projects / platform / upstream / iotivity.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Imported Upstream version 1.1.0
[platform/upstream/iotivity.git] / resource / csdk / security / provisioning / ck_manager / src / cert_generator.c
1 /******************************************************************
2  *
3  * Copyright 2015 Samsung Electronics All Rights Reserved.
4  *
5  *
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  *      LICENSE-2.0" target="_blank">http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  *
19
20  ******************************************************************/
21
22
23 #include "cert_generator.h"
24 #include "ckm_info.h"
25 #include "pki.h"
26 #include "oic_malloc.h"
27
28 //ecdsa-with-SHA256 1.2.840.10045.4.3.2 [RFC5759]
29 static const uint8_t g_ECDSA_WITH_SHA256_OID[] = {0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x02};
30
31 //Elliptic Curve Digital Signature Algorithm (ECDSA) 1.2.840.10045.2.1 [RFC7250]
32 static const uint8_t g_EC_PUBLIC_KEY_OID[] = {0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01};
33
34 //secp256r1 1.2.840.10045.3.1.7 [RFC5656]
35 static const uint8_t g_PRIME_256_V1_OID[] = {0x2A, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07};
36
37 //commonName 2.5.4.3 [RFC2256]
38 static const uint8_t g_COMMON_NAME_OID[] = {0x55, 0x04, 0x03};
39
40
41 PKIError GenerateCertificate (const UTF8String_t *subjectName, const UTF8String_t *issuerName,
42                         const UTCTime_t *notBefore, const UTCTime_t *notAfter,
43                         const BIT_STRING_t *subjectPublicKey, const BIT_STRING_t *issuerPrivateKey,
44                         ByteArray *encodedCertificate)
45 {
46     FUNCTION_INIT();
47     asn_enc_rval_t ec; /* Encoder return value */
48     Certificate_t *certificate                  = NULL; /* Type to encode */
49     AttributeTypeAndValue_t *issuerTypeAndValue    = NULL;
50     AttributeTypeAndValue_t *subjectTypeAndValue   = NULL;
51     RelativeDistinguishedName_t *issuerRDN         = NULL;
52     RelativeDistinguishedName_t *subjectRDN        = NULL;
53     uint8_t *uint8Pointer                       = NULL;
54     ByteArray tbs                               = BYTE_ARRAY_INITIALIZER;
55     uint8_t signature[SIGN_FULL_SIZE];
56     uint8_t sha256[SHA_256_HASH_LEN];
57     uint8_t tbsDer[ISSUER_MAX_CERT_SIZE];
58     long serialNumber = 0;
59
60     CHECK_NULL(subjectName, ISSUER_X509_NULL_PASSED);
61     CHECK_NULL(issuerName, ISSUER_X509_NULL_PASSED);
62     CHECK_NULL(notBefore, ISSUER_X509_NULL_PASSED);
63     CHECK_NULL(notAfter, ISSUER_X509_NULL_PASSED);
64     CHECK_NULL(subjectPublicKey, ISSUER_X509_NULL_PASSED);
65     CHECK_NULL(issuerPrivateKey, ISSUER_X509_NULL_PASSED);
66     CHECK_NULL_BYTE_ARRAY_PTR(encodedCertificate, ISSUER_X509_NULL_PASSED);
67     CHECK_LESS_EQUAL(ISSUER_MAX_CERT_SIZE, encodedCertificate->len,
68                      ISSUER_X509_WRONG_BYTE_ARRAY_LEN);
69
70     /* Allocate the memory */
71     certificate      = OICCalloc(1, sizeof(Certificate_t)); // not malloc!
72     CHECK_NULL(certificate, ISSUER_X509_MEMORY_ALLOC_FAILED);
73
74     issuerTypeAndValue  = OICCalloc(1, sizeof(AttributeTypeAndValue_t));
75     CHECK_NULL(issuerTypeAndValue, ISSUER_X509_MEMORY_ALLOC_FAILED);
76
77     issuerRDN           = OICCalloc(1, sizeof(RelativeDistinguishedName_t));
78     CHECK_NULL(issuerRDN, ISSUER_X509_MEMORY_ALLOC_FAILED);
79
80     subjectTypeAndValue = OICCalloc(1, sizeof(AttributeTypeAndValue_t));
81     CHECK_NULL(subjectTypeAndValue, ISSUER_X509_MEMORY_ALLOC_FAILED);
82
83     subjectRDN          = OICCalloc(1, sizeof(RelativeDistinguishedName_t));
84     CHECK_NULL(subjectRDN, ISSUER_X509_MEMORY_ALLOC_FAILED);
85
86     //set issuer name
87     issuerTypeAndValue->value = *issuerName;
88     issuerTypeAndValue->type.buf = (uint8_t *)g_COMMON_NAME_OID;   //2.5.4.3
89     issuerTypeAndValue->type.size = sizeof(g_COMMON_NAME_OID) / sizeof(g_COMMON_NAME_OID[0]);
90     ASN_SET_ADD(issuerRDN, issuerTypeAndValue);
91     ASN_SEQUENCE_ADD(&(certificate->tbsCertificate.issuer), issuerRDN);
92
93     //set subject name
94     subjectTypeAndValue->value = *subjectName;
95     subjectTypeAndValue->type.buf = (uint8_t *)g_COMMON_NAME_OID;  //2.5.4.3
96     subjectTypeAndValue->type.size = sizeof(g_COMMON_NAME_OID) / sizeof(g_COMMON_NAME_OID[0]);
97     ASN_SET_ADD(subjectRDN, subjectTypeAndValue);
98     ASN_SEQUENCE_ADD(&(certificate->tbsCertificate.subject), subjectRDN);
99
100     //set validity
101     certificate->tbsCertificate.validity.notBefore = *notBefore;
102     certificate->tbsCertificate.validity.notAfter  = *notAfter;
103
104     //set X.509 certificate version
105     certificate->tbsCertificate.version = X509_V2;
106
107     //set serial number
108     certificate->tbsCertificate.serialNumber = 0;
109
110     CHECK_CALL(InitCKMInfo);
111     CHECK_CALL(GetNextSerialNumber, &serialNumber);
112     certificate->tbsCertificate.serialNumber = serialNumber;
113     serialNumber++;
114     CHECK_CALL(SetNextSerialNumber, serialNumber);
115     CHECK_CALL(SaveCKMInfo);
116
117     //set signature algorithm in TBS
118     certificate->tbsCertificate.signature.algorithm.buf =
119         (uint8_t *)g_ECDSA_WITH_SHA256_OID;    //1.2.840.10045.4.3.2
120     certificate->tbsCertificate.signature.algorithm.size =
121         sizeof(g_ECDSA_WITH_SHA256_OID) / sizeof(g_ECDSA_WITH_SHA256_OID[0]);
122     certificate->tbsCertificate.signature.nul = OICCalloc(1, sizeof(NULL_t));
123     CHECK_NULL(certificate->tbsCertificate.signature.nul, ISSUER_X509_MEMORY_ALLOC_FAILED);
124
125     //set subject Public Key algorithm
126     certificate->tbsCertificate.subjectPublicKeyInfo.algorithm.algorithm.buf =
127         (uint8_t *)g_EC_PUBLIC_KEY_OID;   //1.2.840.10045.2.1
128     certificate->tbsCertificate.subjectPublicKeyInfo.algorithm.algorithm.size =
129         sizeof(g_EC_PUBLIC_KEY_OID) / sizeof(g_EC_PUBLIC_KEY_OID[0]);
130
131     //set subject Public Key curve
132     certificate->tbsCertificate.subjectPublicKeyInfo.algorithm.id_ecPublicKey =
133         OICCalloc(1, sizeof(OBJECT_IDENTIFIER_t));
134     CHECK_NULL(certificate->tbsCertificate.subjectPublicKeyInfo.algorithm.id_ecPublicKey,
135                ISSUER_X509_MEMORY_ALLOC_FAILED);
136     certificate->tbsCertificate.subjectPublicKeyInfo.algorithm.id_ecPublicKey->buf =
137         (uint8_t *)g_PRIME_256_V1_OID;  //1.2.840.10045.3.1.7
138     certificate->tbsCertificate.subjectPublicKeyInfo.algorithm.id_ecPublicKey->size =
139         sizeof(g_PRIME_256_V1_OID) / sizeof(g_PRIME_256_V1_OID[0]);
140
141     //set subject Public Key
142     certificate->tbsCertificate.subjectPublicKeyInfo.subjectPublicKey = *subjectPublicKey;
143
144     //set signature algorithm
145     certificate->signatureAlgorithm.algorithm.buf = (uint8_t *)g_ECDSA_WITH_SHA256_OID;
146     certificate->signatureAlgorithm.algorithm.size =
147         sizeof(g_ECDSA_WITH_SHA256_OID) / sizeof(g_ECDSA_WITH_SHA256_OID[0]);
148     certificate->signatureAlgorithm.nul = OICCalloc(1, sizeof(NULL_t));
149     CHECK_NULL(certificate->signatureAlgorithm.nul, ISSUER_X509_MEMORY_ALLOC_FAILED);
150
151     //encode TBS to DER
152     ec = der_encode_to_buffer(&asn_DEF_TBSCertificate, &(certificate->tbsCertificate),
153                               tbsDer, ISSUER_MAX_CERT_SIZE);
154     CHECK_COND(ec.encoded > 0, ISSUER_X509_DER_ENCODE_FAIL);
155     tbs.len = ec.encoded;
156     tbs.data = tbsDer;
157     GET_SHA_256(tbs, sha256);
158     CHECK_COND(uECC_sign((issuerPrivateKey->buf) + 1, sha256, signature),
159                ISSUER_X509_SIGNATURE_FAIL);
160             //additional byte for ASN1_UNCOMPRESSED_KEY_ID
161
162     // ECDSA-Sig-Value ::= SEQUENCE { r INTEGER, s INTEGER } (RFC 5480)
163     certificate->signatureValue.size = SIGN_FULL_SIZE + 6;// size for SEQUENCE ID + 2 * INTEGER ID
164
165     // if first byte of positive INTEGER exceed 127 add 0 byte before
166     if (signature[0] > 127)
167     {
168         certificate->signatureValue.size ++;
169     }
170
171     // if first byte of positive INTEGER exceed 127 add 0 byte before
172     if (signature[SIGN_R_LEN] > 127)
173     {
174         certificate->signatureValue.size ++;
175     }
176     certificate->signatureValue.buf = OICCalloc(certificate->signatureValue.size, sizeof(uint8_t));
177     CHECK_NULL(certificate->signatureValue.buf, ISSUER_X509_MEMORY_ALLOC_FAILED);
178     *(certificate->signatureValue.buf) = (12 << 2); //ASN.1 SEQUENCE ID
179     *(certificate->signatureValue.buf + 1) = certificate->signatureValue.size - 2;
180     //ASN.1 SEQUENCE size
181
182     uint8Pointer = certificate->signatureValue.buf + 2; //skip SEQUENCE ID and size
183     *uint8Pointer = (2 << 0); //ASN.1 INTEGER ID
184
185     // if first byte of positive INTEGER exceed 127 add 0 byte before
186     if (signature[0] > 127)
187     {
188         *(uint8Pointer + 1) = SIGN_R_LEN + 1; //ASN.1 INTEGER size
189         uint8Pointer += 3; //skip INTEGER ID and size
190     }
191     else
192     {
193         *(uint8Pointer + 1) = SIGN_R_LEN; //ASN.1 INTEGER SIZE
194         uint8Pointer += 2; //skip INTEGER ID and size
195     }
196     memcpy(uint8Pointer, signature, SIGN_R_LEN);
197
198     uint8Pointer += SIGN_R_LEN; //skip first part of signature
199     *uint8Pointer = (2 << 0);   //ASN.1 INTEGER ID
200
201     // if first byte of positive INTEGER exceed 127 add 0 byte before
202     if (signature [SIGN_R_LEN] > 127)
203     {
204         *(uint8Pointer + 1) = SIGN_S_LEN + 1; //ASN.1 INTEGER size
205         uint8Pointer += 3; //skip INTEGER ID and size
206     }
207     else
208     {
209         *(uint8Pointer + 1) = SIGN_S_LEN; //ASN.1 INTEGER size
210         uint8Pointer += 2; //skip INTEGER ID and size
211     }
212     memcpy(uint8Pointer, signature + SIGN_R_LEN, SIGN_S_LEN);
213
214     ec = der_encode_to_buffer(&asn_DEF_Certificate, certificate,
215                               encodedCertificate->data, ISSUER_MAX_CERT_SIZE);
216     CHECK_COND(ec.encoded > 0, ISSUER_X509_DER_ENCODE_FAIL);
217     encodedCertificate->len = ec.encoded;
218
219     FUNCTION_CLEAR(
220         if (issuerTypeAndValue)
221         {
222             issuerTypeAndValue->value.buf = NULL;
223             issuerTypeAndValue->type.buf  = NULL;
224         }
225         if (subjectTypeAndValue)
226         {
227             subjectTypeAndValue->value.buf = NULL;
228             subjectTypeAndValue->type.buf  = NULL;
229         }
230         if (certificate)
231         {
232             certificate->tbsCertificate.validity.notBefore.buf                             = NULL;
233             certificate->tbsCertificate.validity.notAfter.buf                              = NULL;
234             certificate->tbsCertificate.subjectPublicKeyInfo.subjectPublicKey.buf          = NULL;
235             certificate->tbsCertificate.signature.algorithm.buf                            = NULL;
236             certificate->tbsCertificate.subjectPublicKeyInfo.algorithm.algorithm.buf       = NULL;
237             if (certificate->tbsCertificate.subjectPublicKeyInfo.algorithm.id_ecPublicKey)
238             {
239                 certificate->tbsCertificate.subjectPublicKeyInfo.algorithm.id_ecPublicKey->buf = NULL;
240             }
241             certificate->signatureAlgorithm.algorithm.buf                                  = NULL;
242         }
243         ASN_STRUCT_FREE(asn_DEF_Certificate, certificate);
244         certificate = NULL;
245     );
246 }
Domain: Network & Connectivity / IoT Connectivity;