x509_csr.h 9.9 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301
  1. /**
  2. * \file x509_csr.h
  3. *
  4. * \brief X.509 certificate signing request parsing and writing
  5. *
  6. * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
  7. * SPDX-License-Identifier: GPL-2.0
  8. *
  9. * This program is free software; you can redistribute it and/or modify
  10. * it under the terms of the GNU General Public License as published by
  11. * the Free Software Foundation; either version 2 of the License, or
  12. * (at your option) any later version.
  13. *
  14. * This program is distributed in the hope that it will be useful,
  15. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  16. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  17. * GNU General Public License for more details.
  18. *
  19. * You should have received a copy of the GNU General Public License along
  20. * with this program; if not, write to the Free Software Foundation, Inc.,
  21. * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  22. *
  23. * This file is part of mbed TLS (https://tls.mbed.org)
  24. */
  25. #ifndef MBEDTLS_X509_CSR_H
  26. #define MBEDTLS_X509_CSR_H
  27. #if !defined(MBEDTLS_CONFIG_FILE)
  28. #include "config.h"
  29. #else
  30. #include MBEDTLS_CONFIG_FILE
  31. #endif
  32. #include "x509.h"
  33. #ifdef __cplusplus
  34. extern "C" {
  35. #endif
  36. /**
  37. * \addtogroup x509_module
  38. * \{ */
  39. /**
  40. * \name Structures and functions for X.509 Certificate Signing Requests (CSR)
  41. * \{
  42. */
  43. /**
  44. * Certificate Signing Request (CSR) structure.
  45. */
  46. typedef struct mbedtls_x509_csr
  47. {
  48. mbedtls_x509_buf raw; /**< The raw CSR data (DER). */
  49. mbedtls_x509_buf cri; /**< The raw CertificateRequestInfo body (DER). */
  50. int version; /**< CSR version (1=v1). */
  51. mbedtls_x509_buf subject_raw; /**< The raw subject data (DER). */
  52. mbedtls_x509_name subject; /**< The parsed subject data (named information object). */
  53. mbedtls_pk_context pk; /**< Container for the public key context. */
  54. mbedtls_x509_buf sig_oid;
  55. mbedtls_x509_buf sig;
  56. mbedtls_md_type_t sig_md; /**< Internal representation of the MD algorithm of the signature algorithm, e.g. MBEDTLS_MD_SHA256 */
  57. mbedtls_pk_type_t sig_pk; /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA */
  58. void *sig_opts; /**< Signature options to be passed to mbedtls_pk_verify_ext(), e.g. for RSASSA-PSS */
  59. }
  60. mbedtls_x509_csr;
  61. /**
  62. * Container for writing a CSR
  63. */
  64. typedef struct mbedtls_x509write_csr
  65. {
  66. mbedtls_pk_context *key;
  67. mbedtls_asn1_named_data *subject;
  68. mbedtls_md_type_t md_alg;
  69. mbedtls_asn1_named_data *extensions;
  70. }
  71. mbedtls_x509write_csr;
  72. #if defined(MBEDTLS_X509_CSR_PARSE_C)
  73. /**
  74. * \brief Load a Certificate Signing Request (CSR) in DER format
  75. *
  76. * \note CSR attributes (if any) are currently silently ignored.
  77. *
  78. * \param csr CSR context to fill
  79. * \param buf buffer holding the CRL data
  80. * \param buflen size of the buffer
  81. *
  82. * \return 0 if successful, or a specific X509 error code
  83. */
  84. int mbedtls_x509_csr_parse_der( mbedtls_x509_csr *csr,
  85. const unsigned char *buf, size_t buflen );
  86. /**
  87. * \brief Load a Certificate Signing Request (CSR), DER or PEM format
  88. *
  89. * \note See notes for \c mbedtls_x509_csr_parse_der()
  90. *
  91. * \param csr CSR context to fill
  92. * \param buf buffer holding the CRL data
  93. * \param buflen size of the buffer
  94. * (including the terminating null byte for PEM data)
  95. *
  96. * \return 0 if successful, or a specific X509 or PEM error code
  97. */
  98. int mbedtls_x509_csr_parse( mbedtls_x509_csr *csr, const unsigned char *buf, size_t buflen );
  99. #if defined(MBEDTLS_FS_IO)
  100. /**
  101. * \brief Load a Certificate Signing Request (CSR)
  102. *
  103. * \note See notes for \c mbedtls_x509_csr_parse()
  104. *
  105. * \param csr CSR context to fill
  106. * \param path filename to read the CSR from
  107. *
  108. * \return 0 if successful, or a specific X509 or PEM error code
  109. */
  110. int mbedtls_x509_csr_parse_file( mbedtls_x509_csr *csr, const char *path );
  111. #endif /* MBEDTLS_FS_IO */
  112. /**
  113. * \brief Returns an informational string about the
  114. * CSR.
  115. *
  116. * \param buf Buffer to write to
  117. * \param size Maximum size of buffer
  118. * \param prefix A line prefix
  119. * \param csr The X509 CSR to represent
  120. *
  121. * \return The length of the string written (not including the
  122. * terminated nul byte), or a negative error code.
  123. */
  124. int mbedtls_x509_csr_info( char *buf, size_t size, const char *prefix,
  125. const mbedtls_x509_csr *csr );
  126. /**
  127. * \brief Initialize a CSR
  128. *
  129. * \param csr CSR to initialize
  130. */
  131. void mbedtls_x509_csr_init( mbedtls_x509_csr *csr );
  132. /**
  133. * \brief Unallocate all CSR data
  134. *
  135. * \param csr CSR to free
  136. */
  137. void mbedtls_x509_csr_free( mbedtls_x509_csr *csr );
  138. #endif /* MBEDTLS_X509_CSR_PARSE_C */
  139. /* \} name */
  140. /* \} addtogroup x509_module */
  141. #if defined(MBEDTLS_X509_CSR_WRITE_C)
  142. /**
  143. * \brief Initialize a CSR context
  144. *
  145. * \param ctx CSR context to initialize
  146. */
  147. void mbedtls_x509write_csr_init( mbedtls_x509write_csr *ctx );
  148. /**
  149. * \brief Set the subject name for a CSR
  150. * Subject names should contain a comma-separated list
  151. * of OID types and values:
  152. * e.g. "C=UK,O=ARM,CN=mbed TLS Server 1"
  153. *
  154. * \param ctx CSR context to use
  155. * \param subject_name subject name to set
  156. *
  157. * \return 0 if subject name was parsed successfully, or
  158. * a specific error code
  159. */
  160. int mbedtls_x509write_csr_set_subject_name( mbedtls_x509write_csr *ctx,
  161. const char *subject_name );
  162. /**
  163. * \brief Set the key for a CSR (public key will be included,
  164. * private key used to sign the CSR when writing it)
  165. *
  166. * \param ctx CSR context to use
  167. * \param key Asymetric key to include
  168. */
  169. void mbedtls_x509write_csr_set_key( mbedtls_x509write_csr *ctx, mbedtls_pk_context *key );
  170. /**
  171. * \brief Set the MD algorithm to use for the signature
  172. * (e.g. MBEDTLS_MD_SHA1)
  173. *
  174. * \param ctx CSR context to use
  175. * \param md_alg MD algorithm to use
  176. */
  177. void mbedtls_x509write_csr_set_md_alg( mbedtls_x509write_csr *ctx, mbedtls_md_type_t md_alg );
  178. /**
  179. * \brief Set the Key Usage Extension flags
  180. * (e.g. MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_KEY_CERT_SIGN)
  181. *
  182. * \param ctx CSR context to use
  183. * \param key_usage key usage flags to set
  184. *
  185. * \return 0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED
  186. */
  187. int mbedtls_x509write_csr_set_key_usage( mbedtls_x509write_csr *ctx, unsigned char key_usage );
  188. /**
  189. * \brief Set the Netscape Cert Type flags
  190. * (e.g. MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT | MBEDTLS_X509_NS_CERT_TYPE_EMAIL)
  191. *
  192. * \param ctx CSR context to use
  193. * \param ns_cert_type Netscape Cert Type flags to set
  194. *
  195. * \return 0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED
  196. */
  197. int mbedtls_x509write_csr_set_ns_cert_type( mbedtls_x509write_csr *ctx,
  198. unsigned char ns_cert_type );
  199. /**
  200. * \brief Generic function to add to or replace an extension in the
  201. * CSR
  202. *
  203. * \param ctx CSR context to use
  204. * \param oid OID of the extension
  205. * \param oid_len length of the OID
  206. * \param val value of the extension OCTET STRING
  207. * \param val_len length of the value data
  208. *
  209. * \return 0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED
  210. */
  211. int mbedtls_x509write_csr_set_extension( mbedtls_x509write_csr *ctx,
  212. const char *oid, size_t oid_len,
  213. const unsigned char *val, size_t val_len );
  214. /**
  215. * \brief Free the contents of a CSR context
  216. *
  217. * \param ctx CSR context to free
  218. */
  219. void mbedtls_x509write_csr_free( mbedtls_x509write_csr *ctx );
  220. /**
  221. * \brief Write a CSR (Certificate Signing Request) to a
  222. * DER structure
  223. * Note: data is written at the end of the buffer! Use the
  224. * return value to determine where you should start
  225. * using the buffer
  226. *
  227. * \param ctx CSR to write away
  228. * \param buf buffer to write to
  229. * \param size size of the buffer
  230. * \param f_rng RNG function (for signature, see note)
  231. * \param p_rng RNG parameter
  232. *
  233. * \return length of data written if successful, or a specific
  234. * error code
  235. *
  236. * \note f_rng may be NULL if RSA is used for signature and the
  237. * signature is made offline (otherwise f_rng is desirable
  238. * for countermeasures against timing attacks).
  239. * ECDSA signatures always require a non-NULL f_rng.
  240. */
  241. int mbedtls_x509write_csr_der( mbedtls_x509write_csr *ctx, unsigned char *buf, size_t size,
  242. int (*f_rng)(void *, unsigned char *, size_t),
  243. void *p_rng );
  244. #if defined(MBEDTLS_PEM_WRITE_C)
  245. /**
  246. * \brief Write a CSR (Certificate Signing Request) to a
  247. * PEM string
  248. *
  249. * \param ctx CSR to write away
  250. * \param buf buffer to write to
  251. * \param size size of the buffer
  252. * \param f_rng RNG function (for signature, see note)
  253. * \param p_rng RNG parameter
  254. *
  255. * \return 0 if successful, or a specific error code
  256. *
  257. * \note f_rng may be NULL if RSA is used for signature and the
  258. * signature is made offline (otherwise f_rng is desirable
  259. * for countermeasures against timing attacks).
  260. * ECDSA signatures always require a non-NULL f_rng.
  261. */
  262. int mbedtls_x509write_csr_pem( mbedtls_x509write_csr *ctx, unsigned char *buf, size_t size,
  263. int (*f_rng)(void *, unsigned char *, size_t),
  264. void *p_rng );
  265. #endif /* MBEDTLS_PEM_WRITE_C */
  266. #endif /* MBEDTLS_X509_CSR_WRITE_C */
  267. #ifdef __cplusplus
  268. }
  269. #endif
  270. #endif /* mbedtls_x509_csr.h */