tls_certificate.c
Go to the documentation of this file.
1 /**
2  * @file tls_certificate.c
3  * @brief Certificate handling
4  *
5  * @section License
6  *
7  * Copyright (C) 2010-2018 Oryx Embedded SARL. All rights reserved.
8  *
9  * This file is part of CycloneSSL Open.
10  *
11  * This program is free software; you can redistribute it and/or
12  * modify it under the terms of the GNU General Public License
13  * as published by the Free Software Foundation; either version 2
14  * of the License, or (at your option) any later version.
15  *
16  * This program is distributed in the hope that it will be useful,
17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19  * GNU General Public License for more details.
20  *
21  * You should have received a copy of the GNU General Public License
22  * along with this program; if not, write to the Free Software Foundation,
23  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
24  *
25  * @author Oryx Embedded SARL (www.oryx-embedded.com)
26  * @version 1.9.0
27  **/
28 
29 //Switch to the appropriate trace level
30 #define TRACE_LEVEL TLS_TRACE_LEVEL
31 
32 //Dependencies
33 #include <string.h>
34 #include <ctype.h>
35 #include "tls.h"
36 #include "tls_certificate.h"
37 #include "tls_misc.h"
38 #include "encoding/asn1.h"
39 #include "encoding/oid.h"
40 #include "certificate/pem_import.h"
43 #include "debug.h"
44 
45 //Check TLS library configuration
46 #if (TLS_SUPPORT == ENABLED)
47 
48 
49 /**
50  * @brief Format certificate chain
51  * @param[in] context Pointer to the TLS context
52  * @param[in] p Output stream where to write the certificate chain
53  * @param[out] written Total number of bytes that have been written
54  * @return Error code
55  **/
56 
58  size_t *written)
59 {
60  error_t error;
61  const char_t *pemCert;
62  size_t pemCertLen;
63  uint8_t *derCert;
64  size_t derCertSize;
65  size_t derCertLen;
66 
67  //Initialize status code
68  error = NO_ERROR;
69 
70  //Length of the certificate list in bytes
71  *written = 0;
72 
73  //Check whether a certificate is available
74  if(context->cert != NULL)
75  {
76  //Point to the certificate chain
77  pemCert = context->cert->certChain;
78  //Get the total length, in bytes, of the certificate chain
79  pemCertLen = context->cert->certChainLen;
80  }
81  else
82  {
83  //If no suitable certificate is available, the message contains
84  //an empty certificate list
85  pemCert = NULL;
86  pemCertLen = 0;
87  }
88 
89  //DER encoded certificate
90  derCert = NULL;
91  derCertSize = 0;
92  derCertLen = 0;
93 
94  //Parse the certificate chain
95  while(pemCertLen > 0)
96  {
97  //Decode PEM certificate
98  error = pemImportCertificate(&pemCert, &pemCertLen,
99  &derCert, &derCertSize, &derCertLen);
100 
101  //Any error to report?
102  if(error)
103  {
104  //End of file detected
105  error = NO_ERROR;
106  break;
107  }
108 
109  //Prevent the buffer from overflowing
110  if((sizeof(TlsCertificateList) + derCertLen + 3) > context->txBufferMaxLen)
111  {
112  //Report an error
113  error = ERROR_MESSAGE_TOO_LONG;
114  break;
115  }
116 
117  //Each certificate is preceded by a 3-byte length field
118  STORE24BE(derCertLen, p);
119  //Copy the current certificate
120  memcpy(p + 3, derCert, derCertLen);
121 
122  //Advance data pointer
123  p += derCertLen + 3;
124  //Adjust the length of the certificate list
125  *written += derCertLen + 3;
126 
127 #if (TLS_MAX_VERSION >= TLS_VERSION_1_3 && TLS_MIN_VERSION <= TLS_VERSION_1_3)
128  //TLS 1.3 currently selected?
129  if(context->version == TLS_VERSION_1_3)
130  {
131  size_t n;
132 
133  //Format the list of extensions for the current CertificateEntry
134  error = tls13FormatCertExtensions(p, &n);
135  //Any error to report?
136  if(error)
137  break;
138 
139  //Advance data pointer
140  p += n;
141  //Adjust the length of the certificate list
142  *written += n;
143  }
144 #endif
145  }
146 
147  //Free previously allocated memory
148  tlsFreeMem(derCert);
149 
150  //Return status code
151  return error;
152 }
153 
154 
155 /**
156  * @brief Format raw public key
157  * @param[in] context Pointer to the TLS context
158  * @param[in] p Output stream where to write the raw public key
159  * @param[out] written Total number of bytes that have been written
160  * @return Error code
161  **/
162 
164  size_t *written)
165 {
166  error_t error;
167 
168  //Initialize status code
169  error = NO_ERROR;
170 
171  //Length of the certificate list in bytes
172  *written = 0;
173 
174 #if (TLS_RAW_PUBLIC_KEY_SUPPORT == ENABLED)
175  //Check whether a certificate is available
176  if(context->cert != NULL)
177  {
178  size_t n;
179  const char_t *pemCert;
180  size_t pemCertLen;
181  uint8_t *derCert;
182  size_t derCertSize;
183  size_t derCertLen;
184  X509CertificateInfo *certInfo;
185 
186  //Point to the certificate chain
187  pemCert = context->cert->certChain;
188  //Get the total length, in bytes, of the certificate chain
189  pemCertLen = context->cert->certChainLen;
190 
191  //DER encoded certificate
192  derCert = NULL;
193  derCertSize = 0;
194  derCertLen = 0;
195 
196  //Start of exception handling block
197  do
198  {
199  //Allocate a memory buffer to store X.509 certificate info
200  certInfo = tlsAllocMem(sizeof(X509CertificateInfo));
201  //Failed to allocate memory?
202  if(certInfo == NULL)
203  {
204  error = ERROR_OUT_OF_MEMORY;
205  break;
206  }
207 
208  //Decode end entity certificate
209  error = pemImportCertificate(&pemCert, &pemCertLen,
210  &derCert, &derCertSize, &derCertLen);
211  //Any error to report?
212  if(error)
213  break;
214 
215  //Parse X.509 certificate
216  error = x509ParseCertificate(derCert, derCertLen, certInfo);
217  //Failed to parse the X.509 certificate?
218  if(error)
219  break;
220 
221  //Retrieve the length of the raw public key
222  n = certInfo->subjectPublicKeyInfo.rawDataLen;
223 
224 #if (TLS_MAX_VERSION >= TLS_VERSION_1_3 && TLS_MIN_VERSION <= TLS_VERSION_1_3)
225  //TLS 1.3 currently selected?
226  if(context->version == TLS_VERSION_1_3)
227  {
228  //The raw public key is preceded by a 3-byte length field
229  STORE24BE(n, p);
230  //Copy the raw public key
231  memcpy(p + 3, certInfo->subjectPublicKeyInfo.rawData, n);
232 
233  //Advance data pointer
234  p += n + 3;
235  //Adjust the length of the certificate list
236  *written += n + 3;
237 
238  //Format the list of extensions for the current CertificateEntry
239  error = tls13FormatCertExtensions(p, &n);
240  //Any error to report?
241  if(error)
242  break;
243 
244  //Advance data pointer
245  p += n;
246  //Adjust the length of the certificate list
247  *written += n;
248  }
249  else
250 #endif
251  {
252  //Copy the raw public key
253  memcpy(p, certInfo->subjectPublicKeyInfo.rawData, n);
254 
255  //Advance data pointer
256  p += n;
257  //Adjust the length of the certificate list
258  *written += n;
259  }
260 
261  //End of exception handling block
262  } while(0);
263 
264  //Release previously allocated memory
265  tlsFreeMem(derCert);
266  tlsFreeMem(certInfo);
267  }
268 #endif
269 
270  //Return status code
271  return error;
272 }
273 
274 
275 /**
276  * @brief Parse certificate chain
277  * @param[in] context Pointer to the TLS context
278  * @param[in] p Input stream where to read the certificate chain
279  * @param[in] length Number of bytes available in the input stream
280  * @return Error code
281  **/
282 
283 error_t tlsParseCertificateList(TlsContext *context, const uint8_t *p,
284  size_t length)
285 {
286  error_t error;
287  uint_t i;
288  size_t n;
289  bool_t validCertChain;
290  const char_t *subjectName;
291  X509CertificateInfo *certInfo;
292  X509CertificateInfo *issuerCertInfo;
293 
294  //Initialize X.509 certificates
295  certInfo = NULL;
296  issuerCertInfo = NULL;
297 
298  //Start of exception handling block
299  do
300  {
301  //Allocate a memory buffer to store X.509 certificate info
302  certInfo = tlsAllocMem(sizeof(X509CertificateInfo));
303  //Failed to allocate memory?
304  if(certInfo == NULL)
305  {
306  //Report an error
307  error = ERROR_OUT_OF_MEMORY;
308  break;
309  }
310 
311  //Allocate a memory buffer to store the parent certificate
312  issuerCertInfo = tlsAllocMem(sizeof(X509CertificateInfo));
313  //Failed to allocate memory?
314  if(issuerCertInfo == NULL)
315  {
316  //Report an error
317  error = ERROR_OUT_OF_MEMORY;
318  break;
319  }
320 
321  //The end-user certificate is preceded by a 3-byte length field
322  if(length < 3)
323  {
324  //Report an error
325  error = ERROR_DECODING_FAILED;
326  break;
327  }
328 
329  //Get the size occupied by the certificate
330  n = LOAD24BE(p);
331  //Jump to the beginning of the DER encoded certificate
332  p += 3;
333  length -= 3;
334 
335  //Malformed Certificate message?
336  if(n > length)
337  {
338  //Report an error
339  error = ERROR_DECODING_FAILED;
340  break;
341  }
342 
343  //Display ASN.1 structure
344  error = asn1DumpObject(p, n, 0);
345  //Any error to report?
346  if(error)
347  break;
348 
349  //Parse end-user certificate
350  error = x509ParseCertificate(p, n, certInfo);
351  //Failed to parse the X.509 certificate?
352  if(error)
353  {
354  //Report an error
355  error = ERROR_DECODING_FAILED;
356  break;
357  }
358 
359  //Check certificate key usage
360  error = tlsCheckKeyUsage(certInfo, context->entity,
361  context->keyExchMethod);
362  //Any error to report?
363  if(error)
364  break;
365 
366  //Extract the public key from the end-user certificate
367  error = tlsReadSubjectPublicKey(context, &certInfo->subjectPublicKeyInfo);
368  //Any error to report?
369  if(error)
370  break;
371 
372 #if (TLS_CLIENT_SUPPORT == ENABLED)
373  //TLS operates as a client?
374  if(context->entity == TLS_CONNECTION_END_CLIENT)
375  {
376  TlsCertificateType certType;
377  TlsSignatureAlgo certSignAlgo;
378  TlsHashAlgo certHashAlgo;
379  TlsNamedGroup namedCurve;
380 
381  //Retrieve the type of the X.509 certificate
382  error = tlsGetCertificateType(certInfo, &certType, &certSignAlgo,
383  &certHashAlgo, &namedCurve);
384  //Unsupported certificate?
385  if(error)
386  break;
387 
388  //Version of TLS prior to TLS 1.3?
389  if(context->version <= TLS_VERSION_1_2)
390  {
391  //ECDSA certificate?
392  if(certType == TLS_CERT_ECDSA_SIGN)
393  {
394  //Make sure the elliptic curve is supported
395  if(tlsGetCurveInfo(context, namedCurve) == NULL)
396  {
397  error = ERROR_BAD_CERTIFICATE;
398  break;
399  }
400  }
401  }
402 
403  //Point to the subject name
404  subjectName = context->serverName;
405 
406  //Check the subject name in the server certificate against the actual
407  //FQDN name that is being requested
408  error = x509CheckSubjectName(certInfo, subjectName);
409  //Any error to report?
410  if(error)
411  {
412  //Debug message
413  TRACE_WARNING("Server name mismatch!\r\n");
414 
415  //Report an error
416  error = ERROR_BAD_CERTIFICATE;
417  break;
418  }
419  }
420  else
421 #endif
422  //TLS operates as a server?
423  {
424  //Do not check name constraints
425  subjectName = NULL;
426  }
427 
428  //Test if the end-user certificate matches a trusted CA
429  validCertChain = tlsIsCertificateValid(certInfo, context->trustedCaList,
430  context->trustedCaListLen, 0, subjectName);
431 
432  //Next certificate
433  p += n;
434  length -= n;
435 
436 #if (TLS_MAX_VERSION >= TLS_VERSION_1_3 && TLS_MIN_VERSION <= TLS_VERSION_1_3)
437  //TLS 1.3 currently selected?
438  if(context->version == TLS_VERSION_1_3)
439  {
440  //Parse the list of extensions for the current CertificateEntry
441  error = tls13ParseCertExtensions(p, length, &n);
442  //Any error to report?
443  if(error)
444  break;
445 
446  //Point to the next field
447  p += n;
448  //Remaining bytes to process
449  length -= n;
450  }
451 #endif
452 
453  //PKIX path validation
454  for(i = 0; length > 0; i++)
455  {
456  //Each intermediate certificate is preceded by a 3-byte length field
457  if(length < 3)
458  {
459  //Report an error
460  error = ERROR_DECODING_FAILED;
461  break;
462  }
463 
464  //Get the size occupied by the certificate
465  n = LOAD24BE(p);
466  //Jump to the beginning of the DER encoded certificate
467  p += 3;
468  //Remaining bytes to process
469  length -= 3;
470 
471  //Malformed Certificate message?
472  if(n > length)
473  {
474  //Report an error
475  error = ERROR_DECODING_FAILED;
476  break;
477  }
478 
479  //Display ASN.1 structure
480  error = asn1DumpObject(p, n, 0);
481  //Any error to report?
482  if(error)
483  break;
484 
485  //Parse intermediate certificate
486  error = x509ParseCertificate(p, n, issuerCertInfo);
487  //Failed to parse the X.509 certificate?
488  if(error)
489  {
490  //Report an error
491  error = ERROR_DECODING_FAILED;
492  break;
493  }
494 
495  //Certificate chain validation in progress?
496  if(!validCertChain)
497  {
498  //Validate current certificate
499  error = x509ValidateCertificate(certInfo, issuerCertInfo, i);
500  //Certificate validation failed?
501  if(error)
502  break;
503 
504  //Check name constraints
505  error = x509CheckNameConstraints(subjectName, issuerCertInfo);
506  //Should the application reject the certificate?
507  if(error)
508  return ERROR_BAD_CERTIFICATE;
509 
510  //Check the version of the certificate
511  if(issuerCertInfo->version < X509_VERSION_3)
512  {
513  //Conforming implementations may choose to reject all version 1
514  //and version 2 intermediate certificates (refer to RFC 5280,
515  //section 6.1.4)
516  error = ERROR_BAD_CERTIFICATE;
517  break;
518  }
519 
520  //Test if the intermediate certificate matches a trusted CA
521  validCertChain = tlsIsCertificateValid(issuerCertInfo,
522  context->trustedCaList, context->trustedCaListLen, i, subjectName);
523  }
524 
525  //Keep track of the issuer certificate
526  *certInfo = *issuerCertInfo;
527 
528  //Next certificate
529  p += n;
530  length -= n;
531 
532 #if (TLS_MAX_VERSION >= TLS_VERSION_1_3 && TLS_MIN_VERSION <= TLS_VERSION_1_3)
533  //TLS 1.3 currently selected?
534  if(context->version == TLS_VERSION_1_3)
535  {
536  //Parse the list of extensions for the current CertificateEntry
537  error = tls13ParseCertExtensions(p, length, &n);
538  //Any error to report?
539  if(error)
540  break;
541 
542  //Point to the next field
543  p += n;
544  //Remaining bytes to process
545  length -= n;
546  }
547 #endif
548  }
549 
550  //Check status code
551  if(!error)
552  {
553  //Certificate chain validation failed?
554  if(!validCertChain)
555  {
556  //A valid certificate chain or partial chain was received, but the
557  //certificate was not accepted because the CA certificate could not
558  //be matched with a known, trusted CA
559  error = ERROR_UNKNOWN_CA;
560  }
561  }
562 
563  //End of exception handling block
564  } while(0);
565 
566  //Free previously allocated memory
567  tlsFreeMem(certInfo);
568  tlsFreeMem(issuerCertInfo);
569 
570  //Return status code
571  return error;
572 }
573 
574 
575 /**
576  * @brief Parse raw public key
577  * @param[in] context Pointer to the TLS context
578  * @param[in] p Input stream where to read the raw public key
579  * @param[in] length Number of bytes available in the input stream
580  * @return Error code
581  **/
582 
583 error_t tlsParseRawPublicKey(TlsContext *context, const uint8_t *p,
584  size_t length)
585 {
586  error_t error;
587 
588 #if (TLS_RAW_PUBLIC_KEY_SUPPORT == ENABLED)
589  //Any registered callback?
590  if(context->rpkVerifyCallback != NULL)
591  {
592  size_t n;
593  size_t rawPublicKeyLen;
594  const uint8_t *rawPublicKey;
595  X509SubjectPublicKeyInfo subjectPublicKeyInfo;
596 
597 #if (TLS_MAX_VERSION >= TLS_VERSION_1_3 && TLS_MIN_VERSION <= TLS_VERSION_1_3)
598  //TLS 1.3 currently selected?
599  if(context->version == TLS_VERSION_1_3)
600  {
601  //The raw public key is preceded by a 3-byte length field
602  if(length < 3)
603  return ERROR_DECODING_FAILED;
604 
605  //Get the size occupied by the raw public key
606  rawPublicKeyLen = LOAD24BE(p);
607  //Advance data pointer
608  p += 3;
609  //Remaining bytes to process
610  length -= 3;
611 
612  //Malformed Certificate message?
613  if(length < rawPublicKeyLen)
614  return ERROR_DECODING_FAILED;
615  }
616  else
617 #endif
618  {
619  //The payload of the Certificate message contains a SubjectPublicKeyInfo
620  //structure
621  rawPublicKeyLen = length;
622  }
623 
624  //Point to the raw public key
625  rawPublicKey = p;
626 
627  //Decode the SubjectPublicKeyInfo structure
628  error = x509ParseSubjectPublicKeyInfo(rawPublicKey, rawPublicKeyLen, &n,
629  &subjectPublicKeyInfo);
630  //Any error to report?
631  if(error)
632  return error;
633 
634  //Advance data pointer
635  p += rawPublicKeyLen;
636  //Remaining bytes to process
637  length -= rawPublicKeyLen;
638 
639 #if (TLS_MAX_VERSION >= TLS_VERSION_1_3 && TLS_MIN_VERSION <= TLS_VERSION_1_3)
640  //TLS 1.3 currently selected?
641  if(context->version == TLS_VERSION_1_3)
642  {
643  //Parse the list of extensions for the current CertificateEntry
644  error = tls13ParseCertExtensions(p, length, &n);
645  //Any error to report?
646  if(error)
647  return error;
648 
649  //Advance data pointer
650  p += n;
651  //Remaining bytes to process
652  length -= n;
653  }
654 #endif
655 
656  //If the RawPublicKey certificate type was negotiated, the certificate
657  //list must contain no more than one CertificateEntry (refer to RFC 8446,
658  //section 4.4.2)
659  if(length != 0)
660  return ERROR_DECODING_FAILED;
661 
662  //Extract the public key from the SubjectPublicKeyInfo structure
663  error = tlsReadSubjectPublicKey(context, &subjectPublicKeyInfo);
664  //Any error to report?
665  if(error)
666  return error;
667 
668  //When raw public keys are used, authentication of the peer is supported
669  //only through authentication of the received SubjectPublicKeyInfo via an
670  //out-of-band method
671  error = context->rpkVerifyCallback(context, rawPublicKey,
672  rawPublicKeyLen);
673  }
674  else
675 #endif
676  {
677  //Report an error
678  error = ERROR_BAD_CERTIFICATE;
679  }
680 
681  //Return status code
682  return error;
683 }
684 
685 
686 /**
687  * @brief Check whether a certificate is acceptable
688  * @param[in] context Pointer to the TLS context
689  * @param[in] cert End entity certificate
690  * @param[in] certTypes List of supported certificate types
691  * @param[in] numCertTypes Size of the list that contains the supported
692  * certificate types
693  * @param[in] signHashAlgos List of signature algorithms that may be used in
694  * digital signatures
695  * @param[in] certSignHashAlgos List of signature algorithms that may be used
696  * in X.509 certificates
697  * @param[in] curveList List of supported elliptic curves
698  * @param[in] certAuthorities List of trusted CA
699  * @return TRUE if the specified certificate conforms to the requirements,
700  * else FALSE
701  **/
702 
704  const uint8_t *certTypes, size_t numCertTypes, const TlsSignHashAlgos *signHashAlgos,
705  const TlsSignHashAlgos *certSignHashAlgos, const TlsSupportedGroupList *curveList,
706  const TlsCertAuthorities *certAuthorities)
707 {
708  size_t i;
709  size_t n;
710  size_t length;
711  bool_t acceptable;
712 
713  //Make sure that a valid certificate has been loaded
714  if(cert->certChain == NULL || cert->certChainLen == 0)
715  return FALSE;
716 
717 #if (TLS_RSA_SIGN_SUPPORT == ENABLED || TLS_RSA_PSS_SIGN_SUPPORT == ENABLED)
718  //RSA certificate?
719  if(cert->type == TLS_CERT_RSA_SIGN)
720  {
721  //This flag tells whether the certificate is acceptable
722  acceptable = TRUE;
723 
724  //Version of TLS prior to TLS 1.2?
725  if(context->version <= TLS_VERSION_1_1)
726  {
727  //the signing algorithm for the certificate must be the same as the
728  //algorithm for the certificate key
729  if(cert->signAlgo != TLS_SIGN_ALGO_RSA)
730  acceptable = FALSE;
731  }
732 
733  //Filter out certificates with unsupported type
734  if(acceptable && certTypes != NULL)
735  {
736  //Loop through the list of supported certificate types
737  for(i = 0, acceptable = FALSE; i < numCertTypes && !acceptable; i++)
738  {
739  //Check whether the certificate type is acceptable
740  if(certTypes[i] == TLS_CERT_RSA_SIGN)
741  {
742  acceptable = TRUE;
743  }
744  }
745  }
746 
747  //Filter out certificates that are not compatible with the supported
748  //signature schemes
749  if(acceptable && signHashAlgos != NULL)
750  {
751  //Retrieve the number of items in the list
752  n = ntohs(signHashAlgos->length) / sizeof(TlsSignHashAlgo);
753 
754  //Loop through the list of supported hash/signature algorithm pairs
755  for(i = 0, acceptable = FALSE; i < n && !acceptable; i++)
756  {
757  uint8_t signAlgo;
758  uint8_t hashAlgo;
759 
760  //Retrieve signature and hash algorithms
761  signAlgo = signHashAlgos->value[i].signature;
762  hashAlgo = signHashAlgos->value[i].hash;
763 
764 #if (TLS_RSA_SIGN_SUPPORT == ENABLED)
765  //RSASSA-PKCS1-v1_5 signature scheme?
766  if(signAlgo == TLS_SIGN_ALGO_RSA &&
767  hashAlgo != TLS_HASH_ALGO_NONE &&
768  context->version <= TLS_VERSION_1_2)
769  {
770  acceptable = TRUE;
771  }
772  else
773 #endif
774 #if (TLS_RSA_PSS_SIGN_SUPPORT == ENABLED && TLS_SHA256_SUPPORT == ENABLED)
775  //RSASSA-PSS RSAE signature scheme with SHA-256?
776  if(signAlgo == TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA256 &&
777  hashAlgo == TLS_HASH_ALGO_INTRINSIC &&
778  context->version >= TLS_VERSION_1_2)
779  {
780  acceptable = TRUE;
781  }
782  else
783 #endif
784 #if (TLS_RSA_PSS_SIGN_SUPPORT == ENABLED && TLS_SHA384_SUPPORT == ENABLED)
785  //RSASSA-PSS RSAE signature scheme with SHA-384?
786  if(signAlgo == TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA384 &&
787  hashAlgo == TLS_HASH_ALGO_INTRINSIC &&
788  context->version >= TLS_VERSION_1_2)
789  {
790  acceptable = TRUE;
791  }
792  else
793 #endif
794 #if (TLS_RSA_PSS_SIGN_SUPPORT == ENABLED && TLS_SHA512_SUPPORT == ENABLED)
795  //RSASSA-PSS RSAE signature scheme with SHA-512?
796  if(signAlgo == TLS_SIGN_ALGO_RSA_PSS_RSAE_SHA512 &&
797  hashAlgo == TLS_HASH_ALGO_INTRINSIC &&
798  context->version >= TLS_VERSION_1_2)
799  {
800  acceptable = TRUE;
801  }
802  else
803 #endif
804  //Unknown signature scheme?
805  {
806  acceptable = FALSE;
807  }
808  }
809  }
810  }
811  else
812 #endif
813 #if (TLS_RSA_PSS_SIGN_SUPPORT == ENABLED)
814  //RSA-PSS certificate?
815  if(cert->type == TLS_CERT_RSA_PSS_SIGN)
816  {
817  //TLS 1.2 and TLS 1.3 support RSASSA-PSS signature schemes
818  if(context->version >= TLS_VERSION_1_2)
819  {
820  //Filter out certificates that are not compatible with the supported
821  //signature schemes
822  if(signHashAlgos != NULL)
823  {
824  //Retrieve the number of items in the list
825  n = ntohs(signHashAlgos->length) / sizeof(TlsSignHashAlgo);
826 
827  //Loop through the list of supported hash/signature algorithm pairs
828  for(i = 0, acceptable = FALSE; i < n && !acceptable; i++)
829  {
830  uint8_t signAlgo;
831  uint8_t hashAlgo;
832 
833  //Retrieve signature and hash algorithms
834  signAlgo = signHashAlgos->value[i].signature;
835  hashAlgo = signHashAlgos->value[i].hash;
836 
837 #if (TLS_SHA256_SUPPORT == ENABLED)
838  //RSASSA-PSS PSS signature scheme with SHA-256?
839  if(signAlgo == TLS_SIGN_ALGO_RSA_PSS_PSS_SHA256 &&
840  hashAlgo == TLS_HASH_ALGO_INTRINSIC)
841  {
842  acceptable = TRUE;
843  }
844  else
845 #endif
846 #if (TLS_SHA384_SUPPORT == ENABLED)
847  //RSASSA-PSS PSS signature scheme with SHA-384?
848  if(signAlgo == TLS_SIGN_ALGO_RSA_PSS_PSS_SHA384 &&
849  hashAlgo == TLS_HASH_ALGO_INTRINSIC)
850  {
851  acceptable = TRUE;
852  }
853  else
854 #endif
855 #if (TLS_SHA512_SUPPORT == ENABLED)
856  //RSASSA-PSS PSS signature scheme with SHA-512?
857  if(signAlgo == TLS_SIGN_ALGO_RSA_PSS_PSS_SHA512 &&
858  hashAlgo == TLS_HASH_ALGO_INTRINSIC)
859  {
860  acceptable = TRUE;
861  }
862  else
863 #endif
864  //Unknown signature scheme?
865  {
866  acceptable = FALSE;
867  }
868  }
869  }
870  else
871  {
872  //The SignatureAlgorithms extension must be specified (refer to
873  //RFC 8446, section 4.3.2)
874  acceptable = FALSE;
875  }
876  }
877  else
878  {
879  //RSA-PSS is not supported by TLS 1.2 and earlier
880  acceptable = FALSE;
881  }
882  }
883  else
884 #endif
885 #if (TLS_DSA_SIGN_SUPPORT == ENABLED)
886  //DSA certificate?
887  if(cert->type == TLS_CERT_DSS_SIGN)
888  {
889  //Version of TLS prior to TLS 1.3?
890  if(context->version <= TLS_VERSION_1_2)
891  {
892  //This flag tells whether the certificate is acceptable
893  acceptable = TRUE;
894 
895  //Version of TLS prior to TLS 1.2?
896  if(context->version <= TLS_VERSION_1_1)
897  {
898  //the signing algorithm for the certificate must be the same as the
899  //algorithm for the certificate key
900  if(cert->signAlgo != TLS_SIGN_ALGO_DSA)
901  acceptable = FALSE;
902  }
903 
904  //Filter out certificates with unsupported type
905  if(acceptable && certTypes != NULL)
906  {
907  //Loop through the list of supported certificate types
908  for(i = 0, acceptable = FALSE; i < numCertTypes && !acceptable; i++)
909  {
910  //Check whether the certificate type is acceptable
911  if(certTypes[i] == TLS_CERT_DSS_SIGN)
912  {
913  acceptable = TRUE;
914  }
915  }
916  }
917 
918  //Filter out certificates that are not compatible with the supported
919  //signature schemes
920  if(acceptable && signHashAlgos != NULL)
921  {
922  //Retrieve the number of items in the list
923  n = ntohs(signHashAlgos->length) / sizeof(TlsSignHashAlgo);
924 
925  //Loop through the list of supported hash/signature algorithm pairs
926  for(i = 0, acceptable = FALSE; i < n && !acceptable; i++)
927  {
928  //Check whether DSA signature scheme is supported
929  if(signHashAlgos->value[i].signature == TLS_SIGN_ALGO_DSA)
930  {
931  acceptable = TRUE;
932  }
933  }
934  }
935  }
936  else
937  {
938  //TLS 1.3 removes support for DSA certificates
939  acceptable = FALSE;
940  }
941  }
942  else
943 #endif
944 #if (TLS_ECDSA_SIGN_SUPPORT == ENABLED)
945  //ECDSA certificate?
946  if(cert->type == TLS_CERT_ECDSA_SIGN)
947  {
948  //This flag tells whether the certificate is acceptable
949  acceptable = TRUE;
950 
951  //Version of TLS prior to TLS 1.2?
952  if(context->version <= TLS_VERSION_1_1)
953  {
954  //the signing algorithm for the certificate must be the same as the
955  //algorithm for the certificate key
956  if(cert->signAlgo != TLS_SIGN_ALGO_ECDSA)
957  acceptable = FALSE;
958  }
959 
960  //Filter out certificates with unsupported type
961  if(acceptable && certTypes != NULL)
962  {
963  //Loop through the list of supported certificate types
964  for(i = 0, acceptable = FALSE; i < numCertTypes && !acceptable; i++)
965  {
966  //Check whether the certificate type is acceptable
967  if(certTypes[i] == TLS_CERT_ECDSA_SIGN)
968  {
969  acceptable = TRUE;
970  }
971  }
972  }
973 
974  //Version of TLS prior to TLS 1.3?
975  if(context->version <= TLS_VERSION_1_2)
976  {
977  //In versions of TLS prior to TLS 1.3, the EllipticCurves extension is
978  //used to negotiate ECDSA curves (refer to RFC 8446, section 4.2.7)
979  if(acceptable && curveList != NULL)
980  {
981  //Retrieve the number of items in the list
982  n = ntohs(curveList->length) / sizeof(uint16_t);
983 
984  //Loop through the list of supported elliptic curves
985  for(i = 0, acceptable = FALSE; i < n && !acceptable; i++)
986  {
987  //Check whether the elliptic curve is supported
988  if(ntohs(curveList->value[i]) == cert->namedCurve)
989  {
990  acceptable = TRUE;
991  }
992  }
993  }
994  }
995 
996  //Filter out certificates that are not compatible with the supported
997  //signature schemes
998  if(acceptable && signHashAlgos != NULL)
999  {
1000  //Retrieve the number of items in the list
1001  n = ntohs(signHashAlgos->length) / sizeof(TlsSignHashAlgo);
1002 
1003  //Loop through the list of supported hash/signature algorithm pairs
1004  for(i = 0, acceptable = FALSE; i < n && !acceptable; i++)
1005  {
1006  //Check whether ECDSA signature scheme is supported
1007  if(signHashAlgos->value[i].signature == TLS_SIGN_ALGO_ECDSA)
1008  {
1009  acceptable = TRUE;
1010  }
1011  }
1012  }
1013  }
1014  else
1015 #endif
1016 #if (TLS_EDDSA_SIGN_SUPPORT == ENABLED)
1017  //EdDSA certificate?
1018  if(cert->type == TLS_CERT_ED25519_SIGN ||
1019  cert->type == TLS_CERT_ED448_SIGN)
1020  {
1021  //TLS 1.2 and TLS 1.3 support EdDSA signature schemes
1022  if((context->version >= TLS_VERSION_1_2 &&
1023  context->entity == TLS_CONNECTION_END_SERVER) ||
1024  (context->version >= TLS_VERSION_1_3 &&
1025  context->entity == TLS_CONNECTION_END_CLIENT))
1026  {
1027  //This flag tells whether the certificate is acceptable
1028  acceptable = TRUE;
1029 
1030  //Filter out certificates with unsupported type
1031  if(certTypes != NULL)
1032  {
1033  //Loop through the list of supported certificate types
1034  for(i = 0, acceptable = FALSE; i < numCertTypes && !acceptable; i++)
1035  {
1036  //Check whether the certificate type is acceptable
1037  if(certTypes[i] == TLS_CERT_ECDSA_SIGN)
1038  {
1039  acceptable = TRUE;
1040  }
1041  }
1042  }
1043 
1044  //Filter out certificates that are not compatible with the supported
1045  //signature schemes
1046  if(acceptable && signHashAlgos != NULL)
1047  {
1048  //Retrieve the number of items in the list
1049  n = ntohs(signHashAlgos->length) / sizeof(TlsSignHashAlgo);
1050 
1051  //Loop through the list of supported hash/signature algorithm pairs
1052  for(i = 0, acceptable = FALSE; i < n && !acceptable; i++)
1053  {
1054 #if (TLS_ED25519_SUPPORT == ENABLED)
1055  //Ed25519 certificate?
1056  if(cert->type == TLS_CERT_ED25519_SIGN)
1057  {
1058  //Check whether Ed25519 signature scheme is supported
1059  if(signHashAlgos->value[i].signature == TLS_SIGN_ALGO_ED25519 &&
1060  signHashAlgos->value[i].hash == TLS_HASH_ALGO_INTRINSIC)
1061  {
1062  acceptable = TRUE;
1063  }
1064  }
1065  else
1066 #endif
1067 #if (TLS_ED448_SUPPORT == ENABLED)
1068  //Ed448 certificate?
1069  if(cert->type == TLS_CERT_ED448_SIGN)
1070  {
1071  //Check whether Ed448 signature scheme is supported
1072  if(signHashAlgos->value[i].signature == TLS_SIGN_ALGO_ED448 &&
1073  signHashAlgos->value[i].hash == TLS_HASH_ALGO_INTRINSIC)
1074  {
1075  acceptable = TRUE;
1076  }
1077  }
1078  else
1079 #endif
1080  //Unknown certificate type?
1081  {
1082  acceptable = FALSE;
1083  }
1084  }
1085  }
1086  else
1087  {
1088  //The certificate is not acceptable
1089  acceptable = FALSE;
1090  }
1091  }
1092  else
1093  {
1094  //EdDSA is not supported by TLS 1.1 and earlier
1095  acceptable = FALSE;
1096  }
1097  }
1098  else
1099 #endif
1100  //Unsupported certificate type?
1101  {
1102  //The certificate is not acceptable
1103  acceptable = FALSE;
1104  }
1105 
1106  //Filter out certificates that are signed with an unsupported algorithm
1107  if(acceptable && certSignHashAlgos != NULL)
1108  {
1109  //Retrieve the number of items in the list
1110  n = ntohs(certSignHashAlgos->length) / sizeof(TlsSignHashAlgo);
1111 
1112  //Loop through the list of supported hash/signature algorithm pairs
1113  for(i = 0, acceptable = FALSE; i < n && !acceptable; i++)
1114  {
1115  //The certificate must be signed using a valid hash algorithm
1116  if(certSignHashAlgos->value[i].signature == cert->signAlgo &&
1117  certSignHashAlgos->value[i].hash == cert->hashAlgo)
1118  {
1119  acceptable = TRUE;
1120  }
1121  }
1122  }
1123 
1124  //Filter out certificates that are issued by a non trusted CA
1125  if(acceptable && certAuthorities != NULL)
1126  {
1127  //Retrieve the length of the list
1128  length = ntohs(certAuthorities->length);
1129 
1130  //If the certificate authorities list is empty, then the client
1131  //may send any certificate of the appropriate type
1132  if(length > 0)
1133  {
1134  error_t error;
1135  const uint8_t *p;
1136  const char_t *pemCert;
1137  size_t pemCertLen;
1138  uint8_t *derCert;
1139  size_t derCertSize;
1140  size_t derCertLen;
1141  X509CertificateInfo *certInfo;
1142 
1143  //The list of acceptable certificate authorities describes the
1144  //known roots CA
1145  acceptable = FALSE;
1146 
1147  //Point to the first distinguished name
1148  p = certAuthorities->value;
1149 
1150  //Point to the end entity certificate
1151  pemCert = cert->certChain;
1152  //Get the total length, in bytes, of the certificate chain
1153  pemCertLen = cert->certChainLen;
1154 
1155  //DER encoded certificate
1156  derCert = NULL;
1157  derCertSize = 0;
1158  derCertLen = 0;
1159 
1160  //Start of exception handling block
1161  do
1162  {
1163  //Allocate a memory buffer to store X.509 certificate info
1164  certInfo = tlsAllocMem(sizeof(X509CertificateInfo));
1165  //Failed to allocate memory?
1166  if(certInfo == NULL)
1167  break;
1168 
1169  //Point to the last certificate of the chain
1170  do
1171  {
1172  //Read PEM certificates, one by one
1173  error = pemImportCertificate(&pemCert, &pemCertLen,
1174  &derCert, &derCertSize, &derCertLen);
1175 
1176  //Loop as long as necessary
1177  } while(!error);
1178 
1179  //Any error to report?
1180  if(error != ERROR_END_OF_FILE)
1181  break;
1182 
1183  //Parse the last certificate of the chain
1184  error = x509ParseCertificate(derCert, derCertLen, certInfo);
1185  //Failed to parse the X.509 certificate?
1186  if(error)
1187  break;
1188 
1189  //Parse each distinguished name of the list
1190  while(length > 0)
1191  {
1192  //Sanity check
1193  if(length < 2)
1194  break;
1195 
1196  //Each distinguished name is preceded by a 2-byte length field
1197  n = LOAD16BE(p);
1198 
1199  //Make sure the length field is valid
1200  if(length < (n + 2))
1201  break;
1202 
1203  //Check if the distinguished name matches the root CA
1204  if(x509CompareName(p + 2, n, certInfo->issuer.rawData,
1205  certInfo->issuer.rawDataLen))
1206  {
1207  acceptable = TRUE;
1208  break;
1209  }
1210 
1211  //Advance data pointer
1212  p += n + 2;
1213  //Number of bytes left in the list
1214  length -= n + 2;
1215  }
1216 
1217  //End of exception handling block
1218  } while(0);
1219 
1220  //Release previously allocated memory
1221  tlsFreeMem(derCert);
1222  tlsFreeMem(certInfo);
1223  }
1224  }
1225 
1226  //The return value specifies whether all the criteria were matched
1227  return acceptable;
1228 }
1229 
1230 
1231 /**
1232  * @brief Verify certificate against root CAs
1233  * @param[in] certInfo X.509 certificate to be verified
1234  * @param[in] trustedCaList List of trusted CA (PEM format)
1235  * @param[in] trustedCaListLen Total length of the list
1236  * @param[in] pathLength Certificate path length
1237  * @param[in] subjectName Subject name (optional parameter)
1238  * @return TRUE if the certificate is issued by a trusted CA, else FALSE
1239  **/
1240 
1242  const char_t *trustedCaList, size_t trustedCaListLen,
1243  uint_t pathLength, const char_t *subjectName)
1244 {
1245  error_t error;
1246  bool_t valid;
1247  uint8_t *derCert;
1248  size_t derCertSize;
1249  size_t derCertLen;
1250  X509CertificateInfo *caCertInfo;
1251 
1252  //DER encoded certificate
1253  derCert = NULL;
1254  derCertSize = 0;
1255  derCertLen = 0;
1256 
1257  //Allocate a memory buffer to store the root CA
1258  caCertInfo = tlsAllocMem(sizeof(X509CertificateInfo));
1259  //Failed to allocate memory?
1260  if(caCertInfo == NULL)
1261  return FALSE;
1262 
1263  //Check whether certificates should be checked against root CAs
1264  if(trustedCaListLen > 0)
1265  {
1266  //Initialize flag
1267  valid = FALSE;
1268 
1269  //Loop through the root CAs
1270  while(trustedCaListLen > 0)
1271  {
1272  //Decode PEM certificate
1273  error = pemImportCertificate(&trustedCaList, &trustedCaListLen,
1274  &derCert, &derCertSize, &derCertLen);
1275  //Any error to report?
1276  if(error)
1277  break;
1278 
1279  //Parse X.509 certificate
1280  error = x509ParseCertificate(derCert, derCertLen, caCertInfo);
1281 
1282  //Valid CA certificate?
1283  if(!error)
1284  {
1285  //Validate the certificate with the current CA
1286  error = x509ValidateCertificate(certInfo, caCertInfo, pathLength);
1287 
1288  //Certificate validation succeeded?
1289  if(!error)
1290  {
1291  //Check name constraints
1292  error = x509CheckNameConstraints(subjectName, caCertInfo);
1293  }
1294 
1295  //Acceptable name constraints?
1296  if(!error)
1297  {
1298  //The certificate is issued by a trusted CA
1299  valid = TRUE;
1300  //We are done
1301  break;
1302  }
1303  }
1304  }
1305  }
1306  else
1307  {
1308  //Do not check certificates against root CAs
1309  valid = TRUE;
1310  }
1311 
1312  //Free previously allocated memory
1313  tlsFreeMem(derCert);
1314  tlsFreeMem(caCertInfo);
1315 
1316  //The return value specifies whether the certificate is issued by a
1317  //trusted CA
1318  return valid;
1319 }
1320 
1321 
1322 /**
1323  * @brief Retrieve the certificate type
1324  * @param[in] certInfo X.509 certificate
1325  * @param[out] certType Certificate type
1326  * @param[out] certSignAlgo Signature algorithm that has been used to sign the certificate
1327  * @param[out] certHashAlgo Hash algorithm that has been used to sign the certificate
1328  * @param[out] namedCurve Elliptic curve (only for ECDSA certificates)
1329  * @return Error code
1330  **/
1331 
1333  TlsCertificateType *certType, TlsSignatureAlgo *certSignAlgo,
1334  TlsHashAlgo *certHashAlgo, TlsNamedGroup *namedCurve)
1335 {
1336  size_t oidLen;
1337  const uint8_t *oid;
1338 
1339  //Check parameters
1340  if(certInfo == NULL || certType == NULL || certSignAlgo == NULL ||
1341  certHashAlgo == NULL || namedCurve == NULL)
1342  {
1343  //Report an error
1344  return ERROR_INVALID_PARAMETER;
1345  }
1346 
1347  //Point to the public key identifier
1348  oid = certInfo->subjectPublicKeyInfo.oid;
1349  oidLen = certInfo->subjectPublicKeyInfo.oidLen;
1350 
1351 #if (TLS_RSA_SIGN_SUPPORT == ENABLED || TLS_RSA_PSS_SIGN_SUPPORT == ENABLED)
1352  //RSA public key?
1353  if(!oidComp(oid, oidLen, RSA_ENCRYPTION_OID, sizeof(RSA_ENCRYPTION_OID)))
1354  {
1355  //Save certificate type
1356  *certType = TLS_CERT_RSA_SIGN;
1357  //No named curve applicable
1358  *namedCurve = TLS_GROUP_NONE;
1359  }
1360  else
1361 #endif
1362 #if (TLS_RSA_PSS_SIGN_SUPPORT == ENABLED)
1363  //RSA-PSS public key?
1364  if(!oidComp(oid, oidLen, RSASSA_PSS_OID, sizeof(RSASSA_PSS_OID)))
1365  {
1366  //Save certificate type
1367  *certType = TLS_CERT_RSA_PSS_SIGN;
1368  //No named curve applicable
1369  *namedCurve = TLS_GROUP_NONE;
1370  }
1371  else
1372 #endif
1373 #if (TLS_DSA_SIGN_SUPPORT == ENABLED)
1374  //DSA public key?
1375  if(!oidComp(oid, oidLen, DSA_OID, sizeof(DSA_OID)))
1376  {
1377  //Save certificate type
1378  *certType = TLS_CERT_DSS_SIGN;
1379  //No named curve applicable
1380  *namedCurve = TLS_GROUP_NONE;
1381  }
1382  else
1383 #endif
1384 #if (TLS_ECDSA_SIGN_SUPPORT == ENABLED)
1385  //EC public key?
1386  if(!oidComp(oid, oidLen, EC_PUBLIC_KEY_OID, sizeof(EC_PUBLIC_KEY_OID)))
1387  {
1388  const X509EcParameters *params;
1389 
1390  //Point to the EC parameters
1391  params = &certInfo->subjectPublicKeyInfo.ecParams;
1392 
1393  //Save certificate type
1394  *certType = TLS_CERT_ECDSA_SIGN;
1395  //Retrieve the named curve that has been used to generate the EC public key
1396  *namedCurve = tlsGetNamedCurve(params->namedCurve, params->namedCurveLen);
1397  }
1398  else
1399 #endif
1400 #if (TLS_EDDSA_SIGN_SUPPORT == ENABLED)
1401  //Ed25519 public key?
1402  if(!oidComp(oid, oidLen, ED25519_OID, sizeof(ED25519_OID)))
1403  {
1404  //Save certificate type
1405  *certType = TLS_CERT_ED25519_SIGN;
1406  //No named curve applicable
1407  *namedCurve = TLS_GROUP_NONE;
1408  }
1409  else
1410  //Ed448 public key?
1411  if(!oidComp(oid, oidLen, ED448_OID, sizeof(ED448_OID)))
1412  {
1413  //Save certificate type
1414  *certType = TLS_CERT_ED448_SIGN;
1415  //No named curve applicable
1416  *namedCurve = TLS_GROUP_NONE;
1417  }
1418  else
1419 #endif
1420  //Invalid public key?
1421  {
1422  //The certificate does not contain any valid public key
1423  return ERROR_BAD_CERTIFICATE;
1424  }
1425 
1426  //Point to the signature algorithm
1427  oid = certInfo->signatureAlgo.oid;
1428  oidLen = certInfo->signatureAlgo.oidLen;
1429 
1430  //Retrieve the signature algorithm that has been used to sign the certificate
1431  if(oid == NULL || oidLen == 0)
1432  {
1433  //Invalid certificate
1434  return ERROR_BAD_CERTIFICATE;
1435  }
1436 #if (TLS_RSA_SIGN_SUPPORT == ENABLED || TLS_RSA_PSS_SIGN_SUPPORT == ENABLED)
1437  else if(!oidComp(oid, oidLen, MD5_WITH_RSA_ENCRYPTION_OID,
1438  sizeof(MD5_WITH_RSA_ENCRYPTION_OID)))
1439  {
1440  //MD5 with RSA signature algorithm
1441  *certSignAlgo = TLS_SIGN_ALGO_RSA;
1442  *certHashAlgo = TLS_HASH_ALGO_MD5;
1443  }
1444  else if(!oidComp(oid, oidLen, SHA1_WITH_RSA_ENCRYPTION_OID,
1446  {
1447  //SHA-1 with RSA signature algorithm
1448  *certSignAlgo = TLS_SIGN_ALGO_RSA;
1449  *certHashAlgo = TLS_HASH_ALGO_SHA1;
1450  }
1451  else if(!oidComp(oid, oidLen, SHA256_WITH_RSA_ENCRYPTION_OID,
1453  {
1454  //SHA-256 with RSA signature algorithm
1455  *certSignAlgo = TLS_SIGN_ALGO_RSA;
1456  *certHashAlgo = TLS_HASH_ALGO_SHA256;
1457  }
1458  else if(!oidComp(oid, oidLen, SHA384_WITH_RSA_ENCRYPTION_OID,
1460  {
1461  //SHA-384 with RSA signature algorithm
1462  *certSignAlgo = TLS_SIGN_ALGO_RSA;
1463  *certHashAlgo = TLS_HASH_ALGO_SHA384;
1464  }
1465  else if(!oidComp(oid, oidLen, SHA512_WITH_RSA_ENCRYPTION_OID,
1467  {
1468  //SHA-512 with RSA signature algorithm
1469  *certSignAlgo = TLS_SIGN_ALGO_RSA;
1470  *certHashAlgo = TLS_HASH_ALGO_SHA512;
1471  }
1472 #endif
1473 #if (TLS_RSA_PSS_SIGN_SUPPORT == ENABLED && X509_RSA_PSS_SUPPORT == ENABLED)
1474  else if(!oidComp(oid, oidLen, RSASSA_PSS_OID,
1475  sizeof(RSASSA_PSS_OID)))
1476  {
1477  size_t hashAlgoLen;
1478  const uint8_t *hashAlgo;
1479 
1480  //Get the OID of the hash algorithm
1481  hashAlgo = certInfo->signatureAlgo.rsaPssParams.hashAlgo;
1482  hashAlgoLen = certInfo->signatureAlgo.rsaPssParams.hashAlgoLen;
1483 
1484 #if (TLS_SHA256_SUPPORT == ENABLED)
1485  //SHA-256 hash algorithm identifier?
1486  if(!oidComp(hashAlgo, hashAlgoLen, SHA256_OID, sizeof(SHA256_OID)))
1487  {
1488  //RSA-PSS with SHA-256 signature algorithm
1489  *certSignAlgo = TLS_SIGN_ALGO_RSA_PSS_PSS_SHA256;
1490  *certHashAlgo = TLS_HASH_ALGO_INTRINSIC;
1491  }
1492  else
1493 #endif
1494 #if (TLS_SHA384_SUPPORT == ENABLED)
1495  //SHA-384 hash algorithm identifier?
1496  if(!oidComp(hashAlgo, hashAlgoLen, SHA384_OID, sizeof(SHA384_OID)))
1497  {
1498  //RSA-PSS with SHA-384 signature algorithm
1499  *certSignAlgo = TLS_SIGN_ALGO_RSA_PSS_PSS_SHA384;
1500  *certHashAlgo = TLS_HASH_ALGO_INTRINSIC;
1501  }
1502  else
1503 #endif
1504 #if (TLS_SHA512_SUPPORT == ENABLED)
1505  //SHA-512 hash algorithm identifier?
1506  if(!oidComp(hashAlgo, hashAlgoLen, SHA512_OID, sizeof(SHA512_OID)))
1507  {
1508  //RSA-PSS with SHA-512 signature algorithm
1509  *certSignAlgo = TLS_SIGN_ALGO_RSA_PSS_PSS_SHA512;
1510  *certHashAlgo = TLS_HASH_ALGO_INTRINSIC;
1511  }
1512  else
1513 #endif
1514  //Unknown hash algorithm identifier?
1515  {
1516  //The signature algorithm is not supported
1517  return ERROR_BAD_CERTIFICATE;
1518  }
1519  }
1520 #endif
1521 #if (TLS_DSA_SIGN_SUPPORT == ENABLED)
1522  else if(!oidComp(oid, oidLen, DSA_WITH_SHA1_OID,
1523  sizeof(DSA_WITH_SHA1_OID)))
1524  {
1525  //DSA with SHA-1 signature algorithm
1526  *certSignAlgo = TLS_SIGN_ALGO_DSA;
1527  *certHashAlgo = TLS_HASH_ALGO_SHA1;
1528  }
1529  else if(!oidComp(oid, oidLen, DSA_WITH_SHA224_OID,
1530  sizeof(DSA_WITH_SHA224_OID)))
1531  {
1532  //DSA with SHA-224 signature algorithm
1533  *certSignAlgo = TLS_SIGN_ALGO_DSA;
1534  *certHashAlgo = TLS_HASH_ALGO_SHA224;
1535  }
1536  else if(!oidComp(oid, oidLen, DSA_WITH_SHA256_OID,
1537  sizeof(DSA_WITH_SHA256_OID)))
1538  {
1539  //DSA with SHA-256 signature algorithm
1540  *certSignAlgo = TLS_SIGN_ALGO_DSA;
1541  *certHashAlgo = TLS_HASH_ALGO_SHA256;
1542  }
1543 #endif
1544 #if (TLS_ECDSA_SIGN_SUPPORT == ENABLED)
1545  else if(!oidComp(oid, oidLen, ECDSA_WITH_SHA1_OID,
1546  sizeof(ECDSA_WITH_SHA1_OID)))
1547  {
1548  //ECDSA with SHA-1 signature algorithm
1549  *certSignAlgo = TLS_SIGN_ALGO_ECDSA;
1550  *certHashAlgo = TLS_HASH_ALGO_SHA1;
1551  }
1552  else if(!oidComp(oid, oidLen, ECDSA_WITH_SHA224_OID,
1553  sizeof(ECDSA_WITH_SHA224_OID)))
1554  {
1555  //ECDSA with SHA-224 signature algorithm
1556  *certSignAlgo = TLS_SIGN_ALGO_ECDSA;
1557  *certHashAlgo = TLS_HASH_ALGO_SHA224;
1558  }
1559  else if(!oidComp(oid, oidLen, ECDSA_WITH_SHA256_OID,
1560  sizeof(ECDSA_WITH_SHA256_OID)))
1561  {
1562  //ECDSA with SHA-256 signature algorithm
1563  *certSignAlgo = TLS_SIGN_ALGO_ECDSA;
1564  *certHashAlgo = TLS_HASH_ALGO_SHA256;
1565  }
1566  else if(!oidComp(oid, oidLen, ECDSA_WITH_SHA384_OID,
1567  sizeof(ECDSA_WITH_SHA384_OID)))
1568  {
1569  //ECDSA with SHA-384 signature algorithm
1570  *certSignAlgo = TLS_SIGN_ALGO_ECDSA;
1571  *certHashAlgo = TLS_HASH_ALGO_SHA384;
1572  }
1573  else if(!oidComp(oid, oidLen, ECDSA_WITH_SHA512_OID,
1574  sizeof(ECDSA_WITH_SHA512_OID)))
1575  {
1576  //ECDSA with SHA-512 signature algorithm
1577  *certSignAlgo = TLS_SIGN_ALGO_ECDSA;
1578  *certHashAlgo = TLS_HASH_ALGO_SHA512;
1579  }
1580 #endif
1581 #if (TLS_EDDSA_SIGN_SUPPORT == ENABLED)
1582  else if(!oidComp(oid, oidLen, ED25519_OID, sizeof(ED25519_OID)))
1583  {
1584  //Ed25519 signature algorithm
1585  *certSignAlgo = TLS_SIGN_ALGO_ED25519;
1586  *certHashAlgo = TLS_HASH_ALGO_INTRINSIC;
1587  }
1588  else if(!oidComp(oid, oidLen, ED448_OID, sizeof(ED448_OID)))
1589  {
1590  //Ed448 signature algorithm
1591  *certSignAlgo = TLS_SIGN_ALGO_ED448;
1592  *certHashAlgo = TLS_HASH_ALGO_INTRINSIC;
1593  }
1594 #endif
1595  else
1596  {
1597  //The signature algorithm is not supported
1598  return ERROR_BAD_CERTIFICATE;
1599  }
1600 
1601  //X.509 certificate successfully parsed
1602  return NO_ERROR;
1603 }
1604 
1605 
1606 /**
1607  * @brief Extract the subject public key from the received certificate
1608  * @param[in] context Pointer to the TLS context
1609  * @param[in] subjectPublicKeyInfo Pointer to the subject's public key
1610  * @return Error code
1611  **/
1612 
1614  const X509SubjectPublicKeyInfo *subjectPublicKeyInfo)
1615 {
1616  error_t error;
1617  size_t oidLen;
1618  const uint8_t *oid;
1619 
1620  //Retrieve public key identifier
1621  oid = subjectPublicKeyInfo->oid;
1622  oidLen = subjectPublicKeyInfo->oidLen;
1623 
1624 #if (TLS_RSA_SIGN_SUPPORT == ENABLED || TLS_RSA_PSS_SIGN_SUPPORT == ENABLED)
1625  //RSA public key?
1626  if(!oidComp(oid, oidLen, RSA_ENCRYPTION_OID, sizeof(RSA_ENCRYPTION_OID)) ||
1627  !oidComp(oid, oidLen, RSASSA_PSS_OID, sizeof(RSASSA_PSS_OID)))
1628  {
1629  uint_t k;
1630 
1631  //Retrieve the RSA public key
1632  error = x509ReadRsaPublicKey(subjectPublicKeyInfo,
1633  &context->peerRsaPublicKey);
1634 
1635  //Check status code
1636  if(!error)
1637  {
1638  //Get the length of the modulus, in bits
1639  k = mpiGetBitLength(&context->peerRsaPublicKey.n);
1640 
1641  //Applications should also enforce minimum and maximum key sizes (refer
1642  //to RFC 8446, appendix C.2)
1643  if(k < TLS_MIN_RSA_MODULUS_SIZE || k > TLS_MAX_RSA_MODULUS_SIZE)
1644  {
1645  //Report an error
1646  error = ERROR_BAD_CERTIFICATE;
1647  }
1648  }
1649 
1650  //Check status code
1651  if(!error)
1652  {
1653  //RSA or RSA-PSS certificate?
1654  if(!oidComp(oid, oidLen, RSA_ENCRYPTION_OID, sizeof(RSA_ENCRYPTION_OID)))
1655  {
1656  //The certificate contains a valid RSA public key
1657  context->peerCertType = TLS_CERT_RSA_SIGN;
1658  }
1659  else if(!oidComp(oid, oidLen, RSASSA_PSS_OID, sizeof(RSASSA_PSS_OID)))
1660  {
1661  //The certificate contains a valid RSA-PSS public key
1662  context->peerCertType = TLS_CERT_RSA_PSS_SIGN;
1663  }
1664  else
1665  {
1666  //Just for sanity
1667  error = ERROR_BAD_CERTIFICATE;
1668  }
1669  }
1670  }
1671  else
1672 #endif
1673 #if (TLS_DSA_SIGN_SUPPORT == ENABLED)
1674  //DSA public key?
1675  if(!oidComp(oid, oidLen, DSA_OID, sizeof(DSA_OID)))
1676  {
1677  uint_t k;
1678 
1679  //Retrieve the DSA public key
1680  error = x509ReadDsaPublicKey(subjectPublicKeyInfo,
1681  &context->peerDsaPublicKey);
1682 
1683  //Check status code
1684  if(!error)
1685  {
1686  //Get the length of the prime modulus, in bits
1687  k = mpiGetBitLength(&context->peerDsaPublicKey.p);
1688 
1689  //Make sure the prime modulus is acceptable
1690  if(k < TLS_MIN_DSA_MODULUS_SIZE || k > TLS_MAX_DSA_MODULUS_SIZE)
1691  {
1692  //Report an error
1693  error = ERROR_BAD_CERTIFICATE;
1694  }
1695  }
1696 
1697  //Check status code
1698  if(!error)
1699  {
1700  //The certificate contains a valid DSA public key
1701  context->peerCertType = TLS_CERT_DSS_SIGN;
1702  }
1703  }
1704  else
1705 #endif
1706 #if (TLS_ECDSA_SIGN_SUPPORT == ENABLED)
1707  //EC public key?
1708  if(!oidComp(oid, oidLen, EC_PUBLIC_KEY_OID, sizeof(EC_PUBLIC_KEY_OID)))
1709  {
1710  const EcCurveInfo *curveInfo;
1711 
1712  //Retrieve EC domain parameters
1713  curveInfo = x509GetCurveInfo(subjectPublicKeyInfo->ecParams.namedCurve,
1714  subjectPublicKeyInfo->ecParams.namedCurveLen);
1715 
1716  //Make sure the specified elliptic curve is supported
1717  if(curveInfo != NULL)
1718  {
1719  //Load EC domain parameters
1720  error = ecLoadDomainParameters(&context->peerEcParams, curveInfo);
1721 
1722  //Check status code
1723  if(!error)
1724  {
1725  //Retrieve the EC public key
1726  error = ecImport(&context->peerEcParams, &context->peerEcPublicKey,
1727  subjectPublicKeyInfo->ecPublicKey.q, subjectPublicKeyInfo->ecPublicKey.qLen);
1728  }
1729  }
1730  else
1731  {
1732  //The specified elliptic curve is not supported
1733  error = ERROR_BAD_CERTIFICATE;
1734  }
1735 
1736  //Check status code
1737  if(!error)
1738  {
1739  //The certificate contains a valid EC public key
1740  context->peerCertType = TLS_CERT_ECDSA_SIGN;
1741  }
1742  }
1743  else
1744 #endif
1745 #if (TLS_EDDSA_SIGN_SUPPORT == ENABLED)
1746  //Ed25519 or Ed448 public key?
1747  if(!oidComp(oid, oidLen, ED25519_OID, sizeof(ED25519_OID)) ||
1748  !oidComp(oid, oidLen, ED448_OID, sizeof(ED448_OID)))
1749  {
1750  const EcCurveInfo *curveInfo;
1751 
1752  //Retrieve EC domain parameters
1753  curveInfo = x509GetCurveInfo(oid, oidLen);
1754 
1755  //Make sure the specified elliptic curve is supported
1756  if(curveInfo != NULL)
1757  {
1758  //Load EC domain parameters
1759  error = ecLoadDomainParameters(&context->peerEcParams, curveInfo);
1760 
1761  //Check status code
1762  if(!error)
1763  {
1764  //Retrieve the EC public key
1765  error = ecImport(&context->peerEcParams, &context->peerEcPublicKey,
1766  subjectPublicKeyInfo->ecPublicKey.q, subjectPublicKeyInfo->ecPublicKey.qLen);
1767  }
1768  }
1769  else
1770  {
1771  //The specified elliptic curve is not supported
1772  error = ERROR_BAD_CERTIFICATE;
1773  }
1774 
1775  //Check status code
1776  if(!error)
1777  {
1778  //Ed25519 or Ed448 certificate?
1779  if(!oidComp(oid, oidLen, ED25519_OID, sizeof(ED25519_OID)))
1780  {
1781  //The certificate contains a valid Ed25519 public key
1782  context->peerCertType = TLS_CERT_ED25519_SIGN;
1783  }
1784  else if(!oidComp(oid, oidLen, ED448_OID, sizeof(ED448_OID)))
1785  {
1786  //The certificate contains a valid Ed448 public key
1787  context->peerCertType = TLS_CERT_ED448_SIGN;
1788  }
1789  else
1790  {
1791  //Just for sanity
1792  error = ERROR_BAD_CERTIFICATE;
1793  }
1794  }
1795  }
1796  else
1797 #endif
1798  //Invalid public key?
1799  {
1800  //The certificate does not contain any valid public key
1802  }
1803 
1804 #if (TLS_CLIENT_SUPPORT == ENABLED)
1805  //Check status code
1806  if(!error)
1807  {
1808  //TLS operates as a client?
1809  if(context->entity == TLS_CONNECTION_END_CLIENT)
1810  {
1811  //Check key exchange method
1812  if(context->keyExchMethod == TLS_KEY_EXCH_RSA ||
1813  context->keyExchMethod == TLS_KEY_EXCH_DHE_RSA ||
1814  context->keyExchMethod == TLS_KEY_EXCH_ECDHE_RSA ||
1815  context->keyExchMethod == TLS_KEY_EXCH_RSA_PSK)
1816  {
1817  //The client expects a valid RSA certificate whenever the agreed-
1818  //upon key exchange method uses RSA certificates for authentication
1819  if(context->peerCertType != TLS_CERT_RSA_SIGN &&
1820  context->peerCertType != TLS_CERT_RSA_PSS_SIGN)
1821  {
1823  }
1824  }
1825  else if(context->keyExchMethod == TLS_KEY_EXCH_DHE_DSS)
1826  {
1827  //The client expects a valid DSA certificate whenever the agreed-
1828  //upon key exchange method uses DSA certificates for authentication
1829  if(context->peerCertType != TLS_CERT_DSS_SIGN)
1830  {
1832  }
1833  }
1834  else if(context->keyExchMethod == TLS_KEY_EXCH_ECDHE_ECDSA)
1835  {
1836  //The client expects a valid ECDSA certificate whenever the agreed-
1837  //upon key exchange method uses ECDSA certificates for authentication
1838  if(context->peerCertType != TLS_CERT_ECDSA_SIGN &&
1839  context->peerCertType != TLS_CERT_ED25519_SIGN &&
1840  context->peerCertType != TLS_CERT_ED448_SIGN)
1841  {
1843  }
1844  }
1845  else if(context->keyExchMethod == TLS13_KEY_EXCH_DHE ||
1846  context->keyExchMethod == TLS13_KEY_EXCH_ECDHE)
1847  {
1848  //TLS 1.3 removes support for DSA certificates
1849  if(context->peerCertType != TLS_CERT_RSA_SIGN &&
1850  context->peerCertType != TLS_CERT_RSA_PSS_SIGN &&
1851  context->peerCertType != TLS_CERT_ECDSA_SIGN &&
1852  context->peerCertType != TLS_CERT_ED25519_SIGN &&
1853  context->peerCertType != TLS_CERT_ED448_SIGN)
1854  {
1856  }
1857  }
1858  else
1859  {
1860  //Just for sanity
1862  }
1863  }
1864  }
1865 #endif
1866 
1867  //Return status code
1868  return error;
1869 }
1870 
1871 
1872 /**
1873  * @brief Check certificate key usage
1874  * @param[in] certInfo Pointer to the X.509 certificate
1875  * @param[in] entity Specifies whether this entity is considered a client or a server
1876  * @param[in] keyExchMethod TLS key exchange method
1877  * @return Error code
1878  **/
1879 
1881  TlsConnectionEnd entity, TlsKeyExchMethod keyExchMethod)
1882 {
1883  error_t error;
1884 
1885  //Initialize status code
1886  error = NO_ERROR;
1887 
1888 #if (TLS_CERT_KEY_USAGE_SUPPORT == ENABLED)
1889  //Check if the KeyUsage extension is present
1890  if(certInfo->extensions.keyUsage != 0)
1891  {
1892  //Check whether TLS operates as a client or a server
1893  if(entity == TLS_CONNECTION_END_CLIENT)
1894  {
1895  //Check key exchange method
1896  if(keyExchMethod == TLS_KEY_EXCH_RSA ||
1897  keyExchMethod == TLS_KEY_EXCH_RSA_PSK)
1898  {
1899  //The keyEncipherment bit must be asserted when the subject public
1900  //key is used for enciphering private or secret keys
1902  error = ERROR_BAD_CERTIFICATE;
1903  }
1904  else if(keyExchMethod == TLS_KEY_EXCH_DHE_RSA ||
1905  keyExchMethod == TLS_KEY_EXCH_DHE_DSS ||
1906  keyExchMethod == TLS_KEY_EXCH_ECDHE_RSA ||
1907  keyExchMethod == TLS_KEY_EXCH_ECDHE_ECDSA ||
1908  keyExchMethod == TLS13_KEY_EXCH_DHE ||
1909  keyExchMethod == TLS13_KEY_EXCH_ECDHE)
1910  {
1911  //The digitalSignature bit must be asserted when the subject public
1912  //key is used for verifying digital signatures, other than signatures
1913  //on certificates and CRLs
1915  error = ERROR_BAD_CERTIFICATE;
1916  }
1917  else
1918  {
1919  //Just for sanity
1920  }
1921  }
1922  else
1923  {
1924  //The digitalSignature bit must be asserted when the subject public
1925  //key is used for verifying digital signatures, other than signatures
1926  //on certificates and CRLs
1928  error = ERROR_BAD_CERTIFICATE;
1929  }
1930  }
1931 
1932  //Check if the ExtendedKeyUsage extension is present
1933  if(certInfo->extensions.extKeyUsage != 0)
1934  {
1935  //Check whether TLS operates as a client or a server
1936  if(entity == TLS_CONNECTION_END_CLIENT)
1937  {
1938  //Make sure the certificate can be used for server authentication
1940  error = ERROR_BAD_CERTIFICATE;
1941  }
1942  else
1943  {
1944  //Make sure the certificate can be used for client authentication
1946  error = ERROR_BAD_CERTIFICATE;
1947  }
1948  }
1949 #endif
1950 
1951  //Return status code
1952  return error;
1953 }
1954 
1955 #endif
error_t asn1DumpObject(const uint8_t *data, size_t length, uint_t level)
Display an ASN.1 data object.
Definition: asn1.c:478
TLS (Transport Layer Security)
const uint8_t ECDSA_WITH_SHA512_OID[8]
Definition: ecdsa.c:51
TlsKeyExchMethod
Key exchange methods.
Definition: tls.h:1019
size_t certChainLen
Length of the certificate chain.
Definition: tls.h:1864
const char_t * certChain
End entity certificate chain (PEM format)
Definition: tls.h:1863
error_t x509ReadRsaPublicKey(const X509SubjectPublicKeyInfo *subjectPublicKeyInfo, RsaPublicKey *key)
Read a RSA public key.
Definition: x509_common.c:184
char char_t
Definition: compiler_port.h:41
const uint8_t * rawData
Definition: x509_common.h:601
error_t x509ValidateCertificate(const X509CertificateInfo *certInfo, const X509CertificateInfo *issuerCertInfo, uint_t pathLength)
X.509 certificate validation.
const uint8_t ECDSA_WITH_SHA224_OID[8]
Definition: ecdsa.c:45
Debugging facilities.
#define tlsFreeMem(p)
Definition: tls.h:760
EC parameters.
Definition: x509_common.h:577
TlsHashAlgo
Hash algorithms.
Definition: tls.h:1087
error_t ecLoadDomainParameters(EcDomainParameters *params, const EcCurveInfo *curveInfo)
Load EC domain parameters.
Definition: ec.c:91
uint8_t p
Definition: ndp.h:295
error_t tlsReadSubjectPublicKey(TlsContext *context, const X509SubjectPublicKeyInfo *subjectPublicKeyInfo)
Extract the subject public key from the received certificate.
const uint8_t DSA_WITH_SHA256_OID[9]
Definition: dsa.c:55
const uint8_t DSA_WITH_SHA1_OID[7]
Definition: dsa.c:51
error_t tlsFormatRawPublicKey(TlsContext *context, uint8_t *p, size_t *written)
Format raw public key.
const uint8_t SHA384_WITH_RSA_ENCRYPTION_OID[9]
Definition: rsa.c:68
TlsSignatureAlgo
Signature algorithms.
Definition: tls.h:1104
const uint8_t RSASSA_PSS_OID[9]
Definition: rsa.c:86
bool_t tlsIsCertificateValid(const X509CertificateInfo *certInfo, const char_t *trustedCaList, size_t trustedCaListLen, uint_t pathLength, const char_t *subjectName)
Verify certificate against root CAs.
Invalid parameter.
Definition: error.h:45
bool_t x509CompareName(const uint8_t *name1, size_t nameLen1, const uint8_t *name2, size_t nameLen2)
Compare distinguished names.
Elliptic curve parameters.
Definition: ec_curves.h:290
size_t rawDataLen
Definition: x509_common.h:476
X509EcParameters ecParams
Definition: x509_common.h:613
const EcCurveInfo * x509GetCurveInfo(const uint8_t *oid, size_t length)
Get the elliptic curve that matches the specified OID.
Definition: x509_common.c:846
#define TLS_VERSION_1_3
Definition: tls.h:90
X509EcPublicKey ecPublicKey
Definition: x509_common.h:614
error_t ecImport(const EcDomainParameters *params, EcPoint *r, const uint8_t *data, size_t length)
Convert an octet string to an EC point.
Definition: ec.c:208
error_t tlsFormatCertificateList(TlsContext *context, uint8_t *p, size_t *written)
Format certificate chain.
const uint8_t * oid
Definition: x509_common.h:603
const uint8_t * namedCurve
Definition: x509_common.h:579
const uint8_t DSA_WITH_SHA224_OID[9]
Definition: dsa.c:53
error_t x509ReadDsaPublicKey(const X509SubjectPublicKeyInfo *subjectPublicKeyInfo, DsaPublicKey *key)
Read a DSA public key.
Definition: x509_common.c:235
const uint8_t * oid
Definition: x509_common.h:725
__start_packed struct @65 TlsSignHashAlgos
List of signature algorithms.
OID (Object Identifier)
__start_packed struct @66 TlsCertificateList
List of certificates.
__start_packed struct @75 TlsSupportedGroupList
List of supported groups.
#define TRUE
Definition: os_port.h:48
TlsNamedGroup
Named groups.
Definition: tls.h:1195
#define SHA384_OID
Definition: sha384.h:41
#define SHA512_OID
Definition: sha512.h:40
TLS helper functions.
ASN.1 (Abstract Syntax Notation One)
const uint8_t SHA512_WITH_RSA_ENCRYPTION_OID[9]
Definition: rsa.c:70
#define ntohs(value)
Definition: cpu_endian.h:396
const uint8_t ECDSA_WITH_SHA384_OID[8]
Definition: ecdsa.c:49
uint_t mpiGetBitLength(const Mpi *a)
Get the actual length in bits.
Definition: mpi.c:190
__start_packed struct @64 TlsSignHashAlgo
Signature algorithm.
size_t namedCurveLen
Definition: x509_common.h:580
#define LOAD24BE(p)
Definition: cpu_endian.h:179
X509Extensions extensions
Definition: x509_common.h:758
X509Version version
Definition: x509_common.h:752
#define TLS_MAX_RSA_MODULUS_SIZE
Definition: tls.h:699
PEM file import functions.
#define TLS_MAX_DSA_MODULUS_SIZE
Definition: tls.h:713
TlsSignatureAlgo signAlgo
Signature algorithm used to sign the end entity certificate.
Definition: tls.h:1868
const uint8_t ED448_OID[3]
Definition: ec_curves.c:96
#define STORE24BE(a, p)
Definition: cpu_endian.h:255
error_t x509ParseCertificate(const uint8_t *data, size_t length, X509CertificateInfo *certInfo)
Parse a X.509 certificate.
#define LOAD16BE(p)
Definition: cpu_endian.h:168
const uint8_t * q
Definition: x509_common.h:590
#define SHA256_OID
Definition: sha256.h:40
const uint8_t * rawData
Definition: x509_common.h:475
#define TLS_VERSION_1_2
Definition: tls.h:83
X.509 certificate validation.
int_t oidComp(const uint8_t *oid1, size_t oidLen1, const uint8_t *oid2, size_t oidLen2)
Compare object identifiers.
Definition: oid.c:99
error_t pemImportCertificate(const char_t **input, size_t *inputLen, uint8_t **output, size_t *outputSize, size_t *outputLen)
Decode a PEM file containing a certificate.
Definition: pem_import.c:1687
#define TLS_VERSION_1_1
Definition: tls.h:82
const uint8_t SHA1_WITH_RSA_ENCRYPTION_OID[9]
Definition: rsa.c:62
TlsCertificateType
Certificate types.
Definition: tls.h:1064
error_t x509CheckSubjectName(const X509CertificateInfo *certInfo, const char_t *fqdn)
Check whether the certificate matches the specified FQDN.
const uint8_t ED25519_OID[3]
Definition: ec_curves.c:94
Success.
Definition: error.h:42
const uint8_t RSA_ENCRYPTION_OID[9]
Definition: rsa.c:55
TlsHashAlgo hashAlgo
Hash algorithm used to sign the end entity certificate.
Definition: tls.h:1869
Subject public key info.
Definition: x509_common.h:599
error_t
Error codes.
Definition: error.h:40
#define TRACE_WARNING(...)
Definition: debug.h:78
error_t x509ParseSubjectPublicKeyInfo(const uint8_t *data, size_t length, size_t *totalLength, X509SubjectPublicKeyInfo *subjectPublicKeyInfo)
Parse SubjectPublicKeyInfo structure.
unsigned int uint_t
Definition: compiler_port.h:43
error_t x509CheckNameConstraints(const char_t *subjectName, const X509CertificateInfo *certInfo)
Check name constraints.
X509RsaPssParameters rsaPssParams
Definition: x509_common.h:728
__start_packed struct @67 TlsCertAuthorities
List of certificate authorities.
error_t tlsParseRawPublicKey(TlsContext *context, const uint8_t *p, size_t length)
Parse raw public key.
const uint8_t MD5_WITH_RSA_ENCRYPTION_OID[9]
Definition: rsa.c:60
uint8_t extKeyUsage
Definition: x509_common.h:699
X509SignatureAlgoId signatureAlgo
Definition: x509_common.h:759
const uint8_t * hashAlgo
Definition: x509_common.h:713
X.509 certificate.
Definition: x509_common.h:748
error_t tlsCheckKeyUsage(const X509CertificateInfo *certInfo, TlsConnectionEnd entity, TlsKeyExchMethod keyExchMethod)
Check certificate key usage.
Certificate descriptor.
Definition: tls.h:1861
error_t tlsGetCertificateType(const X509CertificateInfo *certInfo, TlsCertificateType *certType, TlsSignatureAlgo *certSignAlgo, TlsHashAlgo *certHashAlgo, TlsNamedGroup *namedCurve)
Retrieve the certificate type.
X509SubjectPublicKeyInfo subjectPublicKeyInfo
Definition: x509_common.h:757
error_t tlsParseCertificateList(TlsContext *context, const uint8_t *p, size_t length)
Parse certificate chain.
TlsConnectionEnd
TLS connection end.
Definition: tls.h:855
const uint8_t ECDSA_WITH_SHA1_OID[7]
Definition: ecdsa.c:43
TlsNamedGroup namedCurve
Named curve used to generate the EC public key.
Definition: tls.h:1870
const uint8_t SHA256_WITH_RSA_ENCRYPTION_OID[9]
Definition: rsa.c:66
bool_t tlsIsCertificateAcceptable(TlsContext *context, const TlsCertDesc *cert, const uint8_t *certTypes, size_t numCertTypes, const TlsSignHashAlgos *signHashAlgos, const TlsSignHashAlgos *certSignHashAlgos, const TlsSupportedGroupList *curveList, const TlsCertAuthorities *certAuthorities)
Check whether a certificate is acceptable.
#define tlsAllocMem(size)
Definition: tls.h:755
X.509 certificate parsing.
TlsCertificateType type
End entity certificate type.
Definition: tls.h:1867
TlsNamedGroup tlsGetNamedCurve(const uint8_t *oid, size_t length)
Get the named curve that matches the specified OID.
Definition: tls_misc.c:1040
uint8_t length
Definition: dtls_misc.h:140
uint8_t n
uint8_t oid[1]
Definition: mib_common.h:184
const EcCurveInfo * tlsGetCurveInfo(TlsContext *context, uint16_t namedCurve)
Get the EC domain parameters that match the specified named curve.
Definition: tls_misc.c:897
const uint8_t DSA_OID[7]
Definition: dsa.c:49
#define FALSE
Definition: os_port.h:44
#define TlsContext
Definition: tls.h:34
int bool_t
Definition: compiler_port.h:47
error_t tls13FormatCertExtensions(uint8_t *p, size_t *written)
error_t tls13ParseCertExtensions(const uint8_t *p, size_t length, size_t *consumed)
const uint8_t ECDSA_WITH_SHA256_OID[8]
Definition: ecdsa.c:47
Certificate handling.
uint16_t keyUsage
Definition: x509_common.h:698
const uint8_t EC_PUBLIC_KEY_OID[7]
Definition: ec.c:45