/src/mbedtls/library/x509_csr.c
Line | Count | Source |
1 | | /* |
2 | | * X.509 Certificate Signing Request (CSR) parsing |
3 | | * |
4 | | * Copyright The Mbed TLS Contributors |
5 | | * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later |
6 | | */ |
7 | | /* |
8 | | * The ITU-T X.509 standard defines a certificate format for PKI. |
9 | | * |
10 | | * http://www.ietf.org/rfc/rfc5280.txt (Certificates and CRLs) |
11 | | * http://www.ietf.org/rfc/rfc3279.txt (Alg IDs for CRLs) |
12 | | * http://www.ietf.org/rfc/rfc2986.txt (CSRs, aka PKCS#10) |
13 | | * |
14 | | * http://www.itu.int/ITU-T/studygroups/com17/languages/X.680-0207.pdf |
15 | | * http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf |
16 | | */ |
17 | | |
18 | | #include "common.h" |
19 | | |
20 | | #if defined(MBEDTLS_X509_CSR_PARSE_C) |
21 | | |
22 | | #include "mbedtls/x509_csr.h" |
23 | | #include "x509_internal.h" |
24 | | #include "mbedtls/error.h" |
25 | | #include "mbedtls/oid.h" |
26 | | #include "mbedtls/platform_util.h" |
27 | | |
28 | | #include <string.h> |
29 | | |
30 | | #if defined(MBEDTLS_PEM_PARSE_C) |
31 | | #include "mbedtls/pem.h" |
32 | | #endif |
33 | | |
34 | | #include "mbedtls/platform.h" |
35 | | |
36 | | #if defined(MBEDTLS_FS_IO) || defined(EFIX64) || defined(EFI32) |
37 | | #include <stdio.h> |
38 | | #endif |
39 | | |
40 | | /* |
41 | | * Version ::= INTEGER { v1(0) } |
42 | | */ |
43 | | static int x509_csr_get_version(unsigned char **p, |
44 | | const unsigned char *end, |
45 | | int *ver) |
46 | 2.72k | { |
47 | 2.72k | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
48 | | |
49 | 2.72k | if ((ret = mbedtls_asn1_get_int(p, end, ver)) != 0) { |
50 | 788 | if (ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) { |
51 | 671 | *ver = 0; |
52 | 671 | return 0; |
53 | 671 | } |
54 | | |
55 | 117 | return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_VERSION, ret); |
56 | 788 | } |
57 | | |
58 | 1.93k | return 0; |
59 | 2.72k | } |
60 | | |
61 | | /* |
62 | | * Parse CSR extension requests in DER format |
63 | | */ |
64 | | static int x509_csr_parse_extensions(mbedtls_x509_csr *csr, |
65 | | unsigned char **p, const unsigned char *end, |
66 | | mbedtls_x509_csr_ext_cb_t cb, |
67 | | void *p_ctx) |
68 | 321 | { |
69 | 321 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
70 | 321 | size_t len; |
71 | 321 | unsigned char *end_ext_data, *end_ext_octet; |
72 | | |
73 | 523 | while (*p < end) { |
74 | 428 | mbedtls_x509_buf extn_oid = { 0, 0, NULL }; |
75 | 428 | int is_critical = 0; /* DEFAULT FALSE */ |
76 | 428 | int ext_type = 0; |
77 | | |
78 | | /* Read sequence tag */ |
79 | 428 | if ((ret = mbedtls_asn1_get_tag(p, end, &len, |
80 | 428 | MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) { |
81 | 37 | return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret); |
82 | 37 | } |
83 | | |
84 | 391 | end_ext_data = *p + len; |
85 | | |
86 | | /* Get extension ID */ |
87 | 391 | if ((ret = mbedtls_asn1_get_tag(p, end_ext_data, &extn_oid.len, |
88 | 391 | MBEDTLS_ASN1_OID)) != 0) { |
89 | 4 | return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret); |
90 | 4 | } |
91 | | |
92 | 387 | extn_oid.tag = MBEDTLS_ASN1_OID; |
93 | 387 | extn_oid.p = *p; |
94 | 387 | *p += extn_oid.len; |
95 | | |
96 | | /* Get optional critical */ |
97 | 387 | if ((ret = mbedtls_asn1_get_bool(p, end_ext_data, &is_critical)) != 0 && |
98 | 376 | (ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG)) { |
99 | 73 | return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret); |
100 | 73 | } |
101 | | |
102 | | /* Data should be octet string type */ |
103 | 314 | if ((ret = mbedtls_asn1_get_tag(p, end_ext_data, &len, |
104 | 314 | MBEDTLS_ASN1_OCTET_STRING)) != 0) { |
105 | 4 | return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret); |
106 | 4 | } |
107 | | |
108 | 310 | end_ext_octet = *p + len; |
109 | | |
110 | 310 | if (end_ext_octet != end_ext_data) { |
111 | 1 | return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, |
112 | 1 | MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); |
113 | 1 | } |
114 | | |
115 | | /* |
116 | | * Detect supported extensions and skip unsupported extensions |
117 | | */ |
118 | 309 | ret = mbedtls_oid_get_x509_ext_type(&extn_oid, &ext_type); |
119 | | |
120 | 309 | if (ret != 0) { |
121 | | /* Give the callback (if any) a chance to handle the extension */ |
122 | 53 | if (cb != NULL) { |
123 | 0 | ret = cb(p_ctx, csr, &extn_oid, is_critical, *p, end_ext_octet); |
124 | 0 | if (ret != 0 && is_critical) { |
125 | 0 | return ret; |
126 | 0 | } |
127 | 0 | *p = end_ext_octet; |
128 | 0 | continue; |
129 | 0 | } |
130 | | |
131 | | /* No parser found, skip extension */ |
132 | 53 | *p = end_ext_octet; |
133 | | |
134 | 53 | if (is_critical) { |
135 | | /* Data is marked as critical: fail */ |
136 | 1 | return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, |
137 | 1 | MBEDTLS_ERR_ASN1_UNEXPECTED_TAG); |
138 | 1 | } |
139 | 52 | continue; |
140 | 53 | } |
141 | | |
142 | | /* Forbid repeated extensions */ |
143 | 256 | if ((csr->ext_types & ext_type) != 0) { |
144 | 2 | return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, |
145 | 2 | MBEDTLS_ERR_ASN1_INVALID_DATA); |
146 | 2 | } |
147 | | |
148 | 254 | csr->ext_types |= ext_type; |
149 | | |
150 | 254 | switch (ext_type) { |
151 | 83 | case MBEDTLS_X509_EXT_KEY_USAGE: |
152 | | /* Parse key usage */ |
153 | 83 | if ((ret = mbedtls_x509_get_key_usage(p, end_ext_data, |
154 | 83 | &csr->key_usage)) != 0) { |
155 | 60 | return ret; |
156 | 60 | } |
157 | 23 | break; |
158 | | |
159 | 100 | case MBEDTLS_X509_EXT_SUBJECT_ALT_NAME: |
160 | | /* Parse subject alt name */ |
161 | 100 | if ((ret = mbedtls_x509_get_subject_alt_name(p, end_ext_data, |
162 | 100 | &csr->subject_alt_names)) != 0) { |
163 | 40 | return ret; |
164 | 40 | } |
165 | 60 | break; |
166 | | |
167 | 60 | case MBEDTLS_X509_EXT_NS_CERT_TYPE: |
168 | | /* Parse netscape certificate type */ |
169 | 37 | if ((ret = mbedtls_x509_get_ns_cert_type(p, end_ext_data, |
170 | 37 | &csr->ns_cert_type)) != 0) { |
171 | 3 | return ret; |
172 | 3 | } |
173 | 34 | break; |
174 | 34 | default: |
175 | | /* |
176 | | * If this is a non-critical extension, which the oid layer |
177 | | * supports, but there isn't an x509 parser for it, |
178 | | * skip the extension. |
179 | | */ |
180 | 34 | if (is_critical) { |
181 | 1 | return MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE; |
182 | 33 | } else { |
183 | 33 | *p = end_ext_octet; |
184 | 33 | } |
185 | 254 | } |
186 | 254 | } |
187 | | |
188 | 95 | if (*p != end) { |
189 | 0 | return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, |
190 | 0 | MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); |
191 | 0 | } |
192 | | |
193 | 95 | return 0; |
194 | 95 | } |
195 | | |
196 | | /* |
197 | | * Parse CSR attributes in DER format |
198 | | */ |
199 | | static int x509_csr_parse_attributes(mbedtls_x509_csr *csr, |
200 | | const unsigned char *start, const unsigned char *end, |
201 | | mbedtls_x509_csr_ext_cb_t cb, |
202 | | void *p_ctx) |
203 | 594 | { |
204 | 594 | int ret; |
205 | 594 | size_t len; |
206 | 594 | unsigned char *end_attr_data; |
207 | 594 | unsigned char **p = (unsigned char **) &start; |
208 | | |
209 | 917 | while (*p < end) { |
210 | 582 | mbedtls_x509_buf attr_oid = { 0, 0, NULL }; |
211 | | |
212 | 582 | if ((ret = mbedtls_asn1_get_tag(p, end, &len, |
213 | 582 | MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) { |
214 | 17 | return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret); |
215 | 17 | } |
216 | 565 | end_attr_data = *p + len; |
217 | | |
218 | | /* Get attribute ID */ |
219 | 565 | if ((ret = mbedtls_asn1_get_tag(p, end_attr_data, &attr_oid.len, |
220 | 565 | MBEDTLS_ASN1_OID)) != 0) { |
221 | 6 | return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret); |
222 | 6 | } |
223 | | |
224 | 559 | attr_oid.tag = MBEDTLS_ASN1_OID; |
225 | 559 | attr_oid.p = *p; |
226 | 559 | *p += attr_oid.len; |
227 | | |
228 | | /* Check that this is an extension-request attribute */ |
229 | 559 | if (MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS9_CSR_EXT_REQ, &attr_oid) == 0) { |
230 | 325 | if ((ret = mbedtls_asn1_get_tag(p, end, &len, |
231 | 325 | MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SET)) != 0) { |
232 | 1 | return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret); |
233 | 1 | } |
234 | | |
235 | 324 | if ((ret = mbedtls_asn1_get_tag(p, end, &len, |
236 | 324 | MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != |
237 | 324 | 0) { |
238 | 3 | return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret); |
239 | 3 | } |
240 | | |
241 | 321 | if ((ret = x509_csr_parse_extensions(csr, p, *p + len, cb, p_ctx)) != 0) { |
242 | 226 | return ret; |
243 | 226 | } |
244 | | |
245 | 95 | if (*p != end_attr_data) { |
246 | 6 | return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, |
247 | 6 | MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); |
248 | 6 | } |
249 | 95 | } |
250 | | |
251 | 323 | *p = end_attr_data; |
252 | 323 | } |
253 | | |
254 | 335 | if (*p != end) { |
255 | 0 | return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, |
256 | 0 | MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); |
257 | 0 | } |
258 | | |
259 | 335 | return 0; |
260 | 335 | } |
261 | | |
262 | | /* |
263 | | * Parse a CSR in DER format |
264 | | */ |
265 | | static int mbedtls_x509_csr_parse_der_internal(mbedtls_x509_csr *csr, |
266 | | const unsigned char *buf, size_t buflen, |
267 | | mbedtls_x509_csr_ext_cb_t cb, |
268 | | void *p_ctx) |
269 | 2.94k | { |
270 | 2.94k | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
271 | 2.94k | size_t len; |
272 | 2.94k | unsigned char *p, *end; |
273 | 2.94k | mbedtls_x509_buf sig_params; |
274 | | |
275 | 2.94k | memset(&sig_params, 0, sizeof(mbedtls_x509_buf)); |
276 | | |
277 | | /* |
278 | | * Check for valid input |
279 | | */ |
280 | 2.94k | if (csr == NULL || buf == NULL || buflen == 0) { |
281 | 0 | return MBEDTLS_ERR_X509_BAD_INPUT_DATA; |
282 | 0 | } |
283 | | |
284 | 2.94k | mbedtls_x509_csr_init(csr); |
285 | | |
286 | | /* |
287 | | * first copy the raw DER data |
288 | | */ |
289 | 2.94k | p = mbedtls_calloc(1, len = buflen); |
290 | | |
291 | 2.94k | if (p == NULL) { |
292 | 0 | return MBEDTLS_ERR_X509_ALLOC_FAILED; |
293 | 0 | } |
294 | | |
295 | 2.94k | memcpy(p, buf, buflen); |
296 | | |
297 | 2.94k | csr->raw.p = p; |
298 | 2.94k | csr->raw.len = len; |
299 | 2.94k | end = p + len; |
300 | | |
301 | | /* |
302 | | * CertificationRequest ::= SEQUENCE { |
303 | | * certificationRequestInfo CertificationRequestInfo, |
304 | | * signatureAlgorithm AlgorithmIdentifier, |
305 | | * signature BIT STRING |
306 | | * } |
307 | | */ |
308 | 2.94k | if ((ret = mbedtls_asn1_get_tag(&p, end, &len, |
309 | 2.94k | MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) { |
310 | 167 | mbedtls_x509_csr_free(csr); |
311 | 167 | return MBEDTLS_ERR_X509_INVALID_FORMAT; |
312 | 167 | } |
313 | | |
314 | 2.77k | if (len != (size_t) (end - p)) { |
315 | 52 | mbedtls_x509_csr_free(csr); |
316 | 52 | return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_FORMAT, |
317 | 52 | MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); |
318 | 52 | } |
319 | | |
320 | | /* |
321 | | * CertificationRequestInfo ::= SEQUENCE { |
322 | | */ |
323 | 2.72k | csr->cri.p = p; |
324 | | |
325 | 2.72k | if ((ret = mbedtls_asn1_get_tag(&p, end, &len, |
326 | 2.72k | MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) { |
327 | 6 | mbedtls_x509_csr_free(csr); |
328 | 6 | return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_FORMAT, ret); |
329 | 6 | } |
330 | | |
331 | 2.72k | end = p + len; |
332 | 2.72k | csr->cri.len = (size_t) (end - csr->cri.p); |
333 | | |
334 | | /* |
335 | | * Version ::= INTEGER { v1(0) } |
336 | | */ |
337 | 2.72k | if ((ret = x509_csr_get_version(&p, end, &csr->version)) != 0) { |
338 | 117 | mbedtls_x509_csr_free(csr); |
339 | 117 | return ret; |
340 | 117 | } |
341 | | |
342 | 2.60k | if (csr->version != 0) { |
343 | 36 | mbedtls_x509_csr_free(csr); |
344 | 36 | return MBEDTLS_ERR_X509_UNKNOWN_VERSION; |
345 | 36 | } |
346 | | |
347 | 2.56k | csr->version++; |
348 | | |
349 | | /* |
350 | | * subject Name |
351 | | */ |
352 | 2.56k | csr->subject_raw.p = p; |
353 | | |
354 | 2.56k | if ((ret = mbedtls_asn1_get_tag(&p, end, &len, |
355 | 2.56k | MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) { |
356 | 21 | mbedtls_x509_csr_free(csr); |
357 | 21 | return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_FORMAT, ret); |
358 | 21 | } |
359 | | |
360 | 2.54k | if ((ret = mbedtls_x509_get_name(&p, p + len, &csr->subject)) != 0) { |
361 | 157 | mbedtls_x509_csr_free(csr); |
362 | 157 | return ret; |
363 | 157 | } |
364 | | |
365 | 2.39k | csr->subject_raw.len = (size_t) (p - csr->subject_raw.p); |
366 | | |
367 | | /* |
368 | | * subjectPKInfo SubjectPublicKeyInfo |
369 | | */ |
370 | 2.39k | if ((ret = mbedtls_pk_parse_subpubkey(&p, end, &csr->pk)) != 0) { |
371 | 1.58k | mbedtls_x509_csr_free(csr); |
372 | 1.58k | return ret; |
373 | 1.58k | } |
374 | | |
375 | | /* |
376 | | * attributes [0] Attributes |
377 | | * |
378 | | * The list of possible attributes is open-ended, though RFC 2985 |
379 | | * (PKCS#9) defines a few in section 5.4. We currently don't support any, |
380 | | * so we just ignore them. This is a safe thing to do as the worst thing |
381 | | * that could happen is that we issue a certificate that does not match |
382 | | * the requester's expectations - this cannot cause a violation of our |
383 | | * signature policies. |
384 | | */ |
385 | 808 | if ((ret = mbedtls_asn1_get_tag(&p, end, &len, |
386 | 808 | MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_CONTEXT_SPECIFIC)) != |
387 | 808 | 0) { |
388 | 214 | mbedtls_x509_csr_free(csr); |
389 | 214 | return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_FORMAT, ret); |
390 | 214 | } |
391 | | |
392 | 594 | if ((ret = x509_csr_parse_attributes(csr, p, p + len, cb, p_ctx)) != 0) { |
393 | 259 | mbedtls_x509_csr_free(csr); |
394 | 259 | return ret; |
395 | 259 | } |
396 | | |
397 | 335 | p += len; |
398 | | |
399 | 335 | end = csr->raw.p + csr->raw.len; |
400 | | |
401 | | /* |
402 | | * signatureAlgorithm AlgorithmIdentifier, |
403 | | * signature BIT STRING |
404 | | */ |
405 | 335 | if ((ret = mbedtls_x509_get_alg(&p, end, &csr->sig_oid, &sig_params)) != 0) { |
406 | 11 | mbedtls_x509_csr_free(csr); |
407 | 11 | return ret; |
408 | 11 | } |
409 | | |
410 | 324 | if ((ret = mbedtls_x509_get_sig_alg(&csr->sig_oid, &sig_params, |
411 | 324 | &csr->sig_md, &csr->sig_pk, |
412 | 324 | &csr->sig_opts)) != 0) { |
413 | 115 | mbedtls_x509_csr_free(csr); |
414 | 115 | return MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG; |
415 | 115 | } |
416 | | |
417 | 209 | if ((ret = mbedtls_x509_get_sig(&p, end, &csr->sig)) != 0) { |
418 | 10 | mbedtls_x509_csr_free(csr); |
419 | 10 | return ret; |
420 | 10 | } |
421 | | |
422 | 199 | if (p != end) { |
423 | 1 | mbedtls_x509_csr_free(csr); |
424 | 1 | return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_FORMAT, |
425 | 1 | MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); |
426 | 1 | } |
427 | | |
428 | 198 | return 0; |
429 | 199 | } |
430 | | |
431 | | /* |
432 | | * Parse a CSR in DER format |
433 | | */ |
434 | | int mbedtls_x509_csr_parse_der(mbedtls_x509_csr *csr, |
435 | | const unsigned char *buf, size_t buflen) |
436 | 2.94k | { |
437 | 2.94k | return mbedtls_x509_csr_parse_der_internal(csr, buf, buflen, NULL, NULL); |
438 | 2.94k | } |
439 | | |
440 | | /* |
441 | | * Parse a CSR in DER format with callback for unknown extensions |
442 | | */ |
443 | | int mbedtls_x509_csr_parse_der_with_ext_cb(mbedtls_x509_csr *csr, |
444 | | const unsigned char *buf, size_t buflen, |
445 | | mbedtls_x509_csr_ext_cb_t cb, |
446 | | void *p_ctx) |
447 | 0 | { |
448 | 0 | return mbedtls_x509_csr_parse_der_internal(csr, buf, buflen, cb, p_ctx); |
449 | 0 | } |
450 | | |
451 | | /* |
452 | | * Parse a CSR, allowing for PEM or raw DER encoding |
453 | | */ |
454 | | int mbedtls_x509_csr_parse(mbedtls_x509_csr *csr, const unsigned char *buf, size_t buflen) |
455 | 3.29k | { |
456 | 3.29k | #if defined(MBEDTLS_PEM_PARSE_C) |
457 | 3.29k | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
458 | 3.29k | size_t use_len; |
459 | 3.29k | mbedtls_pem_context pem; |
460 | 3.29k | #endif |
461 | | |
462 | | /* |
463 | | * Check for valid input |
464 | | */ |
465 | 3.29k | if (csr == NULL || buf == NULL || buflen == 0) { |
466 | 0 | return MBEDTLS_ERR_X509_BAD_INPUT_DATA; |
467 | 0 | } |
468 | | |
469 | 3.29k | #if defined(MBEDTLS_PEM_PARSE_C) |
470 | | /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */ |
471 | 3.29k | if (buf[buflen - 1] == '\0') { |
472 | 2.22k | mbedtls_pem_init(&pem); |
473 | 2.22k | ret = mbedtls_pem_read_buffer(&pem, |
474 | 2.22k | "-----BEGIN CERTIFICATE REQUEST-----", |
475 | 2.22k | "-----END CERTIFICATE REQUEST-----", |
476 | 2.22k | buf, NULL, 0, &use_len); |
477 | 2.22k | if (ret == MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT) { |
478 | 263 | ret = mbedtls_pem_read_buffer(&pem, |
479 | 263 | "-----BEGIN NEW CERTIFICATE REQUEST-----", |
480 | 263 | "-----END NEW CERTIFICATE REQUEST-----", |
481 | 263 | buf, NULL, 0, &use_len); |
482 | 263 | } |
483 | | |
484 | 2.22k | if (ret == 0) { |
485 | | /* |
486 | | * Was PEM encoded, parse the result |
487 | | */ |
488 | 1.61k | ret = mbedtls_x509_csr_parse_der(csr, pem.buf, pem.buflen); |
489 | 1.61k | } |
490 | | |
491 | 2.22k | mbedtls_pem_free(&pem); |
492 | 2.22k | if (ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT) { |
493 | 1.96k | return ret; |
494 | 1.96k | } |
495 | 2.22k | } |
496 | 1.33k | #endif /* MBEDTLS_PEM_PARSE_C */ |
497 | 1.33k | return mbedtls_x509_csr_parse_der(csr, buf, buflen); |
498 | 3.29k | } |
499 | | |
500 | | #if defined(MBEDTLS_FS_IO) |
501 | | /* |
502 | | * Load a CSR into the structure |
503 | | */ |
504 | | int mbedtls_x509_csr_parse_file(mbedtls_x509_csr *csr, const char *path) |
505 | 0 | { |
506 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
507 | 0 | size_t n; |
508 | 0 | unsigned char *buf; |
509 | |
|
510 | 0 | if ((ret = mbedtls_pk_load_file(path, &buf, &n)) != 0) { |
511 | 0 | return ret; |
512 | 0 | } |
513 | | |
514 | 0 | ret = mbedtls_x509_csr_parse(csr, buf, n); |
515 | |
|
516 | 0 | mbedtls_zeroize_and_free(buf, n); |
517 | |
|
518 | 0 | return ret; |
519 | 0 | } |
520 | | #endif /* MBEDTLS_FS_IO */ |
521 | | |
522 | | #if !defined(MBEDTLS_X509_REMOVE_INFO) |
523 | 184 | #define BEFORE_COLON 14 |
524 | | #define BC "14" |
525 | | /* |
526 | | * Return an informational string about the CSR. |
527 | | */ |
528 | | int mbedtls_x509_csr_info(char *buf, size_t size, const char *prefix, |
529 | | const mbedtls_x509_csr *csr) |
530 | 198 | { |
531 | 198 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
532 | 198 | size_t n; |
533 | 198 | char *p; |
534 | 198 | char key_size_str[BEFORE_COLON]; |
535 | | |
536 | 198 | p = buf; |
537 | 198 | n = size; |
538 | | |
539 | 198 | ret = mbedtls_snprintf(p, n, "%sCSR version : %d", |
540 | 198 | prefix, csr->version); |
541 | 198 | MBEDTLS_X509_SAFE_SNPRINTF; |
542 | | |
543 | 198 | ret = mbedtls_snprintf(p, n, "\n%ssubject name : ", prefix); |
544 | 198 | MBEDTLS_X509_SAFE_SNPRINTF; |
545 | 198 | ret = mbedtls_x509_dn_gets(p, n, &csr->subject); |
546 | 198 | MBEDTLS_X509_SAFE_SNPRINTF; |
547 | | |
548 | 184 | ret = mbedtls_snprintf(p, n, "\n%ssigned using : ", prefix); |
549 | 184 | MBEDTLS_X509_SAFE_SNPRINTF; |
550 | | |
551 | 184 | ret = mbedtls_x509_sig_alg_gets(p, n, &csr->sig_oid, csr->sig_pk, csr->sig_md, |
552 | 184 | csr->sig_opts); |
553 | 184 | MBEDTLS_X509_SAFE_SNPRINTF; |
554 | | |
555 | 184 | if ((ret = mbedtls_x509_key_size_helper(key_size_str, BEFORE_COLON, |
556 | 184 | mbedtls_pk_get_name(&csr->pk))) != 0) { |
557 | 0 | return ret; |
558 | 0 | } |
559 | | |
560 | 184 | ret = mbedtls_snprintf(p, n, "\n%s%-" BC "s: %d bits\n", prefix, key_size_str, |
561 | 184 | (int) mbedtls_pk_get_bitlen(&csr->pk)); |
562 | 184 | MBEDTLS_X509_SAFE_SNPRINTF; |
563 | | |
564 | | /* |
565 | | * Optional extensions |
566 | | */ |
567 | | |
568 | 184 | if (csr->ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME) { |
569 | 32 | ret = mbedtls_snprintf(p, n, "\n%ssubject alt name :", prefix); |
570 | 32 | MBEDTLS_X509_SAFE_SNPRINTF; |
571 | | |
572 | 32 | if ((ret = mbedtls_x509_info_subject_alt_name(&p, &n, |
573 | 32 | &csr->subject_alt_names, |
574 | 32 | prefix)) != 0) { |
575 | 1 | return ret; |
576 | 1 | } |
577 | 32 | } |
578 | | |
579 | 183 | if (csr->ext_types & MBEDTLS_X509_EXT_NS_CERT_TYPE) { |
580 | 33 | ret = mbedtls_snprintf(p, n, "\n%scert. type : ", prefix); |
581 | 33 | MBEDTLS_X509_SAFE_SNPRINTF; |
582 | | |
583 | 33 | if ((ret = mbedtls_x509_info_cert_type(&p, &n, csr->ns_cert_type)) != 0) { |
584 | 0 | return ret; |
585 | 0 | } |
586 | 33 | } |
587 | | |
588 | 183 | if (csr->ext_types & MBEDTLS_X509_EXT_KEY_USAGE) { |
589 | 17 | ret = mbedtls_snprintf(p, n, "\n%skey usage : ", prefix); |
590 | 17 | MBEDTLS_X509_SAFE_SNPRINTF; |
591 | | |
592 | 17 | if ((ret = mbedtls_x509_info_key_usage(&p, &n, csr->key_usage)) != 0) { |
593 | 0 | return ret; |
594 | 0 | } |
595 | 17 | } |
596 | | |
597 | 183 | if (csr->ext_types != 0) { |
598 | 79 | ret = mbedtls_snprintf(p, n, "\n"); |
599 | 79 | MBEDTLS_X509_SAFE_SNPRINTF; |
600 | 79 | } |
601 | | |
602 | 183 | return (int) (size - n); |
603 | 183 | } |
604 | | #endif /* MBEDTLS_X509_REMOVE_INFO */ |
605 | | |
606 | | /* |
607 | | * Initialize a CSR |
608 | | */ |
609 | | void mbedtls_x509_csr_init(mbedtls_x509_csr *csr) |
610 | 6.23k | { |
611 | 6.23k | memset(csr, 0, sizeof(mbedtls_x509_csr)); |
612 | 6.23k | } |
613 | | |
614 | | /* |
615 | | * Unallocate all CSR data |
616 | | */ |
617 | | void mbedtls_x509_csr_free(mbedtls_x509_csr *csr) |
618 | 6.04k | { |
619 | 6.04k | if (csr == NULL) { |
620 | 0 | return; |
621 | 0 | } |
622 | | |
623 | 6.04k | mbedtls_pk_free(&csr->pk); |
624 | | |
625 | 6.04k | #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) |
626 | 6.04k | mbedtls_free(csr->sig_opts); |
627 | 6.04k | #endif |
628 | | |
629 | 6.04k | mbedtls_asn1_free_named_data_list_shallow(csr->subject.next); |
630 | 6.04k | mbedtls_asn1_sequence_free(csr->subject_alt_names.next); |
631 | | |
632 | 6.04k | if (csr->raw.p != NULL) { |
633 | 2.94k | mbedtls_zeroize_and_free(csr->raw.p, csr->raw.len); |
634 | 2.94k | } |
635 | | |
636 | 6.04k | mbedtls_platform_zeroize(csr, sizeof(mbedtls_x509_csr)); |
637 | 6.04k | } |
638 | | |
639 | | #endif /* MBEDTLS_X509_CSR_PARSE_C */ |