/**
* gnutls_x509_crt_set_crq:
* @crt: a certificate of type #gnutls_x509_crt_t
* @crq: holds a certificate request
*
* This function will set the name and public parameters as well as
* the extensions from the given certificate request to the certificate.
* Only RSA keys are currently supported.
*
* Note that this function will only set the @crq if it is self
* signed and the signature is correct. See gnutls_x509_crq_sign2().
*
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
* negative error value.
**/
int gnutls_x509_crt_set_crq(gnutls_x509_crt_t crt, gnutls_x509_crq_t crq)
{
int result;
if (crt == NULL || crq == NULL) {
gnutls_assert();
return GNUTLS_E_INVALID_REQUEST;
}
result = gnutls_x509_crq_verify(crq, 0);
if (result < 0)
return gnutls_assert_val(result);
result = asn1_copy_node(crt->cert, "tbsCertificate.subject",
crq->crq,
"certificationRequestInfo.subject");
if (result != ASN1_SUCCESS) {
gnutls_assert();
return _gnutls_asn2err(result);
}
result =
asn1_copy_node(crt->cert,
"tbsCertificate.subjectPublicKeyInfo", crq->crq,
"certificationRequestInfo.subjectPKInfo");
if (result != ASN1_SUCCESS) {
gnutls_assert();
return _gnutls_asn2err(result);
}
return 0;
}
/**
* gnutls_x509_crt_set_proxy_dn:
* @crt: a gnutls_x509_crt_t structure with the new proxy cert
* @eecrt: the end entity certificate that will be issuing the proxy
* @raw_flag: must be 0, or 1 if the CN is DER encoded
* @name: a pointer to the CN name, may be NULL (but MUST then be added later)
* @sizeof_name: holds the size of @name
*
* This function will set the subject in @crt to the end entity's
* @eecrt subject name, and add a single Common Name component @name
* of size @sizeof_name. This corresponds to the required proxy
* certificate naming style. Note that if @name is %NULL, you MUST
* set it later by using gnutls_x509_crt_set_dn_by_oid() or similar.
*
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
* negative error value.
**/
int
gnutls_x509_crt_set_proxy_dn(gnutls_x509_crt_t crt,
gnutls_x509_crt_t eecrt,
unsigned int raw_flag, const void *name,
unsigned int sizeof_name)
{
int result;
if (crt == NULL || eecrt == NULL) {
return GNUTLS_E_INVALID_REQUEST;
}
result = asn1_copy_node(crt->cert, "tbsCertificate.subject",
eecrt->cert, "tbsCertificate.subject");
if (result != ASN1_SUCCESS) {
gnutls_assert();
return _gnutls_asn2err(result);
}
if (name && sizeof_name) {
return _gnutls_x509_set_dn_oid(crt->cert,
"tbsCertificate.subject",
GNUTLS_OID_X520_COMMON_NAME,
raw_flag, name,
sizeof_name);
}
return 0;
}
/*-
* _gnutls_x509_pkix_sign - This function will sign a CRL or a certificate with a key
* @src: should contain an ASN1_TYPE
* @issuer: is the certificate of the certificate issuer
* @issuer_key: holds the issuer's private key
*
* This function will sign a CRL or a certificate with the issuer's private key, and
* will copy the issuer's information into the CRL or certificate.
*
* Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
* negative error value.
-*/
int
_gnutls_x509_pkix_sign (ASN1_TYPE src, const char *src_name,
gnutls_digest_algorithm_t dig,
gnutls_x509_crt_t issuer,
gnutls_x509_privkey_t issuer_key)
{
int result;
gnutls_datum_t signature;
char name[128];
/* Step 1. Copy the issuer's name into the certificate.
*/
_gnutls_str_cpy (name, sizeof (name), src_name);
_gnutls_str_cat (name, sizeof (name), ".issuer");
result = asn1_copy_node (src, name, issuer->cert, "tbsCertificate.subject");
if (result != ASN1_SUCCESS)
{
gnutls_assert ();
return _gnutls_asn2err (result);
}
/* Step 1.5. Write the signature stuff in the tbsCertificate.
*/
_gnutls_str_cpy (name, sizeof (name), src_name);
_gnutls_str_cat (name, sizeof (name), ".signature");
result = _gnutls_x509_write_sig_params (src, name,
issuer_key->pk_algorithm, dig,
issuer_key->params,
issuer_key->params_size);
if (result < 0)
{
gnutls_assert ();
return result;
}
/* Step 2. Sign the certificate.
*/
result = _gnutls_x509_sign_tbs (src, src_name, dig, issuer_key, &signature);
if (result < 0)
{
gnutls_assert ();
return result;
}
/* write the signature (bits)
*/
result =
asn1_write_value (src, "signature", signature.data, signature.size * 8);
_gnutls_free_datum (&signature);
if (result != ASN1_SUCCESS)
{
gnutls_assert ();
return _gnutls_asn2err (result);
}
/* Step 3. Move up and write the AlgorithmIdentifier, which is also
* the same.
*/
result = _gnutls_x509_write_sig_params (src, "signatureAlgorithm",
issuer_key->pk_algorithm, dig,
issuer_key->params,
issuer_key->params_size);
if (result < 0)
{
gnutls_assert ();
return result;
}
return 0;
}
int
main (int argc, char *argv[])
{
int result;
char buffer[5 * 1024];
char buffer2[5 * 1024];
asn1_node definitions = NULL;
asn1_node asn1_element = NULL, cpy_node = NULL;
char errorDescription[ASN1_MAX_ERROR_DESCRIPTION_SIZE];
FILE *out, *fd;
int start, end;
ssize_t size;
int size2;
const char *treefile = getenv ("ASN1PKIX");
const char *derfile = getenv ("ASN1CRLDER");
int verbose = 0;
if (argc > 1)
verbose = 1;
if (!treefile)
treefile = "pkix.asn";
if (!derfile)
derfile = "crl.der";
if (verbose)
{
printf ("\n\n/****************************************/\n");
printf ("/* Test sequence : Test_indefinite */\n");
printf ("/****************************************/\n\n");
printf ("ASN1TREE: %s\n", treefile);
}
/* Check version */
if (asn1_check_version ("0.3.3") == NULL)
printf ("\nLibrary version check ERROR:\n actual version: %s\n\n",
asn1_check_version (NULL));
result = asn1_parser2tree (treefile, &definitions, errorDescription);
if (result != ASN1_SUCCESS)
{
asn1_perror (result);
printf ("ErrorDescription = %s\n\n", errorDescription);
exit (1);
}
out = stdout;
fd = fopen (derfile, "rb");
if (fd == NULL)
{
printf ("Cannot read file %s\n", derfile);
exit (1);
}
size = fread (buffer, 1, sizeof (buffer), fd);
if (size <= 0)
{
printf ("Cannot read from file %s\n", derfile);
exit (1);
}
fclose (fd);
result =
asn1_create_element (definitions, "PKIX1.CertificateList", &asn1_element);
if (result != ASN1_SUCCESS)
{
asn1_perror (result);
printf ("Cannot create CRL element\n");
exit (1);
}
result = asn1_der_decoding (&asn1_element, buffer, size, errorDescription);
if (result != ASN1_SUCCESS)
{
asn1_perror (result);
printf ("Cannot decode DER data (size %ld)\n", (long) size);
exit (1);
}
/* test asn1_copy_node */
result =
asn1_create_element (definitions, "PKIX1.CertificateList", &cpy_node);
if (result != ASN1_SUCCESS)
{
asn1_perror (result);
printf ("Cannot create CRL element\n");
exit (1);
}
result = asn1_copy_node(cpy_node, "", asn1_element, "");
if (result != ASN1_SUCCESS)
{
asn1_perror (result);
printf ("Cannot copy node\n");
exit (1);
}
/* test whether the copied node encodes the same */
size2 = sizeof(buffer2);
result = asn1_der_coding (cpy_node, "", buffer2, &size2, NULL);
if (result != ASN1_SUCCESS)
{
asn1_perror (result);
printf ("Cannot encode data (size %ld)\n", (long) size);
exit (1);
}
if (size2 != size || memcmp(buffer, buffer2, size) != 0)
{
printf("DER encoded data differ!\n");
exit(1);
}
asn1_delete_structure (&cpy_node);
/* Test asn1_dup_node */
cpy_node = asn1_dup_node(asn1_element, "");
if (cpy_node == NULL)
{
printf ("Cannot copy node (dup_node)\n");
exit (1);
}
/* test whether the copied node encodes the same */
size2 = sizeof(buffer2);
result = asn1_der_coding (cpy_node, "", buffer2, &size2, NULL);
if (result != ASN1_SUCCESS)
{
asn1_perror (result);
printf ("Cannot encode data (size %ld)\n", (long) size);
exit (1);
}
if (size2 != size || memcmp(buffer, buffer2, size) != 0)
{
printf("DER encoded data differ!\n");
exit(1);
}
result = asn1_der_decoding_startEnd (asn1_element, buffer, size, "tbsCertList.issuer", &start, &end);
if (result != ASN1_SUCCESS)
{
asn1_perror (result);
printf ("Cannot find start End\n");
exit (1);
}
if (start != 24 && end != 291)
{
printf("Error in start and end values for issuer. Have: %d..%d\n", start, end);
exit(1);
}
result = asn1_der_decoding_startEnd (asn1_element, buffer, size, "signature", &start, &end);
if (result != ASN1_SUCCESS)
{
asn1_perror (result);
printf ("Cannot find start End\n");
exit (1);
}
if (start != 372 && end != 503)
{
printf("Error in start and end values for signature. Have: %d..%d\n", start, end);
exit(1);
}
/* Clear the definition structures */
asn1_delete_structure (&asn1_element);
asn1_delete_structure (&cpy_node);
asn1_delete_structure (&definitions);
if (out != stdout)
fclose (out);
exit (0);
}
