2 * X.509 Certificate Signing Request writing
\r
4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
\r
5 * SPDX-License-Identifier: Apache-2.0
\r
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
\r
8 * not use this file except in compliance with the License.
\r
9 * You may obtain a copy of the License at
\r
11 * http://www.apache.org/licenses/LICENSE-2.0
\r
13 * Unless required by applicable law or agreed to in writing, software
\r
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
\r
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
\r
16 * See the License for the specific language governing permissions and
\r
17 * limitations under the License.
\r
19 * This file is part of mbed TLS (https://tls.mbed.org)
\r
23 * - CSRs: PKCS#10 v1.7 aka RFC 2986
\r
24 * - attributes: PKCS#9 v2.0 aka RFC 2985
\r
27 #if !defined(MBEDTLS_CONFIG_FILE)
\r
28 #include "mbedtls/config.h"
\r
30 #include MBEDTLS_CONFIG_FILE
\r
33 #if defined(MBEDTLS_X509_CSR_WRITE_C)
\r
35 #include "mbedtls/x509_csr.h"
\r
36 #include "mbedtls/oid.h"
\r
37 #include "mbedtls/asn1write.h"
\r
38 #include "mbedtls/platform_util.h"
\r
40 #if defined(MBEDTLS_USE_PSA_CRYPTO)
\r
41 #include "psa/crypto.h"
\r
42 #include "mbedtls/psa_util.h"
\r
48 #if defined(MBEDTLS_PEM_WRITE_C)
\r
49 #include "mbedtls/pem.h"
\r
52 void mbedtls_x509write_csr_init( mbedtls_x509write_csr *ctx )
\r
54 memset( ctx, 0, sizeof( mbedtls_x509write_csr ) );
\r
57 void mbedtls_x509write_csr_free( mbedtls_x509write_csr *ctx )
\r
59 mbedtls_asn1_free_named_data_list( &ctx->subject );
\r
60 mbedtls_asn1_free_named_data_list( &ctx->extensions );
\r
62 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_x509write_csr ) );
\r
65 void mbedtls_x509write_csr_set_md_alg( mbedtls_x509write_csr *ctx, mbedtls_md_type_t md_alg )
\r
67 ctx->md_alg = md_alg;
\r
70 void mbedtls_x509write_csr_set_key( mbedtls_x509write_csr *ctx, mbedtls_pk_context *key )
\r
75 int mbedtls_x509write_csr_set_subject_name( mbedtls_x509write_csr *ctx,
\r
76 const char *subject_name )
\r
78 return mbedtls_x509_string_to_names( &ctx->subject, subject_name );
\r
81 int mbedtls_x509write_csr_set_extension( mbedtls_x509write_csr *ctx,
\r
82 const char *oid, size_t oid_len,
\r
83 const unsigned char *val, size_t val_len )
\r
85 return mbedtls_x509_set_extension( &ctx->extensions, oid, oid_len,
\r
89 int mbedtls_x509write_csr_set_key_usage( mbedtls_x509write_csr *ctx, unsigned char key_usage )
\r
91 unsigned char buf[4];
\r
97 ret = mbedtls_asn1_write_named_bitstring( &c, buf, &key_usage, 8 );
\r
98 if( ret < 3 || ret > 4 )
\r
101 ret = mbedtls_x509write_csr_set_extension( ctx, MBEDTLS_OID_KEY_USAGE,
\r
102 MBEDTLS_OID_SIZE( MBEDTLS_OID_KEY_USAGE ),
\r
110 int mbedtls_x509write_csr_set_ns_cert_type( mbedtls_x509write_csr *ctx,
\r
111 unsigned char ns_cert_type )
\r
113 unsigned char buf[4];
\r
119 ret = mbedtls_asn1_write_named_bitstring( &c, buf, &ns_cert_type, 8 );
\r
120 if( ret < 3 || ret > 4 )
\r
123 ret = mbedtls_x509write_csr_set_extension( ctx, MBEDTLS_OID_NS_CERT_TYPE,
\r
124 MBEDTLS_OID_SIZE( MBEDTLS_OID_NS_CERT_TYPE ),
\r
132 int mbedtls_x509write_csr_der( mbedtls_x509write_csr *ctx, unsigned char *buf, size_t size,
\r
133 int (*f_rng)(void *, unsigned char *, size_t),
\r
137 const char *sig_oid;
\r
138 size_t sig_oid_len = 0;
\r
139 unsigned char *c, *c2;
\r
140 unsigned char hash[64];
\r
141 unsigned char sig[MBEDTLS_MPI_MAX_SIZE];
\r
142 unsigned char tmp_buf[2048];
\r
143 size_t pub_len = 0, sig_and_oid_len = 0, sig_len;
\r
145 mbedtls_pk_type_t pk_alg;
\r
146 #if defined(MBEDTLS_USE_PSA_CRYPTO)
\r
147 psa_hash_operation_t hash_operation = PSA_HASH_OPERATION_INIT;
\r
149 psa_algorithm_t hash_alg = mbedtls_psa_translate_md( ctx->md_alg );
\r
150 #endif /* MBEDTLS_USE_PSA_CRYPTO */
\r
152 * Prepare data to be signed in tmp_buf
\r
154 c = tmp_buf + sizeof( tmp_buf );
\r
156 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_extensions( &c, tmp_buf, ctx->extensions ) );
\r
160 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
\r
161 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
\r
162 MBEDTLS_ASN1_SEQUENCE ) );
\r
164 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
\r
165 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
\r
166 MBEDTLS_ASN1_SET ) );
\r
168 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_oid( &c, tmp_buf, MBEDTLS_OID_PKCS9_CSR_EXT_REQ,
\r
169 MBEDTLS_OID_SIZE( MBEDTLS_OID_PKCS9_CSR_EXT_REQ ) ) );
\r
171 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
\r
172 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
\r
173 MBEDTLS_ASN1_SEQUENCE ) );
\r
176 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
\r
177 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
\r
178 MBEDTLS_ASN1_CONTEXT_SPECIFIC ) );
\r
180 MBEDTLS_ASN1_CHK_ADD( pub_len, mbedtls_pk_write_pubkey_der( ctx->key,
\r
181 tmp_buf, c - tmp_buf ) );
\r
188 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_names( &c, tmp_buf, ctx->subject ) );
\r
191 * Version ::= INTEGER { v1(0), v2(1), v3(2) }
\r
193 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_int( &c, tmp_buf, 0 ) );
\r
195 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
\r
196 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
\r
197 MBEDTLS_ASN1_SEQUENCE ) );
\r
200 * Prepare signature
\r
201 * Note: hash errors can happen only after an internal error
\r
203 #if defined(MBEDTLS_USE_PSA_CRYPTO)
\r
204 if( psa_hash_setup( &hash_operation, hash_alg ) != PSA_SUCCESS )
\r
205 return( MBEDTLS_ERR_X509_FATAL_ERROR );
\r
207 if( psa_hash_update( &hash_operation, c, len ) != PSA_SUCCESS )
\r
208 return( MBEDTLS_ERR_X509_FATAL_ERROR );
\r
210 if( psa_hash_finish( &hash_operation, hash, sizeof( hash ), &hash_len )
\r
213 return( MBEDTLS_ERR_X509_FATAL_ERROR );
\r
215 #else /* MBEDTLS_USE_PSA_CRYPTO */
\r
216 mbedtls_md( mbedtls_md_info_from_type( ctx->md_alg ), c, len, hash );
\r
218 if( ( ret = mbedtls_pk_sign( ctx->key, ctx->md_alg, hash, 0, sig, &sig_len,
\r
219 f_rng, p_rng ) ) != 0 )
\r
224 if( mbedtls_pk_can_do( ctx->key, MBEDTLS_PK_RSA ) )
\r
225 pk_alg = MBEDTLS_PK_RSA;
\r
226 else if( mbedtls_pk_can_do( ctx->key, MBEDTLS_PK_ECDSA ) )
\r
227 pk_alg = MBEDTLS_PK_ECDSA;
\r
229 return( MBEDTLS_ERR_X509_INVALID_ALG );
\r
231 if( ( ret = mbedtls_oid_get_oid_by_sig_alg( pk_alg, ctx->md_alg,
\r
232 &sig_oid, &sig_oid_len ) ) != 0 )
\r
238 * Write data to output buffer
\r
241 MBEDTLS_ASN1_CHK_ADD( sig_and_oid_len, mbedtls_x509_write_sig( &c2, buf,
\r
242 sig_oid, sig_oid_len, sig, sig_len ) );
\r
244 if( len > (size_t)( c2 - buf ) )
\r
245 return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
\r
248 memcpy( c2, c, len );
\r
250 len += sig_and_oid_len;
\r
251 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c2, buf, len ) );
\r
252 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c2, buf, MBEDTLS_ASN1_CONSTRUCTED |
\r
253 MBEDTLS_ASN1_SEQUENCE ) );
\r
255 return( (int) len );
\r
258 #define PEM_BEGIN_CSR "-----BEGIN CERTIFICATE REQUEST-----\n"
\r
259 #define PEM_END_CSR "-----END CERTIFICATE REQUEST-----\n"
\r
261 #if defined(MBEDTLS_PEM_WRITE_C)
\r
262 int mbedtls_x509write_csr_pem( mbedtls_x509write_csr *ctx, unsigned char *buf, size_t size,
\r
263 int (*f_rng)(void *, unsigned char *, size_t),
\r
267 unsigned char output_buf[4096];
\r
270 if( ( ret = mbedtls_x509write_csr_der( ctx, output_buf, sizeof(output_buf),
\r
271 f_rng, p_rng ) ) < 0 )
\r
276 if( ( ret = mbedtls_pem_write_buffer( PEM_BEGIN_CSR, PEM_END_CSR,
\r
277 output_buf + sizeof(output_buf) - ret,
\r
278 ret, buf, size, &olen ) ) != 0 )
\r
285 #endif /* MBEDTLS_PEM_WRITE_C */
\r
287 #endif /* MBEDTLS_X509_CSR_WRITE_C */
\r