/**
* gnutls_x509_crq_sign2 - This function will sign a Certificate request with a key
* @crq: should contain a gnutls_x509_crq_t structure
* @key: holds a private key
* @dig: The message digest to use. GNUTLS_DIG_SHA1 is the safe choice unless you know what you're doing.
* @flags: must be 0
*
* This function will sign the certificate request with a private key.
* This must be the same key as the one used in gnutls_x509_crt_set_key() since a
* certificate request is self signed.
*
* This must be the last step in a certificate request generation since all
* the previously set parameters are now signed.
*
* Returns 0 on success.
*
**/
int
gnutls_x509_crq_sign2 (gnutls_x509_crq_t crq, gnutls_x509_privkey_t key,
gnutls_digest_algorithm_t dig, unsigned int flags)
{
int result;
gnutls_datum_t signature;
if (crq == NULL)
{
gnutls_assert ();
return GNUTLS_E_INVALID_REQUEST;
}
/* Step 1. Self sign the request.
*/
result =
_gnutls_x509_sign_tbs (crq->crq, "certificationRequestInfo",
dig, key, &signature);
if (result < 0)
{
gnutls_assert ();
return result;
}
/* Step 2. write the signature (bits)
*/
result =
asn1_write_value (crq->crq, "signature", signature.data,
signature.size * 8);
_gnutls_free_datum (&signature);
if (result != ASN1_SUCCESS)
{
gnutls_assert ();
return _gnutls_asn2err (result);
}
/* Step 3. Write the signatureAlgorithm field.
*/
result = _gnutls_x509_write_sig_params (crq->crq, "signatureAlgorithm",
key->pk_algorithm, dig, key->params,
key->params_size);
if (result < 0)
{
gnutls_assert ();
return result;
}
return 0;
}
/*-
* _gnutls_x509_pkix_sign - This function will sign a CRL or a certificate with a key
* @src: should contain an ASN1_TYPE
* @issuer: is the certificate of the certificate issuer
* @issuer_key: holds the issuer's private key
*
* This function will sign a CRL or a certificate with the issuer's private key, and
* will copy the issuer's information into the CRL or certificate.
*
* Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
* negative error value.
-*/
int
_gnutls_x509_pkix_sign (ASN1_TYPE src, const char *src_name,
gnutls_digest_algorithm_t dig,
gnutls_x509_crt_t issuer,
gnutls_x509_privkey_t issuer_key)
{
int result;
gnutls_datum_t signature;
char name[128];
/* Step 1. Copy the issuer's name into the certificate.
*/
_gnutls_str_cpy (name, sizeof (name), src_name);
_gnutls_str_cat (name, sizeof (name), ".issuer");
result = asn1_copy_node (src, name, issuer->cert, "tbsCertificate.subject");
if (result != ASN1_SUCCESS)
{
gnutls_assert ();
return _gnutls_asn2err (result);
}
/* Step 1.5. Write the signature stuff in the tbsCertificate.
*/
_gnutls_str_cpy (name, sizeof (name), src_name);
_gnutls_str_cat (name, sizeof (name), ".signature");
result = _gnutls_x509_write_sig_params (src, name,
issuer_key->pk_algorithm, dig,
issuer_key->params,
issuer_key->params_size);
if (result < 0)
{
gnutls_assert ();
return result;
}
/* Step 2. Sign the certificate.
*/
result = _gnutls_x509_sign_tbs (src, src_name, dig, issuer_key, &signature);
if (result < 0)
{
gnutls_assert ();
return result;
}
/* write the signature (bits)
*/
result =
asn1_write_value (src, "signature", signature.data, signature.size * 8);
_gnutls_free_datum (&signature);
if (result != ASN1_SUCCESS)
{
gnutls_assert ();
return _gnutls_asn2err (result);
}
/* Step 3. Move up and write the AlgorithmIdentifier, which is also
* the same.
*/
result = _gnutls_x509_write_sig_params (src, "signatureAlgorithm",
issuer_key->pk_algorithm, dig,
issuer_key->params,
issuer_key->params_size);
if (result < 0)
{
gnutls_assert ();
return result;
}
return 0;
}
