2 * Copyright (c) 2006 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
35 #include <pkcs10_asn1.h>
37 typedef struct abitstring_s
{
42 struct hx509_request_data
{
43 hx509_context context
;
45 SubjectPublicKeyInfo key
;
50 struct abitstring_s authorized_EKUs
;
51 struct abitstring_s authorized_SANs
;
52 uint32_t nunsupported_crit
; /* Count of unsupported critical features requested */
53 uint32_t nunsupported_opt
; /* Count of unsupported optional features requested */
54 uint32_t nauthorized
; /* Count of supported features authorized */
55 uint32_t ca_is_authorized
:1;
56 uint32_t ku_are_authorized
:1;
57 uint32_t include_BasicConstraints
:1;
61 * Allocate and initialize an hx509_request structure representing a PKCS#10
62 * certificate signing request.
64 * @param context An hx509 context.
65 * @param req Where to put the new hx509_request object.
67 * @return An hx509 error code, see hx509_get_error_string().
69 * @ingroup hx509_request
71 HX509_LIB_FUNCTION
int HX509_LIB_CALL
72 hx509_request_init(hx509_context context
, hx509_request
*req
)
74 *req
= calloc(1, sizeof(**req
));
78 (*req
)->context
= context
;
83 * Free a certificate signing request object.
85 * @param req A pointer to the hx509_request to free.
87 * @ingroup hx509_request
89 HX509_LIB_FUNCTION
void HX509_LIB_CALL
90 hx509_request_free(hx509_request
*reqp
)
92 hx509_request req
= *reqp
;
98 hx509_name_free(&req
->name
);
99 free(req
->authorized_EKUs
.feats
);
100 free(req
->authorized_SANs
.feats
);
101 free_SubjectPublicKeyInfo(&req
->key
);
102 free_ExtKeyUsage(&req
->eku
);
103 free_GeneralNames(&req
->san
);
104 free_BasicConstraints(&req
->bc
);
105 memset(req
, 0, sizeof(*req
));
110 * Make the CSR request a CA certificate
112 * @param context An hx509 context.
113 * @param req The hx509_request to alter.
114 * @param pathLenConstraint the pathLenConstraint for the BasicConstraints (optional)
116 * @return An hx509 error code, see hx509_get_error_string().
118 * @ingroup hx509_request
120 HX509_LIB_FUNCTION
int HX509_LIB_CALL
121 hx509_request_set_cA(hx509_context context
,
123 unsigned *pathLenConstraint
)
126 if (pathLenConstraint
) {
127 if (req
->bc
.pathLenConstraint
== NULL
)
128 req
->bc
.pathLenConstraint
= malloc(sizeof(*pathLenConstraint
));
129 if (req
->bc
.pathLenConstraint
== NULL
)
131 *req
->bc
.pathLenConstraint
= *pathLenConstraint
;
137 * Make the CSR request an EE (end-entity, i.e., not a CA) certificate
139 * @param context An hx509 context.
140 * @param req The hx509_request to alter.
142 * @ingroup hx509_request
144 HX509_LIB_FUNCTION
void HX509_LIB_CALL
145 hx509_request_set_eE(hx509_context context
, hx509_request req
)
148 free(req
->bc
.pathLenConstraint
);
149 req
->include_BasicConstraints
= 1;
150 req
->ca_is_authorized
= 0;
154 * Set the subjectName of the CSR.
156 * @param context An hx509 context.
157 * @param req The hx509_request to alter.
158 * @param name The subjectName.
160 * @return An hx509 error code, see hx509_get_error_string().
162 * @ingroup hx509_request
164 HX509_LIB_FUNCTION
int HX509_LIB_CALL
165 hx509_request_set_name(hx509_context context
,
170 hx509_name_free(&req
->name
);
172 int ret
= hx509_name_copy(context
, name
, &req
->name
);
180 * Get the subject name requested by a CSR.
182 * @param context An hx509 context.
183 * @param req The hx509_request object.
184 * @param name Where to put the name.
186 * @return An hx509 error code, see hx509_get_error_string().
188 * @ingroup hx509_request
190 HX509_LIB_FUNCTION
int HX509_LIB_CALL
191 hx509_request_get_name(hx509_context context
,
195 if (req
->name
== NULL
) {
196 hx509_set_error_string(context
, 0, EINVAL
, "Request has no name");
199 return hx509_name_copy(context
, req
->name
, name
);
203 * Set the subject public key requested by a CSR.
205 * @param context An hx509 context.
206 * @param req The hx509_request object.
207 * @param key The public key.
209 * @return An hx509 error code, see hx509_get_error_string().
211 * @ingroup hx509_request
213 HX509_LIB_FUNCTION
int HX509_LIB_CALL
214 hx509_request_set_SubjectPublicKeyInfo(hx509_context context
,
216 const SubjectPublicKeyInfo
*key
)
218 free_SubjectPublicKeyInfo(&req
->key
);
219 return copy_SubjectPublicKeyInfo(key
, &req
->key
);
223 * Get the subject public key requested by a CSR.
225 * @param context An hx509 context.
226 * @param req The hx509_request object.
227 * @param key Where to put the key.
229 * @return An hx509 error code, see hx509_get_error_string().
231 * @ingroup hx509_request
233 HX509_LIB_FUNCTION
int HX509_LIB_CALL
234 hx509_request_get_SubjectPublicKeyInfo(hx509_context context
,
236 SubjectPublicKeyInfo
*key
)
238 return copy_SubjectPublicKeyInfo(&req
->key
, key
);
242 * Set the key usage requested by a CSR.
244 * @param context An hx509 context.
245 * @param req The hx509_request object.
246 * @param ku The key usage.
248 * @return An hx509 error code, see hx509_get_error_string().
250 * @ingroup hx509_request
252 HX509_LIB_FUNCTION
int HX509_LIB_CALL
253 hx509_request_set_ku(hx509_context context
, hx509_request req
, KeyUsage ku
)
255 uint64_t n
= KeyUsage2int(ku
);
257 if ((KeyUsage2int(req
->ku
) & n
) != n
)
258 req
->ku_are_authorized
= 0;
264 * Get the key usage requested by a CSR.
266 * @param context An hx509 context.
267 * @param req The hx509_request object.
268 * @param ku Where to put the key usage.
270 * @return An hx509 error code, see hx509_get_error_string().
272 * @ingroup hx509_request
274 HX509_LIB_FUNCTION
int HX509_LIB_CALL
275 hx509_request_get_ku(hx509_context context
, hx509_request req
, KeyUsage
*ku
)
282 * Add an extended key usage OID to a CSR.
284 * @param context An hx509 context.
285 * @param req The hx509_request object.
286 * @param oid The EKU OID.
288 * @return An hx509 error code, see hx509_get_error_string().
290 * @ingroup hx509_request
292 HX509_LIB_FUNCTION
int HX509_LIB_CALL
293 hx509_request_add_eku(hx509_context context
,
300 val
= realloc(req
->eku
.val
, sizeof(req
->eku
.val
[0]) * (req
->eku
.len
+ 1));
305 ret
= der_copy_oid(oid
, &req
->eku
.val
[req
->eku
.len
]);
315 * Add a GeneralName (Jabber ID) subject alternative name to a CSR.
317 * XXX Make this take a heim_octet_string, not a GeneralName*.
319 * @param context An hx509 context.
320 * @param req The hx509_request object.
321 * @param gn The GeneralName object.
323 * @return An hx509 error code, see hx509_get_error_string().
325 * @ingroup hx509_request
327 HX509_LIB_FUNCTION
int HX509_LIB_CALL
328 hx509_request_add_GeneralName(hx509_context context
,
330 const GeneralName
*gn
)
332 return add_GeneralNames(&req
->san
, gn
);
336 add_utf8_other_san(hx509_context context
,
341 const PKIXXmppAddr us
= (const PKIXXmppAddr
)(uintptr_t)s
;
346 gn
.element
= choice_GeneralName_otherName
;
347 gn
.u
.otherName
.type_id
.length
= 0;
348 gn
.u
.otherName
.type_id
.components
= 0;
349 gn
.u
.otherName
.value
.data
= NULL
;
350 gn
.u
.otherName
.value
.length
= 0;
351 ret
= der_copy_oid(oid
, &gn
.u
.otherName
.type_id
);
353 ASN1_MALLOC_ENCODE(PKIXXmppAddr
, gn
.u
.otherName
.value
.data
,
354 gn
.u
.otherName
.value
.length
, &us
, &size
, ret
);
355 if (ret
== 0 && size
!= gn
.u
.otherName
.value
.length
)
356 _hx509_abort("internal ASN.1 encoder error");
358 ret
= add_GeneralNames(gns
, &gn
);
359 free_GeneralName(&gn
);
361 hx509_set_error_string(context
, 0, ret
, "Out of memory");
366 * Add an xmppAddr (Jabber ID) subject alternative name to a CSR.
368 * @param context An hx509 context.
369 * @param req The hx509_request object.
370 * @param jid The XMPP address.
372 * @return An hx509 error code, see hx509_get_error_string().
374 * @ingroup hx509_request
376 HX509_LIB_FUNCTION
int HX509_LIB_CALL
377 hx509_request_add_xmpp_name(hx509_context context
,
381 return add_utf8_other_san(context
, &req
->san
,
382 &asn1_oid_id_pkix_on_xmppAddr
, jid
);
386 * Add a Microsoft UPN subject alternative name to a CSR.
388 * @param context An hx509 context.
389 * @param req The hx509_request object.
390 * @param hostname The XMPP address.
392 * @return An hx509 error code, see hx509_get_error_string().
394 * @ingroup hx509_request
396 HX509_LIB_FUNCTION
int HX509_LIB_CALL
397 hx509_request_add_ms_upn_name(hx509_context context
,
401 return add_utf8_other_san(context
, &req
->san
, &asn1_oid_id_pkinit_ms_san
,
406 * Add a dNSName (hostname) subject alternative name to a CSR.
408 * @param context An hx509 context.
409 * @param req The hx509_request object.
410 * @param hostname The fully-qualified hostname.
412 * @return An hx509 error code, see hx509_get_error_string().
414 * @ingroup hx509_request
416 HX509_LIB_FUNCTION
int HX509_LIB_CALL
417 hx509_request_add_dns_name(hx509_context context
,
419 const char *hostname
)
423 memset(&name
, 0, sizeof(name
));
424 name
.element
= choice_GeneralName_dNSName
;
425 name
.u
.dNSName
.data
= rk_UNCONST(hostname
);
426 name
.u
.dNSName
.length
= strlen(hostname
);
428 return add_GeneralNames(&req
->san
, &name
);
432 * Add a dnsSRV (_service.hostname) subject alternative name to a CSR.
434 * @param context An hx509 context.
435 * @param req The hx509_request object.
436 * @param dnssrv The DNS SRV name.
438 * @return An hx509 error code, see hx509_get_error_string().
440 * @ingroup hx509_request
442 HX509_LIB_FUNCTION
int HX509_LIB_CALL
443 hx509_request_add_dns_srv(hx509_context context
,
452 memset(&n
, 0, sizeof(n
));
453 memset(&gn
, 0, sizeof(gn
));
454 gn
.element
= choice_GeneralName_otherName
;
455 gn
.u
.otherName
.type_id
.length
= 0;
456 gn
.u
.otherName
.type_id
.components
= 0;
457 gn
.u
.otherName
.value
.data
= NULL
;
458 gn
.u
.otherName
.value
.length
= 0;
459 n
.length
= strlen(dnssrv
);
460 n
.data
= (void *)(uintptr_t)dnssrv
;
461 ASN1_MALLOC_ENCODE(SRVName
,
462 gn
.u
.otherName
.value
.data
,
463 gn
.u
.otherName
.value
.length
, &n
, &size
, ret
);
465 ret
= der_copy_oid(&asn1_oid_id_pkix_on_dnsSRV
, &gn
.u
.otherName
.type_id
);
467 ret
= add_GeneralNames(&req
->san
, &gn
);
468 free_GeneralName(&gn
);
473 * Add an rfc822Name (e-mail address) subject alternative name to a CSR.
475 * @param context An hx509 context.
476 * @param req The hx509_request object.
477 * @param email The e-mail address.
479 * @return An hx509 error code, see hx509_get_error_string().
481 * @ingroup hx509_request
483 HX509_LIB_FUNCTION
int HX509_LIB_CALL
484 hx509_request_add_email(hx509_context context
,
490 memset(&name
, 0, sizeof(name
));
491 name
.element
= choice_GeneralName_rfc822Name
;
492 name
.u
.rfc822Name
.data
= rk_UNCONST(email
);
493 name
.u
.rfc822Name
.length
= strlen(email
);
495 return add_GeneralNames(&req
->san
, &name
);
499 * Add a registeredID (OID) subject alternative name to a CSR.
501 * @param context An hx509 context.
502 * @param req The hx509_request object.
503 * @param oid The OID.
505 * @return An hx509 error code, see hx509_get_error_string().
507 * @ingroup hx509_request
509 HX509_LIB_FUNCTION
int HX509_LIB_CALL
510 hx509_request_add_registered(hx509_context context
,
517 memset(&name
, 0, sizeof(name
));
518 name
.element
= choice_GeneralName_registeredID
;
519 ret
= der_copy_oid(oid
, &name
.u
.registeredID
);
522 ret
= add_GeneralNames(&req
->san
, &name
);
523 free_GeneralName(&name
);
528 * Add a Kerberos V5 principal subject alternative name to a CSR.
530 * @param context An hx509 context.
531 * @param req The hx509_request object.
532 * @param princ The Kerberos principal name.
534 * @return An hx509 error code, see hx509_get_error_string().
536 * @ingroup hx509_request
538 HX509_LIB_FUNCTION
int HX509_LIB_CALL
539 hx509_request_add_pkinit(hx509_context context
,
543 KRB5PrincipalName kn
;
547 memset(&kn
, 0, sizeof(kn
));
548 memset(&gn
, 0, sizeof(gn
));
549 gn
.element
= choice_GeneralName_otherName
;
550 gn
.u
.otherName
.type_id
.length
= 0;
551 gn
.u
.otherName
.type_id
.components
= 0;
552 gn
.u
.otherName
.value
.data
= NULL
;
553 gn
.u
.otherName
.value
.length
= 0;
554 ret
= der_copy_oid(&asn1_oid_id_pkinit_san
, &gn
.u
.otherName
.type_id
);
556 ret
= _hx509_make_pkinit_san(context
, princ
, &gn
.u
.otherName
.value
);
558 ret
= add_GeneralNames(&req
->san
, &gn
);
559 free_GeneralName(&gn
);
563 /* XXX Add DNSSRV and other SANs */
566 get_exts(hx509_context context
,
567 const hx509_request req
,
576 if (req
->bc
.cA
|| req
->include_BasicConstraints
) {
580 * If `!req->bc.cA' then we don't include BasicConstraints unless
581 * hx509_request_set_eE() was called on this request, and in that case
582 * we make this extension non-critical. We do this to emulate Dell
583 * iDRAC CSR-making software.
585 * If `req->bc.cA' then we make the BasicConstraints critical,
588 memset(&e
, 0, sizeof(e
));
589 e
.critical
= req
->bc
.cA
? 1 : 0;
591 ASN1_MALLOC_ENCODE(BasicConstraints
, e
.extnValue
.data
, e
.extnValue
.length
,
592 &req
->bc
, &size
, ret
);
594 ret
= der_copy_oid(&asn1_oid_id_x509_ce_basicConstraints
, &e
.extnID
);
596 ret
= add_Extensions(exts
, &e
);
599 if (KeyUsage2int(req
->ku
)) {
602 memset(&e
, 0, sizeof(e
));
603 /* The critical field needs to be made DEFAULT FALSE... */
606 ASN1_MALLOC_ENCODE(KeyUsage
, e
.extnValue
.data
, e
.extnValue
.length
,
607 &req
->ku
, &size
, ret
);
609 ret
= der_copy_oid(&asn1_oid_id_x509_ce_keyUsage
, &e
.extnID
);
611 ret
= add_Extensions(exts
, &e
);
614 if (ret
== 0 && req
->eku
.len
) {
617 memset(&e
, 0, sizeof(e
));
620 ASN1_MALLOC_ENCODE(ExtKeyUsage
,
621 e
.extnValue
.data
, e
.extnValue
.length
,
622 &req
->eku
, &size
, ret
);
624 ret
= der_copy_oid(&asn1_oid_id_x509_ce_extKeyUsage
, &e
.extnID
);
626 ret
= add_Extensions(exts
, &e
);
629 if (ret
== 0 && req
->san
.len
) {
632 memset(&e
, 0, sizeof(e
));
634 * SANs are critical when the subject Name is empty.
636 * The empty DN check could probably stand to be a function we export.
640 req
->name
->der_name
.element
== choice_Name_rdnSequence
&&
641 req
->name
->der_name
.u
.rdnSequence
.len
== 0)
644 ASN1_MALLOC_ENCODE(GeneralNames
,
645 e
.extnValue
.data
, e
.extnValue
.length
,
649 ret
= der_copy_oid(&asn1_oid_id_x509_ce_subjectAltName
, &e
.extnID
);
651 ret
= add_Extensions(exts
, &e
);
659 * Get the KU/EKUs/SANs set on a request as a DER-encoding of Extensions.
661 * @param context An hx509 context.
662 * @param req The hx509_request object.
663 * @param exts_der Where to put the DER-encoded Extensions.
665 * @return An hx509 error code, see hx509_get_error_string().
667 * @ingroup hx509_request
669 HX509_LIB_FUNCTION
int HX509_LIB_CALL
670 hx509_request_get_exts(hx509_context context
,
671 const hx509_request req
,
672 heim_octet_string
*exts_der
)
678 exts_der
->data
= NULL
;
679 exts_der
->length
= 0;
680 ret
= get_exts(context
, req
, &exts
);
681 if (ret
== 0 && exts
.len
/* Extensions has a min size constraint of 1 */)
682 ASN1_MALLOC_ENCODE(Extensions
, exts_der
->data
, exts_der
->length
,
684 free_Extensions(&exts
);
693 * @param context An hx509 context.
694 * @param req The hx509_request object.
695 * @param signer The private key corresponding to the CSR's subject public key.
696 * @param request Where to put the DER-encoded CSR.
698 * @return An hx509 error code, see hx509_get_error_string().
700 * @ingroup hx509_request
702 HX509_LIB_FUNCTION
int HX509_LIB_CALL
703 hx509_request_to_pkcs10(hx509_context context
,
704 const hx509_request req
,
705 const hx509_private_key signer
,
706 heim_octet_string
*request
)
708 CertificationRequest r
;
710 heim_octet_string data
;
714 request
->data
= NULL
;
720 if (req
->name
== NULL
) {
721 hx509_set_error_string(context
, 0, EINVAL
,
722 "PKCS10 needs to have a subject");
726 memset(&r
, 0, sizeof(r
));
729 r
.certificationRequestInfo
.version
= pkcs10_v1
;
730 ret
= copy_Name(&req
->name
->der_name
,
731 &r
.certificationRequestInfo
.subject
);
733 ret
= copy_SubjectPublicKeyInfo(&req
->key
,
734 &r
.certificationRequestInfo
.subjectPKInfo
);
736 /* Encode extReq attribute with requested Certificate Extensions */
739 ret
= get_exts(context
, req
, &exts
);
740 if (ret
== 0 && exts
.len
) {
741 Attribute
*a
= NULL
; /* Quiet VC */
746 r
.certificationRequestInfo
.attributes
=
747 calloc(1, sizeof(r
.certificationRequestInfo
.attributes
[0]));
748 if (r
.certificationRequestInfo
.attributes
== NULL
)
751 r
.certificationRequestInfo
.attributes
[0].len
= 1;
752 r
.certificationRequestInfo
.attributes
[0].val
=
753 calloc(1, sizeof(r
.certificationRequestInfo
.attributes
[0].val
[0]));
754 if (r
.certificationRequestInfo
.attributes
[0].val
== NULL
)
757 a
= r
.certificationRequestInfo
.attributes
[0].val
;
760 ASN1_MALLOC_ENCODE(Extensions
, extns
.data
, extns
.length
,
763 ret
= der_copy_oid(&asn1_oid_id_pkcs9_extReq
, &a
->type
);
765 ret
= add_AttributeValues(&a
->value
, &extns
);
766 free_heim_any(&extns
);
769 /* Encode CSR body for signing */
771 ASN1_MALLOC_ENCODE(CertificationRequestInfo
, data
.data
, data
.length
,
772 &r
.certificationRequestInfo
, &size
, ret
);
773 if (ret
== 0 && data
.length
!= size
)
776 /* Self-sign CSR body */
778 ret
= _hx509_create_signature_bitstring(context
, signer
,
779 _hx509_crypto_default_sig_alg
,
781 &r
.signatureAlgorithm
,
788 ASN1_MALLOC_ENCODE(CertificationRequest
, request
->data
, request
->length
,
790 if (ret
== 0 && request
->length
!= size
)
793 free_CertificationRequest(&r
);
794 free_Extensions(&exts
);
799 * Parse an encoded CSR and verify its self-signature.
801 * @param context An hx509 context.
802 * @param der The DER-encoded CSR.
803 * @param req Where to put request object.
805 * @return An hx509 error code, see hx509_get_error_string().
807 * @ingroup hx509_request
809 HX509_LIB_FUNCTION
int HX509_LIB_CALL
810 hx509_request_parse_der(hx509_context context
,
811 heim_octet_string
*der
,
814 CertificationRequestInfo
*rinfo
= NULL
;
815 CertificationRequest r
;
816 hx509_cert signer
= NULL
;
821 memset(&exts
, 0, sizeof(exts
));
823 /* Initial setup and decoding of CSR */
824 ret
= hx509_request_init(context
, req
);
827 ret
= decode_CertificationRequest(der
->data
, der
->length
, &r
, &size
);
829 hx509_set_error_string(context
, 0, ret
, "Failed to decode CSR");
834 rinfo
= &r
.certificationRequestInfo
;
837 * Setup a 'signer' for verifying the self-signature for proof of
840 * Sadly we need a "certificate" here because _hx509_verify_signature_*()
841 * functions want one as a signer even though all the verification
842 * functions that use the signer argument only ever use the spki of the
843 * signer certificate.
845 * FIXME Change struct signature_alg's verify_signature's prototype to use
846 * an spki instead of an hx509_cert as the signer! The we won't have
851 memset(&c
, 0, sizeof(c
));
852 c
.tbsCertificate
.subjectPublicKeyInfo
= rinfo
->subjectPKInfo
;
853 if ((signer
= hx509_cert_init(context
, &c
, NULL
)) == NULL
)
857 /* Verify the signature */
859 ret
= _hx509_verify_signature_bitstring(context
, signer
,
860 &r
.signatureAlgorithm
,
864 hx509_set_error_string(context
, 0, ret
,
865 "CSR signature verification failed");
866 hx509_cert_free(signer
);
868 /* Populate the hx509_request */
870 ret
= hx509_request_set_SubjectPublicKeyInfo(context
, *req
,
871 &rinfo
->subjectPKInfo
);
873 ret
= _hx509_name_from_Name(&rinfo
->subject
, &(*req
)->name
);
875 /* Extract KUs, EKUs, and SANs from the CSR's attributes */
876 if (ret
|| !rinfo
->attributes
|| !rinfo
->attributes
[0].len
)
879 for (i
= 0; ret
== 0 && i
< rinfo
->attributes
[0].len
; i
++) {
880 Attribute
*a
= &rinfo
->attributes
[0].val
[i
];
883 /* We only support Extensions request attributes */
884 if (der_heim_oid_cmp(&a
->type
, &asn1_oid_id_pkcs9_extReq
) != 0) {
888 * We need an HX509_TRACE facility for this sort of warning.
890 * We'd put the warning in the context and then allow the caller to
891 * extract and reset the warning.
895 der_print_heim_oid(&a
->type
, '.', &oidstr
);
896 warnx("Unknown or unsupported CSR attribute %s",
897 oidstr
? oidstr
: "<error decoding OID>");
905 ret
= decode_Extensions(av
->data
, av
->length
, &exts
, NULL
);
907 hx509_set_error_string(context
, 0, ret
,
908 "CSR signature verification failed "
909 "due to invalid extReq attribute");
913 for (i
= 0; ret
== 0 && i
< exts
.len
; i
++) {
914 const char *what
= "";
915 Extension
*e
= &exts
.val
[i
];
917 if (der_heim_oid_cmp(&e
->extnID
,
918 &asn1_oid_id_x509_ce_keyUsage
) == 0) {
919 ret
= decode_KeyUsage(e
->extnValue
.data
, e
->extnValue
.length
,
923 * Count all KUs as one requested extension to be authorized,
924 * though the caller will have to check the KU values individually.
926 if (KeyUsage2int((*req
)->ku
) & ~KeyUsage2int(int2KeyUsage(~0ULL))) {
928 (*req
)->nunsupported_crit
++;
930 (*req
)->nunsupported_opt
++;
932 } else if (der_heim_oid_cmp(&e
->extnID
,
933 &asn1_oid_id_x509_ce_extKeyUsage
) == 0) {
934 ret
= decode_ExtKeyUsage(e
->extnValue
.data
, e
->extnValue
.length
,
936 what
= "extKeyUsage";
939 * Count each EKU as a separate requested extension to be
942 } else if (der_heim_oid_cmp(&e
->extnID
,
943 &asn1_oid_id_x509_ce_subjectAltName
) == 0) {
944 ret
= decode_GeneralNames(e
->extnValue
.data
, e
->extnValue
.length
,
946 what
= "subjectAlternativeName";
949 * Count each SAN as a separate requested extension to be
952 } else if (der_heim_oid_cmp(&e
->extnID
,
953 &asn1_oid_id_x509_ce_basicConstraints
) == 0) {
954 (*req
)->include_BasicConstraints
= 1;
955 ret
= decode_BasicConstraints(e
->extnValue
.data
, e
->extnValue
.length
,
961 (*req
)->nunsupported_crit
++;
963 (*req
)->nunsupported_opt
++;
966 * We need an HX509_TRACE facility for this sort of warning.
968 * We'd put the warning in the context and then allow the caller to
969 * extract and reset the warning.
973 der_print_heim_oid(&e
->extnID
, '.', &oidstr
);
974 warnx("Unknown or unsupported CSR extension request %s",
975 oidstr
? oidstr
: "<error decoding OID>");
979 hx509_set_error_string(context
, 0, ret
,
980 "CSR signature verification failed "
981 "due to invalid %s extension", what
);
987 free_CertificationRequest(&r
);
988 free_Extensions(&exts
);
990 hx509_request_free(req
);
995 * Parse an encoded CSR and verify its self-signature.
997 * @param context An hx509 context.
998 * @param csr The name of a store containing the CSR ("PKCS10:/path/to/file")
999 * @param req Where to put request object.
1001 * @return An hx509 error code, see hx509_get_error_string().
1003 * @ingroup hx509_request
1005 HX509_LIB_FUNCTION
int HX509_LIB_CALL
1006 hx509_request_parse(hx509_context context
,
1010 heim_octet_string d
;
1013 /* XXX Add support for PEM */
1014 if (strncmp(csr
, "PKCS10:", 7) != 0) {
1015 hx509_set_error_string(context
, 0, HX509_UNSUPPORTED_OPERATION
,
1016 "CSR location does not start with \"PKCS10:\": %s",
1018 return HX509_UNSUPPORTED_OPERATION
;
1021 ret
= rk_undumpdata(csr
+ 7, &d
.data
, &d
.length
);
1023 hx509_set_error_string(context
, 0, ret
, "Could not read %s", csr
);
1027 ret
= hx509_request_parse_der(context
, &d
, req
);
1030 hx509_set_error_string(context
, HX509_ERROR_APPEND
, ret
,
1031 " (while parsing CSR from %s)", csr
);
1036 * Get some EKU from a CSR. Usable as an iterator.
1038 * @param context An hx509 context.
1039 * @param req The hx509_request object.
1040 * @param idx The index of the EKU (0 for the first) to return
1041 * @param out A pointer to a char * variable where the OID will be placed
1042 * (caller must free with free())
1044 * @return Zero on success, HX509_NO_ITEM if no such item exists (denoting
1045 * iteration end), or an error.
1047 * @ingroup hx509_request
1049 HX509_LIB_FUNCTION
int HX509_LIB_CALL
1050 hx509_request_get_eku(hx509_request req
,
1055 if (idx
>= req
->eku
.len
)
1056 return HX509_NO_ITEM
;
1057 return der_print_heim_oid(&req
->eku
.val
[idx
], '.', out
);
1061 abitstring_check(abitstring a
, size_t n
, int idx
)
1066 return HX509_NO_ITEM
;
1068 bytes
= (idx
+ 1) / CHAR_BIT
+ (((idx
+ 1) % CHAR_BIT
) ? 1 : 0);
1069 if (a
->feat_bytes
< bytes
)
1072 return !!(a
->feats
[idx
/ CHAR_BIT
] & (1UL<<(idx
% CHAR_BIT
)));
1076 * Sets and returns 0 if not already set, -1 if already set. Positive return
1077 * values are system errors.
1080 abitstring_set(abitstring a
, size_t n
, int idx
)
1085 return HX509_NO_ITEM
;
1087 bytes
= n
/ CHAR_BIT
+ ((n
% CHAR_BIT
) ? 1 : 0);
1088 if (a
->feat_bytes
< bytes
) {
1091 if ((tmp
= realloc(a
->feats
, bytes
)) == NULL
)
1093 memset(tmp
+ a
->feat_bytes
, 0, bytes
- a
->feat_bytes
);
1095 a
->feat_bytes
= bytes
;
1098 if (!(a
->feats
[idx
/ CHAR_BIT
] & (1UL<<(idx
% CHAR_BIT
)))) {
1099 a
->feats
[idx
/ CHAR_BIT
] |= 1UL<<(idx
% CHAR_BIT
);
1106 * Resets and returns 0 if not already reset, -1 if already reset. Positive
1107 * return values are system errors.
1110 abitstring_reset(abitstring a
, size_t n
, int idx
)
1115 return HX509_NO_ITEM
;
1117 bytes
= (idx
+ 1) / CHAR_BIT
+ (((idx
+ 1) % CHAR_BIT
) ? 1 : 0);
1118 if (a
->feat_bytes
>= bytes
&&
1119 (a
->feats
[idx
/ CHAR_BIT
] & (1UL<<(idx
% CHAR_BIT
)))) {
1120 a
->feats
[idx
/ CHAR_BIT
] &= ~(1UL<<(idx
% CHAR_BIT
));
1127 authorize_feat(hx509_request req
, abitstring a
, size_t n
, int idx
)
1131 ret
= abitstring_set(a
, n
, idx
);
1144 reject_feat(hx509_request req
, abitstring a
, size_t n
, int idx
)
1148 ret
= abitstring_reset(a
, n
, idx
);
1161 * Authorize issuance of a CA certificate as requested.
1163 * @param req The hx509_request object.
1164 * @param pathLenConstraint the pathLenConstraint for the BasicConstraints (optional)
1166 * @return an hx509 or system error.
1168 * @ingroup hx509_request
1170 HX509_LIB_FUNCTION
int HX509_LIB_CALL
1171 hx509_request_authorize_cA(hx509_request req
, unsigned *pathLenConstraint
)
1175 ret
= hx509_request_set_cA(NULL
, req
, pathLenConstraint
);
1176 req
->ca_is_authorized
++;
1181 * Filter the requested KeyUsage and mark it authorized.
1183 * @param req The hx509_request object.
1184 * @param ku Permitted KeyUsage
1186 * @ingroup hx509_request
1188 HX509_LIB_FUNCTION
void HX509_LIB_CALL
1189 hx509_request_authorize_ku(hx509_request req
, KeyUsage ku
)
1191 (void) hx509_request_set_ku(NULL
, req
, ku
);
1192 req
->ku
= int2KeyUsage(KeyUsage2int(req
->ku
) & KeyUsage2int(ku
));
1193 if (KeyUsage2int(ku
))
1194 req
->ku_are_authorized
= 1;
1198 * Mark a requested EKU as authorized.
1200 * @param req The hx509_request object.
1201 * @param idx The index of an EKU that can be fetched with
1202 * hx509_request_get_eku()
1204 * @return Zero on success, an error otherwise.
1206 * @ingroup hx509_request
1208 HX509_LIB_FUNCTION
int HX509_LIB_CALL
1209 hx509_request_authorize_eku(hx509_request req
, size_t idx
)
1211 return authorize_feat(req
, &req
->authorized_EKUs
, req
->eku
.len
, idx
);
1215 * Mark a requested EKU as not authorized.
1217 * @param req The hx509_request object.
1218 * @param idx The index of an EKU that can be fetched with
1219 * hx509_request_get_eku()
1221 * @return Zero on success, an error otherwise.
1223 * @ingroup hx509_request
1225 HX509_LIB_FUNCTION
int HX509_LIB_CALL
1226 hx509_request_reject_eku(hx509_request req
, size_t idx
)
1228 return reject_feat(req
, &req
->authorized_EKUs
, req
->eku
.len
, idx
);
1232 * Check if an EKU has been marked authorized.
1234 * @param req The hx509_request object.
1235 * @param idx The index of an EKU that can be fetched with
1236 * hx509_request_get_eku()
1238 * @return Non-zero if authorized, zero if not.
1240 * @ingroup hx509_request
1242 HX509_LIB_FUNCTION
int HX509_LIB_CALL
1243 hx509_request_eku_authorized_p(hx509_request req
, size_t idx
)
1245 return abitstring_check(&req
->authorized_EKUs
, req
->eku
.len
, idx
);
1249 * Mark a requested SAN as authorized.
1251 * @param req The hx509_request object.
1252 * @param idx The cursor as modified by a SAN iterator.
1254 * @return Zero on success, an error otherwise.
1256 * @ingroup hx509_request
1258 HX509_LIB_FUNCTION
int HX509_LIB_CALL
1259 hx509_request_authorize_san(hx509_request req
, size_t idx
)
1261 return authorize_feat(req
, &req
->authorized_SANs
, req
->san
.len
, idx
);
1265 * Mark a requested SAN as not authorized.
1267 * @param req The hx509_request object.
1268 * @param idx The cursor as modified by a SAN iterator.
1270 * @return Zero on success, an error otherwise.
1272 * @ingroup hx509_request
1274 HX509_LIB_FUNCTION
int HX509_LIB_CALL
1275 hx509_request_reject_san(hx509_request req
, size_t idx
)
1277 return reject_feat(req
, &req
->authorized_SANs
, req
->san
.len
, idx
);
1281 * Check if a SAN has been marked authorized.
1283 * @param req The hx509_request object.
1284 * @param idx The index of a SAN that can be fetched with
1285 * hx509_request_get_san()
1287 * @return Non-zero if authorized, zero if not.
1289 * @ingroup hx509_request
1291 HX509_LIB_FUNCTION
int HX509_LIB_CALL
1292 hx509_request_san_authorized_p(hx509_request req
, size_t idx
)
1294 return abitstring_check(&req
->authorized_SANs
, req
->san
.len
, idx
);
1298 * Return the count of unsupported requested certificate extensions.
1300 * @param req The hx509_request object.
1301 * @return The number of unsupported certificate extensions requested.
1303 * @ingroup hx509_request
1305 HX509_LIB_FUNCTION
size_t HX509_LIB_CALL
1306 hx509_request_count_unsupported(hx509_request req
)
1308 return req
->nunsupported_crit
;
1312 * Return the count of as-yet unauthorized certificate extensions requested.
1314 * @param req The hx509_request object.
1315 * @return The number of as-yet unauthorized certificate extensions requested.
1317 * @ingroup hx509_request
1319 HX509_LIB_FUNCTION
size_t HX509_LIB_CALL
1320 hx509_request_count_unauthorized(hx509_request req
)
1322 size_t nrequested
= req
->eku
.len
+ req
->san
.len
+
1323 (KeyUsage2int(req
->ku
) ? 1 : 0) + !!req
->bc
.cA
+
1324 req
->nunsupported_crit
;
1326 return nrequested
- (req
->nauthorized
+ req
->ku_are_authorized
+ req
->ca_is_authorized
);
1329 static hx509_san_type
1330 san_map_type(GeneralName
*san
)
1332 static const struct {
1333 const heim_oid
*oid
;
1334 hx509_san_type type
;
1336 { &asn1_oid_id_pkix_on_dnsSRV
, HX509_SAN_TYPE_DNSSRV
},
1337 { &asn1_oid_id_pkinit_san
, HX509_SAN_TYPE_PKINIT
},
1338 { &asn1_oid_id_pkix_on_xmppAddr
, HX509_SAN_TYPE_XMPP
},
1339 { &asn1_oid_id_pkinit_ms_san
, HX509_SAN_TYPE_MS_UPN
},
1340 { &asn1_oid_id_pkix_on_permanentIdentifier
, HX509_SAN_TYPE_PERMANENT_ID
},
1341 { &asn1_oid_id_on_hardwareModuleName
, HX509_SAN_TYPE_HW_MODULE
},
1345 switch (san
->element
) {
1346 case choice_GeneralName_rfc822Name
: return HX509_SAN_TYPE_EMAIL
;
1347 case choice_GeneralName_dNSName
: return HX509_SAN_TYPE_DNSNAME
;
1348 case choice_GeneralName_directoryName
: return HX509_SAN_TYPE_DN
;
1349 case choice_GeneralName_registeredID
: return HX509_SAN_TYPE_REGISTERED_ID
;
1350 case choice_GeneralName_otherName
: {
1351 for (i
= 0; i
< sizeof(map
)/sizeof(map
[0]); i
++)
1352 if (der_heim_oid_cmp(&san
->u
.otherName
.type_id
, map
[i
].oid
) == 0)
1356 default: return HX509_SAN_TYPE_UNSUPPORTED
;
1361 * Return the count of as-yet unauthorized certificate extensions requested.
1363 * @param req The hx509_request object.
1365 * @ingroup hx509_request
1367 HX509_LIB_FUNCTION
size_t HX509_LIB_CALL
1368 hx509_request_get_san(hx509_request req
,
1370 hx509_san_type
*type
,
1373 struct rk_strpool
*pool
= NULL
;
1377 if (idx
>= req
->san
.len
)
1378 return HX509_NO_ITEM
;
1380 san
= &req
->san
.val
[idx
];
1381 switch ((*type
= san_map_type(san
))) {
1382 case HX509_SAN_TYPE_UNSUPPORTED
: return 0;
1383 case HX509_SAN_TYPE_EMAIL
:
1384 *out
= strndup(san
->u
.rfc822Name
.data
,
1385 san
->u
.rfc822Name
.length
);
1387 case HX509_SAN_TYPE_DNSNAME
:
1388 *out
= strndup(san
->u
.dNSName
.data
,
1389 san
->u
.dNSName
.length
);
1391 case HX509_SAN_TYPE_DNSSRV
: {
1396 ret
= decode_SRVName(san
->u
.otherName
.value
.data
,
1397 san
->u
.otherName
.value
.length
, &name
, &size
);
1400 *out
= strndup(name
.data
, name
.length
);
1403 case HX509_SAN_TYPE_PERMANENT_ID
: {
1404 PermanentIdentifier pi
;
1409 ret
= decode_PermanentIdentifier(san
->u
.otherName
.value
.data
,
1410 san
->u
.otherName
.value
.length
,
1412 if (ret
== 0 && pi
.assigner
) {
1413 ret
= der_print_heim_oid(pi
.assigner
, '.', &s
);
1415 (pool
= rk_strpoolprintf(NULL
, "%s", s
)) == NULL
)
1417 } else if (ret
== 0) {
1418 pool
= rk_strpoolprintf(NULL
, "-");
1421 (pool
= rk_strpoolprintf(pool
, "%s%s",
1422 *pi
.identifierValue
? " " : "",
1423 *pi
.identifierValue
? *pi
.identifierValue
: "")) == NULL
)
1425 if (ret
== 0 && (*out
= rk_strpoolcollect(pool
)) == NULL
)
1427 free_PermanentIdentifier(&pi
);
1431 case HX509_SAN_TYPE_HW_MODULE
: {
1432 HardwareModuleName hn
;
1437 ret
= decode_HardwareModuleName(san
->u
.otherName
.value
.data
,
1438 san
->u
.otherName
.value
.length
,
1440 if (ret
== 0 && hn
.hwSerialNum
.length
> 256)
1441 hn
.hwSerialNum
.length
= 256;
1443 ret
= der_print_heim_oid(&hn
.hwType
, '.', &s
);
1445 pool
= rk_strpoolprintf(NULL
, "%s", s
);
1446 if (ret
== 0 && pool
)
1447 pool
= rk_strpoolprintf(pool
, " %.*s",
1448 (int)hn
.hwSerialNum
.length
,
1449 (char *)hn
.hwSerialNum
.data
);
1451 (pool
== NULL
|| (*out
= rk_strpoolcollect(pool
)) == NULL
))
1453 free_HardwareModuleName(&hn
);
1456 case HX509_SAN_TYPE_DN
: {
1459 if (san
->u
.directoryName
.element
== choice_Name_rdnSequence
) {
1460 name
.element
= choice_Name_rdnSequence
;
1461 name
.u
.rdnSequence
= san
->u
.directoryName
.u
.rdnSequence
;
1462 return _hx509_Name_to_string(&name
, out
);
1464 *type
= HX509_SAN_TYPE_UNSUPPORTED
;
1467 case HX509_SAN_TYPE_REGISTERED_ID
:
1468 return der_print_heim_oid(&san
->u
.registeredID
, '.', out
);
1469 case HX509_SAN_TYPE_XMPP
:
1471 case HX509_SAN_TYPE_MS_UPN
: {
1474 ret
= _hx509_unparse_utf8_string_name(req
->context
, &pool
,
1475 &san
->u
.otherName
.value
);
1476 if ((*out
= rk_strpoolcollect(pool
)) == NULL
)
1477 return hx509_enomem(req
->context
);
1480 case HX509_SAN_TYPE_PKINIT
: {
1483 ret
= _hx509_unparse_KRB5PrincipalName(req
->context
, &pool
,
1484 &san
->u
.otherName
.value
);
1485 if ((*out
= rk_strpoolcollect(pool
)) == NULL
)
1486 return hx509_enomem(req
->context
);
1490 *type
= HX509_SAN_TYPE_UNSUPPORTED
;
1499 * Indicate if a CSR requested a CA certificate.
1501 * @param context An hx509 context.
1502 * @param req The hx509_request object.
1504 * @return 1 if the CSR requested CA certificate, 0 otherwise.
1506 * @ingroup hx509_request
1508 HX509_LIB_FUNCTION
int HX509_LIB_CALL
1509 hx509_request_get_cA(hx509_context context
,
1516 * Return the CSR's requested BasicConstraints pathLenConstraint.
1518 * @param context An hx509 context.
1519 * @param req The hx509_request object.
1521 * @return -1 if no pathLenConstraint was requested (or the BasicConstraints
1522 * does not request a CA certificate), or the actual requested
1523 * pathLenConstraint.
1525 * @ingroup hx509_request
1527 HX509_LIB_FUNCTION
int HX509_LIB_CALL
1528 hx509_request_get_cA_pathLenConstraint(hx509_context context
,
1531 if (req
->bc
.cA
&& req
->bc
.pathLenConstraint
&&
1532 *req
->bc
.pathLenConstraint
< INT_MAX
)
1533 return *req
->bc
.pathLenConstraint
;
1540 * @param context An hx509 context.
1541 * @param req The hx509_request object.
1542 * @param f A FILE * to print the CSR to.
1544 * @return An hx509 error code, see hx509_get_error_string().
1546 * @ingroup hx509_request
1548 HX509_LIB_FUNCTION
int HX509_LIB_CALL
1549 hx509_request_print(hx509_context context
, hx509_request req
, FILE *f
)
1557 * It's really unformatunate that we can't reuse more of the
1558 * lib/hx509/print.c infrastructure here, as it's too focused on
1561 * For that matter, it's really annoying that CSRs don't more resemble
1562 * Certificates. Indeed, an ideal CSR would look like this:
1565 * desiredTbsCertificate TBSCertificate,
1566 * attributes [1] SEQUENCE OF Attribute OPTIONAL,
1570 * sigAlg AlgorithmIdentifier,
1571 * signature BIT STRING
1574 * with everything related to the desired certificate in
1575 * desiredTbsCertificate and anything not related to the CSR's contents in
1576 * the 'attributes' field.
1578 * That wouldn't allow one to have optional desired TBSCertificate
1579 * features, but hey. One could express "gimme all or gimme nothing" as an
1580 * attribute, or "gimme what you can", then check what one got.
1582 fprintf(f
, "PKCS#10 CertificationRequest:\n");
1584 if (req
->include_BasicConstraints
) {
1585 fprintf(f
, " cA: %s\n", req
->bc
.cA
? "yes" : "no");
1586 if (req
->bc
.pathLenConstraint
)
1587 fprintf(f
, " pathLenConstraint: %u\n", *req
->bc
.pathLenConstraint
);
1589 fprintf(f
, " pathLenConstraint: unspecified\n");
1593 ret
= hx509_name_to_string(req
->name
, &subject
);
1595 hx509_set_error_string(context
, 0, ret
, "Failed to print name");
1598 fprintf(f
, " name: %s\n", subject
);
1601 /* XXX Use hx509_request_get_ku() accessor */
1602 if ((ku_num
= KeyUsage2int(req
->ku
))) {
1603 const struct units
*u
;
1604 const char *first
= " ";
1606 fprintf(f
, " key usage:");
1607 for (u
= asn1_KeyUsage_units(); u
->name
; ++u
) {
1608 if ((ku_num
& u
->mult
)) {
1609 fprintf(f
, "%s%s", first
, u
->name
);
1615 fprintf(f
, "%s<unknown-KeyUsage-value(s)>", first
);
1619 const char *first
= " ";
1621 fprintf(f
, " eku:");
1622 for (i
= 0; ret
== 0; i
++) {
1624 ret
= hx509_request_get_eku(req
, i
, &s
);
1627 fprintf(f
, "%s{%s}", first
, s
);
1633 if (ret
== HX509_NO_ITEM
)
1635 for (i
= 0; ret
== 0; i
++) {
1636 hx509_san_type san_type
;
1639 ret
= hx509_request_get_san(req
, i
, &san_type
, &s
);
1643 case HX509_SAN_TYPE_EMAIL
:
1644 fprintf(f
, " san: rfc822Name: %s\n", s
);
1646 case HX509_SAN_TYPE_DNSNAME
:
1647 fprintf(f
, " san: dNSName: %s\n", s
);
1649 case HX509_SAN_TYPE_DN
:
1650 fprintf(f
, " san: dn: %s\n", s
);
1652 case HX509_SAN_TYPE_REGISTERED_ID
:
1653 fprintf(f
, " san: registeredID: %s\n", s
);
1655 case HX509_SAN_TYPE_XMPP
:
1656 fprintf(f
, " san: xmpp: %s\n", s
);
1658 case HX509_SAN_TYPE_PKINIT
:
1659 fprintf(f
, " san: pkinit: %s\n", s
);
1661 case HX509_SAN_TYPE_MS_UPN
:
1662 fprintf(f
, " san: ms-upn: %s\n", s
);
1665 fprintf(f
, " san: <SAN type not supported>\n");
1669 if (req
->nunsupported_crit
) {
1670 fprintf(f
, " unsupported_critical_extensions_count: %u\n",
1671 (unsigned)req
->nunsupported_crit
);
1673 if (req
->nunsupported_opt
) {
1674 fprintf(f
, " unsupported_optional_extensions_count: %u\n",
1675 (unsigned)req
->nunsupported_opt
);
1678 if (ret
== HX509_NO_ITEM
)