tls_certificate.c
Go to the documentation of this file.
1 /**
2  * @file tls_certificate.c
3  * @brief Certificate handling
4  *
5  * @section License
6  *
7  * SPDX-License-Identifier: GPL-2.0-or-later
8  *
9  * Copyright (C) 2010-2019 Oryx Embedded SARL. All rights reserved.
10  *
11  * This file is part of CycloneSSL Open.
12  *
13  * This program is free software; you can redistribute it and/or
14  * modify it under the terms of the GNU General Public License
15  * as published by the Free Software Foundation; either version 2
16  * of the License, or (at your option) any later version.
17  *
18  * This program is distributed in the hope that it will be useful,
19  * but WITHOUT ANY WARRANTY; without even the implied warranty of
20  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21  * GNU General Public License for more details.
22  *
23  * You should have received a copy of the GNU General Public License
24  * along with this program; if not, write to the Free Software Foundation,
25  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
26  *
27  * @author Oryx Embedded SARL (www.oryx-embedded.com)
28  * @version 1.9.6
29  **/
30 
31 //Switch to the appropriate trace level
32 #define TRACE_LEVEL TLS_TRACE_LEVEL
33 
34 //Dependencies
35 #include <string.h>
36 #include <ctype.h>
37 #include "tls.h"
38 #include "tls_certificate.h"
39 #include "tls_misc.h"
40 #include "encoding/asn1.h"
41 #include "encoding/oid.h"
42 #include "pkix/pem_import.h"
43 #include "pkix/x509_cert_parse.h"
45 #include "pkix/x509_key_parse.h"
46 #include "debug.h"
47 
48 //Check TLS library configuration
49 #if (TLS_SUPPORT == ENABLED)
50 
51 
52 /**
53  * @brief Format certificate chain
54  * @param[in] context Pointer to the TLS context
55  * @param[in] p Output stream where to write the certificate chain
56  * @param[out] written Total number of bytes that have been written
57  * @return Error code
58  **/
59 
61  size_t *written)
62 {
63  error_t error;
64  size_t m;
65  size_t n;
66  size_t certChainLen;
67  const char_t *certChain;
68 
69  //Initialize status code
70  error = NO_ERROR;
71 
72  //Length of the certificate list in bytes
73  *written = 0;
74 
75  //Check whether a certificate is available
76  if(context->cert != NULL)
77  {
78  //Point to the certificate chain
79  certChain = context->cert->certChain;
80  //Get the total length, in bytes, of the certificate chain
81  certChainLen = context->cert->certChainLen;
82  }
83  else
84  {
85  //If no suitable certificate is available, the message contains an
86  //empty certificate list
87  certChain = NULL;
88  certChainLen = 0;
89  }
90 
91  //Parse the certificate chain
92  while(certChainLen > 0)
93  {
94  //The first pass calculates the length of the DER-encoded certificate
95  error = pemImportCertificate(certChain, certChainLen, NULL, &n, NULL);
96 
97  //End of file detected?
98  if(error)
99  {
100  //Exit immediately
101  error = NO_ERROR;
102  break;
103  }
104 
105  //Buffer overflow?
106  if((*written + n + 3) > context->txBufferMaxLen)
107  {
108  //Report an error
109  error = ERROR_MESSAGE_TOO_LONG;
110  break;
111  }
112 
113  //Each certificate is preceded by a 3-byte length field
114  STORE24BE(n, p);
115 
116  //The second pass decodes the PEM certificate
117  error = pemImportCertificate(certChain, certChainLen, p + 3, &n, &m);
118  //Any error to report?
119  if(error)
120  break;
121 
122  //Advance read pointer
123  certChain += m;
124  certChainLen -= m;
125 
126  //Advance write pointer
127  p += n + 3;
128  *written += n + 3;
129 
130 #if (TLS_MAX_VERSION >= TLS_VERSION_1_3 && TLS_MIN_VERSION <= TLS_VERSION_1_3)
131  //TLS 1.3 currently selected?
132  if(context->version == TLS_VERSION_1_3)
133  {
134  //Format the list of extensions for the current CertificateEntry
135  error = tls13FormatCertExtensions(p, &n);
136  //Any error to report?
137  if(error)
138  break;
139 
140  //Advance write pointer
141  p += n;
142  *written += n;
143  }
144 #endif
145  }
146 
147  //Return status code
148  return error;
149 }
150 
151 
152 /**
153  * @brief Format raw public key
154  * @param[in] context Pointer to the TLS context
155  * @param[in] p Output stream where to write the raw public key
156  * @param[out] written Total number of bytes that have been written
157  * @return Error code
158  **/
159 
161  size_t *written)
162 {
163  error_t error;
164 
165  //Initialize status code
166  error = NO_ERROR;
167 
168  //Length of the certificate list in bytes
169  *written = 0;
170 
171 #if (TLS_RAW_PUBLIC_KEY_SUPPORT == ENABLED)
172  //Check whether a certificate is available
173  if(context->cert != NULL)
174  {
175  size_t n;
176  uint8_t *derCert;
177  size_t derCertLen;
178  X509CertificateInfo *certInfo;
179 
180  //Initialize variables
181  derCert = NULL;
182  certInfo = NULL;
183 
184  //Start of exception handling block
185  do
186  {
187  //The first pass calculates the length of the DER-encoded certificate
188  error = pemImportCertificate(context->cert->certChain,
189  context->cert->certChainLen, NULL, &derCertLen, NULL);
190  //Any error to report?
191  if(error)
192  break;
193 
194  //Allocate a memory buffer to hold the DER-encoded certificate
195  derCert = tlsAllocMem(derCertLen);
196  //Failed to allocate memory?
197  if(derCert == NULL)
198  {
199  error = ERROR_OUT_OF_MEMORY;
200  break;
201  }
202 
203  //The second pass decodes the PEM certificate
204  error = pemImportCertificate(context->cert->certChain,
205  context->cert->certChainLen, derCert, &derCertLen, NULL);
206  //Any error to report?
207  if(error)
208  break;
209 
210  //Allocate a memory buffer to store X.509 certificate info
211  certInfo = tlsAllocMem(sizeof(X509CertificateInfo));
212  //Failed to allocate memory?
213  if(certInfo == NULL)
214  {
215  error = ERROR_OUT_OF_MEMORY;
216  break;
217  }
218 
219  //Parse X.509 certificate
220  error = x509ParseCertificate(derCert, derCertLen, certInfo);
221  //Failed to parse the X.509 certificate?
222  if(error)
223  break;
224 
225  //Retrieve the length of the raw public key
227 
228 #if (TLS_MAX_VERSION >= TLS_VERSION_1_3 && TLS_MIN_VERSION <= TLS_VERSION_1_3)
229  //TLS 1.3 currently selected?
230  if(context->version == TLS_VERSION_1_3)
231  {
232  //The raw public key is preceded by a 3-byte length field
233  STORE24BE(n, p);
234  //Copy the raw public key
235  memcpy(p + 3, certInfo->tbsCert.subjectPublicKeyInfo.rawData, n);
236 
237  //Advance data pointer
238  p += n + 3;
239  //Adjust the length of the certificate list
240  *written += n + 3;
241 
242  //Format the list of extensions for the current CertificateEntry
243  error = tls13FormatCertExtensions(p, &n);
244  //Any error to report?
245  if(error)
246  break;
247 
248  //Advance data pointer
249  p += n;
250  //Adjust the length of the certificate list
251  *written += n;
252  }
253  else
254 #endif
255  {
256  //Copy the raw public key
257  memcpy(p, certInfo->tbsCert.subjectPublicKeyInfo.rawData, n);
258 
259  //Advance data pointer
260  p += n;
261  //Adjust the length of the certificate list
262  *written += n;
263  }
264 
265  //End of exception handling block
266  } while(0);
267 
268  //Release previously allocated memory
269  tlsFreeMem(derCert);
270  tlsFreeMem(certInfo);
271  }
272 #endif
273 
274  //Return status code
275  return error;
276 }
277 
278 
279 /**
280  * @brief Parse certificate chain
281  * @param[in] context Pointer to the TLS context
282  * @param[in] p Input stream where to read the certificate chain
283  * @param[in] length Number of bytes available in the input stream
284  * @return Error code
285  **/
286 
287 error_t tlsParseCertificateList(TlsContext *context, const uint8_t *p,
288  size_t length)
289 {
290  error_t error;
291  error_t certValidResult;
292  uint_t i;
293  size_t n;
294  const char_t *subjectName;
295  X509CertificateInfo *certInfo;
296  X509CertificateInfo *issuerCertInfo;
297 
298  //Initialize X.509 certificates
299  certInfo = NULL;
300  issuerCertInfo = NULL;
301 
302  //Start of exception handling block
303  do
304  {
305  //Allocate a memory buffer to store X.509 certificate info
306  certInfo = tlsAllocMem(sizeof(X509CertificateInfo));
307  //Failed to allocate memory?
308  if(certInfo == NULL)
309  {
310  //Report an error
311  error = ERROR_OUT_OF_MEMORY;
312  break;
313  }
314 
315  //Allocate a memory buffer to store the parent certificate
316  issuerCertInfo = tlsAllocMem(sizeof(X509CertificateInfo));
317  //Failed to allocate memory?
318  if(issuerCertInfo == NULL)
319  {
320  //Report an error
321  error = ERROR_OUT_OF_MEMORY;
322  break;
323  }
324 
325  //The end-user certificate is preceded by a 3-byte length field
326  if(length < 3)
327  {
328  //Report an error
329  error = ERROR_DECODING_FAILED;
330  break;
331  }
332 
333  //Get the size occupied by the certificate
334  n = LOAD24BE(p);
335  //Jump to the beginning of the DER-encoded certificate
336  p += 3;
337  length -= 3;
338 
339  //Malformed Certificate message?
340  if(n > length)
341  {
342  //Report an error
343  error = ERROR_DECODING_FAILED;
344  break;
345  }
346 
347  //Display ASN.1 structure
348  error = asn1DumpObject(p, n, 0);
349  //Any error to report?
350  if(error)
351  break;
352 
353  //Parse end-user certificate
354  error = x509ParseCertificate(p, n, certInfo);
355  //Failed to parse the X.509 certificate?
356  if(error)
357  {
358  //Report an error
359  error = ERROR_DECODING_FAILED;
360  break;
361  }
362 
363  //Check certificate key usage
364  error = tlsCheckKeyUsage(certInfo, context->entity,
365  context->keyExchMethod);
366  //Any error to report?
367  if(error)
368  break;
369 
370  //Extract the public key from the end-user certificate
371  error = tlsReadSubjectPublicKey(context,
372  &certInfo->tbsCert.subjectPublicKeyInfo);
373  //Any error to report?
374  if(error)
375  break;
376 
377 #if (TLS_CLIENT_SUPPORT == ENABLED)
378  //Client mode?
379  if(context->entity == TLS_CONNECTION_END_CLIENT)
380  {
381  TlsCertificateType certType;
382  TlsSignatureAlgo certSignAlgo;
383  TlsHashAlgo certHashAlgo;
384  TlsNamedGroup namedCurve;
385 
386  //Retrieve the type of the X.509 certificate
387  error = tlsGetCertificateType(certInfo, &certType, &certSignAlgo,
388  &certHashAlgo, &namedCurve);
389  //Unsupported certificate?
390  if(error)
391  break;
392 
393  //Version of TLS prior to TLS 1.3?
394  if(context->version <= TLS_VERSION_1_2)
395  {
396  //ECDSA certificate?
397  if(certType == TLS_CERT_ECDSA_SIGN)
398  {
399  //Make sure the elliptic curve is supported
400  if(tlsGetCurveInfo(context, namedCurve) == NULL)
401  {
402  error = ERROR_BAD_CERTIFICATE;
403  break;
404  }
405  }
406  }
407 
408  //Point to the subject name
409  subjectName = context->serverName;
410 
411  //Check the subject name in the server certificate against the actual
412  //FQDN name that is being requested
413  error = x509CheckSubjectName(certInfo, subjectName);
414  //Any error to report?
415  if(error)
416  {
417  //Debug message
418  TRACE_WARNING("Server name mismatch!\r\n");
419 
420  //Report an error
421  error = ERROR_BAD_CERTIFICATE;
422  break;
423  }
424  }
425  else
426 #endif
427  //Server mode?
428  {
429  //Do not check name constraints
430  subjectName = NULL;
431  }
432 
433  //Check if the end-user certificate can be matched with a trusted CA
434  certValidResult = tlsValidateCertificate(context, certInfo, 0,
435  subjectName);
436 
437  //Check validation result
438  if(certValidResult != NO_ERROR && certValidResult != ERROR_UNKNOWN_CA)
439  {
440  //Report an error
441  error = ERROR_BAD_CERTIFICATE;
442  break;
443  }
444 
445  //Next certificate
446  p += n;
447  length -= n;
448 
449 #if (TLS_MAX_VERSION >= TLS_VERSION_1_3 && TLS_MIN_VERSION <= TLS_VERSION_1_3)
450  //TLS 1.3 currently selected?
451  if(context->version == TLS_VERSION_1_3)
452  {
453  //Parse the list of extensions for the current CertificateEntry
454  error = tls13ParseCertExtensions(p, length, &n);
455  //Any error to report?
456  if(error)
457  break;
458 
459  //Point to the next field
460  p += n;
461  //Remaining bytes to process
462  length -= n;
463  }
464 #endif
465 
466  //PKIX path validation
467  for(i = 0; length > 0; i++)
468  {
469  //Each intermediate certificate is preceded by a 3-byte length field
470  if(length < 3)
471  {
472  //Report an error
473  error = ERROR_DECODING_FAILED;
474  break;
475  }
476 
477  //Get the size occupied by the certificate
478  n = LOAD24BE(p);
479  //Jump to the beginning of the DER-encoded certificate
480  p += 3;
481  //Remaining bytes to process
482  length -= 3;
483 
484  //Malformed Certificate message?
485  if(n > length)
486  {
487  //Report an error
488  error = ERROR_DECODING_FAILED;
489  break;
490  }
491 
492  //Display ASN.1 structure
493  error = asn1DumpObject(p, n, 0);
494  //Any error to report?
495  if(error)
496  break;
497 
498  //Parse intermediate certificate
499  error = x509ParseCertificate(p, n, issuerCertInfo);
500  //Failed to parse the X.509 certificate?
501  if(error)
502  {
503  //Report an error
504  error = ERROR_DECODING_FAILED;
505  break;
506  }
507 
508  //Certificate chain validation in progress?
509  if(certValidResult == ERROR_UNKNOWN_CA)
510  {
511  //Validate current certificate
512  error = x509ValidateCertificate(certInfo, issuerCertInfo, i);
513  //Certificate validation failed?
514  if(error)
515  break;
516 
517  //Check name constraints
518  error = x509CheckNameConstraints(subjectName, issuerCertInfo);
519  //Should the application reject the certificate?
520  if(error)
521  return ERROR_BAD_CERTIFICATE;
522 
523  //Check the version of the certificate
524  if(issuerCertInfo->tbsCert.version < X509_VERSION_3)
525  {
526  //Conforming implementations may choose to reject all version 1
527  //and version 2 intermediate certificates (refer to RFC 5280,
528  //section 6.1.4)
529  error = ERROR_BAD_CERTIFICATE;
530  break;
531  }
532 
533  //Check if the intermediate certificate can be matched with a
534  //trusted CA
535  certValidResult = tlsValidateCertificate(context, issuerCertInfo,
536  i, subjectName);
537 
538  //Check validation result
539  if(certValidResult != NO_ERROR && certValidResult != ERROR_UNKNOWN_CA)
540  {
541  //Report an error
542  error = ERROR_BAD_CERTIFICATE;
543  break;
544  }
545  }
546 
547  //Keep track of the issuer certificate
548  *certInfo = *issuerCertInfo;
549 
550  //Next certificate
551  p += n;
552  length -= n;
553 
554 #if (TLS_MAX_VERSION >= TLS_VERSION_1_3 && TLS_MIN_VERSION <= TLS_VERSION_1_3)
555  //TLS 1.3 currently selected?
556  if(context->version == TLS_VERSION_1_3)
557  {
558  //Parse the list of extensions for the current CertificateEntry
559  error = tls13ParseCertExtensions(p, length, &n);
560  //Any error to report?
561  if(error)
562  break;
563 
564  //Point to the next field
565  p += n;
566  //Remaining bytes to process
567  length -= n;
568  }
569 #endif
570  }
571 
572  //Certificate chain validation failed?
573  if(error == NO_ERROR && certValidResult != NO_ERROR)
574  {
575  //A valid certificate chain or partial chain was received, but the
576  //certificate was not accepted because the CA certificate could not
577  //be matched with a known, trusted CA
578  error = ERROR_UNKNOWN_CA;
579  }
580 
581  //End of exception handling block
582  } while(0);
583 
584  //Free previously allocated memory
585  tlsFreeMem(certInfo);
586  tlsFreeMem(issuerCertInfo);
587 
588  //Return status code
589  return error;
590 }
591 
592 
593 /**
594  * @brief Parse raw public key
595  * @param[in] context Pointer to the TLS context
596  * @param[in] p Input stream where to read the raw public key
597  * @param[in] length Number of bytes available in the input stream
598  * @return Error code
599  **/
600 
601 error_t tlsParseRawPublicKey(TlsContext *context, const uint8_t *p,
602  size_t length)
603 {
604  error_t error;
605 
606 #if (TLS_RAW_PUBLIC_KEY_SUPPORT == ENABLED)
607  //Any registered callback?
608  if(context->rpkVerifyCallback != NULL)
609  {
610  size_t n;
611  size_t rawPublicKeyLen;
612  const uint8_t *rawPublicKey;
613  X509SubjectPublicKeyInfo subjectPublicKeyInfo;
614 
615 #if (TLS_MAX_VERSION >= TLS_VERSION_1_3 && TLS_MIN_VERSION <= TLS_VERSION_1_3)
616  //TLS 1.3 currently selected?
617  if(context->version == TLS_VERSION_1_3)
618  {
619  //The raw public key is preceded by a 3-byte length field
620  if(length < 3)
621  return ERROR_DECODING_FAILED;
622 
623  //Get the size occupied by the raw public key
624  rawPublicKeyLen = LOAD24BE(p);
625  //Advance data pointer
626  p += 3;
627  //Remaining bytes to process
628  length -= 3;
629 
630  //Malformed Certificate message?
631  if(length < rawPublicKeyLen)
632  return ERROR_DECODING_FAILED;
633  }
634  else
635 #endif
636  {
637  //The payload of the Certificate message contains a SubjectPublicKeyInfo
638  //structure
639  rawPublicKeyLen = length;
640  }
641 
642  //Point to the raw public key
643  rawPublicKey = p;
644 
645  //Decode the SubjectPublicKeyInfo structure
646  error = x509ParseSubjectPublicKeyInfo(rawPublicKey, rawPublicKeyLen, &n,
647  &subjectPublicKeyInfo);
648  //Any error to report?
649  if(error)
650  return error;
651 
652  //Advance data pointer
653  p += rawPublicKeyLen;
654  //Remaining bytes to process
655  length -= rawPublicKeyLen;
656 
657 #if (TLS_MAX_VERSION >= TLS_VERSION_1_3 && TLS_MIN_VERSION <= TLS_VERSION_1_3)
658  //TLS 1.3 currently selected?
659  if(context->version == TLS_VERSION_1_3)
660  {
661  //Parse the list of extensions for the current CertificateEntry
662  error = tls13ParseCertExtensions(p, length, &n);
663  //Any error to report?
664  if(error)
665  return error;
666 
667  //Advance data pointer
668  p += n;
669  //Remaining bytes to process
670  length -= n;
671  }
672 #endif
673 
674  //If the RawPublicKey certificate type was negotiated, the certificate
675  //list must contain no more than one CertificateEntry (refer to RFC 8446,
676  //section 4.4.2)
677  if(length != 0)
678  return ERROR_DECODING_FAILED;
679 
680  //Extract the public key from the SubjectPublicKeyInfo structure
681  error = tlsReadSubjectPublicKey(context, &subjectPublicKeyInfo);
682  //Any error to report?
683  if(error)
684  return error;
685 
686  //When raw public keys are used, authentication of the peer is supported
687  //only through authentication of the received SubjectPublicKeyInfo via an
688  //out-of-band method
689  error = context->rpkVerifyCallback(context, rawPublicKey,
690  rawPublicKeyLen);
691  }
692  else
693 #endif
694  {
695  //Report an error
696  error = ERROR_BAD_CERTIFICATE;
697  }
698 
699  //Return status code
700  return error;
701 }
702 
703 
704 /**
705  * @brief Check whether a certificate is acceptable
706  * @param[in] context Pointer to the TLS context
707  * @param[in] cert End entity certificate
708  * @param[in] certTypes List of supported certificate types
709  * @param[in] numCertTypes Size of the list that contains the supported
710  * certificate types
711  * @param[in] signHashAlgos List of signature algorithms that may be used in
712  * digital signatures
713  * @param[in] certSignHashAlgos List of signature algorithms that may be used
714  * in X.509 certificates
715  * @param[in] curveList List of supported elliptic curves
716  * @param[in] certAuthorities List of trusted CA
717  * @return TRUE if the specified certificate conforms to the requirements,
718  * else FALSE
719  **/
720 
722  const uint8_t *certTypes, size_t numCertTypes, const TlsSignHashAlgos *signHashAlgos,
723  const TlsSignHashAlgos *certSignHashAlgos, const TlsSupportedGroupList *curveList,
724  const TlsCertAuthorities *certAuthorities)
725 {
726  size_t i;
727  size_t n;
728  size_t length;
729  bool_t acceptable;
730 
731  //Make sure that a valid certificate has been loaded
732  if(cert->certChain == NULL || cert->certChainLen == 0)
733  return FALSE;
734 
735 #if (TLS_RSA_SIGN_SUPPORT == ENABLED || TLS_RSA_PSS_SIGN_SUPPORT == ENABLED)
736  //RSA certificate?
737  if(cert->type == TLS_CERT_RSA_SIGN)
738  {
739  //This flag tells whether the certificate is acceptable
740  acceptable = TRUE;
741 
742  //Version of TLS prior to TLS 1.2?
743  if(context->version <= TLS_VERSION_1_1)
744  {
745  //the signing algorithm for the certificate must be the same as the
746  //algorithm for the certificate key
747  if(cert->signAlgo != TLS_SIGN_ALGO_RSA)
748  acceptable = FALSE;
749  }
750 
751  //Filter out certificates with unsupported type
752  if(acceptable && certTypes != NULL)
753  {
754  //Loop through the list of supported certificate types
755  for(i = 0, acceptable = FALSE; i < numCertTypes && !acceptable; i++)
756  {
757  //Check whether the certificate type is acceptable
758  if(certTypes[i] == TLS_CERT_RSA_SIGN)
759  {
760  acceptable = TRUE;
761  }
762  }
763  }
764 
765  //Filter out certificates that are not compatible with the supported
766  //signature schemes
767  if(acceptable && signHashAlgos != NULL)
768  {
769  //Retrieve the number of items in the list
770  n = ntohs(signHashAlgos->length) / sizeof(TlsSignHashAlgo);
771 
772  //Loop through the list of supported hash/signature algorithm pairs
773  for(i = 0, acceptable = FALSE; i < n && !acceptable; i++)
774  {
775  uint8_t signAlgo;
776  uint8_t hashAlgo;
777 
778  //Retrieve signature and hash algorithms
779  signAlgo = signHashAlgos->value[i].signature;
780  hashAlgo = signHashAlgos->value[i].hash;
781 
782 #if (TLS_RSA_SIGN_SUPPORT == ENABLED)
783  //RSASSA-PKCS1-v1_5 signature scheme?
784  if(signAlgo == TLS_SIGN_ALGO_RSA &&
785  hashAlgo != TLS_HASH_ALGO_NONE &&
786  context->version <= TLS_VERSION_1_2)
787  {
788  acceptable = TRUE;
789  }
790  else
791 #endif
792 #if (TLS_RSA_PSS_SIGN_SUPPORT == ENABLED && TLS_SHA256_SUPPORT == ENABLED)
793  //RSASSA-PSS RSAE signature scheme with SHA-256?
794  if(signAlgo == TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA256 &&
795  hashAlgo == TLS_HASH_ALGO_INTRINSIC &&
796  context->version >= TLS_VERSION_1_2)
797  {
798  acceptable = TRUE;
799  }
800  else
801 #endif
802 #if (TLS_RSA_PSS_SIGN_SUPPORT == ENABLED && TLS_SHA384_SUPPORT == ENABLED)
803  //RSASSA-PSS RSAE signature scheme with SHA-384?
804  if(signAlgo == TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA384 &&
805  hashAlgo == TLS_HASH_ALGO_INTRINSIC &&
806  context->version >= TLS_VERSION_1_2)
807  {
808  acceptable = TRUE;
809  }
810  else
811 #endif
812 #if (TLS_RSA_PSS_SIGN_SUPPORT == ENABLED && TLS_SHA512_SUPPORT == ENABLED)
813  //RSASSA-PSS RSAE signature scheme with SHA-512?
814  if(signAlgo == TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA512 &&
815  hashAlgo == TLS_HASH_ALGO_INTRINSIC &&
816  context->version >= TLS_VERSION_1_2)
817  {
818  acceptable = TRUE;
819  }
820  else
821 #endif
822  //Unknown signature scheme?
823  {
824  acceptable = FALSE;
825  }
826  }
827  }
828  }
829  else
830 #endif
831 #if (TLS_RSA_PSS_SIGN_SUPPORT == ENABLED)
832  //RSA-PSS certificate?
833  if(cert->type == TLS_CERT_RSA_PSS_SIGN)
834  {
835  //TLS 1.2 and TLS 1.3 support RSASSA-PSS signature schemes
836  if(context->version >= TLS_VERSION_1_2)
837  {
838  //Filter out certificates that are not compatible with the supported
839  //signature schemes
840  if(signHashAlgos != NULL)
841  {
842  //Retrieve the number of items in the list
843  n = ntohs(signHashAlgos->length) / sizeof(TlsSignHashAlgo);
844 
845  //Loop through the list of supported hash/signature algorithm pairs
846  for(i = 0, acceptable = FALSE; i < n && !acceptable; i++)
847  {
848  uint8_t signAlgo;
849  uint8_t hashAlgo;
850 
851  //Retrieve signature and hash algorithms
852  signAlgo = signHashAlgos->value[i].signature;
853  hashAlgo = signHashAlgos->value[i].hash;
854 
855 #if (TLS_SHA256_SUPPORT == ENABLED)
856  //RSASSA-PSS PSS signature scheme with SHA-256?
857  if(signAlgo == TLS_SIGN_ALGO_RSA_PSS_PSS_SHA256 &&
858  hashAlgo == TLS_HASH_ALGO_INTRINSIC)
859  {
860  acceptable = TRUE;
861  }
862  else
863 #endif
864 #if (TLS_SHA384_SUPPORT == ENABLED)
865  //RSASSA-PSS PSS signature scheme with SHA-384?
866  if(signAlgo == TLS_SIGN_ALGO_RSA_PSS_PSS_SHA384 &&
867  hashAlgo == TLS_HASH_ALGO_INTRINSIC)
868  {
869  acceptable = TRUE;
870  }
871  else
872 #endif
873 #if (TLS_SHA512_SUPPORT == ENABLED)
874  //RSASSA-PSS PSS signature scheme with SHA-512?
875  if(signAlgo == TLS_SIGN_ALGO_RSA_PSS_PSS_SHA512 &&
876  hashAlgo == TLS_HASH_ALGO_INTRINSIC)
877  {
878  acceptable = TRUE;
879  }
880  else
881 #endif
882  //Unknown signature scheme?
883  {
884  acceptable = FALSE;
885  }
886  }
887  }
888  else
889  {
890  //The SignatureAlgorithms extension must be specified (refer to
891  //RFC 8446, section 4.3.2)
892  acceptable = FALSE;
893  }
894  }
895  else
896  {
897  //RSA-PSS is not supported by TLS 1.2 and earlier
898  acceptable = FALSE;
899  }
900  }
901  else
902 #endif
903 #if (TLS_DSA_SIGN_SUPPORT == ENABLED)
904  //DSA certificate?
905  if(cert->type == TLS_CERT_DSS_SIGN)
906  {
907  //Version of TLS prior to TLS 1.3?
908  if(context->version <= TLS_VERSION_1_2)
909  {
910  //This flag tells whether the certificate is acceptable
911  acceptable = TRUE;
912 
913  //Version of TLS prior to TLS 1.2?
914  if(context->version <= TLS_VERSION_1_1)
915  {
916  //the signing algorithm for the certificate must be the same as the
917  //algorithm for the certificate key
918  if(cert->signAlgo != TLS_SIGN_ALGO_DSA)
919  acceptable = FALSE;
920  }
921 
922  //Filter out certificates with unsupported type
923  if(acceptable && certTypes != NULL)
924  {
925  //Loop through the list of supported certificate types
926  for(i = 0, acceptable = FALSE; i < numCertTypes && !acceptable; i++)
927  {
928  //Check whether the certificate type is acceptable
929  if(certTypes[i] == TLS_CERT_DSS_SIGN)
930  {
931  acceptable = TRUE;
932  }
933  }
934  }
935 
936  //Filter out certificates that are not compatible with the supported
937  //signature schemes
938  if(acceptable && signHashAlgos != NULL)
939  {
940  //Retrieve the number of items in the list
941  n = ntohs(signHashAlgos->length) / sizeof(TlsSignHashAlgo);
942 
943  //Loop through the list of supported hash/signature algorithm pairs
944  for(i = 0, acceptable = FALSE; i < n && !acceptable; i++)
945  {
946  //Check whether DSA signature scheme is supported
947  if(signHashAlgos->value[i].signature == TLS_SIGN_ALGO_DSA)
948  {
949  acceptable = TRUE;
950  }
951  }
952  }
953  }
954  else
955  {
956  //TLS 1.3 removes support for DSA certificates
957  acceptable = FALSE;
958  }
959  }
960  else
961 #endif
962 #if (TLS_ECDSA_SIGN_SUPPORT == ENABLED)
963  //ECDSA certificate?
964  if(cert->type == TLS_CERT_ECDSA_SIGN)
965  {
966  //This flag tells whether the certificate is acceptable
967  acceptable = TRUE;
968 
969  //Version of TLS prior to TLS 1.2?
970  if(context->version <= TLS_VERSION_1_1)
971  {
972  //the signing algorithm for the certificate must be the same as the
973  //algorithm for the certificate key
974  if(cert->signAlgo != TLS_SIGN_ALGO_ECDSA)
975  acceptable = FALSE;
976  }
977 
978  //Filter out certificates with unsupported type
979  if(acceptable && certTypes != NULL)
980  {
981  //Loop through the list of supported certificate types
982  for(i = 0, acceptable = FALSE; i < numCertTypes && !acceptable; i++)
983  {
984  //Check whether the certificate type is acceptable
985  if(certTypes[i] == TLS_CERT_ECDSA_SIGN)
986  {
987  acceptable = TRUE;
988  }
989  }
990  }
991 
992  //Version of TLS prior to TLS 1.3?
993  if(context->version <= TLS_VERSION_1_2)
994  {
995  //In versions of TLS prior to TLS 1.3, the EllipticCurves extension is
996  //used to negotiate ECDSA curves (refer to RFC 8446, section 4.2.7)
997  if(acceptable && curveList != NULL)
998  {
999  //Retrieve the number of items in the list
1000  n = ntohs(curveList->length) / sizeof(uint16_t);
1001 
1002  //Loop through the list of supported elliptic curves
1003  for(i = 0, acceptable = FALSE; i < n && !acceptable; i++)
1004  {
1005  //Check whether the elliptic curve is supported
1006  if(ntohs(curveList->value[i]) == cert->namedCurve)
1007  {
1008  acceptable = TRUE;
1009  }
1010  }
1011  }
1012  }
1013 
1014  //Filter out certificates that are not compatible with the supported
1015  //signature schemes
1016  if(acceptable && signHashAlgos != NULL)
1017  {
1018  //Retrieve the number of items in the list
1019  n = ntohs(signHashAlgos->length) / sizeof(TlsSignHashAlgo);
1020 
1021  //Loop through the list of supported hash/signature algorithm pairs
1022  for(i = 0, acceptable = FALSE; i < n && !acceptable; i++)
1023  {
1024  //Check whether ECDSA signature scheme is supported
1025  if(signHashAlgos->value[i].signature == TLS_SIGN_ALGO_ECDSA)
1026  {
1027  acceptable = TRUE;
1028  }
1029  }
1030  }
1031  }
1032  else
1033 #endif
1034 #if (TLS_EDDSA_SIGN_SUPPORT == ENABLED)
1035  //EdDSA certificate?
1036  if(cert->type == TLS_CERT_ED25519_SIGN ||
1037  cert->type == TLS_CERT_ED448_SIGN)
1038  {
1039  //TLS 1.2 and TLS 1.3 support EdDSA signature schemes
1040  if((context->version >= TLS_VERSION_1_2 &&
1041  context->entity == TLS_CONNECTION_END_SERVER) ||
1042  (context->version >= TLS_VERSION_1_3 &&
1043  context->entity == TLS_CONNECTION_END_CLIENT))
1044  {
1045  //This flag tells whether the certificate is acceptable
1046  acceptable = TRUE;
1047 
1048  //Filter out certificates with unsupported type
1049  if(certTypes != NULL)
1050  {
1051  //Loop through the list of supported certificate types
1052  for(i = 0, acceptable = FALSE; i < numCertTypes && !acceptable; i++)
1053  {
1054  //Check whether the certificate type is acceptable
1055  if(certTypes[i] == TLS_CERT_ECDSA_SIGN)
1056  {
1057  acceptable = TRUE;
1058  }
1059  }
1060  }
1061 
1062  //Filter out certificates that are not compatible with the supported
1063  //signature schemes
1064  if(acceptable && signHashAlgos != NULL)
1065  {
1066  //Retrieve the number of items in the list
1067  n = ntohs(signHashAlgos->length) / sizeof(TlsSignHashAlgo);
1068 
1069  //Loop through the list of supported hash/signature algorithm pairs
1070  for(i = 0, acceptable = FALSE; i < n && !acceptable; i++)
1071  {
1072 #if (TLS_ED25519_SUPPORT == ENABLED)
1073  //Ed25519 certificate?
1074  if(cert->type == TLS_CERT_ED25519_SIGN)
1075  {
1076  //Check whether Ed25519 signature scheme is supported
1077  if(signHashAlgos->value[i].signature == TLS_SIGN_ALGO_ED25519 &&
1078  signHashAlgos->value[i].hash == TLS_HASH_ALGO_INTRINSIC)
1079  {
1080  acceptable = TRUE;
1081  }
1082  }
1083  else
1084 #endif
1085 #if (TLS_ED448_SUPPORT == ENABLED)
1086  //Ed448 certificate?
1087  if(cert->type == TLS_CERT_ED448_SIGN)
1088  {
1089  //Check whether Ed448 signature scheme is supported
1090  if(signHashAlgos->value[i].signature == TLS_SIGN_ALGO_ED448 &&
1091  signHashAlgos->value[i].hash == TLS_HASH_ALGO_INTRINSIC)
1092  {
1093  acceptable = TRUE;
1094  }
1095  }
1096  else
1097 #endif
1098  //Unknown certificate type?
1099  {
1100  acceptable = FALSE;
1101  }
1102  }
1103  }
1104  else
1105  {
1106  //The certificate is not acceptable
1107  acceptable = FALSE;
1108  }
1109  }
1110  else
1111  {
1112  //EdDSA is not supported by TLS 1.1 and earlier
1113  acceptable = FALSE;
1114  }
1115  }
1116  else
1117 #endif
1118  //Unsupported certificate type?
1119  {
1120  //The certificate is not acceptable
1121  acceptable = FALSE;
1122  }
1123 
1124  //Filter out certificates that are signed with an unsupported algorithm
1125  if(acceptable && certSignHashAlgos != NULL)
1126  {
1127  //Retrieve the number of items in the list
1128  n = ntohs(certSignHashAlgos->length) / sizeof(TlsSignHashAlgo);
1129 
1130  //Loop through the list of supported hash/signature algorithm pairs
1131  for(i = 0, acceptable = FALSE; i < n && !acceptable; i++)
1132  {
1133  //The certificate must be signed using a valid hash algorithm
1134  if(certSignHashAlgos->value[i].signature == cert->signAlgo &&
1135  certSignHashAlgos->value[i].hash == cert->hashAlgo)
1136  {
1137  acceptable = TRUE;
1138  }
1139  }
1140  }
1141 
1142  //Filter out certificates that are issued by a non trusted CA
1143  if(acceptable && certAuthorities != NULL)
1144  {
1145  //Retrieve the length of the list
1146  length = ntohs(certAuthorities->length);
1147 
1148  //If the certificate authorities list is empty, then the client
1149  //may send any certificate of the appropriate type
1150  if(length > 0)
1151  {
1152  error_t error;
1153  size_t pemCertLen;
1154  const char_t *certChain;
1155  size_t certChainLen;
1156  uint8_t *derCert;
1157  size_t derCertLen;
1158  X509CertificateInfo *certInfo;
1159 
1160  //The list of acceptable certificate authorities describes the
1161  //known roots CA
1162  acceptable = FALSE;
1163 
1164  //Point to the end entity certificate
1165  certChain = cert->certChain;
1166  //Get the total length, in bytes, of the certificate chain
1167  certChainLen = cert->certChainLen;
1168 
1169  //Allocate a memory buffer to store X.509 certificate info
1170  certInfo = tlsAllocMem(sizeof(X509CertificateInfo));
1171 
1172  //Successful memory allocation?
1173  if(certInfo != NULL)
1174  {
1175  //Parse the certificate chain
1176  while(certChainLen > 0 && !acceptable)
1177  {
1178  //The first pass calculates the length of the DER-encoded
1179  //certificate
1180  error = pemImportCertificate(certChain, certChainLen, NULL,
1181  &derCertLen, &pemCertLen);
1182 
1183  //Check status code
1184  if(!error)
1185  {
1186  //Allocate a memory buffer to hold the DER-encoded certificate
1187  derCert = tlsAllocMem(derCertLen);
1188 
1189  //Successful memory allocation?
1190  if(derCert != NULL)
1191  {
1192  //The second pass decodes the PEM certificate
1193  error = pemImportCertificate(certChain, certChainLen,
1194  derCert, &derCertLen, NULL);
1195 
1196  //Check status code
1197  if(!error)
1198  {
1199  //Parse X.509 certificate
1200  error = x509ParseCertificate(derCert, derCertLen,
1201  certInfo);
1202  }
1203 
1204  //Check status code
1205  if(!error)
1206  {
1207  //Parse each distinguished name of the list
1208  for(i = 0; i < length; i += n + 2)
1209  {
1210  //Sanity check
1211  if((i + 2) > length)
1212  break;
1213 
1214  //Each distinguished name is preceded by a 2-byte
1215  //length field
1216  n = LOAD16BE(certAuthorities->value + i);
1217 
1218  //Make sure the length field is valid
1219  if((i + n + 2) > length)
1220  break;
1221 
1222  //Check if the distinguished name matches the root CA
1223  if(x509CompareName(certAuthorities->value + i + 2, n,
1224  certInfo->tbsCert.issuer.rawData,
1225  certInfo->tbsCert.issuer.rawDataLen))
1226  {
1227  acceptable = TRUE;
1228  break;
1229  }
1230  }
1231  }
1232 
1233  //Free previously allocated memory
1234  tlsFreeMem(derCert);
1235  }
1236 
1237  //Advance read pointer
1238  certChain += pemCertLen;
1239  certChainLen -= pemCertLen;
1240  }
1241  else
1242  {
1243  //No more CA certificates in the list
1244  break;
1245  }
1246  }
1247 
1248  //Free previously allocated memory
1249  tlsFreeMem(certInfo);
1250  }
1251  }
1252  }
1253 
1254  //The return value specifies whether all the criteria were matched
1255  return acceptable;
1256 }
1257 
1258 
1259 /**
1260  * @brief Verify certificate against root CAs
1261  * @param[in] context Pointer to the TLS context
1262  * @param[in] certInfo X.509 certificate to be verified
1263  * @param[in] pathLen Certificate path length
1264  * @param[in] subjectName Subject name (optional parameter)
1265  * @return Error code
1266  **/
1267 
1269  const X509CertificateInfo *certInfo, uint_t pathLen,
1270  const char_t *subjectName)
1271 {
1272  error_t error;
1273  size_t pemCertLen;
1274  const char_t *trustedCaList;
1275  size_t trustedCaListLen;
1276  uint8_t *derCert;
1277  size_t derCertLen;
1278  X509CertificateInfo *caCertInfo;
1279 
1280  //Initialize status code
1281  error = ERROR_UNKNOWN_CA;
1282 
1283  //Any registered callback?
1284  if(context->certVerifyCallback != NULL)
1285  {
1286  //Invoke user callback function
1287  error = context->certVerifyCallback(context, certInfo, pathLen,
1288  context->certVerifyParam);
1289  }
1290 
1291  //Unknown certification authority?
1292  if(error == ERROR_UNKNOWN_CA)
1293  {
1294  //Check whether the certificate should be checked against root CAs
1295  if(context->trustedCaListLen > 0)
1296  {
1297  //Point to the first trusted CA certificate
1298  trustedCaList = context->trustedCaList;
1299  //Get the total length, in bytes, of the trusted CA list
1300  trustedCaListLen = context->trustedCaListLen;
1301 
1302  //Allocate a memory buffer to store X.509 certificate info
1303  caCertInfo = tlsAllocMem(sizeof(X509CertificateInfo));
1304 
1305  //Successful memory allocation?
1306  if(caCertInfo != NULL)
1307  {
1308  //Loop through the list of trusted CA certificates
1309  while(trustedCaListLen > 0 && error == ERROR_UNKNOWN_CA)
1310  {
1311  //The first pass calculates the length of the DER-encoded
1312  //certificate
1313  error = pemImportCertificate(trustedCaList, trustedCaListLen,
1314  NULL, &derCertLen, &pemCertLen);
1315 
1316  //Check status code
1317  if(!error)
1318  {
1319  //Allocate a memory buffer to hold the DER-encoded certificate
1320  derCert = tlsAllocMem(derCertLen);
1321 
1322  //Successful memory allocation?
1323  if(derCert != NULL)
1324  {
1325  //The second pass decodes the PEM certificate
1326  error = pemImportCertificate(trustedCaList,
1327  trustedCaListLen, derCert, &derCertLen, NULL);
1328 
1329  //Check status code
1330  if(!error)
1331  {
1332  //Parse X.509 certificate
1333  error = x509ParseCertificate(derCert, derCertLen,
1334  caCertInfo);
1335  }
1336 
1337  //Check status code
1338  if(!error)
1339  {
1340  //Validate the certificate with the current CA
1341  error = x509ValidateCertificate(certInfo, caCertInfo,
1342  pathLen);
1343  }
1344 
1345  //Check status code
1346  if(!error)
1347  {
1348  //Check name constraints
1349  error = x509CheckNameConstraints(subjectName, caCertInfo);
1350  }
1351 
1352  //Check status code
1353  if(!error)
1354  {
1355  //The certificate is issued by a trusted CA
1356  error = NO_ERROR;
1357  }
1358  else
1359  {
1360  //The certificate cannot be matched with the current CA
1361  error = ERROR_UNKNOWN_CA;
1362  }
1363 
1364  //Free previously allocated memory
1365  tlsFreeMem(derCert);
1366  }
1367  else
1368  {
1369  //Failed to allocate memory
1370  error = ERROR_OUT_OF_MEMORY;
1371  }
1372 
1373  //Advance read pointer
1374  trustedCaList += pemCertLen;
1375  trustedCaListLen -= pemCertLen;
1376  }
1377  else
1378  {
1379  //No more CA certificates in the list
1380  trustedCaListLen = 0;
1381  error = ERROR_UNKNOWN_CA;
1382  }
1383  }
1384 
1385  //Free previously allocated memory
1386  tlsFreeMem(caCertInfo);
1387  }
1388  else
1389  {
1390  //Failed to allocate memory
1391  error = ERROR_OUT_OF_MEMORY;
1392  }
1393  }
1394  else
1395  {
1396  //Do not check the certificate against root CAs
1397  error = NO_ERROR;
1398  }
1399  }
1400 
1401  //Return status code
1402  return error;
1403 }
1404 
1405 
1406 /**
1407  * @brief Retrieve the certificate type
1408  * @param[in] certInfo X.509 certificate
1409  * @param[out] certType Certificate type
1410  * @param[out] certSignAlgo Signature algorithm that has been used to sign the certificate
1411  * @param[out] certHashAlgo Hash algorithm that has been used to sign the certificate
1412  * @param[out] namedCurve Elliptic curve (only for ECDSA certificates)
1413  * @return Error code
1414  **/
1415 
1417  TlsCertificateType *certType, TlsSignatureAlgo *certSignAlgo,
1418  TlsHashAlgo *certHashAlgo, TlsNamedGroup *namedCurve)
1419 {
1420  size_t oidLen;
1421  const uint8_t *oid;
1422 
1423  //Check parameters
1424  if(certInfo == NULL || certType == NULL || certSignAlgo == NULL ||
1425  certHashAlgo == NULL || namedCurve == NULL)
1426  {
1427  //Report an error
1428  return ERROR_INVALID_PARAMETER;
1429  }
1430 
1431  //Point to the public key identifier
1432  oid = certInfo->tbsCert.subjectPublicKeyInfo.oid;
1433  oidLen = certInfo->tbsCert.subjectPublicKeyInfo.oidLen;
1434 
1435 #if (TLS_RSA_SIGN_SUPPORT == ENABLED || TLS_RSA_PSS_SIGN_SUPPORT == ENABLED)
1436  //RSA public key?
1437  if(!oidComp(oid, oidLen, RSA_ENCRYPTION_OID, sizeof(RSA_ENCRYPTION_OID)))
1438  {
1439  //Save certificate type
1440  *certType = TLS_CERT_RSA_SIGN;
1441  //No named curve applicable
1442  *namedCurve = TLS_GROUP_NONE;
1443  }
1444  else
1445 #endif
1446 #if (TLS_RSA_PSS_SIGN_SUPPORT == ENABLED)
1447  //RSA-PSS public key?
1448  if(!oidComp(oid, oidLen, RSASSA_PSS_OID, sizeof(RSASSA_PSS_OID)))
1449  {
1450  //Save certificate type
1451  *certType = TLS_CERT_RSA_PSS_SIGN;
1452  //No named curve applicable
1453  *namedCurve = TLS_GROUP_NONE;
1454  }
1455  else
1456 #endif
1457 #if (TLS_DSA_SIGN_SUPPORT == ENABLED)
1458  //DSA public key?
1459  if(!oidComp(oid, oidLen, DSA_OID, sizeof(DSA_OID)))
1460  {
1461  //Save certificate type
1462  *certType = TLS_CERT_DSS_SIGN;
1463  //No named curve applicable
1464  *namedCurve = TLS_GROUP_NONE;
1465  }
1466  else
1467 #endif
1468 #if (TLS_ECDSA_SIGN_SUPPORT == ENABLED)
1469  //EC public key?
1470  if(!oidComp(oid, oidLen, EC_PUBLIC_KEY_OID, sizeof(EC_PUBLIC_KEY_OID)))
1471  {
1472  const X509EcParameters *params;
1473 
1474  //Point to the EC parameters
1475  params = &certInfo->tbsCert.subjectPublicKeyInfo.ecParams;
1476 
1477  //Save certificate type
1478  *certType = TLS_CERT_ECDSA_SIGN;
1479  //Retrieve the named curve that has been used to generate the EC public key
1480  *namedCurve = tlsGetNamedCurve(params->namedCurve, params->namedCurveLen);
1481  }
1482  else
1483 #endif
1484 #if (TLS_EDDSA_SIGN_SUPPORT == ENABLED)
1485  //Ed25519 public key?
1486  if(!oidComp(oid, oidLen, ED25519_OID, sizeof(ED25519_OID)))
1487  {
1488  //Save certificate type
1489  *certType = TLS_CERT_ED25519_SIGN;
1490  //No named curve applicable
1491  *namedCurve = TLS_GROUP_NONE;
1492  }
1493  else
1494  //Ed448 public key?
1495  if(!oidComp(oid, oidLen, ED448_OID, sizeof(ED448_OID)))
1496  {
1497  //Save certificate type
1498  *certType = TLS_CERT_ED448_SIGN;
1499  //No named curve applicable
1500  *namedCurve = TLS_GROUP_NONE;
1501  }
1502  else
1503 #endif
1504  //Invalid public key?
1505  {
1506  //The certificate does not contain any valid public key
1507  return ERROR_BAD_CERTIFICATE;
1508  }
1509 
1510  //Point to the signature algorithm
1511  oid = certInfo->signatureAlgo.oid;
1512  oidLen = certInfo->signatureAlgo.oidLen;
1513 
1514  //Retrieve the signature algorithm that has been used to sign the certificate
1515  if(oid == NULL || oidLen == 0)
1516  {
1517  //Invalid certificate
1518  return ERROR_BAD_CERTIFICATE;
1519  }
1520 #if (TLS_RSA_SIGN_SUPPORT == ENABLED || TLS_RSA_PSS_SIGN_SUPPORT == ENABLED)
1521  else if(!oidComp(oid, oidLen, MD5_WITH_RSA_ENCRYPTION_OID,
1522  sizeof(MD5_WITH_RSA_ENCRYPTION_OID)))
1523  {
1524  //MD5 with RSA signature algorithm
1525  *certSignAlgo = TLS_SIGN_ALGO_RSA;
1526  *certHashAlgo = TLS_HASH_ALGO_MD5;
1527  }
1528  else if(!oidComp(oid, oidLen, SHA1_WITH_RSA_ENCRYPTION_OID,
1530  {
1531  //SHA-1 with RSA signature algorithm
1532  *certSignAlgo = TLS_SIGN_ALGO_RSA;
1533  *certHashAlgo = TLS_HASH_ALGO_SHA1;
1534  }
1535  else if(!oidComp(oid, oidLen, SHA256_WITH_RSA_ENCRYPTION_OID,
1537  {
1538  //SHA-256 with RSA signature algorithm
1539  *certSignAlgo = TLS_SIGN_ALGO_RSA;
1540  *certHashAlgo = TLS_HASH_ALGO_SHA256;
1541  }
1542  else if(!oidComp(oid, oidLen, SHA384_WITH_RSA_ENCRYPTION_OID,
1544  {
1545  //SHA-384 with RSA signature algorithm
1546  *certSignAlgo = TLS_SIGN_ALGO_RSA;
1547  *certHashAlgo = TLS_HASH_ALGO_SHA384;
1548  }
1549  else if(!oidComp(oid, oidLen, SHA512_WITH_RSA_ENCRYPTION_OID,
1551  {
1552  //SHA-512 with RSA signature algorithm
1553  *certSignAlgo = TLS_SIGN_ALGO_RSA;
1554  *certHashAlgo = TLS_HASH_ALGO_SHA512;
1555  }
1556 #endif
1557 #if (TLS_RSA_PSS_SIGN_SUPPORT == ENABLED && X509_RSA_PSS_SUPPORT == ENABLED)
1558  else if(!oidComp(oid, oidLen, RSASSA_PSS_OID,
1559  sizeof(RSASSA_PSS_OID)))
1560  {
1561  size_t hashAlgoLen;
1562  const uint8_t *hashAlgo;
1563 
1564  //Get the OID of the hash algorithm
1565  hashAlgo = certInfo->signatureAlgo.rsaPssParams.hashAlgo;
1566  hashAlgoLen = certInfo->signatureAlgo.rsaPssParams.hashAlgoLen;
1567 
1568 #if (TLS_SHA256_SUPPORT == ENABLED)
1569  //SHA-256 hash algorithm identifier?
1570  if(!oidComp(hashAlgo, hashAlgoLen, SHA256_OID, sizeof(SHA256_OID)))
1571  {
1572  //RSA-PSS with SHA-256 signature algorithm
1573  *certSignAlgo = TLS_SIGN_ALGO_RSA_PSS_PSS_SHA256;
1574  *certHashAlgo = TLS_HASH_ALGO_INTRINSIC;
1575  }
1576  else
1577 #endif
1578 #if (TLS_SHA384_SUPPORT == ENABLED)
1579  //SHA-384 hash algorithm identifier?
1580  if(!oidComp(hashAlgo, hashAlgoLen, SHA384_OID, sizeof(SHA384_OID)))
1581  {
1582  //RSA-PSS with SHA-384 signature algorithm
1583  *certSignAlgo = TLS_SIGN_ALGO_RSA_PSS_PSS_SHA384;
1584  *certHashAlgo = TLS_HASH_ALGO_INTRINSIC;
1585  }
1586  else
1587 #endif
1588 #if (TLS_SHA512_SUPPORT == ENABLED)
1589  //SHA-512 hash algorithm identifier?
1590  if(!oidComp(hashAlgo, hashAlgoLen, SHA512_OID, sizeof(SHA512_OID)))
1591  {
1592  //RSA-PSS with SHA-512 signature algorithm
1593  *certSignAlgo = TLS_SIGN_ALGO_RSA_PSS_PSS_SHA512;
1594  *certHashAlgo = TLS_HASH_ALGO_INTRINSIC;
1595  }
1596  else
1597 #endif
1598  //Unknown hash algorithm identifier?
1599  {
1600  //The signature algorithm is not supported
1601  return ERROR_BAD_CERTIFICATE;
1602  }
1603  }
1604 #endif
1605 #if (TLS_DSA_SIGN_SUPPORT == ENABLED)
1606  else if(!oidComp(oid, oidLen, DSA_WITH_SHA1_OID,
1607  sizeof(DSA_WITH_SHA1_OID)))
1608  {
1609  //DSA with SHA-1 signature algorithm
1610  *certSignAlgo = TLS_SIGN_ALGO_DSA;
1611  *certHashAlgo = TLS_HASH_ALGO_SHA1;
1612  }
1613  else if(!oidComp(oid, oidLen, DSA_WITH_SHA224_OID,
1614  sizeof(DSA_WITH_SHA224_OID)))
1615  {
1616  //DSA with SHA-224 signature algorithm
1617  *certSignAlgo = TLS_SIGN_ALGO_DSA;
1618  *certHashAlgo = TLS_HASH_ALGO_SHA224;
1619  }
1620  else if(!oidComp(oid, oidLen, DSA_WITH_SHA256_OID,
1621  sizeof(DSA_WITH_SHA256_OID)))
1622  {
1623  //DSA with SHA-256 signature algorithm
1624  *certSignAlgo = TLS_SIGN_ALGO_DSA;
1625  *certHashAlgo = TLS_HASH_ALGO_SHA256;
1626  }
1627 #endif
1628 #if (TLS_ECDSA_SIGN_SUPPORT == ENABLED)
1629  else if(!oidComp(oid, oidLen, ECDSA_WITH_SHA1_OID,
1630  sizeof(ECDSA_WITH_SHA1_OID)))
1631  {
1632  //ECDSA with SHA-1 signature algorithm
1633  *certSignAlgo = TLS_SIGN_ALGO_ECDSA;
1634  *certHashAlgo = TLS_HASH_ALGO_SHA1;
1635  }
1636  else if(!oidComp(oid, oidLen, ECDSA_WITH_SHA224_OID,
1637  sizeof(ECDSA_WITH_SHA224_OID)))
1638  {
1639  //ECDSA with SHA-224 signature algorithm
1640  *certSignAlgo = TLS_SIGN_ALGO_ECDSA;
1641  *certHashAlgo = TLS_HASH_ALGO_SHA224;
1642  }
1643  else if(!oidComp(oid, oidLen, ECDSA_WITH_SHA256_OID,
1644  sizeof(ECDSA_WITH_SHA256_OID)))
1645  {
1646  //ECDSA with SHA-256 signature algorithm
1647  *certSignAlgo = TLS_SIGN_ALGO_ECDSA;
1648  *certHashAlgo = TLS_HASH_ALGO_SHA256;
1649  }
1650  else if(!oidComp(oid, oidLen, ECDSA_WITH_SHA384_OID,
1651  sizeof(ECDSA_WITH_SHA384_OID)))
1652  {
1653  //ECDSA with SHA-384 signature algorithm
1654  *certSignAlgo = TLS_SIGN_ALGO_ECDSA;
1655  *certHashAlgo = TLS_HASH_ALGO_SHA384;
1656  }
1657  else if(!oidComp(oid, oidLen, ECDSA_WITH_SHA512_OID,
1658  sizeof(ECDSA_WITH_SHA512_OID)))
1659  {
1660  //ECDSA with SHA-512 signature algorithm
1661  *certSignAlgo = TLS_SIGN_ALGO_ECDSA;
1662  *certHashAlgo = TLS_HASH_ALGO_SHA512;
1663  }
1664 #endif
1665 #if (TLS_EDDSA_SIGN_SUPPORT == ENABLED)
1666  else if(!oidComp(oid, oidLen, ED25519_OID, sizeof(ED25519_OID)))
1667  {
1668  //Ed25519 signature algorithm
1669  *certSignAlgo = TLS_SIGN_ALGO_ED25519;
1670  *certHashAlgo = TLS_HASH_ALGO_INTRINSIC;
1671  }
1672  else if(!oidComp(oid, oidLen, ED448_OID, sizeof(ED448_OID)))
1673  {
1674  //Ed448 signature algorithm
1675  *certSignAlgo = TLS_SIGN_ALGO_ED448;
1676  *certHashAlgo = TLS_HASH_ALGO_INTRINSIC;
1677  }
1678 #endif
1679  else
1680  {
1681  //The signature algorithm is not supported
1682  return ERROR_BAD_CERTIFICATE;
1683  }
1684 
1685  //X.509 certificate successfully parsed
1686  return NO_ERROR;
1687 }
1688 
1689 
1690 /**
1691  * @brief Extract the subject public key from the received certificate
1692  * @param[in] context Pointer to the TLS context
1693  * @param[in] subjectPublicKeyInfo Pointer to the subject's public key
1694  * @return Error code
1695  **/
1696 
1698  const X509SubjectPublicKeyInfo *subjectPublicKeyInfo)
1699 {
1700  error_t error;
1701  size_t oidLen;
1702  const uint8_t *oid;
1703 
1704  //Retrieve public key identifier
1705  oid = subjectPublicKeyInfo->oid;
1706  oidLen = subjectPublicKeyInfo->oidLen;
1707 
1708 #if (TLS_RSA_SIGN_SUPPORT == ENABLED || TLS_RSA_PSS_SIGN_SUPPORT == ENABLED)
1709  //RSA public key?
1710  if(!oidComp(oid, oidLen, RSA_ENCRYPTION_OID, sizeof(RSA_ENCRYPTION_OID)) ||
1711  !oidComp(oid, oidLen, RSASSA_PSS_OID, sizeof(RSASSA_PSS_OID)))
1712  {
1713  uint_t k;
1714 
1715  //Import the RSA public key
1716  error = x509ImportRsaPublicKey(subjectPublicKeyInfo,
1717  &context->peerRsaPublicKey);
1718 
1719  //Check status code
1720  if(!error)
1721  {
1722  //Get the length of the modulus, in bits
1723  k = mpiGetBitLength(&context->peerRsaPublicKey.n);
1724 
1725  //Applications should also enforce minimum and maximum key sizes (refer
1726  //to RFC 8446, appendix C.2)
1727  if(k < TLS_MIN_RSA_MODULUS_SIZE || k > TLS_MAX_RSA_MODULUS_SIZE)
1728  {
1729  //Report an error
1730  error = ERROR_BAD_CERTIFICATE;
1731  }
1732  }
1733 
1734  //Check status code
1735  if(!error)
1736  {
1737  //RSA or RSA-PSS certificate?
1738  if(!oidComp(oid, oidLen, RSA_ENCRYPTION_OID, sizeof(RSA_ENCRYPTION_OID)))
1739  {
1740  //The certificate contains a valid RSA public key
1741  context->peerCertType = TLS_CERT_RSA_SIGN;
1742  }
1743  else if(!oidComp(oid, oidLen, RSASSA_PSS_OID, sizeof(RSASSA_PSS_OID)))
1744  {
1745  //The certificate contains a valid RSA-PSS public key
1746  context->peerCertType = TLS_CERT_RSA_PSS_SIGN;
1747  }
1748  else
1749  {
1750  //Just for sanity
1751  error = ERROR_BAD_CERTIFICATE;
1752  }
1753  }
1754  }
1755  else
1756 #endif
1757 #if (TLS_DSA_SIGN_SUPPORT == ENABLED)
1758  //DSA public key?
1759  if(!oidComp(oid, oidLen, DSA_OID, sizeof(DSA_OID)))
1760  {
1761  uint_t k;
1762 
1763  //Import the DSA public key
1764  error = x509ImportDsaPublicKey(subjectPublicKeyInfo,
1765  &context->peerDsaPublicKey);
1766 
1767  //Check status code
1768  if(!error)
1769  {
1770  //Get the length of the prime modulus, in bits
1771  k = mpiGetBitLength(&context->peerDsaPublicKey.p);
1772 
1773  //Make sure the prime modulus is acceptable
1774  if(k < TLS_MIN_DSA_MODULUS_SIZE || k > TLS_MAX_DSA_MODULUS_SIZE)
1775  {
1776  //Report an error
1777  error = ERROR_BAD_CERTIFICATE;
1778  }
1779  }
1780 
1781  //Check status code
1782  if(!error)
1783  {
1784  //The certificate contains a valid DSA public key
1785  context->peerCertType = TLS_CERT_DSS_SIGN;
1786  }
1787  }
1788  else
1789 #endif
1790 #if (TLS_ECDSA_SIGN_SUPPORT == ENABLED)
1791  //EC public key?
1792  if(!oidComp(oid, oidLen, EC_PUBLIC_KEY_OID, sizeof(EC_PUBLIC_KEY_OID)))
1793  {
1794  const EcCurveInfo *curveInfo;
1795 
1796  //Retrieve EC domain parameters
1797  curveInfo = x509GetCurveInfo(subjectPublicKeyInfo->ecParams.namedCurve,
1798  subjectPublicKeyInfo->ecParams.namedCurveLen);
1799 
1800  //Make sure the specified elliptic curve is supported
1801  if(curveInfo != NULL)
1802  {
1803  //Load EC domain parameters
1804  error = ecLoadDomainParameters(&context->peerEcParams, curveInfo);
1805 
1806  //Check status code
1807  if(!error)
1808  {
1809  //Retrieve the EC public key
1810  error = ecImport(&context->peerEcParams, &context->peerEcPublicKey,
1811  subjectPublicKeyInfo->ecPublicKey.q, subjectPublicKeyInfo->ecPublicKey.qLen);
1812  }
1813  }
1814  else
1815  {
1816  //The specified elliptic curve is not supported
1817  error = ERROR_BAD_CERTIFICATE;
1818  }
1819 
1820  //Check status code
1821  if(!error)
1822  {
1823  //The certificate contains a valid EC public key
1824  context->peerCertType = TLS_CERT_ECDSA_SIGN;
1825  }
1826  }
1827  else
1828 #endif
1829 #if (TLS_EDDSA_SIGN_SUPPORT == ENABLED)
1830  //Ed25519 or Ed448 public key?
1831  if(!oidComp(oid, oidLen, ED25519_OID, sizeof(ED25519_OID)) ||
1832  !oidComp(oid, oidLen, ED448_OID, sizeof(ED448_OID)))
1833  {
1834  const EcCurveInfo *curveInfo;
1835 
1836  //Retrieve EC domain parameters
1837  curveInfo = x509GetCurveInfo(oid, oidLen);
1838 
1839  //Make sure the specified elliptic curve is supported
1840  if(curveInfo != NULL)
1841  {
1842  //Load EC domain parameters
1843  error = ecLoadDomainParameters(&context->peerEcParams, curveInfo);
1844 
1845  //Check status code
1846  if(!error)
1847  {
1848  //Retrieve the EC public key
1849  error = ecImport(&context->peerEcParams, &context->peerEcPublicKey,
1850  subjectPublicKeyInfo->ecPublicKey.q, subjectPublicKeyInfo->ecPublicKey.qLen);
1851  }
1852  }
1853  else
1854  {
1855  //The specified elliptic curve is not supported
1856  error = ERROR_BAD_CERTIFICATE;
1857  }
1858 
1859  //Check status code
1860  if(!error)
1861  {
1862  //Ed25519 or Ed448 certificate?
1863  if(!oidComp(oid, oidLen, ED25519_OID, sizeof(ED25519_OID)))
1864  {
1865  //The certificate contains a valid Ed25519 public key
1866  context->peerCertType = TLS_CERT_ED25519_SIGN;
1867  }
1868  else if(!oidComp(oid, oidLen, ED448_OID, sizeof(ED448_OID)))
1869  {
1870  //The certificate contains a valid Ed448 public key
1871  context->peerCertType = TLS_CERT_ED448_SIGN;
1872  }
1873  else
1874  {
1875  //Just for sanity
1876  error = ERROR_BAD_CERTIFICATE;
1877  }
1878  }
1879  }
1880  else
1881 #endif
1882  //Invalid public key?
1883  {
1884  //The certificate does not contain any valid public key
1886  }
1887 
1888 #if (TLS_CLIENT_SUPPORT == ENABLED)
1889  //Check status code
1890  if(!error)
1891  {
1892  //Client mode?
1893  if(context->entity == TLS_CONNECTION_END_CLIENT)
1894  {
1895  //Check key exchange method
1896  if(context->keyExchMethod == TLS_KEY_EXCH_RSA ||
1897  context->keyExchMethod == TLS_KEY_EXCH_DHE_RSA ||
1898  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_RSA ||
1899  context->keyExchMethod == TLS_KEY_EXCH_RSA_PSK)
1900  {
1901  //The client expects a valid RSA certificate whenever the agreed-
1902  //upon key exchange method uses RSA certificates for authentication
1903  if(context->peerCertType != TLS_CERT_RSA_SIGN &&
1904  context->peerCertType != TLS_CERT_RSA_PSS_SIGN)
1905  {
1907  }
1908  }
1909  else if(context->keyExchMethod == TLS_KEY_EXCH_DHE_DSS)
1910  {
1911  //The client expects a valid DSA certificate whenever the agreed-
1912  //upon key exchange method uses DSA certificates for authentication
1913  if(context->peerCertType != TLS_CERT_DSS_SIGN)
1914  {
1916  }
1917  }
1918  else if(context->keyExchMethod == TLS_KEY_EXCH_ECDHE_ECDSA)
1919  {
1920  //The client expects a valid ECDSA certificate whenever the agreed-
1921  //upon key exchange method uses ECDSA certificates for authentication
1922  if(context->peerCertType != TLS_CERT_ECDSA_SIGN &&
1923  context->peerCertType != TLS_CERT_ED25519_SIGN &&
1924  context->peerCertType != TLS_CERT_ED448_SIGN)
1925  {
1927  }
1928  }
1929  else if(context->keyExchMethod == TLS13_KEY_EXCH_DHE ||
1930  context->keyExchMethod == TLS13_KEY_EXCH_ECDHE)
1931  {
1932  //TLS 1.3 removes support for DSA certificates
1933  if(context->peerCertType != TLS_CERT_RSA_SIGN &&
1934  context->peerCertType != TLS_CERT_RSA_PSS_SIGN &&
1935  context->peerCertType != TLS_CERT_ECDSA_SIGN &&
1936  context->peerCertType != TLS_CERT_ED25519_SIGN &&
1937  context->peerCertType != TLS_CERT_ED448_SIGN)
1938  {
1940  }
1941  }
1942  else
1943  {
1944  //Just for sanity
1946  }
1947  }
1948  }
1949 #endif
1950 
1951  //Return status code
1952  return error;
1953 }
1954 
1955 
1956 /**
1957  * @brief Check certificate key usage
1958  * @param[in] certInfo Pointer to the X.509 certificate
1959  * @param[in] entity Specifies whether this entity is considered a client or a server
1960  * @param[in] keyExchMethod TLS key exchange method
1961  * @return Error code
1962  **/
1963 
1965  TlsConnectionEnd entity, TlsKeyExchMethod keyExchMethod)
1966 {
1967 #if (TLS_CERT_KEY_USAGE_SUPPORT == ENABLED)
1968  error_t error;
1969  const X509KeyUsage *keyUsage;
1970  const X509ExtendedKeyUsage *extKeyUsage;
1971 
1972  //Initialize status code
1973  error = NO_ERROR;
1974 
1975  //Point to the KeyUsage extension
1976  keyUsage = &certInfo->tbsCert.extensions.keyUsage;
1977 
1978  //Check if the KeyUsage extension is present
1979  if(keyUsage->bitmap != 0)
1980  {
1981  //Check whether TLS operates as a client or a server
1982  if(entity == TLS_CONNECTION_END_CLIENT)
1983  {
1984  //Check key exchange method
1985  if(keyExchMethod == TLS_KEY_EXCH_RSA ||
1986  keyExchMethod == TLS_KEY_EXCH_RSA_PSK)
1987  {
1988  //The keyEncipherment bit must be asserted when the subject public
1989  //key is used for enciphering private or secret keys
1990  if((keyUsage->bitmap & X509_KEY_USAGE_KEY_ENCIPHERMENT) == 0)
1991  error = ERROR_BAD_CERTIFICATE;
1992  }
1993  else if(keyExchMethod == TLS_KEY_EXCH_DHE_RSA ||
1994  keyExchMethod == TLS_KEY_EXCH_DHE_DSS ||
1995  keyExchMethod == TLS_KEY_EXCH_ECDHE_RSA ||
1996  keyExchMethod == TLS_KEY_EXCH_ECDHE_ECDSA ||
1997  keyExchMethod == TLS13_KEY_EXCH_DHE ||
1998  keyExchMethod == TLS13_KEY_EXCH_ECDHE)
1999  {
2000  //The digitalSignature bit must be asserted when the subject public
2001  //key is used for verifying digital signatures, other than signatures
2002  //on certificates and CRLs
2003  if((keyUsage->bitmap & X509_KEY_USAGE_DIGITAL_SIGNATURE) == 0)
2004  error = ERROR_BAD_CERTIFICATE;
2005  }
2006  else
2007  {
2008  //Just for sanity
2009  }
2010  }
2011  else
2012  {
2013  //The digitalSignature bit must be asserted when the subject public
2014  //key is used for verifying digital signatures, other than signatures
2015  //on certificates and CRLs
2016  if((keyUsage->bitmap & X509_KEY_USAGE_DIGITAL_SIGNATURE) == 0)
2017  error = ERROR_BAD_CERTIFICATE;
2018  }
2019  }
2020 
2021  //Point to the ExtendedKeyUsage extension
2022  extKeyUsage = &certInfo->tbsCert.extensions.extKeyUsage;
2023 
2024  //Check if the ExtendedKeyUsage extension is present
2025  if(extKeyUsage->bitmap != 0)
2026  {
2027  //Check whether TLS operates as a client or a server
2028  if(entity == TLS_CONNECTION_END_CLIENT)
2029  {
2030  //Make sure the certificate can be used for server authentication
2031  if((extKeyUsage->bitmap & X509_EXT_KEY_USAGE_SERVER_AUTH) == 0)
2032  error = ERROR_BAD_CERTIFICATE;
2033  }
2034  else
2035  {
2036  //Make sure the certificate can be used for client authentication
2037  if((extKeyUsage->bitmap & X509_EXT_KEY_USAGE_CLIENT_AUTH) == 0)
2038  error = ERROR_BAD_CERTIFICATE;
2039  }
2040  }
2041 
2042  //Return status code
2043  return error;
2044 #else
2045  //Do not check key usage
2046  return NO_ERROR;
2047 #endif
2048 }
2049 
2050 #endif
#define tlsAllocMem(size)
Definition: tls.h:757
@ TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA256
Definition: tls.h:1115
@ TLS_SIGN_ALGO_DSA
Definition: tls.h:1113
TLS helper functions.
bool_t tlsIsCertificateAcceptable(TlsContext *context, const TlsCertDesc *cert, const uint8_t *certTypes, size_t numCertTypes, const TlsSignHashAlgos *signHashAlgos, const TlsSignHashAlgos *certSignHashAlgos, const TlsSupportedGroupList *curveList, const TlsCertAuthorities *certAuthorities)
Check whether a certificate is acceptable.
X.509 certificate parsing.
uint8_t length
Definition: dtls_misc.h:149
const uint8_t * oid
Definition: x509_common.h:698
const uint8_t * oid
Definition: x509_common.h:878
int bool_t
Definition: compiler_port.h:49
#define SHA512_OID
Definition: sha512.h:44
const uint8_t DSA_WITH_SHA224_OID[9]
Definition: dsa.c:55
const EcCurveInfo * x509GetCurveInfo(const uint8_t *oid, size_t length)
Get the elliptic curve that matches the specified OID.
Definition: x509_common.c:860
const uint8_t MD5_WITH_RSA_ENCRYPTION_OID[9]
Definition: rsa.c:62
const uint8_t SHA512_WITH_RSA_ENCRYPTION_OID[9]
Definition: rsa.c:72
error_t x509ImportRsaPublicKey(const X509SubjectPublicKeyInfo *publicKeyInfo, RsaPublicKey *publicKey)
Import an RSA public key.
#define TLS_MAX_DSA_MODULUS_SIZE
Definition: tls.h:715
error_t ecImport(const EcDomainParameters *params, EcPoint *r, const uint8_t *data, size_t length)
Convert an octet string to an EC point.
Definition: ec.c:214
X509Extensions extensions
Definition: x509_common.h:912
error_t x509ParseSubjectPublicKeyInfo(const uint8_t *data, size_t length, size_t *totalLength, X509SubjectPublicKeyInfo *publicKeyInfo)
Parse SubjectPublicKeyInfo structure.
OID (Object Identifier)
uint8_t p
Definition: ndp.h:298
X509KeyUsage keyUsage
Definition: x509_common.h:847
TlsConnectionEnd
TLS connection end.
Definition: tls.h:859
#define TRUE
Definition: os_port.h:50
@ TLS_SIGN_ALGO_RSA_PSS_PSS_SHA384
Definition: tls.h:1121
size_t rawDataLen
Definition: x509_common.h:571
X509RsaPssParameters rsaPssParams
Definition: x509_common.h:881
const uint8_t EC_PUBLIC_KEY_OID[7]
Definition: ec.c:47
TlsHashAlgo hashAlgo
Hash algorithm used to sign the end entity certificate.
Definition: tls.h:1885
TlsCertificateType type
End entity certificate type.
Definition: tls.h:1883
X.509 certificate.
Definition: x509_common.h:920
error_t tls13ParseCertExtensions(const uint8_t *p, size_t length, size_t *consumed)
X509EcParameters ecParams
Definition: x509_common.h:708
@ TLS_HASH_ALGO_SHA1
Definition: tls.h:1096
X509ExtendedKeyUsage extKeyUsage
Definition: x509_common.h:848
error_t asn1DumpObject(const uint8_t *data, size_t length, uint_t level)
Display an ASN.1 data object.
Definition: asn1.c:690
TlsHashAlgo
Hash algorithms.
Definition: tls.h:1092
@ ERROR_OUT_OF_MEMORY
Definition: error.h:63
@ TLS13_KEY_EXCH_ECDHE
Definition: tls.h:1046
@ TLS_CERT_DSS_SIGN
Definition: tls.h:1073
const uint8_t * q
Definition: x509_common.h:685
@ X509_EXT_KEY_USAGE_CLIENT_AUTH
Definition: x509_common.h:423
@ ERROR_UNSUPPORTED_CERTIFICATE
Definition: error.h:231
@ TLS_SIGN_ALGO_RSA_PSS_PSS_SHA512
Definition: tls.h:1122
error_t tlsReadSubjectPublicKey(TlsContext *context, const X509SubjectPublicKeyInfo *subjectPublicKeyInfo)
Extract the subject public key from the received certificate.
const uint8_t RSASSA_PSS_OID[9]
Definition: rsa.c:88
const uint8_t ECDSA_WITH_SHA256_OID[8]
Definition: ecdsa.c:49
int_t oidComp(const uint8_t *oid1, size_t oidLen1, const uint8_t *oid2, size_t oidLen2)
Compare object identifiers.
Definition: oid.c:101
@ TLS_SIGN_ALGO_ED448
Definition: tls.h:1119
@ TLS_HASH_ALGO_NONE
Definition: tls.h:1094
@ TLS_HASH_ALGO_SHA224
Definition: tls.h:1097
@ TLS_KEY_EXCH_RSA
Definition: tls.h:1027
const uint8_t DSA_OID[7]
Definition: dsa.c:51
bool_t x509CompareName(const uint8_t *name1, size_t nameLen1, const uint8_t *name2, size_t nameLen2)
Compare distinguished names.
#define SHA256_OID
Definition: sha256.h:44
const uint8_t SHA384_WITH_RSA_ENCRYPTION_OID[9]
Definition: rsa.c:70
error_t x509CheckNameConstraints(const char_t *subjectName, const X509CertificateInfo *certInfo)
Check name constraints.
error_t tlsCheckKeyUsage(const X509CertificateInfo *certInfo, TlsConnectionEnd entity, TlsKeyExchMethod keyExchMethod)
Check certificate key usage.
@ TLS_HASH_ALGO_SHA512
Definition: tls.h:1100
@ TLS_KEY_EXCH_ECDHE_ECDSA
Definition: tls.h:1036
error_t ecLoadDomainParameters(EcDomainParameters *params, const EcCurveInfo *curveInfo)
Load EC domain parameters.
Definition: ec.c:93
@ TLS_KEY_EXCH_ECDHE_RSA
Definition: tls.h:1034
size_t certChainLen
Length of the certificate chain.
Definition: tls.h:1880
#define FALSE
Definition: os_port.h:46
error_t pemImportCertificate(const char_t *input, size_t inputLen, uint8_t *output, size_t *outputLen, size_t *consumed)
Decode a PEM file containing a certificate.
Definition: pem_import.c:60
Elliptic curve parameters.
Definition: ec_curves.h:292
PEM file import functions.
@ ERROR_INVALID_PARAMETER
Invalid parameter.
Definition: error.h:47
__start_packed struct @65 TlsSignHashAlgos
List of signature algorithms.
error_t x509ImportDsaPublicKey(const X509SubjectPublicKeyInfo *publicKeyInfo, DsaPublicKey *publicKey)
Import a DSA public key.
#define TlsContext
Definition: tls.h:36
error_t
Error codes.
Definition: error.h:42
EC parameters.
Definition: x509_common.h:672
@ TLS_CERT_ED25519_SIGN
Definition: tls.h:1083
@ TLS_CONNECTION_END_SERVER
Definition: tls.h:862
TlsKeyExchMethod
Key exchange methods.
Definition: tls.h:1024
Extended key usage.
Definition: x509_common.h:755
#define TLS_VERSION_1_2
Definition: tls.h:94
@ TLS_GROUP_NONE
Definition: tls.h:1207
const uint8_t * rawData
Definition: x509_common.h:696
X509Version version
Definition: x509_common.h:905
@ TLS13_KEY_EXCH_DHE
Definition: tls.h:1045
@ TLS_HASH_ALGO_INTRINSIC
Definition: tls.h:1101
#define TLS_VERSION_1_3
Definition: tls.h:95
@ TLS_HASH_ALGO_SHA384
Definition: tls.h:1099
__start_packed struct @67 TlsCertAuthorities
List of certificate authorities.
@ TLS_CERT_RSA_PSS_SIGN
Definition: tls.h:1082
@ X509_VERSION_3
Definition: x509_common.h:394
const uint8_t ECDSA_WITH_SHA384_OID[8]
Definition: ecdsa.c:51
uint8_t oid[1]
Definition: mib_common.h:186
@ ERROR_BAD_CERTIFICATE
Definition: error.h:230
@ TLS_SIGN_ALGO_ED25519
Definition: tls.h:1118
@ TLS_HASH_ALGO_SHA256
Definition: tls.h:1098
@ TLS_CERT_ED448_SIGN
Definition: tls.h:1084
error_t tlsFormatRawPublicKey(TlsContext *context, uint8_t *p, size_t *written)
Format raw public key.
@ X509_EXT_KEY_USAGE_SERVER_AUTH
Definition: x509_common.h:422
@ TLS_CERT_RSA_SIGN
Definition: tls.h:1072
@ X509_KEY_USAGE_DIGITAL_SIGNATURE
Definition: x509_common.h:404
const uint8_t * rawData
Definition: x509_common.h:570
TlsNamedGroup tlsGetNamedCurve(const uint8_t *oid, size_t length)
Get the named curve that matches the specified OID.
Definition: tls_misc.c:1036
size_t namedCurveLen
Definition: x509_common.h:675
@ ERROR_MESSAGE_TOO_LONG
Definition: error.h:134
uint16_t bitmap
Definition: x509_common.h:747
error_t tlsValidateCertificate(TlsContext *context, const X509CertificateInfo *certInfo, uint_t pathLen, const char_t *subjectName)
Verify certificate against root CAs.
const uint8_t ECDSA_WITH_SHA1_OID[7]
Definition: ecdsa.c:45
const uint8_t ECDSA_WITH_SHA224_OID[8]
Definition: ecdsa.c:47
const uint8_t SHA256_WITH_RSA_ENCRYPTION_OID[9]
Definition: rsa.c:68
TlsCertificateType
Certificate types.
Definition: tls.h:1069
const uint8_t ED448_OID[3]
Definition: ec_curves.c:98
error_t tlsFormatCertificateList(TlsContext *context, uint8_t *p, size_t *written)
Format certificate chain.
uint_t mpiGetBitLength(const Mpi *a)
Get the actual length in bits.
Definition: mpi.c:195
@ TLS_HASH_ALGO_MD5
Definition: tls.h:1095
Certificate descriptor.
Definition: tls.h:1877
const uint8_t ECDSA_WITH_SHA512_OID[8]
Definition: ecdsa.c:53
const uint8_t ED25519_OID[3]
Definition: ec_curves.c:96
const uint8_t RSA_ENCRYPTION_OID[9]
Definition: rsa.c:57
@ TLS_KEY_EXCH_RSA_PSK
Definition: tls.h:1039
#define ntohs(value)
Definition: cpu_endian.h:398
#define TRACE_WARNING(...)
Definition: debug.h:84
error_t tlsParseCertificateList(TlsContext *context, const uint8_t *p, size_t length)
Parse certificate chain.
TlsSignatureAlgo signAlgo
Signature algorithm used to sign the end entity certificate.
Definition: tls.h:1884
char char_t
Definition: compiler_port.h:43
#define TLS_VERSION_1_1
Definition: tls.h:93
__start_packed struct @64 TlsSignHashAlgo
Signature algorithm.
error_t tlsParseRawPublicKey(TlsContext *context, const uint8_t *p, size_t length)
Parse raw public key.
uint8_t m
Definition: ndp.h:302
uint8_t n
Subject public key information.
Definition: x509_common.h:694
@ TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA512
Definition: tls.h:1117
@ TLS_SIGN_ALGO_RSA_PSS_PSS_SHA256
Definition: tls.h:1120
#define TLS_MAX_RSA_MODULUS_SIZE
Definition: tls.h:701
#define LOAD24BE(p)
Definition: cpu_endian.h:181
TlsSignatureAlgo
Signature algorithms.
Definition: tls.h:1109
const uint8_t DSA_WITH_SHA1_OID[7]
Definition: dsa.c:53
@ TLS_CONNECTION_END_CLIENT
Definition: tls.h:861
const uint8_t DSA_WITH_SHA256_OID[9]
Definition: dsa.c:57
Certificate handling.
__start_packed struct @75 TlsSupportedGroupList
List of supported groups.
const EcCurveInfo * tlsGetCurveInfo(TlsContext *context, uint16_t namedCurve)
Get the EC domain parameters that match the specified named curve.
Definition: tls_misc.c:890
TLS (Transport Layer Security)
@ TLS_SIGN_ALGO_RSA
Definition: tls.h:1112
error_t x509ValidateCertificate(const X509CertificateInfo *certInfo, const X509CertificateInfo *issuerCertInfo, uint_t pathLen)
X.509 certificate validation.
X.509 certificate validation.
#define STORE24BE(a, p)
Definition: cpu_endian.h:257
@ TLS_CERT_ECDSA_SIGN
Definition: tls.h:1079
@ TLS_KEY_EXCH_DHE_DSS
Definition: tls.h:1031
@ ERROR_UNKNOWN_CA
Definition: error.h:234
error_t x509ParseCertificate(const uint8_t *data, size_t length, X509CertificateInfo *certInfo)
Parse a X.509 certificate.
X509SignatureAlgoId signatureAlgo
Definition: x509_common.h:923
const char_t * certChain
End entity certificate chain (PEM format)
Definition: tls.h:1879
Parsing of ASN.1 encoded keys.
TlsNamedGroup
Named groups.
Definition: tls.h:1205
@ ERROR_DECODING_FAILED
Definition: error.h:235
unsigned int uint_t
Definition: compiler_port.h:45
#define LOAD16BE(p)
Definition: cpu_endian.h:170
#define tlsFreeMem(p)
Definition: tls.h:762
@ X509_KEY_USAGE_KEY_ENCIPHERMENT
Definition: x509_common.h:406
X509EcPublicKey ecPublicKey
Definition: x509_common.h:709
X509SubjectPublicKeyInfo subjectPublicKeyInfo
Definition: x509_common.h:911
@ TLS_SIGN_ALGO_ECDSA
Definition: tls.h:1114
@ TLS_KEY_EXCH_DHE_RSA
Definition: tls.h:1029
const uint8_t * namedCurve
Definition: x509_common.h:674
#define SHA384_OID
Definition: sha384.h:45
const uint8_t SHA1_WITH_RSA_ENCRYPTION_OID[9]
Definition: rsa.c:64
@ TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA384
Definition: tls.h:1116
TlsNamedGroup namedCurve
Named curve used to generate the EC public key.
Definition: tls.h:1886
X509TbsCertificate tbsCert
Definition: x509_common.h:922
@ NO_ERROR
Success.
Definition: error.h:44
error_t tls13FormatCertExtensions(uint8_t *p, size_t *written)
Debugging facilities.
ASN.1 (Abstract Syntax Notation One)
const uint8_t * hashAlgo
Definition: x509_common.h:862
Key usage.
Definition: x509_common.h:744
error_t tlsGetCertificateType(const X509CertificateInfo *certInfo, TlsCertificateType *certType, TlsSignatureAlgo *certSignAlgo, TlsHashAlgo *certHashAlgo, TlsNamedGroup *namedCurve)
Retrieve the certificate type.
error_t x509CheckSubjectName(const X509CertificateInfo *certInfo, const char_t *fqdn)
Check whether the certificate matches the specified FQDN.