static void
inf_test_certificate_request_notify_status_cb(GObject* object,
GParamSpec* pspec,
gpointer user_data)
{
InfTestCertificateRequest* test;
InfBrowserStatus status;
gnutls_x509_crq_t crq;
InfRequest* request;
GError* error;
int res;
test = (InfTestCertificateRequest*)user_data;
g_object_get(G_OBJECT(test->browser), "status", &status, NULL);
if(status == INF_BROWSER_OPEN)
{
fprintf(stderr, "Connection established, creating key... (4096 bit)\n");
/* TODO: Some error checking here */
gnutls_x509_privkey_init(&test->key);
gnutls_x509_privkey_generate(test->key, GNUTLS_PK_RSA, 4096, 0);
fprintf(stderr, "Done, sending the certificate request\n");
gnutls_x509_crq_init(&crq);
gnutls_x509_crq_set_key(crq, test->key);
gnutls_x509_crq_set_key_usage(crq, GNUTLS_KEY_DIGITAL_SIGNATURE);
gnutls_x509_crq_set_version(crq, 3);
gnutls_x509_crq_set_dn_by_oid(
crq,
GNUTLS_OID_X520_COMMON_NAME,
0,
"Armin Burgmeier",
strlen("Armin Burgmeier")
);
/* TODO: gnutls_x509_crq_sign2 is deprecated in favour of
* gnutls_x509_crq_privkey_sign, but the latter returns the error code
* GNUTLS_E_UNIMPLEMENTED_FEATURE, so we keep using the deprecated
* version here. */
/*gnutls_x509_crq_privkey_sign(crq, key, GNUTLS_DIG_SHA1, 0);*/
gnutls_x509_crq_sign2(crq, test->key, GNUTLS_DIG_SHA1, 0);
error = NULL;
request = inf_browser_create_acl_account(
INF_BROWSER(object),
crq,
inf_test_certificate_request_finished_cb,
test
);
gnutls_x509_crq_deinit(crq);
}
if(status == INF_BROWSER_CLOSED)
{
if(inf_standalone_io_loop_running(test->io))
inf_standalone_io_loop_quit(test->io);
}
}
int
main (void)
{
gnutls_x509_crq_t crq;
gnutls_x509_privkey_t key;
unsigned char buffer[10 * 1024];
size_t buffer_size = sizeof (buffer);
unsigned int bits;
gnutls_global_init ();
/* Initialize an empty certificate request, and
* an empty private key.
*/
gnutls_x509_crq_init (&crq);
gnutls_x509_privkey_init (&key);
/* Generate an RSA key of moderate security.
*/
bits = gnutls_sec_param_to_pk_bits (GNUTLS_PK_RSA, GNUTLS_SEC_PARAM_NORMAL);
gnutls_x509_privkey_generate (key, GNUTLS_PK_RSA, bits, 0);
/* Add stuff to the distinguished name
*/
gnutls_x509_crq_set_dn_by_oid (crq, GNUTLS_OID_X520_COUNTRY_NAME,
0, "GR", 2);
gnutls_x509_crq_set_dn_by_oid (crq, GNUTLS_OID_X520_COMMON_NAME,
0, "Nikos", strlen ("Nikos"));
/* Set the request version.
*/
gnutls_x509_crq_set_version (crq, 1);
/* Set a challenge password.
*/
gnutls_x509_crq_set_challenge_password (crq, "something to remember here");
/* Associate the request with the private key
*/
gnutls_x509_crq_set_key (crq, key);
/* Self sign the certificate request.
*/
gnutls_x509_crq_sign2 (crq, key, GNUTLS_DIG_SHA1, 0);
/* Export the PEM encoded certificate request, and
* display it.
*/
gnutls_x509_crq_export (crq, GNUTLS_X509_FMT_PEM, buffer, &buffer_size);
printf ("Certificate Request: \n%s", buffer);
/* Export the PEM encoded private key, and
* display it.
*/
buffer_size = sizeof (buffer);
gnutls_x509_privkey_export (key, GNUTLS_X509_FMT_PEM, buffer, &buffer_size);
printf ("\n\nPrivate key: \n%s", buffer);
gnutls_x509_crq_deinit (crq);
gnutls_x509_privkey_deinit (key);
return 0;
}
static gnutls_x509_crq_t generate_crq(void)
{
gnutls_x509_crq_t crq;
gnutls_x509_privkey_t pkey;
const char *err;
int ret;
size_t s = 0;
char smallbuf[10];
gnutls_datum_t out;
unsigned crit;
ret = gnutls_x509_privkey_init(&pkey);
if (ret != 0)
fail("gnutls_x509_privkey_init\n");
ret = gnutls_x509_privkey_import(pkey, &key, GNUTLS_X509_FMT_PEM);
if (ret != 0)
fail("gnutls_x509_privkey_import\n");
ret = gnutls_x509_crq_init(&crq);
if (ret != 0)
fail("gnutls_x509_crq_init\n");
ret = gnutls_x509_crq_set_version(crq, 0);
if (ret != 0)
fail("gnutls_x509_crq_set_version\n");
ret = gnutls_x509_crq_set_key(crq, pkey);
if (ret != 0)
fail("gnutls_x509_crq_set_key\n");
s = 0;
ret = gnutls_x509_crq_get_extension_info(crq, 0, NULL, &s, NULL);
if (ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
fail("gnutls_x509_crq_get_extension_info\n");
ret = gnutls_x509_crq_set_basic_constraints(crq, 0, 0);
if (ret != 0)
fail("gnutls_x509_crq_set_basic_constraints %d\n", ret);
ret = gnutls_x509_crq_set_key_usage(crq, 0);
if (ret != 0)
fail("gnutls_x509_crq_set_key_usage %d\n", ret);
ret = gnutls_x509_crq_get_challenge_password(crq, NULL, &s);
if (ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
fail("%d: gnutls_x509_crq_get_challenge_password %d: %s\n",
__LINE__, ret, gnutls_strerror(ret));
ret = gnutls_x509_crq_set_dn(crq, "o = none to\\, mention,cn = nikos", &err);
if (ret < 0) {
fail("gnutls_x509_crq_set_dn: %s, %s\n", gnutls_strerror(ret), err);
}
ret = gnutls_x509_crq_set_challenge_password(crq, "foo");
if (ret != 0)
fail("gnutls_x509_crq_set_challenge_password %d\n", ret);
s = 0;
ret = gnutls_x509_crq_get_challenge_password(crq, NULL, &s);
if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER || s != 4)
fail("%d: gnutls_x509_crq_get_challenge_password %d: %s (passlen: %d)\n", __LINE__, ret, gnutls_strerror(ret), (int) s);
s = 10;
ret = gnutls_x509_crq_get_challenge_password(crq, smallbuf, &s);
if (ret != 0 || s != 3 || strcmp(smallbuf, "foo") != 0)
fail("%d: gnutls_x509_crq_get_challenge_password3 %d/%d/%s\n", __LINE__, ret, (int) s, smallbuf);
s = 0;
ret = gnutls_x509_crq_get_extension_info(crq, 0, NULL, &s, NULL);
if (ret != 0)
fail("gnutls_x509_crq_get_extension_info2\n");
s = 0;
ret = gnutls_x509_crq_get_extension_data(crq, 0, NULL, &s);
if (ret != 0)
fail("gnutls_x509_crq_get_extension_data\n");
ret = gnutls_x509_crq_set_subject_alt_name(crq, GNUTLS_SAN_DNSNAME,
"foo", 3, 1);
if (ret != 0)
fail("gnutls_x509_crq_set_subject_alt_name\n");
ret = gnutls_x509_crq_set_subject_alt_name(crq, GNUTLS_SAN_DNSNAME,
"bar", 3, 1);
if (ret != 0)
fail("gnutls_x509_crq_set_subject_alt_name\n");
ret = gnutls_x509_crq_set_subject_alt_name(crq, GNUTLS_SAN_DNSNAME,
"apa", 3, 0);
if (ret != 0)
fail("gnutls_x509_crq_set_subject_alt_name\n");
ret = gnutls_x509_crq_set_subject_alt_name(crq, GNUTLS_SAN_DNSNAME,
"foo", 3, 1);
if (ret != 0)
fail("gnutls_x509_crq_set_subject_alt_name\n");
ret = gnutls_x509_crq_set_subject_alt_name(crq, GNUTLS_SAN_DNSNAME,
"νίκο.com", strlen("νίκο.com"), GNUTLS_FSAN_APPEND);
if (ret != 0)
fail("gnutls_x509_crq_set_subject_alt_name\n");
s = 0;
ret = gnutls_x509_crq_get_key_purpose_oid(crq, 0, NULL, &s, NULL);
if (ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
fail("gnutls_x509_crq_get_key_purpose_oid %d\n", ret);
s = 0;
ret =
gnutls_x509_crq_set_key_purpose_oid(crq,
GNUTLS_KP_TLS_WWW_SERVER,
0);
if (ret != 0)
fail("gnutls_x509_crq_set_key_purpose_oid %d\n", ret);
s = 0;
ret = gnutls_x509_crq_get_key_purpose_oid(crq, 0, NULL, &s, NULL);
if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER)
fail("gnutls_x509_crq_get_key_purpose_oid %d\n", ret);
s = 0;
ret =
gnutls_x509_crq_set_key_purpose_oid(crq,
GNUTLS_KP_TLS_WWW_CLIENT,
1);
if (ret != 0)
fail("gnutls_x509_crq_set_key_purpose_oid2 %d\n", ret);
#define EXT_ID1 "1.2.3.4.5"
#define EXT_ID2 "1.5.3.555555991.5"
#define EXT_DATA1 "\xCA\xFE\xFF"
#define EXT_DATA2 "\xCA\xFE\xFF\xFA\xFE"
/* test writing arbitrary extensions */
ret = gnutls_x509_crq_set_extension_by_oid(crq, EXT_ID1, EXT_DATA1, sizeof(EXT_DATA1)-1, 0);
if (ret != 0)
fail("gnutls_x509_crq_set_extension_by_oid %s\n", gnutls_strerror(ret));
ret = gnutls_x509_crq_set_extension_by_oid(crq, EXT_ID2, EXT_DATA2, sizeof(EXT_DATA2)-1, 1);
if (ret != 0)
fail("gnutls_x509_crq_set_extension_by_oid %s\n", gnutls_strerror(ret));
ret = gnutls_x509_crq_print(crq, GNUTLS_CRT_PRINT_FULL, &out);
if (ret != 0)
fail("gnutls_x509_crq_print\n");
if (debug)
printf("crq: %.*s\n", out.size, out.data);
gnutls_free(out.data);
ret = gnutls_x509_crq_sign2(crq, pkey, GNUTLS_DIG_SHA256, 0);
if (ret < 0)
fail("gnutls_x509_crq_sign2: %s\n", gnutls_strerror(ret));
gnutls_x509_privkey_deinit(pkey);
/* test reading the arb. extensions */
crit = -1;
ret = gnutls_x509_crq_get_extension_by_oid2(crq, EXT_ID1, 0, &out, &crit);
if (ret < 0)
fail("gnutls_x509_crq_get_extension_by_oid2: %s\n", gnutls_strerror(ret));
if (out.size != sizeof(EXT_DATA1)-1 || memcmp(out.data, EXT_DATA1, out.size) != 0) {
fail("ext1 doesn't match\n");
}
if (crit != 0) {
fail("ext1 crit flag doesn't match\n");
}
gnutls_free(out.data);
crit = -1;
ret = gnutls_x509_crq_get_extension_by_oid2(crq, EXT_ID2, 0, &out, &crit);
if (ret < 0)
fail("gnutls_x509_crq_get_extension_by_oid2: %s\n", gnutls_strerror(ret));
if (out.size != sizeof(EXT_DATA2)-1 || memcmp(out.data, EXT_DATA2, out.size) != 0) {
fail("ext2 doesn't match\n");
}
if (crit != 1) {
fail("ext2 crit flag doesn't match\n");
}
gnutls_free(out.data);
return crq;
}
/**
* gnutls_x509_crq_sign - This function will sign a Certificate request with a key
* @crq: should contain a gnutls_x509_crq_t structure
* @key: holds a private key
*
* This function is the same a gnutls_x509_crq_sign2() with no flags, and
* SHA1 as the hash algorithm.
*
* Returns 0 on success.
*
**/
int
gnutls_x509_crq_sign (gnutls_x509_crq_t crq, gnutls_x509_privkey_t key)
{
return gnutls_x509_crq_sign2 (crq, key, GNUTLS_DIG_SHA1, 0);
}