search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
corrected makefile
[gnutls.git] / lib / x509 / x509_write.c
blob4e3149357bd648d0332af9bc8e22c5b9f300df72
1 /*
2 * Copyright (C) 2003-2012 Free Software Foundation, Inc.
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GnuTLS.
7 *
8 * The GnuTLS is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 3 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>
20 *
21 */
22
23 /* This file contains functions to handle X.509 certificate generation.
24 */
25
26 #include <gnutls_int.h>
27
28 #include <gnutls_datum.h>
29 #include <gnutls_global.h>
30 #include <gnutls_errors.h>
31 #include <common.h>
32 #include <gnutls_x509.h>
33 #include <x509_b64.h>
34 #include "x509_int.h"
35 #include <libtasn1.h>
36
37 static void disable_optional_stuff (gnutls_x509_crt_t cert);
38
39 /**
40 * gnutls_x509_crt_set_dn_by_oid:
41 * @crt: a certificate of type #gnutls_x509_crt_t
42 * @oid: holds an Object Identifier in a null terminated string
43 * @raw_flag: must be 0, or 1 if the data are DER encoded
44 * @name: a pointer to the name
45 * @sizeof_name: holds the size of @name
46 *
47 * This function will set the part of the name of the Certificate
48 * subject, specified by the given OID. The input string should be
49 * ASCII or UTF-8 encoded.
50 *
51 * Some helper macros with popular OIDs can be found in gnutls/x509.h
52 * With this function you can only set the known OIDs. You can test
53 * for known OIDs using gnutls_x509_dn_oid_known(). For OIDs that are
54 * not known (by gnutls) you should properly DER encode your data,
55 * and call this function with @raw_flag set.
56 *
57 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
58 * negative error value.
59 **/
60 int
61 gnutls_x509_crt_set_dn_by_oid (gnutls_x509_crt_t crt, const char *oid,
62 unsigned int raw_flag, const void *name,
63 unsigned int sizeof_name)
64 {
65 if (sizeof_name == 0 || name == NULL || crt == NULL)
66 {
67 return GNUTLS_E_INVALID_REQUEST;
68 }
69
70 return _gnutls_x509_set_dn_oid (crt->cert, "tbsCertificate.subject",
71 oid, raw_flag, name, sizeof_name);
72 }
73
74 /**
75 * gnutls_x509_crt_set_issuer_dn_by_oid:
76 * @crt: a certificate of type #gnutls_x509_crt_t
77 * @oid: holds an Object Identifier in a null terminated string
78 * @raw_flag: must be 0, or 1 if the data are DER encoded
79 * @name: a pointer to the name
80 * @sizeof_name: holds the size of @name
81 *
82 * This function will set the part of the name of the Certificate
83 * issuer, specified by the given OID. The input string should be
84 * ASCII or UTF-8 encoded.
85 *
86 * Some helper macros with popular OIDs can be found in gnutls/x509.h
87 * With this function you can only set the known OIDs. You can test
88 * for known OIDs using gnutls_x509_dn_oid_known(). For OIDs that are
89 * not known (by gnutls) you should properly DER encode your data,
90 * and call this function with @raw_flag set.
91 *
92 * Normally you do not need to call this function, since the signing
93 * operation will copy the signer's name as the issuer of the
94 * certificate.
95 *
96 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
97 * negative error value.
98 **/
99 int
100 gnutls_x509_crt_set_issuer_dn_by_oid (gnutls_x509_crt_t crt,
101 const char *oid,
102 unsigned int raw_flag,
103 const void *name,
104 unsigned int sizeof_name)
105 {
106 if (sizeof_name == 0 || name == NULL || crt == NULL)
107 {
108 return GNUTLS_E_INVALID_REQUEST;
109 }
110
111 return _gnutls_x509_set_dn_oid (crt->cert, "tbsCertificate.issuer", oid,
112 raw_flag, name, sizeof_name);
113 }
114
115 /**
116 * gnutls_x509_crt_set_proxy_dn:
117 * @crt: a gnutls_x509_crt_t structure with the new proxy cert
118 * @eecrt: the end entity certificate that will be issuing the proxy
119 * @raw_flag: must be 0, or 1 if the CN is DER encoded
120 * @name: a pointer to the CN name, may be NULL (but MUST then be added later)
121 * @sizeof_name: holds the size of @name
122 *
123 * This function will set the subject in @crt to the end entity's
124 * @eecrt subject name, and add a single Common Name component @name
125 * of size @sizeof_name. This corresponds to the required proxy
126 * certificate naming style. Note that if @name is %NULL, you MUST
127 * set it later by using gnutls_x509_crt_set_dn_by_oid() or similar.
128 *
129 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
130 * negative error value.
131 **/
132 int
133 gnutls_x509_crt_set_proxy_dn (gnutls_x509_crt_t crt, gnutls_x509_crt_t eecrt,
134 unsigned int raw_flag, const void *name,
135 unsigned int sizeof_name)
136 {
137 int result;
138
139 if (crt == NULL || eecrt == NULL)
140 {
141 return GNUTLS_E_INVALID_REQUEST;
142 }
143
144 result = asn1_copy_node (crt->cert, "tbsCertificate.subject",
145 eecrt->cert, "tbsCertificate.subject");
146 if (result != ASN1_SUCCESS)
147 {
148 gnutls_assert ();
149 return _gnutls_asn2err (result);
150 }
151
152 if (name && sizeof_name)
153 {
154 return _gnutls_x509_set_dn_oid (crt->cert, "tbsCertificate.subject",
155 GNUTLS_OID_X520_COMMON_NAME,
156 raw_flag, name, sizeof_name);
157 }
158
159 return 0;
160 }
161
162 /**
163 * gnutls_x509_crt_set_version:
164 * @crt: a certificate of type #gnutls_x509_crt_t
165 * @version: holds the version number. For X.509v1 certificates must be 1.
166 *
167 * This function will set the version of the certificate. This must
168 * be one for X.509 version 1, and so on. Plain certificates without
169 * extensions must have version set to one.
170 *
171 * To create well-formed certificates, you must specify version 3 if
172 * you use any certificate extensions. Extensions are created by
173 * functions such as gnutls_x509_crt_set_subject_alt_name()
174 * or gnutls_x509_crt_set_key_usage().
175 *
176 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
177 * negative error value.
178 **/
179 int
180 gnutls_x509_crt_set_version (gnutls_x509_crt_t crt, unsigned int version)
181 {
182 int result;
183 unsigned char null = version;
184
185 if (crt == NULL)
186 {
187 gnutls_assert ();
188 return GNUTLS_E_INVALID_REQUEST;
189 }
190
191 if (null > 0)
192 null--;
193
194 result = asn1_write_value (crt->cert, "tbsCertificate.version", &null, 1);
195 if (result != ASN1_SUCCESS)
196 {
197 gnutls_assert ();
198 return _gnutls_asn2err (result);
199 }
200
201 return 0;
202 }
203
204 /**
205 * gnutls_x509_crt_set_key:
206 * @crt: a certificate of type #gnutls_x509_crt_t
207 * @key: holds a private key
208 *
209 * This function will set the public parameters from the given
210 * private key to the certificate. Only RSA keys are currently
211 * supported.
212 *
213 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
214 * negative error value.
215 *
216 **/
217 int
218 gnutls_x509_crt_set_key (gnutls_x509_crt_t crt, gnutls_x509_privkey_t key)
219 {
220 int result;
221
222 if (crt == NULL)
223 {
224 gnutls_assert ();
225 return GNUTLS_E_INVALID_REQUEST;
226 }
227
228 result = _gnutls_x509_encode_and_copy_PKI_params (crt->cert,
229 "tbsCertificate.subjectPublicKeyInfo",
230 key->pk_algorithm,
231 &key->params);
232
233 if (result < 0)
234 {
235 gnutls_assert ();
236 return result;
237 }
238
239 return 0;
240 }
241
242 /**
243 * gnutls_x509_crt_set_crq:
244 * @crt: a certificate of type #gnutls_x509_crt_t
245 * @crq: holds a certificate request
246 *
247 * This function will set the name and public parameters as well as
248 * the extensions from the given certificate request to the certificate.
249 * Only RSA keys are currently supported.
250 *
251 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
252 * negative error value.
253 **/
254 int
255 gnutls_x509_crt_set_crq (gnutls_x509_crt_t crt, gnutls_x509_crq_t crq)
256 {
257 int result;
258
259 if (crt == NULL || crq == NULL)
260 {
261 gnutls_assert ();
262 return GNUTLS_E_INVALID_REQUEST;
263 }
264
265 result = gnutls_x509_crq_verify(crq, 0);
266 if (result < 0)
267 return gnutls_assert_val(result);
268
269 result = asn1_copy_node (crt->cert, "tbsCertificate.subject",
270 crq->crq, "certificationRequestInfo.subject");
271 if (result != ASN1_SUCCESS)
272 {
273 gnutls_assert ();
274 return _gnutls_asn2err (result);
275 }
276
277 result =
278 asn1_copy_node (crt->cert, "tbsCertificate.subjectPublicKeyInfo",
279 crq->crq, "certificationRequestInfo.subjectPKInfo");
280 if (result != ASN1_SUCCESS)
281 {
282 gnutls_assert ();
283 return _gnutls_asn2err (result);
284 }
285
286 return 0;
287 }
288
289 /**
290 * gnutls_x509_crt_set_crq_extensions:
291 * @crt: a certificate of type #gnutls_x509_crt_t
292 * @crq: holds a certificate request
293 *
294 * This function will set extensions from the given request to the
295 * certificate.
296 *
297 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
298 * negative error value.
299 *
300 * Since: 2.8.0
301 **/
302 int
303 gnutls_x509_crt_set_crq_extensions (gnutls_x509_crt_t crt,
304 gnutls_x509_crq_t crq)
305 {
306 size_t i;
307
308 if (crt == NULL || crq == NULL)
309 {
310 gnutls_assert ();
311 return GNUTLS_E_INVALID_REQUEST;
312 }
313
314 for (i = 0;; i++)
315 {
316 int result;
317 char oid[MAX_OID_SIZE];
318 size_t oid_size;
319 uint8_t *extensions;
320 size_t extensions_size;
321 unsigned int critical;
322 gnutls_datum_t ext;
323
324 oid_size = sizeof (oid);
325 result = gnutls_x509_crq_get_extension_info (crq, i, oid,
326 &oid_size, &critical);
327 if (result < 0)
328 {
329 if (result == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
330 break;
331
332 gnutls_assert ();
333 return result;
334 }
335
336 extensions_size = 0;
337 result = gnutls_x509_crq_get_extension_data (crq, i, NULL,
338 &extensions_size);
339 if (result < 0)
340 {
341 gnutls_assert ();
342 return result;
343 }
344
345 extensions = gnutls_malloc (extensions_size);
346 if (extensions == NULL)
347 {
348 gnutls_assert ();
349 return GNUTLS_E_MEMORY_ERROR;
350 }
351
352 result = gnutls_x509_crq_get_extension_data (crq, i, extensions,
353 &extensions_size);
354 if (result < 0)
355 {
356 gnutls_assert ();
357 gnutls_free (extensions);
358 return result;
359 }
360
361 ext.data = extensions;
362 ext.size = extensions_size;
363
364 result = _gnutls_x509_crt_set_extension (crt, oid, &ext, critical);
365 gnutls_free (extensions);
366 if (result < 0)
367 {
368 gnutls_assert ();
369 return result;
370 }
371 }
372
373 if (i > 0)
374 crt->use_extensions = 1;
375
376 return 0;
377 }
378
379 /**
380 * gnutls_x509_crt_set_extension_by_oid:
381 * @crt: a certificate of type #gnutls_x509_crt_t
382 * @oid: holds an Object Identified in null terminated string
383 * @buf: a pointer to a DER encoded data
384 * @sizeof_buf: holds the size of @buf
385 * @critical: should be non (0) if the extension is to be marked as critical
386 *
387 * This function will set an the extension, by the specified OID, in
388 * the certificate. The extension data should be binary data DER
389 * encoded.
390 *
391 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
392 * negative error value.
393 **/
394 int
395 gnutls_x509_crt_set_extension_by_oid (gnutls_x509_crt_t crt,
396 const char *oid, const void *buf,
397 size_t sizeof_buf,
398 unsigned int critical)
399 {
400 int result;
401 gnutls_datum_t der_data;
402
403 der_data.data = (void *) buf;
404 der_data.size = sizeof_buf;
405
406 if (crt == NULL)
407 {
408 gnutls_assert ();
409 return GNUTLS_E_INVALID_REQUEST;
410 }
411
412 result = _gnutls_x509_crt_set_extension (crt, oid, &der_data, critical);
413 if (result < 0)
414 {
415 gnutls_assert ();
416 return result;
417 }
418
419 crt->use_extensions = 1;
420
421 return 0;
422
423 }
424
425 /**
426 * gnutls_x509_crt_set_basic_constraints:
427 * @crt: a certificate of type #gnutls_x509_crt_t
428 * @ca: true(1) or false(0). Depending on the Certificate authority status.
429 * @pathLenConstraint: non-negative error codes indicate maximum length of path,
430 * and negative error codes indicate that the pathLenConstraints field should
431 * not be present.
432 *
433 * This function will set the basicConstraints certificate extension.
434 *
435 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
436 * negative error value.
437 **/
438 int
439 gnutls_x509_crt_set_basic_constraints (gnutls_x509_crt_t crt,
440 unsigned int ca, int pathLenConstraint)
441 {
442 int result;
443 gnutls_datum_t der_data;
444
445 if (crt == NULL)
446 {
447 gnutls_assert ();
448 return GNUTLS_E_INVALID_REQUEST;
449 }
450
451 /* generate the extension.
452 */
453 result = _gnutls_x509_ext_gen_basicConstraints (ca, pathLenConstraint,
454 &der_data);
455 if (result < 0)
456 {
457 gnutls_assert ();
458 return result;
459 }
460
461 result = _gnutls_x509_crt_set_extension (crt, "2.5.29.19", &der_data, 1);
462
463 _gnutls_free_datum (&der_data);
464
465 if (result < 0)
466 {
467 gnutls_assert ();
468 return result;
469 }
470
471 crt->use_extensions = 1;
472
473 return 0;
474 }
475
476 /**
477 * gnutls_x509_crt_set_ca_status:
478 * @crt: a certificate of type #gnutls_x509_crt_t
479 * @ca: true(1) or false(0). Depending on the Certificate authority status.
480 *
481 * This function will set the basicConstraints certificate extension.
482 * Use gnutls_x509_crt_set_basic_constraints() if you want to control
483 * the pathLenConstraint field too.
484 *
485 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
486 * negative error value.
487 **/
488 int
489 gnutls_x509_crt_set_ca_status (gnutls_x509_crt_t crt, unsigned int ca)
490 {
491 return gnutls_x509_crt_set_basic_constraints (crt, ca, -1);
492 }
493
494 /**
495 * gnutls_x509_crt_set_key_usage:
496 * @crt: a certificate of type #gnutls_x509_crt_t
497 * @usage: an ORed sequence of the GNUTLS_KEY_* elements.
498 *
499 * This function will set the keyUsage certificate extension.
500 *
501 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
502 * negative error value.
503 **/
504 int
505 gnutls_x509_crt_set_key_usage (gnutls_x509_crt_t crt, unsigned int usage)
506 {
507 int result;
508 gnutls_datum_t der_data;
509
510 if (crt == NULL)
511 {
512 gnutls_assert ();
513 return GNUTLS_E_INVALID_REQUEST;
514 }
515
516 /* generate the extension.
517 */
518 result = _gnutls_x509_ext_gen_keyUsage ((uint16_t) usage, &der_data);
519 if (result < 0)
520 {
521 gnutls_assert ();
522 return result;
523 }
524
525 result = _gnutls_x509_crt_set_extension (crt, "2.5.29.15", &der_data, 1);
526
527 _gnutls_free_datum (&der_data);
528
529 if (result < 0)
530 {
531 gnutls_assert ();
532 return result;
533 }
534
535 crt->use_extensions = 1;
536
537 return 0;
538 }
539
540 /**
541 * gnutls_x509_crt_set_subject_alternative_name:
542 * @crt: a certificate of type #gnutls_x509_crt_t
543 * @type: is one of the gnutls_x509_subject_alt_name_t enumerations
544 * @data_string: The data to be set, a (0) terminated string
545 *
546 * This function will set the subject alternative name certificate
547 * extension. This function assumes that data can be expressed as a null
548 * terminated string.
549 *
550 * The name of the function is unfortunate since it is incosistent with
551 * gnutls_x509_crt_get_subject_alt_name().
552 *
553 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
554 * negative error value.
555 **/
556 int
557 gnutls_x509_crt_set_subject_alternative_name (gnutls_x509_crt_t crt,
558 gnutls_x509_subject_alt_name_t
559 type, const char *data_string)
560 {
561 if (crt == NULL)
562 {
563 gnutls_assert ();
564 return GNUTLS_E_INVALID_REQUEST;
565 }
566
567 /* only handle text extensions */
568 if (type != GNUTLS_SAN_DNSNAME && type != GNUTLS_SAN_RFC822NAME &&
569 type != GNUTLS_SAN_URI)
570 {
571 gnutls_assert ();
572 return GNUTLS_E_INVALID_REQUEST;
573 }
574
575 return gnutls_x509_crt_set_subject_alt_name (crt, type, data_string,
576 strlen (data_string),
577 GNUTLS_FSAN_SET);
578 }
579
580 /**
581 * gnutls_x509_crt_set_subject_alt_name:
582 * @crt: a certificate of type #gnutls_x509_crt_t
583 * @type: is one of the gnutls_x509_subject_alt_name_t enumerations
584 * @data: The data to be set
585 * @data_size: The size of data to be set
586 * @flags: GNUTLS_FSAN_SET to clear previous data or GNUTLS_FSAN_APPEND to append.
587 *
588 * This function will set the subject alternative name certificate
589 * extension. It can set the following types:
590 *
591 * %GNUTLS_SAN_DNSNAME: as a text string
592 *
593 * %GNUTLS_SAN_RFC822NAME: as a text string
594 *
595 * %GNUTLS_SAN_URI: as a text string
596 *
597 * %GNUTLS_SAN_IPADDRESS: as a binary IP address (4 or 16 bytes)
598 *
599 * Other values can be set as binary values with the proper DER encoding.
600 *
601 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
602 * negative error value.
603 *
604 * Since: 2.6.0
605 **/
606 int
607 gnutls_x509_crt_set_subject_alt_name (gnutls_x509_crt_t crt,
608 gnutls_x509_subject_alt_name_t type,
609 const void *data,
610 unsigned int data_size,
611 unsigned int flags)
612 {
613 int result;
614 gnutls_datum_t der_data = { NULL, 0 };
615 gnutls_datum_t prev_der_data = { NULL, 0 };
616 unsigned int critical = 0;
617
618 if (crt == NULL)
619 {
620 gnutls_assert ();
621 return GNUTLS_E_INVALID_REQUEST;
622 }
623
624 /* Check if the extension already exists.
625 */
626
627 if (flags == GNUTLS_FSAN_APPEND)
628 {
629 result = _gnutls_x509_crt_get_extension (crt, "2.5.29.17", 0,
630 &prev_der_data, &critical);
631 if (result < 0 && result != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
632 {
633 gnutls_assert ();
634 return result;
635 }
636 }
637
638 /* generate the extension.
639 */
640 result = _gnutls_x509_ext_gen_subject_alt_name (type, data, data_size,
641 &prev_der_data, &der_data);
642
643 if (flags == GNUTLS_FSAN_APPEND)
644 _gnutls_free_datum (&prev_der_data);
645
646 if (result < 0)
647 {
648 gnutls_assert ();
649 goto finish;
650 }
651
652 result = _gnutls_x509_crt_set_extension (crt, "2.5.29.17", &der_data,
653 critical);
654
655 _gnutls_free_datum (&der_data);
656
657 if (result < 0)
658 {
659 gnutls_assert ();
660 return result;
661 }
662
663 crt->use_extensions = 1;
664
665 return 0;
666
667 finish:
668 _gnutls_free_datum (&prev_der_data);
669 return result;
670 }
671
672 /**
673 * gnutls_x509_crt_set_proxy:
674 * @crt: a certificate of type #gnutls_x509_crt_t
675 * @pathLenConstraint: non-negative error codes indicate maximum length of path,
676 * and negative error codes indicate that the pathLenConstraints field should
677 * not be present.
678 * @policyLanguage: OID describing the language of @policy.
679 * @policy: uint8_t byte array with policy language, can be %NULL
680 * @sizeof_policy: size of @policy.
681 *
682 * This function will set the proxyCertInfo extension.
683 *
684 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
685 * negative error value.
686 **/
687 int
688 gnutls_x509_crt_set_proxy (gnutls_x509_crt_t crt,
689 int pathLenConstraint,
690 const char *policyLanguage,
691 const char *policy, size_t sizeof_policy)
692 {
693 int result;
694 gnutls_datum_t der_data;
695
696 if (crt == NULL)
697 {
698 gnutls_assert ();
699 return GNUTLS_E_INVALID_REQUEST;
700 }
701
702 /* generate the extension.
703 */
704 result = _gnutls_x509_ext_gen_proxyCertInfo (pathLenConstraint,
705 policyLanguage,
706 policy, sizeof_policy,
707 &der_data);
708 if (result < 0)
709 {
710 gnutls_assert ();
711 return result;
712 }
713
714 result = _gnutls_x509_crt_set_extension (crt, "1.3.6.1.5.5.7.1.14",
715 &der_data, 1);
716
717 _gnutls_free_datum (&der_data);
718
719 if (result < 0)
720 {
721 gnutls_assert ();
722 return result;
723 }
724
725 crt->use_extensions = 1;
726
727 return 0;
728 }
729
730 /**
731 * gnutls_x509_crt_sign2:
732 * @crt: a certificate of type #gnutls_x509_crt_t
733 * @issuer: is the certificate of the certificate issuer
734 * @issuer_key: holds the issuer's private key
735 * @dig: The message digest to use, %GNUTLS_DIG_SHA1 is a safe choice
736 * @flags: must be 0
737 *
738 * This function will sign the certificate with the issuer's private key, and
739 * will copy the issuer's information into the certificate.
740 *
741 * This must be the last step in a certificate generation since all
742 * the previously set parameters are now signed.
743 *
744 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
745 * negative error value.
746 **/
747 int
748 gnutls_x509_crt_sign2 (gnutls_x509_crt_t crt, gnutls_x509_crt_t issuer,
749 gnutls_x509_privkey_t issuer_key,
750 gnutls_digest_algorithm_t dig, unsigned int flags)
751 {
752 int result;
753 gnutls_privkey_t privkey;
754
755 if (crt == NULL || issuer == NULL || issuer_key == NULL)
756 {
757 gnutls_assert ();
758 return GNUTLS_E_INVALID_REQUEST;
759 }
760
761 result = gnutls_privkey_init (&privkey);
762 if (result < 0)
763 {
764 gnutls_assert ();
765 return result;
766 }
767
768 result = gnutls_privkey_import_x509 (privkey, issuer_key, 0);
769 if (result < 0)
770 {
771 gnutls_assert ();
772 goto fail;
773 }
774
775 result = gnutls_x509_crt_privkey_sign (crt, issuer, privkey, dig, flags);
776 if (result < 0)
777 {
778 gnutls_assert ();
779 goto fail;
780 }
781
782 result = 0;
783
784 fail:
785 gnutls_privkey_deinit (privkey);
786
787 return result;
788 }
789
790 /**
791 * gnutls_x509_crt_sign:
792 * @crt: a certificate of type #gnutls_x509_crt_t
793 * @issuer: is the certificate of the certificate issuer
794 * @issuer_key: holds the issuer's private key
795 *
796 * This function is the same a gnutls_x509_crt_sign2() with no flags,
797 * and SHA1 as the hash algorithm.
798 *
799 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
800 * negative error value.
801 **/
802 int
803 gnutls_x509_crt_sign (gnutls_x509_crt_t crt, gnutls_x509_crt_t issuer,
804 gnutls_x509_privkey_t issuer_key)
805 {
806 return gnutls_x509_crt_sign2 (crt, issuer, issuer_key, GNUTLS_DIG_SHA1, 0);
807 }
808
809 /**
810 * gnutls_x509_crt_set_activation_time:
811 * @cert: a certificate of type #gnutls_x509_crt_t
812 * @act_time: The actual time
813 *
814 * This function will set the time this Certificate was or will be
815 * activated.
816 *
817 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
818 * negative error value.
819 **/
820 int
821 gnutls_x509_crt_set_activation_time (gnutls_x509_crt_t cert, time_t act_time)
822 {
823 if (cert == NULL)
824 {
825 gnutls_assert ();
826 return GNUTLS_E_INVALID_REQUEST;
827 }
828
829 return _gnutls_x509_set_time (cert->cert,
830 "tbsCertificate.validity.notBefore",
831 act_time);
832 }
833
834 /**
835 * gnutls_x509_crt_set_expiration_time:
836 * @cert: a certificate of type #gnutls_x509_crt_t
837 * @exp_time: The actual time
838 *
839 * This function will set the time this Certificate will expire.
840 *
841 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
842 * negative error value.
843 **/
844 int
845 gnutls_x509_crt_set_expiration_time (gnutls_x509_crt_t cert, time_t exp_time)
846 {
847 if (cert == NULL)
848 {
849 gnutls_assert ();
850 return GNUTLS_E_INVALID_REQUEST;
851 }
852 return _gnutls_x509_set_time (cert->cert,
853 "tbsCertificate.validity.notAfter", exp_time);
854 }
855
856 /**
857 * gnutls_x509_crt_set_serial:
858 * @cert: a certificate of type #gnutls_x509_crt_t
859 * @serial: The serial number
860 * @serial_size: Holds the size of the serial field.
861 *
862 * This function will set the X.509 certificate's serial number.
863 * Serial is not always a 32 or 64bit number. Some CAs use large
864 * serial numbers, thus it may be wise to handle it as something
865 * uint8_t.
866 *
867 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
868 * negative error value.
869 **/
870 int
871 gnutls_x509_crt_set_serial (gnutls_x509_crt_t cert, const void *serial,
872 size_t serial_size)
873 {
874 int ret;
875
876 if (cert == NULL)
877 {
878 gnutls_assert ();
879 return GNUTLS_E_INVALID_REQUEST;
880 }
881
882 ret =
883 asn1_write_value (cert->cert, "tbsCertificate.serialNumber", serial,
884 serial_size);
885 if (ret != ASN1_SUCCESS)
886 {
887 gnutls_assert ();
888 return _gnutls_asn2err (ret);
889 }
890
891 return 0;
892
893 }
894
895 /* If OPTIONAL fields have not been initialized then
896 * disable them.
897 */
898 static void
899 disable_optional_stuff (gnutls_x509_crt_t cert)
900 {
901
902 asn1_write_value (cert->cert, "tbsCertificate.issuerUniqueID", NULL, 0);
903
904 asn1_write_value (cert->cert, "tbsCertificate.subjectUniqueID", NULL, 0);
905
906 if (cert->use_extensions == 0)
907 {
908 _gnutls_debug_log ("Disabling X.509 extensions.\n");
909 asn1_write_value (cert->cert, "tbsCertificate.extensions", NULL, 0);
910 }
911
912 return;
913 }
914
915 /**
916 * gnutls_x509_crt_set_crl_dist_points:
917 * @crt: a certificate of type #gnutls_x509_crt_t
918 * @type: is one of the gnutls_x509_subject_alt_name_t enumerations
919 * @data_string: The data to be set
920 * @reason_flags: revocation reasons
921 *
922 * This function will set the CRL distribution points certificate extension.
923 *
924 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
925 * negative error value.
926 **/
927 int
928 gnutls_x509_crt_set_crl_dist_points (gnutls_x509_crt_t crt,
929 gnutls_x509_subject_alt_name_t type,
930 const void *data_string,
931 unsigned int reason_flags)
932 {
933 return gnutls_x509_crt_set_crl_dist_points2 (crt, type, data_string,
934 strlen (data_string),
935 reason_flags);
936 }
937
938 /**
939 * gnutls_x509_crt_set_crl_dist_points2:
940 * @crt: a certificate of type #gnutls_x509_crt_t
941 * @type: is one of the gnutls_x509_subject_alt_name_t enumerations
942 * @data: The data to be set
943 * @data_size: The data size
944 * @reason_flags: revocation reasons
945 *
946 * This function will set the CRL distribution points certificate extension.
947 *
948 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
949 * negative error value.
950 *
951 * Since: 2.6.0
952 **/
953 int
954 gnutls_x509_crt_set_crl_dist_points2 (gnutls_x509_crt_t crt,
955 gnutls_x509_subject_alt_name_t type,
956 const void *data,
957 unsigned int data_size,
958 unsigned int reason_flags)
959 {
960 int result;
961 gnutls_datum_t der_data = { NULL, 0 };
962 gnutls_datum_t oldname = { NULL, 0 };
963 unsigned int critical;
964
965 if (crt == NULL)
966 {
967 gnutls_assert ();
968 return GNUTLS_E_INVALID_REQUEST;
969 }
970
971 /* Check if the extension already exists.
972 */
973 result =
974 _gnutls_x509_crt_get_extension (crt, "2.5.29.31", 0, &oldname, &critical);
975
976 _gnutls_free_datum (&oldname);
977
978 if (result != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
979 {
980 gnutls_assert ();
981 return GNUTLS_E_INVALID_REQUEST;
982 }
983
984 /* generate the extension.
985 */
986 result =
987 _gnutls_x509_ext_gen_crl_dist_points (type, data, data_size,
988 reason_flags, &der_data);
989 if (result < 0)
990 {
991 gnutls_assert ();
992 return result;
993 }
994
995 result = _gnutls_x509_crt_set_extension (crt, "2.5.29.31", &der_data, 0);
996
997 _gnutls_free_datum (&der_data);
998
999 if (result < 0)
1000 {
1001 gnutls_assert ();
1002 return result;
1003 }
1004
1005 crt->use_extensions = 1;
1006
1007 return 0;
1008
1009 }
1010
1011 /**
1012 * gnutls_x509_crt_cpy_crl_dist_points:
1013 * @dst: a certificate of type #gnutls_x509_crt_t
1014 * @src: the certificate where the dist points will be copied from
1015 *
1016 * This function will copy the CRL distribution points certificate
1017 * extension, from the source to the destination certificate.
1018 * This may be useful to copy from a CA certificate to issued ones.
1019 *
1020 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
1021 * negative error value.
1022 **/
1023 int
1024 gnutls_x509_crt_cpy_crl_dist_points (gnutls_x509_crt_t dst,
1025 gnutls_x509_crt_t src)
1026 {
1027 int result;
1028 gnutls_datum_t der_data;
1029 unsigned int critical;
1030
1031 if (dst == NULL || src == NULL)
1032 {
1033 gnutls_assert ();
1034 return GNUTLS_E_INVALID_REQUEST;
1035 }
1036
1037 /* Check if the extension already exists.
1038 */
1039 result =
1040 _gnutls_x509_crt_get_extension (src, "2.5.29.31", 0, &der_data,
1041 &critical);
1042 if (result < 0)
1043 {
1044 gnutls_assert ();
1045 return result;
1046 }
1047
1048 result =
1049 _gnutls_x509_crt_set_extension (dst, "2.5.29.31", &der_data, critical);
1050 _gnutls_free_datum (&der_data);
1051
1052 if (result < 0)
1053 {
1054 gnutls_assert ();
1055 return result;
1056 }
1057
1058 dst->use_extensions = 1;
1059
1060 return 0;
1061 }
1062
1063 /**
1064 * gnutls_x509_crt_set_subject_key_id:
1065 * @cert: a certificate of type #gnutls_x509_crt_t
1066 * @id: The key ID
1067 * @id_size: Holds the size of the serial field.
1068 *
1069 * This function will set the X.509 certificate's subject key ID
1070 * extension.
1071 *
1072 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
1073 * negative error value.
1074 **/
1075 int
1076 gnutls_x509_crt_set_subject_key_id (gnutls_x509_crt_t cert,
1077 const void *id, size_t id_size)
1078 {
1079 int result;
1080 gnutls_datum_t old_id, der_data;
1081 unsigned int critical;
1082
1083 if (cert == NULL)
1084 {
1085 gnutls_assert ();
1086 return GNUTLS_E_INVALID_REQUEST;
1087 }
1088
1089 /* Check if the extension already exists.
1090 */
1091 result =
1092 _gnutls_x509_crt_get_extension (cert, "2.5.29.14", 0, &old_id, &critical);
1093
1094 if (result >= 0)
1095 _gnutls_free_datum (&old_id);
1096 if (result != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
1097 {
1098 gnutls_assert ();
1099 return GNUTLS_E_INVALID_REQUEST;
1100 }
1101
1102 /* generate the extension.
1103 */
1104 result = _gnutls_x509_ext_gen_key_id (id, id_size, &der_data);
1105 if (result < 0)
1106 {
1107 gnutls_assert ();
1108 return result;
1109 }
1110
1111 result = _gnutls_x509_crt_set_extension (cert, "2.5.29.14", &der_data, 0);
1112
1113 _gnutls_free_datum (&der_data);
1114
1115 if (result < 0)
1116 {
1117 gnutls_assert ();
1118 return result;
1119 }
1120
1121 cert->use_extensions = 1;
1122
1123 return 0;
1124 }
1125
1126 /**
1127 * gnutls_x509_crt_set_authority_key_id:
1128 * @cert: a certificate of type #gnutls_x509_crt_t
1129 * @id: The key ID
1130 * @id_size: Holds the size of the serial field.
1131 *
1132 * This function will set the X.509 certificate's authority key ID extension.
1133 * Only the keyIdentifier field can be set with this function.
1134 *
1135 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
1136 * negative error value.
1137 **/
1138 int
1139 gnutls_x509_crt_set_authority_key_id (gnutls_x509_crt_t cert,
1140 const void *id, size_t id_size)
1141 {
1142 int result;
1143 gnutls_datum_t old_id, der_data;
1144 unsigned int critical;
1145
1146 if (cert == NULL)
1147 {
1148 gnutls_assert ();
1149 return GNUTLS_E_INVALID_REQUEST;
1150 }
1151
1152 /* Check if the extension already exists.
1153 */
1154 result =
1155 _gnutls_x509_crt_get_extension (cert, "2.5.29.35", 0, &old_id, &critical);
1156
1157 if (result >= 0)
1158 _gnutls_free_datum (&old_id);
1159 if (result != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
1160 {
1161 gnutls_assert ();
1162 return GNUTLS_E_INVALID_REQUEST;
1163 }
1164
1165 /* generate the extension.
1166 */
1167 result = _gnutls_x509_ext_gen_auth_key_id (id, id_size, &der_data);
1168 if (result < 0)
1169 {
1170 gnutls_assert ();
1171 return result;
1172 }
1173
1174 result = _gnutls_x509_crt_set_extension (cert, "2.5.29.35", &der_data, 0);
1175
1176 _gnutls_free_datum (&der_data);
1177
1178 if (result < 0)
1179 {
1180 gnutls_assert ();
1181 return result;
1182 }
1183
1184 cert->use_extensions = 1;
1185
1186 return 0;
1187 }
1188
1189 /**
1190 * gnutls_x509_crt_set_key_purpose_oid:
1191 * @cert: a certificate of type #gnutls_x509_crt_t
1192 * @oid: a pointer to a null terminated string that holds the OID
1193 * @critical: Whether this extension will be critical or not
1194 *
1195 * This function will set the key purpose OIDs of the Certificate.
1196 * These are stored in the Extended Key Usage extension (2.5.29.37)
1197 * See the GNUTLS_KP_* definitions for human readable names.
1198 *
1199 * Subsequent calls to this function will append OIDs to the OID list.
1200 *
1201 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
1202 * otherwise a negative error code is returned.
1203 **/
1204 int
1205 gnutls_x509_crt_set_key_purpose_oid (gnutls_x509_crt_t cert,
1206 const void *oid, unsigned int critical)
1207 {
1208 int result;
1209 gnutls_datum_t old_id, der_data;
1210 ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
1211
1212 if (cert == NULL)
1213 {
1214 gnutls_assert ();
1215 return GNUTLS_E_INVALID_REQUEST;
1216 }
1217
1218 result = asn1_create_element
1219 (_gnutls_get_pkix (), "PKIX1.ExtKeyUsageSyntax", &c2);
1220 if (result != ASN1_SUCCESS)
1221 {
1222 gnutls_assert ();
1223 return _gnutls_asn2err (result);
1224 }
1225
1226 /* Check if the extension already exists.
1227 */
1228 result =
1229 _gnutls_x509_crt_get_extension (cert, "2.5.29.37", 0, &old_id, NULL);
1230
1231 if (result >= 0)
1232 {
1233 /* decode it.
1234 */
1235 result = asn1_der_decoding (&c2, old_id.data, old_id.size, NULL);
1236 _gnutls_free_datum (&old_id);
1237
1238 if (result != ASN1_SUCCESS)
1239 {
1240 gnutls_assert ();
1241 asn1_delete_structure (&c2);
1242 return _gnutls_asn2err (result);
1243 }
1244
1245 }
1246
1247 /* generate the extension.
1248 */
1249 /* 1. create a new element.
1250 */
1251 result = asn1_write_value (c2, "", "NEW", 1);
1252 if (result != ASN1_SUCCESS)
1253 {
1254 gnutls_assert ();
1255 asn1_delete_structure (&c2);
1256 return _gnutls_asn2err (result);
1257 }
1258
1259 /* 2. Add the OID.
1260 */
1261 result = asn1_write_value (c2, "?LAST", oid, 1);
1262 if (result != ASN1_SUCCESS)
1263 {
1264 gnutls_assert ();
1265 asn1_delete_structure (&c2);
1266 return _gnutls_asn2err (result);
1267 }
1268
1269 result = _gnutls_x509_der_encode (c2, "", &der_data, 0);
1270 asn1_delete_structure (&c2);
1271
1272 if (result != ASN1_SUCCESS)
1273 {
1274 gnutls_assert ();
1275 return _gnutls_asn2err (result);
1276 }
1277
1278 result = _gnutls_x509_crt_set_extension (cert, "2.5.29.37",
1279 &der_data, critical);
1280
1281 _gnutls_free_datum (&der_data);
1282
1283 if (result < 0)
1284 {
1285 gnutls_assert ();
1286 return result;
1287 }
1288
1289 cert->use_extensions = 1;
1290
1291 return 0;
1292
1293 }
1294
1295 /**
1296 * gnutls_x509_crt_privkey_sign:
1297 * @crt: a certificate of type #gnutls_x509_crt_t
1298 * @issuer: is the certificate of the certificate issuer
1299 * @issuer_key: holds the issuer's private key
1300 * @dig: The message digest to use, %GNUTLS_DIG_SHA1 is a safe choice
1301 * @flags: must be 0
1302 *
1303 * This function will sign the certificate with the issuer's private key, and
1304 * will copy the issuer's information into the certificate.
1305 *
1306 * This must be the last step in a certificate generation since all
1307 * the previously set parameters are now signed.
1308 *
1309 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
1310 * negative error value.
1311 **/
1312 int
1313 gnutls_x509_crt_privkey_sign (gnutls_x509_crt_t crt, gnutls_x509_crt_t issuer,
1314 gnutls_privkey_t issuer_key,
1315 gnutls_digest_algorithm_t dig,
1316 unsigned int flags)
1317 {
1318 int result;
1319
1320 if (crt == NULL || issuer == NULL || issuer_key == NULL)
1321 {
1322 gnutls_assert ();
1323 return GNUTLS_E_INVALID_REQUEST;
1324 }
1325
1326 /* disable all the unneeded OPTIONAL fields.
1327 */
1328 disable_optional_stuff (crt);
1329
1330 result = _gnutls_x509_pkix_sign (crt->cert, "tbsCertificate",
1331 dig, issuer, issuer_key);
1332 if (result < 0)
1333 {
1334 gnutls_assert ();
1335 return result;
1336 }
1337
1338 return 0;
1339 }
Implementation of the SSL/TLS protocol