2 * Copyright (C) 2003-2012 Free Software Foundation, Inc.
4 * Author: Nikos Mavrogiannopoulos
6 * This file is part of GnuTLS.
8 * The GnuTLS is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 3 of
11 * the License, or (at your option) any later version.
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
18 * You should have received a copy of the GNU Lesser General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>
23 /* This file contains functions to handle X.509 certificate generation.
26 #include <gnutls_int.h>
28 #include <gnutls_datum.h>
29 #include <gnutls_global.h>
30 #include <gnutls_errors.h>
32 #include <gnutls_x509.h>
37 static void disable_optional_stuff (gnutls_x509_crt_t cert
);
40 * gnutls_x509_crt_set_dn_by_oid:
41 * @crt: a certificate of type #gnutls_x509_crt_t
42 * @oid: holds an Object Identifier in a null terminated string
43 * @raw_flag: must be 0, or 1 if the data are DER encoded
44 * @name: a pointer to the name
45 * @sizeof_name: holds the size of @name
47 * This function will set the part of the name of the Certificate
48 * subject, specified by the given OID. The input string should be
49 * ASCII or UTF-8 encoded.
51 * Some helper macros with popular OIDs can be found in gnutls/x509.h
52 * With this function you can only set the known OIDs. You can test
53 * for known OIDs using gnutls_x509_dn_oid_known(). For OIDs that are
54 * not known (by gnutls) you should properly DER encode your data,
55 * and call this function with @raw_flag set.
57 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
58 * negative error value.
int
gnutls_x509_crt_set_dn_by_oid (gnutls_x509_crt_t crt, const char *oid,
                               unsigned int raw_flag, const void *name,
                               unsigned int sizeof_name)
{
  /* ASN.1 node of the certificate whose name component is being set. */
  const char *subject_node = "tbsCertificate.subject";

  /* Reject a missing certificate, a missing name or an empty name.
   * @oid is not checked here; it is handed to the helper unchanged. */
  if (crt == NULL)
    return GNUTLS_E_INVALID_REQUEST;
  if (name == NULL || sizeof_name == 0)
    return GNUTLS_E_INVALID_REQUEST;

  return _gnutls_x509_set_dn_oid (crt->cert, subject_node,
                                  oid, raw_flag, name, sizeof_name);
}
75 * gnutls_x509_crt_set_issuer_dn_by_oid:
76 * @crt: a certificate of type #gnutls_x509_crt_t
77 * @oid: holds an Object Identifier in a null terminated string
78 * @raw_flag: must be 0, or 1 if the data are DER encoded
79 * @name: a pointer to the name
80 * @sizeof_name: holds the size of @name
82 * This function will set the part of the name of the Certificate
83 * issuer, specified by the given OID. The input string should be
84 * ASCII or UTF-8 encoded.
86 * Some helper macros with popular OIDs can be found in gnutls/x509.h
87 * With this function you can only set the known OIDs. You can test
88 * for known OIDs using gnutls_x509_dn_oid_known(). For OIDs that are
89 * not known (by gnutls) you should properly DER encode your data,
90 * and call this function with @raw_flag set.
92 * Normally you do not need to call this function, since the signing
93 * operation will copy the signer's name as the issuer of the certificate.
96 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
97 * negative error value.
100 gnutls_x509_crt_set_issuer_dn_by_oid (gnutls_x509_crt_t crt
,
102 unsigned int raw_flag
,
104 unsigned int sizeof_name
)
106 if (sizeof_name
== 0 || name
== NULL
|| crt
== NULL
)
108 return GNUTLS_E_INVALID_REQUEST
;
111 return _gnutls_x509_set_dn_oid (crt
->cert
, "tbsCertificate.issuer", oid
,
112 raw_flag
, name
, sizeof_name
);
116 * gnutls_x509_crt_set_proxy_dn:
117 * @crt: a gnutls_x509_crt_t structure with the new proxy cert
118 * @eecrt: the end entity certificate that will be issuing the proxy
119 * @raw_flag: must be 0, or 1 if the CN is DER encoded
120 * @name: a pointer to the CN name, may be NULL (but MUST then be added later)
121 * @sizeof_name: holds the size of @name
123 * This function will set the subject in @crt to the end entity's
124 * @eecrt subject name, and add a single Common Name component @name
125 * of size @sizeof_name. This corresponds to the required proxy
126 * certificate naming style. Note that if @name is %NULL, you MUST
127 * set it later by using gnutls_x509_crt_set_dn_by_oid() or similar.
129 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
130 * negative error value.
133 gnutls_x509_crt_set_proxy_dn (gnutls_x509_crt_t crt
, gnutls_x509_crt_t eecrt
,
134 unsigned int raw_flag
, const void *name
,
135 unsigned int sizeof_name
)
139 if (crt
== NULL
|| eecrt
== NULL
)
141 return GNUTLS_E_INVALID_REQUEST
;
144 result
= asn1_copy_node (crt
->cert
, "tbsCertificate.subject",
145 eecrt
->cert
, "tbsCertificate.subject");
146 if (result
!= ASN1_SUCCESS
)
149 return _gnutls_asn2err (result
);
152 if (name
&& sizeof_name
)
154 return _gnutls_x509_set_dn_oid (crt
->cert
, "tbsCertificate.subject",
155 GNUTLS_OID_X520_COMMON_NAME
,
156 raw_flag
, name
, sizeof_name
);
163 * gnutls_x509_crt_set_version:
164 * @crt: a certificate of type #gnutls_x509_crt_t
165 * @version: holds the version number. For X.509v1 certificates must be 1.
167 * This function will set the version of the certificate. This must
168 * be one for X.509 version 1, and so on. Plain certificates without
169 * extensions must have version set to one.
171 * To create well-formed certificates, you must specify version 3 if
172 * you use any certificate extensions. Extensions are created by
173 * functions such as gnutls_x509_crt_set_subject_alt_name()
174 * or gnutls_x509_crt_set_key_usage().
176 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
177 * negative error value.
180 gnutls_x509_crt_set_version (gnutls_x509_crt_t crt
, unsigned int version
)
183 unsigned char null
= version
;
188 return GNUTLS_E_INVALID_REQUEST
;
194 result
= asn1_write_value (crt
->cert
, "tbsCertificate.version", &null
, 1);
195 if (result
!= ASN1_SUCCESS
)
198 return _gnutls_asn2err (result
);
205 * gnutls_x509_crt_set_key:
206 * @crt: a certificate of type #gnutls_x509_crt_t
207 * @key: holds a private key
209 * This function will set the public parameters from the given
210 * private key to the certificate. Only RSA keys are currently supported.
213 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
214 * negative error value.
218 gnutls_x509_crt_set_key (gnutls_x509_crt_t crt
, gnutls_x509_privkey_t key
)
225 return GNUTLS_E_INVALID_REQUEST
;
228 result
= _gnutls_x509_encode_and_copy_PKI_params (crt
->cert
,
229 "tbsCertificate.subjectPublicKeyInfo",
243 * gnutls_x509_crt_set_crq:
244 * @crt: a certificate of type #gnutls_x509_crt_t
245 * @crq: holds a certificate request
247 * This function will set the name and public parameters as well as
248 * the extensions from the given certificate request to the certificate.
249 * Only RSA keys are currently supported.
251 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
252 * negative error value.
255 gnutls_x509_crt_set_crq (gnutls_x509_crt_t crt
, gnutls_x509_crq_t crq
)
259 if (crt
== NULL
|| crq
== NULL
)
262 return GNUTLS_E_INVALID_REQUEST
;
265 result
= gnutls_x509_crq_verify(crq
, 0);
267 return gnutls_assert_val(result
);
269 result
= asn1_copy_node (crt
->cert
, "tbsCertificate.subject",
270 crq
->crq
, "certificationRequestInfo.subject");
271 if (result
!= ASN1_SUCCESS
)
274 return _gnutls_asn2err (result
);
278 asn1_copy_node (crt
->cert
, "tbsCertificate.subjectPublicKeyInfo",
279 crq
->crq
, "certificationRequestInfo.subjectPKInfo");
280 if (result
!= ASN1_SUCCESS
)
283 return _gnutls_asn2err (result
);
290 * gnutls_x509_crt_set_crq_extensions:
291 * @crt: a certificate of type #gnutls_x509_crt_t
292 * @crq: holds a certificate request
294 * This function will set extensions from the given request to the certificate.
297 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
298 * negative error value.
303 gnutls_x509_crt_set_crq_extensions (gnutls_x509_crt_t crt
,
304 gnutls_x509_crq_t crq
)
308 if (crt
== NULL
|| crq
== NULL
)
311 return GNUTLS_E_INVALID_REQUEST
;
317 char oid
[MAX_OID_SIZE
];
320 size_t extensions_size
;
321 unsigned int critical
;
324 oid_size
= sizeof (oid
);
325 result
= gnutls_x509_crq_get_extension_info (crq
, i
, oid
,
326 &oid_size
, &critical
);
329 if (result
== GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
)
337 result
= gnutls_x509_crq_get_extension_data (crq
, i
, NULL
,
345 extensions
= gnutls_malloc (extensions_size
);
346 if (extensions
== NULL
)
349 return GNUTLS_E_MEMORY_ERROR
;
352 result
= gnutls_x509_crq_get_extension_data (crq
, i
, extensions
,
357 gnutls_free (extensions
);
361 ext
.data
= extensions
;
362 ext
.size
= extensions_size
;
364 result
= _gnutls_x509_crt_set_extension (crt
, oid
, &ext
, critical
);
365 gnutls_free (extensions
);
374 crt
->use_extensions
= 1;
380 * gnutls_x509_crt_set_extension_by_oid:
381 * @crt: a certificate of type #gnutls_x509_crt_t
382 * @oid: holds an Object Identifier in a null terminated string
383 * @buf: a pointer to a DER encoded data
384 * @sizeof_buf: holds the size of @buf
385 * @critical: should be non-zero if the extension is to be marked as critical
387 * This function will set the extension identified by the specified OID in
388 * the certificate. The extension data should be binary DER encoded data.
391 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
392 * negative error value.
395 gnutls_x509_crt_set_extension_by_oid (gnutls_x509_crt_t crt
,
396 const char *oid
, const void *buf
,
398 unsigned int critical
)
401 gnutls_datum_t der_data
;
403 der_data
.data
= (void *) buf
;
404 der_data
.size
= sizeof_buf
;
409 return GNUTLS_E_INVALID_REQUEST
;
412 result
= _gnutls_x509_crt_set_extension (crt
, oid
, &der_data
, critical
);
419 crt
->use_extensions
= 1;
426 * gnutls_x509_crt_set_basic_constraints:
427 * @crt: a certificate of type #gnutls_x509_crt_t
428 * @ca: true (1) or false (0), depending on the certificate authority status.
429 * @pathLenConstraint: a non-negative value gives the maximum length of the path,
430 * and a negative value indicates that the pathLenConstraint field should not be present.
433 * This function will set the basicConstraints certificate extension.
435 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
436 * negative error value.
439 gnutls_x509_crt_set_basic_constraints (gnutls_x509_crt_t crt
,
440 unsigned int ca
, int pathLenConstraint
)
443 gnutls_datum_t der_data
;
448 return GNUTLS_E_INVALID_REQUEST
;
451 /* generate the extension.
453 result
= _gnutls_x509_ext_gen_basicConstraints (ca
, pathLenConstraint
,
461 result
= _gnutls_x509_crt_set_extension (crt
, "2.5.29.19", &der_data
, 1);
463 _gnutls_free_datum (&der_data
);
471 crt
->use_extensions
= 1;
477 * gnutls_x509_crt_set_ca_status:
478 * @crt: a certificate of type #gnutls_x509_crt_t
479 * @ca: true (1) or false (0), depending on the certificate authority status.
481 * This function will set the basicConstraints certificate extension.
482 * Use gnutls_x509_crt_set_basic_constraints() if you want to control
483 * the pathLenConstraint field too.
485 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
486 * negative error value.
int
gnutls_x509_crt_set_ca_status (gnutls_x509_crt_t crt, unsigned int ca)
{
  /* Per gnutls_x509_crt_set_basic_constraints(), a negative value asks
   * for the pathLenConstraint field to be left out of the extension. */
  const int no_path_len = -1;

  return gnutls_x509_crt_set_basic_constraints (crt, ca, no_path_len);
}
495 * gnutls_x509_crt_set_key_usage:
496 * @crt: a certificate of type #gnutls_x509_crt_t
497 * @usage: an ORed sequence of the GNUTLS_KEY_* elements.
499 * This function will set the keyUsage certificate extension.
501 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
502 * negative error value.
505 gnutls_x509_crt_set_key_usage (gnutls_x509_crt_t crt
, unsigned int usage
)
508 gnutls_datum_t der_data
;
513 return GNUTLS_E_INVALID_REQUEST
;
516 /* generate the extension.
518 result
= _gnutls_x509_ext_gen_keyUsage ((uint16_t) usage
, &der_data
);
525 result
= _gnutls_x509_crt_set_extension (crt
, "2.5.29.15", &der_data
, 1);
527 _gnutls_free_datum (&der_data
);
535 crt
->use_extensions
= 1;
541 * gnutls_x509_crt_set_subject_alternative_name:
542 * @crt: a certificate of type #gnutls_x509_crt_t
543 * @type: is one of the gnutls_x509_subject_alt_name_t enumerations
544 * @data_string: The data to be set, a null (0) terminated string
546 * This function will set the subject alternative name certificate
547 * extension. This function assumes that data can be expressed as a null terminated string.
550 * The name of the function is unfortunate since it is inconsistent with
551 * gnutls_x509_crt_get_subject_alt_name().
553 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
554 * negative error value.
557 gnutls_x509_crt_set_subject_alternative_name (gnutls_x509_crt_t crt
,
558 gnutls_x509_subject_alt_name_t
559 type
, const char *data_string
)
564 return GNUTLS_E_INVALID_REQUEST
;
567 /* only handle text extensions */
568 if (type
!= GNUTLS_SAN_DNSNAME
&& type
!= GNUTLS_SAN_RFC822NAME
&&
569 type
!= GNUTLS_SAN_URI
)
572 return GNUTLS_E_INVALID_REQUEST
;
575 return gnutls_x509_crt_set_subject_alt_name (crt
, type
, data_string
,
576 strlen (data_string
),
581 * gnutls_x509_crt_set_subject_alt_name:
582 * @crt: a certificate of type #gnutls_x509_crt_t
583 * @type: is one of the gnutls_x509_subject_alt_name_t enumerations
584 * @data: The data to be set
585 * @data_size: The size of data to be set
586 * @flags: GNUTLS_FSAN_SET to clear previous data or GNUTLS_FSAN_APPEND to append.
588 * This function will set the subject alternative name certificate
589 * extension. It can set the following types:
591 * %GNUTLS_SAN_DNSNAME: as a text string
593 * %GNUTLS_SAN_RFC822NAME: as a text string
595 * %GNUTLS_SAN_URI: as a text string
597 * %GNUTLS_SAN_IPADDRESS: as a binary IP address (4 or 16 bytes)
599 * Other values can be set as binary values with the proper DER encoding.
601 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
602 * negative error value.
607 gnutls_x509_crt_set_subject_alt_name (gnutls_x509_crt_t crt
,
608 gnutls_x509_subject_alt_name_t type
,
610 unsigned int data_size
,
614 gnutls_datum_t der_data
= { NULL
, 0 };
615 gnutls_datum_t prev_der_data
= { NULL
, 0 };
616 unsigned int critical
= 0;
621 return GNUTLS_E_INVALID_REQUEST
;
624 /* Check if the extension already exists.
627 if (flags
== GNUTLS_FSAN_APPEND
)
629 result
= _gnutls_x509_crt_get_extension (crt
, "2.5.29.17", 0,
630 &prev_der_data
, &critical
);
631 if (result
< 0 && result
!= GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
)
638 /* generate the extension.
640 result
= _gnutls_x509_ext_gen_subject_alt_name (type
, data
, data_size
,
641 &prev_der_data
, &der_data
);
643 if (flags
== GNUTLS_FSAN_APPEND
)
644 _gnutls_free_datum (&prev_der_data
);
652 result
= _gnutls_x509_crt_set_extension (crt
, "2.5.29.17", &der_data
,
655 _gnutls_free_datum (&der_data
);
663 crt
->use_extensions
= 1;
668 _gnutls_free_datum (&prev_der_data
);
673 * gnutls_x509_crt_set_proxy:
674 * @crt: a certificate of type #gnutls_x509_crt_t
675 * @pathLenConstraint: a non-negative value gives the maximum length of the path,
676 * and a negative value indicates that the pathLenConstraint field should not be present.
678 * @policyLanguage: OID describing the language of @policy.
679 * @policy: uint8_t byte array with policy language, can be %NULL
680 * @sizeof_policy: size of @policy.
682 * This function will set the proxyCertInfo extension.
684 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
685 * negative error value.
688 gnutls_x509_crt_set_proxy (gnutls_x509_crt_t crt
,
689 int pathLenConstraint
,
690 const char *policyLanguage
,
691 const char *policy
, size_t sizeof_policy
)
694 gnutls_datum_t der_data
;
699 return GNUTLS_E_INVALID_REQUEST
;
702 /* generate the extension.
704 result
= _gnutls_x509_ext_gen_proxyCertInfo (pathLenConstraint
,
706 policy
, sizeof_policy
,
714 result
= _gnutls_x509_crt_set_extension (crt
, "1.3.6.1.5.5.7.1.14",
717 _gnutls_free_datum (&der_data
);
725 crt
->use_extensions
= 1;
731 * gnutls_x509_crt_sign2:
732 * @crt: a certificate of type #gnutls_x509_crt_t
733 * @issuer: is the certificate of the certificate issuer
734 * @issuer_key: holds the issuer's private key
735 * @dig: The message digest to use, %GNUTLS_DIG_SHA1 is a safe choice
738 * This function will sign the certificate with the issuer's private key, and
739 * will copy the issuer's information into the certificate.
741 * This must be the last step in a certificate generation since all
742 * the previously set parameters are now signed.
744 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
745 * negative error value.
748 gnutls_x509_crt_sign2 (gnutls_x509_crt_t crt
, gnutls_x509_crt_t issuer
,
749 gnutls_x509_privkey_t issuer_key
,
750 gnutls_digest_algorithm_t dig
, unsigned int flags
)
753 gnutls_privkey_t privkey
;
755 if (crt
== NULL
|| issuer
== NULL
|| issuer_key
== NULL
)
758 return GNUTLS_E_INVALID_REQUEST
;
761 result
= gnutls_privkey_init (&privkey
);
768 result
= gnutls_privkey_import_x509 (privkey
, issuer_key
, 0);
775 result
= gnutls_x509_crt_privkey_sign (crt
, issuer
, privkey
, dig
, flags
);
785 gnutls_privkey_deinit (privkey
);
791 * gnutls_x509_crt_sign:
792 * @crt: a certificate of type #gnutls_x509_crt_t
793 * @issuer: is the certificate of the certificate issuer
794 * @issuer_key: holds the issuer's private key
796 * This function is the same as gnutls_x509_crt_sign2() with no flags,
797 * and SHA1 as the hash algorithm.
799 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
800 * negative error value.
int
gnutls_x509_crt_sign (gnutls_x509_crt_t crt, gnutls_x509_crt_t issuer,
                      gnutls_x509_privkey_t issuer_key)
{
  /* The digest is fixed to SHA-1 and no flags are passed; callers that
   * need another digest or flags use gnutls_x509_crt_sign2() directly,
   * which also performs the argument checks and the signing itself. */
  const gnutls_digest_algorithm_t dig = GNUTLS_DIG_SHA1;
  const unsigned int flags = 0;

  return gnutls_x509_crt_sign2 (crt, issuer, issuer_key, dig, flags);
}
810 * gnutls_x509_crt_set_activation_time:
811 * @cert: a certificate of type #gnutls_x509_crt_t
812 * @act_time: The activation time
814 * This function will set the time this Certificate was or will be activated.
817 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
818 * negative error value.
821 gnutls_x509_crt_set_activation_time (gnutls_x509_crt_t cert
, time_t act_time
)
826 return GNUTLS_E_INVALID_REQUEST
;
829 return _gnutls_x509_set_time (cert
->cert
,
830 "tbsCertificate.validity.notBefore",
835 * gnutls_x509_crt_set_expiration_time:
836 * @cert: a certificate of type #gnutls_x509_crt_t
837 * @exp_time: The expiration time
839 * This function will set the time this Certificate will expire.
841 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
842 * negative error value.
845 gnutls_x509_crt_set_expiration_time (gnutls_x509_crt_t cert
, time_t exp_time
)
850 return GNUTLS_E_INVALID_REQUEST
;
852 return _gnutls_x509_set_time (cert
->cert
,
853 "tbsCertificate.validity.notAfter", exp_time
);
857 * gnutls_x509_crt_set_serial:
858 * @cert: a certificate of type #gnutls_x509_crt_t
859 * @serial: The serial number
860 * @serial_size: Holds the size of the serial field.
862 * This function will set the X.509 certificate's serial number.
863 * Serial is not always a 32 or 64bit number. Some CAs use large
864 * serial numbers, thus it may be wise to handle it as something
867 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
868 * negative error value.
871 gnutls_x509_crt_set_serial (gnutls_x509_crt_t cert
, const void *serial
,
879 return GNUTLS_E_INVALID_REQUEST
;
883 asn1_write_value (cert
->cert
, "tbsCertificate.serialNumber", serial
,
885 if (ret
!= ASN1_SUCCESS
)
888 return _gnutls_asn2err (ret
);
895 /* If OPTIONAL fields have not been initialized then they are disabled,
 * i.e. removed from the certificate. */
static void
disable_optional_stuff (gnutls_x509_crt_t cert)
{
  /* Writing NULL with length 0 is how this file disables an OPTIONAL
   * field; the asn1_write_value() results are not checked here. */
  asn1_write_value (cert->cert, "tbsCertificate.issuerUniqueID", NULL, 0);
  asn1_write_value (cert->cert, "tbsCertificate.subjectUniqueID", NULL, 0);

  /* The extensions field survives only when a setter has flagged the
   * certificate as using extensions (cert->use_extensions != 0). */
  if (cert->use_extensions != 0)
    return;

  _gnutls_debug_log ("Disabling X.509 extensions.\n");
  asn1_write_value (cert->cert, "tbsCertificate.extensions", NULL, 0);
}
916 * gnutls_x509_crt_set_crl_dist_points:
917 * @crt: a certificate of type #gnutls_x509_crt_t
918 * @type: is one of the gnutls_x509_subject_alt_name_t enumerations
919 * @data_string: The data to be set
920 * @reason_flags: revocation reasons
922 * This function will set the CRL distribution points certificate extension.
924 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
925 * negative error value.
928 gnutls_x509_crt_set_crl_dist_points (gnutls_x509_crt_t crt
,
929 gnutls_x509_subject_alt_name_t type
,
930 const void *data_string
,
931 unsigned int reason_flags
)
933 return gnutls_x509_crt_set_crl_dist_points2 (crt
, type
, data_string
,
934 strlen (data_string
),
939 * gnutls_x509_crt_set_crl_dist_points2:
940 * @crt: a certificate of type #gnutls_x509_crt_t
941 * @type: is one of the gnutls_x509_subject_alt_name_t enumerations
942 * @data: The data to be set
943 * @data_size: The data size
944 * @reason_flags: revocation reasons
946 * This function will set the CRL distribution points certificate extension.
948 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
949 * negative error value.
954 gnutls_x509_crt_set_crl_dist_points2 (gnutls_x509_crt_t crt
,
955 gnutls_x509_subject_alt_name_t type
,
957 unsigned int data_size
,
958 unsigned int reason_flags
)
961 gnutls_datum_t der_data
= { NULL
, 0 };
962 gnutls_datum_t oldname
= { NULL
, 0 };
963 unsigned int critical
;
968 return GNUTLS_E_INVALID_REQUEST
;
971 /* Check if the extension already exists.
974 _gnutls_x509_crt_get_extension (crt
, "2.5.29.31", 0, &oldname
, &critical
);
976 _gnutls_free_datum (&oldname
);
978 if (result
!= GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
)
981 return GNUTLS_E_INVALID_REQUEST
;
984 /* generate the extension.
987 _gnutls_x509_ext_gen_crl_dist_points (type
, data
, data_size
,
988 reason_flags
, &der_data
);
995 result
= _gnutls_x509_crt_set_extension (crt
, "2.5.29.31", &der_data
, 0);
997 _gnutls_free_datum (&der_data
);
1005 crt
->use_extensions
= 1;
1012 * gnutls_x509_crt_cpy_crl_dist_points:
1013 * @dst: a certificate of type #gnutls_x509_crt_t
1014 * @src: the certificate where the dist points will be copied from
1016 * This function will copy the CRL distribution points certificate
1017 * extension, from the source to the destination certificate.
1018 * This may be useful to copy from a CA certificate to issued ones.
1020 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
1021 * negative error value.
1024 gnutls_x509_crt_cpy_crl_dist_points (gnutls_x509_crt_t dst
,
1025 gnutls_x509_crt_t src
)
1028 gnutls_datum_t der_data
;
1029 unsigned int critical
;
1031 if (dst
== NULL
|| src
== NULL
)
1034 return GNUTLS_E_INVALID_REQUEST
;
1037 /* Check if the extension already exists.
1040 _gnutls_x509_crt_get_extension (src
, "2.5.29.31", 0, &der_data
,
1049 _gnutls_x509_crt_set_extension (dst
, "2.5.29.31", &der_data
, critical
);
1050 _gnutls_free_datum (&der_data
);
1058 dst
->use_extensions
= 1;
1064 * gnutls_x509_crt_set_subject_key_id:
1065 * @cert: a certificate of type #gnutls_x509_crt_t
1067 * @id_size: Holds the size of @id.
1069 * This function will set the X.509 certificate's subject key ID extension.
1072 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
1073 * negative error value.
1076 gnutls_x509_crt_set_subject_key_id (gnutls_x509_crt_t cert
,
1077 const void *id
, size_t id_size
)
1080 gnutls_datum_t old_id
, der_data
;
1081 unsigned int critical
;
1086 return GNUTLS_E_INVALID_REQUEST
;
1089 /* Check if the extension already exists.
1092 _gnutls_x509_crt_get_extension (cert
, "2.5.29.14", 0, &old_id
, &critical
);
1095 _gnutls_free_datum (&old_id
);
1096 if (result
!= GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
)
1099 return GNUTLS_E_INVALID_REQUEST
;
1102 /* generate the extension.
1104 result
= _gnutls_x509_ext_gen_key_id (id
, id_size
, &der_data
);
1111 result
= _gnutls_x509_crt_set_extension (cert
, "2.5.29.14", &der_data
, 0);
1113 _gnutls_free_datum (&der_data
);
1121 cert
->use_extensions
= 1;
1127 * gnutls_x509_crt_set_authority_key_id:
1128 * @cert: a certificate of type #gnutls_x509_crt_t
1130 * @id_size: Holds the size of @id.
1132 * This function will set the X.509 certificate's authority key ID extension.
1133 * Only the keyIdentifier field can be set with this function.
1135 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
1136 * negative error value.
1139 gnutls_x509_crt_set_authority_key_id (gnutls_x509_crt_t cert
,
1140 const void *id
, size_t id_size
)
1143 gnutls_datum_t old_id
, der_data
;
1144 unsigned int critical
;
1149 return GNUTLS_E_INVALID_REQUEST
;
1152 /* Check if the extension already exists.
1155 _gnutls_x509_crt_get_extension (cert
, "2.5.29.35", 0, &old_id
, &critical
);
1158 _gnutls_free_datum (&old_id
);
1159 if (result
!= GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
)
1162 return GNUTLS_E_INVALID_REQUEST
;
1165 /* generate the extension.
1167 result
= _gnutls_x509_ext_gen_auth_key_id (id
, id_size
, &der_data
);
1174 result
= _gnutls_x509_crt_set_extension (cert
, "2.5.29.35", &der_data
, 0);
1176 _gnutls_free_datum (&der_data
);
1184 cert
->use_extensions
= 1;
1190 * gnutls_x509_crt_set_key_purpose_oid:
1191 * @cert: a certificate of type #gnutls_x509_crt_t
1192 * @oid: a pointer to a null terminated string that holds the OID
1193 * @critical: Whether this extension will be critical or not
1195 * This function will set the key purpose OIDs of the Certificate.
1196 * These are stored in the Extended Key Usage extension (2.5.29.37)
1197 * See the GNUTLS_KP_* definitions for human readable names.
1199 * Subsequent calls to this function will append OIDs to the OID list.
1201 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
1202 * otherwise a negative error code is returned.
1205 gnutls_x509_crt_set_key_purpose_oid (gnutls_x509_crt_t cert
,
1206 const void *oid
, unsigned int critical
)
1209 gnutls_datum_t old_id
, der_data
;
1210 ASN1_TYPE c2
= ASN1_TYPE_EMPTY
;
1215 return GNUTLS_E_INVALID_REQUEST
;
1218 result
= asn1_create_element
1219 (_gnutls_get_pkix (), "PKIX1.ExtKeyUsageSyntax", &c2
);
1220 if (result
!= ASN1_SUCCESS
)
1223 return _gnutls_asn2err (result
);
1226 /* Check if the extension already exists.
1229 _gnutls_x509_crt_get_extension (cert
, "2.5.29.37", 0, &old_id
, NULL
);
1235 result
= asn1_der_decoding (&c2
, old_id
.data
, old_id
.size
, NULL
);
1236 _gnutls_free_datum (&old_id
);
1238 if (result
!= ASN1_SUCCESS
)
1241 asn1_delete_structure (&c2
);
1242 return _gnutls_asn2err (result
);
1247 /* generate the extension.
1249 /* 1. create a new element.
1251 result
= asn1_write_value (c2
, "", "NEW", 1);
1252 if (result
!= ASN1_SUCCESS
)
1255 asn1_delete_structure (&c2
);
1256 return _gnutls_asn2err (result
);
1261 result
= asn1_write_value (c2
, "?LAST", oid
, 1);
1262 if (result
!= ASN1_SUCCESS
)
1265 asn1_delete_structure (&c2
);
1266 return _gnutls_asn2err (result
);
1269 result
= _gnutls_x509_der_encode (c2
, "", &der_data
, 0);
1270 asn1_delete_structure (&c2
);
1272 if (result
!= ASN1_SUCCESS
)
1275 return _gnutls_asn2err (result
);
1278 result
= _gnutls_x509_crt_set_extension (cert
, "2.5.29.37",
1279 &der_data
, critical
);
1281 _gnutls_free_datum (&der_data
);
1289 cert
->use_extensions
= 1;
1296 * gnutls_x509_crt_privkey_sign:
1297 * @crt: a certificate of type #gnutls_x509_crt_t
1298 * @issuer: is the certificate of the certificate issuer
1299 * @issuer_key: holds the issuer's private key
1300 * @dig: The message digest to use, %GNUTLS_DIG_SHA1 is a safe choice
1303 * This function will sign the certificate with the issuer's private key, and
1304 * will copy the issuer's information into the certificate.
1306 * This must be the last step in a certificate generation since all
1307 * the previously set parameters are now signed.
1309 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
1310 * negative error value.
1313 gnutls_x509_crt_privkey_sign (gnutls_x509_crt_t crt
, gnutls_x509_crt_t issuer
,
1314 gnutls_privkey_t issuer_key
,
1315 gnutls_digest_algorithm_t dig
,
1320 if (crt
== NULL
|| issuer
== NULL
|| issuer_key
== NULL
)
1323 return GNUTLS_E_INVALID_REQUEST
;
1326 /* disable all the unneeded OPTIONAL fields.
1328 disable_optional_stuff (crt
);
1330 result
= _gnutls_x509_pkix_sign (crt
->cert
, "tbsCertificate",
1331 dig
, issuer
, issuer_key
);