search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Check the key usage bits during certificate verification.
[gnutls.git] / lib / x509 / x509_write.c
blob40cd55ba8807251d4bd3a4125e3d17b1b1a72dde
1 /*
2 * Copyright (C) 2003-2012 Free Software Foundation, Inc.
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GnuTLS.
7 *
8 * The GnuTLS is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 3 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>
20 *
21 */
22
23 /* This file contains functions to handle X.509 certificate generation.
24 */
25
26 #include <gnutls_int.h>
27
28 #include <gnutls_datum.h>
29 #include <gnutls_global.h>
30 #include <gnutls_errors.h>
31 #include <common.h>
32 #include <gnutls_x509.h>
33 #include <x509_b64.h>
34 #include "x509_int.h"
35 #include <libtasn1.h>
36
37 static void disable_optional_stuff (gnutls_x509_crt_t cert);
38
39 /**
40 * gnutls_x509_crt_set_dn_by_oid:
41 * @crt: a certificate of type #gnutls_x509_crt_t
42 * @oid: holds an Object Identifier in a null terminated string
43 * @raw_flag: must be 0, or 1 if the data are DER encoded
44 * @name: a pointer to the name
45 * @sizeof_name: holds the size of @name
46 *
47 * This function will set the part of the name of the Certificate
48 * subject, specified by the given OID. The input string should be
49 * ASCII or UTF-8 encoded.
50 *
51 * Some helper macros with popular OIDs can be found in gnutls/x509.h
52 * With this function you can only set the known OIDs. You can test
53 * for known OIDs using gnutls_x509_dn_oid_known(). For OIDs that are
54 * not known (by gnutls) you should properly DER encode your data,
55 * and call this function with @raw_flag set.
56 *
57 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
58 * negative error value.
59 **/
60 int
61 gnutls_x509_crt_set_dn_by_oid (gnutls_x509_crt_t crt, const char *oid,
62 unsigned int raw_flag, const void *name,
63 unsigned int sizeof_name)
64 {
65 if (sizeof_name == 0 || name == NULL || crt == NULL)
66 {
67 return GNUTLS_E_INVALID_REQUEST;
68 }
69
70 return _gnutls_x509_set_dn_oid (crt->cert, "tbsCertificate.subject",
71 oid, raw_flag, name, sizeof_name);
72 }
73
74 /**
75 * gnutls_x509_crt_set_issuer_dn_by_oid:
76 * @crt: a certificate of type #gnutls_x509_crt_t
77 * @oid: holds an Object Identifier in a null terminated string
78 * @raw_flag: must be 0, or 1 if the data are DER encoded
79 * @name: a pointer to the name
80 * @sizeof_name: holds the size of @name
81 *
82 * This function will set the part of the name of the Certificate
83 * issuer, specified by the given OID. The input string should be
84 * ASCII or UTF-8 encoded.
85 *
86 * Some helper macros with popular OIDs can be found in gnutls/x509.h
87 * With this function you can only set the known OIDs. You can test
88 * for known OIDs using gnutls_x509_dn_oid_known(). For OIDs that are
89 * not known (by gnutls) you should properly DER encode your data,
90 * and call this function with @raw_flag set.
91 *
92 * Normally you do not need to call this function, since the signing
93 * operation will copy the signer's name as the issuer of the
94 * certificate.
95 *
96 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
97 * negative error value.
98 **/
99 int
100 gnutls_x509_crt_set_issuer_dn_by_oid (gnutls_x509_crt_t crt,
101 const char *oid,
102 unsigned int raw_flag,
103 const void *name,
104 unsigned int sizeof_name)
105 {
106 if (sizeof_name == 0 || name == NULL || crt == NULL)
107 {
108 return GNUTLS_E_INVALID_REQUEST;
109 }
110
111 return _gnutls_x509_set_dn_oid (crt->cert, "tbsCertificate.issuer", oid,
112 raw_flag, name, sizeof_name);
113 }
114
115 /**
116 * gnutls_x509_crt_set_proxy_dn:
117 * @crt: a gnutls_x509_crt_t structure with the new proxy cert
118 * @eecrt: the end entity certificate that will be issuing the proxy
119 * @raw_flag: must be 0, or 1 if the CN is DER encoded
120 * @name: a pointer to the CN name, may be NULL (but MUST then be added later)
121 * @sizeof_name: holds the size of @name
122 *
123 * This function will set the subject in @crt to the end entity's
124 * @eecrt subject name, and add a single Common Name component @name
125 * of size @sizeof_name. This corresponds to the required proxy
126 * certificate naming style. Note that if @name is %NULL, you MUST
127 * set it later by using gnutls_x509_crt_set_dn_by_oid() or similar.
128 *
129 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
130 * negative error value.
131 **/
132 int
133 gnutls_x509_crt_set_proxy_dn (gnutls_x509_crt_t crt, gnutls_x509_crt_t eecrt,
134 unsigned int raw_flag, const void *name,
135 unsigned int sizeof_name)
136 {
137 int result;
138
139 if (crt == NULL || eecrt == NULL)
140 {
141 return GNUTLS_E_INVALID_REQUEST;
142 }
143
144 result = asn1_copy_node (crt->cert, "tbsCertificate.subject",
145 eecrt->cert, "tbsCertificate.subject");
146 if (result != ASN1_SUCCESS)
147 {
148 gnutls_assert ();
149 return _gnutls_asn2err (result);
150 }
151
152 if (name && sizeof_name)
153 {
154 return _gnutls_x509_set_dn_oid (crt->cert, "tbsCertificate.subject",
155 GNUTLS_OID_X520_COMMON_NAME,
156 raw_flag, name, sizeof_name);
157 }
158
159 return 0;
160 }
161
162 /**
163 * gnutls_x509_crt_set_version:
164 * @crt: a certificate of type #gnutls_x509_crt_t
165 * @version: holds the version number. For X.509v1 certificates must be 1.
166 *
167 * This function will set the version of the certificate. This must
168 * be one for X.509 version 1, and so on. Plain certificates without
169 * extensions must have version set to one.
170 *
171 * To create well-formed certificates, you must specify version 3 if
172 * you use any certificate extensions. Extensions are created by
173 * functions such as gnutls_x509_crt_set_subject_alt_name()
174 * or gnutls_x509_crt_set_key_usage().
175 *
176 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
177 * negative error value.
178 **/
179 int
180 gnutls_x509_crt_set_version (gnutls_x509_crt_t crt, unsigned int version)
181 {
182 int result;
183 unsigned char null = version;
184
185 if (crt == NULL)
186 {
187 gnutls_assert ();
188 return GNUTLS_E_INVALID_REQUEST;
189 }
190
191 if (null > 0)
192 null--;
193
194 result = asn1_write_value (crt->cert, "tbsCertificate.version", &null, 1);
195 if (result != ASN1_SUCCESS)
196 {
197 gnutls_assert ();
198 return _gnutls_asn2err (result);
199 }
200
201 return 0;
202 }
203
204 /**
205 * gnutls_x509_crt_set_key:
206 * @crt: a certificate of type #gnutls_x509_crt_t
207 * @key: holds a private key
208 *
209 * This function will set the public parameters from the given
210 * private key to the certificate. Only RSA keys are currently
211 * supported.
212 *
213 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
214 * negative error value.
215 *
216 **/
217 int
218 gnutls_x509_crt_set_key (gnutls_x509_crt_t crt, gnutls_x509_privkey_t key)
219 {
220 int result;
221
222 if (crt == NULL)
223 {
224 gnutls_assert ();
225 return GNUTLS_E_INVALID_REQUEST;
226 }
227
228 result = _gnutls_x509_encode_and_copy_PKI_params (crt->cert,
229 "tbsCertificate.subjectPublicKeyInfo",
230 key->pk_algorithm,
231 &key->params);
232
233 if (result < 0)
234 {
235 gnutls_assert ();
236 return result;
237 }
238
239 return 0;
240 }
241
242 /**
243 * gnutls_x509_crt_set_crq:
244 * @crt: a certificate of type #gnutls_x509_crt_t
245 * @crq: holds a certificate request
246 *
247 * This function will set the name and public parameters as well as
248 * the extensions from the given certificate request to the certificate.
249 * Only RSA keys are currently supported.
250 *
251 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
252 * negative error value.
253 **/
254 int
255 gnutls_x509_crt_set_crq (gnutls_x509_crt_t crt, gnutls_x509_crq_t crq)
256 {
257 int result;
258
259 if (crt == NULL || crq == NULL)
260 {
261 gnutls_assert ();
262 return GNUTLS_E_INVALID_REQUEST;
263 }
264
265 result = gnutls_x509_crq_verify(crq, 0);
266 if (result < 0)
267 return gnutls_assert_val(result);
268
269 result = asn1_copy_node (crt->cert, "tbsCertificate.subject",
270 crq->crq, "certificationRequestInfo.subject");
271 if (result != ASN1_SUCCESS)
272 {
273 gnutls_assert ();
274 return _gnutls_asn2err (result);
275 }
276
277 result =
278 asn1_copy_node (crt->cert, "tbsCertificate.subjectPublicKeyInfo",
279 crq->crq, "certificationRequestInfo.subjectPKInfo");
280 if (result != ASN1_SUCCESS)
281 {
282 gnutls_assert ();
283 return _gnutls_asn2err (result);
284 }
285
286 return 0;
287 }
288
289 /**
290 * gnutls_x509_crt_set_crq_extensions:
291 * @crt: a certificate of type #gnutls_x509_crt_t
292 * @crq: holds a certificate request
293 *
294 * This function will set extensions from the given request to the
295 * certificate.
296 *
297 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
298 * negative error value.
299 *
300 * Since: 2.8.0
301 **/
302 int
303 gnutls_x509_crt_set_crq_extensions (gnutls_x509_crt_t crt,
304 gnutls_x509_crq_t crq)
305 {
306 size_t i;
307
308 if (crt == NULL || crq == NULL)
309 {
310 gnutls_assert ();
311 return GNUTLS_E_INVALID_REQUEST;
312 }
313
314 for (i = 0;; i++)
315 {
316 int result;
317 char oid[MAX_OID_SIZE];
318 size_t oid_size;
319 uint8_t *extensions;
320 size_t extensions_size;
321 unsigned int critical;
322 gnutls_datum_t ext;
323
324 oid_size = sizeof (oid);
325 result = gnutls_x509_crq_get_extension_info (crq, i, oid,
326 &oid_size, &critical);
327 if (result < 0)
328 {
329 if (result == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
330 break;
331
332 gnutls_assert ();
333 return result;
334 }
335
336 extensions_size = 0;
337 result = gnutls_x509_crq_get_extension_data (crq, i, NULL,
338 &extensions_size);
339 if (result < 0)
340 {
341 gnutls_assert ();
342 return result;
343 }
344
345 extensions = gnutls_malloc (extensions_size);
346 if (extensions == NULL)
347 {
348 gnutls_assert ();
349 return GNUTLS_E_MEMORY_ERROR;
350 }
351
352 result = gnutls_x509_crq_get_extension_data (crq, i, extensions,
353 &extensions_size);
354 if (result < 0)
355 {
356 gnutls_assert ();
357 gnutls_free (extensions);
358 return result;
359 }
360
361 ext.data = extensions;
362 ext.size = extensions_size;
363
364 result = _gnutls_x509_crt_set_extension (crt, oid, &ext, critical);
365 gnutls_free (extensions);
366 if (result < 0)
367 {
368 gnutls_assert ();
369 return result;
370 }
371 }
372
373 if (i > 0)
374 crt->use_extensions = 1;
375
376 return 0;
377 }
378
379 /**
380 * gnutls_x509_crt_set_extension_by_oid:
381 * @crt: a certificate of type #gnutls_x509_crt_t
382 * @oid: holds an Object Identified in null terminated string
383 * @buf: a pointer to a DER encoded data
384 * @sizeof_buf: holds the size of @buf
385 * @critical: should be non (0) if the extension is to be marked as critical
386 *
387 * This function will set an the extension, by the specified OID, in
388 * the certificate. The extension data should be binary data DER
389 * encoded.
390 *
391 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
392 * negative error value.
393 **/
394 int
395 gnutls_x509_crt_set_extension_by_oid (gnutls_x509_crt_t crt,
396 const char *oid, const void *buf,
397 size_t sizeof_buf,
398 unsigned int critical)
399 {
400 int result;
401 gnutls_datum_t der_data;
402
403 der_data.data = (void *) buf;
404 der_data.size = sizeof_buf;
405
406 if (crt == NULL)
407 {
408 gnutls_assert ();
409 return GNUTLS_E_INVALID_REQUEST;
410 }
411
412 result = _gnutls_x509_crt_set_extension (crt, oid, &der_data, critical);
413 if (result < 0)
414 {
415 gnutls_assert ();
416 return result;
417 }
418
419 crt->use_extensions = 1;
420
421 return 0;
422
423 }
424
425 /**
426 * gnutls_x509_crt_set_basic_constraints:
427 * @crt: a certificate of type #gnutls_x509_crt_t
428 * @ca: true(1) or false(0). Depending on the Certificate authority status.
429 * @pathLenConstraint: non-negative error codes indicate maximum length of path,
430 * and negative error codes indicate that the pathLenConstraints field should
431 * not be present.
432 *
433 * This function will set the basicConstraints certificate extension.
434 *
435 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
436 * negative error value.
437 **/
438 int
439 gnutls_x509_crt_set_basic_constraints (gnutls_x509_crt_t crt,
440 unsigned int ca, int pathLenConstraint)
441 {
442 int result;
443 gnutls_datum_t der_data;
444
445 if (crt == NULL)
446 {
447 gnutls_assert ();
448 return GNUTLS_E_INVALID_REQUEST;
449 }
450
451 /* generate the extension.
452 */
453 result = _gnutls_x509_ext_gen_basicConstraints (ca, pathLenConstraint,
454 &der_data);
455 if (result < 0)
456 {
457 gnutls_assert ();
458 return result;
459 }
460
461 result = _gnutls_x509_crt_set_extension (crt, "2.5.29.19", &der_data, 1);
462
463 _gnutls_free_datum (&der_data);
464
465 if (result < 0)
466 {
467 gnutls_assert ();
468 return result;
469 }
470
471 crt->use_extensions = 1;
472
473 return 0;
474 }
475
476 /**
477 * gnutls_x509_crt_set_ca_status:
478 * @crt: a certificate of type #gnutls_x509_crt_t
479 * @ca: true(1) or false(0). Depending on the Certificate authority status.
480 *
481 * This function will set the basicConstraints certificate extension.
482 * Use gnutls_x509_crt_set_basic_constraints() if you want to control
483 * the pathLenConstraint field too.
484 *
485 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
486 * negative error value.
487 **/
488 int
489 gnutls_x509_crt_set_ca_status (gnutls_x509_crt_t crt, unsigned int ca)
490 {
491 return gnutls_x509_crt_set_basic_constraints (crt, ca, -1);
492 }
493
494 /**
495 * gnutls_x509_crt_set_key_usage:
496 * @crt: a certificate of type #gnutls_x509_crt_t
497 * @usage: an ORed sequence of the GNUTLS_KEY_* elements.
498 *
499 * This function will set the keyUsage certificate extension.
500 *
501 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
502 * negative error value.
503 **/
504 int
505 gnutls_x509_crt_set_key_usage (gnutls_x509_crt_t crt, unsigned int usage)
506 {
507 int result;
508 gnutls_datum_t der_data;
509
510 if (crt == NULL)
511 {
512 gnutls_assert ();
513 return GNUTLS_E_INVALID_REQUEST;
514 }
515
516 /* generate the extension.
517 */
518 result = _gnutls_x509_ext_gen_keyUsage ((uint16_t) usage, &der_data);
519 if (result < 0)
520 {
521 gnutls_assert ();
522 return result;
523 }
524
525 result = _gnutls_x509_crt_set_extension (crt, "2.5.29.15", &der_data, 1);
526
527 _gnutls_free_datum (&der_data);
528
529 if (result < 0)
530 {
531 gnutls_assert ();
532 return result;
533 }
534
535 crt->use_extensions = 1;
536
537 return 0;
538 }
539
540 /**
541 * gnutls_x509_crt_set_subject_alternative_name:
542 * @crt: a certificate of type #gnutls_x509_crt_t
543 * @type: is one of the gnutls_x509_subject_alt_name_t enumerations
544 * @data_string: The data to be set, a (0) terminated string
545 *
546 * This function will set the subject alternative name certificate
547 * extension. This function assumes that data can be expressed as a null
548 * terminated string.
549 *
550 * The name of the function is unfortunate since it is incosistent with
551 * gnutls_x509_crt_get_subject_alt_name().
552 *
553 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
554 * negative error value.
555 **/
556 int
557 gnutls_x509_crt_set_subject_alternative_name (gnutls_x509_crt_t crt,
558 gnutls_x509_subject_alt_name_t
559 type, const char *data_string)
560 {
561 if (crt == NULL)
562 {
563 gnutls_assert ();
564 return GNUTLS_E_INVALID_REQUEST;
565 }
566
567 /* only handle text extensions */
568 if (type != GNUTLS_SAN_DNSNAME && type != GNUTLS_SAN_RFC822NAME &&
569 type != GNUTLS_SAN_URI)
570 {
571 gnutls_assert ();
572 return GNUTLS_E_INVALID_REQUEST;
573 }
574
575 return gnutls_x509_crt_set_subject_alt_name (crt, type, data_string,
576 strlen (data_string),
577 GNUTLS_FSAN_SET);
578 }
579
580 /**
581 * gnutls_x509_crt_set_subject_alt_name:
582 * @crt: a certificate of type #gnutls_x509_crt_t
583 * @type: is one of the gnutls_x509_subject_alt_name_t enumerations
584 * @data: The data to be set
585 * @data_size: The size of data to be set
586 * @flags: GNUTLS_FSAN_SET to clear previous data or GNUTLS_FSAN_APPEND to append.
587 *
588 * This function will set the subject alternative name certificate
589 * extension. It can set the following types:
590 *
591 * %GNUTLS_SAN_DNSNAME: as a text string
592 *
593 * %GNUTLS_SAN_RFC822NAME: as a text string
594 *
595 * %GNUTLS_SAN_URI: as a text string
596 *
597 * %GNUTLS_SAN_IPADDRESS: as a binary IP address (4 or 16 bytes)
598 *
599 * Other values can be set as binary values with the proper DER encoding.
600 *
601 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
602 * negative error value.
603 *
604 * Since: 2.6.0
605 **/
606 int
607 gnutls_x509_crt_set_subject_alt_name (gnutls_x509_crt_t crt,
608 gnutls_x509_subject_alt_name_t type,
609 const void *data,
610 unsigned int data_size,
611 unsigned int flags)
612 {
613 int result;
614 gnutls_datum_t der_data = { NULL, 0 };
615 gnutls_datum_t prev_der_data = { NULL, 0 };
616 unsigned int critical = 0;
617
618 if (crt == NULL)
619 {
620 gnutls_assert ();
621 return GNUTLS_E_INVALID_REQUEST;
622 }
623
624 /* Check if the extension already exists.
625 */
626
627 if (flags == GNUTLS_FSAN_APPEND)
628 {
629 result = _gnutls_x509_crt_get_extension (crt, "2.5.29.17", 0,
630 &prev_der_data, &critical);
631 if (result < 0 && result != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
632 {
633 gnutls_assert ();
634 return result;
635 }
636 }
637
638 /* generate the extension.
639 */
640 result = _gnutls_x509_ext_gen_subject_alt_name (type, data, data_size,
641 &prev_der_data, &der_data);
642
643 if (flags == GNUTLS_FSAN_APPEND)
644 _gnutls_free_datum (&prev_der_data);
645
646 if (result < 0)
647 {
648 gnutls_assert ();
649 goto finish;
650 }
651
652 result = _gnutls_x509_crt_set_extension (crt, "2.5.29.17", &der_data,
653 critical);
654
655 _gnutls_free_datum (&der_data);
656
657 if (result < 0)
658 {
659 gnutls_assert ();
660 return result;
661 }
662
663 crt->use_extensions = 1;
664
665 return 0;
666
667 finish:
668 _gnutls_free_datum (&prev_der_data);
669 return result;
670 }
671
672 /**
673 * gnutls_x509_crt_set_proxy:
674 * @crt: a certificate of type #gnutls_x509_crt_t
675 * @pathLenConstraint: non-negative error codes indicate maximum length of path,
676 * and negative error codes indicate that the pathLenConstraints field should
677 * not be present.
678 * @policyLanguage: OID describing the language of @policy.
679 * @policy: uint8_t byte array with policy language, can be %NULL
680 * @sizeof_policy: size of @policy.
681 *
682 * This function will set the proxyCertInfo extension.
683 *
684 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
685 * negative error value.
686 **/
687 int
688 gnutls_x509_crt_set_proxy (gnutls_x509_crt_t crt,
689 int pathLenConstraint,
690 const char *policyLanguage,
691 const char *policy, size_t sizeof_policy)
692 {
693 int result;
694 gnutls_datum_t der_data;
695
696 if (crt == NULL)
697 {
698 gnutls_assert ();
699 return GNUTLS_E_INVALID_REQUEST;
700 }
701
702 /* generate the extension.
703 */
704 result = _gnutls_x509_ext_gen_proxyCertInfo (pathLenConstraint,
705 policyLanguage,
706 policy, sizeof_policy,
707 &der_data);
708 if (result < 0)
709 {
710 gnutls_assert ();
711 return result;
712 }
713
714 result = _gnutls_x509_crt_set_extension (crt, "1.3.6.1.5.5.7.1.14",
715 &der_data, 1);
716
717 _gnutls_free_datum (&der_data);
718
719 if (result < 0)
720 {
721 gnutls_assert ();
722 return result;
723 }
724
725 crt->use_extensions = 1;
726
727 return 0;
728 }
729
730 /**
731 * gnutls_x509_crt_set_private_key_usage_period:
732 * @crt: a certificate of type #gnutls_x509_crt_t
733 * @activation: The activation time
734 * @expiration: The expiration time
735 *
736 * This function will set the private key usage period extension (2.5.29.16).
737 *
738 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
739 * negative error value.
740 **/
741 int
742 gnutls_x509_crt_set_private_key_usage_period (gnutls_x509_crt_t crt,
743 time_t activation,
744 time_t expiration)
745 {
746 int result;
747 gnutls_datum_t der_data;
748 ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
749
750 if (crt == NULL)
751 {
752 gnutls_assert ();
753 return GNUTLS_E_INVALID_REQUEST;
754 }
755
756 result =
757 asn1_create_element (_gnutls_get_pkix (), "PKIX1.PrivateKeyUsagePeriod", &c2);
758 if (result != ASN1_SUCCESS)
759 {
760 gnutls_assert ();
761 return _gnutls_asn2err (result);
762 }
763
764 result = _gnutls_x509_set_time (c2,
765 "notBefore",
766 activation, 1);
767 if (result < 0)
768 {
769 gnutls_assert();
770 goto cleanup;
771 }
772
773 result = _gnutls_x509_set_time (c2,
774 "notAfter",
775 expiration, 1);
776 if (result < 0)
777 {
778 gnutls_assert();
779 goto cleanup;
780 }
781
782 result = _gnutls_x509_der_encode (c2, "", &der_data, 0);
783 if (result < 0)
784 {
785 gnutls_assert();
786 goto cleanup;
787 }
788
789 result = _gnutls_x509_crt_set_extension (crt, "2.5.29.16",
790 &der_data, 0);
791
792 _gnutls_free_datum(&der_data);
793
794 crt->use_extensions = 1;
795
796 cleanup:
797 asn1_delete_structure (&c2);
798
799 return result;
800 }
801
802 /**
803 * gnutls_x509_crt_sign2:
804 * @crt: a certificate of type #gnutls_x509_crt_t
805 * @issuer: is the certificate of the certificate issuer
806 * @issuer_key: holds the issuer's private key
807 * @dig: The message digest to use, %GNUTLS_DIG_SHA1 is a safe choice
808 * @flags: must be 0
809 *
810 * This function will sign the certificate with the issuer's private key, and
811 * will copy the issuer's information into the certificate.
812 *
813 * This must be the last step in a certificate generation since all
814 * the previously set parameters are now signed.
815 *
816 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
817 * negative error value.
818 **/
819 int
820 gnutls_x509_crt_sign2 (gnutls_x509_crt_t crt, gnutls_x509_crt_t issuer,
821 gnutls_x509_privkey_t issuer_key,
822 gnutls_digest_algorithm_t dig, unsigned int flags)
823 {
824 int result;
825 gnutls_privkey_t privkey;
826
827 if (crt == NULL || issuer == NULL || issuer_key == NULL)
828 {
829 gnutls_assert ();
830 return GNUTLS_E_INVALID_REQUEST;
831 }
832
833 result = gnutls_privkey_init (&privkey);
834 if (result < 0)
835 {
836 gnutls_assert ();
837 return result;
838 }
839
840 result = gnutls_privkey_import_x509 (privkey, issuer_key, 0);
841 if (result < 0)
842 {
843 gnutls_assert ();
844 goto fail;
845 }
846
847 result = gnutls_x509_crt_privkey_sign (crt, issuer, privkey, dig, flags);
848 if (result < 0)
849 {
850 gnutls_assert ();
851 goto fail;
852 }
853
854 result = 0;
855
856 fail:
857 gnutls_privkey_deinit (privkey);
858
859 return result;
860 }
861
862 /**
863 * gnutls_x509_crt_sign:
864 * @crt: a certificate of type #gnutls_x509_crt_t
865 * @issuer: is the certificate of the certificate issuer
866 * @issuer_key: holds the issuer's private key
867 *
868 * This function is the same a gnutls_x509_crt_sign2() with no flags,
869 * and SHA1 as the hash algorithm.
870 *
871 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
872 * negative error value.
873 **/
874 int
875 gnutls_x509_crt_sign (gnutls_x509_crt_t crt, gnutls_x509_crt_t issuer,
876 gnutls_x509_privkey_t issuer_key)
877 {
878 return gnutls_x509_crt_sign2 (crt, issuer, issuer_key, GNUTLS_DIG_SHA1, 0);
879 }
880
881 /**
882 * gnutls_x509_crt_set_activation_time:
883 * @cert: a certificate of type #gnutls_x509_crt_t
884 * @act_time: The actual time
885 *
886 * This function will set the time this Certificate was or will be
887 * activated.
888 *
889 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
890 * negative error value.
891 **/
892 int
893 gnutls_x509_crt_set_activation_time (gnutls_x509_crt_t cert, time_t act_time)
894 {
895 if (cert == NULL)
896 {
897 gnutls_assert ();
898 return GNUTLS_E_INVALID_REQUEST;
899 }
900
901 return _gnutls_x509_set_time (cert->cert,
902 "tbsCertificate.validity.notBefore",
903 act_time, 0);
904 }
905
906 /**
907 * gnutls_x509_crt_set_expiration_time:
908 * @cert: a certificate of type #gnutls_x509_crt_t
909 * @exp_time: The actual time
910 *
911 * This function will set the time this Certificate will expire.
912 *
913 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
914 * negative error value.
915 **/
916 int
917 gnutls_x509_crt_set_expiration_time (gnutls_x509_crt_t cert, time_t exp_time)
918 {
919 if (cert == NULL)
920 {
921 gnutls_assert ();
922 return GNUTLS_E_INVALID_REQUEST;
923 }
924 return _gnutls_x509_set_time (cert->cert,
925 "tbsCertificate.validity.notAfter", exp_time, 0);
926 }
927
928 /**
929 * gnutls_x509_crt_set_serial:
930 * @cert: a certificate of type #gnutls_x509_crt_t
931 * @serial: The serial number
932 * @serial_size: Holds the size of the serial field.
933 *
934 * This function will set the X.509 certificate's serial number.
935 * Serial is not always a 32 or 64bit number. Some CAs use large
936 * serial numbers, thus it may be wise to handle it as something
937 * uint8_t.
938 *
939 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
940 * negative error value.
941 **/
942 int
943 gnutls_x509_crt_set_serial (gnutls_x509_crt_t cert, const void *serial,
944 size_t serial_size)
945 {
946 int ret;
947
948 if (cert == NULL)
949 {
950 gnutls_assert ();
951 return GNUTLS_E_INVALID_REQUEST;
952 }
953
954 ret =
955 asn1_write_value (cert->cert, "tbsCertificate.serialNumber", serial,
956 serial_size);
957 if (ret != ASN1_SUCCESS)
958 {
959 gnutls_assert ();
960 return _gnutls_asn2err (ret);
961 }
962
963 return 0;
964
965 }
966
967 /* If OPTIONAL fields have not been initialized then
968 * disable them.
969 */
970 static void
971 disable_optional_stuff (gnutls_x509_crt_t cert)
972 {
973
974 asn1_write_value (cert->cert, "tbsCertificate.issuerUniqueID", NULL, 0);
975
976 asn1_write_value (cert->cert, "tbsCertificate.subjectUniqueID", NULL, 0);
977
978 if (cert->use_extensions == 0)
979 {
980 _gnutls_debug_log ("Disabling X.509 extensions.\n");
981 asn1_write_value (cert->cert, "tbsCertificate.extensions", NULL, 0);
982 }
983
984 return;
985 }
986
987 /**
988 * gnutls_x509_crt_set_crl_dist_points:
989 * @crt: a certificate of type #gnutls_x509_crt_t
990 * @type: is one of the gnutls_x509_subject_alt_name_t enumerations
991 * @data_string: The data to be set
992 * @reason_flags: revocation reasons
993 *
994 * This function will set the CRL distribution points certificate extension.
995 *
996 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
997 * negative error value.
998 **/
999 int
1000 gnutls_x509_crt_set_crl_dist_points (gnutls_x509_crt_t crt,
1001 gnutls_x509_subject_alt_name_t type,
1002 const void *data_string,
1003 unsigned int reason_flags)
1004 {
1005 return gnutls_x509_crt_set_crl_dist_points2 (crt, type, data_string,
1006 strlen (data_string),
1007 reason_flags);
1008 }
1009
1010 /**
1011 * gnutls_x509_crt_set_crl_dist_points2:
1012 * @crt: a certificate of type #gnutls_x509_crt_t
1013 * @type: is one of the gnutls_x509_subject_alt_name_t enumerations
1014 * @data: The data to be set
1015 * @data_size: The data size
1016 * @reason_flags: revocation reasons
1017 *
1018 * This function will set the CRL distribution points certificate extension.
1019 *
1020 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
1021 * negative error value.
1022 *
1023 * Since: 2.6.0
1024 **/
1025 int
1026 gnutls_x509_crt_set_crl_dist_points2 (gnutls_x509_crt_t crt,
1027 gnutls_x509_subject_alt_name_t type,
1028 const void *data,
1029 unsigned int data_size,
1030 unsigned int reason_flags)
1031 {
1032 int result;
1033 gnutls_datum_t der_data = { NULL, 0 };
1034 gnutls_datum_t oldname = { NULL, 0 };
1035 unsigned int critical;
1036
1037 if (crt == NULL)
1038 {
1039 gnutls_assert ();
1040 return GNUTLS_E_INVALID_REQUEST;
1041 }
1042
1043 /* Check if the extension already exists.
1044 */
1045 result =
1046 _gnutls_x509_crt_get_extension (crt, "2.5.29.31", 0, &oldname, &critical);
1047
1048 _gnutls_free_datum (&oldname);
1049
1050 if (result != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
1051 {
1052 gnutls_assert ();
1053 return GNUTLS_E_INVALID_REQUEST;
1054 }
1055
1056 /* generate the extension.
1057 */
1058 result =
1059 _gnutls_x509_ext_gen_crl_dist_points (type, data, data_size,
1060 reason_flags, &der_data);
1061 if (result < 0)
1062 {
1063 gnutls_assert ();
1064 return result;
1065 }
1066
1067 result = _gnutls_x509_crt_set_extension (crt, "2.5.29.31", &der_data, 0);
1068
1069 _gnutls_free_datum (&der_data);
1070
1071 if (result < 0)
1072 {
1073 gnutls_assert ();
1074 return result;
1075 }
1076
1077 crt->use_extensions = 1;
1078
1079 return 0;
1080
1081 }
1082
1083 /**
1084 * gnutls_x509_crt_cpy_crl_dist_points:
1085 * @dst: a certificate of type #gnutls_x509_crt_t
1086 * @src: the certificate where the dist points will be copied from
1087 *
1088 * This function will copy the CRL distribution points certificate
1089 * extension, from the source to the destination certificate.
1090 * This may be useful to copy from a CA certificate to issued ones.
1091 *
1092 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
1093 * negative error value.
1094 **/
1095 int
1096 gnutls_x509_crt_cpy_crl_dist_points (gnutls_x509_crt_t dst,
1097 gnutls_x509_crt_t src)
1098 {
1099 int result;
1100 gnutls_datum_t der_data;
1101 unsigned int critical;
1102
1103 if (dst == NULL || src == NULL)
1104 {
1105 gnutls_assert ();
1106 return GNUTLS_E_INVALID_REQUEST;
1107 }
1108
1109 /* Check if the extension already exists.
1110 */
1111 result =
1112 _gnutls_x509_crt_get_extension (src, "2.5.29.31", 0, &der_data,
1113 &critical);
1114 if (result < 0)
1115 {
1116 gnutls_assert ();
1117 return result;
1118 }
1119
1120 result =
1121 _gnutls_x509_crt_set_extension (dst, "2.5.29.31", &der_data, critical);
1122 _gnutls_free_datum (&der_data);
1123
1124 if (result < 0)
1125 {
1126 gnutls_assert ();
1127 return result;
1128 }
1129
1130 dst->use_extensions = 1;
1131
1132 return 0;
1133 }
1134
1135 /**
1136 * gnutls_x509_crt_set_subject_key_id:
1137 * @cert: a certificate of type #gnutls_x509_crt_t
1138 * @id: The key ID
1139 * @id_size: Holds the size of the serial field.
1140 *
1141 * This function will set the X.509 certificate's subject key ID
1142 * extension.
1143 *
1144 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
1145 * negative error value.
1146 **/
1147 int
1148 gnutls_x509_crt_set_subject_key_id (gnutls_x509_crt_t cert,
1149 const void *id, size_t id_size)
1150 {
1151 int result;
1152 gnutls_datum_t old_id, der_data;
1153 unsigned int critical;
1154
1155 if (cert == NULL)
1156 {
1157 gnutls_assert ();
1158 return GNUTLS_E_INVALID_REQUEST;
1159 }
1160
1161 /* Check if the extension already exists.
1162 */
1163 result =
1164 _gnutls_x509_crt_get_extension (cert, "2.5.29.14", 0, &old_id, &critical);
1165
1166 if (result >= 0)
1167 _gnutls_free_datum (&old_id);
1168 if (result != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
1169 {
1170 gnutls_assert ();
1171 return GNUTLS_E_INVALID_REQUEST;
1172 }
1173
1174 /* generate the extension.
1175 */
1176 result = _gnutls_x509_ext_gen_key_id (id, id_size, &der_data);
1177 if (result < 0)
1178 {
1179 gnutls_assert ();
1180 return result;
1181 }
1182
1183 result = _gnutls_x509_crt_set_extension (cert, "2.5.29.14", &der_data, 0);
1184
1185 _gnutls_free_datum (&der_data);
1186
1187 if (result < 0)
1188 {
1189 gnutls_assert ();
1190 return result;
1191 }
1192
1193 cert->use_extensions = 1;
1194
1195 return 0;
1196 }
1197
1198 /**
1199 * gnutls_x509_crt_set_authority_key_id:
1200 * @cert: a certificate of type #gnutls_x509_crt_t
1201 * @id: The key ID
1202 * @id_size: Holds the size of the serial field.
1203 *
1204 * This function will set the X.509 certificate's authority key ID extension.
1205 * Only the keyIdentifier field can be set with this function.
1206 *
1207 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
1208 * negative error value.
1209 **/
1210 int
1211 gnutls_x509_crt_set_authority_key_id (gnutls_x509_crt_t cert,
1212 const void *id, size_t id_size)
1213 {
1214 int result;
1215 gnutls_datum_t old_id, der_data;
1216 unsigned int critical;
1217
1218 if (cert == NULL)
1219 {
1220 gnutls_assert ();
1221 return GNUTLS_E_INVALID_REQUEST;
1222 }
1223
1224 /* Check if the extension already exists.
1225 */
1226 result =
1227 _gnutls_x509_crt_get_extension (cert, "2.5.29.35", 0, &old_id, &critical);
1228
1229 if (result >= 0)
1230 _gnutls_free_datum (&old_id);
1231 if (result != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
1232 {
1233 gnutls_assert ();
1234 return GNUTLS_E_INVALID_REQUEST;
1235 }
1236
1237 /* generate the extension.
1238 */
1239 result = _gnutls_x509_ext_gen_auth_key_id (id, id_size, &der_data);
1240 if (result < 0)
1241 {
1242 gnutls_assert ();
1243 return result;
1244 }
1245
1246 result = _gnutls_x509_crt_set_extension (cert, "2.5.29.35", &der_data, 0);
1247
1248 _gnutls_free_datum (&der_data);
1249
1250 if (result < 0)
1251 {
1252 gnutls_assert ();
1253 return result;
1254 }
1255
1256 cert->use_extensions = 1;
1257
1258 return 0;
1259 }
1260
1261 /**
1262 * gnutls_x509_crt_set_key_purpose_oid:
1263 * @cert: a certificate of type #gnutls_x509_crt_t
1264 * @oid: a pointer to a null terminated string that holds the OID
1265 * @critical: Whether this extension will be critical or not
1266 *
1267 * This function will set the key purpose OIDs of the Certificate.
1268 * These are stored in the Extended Key Usage extension (2.5.29.37)
1269 * See the GNUTLS_KP_* definitions for human readable names.
1270 *
1271 * Subsequent calls to this function will append OIDs to the OID list.
1272 *
1273 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
1274 * otherwise a negative error code is returned.
1275 **/
1276 int
1277 gnutls_x509_crt_set_key_purpose_oid (gnutls_x509_crt_t cert,
1278 const void *oid, unsigned int critical)
1279 {
1280 int result;
1281 gnutls_datum_t old_id, der_data;
1282 ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
1283
1284 if (cert == NULL)
1285 {
1286 gnutls_assert ();
1287 return GNUTLS_E_INVALID_REQUEST;
1288 }
1289
1290 result = asn1_create_element
1291 (_gnutls_get_pkix (), "PKIX1.ExtKeyUsageSyntax", &c2);
1292 if (result != ASN1_SUCCESS)
1293 {
1294 gnutls_assert ();
1295 return _gnutls_asn2err (result);
1296 }
1297
1298 /* Check if the extension already exists.
1299 */
1300 result =
1301 _gnutls_x509_crt_get_extension (cert, "2.5.29.37", 0, &old_id, NULL);
1302
1303 if (result >= 0)
1304 {
1305 /* decode it.
1306 */
1307 result = asn1_der_decoding (&c2, old_id.data, old_id.size, NULL);
1308 _gnutls_free_datum (&old_id);
1309
1310 if (result != ASN1_SUCCESS)
1311 {
1312 gnutls_assert ();
1313 asn1_delete_structure (&c2);
1314 return _gnutls_asn2err (result);
1315 }
1316
1317 }
1318
1319 /* generate the extension.
1320 */
1321 /* 1. create a new element.
1322 */
1323 result = asn1_write_value (c2, "", "NEW", 1);
1324 if (result != ASN1_SUCCESS)
1325 {
1326 gnutls_assert ();
1327 asn1_delete_structure (&c2);
1328 return _gnutls_asn2err (result);
1329 }
1330
1331 /* 2. Add the OID.
1332 */
1333 result = asn1_write_value (c2, "?LAST", oid, 1);
1334 if (result != ASN1_SUCCESS)
1335 {
1336 gnutls_assert ();
1337 asn1_delete_structure (&c2);
1338 return _gnutls_asn2err (result);
1339 }
1340
1341 result = _gnutls_x509_der_encode (c2, "", &der_data, 0);
1342 asn1_delete_structure (&c2);
1343
1344 if (result != ASN1_SUCCESS)
1345 {
1346 gnutls_assert ();
1347 return _gnutls_asn2err (result);
1348 }
1349
1350 result = _gnutls_x509_crt_set_extension (cert, "2.5.29.37",
1351 &der_data, critical);
1352
1353 _gnutls_free_datum (&der_data);
1354
1355 if (result < 0)
1356 {
1357 gnutls_assert ();
1358 return result;
1359 }
1360
1361 cert->use_extensions = 1;
1362
1363 return 0;
1364
1365 }
1366
1367 /**
1368 * gnutls_x509_crt_privkey_sign:
1369 * @crt: a certificate of type #gnutls_x509_crt_t
1370 * @issuer: is the certificate of the certificate issuer
1371 * @issuer_key: holds the issuer's private key
1372 * @dig: The message digest to use, %GNUTLS_DIG_SHA1 is a safe choice
1373 * @flags: must be 0
1374 *
1375 * This function will sign the certificate with the issuer's private key, and
1376 * will copy the issuer's information into the certificate.
1377 *
1378 * This must be the last step in a certificate generation since all
1379 * the previously set parameters are now signed.
1380 *
1381 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
1382 * negative error value.
1383 **/
1384 int
1385 gnutls_x509_crt_privkey_sign (gnutls_x509_crt_t crt, gnutls_x509_crt_t issuer,
1386 gnutls_privkey_t issuer_key,
1387 gnutls_digest_algorithm_t dig,
1388 unsigned int flags)
1389 {
1390 int result;
1391
1392 if (crt == NULL || issuer == NULL || issuer_key == NULL)
1393 {
1394 gnutls_assert ();
1395 return GNUTLS_E_INVALID_REQUEST;
1396 }
1397
1398 /* disable all the unneeded OPTIONAL fields.
1399 */
1400 disable_optional_stuff (crt);
1401
1402 result = _gnutls_x509_pkix_sign (crt->cert, "tbsCertificate",
1403 dig, issuer, issuer_key);
1404 if (result < 0)
1405 {
1406 gnutls_assert ();
1407 return result;
1408 }
1409
1410 return 0;
1411 }
1412
1413 static const char* what_to_oid(int what)
1414 {
1415 switch(what)
1416 {
1417 case GNUTLS_IA_OCSP_URI:
1418 return GNUTLS_OID_AD_OCSP;
1419 case GNUTLS_IA_CAISSUERS_URI:
1420 return GNUTLS_OID_AD_CAISSUERS;
1421 default:
1422 return NULL;
1423 }
1424 }
1425
1426 /**
1427 * gnutls_x509_crt_set_authority_info_access:
1428 * @crt: Holds the certificate
1429 * @what: what data to get, a #gnutls_info_access_what_t type.
1430 * @data: output data to be freed with gnutls_free().
1431 *
1432 * This function sets the Authority Information Access (AIA)
1433 * extension, see RFC 5280 section 4.2.2.1 for more information.
1434 *
1435 * The type of data stored in @data is specified via @what which
1436 * should be #gnutls_info_access_what_t values.
1437 *
1438 * If @what is %GNUTLS_IA_OCSP_URI, @data will hold the OCSP URI.
1439 * If @what is %GNUTLS_IA_CAISSUERS_URI, @data will hold the caIssuers
1440 * URI.
1441 *
1442 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
1443 * negative error value.
1444 *
1445 * Since: 3.0
1446 **/
1447 int
1448 gnutls_x509_crt_set_authority_info_access (gnutls_x509_crt_t crt,
1449 int what,
1450 gnutls_datum_t * data)
1451 {
1452 int ret, result;
1453 gnutls_datum_t aia = { NULL, 0 };
1454 gnutls_datum_t der_data = { NULL, 0 };
1455 ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
1456 const char* oid;
1457 unsigned int c;
1458
1459 if (crt == NULL)
1460 return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
1461
1462 oid = what_to_oid(what);
1463 if (oid == NULL)
1464 return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
1465
1466 ret = asn1_create_element (_gnutls_get_pkix (),
1467 "PKIX1.AuthorityInfoAccessSyntax", &c2);
1468 if (ret != ASN1_SUCCESS)
1469 {
1470 gnutls_assert ();
1471 return _gnutls_asn2err (ret);
1472 }
1473
1474 ret = _gnutls_x509_crt_get_extension (crt, GNUTLS_OID_AIA, 0, &aia,
1475 &c);
1476 if (ret >= 0) /* decode it */
1477 {
1478 ret = asn1_der_decoding (&c2, aia.data, aia.size, NULL);
1479 if (ret != ASN1_SUCCESS)
1480 {
1481 gnutls_assert ();
1482 ret = _gnutls_asn2err (ret);
1483 goto cleanup;
1484 }
1485 }
1486
1487 /* generate the extension.
1488 */
1489 /* 1. create a new element.
1490 */
1491 result = asn1_write_value (c2, "", "NEW", 1);
1492 if (result != ASN1_SUCCESS)
1493 {
1494 gnutls_assert ();
1495 ret = _gnutls_asn2err (result);
1496 goto cleanup;
1497 }
1498
1499 /* 2. Add the OID.
1500 */
1501 result = asn1_write_value (c2, "?LAST.accessMethod", oid, 1);
1502 if (result != ASN1_SUCCESS)
1503 {
1504 gnutls_assert ();
1505 ret = _gnutls_asn2err (result);
1506 goto cleanup;
1507 }
1508
1509 /* accessLocation is a choice */
1510 result = asn1_write_value (c2, "?LAST.accessLocation", "uniformResourceIdentifier", 1);
1511 if (result != ASN1_SUCCESS)
1512 {
1513 gnutls_assert ();
1514 ret = _gnutls_asn2err (result);
1515 goto cleanup;
1516 }
1517
1518 result = asn1_write_value (c2, "?LAST.accessLocation.uniformResourceIdentifier", data->data, data->size);
1519 if (result != ASN1_SUCCESS)
1520 {
1521 gnutls_assert ();
1522 ret = _gnutls_asn2err (result);
1523 goto cleanup;
1524 }
1525
1526 ret = _gnutls_x509_der_encode (c2, "", &der_data, 0);
1527 if (ret < 0)
1528 {
1529 gnutls_assert ();
1530 goto cleanup;
1531 }
1532
1533 ret = _gnutls_x509_crt_set_extension (crt, GNUTLS_OID_AIA,
1534 &der_data, 0);
1535 if (ret < 0)
1536 gnutls_assert ();
1537
1538 crt->use_extensions = 1;
1539
1540 cleanup:
1541 _gnutls_free_datum (&der_data);
1542 _gnutls_free_datum(&aia);
1543 asn1_delete_structure (&c2);
1544
1545 return ret;
1546 }
Implementation of the SSL/TLS protocol