void pki_x509req::createReq(pki_key *key, const x509name &dn, const EVP_MD *md, extList el)
{
int bad_nids[] = { NID_subject_key_identifier, NID_authority_key_identifier,
NID_issuer_alt_name, NID_undef };
EVP_PKEY *privkey = NULL;
if (key->isPubKey()) {
my_error(tr("Signing key not valid (public key)"));
return;
}
X509_REQ_set_version(request, 0L);
X509_REQ_set_pubkey(request, key->getPubKey());
setSubject(dn);
pki_openssl_error();
for(int i=0; bad_nids[i] != NID_undef; i++)
el.delByNid(bad_nids[i]);
el.delInvalid();
if (el.count() > 0) {
STACK_OF(X509_EXTENSION) *sk;
sk = el.getStack();
X509_REQ_add_extensions(request, sk);
sk_X509_EXTENSION_pop_free(sk, X509_EXTENSION_free);
}
pki_openssl_error();
privkey = key->decryptKey();
X509_REQ_sign(request, privkey, md);
pki_openssl_error();
EVP_PKEY_free(privkey);
}
int X509V3_EXT_REQ_add_conf(LHASH *conf, X509V3_CTX *ctx, char *section,
X509_REQ *req)
{
X509_EXTENSION *ext;
STACK_OF(X509_EXTENSION) *extlist = NULL;
STACK_OF(CONF_VALUE) *nval;
CONF_VALUE *val;
int i;
if(!(nval = CONF_get_section(conf, section))) return 0;
for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
val = sk_CONF_VALUE_value(nval, i);
if(!(ext = X509V3_EXT_conf(conf, ctx, val->name, val->value)))
return 0;
if(!extlist) extlist = sk_X509_EXTENSION_new_null();
sk_X509_EXTENSION_push(extlist, ext);
}
if(req) i = X509_REQ_add_extensions(req, extlist);
else i = 1;
sk_X509_EXTENSION_pop_free(extlist, X509_EXTENSION_free);
return i;
}
static LUA_FUNCTION(openssl_csr_extensions)
{
X509_REQ *csr = CHECK_OBJECT(1, X509_REQ, "openssl.x509_req");
if (lua_isnone(L, 2))
{
STACK_OF(X509_EXTENSION) *sk = X509_REQ_get_extensions(csr);
if (sk)
{
PUSH_OBJECT(sk, "openssl.stack_of_x509_extension");
}
else
lua_pushnil(L);
return 1;
}
else
{
STACK_OF(X509_EXTENSION) *sk = CHECK_OBJECT(2, STACK_OF(X509_EXTENSION), "openssl.stack_of_x509_extension");
int ret = X509_REQ_add_extensions(csr, sk);
return openssl_pushresult(L, ret);
}
}
/***
set extension of x509_req object
@function extensions
@tparam stack_of_x509_extension extensions
@treturn boolean result true for success
*/
static LUA_FUNCTION(openssl_csr_extensions)
{
X509_REQ *csr = CHECK_OBJECT(1, X509_REQ, "openssl.x509_req");
if (lua_isnone(L, 2))
{
STACK_OF(X509_EXTENSION) *sk = X509_REQ_get_extensions(csr);
if (sk)
{
openssl_sk_x509_extension_totable(L, sk);
sk_X509_EXTENSION_pop_free(sk, X509_EXTENSION_free);
}
else
lua_pushnil(L);
return 1;
}
else
{
STACK_OF(X509_EXTENSION) *sk = openssl_sk_x509_extension_fromtable(L, 2);
int ret = X509_REQ_add_extensions(csr, sk);
sk_X509_EXTENSION_pop_free(sk, X509_EXTENSION_free);
return openssl_pushresult(L, ret);
}
}
TokenError _backend_createRequest(const RegutilInfo *info,
const char *hostname,
const char *password,
char **request, size_t *reqlen) {
// OpenSSL seeds the PRNG automatically, see the manual page for RAND_add.
if (!RAND_status()) {
fprintf(stderr, BINNAME ": no random state!\n");
return TokenError_NoRandomState;
}
// Abort if there are no requests
*request = NULL;
if (!info->pkcs10) return TokenError_Unknown;
// Create certificate requests
bool ok = true;
CertReq *reqs = NULL;
STACK *x509reqs = sk_new_null();
for (const RegutilPKCS10 *pkcs10 = info->pkcs10; pkcs10 != NULL;
pkcs10 = pkcs10->next) {
RSA *rsa = NULL;
EVP_PKEY *privkey = NULL;
X509_NAME *subject = NULL;
X509_REQ *x509req = NULL;
STACK_OF(X509_EXTENSION) *exts = NULL;
// Check the parameters.
// Maximum key size in OpenSSL:
// http://www.mail-archive.com/[email protected]/msg58229.html
if (!pkcs10->subjectDN || pkcs10->keySize < 1024 ||
pkcs10->keySize > 16384)
goto req_error;
// Generate key pair
// FIXME deprecated function
// TODO use OPENSSL_NO_DEPRECATED
rsa = RSA_generate_key(pkcs10->keySize, RSA_F4, NULL, NULL);
if (!rsa) goto req_error;
privkey = EVP_PKEY_new();
if (!privkey) goto req_error;
EVP_PKEY_assign_RSA(privkey, rsa);
// Subject name
subject = certutil_parse_dn(pkcs10->subjectDN, pkcs10->includeFullDN);
if (!subject) goto req_error;
// Create request
x509req = X509_REQ_new();
if (!x509req ||
!X509_REQ_set_version(x509req, 0) ||
!X509_REQ_set_subject_name(x509req, subject) ||
!X509_REQ_set_pubkey(x509req, privkey)) { // yes this is correct(!)
certutil_updateErrorString();
goto req_error;
}
// Set attributes
exts = sk_X509_EXTENSION_new_null();
if (!exts) goto req_error;
X509_EXTENSION *ext = makeKeyUsageExt(pkcs10->keyUsage);
if (!ext || !sk_X509_EXTENSION_push(exts, ext))
goto req_error;
if (!X509_REQ_add_extensions(x509req, exts)) {
certutil_updateErrorString();
goto req_error;
}
exts = NULL;
// Add signature
if (!X509_REQ_sign(x509req, privkey, EVP_sha1())) {
certutil_updateErrorString();
goto req_error;
}
// Store in list
CertReq *req = malloc(sizeof(CertReq));
req->pkcs10 = pkcs10;
req->privkey = privkey;
req->rsa = rsa;
req->x509 = x509req;
req->next = reqs;
reqs = req;
sk_push(x509reqs, (char*)x509req);
continue;
req_error:
// Clean up and set error flag
if (privkey) EVP_PKEY_free(privkey);
else if (rsa) RSA_free(rsa);
X509_NAME_free(subject);
sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
X509_REQ_free(x509req);
ok = false;
}
TokenError error = TokenError_Unknown;
if (ok) {
// Determine filename from certificate name
char *filename = certutil_makeFilename(X509_REQ_get_subject_name(reqs->x509));
// Build the certificate request
request_wrap(x509reqs, request, reqlen);
if (*request && filename) {
// Create the key file in ~/cbt/name.p12
FILE *keyfile = platform_openLocked(filename, Platform_OpenCreate);
if (!keyfile) {
error = TokenError_CantCreateFile;
} else {
error = saveKeys(reqs, hostname, password, keyfile);
if (!platform_closeLocked(keyfile) && !error)
error = TokenError_CantCreateFile;
}
}
if (filename) free(filename);
if (error && *request) free(*request);
}
// Free reqs
while (reqs) {
RSA_free(reqs->rsa); // This free's privkey too
X509_REQ_free(reqs->x509);
CertReq *next = reqs->next;
free(reqs);
reqs = next;
}
sk_free(x509reqs);
return error;
}
static LUA_FUNCTION(openssl_csr_new)
{
X509_REQ *csr = X509_REQ_new();
int i;
int n = lua_gettop(L);
int ret = X509_REQ_set_version(csr, 0L);
for (i = 1; ret == 1 && i <= n; i++)
{
luaL_argcheck(L,
auxiliar_isclass(L, "openssl.stack_of_x509_extension", i) ||
auxiliar_isclass(L, "openssl.stack_of_x509_attribute", i) ||
auxiliar_isclass(L, "openssl.x509_name", i) ||
auxiliar_isclass(L, "openssl.evp_pkey", i),
i, "must be x509_name, stack_of_x509_extension or stack_of_x509_attribute");
if (auxiliar_isclass(L, "openssl.x509_name", i))
{
X509_NAME * subject = CHECK_OBJECT(i, X509_NAME, "openssl.x509_name");
ret = X509_REQ_set_subject_name(csr, subject);
}
if (auxiliar_isclass(L, "openssl.stack_of_x509_attribute", i))
{
int j, m;
STACK_OF(X509_ATTRIBUTE) *attrs = CHECK_OBJECT(i, STACK_OF(X509_ATTRIBUTE), "openssl.stack_of_x509_attribute");
m = sk_X509_ATTRIBUTE_num(attrs);
for (j = 0; ret == 1 && j < m; j++)
{
ret = X509_REQ_add1_attr(csr, sk_X509_ATTRIBUTE_value(attrs, j));
}
}
if (auxiliar_isclass(L, "openssl.stack_of_x509_extension", i))
{
STACK_OF(X509_EXTENSION) *exts =
CHECK_OBJECT(i, STACK_OF(X509_EXTENSION), "openssl.stack_of_x509_extension");
ret = X509_REQ_add_extensions(csr, exts);
}
if (auxiliar_isclass(L, "openssl.evp_pkey", i))
{
EVP_PKEY *pkey;
const EVP_MD *md;
luaL_argcheck(L, i == n || i == n - 1, i, "must is evp_pkey object");
pkey = CHECK_OBJECT(i, EVP_PKEY, "openssl.evp_pkey");
luaL_argcheck(L, openssl_pkey_is_private(pkey), i, "must be private key");
if (i == n - 1)
md = get_digest(L, n);
else
md = EVP_get_digestbyname("sha1");
ret = X509_REQ_set_pubkey(csr, pkey);
if (ret == 1)
{
ret = X509_REQ_sign(csr, pkey, md);
if (ret > 0)
ret = 1;
}
break;
}
};
if (ret == 1)
PUSH_OBJECT(csr, "openssl.x509_req");
else
{
X509_REQ_free(csr);
return openssl_pushresult(L, ret);
}
return 1;
}
int mkreq(X509_REQ **req, EVP_PKEY **pkeyp, int bits, int serial, int days)
{
X509_REQ *x;
EVP_PKEY *pk;
RSA *rsa;
X509_NAME *name=NULL;
STACK_OF(X509_EXTENSION) *exts = NULL;
if ((pk=EVP_PKEY_new()) == NULL)
goto err;
if ((x=X509_REQ_new()) == NULL)
goto err;
rsa=RSA_generate_key(bits,RSA_F4,callback,NULL);
if (!EVP_PKEY_assign_RSA(pk,rsa))
goto err;
rsa=NULL;
X509_REQ_set_pubkey(x,pk);
name=X509_REQ_get_subject_name(x);
/* This function creates and adds the entry, working out the
* correct string type and performing checks on its length.
* Normally we'd check the return value for errors...
*/
X509_NAME_add_entry_by_txt(name,"C",
MBSTRING_ASC, "UK", -1, -1, 0);
X509_NAME_add_entry_by_txt(name,"CN",
MBSTRING_ASC, "OpenSSL Group", -1, -1, 0);
#ifdef REQUEST_EXTENSIONS
/* Certificate requests can contain extensions, which can be used
* to indicate the extensions the requestor would like added to
* their certificate. CAs might ignore them however or even choke
* if they are present.
*/
/* For request extensions they are all packed in a single attribute.
* We save them in a STACK and add them all at once later...
*/
exts = sk_X509_EXTENSION_new_null();
/* Standard extenions */
add_ext(exts, NID_key_usage, "critical,digitalSignature,keyEncipherment");
/* This is a typical use for request extensions: requesting a value for
* subject alternative name.
*/
add_ext(exts, NID_subject_alt_name, "email:[email protected]");
/* Some Netscape specific extensions */
add_ext(exts, NID_netscape_cert_type, "client,email");
#ifdef CUSTOM_EXT
/* Maybe even add our own extension based on existing */
{
int nid;
nid = OBJ_create("1.2.3.4", "MyAlias", "My Test Alias Extension");
X509V3_EXT_add_alias(nid, NID_netscape_comment);
add_ext(x, nid, "example comment alias");
}
#endif
/* Now we've created the extensions we add them to the request */
X509_REQ_add_extensions(x, exts);
sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
#endif
if (!X509_REQ_sign(x,pk,EVP_md5()))
goto err;
*req=x;
*pkeyp=pk;
return(1);
err:
return(0);
}
int32_t HttpsGenCertReq( HttpsCertReqInfo_t *pCertReqInfo,
unsigned char *pPrivbuf,
unsigned char *pCertbuf,
HttpsCertReqParams_t *pParams )
{
EVP_PKEY *pkey = NULL;
HX509Req_t *preq = NULL;
#ifdef OPENSSL_9_7
const EVP_MD *pDigest;
#else
EVP_MD *pDigest = NULL;
#endif /*OPENSSL_9_7*/
int32_t iRetVal;
unsigned char aSubAltName[HTTPS_PARAMS_SUB_NAME_LEN];
bool bFlag = FALSE;
STACK_OF(X509_EXTENSION) *skExtensions = NULL;
X509_EXTENSION *pSubExt = NULL;
unsigned char ucCT;
int32_t uileng;
/**
* Input Validations...
*/
if (pCertReqInfo == NULL)
{
Trace(HTTPS_ID, TRACE_SEVERE,
"HttpsGenCertReq:: Invalid parameters\n");
return OF_FAILURE;
}
/**
* Allocate space for the public-private key pair..
*/
if ((pkey = EVP_PKEY_new()) == NULL)
{
Trace(HTTPS_ID, TRACE_SEVERE,
"HttpsGenCertReq:: MemAlloc failure\n");
return OF_FAILURE;
}
/**
* Generate a public-private key pair..
*/
switch (pCertReqInfo->usCertType)
{
case RSA_MD5:
case RSA_SHA1:
if ((pCertReqInfo->cr_params.rsa_params.usNumBits < MIN_KEY_LENGTH))
{
Trace(HTTPS_ID, TRACE_SEVERE,
"HttpsGenCertReq : Invalid RSA parameters\n");
EVP_PKEY_free(pkey);
return OF_FAILURE;
}
if (!EVP_PKEY_assign_RSA(pkey,
RSA_generate_key(pCertReqInfo->cr_params.rsa_params.usNumBits,
0x10001, NULL, NULL)))
{
Trace(HTTPS_ID, TRACE_SEVERE,
"HttpsGenCertReq: EVP_PKEY assign failed\n");
EVP_PKEY_free(pkey);
return OF_FAILURE;
}
ucCT='r';
if (pCertReqInfo->usCertType == RSA_MD5)
{
pDigest = (EVP_MD *) EVP_md5();
}
else
{
pDigest = (EVP_MD *) EVP_sha1();
}
break;
default:
Trace(HTTPS_ID, TRACE_SEVERE, "HttpsGenCertReq:: Invalid certificate type\n");
EVP_PKEY_free(pkey);
return OF_FAILURE;
}
/**
* Prepare the Certificate Request..
*/
if ((preq = HttpsCertReqNew()) == NULL)
{
Trace(HTTPS_ID, TRACE_SEVERE,
"HttpsGenCertReq:: X509_req_new failed\n");
EVP_PKEY_free(pkey);
return OF_FAILURE;
}
/**
* Version Number..
*/
if (!ASN1_INTEGER_set(preq->req_info->version, 0L))
{
Trace(HTTPS_ID, TRACE_SEVERE,
"HttpsGenCertReq:: ASN1_INTEGER_set failed\n");
HttpsCertReqFree(preq);
EVP_PKEY_free(pkey);
return OF_FAILURE;
}
/**
* Subject Name...Filled with two RDNs...
*/
/**
* RDN # 1 : Country Name...
*/
if (!Httpsadd_DN_object((HX509Name_t *) preq->req_info->subject, NULL,
NULL, (char *) pParams->ucCn, NID_countryName, 2, 2))
{
Trace(HTTPS_ID, TRACE_SEVERE,
"HttpsGenCertReq:: Httpsadd_DN_object failed\n");
HttpsCertReqFree(preq);
EVP_PKEY_free(pkey);
return OF_FAILURE;
}
#ifdef OPENSSL_9_7
if (NID_postalCode == 0)
{
NID_postalCode = OBJ_create("2.5.4.17", "2.5.4.17",
"postal code attribute");
}
#endif
/**
* RDN #New::2: Postal code...
*/
if (!Httpsadd_DN_object((HX509Name_t *) preq->req_info->subject, NULL,
NULL, (char *) pParams->aPostalCode, NID_postalCode, 0,
10))
{
Trace(HTTPS_ID, TRACE_SEVERE,
"HttpsGenCertReq:: Httpsadd_DN_object failed\n");
HttpsCertReqFree(preq);
EVP_PKEY_free(pkey);
return OF_FAILURE;
}
/**
* RDN #3: State..
*/
if (!Httpsadd_DN_object((HX509Name_t *) preq->req_info->subject, NULL,
NULL, (char *) pParams->aState, NID_stateOrProvinceName,
0, 50))
{
Trace(HTTPS_ID, TRACE_SEVERE,
"HttpsGenCertReq:: Httpsadd_DN_object failed\n");
HttpsCertReqFree(preq);
EVP_PKEY_free(pkey);
return OF_FAILURE;
}
/**
* RDN #New::4: Locality Name...
*/
if (!Httpsadd_DN_object((HX509Name_t *) preq->req_info->subject, NULL,
NULL, (char *) pParams->aCity, NID_localityName, 0, 50))
{
Trace(HTTPS_ID, TRACE_SEVERE,
"HttpsGenCertReq:: Httpsadd_DN_object failed\n");
HttpsCertReqFree(preq);
EVP_PKEY_free(pkey);
return OF_FAILURE;
}
/**
* RDN #5 : Organization ..
*/
if (!Httpsadd_DN_object((HX509Name_t *) preq->req_info->subject, NULL,
NULL, (char *) pParams->aOrg, NID_organizationName,
0, 50))
{
Trace(HTTPS_ID, TRACE_SEVERE,
"HttpsGenCertReq:: Httpsadd_DN_object failed\n");
HttpsCertReqFree(preq);
EVP_PKEY_free(pkey);
return OF_FAILURE;
}
/**
* RDN #6 : Department ..
*/
if (!Httpsadd_DN_object((HX509Name_t *) preq->req_info->subject, NULL,
NULL, (char *) pParams->aDept, NID_organizationalUnitName,
0, 50))
{
Trace(HTTPS_ID, TRACE_SEVERE,
"HttpsGenCertReq:: Httpsadd_DN_object failed\n");
HttpsCertReqFree(preq);
EVP_PKEY_free(pkey);
return OF_FAILURE;
}
/**
* RDN #7 : Common Name (Subject)...
*/
if (!Httpsadd_DN_object((HX509Name_t *) preq->req_info->subject, NULL,
NULL, (char *) pParams->ucSub, NID_commonName, 0, 50))
{
Trace(HTTPS_ID, TRACE_SEVERE,
"HttpsGenCertReq:: Httpsadd_DN_object failed\n");
HttpsCertReqFree(preq);
EVP_PKEY_free(pkey);
return OF_FAILURE;
}
of_memset( aSubAltName, 0, HTTPS_PARAMS_SUB_NAME_LEN);
if (strlen((char *) pParams->aIpAddr))
{
of_strcat((char *) aSubAltName, "IP:");
of_strcat((char *) aSubAltName, (char *) pParams->aIpAddr);
bFlag = TRUE;
}
if (strlen((char *) pParams->aEmailId))
{
if (bFlag)
{
of_strcat((char *) aSubAltName, ",email:");
}
else
{
of_strcat((char *) aSubAltName, "email:");
}
of_strcat((char *) aSubAltName, (char *) pParams->aEmailId);
bFlag = TRUE;
}
if (strlen((char *) pParams->aDomain))
{
if (bFlag)
{
of_strcat((char *) aSubAltName, ",DNS:");
}
else
{
of_strcat((char *) aSubAltName, "DNS:");
}
of_strcat((char *) aSubAltName, (char *) pParams->aDomain);
bFlag = TRUE;
}
/**
* Adding subject alt name extension to the request.
*/
if ( of_strlen((char *) aSubAltName))
{
skExtensions = sk_X509_EXTENSION_new_null();
if (skExtensions == NULL)
{
Trace(HTTPS_ID, TRACE_SEVERE,
"HttpsGenCertReq:: sk_X509_EXTENSION_new_null failed\n");
HttpsCertReqFree(preq);
EVP_PKEY_free(pkey);
return OF_FAILURE;
}
pSubExt = X509V3_EXT_conf_nid(NULL, NULL, NID_subject_alt_name,
(char *) aSubAltName);
if (pSubExt)
{
sk_X509_EXTENSION_push(skExtensions, pSubExt);
}
iRetVal = X509_REQ_add_extensions(preq, skExtensions);
if (iRetVal == 0)
{
Trace(HTTPS_ID, TRACE_SEVERE,
"HttpsGenCertReq:: X509_REQ_add_extensions failed\n");
HttpsCertReqFree(preq);
EVP_PKEY_free(pkey);
return OF_FAILURE;
}
sk_X509_EXTENSION_pop_free(skExtensions, X509_EXTENSION_free);
} /* strlen sub alt */
/**
* Set the public key..
*/
if (!X509_REQ_set_pubkey(preq, pkey))
{
Trace(HTTPS_ID, TRACE_SEVERE,
"HttpsGenCertReq:: X509_REQ_sign failed\n");
HttpsCertReqFree(preq);
EVP_PKEY_free(pkey);
return OF_FAILURE;
}
/**
* Sign the CertReq Info..
*/
if (!X509_REQ_sign(preq, pkey, pDigest))
{
Trace(HTTPS_ID, TRACE_SEVERE,
"HttpsGenCertReq:: X509_REQ_sign failed\n");
HttpsCertReqFree(preq);
EVP_PKEY_free(pkey);
return OF_FAILURE;
}
/**
* Write the Private Key into the file...
*/
if (HttpsWritetoFile(pPrivbuf, HTTPS_PRIV_KEY, pkey, ucCT,
pParams->aIdName))
{
Trace(HTTPS_ID, TRACE_SEVERE,
"HttpsGenCertReq:: HttpsWritetoFile failed #1\n");
HttpsCertReqFree(preq);
EVP_PKEY_free(pkey);
return OF_FAILURE;
}
/**
* Write the Certificate Request into the file...
*/
if (HttpsWritetoFile(pCertbuf, HTTPS_CERT_REQ, preq, ucCT,
pParams->aIdName))
{
Trace(HTTPS_ID, TRACE_SEVERE,
"HttpsGenCertReq:: HttpsWritetoFile failed #2\n");
HttpsDeleteCerts(pParams->aIdName, 's');
HttpsCertReqFree(preq);
EVP_PKEY_free(pkey);
return OF_FAILURE;
}
uileng=strlen((char *) pCertbuf);
if (uileng > 2047)
{
Trace(HTTPS_ID, TRACE_SEVERE, "pCertbuf length exceeds 2k\n");
HttpsDeleteCerts(pParams->aIdName, 's');
HttpsCertReqFree(preq);
EVP_PKEY_free(pkey);
return OF_FAILURE;
}
Trace(HTTPS_ID, TRACE_INFO, "Generation of Certificate Request done\n");
HttpsCertReqFree(preq);
EVP_PKEY_free(pkey);
return OF_SUCCESS;
} /* HttpsGenCertReq() */
// reads the request req_filename and creates a modified creq_filename with the commitment extension added
void writeCommitmentCSR(BIGNUM *commitment_c, char *privkey_filename, char *req_filename, char *creq_filename) {
FILE *fp;
/* read in the request */
X509_REQ *req;
if (!(fp = fopen(req_filename, "r")))
critical_error("Error reading request file");
if (!(req = PEM_read_X509_REQ(fp, NULL, NULL, NULL)))
critical_error("Error reading request in file");
fclose(fp);
/* read in the private key */
EVP_PKEY *pkey;
if (!(fp = fopen(privkey_filename, "r")))
critical_error("Error reading private key file");
if (!(pkey = PEM_read_PrivateKey(fp, NULL, NULL, NULL)))
critical_error("Error reading private key in file");
fclose(fp);
/* create the new request */
X509_REQ *creq;
if (!(creq = X509_REQ_new()))
critical_error("Failed to create X509_REQ object");
X509_REQ_set_pubkey(creq, pkey);
// gets subj from initial requests and adds it to new one
X509_NAME *subj = X509_REQ_get_subject_name(req);
if (X509_REQ_set_subject_name(creq, subj) != 1)
critical_error("Error adding subject to request");
// enable the commitment extension handling (retrieve/print as string)
int nid = _commitmentExt_start();
// get extensions stack of original request
STACK_OF(X509_EXTENSION) *extlist = X509_REQ_get_extensions(req);
// if no extensions, create new stack
if (extlist==NULL) {
extlist = sk_X509_EXTENSION_new_null();
} else { // else check that the extension isn't already there (error!)
X509_EXTENSION *tmp = (X509_EXTENSION*) X509V3_get_d2i(extlist, nid, NULL, NULL);
if (tmp!=NULL)
critical_error("Aborting process: CSR already contains commitment extension!\n");
}
// create commitment extension storing C value as a hex string
X509_EXTENSION *exCommitment = (X509_EXTENSION*) X509V3_EXT_conf_nid(NULL, NULL, nid, BN_bn2hex(commitment_c));
if (!exCommitment)
critical_error("error creating commitment extension");
// push commitment extension into stack
sk_X509_EXTENSION_push(extlist, exCommitment);
// assign extensions to the new request
if (!X509_REQ_add_extensions(creq, extlist))
critical_error("Error adding extensions to the request");
sk_X509_EXTENSION_pop_free(extlist, X509_EXTENSION_free);
/////////////////////////////////////////////////////////////////////
/* pick the correct digest and sign the new request */
EVP_MD *digest;
if (EVP_PKEY_type(pkey->type) == EVP_PKEY_DSA)
digest = (EVP_MD*) EVP_dss1();
else if (EVP_PKEY_type(pkey->type) == EVP_PKEY_RSA)
digest = (EVP_MD*) EVP_sha1();
else
critical_error("Error checking public key for a valid digest");
if (!(X509_REQ_sign(creq, pkey, digest)))
critical_error("Error signing request");
/* write the modified request */
if (!(fp = fopen(creq_filename, "w")))
critical_error("Error writing to request file");
if (PEM_write_X509_REQ(fp, creq) != 1)
critical_error("Error while writing request");
fclose(fp);
// cleanup
_commitmentExt_end();
EVP_PKEY_free(pkey);
X509_REQ_free(req);
X509_REQ_free(creq);
}
