2 * X.509 Certificate Signing Request writing
4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
5 * SPDX-License-Identifier: GPL-2.0
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 2 of the License, or
10 * (at your option) any later version.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License along
18 * with this program; if not, write to the Free Software Foundation, Inc.,
19 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
21 * This file is part of mbed TLS (https://tls.mbed.org)
25 * - CSRs: PKCS#10 v1.7 aka RFC 2986
26 * - attributes: PKCS#9 v2.0 aka RFC 2985
29 #if !defined(MBEDTLS_CONFIG_FILE)
30 #include "mbedtls/config.h"
32 #include MBEDTLS_CONFIG_FILE
35 #if defined(MBEDTLS_X509_CSR_WRITE_C)
37 #include "mbedtls/x509_csr.h"
38 #include "mbedtls/oid.h"
39 #include "mbedtls/asn1write.h"
44 #if defined(MBEDTLS_PEM_WRITE_C)
45 #include "mbedtls/pem.h"
48 /* Implementation that should never be optimized out by the compiler */
49 static void mbedtls_zeroize( void *v
, size_t n
) {
50 volatile unsigned char *p
= v
; while( n
-- ) *p
++ = 0;
54 * For the currently used signature algorithms the buffer to store any signature
55 * must be at least of size MAX(MBEDTLS_ECDSA_MAX_LEN, MBEDTLS_MPI_MAX_SIZE)
57 #if MBEDTLS_ECDSA_MAX_LEN > MBEDTLS_MPI_MAX_SIZE
58 #define SIGNATURE_MAX_SIZE MBEDTLS_ECDSA_MAX_LEN
60 #define SIGNATURE_MAX_SIZE MBEDTLS_MPI_MAX_SIZE
63 void mbedtls_x509write_csr_init( mbedtls_x509write_csr
*ctx
)
65 memset( ctx
, 0, sizeof( mbedtls_x509write_csr
) );
68 void mbedtls_x509write_csr_free( mbedtls_x509write_csr
*ctx
)
70 mbedtls_asn1_free_named_data_list( &ctx
->subject
);
71 mbedtls_asn1_free_named_data_list( &ctx
->extensions
);
73 mbedtls_zeroize( ctx
, sizeof( mbedtls_x509write_csr
) );
76 void mbedtls_x509write_csr_set_md_alg( mbedtls_x509write_csr
*ctx
, mbedtls_md_type_t md_alg
)
81 void mbedtls_x509write_csr_set_key( mbedtls_x509write_csr
*ctx
, mbedtls_pk_context
*key
)
86 int mbedtls_x509write_csr_set_subject_name( mbedtls_x509write_csr
*ctx
,
87 const char *subject_name
)
89 return mbedtls_x509_string_to_names( &ctx
->subject
, subject_name
);
92 int mbedtls_x509write_csr_set_extension( mbedtls_x509write_csr
*ctx
,
93 const char *oid
, size_t oid_len
,
94 const unsigned char *val
, size_t val_len
)
96 return mbedtls_x509_set_extension( &ctx
->extensions
, oid
, oid_len
,
100 static size_t csr_get_unused_bits_for_named_bitstring( unsigned char bitstring
,
105 /* Count the unused bits removing trailing 0s */
106 for( unused_bits
= bit_offset
; unused_bits
< 8; unused_bits
++ )
107 if( ( ( bitstring
>> unused_bits
) & 0x1 ) != 0 )
110 return( unused_bits
);
113 int mbedtls_x509write_csr_set_key_usage( mbedtls_x509write_csr
*ctx
, unsigned char key_usage
)
115 unsigned char buf
[4];
122 unused_bits
= csr_get_unused_bits_for_named_bitstring( key_usage
, 0 );
123 ret
= mbedtls_asn1_write_bitstring( &c
, buf
, &key_usage
, 8 - unused_bits
);
127 else if( ret
< 3 || ret
> 4 )
128 return( MBEDTLS_ERR_X509_INVALID_FORMAT
);
130 ret
= mbedtls_x509write_csr_set_extension( ctx
, MBEDTLS_OID_KEY_USAGE
,
131 MBEDTLS_OID_SIZE( MBEDTLS_OID_KEY_USAGE
),
139 int mbedtls_x509write_csr_set_ns_cert_type( mbedtls_x509write_csr
*ctx
,
140 unsigned char ns_cert_type
)
142 unsigned char buf
[4];
149 unused_bits
= csr_get_unused_bits_for_named_bitstring( ns_cert_type
, 0 );
150 ret
= mbedtls_asn1_write_bitstring( &c
,
157 else if( ret
< 3 || ret
> 4 )
160 ret
= mbedtls_x509write_csr_set_extension( ctx
, MBEDTLS_OID_NS_CERT_TYPE
,
161 MBEDTLS_OID_SIZE( MBEDTLS_OID_NS_CERT_TYPE
),
169 int mbedtls_x509write_csr_der( mbedtls_x509write_csr
*ctx
, unsigned char *buf
, size_t size
,
170 int (*f_rng
)(void *, unsigned char *, size_t),
175 size_t sig_oid_len
= 0;
176 unsigned char *c
, *c2
;
177 unsigned char hash
[64];
178 unsigned char sig
[SIGNATURE_MAX_SIZE
];
179 unsigned char tmp_buf
[2048];
180 size_t pub_len
= 0, sig_and_oid_len
= 0, sig_len
;
182 mbedtls_pk_type_t pk_alg
;
185 * Prepare data to be signed in tmp_buf
187 c
= tmp_buf
+ sizeof( tmp_buf
);
189 MBEDTLS_ASN1_CHK_ADD( len
, mbedtls_x509_write_extensions( &c
, tmp_buf
, ctx
->extensions
) );
193 MBEDTLS_ASN1_CHK_ADD( len
, mbedtls_asn1_write_len( &c
, tmp_buf
, len
) );
194 MBEDTLS_ASN1_CHK_ADD( len
, mbedtls_asn1_write_tag( &c
, tmp_buf
, MBEDTLS_ASN1_CONSTRUCTED
|
195 MBEDTLS_ASN1_SEQUENCE
) );
197 MBEDTLS_ASN1_CHK_ADD( len
, mbedtls_asn1_write_len( &c
, tmp_buf
, len
) );
198 MBEDTLS_ASN1_CHK_ADD( len
, mbedtls_asn1_write_tag( &c
, tmp_buf
, MBEDTLS_ASN1_CONSTRUCTED
|
199 MBEDTLS_ASN1_SET
) );
201 MBEDTLS_ASN1_CHK_ADD( len
, mbedtls_asn1_write_oid( &c
, tmp_buf
, MBEDTLS_OID_PKCS9_CSR_EXT_REQ
,
202 MBEDTLS_OID_SIZE( MBEDTLS_OID_PKCS9_CSR_EXT_REQ
) ) );
204 MBEDTLS_ASN1_CHK_ADD( len
, mbedtls_asn1_write_len( &c
, tmp_buf
, len
) );
205 MBEDTLS_ASN1_CHK_ADD( len
, mbedtls_asn1_write_tag( &c
, tmp_buf
, MBEDTLS_ASN1_CONSTRUCTED
|
206 MBEDTLS_ASN1_SEQUENCE
) );
209 MBEDTLS_ASN1_CHK_ADD( len
, mbedtls_asn1_write_len( &c
, tmp_buf
, len
) );
210 MBEDTLS_ASN1_CHK_ADD( len
, mbedtls_asn1_write_tag( &c
, tmp_buf
, MBEDTLS_ASN1_CONSTRUCTED
|
211 MBEDTLS_ASN1_CONTEXT_SPECIFIC
) );
213 MBEDTLS_ASN1_CHK_ADD( pub_len
, mbedtls_pk_write_pubkey_der( ctx
->key
,
214 tmp_buf
, c
- tmp_buf
) );
221 MBEDTLS_ASN1_CHK_ADD( len
, mbedtls_x509_write_names( &c
, tmp_buf
, ctx
->subject
) );
224 * Version ::= INTEGER { v1(0), v2(1), v3(2) }
226 MBEDTLS_ASN1_CHK_ADD( len
, mbedtls_asn1_write_int( &c
, tmp_buf
, 0 ) );
228 MBEDTLS_ASN1_CHK_ADD( len
, mbedtls_asn1_write_len( &c
, tmp_buf
, len
) );
229 MBEDTLS_ASN1_CHK_ADD( len
, mbedtls_asn1_write_tag( &c
, tmp_buf
, MBEDTLS_ASN1_CONSTRUCTED
|
230 MBEDTLS_ASN1_SEQUENCE
) );
235 mbedtls_md( mbedtls_md_info_from_type( ctx
->md_alg
), c
, len
, hash
);
237 if( ( ret
= mbedtls_pk_sign( ctx
->key
, ctx
->md_alg
, hash
, 0, sig
, &sig_len
,
238 f_rng
, p_rng
) ) != 0 )
243 if( mbedtls_pk_can_do( ctx
->key
, MBEDTLS_PK_RSA
) )
244 pk_alg
= MBEDTLS_PK_RSA
;
245 else if( mbedtls_pk_can_do( ctx
->key
, MBEDTLS_PK_ECDSA
) )
246 pk_alg
= MBEDTLS_PK_ECDSA
;
248 return( MBEDTLS_ERR_X509_INVALID_ALG
);
250 if( ( ret
= mbedtls_oid_get_oid_by_sig_alg( pk_alg
, ctx
->md_alg
,
251 &sig_oid
, &sig_oid_len
) ) != 0 )
257 * Write data to output buffer
260 MBEDTLS_ASN1_CHK_ADD( sig_and_oid_len
, mbedtls_x509_write_sig( &c2
, buf
,
261 sig_oid
, sig_oid_len
, sig
, sig_len
) );
263 if( len
> (size_t)( c2
- buf
) )
264 return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL
);
267 memcpy( c2
, c
, len
);
269 len
+= sig_and_oid_len
;
270 MBEDTLS_ASN1_CHK_ADD( len
, mbedtls_asn1_write_len( &c2
, buf
, len
) );
271 MBEDTLS_ASN1_CHK_ADD( len
, mbedtls_asn1_write_tag( &c2
, buf
, MBEDTLS_ASN1_CONSTRUCTED
|
272 MBEDTLS_ASN1_SEQUENCE
) );
277 #define PEM_BEGIN_CSR "-----BEGIN CERTIFICATE REQUEST-----\n"
278 #define PEM_END_CSR "-----END CERTIFICATE REQUEST-----\n"
280 #if defined(MBEDTLS_PEM_WRITE_C)
281 int mbedtls_x509write_csr_pem( mbedtls_x509write_csr
*ctx
, unsigned char *buf
, size_t size
,
282 int (*f_rng
)(void *, unsigned char *, size_t),
286 unsigned char output_buf
[4096];
289 if( ( ret
= mbedtls_x509write_csr_der( ctx
, output_buf
, sizeof(output_buf
),
290 f_rng
, p_rng
) ) < 0 )
295 if( ( ret
= mbedtls_pem_write_buffer( PEM_BEGIN_CSR
, PEM_END_CSR
,
296 output_buf
+ sizeof(output_buf
) - ret
,
297 ret
, buf
, size
, &olen
) ) != 0 )
304 #endif /* MBEDTLS_PEM_WRITE_C */
306 #endif /* MBEDTLS_X509_CSR_WRITE_C */