est_client_misc.c
1 /**
2  * @file est_client_misc.c
3  * @brief Helper functions for EST client
4  *
5  * @section License
6  *
7  * SPDX-License-Identifier: GPL-2.0-or-later
8  *
9  * Copyright (C) 2024-2025 Oryx Embedded SARL. All rights reserved.
10  *
11  * This file is part of CycloneEST Open.
12  *
13  * This program is free software; you can redistribute it and/or
14  * modify it under the terms of the GNU General Public License
15  * as published by the Free Software Foundation; either version 2
16  * of the License, or (at your option) any later version.
17  *
18  * This program is distributed in the hope that it will be useful,
19  * but WITHOUT ANY WARRANTY; without even the implied warranty of
20  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21  * GNU General Public License for more details.
22  *
23  * You should have received a copy of the GNU General Public License
24  * along with this program; if not, write to the Free Software Foundation,
25  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
26  *
27  * @author Oryx Embedded SARL (www.oryx-embedded.com)
28  * @version 2.5.4
29  **/
30 
31 //Switch to the appropriate trace level
32 #define TRACE_LEVEL EST_TRACE_LEVEL
33 
34 //Dependencies
35 #include "est/est_client.h"
36 #include "est/est_client_misc.h"
37 #include "pkix/x509_cert_parse.h"
38 #include "pkix/x509_cert_create.h"
40 #include "debug.h"
41 
42 //Check crypto library configuration
43 #if (EST_CLIENT_SUPPORT == ENABLED)
44 
45 
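/**
 * @brief Generate PKCS #10 certificate request
 *
 * The CSR itself is produced by the application-supplied csrGenCallback.
 * Before invoking it, the channel binding value of the current TLS session
 * is exported and base64 encoded so that the callback can place it in the
 * challenge-password attribute (refer to RFC 7030, section 3.5)
 *
 * @param[in] context Pointer to the EST client context
 * @return Error code: ERROR_INVALID_CSR when no callback is registered,
 *   ERROR_BUFFER_OVERFLOW when the exported binding would not fit in the
 *   local buffer once base64 encoded, otherwise the status returned by the
 *   channel binding export or by the callback
 **/

error_t estClientGenerateCsr(EstClientContext *context)
{
   error_t error;
   size_t n;
   //Holds the raw channel binding and, after in-place encoding, its base64
   //form. tlsExportChannelBinding receives no capacity argument, so this
   //buffer relies on the TLS layer never exporting more than it can hold
   //(the "tls-exporter" value is 32 bytes; "tls-unique" is the Finished
   //verify_data, see RFC 5929)
   char_t buffer[64];

   //Any registered callback?
   if(context->csrGenCallback != NULL)
   {
      //No channel binding has been exported yet
      n = 0;

      //The client generating the CSR obtains the "tls-unique" value from the TLS
      //subsystem as described in RFC 5929 (refer to RFC 7030, section 3.5)
      error = tlsExportChannelBinding(context->httpClientContext.tlsContext,
         "tls-unique", (uint8_t *) buffer, &n);

      //For (D)TLS 1.3, Appendix C.5 of RFC 8446 describes the lack of channel
      //bindings similar to "tls-unique"
      if(error == ERROR_INVALID_VERSION)
      {
         //"tls-exporter" can be used instead to derive a 32-byte tls-exporter
         //binding from the (D)TLS 1.3 master secret (refer to RFC 9148,
         //section 3)
         error = tlsExportChannelBinding(context->httpClientContext.tlsContext,
            "tls-exporter", (uint8_t *) buffer, &n);
      }

      //Check status code
      if(!error)
      {
         //Base64 expands n bytes to 4 * ceil(n / 3) characters plus a NUL
         //terminator. Refuse a binding that would not fit once encoded rather
         //than let the in-place encoding run past the end of the buffer
         if(((n + 2) / 3) * 4 + 1 > sizeof(buffer))
         {
            error = ERROR_BUFFER_OVERFLOW;
         }
      }

      //Check status code
      if(!error)
      {
         //The channel binding value is base64 encoded (in place, as the
         //encoder processes the input from its end)
         base64Encode(buffer, n, buffer, &n);

         //The resulting string is placed in the certification request
         //challenge-password field
         error = context->csrGenCallback(context, buffer, context->csr,
            EST_CLIENT_MAX_CSR_LEN, &context->csrLen);
      }
   }
   else
   {
      //Report an error
      error = ERROR_INVALID_CSR;
   }

   //Return status code
   return error;
}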
98 
99 
/**
 * @brief TLS initialization
 *
 * Configures the protocol version range and the PRNG, signals the use of
 * the explicit TA database to the server when requested, hands the TLS
 * context to the application's tlsInitCallback and finally installs the
 * trusted CA list used to validate the EST server certificate
 *
 * @param[in] httpClientContext Pointer to the HTTP client context (unused)
 * @param[in] tlsContext Pointer to the TLS context
 * @param[in] param Pointer to the EST client context
 * @return Error code: ERROR_FAILURE when no tlsInitCallback is registered,
 *   otherwise the first failing status among the TLS configuration calls
 **/

error_t estClientInitTlsContext(HttpClientContext *httpClientContext,
   TlsContext *tlsContext, void *param)
{
   error_t error;
   //The opaque parameter carries the EST client context
   EstClientContext *context = (EstClientContext *) param;

   //TLS 1.1 (or a later version) must be used for all EST communications
   //(refer to RFC 7030, section 3.3)
   //NOTE(review): RFC 8996 has since deprecated TLS 1.0 and 1.1. The
   //application's tlsInitCallback runs after this call, so a stricter
   //version floor can presumably be applied there
   error = tlsSetVersion(tlsContext, TLS_VERSION_1_1, TLS_VERSION_1_3);

   //Stop at the first failure
   if(error)
   {
      return error;
   }

   //Set the PRNG algorithm to be used
   error = tlsSetPrng(tlsContext, context->prngAlgo, context->prngContext);

   //Stop at the first failure
   if(error)
   {
      return error;
   }

   //If the client disables the implicit TA database, and if the EST server
   //certificate was verified using an implicit TA database entry, then the
   //client must include the "Trusted CA Indication" extension in future TLS
   //sessions (refer to RFC 7030, section 4.1.3)
   //NOTE(review): when neither TLS_TRUSTED_CA_KEYS_SUPPORT nor
   //TLS_CERT_AUTHORITIES_SUPPORT is enabled this branch is empty and the
   //indication is silently not sent
   if(context->useExplicitTa)
   {
#if (TLS_TRUSTED_CA_KEYS_SUPPORT == ENABLED)
      //The "Trusted CA Indication" extension indicates to the server that
      //only an EST server certificate authenticatable by the explicit TA
      //database entry is now acceptable
      error = tlsEnableTrustedCaKeys(tlsContext, TRUE);

      //Stop at the first failure
      if(error)
      {
         return error;
      }
#endif

#if (TLS_CERT_AUTHORITIES_SUPPORT == ENABLED)
      //The "trusted_ca_keys" extension is not used in TLS 1.3, where the
      //"certificate_authorities" extension carries the indication instead
      error = tlsEnableCertAuthorities(tlsContext, TRUE);

      //Stop at the first failure
      if(error)
      {
         return error;
      }
#endif
   }

   //TLS related initialization is delegated to the application; without a
   //callback the session cannot be configured
   if(context->tlsInitCallback == NULL)
   {
      return ERROR_FAILURE;
   }

   //Invoke callback function
   error = context->tlsInitCallback(context, tlsContext);

   //Stop at the first failure
   if(error)
   {
      return error;
   }

   //The EST client implicit or explicit TA database is used to validate the
   //EST server certificate
   return tlsSetTrustedCaList(tlsContext, context->caCerts,
      context->caCertsLen);
}
183 
184 #endif