static void
inf_test_certificate_request_notify_status_cb(GObject* object,
                                              GParamSpec* pspec,
                                              gpointer user_data)
{
  InfTestCertificateRequest* test;
  InfBrowserStatus status;
  gnutls_x509_crq_t crq;
  InfRequest* request;
  GError* error;
  int res;

  test = (InfTestCertificateRequest*)user_data;
  g_object_get(G_OBJECT(test->browser), "status", &status, NULL);

  if(status == INF_BROWSER_OPEN)
  {
    fprintf(stderr, "Connection established, creating key... (4096 bit)\n");

    /* TODO: Some error checking here */
    gnutls_x509_privkey_init(&test->key);
    gnutls_x509_privkey_generate(test->key, GNUTLS_PK_RSA, 4096, 0);

    fprintf(stderr, "Done, sending the certificate request\n");

    gnutls_x509_crq_init(&crq);

    gnutls_x509_crq_set_key(crq, test->key);
    gnutls_x509_crq_set_key_usage(crq, GNUTLS_KEY_DIGITAL_SIGNATURE);
    gnutls_x509_crq_set_version(crq, 3);

    gnutls_x509_crq_set_dn_by_oid(
      crq,
      GNUTLS_OID_X520_COMMON_NAME,
      0,
      "Armin Burgmeier",
      strlen("Armin Burgmeier")
    );

    /* TODO: gnutls_x509_crq_sign2 is deprecated in favour of
     * gnutls_x509_crq_privkey_sign, but the latter returns the error code
     * GNUTLS_E_UNIMPLEMENTED_FEATURE, so we keep using the deprecated
     * version here. */
    /*gnutls_x509_crq_privkey_sign(crq, key, GNUTLS_DIG_SHA1, 0);*/
    gnutls_x509_crq_sign2(crq, test->key, GNUTLS_DIG_SHA1, 0);

    error = NULL;
    request = inf_browser_create_acl_account(
      INF_BROWSER(object),
      crq,
      inf_test_certificate_request_finished_cb,
      test
    );

    gnutls_x509_crq_deinit(crq);
  }

  if(status == INF_BROWSER_CLOSED)
  {
    if(inf_standalone_io_loop_running(test->io))
      inf_standalone_io_loop_quit(test->io);
  }
}
Ejemplo n.º 2
0
int
main (void)
{
  gnutls_x509_crq_t crq;
  gnutls_x509_privkey_t key;
  unsigned char buffer[10 * 1024];
  size_t buffer_size = sizeof (buffer);
  unsigned int bits;

  gnutls_global_init ();

  /* Initialize an empty certificate request, and
   * an empty private key.
   */
  gnutls_x509_crq_init (&crq);

  gnutls_x509_privkey_init (&key);

  /* Generate an RSA key of moderate security.
   */
  bits = gnutls_sec_param_to_pk_bits (GNUTLS_PK_RSA, GNUTLS_SEC_PARAM_NORMAL);
  gnutls_x509_privkey_generate (key, GNUTLS_PK_RSA, bits, 0);

  /* Add stuff to the distinguished name
   */
  gnutls_x509_crq_set_dn_by_oid (crq, GNUTLS_OID_X520_COUNTRY_NAME,
                                 0, "GR", 2);

  gnutls_x509_crq_set_dn_by_oid (crq, GNUTLS_OID_X520_COMMON_NAME,
                                 0, "Nikos", strlen ("Nikos"));

  /* Set the request version.
   */
  gnutls_x509_crq_set_version (crq, 1);

  /* Set a challenge password.
   */
  gnutls_x509_crq_set_challenge_password (crq, "something to remember here");

  /* Associate the request with the private key
   */
  gnutls_x509_crq_set_key (crq, key);

  /* Self sign the certificate request.
   */
  gnutls_x509_crq_sign2 (crq, key, GNUTLS_DIG_SHA1, 0);

  /* Export the PEM encoded certificate request, and
   * display it.
   */
  gnutls_x509_crq_export (crq, GNUTLS_X509_FMT_PEM, buffer, &buffer_size);

  printf ("Certificate Request: \n%s", buffer);


  /* Export the PEM encoded private key, and
   * display it.
   */
  buffer_size = sizeof (buffer);
  gnutls_x509_privkey_export (key, GNUTLS_X509_FMT_PEM, buffer, &buffer_size);

  printf ("\n\nPrivate key: \n%s", buffer);

  gnutls_x509_crq_deinit (crq);
  gnutls_x509_privkey_deinit (key);

  return 0;

}
Ejemplo n.º 3
0
static gnutls_x509_crq_t generate_crq(void)
{
	gnutls_x509_crq_t crq;
	gnutls_x509_privkey_t pkey;
	const char *err;
	int ret;
	size_t s = 0;
	char smallbuf[10];
	gnutls_datum_t out;
	unsigned crit;

	ret = gnutls_x509_privkey_init(&pkey);
	if (ret != 0)
		fail("gnutls_x509_privkey_init\n");

	ret = gnutls_x509_privkey_import(pkey, &key, GNUTLS_X509_FMT_PEM);
	if (ret != 0)
		fail("gnutls_x509_privkey_import\n");

	ret = gnutls_x509_crq_init(&crq);
	if (ret != 0)
		fail("gnutls_x509_crq_init\n");

	ret = gnutls_x509_crq_set_version(crq, 0);
	if (ret != 0)
		fail("gnutls_x509_crq_set_version\n");

	ret = gnutls_x509_crq_set_key(crq, pkey);
	if (ret != 0)
		fail("gnutls_x509_crq_set_key\n");

	s = 0;
	ret = gnutls_x509_crq_get_extension_info(crq, 0, NULL, &s, NULL);
	if (ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
		fail("gnutls_x509_crq_get_extension_info\n");

	ret = gnutls_x509_crq_set_basic_constraints(crq, 0, 0);
	if (ret != 0)
		fail("gnutls_x509_crq_set_basic_constraints %d\n", ret);

	ret = gnutls_x509_crq_set_key_usage(crq, 0);
	if (ret != 0)
		fail("gnutls_x509_crq_set_key_usage %d\n", ret);

	ret = gnutls_x509_crq_get_challenge_password(crq, NULL, &s);
	if (ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
		fail("%d: gnutls_x509_crq_get_challenge_password %d: %s\n",
		     __LINE__, ret, gnutls_strerror(ret));

	ret = gnutls_x509_crq_set_dn(crq, "o = none to\\, mention,cn = nikos", &err);
	if (ret < 0) {
		fail("gnutls_x509_crq_set_dn: %s, %s\n", gnutls_strerror(ret), err);
	}

	ret = gnutls_x509_crq_set_challenge_password(crq, "foo");
	if (ret != 0)
		fail("gnutls_x509_crq_set_challenge_password %d\n", ret);

	s = 0;
	ret = gnutls_x509_crq_get_challenge_password(crq, NULL, &s);
	if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER || s != 4)
		fail("%d: gnutls_x509_crq_get_challenge_password %d: %s (passlen: %d)\n", __LINE__, ret, gnutls_strerror(ret), (int) s);

	s = 10;
	ret = gnutls_x509_crq_get_challenge_password(crq, smallbuf, &s);
	if (ret != 0 || s != 3 || strcmp(smallbuf, "foo") != 0)
		fail("%d: gnutls_x509_crq_get_challenge_password3 %d/%d/%s\n", __LINE__, ret, (int) s, smallbuf);

	s = 0;
	ret = gnutls_x509_crq_get_extension_info(crq, 0, NULL, &s, NULL);
	if (ret != 0)
		fail("gnutls_x509_crq_get_extension_info2\n");

	s = 0;
	ret = gnutls_x509_crq_get_extension_data(crq, 0, NULL, &s);
	if (ret != 0)
		fail("gnutls_x509_crq_get_extension_data\n");

	ret = gnutls_x509_crq_set_subject_alt_name(crq, GNUTLS_SAN_DNSNAME,
						   "foo", 3, 1);
	if (ret != 0)
		fail("gnutls_x509_crq_set_subject_alt_name\n");

	ret = gnutls_x509_crq_set_subject_alt_name(crq, GNUTLS_SAN_DNSNAME,
						   "bar", 3, 1);
	if (ret != 0)
		fail("gnutls_x509_crq_set_subject_alt_name\n");

	ret = gnutls_x509_crq_set_subject_alt_name(crq, GNUTLS_SAN_DNSNAME,
						   "apa", 3, 0);
	if (ret != 0)
		fail("gnutls_x509_crq_set_subject_alt_name\n");

	ret = gnutls_x509_crq_set_subject_alt_name(crq, GNUTLS_SAN_DNSNAME,
						   "foo", 3, 1);
	if (ret != 0)
		fail("gnutls_x509_crq_set_subject_alt_name\n");

	ret = gnutls_x509_crq_set_subject_alt_name(crq, GNUTLS_SAN_DNSNAME,
						   "νίκο.com", strlen("νίκο.com"), GNUTLS_FSAN_APPEND);
	if (ret != 0)
		fail("gnutls_x509_crq_set_subject_alt_name\n");

	s = 0;
	ret = gnutls_x509_crq_get_key_purpose_oid(crq, 0, NULL, &s, NULL);
	if (ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
		fail("gnutls_x509_crq_get_key_purpose_oid %d\n", ret);

	s = 0;
	ret =
	    gnutls_x509_crq_set_key_purpose_oid(crq,
						GNUTLS_KP_TLS_WWW_SERVER,
						0);
	if (ret != 0)
		fail("gnutls_x509_crq_set_key_purpose_oid %d\n", ret);

	s = 0;
	ret = gnutls_x509_crq_get_key_purpose_oid(crq, 0, NULL, &s, NULL);
	if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER)
		fail("gnutls_x509_crq_get_key_purpose_oid %d\n", ret);

	s = 0;
	ret =
	    gnutls_x509_crq_set_key_purpose_oid(crq,
						GNUTLS_KP_TLS_WWW_CLIENT,
						1);
	if (ret != 0)
		fail("gnutls_x509_crq_set_key_purpose_oid2 %d\n", ret);

#define EXT_ID1 "1.2.3.4.5"
#define EXT_ID2 "1.5.3.555555991.5"
#define EXT_DATA1 "\xCA\xFE\xFF"
#define EXT_DATA2 "\xCA\xFE\xFF\xFA\xFE"
	/* test writing arbitrary extensions */
	ret = gnutls_x509_crq_set_extension_by_oid(crq, EXT_ID1, EXT_DATA1, sizeof(EXT_DATA1)-1, 0);
	if (ret != 0)
		fail("gnutls_x509_crq_set_extension_by_oid %s\n", gnutls_strerror(ret));

	ret = gnutls_x509_crq_set_extension_by_oid(crq, EXT_ID2, EXT_DATA2, sizeof(EXT_DATA2)-1, 1);
	if (ret != 0)
		fail("gnutls_x509_crq_set_extension_by_oid %s\n", gnutls_strerror(ret));

	ret = gnutls_x509_crq_print(crq, GNUTLS_CRT_PRINT_FULL, &out);
	if (ret != 0)
		fail("gnutls_x509_crq_print\n");
	if (debug)
		printf("crq: %.*s\n", out.size, out.data);
	gnutls_free(out.data);

	ret = gnutls_x509_crq_sign2(crq, pkey, GNUTLS_DIG_SHA256, 0);
	if (ret < 0)
		fail("gnutls_x509_crq_sign2: %s\n", gnutls_strerror(ret));

	gnutls_x509_privkey_deinit(pkey);

	/* test reading the arb. extensions */
	crit = -1;
	ret = gnutls_x509_crq_get_extension_by_oid2(crq, EXT_ID1, 0, &out, &crit);
	if (ret < 0)
		fail("gnutls_x509_crq_get_extension_by_oid2: %s\n", gnutls_strerror(ret));

	if (out.size != sizeof(EXT_DATA1)-1 || memcmp(out.data, EXT_DATA1, out.size) != 0) {
		fail("ext1 doesn't match\n");
	}
	if (crit != 0) {
		fail("ext1 crit flag doesn't match\n");
	}
	gnutls_free(out.data);

	crit = -1;
	ret = gnutls_x509_crq_get_extension_by_oid2(crq, EXT_ID2, 0, &out, &crit);
	if (ret < 0)
		fail("gnutls_x509_crq_get_extension_by_oid2: %s\n", gnutls_strerror(ret));

	if (out.size != sizeof(EXT_DATA2)-1 || memcmp(out.data, EXT_DATA2, out.size) != 0) {
		fail("ext2 doesn't match\n");
	}
	if (crit != 1) {
		fail("ext2 crit flag doesn't match\n");
	}

	gnutls_free(out.data);

	return crq;
}
Ejemplo n.º 4
0
/**
  * gnutls_x509_crq_sign - This function will sign a Certificate request with a key
  * @crq: should contain a gnutls_x509_crq_t structure
  * @key: holds a private key
  *
  * This function is the same a gnutls_x509_crq_sign2() with no flags, and
  * SHA1 as the hash algorithm.
  *
  * Returns 0 on success.
  *
  **/
int
gnutls_x509_crq_sign (gnutls_x509_crq_t crq, gnutls_x509_privkey_t key)
{
    return gnutls_x509_crq_sign2 (crq, key, GNUTLS_DIG_SHA1, 0);
}