d76a26e086
Keep applying the windows entropy patch (UWP support).
Remove no longer needed padlock patch.
Update thirdparty README to reflect changes, and new source inclusion
criteria.
(cherry picked from commit e375cbd094
)
341 lines
11 KiB
C
341 lines
11 KiB
C
/*
|
|
* X.509 Certificate Signing Request writing
|
|
*
|
|
* Copyright The Mbed TLS Contributors
|
|
* SPDX-License-Identifier: Apache-2.0
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
* not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
/*
|
|
* References:
|
|
* - CSRs: PKCS#10 v1.7 aka RFC 2986
|
|
* - attributes: PKCS#9 v2.0 aka RFC 2985
|
|
*/
|
|
|
|
#include "common.h"
|
|
|
|
#if defined(MBEDTLS_X509_CSR_WRITE_C)
|
|
|
|
#include "mbedtls/x509_csr.h"
|
|
#include "mbedtls/asn1write.h"
|
|
#include "mbedtls/error.h"
|
|
#include "mbedtls/oid.h"
|
|
#include "mbedtls/platform_util.h"
|
|
|
|
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
|
#include "psa/crypto.h"
|
|
#include "mbedtls/psa_util.h"
|
|
#endif
|
|
|
|
#include <string.h>
|
|
#include <stdlib.h>
|
|
|
|
#if defined(MBEDTLS_PEM_WRITE_C)
|
|
#include "mbedtls/pem.h"
|
|
#endif
|
|
|
|
#if defined(MBEDTLS_PLATFORM_C)
|
|
#include "mbedtls/platform.h"
|
|
#else
|
|
#include <stdlib.h>
|
|
#define mbedtls_calloc calloc
|
|
#define mbedtls_free free
|
|
#endif
|
|
|
|
void mbedtls_x509write_csr_init( mbedtls_x509write_csr *ctx )
|
|
{
|
|
memset( ctx, 0, sizeof( mbedtls_x509write_csr ) );
|
|
}
|
|
|
|
void mbedtls_x509write_csr_free( mbedtls_x509write_csr *ctx )
|
|
{
|
|
mbedtls_asn1_free_named_data_list( &ctx->subject );
|
|
mbedtls_asn1_free_named_data_list( &ctx->extensions );
|
|
|
|
mbedtls_platform_zeroize( ctx, sizeof( mbedtls_x509write_csr ) );
|
|
}
|
|
|
|
void mbedtls_x509write_csr_set_md_alg( mbedtls_x509write_csr *ctx, mbedtls_md_type_t md_alg )
|
|
{
|
|
ctx->md_alg = md_alg;
|
|
}
|
|
|
|
void mbedtls_x509write_csr_set_key( mbedtls_x509write_csr *ctx, mbedtls_pk_context *key )
|
|
{
|
|
ctx->key = key;
|
|
}
|
|
|
|
int mbedtls_x509write_csr_set_subject_name( mbedtls_x509write_csr *ctx,
|
|
const char *subject_name )
|
|
{
|
|
return mbedtls_x509_string_to_names( &ctx->subject, subject_name );
|
|
}
|
|
|
|
int mbedtls_x509write_csr_set_extension( mbedtls_x509write_csr *ctx,
|
|
const char *oid, size_t oid_len,
|
|
const unsigned char *val, size_t val_len )
|
|
{
|
|
return mbedtls_x509_set_extension( &ctx->extensions, oid, oid_len,
|
|
0, val, val_len );
|
|
}
|
|
|
|
int mbedtls_x509write_csr_set_key_usage( mbedtls_x509write_csr *ctx, unsigned char key_usage )
|
|
{
|
|
unsigned char buf[4] = {0};
|
|
unsigned char *c;
|
|
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
|
|
|
c = buf + 4;
|
|
|
|
ret = mbedtls_asn1_write_named_bitstring( &c, buf, &key_usage, 8 );
|
|
if( ret < 3 || ret > 4 )
|
|
return( ret );
|
|
|
|
ret = mbedtls_x509write_csr_set_extension( ctx, MBEDTLS_OID_KEY_USAGE,
|
|
MBEDTLS_OID_SIZE( MBEDTLS_OID_KEY_USAGE ),
|
|
c, (size_t)ret );
|
|
if( ret != 0 )
|
|
return( ret );
|
|
|
|
return( 0 );
|
|
}
|
|
|
|
int mbedtls_x509write_csr_set_ns_cert_type( mbedtls_x509write_csr *ctx,
|
|
unsigned char ns_cert_type )
|
|
{
|
|
unsigned char buf[4] = {0};
|
|
unsigned char *c;
|
|
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
|
|
|
c = buf + 4;
|
|
|
|
ret = mbedtls_asn1_write_named_bitstring( &c, buf, &ns_cert_type, 8 );
|
|
if( ret < 3 || ret > 4 )
|
|
return( ret );
|
|
|
|
ret = mbedtls_x509write_csr_set_extension( ctx, MBEDTLS_OID_NS_CERT_TYPE,
|
|
MBEDTLS_OID_SIZE( MBEDTLS_OID_NS_CERT_TYPE ),
|
|
c, (size_t)ret );
|
|
if( ret != 0 )
|
|
return( ret );
|
|
|
|
return( 0 );
|
|
}
|
|
|
|
static int x509write_csr_der_internal( mbedtls_x509write_csr *ctx,
|
|
unsigned char *buf,
|
|
size_t size,
|
|
unsigned char *sig,
|
|
int (*f_rng)(void *, unsigned char *, size_t),
|
|
void *p_rng )
|
|
{
|
|
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
|
const char *sig_oid;
|
|
size_t sig_oid_len = 0;
|
|
unsigned char *c, *c2;
|
|
unsigned char hash[64];
|
|
size_t pub_len = 0, sig_and_oid_len = 0, sig_len;
|
|
size_t len = 0;
|
|
mbedtls_pk_type_t pk_alg;
|
|
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
|
psa_hash_operation_t hash_operation = PSA_HASH_OPERATION_INIT;
|
|
size_t hash_len;
|
|
psa_algorithm_t hash_alg = mbedtls_psa_translate_md( ctx->md_alg );
|
|
#endif /* MBEDTLS_USE_PSA_CRYPTO */
|
|
|
|
/* Write the CSR backwards starting from the end of buf */
|
|
c = buf + size;
|
|
|
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_extensions( &c, buf,
|
|
ctx->extensions ) );
|
|
|
|
if( len )
|
|
{
|
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) );
|
|
MBEDTLS_ASN1_CHK_ADD( len,
|
|
mbedtls_asn1_write_tag(
|
|
&c, buf,
|
|
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) );
|
|
|
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) );
|
|
MBEDTLS_ASN1_CHK_ADD( len,
|
|
mbedtls_asn1_write_tag(
|
|
&c, buf,
|
|
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SET ) );
|
|
|
|
MBEDTLS_ASN1_CHK_ADD( len,
|
|
mbedtls_asn1_write_oid(
|
|
&c, buf, MBEDTLS_OID_PKCS9_CSR_EXT_REQ,
|
|
MBEDTLS_OID_SIZE( MBEDTLS_OID_PKCS9_CSR_EXT_REQ ) ) );
|
|
|
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) );
|
|
MBEDTLS_ASN1_CHK_ADD( len,
|
|
mbedtls_asn1_write_tag(
|
|
&c, buf,
|
|
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) );
|
|
}
|
|
|
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) );
|
|
MBEDTLS_ASN1_CHK_ADD( len,
|
|
mbedtls_asn1_write_tag(
|
|
&c, buf,
|
|
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_CONTEXT_SPECIFIC ) );
|
|
|
|
MBEDTLS_ASN1_CHK_ADD( pub_len, mbedtls_pk_write_pubkey_der( ctx->key,
|
|
buf, c - buf ) );
|
|
c -= pub_len;
|
|
len += pub_len;
|
|
|
|
/*
|
|
* Subject ::= Name
|
|
*/
|
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_names( &c, buf,
|
|
ctx->subject ) );
|
|
|
|
/*
|
|
* Version ::= INTEGER { v1(0), v2(1), v3(2) }
|
|
*/
|
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_int( &c, buf, 0 ) );
|
|
|
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) );
|
|
MBEDTLS_ASN1_CHK_ADD( len,
|
|
mbedtls_asn1_write_tag(
|
|
&c, buf,
|
|
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) );
|
|
|
|
/*
|
|
* Sign the written CSR data into the sig buffer
|
|
* Note: hash errors can happen only after an internal error
|
|
*/
|
|
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
|
if( psa_hash_setup( &hash_operation, hash_alg ) != PSA_SUCCESS )
|
|
return( MBEDTLS_ERR_X509_FATAL_ERROR );
|
|
|
|
if( psa_hash_update( &hash_operation, c, len ) != PSA_SUCCESS )
|
|
return( MBEDTLS_ERR_X509_FATAL_ERROR );
|
|
|
|
if( psa_hash_finish( &hash_operation, hash, sizeof( hash ), &hash_len )
|
|
!= PSA_SUCCESS )
|
|
{
|
|
return( MBEDTLS_ERR_X509_FATAL_ERROR );
|
|
}
|
|
#else /* MBEDTLS_USE_PSA_CRYPTO */
|
|
ret = mbedtls_md( mbedtls_md_info_from_type( ctx->md_alg ), c, len, hash );
|
|
if( ret != 0 )
|
|
return( ret );
|
|
#endif
|
|
if( ( ret = mbedtls_pk_sign( ctx->key, ctx->md_alg, hash, 0, sig, &sig_len,
|
|
f_rng, p_rng ) ) != 0 )
|
|
{
|
|
return( ret );
|
|
}
|
|
|
|
if( mbedtls_pk_can_do( ctx->key, MBEDTLS_PK_RSA ) )
|
|
pk_alg = MBEDTLS_PK_RSA;
|
|
else if( mbedtls_pk_can_do( ctx->key, MBEDTLS_PK_ECDSA ) )
|
|
pk_alg = MBEDTLS_PK_ECDSA;
|
|
else
|
|
return( MBEDTLS_ERR_X509_INVALID_ALG );
|
|
|
|
if( ( ret = mbedtls_oid_get_oid_by_sig_alg( pk_alg, ctx->md_alg,
|
|
&sig_oid, &sig_oid_len ) ) != 0 )
|
|
{
|
|
return( ret );
|
|
}
|
|
|
|
/*
|
|
* Move the written CSR data to the start of buf to create space for
|
|
* writing the signature into buf.
|
|
*/
|
|
memmove( buf, c, len );
|
|
|
|
/*
|
|
* Write sig and its OID into buf backwards from the end of buf.
|
|
* Note: mbedtls_x509_write_sig will check for c2 - ( buf + len ) < sig_len
|
|
* and return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL if needed.
|
|
*/
|
|
c2 = buf + size;
|
|
MBEDTLS_ASN1_CHK_ADD( sig_and_oid_len,
|
|
mbedtls_x509_write_sig( &c2, buf + len, sig_oid, sig_oid_len,
|
|
sig, sig_len ) );
|
|
|
|
/*
|
|
* Compact the space between the CSR data and signature by moving the
|
|
* CSR data to the start of the signature.
|
|
*/
|
|
c2 -= len;
|
|
memmove( c2, buf, len );
|
|
|
|
/* ASN encode the total size and tag the CSR data with it. */
|
|
len += sig_and_oid_len;
|
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c2, buf, len ) );
|
|
MBEDTLS_ASN1_CHK_ADD( len,
|
|
mbedtls_asn1_write_tag(
|
|
&c2, buf,
|
|
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) );
|
|
|
|
/* Zero the unused bytes at the start of buf */
|
|
memset( buf, 0, c2 - buf);
|
|
|
|
return( (int) len );
|
|
}
|
|
|
|
int mbedtls_x509write_csr_der( mbedtls_x509write_csr *ctx, unsigned char *buf,
|
|
size_t size,
|
|
int (*f_rng)(void *, unsigned char *, size_t),
|
|
void *p_rng )
|
|
{
|
|
int ret;
|
|
unsigned char *sig;
|
|
|
|
if( ( sig = mbedtls_calloc( 1, MBEDTLS_PK_SIGNATURE_MAX_SIZE ) ) == NULL )
|
|
{
|
|
return( MBEDTLS_ERR_X509_ALLOC_FAILED );
|
|
}
|
|
|
|
ret = x509write_csr_der_internal( ctx, buf, size, sig, f_rng, p_rng );
|
|
|
|
mbedtls_free( sig );
|
|
|
|
return( ret );
|
|
}
|
|
|
|
#define PEM_BEGIN_CSR "-----BEGIN CERTIFICATE REQUEST-----\n"
|
|
#define PEM_END_CSR "-----END CERTIFICATE REQUEST-----\n"
|
|
|
|
#if defined(MBEDTLS_PEM_WRITE_C)
|
|
int mbedtls_x509write_csr_pem( mbedtls_x509write_csr *ctx, unsigned char *buf, size_t size,
|
|
int (*f_rng)(void *, unsigned char *, size_t),
|
|
void *p_rng )
|
|
{
|
|
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
|
size_t olen = 0;
|
|
|
|
if( ( ret = mbedtls_x509write_csr_der( ctx, buf, size,
|
|
f_rng, p_rng ) ) < 0 )
|
|
{
|
|
return( ret );
|
|
}
|
|
|
|
if( ( ret = mbedtls_pem_write_buffer( PEM_BEGIN_CSR, PEM_END_CSR,
|
|
buf + size - ret,
|
|
ret, buf, size, &olen ) ) != 0 )
|
|
{
|
|
return( ret );
|
|
}
|
|
|
|
return( 0 );
|
|
}
|
|
#endif /* MBEDTLS_PEM_WRITE_C */
|
|
|
|
#endif /* MBEDTLS_X509_CSR_WRITE_C */
|