eden-emu/mbedtls
15
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merged major refactoring of x509write module into development

Browse source 
This refactoring adds support for proper CSR writing and X509
certificate generation / signing
This commit is contained in:
Paul Bakker 2013-09-12 11:58:04 +02:00
commit 9013af76a3
27 changed files with 2942 additions and 511 deletions
Download patch file Download diff file Expand all files Collapse all files

337
include/polarssl/x509write.h
View file

@ -60,29 +60,42 @@ extern "C" {
* \{
*/
/**
* Container for CSR named objects
*/
typedef struct _x509_req_name
{
char oid[128];
char name[128];
struct _x509_req_name *next;
}
x509_req_name;
/**
* Container for a CSR
*/
typedef struct _x509_csr
typedef struct _x509write_csr
{
rsa_context *rsa;
x509_req_name *subject;
pk_context *key;
asn1_named_data *subject;
md_type_t md_alg;
asn1_named_data *extensions;
}
x509_csr;
x509write_csr;
#define X509_CRT_VERSION_1 0
#define X509_CRT_VERSION_2 1
#define X509_CRT_VERSION_3 2
#define X509_RFC5280_MAX_SERIAL_LEN 32
#define X509_RFC5280_UTC_TIME_LEN 15
/**
* Container for writing a certificate (CRT)
*/
typedef struct _x509write_cert
{
int version;
mpi serial;
pk_context *subject_key;
pk_context *issuer_key;
asn1_named_data *subject;
asn1_named_data *issuer;
md_type_t md_alg;
char not_before[X509_RFC5280_UTC_TIME_LEN + 1];
char not_after[X509_RFC5280_UTC_TIME_LEN + 1];
asn1_named_data *extensions;
}
x509write_cert;
/* \} name */
/* \} addtogroup x509_module */
@ -92,7 +105,7 @@ x509_csr;
*
* \param ctx CSR context to initialize
*/
void x509write_csr_init( x509_csr *ctx );
void x509write_csr_init( x509write_csr *ctx );
/**
* \brief Set the subject name for a CSR
@ -106,16 +119,16 @@ void x509write_csr_init( x509_csr *ctx );
* \return 0 if subject name was parsed successfully, or
* a specific error code
*/
int x509write_csr_set_subject_name( x509_csr *ctx, char *subject_name );
int x509write_csr_set_subject_name( x509write_csr *ctx, char *subject_name );
/**
* \brief Set the RSA key for a CSR (public key will be included,
* \brief Set the key for a CSR (public key will be included,
* private key used to sign the CSR when writing it)
*
* \param ctx CSR context to use
* \param rsa RSA key to include
* \param key Asymetric key to include
*/
void x509write_csr_set_rsa_key( x509_csr *ctx, rsa_context *rsa );
void x509write_csr_set_key( x509write_csr *ctx, pk_context *key );
/**
* \brief Set the MD algorithm to use for the signature
@ -124,7 +137,7 @@ void x509write_csr_set_rsa_key( x509_csr *ctx, rsa_context *rsa );
* \param ctx CSR context to use
* \param md_alg MD algorithm to use
*/
void x509write_csr_set_md_alg( x509_csr *ctx, md_type_t md_alg );
void x509write_csr_set_md_alg( x509write_csr *ctx, md_type_t md_alg );
/**
* \brief Set the Key Usage Extension flags
@ -135,7 +148,7 @@ void x509write_csr_set_md_alg( x509_csr *ctx, md_type_t md_alg );
*
* \return 0 if successful, or POLARSSL_ERR_X509WRITE_MALLOC_FAILED
*/
int x509write_csr_set_key_usage( x509_csr *ctx, unsigned char key_usage );
int x509write_csr_set_key_usage( x509write_csr *ctx, unsigned char key_usage );
/**
* \brief Set the Netscape Cert Type flags
@ -146,7 +159,8 @@ int x509write_csr_set_key_usage( x509_csr *ctx, unsigned char key_usage );
*
* \return 0 if successful, or POLARSSL_ERR_X509WRITE_MALLOC_FAILED
*/
int x509write_csr_set_ns_cert_type( x509_csr *ctx, unsigned char ns_cert_type );
int x509write_csr_set_ns_cert_type( x509write_csr *ctx,
unsigned char ns_cert_type );
/**
* \brief Generic function to add to or replace an extension in the CSR
@ -159,7 +173,7 @@ int x509write_csr_set_ns_cert_type( x509_csr *ctx, unsigned char ns_cert_type );
*
* \return 0 if successful, or a POLARSSL_ERR_X509WRITE_MALLOC_FAILED
*/
int x509write_csr_set_extension( x509_csr *ctx,
int x509write_csr_set_extension( x509write_csr *ctx,
const char *oid, size_t oid_len,
const unsigned char *val, size_t val_len );
@ -168,37 +182,242 @@ int x509write_csr_set_extension( x509_csr *ctx,
*
* \param ctx CSR context to free
*/
void x509write_csr_free( x509_csr *ctx );
void x509write_csr_free( x509write_csr *ctx );
/**
* \brief Write a RSA public key to a PKCS#1 DER structure
* \brief Initialize a CRT writing context
*
* \param ctx CRT context to initialize
*/
void x509write_crt_init( x509write_cert *ctx );
/**
* \brief Set the verion for a Certificate
* Default: X509_CRT_VERSION_3
*
* \param ctx CRT context to use
* \param version version to set (X509_CRT_VERSION_1, X509_CRT_VERSION_2 or
* X509_CRT_VERSION_3)
*/
void x509write_crt_set_version( x509write_cert *ctx, int version );
/**
* \brief Set the serial number for a Certificate.
*
* \param ctx CRT context to use
* \param serial serial number to set
*
* \return 0 if successful
*/
int x509write_crt_set_serial( x509write_cert *ctx, const mpi *serial );
/**
* \brief Set the validity period for a Certificate
* Timestamps should be in string format for UTC timezone
* i.e. "YYYYMMDDhhmmss"
* e.g. "20131231235959" for December 31st 2013
* at 23:59:59
*
* \param ctx CRT context to use
* \param not_before not_before timestamp
* \param not_after not_after timestamp
*
* \return 0 if timestamp was parsed successfully, or
* a specific error code
*/
int x509write_crt_set_validity( x509write_cert *ctx, char *not_before,
char *not_after );
/**
* \brief Set the issuer name for a Certificate
* Issuer names should contain a comma-separated list
* of OID types and values:
* e.g. "C=NL,O=Offspark,CN=PolarSSL CA"
*
* \param ctx CRT context to use
* \param issuer_name issuer name to set
*
* \return 0 if issuer name was parsed successfully, or
* a specific error code
*/
int x509write_crt_set_issuer_name( x509write_cert *ctx, char *issuer_name );
/**
* \brief Set the subject name for a Certificate
* Subject names should contain a comma-separated list
* of OID types and values:
* e.g. "C=NL,O=Offspark,CN=PolarSSL Server 1"
*
* \param ctx CRT context to use
* \param subject_name subject name to set
*
* \return 0 if subject name was parsed successfully, or
* a specific error code
*/
int x509write_crt_set_subject_name( x509write_cert *ctx, char *subject_name );
/**
* \brief Set the subject public key for the certificate
*
* \param ctx CRT context to use
* \param key public key to include
*/
void x509write_crt_set_subject_key( x509write_cert *ctx, pk_context *key );
/**
* \brief Set the issuer key used for signing the certificate
*
* \param ctx CRT context to use
* \param key private key to sign with
*/
void x509write_crt_set_issuer_key( x509write_cert *ctx, pk_context *key );
/**
* \brief Set the MD algorithm to use for the signature
* (e.g. POLARSSL_MD_SHA1)
*
* \param ctx CRT context to use
* \param md_ald MD algorithm to use
*/
void x509write_crt_set_md_alg( x509write_cert *ctx, md_type_t md_alg );
/**
* \brief Generic function to add to or replace an extension in the
* CRT
*
* \param ctx CRT context to use
* \param oid OID of the extension
* \param oid_len length of the OID
* \param critical if the extension is critical (per the RFC's definition)
* \param val value of the extension OCTET STRING
* \param val_len length of the value data
*
* \return 0 if successful, or a POLARSSL_ERR_X509WRITE_MALLOC_FAILED
*/
int x509write_crt_set_extension( x509write_cert *ctx,
const char *oid, size_t oid_len,
int critical,
const unsigned char *val, size_t val_len );
/**
* \brief Set the basicConstraints extension for a CRT
*
* \param ctx CRT context to use
* \param is_ca is this a CA certificate
* \param max_pathlen maximum length of certificate chains below this
* certificate (only for CA certificates, -1 is
* inlimited)
*
* \return 0 if successful, or a POLARSSL_ERR_X509WRITE_MALLOC_FAILED
*/
int x509write_crt_set_basic_constraints( x509write_cert *ctx,
int is_ca, int max_pathlen );
/**
* \brief Set the subjectKeyIdentifier extension for a CRT
* Requires that x509write_crt_set_subject_key() has been
* called before
*
* \param ctx CRT context to use
*
* \return 0 if successful, or a POLARSSL_ERR_X509WRITE_MALLOC_FAILED
*/
int x509write_crt_set_subject_key_identifier( x509write_cert *ctx );
/**
* \brief Set the authorityKeyIdentifier extension for a CRT
* Requires that x509write_crt_set_issuer_key() has been
* called before
*
* \param ctx CRT context to use
*
* \return 0 if successful, or a POLARSSL_ERR_X509WRITE_MALLOC_FAILED
*/
int x509write_crt_set_authority_key_identifier( x509write_cert *ctx );
/**
* \brief Set the Key Usage Extension flags
* (e.g. KU_DIGITAL_SIGNATURE | KU_KEY_CERT_SIGN)
*
* \param ctx CRT context to use
* \param key_usage key usage flags to set
*
* \return 0 if successful, or POLARSSL_ERR_X509WRITE_MALLOC_FAILED
*/
int x509write_crt_set_key_usage( x509write_cert *ctx, unsigned char key_usage );
/**
* \brief Set the Netscape Cert Type flags
* (e.g. NS_CERT_TYPE_SSL_CLIENT | NS_CERT_TYPE_EMAIL)
*
* \param ctx CRT context to use
* \param ns_cert_type Netscape Cert Type flags to set
*
* \return 0 if successful, or POLARSSL_ERR_X509WRITE_MALLOC_FAILED
*/
int x509write_crt_set_ns_cert_type( x509write_cert *ctx,
unsigned char ns_cert_type );
/**
* \brief Free the contents of a CRT write context
*
* \param ctx CRT context to free
*/
void x509write_crt_free( x509write_cert *ctx );
/**
* \brief Write a built up certificate to a X509 DER structure
* Note: data is written at the end of the buffer! Use the
* return value to determine where you should start
* using the buffer
*
* \param rsa RSA to write away
* \param crt certificate to write away
* \param buf buffer to write to
* \param size size of the buffer
* \param f_rng RNG function (for signature, see note)
* \param p_rng RNG parameter
*
* \return length of data written if successful, or a specific
* error code
*
* \note f_rng may be NULL if RSA is used for signature and the
* signature is made offline (otherwise f_rng is desirable
* for countermeasures against timing attacks).
* ECDSA signatures always require a non-NULL f_rng.
*/
int x509write_crt_der( x509write_cert *ctx, unsigned char *buf, size_t size,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng );
/**
* \brief Write a public key to a DER structure
* Note: data is written at the end of the buffer! Use the
* return value to determine where you should start
* using the buffer
*
* \param key public key to write away
* \param buf buffer to write to
* \param size size of the buffer
*
* \return length of data written if successful, or a specific
* error code
*/
int x509write_pubkey_der( rsa_context *rsa, unsigned char *buf, size_t size );
int x509write_pubkey_der( pk_context *key, unsigned char *buf, size_t size );
/**
* \brief Write a RSA key to a PKCS#1 DER structure
* \brief Write a private key to a PKCS#1 or SEC1 DER structure
* Note: data is written at the end of the buffer! Use the
* return value to determine where you should start
* using the buffer
*
* \param rsa RSA to write away
* \param key private to write away
* \param buf buffer to write to
* \param size size of the buffer
*
* \return length of data written if successful, or a specific
* error code
*/
int x509write_key_der( rsa_context *rsa, unsigned char *buf, size_t size );
int x509write_key_der( pk_context *pk, unsigned char *buf, size_t size );
/**
* \brief Write a CSR (Certificate Signing Request) to a
@ -210,34 +429,63 @@ int x509write_key_der( rsa_context *rsa, unsigned char *buf, size_t size );
* \param ctx CSR to write away
* \param buf buffer to write to
* \param size size of the buffer
* \param f_rng RNG function (for signature, see note)
* \param p_rng RNG parameter
*
* \return length of data written if successful, or a specific
* error code
*
* \note f_rng may be NULL if RSA is used for signature and the
* signature is made offline (otherwise f_rng is desirable
* for countermeasures against timing attacks).
* ECDSA signatures always require a non-NULL f_rng.
*/
int x509write_csr_der( x509_csr *ctx, unsigned char *buf, size_t size );
int x509write_csr_der( x509write_csr *ctx, unsigned char *buf, size_t size,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng );
#if defined(POLARSSL_BASE64_C)
/**
* \brief Write a RSA public key to a PKCS#1 PEM string
* \brief Write a built up certificate to a X509 PEM string
*
* \param rsa RSA to write away
* \param crt certificate to write away
* \param buf buffer to write to
* \param size size of the buffer
* \param f_rng RNG function (for signature, see note)
* \param p_rng RNG parameter
*
* \return 0 successful, or a specific error code
*
* \note f_rng may be NULL if RSA is used for signature and the
* signature is made offline (otherwise f_rng is desirable
* for countermeasures against timing attacks).
* ECDSA signatures always require a non-NULL f_rng.
*/
int x509write_pubkey_pem( rsa_context *rsa, unsigned char *buf, size_t size );
int x509write_crt_pem( x509write_cert *ctx, unsigned char *buf, size_t size,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng );
/**
* \brief Write a RSA key to a PKCS#1 PEM string
* \brief Write a public key to a PEM string
*
* \param rsa RSA to write away
* \param key public key to write away
* \param buf buffer to write to
* \param size size of the buffer
*
* \return 0 successful, or a specific error code
*/
int x509write_key_pem( rsa_context *rsa, unsigned char *buf, size_t size );
int x509write_pubkey_pem( pk_context *key, unsigned char *buf, size_t size );
/**
* \brief Write a private key to a PKCS#1 or SEC1 PEM string
*
* \param key private to write away
* \param buf buffer to write to
* \param size size of the buffer
*
* \return 0 successful, or a specific error code
*/
int x509write_key_pem( pk_context *key, unsigned char *buf, size_t size );
/**
* \brief Write a CSR (Certificate Signing Request) to a
@ -246,10 +494,19 @@ int x509write_key_pem( rsa_context *rsa, unsigned char *buf, size_t size );
* \param ctx CSR to write away
* \param buf buffer to write to
* \param size size of the buffer
* \param f_rng RNG function (for signature, see note)
* \param p_rng RNG parameter
*
* \return 0 successful, or a specific error code
*
* \note f_rng may be NULL if RSA is used for signature and the
* signature is made offline (otherwise f_rng is desirable
* for couermeasures against timing attacks).
* ECDSA signatures always require a non-NULL f_rng.
*/
int x509write_csr_pem( x509_csr *ctx, unsigned char *buf, size_t size );
int x509write_csr_pem( x509write_csr *ctx, unsigned char *buf, size_t size,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng );
#endif /* POLARSSL_BASE64_C */
#ifdef __cplusplus