Commit 9397dcb0 authored by Paul Bakker's avatar Paul Bakker
Browse files

Base X509 certificate writing functinality

parent f451bac0
......@@ -84,6 +84,31 @@ typedef struct _x509_csr
}
x509_csr;
#define X509_CRT_VERSION_1 0
#define X509_CRT_VERSION_2 1
#define X509_CRT_VERSION_3 2
#define X509_RFC5280_MAX_SERIAL_LEN 32
#define X509_RFC5280_UTC_TIME_LEN 15
/**
* Container for writing a certificate (CRT)
*/
typedef struct _x509write_cert
{
int version;
mpi serial;
rsa_context *subject_key;
rsa_context *issuer_key;
x509_req_name *subject;
x509_req_name *issuer;
md_type_t md_alg;
char not_before[X509_RFC5280_UTC_TIME_LEN + 1];
char not_after[X509_RFC5280_UTC_TIME_LEN + 1];
asn1_named_data *extensions;
}
x509write_cert;
/* \} addtogroup x509_module */
/**
......@@ -169,6 +194,125 @@ int x509write_csr_set_extension( x509_csr *ctx,
*/
void x509write_csr_free( x509_csr *ctx );
/**
* \brief Initialize a CRT writing context
*
* \param ctx CRT context to initialize
*/
void x509write_crt_init( x509write_cert *ctx );
/**
* \brief Set the verion for a Certificate
* Default: X509_CRT_VERSION_3
*
* \param ctx CRT context to use
* \param version version to set (X509_CRT_VERSION_1, X509_CRT_VERSION_2 or
* X509_CRT_VERSION_3)
*/
void x509write_crt_set_version( x509write_cert *ctx, int version );
/**
* \brief Set the serial number for a Certificate.
*
* \param ctx CRT context to use
* \param serial serial number to set
*
* \return 0 if successful
*/
int x509write_crt_set_serial( x509write_cert *ctx, const mpi *serial );
/**
* \brief Set the validity period for a Certificate
* Timestamps should be in string format for UTC timezone
* i.e. "YYYYMMDDhhmmss"
* e.g. "20131231235959" for December 31st 2013
* at 23:59:59
*
* \param ctx CRT context to use
* \param not_before not_before timestamp
* \param not_after not_after timestamp
*
* \return 0 if timestamp was parsed successfully, or
* a specific error code
*/
int x509write_crt_set_validity( x509write_cert *ctx, char *not_before,
char *not_after );
/**
* \brief Set the issuer name for a Certificate
* Issuer names should contain a comma-separated list
* of OID types and values:
* e.g. "C=NL,O=Offspark,CN=PolarSSL CA"
*
* \param ctx CRT context to use
* \param issuer_name issuer name to set
*
* \return 0 if issuer name was parsed successfully, or
* a specific error code
*/
int x509write_crt_set_issuer_name( x509write_cert *ctx, char *issuer_name );
/**
* \brief Set the subject name for a Certificate
* Subject names should contain a comma-separated list
* of OID types and values:
* e.g. "C=NL,O=Offspark,CN=PolarSSL Server 1"
*
* \param ctx CRT context to use
* \param subject_name subject name to set
*
* \return 0 if subject name was parsed successfully, or
* a specific error code
*/
int x509write_crt_set_subject_name( x509write_cert *ctx, char *subject_name );
/**
* \brief Set the subject public key for the certificate
*
* \param ctx CRT context to use
* \param rsa RSA public key to include
*/
void x509write_crt_set_subject_key( x509write_cert *ctx, rsa_context *rsa );
/**
* \brief Set the issuer key used for signing the certificate
*
* \param ctx CRT context to use
* \param rsa RSA key to sign with
*/
void x509write_crt_set_issuer_key( x509write_cert *ctx, rsa_context *rsa );
/**
* \brief Set the MD algorithm to use for the signature
* (e.g. POLARSSL_MD_SHA1)
*
* \param ctx CRT context to use
* \param md_ald MD algorithm to use
*/
void x509write_crt_set_md_alg( x509write_cert *ctx, md_type_t md_alg );
/**
* \brief Free the contents of a CRT write context
*
* \param ctx CRT context to free
*/
void x509write_crt_free( x509write_cert *ctx );
/**
* \brief Write a built up certificate to a X509 DER structure
* Note: data is written at the end of the buffer! Use the
* return value to determine where you should start
* using the buffer
*
* \param crt certificate to write away
* \param buf buffer to write to
* \param size size of the buffer
*
* \return length of data written if successful, or a specific
* error code
*/
int x509write_crt_der( x509write_cert *ctx, unsigned char *buf, size_t size );
/**
* \brief Write a RSA public key to a PKCS#1 DER structure
* Note: data is written at the end of the buffer! Use the
......@@ -216,6 +360,17 @@ int x509write_key_der( rsa_context *rsa, unsigned char *buf, size_t size );
int x509write_csr_der( x509_csr *ctx, unsigned char *buf, size_t size );
#if defined(POLARSSL_BASE64_C)
/**
* \brief Write a built up certificate to a X509 PEM string
*
* \param crt certificate to write away
* \param buf buffer to write to
* \param size size of the buffer
*
* \return 0 successful, or a specific error code
*/
int x509write_crt_pem( x509write_cert *ctx, unsigned char *buf, size_t size );
/**
* \brief Write a RSA public key to a PKCS#1 PEM string
*
......
......@@ -45,55 +45,19 @@
#define polarssl_free free
#endif
void x509write_csr_init( x509_csr *ctx )
{
memset( ctx, 0, sizeof(x509_csr) );
}
void x509write_csr_free( x509_csr *ctx )
{
x509_req_name *cur;
asn1_named_data *cur_ext;
while( ( cur = ctx->subject ) != NULL )
{
ctx->subject = cur->next;
polarssl_free( cur );
}
while( ( cur_ext = ctx->extensions ) != NULL )
{
ctx->extensions = cur_ext->next;
asn1_free_named_data( cur_ext );
polarssl_free( cur_ext );
}
memset( ctx, 0, sizeof(x509_csr) );
}
void x509write_csr_set_md_alg( x509_csr *ctx, md_type_t md_alg )
{
ctx->md_alg = md_alg;
}
void x509write_csr_set_rsa_key( x509_csr *ctx, rsa_context *rsa )
{
ctx->rsa = rsa;
}
int x509write_csr_set_subject_name( x509_csr *ctx, char *subject_name )
static int x509write_string_to_names( x509_req_name **head, char *name )
{
int ret = 0;
char *s = subject_name, *c = s;
char *s = name, *c = s;
char *end = s + strlen( s );
char *oid = NULL;
int in_tag = 1;
x509_req_name *cur;
while( ctx->subject )
while( *head != NULL )
{
cur = ctx->subject;
ctx->subject = ctx->subject->next;
cur = *head;
*head = cur->next;
polarssl_free( cur );
}
......@@ -143,8 +107,8 @@ int x509write_csr_set_subject_name( x509_csr *ctx, char *subject_name )
memset( cur, 0, sizeof(x509_req_name) );
cur->next = ctx->subject;
ctx->subject = cur;
cur->next = *head;
*head = cur;
strncpy( cur->oid, oid, strlen( oid ) );
strncpy( cur->name, s, c - s );
......@@ -160,6 +124,47 @@ exit:
return( ret );
}
void x509write_csr_init( x509_csr *ctx )
{
memset( ctx, 0, sizeof(x509_csr) );
}
void x509write_csr_free( x509_csr *ctx )
{
x509_req_name *cur;
asn1_named_data *cur_ext;
while( ( cur = ctx->subject ) != NULL )
{
ctx->subject = cur->next;
polarssl_free( cur );
}
while( ( cur_ext = ctx->extensions ) != NULL )
{
ctx->extensions = cur_ext->next;
asn1_free_named_data( cur_ext );
polarssl_free( cur_ext );
}
memset( ctx, 0, sizeof(x509_csr) );
}
void x509write_csr_set_md_alg( x509_csr *ctx, md_type_t md_alg )
{
ctx->md_alg = md_alg;
}
void x509write_csr_set_rsa_key( x509_csr *ctx, rsa_context *rsa )
{
ctx->rsa = rsa;
}
int x509write_csr_set_subject_name( x509_csr *ctx, char *subject_name )
{
return x509write_string_to_names( &ctx->subject, subject_name );
}
int x509write_csr_set_extension( x509_csr *ctx,
const char *oid, size_t oid_len,
const unsigned char *val, size_t val_len )
......@@ -257,6 +262,94 @@ int x509write_csr_set_ns_cert_type( x509_csr *ctx, unsigned char ns_cert_type )
return( 0 );
}
void x509write_crt_init( x509write_cert *ctx )
{
memset( ctx, 0, sizeof(x509write_cert) );
mpi_init( &ctx->serial );
ctx->version = X509_CRT_VERSION_3;
}
void x509write_crt_free( x509write_cert *ctx )
{
x509_req_name *cur;
asn1_named_data *cur_ext;
mpi_free( &ctx->serial );
while( ( cur = ctx->subject ) != NULL )
{
ctx->subject = cur->next;
polarssl_free( cur );
}
while( ( cur = ctx->issuer ) != NULL )
{
ctx->issuer = cur->next;
polarssl_free( cur );
}
while( ( cur_ext = ctx->extensions ) != NULL )
{
ctx->extensions = cur_ext->next;
asn1_free_named_data( cur_ext );
polarssl_free( cur_ext );
}
memset( ctx, 0, sizeof(x509_csr) );
}
void x509write_crt_set_md_alg( x509write_cert *ctx, md_type_t md_alg )
{
ctx->md_alg = md_alg;
}
void x509write_crt_set_subject_key( x509write_cert *ctx, rsa_context *rsa )
{
ctx->subject_key = rsa;
}
void x509write_crt_set_issuer_key( x509write_cert *ctx, rsa_context *rsa )
{
ctx->issuer_key = rsa;
}
int x509write_crt_set_subject_name( x509write_cert *ctx, char *subject_name )
{
return x509write_string_to_names( &ctx->subject, subject_name );
}
int x509write_crt_set_issuer_name( x509write_cert *ctx, char *issuer_name )
{
return x509write_string_to_names( &ctx->issuer, issuer_name );
}
int x509write_crt_set_serial( x509write_cert *ctx, const mpi *serial )
{
int ret;
if( ( ret = mpi_copy( &ctx->serial, serial ) ) != 0 )
return( ret );
return( 0 );
}
int x509write_crt_set_validity( x509write_cert *ctx, char *not_before,
char *not_after )
{
if( strlen(not_before) != X509_RFC5280_UTC_TIME_LEN - 1 ||
strlen(not_after) != X509_RFC5280_UTC_TIME_LEN - 1 )
{
return( POLARSSL_ERR_X509WRITE_BAD_INPUT_DATA );
}
strncpy( ctx->not_before, not_before, X509_RFC5280_UTC_TIME_LEN );
strncpy( ctx->not_after , not_after , X509_RFC5280_UTC_TIME_LEN );
ctx->not_before[X509_RFC5280_UTC_TIME_LEN - 1] = 'Z';
ctx->not_after[X509_RFC5280_UTC_TIME_LEN - 1] = 'Z';
return( 0 );
}
int x509write_pubkey_der( rsa_context *rsa, unsigned char *buf, size_t size )
{
int ret;
......@@ -344,6 +437,18 @@ int x509write_key_der( rsa_context *rsa, unsigned char *buf, size_t size )
return( len );
}
/*
* RelativeDistinguishedName ::=
* SET OF AttributeTypeAndValue
*
* AttributeTypeAndValue ::= SEQUENCE {
* type AttributeType,
* value AttributeValue }
*
* AttributeType ::= OBJECT IDENTIFIER
*
* AttributeValue ::= ANY DEFINED BY AttributeType
*/
static int x509_write_name( unsigned char **p, unsigned char *start, char *oid,
char *name )
{
......@@ -376,6 +481,25 @@ static int x509_write_name( unsigned char **p, unsigned char *start, char *oid,
return( len );
}
static int x509_write_names( unsigned char **p, unsigned char *start,
x509_req_name *first )
{
int ret;
size_t len = 0;
x509_req_name *cur = first;
while( cur != NULL )
{
ASN1_CHK_ADD( len, x509_write_name( p, start, cur->oid, cur->name ) );
cur = cur->next;
}
ASN1_CHK_ADD( len, asn1_write_len( p, start, len ) );
ASN1_CHK_ADD( len, asn1_write_tag( p, start, ASN1_CONSTRUCTED | ASN1_SEQUENCE ) );
return( len );
}
static int x509_write_sig( unsigned char **p, unsigned char *start,
const char *oid, unsigned char *sig, size_t size )
{
......@@ -402,6 +526,21 @@ static int x509_write_sig( unsigned char **p, unsigned char *start,
return( len );
}
static int x509_write_time( unsigned char **p, unsigned char *start,
const char *time, size_t size )
{
int ret;
size_t len = 0;
ASN1_CHK_ADD( len, asn1_write_raw_buffer( p, start,
(const unsigned char *) time,
size ) );
ASN1_CHK_ADD( len, asn1_write_len( p, start, len ) );
ASN1_CHK_ADD( len, asn1_write_tag( p, start, ASN1_GENERALIZED_TIME ) );
return( len );
}
int x509write_csr_der( x509_csr *ctx, unsigned char *buf, size_t size )
{
int ret;
......@@ -410,9 +549,8 @@ int x509write_csr_der( x509_csr *ctx, unsigned char *buf, size_t size )
unsigned char hash[64];
unsigned char sig[POLARSSL_MPI_MAX_SIZE];
unsigned char tmp_buf[2048];
size_t sub_len = 0, pub_len = 0, sig_len = 0;
size_t pub_len = 0, sig_len = 0;
size_t len = 0;
x509_req_name *cur = ctx->subject;
asn1_named_data *cur_ext = ctx->extensions;
c = tmp_buf + 2048 - 1;
......@@ -482,16 +620,10 @@ int x509write_csr_der( x509_csr *ctx, unsigned char *buf, size_t size )
ASN1_CHK_ADD( len, asn1_write_len( &c, tmp_buf, pub_len ) );
ASN1_CHK_ADD( len, asn1_write_tag( &c, tmp_buf, ASN1_CONSTRUCTED | ASN1_SEQUENCE ) );
while( cur != NULL )
{
ASN1_CHK_ADD( sub_len, x509_write_name( &c, tmp_buf, cur->oid, cur->name ) );
cur = cur->next;
}
len += sub_len;
ASN1_CHK_ADD( len, asn1_write_len( &c, tmp_buf, sub_len ) );
ASN1_CHK_ADD( len, asn1_write_tag( &c, tmp_buf, ASN1_CONSTRUCTED | ASN1_SEQUENCE ) );
/*
* Subject ::= Name
*/
ASN1_CHK_ADD( len, x509_write_names( &c, tmp_buf, ctx->subject ) );
/*
* Version ::= INTEGER { v1(0), v2(1), v3(2) }
......@@ -522,6 +654,123 @@ int x509write_csr_der( x509_csr *ctx, unsigned char *buf, size_t size )
return( len );
}
int x509write_crt_der( x509write_cert *ctx, unsigned char *buf, size_t size )
{
int ret;
const char *sig_oid;
unsigned char *c, *c2;
unsigned char hash[64];
unsigned char sig[POLARSSL_MPI_MAX_SIZE];
unsigned char tmp_buf[2048];
size_t sub_len = 0, pub_len = 0, sig_len = 0;
size_t len = 0;
asn1_named_data *cur_ext = ctx->extensions;
c = tmp_buf + 2048 - 1;
// Generate correct OID
//
ret = oid_get_oid_by_sig_alg( POLARSSL_PK_RSA, ctx->md_alg, &sig_oid );
if( ret != 0 )
return( ret );
/*
* SubjectPublicKeyInfo ::= SEQUENCE {
* algorithm AlgorithmIdentifier,
* subjectPublicKey BIT STRING }
*/
ASN1_CHK_ADD( pub_len, asn1_write_mpi( &c, tmp_buf, &ctx->subject_key->E ) );
ASN1_CHK_ADD( pub_len, asn1_write_mpi( &c, tmp_buf, &ctx->subject_key->N ) );
ASN1_CHK_ADD( pub_len, asn1_write_len( &c, tmp_buf, pub_len ) );
ASN1_CHK_ADD( pub_len, asn1_write_tag( &c, tmp_buf, ASN1_CONSTRUCTED | ASN1_SEQUENCE ) );
if( c - tmp_buf < 1 )
return( POLARSSL_ERR_ASN1_BUF_TOO_SMALL );
*--c = 0;
pub_len += 1;
ASN1_CHK_ADD( pub_len, asn1_write_len( &c, tmp_buf, pub_len ) );
ASN1_CHK_ADD( pub_len, asn1_write_tag( &c, tmp_buf, ASN1_BIT_STRING ) );
ASN1_CHK_ADD( pub_len, asn1_write_algorithm_identifier( &c, tmp_buf, OID_PKCS1_RSA ) );
len += pub_len;
ASN1_CHK_ADD( len, asn1_write_len( &c, tmp_buf, pub_len ) );
ASN1_CHK_ADD( len, asn1_write_tag( &c, tmp_buf, ASN1_CONSTRUCTED | ASN1_SEQUENCE ) );
/*
* Subject ::= Name
*/
ASN1_CHK_ADD( len, x509_write_names( &c, tmp_buf, ctx->subject ) );
/*
* Validity ::= SEQUENCE {
* notBefore Time,
* notAfter Time }
*/
sub_len = 0;
ASN1_CHK_ADD( sub_len, x509_write_time( &c, tmp_buf, ctx->not_after,
X509_RFC5280_UTC_TIME_LEN ) );
ASN1_CHK_ADD( sub_len, x509_write_time( &c, tmp_buf, ctx->not_before,
X509_RFC5280_UTC_TIME_LEN ) );
len += sub_len;
ASN1_CHK_ADD( len, asn1_write_len( &c, tmp_buf, sub_len ) );
ASN1_CHK_ADD( len, asn1_write_tag( &c, tmp_buf, ASN1_CONSTRUCTED | ASN1_SEQUENCE ) );
/*
* Issuer ::= Name
*/
ASN1_CHK_ADD( len, x509_write_names( &c, tmp_buf, ctx->issuer ) );
/*
* Signature ::= AlgorithmIdentifier
*/
ASN1_CHK_ADD( len, asn1_write_algorithm_identifier( &c, tmp_buf,
sig_oid ) );
/*
* Serial ::= INTEGER
*/
ASN1_CHK_ADD( len, asn1_write_mpi( &c, tmp_buf, &ctx->serial ) );
/*
* Version ::= INTEGER { v1(0), v2(1), v3(2) }
*/
sub_len = 0;
ASN1_CHK_ADD( sub_len, asn1_write_int( &c, tmp_buf, ctx->version ) );
len += sub_len;
ASN1_CHK_ADD( len, asn1_write_len( &c, tmp_buf, sub_len ) );
ASN1_CHK_ADD( len, asn1_write_tag( &c, tmp_buf, ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 0 ) );
ASN1_CHK_ADD( len, asn1_write_len( &c, tmp_buf, len ) );
ASN1_CHK_ADD( len, asn1_write_tag( &c, tmp_buf, ASN1_CONSTRUCTED | ASN1_SEQUENCE ) );
md( md_info_from_type( ctx->md_alg ), c, len, hash );
rsa_pkcs1_sign( ctx->issuer_key, NULL, NULL, RSA_PRIVATE, ctx->md_alg, 0, hash, sig );
c2 = buf + size - 1;
ASN1_CHK_ADD( sig_len, x509_write_sig( &c2, buf, sig_oid, sig, ctx->issuer_key->len ) );
c2 -= len;
memcpy( c2, c, len );
len += sig_len;
ASN1_CHK_ADD( len, asn1_write_len( &c2, buf, len ) );
ASN1_CHK_ADD( len, asn1_write_tag( &c2, buf, ASN1_CONSTRUCTED | ASN1_SEQUENCE ) );
return( len );
}
#define PEM_BEGIN_CRT "-----BEGIN CERTIFICATE-----\n"
#define PEM_END_CRT "-----END CERTIFICATE-----\n"
#define PEM_BEGIN_CSR "-----BEGIN CERTIFICATE REQUEST-----\n"
#define PEM_END_CSR "-----END CERTIFICATE REQUEST-----\n"
......@@ -571,6 +820,27 @@ static int x509write_pemify( const char *begin_str, const char *end_str,
return( 0 );
}
int x509write_crt_pem( x509write_cert *crt, unsigned char *buf, size_t size )
{
int ret;
unsigned char output_buf[4096];
if( ( ret = x509write_crt_der( crt, output_buf,
sizeof(output_buf) ) ) < 0 )
{
return( ret );
}
if( ( ret = x509write_pemify( PEM_BEGIN_CRT, PEM_END_CRT,