source: azure_iot_hub_mbedtls/trunk/mbedtls-2.16.1/library/x509write_crt.c@ 398

Last change on this file since 398 was 398, checked in by coas-nagasima, 5 years ago

mbedTLS版Azure IoT Hub接続サンプルのソースコードを追加
  • Property svn:eol-style set to native
  • Property svn:mime-type set to text/x-csrc;charset=UTF-8
File size: 17.3 KB
Line 
1/*
2 * X.509 certificate writing
3 *
4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 *
19 * This file is part of mbed TLS (https://tls.mbed.org)
20 */
21/*
22 * References:
23 * - certificates: RFC 5280, updated by RFC 6818
24 * - CSRs: PKCS#10 v1.7 aka RFC 2986
25 * - attributes: PKCS#9 v2.0 aka RFC 2985
26 */
27
28#if !defined(MBEDTLS_CONFIG_FILE)
29#include "mbedtls/config.h"
30#else
31#include MBEDTLS_CONFIG_FILE
32#endif
33
34#if defined(MBEDTLS_X509_CRT_WRITE_C)
35
36#include "mbedtls/x509_crt.h"
37#include "mbedtls/oid.h"
38#include "mbedtls/asn1write.h"
39#include "mbedtls/sha1.h"
40#include "mbedtls/platform_util.h"
41
42#include <string.h>
43
44#if defined(MBEDTLS_PEM_WRITE_C)
45#include "mbedtls/pem.h"
46#endif /* MBEDTLS_PEM_WRITE_C */
47
48void mbedtls_x509write_crt_init( mbedtls_x509write_cert *ctx )
49{
50 memset( ctx, 0, sizeof( mbedtls_x509write_cert ) );
51
52 mbedtls_mpi_init( &ctx->serial );
53 ctx->version = MBEDTLS_X509_CRT_VERSION_3;
54}
55
56void mbedtls_x509write_crt_free( mbedtls_x509write_cert *ctx )
57{
58 mbedtls_mpi_free( &ctx->serial );
59
60 mbedtls_asn1_free_named_data_list( &ctx->subject );
61 mbedtls_asn1_free_named_data_list( &ctx->issuer );
62 mbedtls_asn1_free_named_data_list( &ctx->extensions );
63
64 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_x509write_cert ) );
65}
66
67void mbedtls_x509write_crt_set_version( mbedtls_x509write_cert *ctx, int version )
68{
69 ctx->version = version;
70}
71
72void mbedtls_x509write_crt_set_md_alg( mbedtls_x509write_cert *ctx, mbedtls_md_type_t md_alg )
73{
74 ctx->md_alg = md_alg;
75}
76
77void mbedtls_x509write_crt_set_subject_key( mbedtls_x509write_cert *ctx, mbedtls_pk_context *key )
78{
79 ctx->subject_key = key;
80}
81
82void mbedtls_x509write_crt_set_issuer_key( mbedtls_x509write_cert *ctx, mbedtls_pk_context *key )
83{
84 ctx->issuer_key = key;
85}
86
87int mbedtls_x509write_crt_set_subject_name( mbedtls_x509write_cert *ctx,
88 const char *subject_name )
89{
90 return mbedtls_x509_string_to_names( &ctx->subject, subject_name );
91}
92
93int mbedtls_x509write_crt_set_issuer_name( mbedtls_x509write_cert *ctx,
94 const char *issuer_name )
95{
96 return mbedtls_x509_string_to_names( &ctx->issuer, issuer_name );
97}
98
99int mbedtls_x509write_crt_set_serial( mbedtls_x509write_cert *ctx, const mbedtls_mpi *serial )
100{
101 int ret;
102
103 if( ( ret = mbedtls_mpi_copy( &ctx->serial, serial ) ) != 0 )
104 return( ret );
105
106 return( 0 );
107}
108
109int mbedtls_x509write_crt_set_validity( mbedtls_x509write_cert *ctx, const char *not_before,
110 const char *not_after )
111{
112 if( strlen( not_before ) != MBEDTLS_X509_RFC5280_UTC_TIME_LEN - 1 ||
113 strlen( not_after ) != MBEDTLS_X509_RFC5280_UTC_TIME_LEN - 1 )
114 {
115 return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
116 }
117 strncpy( ctx->not_before, not_before, MBEDTLS_X509_RFC5280_UTC_TIME_LEN );
118 strncpy( ctx->not_after , not_after , MBEDTLS_X509_RFC5280_UTC_TIME_LEN );
119 ctx->not_before[MBEDTLS_X509_RFC5280_UTC_TIME_LEN - 1] = 'Z';
120 ctx->not_after[MBEDTLS_X509_RFC5280_UTC_TIME_LEN - 1] = 'Z';
121
122 return( 0 );
123}
124
125int mbedtls_x509write_crt_set_extension( mbedtls_x509write_cert *ctx,
126 const char *oid, size_t oid_len,
127 int critical,
128 const unsigned char *val, size_t val_len )
129{
130 return mbedtls_x509_set_extension( &ctx->extensions, oid, oid_len,
131 critical, val, val_len );
132}
133
134int mbedtls_x509write_crt_set_basic_constraints( mbedtls_x509write_cert *ctx,
135 int is_ca, int max_pathlen )
136{
137 int ret;
138 unsigned char buf[9];
139 unsigned char *c = buf + sizeof(buf);
140 size_t len = 0;
141
142 memset( buf, 0, sizeof(buf) );
143
144 if( is_ca && max_pathlen > 127 )
145 return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
146
147 if( is_ca )
148 {
149 if( max_pathlen >= 0 )
150 {
151 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_int( &c, buf, max_pathlen ) );
152 }
153 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_bool( &c, buf, 1 ) );
154 }
155
156 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) );
157 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, buf, MBEDTLS_ASN1_CONSTRUCTED |
158 MBEDTLS_ASN1_SEQUENCE ) );
159
160 return mbedtls_x509write_crt_set_extension( ctx, MBEDTLS_OID_BASIC_CONSTRAINTS,
161 MBEDTLS_OID_SIZE( MBEDTLS_OID_BASIC_CONSTRAINTS ),
162 0, buf + sizeof(buf) - len, len );
163}
164
165#if defined(MBEDTLS_SHA1_C)
166int mbedtls_x509write_crt_set_subject_key_identifier( mbedtls_x509write_cert *ctx )
167{
168 int ret;
169 unsigned char buf[MBEDTLS_MPI_MAX_SIZE * 2 + 20]; /* tag, length + 2xMPI */
170 unsigned char *c = buf + sizeof(buf);
171 size_t len = 0;
172
173 memset( buf, 0, sizeof(buf) );
174 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_pk_write_pubkey( &c, buf, ctx->subject_key ) );
175
176 ret = mbedtls_sha1_ret( buf + sizeof( buf ) - len, len,
177 buf + sizeof( buf ) - 20 );
178 if( ret != 0 )
179 return( ret );
180 c = buf + sizeof( buf ) - 20;
181 len = 20;
182
183 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) );
184 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, buf, MBEDTLS_ASN1_OCTET_STRING ) );
185
186 return mbedtls_x509write_crt_set_extension( ctx, MBEDTLS_OID_SUBJECT_KEY_IDENTIFIER,
187 MBEDTLS_OID_SIZE( MBEDTLS_OID_SUBJECT_KEY_IDENTIFIER ),
188 0, buf + sizeof(buf) - len, len );
189}
190
191int mbedtls_x509write_crt_set_authority_key_identifier( mbedtls_x509write_cert *ctx )
192{
193 int ret;
194 unsigned char buf[MBEDTLS_MPI_MAX_SIZE * 2 + 20]; /* tag, length + 2xMPI */
195 unsigned char *c = buf + sizeof( buf );
196 size_t len = 0;
197
198 memset( buf, 0, sizeof(buf) );
199 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_pk_write_pubkey( &c, buf, ctx->issuer_key ) );
200
201 ret = mbedtls_sha1_ret( buf + sizeof( buf ) - len, len,
202 buf + sizeof( buf ) - 20 );
203 if( ret != 0 )
204 return( ret );
205 c = buf + sizeof( buf ) - 20;
206 len = 20;
207
208 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) );
209 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, buf, MBEDTLS_ASN1_CONTEXT_SPECIFIC | 0 ) );
210
211 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) );
212 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, buf, MBEDTLS_ASN1_CONSTRUCTED |
213 MBEDTLS_ASN1_SEQUENCE ) );
214
215 return mbedtls_x509write_crt_set_extension( ctx, MBEDTLS_OID_AUTHORITY_KEY_IDENTIFIER,
216 MBEDTLS_OID_SIZE( MBEDTLS_OID_AUTHORITY_KEY_IDENTIFIER ),
217 0, buf + sizeof( buf ) - len, len );
218}
219#endif /* MBEDTLS_SHA1_C */
220
221static size_t crt_get_unused_bits_for_named_bitstring( unsigned char bitstring,
222 size_t bit_offset )
223{
224 size_t unused_bits;
225
226 /* Count the unused bits removing trailing 0s */
227 for( unused_bits = bit_offset; unused_bits < 8; unused_bits++ )
228 if( ( ( bitstring >> unused_bits ) & 0x1 ) != 0 )
229 break;
230
231 return( unused_bits );
232}
233
234int mbedtls_x509write_crt_set_key_usage( mbedtls_x509write_cert *ctx,
235 unsigned int key_usage )
236{
237 unsigned char buf[4], ku;
238 unsigned char *c;
239 int ret;
240 size_t unused_bits;
241 const unsigned int allowed_bits = MBEDTLS_X509_KU_DIGITAL_SIGNATURE |
242 MBEDTLS_X509_KU_NON_REPUDIATION |
243 MBEDTLS_X509_KU_KEY_ENCIPHERMENT |
244 MBEDTLS_X509_KU_DATA_ENCIPHERMENT |
245 MBEDTLS_X509_KU_KEY_AGREEMENT |
246 MBEDTLS_X509_KU_KEY_CERT_SIGN |
247 MBEDTLS_X509_KU_CRL_SIGN;
248
249 /* Check that nothing other than the allowed flags is set */
250 if( ( key_usage & ~allowed_bits ) != 0 )
251 return( MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE );
252
253 c = buf + 4;
254 ku = (unsigned char)key_usage;
255 unused_bits = crt_get_unused_bits_for_named_bitstring( ku, 1 );
256 ret = mbedtls_asn1_write_bitstring( &c, buf, &ku, 8 - unused_bits );
257
258 if( ret < 0 )
259 return( ret );
260 else if( ret < 3 || ret > 4 )
261 return( MBEDTLS_ERR_X509_INVALID_FORMAT );
262
263 ret = mbedtls_x509write_crt_set_extension( ctx, MBEDTLS_OID_KEY_USAGE,
264 MBEDTLS_OID_SIZE( MBEDTLS_OID_KEY_USAGE ),
265 1, c, (size_t)ret );
266 if( ret != 0 )
267 return( ret );
268
269 return( 0 );
270}
271
272int mbedtls_x509write_crt_set_ns_cert_type( mbedtls_x509write_cert *ctx,
273 unsigned char ns_cert_type )
274{
275 unsigned char buf[4];
276 unsigned char *c;
277 size_t unused_bits;
278 int ret;
279
280 c = buf + 4;
281
282 unused_bits = crt_get_unused_bits_for_named_bitstring( ns_cert_type, 0 );
283 ret = mbedtls_asn1_write_bitstring( &c,
284 buf,
285 &ns_cert_type,
286 8 - unused_bits );
287 if( ret < 3 || ret > 4 )
288 return( ret );
289
290 ret = mbedtls_x509write_crt_set_extension( ctx, MBEDTLS_OID_NS_CERT_TYPE,
291 MBEDTLS_OID_SIZE( MBEDTLS_OID_NS_CERT_TYPE ),
292 0, c, (size_t)ret );
293 if( ret != 0 )
294 return( ret );
295
296 return( 0 );
297}
298
299static int x509_write_time( unsigned char **p, unsigned char *start,
300 const char *t, size_t size )
301{
302 int ret;
303 size_t len = 0;
304
305 /*
306 * write MBEDTLS_ASN1_UTC_TIME if year < 2050 (2 bytes shorter)
307 */
308 if( t[0] == '2' && t[1] == '0' && t[2] < '5' )
309 {
310 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_raw_buffer( p, start,
311 (const unsigned char *) t + 2,
312 size - 2 ) );
313 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) );
314 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, MBEDTLS_ASN1_UTC_TIME ) );
315 }
316 else
317 {
318 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_raw_buffer( p, start,
319 (const unsigned char *) t,
320 size ) );
321 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) );
322 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, MBEDTLS_ASN1_GENERALIZED_TIME ) );
323 }
324
325 return( (int) len );
326}
327
328int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size,
329 int (*f_rng)(void *, unsigned char *, size_t),
330 void *p_rng )
331{
332 int ret;
333 const char *sig_oid;
334 size_t sig_oid_len = 0;
335 unsigned char *c, *c2;
336 unsigned char hash[64];
337 unsigned char sig[MBEDTLS_MPI_MAX_SIZE];
338 unsigned char tmp_buf[2048];
339 size_t sub_len = 0, pub_len = 0, sig_and_oid_len = 0, sig_len;
340 size_t len = 0;
341 mbedtls_pk_type_t pk_alg;
342
343 /*
344 * Prepare data to be signed in tmp_buf
345 */
346 c = tmp_buf + sizeof( tmp_buf );
347
348 /* Signature algorithm needed in TBS, and later for actual signature */
349
350 /* There's no direct way of extracting a signature algorithm
351 * (represented as an element of mbedtls_pk_type_t) from a PK instance. */
352 if( mbedtls_pk_can_do( ctx->issuer_key, MBEDTLS_PK_RSA ) )
353 pk_alg = MBEDTLS_PK_RSA;
354 else if( mbedtls_pk_can_do( ctx->issuer_key, MBEDTLS_PK_ECDSA ) )
355 pk_alg = MBEDTLS_PK_ECDSA;
356 else
357 return( MBEDTLS_ERR_X509_INVALID_ALG );
358
359 if( ( ret = mbedtls_oid_get_oid_by_sig_alg( pk_alg, ctx->md_alg,
360 &sig_oid, &sig_oid_len ) ) != 0 )
361 {
362 return( ret );
363 }
364
365 /*
366 * Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
367 */
368
369 /* Only for v3 */
370 if( ctx->version == MBEDTLS_X509_CRT_VERSION_3 )
371 {
372 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_extensions( &c, tmp_buf, ctx->extensions ) );
373 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
374 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
375 MBEDTLS_ASN1_SEQUENCE ) );
376 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
377 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONTEXT_SPECIFIC |
378 MBEDTLS_ASN1_CONSTRUCTED | 3 ) );
379 }
380
381 /*
382 * SubjectPublicKeyInfo
383 */
384 MBEDTLS_ASN1_CHK_ADD( pub_len, mbedtls_pk_write_pubkey_der( ctx->subject_key,
385 tmp_buf, c - tmp_buf ) );
386 c -= pub_len;
387 len += pub_len;
388
389 /*
390 * Subject ::= Name
391 */
392 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_names( &c, tmp_buf, ctx->subject ) );
393
394 /*
395 * Validity ::= SEQUENCE {
396 * notBefore Time,
397 * notAfter Time }
398 */
399 sub_len = 0;
400
401 MBEDTLS_ASN1_CHK_ADD( sub_len, x509_write_time( &c, tmp_buf, ctx->not_after,
402 MBEDTLS_X509_RFC5280_UTC_TIME_LEN ) );
403
404 MBEDTLS_ASN1_CHK_ADD( sub_len, x509_write_time( &c, tmp_buf, ctx->not_before,
405 MBEDTLS_X509_RFC5280_UTC_TIME_LEN ) );
406
407 len += sub_len;
408 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, sub_len ) );
409 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
410 MBEDTLS_ASN1_SEQUENCE ) );
411
412 /*
413 * Issuer ::= Name
414 */
415 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_names( &c, tmp_buf, ctx->issuer ) );
416
417 /*
418 * Signature ::= AlgorithmIdentifier
419 */
420 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_algorithm_identifier( &c, tmp_buf,
421 sig_oid, strlen( sig_oid ), 0 ) );
422
423 /*
424 * Serial ::= INTEGER
425 */
426 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_mpi( &c, tmp_buf, &ctx->serial ) );
427
428 /*
429 * Version ::= INTEGER { v1(0), v2(1), v3(2) }
430 */
431
432 /* Can be omitted for v1 */
433 if( ctx->version != MBEDTLS_X509_CRT_VERSION_1 )
434 {
435 sub_len = 0;
436 MBEDTLS_ASN1_CHK_ADD( sub_len, mbedtls_asn1_write_int( &c, tmp_buf, ctx->version ) );
437 len += sub_len;
438 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, sub_len ) );
439 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONTEXT_SPECIFIC |
440 MBEDTLS_ASN1_CONSTRUCTED | 0 ) );
441 }
442
443 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
444 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
445 MBEDTLS_ASN1_SEQUENCE ) );
446
447 /*
448 * Make signature
449 */
450 if( ( ret = mbedtls_md( mbedtls_md_info_from_type( ctx->md_alg ), c,
451 len, hash ) ) != 0 )
452 {
453 return( ret );
454 }
455
456 if( ( ret = mbedtls_pk_sign( ctx->issuer_key, ctx->md_alg, hash, 0, sig, &sig_len,
457 f_rng, p_rng ) ) != 0 )
458 {
459 return( ret );
460 }
461
462 /*
463 * Write data to output buffer
464 */
465 c2 = buf + size;
466 MBEDTLS_ASN1_CHK_ADD( sig_and_oid_len, mbedtls_x509_write_sig( &c2, buf,
467 sig_oid, sig_oid_len, sig, sig_len ) );
468
469 if( len > (size_t)( c2 - buf ) )
470 return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
471
472 c2 -= len;
473 memcpy( c2, c, len );
474
475 len += sig_and_oid_len;
476 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c2, buf, len ) );
477 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c2, buf, MBEDTLS_ASN1_CONSTRUCTED |
478 MBEDTLS_ASN1_SEQUENCE ) );
479
480 return( (int) len );
481}
482
483#define PEM_BEGIN_CRT "-----BEGIN CERTIFICATE-----\n"
484#define PEM_END_CRT "-----END CERTIFICATE-----\n"
485
486#if defined(MBEDTLS_PEM_WRITE_C)
487int mbedtls_x509write_crt_pem( mbedtls_x509write_cert *crt, unsigned char *buf, size_t size,
488 int (*f_rng)(void *, unsigned char *, size_t),
489 void *p_rng )
490{
491 int ret;
492 unsigned char output_buf[4096];
493 size_t olen = 0;
494
495 if( ( ret = mbedtls_x509write_crt_der( crt, output_buf, sizeof(output_buf),
496 f_rng, p_rng ) ) < 0 )
497 {
498 return( ret );
499 }
500
501 if( ( ret = mbedtls_pem_write_buffer( PEM_BEGIN_CRT, PEM_END_CRT,
502 output_buf + sizeof(output_buf) - ret,
503 ret, buf, size, &olen ) ) != 0 )
504 {
505 return( ret );
506 }
507
508 return( 0 );
509}
510#endif /* MBEDTLS_PEM_WRITE_C */
511
512#endif /* MBEDTLS_X509_CRT_WRITE_C */
Note: See TracBrowser for help on using the repository browser.