NetBurner 3.5.6
PDF Version
certgen.h
1/*NB_REVISION*/
2
3/*NB_COPYRIGHT*/
4
18#ifndef _CERT_GEN_H
19#define _CERT_GEN_H
20#include <predef.h>
21#include <nettypes.h>
22#include <nbstring.h>
23
24#if defined(NB_SSL_SUPPORTED) || defined(NB_SSH_SUPPORTED)
25
26#include <crypto/ssl.h>
27#include <crypto/wolfssl/wolfcrypt/ecc.h>
28#include <random.h>
29
30#define MAX_CERT_SNAME_LEN 64
31
32// Check for ECC and RSA. If both exist, prefer ECC since it is faster.
33#if defined(HAVE_ECC) && defined(ENABLE_ECCKEY_CREATE)
34#define SSL_KEY_ECC
35#elif defined(ENABLE_RSAKEY_CREATE)
36#define SSL_KEY_RSA
37#endif
38
39
44enum SslKeyType_t
45{
46 SSL_KEY_NONE,
47 SSL_KEY_ECC_SECP192R1 = ECC_SECP192R1,
48 SSL_KEY_ECC_SECP224R1 = ECC_SECP224R1,
49 SSL_KEY_ECC_SECP256R1 = ECC_SECP256R1,
50 SSL_KEY_ECC_SECP384R1 = ECC_SECP384R1,
51 SSL_KEY_ECC_SECP521R1 = ECC_SECP521R1,
52 SSL_KEY_RSA_1024,
53 SSL_KEY_RSA_2048,
54 SSL_KEY_RSA_4096,
55};
56#if defined(SSL_KEY_ECC)
57constexpr SslKeyType_t DEFAULT_KEY_TYPE(SSL_KEY_ECC_SECP256R1);
58#else
59constexpr SslKeyType_t DEFAULT_KEY_TYPE(SSL_KEY_RSA_2048);
60#endif
61
65enum AltNameType_t : char
66{
67 ALT_NAME_TYPE_NONE = 0,
68 ALT_NAME_TYPE_DNS = (char)0x82,
69 ALT_NAME_TYPE_IP = (char)0x87
70};
71
72
94
95
100struct CertGenData
101{
102
103 // Values passed in by EnableOnboardCertificateCreation() and set by the user
104 const char * m_country;
105 const char * m_state;
106 const char * m_locality;
107 const char * m_org;
108 const char * m_unit;
109 const char * m_email;
110 const char *m_commonName;
111 int m_yrsValid;
112 NBString m_altNamesString;
113 /* m_altNamesString format of included alt name
114 A single string, with possibly multiple altnames separated by a comma.
115 You can either incude a tag telling the system what kind of AltName it is...
116 So say you wanted :
117 IP:192.168.1.36 and
118 DNS:demo.netburner.com
119 The following strings would both work:
120 "IP:192.168.1.36,DNS:demo.netburner.com"
121 "192.168.1.36,demo.netburner.com"
122
123 or dual interface IP's...
124
125 "192.168.1.36,10.1.1.35"
126
127 or both V4 and V6....
128 "IP:fe80::203:f4ff:fe0a:447f,192.168.1.36"
129 */
130
131
132
133 // Values set when a cert is generated to monitor its expiration
134 time_t m_certExpTime;
135
136 CertGenData() :
137 m_country(nullptr),
138 m_state(nullptr),
139 m_locality(nullptr),
140 m_org(nullptr),
141 m_unit(nullptr),
142 m_email(nullptr),
143 m_commonName(nullptr),
144 m_yrsValid(1),
145 m_certExpTime(0){}
146};
147
148
149#include <config_obj.h>
150
151extern const char * DEFAULT_CERT_COUNTRY;
152extern const char * DEFAULT_CERT_STATE;
153extern const char * DEFAULT_CERT_LOCALITY;
154extern const char * DEFAULT_CERT_ORG;
155extern const char * DEFAULT_CERT_UNIT;
156extern const char * DEFAULT_CERT_EMAIL;
157extern const char * DEFAULT_CERT_COM_NAME;
158extern const char * DEFAULT_CERT_ALT_NAMES;
159
163class CertData : public config_obj
164{
165 public:
166 config_string m_country;
167 config_string m_state;
168 config_string m_locality;
169 config_string m_org;
170 config_string m_unit;
171 config_string m_email;
172 config_string m_comname;
173 config_string m_altNames;
174 ConfigEndMarker; // No new data members below this line
175 CertGenData * GetDataForCertGen();
176 CertData(const char * Country=DEFAULT_CERT_COUNTRY,
177 const char * State=DEFAULT_CERT_STATE,
178 const char * Locality=DEFAULT_CERT_LOCALITY,
179 const char * Org=DEFAULT_CERT_ORG,
180 const char * Unit=DEFAULT_CERT_UNIT,
181 const char * Email=DEFAULT_CERT_EMAIL,
182 const char * Name=DEFAULT_CERT_COM_NAME,
183 const char * AltNames=DEFAULT_CERT_ALT_NAMES
184 ) : config_obj(sys,"CertData" ,"Object to hold the data for certificate generation"),
185 m_country(Country,"Country"),
186 m_state (State,"State"),
187 m_locality(Locality,"Locality"),
188 m_org(Org,"Org"),
189 m_unit(Unit,"Unit"),
190 m_email(Email,"Email"),
191 m_comname(Name,"Comname"),
192 m_altNames(AltNames,"AltNames")
193 {
194 };
195};
196
197
212extern "C" CertGenReturnCode SSL_CreateNewSelfSignedCert(CertGenData & pGenData);
213
214extern CertGenReturnCode (*SSL_CreateNewCert)(CertGenData & cGenData);
215
227void EnableOnboardCertificateCreation( CertGenReturnCode (*createCertFunc)(CertGenData & cGenData) = SSL_CreateNewSelfSignedCert);
228
229
252void FillInAltNamesASN1(Cert & TheCert,NBString & altNameString);
253
257CertGenReturnCode CheckAndCreateHalCertAndKey();
258
269extern CertGenData * GetDataForCertGen();
270
271#endif /* NB_SSL_SUPPORTED */
272#endif /* #ifdef _CERT_GEN_H */
273
CertData
Definition certgen.h:164
NBString
Lightweight alternative to C++ CString class.
Definition nbstring.h:118
config_obj
Base class used to create configuration objects.
Definition config_obj.h:320
config_string
String Configuration Variable.
Definition config_obj.h:1127
CertGenReturnCode
CertGenReturnCode
Certificate Generation Function Return Codes.
Definition certgen.h:77
FillInAltNamesASN1
void FillInAltNamesASN1(Cert &TheCert, NBString &altNameString)
Helper function used to build ASN1 representation of alt names.
SSL_CreateNewSelfSignedCert
CertGenReturnCode SSL_CreateNewSelfSignedCert(CertGenData &pGenData)
Generates a new self-signed certificate that will be stored on the device.
CheckAndCreateHalCertAndKey
CertGenReturnCode CheckAndCreateHalCertAndKey()
Check for a valid SSL certificate and generate one if not found.
SslKeyType_t
SslKeyType_t
Certificate Generation Key Types.
Definition certgen.h:45
GetDataForCertGen
CertGenData * GetDataForCertGen()
A function to be overridden to pass certificate details to the certificate generator.
Definition SSL/SslOnboardCertGeneration/CompiledCa/src/main.cpp:17
EnableOnboardCertificateCreation
void EnableOnboardCertificateCreation(CertGenReturnCode(*createCertFunc)(CertGenData &cGenData)=SSL_CreateNewSelfSignedCert)
Enables the ability for the module to automatically generate self-signed certificates for use in SSL/...
AltNameType_t
AltNameType_t
Certificate Generation Alternate Name Types.
Definition certgen.h:66
CERT_GEN_RETURN_NOT_REQUIRED
@ CERT_GEN_RETURN_NOT_REQUIRED
Returned when the a new certificate was not required to be generated.
Definition certgen.h:79
CERT_GEN_RETURN_CERT_SAVING_ERROR
@ CERT_GEN_RETURN_CERT_SAVING_ERROR
Returned when the device was unable to properly save the certificate.
Definition certgen.h:89
CERT_GEN_RETURN_CERT_INIT_ERROR
@ CERT_GEN_RETURN_CERT_INIT_ERROR
Returned when the device was unable to initialize the required certificate object.
Definition certgen.h:86
CERT_GEN_RETURN_INVALID_RANDOM
@ CERT_GEN_RETURN_INVALID_RANDOM
Returned when the device was unable to generate a valid random number.
Definition certgen.h:80
CERT_GEN_RETURN_RSA_INIT_ERROR
@ CERT_GEN_RETURN_RSA_INIT_ERROR
Returned when the device was unable to initialize the required RSA object.
Definition certgen.h:84
CERT_GEN_RETURN_CERT_SIGNING_ERROR
@ CERT_GEN_RETURN_CERT_SIGNING_ERROR
Returned when the device was unable to sign the created certificate.
Definition certgen.h:88
CERT_GEN_RETURN_SUCCESS
@ CERT_GEN_RETURN_SUCCESS
Returned when the certificate was successfully generated.
Definition certgen.h:78
CERT_GEN_RETURN_MALLOC_ERROR
@ CERT_GEN_RETURN_MALLOC_ERROR
Returned when the device is unable to malloc enough space to generate the certificate.
Definition certgen.h:81
CERT_GEN_RETURN_CERT_CREATE_ERROR
@ CERT_GEN_RETURN_CERT_CREATE_ERROR
Returned when the device was unable to create the certificate.
Definition certgen.h:87
CERT_GEN_RETURN_KEY_SAVING_ERROR
@ CERT_GEN_RETURN_KEY_SAVING_ERROR
Returned when the device was unable to save the key.
Definition certgen.h:91
CERT_GEN_RETURN_ECC_CREATE_ERROR
@ CERT_GEN_RETURN_ECC_CREATE_ERROR
Returned when the device was unable to create the ECC key.
Definition certgen.h:83
CERT_GEN_RETURN_SET_ISSUER_ERROR
@ CERT_GEN_RETURN_SET_ISSUER_ERROR
Returned when the device was unable to set the issuer if a CA was used.
Definition certgen.h:92
CERT_GEN_RETURN_ECC_INIT_ERROR
@ CERT_GEN_RETURN_ECC_INIT_ERROR
Returned when the device was unable to initialize the required ECC object.
Definition certgen.h:82
CERT_GEN_RETURN_KEY_CONVERT_ERROR
@ CERT_GEN_RETURN_KEY_CONVERT_ERROR
Returned when the device was unable to convert the certificate from PEM to DER format.
Definition certgen.h:90
CERT_GEN_RETURN_RSA_CREATE_ERROR
@ CERT_GEN_RETURN_RSA_CREATE_ERROR
Returned when the device was unable to create the RSA key.
Definition certgen.h:85
SSL_KEY_RSA_1024
@ SSL_KEY_RSA_1024
RSA 1024.
Definition certgen.h:52
SSL_KEY_ECC_SECP224R1
@ SSL_KEY_ECC_SECP224R1
Defined in wolfssl/wolfcrypt/ecc.h.
Definition certgen.h:48
SSL_KEY_ECC_SECP384R1
@ SSL_KEY_ECC_SECP384R1
Defined in wolfssl/wolfcrypt/ecc.h.
Definition certgen.h:50
SSL_KEY_ECC_SECP192R1
@ SSL_KEY_ECC_SECP192R1
Defined in wolfssl/wolfcrypt/ecc.h.
Definition certgen.h:47
SSL_KEY_ECC_SECP521R1
@ SSL_KEY_ECC_SECP521R1
Defined in wolfssl/wolfcrypt/ecc.h.
Definition certgen.h:51
SSL_KEY_RSA_4096
@ SSL_KEY_RSA_4096
RSA 4096.
Definition certgen.h:54
SSL_KEY_RSA_2048
@ SSL_KEY_RSA_2048
RSA 2048.
Definition certgen.h:53
SSL_KEY_ECC_SECP256R1
@ SSL_KEY_ECC_SECP256R1
Defined in wolfssl/wolfcrypt/ecc.h.
Definition certgen.h:49
ALT_NAME_TYPE_IP
@ ALT_NAME_TYPE_IP
IP Address.
Definition certgen.h:69
ALT_NAME_TYPE_NONE
@ ALT_NAME_TYPE_NONE
None.
Definition certgen.h:67
ALT_NAME_TYPE_DNS
@ ALT_NAME_TYPE_DNS
DNS Name.
Definition certgen.h:68
CertGenData
Used to store the information that is passed in when enabling onboard generated certificates,...
Definition certgen.h:101
CertGenData::m_commonName
const char * m_commonName
Common Name.
Definition certgen.h:110
CertGenData::m_altNamesString
NBString m_altNamesString
Alternate names string.
Definition certgen.h:112
CertGenData::m_certExpTime
time_t m_certExpTime
Certificate expiration time.
Definition certgen.h:134
CertGenData::m_yrsValid
int m_yrsValid
Number of years.
Definition certgen.h:111