summaryrefslogtreecommitdiff
path: root/thirdparty/mbedtls/library/x509write_csr.c
diff options
context:
space:
mode:
Diffstat (limited to 'thirdparty/mbedtls/library/x509write_csr.c')
-rw-r--r--thirdparty/mbedtls/library/x509write_csr.c126
1 files changed, 41 insertions, 85 deletions
diff --git a/thirdparty/mbedtls/library/x509write_csr.c b/thirdparty/mbedtls/library/x509write_csr.c
index 60cf12379f..afda950341 100644
--- a/thirdparty/mbedtls/library/x509write_csr.c
+++ b/thirdparty/mbedtls/library/x509write_csr.c
@@ -2,13 +2,7 @@
* X.509 Certificate Signing Request writing
*
* Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
- *
- * This file is provided under the Apache License 2.0, or the
- * GNU General Public License v2.0 or later.
- *
- * **********
- * Apache License 2.0:
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -21,27 +15,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * **********
- *
- * **********
- * GNU General Public License v2.0 or later:
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * **********
*/
/*
* References:
@@ -49,19 +22,21 @@
* - attributes: PKCS#9 v2.0 aka RFC 2985
*/
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
#if defined(MBEDTLS_X509_CSR_WRITE_C)
#include "mbedtls/x509_csr.h"
-#include "mbedtls/oid.h"
#include "mbedtls/asn1write.h"
+#include "mbedtls/error.h"
+#include "mbedtls/oid.h"
#include "mbedtls/platform_util.h"
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#include "psa/crypto.h"
+#include "mbedtls/psa_util.h"
+#endif
+
#include <string.h>
#include <stdlib.h>
@@ -69,16 +44,6 @@
#include "mbedtls/pem.h"
#endif
-/*
- * For the currently used signature algorithms the buffer to store any signature
- * must be at least of size MAX(MBEDTLS_ECDSA_MAX_LEN, MBEDTLS_MPI_MAX_SIZE)
- */
-#if MBEDTLS_ECDSA_MAX_LEN > MBEDTLS_MPI_MAX_SIZE
-#define SIGNATURE_MAX_SIZE MBEDTLS_ECDSA_MAX_LEN
-#else
-#define SIGNATURE_MAX_SIZE MBEDTLS_MPI_MAX_SIZE
-#endif
-
#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
#else
@@ -124,35 +89,17 @@ int mbedtls_x509write_csr_set_extension( mbedtls_x509write_csr *ctx,
0, val, val_len );
}
-static size_t csr_get_unused_bits_for_named_bitstring( unsigned char bitstring,
- size_t bit_offset )
-{
- size_t unused_bits;
-
- /* Count the unused bits removing trailing 0s */
- for( unused_bits = bit_offset; unused_bits < 8; unused_bits++ )
- if( ( ( bitstring >> unused_bits ) & 0x1 ) != 0 )
- break;
-
- return( unused_bits );
-}
-
int mbedtls_x509write_csr_set_key_usage( mbedtls_x509write_csr *ctx, unsigned char key_usage )
{
- unsigned char buf[4];
+ unsigned char buf[4] = {0};
unsigned char *c;
- size_t unused_bits;
- int ret;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
c = buf + 4;
- unused_bits = csr_get_unused_bits_for_named_bitstring( key_usage, 0 );
- ret = mbedtls_asn1_write_bitstring( &c, buf, &key_usage, 8 - unused_bits );
-
- if( ret < 0 )
+ ret = mbedtls_asn1_write_named_bitstring( &c, buf, &key_usage, 8 );
+ if( ret < 3 || ret > 4 )
return( ret );
- else if( ret < 3 || ret > 4 )
- return( MBEDTLS_ERR_X509_INVALID_FORMAT );
ret = mbedtls_x509write_csr_set_extension( ctx, MBEDTLS_OID_KEY_USAGE,
MBEDTLS_OID_SIZE( MBEDTLS_OID_KEY_USAGE ),
@@ -166,22 +113,14 @@ int mbedtls_x509write_csr_set_key_usage( mbedtls_x509write_csr *ctx, unsigned ch
int mbedtls_x509write_csr_set_ns_cert_type( mbedtls_x509write_csr *ctx,
unsigned char ns_cert_type )
{
- unsigned char buf[4];
+ unsigned char buf[4] = {0};
unsigned char *c;
- size_t unused_bits;
- int ret;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
c = buf + 4;
- unused_bits = csr_get_unused_bits_for_named_bitstring( ns_cert_type, 0 );
- ret = mbedtls_asn1_write_bitstring( &c,
- buf,
- &ns_cert_type,
- 8 - unused_bits );
-
- if( ret < 0 )
- return( ret );
- else if( ret < 3 || ret > 4 )
+ ret = mbedtls_asn1_write_named_bitstring( &c, buf, &ns_cert_type, 8 );
+ if( ret < 3 || ret > 4 )
return( ret );
ret = mbedtls_x509write_csr_set_extension( ctx, MBEDTLS_OID_NS_CERT_TYPE,
@@ -200,7 +139,7 @@ static int x509write_csr_der_internal( mbedtls_x509write_csr *ctx,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng )
{
- int ret;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
const char *sig_oid;
size_t sig_oid_len = 0;
unsigned char *c, *c2;
@@ -208,6 +147,11 @@ static int x509write_csr_der_internal( mbedtls_x509write_csr *ctx,
size_t pub_len = 0, sig_and_oid_len = 0, sig_len;
size_t len = 0;
mbedtls_pk_type_t pk_alg;
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_hash_operation_t hash_operation = PSA_HASH_OPERATION_INIT;
+ size_t hash_len;
+ psa_algorithm_t hash_alg = mbedtls_psa_translate_md( ctx->md_alg );
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
/* Write the CSR backwards starting from the end of buf */
c = buf + size;
@@ -273,10 +217,23 @@ static int x509write_csr_der_internal( mbedtls_x509write_csr *ctx,
* Sign the written CSR data into the sig buffer
* Note: hash errors can happen only after an internal error
*/
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ if( psa_hash_setup( &hash_operation, hash_alg ) != PSA_SUCCESS )
+ return( MBEDTLS_ERR_X509_FATAL_ERROR );
+
+ if( psa_hash_update( &hash_operation, c, len ) != PSA_SUCCESS )
+ return( MBEDTLS_ERR_X509_FATAL_ERROR );
+
+ if( psa_hash_finish( &hash_operation, hash, sizeof( hash ), &hash_len )
+ != PSA_SUCCESS )
+ {
+ return( MBEDTLS_ERR_X509_FATAL_ERROR );
+ }
+#else /* MBEDTLS_USE_PSA_CRYPTO */
ret = mbedtls_md( mbedtls_md_info_from_type( ctx->md_alg ), c, len, hash );
if( ret != 0 )
return( ret );
-
+#endif
if( ( ret = mbedtls_pk_sign( ctx->key, ctx->md_alg, hash, 0, sig, &sig_len,
f_rng, p_rng ) ) != 0 )
{
@@ -341,7 +298,7 @@ int mbedtls_x509write_csr_der( mbedtls_x509write_csr *ctx, unsigned char *buf,
int ret;
unsigned char *sig;
- if( ( sig = mbedtls_calloc( 1, SIGNATURE_MAX_SIZE ) ) == NULL )
+ if( ( sig = mbedtls_calloc( 1, MBEDTLS_PK_SIGNATURE_MAX_SIZE ) ) == NULL )
{
return( MBEDTLS_ERR_X509_ALLOC_FAILED );
}
@@ -361,18 +318,17 @@ int mbedtls_x509write_csr_pem( mbedtls_x509write_csr *ctx, unsigned char *buf, s
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng )
{
- int ret;
- unsigned char output_buf[4096];
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t olen = 0;
- if( ( ret = mbedtls_x509write_csr_der( ctx, output_buf, sizeof(output_buf),
+ if( ( ret = mbedtls_x509write_csr_der( ctx, buf, size,
f_rng, p_rng ) ) < 0 )
{
return( ret );
}
if( ( ret = mbedtls_pem_write_buffer( PEM_BEGIN_CSR, PEM_END_CSR,
- output_buf + sizeof(output_buf) - ret,
+ buf + size - ret,
ret, buf, size, &olen ) ) != 0 )
{
return( ret );
generated by cgit v1.2.3 (git 2.25.1) at 2024-11-08 15:30:47 +0000