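/* self sign */
/*
 * Self-sign certificate x with pkey: the issuer name is set to x's own
 * subject name, validity runs from "now" for `days` days, the public key is
 * replaced by pkey and, optionally, every existing extension is removed
 * (clrext) and/or the extensions listed in `section` of `conf` are added,
 * before the certificate is signed with `digest`.
 *
 * Returns 1 on success, 0 on failure; on failure the OpenSSL error queue is
 * printed to bio_err (file-scope BIO).
 */
static int sign(X509 *x, EVP_PKEY *pkey, int days, int clrext,
                const EVP_MD *digest, CONF *conf, char *section)
{
    EVP_PKEY *pktmp;

    /*
     * X509_get_pubkey() returns a new reference (or NULL if the certificate
     * carries no usable key); it must be checked before use and released.
     * EVP_PKEY_copy_parameters(to, from) copies key parameters into the
     * certificate's current key object before that key is replaced below.
     */
    pktmp = X509_get_pubkey(x);
    if (pktmp == NULL)
        goto err;
    EVP_PKEY_copy_parameters(pktmp, pkey);
    EVP_PKEY_save_parameters(pktmp, 1);
    EVP_PKEY_free(pktmp);

    /* Self-signed: issuer == subject. */
    if (!X509_set_issuer_name(x, X509_get_subject_name(x)))
        goto err;

    /* notBefore = now. */
    if (X509_gmtime_adj(X509_get_notBefore(x), 0) == NULL)
        goto err;
    /* notAfter = now + days, the seconds computed in long arithmetic. */
    if (X509_gmtime_adj(X509_get_notAfter(x), (long)60 * 60 * 24 * days) == NULL)
        goto err;

    if (!X509_set_pubkey(x, pkey))
        goto err;

    if (clrext) {
        /* Deleting index 0 until the list is empty keeps indices valid. */
        while (X509_get_ext_count(x) > 0)
            X509_delete_ext(x, 0);
    }

    if (conf) {
        X509V3_CTX ctx;

        /* Extensions need a v3 certificate (version field value 2). */
        if (!X509_set_version(x, 2))
            goto err;
        /* Issuer and subject certificate are both x when self-signing. */
        X509V3_set_ctx(&ctx, x, x, NULL, NULL, 0);
        X509V3_set_nconf(&ctx, conf);
        if (!X509V3_EXT_add_nconf(conf, &ctx, section, x))
            goto err;
    }

    if (!X509_sign(x, pkey, digest))
        goto err;
    return 1;

 err:
    ERR_print_errors(bio_err);
    return 0;
}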
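/*
 * Set the extension of type nid on subj to the one built from value (an
 * X509V3 configuration-style value string) with issuer as the issuing
 * certificate in the X509V3 context. Every extension of the same nid that
 * subj already carries is removed first, so the result contains exactly one
 * such extension.
 *
 * Returns 1 on success, 0 on failure. Note that when 0 is returned because
 * X509_add_ext() failed, the old extensions have already been removed.
 */
int add_ext(X509 *issuer, X509 *subj, int nid, const char *value)
{
    X509V3_CTX ctx;
    X509_EXTENSION *ex;
    int loc;
    int ret = 0;

    X509V3_set_ctx(&ctx, issuer, subj, NULL, NULL, 0);
    /*
     * X509V3_EXT_conf_nid() takes a non-const value pointer; the cast only
     * matches the prototype and the string is not expected to be modified.
     */
    ex = X509V3_EXT_conf_nid(NULL, &ctx, nid, (char *)value);
    if (ex == NULL)
        return 0;

    /*
     * Remove old extensions of the same type. X509_get_ext_by_NID() starts
     * searching at lastpos + 1, and deleting the entry at loc shifts the
     * following entries down by one, so the next search must restart from
     * loc - 1; restarting from loc would skip an adjacent duplicate.
     */
    loc = -1;
    while ((loc = X509_get_ext_by_NID(subj, nid, loc)) != -1) {
        X509_EXTENSION *old;

        printf("Removing old extension number %d\n", loc);
        old = X509_delete_ext(subj, loc);
        X509_EXTENSION_free(old);
        loc--;
    }

    /* X509_add_ext() stores a copy of ex; ex stays ours to free. */
    if (X509_add_ext(subj, ex, -1))
        ret = 1;
    X509_EXTENSION_free(ex);
    return ret;
}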
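/*
 * Certify x with the CA certificate xca and CA private key pkey.
 *
 * Unless the input was a certificate request (file-scope flag reqfile), x is
 * first verified against the store ctx (x itself is added to the store
 * beforehand, so a self-signed x verifies). The issuer name is taken from
 * xca, the serial number from sno or else from serialfile via load_serial()
 * (creating it when `create` is set), validity runs from "now" for `days`
 * days, and optionally existing extensions are dropped (clrext) and/or the
 * extensions in `section` of `conf` are added before signing with `digest`.
 *
 * Returns 1 on success, 0 on failure; failures are printed to bio_err.
 */
static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest,
                        X509 *x, X509 *xca, EVP_PKEY *pkey, char *serialfile,
                        int create, int days, int clrext, CONF *conf,
                        char *section, ASN1_INTEGER *sno)
{
    int ret = 0;
    ASN1_INTEGER *bs = NULL;
    X509_STORE_CTX xsc;
    EVP_PKEY *upkey;

    /*
     * Initialise the verify context first so that every later `goto end`
     * runs X509_STORE_CTX_cleanup() on an initialised context.
     */
    if (!X509_STORE_CTX_init(&xsc, ctx, x, NULL)) {
        BIO_printf(bio_err, "Error initialising X509 store\n");
        goto end;
    }

    /*
     * X509_get_pubkey() returns a new reference or NULL; copy key parameters
     * (EVP_PKEY_copy_parameters(to, from)) and release it.
     */
    upkey = X509_get_pubkey(xca);
    if (upkey == NULL)
        goto end;
    EVP_PKEY_copy_parameters(upkey, pkey);
    EVP_PKEY_free(upkey);

    /* bs is only owned by us when it did not come from the caller (sno). */
    if (sno != NULL) {
        bs = sno;
    } else if ((bs = load_serial(CAfile, serialfile, create)) == NULL) {
        goto end;
    }

    if (!X509_STORE_add_cert(ctx, x))
        goto end;

    /*
     * NOTE: this certificate can/should be self signed, unless it was
     * a certificate request in which case it is not.
     */
    X509_STORE_CTX_set_cert(&xsc, x);
    if (!reqfile && !X509_verify_cert(&xsc))
        goto end;

    if (!X509_check_private_key(xca, pkey)) {
        BIO_printf(bio_err, "CA certificate and CA private key do not match\n");
        goto end;
    }

    if (!X509_set_issuer_name(x, X509_get_subject_name(xca)))
        goto end;
    if (!X509_set_serialNumber(x, bs))
        goto end;

    /* notBefore = now; notAfter = now + days (seconds in long arithmetic). */
    if (X509_gmtime_adj(X509_get_notBefore(x), 0L) == NULL)
        goto end;
    if (X509_gmtime_adj(X509_get_notAfter(x), (long)60 * 60 * 24 * days) == NULL)
        goto end;

    if (clrext) {
        /* Deleting index 0 until the list is empty keeps indices valid. */
        while (X509_get_ext_count(x) > 0)
            X509_delete_ext(x, 0);
    }

    if (conf) {
        X509V3_CTX ctx2;

        /* Extensions need a v3 certificate (version field value 2). */
        if (!X509_set_version(x, 2))
            goto end;
        /* xca is the issuer, x the subject, for extension evaluation. */
        X509V3_set_ctx(&ctx2, xca, x, NULL, NULL, 0);
        X509V3_set_nconf(&ctx2, conf);
        if (!X509V3_EXT_add_nconf(conf, &ctx2, section, x))
            goto end;
    }

    if (!X509_sign(x, pkey, digest))
        goto end;
    ret = 1;

 end:
    X509_STORE_CTX_cleanup(&xsc);
    if (!ret)
        ERR_print_errors(bio_err);
    if (!sno)
        ASN1_INTEGER_free(bs);
    return ret;
}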
/*
 * Record in sctx the DER encodings that SCT verification needs for cert.
 *
 * If cert carries no precert poison extension it is an ordinary certificate:
 * its full DER encoding is stored in sctx->certder/certderlen and presigner
 * must be NULL. If cert carries either a poison extension (precert) or a
 * precert SCT list extension (final certificate), a copy of cert has that
 * extension removed, is adjusted by ct_x509_cert_fixup() with presigner, and
 * its TBSCertificate encoding is stored in sctx->preder/prederlen.
 * Carrying both extensions, or a duplicate of either, is an error.
 *
 * Previously stored encodings in sctx are released. Returns 1 on success,
 * 0 on failure (sctx is left unchanged on failure).
 */
int SCT_CTX_set1_cert(SCT_CTX *sctx, X509 *cert, X509 *presigner)
{
    unsigned char *cert_der = NULL;
    unsigned char *tbs_der = NULL;
    X509 *tbs_copy = NULL;
    int cert_der_len = 0;
    int tbs_der_len = 0;
    int poison_dup = 0;
    int sct_dup = 0;
    int poison_idx;
    int sct_idx;
    int strip_idx;

    poison_idx = ct_x509_get_ext(cert, NID_ct_precert_poison, &poison_dup);
    /* More than one poison extension is malformed. */
    if (poison_dup)
        goto err;

    if (poison_idx == -1) {
        /* Not a precert, so a presigner makes no sense here. */
        if (presigner != NULL)
            goto err;
        cert_der_len = i2d_X509(cert, &cert_der);
        if (cert_der_len < 0)
            goto err;
    }

    sct_idx = ct_x509_get_ext(cert, NID_ct_precert_scts, &sct_dup);
    /* More than one SCT list extension is malformed. */
    if (sct_dup)
        goto err;
    /* A certificate cannot be both a precert and carry embedded SCTs. */
    if (sct_idx >= 0 && poison_idx >= 0)
        goto err;

    /* Whichever of the two extensions is present is the one to strip. */
    strip_idx = (sct_idx == -1) ? poison_idx : sct_idx;

    if (strip_idx >= 0) {
        /*
         * Work on a copy so the caller's certificate is untouched; dropping
         * the extension plus ct_x509_cert_fixup() yields the TBSCertificate
         * the log signed.
         */
        tbs_copy = X509_dup(cert);
        if (tbs_copy == NULL)
            goto err;
        X509_EXTENSION_free(X509_delete_ext(tbs_copy, strip_idx));
        if (!ct_x509_cert_fixup(tbs_copy, presigner))
            goto err;
        tbs_der_len = i2d_re_X509_tbs(tbs_copy, &tbs_der);
        if (tbs_der_len <= 0)
            goto err;
    }

    /* Success: hand the new buffers to sctx, releasing any old ones. */
    X509_free(tbs_copy);
    OPENSSL_free(sctx->certder);
    sctx->certder = cert_der;
    sctx->certderlen = cert_der_len;
    OPENSSL_free(sctx->preder);
    sctx->preder = tbs_der;
    sctx->prederlen = tbs_der_len;
    return 1;

 err:
    OPENSSL_free(cert_der);
    OPENSSL_free(tbs_der);
    X509_free(tbs_copy);
    return 0;
}