/**
 * gnutls_x509_crt_privkey_sign:
 * @crt: a certificate of type #gnutls_x509_crt_t
 * @issuer: is the certificate of the certificate issuer
 * @issuer_key: holds the issuer's private key
 * @dig: The message digest to use. %GNUTLS_DIG_SHA256 is the safe choice;
 *   SHA-1 should no longer be used for new signatures.
 * @flags: must be 0 (the value is not interpreted by this function)
 *
 * This function will sign the certificate with the issuer's private key, and
 * will copy the issuer's information into the certificate.
 *
 * This must be the last step in a certificate generation since all
 * the previously set parameters are now signed; any field changed
 * afterwards invalidates the signature.
 *
 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
 *   negative error value. %GNUTLS_E_INVALID_REQUEST is returned when
 *   @crt, @issuer or @issuer_key is %NULL.
 **/
int
gnutls_x509_crt_privkey_sign(gnutls_x509_crt_t crt,
			     gnutls_x509_crt_t issuer,
			     gnutls_privkey_t issuer_key,
			     gnutls_digest_algorithm_t dig,
			     unsigned int flags)
{
	int ret = GNUTLS_E_INVALID_REQUEST;

	if (crt != NULL && issuer != NULL && issuer_key != NULL) {
		/* Drop OPTIONAL fields that were never populated so they
		 * are not encoded into the TBS structure being signed. */
		disable_optional_stuff(crt);

		ret = _gnutls_x509_pkix_sign(crt->cert, "tbsCertificate",
					     dig, issuer, issuer_key);
		if (ret >= 0)
			return 0;
	}

	/* Either an argument was missing or signing failed. */
	gnutls_assert();
	return ret;
}
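/**
 * gnutls_x509_crl_privkey_sign:
 * @crl: should contain a gnutls_x509_crl_t type
 * @issuer: is the certificate of the certificate issuer
 * @issuer_key: holds the issuer's private key
 * @dig: The message digest to use. GNUTLS_DIG_SHA256 is the safe choice unless you know what you're doing.
 * @flags: must be 0 (the value is not interpreted by this function)
 *
 * This function will sign the CRL with the issuer's private key, and
 * will copy the issuer's information into the CRL.
 *
 * This must be the last step in CRL generation since all
 * the previously set parameters are now signed.
 *
 * A known limitation of this function is, that a newly-signed CRL will not
 * be fully functional (e.g., for signature verification), until it
 * is exported and re-imported.
 *
 * After GnuTLS 3.6.1 the value of @dig may be %GNUTLS_DIG_UNKNOWN,
 * and in that case a suitable digest for the issuer's key algorithm
 * will be selected.
 *
 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
 *   negative error value. %GNUTLS_E_INVALID_REQUEST is returned when
 *   @crl, @issuer or @issuer_key is %NULL.
 *
 * Since: 2.12.0
 **/
int
gnutls_x509_crl_privkey_sign(gnutls_x509_crl_t crl,
			     gnutls_x509_crt_t issuer,
			     gnutls_privkey_t issuer_key,
			     gnutls_digest_algorithm_t dig,
			     unsigned int flags)
{
	int result;

	/* Reject a missing key up front rather than letting a NULL reach
	 * the signing path; this matches gnutls_x509_crt_privkey_sign(). */
	if (crl == NULL || issuer == NULL || issuer_key == NULL) {
		gnutls_assert();
		return GNUTLS_E_INVALID_REQUEST;
	}

	/* 0 is GNUTLS_DIG_UNKNOWN: pick the digest from the issuer's key
	 * so the caller does not have to know the key algorithm. */
	if (dig == 0) {
		result = gnutls_x509_crt_get_preferred_hash_algorithm(issuer, &dig, NULL);
		if (result < 0)
			return gnutls_assert_val(result);
	}

	/* disable all the unneeded OPTIONAL fields so they are not
	 * encoded into the tbsCertList being signed.
	 */
	disable_optional_stuff(crl);

	/* @flags is deliberately not forwarded; the signer gets 0. */
	result = _gnutls_x509_pkix_sign(crl->crl, "tbsCertList",
					dig, 0, issuer, issuer_key);
	if (result < 0)
		return gnutls_assert_val(result);

	return 0;
}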