TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 1a7550ac6777a92bf67d8130c16314533cf0f892 / . / library / x509write.c
blob: d4861d77d800109799f507c498575fbf3cf6efc9 [file] [log] [blame]
Paul Bakkerbdb912d2012-02-13 23:11:30 +0000[diff] [blame]1/*
2 * X509 buffer writing functionality
3 *
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200[diff] [blame]4 * Copyright (C) 2006-2013, Brainspark B.V.
Paul Bakkerbdb912d2012-02-13 23:11:30 +0000[diff] [blame]5 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
7 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
8 *
9 * All rights reserved.
10 *
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25
Manuel Pégourié-Gonnardd4eb5b52013-09-11 18:16:20 +0200[diff] [blame]26/*
27 * References:
28 * - certificates: RFC 5280, updated by RFC 6818
29 * - CSRs: PKCS#10 v1.7 aka RFC 2986
30 * - attributes: PKCS#9 v2.0 aka RFC 2985
31 */
32
Paul Bakkerbdb912d2012-02-13 23:11:30 +0000[diff] [blame]33#include "polarssl/config.h"
34
35#if defined(POLARSSL_X509_WRITE_C)
36
37#include "polarssl/asn1write.h"
38#include "polarssl/x509write.h"
39#include "polarssl/x509.h"
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]40#include "polarssl/md.h"
41#include "polarssl/oid.h"
Paul Bakkerbdb912d2012-02-13 23:11:30 +0000[diff] [blame]42
Paul Bakker15162a02013-09-06 19:27:21 +0200[diff] [blame]43#include "polarssl/sha1.h"
44
Paul Bakker135f1e92013-08-26 16:54:13 +0200[diff] [blame]45#if defined(POLARSSL_BASE64_C)
46#include "polarssl/base64.h"
47#endif
48
Paul Bakker8eabfc12013-08-25 10:18:25 +0200[diff] [blame]49#if defined(POLARSSL_MEMORY_C)
50#include "polarssl/memory.h"
51#else
52#include <stdlib.h>
53#define polarssl_malloc malloc
54#define polarssl_free free
55#endif
56
Paul Bakker5f45e622013-09-09 12:02:36 +0200[diff] [blame]57static int x509write_string_to_names( asn1_named_data **head, char *name )
Paul Bakker8eabfc12013-08-25 10:18:25 +0200[diff] [blame]58{
59 int ret = 0;
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]60 char *s = name, *c = s;
Paul Bakker8eabfc12013-08-25 10:18:25 +0200[diff] [blame]61 char *end = s + strlen( s );
62 char *oid = NULL;
63 int in_tag = 1;
Paul Bakker5f45e622013-09-09 12:02:36 +0200[diff] [blame]64 asn1_named_data *cur;
Paul Bakker8eabfc12013-08-25 10:18:25 +0200[diff] [blame]65
Manuel Pégourié-Gonnardda7317e2013-09-10 15:52:52 +0200[diff] [blame]66 /* Clear existing chain if present */
67 asn1_free_named_data_list( head );
Paul Bakker8eabfc12013-08-25 10:18:25 +0200[diff] [blame]68
69 while( c <= end )
70 {
71 if( in_tag && *c == '=' )
72 {
73 if( memcmp( s, "CN", 2 ) == 0 && c - s == 2 )
74 oid = OID_AT_CN;
75 else if( memcmp( s, "C", 1 ) == 0 && c - s == 1 )
76 oid = OID_AT_COUNTRY;
77 else if( memcmp( s, "O", 1 ) == 0 && c - s == 1 )
78 oid = OID_AT_ORGANIZATION;
79 else if( memcmp( s, "L", 1 ) == 0 && c - s == 1 )
80 oid = OID_AT_LOCALITY;
81 else if( memcmp( s, "R", 1 ) == 0 && c - s == 1 )
82 oid = OID_PKCS9_EMAIL;
83 else if( memcmp( s, "OU", 2 ) == 0 && c - s == 2 )
84 oid = OID_AT_ORG_UNIT;
85 else if( memcmp( s, "ST", 2 ) == 0 && c - s == 2 )
86 oid = OID_AT_STATE;
87 else
88 {
Paul Bakker0e06c0f2013-08-25 11:21:30 +0200[diff] [blame]89 ret = POLARSSL_ERR_X509WRITE_UNKNOWN_OID;
Paul Bakker8eabfc12013-08-25 10:18:25 +0200[diff] [blame]90 goto exit;
91 }
92
93 s = c + 1;
94 in_tag = 0;
95 }
96
97 if( !in_tag && ( *c == ',' || c == end ) )
98 {
Paul Bakker5f45e622013-09-09 12:02:36 +0200[diff] [blame]99 if( ( cur = asn1_store_named_data( head, oid, strlen( oid ),
100 (unsigned char *) s,
101 c - s ) ) == NULL )
Paul Bakker8eabfc12013-08-25 10:18:25 +0200[diff] [blame]102 {
Paul Bakker5f45e622013-09-09 12:02:36 +0200[diff] [blame]103 return( POLARSSL_ERR_X509WRITE_MALLOC_FAILED );
Paul Bakker8eabfc12013-08-25 10:18:25 +0200[diff] [blame]104 }
105
Paul Bakkerd4bf8702013-09-09 13:59:11 +0200[diff] [blame]106 while( c < end && *(c + 1) == ' ' )
107 c++;
108
Paul Bakker8eabfc12013-08-25 10:18:25 +0200[diff] [blame]109 s = c + 1;
110 in_tag = 1;
111 }
112 c++;
113 }
114
115exit:
116
117 return( ret );
118}
119
Manuel Pégourié-Gonnard3837dae2013-09-12 01:39:07 +0200[diff] [blame]120#if defined(POLARSSL_RSA_C)
Paul Bakker15162a02013-09-06 19:27:21 +0200[diff] [blame]121/*
122 * RSAPublicKey ::= SEQUENCE {
123 * modulus INTEGER, -- n
124 * publicExponent INTEGER -- e
125 * }
126 */
127static int x509_write_rsa_pubkey( unsigned char **p, unsigned char *start,
128 rsa_context *rsa )
129{
130 int ret;
131 size_t len = 0;
132
133 ASN1_CHK_ADD( len, asn1_write_mpi( p, start, &rsa->E ) );
134 ASN1_CHK_ADD( len, asn1_write_mpi( p, start, &rsa->N ) );
135
136 ASN1_CHK_ADD( len, asn1_write_len( p, start, len ) );
137 ASN1_CHK_ADD( len, asn1_write_tag( p, start, ASN1_CONSTRUCTED | ASN1_SEQUENCE ) );
138
139 return( len );
140}
Manuel Pégourié-Gonnard3837dae2013-09-12 01:39:07 +0200[diff] [blame]141#endif /* POLARSSL_RSA_C */
142
143#if defined(POLARSSL_ECP_C)
144/*
145 * EC public key is an EC point
146 */
147static int x509_write_ec_pubkey( unsigned char **p, unsigned char *start,
148 ecp_keypair *ec )
149{
150 int ret;
151 size_t len = 0;
152 unsigned char buf[POLARSSL_ECP_MAX_PT_LEN];
153
154 if( ( ret = ecp_point_write_binary( &ec->grp, &ec->Q,
155 POLARSSL_ECP_PF_UNCOMPRESSED,
156 &len, buf, sizeof( buf ) ) ) != 0 )
157 {
158 return( ret );
159 }
160
161 if( *p - start < (int) len )
162 return( POLARSSL_ERR_ASN1_BUF_TOO_SMALL );
163
164 *p -= len;
165 memcpy( *p, buf, len );
166
167 return( len );
168}
169
170/*
171 * ECParameters ::= CHOICE {
172 * namedCurve OBJECT IDENTIFIER
173 * }
174 */
Manuel Pégourié-Gonnardedda9042013-09-12 02:17:54 +0200[diff] [blame]175static int x509_write_ec_param( unsigned char **p, unsigned char *start,
176 ecp_keypair *ec )
Manuel Pégourié-Gonnard3837dae2013-09-12 01:39:07 +0200[diff] [blame]177{
178 int ret;
179 size_t len = 0;
180 const char *oid;
181 size_t oid_len;
182
183 if( ( ret = oid_get_oid_by_ec_grp( ec->grp.id, &oid, &oid_len ) ) != 0 )
184 return( ret );
185
186 ASN1_CHK_ADD( len, asn1_write_oid( p, start, oid, oid_len ) );
187
188 return( len );
189}
190#endif /* POLARSSL_ECP_C */
Paul Bakker15162a02013-09-06 19:27:21 +0200[diff] [blame]191
Manuel Pégourié-Gonnardbb323ff2013-09-12 06:26:54 +0200[diff] [blame]192static int x509_write_pubkey( unsigned char **p, unsigned char *start,
193 const pk_context *key )
194{
195 int ret;
196 size_t len = 0;
197
198#if defined(POLARSSL_RSA_C)
199 if( pk_get_type( key ) == POLARSSL_PK_RSA )
200 ASN1_CHK_ADD( len, x509_write_rsa_pubkey( p, start, pk_rsa( *key ) ) );
201 else
202#endif
203#if defined(POLARSSL_ECP_C)
204 if( pk_get_type( key ) == POLARSSL_PK_ECKEY )
205 ASN1_CHK_ADD( len, x509_write_ec_pubkey( p, start, pk_ec( *key ) ) );
206 else
207#endif
208 return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE );
209
210 return( len );
211}
212
Paul Bakkercd358032013-09-09 12:08:11 +0200[diff] [blame]213void x509write_csr_init( x509write_csr *ctx )
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]214{
Paul Bakkercd358032013-09-09 12:08:11 +0200[diff] [blame]215 memset( ctx, 0, sizeof(x509write_csr) );
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]216}
217
Paul Bakkercd358032013-09-09 12:08:11 +0200[diff] [blame]218void x509write_csr_free( x509write_csr *ctx )
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]219{
Paul Bakker5f45e622013-09-09 12:02:36 +0200[diff] [blame]220 asn1_free_named_data_list( &ctx->subject );
221 asn1_free_named_data_list( &ctx->extensions );
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]222
Paul Bakkercd358032013-09-09 12:08:11 +0200[diff] [blame]223 memset( ctx, 0, sizeof(x509write_csr) );
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]224}
225
Paul Bakkercd358032013-09-09 12:08:11 +0200[diff] [blame]226void x509write_csr_set_md_alg( x509write_csr *ctx, md_type_t md_alg )
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]227{
228 ctx->md_alg = md_alg;
229}
230
Manuel Pégourié-Gonnardee731792013-09-11 22:48:40 +0200[diff] [blame]231void x509write_csr_set_key( x509write_csr *ctx, pk_context *key )
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]232{
Manuel Pégourié-Gonnardee731792013-09-11 22:48:40 +0200[diff] [blame]233 ctx->key = key;
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]234}
235
Paul Bakkercd358032013-09-09 12:08:11 +0200[diff] [blame]236int x509write_csr_set_subject_name( x509write_csr *ctx, char *subject_name )
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]237{
238 return x509write_string_to_names( &ctx->subject, subject_name );
239}
240
Paul Bakker15162a02013-09-06 19:27:21 +0200[diff] [blame]241/* The first byte of the value in the asn1_named_data structure is reserved
242 * to store the critical boolean for us
243 */
244static int x509_set_extension( asn1_named_data **head,
245 const char *oid, size_t oid_len,
246 int critical,
247 const unsigned char *val, size_t val_len )
Paul Bakkerfde42702013-08-25 14:47:27 +0200[diff] [blame]248{
Paul Bakkere5eae762013-08-26 12:05:14 +0200[diff] [blame]249 asn1_named_data *cur;
Paul Bakkere5eae762013-08-26 12:05:14 +0200[diff] [blame]250
Paul Bakker59ba59f2013-09-09 11:26:00 +0200[diff] [blame]251 if( ( cur = asn1_store_named_data( head, oid, oid_len,
252 NULL, val_len + 1 ) ) == NULL )
Paul Bakkere5eae762013-08-26 12:05:14 +0200[diff] [blame]253 {
Paul Bakker59ba59f2013-09-09 11:26:00 +0200[diff] [blame]254 return( POLARSSL_ERR_X509WRITE_MALLOC_FAILED );
Paul Bakker1c0e5502013-08-26 13:41:01 +0200[diff] [blame]255 }
256
Paul Bakker15162a02013-09-06 19:27:21 +0200[diff] [blame]257 cur->val.p[0] = critical;
258 memcpy( cur->val.p + 1, val, val_len );
Paul Bakker1c0e5502013-08-26 13:41:01 +0200[diff] [blame]259
260 return( 0 );
261}
262
Paul Bakkercd358032013-09-09 12:08:11 +0200[diff] [blame]263int x509write_csr_set_extension( x509write_csr *ctx,
Paul Bakker15162a02013-09-06 19:27:21 +0200[diff] [blame]264 const char *oid, size_t oid_len,
265 const unsigned char *val, size_t val_len )
266{
267 return x509_set_extension( &ctx->extensions, oid, oid_len,
268 0, val, val_len );
269}
270
Paul Bakkercd358032013-09-09 12:08:11 +0200[diff] [blame]271int x509write_csr_set_key_usage( x509write_csr *ctx, unsigned char key_usage )
Paul Bakker1c0e5502013-08-26 13:41:01 +0200[diff] [blame]272{
273 unsigned char buf[4];
274 unsigned char *c;
275 int ret;
276
277 c = buf + 4;
278
Paul Bakker624d03a2013-08-26 14:12:57 +0200[diff] [blame]279 if( ( ret = asn1_write_bitstring( &c, buf, &key_usage, 7 ) ) != 4 )
Paul Bakker1c0e5502013-08-26 13:41:01 +0200[diff] [blame]280 return( ret );
281
282 ret = x509write_csr_set_extension( ctx, OID_KEY_USAGE,
283 OID_SIZE( OID_KEY_USAGE ),
284 buf, 4 );
285 if( ret != 0 )
286 return( ret );
287
288 return( 0 );
289}
290
Paul Bakkercd358032013-09-09 12:08:11 +0200[diff] [blame]291int x509write_csr_set_ns_cert_type( x509write_csr *ctx,
292 unsigned char ns_cert_type )
Paul Bakker1c0e5502013-08-26 13:41:01 +0200[diff] [blame]293{
294 unsigned char buf[4];
295 unsigned char *c;
296 int ret;
297
298 c = buf + 4;
299
300 if( ( ret = asn1_write_bitstring( &c, buf, &ns_cert_type, 8 ) ) != 4 )
301 return( ret );
302
303 ret = x509write_csr_set_extension( ctx, OID_NS_CERT_TYPE,
304 OID_SIZE( OID_NS_CERT_TYPE ),
305 buf, 4 );
306 if( ret != 0 )
307 return( ret );
Paul Bakkere5eae762013-08-26 12:05:14 +0200[diff] [blame]308
309 return( 0 );
Paul Bakkerfde42702013-08-25 14:47:27 +0200[diff] [blame]310}
311
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]312void x509write_crt_init( x509write_cert *ctx )
313{
314 memset( ctx, 0, sizeof(x509write_cert) );
315
316 mpi_init( &ctx->serial );
317 ctx->version = X509_CRT_VERSION_3;
318}
319
320void x509write_crt_free( x509write_cert *ctx )
321{
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]322 mpi_free( &ctx->serial );
323
Paul Bakker5f45e622013-09-09 12:02:36 +0200[diff] [blame]324 asn1_free_named_data_list( &ctx->subject );
325 asn1_free_named_data_list( &ctx->issuer );
326 asn1_free_named_data_list( &ctx->extensions );
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]327
Paul Bakkercd358032013-09-09 12:08:11 +0200[diff] [blame]328 memset( ctx, 0, sizeof(x509write_csr) );
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]329}
330
331void x509write_crt_set_md_alg( x509write_cert *ctx, md_type_t md_alg )
332{
333 ctx->md_alg = md_alg;
334}
335
Manuel Pégourié-Gonnardf38e71a2013-09-12 05:21:54 +0200[diff] [blame]336void x509write_crt_set_subject_key( x509write_cert *ctx, pk_context *key )
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]337{
Manuel Pégourié-Gonnard53c64252013-09-12 05:39:46 +0200[diff] [blame]338 ctx->subject_key = key;
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]339}
340
Manuel Pégourié-Gonnardf38e71a2013-09-12 05:21:54 +0200[diff] [blame]341void x509write_crt_set_issuer_key( x509write_cert *ctx, pk_context *key )
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]342{
Manuel Pégourié-Gonnard53c64252013-09-12 05:39:46 +0200[diff] [blame]343 ctx->issuer_key = key;
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]344}
345
346int x509write_crt_set_subject_name( x509write_cert *ctx, char *subject_name )
347{
348 return x509write_string_to_names( &ctx->subject, subject_name );
349}
350
351int x509write_crt_set_issuer_name( x509write_cert *ctx, char *issuer_name )
352{
353 return x509write_string_to_names( &ctx->issuer, issuer_name );
354}
355
356int x509write_crt_set_serial( x509write_cert *ctx, const mpi *serial )
357{
358 int ret;
359
360 if( ( ret = mpi_copy( &ctx->serial, serial ) ) != 0 )
361 return( ret );
362
363 return( 0 );
364}
365
366int x509write_crt_set_validity( x509write_cert *ctx, char *not_before,
367 char *not_after )
368{
369 if( strlen(not_before) != X509_RFC5280_UTC_TIME_LEN - 1 ||
370 strlen(not_after) != X509_RFC5280_UTC_TIME_LEN - 1 )
371 {
372 return( POLARSSL_ERR_X509WRITE_BAD_INPUT_DATA );
373 }
374 strncpy( ctx->not_before, not_before, X509_RFC5280_UTC_TIME_LEN );
375 strncpy( ctx->not_after , not_after , X509_RFC5280_UTC_TIME_LEN );
376 ctx->not_before[X509_RFC5280_UTC_TIME_LEN - 1] = 'Z';
377 ctx->not_after[X509_RFC5280_UTC_TIME_LEN - 1] = 'Z';
378
379 return( 0 );
380}
381
Paul Bakker15162a02013-09-06 19:27:21 +0200[diff] [blame]382int x509write_crt_set_extension( x509write_cert *ctx,
383 const char *oid, size_t oid_len,
384 int critical,
385 const unsigned char *val, size_t val_len )
386{
387 return x509_set_extension( &ctx->extensions, oid, oid_len,
388 critical, val, val_len );
389}
390
391int x509write_crt_set_basic_constraints( x509write_cert *ctx,
392 int is_ca, int max_pathlen )
393{
394 int ret;
395 unsigned char buf[9];
396 unsigned char *c = buf + sizeof(buf);
397 size_t len = 0;
398
399 memset( buf, 0, sizeof(buf) );
400
401 if( is_ca && max_pathlen > 127 )
402 return( POLARSSL_ERR_X509WRITE_BAD_INPUT_DATA );
403
404 if( is_ca )
405 {
406 if( max_pathlen >= 0 )
407 {
408 ASN1_CHK_ADD( len, asn1_write_int( &c, buf, max_pathlen ) );
409 }
410 ASN1_CHK_ADD( len, asn1_write_bool( &c, buf, 1 ) );
411 }
412
413 ASN1_CHK_ADD( len, asn1_write_len( &c, buf, len ) );
414 ASN1_CHK_ADD( len, asn1_write_tag( &c, buf, ASN1_CONSTRUCTED | ASN1_SEQUENCE ) );
415
416 return x509write_crt_set_extension( ctx, OID_BASIC_CONSTRAINTS,
417 OID_SIZE( OID_BASIC_CONSTRAINTS ),
418 0, buf + sizeof(buf) - len, len );
419}
420
421int x509write_crt_set_subject_key_identifier( x509write_cert *ctx )
422{
423 int ret;
424 unsigned char buf[POLARSSL_MPI_MAX_SIZE * 2 + 20]; /* tag, length + 2xMPI */
425 unsigned char *c = buf + sizeof(buf);
426 size_t len = 0;
427
428 memset( buf, 0, sizeof(buf));
Manuel Pégourié-Gonnardbb323ff2013-09-12 06:26:54 +0200[diff] [blame]429 ASN1_CHK_ADD( len, x509_write_pubkey( &c, buf, ctx->subject_key ) );
Paul Bakker15162a02013-09-06 19:27:21 +0200[diff] [blame]430
431 sha1( buf + sizeof(buf) - len, len, buf + sizeof(buf) - 20 );
432 c = buf + sizeof(buf) - 20;
433 len = 20;
434
435 ASN1_CHK_ADD( len, asn1_write_len( &c, buf, len ) );
436 ASN1_CHK_ADD( len, asn1_write_tag( &c, buf, ASN1_OCTET_STRING ) );
437
438 return x509write_crt_set_extension( ctx, OID_SUBJECT_KEY_IDENTIFIER,
439 OID_SIZE( OID_SUBJECT_KEY_IDENTIFIER ),
440 0, buf + sizeof(buf) - len, len );
441}
442
443int x509write_crt_set_authority_key_identifier( x509write_cert *ctx )
444{
445 int ret;
446 unsigned char buf[POLARSSL_MPI_MAX_SIZE * 2 + 20]; /* tag, length + 2xMPI */
447 unsigned char *c = buf + sizeof(buf);
448 size_t len = 0;
449
450 memset( buf, 0, sizeof(buf));
Manuel Pégourié-Gonnardbb323ff2013-09-12 06:26:54 +0200[diff] [blame]451 ASN1_CHK_ADD( len, x509_write_pubkey( &c, buf, ctx->issuer_key ) );
Paul Bakker15162a02013-09-06 19:27:21 +0200[diff] [blame]452
453 sha1( buf + sizeof(buf) - len, len, buf + sizeof(buf) - 20 );
454 c = buf + sizeof(buf) - 20;
455 len = 20;
456
457 ASN1_CHK_ADD( len, asn1_write_len( &c, buf, len ) );
458 ASN1_CHK_ADD( len, asn1_write_tag( &c, buf, ASN1_CONTEXT_SPECIFIC | 0 ) );
459
460 ASN1_CHK_ADD( len, asn1_write_len( &c, buf, len ) );
461 ASN1_CHK_ADD( len, asn1_write_tag( &c, buf, ASN1_CONSTRUCTED | ASN1_SEQUENCE ) );
462
463 return x509write_crt_set_extension( ctx, OID_AUTHORITY_KEY_IDENTIFIER,
464 OID_SIZE( OID_AUTHORITY_KEY_IDENTIFIER ),
465 0, buf + sizeof(buf) - len, len );
466}
467
Paul Bakker52be08c2013-09-09 12:37:54 +0200[diff] [blame]468int x509write_crt_set_key_usage( x509write_cert *ctx, unsigned char key_usage )
469{
470 unsigned char buf[4];
471 unsigned char *c;
472 int ret;
473
474 c = buf + 4;
475
476 if( ( ret = asn1_write_bitstring( &c, buf, &key_usage, 7 ) ) != 4 )
477 return( ret );
478
479 ret = x509write_crt_set_extension( ctx, OID_KEY_USAGE,
480 OID_SIZE( OID_KEY_USAGE ),
481 1, buf, 4 );
482 if( ret != 0 )
483 return( ret );
484
485 return( 0 );
486}
487
488int x509write_crt_set_ns_cert_type( x509write_cert *ctx,
489 unsigned char ns_cert_type )
490{
491 unsigned char buf[4];
492 unsigned char *c;
493 int ret;
494
495 c = buf + 4;
496
497 if( ( ret = asn1_write_bitstring( &c, buf, &ns_cert_type, 8 ) ) != 4 )
498 return( ret );
499
500 ret = x509write_crt_set_extension( ctx, OID_NS_CERT_TYPE,
501 OID_SIZE( OID_NS_CERT_TYPE ),
502 0, buf, 4 );
503 if( ret != 0 )
504 return( ret );
505
506 return( 0 );
507}
508
Manuel Pégourié-Gonnarde1f821a2013-09-12 00:59:40 +0200[diff] [blame]509int x509write_pubkey_der( pk_context *key, unsigned char *buf, size_t size )
Paul Bakkerbdb912d2012-02-13 23:11:30 +0000[diff] [blame]510{
511 int ret;
512 unsigned char *c;
Manuel Pégourié-Gonnardedda9042013-09-12 02:17:54 +0200[diff] [blame]513 size_t len = 0, par_len = 0, oid_len;
514 const char *oid;
Paul Bakkerbdb912d2012-02-13 23:11:30 +0000[diff] [blame]515
Manuel Pégourié-Gonnard27d87fa2013-09-11 17:33:28 +0200[diff] [blame]516 c = buf + size;
Paul Bakkerbdb912d2012-02-13 23:11:30 +0000[diff] [blame]517
Manuel Pégourié-Gonnardbb323ff2013-09-12 06:26:54 +0200[diff] [blame]518 ASN1_CHK_ADD( len, x509_write_pubkey( &c, buf, key ) );
Paul Bakkerbdb912d2012-02-13 23:11:30 +0000[diff] [blame]519
520 if( c - buf < 1 )
521 return( POLARSSL_ERR_ASN1_BUF_TOO_SMALL );
522
Paul Bakker8eabfc12013-08-25 10:18:25 +0200[diff] [blame]523 /*
524 * SubjectPublicKeyInfo ::= SEQUENCE {
525 * algorithm AlgorithmIdentifier,
526 * subjectPublicKey BIT STRING }
527 */
Paul Bakkerbdb912d2012-02-13 23:11:30 +0000[diff] [blame]528 *--c = 0;
529 len += 1;
530
531 ASN1_CHK_ADD( len, asn1_write_len( &c, buf, len ) );
532 ASN1_CHK_ADD( len, asn1_write_tag( &c, buf, ASN1_BIT_STRING ) );
533
Manuel Pégourié-Gonnardedda9042013-09-12 02:17:54 +0200[diff] [blame]534 if( ( ret = oid_get_oid_by_pk_alg( pk_get_type( key ),
535 &oid, &oid_len ) ) != 0 )
536 {
537 return( ret );
538 }
539
Manuel Pégourié-Gonnard3837dae2013-09-12 01:39:07 +0200[diff] [blame]540#if defined(POLARSSL_ECP_C)
541 if( pk_get_type( key ) == POLARSSL_PK_ECKEY )
542 {
Manuel Pégourié-Gonnardedda9042013-09-12 02:17:54 +0200[diff] [blame]543 ASN1_CHK_ADD( par_len, x509_write_ec_param( &c, buf, pk_ec( *key ) ) );
Manuel Pégourié-Gonnard3837dae2013-09-12 01:39:07 +0200[diff] [blame]544 }
Manuel Pégourié-Gonnard3837dae2013-09-12 01:39:07 +0200[diff] [blame]545#endif
Manuel Pégourié-Gonnardedda9042013-09-12 02:17:54 +0200[diff] [blame]546
547 ASN1_CHK_ADD( len, asn1_write_algorithm_identifier( &c, buf, oid, oid_len,
548 par_len ) );
Paul Bakkerbdb912d2012-02-13 23:11:30 +0000[diff] [blame]549
550 ASN1_CHK_ADD( len, asn1_write_len( &c, buf, len ) );
551 ASN1_CHK_ADD( len, asn1_write_tag( &c, buf, ASN1_CONSTRUCTED | ASN1_SEQUENCE ) );
552
553 return( len );
554}
555
Manuel Pégourié-Gonnard6de63e42013-09-12 04:59:34 +0200[diff] [blame]556int x509write_key_der( pk_context *key, unsigned char *buf, size_t size )
Paul Bakkerbdb912d2012-02-13 23:11:30 +0000[diff] [blame]557{
558 int ret;
Manuel Pégourié-Gonnard6de63e42013-09-12 04:59:34 +0200[diff] [blame]559 unsigned char *c = buf + size;
Paul Bakkerbdb912d2012-02-13 23:11:30 +0000[diff] [blame]560 size_t len = 0;
561
Manuel Pégourié-Gonnard6de63e42013-09-12 04:59:34 +0200[diff] [blame]562#if defined(POLARSSL_RSA_C)
563 if( pk_get_type( key ) == POLARSSL_PK_RSA )
564 {
565 rsa_context *rsa = pk_rsa( *key );
Paul Bakkerbdb912d2012-02-13 23:11:30 +0000[diff] [blame]566
Manuel Pégourié-Gonnard6de63e42013-09-12 04:59:34 +0200[diff] [blame]567 ASN1_CHK_ADD( len, asn1_write_mpi( &c, buf, &rsa->QP ) );
568 ASN1_CHK_ADD( len, asn1_write_mpi( &c, buf, &rsa->DQ ) );
569 ASN1_CHK_ADD( len, asn1_write_mpi( &c, buf, &rsa->DP ) );
570 ASN1_CHK_ADD( len, asn1_write_mpi( &c, buf, &rsa->Q ) );
571 ASN1_CHK_ADD( len, asn1_write_mpi( &c, buf, &rsa->P ) );
572 ASN1_CHK_ADD( len, asn1_write_mpi( &c, buf, &rsa->D ) );
573 ASN1_CHK_ADD( len, asn1_write_mpi( &c, buf, &rsa->E ) );
574 ASN1_CHK_ADD( len, asn1_write_mpi( &c, buf, &rsa->N ) );
575 ASN1_CHK_ADD( len, asn1_write_int( &c, buf, 0 ) );
Paul Bakkerbdb912d2012-02-13 23:11:30 +0000[diff] [blame]576
Manuel Pégourié-Gonnard6de63e42013-09-12 04:59:34 +0200[diff] [blame]577 ASN1_CHK_ADD( len, asn1_write_len( &c, buf, len ) );
578 ASN1_CHK_ADD( len, asn1_write_tag( &c, buf, ASN1_CONSTRUCTED | ASN1_SEQUENCE ) );
579 }
580 else
581#endif
582#if defined(POLARSSL_ECP_C)
583 if( pk_get_type( key ) == POLARSSL_PK_ECKEY )
584 {
585 ecp_keypair *ec = pk_ec( *key );
586 size_t pub_len = 0, par_len = 0;
587
588 /*
589 * RFC 5915, or SEC1 Appendix C.4
590 *
591 * ECPrivateKey ::= SEQUENCE {
592 * version INTEGER { ecPrivkeyVer1(1) } (ecPrivkeyVer1),
593 * privateKey OCTET STRING,
594 * parameters [0] ECParameters {{ NamedCurve }} OPTIONAL,
595 * publicKey [1] BIT STRING OPTIONAL
596 * }
597 */
598
599 /* publicKey */
600 ASN1_CHK_ADD( pub_len, x509_write_ec_pubkey( &c, buf, ec ) );
601
602 if( c - buf < 1 )
603 return( POLARSSL_ERR_ASN1_BUF_TOO_SMALL );
604 *--c = 0;
605 pub_len += 1;
606
607 ASN1_CHK_ADD( pub_len, asn1_write_len( &c, buf, pub_len ) );
608 ASN1_CHK_ADD( pub_len, asn1_write_tag( &c, buf, ASN1_BIT_STRING ) );
609
610 ASN1_CHK_ADD( pub_len, asn1_write_len( &c, buf, pub_len ) );
611 ASN1_CHK_ADD( pub_len, asn1_write_tag( &c, buf,
612 ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 1 ) );
613 len += pub_len;
614
615 /* parameters */
616 ASN1_CHK_ADD( par_len, x509_write_ec_param( &c, buf, ec ) );
617
618 ASN1_CHK_ADD( par_len, asn1_write_len( &c, buf, par_len ) );
619 ASN1_CHK_ADD( par_len, asn1_write_tag( &c, buf,
620 ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 0 ) );
621 len += par_len;
622
623 /* privateKey: write as MPI then fix tag */
624 ASN1_CHK_ADD( len, asn1_write_mpi( &c, buf, &ec->d ) );
625 *c = ASN1_OCTET_STRING;
626
627 /* version */
628 ASN1_CHK_ADD( len, asn1_write_int( &c, buf, 1 ) );
629
630 ASN1_CHK_ADD( len, asn1_write_len( &c, buf, len ) );
631 ASN1_CHK_ADD( len, asn1_write_tag( &c, buf, ASN1_CONSTRUCTED | ASN1_SEQUENCE ) );
632 }
633 else
634#endif
635 return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE );
Paul Bakkerbdb912d2012-02-13 23:11:30 +0000[diff] [blame]636
Paul Bakkerbdb912d2012-02-13 23:11:30 +0000[diff] [blame]637 return( len );
638}
639
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]640/*
641 * RelativeDistinguishedName ::=
642 * SET OF AttributeTypeAndValue
643 *
644 * AttributeTypeAndValue ::= SEQUENCE {
645 * type AttributeType,
646 * value AttributeValue }
647 *
648 * AttributeType ::= OBJECT IDENTIFIER
649 *
650 * AttributeValue ::= ANY DEFINED BY AttributeType
651 */
Paul Bakker5f45e622013-09-09 12:02:36 +0200[diff] [blame]652static int x509_write_name( unsigned char **p, unsigned char *start,
653 const char *oid, size_t oid_len,
654 const unsigned char *name, size_t name_len )
Paul Bakkerbdb912d2012-02-13 23:11:30 +0000[diff] [blame]655{
656 int ret;
Paul Bakkerbdb912d2012-02-13 23:11:30 +0000[diff] [blame]657 size_t len = 0;
658
Paul Bakker05888152012-02-16 10:26:57 +0000[diff] [blame]659 // Write PrintableString for all except OID_PKCS9_EMAIL
Paul Bakkerbdb912d2012-02-13 23:11:30 +0000[diff] [blame]660 //
Paul Bakker5f45e622013-09-09 12:02:36 +0200[diff] [blame]661 if( OID_SIZE( OID_PKCS9_EMAIL ) == oid_len &&
662 memcmp( oid, OID_PKCS9_EMAIL, oid_len ) == 0 )
Paul Bakker05888152012-02-16 10:26:57 +0000[diff] [blame]663 {
Paul Bakker5f45e622013-09-09 12:02:36 +0200[diff] [blame]664 ASN1_CHK_ADD( len, asn1_write_ia5_string( p, start,
665 (const char *) name,
666 name_len ) );
Paul Bakker05888152012-02-16 10:26:57 +0000[diff] [blame]667 }
668 else
Paul Bakker5f45e622013-09-09 12:02:36 +0200[diff] [blame]669 {
670 ASN1_CHK_ADD( len, asn1_write_printable_string( p, start,
671 (const char *) name,
672 name_len ) );
673 }
Paul Bakkerbdb912d2012-02-13 23:11:30 +0000[diff] [blame]674
675 // Write OID
676 //
Paul Bakker5f45e622013-09-09 12:02:36 +0200[diff] [blame]677 ASN1_CHK_ADD( len, asn1_write_oid( p, start, oid, oid_len ) );
Paul Bakkerbdb912d2012-02-13 23:11:30 +0000[diff] [blame]678
Paul Bakker5f45e622013-09-09 12:02:36 +0200[diff] [blame]679 ASN1_CHK_ADD( len, asn1_write_len( p, start, len ) );
Paul Bakkerbdb912d2012-02-13 23:11:30 +0000[diff] [blame]680 ASN1_CHK_ADD( len, asn1_write_tag( p, start, ASN1_CONSTRUCTED | ASN1_SEQUENCE ) );
681
682 ASN1_CHK_ADD( len, asn1_write_len( p, start, len ) );
683 ASN1_CHK_ADD( len, asn1_write_tag( p, start, ASN1_CONSTRUCTED | ASN1_SET ) );
684
685 return( len );
686}
687
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]688static int x509_write_names( unsigned char **p, unsigned char *start,
Paul Bakker5f45e622013-09-09 12:02:36 +0200[diff] [blame]689 asn1_named_data *first )
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]690{
691 int ret;
692 size_t len = 0;
Paul Bakker5f45e622013-09-09 12:02:36 +0200[diff] [blame]693 asn1_named_data *cur = first;
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]694
695 while( cur != NULL )
696 {
Paul Bakker5f45e622013-09-09 12:02:36 +0200[diff] [blame]697 ASN1_CHK_ADD( len, x509_write_name( p, start, (char *) cur->oid.p,
698 cur->oid.len,
699 cur->val.p, cur->val.len ) );
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]700 cur = cur->next;
701 }
702
703 ASN1_CHK_ADD( len, asn1_write_len( p, start, len ) );
704 ASN1_CHK_ADD( len, asn1_write_tag( p, start, ASN1_CONSTRUCTED | ASN1_SEQUENCE ) );
705
706 return( len );
707}
708
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200[diff] [blame]709static int x509_write_sig( unsigned char **p, unsigned char *start,
Paul Bakker1c3853b2013-09-10 11:43:44 +0200[diff] [blame]710 const char *oid, size_t oid_len,
711 unsigned char *sig, size_t size )
Paul Bakkerbdb912d2012-02-13 23:11:30 +0000[diff] [blame]712{
713 int ret;
714 size_t len = 0;
715
716 if( *p - start < (int) size + 1 )
717 return( POLARSSL_ERR_ASN1_BUF_TOO_SMALL );
718
719 len = size;
720 (*p) -= len;
721 memcpy( *p, sig, len );
722
723 *--(*p) = 0;
724 len += 1;
725
726 ASN1_CHK_ADD( len, asn1_write_len( p, start, len ) );
727 ASN1_CHK_ADD( len, asn1_write_tag( p, start, ASN1_BIT_STRING ) );
728
729 // Write OID
730 //
Paul Bakker5f45e622013-09-09 12:02:36 +0200[diff] [blame]731 ASN1_CHK_ADD( len, asn1_write_algorithm_identifier( p, start, oid,
Manuel Pégourié-Gonnardedda9042013-09-12 02:17:54 +0200[diff] [blame]732 oid_len, 0 ) );
Paul Bakkerbdb912d2012-02-13 23:11:30 +0000[diff] [blame]733
734 return( len );
735}
736
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]737static int x509_write_time( unsigned char **p, unsigned char *start,
738 const char *time, size_t size )
739{
740 int ret;
741 size_t len = 0;
742
Paul Bakker9c208aa2013-09-08 15:44:31 +0200[diff] [blame]743 /*
744 * write ASN1_UTC_TIME if year < 2050 (2 bytes shorter)
745 */
746 if( time[0] == '2' && time[1] == '0' && time [2] < '5' )
747 {
748 ASN1_CHK_ADD( len, asn1_write_raw_buffer( p, start,
749 (const unsigned char *) time + 2,
750 size - 2 ) );
751 ASN1_CHK_ADD( len, asn1_write_len( p, start, len ) );
752 ASN1_CHK_ADD( len, asn1_write_tag( p, start, ASN1_UTC_TIME ) );
753 }
754 else
755 {
756 ASN1_CHK_ADD( len, asn1_write_raw_buffer( p, start,
757 (const unsigned char *) time,
758 size ) );
759 ASN1_CHK_ADD( len, asn1_write_len( p, start, len ) );
760 ASN1_CHK_ADD( len, asn1_write_tag( p, start, ASN1_GENERALIZED_TIME ) );
761 }
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]762
763 return( len );
764}
765
Paul Bakker15162a02013-09-06 19:27:21 +0200[diff] [blame]766static int x509_write_extension( unsigned char **p, unsigned char *start,
767 asn1_named_data *ext )
768{
769 int ret;
770 size_t len = 0;
771
772 ASN1_CHK_ADD( len, asn1_write_raw_buffer( p, start, ext->val.p + 1,
773 ext->val.len - 1 ) );
774 ASN1_CHK_ADD( len, asn1_write_len( p, start, ext->val.len - 1 ) );
775 ASN1_CHK_ADD( len, asn1_write_tag( p, start, ASN1_OCTET_STRING ) );
776
777 if( ext->val.p[0] != 0 )
778 {
779 ASN1_CHK_ADD( len, asn1_write_bool( p, start, 1 ) );
780 }
781
782 ASN1_CHK_ADD( len, asn1_write_raw_buffer( p, start, ext->oid.p,
783 ext->oid.len ) );
784 ASN1_CHK_ADD( len, asn1_write_len( p, start, ext->oid.len ) );
785 ASN1_CHK_ADD( len, asn1_write_tag( p, start, ASN1_OID ) );
786
787 ASN1_CHK_ADD( len, asn1_write_len( p, start, len ) );
788 ASN1_CHK_ADD( len, asn1_write_tag( p, start, ASN1_CONSTRUCTED | ASN1_SEQUENCE ) );
789
790 return( len );
791}
792
793/*
794 * Extension ::= SEQUENCE {
795 * extnID OBJECT IDENTIFIER,
796 * critical BOOLEAN DEFAULT FALSE,
797 * extnValue OCTET STRING
798 * -- contains the DER encoding of an ASN.1 value
799 * -- corresponding to the extension type identified
800 * -- by extnID
801 * }
802 */
803static int x509_write_extensions( unsigned char **p, unsigned char *start,
804 asn1_named_data *first )
805{
806 int ret;
807 size_t len = 0;
808 asn1_named_data *cur_ext = first;
809
810 while( cur_ext != NULL )
811 {
812 ASN1_CHK_ADD( len, x509_write_extension( p, start, cur_ext ) );
813 cur_ext = cur_ext->next;
814 }
815
816 return( len );
817}
818
Manuel Pégourié-Gonnardee731792013-09-11 22:48:40 +0200[diff] [blame]819int x509write_csr_der( x509write_csr *ctx, unsigned char *buf, size_t size,
820 int (*f_rng)(void *, unsigned char *, size_t),
821 void *p_rng )
Paul Bakkerbdb912d2012-02-13 23:11:30 +0000[diff] [blame]822{
823 int ret;
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]824 const char *sig_oid;
Paul Bakker1c3853b2013-09-10 11:43:44 +0200[diff] [blame]825 size_t sig_oid_len = 0;
Paul Bakkerbdb912d2012-02-13 23:11:30 +0000[diff] [blame]826 unsigned char *c, *c2;
Paul Bakker3cac5e02012-02-16 14:08:06 +0000[diff] [blame]827 unsigned char hash[64];
828 unsigned char sig[POLARSSL_MPI_MAX_SIZE];
Paul Bakkerbdb912d2012-02-13 23:11:30 +0000[diff] [blame]829 unsigned char tmp_buf[2048];
Manuel Pégourié-Gonnard8053da42013-09-11 22:28:30 +0200[diff] [blame]830 size_t pub_len = 0, sig_and_oid_len = 0, sig_len;
Paul Bakkerbdb912d2012-02-13 23:11:30 +0000[diff] [blame]831 size_t len = 0;
Manuel Pégourié-Gonnard0088c692013-09-12 02:38:04 +0200[diff] [blame]832 pk_type_t pk_alg;
Paul Bakkerbdb912d2012-02-13 23:11:30 +0000[diff] [blame]833
Manuel Pégourié-Gonnard8053da42013-09-11 22:28:30 +0200[diff] [blame]834 /*
835 * Prepare data to be signed in tmp_buf
836 */
Manuel Pégourié-Gonnard27d87fa2013-09-11 17:33:28 +0200[diff] [blame]837 c = tmp_buf + sizeof( tmp_buf );
Paul Bakkerbdb912d2012-02-13 23:11:30 +0000[diff] [blame]838
Paul Bakker15162a02013-09-06 19:27:21 +0200[diff] [blame]839 ASN1_CHK_ADD( len, x509_write_extensions( &c, tmp_buf, ctx->extensions ) );
Paul Bakkerfde42702013-08-25 14:47:27 +0200[diff] [blame]840
Paul Bakkere5eae762013-08-26 12:05:14 +0200[diff] [blame]841 if( len )
Paul Bakkerfde42702013-08-25 14:47:27 +0200[diff] [blame]842 {
Paul Bakkere5eae762013-08-26 12:05:14 +0200[diff] [blame]843 ASN1_CHK_ADD( len, asn1_write_len( &c, tmp_buf, len ) );
844 ASN1_CHK_ADD( len, asn1_write_tag( &c, tmp_buf, ASN1_CONSTRUCTED | ASN1_SEQUENCE ) );
Paul Bakkerfde42702013-08-25 14:47:27 +0200[diff] [blame]845
Paul Bakkere5eae762013-08-26 12:05:14 +0200[diff] [blame]846 ASN1_CHK_ADD( len, asn1_write_len( &c, tmp_buf, len ) );
847 ASN1_CHK_ADD( len, asn1_write_tag( &c, tmp_buf, ASN1_CONSTRUCTED | ASN1_SET ) );
Paul Bakkerfde42702013-08-25 14:47:27 +0200[diff] [blame]848
Paul Bakker5f45e622013-09-09 12:02:36 +0200[diff] [blame]849 ASN1_CHK_ADD( len, asn1_write_oid( &c, tmp_buf, OID_PKCS9_CSR_EXT_REQ,
850 OID_SIZE( OID_PKCS9_CSR_EXT_REQ ) ) );
Paul Bakkerfde42702013-08-25 14:47:27 +0200[diff] [blame]851
Paul Bakkere5eae762013-08-26 12:05:14 +0200[diff] [blame]852 ASN1_CHK_ADD( len, asn1_write_len( &c, tmp_buf, len ) );
853 ASN1_CHK_ADD( len, asn1_write_tag( &c, tmp_buf, ASN1_CONSTRUCTED | ASN1_SEQUENCE ) );
Paul Bakkerfde42702013-08-25 14:47:27 +0200[diff] [blame]854 }
855
Paul Bakkere5eae762013-08-26 12:05:14 +0200[diff] [blame]856 ASN1_CHK_ADD( len, asn1_write_len( &c, tmp_buf, len ) );
Paul Bakkerbdb912d2012-02-13 23:11:30 +0000[diff] [blame]857 ASN1_CHK_ADD( len, asn1_write_tag( &c, tmp_buf, ASN1_CONSTRUCTED | ASN1_CONTEXT_SPECIFIC ) );
858
Manuel Pégourié-Gonnarde1f821a2013-09-12 00:59:40 +0200[diff] [blame]859 ASN1_CHK_ADD( pub_len, x509write_pubkey_der( ctx->key,
Manuel Pégourié-Gonnard27d87fa2013-09-11 17:33:28 +0200[diff] [blame]860 tmp_buf, c - tmp_buf ) );
Manuel Pégourié-Gonnard6dcf0bf2013-09-11 13:09:04 +0200[diff] [blame]861 c -= pub_len;
Paul Bakkerbdb912d2012-02-13 23:11:30 +0000[diff] [blame]862 len += pub_len;
Paul Bakkerbdb912d2012-02-13 23:11:30 +0000[diff] [blame]863
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]864 /*
865 * Subject ::= Name
866 */
867 ASN1_CHK_ADD( len, x509_write_names( &c, tmp_buf, ctx->subject ) );
Paul Bakkerbdb912d2012-02-13 23:11:30 +0000[diff] [blame]868
Paul Bakker8eabfc12013-08-25 10:18:25 +0200[diff] [blame]869 /*
870 * Version ::= INTEGER { v1(0), v2(1), v3(2) }
871 */
Paul Bakkerbdb912d2012-02-13 23:11:30 +0000[diff] [blame]872 ASN1_CHK_ADD( len, asn1_write_int( &c, tmp_buf, 0 ) );
873
874 ASN1_CHK_ADD( len, asn1_write_len( &c, tmp_buf, len ) );
875 ASN1_CHK_ADD( len, asn1_write_tag( &c, tmp_buf, ASN1_CONSTRUCTED | ASN1_SEQUENCE ) );
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200[diff] [blame]876
Manuel Pégourié-Gonnard8053da42013-09-11 22:28:30 +0200[diff] [blame]877 /*
878 * Prepare signature
879 */
Paul Bakker8eabfc12013-08-25 10:18:25 +0200[diff] [blame]880 md( md_info_from_type( ctx->md_alg ), c, len, hash );
Paul Bakker3cac5e02012-02-16 14:08:06 +0000[diff] [blame]881
Manuel Pégourié-Gonnard0088c692013-09-12 02:38:04 +0200[diff] [blame]882 pk_alg = pk_get_type( ctx->key );
883 if( pk_alg == POLARSSL_PK_ECKEY )
884 pk_alg = POLARSSL_PK_ECDSA;
885
Manuel Pégourié-Gonnard8053da42013-09-11 22:28:30 +0200[diff] [blame]886 if( ( ret = pk_sign( ctx->key, ctx->md_alg, hash, 0, sig, &sig_len,
Manuel Pégourié-Gonnardee731792013-09-11 22:48:40 +0200[diff] [blame]887 f_rng, p_rng ) ) != 0 ||
Manuel Pégourié-Gonnard0088c692013-09-12 02:38:04 +0200[diff] [blame]888 ( ret = oid_get_oid_by_sig_alg( pk_alg, ctx->md_alg,
Manuel Pégourié-Gonnard8053da42013-09-11 22:28:30 +0200[diff] [blame]889 &sig_oid, &sig_oid_len ) ) != 0 )
890 {
891 return( ret );
892 }
Manuel Pégourié-Gonnard5353a032013-09-11 12:14:26 +0200[diff] [blame]893
Manuel Pégourié-Gonnard8053da42013-09-11 22:28:30 +0200[diff] [blame]894 /*
895 * Write data to output buffer
896 */
Manuel Pégourié-Gonnard27d87fa2013-09-11 17:33:28 +0200[diff] [blame]897 c2 = buf + size;
Manuel Pégourié-Gonnard8053da42013-09-11 22:28:30 +0200[diff] [blame]898 ASN1_CHK_ADD( sig_and_oid_len, x509_write_sig( &c2, buf,
899 sig_oid, sig_oid_len, sig, sig_len ) );
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200[diff] [blame]900
Paul Bakkerbdb912d2012-02-13 23:11:30 +0000[diff] [blame]901 c2 -= len;
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200[diff] [blame]902 memcpy( c2, c, len );
903
Manuel Pégourié-Gonnard8053da42013-09-11 22:28:30 +0200[diff] [blame]904 len += sig_and_oid_len;
Paul Bakkerbdb912d2012-02-13 23:11:30 +0000[diff] [blame]905 ASN1_CHK_ADD( len, asn1_write_len( &c2, buf, len ) );
906 ASN1_CHK_ADD( len, asn1_write_tag( &c2, buf, ASN1_CONSTRUCTED | ASN1_SEQUENCE ) );
907
908 return( len );
909}
910
Manuel Pégourié-Gonnard31e59402013-09-12 05:59:05 +0200[diff] [blame]911int x509write_crt_der( x509write_cert *ctx, unsigned char *buf, size_t size,
912 int (*f_rng)(void *, unsigned char *, size_t),
913 void *p_rng )
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]914{
915 int ret;
916 const char *sig_oid;
Paul Bakker1c3853b2013-09-10 11:43:44 +0200[diff] [blame]917 size_t sig_oid_len = 0;
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]918 unsigned char *c, *c2;
919 unsigned char hash[64];
920 unsigned char sig[POLARSSL_MPI_MAX_SIZE];
921 unsigned char tmp_buf[2048];
Manuel Pégourié-Gonnard53c64252013-09-12 05:39:46 +0200[diff] [blame]922 size_t sub_len = 0, pub_len = 0, sig_and_oid_len = 0, sig_len;
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]923 size_t len = 0;
Manuel Pégourié-Gonnard53c64252013-09-12 05:39:46 +0200[diff] [blame]924 pk_type_t pk_alg;
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]925
Manuel Pégourié-Gonnard53c64252013-09-12 05:39:46 +0200[diff] [blame]926 /*
927 * Prepare data to be signed in tmp_buf
928 */
Manuel Pégourié-Gonnard27d87fa2013-09-11 17:33:28 +0200[diff] [blame]929 c = tmp_buf + sizeof( tmp_buf );
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]930
Manuel Pégourié-Gonnard53c64252013-09-12 05:39:46 +0200[diff] [blame]931 /* Signature algorithm needed in TBS, and later for actual signature */
932 pk_alg = pk_get_type( ctx->issuer_key );
933 if( pk_alg == POLARSSL_PK_ECKEY )
934 pk_alg = POLARSSL_PK_ECDSA;
935
936 if( ( ret = oid_get_oid_by_sig_alg( pk_alg, ctx->md_alg,
937 &sig_oid, &sig_oid_len ) ) != 0 )
938 {
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]939 return( ret );
Manuel Pégourié-Gonnard53c64252013-09-12 05:39:46 +0200[diff] [blame]940 }
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]941
Paul Bakker15162a02013-09-06 19:27:21 +0200[diff] [blame]942 /*
943 * Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
944 */
945 ASN1_CHK_ADD( len, x509_write_extensions( &c, tmp_buf, ctx->extensions ) );
946 ASN1_CHK_ADD( len, asn1_write_len( &c, tmp_buf, len ) );
947 ASN1_CHK_ADD( len, asn1_write_tag( &c, tmp_buf, ASN1_CONSTRUCTED | ASN1_SEQUENCE ) );
948 ASN1_CHK_ADD( len, asn1_write_len( &c, tmp_buf, len ) );
949 ASN1_CHK_ADD( len, asn1_write_tag( &c, tmp_buf, ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 3 ) );
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]950
951 /*
Manuel Pégourié-Gonnard6dcf0bf2013-09-11 13:09:04 +0200[diff] [blame]952 * SubjectPublicKeyInfo
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]953 */
Manuel Pégourié-Gonnard53c64252013-09-12 05:39:46 +0200[diff] [blame]954 ASN1_CHK_ADD( pub_len, x509write_pubkey_der( ctx->subject_key,
Manuel Pégourié-Gonnard27d87fa2013-09-11 17:33:28 +0200[diff] [blame]955 tmp_buf, c - tmp_buf ) );
Manuel Pégourié-Gonnard6dcf0bf2013-09-11 13:09:04 +0200[diff] [blame]956 c -= pub_len;
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]957 len += pub_len;
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]958
959 /*
960 * Subject ::= Name
961 */
962 ASN1_CHK_ADD( len, x509_write_names( &c, tmp_buf, ctx->subject ) );
963
964 /*
965 * Validity ::= SEQUENCE {
966 * notBefore Time,
967 * notAfter Time }
968 */
969 sub_len = 0;
970
971 ASN1_CHK_ADD( sub_len, x509_write_time( &c, tmp_buf, ctx->not_after,
972 X509_RFC5280_UTC_TIME_LEN ) );
973
974 ASN1_CHK_ADD( sub_len, x509_write_time( &c, tmp_buf, ctx->not_before,
975 X509_RFC5280_UTC_TIME_LEN ) );
976
977 len += sub_len;
978 ASN1_CHK_ADD( len, asn1_write_len( &c, tmp_buf, sub_len ) );
979 ASN1_CHK_ADD( len, asn1_write_tag( &c, tmp_buf, ASN1_CONSTRUCTED | ASN1_SEQUENCE ) );
980
981 /*
982 * Issuer ::= Name
983 */
984 ASN1_CHK_ADD( len, x509_write_names( &c, tmp_buf, ctx->issuer ) );
985
986 /*
987 * Signature ::= AlgorithmIdentifier
988 */
989 ASN1_CHK_ADD( len, asn1_write_algorithm_identifier( &c, tmp_buf,
Manuel Pégourié-Gonnardedda9042013-09-12 02:17:54 +0200[diff] [blame]990 sig_oid, strlen( sig_oid ), 0 ) );
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]991
992 /*
993 * Serial ::= INTEGER
994 */
995 ASN1_CHK_ADD( len, asn1_write_mpi( &c, tmp_buf, &ctx->serial ) );
996
997 /*
998 * Version ::= INTEGER { v1(0), v2(1), v3(2) }
999 */
1000 sub_len = 0;
1001 ASN1_CHK_ADD( sub_len, asn1_write_int( &c, tmp_buf, ctx->version ) );
1002 len += sub_len;
1003 ASN1_CHK_ADD( len, asn1_write_len( &c, tmp_buf, sub_len ) );
1004 ASN1_CHK_ADD( len, asn1_write_tag( &c, tmp_buf, ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 0 ) );
1005
1006 ASN1_CHK_ADD( len, asn1_write_len( &c, tmp_buf, len ) );
1007 ASN1_CHK_ADD( len, asn1_write_tag( &c, tmp_buf, ASN1_CONSTRUCTED | ASN1_SEQUENCE ) );
1008
Manuel Pégourié-Gonnard53c64252013-09-12 05:39:46 +0200[diff] [blame]1009 /*
1010 * Make signature
1011 */
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]1012 md( md_info_from_type( ctx->md_alg ), c, len, hash );
1013
Manuel Pégourié-Gonnard53c64252013-09-12 05:39:46 +0200[diff] [blame]1014 if( ( ret = pk_sign( ctx->issuer_key, ctx->md_alg, hash, 0, sig, &sig_len,
Manuel Pégourié-Gonnard31e59402013-09-12 05:59:05 +0200[diff] [blame]1015 f_rng, p_rng ) ) != 0 )
Manuel Pégourié-Gonnard53c64252013-09-12 05:39:46 +0200[diff] [blame]1016 {
1017 return( ret );
1018 }
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]1019
Manuel Pégourié-Gonnard53c64252013-09-12 05:39:46 +0200[diff] [blame]1020 /*
1021 * Write data to output buffer
1022 */
Manuel Pégourié-Gonnard27d87fa2013-09-11 17:33:28 +0200[diff] [blame]1023 c2 = buf + size;
Manuel Pégourié-Gonnard53c64252013-09-12 05:39:46 +0200[diff] [blame]1024 ASN1_CHK_ADD( sig_and_oid_len, x509_write_sig( &c2, buf,
1025 sig_oid, sig_oid_len, sig, sig_len ) );
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]1026
1027 c2 -= len;
1028 memcpy( c2, c, len );
1029
Manuel Pégourié-Gonnard53c64252013-09-12 05:39:46 +0200[diff] [blame]1030 len += sig_and_oid_len;
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]1031 ASN1_CHK_ADD( len, asn1_write_len( &c2, buf, len ) );
1032 ASN1_CHK_ADD( len, asn1_write_tag( &c2, buf, ASN1_CONSTRUCTED | ASN1_SEQUENCE ) );
1033
1034 return( len );
1035}
1036
1037#define PEM_BEGIN_CRT "-----BEGIN CERTIFICATE-----\n"
1038#define PEM_END_CRT "-----END CERTIFICATE-----\n"
1039
Paul Bakkerf3df61a2013-08-26 17:22:23 +0200[diff] [blame]1040#define PEM_BEGIN_CSR "-----BEGIN CERTIFICATE REQUEST-----\n"
1041#define PEM_END_CSR "-----END CERTIFICATE REQUEST-----\n"
1042
1043#define PEM_BEGIN_PUBLIC_KEY "-----BEGIN PUBLIC KEY-----\n"
1044#define PEM_END_PUBLIC_KEY "-----END PUBLIC KEY-----\n"
1045
Manuel Pégourié-Gonnard6de63e42013-09-12 04:59:34 +0200[diff] [blame]1046#define PEM_BEGIN_PRIVATE_KEY_RSA "-----BEGIN RSA PRIVATE KEY-----\n"
1047#define PEM_END_PRIVATE_KEY_RSA "-----END RSA PRIVATE KEY-----\n"
1048#define PEM_BEGIN_PRIVATE_KEY_EC "-----BEGIN EC PRIVATE KEY-----\n"
1049#define PEM_END_PRIVATE_KEY_EC "-----END EC PRIVATE KEY-----\n"
Paul Bakker135f1e92013-08-26 16:54:13 +0200[diff] [blame]1050
1051#if defined(POLARSSL_BASE64_C)
Paul Bakkerf3df61a2013-08-26 17:22:23 +0200[diff] [blame]1052static int x509write_pemify( const char *begin_str, const char *end_str,
1053 const unsigned char *der_data, size_t der_len,
1054 unsigned char *buf, size_t size )
Paul Bakker135f1e92013-08-26 16:54:13 +0200[diff] [blame]1055{
1056 int ret;
Paul Bakker135f1e92013-08-26 16:54:13 +0200[diff] [blame]1057 unsigned char base_buf[4096];
Paul Bakkerf3df61a2013-08-26 17:22:23 +0200[diff] [blame]1058 unsigned char *c = base_buf, *p = buf;
1059 size_t len = 0, olen = sizeof(base_buf);
Paul Bakker135f1e92013-08-26 16:54:13 +0200[diff] [blame]1060
Paul Bakkerf3df61a2013-08-26 17:22:23 +0200[diff] [blame]1061 if( ( ret = base64_encode( base_buf, &olen, der_data, der_len ) ) != 0 )
Paul Bakker135f1e92013-08-26 16:54:13 +0200[diff] [blame]1062 return( ret );
1063
Paul Bakkerf3df61a2013-08-26 17:22:23 +0200[diff] [blame]1064 if( olen + strlen( begin_str ) + strlen( end_str ) +
Paul Bakker135f1e92013-08-26 16:54:13 +0200[diff] [blame]1065 olen / 64 > size )
1066 {
1067 return( POLARSSL_ERR_BASE64_BUFFER_TOO_SMALL );
1068 }
1069
Paul Bakkerf3df61a2013-08-26 17:22:23 +0200[diff] [blame]1070 memcpy( p, begin_str, strlen( begin_str ) );
1071 p += strlen( begin_str );
Paul Bakker135f1e92013-08-26 16:54:13 +0200[diff] [blame]1072
1073 while( olen )
1074 {
1075 len = ( olen > 64 ) ? 64 : olen;
1076 memcpy( p, c, len );
1077 olen -= len;
1078 p += len;
1079 c += len;
1080 *p++ = '\n';
1081 }
1082
Paul Bakkerf3df61a2013-08-26 17:22:23 +0200[diff] [blame]1083 memcpy( p, end_str, strlen( end_str ) );
1084 p += strlen( end_str );
Paul Bakker135f1e92013-08-26 16:54:13 +0200[diff] [blame]1085
1086 *p = '\0';
1087
1088 return( 0 );
1089}
Paul Bakkerf3df61a2013-08-26 17:22:23 +0200[diff] [blame]1090
Manuel Pégourié-Gonnard31e59402013-09-12 05:59:05 +0200[diff] [blame]1091int x509write_crt_pem( x509write_cert *crt, unsigned char *buf, size_t size,
1092 int (*f_rng)(void *, unsigned char *, size_t),
1093 void *p_rng )
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]1094{
1095 int ret;
1096 unsigned char output_buf[4096];
1097
Manuel Pégourié-Gonnard31e59402013-09-12 05:59:05 +0200[diff] [blame]1098 if( ( ret = x509write_crt_der( crt, output_buf, sizeof(output_buf),
1099 f_rng, p_rng ) ) < 0 )
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]1100 {
1101 return( ret );
1102 }
1103
1104 if( ( ret = x509write_pemify( PEM_BEGIN_CRT, PEM_END_CRT,
Manuel Pégourié-Gonnard27d87fa2013-09-11 17:33:28 +0200[diff] [blame]1105 output_buf + sizeof(output_buf) - ret,
Paul Bakker9397dcb2013-09-06 09:55:26 +0200[diff] [blame]1106 ret, buf, size ) ) != 0 )
1107 {
1108 return( ret );
1109 }
1110
1111 return( 0 );
1112}
1113
Manuel Pégourié-Gonnarde1f821a2013-09-12 00:59:40 +0200[diff] [blame]1114int x509write_pubkey_pem( pk_context *key, unsigned char *buf, size_t size )
Paul Bakkerf3df61a2013-08-26 17:22:23 +0200[diff] [blame]1115{
1116 int ret;
1117 unsigned char output_buf[4096];
1118
Manuel Pégourié-Gonnarde1f821a2013-09-12 00:59:40 +0200[diff] [blame]1119 if( ( ret = x509write_pubkey_der( key, output_buf,
Paul Bakkerf3df61a2013-08-26 17:22:23 +0200[diff] [blame]1120 sizeof(output_buf) ) ) < 0 )
1121 {
1122 return( ret );
1123 }
1124
1125 if( ( ret = x509write_pemify( PEM_BEGIN_PUBLIC_KEY, PEM_END_PUBLIC_KEY,
Manuel Pégourié-Gonnard27d87fa2013-09-11 17:33:28 +0200[diff] [blame]1126 output_buf + sizeof(output_buf) - ret,
Paul Bakkerf3df61a2013-08-26 17:22:23 +0200[diff] [blame]1127 ret, buf, size ) ) != 0 )
1128 {
1129 return( ret );
1130 }
1131
1132 return( 0 );
1133}
1134
Manuel Pégourié-Gonnard6de63e42013-09-12 04:59:34 +0200[diff] [blame]1135int x509write_key_pem( pk_context *key, unsigned char *buf, size_t size )
Paul Bakkerf3df61a2013-08-26 17:22:23 +0200[diff] [blame]1136{
1137 int ret;
1138 unsigned char output_buf[4096];
Manuel Pégourié-Gonnard6de63e42013-09-12 04:59:34 +0200[diff] [blame]1139 char *begin, *end;
Paul Bakkerf3df61a2013-08-26 17:22:23 +0200[diff] [blame]1140
Manuel Pégourié-Gonnard6de63e42013-09-12 04:59:34 +0200[diff] [blame]1141 if( ( ret = x509write_key_der( key, output_buf,
Paul Bakkerf3df61a2013-08-26 17:22:23 +0200[diff] [blame]1142 sizeof(output_buf) ) ) < 0 )
1143 {
1144 return( ret );
1145 }
1146
Manuel Pégourié-Gonnard6de63e42013-09-12 04:59:34 +0200[diff] [blame]1147#if defined(POLARSSL_RSA_C)
1148 if( pk_get_type( key ) == POLARSSL_PK_RSA )
1149 {
1150 begin = PEM_BEGIN_PRIVATE_KEY_RSA;
1151 end = PEM_END_PRIVATE_KEY_RSA;
1152 }
1153 else
1154#endif
1155#if defined(POLARSSL_ECP_C)
1156 if( pk_get_type( key ) == POLARSSL_PK_ECKEY )
1157 {
1158 begin = PEM_BEGIN_PRIVATE_KEY_EC;
1159 end = PEM_END_PRIVATE_KEY_EC;
1160 }
1161 else
1162#endif
1163 return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE );
1164
1165 if( ( ret = x509write_pemify( begin, end,
Manuel Pégourié-Gonnard27d87fa2013-09-11 17:33:28 +0200[diff] [blame]1166 output_buf + sizeof(output_buf) - ret,
Paul Bakkerf3df61a2013-08-26 17:22:23 +0200[diff] [blame]1167 ret, buf, size ) ) != 0 )
1168 {
1169 return( ret );
1170 }
1171
1172 return( 0 );
1173}
1174
Manuel Pégourié-Gonnardee731792013-09-11 22:48:40 +0200[diff] [blame]1175int x509write_csr_pem( x509write_csr *ctx, unsigned char *buf, size_t size,
1176 int (*f_rng)(void *, unsigned char *, size_t),
1177 void *p_rng )
Paul Bakkerf3df61a2013-08-26 17:22:23 +0200[diff] [blame]1178{
1179 int ret;
1180 unsigned char output_buf[4096];
1181
Manuel Pégourié-Gonnardee731792013-09-11 22:48:40 +0200[diff] [blame]1182 if( ( ret = x509write_csr_der( ctx, output_buf, sizeof(output_buf),
1183 f_rng, p_rng ) ) < 0 )
Paul Bakkerf3df61a2013-08-26 17:22:23 +0200[diff] [blame]1184 {
1185 return( ret );
1186 }
1187
1188 if( ( ret = x509write_pemify( PEM_BEGIN_CSR, PEM_END_CSR,
Manuel Pégourié-Gonnard27d87fa2013-09-11 17:33:28 +0200[diff] [blame]1189 output_buf + sizeof(output_buf) - ret,
Paul Bakkerf3df61a2013-08-26 17:22:23 +0200[diff] [blame]1190 ret, buf, size ) ) != 0 )
1191 {
1192 return( ret );
1193 }
1194
1195 return( 0 );
1196}
Paul Bakker135f1e92013-08-26 16:54:13 +0200[diff] [blame]1197#endif /* POLARSSL_BASE64_C */
1198
Paul Bakkerbdb912d2012-02-13 23:11:30 +0000[diff] [blame]1199#endif