static int server_eku_purpose(gnutls_x509_crt_t cert) { unsigned int i; for (i = 0; ; i++) { char oid[128]; size_t oid_size = sizeof(oid); int res; res = gnutls_x509_crt_get_key_purpose_oid(cert, i, oid, &oid_size, NULL); if (res == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { if (i == 0) { /* No EKU - assume any use allowed */ return 1; } break; } if (res < 0) { wpa_printf(MSG_INFO, "GnuTLS: Failed to get EKU"); return 0; } wpa_printf(MSG_DEBUG, "GnuTLS: Certificate purpose: %s", oid); if (os_strcmp(oid, GNUTLS_KP_TLS_WWW_SERVER) == 0 || os_strcmp(oid, GNUTLS_KP_ANY) == 0) return 1; } return 0; }
/* Returns true if the provided purpose is in accordance with the certificate. */ unsigned _gnutls_check_key_purpose(gnutls_x509_crt_t cert, const char *purpose, unsigned no_any) { char oid[MAX_OID_SIZE]; size_t oid_size; int ret; unsigned critical = 0; unsigned check_obsolete_oids = 0; unsigned i; /* The check_obsolete_oids hack is because of certain very old CA certificates * around which instead of having the GNUTLS_KP_TLS_WWW_SERVER have some old * OIDs for that purpose. Assume these OIDs equal GNUTLS_KP_TLS_WWW_SERVER in * CA certs */ if (strcmp(purpose, GNUTLS_KP_TLS_WWW_SERVER) == 0) { unsigned ca_status; ret = gnutls_x509_crt_get_basic_constraints(cert, NULL, &ca_status, NULL); if (ret < 0) ca_status = 0; if (ca_status) check_obsolete_oids = 1; } for (i=0;;i++) { oid_size = sizeof(oid); ret = gnutls_x509_crt_get_key_purpose_oid(cert, i, oid, &oid_size, &critical); if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { if (i==0) { /* no key purpose in certificate, assume ANY */ return 1; } else { gnutls_assert(); break; } } else if (ret < 0) { gnutls_assert(); break; } if (check_obsolete_oids) { if (strcmp(oid, PURPOSE_NSSGC) == 0) { return 1; } else if (strcmp(oid, PURPOSE_VSGC) == 0) { return 1; } } if (strcmp(oid, purpose) == 0 || (no_any == 0 && strcmp(oid, GNUTLS_KP_ANY) == 0)) { return 1; } _gnutls_debug_log("looking for key purpose '%s', but have '%s'\n", purpose, oid); } return 0; }
void __certificate_properties_fill_cert_ext_ExtKeyUsage (GtkTreeStore *store, GtkTreeIter *parent, gnutls_x509_crt_t *certificate) { gint i; const gint BUFFER_SIZE_MAX = 1024; gchar usage_buffer[BUFFER_SIZE_MAX]; gchar *usage_buffer_iterator = usage_buffer; GtkTreeIter l; for (i = 0;; i++) { gint result; gchar buffer[BUFFER_SIZE_MAX]; gsize buffer_size = BUFFER_SIZE_MAX; const gchar *label = NULL; result = gnutls_x509_crt_get_key_purpose_oid(*certificate, i, buffer, &buffer_size, 0); if (result == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { break; } if (result == GNUTLS_E_SHORT_MEMORY_BUFFER) { fprintf(stderr, "Error: (%s,%d): %s\n", __FILE__, __LINE__, gnutls_strerror(result)); return; } if (result < 0) { fprintf(stderr, "Error: (%s,%d): %s\n", __FILE__, __LINE__, gnutls_strerror(result)); return; } label = __certificate_properties_lookup_oid_label(certificate_properties_oid_label_table, buffer); usage_buffer_iterator += sprintf(usage_buffer_iterator, "%s\n", label); } *(usage_buffer_iterator - 1) = 0; gtk_tree_store_append(store, &l, parent); gtk_tree_store_set(store, &l, CERTIFICATE_PROPERTIES_COL_NAME, _("Value"), CERTIFICATE_PROPERTIES_COL_VALUE, usage_buffer, -1); }
void doit(void) { gnutls_x509_privkey_t pkey; gnutls_x509_crt_t crt; gnutls_x509_crt_t crt2; const char *err = NULL; gnutls_datum_t out; size_t s = 0; int ret; ret = global_init(); if (ret < 0) fail("global_init\n"); gnutls_global_set_time_function(mytime); gnutls_global_set_log_function(tls_log_func); if (debug) gnutls_global_set_log_level(4711); ret = gnutls_x509_crt_init(&crt); if (ret != 0) fail("gnutls_x509_crt_init\n"); ret = gnutls_x509_crt_init(&crt2); if (ret != 0) fail("gnutls_x509_crt_init\n"); ret = gnutls_x509_crt_import(crt2, &server_ecc_cert, GNUTLS_X509_FMT_PEM); if (ret != 0) fail("gnutls_x509_crt_import\n"); ret = gnutls_x509_privkey_init(&pkey); if (ret != 0) fail("gnutls_x509_privkey_init\n"); ret = gnutls_x509_privkey_import(pkey, &key_dat, GNUTLS_X509_FMT_PEM); if (ret != 0) fail("gnutls_x509_privkey_import\n"); /* Setup CRT */ ret = gnutls_x509_crt_set_version(crt, 3); if (ret != 0) fail("gnutls_x509_crt_set_version\n"); ret = gnutls_x509_crt_set_serial(crt, "\x0a\x11\x00", 3); if (ret != 0) fail("gnutls_x509_crt_set_serial\n"); ret = gnutls_x509_crt_set_expiration_time(crt, -1); if (ret != 0) fail("error\n"); ret = gnutls_x509_crt_set_activation_time(crt, mytime(0)); if (ret != 0) fail("error\n"); ret = gnutls_x509_crt_set_key(crt, pkey); if (ret != 0) fail("gnutls_x509_crt_set_key\n"); ret = gnutls_x509_crt_set_basic_constraints(crt, 0, -1); if (ret < 0) { fail("error\n"); } ret = gnutls_x509_crt_set_key_usage(crt, GNUTLS_KEY_DIGITAL_SIGNATURE); if (ret != 0) fail("gnutls_x509_crt_set_key_usage %d\n", ret); ret = gnutls_x509_crt_set_dn(crt, "o = none to\\, mention,cn = nikos", &err); if (ret < 0) { fail("gnutls_x509_crt_set_dn: %s, %s\n", gnutls_strerror(ret), err); } ret = gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_DNSNAME, "foo", 3, 1); if (ret != 0) fail("gnutls_x509_crt_set_subject_alt_name\n"); ret = gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_RFC822NAME, "*****@*****.**", strlen("*****@*****.**"), 1); if (ret != 0) fail("gnutls_x509_crt_set_subject_alt_name\n"); ret = gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_RFC822NAME, "ινβάλιντ@bar.org", strlen("ινβάλιντ@bar.org"), 1); if (ret != GNUTLS_E_INVALID_UTF8_EMAIL) fail("gnutls_x509_crt_set_subject_alt_name\n"); ret = gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_IPADDRESS, "\xc1\x5c\x96\x3", 4, 1); if (ret != 0) fail("gnutls_x509_crt_set_subject_alt_name\n"); ret = gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_IPADDRESS, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01", 16, 1); if (ret != 0) fail("gnutls_x509_crt_set_subject_alt_name\n"); ret = gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_DNSNAME, "apa", 3, 0); if (ret != 0) fail("gnutls_x509_crt_set_subject_alt_name\n"); ret = gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_DNSNAME, "απαλό.com", strlen("απαλό.com"), 1); if (ret != 0) fail("gnutls_x509_crt_set_subject_alt_name\n"); #ifdef HAVE_LIBIDN ret = gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_RFC822NAME, "test@νίκο.org", strlen("test@νίκο.org"), 1); if (ret != 0) fail("gnutls_x509_crt_set_subject_alt_name\n"); #endif s = 0; ret = gnutls_x509_crt_get_key_purpose_oid(crt, 0, NULL, &s, NULL); if (ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) fail("gnutls_x509_crt_get_key_purpose_oid %d\n", ret); s = 0; ret = gnutls_x509_crt_set_key_purpose_oid(crt, GNUTLS_KP_TLS_WWW_SERVER, 0); if (ret != 0) fail("gnutls_x509_crt_set_key_purpose_oid %d\n", ret); s = 0; ret = gnutls_x509_crt_get_key_purpose_oid(crt, 0, NULL, &s, NULL); if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER) fail("gnutls_x509_crt_get_key_purpose_oid %d\n", ret); s = 0; ret = gnutls_x509_crt_set_key_purpose_oid(crt, GNUTLS_KP_TLS_WWW_CLIENT, 1); if (ret != 0) fail("gnutls_x509_crt_set_key_purpose_oid2 %d\n", ret); ret = gnutls_x509_crt_set_issuer_dn(crt, "cn = my CA, o = big\\, and one", &err); if (ret < 0) { fail("gnutls_x509_crt_set_issuer_dn: %s, %s\n", gnutls_strerror(ret), err); } ret = gnutls_x509_crt_sign2(crt, crt, pkey, GNUTLS_DIG_SHA256, 0); if (ret < 0) fail("gnutls_x509_crt_sign2: %s\n", gnutls_strerror(ret)); ret = gnutls_x509_crt_print(crt, GNUTLS_CRT_PRINT_FULL, &out); if (ret != 0) fail("gnutls_x509_crt_print\n"); if (debug) printf("crt: %.*s\n", out.size, out.data); gnutls_free(out.data); s = 0; ret = gnutls_x509_crt_get_extension_info(crt, 0, NULL, &s, NULL); if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER) fail("gnutls_x509_crt_get_extension_info2: %s\n", strerror(ret)); s = 0; ret = gnutls_x509_crt_get_extension_data(crt, 0, NULL, &s); if (ret != 0) fail("gnutls_x509_crt_get_extension_data: %s\n", strerror(ret)); ret = gnutls_x509_crt_get_raw_issuer_dn(crt, &out); if (ret < 0 || out.size == 0) fail("gnutls_x509_crt_get_raw_issuer_dn: %s\n", gnutls_strerror(ret)); if (out.size != 45 || memcmp(out.data, "\x30\x2b\x31\x0e\x30\x0c\x06\x03\x55\x04\x03\x13\x05\x6e\x69\x6b\x6f\x73\x31\x19\x30\x17\x06\x03\x55\x04\x0a\x13\x10\x6e\x6f\x6e\x65\x20\x74\x6f\x2c\x20\x6d\x65\x6e\x74\x69\x6f\x6e", 45) != 0) { hexprint(out.data, out.size); fail("issuer DN comparison failed\n"); } gnutls_free(out.data); ret = gnutls_x509_crt_get_raw_dn(crt, &out); if (ret < 0 || out.size == 0) fail("gnutls_x509_crt_get_raw_dn: %s\n", gnutls_strerror(ret)); if (out.size != 45 || memcmp(out.data, "\x30\x2b\x31\x0e\x30\x0c\x06\x03\x55\x04\x03\x13\x05\x6e\x69\x6b\x6f\x73\x31\x19\x30\x17\x06\x03\x55\x04\x0a\x13\x10\x6e\x6f\x6e\x65\x20\x74\x6f\x2c\x20\x6d\x65\x6e\x74\x69\x6f\x6e", 45) != 0) { fail("DN comparison failed\n"); } gnutls_free(out.data); ret = gnutls_x509_crt_equals(crt, crt); if (ret == 0) { fail("equality test failed\n"); } ret = gnutls_x509_crt_equals(crt, crt2); if (ret != 0) { fail("equality test failed\n"); } assert(gnutls_x509_crt_export2(crt, GNUTLS_X509_FMT_PEM, &out) >= 0); #ifdef HAVE_LIBIDN assert(out.size == saved_crt.size); assert(memcmp(out.data, saved_crt.data, out.size)==0); #endif gnutls_free(out.data); gnutls_x509_crt_deinit(crt); gnutls_x509_crt_deinit(crt2); gnutls_x509_privkey_deinit(pkey); gnutls_global_deinit(); }
/** * ntfs_pkcs12_extract_rsa_key */ static ntfs_rsa_private_key ntfs_pkcs12_extract_rsa_key(u8 *pfx, int pfx_size, char *password, char *thumbprint, int thumbprint_size, NTFS_DF_TYPES *df_type) { int err, bag_index, flags; gnutls_datum_t dpfx, dkey; gnutls_pkcs12_t pkcs12 = NULL; gnutls_pkcs12_bag_t bag = NULL; gnutls_x509_privkey_t pkey = NULL; gnutls_x509_crt_t crt = NULL; ntfs_rsa_private_key rsa_key = NULL; char purpose_oid[100]; size_t purpose_oid_size = sizeof(purpose_oid); size_t tp_size = thumbprint_size; BOOL have_thumbprint = FALSE; *df_type = DF_TYPE_UNKNOWN; /* Create a pkcs12 structure. */ err = gnutls_pkcs12_init(&pkcs12); if (err) { ntfs_log_error("Failed to initialize PKCS#12 structure: %s\n", gnutls_strerror(err)); return NULL; } /* Convert the PFX file (DER format) to native pkcs12 format. */ dpfx.data = pfx; dpfx.size = pfx_size; err = gnutls_pkcs12_import(pkcs12, &dpfx, GNUTLS_X509_FMT_DER, 0); if (err) { ntfs_log_error("Failed to convert the PFX file from DER to " "native PKCS#12 format: %s\n", gnutls_strerror(err)); goto err; } /* * Verify that the password is correct and that the key file has not * been tampered with. Note if the password has zero length and the * verification fails, retry with password set to NULL. This is needed * to get passwordless .pfx files generated with Windows XP SP1 (and * probably earlier versions of Windows) to work. */ retry_verify: err = gnutls_pkcs12_verify_mac(pkcs12, password); if (err) { if (err == GNUTLS_E_MAC_VERIFY_FAILED && password && !strlen(password)) { password = NULL; goto retry_verify; } ntfs_log_error("Failed to verify the MAC: %s Is the " "password correct?\n", gnutls_strerror(err)); goto err; } for (bag_index = 0; ; bag_index++) { err = gnutls_pkcs12_bag_init(&bag); if (err) { ntfs_log_error("Failed to initialize PKCS#12 Bag " "structure: %s\n", gnutls_strerror(err)); goto err; } err = gnutls_pkcs12_get_bag(pkcs12, bag_index, bag); if (err) { if (err == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { err = 0; break; } ntfs_log_error("Failed to obtain Bag from PKCS#12 " "structure: %s\n", gnutls_strerror(err)); goto err; } check_again: err = gnutls_pkcs12_bag_get_count(bag); if (err < 0) { ntfs_log_error("Failed to obtain Bag count: %s\n", gnutls_strerror(err)); goto err; } err = gnutls_pkcs12_bag_get_type(bag, 0); if (err < 0) { ntfs_log_error("Failed to determine Bag type: %s\n", gnutls_strerror(err)); goto err; } flags = 0; switch (err) { case GNUTLS_BAG_PKCS8_KEY: flags = GNUTLS_PKCS_PLAIN; case GNUTLS_BAG_PKCS8_ENCRYPTED_KEY: err = gnutls_pkcs12_bag_get_data(bag, 0, &dkey); if (err < 0) { ntfs_log_error("Failed to obtain Bag data: " "%s\n", gnutls_strerror(err)); goto err; } err = gnutls_x509_privkey_init(&pkey); if (err) { ntfs_log_error("Failed to initialized " "private key structure: %s\n", gnutls_strerror(err)); goto err; } /* Decrypt the private key into GNU TLS format. */ err = gnutls_x509_privkey_import_pkcs8(pkey, &dkey, GNUTLS_X509_FMT_DER, password, flags); if (err) { ntfs_log_error("Failed to convert private " "key from DER to GNU TLS " "format: %s\n", gnutls_strerror(err)); goto err; } #if 0 /* * Export the key again, but unencrypted, and output it * to stderr. Note the output has an RSA header so to * compare to openssl pkcs12 -nodes -in myfile.pfx * output need to ignore the part of the key between * the first "MII..." up to the second "MII...". The * actual RSA private key begins at the second "MII..." * and in my testing at least was identical to openssl * output and was also identical both on big and little * endian so gnutls should be endianness safe. */ char *buf = malloc(8192); size_t bufsize = 8192; err = gnutls_x509_privkey_export_pkcs8(pkey, GNUTLS_X509_FMT_PEM, "", GNUTLS_PKCS_PLAIN, buf, &bufsize); if (err) { ntfs_log_error("eek1\n"); exit(1); } ntfs_log_error("%s\n", buf); free(buf); #endif /* Convert the private key to our internal format. */ rsa_key = ntfs_rsa_private_key_import_from_gnutls(pkey); if (!rsa_key) goto err; break; case GNUTLS_BAG_ENCRYPTED: err = gnutls_pkcs12_bag_decrypt(bag, password); if (err) { ntfs_log_error("Failed to decrypt Bag: %s\n", gnutls_strerror(err)); goto err; } goto check_again; case GNUTLS_BAG_CERTIFICATE: err = gnutls_pkcs12_bag_get_data(bag, 0, &dkey); if (err < 0) { ntfs_log_error("Failed to obtain Bag data: " "%s\n", gnutls_strerror(err)); goto err; } err = gnutls_x509_crt_init(&crt); if (err) { ntfs_log_error("Failed to initialize " "certificate structure: %s\n", gnutls_strerror(err)); goto err; } err = gnutls_x509_crt_import(crt, &dkey, GNUTLS_X509_FMT_DER); if (err) { ntfs_log_error("Failed to convert certificate " "from DER to GNU TLS format: " "%s\n", gnutls_strerror(err)); goto err; } err = gnutls_x509_crt_get_key_purpose_oid(crt, 0, purpose_oid, &purpose_oid_size, NULL); if (err) { ntfs_log_error("Failed to get key purpose " "OID: %s\n", gnutls_strerror(err)); goto err; } purpose_oid[purpose_oid_size - 1] = '\0'; if (!strcmp(purpose_oid, NTFS_EFS_CERT_PURPOSE_OID_DRF)) *df_type = DF_TYPE_DRF; else if (!strcmp(purpose_oid, NTFS_EFS_CERT_PURPOSE_OID_DDF)) *df_type = DF_TYPE_DDF; else { ntfs_log_error("Certificate has unknown " "purpose OID %s.\n", purpose_oid); err = EINVAL; goto err; } /* Return the thumbprint to the caller. */ err = gnutls_x509_crt_get_fingerprint(crt, GNUTLS_DIG_SHA1, thumbprint, &tp_size); if (err) { ntfs_log_error("Failed to get thumbprint: " "%s\n", gnutls_strerror(err)); goto err; } if (tp_size != NTFS_SHA1_THUMBPRINT_SIZE) { ntfs_log_error("Invalid thumbprint size %zd. " "Should be %d.\n", tp_size, thumbprint_size); err = EINVAL; goto err; } have_thumbprint = TRUE; gnutls_x509_crt_deinit(crt); crt = NULL; break; default: /* We do not care about other types. */ break; } gnutls_pkcs12_bag_deinit(bag); } err: if (rsa_key && (err || *df_type == DF_TYPE_UNKNOWN || !have_thumbprint)) { if (!err) ntfs_log_error("Key type or thumbprint not found, " "aborting.\n"); ntfs_rsa_private_key_release(rsa_key); rsa_key = NULL; } if (crt) gnutls_x509_crt_deinit(crt); if (pkey) gnutls_x509_privkey_deinit(pkey); if (bag) gnutls_pkcs12_bag_deinit(bag); if (pkcs12) gnutls_pkcs12_deinit(pkcs12); return rsa_key; }
static int qcrypto_tls_creds_check_cert_key_purpose(QCryptoTLSCredsX509 *creds, gnutls_x509_crt_t cert, const char *certFile, bool isServer, Error **errp) { int status; size_t i; unsigned int purposeCritical; unsigned int critical; char *buffer = NULL; size_t size; bool allowClient = false, allowServer = false; critical = 0; for (i = 0; ; i++) { size = 0; status = gnutls_x509_crt_get_key_purpose_oid(cert, i, buffer, &size, NULL); if (status == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { /* If there is no data at all, then we must allow client/server to pass */ if (i == 0) { allowServer = allowClient = true; } break; } if (status != GNUTLS_E_SHORT_MEMORY_BUFFER) { error_setg(errp, "Unable to query certificate %s key purpose: %s", certFile, gnutls_strerror(status)); return -1; } buffer = g_new0(char, size); status = gnutls_x509_crt_get_key_purpose_oid(cert, i, buffer, &size, &purposeCritical); if (status < 0) { trace_qcrypto_tls_creds_x509_check_key_purpose( creds, certFile, status, "<none>", purposeCritical); g_free(buffer); error_setg(errp, "Unable to query certificate %s key purpose: %s", certFile, gnutls_strerror(status)); return -1; } trace_qcrypto_tls_creds_x509_check_key_purpose( creds, certFile, status, buffer, purposeCritical); if (purposeCritical) { critical = true; } if (g_str_equal(buffer, GNUTLS_KP_TLS_WWW_SERVER)) { allowServer = true; } else if (g_str_equal(buffer, GNUTLS_KP_TLS_WWW_CLIENT)) { allowClient = true; } else if (g_str_equal(buffer, GNUTLS_KP_ANY)) { allowServer = allowClient = true; } g_free(buffer); buffer = NULL; } if (isServer) { if (!allowServer) { if (critical) { error_setg(errp, "Certificate %s purpose does not allow " "use with a TLS server", certFile); return -1; } } } else { if (!allowClient) { if (critical) { error_setg(errp, "Certificate %s purpose does not allow use " "with a TLS client", certFile); return -1; } } } return 0; }
void doit(void) { gnutls_x509_privkey_t pkey; gnutls_x509_crt_t crt; gnutls_x509_crt_t crt2; const char *err = NULL; unsigned char buf[64]; gnutls_datum_t out; size_t s = 0; int ret; ret = global_init(); if (ret < 0) fail("global_init\n"); gnutls_global_set_time_function(mytime); gnutls_global_set_log_function(tls_log_func); if (debug) gnutls_global_set_log_level(4711); ret = gnutls_x509_crt_init(&crt); if (ret != 0) fail("gnutls_x509_crt_init\n"); ret = gnutls_x509_crt_init(&crt2); if (ret != 0) fail("gnutls_x509_crt_init\n"); ret = gnutls_x509_crt_import(crt2, &server_ecc_cert, GNUTLS_X509_FMT_PEM); if (ret != 0) fail("gnutls_x509_crt_import\n"); ret = gnutls_x509_privkey_init(&pkey); if (ret != 0) fail("gnutls_x509_privkey_init\n"); ret = gnutls_x509_privkey_import(pkey, &key_dat, GNUTLS_X509_FMT_PEM); if (ret != 0) fail("gnutls_x509_privkey_import\n"); /* Setup CRT */ ret = gnutls_x509_crt_set_version(crt, 3); if (ret != 0) fail("gnutls_x509_crt_set_version\n"); ret = gnutls_x509_crt_set_serial(crt, "\x0a\x11\x00", 3); if (ret != 0) fail("gnutls_x509_crt_set_serial\n"); ret = gnutls_x509_crt_set_expiration_time(crt, -1); if (ret != 0) fail("error\n"); ret = gnutls_x509_crt_set_activation_time(crt, mytime(0)); if (ret != 0) fail("error\n"); ret = gnutls_x509_crt_set_key(crt, pkey); if (ret != 0) fail("gnutls_x509_crt_set_key\n"); ret = gnutls_x509_crt_set_basic_constraints(crt, 0, -1); if (ret < 0) { fail("error\n"); } ret = gnutls_x509_crt_set_key_usage(crt, GNUTLS_KEY_DIGITAL_SIGNATURE); if (ret != 0) fail("gnutls_x509_crt_set_key_usage %d\n", ret); ret = gnutls_x509_crt_set_dn(crt, "o = none to\\, mention,cn = nikos", &err); if (ret < 0) { fail("gnutls_x509_crt_set_dn: %s, %s\n", gnutls_strerror(ret), err); } ret = gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_DNSNAME, "foo", 3, 1); if (ret != 0) fail("gnutls_x509_crt_set_subject_alt_name\n"); ret = gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_RFC822NAME, "*****@*****.**", strlen("*****@*****.**"), 1); if (ret != 0) fail("gnutls_x509_crt_set_subject_alt_name\n"); ret = gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_RFC822NAME, "ινβάλιντ@bar.org", strlen("ινβάλιντ@bar.org"), 1); if (ret != GNUTLS_E_INVALID_UTF8_EMAIL) fail("gnutls_x509_crt_set_subject_alt_name\n"); ret = gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_IPADDRESS, "\xc1\x5c\x96\x3", 4, 1); if (ret != 0) fail("gnutls_x509_crt_set_subject_alt_name\n"); ret = gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_IPADDRESS, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01", 16, 1); if (ret != 0) fail("gnutls_x509_crt_set_subject_alt_name\n"); ret = gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_DNSNAME, "apa", 3, 0); if (ret != 0) fail("gnutls_x509_crt_set_subject_alt_name\n"); ret = gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_DNSNAME, "απαλό.com", strlen("απαλό.com"), 1); #if defined(HAVE_LIBIDN2) || defined(HAVE_LIBIDN) if (ret != 0) fail("gnutls_x509_crt_set_subject_alt_name: %s\n", gnutls_strerror(ret)); ret = gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_RFC822NAME, "test@νίκο.org", strlen("test@νίκο.org"), 1); if (ret != 0) fail("gnutls_x509_crt_set_subject_alt_name\n"); #else if (ret != GNUTLS_E_UNIMPLEMENTED_FEATURE) fail("gnutls_x509_crt_set_subject_alt_name: %s\n", gnutls_strerror(ret)); #endif s = 0; ret = gnutls_x509_crt_get_key_purpose_oid(crt, 0, NULL, &s, NULL); if (ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) fail("gnutls_x509_crt_get_key_purpose_oid %d\n", ret); s = 0; ret = gnutls_x509_crt_set_key_purpose_oid(crt, GNUTLS_KP_TLS_WWW_SERVER, 0); if (ret != 0) fail("gnutls_x509_crt_set_key_purpose_oid %d\n", ret); s = 0; ret = gnutls_x509_crt_get_key_purpose_oid(crt, 0, NULL, &s, NULL); if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER) fail("gnutls_x509_crt_get_key_purpose_oid %d\n", ret); s = 0; ret = gnutls_x509_crt_set_key_purpose_oid(crt, GNUTLS_KP_TLS_WWW_CLIENT, 1); if (ret != 0) fail("gnutls_x509_crt_set_key_purpose_oid2 %d\n", ret); /* in the end this will be ignored as the issuer will be set * by gnutls_x509_crt_sign2() */ ret = gnutls_x509_crt_set_issuer_dn(crt, "cn = my CA, o = big\\, and one", &err); if (ret < 0) { fail("gnutls_x509_crt_set_issuer_dn: %s, %s\n", gnutls_strerror(ret), err); } #define ISSUER_UNIQUE_ID "\x00\x01\x02\x03" #define SUBJECT_UNIQUE_ID "\x04\x03\x02\x01" ret = gnutls_x509_crt_set_issuer_unique_id(crt, ISSUER_UNIQUE_ID, sizeof(ISSUER_UNIQUE_ID)-1); if (ret < 0) fail("error: %s\n", gnutls_strerror(ret)); ret = gnutls_x509_crt_set_subject_unique_id(crt, SUBJECT_UNIQUE_ID, sizeof(SUBJECT_UNIQUE_ID)-1); if (ret < 0) fail("error: %s\n", gnutls_strerror(ret)); /* Sign and finalize the certificate */ ret = gnutls_x509_crt_sign2(crt, crt, pkey, GNUTLS_DIG_SHA256, 0); if (ret < 0) fail("gnutls_x509_crt_sign2: %s\n", gnutls_strerror(ret)); ret = gnutls_x509_crt_print(crt, GNUTLS_CRT_PRINT_FULL, &out); if (ret != 0) fail("gnutls_x509_crt_print\n"); if (debug) printf("crt: %.*s\n", out.size, out.data); gnutls_free(out.data); /* Verify whether selected input is present */ s = 0; ret = gnutls_x509_crt_get_extension_info(crt, 0, NULL, &s, NULL); if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER) fail("gnutls_x509_crt_get_extension_info2: %s\n", strerror(ret)); s = 0; ret = gnutls_x509_crt_get_extension_data(crt, 0, NULL, &s); if (ret != 0) fail("gnutls_x509_crt_get_extension_data: %s\n", strerror(ret)); ret = gnutls_x509_crt_get_raw_issuer_dn(crt, &out); if (ret < 0 || out.size == 0) fail("gnutls_x509_crt_get_raw_issuer_dn: %s\n", gnutls_strerror(ret)); if (out.size != 45 || memcmp(out.data, "\x30\x2b\x31\x0e\x30\x0c\x06\x03\x55\x04\x03\x13\x05\x6e\x69\x6b\x6f\x73\x31\x19\x30\x17\x06\x03\x55\x04\x0a\x13\x10\x6e\x6f\x6e\x65\x20\x74\x6f\x2c\x20\x6d\x65\x6e\x74\x69\x6f\x6e", 45) != 0) { hexprint(out.data, out.size); fail("issuer DN comparison failed\n"); } gnutls_free(out.data); s = sizeof(buf); ret = gnutls_x509_crt_get_issuer_unique_id(crt, (void*)buf, &s); if (ret < 0) fail("error: %s\n", gnutls_strerror(ret)); if (s != sizeof(ISSUER_UNIQUE_ID)-1 || memcmp(buf, ISSUER_UNIQUE_ID, s) != 0) { fail("issuer unique id comparison failed\n"); } s = sizeof(buf); ret = gnutls_x509_crt_get_subject_unique_id(crt, (void*)buf, &s); if (ret < 0) fail("error: %s\n", gnutls_strerror(ret)); if (s != sizeof(SUBJECT_UNIQUE_ID)-1 || memcmp(buf, SUBJECT_UNIQUE_ID, s) != 0) { fail("subject unique id comparison failed\n"); } ret = gnutls_x509_crt_get_raw_dn(crt, &out); if (ret < 0 || out.size == 0) fail("gnutls_x509_crt_get_raw_dn: %s\n", gnutls_strerror(ret)); if (out.size != 45 || memcmp(out.data, "\x30\x2b\x31\x0e\x30\x0c\x06\x03\x55\x04\x03\x13\x05\x6e\x69\x6b\x6f\x73\x31\x19\x30\x17\x06\x03\x55\x04\x0a\x13\x10\x6e\x6f\x6e\x65\x20\x74\x6f\x2c\x20\x6d\x65\x6e\x74\x69\x6f\x6e", 45) != 0) { fail("DN comparison failed\n"); } gnutls_free(out.data); ret = gnutls_x509_crt_equals(crt, crt); if (ret == 0) { fail("equality test failed\n"); } ret = gnutls_x509_crt_equals(crt, crt2); if (ret != 0) { fail("equality test failed\n"); } assert(gnutls_x509_crt_export2(crt, GNUTLS_X509_FMT_PEM, &out) >= 0); if (debug) fprintf(stderr, "%s\n", out.data); #if defined(HAVE_LIBIDN2) assert(out.size == saved_crt.size); assert(memcmp(out.data, saved_crt.data, out.size)==0); #endif gnutls_free(out.data); gnutls_x509_crt_deinit(crt); gnutls_x509_crt_deinit(crt2); gnutls_x509_privkey_deinit(pkey); gnutls_global_deinit(); }