static gnutls_x509_crt generate_signed_certificate(requiem_client_profile_t *cp,
uint64_t analyzerid,
gnutls_x509_crt ca_crt,
gnutls_x509_privkey ca_key,
gnutls_x509_crq crq)
{
int ret;
gnutls_x509_crt crt;
unsigned char buf[65535];
size_t size = sizeof(buf);
crt = generate_certificate(cp, NULL, generated_certificate_lifetime);
if ( ! crt )
return NULL;
ret = gnutls_x509_crt_set_crq(crt, crq);
if ( ret < 0 ) {
fprintf(stderr, "error associating certificate with CRQ: %s.\n", gnutls_strerror(ret));
goto err;
}
ret = gnutls_x509_crt_set_serial(crt, &analyzerid, sizeof(analyzerid));
if ( ret < 0 ) {
fprintf(stderr, "error setting certificate serial: %s.\n", gnutls_strerror(ret));
goto err;
}
ret = gnutls_x509_crt_get_key_id(ca_crt, 0, buf, &size);
if ( ret < 0 ) {
fprintf(stderr, "error getting CA key ID: %s.\n", gnutls_strerror(ret));
goto err;
}
ret = gnutls_x509_crt_set_authority_key_id(crt, buf, size);
if ( ret < 0 ) {
fprintf(stderr, "error setting authority key ID: %s?\n", gnutls_strerror(ret));
goto err;
}
ret = gnutls_x509_crt_sign(crt, ca_crt, ca_key);
if ( ret < 0 ) {
fprintf(stderr, "error signing certificate: %s.\n", gnutls_strerror(ret));
goto err;
}
return crt;
err:
gnutls_x509_crt_deinit(crt);
return NULL;
}
static void run_set_extensions(gnutls_x509_crq_t crq)
{
gnutls_x509_crt_t crt;
const char *err = NULL;
gnutls_datum_t out;
int ret;
ret = global_init();
if (ret < 0)
fail("global_init\n");
gnutls_global_set_log_function(tls_log_func);
if (debug)
gnutls_global_set_log_level(4711);
ret = gnutls_x509_crt_init(&crt);
if (ret != 0)
fail("gnutls_x509_crt_init\n");
ret = gnutls_x509_crt_set_crq(crt, crq);
if (ret != 0)
fail("gnutls_x509_crt_set_crq: %s\n", gnutls_strerror(ret));
ret = gnutls_x509_crt_set_issuer_dn(crt, "o = big\\, and one, cn = my CA", &err);
if (ret < 0) {
fail("gnutls_x509_crt_set_issuer_dn: %s, %s\n", gnutls_strerror(ret), err);
}
ret = gnutls_x509_crt_set_version(crt, 3);
if (ret != 0)
fail("gnutls_x509_crt_set_version\n");
ret = gnutls_x509_crt_set_crq_extensions(crt, crq);
if (ret != 0)
fail("gnutls_x509_crt_set_crq_extensions\n");
ret = gnutls_x509_crt_print(crt, GNUTLS_CRT_PRINT_FULL, &out);
if (ret != 0)
fail("gnutls_x509_crt_print\n");
if (debug)
printf("crt: %.*s\n", out.size, out.data);
gnutls_free(out.data);
ret = gnutls_x509_crt_get_raw_issuer_dn(crt, &out);
if (ret < 0 || out.size == 0)
fail("gnutls_x509_crt_get_raw_issuer_dn: %s\n", gnutls_strerror(ret));
if (out.size != 41 ||
memcmp(out.data, "\x30\x27\x31\x0e\x30\x0c\x06\x03\x55\x04\x03\x13\x05\x6d\x79\x20\x43\x41\x31\x15\x30\x13\x06\x03\x55\x04\x0a\x13\x0c\x62\x69\x67\x2c\x20\x61\x6e\x64\x20\x6f\x6e\x65", 41) != 0) {
hexprint(out.data, out.size);
fail("issuer DN comparison failed\n");
}
gnutls_free(out.data);
ret = gnutls_x509_crt_get_raw_dn(crt, &out);
if (ret < 0 || out.size == 0)
fail("gnutls_x509_crt_get_raw_dn: %s\n", gnutls_strerror(ret));
if (out.size != 45 ||
memcmp(out.data, "\x30\x2b\x31\x0e\x30\x0c\x06\x03\x55\x04\x03\x13\x05\x6e\x69\x6b\x6f\x73\x31\x19\x30\x17\x06\x03\x55\x04\x0a\x13\x10\x6e\x6f\x6e\x65\x20\x74\x6f\x2c\x20\x6d\x65\x6e\x74\x69\x6f\x6e", 45) != 0) {
fail("DN comparison failed\n");
}
gnutls_free(out.data);
gnutls_x509_crt_deinit(crt);
gnutls_global_deinit();
}
static void run_set_extension_by_oid(gnutls_x509_crq_t crq)
{
gnutls_x509_crt_t crt;
const char *err = NULL;
size_t oid_size;
gnutls_datum_t out, out2;
unsigned i;
int ret;
char oid[128];
ret = global_init();
if (ret < 0)
fail("global_init\n");
gnutls_global_set_log_function(tls_log_func);
if (debug)
gnutls_global_set_log_level(4711);
ret = gnutls_x509_crt_init(&crt);
if (ret != 0)
fail("gnutls_x509_crt_init\n");
ret = gnutls_x509_crt_set_crq(crt, crq);
if (ret != 0)
fail("gnutls_x509_crt_set_crq: %s\n", gnutls_strerror(ret));
ret = gnutls_x509_crt_set_issuer_dn(crt, "o = big\\, and one,cn = my CA", &err);
if (ret < 0) {
fail("gnutls_x509_crt_set_issuer_dn: %s, %s\n", gnutls_strerror(ret), err);
}
ret = gnutls_x509_crt_set_version(crt, 3);
if (ret != 0)
fail("gnutls_x509_crt_set_version\n");
ret = gnutls_x509_crt_set_crq_extension_by_oid(crt, crq, GNUTLS_X509EXT_OID_EXTENDED_KEY_USAGE, 0);
if (ret != 0)
fail("gnutls_x509_crt_set_crq_extension_by_oid\n");
oid_size = sizeof(oid);
ret = gnutls_x509_crt_get_extension_info(crt, 0, oid, &oid_size, NULL);
if (ret != 0)
fail("gnutls_x509_crt_get_extension_info\n");
if (strcmp(oid, GNUTLS_X509EXT_OID_EXTENDED_KEY_USAGE) != 0)
fail("strcmp\n");
ret = gnutls_x509_crt_get_extension_data2(crt, 0, &out);
if (ret != 0)
fail("gnutls_x509_crt_get_extension_data2\n");
for (i=0;;i++) {
oid_size = sizeof(oid);
ret = gnutls_x509_crq_get_extension_info(crq, i, oid, &oid_size, NULL);
if (ret < 0)
fail("loop: ext not found: %s\n", gnutls_strerror(ret));
if (strcmp(oid, GNUTLS_X509EXT_OID_EXTENDED_KEY_USAGE) == 0) {
ret = gnutls_x509_crq_get_extension_data2(crq, 3, &out2);
if (ret != 0)
fail("gnutls_x509_crt_get_extension_data2\n");
break;
}
}
if (out.size != out2.size || memcmp(out.data, out2.data, out.size) != 0) {
fail("memcmp %d, %d\n", out.size, out2.size);
}
gnutls_free(out.data);
gnutls_free(out2.data);
oid_size = sizeof(oid);
ret = gnutls_x509_crt_get_extension_info(crt, 1, oid, &oid_size, NULL);
if (ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
fail("gnutls_x509_crt_get_extension_info\n");
ret = gnutls_x509_crt_get_raw_dn(crt, &out);
if (ret < 0 || out.size == 0)
fail("gnutls_x509_crt_get_raw_dn: %s\n", gnutls_strerror(ret));
if (out.size != 45 ||
memcmp(out.data, "\x30\x2b\x31\x0e\x30\x0c\x06\x03\x55\x04\x03\x13\x05\x6e\x69\x6b\x6f\x73\x31\x19\x30\x17\x06\x03\x55\x04\x0a\x13\x10\x6e\x6f\x6e\x65\x20\x74\x6f\x2c\x20\x6d\x65\x6e\x74\x69\x6f\x6e", 45) != 0) {
fail("DN comparison failed\n");
}
gnutls_free(out.data);
gnutls_x509_crt_deinit(crt);
gnutls_global_deinit();
}
/*!
Set the request that the certificate will be generated from.
*/
bool CertificateBuilder::setRequest(const CertificateRequest &crq)
{
d->errnumber = gnutls_x509_crt_set_crq(d->crt, crq.d->crq);
return GNUTLS_E_SUCCESS == d->errnumber;
}
