Ejemplo n.º 1
0
/**
 * gnutls_x509_crt_set_crq:
 * @crt: a certificate of type #gnutls_x509_crt_t
 * @crq: holds a certificate request
 *
 * This function will set the name and public parameters as well as
 * the extensions from the given certificate request to the certificate. 
 * Only RSA keys are currently supported.
 *
 * Note that this function will only set the @crq if it is self
 * signed and the signature is correct. See gnutls_x509_crq_sign2().
 *
 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
 *   negative error value.
 **/
int gnutls_x509_crt_set_crq(gnutls_x509_crt_t crt, gnutls_x509_crq_t crq)
{
	int result;

	if (crt == NULL || crq == NULL) {
		gnutls_assert();
		return GNUTLS_E_INVALID_REQUEST;
	}

	result = gnutls_x509_crq_verify(crq, 0);
	if (result < 0)
		return gnutls_assert_val(result);

	result = asn1_copy_node(crt->cert, "tbsCertificate.subject",
				crq->crq,
				"certificationRequestInfo.subject");
	if (result != ASN1_SUCCESS) {
		gnutls_assert();
		return _gnutls_asn2err(result);
	}

	result =
	    asn1_copy_node(crt->cert,
			   "tbsCertificate.subjectPublicKeyInfo", crq->crq,
			   "certificationRequestInfo.subjectPKInfo");
	if (result != ASN1_SUCCESS) {
		gnutls_assert();
		return _gnutls_asn2err(result);
	}

	return 0;
}
Ejemplo n.º 2
0
/**
 * gnutls_x509_crt_set_proxy_dn:
 * @crt: a gnutls_x509_crt_t structure with the new proxy cert
 * @eecrt: the end entity certificate that will be issuing the proxy
 * @raw_flag: must be 0, or 1 if the CN is DER encoded
 * @name: a pointer to the CN name, may be NULL (but MUST then be added later)
 * @sizeof_name: holds the size of @name
 *
 * This function will set the subject in @crt to the end entity's
 * @eecrt subject name, and add a single Common Name component @name
 * of size @sizeof_name.  This corresponds to the required proxy
 * certificate naming style.  Note that if @name is %NULL, you MUST
 * set it later by using gnutls_x509_crt_set_dn_by_oid() or similar.
 *
 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
 *   negative error value.
 **/
int
gnutls_x509_crt_set_proxy_dn(gnutls_x509_crt_t crt,
			     gnutls_x509_crt_t eecrt,
			     unsigned int raw_flag, const void *name,
			     unsigned int sizeof_name)
{
	int result;

	if (crt == NULL || eecrt == NULL) {
		return GNUTLS_E_INVALID_REQUEST;
	}

	result = asn1_copy_node(crt->cert, "tbsCertificate.subject",
				eecrt->cert, "tbsCertificate.subject");
	if (result != ASN1_SUCCESS) {
		gnutls_assert();
		return _gnutls_asn2err(result);
	}

	if (name && sizeof_name) {
		return _gnutls_x509_set_dn_oid(crt->cert,
					       "tbsCertificate.subject",
					       GNUTLS_OID_X520_COMMON_NAME,
					       raw_flag, name,
					       sizeof_name);
	}

	return 0;
}
Ejemplo n.º 3
0
/*-
 * _gnutls_x509_pkix_sign - This function will sign a CRL or a certificate with a key
 * @src: should contain an ASN1_TYPE
 * @issuer: is the certificate of the certificate issuer
 * @issuer_key: holds the issuer's private key
 *
 * This function will sign a CRL or a certificate with the issuer's private key, and
 * will copy the issuer's information into the CRL or certificate.
 *
 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
 *   negative error value.
 -*/
int
_gnutls_x509_pkix_sign (ASN1_TYPE src, const char *src_name,
			gnutls_digest_algorithm_t dig,
			gnutls_x509_crt_t issuer,
			gnutls_x509_privkey_t issuer_key)
{
  int result;
  gnutls_datum_t signature;
  char name[128];

  /* Step 1. Copy the issuer's name into the certificate.
   */
  _gnutls_str_cpy (name, sizeof (name), src_name);
  _gnutls_str_cat (name, sizeof (name), ".issuer");

  result = asn1_copy_node (src, name, issuer->cert, "tbsCertificate.subject");
  if (result != ASN1_SUCCESS)
    {
      gnutls_assert ();
      return _gnutls_asn2err (result);
    }

  /* Step 1.5. Write the signature stuff in the tbsCertificate.
   */
  _gnutls_str_cpy (name, sizeof (name), src_name);
  _gnutls_str_cat (name, sizeof (name), ".signature");

  result = _gnutls_x509_write_sig_params (src, name,
					  issuer_key->pk_algorithm, dig,
					  issuer_key->params,
					  issuer_key->params_size);
  if (result < 0)
    {
      gnutls_assert ();
      return result;
    }

  /* Step 2. Sign the certificate.
   */
  result = _gnutls_x509_sign_tbs (src, src_name, dig, issuer_key, &signature);

  if (result < 0)
    {
      gnutls_assert ();
      return result;
    }

  /* write the signature (bits)
   */
  result =
    asn1_write_value (src, "signature", signature.data, signature.size * 8);

  _gnutls_free_datum (&signature);

  if (result != ASN1_SUCCESS)
    {
      gnutls_assert ();
      return _gnutls_asn2err (result);
    }

  /* Step 3. Move up and write the AlgorithmIdentifier, which is also
   * the same. 
   */

  result = _gnutls_x509_write_sig_params (src, "signatureAlgorithm",
					  issuer_key->pk_algorithm, dig,
					  issuer_key->params,
					  issuer_key->params_size);
  if (result < 0)
    {
      gnutls_assert ();
      return result;
    }

  return 0;
}
Ejemplo n.º 4
0
int
main (int argc, char *argv[])
{
  int result;
  char buffer[5 * 1024];
  char buffer2[5 * 1024];
  asn1_node definitions = NULL;
  asn1_node asn1_element = NULL, cpy_node = NULL;
  char errorDescription[ASN1_MAX_ERROR_DESCRIPTION_SIZE];
  FILE *out, *fd;
  int start, end;
  ssize_t size;
  int size2;
  const char *treefile = getenv ("ASN1PKIX");
  const char *derfile = getenv ("ASN1CRLDER");
  int verbose = 0;

  if (argc > 1)
    verbose = 1;

  if (!treefile)
    treefile = "pkix.asn";

  if (!derfile)
    derfile = "crl.der";

  if (verbose)
    {
      printf ("\n\n/****************************************/\n");
      printf ("/*     Test sequence : Test_indefinite  */\n");
      printf ("/****************************************/\n\n");
      printf ("ASN1TREE: %s\n", treefile);
    }

  /* Check version */
  if (asn1_check_version ("0.3.3") == NULL)
    printf ("\nLibrary version check ERROR:\n actual version: %s\n\n",
	    asn1_check_version (NULL));

  result = asn1_parser2tree (treefile, &definitions, errorDescription);
  if (result != ASN1_SUCCESS)
    {
      asn1_perror (result);
      printf ("ErrorDescription = %s\n\n", errorDescription);
      exit (1);
    }

  out = stdout;

  fd = fopen (derfile, "rb");
  if (fd == NULL)
    {
      printf ("Cannot read file %s\n", derfile);
      exit (1);
    }
  size = fread (buffer, 1, sizeof (buffer), fd);
  if (size <= 0)
    {
      printf ("Cannot read from file %s\n", derfile);
      exit (1);
    }

  fclose (fd);

  result =
    asn1_create_element (definitions, "PKIX1.CertificateList", &asn1_element);
  if (result != ASN1_SUCCESS)
    {
      asn1_perror (result);
      printf ("Cannot create CRL element\n");
      exit (1);
    }

  result = asn1_der_decoding (&asn1_element, buffer, size, errorDescription);
  if (result != ASN1_SUCCESS)
    {
      asn1_perror (result);
      printf ("Cannot decode DER data (size %ld)\n", (long) size);
      exit (1);
    }

  /* test asn1_copy_node */
  result =
    asn1_create_element (definitions, "PKIX1.CertificateList", &cpy_node);
  if (result != ASN1_SUCCESS)
    {
      asn1_perror (result);
      printf ("Cannot create CRL element\n");
      exit (1);
    }

  result = asn1_copy_node(cpy_node, "", asn1_element, "");
  if (result != ASN1_SUCCESS)
    {
      asn1_perror (result);
      printf ("Cannot copy node\n");
      exit (1);
    }

  /* test whether the copied node encodes the same */
  size2 = sizeof(buffer2);
  result = asn1_der_coding (cpy_node, "", buffer2, &size2, NULL);
  if (result != ASN1_SUCCESS)
    {
      asn1_perror (result);
      printf ("Cannot encode data (size %ld)\n", (long) size);
      exit (1);
    }
 
  if (size2 != size || memcmp(buffer, buffer2, size) != 0) 
    {
      printf("DER encoded data differ!\n");
      exit(1);
    }

  asn1_delete_structure (&cpy_node);

  /* Test asn1_dup_node */
  cpy_node = asn1_dup_node(asn1_element, "");
  if (cpy_node == NULL)
    {
      printf ("Cannot copy node (dup_node)\n");
      exit (1);
    }

  /* test whether the copied node encodes the same */
  size2 = sizeof(buffer2);
  result = asn1_der_coding (cpy_node, "", buffer2, &size2, NULL);
  if (result != ASN1_SUCCESS)
    {
      asn1_perror (result);
      printf ("Cannot encode data (size %ld)\n", (long) size);
      exit (1);
    }
 
  if (size2 != size || memcmp(buffer, buffer2, size) != 0) 
    {
      printf("DER encoded data differ!\n");
      exit(1);
    }

  result = asn1_der_decoding_startEnd (asn1_element, buffer, size, "tbsCertList.issuer", &start, &end);
  if (result != ASN1_SUCCESS)
    {
      asn1_perror (result);
      printf ("Cannot find start End\n");
      exit (1);
    }
  if (start != 24 && end != 291)
    {
      printf("Error in start and end values for issuer. Have: %d..%d\n", start, end);
      exit(1);
    }

  result = asn1_der_decoding_startEnd (asn1_element, buffer, size, "signature", &start, &end);
  if (result != ASN1_SUCCESS)
    {
      asn1_perror (result);
      printf ("Cannot find start End\n");
      exit (1);
    }
  if (start != 372 && end != 503)
    {
      printf("Error in start and end values for signature. Have: %d..%d\n", start, end);
      exit(1);
    }

  /* Clear the definition structures */
  asn1_delete_structure (&asn1_element);
  asn1_delete_structure (&cpy_node);
  asn1_delete_structure (&definitions);

  if (out != stdout)
    fclose (out);

  exit (0);
}