/* Load the Certificate Request. */ gnutls_x509_crq_t load_request (common_info_st * info) { gnutls_x509_crq_t crq; int ret; gnutls_datum_t dat; size_t size; if (!info->request) return NULL; ret = gnutls_x509_crq_init (&crq); if (ret < 0) error (EXIT_FAILURE, 0, "crq_init: %s", gnutls_strerror (ret)); dat.data = read_binary_file (info->request, &size); dat.size = size; if (!dat.data) error (EXIT_FAILURE, errno, "reading --load-request: %s", info->request); ret = gnutls_x509_crq_import (crq, &dat, info->incert_format); if (ret == GNUTLS_E_BASE64_UNEXPECTED_HEADER_ERROR) { error (EXIT_FAILURE, 0, "import error: could not find a valid PEM header"); } free (dat.data); if (ret < 0) error (EXIT_FAILURE, 0, "importing --load-request: %s: %s", info->request, gnutls_strerror (ret)); return crq; }
static gnutls_x509_crq generate_certificate_request(requiem_client_profile_t *cp, requiem_connection_permission_t permission, gnutls_x509_privkey key, unsigned char *buf, size_t *size) { int ret; gnutls_x509_crq crq; ret = gnutls_x509_crq_init(&crq); if ( ret < 0 ) { fprintf(stderr, "error creating certificate request: %s.\n", gnutls_strerror(ret)); return NULL; } ret = gnutls_x509_crq_set_key(crq, key); if ( ret < 0 ) { fprintf(stderr, "error setting certificate request key: %s.\n", gnutls_strerror(ret)); gnutls_x509_crq_deinit(crq); return NULL; } if ( permission ) { ret = snprintf((char *) buf, *size, "%d", (int) permission); ret = gnutls_x509_crq_set_dn_by_oid(crq, GNUTLS_OID_X520_COMMON_NAME, 0, buf, ret); if ( ret < 0 ) { fprintf(stderr, "error setting common name: %s.\n", gnutls_strerror(ret)); return NULL; } } gnutls_x509_crq_set_version(crq, 3); ret = snprintf((char*) buf, *size, "%" REQUIEM_PRIu64, requiem_client_profile_get_analyzerid(cp)); ret = gnutls_x509_crq_set_dn_by_oid(crq, GNUTLS_OID_X520_DN_QUALIFIER, 0, buf, ret); if ( ret < 0 ) { fprintf(stderr, "error setting common name: %s.\n", gnutls_strerror(ret)); return NULL; } ret = gnutls_x509_crq_sign(crq, key); if ( ret < 0 ) { fprintf(stderr, "error signing certificate request: %s.\n", gnutls_strerror(ret)); gnutls_x509_crq_deinit(crq); return NULL; } ret = gnutls_x509_crq_export(crq, GNUTLS_X509_FMT_PEM, buf, size); if ( ret < 0 ) { fprintf(stderr, "error exporting certificate request: %s.\n", gnutls_strerror(ret)); gnutls_x509_crq_deinit(crq); return NULL; } return crq; }
/* Load the Certificate Request. */ gnutls_x509_crq_t load_request(common_info_st * info) { gnutls_x509_crq_t crq; int ret; gnutls_datum_t dat; size_t size; if (!info->request) return NULL; ret = gnutls_x509_crq_init(&crq); if (ret < 0) { fprintf(stderr, "crq_init: %s\n", gnutls_strerror(ret)); exit(1); } dat.data = (void *) read_binary_file(info->request, &size); dat.size = size; if (!dat.data) { fprintf(stderr, "error reading --load-request: %s\n", info->request); exit(1); } ret = gnutls_x509_crq_import(crq, &dat, info->incert_format); if (ret == GNUTLS_E_BASE64_UNEXPECTED_HEADER_ERROR) { fprintf(stderr, "import error: could not find a valid PEM header\n"); exit(1); } free(dat.data); if (ret < 0) { fprintf(stderr, "importing --load-request: %s: %s\n", info->request, gnutls_strerror(ret)); exit(1); } return crq; }
int tls_handle_certificate_request(const char *srcinfo, requiem_client_profile_t *cp, requiem_io_t *fd, gnutls_x509_privkey cakey, gnutls_x509_crt cacrt, gnutls_x509_crt crt) { ssize_t ret; size_t size; char buf[65535]; gnutls_datum data; gnutls_x509_crq crq; unsigned char *rbuf; uint64_t analyzerid; gnutls_x509_crt gencrt; /* * Read the client CRQ and generate a certificate for it. */ requiem_log_debug(1, "Waiting for client certificate request.\n"); ret = requiem_io_read_delimited(fd, &rbuf); if ( ret < 0 ) { requiem_perror(ret, "error receiving client certificate request"); return -1; } data.size = ret; data.data = rbuf; gnutls_x509_crq_init(&crq); gnutls_x509_crq_import(crq, &data, GNUTLS_X509_FMT_PEM); free(rbuf); ret = check_req(srcinfo, fd, crq, &analyzerid); if ( ret < 0 ) return ret; /* * Generate a CA signed certificate for this CRQ. */ requiem_log_debug(1, "Generating signed certificate for client.\n"); gencrt = generate_signed_certificate(cp, analyzerid, cacrt, cakey, crq); if ( ! gencrt ) { fprintf(stderr, "error generating signed certificate for this request.\n"); return -1; } gnutls_x509_crq_deinit(crq); size = sizeof(buf); gnutls_x509_crt_export(gencrt, GNUTLS_X509_FMT_PEM, buf, &size); ret = requiem_io_write_delimited(fd, buf, size); if ( ret < 0 || (size_t) ret != size ) { requiem_perror(ret, "error sending signed certificate"); return -1; } gnutls_x509_crt_deinit(gencrt); /* * write our own certificate back to the client. */ requiem_log_debug(1, "Sending server certificate to client.\n"); size = sizeof(buf); gnutls_x509_crt_export(crt, GNUTLS_X509_FMT_PEM, buf, &size); ret = requiem_io_write_delimited(fd, buf, size); if ( ret < 0 || (size_t) ret != size ) { requiem_perror(ret, "error sending signed certificate"); return -1; } return 0; }
void doit (void) { gnutls_x509_privkey_t pkey; gnutls_privkey_t abs_pkey; gnutls_x509_crq_t crq; size_t pkey_key_id_len; unsigned char *pkey_key_id = NULL; size_t crq_key_id_len; unsigned char *crq_key_id = NULL; gnutls_pk_algorithm_t algorithm; int ret; ret = global_init (); if (ret < 0) fail ("global_init: %d\n", ret); gnutls_global_set_log_function (tls_log_func); if (debug) gnutls_global_set_log_level (4711); for (algorithm = GNUTLS_PK_RSA; algorithm <= GNUTLS_PK_DSA; algorithm++) { ret = gnutls_x509_crq_init (&crq); if (ret < 0) fail ("gnutls_x509_crq_init: %d\n", ret); ret = gnutls_x509_privkey_init (&pkey); if (ret < 0) { fail ("gnutls_x509_privkey_init: %d\n", ret); } ret = gnutls_privkey_init (&abs_pkey); if (ret < 0) { fail ("gnutls_privkey_init: %d\n", ret); } ret = gnutls_x509_privkey_generate (pkey, algorithm, 1024, 0); if (ret < 0) { fail ("gnutls_x509_privkey_generate (rsa): %d\n", ret); } else if (debug) { success ("Key[%s] generation ok: %d\n", gnutls_pk_algorithm_get_name (algorithm), ret); } pkey_key_id_len = 0; ret = gnutls_x509_privkey_get_key_id (pkey, 0, pkey_key_id, &pkey_key_id_len); if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER) { fail ("gnutls_x509_privkey_get_key_id incorrectly returns %d\n", ret); } pkey_key_id = malloc (sizeof (unsigned char) * pkey_key_id_len); ret = gnutls_x509_privkey_get_key_id (pkey, 0, pkey_key_id, &pkey_key_id_len); if (ret != GNUTLS_E_SUCCESS) { fail ("gnutls_x509_privkey_get_key_id incorrectly returns %d\n", ret); } ret = gnutls_x509_crq_set_version (crq, 1); if (ret < 0) { fail ("gnutls_x509_crq_set_version: %d\n", ret); } ret = gnutls_x509_crq_set_key (crq, pkey); if (ret < 0) { fail ("gnutls_x509_crq_set_key: %d\n", ret); } ret = gnutls_x509_crq_set_dn_by_oid (crq, GNUTLS_OID_X520_COMMON_NAME, 0, "CN-Test", 7); if (ret < 0) { fail ("gnutls_x509_crq_set_dn_by_oid: %d\n", ret); } ret = gnutls_privkey_import_x509( abs_pkey, pkey, 0); if (ret < 0) { fail ("gnutls_privkey_import_x509: %d\n", ret); } ret = gnutls_x509_crq_privkey_sign (crq, abs_pkey, GNUTLS_DIG_SHA1, 0); if (ret < 0) { fail ("gnutls_x509_crq_sign: %d\n", ret); } ret = gnutls_x509_crq_verify (crq, 0); if (ret < 0) { fail ("gnutls_x509_crq_verify: %d\n", ret); } crq_key_id_len = 0; ret = gnutls_x509_crq_get_key_id (crq, 0, crq_key_id, &crq_key_id_len); if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER) { fail ("gnutls_x509_crq_get_key_id incorrectly returns %d\n", ret); } crq_key_id = malloc (sizeof (unsigned char) * crq_key_id_len); ret = gnutls_x509_crq_get_key_id (crq, 0, crq_key_id, &crq_key_id_len); if (ret != GNUTLS_E_SUCCESS) { fail ("gnutls_x509_crq_get_key_id incorrectly returns %d\n", ret); } if (crq_key_id_len == pkey_key_id_len) { ret = memcmp (crq_key_id, pkey_key_id, crq_key_id_len); if (ret == 0) { if (debug) success ("Key ids are identical. OK.\n"); } else { fail ("Key ids differ incorrectly: %d\n", ret); } } else { fail ("Key_id lengths differ incorrectly: %d - %d\n", (int) crq_key_id_len, (int) pkey_key_id_len); } if (pkey_key_id) { free (pkey_key_id); pkey_key_id = NULL; } if (crq_key_id) { free (crq_key_id); crq_key_id = NULL; } gnutls_x509_crq_deinit (crq); gnutls_x509_privkey_deinit (pkey); gnutls_privkey_deinit (abs_pkey); } gnutls_global_deinit (); }
void doit (void) { gnutls_x509_privkey_t pkey; gnutls_x509_crt_t crt; gnutls_x509_crq_t crq; gnutls_datum_t out; size_t s = 0; char smallbuf[10]; int ret; ret = gnutls_global_init (); if (ret < 0) fail ("gnutls_global_init\n"); gnutls_global_set_log_function (tls_log_func); if (debug) gnutls_global_set_log_level (4711); ret = gnutls_x509_crq_init (&crq); if (ret != 0) fail ("gnutls_x509_crq_init\n"); ret = gnutls_x509_privkey_init (&pkey); if (ret != 0) fail ("gnutls_x509_privkey_init\n"); ret = gnutls_x509_crt_init (&crt); if (ret != 0) fail ("gnutls_x509_crt_init\n"); ret = gnutls_x509_privkey_import (pkey, &key, GNUTLS_X509_FMT_PEM); if (ret != 0) fail ("gnutls_x509_privkey_import\n"); ret = gnutls_x509_crq_set_version (crq, 0); if (ret != 0) fail ("gnutls_x509_crq_set_version\n"); ret = gnutls_x509_crq_set_key (crq, pkey); if (ret != 0) fail ("gnutls_x509_crq_set_key\n"); s = 0; ret = gnutls_x509_crq_get_extension_info (crq, 0, NULL, &s, NULL); if (ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) fail ("gnutls_x509_crq_get_extension_info\n"); ret = gnutls_x509_crq_set_basic_constraints (crq, 0, 0); if (ret != 0) fail ("gnutls_x509_crq_set_basic_constraints %d\n", ret); ret = gnutls_x509_crq_set_key_usage (crq, 0); if (ret != 0) fail ("gnutls_x509_crq_set_key_usage %d\n", ret); ret = gnutls_x509_crq_get_challenge_password (crq, NULL, &s); if (ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) fail ("gnutls_x509_crq_get_challenge_password %d\n", ret); ret = gnutls_x509_crq_set_challenge_password (crq, "foo"); if (ret != 0) fail ("gnutls_x509_crq_set_challenge_password %d\n", ret); s = 0; ret = gnutls_x509_crq_get_challenge_password (crq, NULL, &s); if (ret != 0 || s != 3) fail ("gnutls_x509_crq_get_challenge_password2 %d/%d\n", ret, (int) s); s = 10; ret = gnutls_x509_crq_get_challenge_password (crq, smallbuf, &s); if (ret != 0 || s != 3 || strcmp (smallbuf, "foo") != 0) fail ("gnutls_x509_crq_get_challenge_password3 %d/%d/%s\n", ret, (int) s, smallbuf); s = 0; ret = gnutls_x509_crq_get_extension_info (crq, 0, NULL, &s, NULL); if (ret != 0) fail ("gnutls_x509_crq_get_extension_info2\n"); s = 0; ret = gnutls_x509_crq_get_extension_data (crq, 0, NULL, &s); if (ret != 0) fail ("gnutls_x509_crq_get_extension_data\n"); ret = gnutls_x509_crq_set_subject_alt_name (crq, GNUTLS_SAN_DNSNAME, "foo", 3, 1); if (ret != 0) fail ("gnutls_x509_crq_set_subject_alt_name\n"); ret = gnutls_x509_crq_set_subject_alt_name (crq, GNUTLS_SAN_DNSNAME, "bar", 3, 1); if (ret != 0) fail ("gnutls_x509_crq_set_subject_alt_name\n"); ret = gnutls_x509_crq_set_subject_alt_name (crq, GNUTLS_SAN_DNSNAME, "apa", 3, 0); if (ret != 0) fail ("gnutls_x509_crq_set_subject_alt_name\n"); ret = gnutls_x509_crq_set_subject_alt_name (crq, GNUTLS_SAN_DNSNAME, "foo", 3, 1); if (ret != 0) fail ("gnutls_x509_crq_set_subject_alt_name\n"); s = 0; ret = gnutls_x509_crq_get_key_purpose_oid (crq, 0, NULL, &s, NULL); if (ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) fail ("gnutls_x509_crq_get_key_purpose_oid %d\n", ret); s = 0; ret = gnutls_x509_crq_set_key_purpose_oid (crq, GNUTLS_KP_TLS_WWW_SERVER, 0); if (ret != 0) fail ("gnutls_x509_crq_set_key_purpose_oid %d\n", ret); s = 0; ret = gnutls_x509_crq_get_key_purpose_oid (crq, 0, NULL, &s, NULL); if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER) fail ("gnutls_x509_crq_get_key_purpose_oid %d\n", ret); s = 0; ret = gnutls_x509_crq_set_key_purpose_oid (crq, GNUTLS_KP_TLS_WWW_CLIENT, 1); if (ret != 0) fail ("gnutls_x509_crq_set_key_purpose_oid2 %d\n", ret); ret = gnutls_x509_crq_print (crq, GNUTLS_CRT_PRINT_FULL, &out); if (ret != 0) fail ("gnutls_x509_crq_print\n"); if (debug) printf ("crq: %.*s\n", out.size, out.data); gnutls_free (out.data); ret = gnutls_x509_crt_set_version (crt, 3); if (ret != 0) fail ("gnutls_x509_crt_set_version\n"); ret = gnutls_x509_crt_set_crq_extensions (crt, crq); if (ret != 0) fail ("gnutls_x509_crt_set_crq_extensions\n"); ret = gnutls_x509_crt_print (crt, GNUTLS_CRT_PRINT_FULL, &out); if (ret != 0) fail ("gnutls_x509_crt_print\n"); if (debug) printf ("crt: %.*s\n", out.size, out.data); gnutls_free (out.data); gnutls_x509_crq_deinit (crq); gnutls_x509_crt_deinit (crt); gnutls_x509_privkey_deinit (pkey); gnutls_global_deinit (); }
static void inf_test_certificate_request_notify_status_cb(GObject* object, GParamSpec* pspec, gpointer user_data) { InfTestCertificateRequest* test; InfBrowserStatus status; gnutls_x509_crq_t crq; InfRequest* request; GError* error; int res; test = (InfTestCertificateRequest*)user_data; g_object_get(G_OBJECT(test->browser), "status", &status, NULL); if(status == INF_BROWSER_OPEN) { fprintf(stderr, "Connection established, creating key... (4096 bit)\n"); /* TODO: Some error checking here */ gnutls_x509_privkey_init(&test->key); gnutls_x509_privkey_generate(test->key, GNUTLS_PK_RSA, 4096, 0); fprintf(stderr, "Done, sending the certificate request\n"); gnutls_x509_crq_init(&crq); gnutls_x509_crq_set_key(crq, test->key); gnutls_x509_crq_set_key_usage(crq, GNUTLS_KEY_DIGITAL_SIGNATURE); gnutls_x509_crq_set_version(crq, 3); gnutls_x509_crq_set_dn_by_oid( crq, GNUTLS_OID_X520_COMMON_NAME, 0, "Armin Burgmeier", strlen("Armin Burgmeier") ); /* TODO: gnutls_x509_crq_sign2 is deprecated in favour of * gnutls_x509_crq_privkey_sign, but the latter returns the error code * GNUTLS_E_UNIMPLEMENTED_FEATURE, so we keep using the deprecated * version here. */ /*gnutls_x509_crq_privkey_sign(crq, key, GNUTLS_DIG_SHA1, 0);*/ gnutls_x509_crq_sign2(crq, test->key, GNUTLS_DIG_SHA1, 0); error = NULL; request = inf_browser_create_acl_account( INF_BROWSER(object), crq, inf_test_certificate_request_finished_cb, test ); gnutls_x509_crq_deinit(crq); } if(status == INF_BROWSER_CLOSED) { if(inf_standalone_io_loop_running(test->io)) inf_standalone_io_loop_quit(test->io); } }
static gnutls_x509_crq_t generate_crq(void) { gnutls_x509_crq_t crq; gnutls_x509_privkey_t pkey; const char *err; int ret; size_t s = 0; char smallbuf[10]; gnutls_datum_t out; unsigned crit; ret = gnutls_x509_privkey_init(&pkey); if (ret != 0) fail("gnutls_x509_privkey_init\n"); ret = gnutls_x509_privkey_import(pkey, &key, GNUTLS_X509_FMT_PEM); if (ret != 0) fail("gnutls_x509_privkey_import\n"); ret = gnutls_x509_crq_init(&crq); if (ret != 0) fail("gnutls_x509_crq_init\n"); ret = gnutls_x509_crq_set_version(crq, 0); if (ret != 0) fail("gnutls_x509_crq_set_version\n"); ret = gnutls_x509_crq_set_key(crq, pkey); if (ret != 0) fail("gnutls_x509_crq_set_key\n"); s = 0; ret = gnutls_x509_crq_get_extension_info(crq, 0, NULL, &s, NULL); if (ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) fail("gnutls_x509_crq_get_extension_info\n"); ret = gnutls_x509_crq_set_basic_constraints(crq, 0, 0); if (ret != 0) fail("gnutls_x509_crq_set_basic_constraints %d\n", ret); ret = gnutls_x509_crq_set_key_usage(crq, 0); if (ret != 0) fail("gnutls_x509_crq_set_key_usage %d\n", ret); ret = gnutls_x509_crq_get_challenge_password(crq, NULL, &s); if (ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) fail("%d: gnutls_x509_crq_get_challenge_password %d: %s\n", __LINE__, ret, gnutls_strerror(ret)); ret = gnutls_x509_crq_set_dn(crq, "o = none to\\, mention,cn = nikos", &err); if (ret < 0) { fail("gnutls_x509_crq_set_dn: %s, %s\n", gnutls_strerror(ret), err); } ret = gnutls_x509_crq_set_challenge_password(crq, "foo"); if (ret != 0) fail("gnutls_x509_crq_set_challenge_password %d\n", ret); s = 0; ret = gnutls_x509_crq_get_challenge_password(crq, NULL, &s); if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER || s != 4) fail("%d: gnutls_x509_crq_get_challenge_password %d: %s (passlen: %d)\n", __LINE__, ret, gnutls_strerror(ret), (int) s); s = 10; ret = gnutls_x509_crq_get_challenge_password(crq, smallbuf, &s); if (ret != 0 || s != 3 || strcmp(smallbuf, "foo") != 0) fail("%d: gnutls_x509_crq_get_challenge_password3 %d/%d/%s\n", __LINE__, ret, (int) s, smallbuf); s = 0; ret = gnutls_x509_crq_get_extension_info(crq, 0, NULL, &s, NULL); if (ret != 0) fail("gnutls_x509_crq_get_extension_info2\n"); s = 0; ret = gnutls_x509_crq_get_extension_data(crq, 0, NULL, &s); if (ret != 0) fail("gnutls_x509_crq_get_extension_data\n"); ret = gnutls_x509_crq_set_subject_alt_name(crq, GNUTLS_SAN_DNSNAME, "foo", 3, 1); if (ret != 0) fail("gnutls_x509_crq_set_subject_alt_name\n"); ret = gnutls_x509_crq_set_subject_alt_name(crq, GNUTLS_SAN_DNSNAME, "bar", 3, 1); if (ret != 0) fail("gnutls_x509_crq_set_subject_alt_name\n"); ret = gnutls_x509_crq_set_subject_alt_name(crq, GNUTLS_SAN_DNSNAME, "apa", 3, 0); if (ret != 0) fail("gnutls_x509_crq_set_subject_alt_name\n"); ret = gnutls_x509_crq_set_subject_alt_name(crq, GNUTLS_SAN_DNSNAME, "foo", 3, 1); if (ret != 0) fail("gnutls_x509_crq_set_subject_alt_name\n"); ret = gnutls_x509_crq_set_subject_alt_name(crq, GNUTLS_SAN_DNSNAME, "νίκο.com", strlen("νίκο.com"), GNUTLS_FSAN_APPEND); if (ret != 0) fail("gnutls_x509_crq_set_subject_alt_name\n"); s = 0; ret = gnutls_x509_crq_get_key_purpose_oid(crq, 0, NULL, &s, NULL); if (ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) fail("gnutls_x509_crq_get_key_purpose_oid %d\n", ret); s = 0; ret = gnutls_x509_crq_set_key_purpose_oid(crq, GNUTLS_KP_TLS_WWW_SERVER, 0); if (ret != 0) fail("gnutls_x509_crq_set_key_purpose_oid %d\n", ret); s = 0; ret = gnutls_x509_crq_get_key_purpose_oid(crq, 0, NULL, &s, NULL); if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER) fail("gnutls_x509_crq_get_key_purpose_oid %d\n", ret); s = 0; ret = gnutls_x509_crq_set_key_purpose_oid(crq, GNUTLS_KP_TLS_WWW_CLIENT, 1); if (ret != 0) fail("gnutls_x509_crq_set_key_purpose_oid2 %d\n", ret); #define EXT_ID1 "1.2.3.4.5" #define EXT_ID2 "1.5.3.555555991.5" #define EXT_DATA1 "\xCA\xFE\xFF" #define EXT_DATA2 "\xCA\xFE\xFF\xFA\xFE" /* test writing arbitrary extensions */ ret = gnutls_x509_crq_set_extension_by_oid(crq, EXT_ID1, EXT_DATA1, sizeof(EXT_DATA1)-1, 0); if (ret != 0) fail("gnutls_x509_crq_set_extension_by_oid %s\n", gnutls_strerror(ret)); ret = gnutls_x509_crq_set_extension_by_oid(crq, EXT_ID2, EXT_DATA2, sizeof(EXT_DATA2)-1, 1); if (ret != 0) fail("gnutls_x509_crq_set_extension_by_oid %s\n", gnutls_strerror(ret)); ret = gnutls_x509_crq_print(crq, GNUTLS_CRT_PRINT_FULL, &out); if (ret != 0) fail("gnutls_x509_crq_print\n"); if (debug) printf("crq: %.*s\n", out.size, out.data); gnutls_free(out.data); ret = gnutls_x509_crq_sign2(crq, pkey, GNUTLS_DIG_SHA256, 0); if (ret < 0) fail("gnutls_x509_crq_sign2: %s\n", gnutls_strerror(ret)); gnutls_x509_privkey_deinit(pkey); /* test reading the arb. extensions */ crit = -1; ret = gnutls_x509_crq_get_extension_by_oid2(crq, EXT_ID1, 0, &out, &crit); if (ret < 0) fail("gnutls_x509_crq_get_extension_by_oid2: %s\n", gnutls_strerror(ret)); if (out.size != sizeof(EXT_DATA1)-1 || memcmp(out.data, EXT_DATA1, out.size) != 0) { fail("ext1 doesn't match\n"); } if (crit != 0) { fail("ext1 crit flag doesn't match\n"); } gnutls_free(out.data); crit = -1; ret = gnutls_x509_crq_get_extension_by_oid2(crq, EXT_ID2, 0, &out, &crit); if (ret < 0) fail("gnutls_x509_crq_get_extension_by_oid2: %s\n", gnutls_strerror(ret)); if (out.size != sizeof(EXT_DATA2)-1 || memcmp(out.data, EXT_DATA2, out.size) != 0) { fail("ext2 doesn't match\n"); } if (crit != 1) { fail("ext2 crit flag doesn't match\n"); } gnutls_free(out.data); return crq; }
int main (void) { gnutls_x509_crq_t crq; gnutls_x509_privkey_t key; unsigned char buffer[10 * 1024]; size_t buffer_size = sizeof (buffer); unsigned int bits; gnutls_global_init (); /* Initialize an empty certificate request, and * an empty private key. */ gnutls_x509_crq_init (&crq); gnutls_x509_privkey_init (&key); /* Generate an RSA key of moderate security. */ bits = gnutls_sec_param_to_pk_bits (GNUTLS_PK_RSA, GNUTLS_SEC_PARAM_NORMAL); gnutls_x509_privkey_generate (key, GNUTLS_PK_RSA, bits, 0); /* Add stuff to the distinguished name */ gnutls_x509_crq_set_dn_by_oid (crq, GNUTLS_OID_X520_COUNTRY_NAME, 0, "GR", 2); gnutls_x509_crq_set_dn_by_oid (crq, GNUTLS_OID_X520_COMMON_NAME, 0, "Nikos", strlen ("Nikos")); /* Set the request version. */ gnutls_x509_crq_set_version (crq, 1); /* Set a challenge password. */ gnutls_x509_crq_set_challenge_password (crq, "something to remember here"); /* Associate the request with the private key */ gnutls_x509_crq_set_key (crq, key); /* Self sign the certificate request. */ gnutls_x509_crq_sign2 (crq, key, GNUTLS_DIG_SHA1, 0); /* Export the PEM encoded certificate request, and * display it. */ gnutls_x509_crq_export (crq, GNUTLS_X509_FMT_PEM, buffer, &buffer_size); printf ("Certificate Request: \n%s", buffer); /* Export the PEM encoded private key, and * display it. */ buffer_size = sizeof (buffer); gnutls_x509_privkey_export (key, GNUTLS_X509_FMT_PEM, buffer, &buffer_size); printf ("\n\nPrivate key: \n%s", buffer); gnutls_x509_crq_deinit (crq); gnutls_x509_privkey_deinit (key); return 0; }