ) == POLARSSL_PK_RSA )
561 {
562 rsa_context *rsa = pk_rsa( *key );
Paul Bakkerbdb912d2012-02-13 23:11:30 +0000[diff] [blame]563
Manuel Pégourié-Gonnard6de63e42013-09-12 04:59:34 +0200[diff] [blame]564 ASN1_CHK_ADD( len, asn1_write_mpi( &c, buf, &rsa->QP ) );
565 ASN1_CHK_ADD( len, asn1_write_mpi( &c, buf, &rsa->DQ ) );
566 ASN1_CHK_ADD( len, asn1_write_mpi( &c, buf, &rsa->DP ) );
567 ASN1_CHK_ADD( len, asn1_write_mpi( &c, buf, &rsa->Q ) );
568 ASN1_CHK_ADD( len, asn1_write_mpi( &c, buf, &rsa->P ) );
569 ASN1_CHK_ADD( len, asn1_write_mpi( &c, buf, &rsa->D ) );
570 ASN1_CHK_ADD( len, asn1_write_mpi( &c, buf, &rsa->E ) );
571 ASN1_CHK_ADD( len, asn1_write_mpi( &c, buf, &rsa->N ) );
572 ASN1_CHK_ADD( len, asn1_write_int( &c, buf, 0 ) );
Paul Bakkerbdb912d2012-02-13 23:11:30 +0000[diff] [blame]573
Manuel Pégourié-Gonnard6de63e42013-09-12 04:59:34 +0200[diff] [blame]574 ASN1_CHK_ADD( len, asn1_write_len( &c, buf, len ) );
575 ASN1_CHK_ADD( len, asn1_write_tag( &c, buf, ASN1_CONSTRUCTED | ASN1_SEQUENCE ) );
576 }
577 else
578#endif
579#if defined(POLARSSL_ECP_C)
580 if( pk_get_type( key ) == POLARSSL_PK_ECKEY )
581 {
582 ecp_keypair *ec = pk_ec( *key );
583 size_t pub_len = 0, par_len = 0;
584
585 /*
586 * RFC 5915, or SEC1 Appendix C.4
587 *
588 * ECPrivateKey ::= SEQUENCE {
589 * version INTEGER { ecPrivkeyVer1(1) } (ecPrivkeyVer1),
590 * privateKey OCTET STRING,
591 * parameters [0] ECParameters {{ NamedCurve }} OPTIONAL,
592 * publicKey [1] BIT STRING OPTIONAL
593 * }
594 */
595
596 /* publicKey */
597 ASN1_CHK_ADD( pub_len, x509_write_ec_pubkey( &c, buf, ec ) );
598
599 if( c - buf < 1 )
600 return( POLARSSL_ERR_ASN1_BUF_TOO_SMALL );
601 *--c = 0;
602 pub_len += 1;
603
604 ASN1_CHK_ADD( pub_len, asn1_write_len( &c, buf, pub_len ) );
605 ASN1_CHK_ADD( pub_len, asn1_write_tag( &c, buf, ASN1_BIT_STRING ) );
606
607 ASN1_CHK_ADD( pub_len, asn1_write_len( &c, buf, pub_len ) );
608 ASN1_CHK_ADD( pub_len, asn1_write_tag( &c, buf,
609 ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 1 ) );
610 len += pub_len;
611
612 /* parameters */
613 ASN1_CHK_ADD( par_len, x509_write_ec_param( &c, buf, ec ) );
614
615 ASN1_CHK_ADD( par_len, asn1_write_len( &c, buf, par_len ) );
616 ASN1_CHK_ADD( par_len, asn1_write_tag( &c, buf,
617 ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 0 ) );
618 len += par_len;
619
620 /* privateKey: write as MPI then fix tag */
621 ASN1_CHK_ADD( len, asn1_write_mpi( &c, buf, &ec->d ) );
622 *c = ASN1_OCTET_STRING;
623
624 /* version */
625 ASN1_CHK_ADD( len, asn1_write_int( &c, buf, 1 ) );
626
627 ASN1_CHK_ADD( len, asn1_write_len( &c, buf, len ) );
628 ASN1_CHK_ADD( len, asn1_write_tag( &c, buf, ASN1_CONSTRUCTED | ASN1_SEQUENCE ) );
629 }
630 else
631#endif
632 return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE );
Paul Bakkerbdb912d2012-02-13 23:11:30 +0000[diff] [blame]633
Paul Bakkerbdb912d2012-02-13 23:11:30 +0000[diff] [blame]634 return( len );
635}
636
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]637/*
638 * RelativeDistinguishedName ::=
639 * SET OF AttributeTypeAndValue
640 *
641 * AttributeTypeAndValue ::= SEQUENCE {
642 * type AttributeType,
643 * value AttributeValue }
644 *
645 * AttributeType ::= OBJECT IDENTIFIER
646 *
647 * AttributeValue ::= ANY DEFINED BY AttributeType
648 */
Paul Bakker5f45e622013-09-09 12:02:36 +0200[diff] [blame]649static int x509_write_name( unsigned char **p, unsigned char *start,
650 const char *oid, size_t oid_len,
651 const unsigned char *name, size_t name_len )
Paul Bakkerbdb912d2012-02-13 23:11:30 +0000[diff] [blame]652{
653 int ret;
Paul Bakkerbdb912d2012-02-13 23:11:30 +0000[diff] [blame]654 size_t len = 0;
655
Paul Bakker05888152012-02-16 10:26:57 +0000[diff] [blame]656 // Write PrintableString for all except OID_PKCS9_EMAIL
Paul Bakkerbdb912d2012-02-13 23:11:30 +0000[diff] [blame]657 //
Paul Bakker5f45e622013-09-09 12:02:36 +0200[diff] [blame]658 if( OID_SIZE( OID_PKCS9_EMAIL ) == oid_len &&
659 memcmp( oid, OID_PKCS9_EMAIL, oid_len ) == 0 )
Paul Bakker05888152012-02-16 10:26:57 +0000[diff] [blame]660 {
Paul Bakker5f45e622013-09-09 12:02:36 +0200[diff] [blame]661 ASN1_CHK_ADD( len, asn1_write_ia5_string( p, start,
662 (const char *) name,
663 name_len ) );
Paul Bakker05888152012-02-16 10:26:57 +0000[diff] [blame]664 }
665 else
Paul Bakker5f45e622013-09-09 12:02:36 +0200[diff] [blame]666 {
667 ASN1_CHK_ADD( len, asn1_write_printable_string( p, start,
668 (const char *) name,
669 name_len ) );
670 }
Paul Bakkerbdb912d2012-02-13 23:11:30 +0000[diff] [blame]671
672 // Write OID
673 //
Paul Bakker5f45e622013-09-09 12:02:36 +0200[diff] [blame]674 ASN1_CHK_ADD( len, asn1_write_oid( p, start, oid, oid_len ) );
Paul Bakkerbdb912d2012-02-13 23:11:30 +0000[diff] [blame]675
Paul Bakker5f45e622013-09-09 12:02:36 +0200[diff] [blame]676 ASN1_CHK_ADD( len, asn1_write_len( p, start, len ) );
Paul Bakkerbdb912d2012-02-13 23:11:30 +0000[diff] [blame]677 ASN1_CHK_ADD( len, asn1_write_tag( p, start, ASN1_CONSTRUCTED | ASN1_SEQUENCE ) );
678
679 ASN1_CHK_ADD( len, asn1_write_len( p, start, len ) );
680 ASN1_CHK_ADD( len, asn1_write_tag( p, start, ASN1_CONSTRUCTED | ASN1_SET ) );
681
682 return( len );
683}
684
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]685static int x509_write_names( unsigned char **p, unsigned char *start,
Paul Bakker5f45e622013-09-09 12:02:36 +0200[diff] [blame]686 asn1_named_data *first )
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]687{
688 int ret;
689 size_t len = 0;
Paul Bakker5f45e622013-09-09 12:02:36 +0200[diff] [blame]690 asn1_named_data *cur = first;
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]691
692 while( cur != NULL )
693 {
Paul Bakker5f45e622013-09-09 12:02:36 +0200[diff] [blame]694 ASN1_CHK_ADD( len, x509_write_name( p, start, (char *) cur->oid.p,
695 cur->oid.len,
696 cur->val.p, cur->val.len ) );
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]697 cur = cur->next;
698 }
699
700 ASN1_CHK_ADD( len, asn1_write_len( p, start, len ) );
701 ASN1_CHK_ADD( len, asn1_write_tag( p, start, ASN1_CONSTRUCTED | ASN1_SEQUENCE ) );
702
703 return( len );
704}
705
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200[diff] [blame]706static int x509_write_sig( unsigned char **p, unsigned char *start,
Paul Bakker1c3853b2013-09-10 11:43:44 +0200[diff] [blame]707 const char *oid, size_t oid_len,
708 unsigned char *sig, size_t size )
Paul Bakkerbdb912d2012-02-13 23:11:30 +0000[diff] [blame]709{
710 int ret;
711 size_t len = 0;
712
713 if( *p - start < (int) size + 1 )
714 return( POLARSSL_ERR_ASN1_BUF_TOO_SMALL );
715
716 len = size;
717 (*p) -= len;
718 memcpy( *p, sig, len );
719
720 *--(*p) = 0;
721 len += 1;
722
723 ASN1_CHK_ADD( len, asn1_write_len( p, start, len ) );
724 ASN1_CHK_ADD( len, asn1_write_tag( p, start, ASN1_BIT_STRING ) );
725
726 // Write OID
727 //
Paul Bakker5f45e622013-09-09 12:02:36 +0200[diff] [blame]728 ASN1_CHK_ADD( len, asn1_write_algorithm_identifier( p, start, oid,
Manuel Pégourié-Gonnardedda9042013-09-12 02:17:54 +0200[diff] [blame]729 oid_len, 0 ) );
Paul Bakkerbdb912d2012-02-13 23:11:30 +0000[diff] [blame]730
731 return( len );
732}
733
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]734static int x509_write_time( unsigned char **p, unsigned char *start,
735 const char *time, size_t size )
736{
737 int ret;
738 size_t len = 0;
739
Paul Bakker9c208aa2013-09-08 15:44:31 +0200[diff] [blame]740 /*
741 * write ASN1_UTC_TIME if year < 2050 (2 bytes shorter)
742 */
743 if( time[0] == '2' && time[1] == '0' && time [2] < '5' )
744 {
745 ASN1_CHK_ADD( len, asn1_write_raw_buffer( p, start,
746 (const unsigned char *) time + 2,
747 size - 2 ) );
748 ASN1_CHK_ADD( len, asn1_write_len( p, start, len ) );
749 ASN1_CHK_ADD( len, asn1_write_tag( p, start, ASN1_UTC_TIME ) );
750 }
751 else
752 {
753 ASN1_CHK_ADD( len, asn1_write_raw_buffer( p, start,
754 (const unsigned char *) time,
755 size ) );
756 ASN1_CHK_ADD( len, asn1_write_len( p, start, len ) );
757 ASN1_CHK_ADD( len, asn1_write_tag( p, start, ASN1_GENERALIZED_TIME ) );
758 }
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]759
760 return( len );
761}
762
Paul Bakker15162a02013-09-06 19:27:21 +0200[diff] [blame]763static int x509_write_extension( unsigned char **p, unsigned char *start,
764 asn1_named_data *ext )
765{
766 int ret;
767 size_t len = 0;
768
769 ASN1_CHK_ADD( len, asn1_write_raw_buffer( p, start, ext->val.p + 1,
770 ext->val.len - 1 ) );
771 ASN1_CHK_ADD( len, asn1_write_len( p, start, ext->val.len - 1 ) );
772 ASN1_CHK_ADD( len, asn1_write_tag( p, start, ASN1_OCTET_STRING ) );
773
774 if( ext->val.p[0] != 0 )
775 {
776 ASN1_CHK_ADD( len, asn1_write_bool( p, start, 1 ) );
777 }
778
779 ASN1_CHK_ADD( len, asn1_write_raw_buffer( p, start, ext->oid.p,
780 ext->oid.len ) );
781 ASN1_CHK_ADD( len, asn1_write_len( p, start, ext->oid.len ) );
782 ASN1_CHK_ADD( len, asn1_write_tag( p, start, ASN1_OID ) );
783
784 ASN1_CHK_ADD( len, asn1_write_len( p, start, len ) );
785 ASN1_CHK_ADD( len, asn1_write_tag( p, start, ASN1_CONSTRUCTED | ASN1_SEQUENCE ) );
786
787 return( len );
788}
789
790/*
791 * Extension ::= SEQUENCE {
792 * extnID OBJECT IDENTIFIER,
793 * critical BOOLEAN DEFAULT FALSE,
794 * extnValue OCTET STRING
795 * -- contains the DER encoding of an ASN.1 value
796 * -- corresponding to the extension type identified
797 * -- by extnID
798 * }
799 */
800static int x509_write_extensions( unsigned char **p, unsigned char *start,
801 asn1_named_data *first )
802{
803 int ret;
804 size_t len = 0;
805 asn1_named_data *cur_ext = first;
806
807 while( cur_ext != NULL )
808 {
809 ASN1_CHK_ADD( len, x509_write_extension( p, start, cur_ext ) );
810 cur_ext = cur_ext->next;
811 }
812
813 return( len );
814}
815
Manuel Pégourié-Gonnardee731792013-09-11 22:48:40 +0200[diff] [blame]816int x509write_csr_der( x509write_csr *ctx, unsigned char *buf, size_t size,
817 int (*f_rng)(void *, unsigned char *, size_t),
818 void *p_rng )
Paul Bakkerbdb912d2012-02-13 23:11:30 +0000[diff] [blame]819{
820 int ret;
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]821 const char *sig_oid;
Paul Bakker1c3853b2013-09-10 11:43:44 +0200[diff] [blame]822 size_t sig_oid_len = 0;
Paul Bakkerbdb912d2012-02-13 23:11:30 +0000[diff] [blame]823 unsigned char *c, *c2;
Paul Bakker3cac5e02012-02-16 14:08:06 +0000[diff] [blame]824 unsigned char hash[64];
825 unsigned char sig[POLARSSL_MPI_MAX_SIZE];
Paul Bakkerbdb912d2012-02-13 23:11:30 +0000[diff] [blame]826 unsigned char tmp_buf[2048];
Manuel Pégourié-Gonnard8053da42013-09-11 22:28:30 +0200[diff] [blame]827 size_t pub_len = 0, sig_and_oid_len = 0, sig_len;
Paul Bakkerbdb912d2012-02-13 23:11:30 +0000[diff] [blame]828 size_t len = 0;
Manuel Pégourié-Gonnard0088c692013-09-12 02:38:04 +0200[diff] [blame]829 pk_type_t pk_alg;
Paul Bakkerbdb912d2012-02-13 23:11:30 +0000[diff] [blame]830
Manuel Pégourié-Gonnard8053da42013-09-11 22:28:30 +0200[diff] [blame]831 /*
832 * Prepare data to be signed in tmp_buf
833 */
Manuel Pégourié-Gonnard27d87fa2013-09-11 17:33:28 +0200[diff] [blame]834 c = tmp_buf + sizeof( tmp_buf );
Paul Bakkerbdb912d2012-02-13 23:11:30 +0000[diff] [blame]835
Paul Bakker15162a02013-09-06 19:27:21 +0200[diff] [blame]836 ASN1_CHK_ADD( len, x509_write_extensions( &c, tmp_buf, ctx->extensions ) );
Paul Bakkerfde42702013-08-25 14:47:27 +0200[diff] [blame]837
Paul Bakkere5eae762013-08-26 12:05:14 +0200[diff] [blame]838 if( len )
Paul Bakkerfde42702013-08-25 14:47:27 +0200[diff] [blame]839 {
Paul Bakkere5eae762013-08-26 12:05:14 +0200[diff] [blame]840 ASN1_CHK_ADD( len, asn1_write_len( &c, tmp_buf, len ) );
841 ASN1_CHK_ADD( len, asn1_write_tag( &c, tmp_buf, ASN1_CONSTRUCTED | ASN1_SEQUENCE ) );
Paul Bakkerfde42702013-08-25 14:47:27 +0200[diff] [blame]842
Paul Bakkere5eae762013-08-26 12:05:14 +0200[diff] [blame]843 ASN1_CHK_ADD( len, asn1_write_len( &c, tmp_buf, len ) );
844 ASN1_CHK_ADD( len, asn1_write_tag( &c, tmp_buf, ASN1_CONSTRUCTED | ASN1_SET ) );
Paul Bakkerfde42702013-08-25 14:47:27 +0200[diff] [blame]845
Paul Bakker5f45e622013-09-09 12:02:36 +0200[diff] [blame]846 ASN1_CHK_ADD( len, asn1_write_oid( &c, tmp_buf, OID_PKCS9_CSR_EXT_REQ,
847 OID_SIZE( OID_PKCS9_CSR_EXT_REQ ) ) );
Paul Bakkerfde42702013-08-25 14:47:27 +0200[diff] [blame]848
Paul Bakkere5eae762013-08-26 12:05:14 +0200[diff] [blame]849 ASN1_CHK_ADD( len, asn1_write_len( &c, tmp_buf, len ) );
850 ASN1_CHK_ADD( len, asn1_write_tag( &c, tmp_buf, ASN1_CONSTRUCTED | ASN1_SEQUENCE ) );
Paul Bakkerfde42702013-08-25 14:47:27 +0200[diff] [blame]851 }
852
Paul Bakkere5eae762013-08-26 12:05:14 +0200[diff] [blame]853 ASN1_CHK_ADD( len, asn1_write_len( &c, tmp_buf, len ) );
Paul Bakkerbdb912d2012-02-13 23:11:30 +0000[diff] [blame]854 ASN1_CHK_ADD( len, asn1_write_tag( &c, tmp_buf, ASN1_CONSTRUCTED | ASN1_CONTEXT_SPECIFIC ) );
855
Manuel Pégourié-Gonnarde1f821a2013-09-12 00:59:40 +0200[diff] [blame]856 ASN1_CHK_ADD( pub_len, x509write_pubkey_der( ctx->key,
Manuel Pégourié-Gonnard27d87fa2013-09-11 17:33:28 +0200[diff] [blame]857 tmp_buf, c - tmp_buf ) );
Manuel Pégourié-Gonnard6dcf0bf2013-09-11 13:09:04 +0200[diff] [blame]858 c -= pub_len;
Paul Bakkerbdb912d2012-02-13 23:11:30 +0000[diff] [blame]859 len += pub_len;
Paul Bakkerbdb912d2012-02-13 23:11:30 +0000[diff] [blame]860
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]861 /*
862 * Subject ::= Name
863 */
864 ASN1_CHK_ADD( len, x509_write_names( &c, tmp_buf, ctx->subject ) );
Paul Bakkerbdb912d2012-02-13 23:11:30 +0000[diff] [blame]865
Paul Bakker8eabfc12013-08-25 10:18:25 +0200[diff] [blame]866 /*
867 * Version ::= INTEGER { v1(0), v2(1), v3(2) }
868 */
Paul Bakkerbdb912d2012-02-13 23:11:30 +0000[diff] [blame]869 ASN1_CHK_ADD( len, asn1_write_int( &c, tmp_buf, 0 ) );
870
871 ASN1_CHK_ADD( len, asn1_write_len( &c, tmp_buf, len ) );
872 ASN1_CHK_ADD( len, asn1_write_tag( &c, tmp_buf, ASN1_CONSTRUCTED | ASN1_SEQUENCE ) );
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200[diff] [blame]873
Manuel Pégourié-Gonnard8053da42013-09-11 22:28:30 +0200[diff] [blame]874 /*
875 * Prepare signature
876 */
Paul Bakker8eabfc12013-08-25 10:18:25 +0200[diff] [blame]877 md( md_info_from_type( ctx->md_alg ), c, len, hash );
Paul Bakker3cac5e02012-02-16 14:08:06 +0000[diff] [blame]878
Manuel Pégourié-Gonnard0088c692013-09-12 02:38:04 +0200[diff] [blame]879 pk_alg = pk_get_type( ctx->key );
880 if( pk_alg == POLARSSL_PK_ECKEY )
881 pk_alg = POLARSSL_PK_ECDSA;
882
Manuel Pégourié-Gonnard8053da42013-09-11 22:28:30 +0200[diff] [blame]883 if( ( ret = pk_sign( ctx->key, ctx->md_alg, hash, 0, sig, &sig_len,
Manuel Pégourié-Gonnardee731792013-09-11 22:48:40 +0200[diff] [blame]884 f_rng, p_rng ) ) != 0 ||
Manuel Pégourié-Gonnard0088c692013-09-12 02:38:04 +0200[diff] [blame]885 ( ret = oid_get_oid_by_sig_alg( pk_alg, ctx->md_alg,
Manuel Pégourié-Gonnard8053da42013-09-11 22:28:30 +0200[diff] [blame]886 &sig_oid, &sig_oid_len ) ) != 0 )
887 {
888 return( ret );
889 }
Manuel Pégourié-Gonnard5353a032013-09-11 12:14:26 +0200[diff] [blame]890
Manuel Pégourié-Gonnard8053da42013-09-11 22:28:30 +0200[diff] [blame]891 /*
892 * Write data to output buffer
893 */
Manuel Pégourié-Gonnard27d87fa2013-09-11 17:33:28 +0200[diff] [blame]894 c2 = buf + size;
Manuel Pégourié-Gonnard8053da42013-09-11 22:28:30 +0200[diff] [blame]895 ASN1_CHK_ADD( sig_and_oid_len, x509_write_sig( &c2, buf,
896 sig_oid, sig_oid_len, sig, sig_len ) );
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200[diff] [blame]897
Paul Bakkerbdb912d2012-02-13 23:11:30 +0000[diff] [blame]898 c2 -= len;
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200[diff] [blame]899 memcpy( c2, c, len );
900
Manuel Pégourié-Gonnard8053da42013-09-11 22:28:30 +0200[diff] [blame]901 len += sig_and_oid_len;
Paul Bakkerbdb912d2012-02-13 23:11:30 +0000[diff] [blame]902 ASN1_CHK_ADD( len, asn1_write_len( &c2, buf, len ) );
903 ASN1_CHK_ADD( len, asn1_write_tag( &c2, buf, ASN1_CONSTRUCTED | ASN1_SEQUENCE ) );
904
905 return( len );
906}
907
Manuel Pégourié-Gonnard31e59402013-09-12 05:59:05 +0200[diff] [blame^]908int x509write_crt_der( x509write_cert *ctx, unsigned char *buf, size_t size,
909 int (*f_rng)(void *, unsigned char *, size_t),
910 void *p_rng )
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]911{
912 int ret;
913 const char *sig_oid;
Paul Bakker1c3853b2013-09-10 11:43:44 +0200[diff] [blame]914 size_t sig_oid_len = 0;
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]915 unsigned char *c, *c2;
916 unsigned char hash[64];
917 unsigned char sig[POLARSSL_MPI_MAX_SIZE];
918 unsigned char tmp_buf[2048];
Manuel Pégourié-Gonnard53c64252013-09-12 05:39:46 +0200[diff] [blame]919 size_t sub_len = 0, pub_len = 0, sig_and_oid_len = 0, sig_len;
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]920 size_t len = 0;
Manuel Pégourié-Gonnard53c64252013-09-12 05:39:46 +0200[diff] [blame]921 pk_type_t pk_alg;
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]922
Manuel Pégourié-Gonnard53c64252013-09-12 05:39:46 +0200[diff] [blame]923 /*
924 * Prepare data to be signed in tmp_buf
925 */
Manuel Pégourié-Gonnard27d87fa2013-09-11 17:33:28 +0200[diff] [blame]926 c = tmp_buf + sizeof( tmp_buf );
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]927
Manuel Pégourié-Gonnard53c64252013-09-12 05:39:46 +0200[diff] [blame]928 /* Signature algorithm needed in TBS, and later for actual signature */
929 pk_alg = pk_get_type( ctx->issuer_key );
930 if( pk_alg == POLARSSL_PK_ECKEY )
931 pk_alg = POLARSSL_PK_ECDSA;
932
933 if( ( ret = oid_get_oid_by_sig_alg( pk_alg, ctx->md_alg,
934 &sig_oid, &sig_oid_len ) ) != 0 )
935 {
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]936 return( ret );
Manuel Pégourié-Gonnard53c64252013-09-12 05:39:46 +0200[diff] [blame]937 }
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]938
Paul Bakker15162a02013-09-06 19:27:21 +0200[diff] [blame]939 /*
940 * Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
941 */
942 ASN1_CHK_ADD( len, x509_write_extensions( &c, tmp_buf, ctx->extensions ) );
943 ASN1_CHK_ADD( len, asn1_write_len( &c, tmp_buf, len ) );
944 ASN1_CHK_ADD( len, asn1_write_tag( &c, tmp_buf, ASN1_CONSTRUCTED | ASN1_SEQUENCE ) );
945 ASN1_CHK_ADD( len, asn1_write_len( &c, tmp_buf, len ) );
946 ASN1_CHK_ADD( len, asn1_write_tag( &c, tmp_buf, ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 3 ) );
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]947
948 /*
Manuel Pégourié-Gonnard6dcf0bf2013-09-11 13:09:04 +0200[diff] [blame]949 * SubjectPublicKeyInfo
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]950 */
Manuel Pégourié-Gonnard53c64252013-09-12 05:39:46 +0200[diff] [blame]951 ASN1_CHK_ADD( pub_len, x509write_pubkey_der( ctx->subject_key,
Manuel Pégourié-Gonnard27d87fa2013-09-11 17:33:28 +0200[diff] [blame]952 tmp_buf, c - tmp_buf ) );
Manuel Pégourié-Gonnard6dcf0bf2013-09-11 13:09:04 +0200[diff] [blame]953 c -= pub_len;
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]954 len += pub_len;
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]955
956 /*
957 * Subject ::= Name
958 */
959 ASN1_CHK_ADD( len, x509_write_names( &c, tmp_buf, ctx->subject ) );
960
961 /*
962 * Validity ::= SEQUENCE {
963 * notBefore Time,
964 * notAfter Time }
965 */
966 sub_len = 0;
967
968 ASN1_CHK_ADD( sub_len, x509_write_time( &c, tmp_buf, ctx->not_after,
969 X509_RFC5280_UTC_TIME_LEN ) );
970
971 ASN1_CHK_ADD( sub_len, x509_write_time( &c, tmp_buf, ctx->not_before,
972 X509_RFC5280_UTC_TIME_LEN ) );
973
974 len += sub_len;
975 ASN1_CHK_ADD( len, asn1_write_len( &c, tmp_buf, sub_len ) );
976 ASN1_CHK_ADD( len, asn1_write_tag( &c, tmp_buf, ASN1_CONSTRUCTED | ASN1_SEQUENCE ) );
977
978 /*
979 * Issuer ::= Name
980 */
981 ASN1_CHK_ADD( len, x509_write_names( &c, tmp_buf, ctx->issuer ) );
982
983 /*
984 * Signature ::= AlgorithmIdentifier
985 */
986 ASN1_CHK_ADD( len, asn1_write_algorithm_identifier( &c, tmp_buf,
Manuel Pégourié-Gonnardedda9042013-09-12 02:17:54 +0200[diff] [blame]987 sig_oid, strlen( sig_oid ), 0 ) );
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]988
989 /*
990 * Serial ::= INTEGER
991 */
992 ASN1_CHK_ADD( len, asn1_write_mpi( &c, tmp_buf, &ctx->serial ) );
993
994 /*
995 * Version ::= INTEGER { v1(0), v2(1), v3(2) }
996 */
997 sub_len = 0;
998 ASN1_CHK_ADD( sub_len, asn1_write_int( &c, tmp_buf, ctx->version ) );
999 len += sub_len;
1000 ASN1_CHK_ADD( len, asn1_write_len( &c, tmp_buf, sub_len ) );
1001 ASN1_CHK_ADD( len, asn1_write_tag( &c, tmp_buf, ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 0 ) );
1002
1003 ASN1_CHK_ADD( len, asn1_write_len( &c, tmp_buf, len ) );
1004 ASN1_CHK_ADD( len, asn1_write_tag( &c, tmp_buf, ASN1_CONSTRUCTED | ASN1_SEQUENCE ) );
1005
Manuel Pégourié-Gonnard53c64252013-09-12 05:39:46 +0200[diff] [blame]1006 /*
1007 * Make signature
1008 */
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]1009 md( md_info_from_type( ctx->md_alg ), c, len, hash );
1010
Manuel Pégourié-Gonnard53c64252013-09-12 05:39:46 +0200[diff] [blame]1011 if( ( ret = pk_sign( ctx->issuer_key, ctx->md_alg, hash, 0, sig, &sig_len,
Manuel Pégourié-Gonnard31e59402013-09-12 05:59:05 +0200[diff] [blame^]1012 f_rng, p_rng ) ) != 0 )
Manuel Pégourié-Gonnard53c64252013-09-12 05:39:46 +0200[diff] [blame]1013 {
1014 return( ret );
1015 }
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]1016
Manuel Pégourié-Gonnard53c64252013-09-12 05:39:46 +0200[diff] [blame]1017 /*
1018 * Write data to output buffer
1019 */
Manuel Pégourié-Gonnard27d87fa2013-09-11 17:33:28 +0200[diff] [blame]1020 c2 = buf + size;
Manuel Pégourié-Gonnard53c64252013-09-12 05:39:46 +0200[diff] [blame]1021 ASN1_CHK_ADD( sig_and_oid_len, x509_write_sig( &c2, buf,
1022 sig_oid, sig_oid_len, sig, sig_len ) );
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]1023
1024 c2 -= len;
1025 memcpy( c2, c, len );
1026
Manuel Pégourié-Gonnard53c64252013-09-12 05:39:46 +0200[diff] [blame]1027 len += sig_and_oid_len;
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]1028 ASN1_CHK_ADD( len, asn1_write_len( &c2, buf, len ) );
1029 ASN1_CHK_ADD( len, asn1_write_tag( &c2, buf, ASN1_CONSTRUCTED | ASN1_SEQUENCE ) );
1030
1031 return( len );
1032}
1033
1034#define PEM_BEGIN_CRT "-----BEGIN CERTIFICATE-----\n"
1035#define PEM_END_CRT "-----END CERTIFICATE-----\n"
1036
Paul Bakkerf3df61a2013-08-26 17:22:23 +0200[diff] [blame]1037#define PEM_BEGIN_CSR "-----BEGIN CERTIFICATE REQUEST-----\n"
1038#define PEM_END_CSR "-----END CERTIFICATE REQUEST-----\n"
1039
1040#define PEM_BEGIN_PUBLIC_KEY "-----BEGIN PUBLIC KEY-----\n"
1041#define PEM_END_PUBLIC_KEY "-----END PUBLIC KEY-----\n"
1042
Manuel Pégourié-Gonnard6de63e42013-09-12 04:59:34 +0200[diff] [blame]1043#define PEM_BEGIN_PRIVATE_KEY_RSA "-----BEGIN RSA PRIVATE KEY-----\n"
1044#define PEM_END_PRIVATE_KEY_RSA "-----END RSA PRIVATE KEY-----\n"
1045#define PEM_BEGIN_PRIVATE_KEY_EC "-----BEGIN EC PRIVATE KEY-----\n"
1046#define PEM_END_PRIVATE_KEY_EC "-----END EC PRIVATE KEY-----\n"
Paul Bakker135f1e92013-08-26 16:54:13 +0200[diff] [blame]1047
1048#if defined(POLARSSL_BASE64_C)
Paul Bakkerf3df61a2013-08-26 17:22:23 +0200[diff] [blame]1049static int x509write_pemify( const char *begin_str, const char *end_str,
1050 const unsigned char *der_data, size_t der_len,
1051 unsigned char *buf, size_t size )
Paul Bakker135f1e92013-08-26 16:54:13 +0200[diff] [blame]1052{
1053 int ret;
Paul Bakker135f1e92013-08-26 16:54:13 +0200[diff] [blame]1054 unsigned char base_buf[4096];
Paul Bakkerf3df61a2013-08-26 17:22:23 +0200[diff] [blame]1055 unsigned char *c = base_buf, *p = buf;
1056 size_t len = 0, olen = sizeof(base_buf);
Paul Bakker135f1e92013-08-26 16:54:13 +0200[diff] [blame]1057
Paul Bakkerf3df61a2013-08-26 17:22:23 +0200[diff] [blame]1058 if( ( ret = base64_encode( base_buf, &olen, der_data, der_len ) ) != 0 )
Paul Bakker135f1e92013-08-26 16:54:13 +0200[diff] [blame]1059 return( ret );
1060
Paul Bakkerf3df61a2013-08-26 17:22:23 +0200[diff] [blame]1061 if( olen + strlen( begin_str ) + strlen( end_str ) +
Paul Bakker135f1e92013-08-26 16:54:13 +0200[diff] [blame]1062 olen / 64 > size )
1063 {
1064 return( POLARSSL_ERR_BASE64_BUFFER_TOO_SMALL );
1065 }
1066
Paul Bakkerf3df61a2013-08-26 17:22:23 +0200[diff] [blame]1067 memcpy( p, begin_str, strlen( begin_str ) );
1068 p += strlen( begin_str );
Paul Bakker135f1e92013-08-26 16:54:13 +0200[diff] [blame]1069
1070 while( olen )
1071 {
1072 len = ( olen > 64 ) ? 64 : olen;
1073 memcpy( p, c, len );
1074 olen -= len;
1075 p += len;
1076 c += len;
1077 *p++ = '\n';
1078 }
1079
Paul Bakkerf3df61a2013-08-26 17:22:23 +0200[diff] [blame]1080 memcpy( p, end_str, strlen( end_str ) );
1081 p += strlen( end_str );
Paul Bakker135f1e92013-08-26 16:54:13 +0200[diff] [blame]1082
1083 *p = '\0';
1084
1085 return( 0 );
1086}
Paul Bakkerf3df61a2013-08-26 17:22:23 +0200[diff] [blame]1087
Manuel Pégourié-Gonnard31e59402013-09-12 05:59:05 +0200[diff] [blame^]1088int x509write_crt_pem( x509write_cert *crt, unsigned char *buf, size_t size,
1089 int (*f_rng)(void *, unsigned char *, size_t),
1090 void *p_rng )
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]1091{
1092 int ret;
1093 unsigned char output_buf[4096];
1094
Manuel Pégourié-Gonnard31e59402013-09-12 05:59:05 +0200[diff] [blame^]1095 if( ( ret = x509write_crt_der( crt, output_buf, sizeof(output_buf),
1096 f_rng, p_rng ) ) < 0 )
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]1097 {
1098 return( ret );
1099 }
1100
1101 if( ( ret = x509write_pemify( PEM_BEGIN_CRT, PEM_END_CRT,
Manuel Pégourié-Gonnard27d87fa2013-09-11 17:33:28 +0200[diff] [blame]1102 output_buf + sizeof(output_buf) - ret,
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]1103 ret, buf, size ) ) != 0 )
1104 {
1105 return( ret );
1106 }
1107
1108 return( 0 );
1109}
1110
Manuel Pégourié-Gonnarde1f821a2013-09-12 00:59:40 +0200[diff] [blame]1111int x509write_pubkey_pem( pk_context *key, unsigned char *buf, size_t size )
Paul Bakkerf3df61a2013-08-26 17:22:23 +0200[diff] [blame]1112{
1113 int ret;
1114 unsigned char output_buf[4096];
1115
Manuel Pégourié-Gonnarde1f821a2013-09-12 00:59:40 +0200[diff] [blame]1116 if( ( ret = x509write_pubkey_der( key, output_buf,
Paul Bakkerf3df61a2013-08-26 17:22:23 +0200[diff] [blame]1117 sizeof(output_buf) ) ) < 0 )
1118 {
1119 return( ret );
1120 }
1121
1122 if( ( ret = x509write_pemify( PEM_BEGIN_PUBLIC_KEY, PEM_END_PUBLIC_KEY,
Manuel Pégourié-Gonnard27d87fa2013-09-11 17:33:28 +0200[diff] [blame]1123 output_buf + sizeof(output_buf) - ret,
Paul Bakkerf3df61a2013-08-26 17:22:23 +0200[diff] [blame]1124 ret, buf, size ) ) != 0 )
1125 {
1126 return( ret );
1127 }
1128
1129 return( 0 );
1130}
1131
Manuel Pégourié-Gonnard6de63e42013-09-12 04:59:34 +0200[diff] [blame]1132int x509write_key_pem( pk_context *key, unsigned char *buf, size_t size )
Paul Bakkerf3df61a2013-08-26 17:22:23 +0200[diff] [blame]1133{
1134 int ret;
1135 unsigned char output_buf[4096];
Manuel Pégourié-Gonnard6de63e42013-09-12 04:59:34 +0200[diff] [blame]1136 char *begin, *end;
Paul Bakkerf3df61a2013-08-26 17:22:23 +0200[diff] [blame]1137
Manuel Pégourié-Gonnard6de63e42013-09-12 04:59:34 +0200[diff] [blame]1138 if( ( ret = x509write_key_der( key, output_buf,
Paul Bakkerf3df61a2013-08-26 17:22:23 +0200[diff] [blame]1139 sizeof(output_buf) ) ) < 0 )
1140 {
1141 return( ret );
1142 }
1143
Manuel Pégourié-Gonnard6de63e42013-09-12 04:59:34 +0200[diff] [blame]1144#if defined(POLARSSL_RSA_C)
1145 if( pk_get_type( key ) == POLARSSL_PK_RSA )
1146 {
1147 begin = PEM_BEGIN_PRIVATE_KEY_RSA;
1148 end = PEM_END_PRIVATE_KEY_RSA;
1149 }
1150 else
1151#endif
1152#if defined(POLARSSL_ECP_C)
1153 if( pk_get_type( key ) == POLARSSL_PK_ECKEY )
1154 {
1155 begin = PEM_BEGIN_PRIVATE_KEY_EC;
1156 end = PEM_END_PRIVATE_KEY_EC;
1157 }
1158 else
1159#endif
1160 return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE );
1161
1162 if( ( ret = x509write_pemify( begin, end,
Manuel Pégourié-Gonnard27d87fa2013-09-11 17:33:28 +0200[diff] [blame]1163 output_buf + sizeof(output_buf) - ret,
Paul Bakkerf3df61a2013-08-26 17:22:23 +0200[diff] [blame]1164 ret, buf, size ) ) != 0 )
1165 {
1166 return( ret );
1167 }
1168
1169 return( 0 );
1170}
1171
Manuel Pégourié-Gonnardee731792013-09-11 22:48:40 +0200[diff] [blame]1172int x509write_csr_pem( x509write_csr *ctx, unsigned char *buf, size_t size,
1173 int (*f_rng)(void *, unsigned char *, size_t),
1174 void *p_rng )
Paul Bakkerf3df61a2013-08-26 17:22:23 +0200[diff] [blame]1175{
1176 int ret;
1177 unsigned char output_buf[4096];
1178
Manuel Pégourié-Gonnardee731792013-09-11 22:48:40 +0200[diff] [blame]1179 if( ( ret = x509write_csr_der( ctx, output_buf, sizeof(output_buf),
1180 f_rng, p_rng ) ) < 0 )
Paul Bakkerf3df61a2013-08-26 17:22:23 +0200[diff] [blame]1181 {
1182 return( ret );
1183 }
1184
1185 if( ( ret = x509write_pemify( PEM_BEGIN_CSR, PEM_END_CSR,
Manuel Pégourié-Gonnard27d87fa2013-09-11 17:33:28 +0200[diff] [blame]1186 output_buf + sizeof(output_buf) - ret,
Paul Bakkerf3df61a2013-08-26 17:22:23 +0200[diff] [blame]1187 ret, buf, size ) ) != 0 )
1188 {
1189 return( ret );
1190 }
1191
1192 return( 0 );
1193}
Paul Bakker135f1e92013-08-26 16:54:13 +0200[diff] [blame]1194#endif /* POLARSSL_BASE64_C */
1195
Paul Bakkerbdb912d2012-02-13 23:11:30 +0000[diff] [blame]1196#endif