search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Fix some typos.
[heimdal.git] / lib / hx509 / ca.c
bloba574ab5d822e40513ed258e603255175134b1a14
1 /*
2 * Copyright (c) 2006 - 2010 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "hx_locl.h"
35 #include <pkinit_asn1.h>
36
37 /**
38 * @page page_ca Hx509 CA functions
39 *
40 * See the library functions here: @ref hx509_ca
41 */
42
43 struct hx509_ca_tbs {
44 hx509_name subject;
45 SubjectPublicKeyInfo spki;
46 ExtKeyUsage eku;
47 GeneralNames san;
48 unsigned key_usage;
49 heim_integer serial;
50 struct {
51 unsigned int proxy:1;
52 unsigned int ca:1;
53 unsigned int key:1;
54 unsigned int serial:1;
55 unsigned int domaincontroller:1;
56 unsigned int xUniqueID:1;
57 } flags;
58 time_t notBefore;
59 time_t notAfter;
60 int pathLenConstraint; /* both for CA and Proxy */
61 CRLDistributionPoints crldp;
62 heim_bit_string subjectUniqueID;
63 heim_bit_string issuerUniqueID;
64 AlgorithmIdentifier *sigalg;
65 };
66
67 /**
68 * Allocate an to-be-signed certificate object that will be converted
69 * into an certificate.
70 *
71 * @param context A hx509 context.
72 * @param tbs returned to-be-signed certicate object, free with
73 * hx509_ca_tbs_free().
74 *
75 * @return An hx509 error code, see hx509_get_error_string().
76 *
77 * @ingroup hx509_ca
78 */
79
80 int
81 hx509_ca_tbs_init(hx509_context context, hx509_ca_tbs *tbs)
82 {
83 *tbs = calloc(1, sizeof(**tbs));
84 if (*tbs == NULL)
85 return ENOMEM;
86
87 return 0;
88 }
89
90 /**
91 * Free an To Be Signed object.
92 *
93 * @param tbs object to free.
94 *
95 * @ingroup hx509_ca
96 */
97
98 void
99 hx509_ca_tbs_free(hx509_ca_tbs *tbs)
100 {
101 if (tbs == NULL || *tbs == NULL)
102 return;
103
104 free_SubjectPublicKeyInfo(&(*tbs)->spki);
105 free_GeneralNames(&(*tbs)->san);
106 free_ExtKeyUsage(&(*tbs)->eku);
107 der_free_heim_integer(&(*tbs)->serial);
108 free_CRLDistributionPoints(&(*tbs)->crldp);
109 der_free_bit_string(&(*tbs)->subjectUniqueID);
110 der_free_bit_string(&(*tbs)->issuerUniqueID);
111 hx509_name_free(&(*tbs)->subject);
112 if ((*tbs)->sigalg) {
113 free_AlgorithmIdentifier((*tbs)->sigalg);
114 free((*tbs)->sigalg);
115 }
116
117 memset(*tbs, 0, sizeof(**tbs));
118 free(*tbs);
119 *tbs = NULL;
120 }
121
122 /**
123 * Set the absolute time when the certificate is valid from. If not
124 * set the current time will be used.
125 *
126 * @param context A hx509 context.
127 * @param tbs object to be signed.
128 * @param t time the certificated will start to be valid
129 *
130 * @return An hx509 error code, see hx509_get_error_string().
131 *
132 * @ingroup hx509_ca
133 */
134
135 int
136 hx509_ca_tbs_set_notBefore(hx509_context context,
137 hx509_ca_tbs tbs,
138 time_t t)
139 {
140 tbs->notBefore = t;
141 return 0;
142 }
143
144 /**
145 * Set the absolute time when the certificate is valid to.
146 *
147 * @param context A hx509 context.
148 * @param tbs object to be signed.
149 * @param t time when the certificate will expire
150 *
151 * @return An hx509 error code, see hx509_get_error_string().
152 *
153 * @ingroup hx509_ca
154 */
155
156 int
157 hx509_ca_tbs_set_notAfter(hx509_context context,
158 hx509_ca_tbs tbs,
159 time_t t)
160 {
161 tbs->notAfter = t;
162 return 0;
163 }
164
165 /**
166 * Set the relative time when the certificiate is going to expire.
167 *
168 * @param context A hx509 context.
169 * @param tbs object to be signed.
170 * @param delta seconds to the certificate is going to expire.
171 *
172 * @return An hx509 error code, see hx509_get_error_string().
173 *
174 * @ingroup hx509_ca
175 */
176
177 int
178 hx509_ca_tbs_set_notAfter_lifetime(hx509_context context,
179 hx509_ca_tbs tbs,
180 time_t delta)
181 {
182 return hx509_ca_tbs_set_notAfter(context, tbs, time(NULL) + delta);
183 }
184
185 static const struct units templatebits[] = {
186 { "ExtendedKeyUsage", HX509_CA_TEMPLATE_EKU },
187 { "KeyUsage", HX509_CA_TEMPLATE_KU },
188 { "SPKI", HX509_CA_TEMPLATE_SPKI },
189 { "notAfter", HX509_CA_TEMPLATE_NOTAFTER },
190 { "notBefore", HX509_CA_TEMPLATE_NOTBEFORE },
191 { "serial", HX509_CA_TEMPLATE_SERIAL },
192 { "subject", HX509_CA_TEMPLATE_SUBJECT },
193 { NULL, 0 }
194 };
195
196 /**
197 * Make of template units, use to build flags argument to
198 * hx509_ca_tbs_set_template() with parse_units().
199 *
200 * @return an units structure.
201 *
202 * @ingroup hx509_ca
203 */
204
205 const struct units *
206 hx509_ca_tbs_template_units(void)
207 {
208 return templatebits;
209 }
210
211 /**
212 * Initialize the to-be-signed certificate object from a template certifiate.
213 *
214 * @param context A hx509 context.
215 * @param tbs object to be signed.
216 * @param flags bit field selecting what to copy from the template
217 * certifiate.
218 * @param cert template certificate.
219 *
220 * @return An hx509 error code, see hx509_get_error_string().
221 *
222 * @ingroup hx509_ca
223 */
224
225 int
226 hx509_ca_tbs_set_template(hx509_context context,
227 hx509_ca_tbs tbs,
228 int flags,
229 hx509_cert cert)
230 {
231 int ret;
232
233 if (flags & HX509_CA_TEMPLATE_SUBJECT) {
234 if (tbs->subject)
235 hx509_name_free(&tbs->subject);
236 ret = hx509_cert_get_subject(cert, &tbs->subject);
237 if (ret) {
238 hx509_set_error_string(context, 0, ret,
239 "Failed to get subject from template");
240 return ret;
241 }
242 }
243 if (flags & HX509_CA_TEMPLATE_SERIAL) {
244 der_free_heim_integer(&tbs->serial);
245 ret = hx509_cert_get_serialnumber(cert, &tbs->serial);
246 tbs->flags.serial = !ret;
247 if (ret) {
248 hx509_set_error_string(context, 0, ret,
249 "Failed to copy serial number");
250 return ret;
251 }
252 }
253 if (flags & HX509_CA_TEMPLATE_NOTBEFORE)
254 tbs->notBefore = hx509_cert_get_notBefore(cert);
255 if (flags & HX509_CA_TEMPLATE_NOTAFTER)
256 tbs->notAfter = hx509_cert_get_notAfter(cert);
257 if (flags & HX509_CA_TEMPLATE_SPKI) {
258 free_SubjectPublicKeyInfo(&tbs->spki);
259 ret = hx509_cert_get_SPKI(context, cert, &tbs->spki);
260 tbs->flags.key = !ret;
261 if (ret)
262 return ret;
263 }
264 if (flags & HX509_CA_TEMPLATE_KU) {
265 KeyUsage ku;
266 ret = _hx509_cert_get_keyusage(context, cert, &ku);
267 if (ret)
268 return ret;
269 tbs->key_usage = KeyUsage2int(ku);
270 }
271 if (flags & HX509_CA_TEMPLATE_EKU) {
272 ExtKeyUsage eku;
273 size_t i;
274 ret = _hx509_cert_get_eku(context, cert, &eku);
275 if (ret)
276 return ret;
277 for (i = 0; i < eku.len; i++) {
278 ret = hx509_ca_tbs_add_eku(context, tbs, &eku.val[i]);
279 if (ret) {
280 free_ExtKeyUsage(&eku);
281 return ret;
282 }
283 }
284 free_ExtKeyUsage(&eku);
285 }
286 return 0;
287 }
288
289 /**
290 * Make the to-be-signed certificate object a CA certificate. If the
291 * pathLenConstraint is negative path length constraint is used.
292 *
293 * @param context A hx509 context.
294 * @param tbs object to be signed.
295 * @param pathLenConstraint path length constraint, negative, no
296 * constraint.
297 *
298 * @return An hx509 error code, see hx509_get_error_string().
299 *
300 * @ingroup hx509_ca
301 */
302
303 int
304 hx509_ca_tbs_set_ca(hx509_context context,
305 hx509_ca_tbs tbs,
306 int pathLenConstraint)
307 {
308 tbs->flags.ca = 1;
309 tbs->pathLenConstraint = pathLenConstraint;
310 return 0;
311 }
312
313 /**
314 * Make the to-be-signed certificate object a proxy certificate. If the
315 * pathLenConstraint is negative path length constraint is used.
316 *
317 * @param context A hx509 context.
318 * @param tbs object to be signed.
319 * @param pathLenConstraint path length constraint, negative, no
320 * constraint.
321 *
322 * @return An hx509 error code, see hx509_get_error_string().
323 *
324 * @ingroup hx509_ca
325 */
326
327 int
328 hx509_ca_tbs_set_proxy(hx509_context context,
329 hx509_ca_tbs tbs,
330 int pathLenConstraint)
331 {
332 tbs->flags.proxy = 1;
333 tbs->pathLenConstraint = pathLenConstraint;
334 return 0;
335 }
336
337
338 /**
339 * Make the to-be-signed certificate object a windows domain controller certificate.
340 *
341 * @param context A hx509 context.
342 * @param tbs object to be signed.
343 *
344 * @return An hx509 error code, see hx509_get_error_string().
345 *
346 * @ingroup hx509_ca
347 */
348
349 int
350 hx509_ca_tbs_set_domaincontroller(hx509_context context,
351 hx509_ca_tbs tbs)
352 {
353 tbs->flags.domaincontroller = 1;
354 return 0;
355 }
356
357 /**
358 * Set the subject public key info (SPKI) in the to-be-signed certificate
359 * object. SPKI is the public key and key related parameters in the
360 * certificate.
361 *
362 * @param context A hx509 context.
363 * @param tbs object to be signed.
364 * @param spki subject public key info to use for the to-be-signed certificate object.
365 *
366 * @return An hx509 error code, see hx509_get_error_string().
367 *
368 * @ingroup hx509_ca
369 */
370
371 int
372 hx509_ca_tbs_set_spki(hx509_context context,
373 hx509_ca_tbs tbs,
374 const SubjectPublicKeyInfo *spki)
375 {
376 int ret;
377 free_SubjectPublicKeyInfo(&tbs->spki);
378 ret = copy_SubjectPublicKeyInfo(spki, &tbs->spki);
379 tbs->flags.key = !ret;
380 return ret;
381 }
382
383 /**
384 * Set the serial number to use for to-be-signed certificate object.
385 *
386 * @param context A hx509 context.
387 * @param tbs object to be signed.
388 * @param serialNumber serial number to use for the to-be-signed
389 * certificate object.
390 *
391 * @return An hx509 error code, see hx509_get_error_string().
392 *
393 * @ingroup hx509_ca
394 */
395
396 int
397 hx509_ca_tbs_set_serialnumber(hx509_context context,
398 hx509_ca_tbs tbs,
399 const heim_integer *serialNumber)
400 {
401 int ret;
402 der_free_heim_integer(&tbs->serial);
403 ret = der_copy_heim_integer(serialNumber, &tbs->serial);
404 tbs->flags.serial = !ret;
405 return ret;
406 }
407
408 /**
409 * An an extended key usage to the to-be-signed certificate object.
410 * Duplicates will detected and not added.
411 *
412 * @param context A hx509 context.
413 * @param tbs object to be signed.
414 * @param oid extended key usage to add.
415 *
416 * @return An hx509 error code, see hx509_get_error_string().
417 *
418 * @ingroup hx509_ca
419 */
420
421 int
422 hx509_ca_tbs_add_eku(hx509_context context,
423 hx509_ca_tbs tbs,
424 const heim_oid *oid)
425 {
426 void *ptr;
427 int ret;
428 unsigned i;
429
430 /* search for duplicates */
431 for (i = 0; i < tbs->eku.len; i++) {
432 if (der_heim_oid_cmp(oid, &tbs->eku.val[i]) == 0)
433 return 0;
434 }
435
436 ptr = realloc(tbs->eku.val, sizeof(tbs->eku.val[0]) * (tbs->eku.len + 1));
437 if (ptr == NULL) {
438 hx509_set_error_string(context, 0, ENOMEM, "out of memory");
439 return ENOMEM;
440 }
441 tbs->eku.val = ptr;
442 ret = der_copy_oid(oid, &tbs->eku.val[tbs->eku.len]);
443 if (ret) {
444 hx509_set_error_string(context, 0, ret, "out of memory");
445 return ret;
446 }
447 tbs->eku.len += 1;
448 return 0;
449 }
450
451 /**
452 * Add CRL distribution point URI to the to-be-signed certificate
453 * object.
454 *
455 * @param context A hx509 context.
456 * @param tbs object to be signed.
457 * @param uri uri to the CRL.
458 * @param issuername name of the issuer.
459 *
460 * @return An hx509 error code, see hx509_get_error_string().
461 *
462 * @ingroup hx509_ca
463 */
464
465 int
466 hx509_ca_tbs_add_crl_dp_uri(hx509_context context,
467 hx509_ca_tbs tbs,
468 const char *uri,
469 hx509_name issuername)
470 {
471 DistributionPoint dp;
472 int ret;
473
474 memset(&dp, 0, sizeof(dp));
475
476 dp.distributionPoint = ecalloc(1, sizeof(*dp.distributionPoint));
477
478 {
479 DistributionPointName name;
480 GeneralName gn;
481 size_t size;
482
483 name.element = choice_DistributionPointName_fullName;
484 name.u.fullName.len = 1;
485 name.u.fullName.val = &gn;
486
487 gn.element = choice_GeneralName_uniformResourceIdentifier;
488 gn.u.uniformResourceIdentifier.data = rk_UNCONST(uri);
489 gn.u.uniformResourceIdentifier.length = strlen(uri);
490
491 ASN1_MALLOC_ENCODE(DistributionPointName,
492 dp.distributionPoint->data,
493 dp.distributionPoint->length,
494 &name, &size, ret);
495 if (ret) {
496 hx509_set_error_string(context, 0, ret,
497 "Failed to encoded DistributionPointName");
498 goto out;
499 }
500 if (dp.distributionPoint->length != size)
501 _hx509_abort("internal ASN.1 encoder error");
502 }
503
504 if (issuername) {
505 #if 1
506 /**
507 * issuername not supported
508 */
509 hx509_set_error_string(context, 0, EINVAL,
510 "CRLDistributionPoints.name.issuername not yet supported");
511 return EINVAL;
512 #else
513 GeneralNames *crlissuer;
514 GeneralName gn;
515 Name n;
516
517 crlissuer = calloc(1, sizeof(*crlissuer));
518 if (crlissuer == NULL) {
519 return ENOMEM;
520 }
521 memset(&gn, 0, sizeof(gn));
522
523 gn.element = choice_GeneralName_directoryName;
524 ret = hx509_name_to_Name(issuername, &n);
525 if (ret) {
526 hx509_set_error_string(context, 0, ret, "out of memory");
527 goto out;
528 }
529
530 gn.u.directoryName.element = n.element;
531 gn.u.directoryName.u.rdnSequence = n.u.rdnSequence;
532
533 ret = add_GeneralNames(&crlissuer, &gn);
534 free_Name(&n);
535 if (ret) {
536 hx509_set_error_string(context, 0, ret, "out of memory");
537 goto out;
538 }
539
540 dp.cRLIssuer = &crlissuer;
541 #endif
542 }
543
544 ret = add_CRLDistributionPoints(&tbs->crldp, &dp);
545 if (ret) {
546 hx509_set_error_string(context, 0, ret, "out of memory");
547 goto out;
548 }
549
550 out:
551 free_DistributionPoint(&dp);
552
553 return ret;
554 }
555
556 /**
557 * Add Subject Alternative Name otherName to the to-be-signed
558 * certificate object.
559 *
560 * @param context A hx509 context.
561 * @param tbs object to be signed.
562 * @param oid the oid of the OtherName.
563 * @param os data in the other name.
564 *
565 * @return An hx509 error code, see hx509_get_error_string().
566 *
567 * @ingroup hx509_ca
568 */
569
570 int
571 hx509_ca_tbs_add_san_otherName(hx509_context context,
572 hx509_ca_tbs tbs,
573 const heim_oid *oid,
574 const heim_octet_string *os)
575 {
576 GeneralName gn;
577
578 memset(&gn, 0, sizeof(gn));
579 gn.element = choice_GeneralName_otherName;
580 gn.u.otherName.type_id = *oid;
581 gn.u.otherName.value = *os;
582
583 return add_GeneralNames(&tbs->san, &gn);
584 }
585
586 /**
587 * Add Kerberos Subject Alternative Name to the to-be-signed
588 * certificate object. The principal string is a UTF8 string.
589 *
590 * @param context A hx509 context.
591 * @param tbs object to be signed.
592 * @param principal Kerberos principal to add to the certificate.
593 *
594 * @return An hx509 error code, see hx509_get_error_string().
595 *
596 * @ingroup hx509_ca
597 */
598
599 int
600 hx509_ca_tbs_add_san_pkinit(hx509_context context,
601 hx509_ca_tbs tbs,
602 const char *principal)
603 {
604 heim_octet_string os;
605 KRB5PrincipalName p;
606 size_t size;
607 int ret;
608 char *s = NULL;
609
610 memset(&p, 0, sizeof(p));
611
612 /* parse principal */
613 {
614 const char *str;
615 char *q;
616 int n;
617
618 /* count number of component */
619 n = 1;
620 for(str = principal; *str != '\0' && *str != '@'; str++){
621 if(*str=='\\'){
622 if(str[1] == '\0' || str[1] == '@') {
623 ret = HX509_PARSING_NAME_FAILED;
624 hx509_set_error_string(context, 0, ret,
625 "trailing \\ in principal name");
626 goto out;
627 }
628 str++;
629 } else if(*str == '/')
630 n++;
631 }
632 p.principalName.name_string.val =
633 calloc(n, sizeof(*p.principalName.name_string.val));
634 if (p.principalName.name_string.val == NULL) {
635 ret = ENOMEM;
636 hx509_set_error_string(context, 0, ret, "malloc: out of memory");
637 goto out;
638 }
639 p.principalName.name_string.len = n;
640
641 p.principalName.name_type = KRB5_NT_PRINCIPAL;
642 q = s = strdup(principal);
643 if (q == NULL) {
644 ret = ENOMEM;
645 hx509_set_error_string(context, 0, ret, "malloc: out of memory");
646 goto out;
647 }
648 p.realm = strrchr(q, '@');
649 if (p.realm == NULL) {
650 ret = HX509_PARSING_NAME_FAILED;
651 hx509_set_error_string(context, 0, ret, "Missing @ in principal");
652 goto out;
653 };
654 *p.realm++ = '\0';
655
656 n = 0;
657 while (q) {
658 p.principalName.name_string.val[n++] = q;
659 q = strchr(q, '/');
660 if (q)
661 *q++ = '\0';
662 }
663 }
664
665 ASN1_MALLOC_ENCODE(KRB5PrincipalName, os.data, os.length, &p, &size, ret);
666 if (ret) {
667 hx509_set_error_string(context, 0, ret, "Out of memory");
668 goto out;
669 }
670 if (size != os.length)
671 _hx509_abort("internal ASN.1 encoder error");
672
673 ret = hx509_ca_tbs_add_san_otherName(context,
674 tbs,
675 &asn1_oid_id_pkinit_san,
676 &os);
677 free(os.data);
678 out:
679 if (p.principalName.name_string.val)
680 free (p.principalName.name_string.val);
681 if (s)
682 free(s);
683 return ret;
684 }
685
686 /*
687 *
688 */
689
690 static int
691 add_utf8_san(hx509_context context,
692 hx509_ca_tbs tbs,
693 const heim_oid *oid,
694 const char *string)
695 {
696 const PKIXXmppAddr ustring = (const PKIXXmppAddr)(intptr_t)string;
697 heim_octet_string os;
698 size_t size;
699 int ret;
700
701 os.length = 0;
702 os.data = NULL;
703
704 ASN1_MALLOC_ENCODE(PKIXXmppAddr, os.data, os.length, &ustring, &size, ret);
705 if (ret) {
706 hx509_set_error_string(context, 0, ret, "Out of memory");
707 goto out;
708 }
709 if (size != os.length)
710 _hx509_abort("internal ASN.1 encoder error");
711
712 ret = hx509_ca_tbs_add_san_otherName(context,
713 tbs,
714 oid,
715 &os);
716 free(os.data);
717 out:
718 return ret;
719 }
720
721 /**
722 * Add Microsoft UPN Subject Alternative Name to the to-be-signed
723 * certificate object. The principal string is a UTF8 string.
724 *
725 * @param context A hx509 context.
726 * @param tbs object to be signed.
727 * @param principal Microsoft UPN string.
728 *
729 * @return An hx509 error code, see hx509_get_error_string().
730 *
731 * @ingroup hx509_ca
732 */
733
734 int
735 hx509_ca_tbs_add_san_ms_upn(hx509_context context,
736 hx509_ca_tbs tbs,
737 const char *principal)
738 {
739 return add_utf8_san(context, tbs, &asn1_oid_id_pkinit_ms_san, principal);
740 }
741
742 /**
743 * Add a Jabber/XMPP jid Subject Alternative Name to the to-be-signed
744 * certificate object. The jid is an UTF8 string.
745 *
746 * @param context A hx509 context.
747 * @param tbs object to be signed.
748 * @param jid string of an a jabber id in UTF8.
749 *
750 * @return An hx509 error code, see hx509_get_error_string().
751 *
752 * @ingroup hx509_ca
753 */
754
755 int
756 hx509_ca_tbs_add_san_jid(hx509_context context,
757 hx509_ca_tbs tbs,
758 const char *jid)
759 {
760 return add_utf8_san(context, tbs, &asn1_oid_id_pkix_on_xmppAddr, jid);
761 }
762
763
764 /**
765 * Add a Subject Alternative Name hostname to to-be-signed certificate
766 * object. A domain match starts with ., an exact match does not.
767 *
768 * Example of a an domain match: .domain.se matches the hostname
769 * host.domain.se.
770 *
771 * @param context A hx509 context.
772 * @param tbs object to be signed.
773 * @param dnsname a hostame.
774 *
775 * @return An hx509 error code, see hx509_get_error_string().
776 *
777 * @ingroup hx509_ca
778 */
779
780 int
781 hx509_ca_tbs_add_san_hostname(hx509_context context,
782 hx509_ca_tbs tbs,
783 const char *dnsname)
784 {
785 GeneralName gn;
786
787 memset(&gn, 0, sizeof(gn));
788 gn.element = choice_GeneralName_dNSName;
789 gn.u.dNSName.data = rk_UNCONST(dnsname);
790 gn.u.dNSName.length = strlen(dnsname);
791
792 return add_GeneralNames(&tbs->san, &gn);
793 }
794
795 /**
796 * Add a Subject Alternative Name rfc822 (email address) to
797 * to-be-signed certificate object.
798 *
799 * @param context A hx509 context.
800 * @param tbs object to be signed.
801 * @param rfc822Name a string to a email address.
802 *
803 * @return An hx509 error code, see hx509_get_error_string().
804 *
805 * @ingroup hx509_ca
806 */
807
808 int
809 hx509_ca_tbs_add_san_rfc822name(hx509_context context,
810 hx509_ca_tbs tbs,
811 const char *rfc822Name)
812 {
813 GeneralName gn;
814
815 memset(&gn, 0, sizeof(gn));
816 gn.element = choice_GeneralName_rfc822Name;
817 gn.u.rfc822Name.data = rk_UNCONST(rfc822Name);
818 gn.u.rfc822Name.length = strlen(rfc822Name);
819
820 return add_GeneralNames(&tbs->san, &gn);
821 }
822
823 /**
824 * Set the subject name of a to-be-signed certificate object.
825 *
826 * @param context A hx509 context.
827 * @param tbs object to be signed.
828 * @param subject the name to set a subject.
829 *
830 * @return An hx509 error code, see hx509_get_error_string().
831 *
832 * @ingroup hx509_ca
833 */
834
835 int
836 hx509_ca_tbs_set_subject(hx509_context context,
837 hx509_ca_tbs tbs,
838 hx509_name subject)
839 {
840 if (tbs->subject)
841 hx509_name_free(&tbs->subject);
842 return hx509_name_copy(context, subject, &tbs->subject);
843 }
844
845 /**
846 * Set the issuerUniqueID and subjectUniqueID
847 *
848 * These are only supposed to be used considered with version 2
849 * certificates, replaced by the two extensions SubjectKeyIdentifier
850 * and IssuerKeyIdentifier. This function is to allow application
851 * using legacy protocol to issue them.
852 *
853 * @param context A hx509 context.
854 * @param tbs object to be signed.
855 * @param issuerUniqueID to be set
856 * @param subjectUniqueID to be set
857 *
858 * @return An hx509 error code, see hx509_get_error_string().
859 *
860 * @ingroup hx509_ca
861 */
862
863 int
864 hx509_ca_tbs_set_unique(hx509_context context,
865 hx509_ca_tbs tbs,
866 const heim_bit_string *subjectUniqueID,
867 const heim_bit_string *issuerUniqueID)
868 {
869 int ret;
870
871 der_free_bit_string(&tbs->subjectUniqueID);
872 der_free_bit_string(&tbs->issuerUniqueID);
873
874 if (subjectUniqueID) {
875 ret = der_copy_bit_string(subjectUniqueID, &tbs->subjectUniqueID);
876 if (ret)
877 return ret;
878 }
879
880 if (issuerUniqueID) {
881 ret = der_copy_bit_string(issuerUniqueID, &tbs->issuerUniqueID);
882 if (ret)
883 return ret;
884 }
885
886 return 0;
887 }
888
889 /**
890 * Expand the the subject name in the to-be-signed certificate object
891 * using hx509_name_expand().
892 *
893 * @param context A hx509 context.
894 * @param tbs object to be signed.
895 * @param env environment variable to expand variables in the subject
896 * name, see hx509_env_init().
897 *
898 * @return An hx509 error code, see hx509_get_error_string().
899 *
900 * @ingroup hx509_ca
901 */
902
903 int
904 hx509_ca_tbs_subject_expand(hx509_context context,
905 hx509_ca_tbs tbs,
906 hx509_env env)
907 {
908 return hx509_name_expand(context, tbs->subject, env);
909 }
910
911 /**
912 * Set signature algorithm on the to be signed certificate
913 *
914 * @param context A hx509 context.
915 * @param tbs object to be signed.
916 * @param sigalg signature algorithm to use
917 *
918 * @return An hx509 error code, see hx509_get_error_string().
919 *
920 * @ingroup hx509_ca
921 */
922
923 int
924 hx509_ca_tbs_set_signature_algorithm(hx509_context context,
925 hx509_ca_tbs tbs,
926 const AlgorithmIdentifier *sigalg)
927 {
928 int ret;
929
930 tbs->sigalg = calloc(1, sizeof(*tbs->sigalg));
931 if (tbs->sigalg == NULL) {
932 hx509_set_error_string(context, 0, ENOMEM, "Out of memory");
933 return ENOMEM;
934 }
935 ret = copy_AlgorithmIdentifier(sigalg, tbs->sigalg);
936 if (ret) {
937 free(tbs->sigalg);
938 tbs->sigalg = NULL;
939 return ret;
940 }
941 return 0;
942 }
943
944 /*
945 *
946 */
947
948 static int
949 add_extension(hx509_context context,
950 TBSCertificate *tbsc,
951 int critical_flag,
952 const heim_oid *oid,
953 const heim_octet_string *data)
954 {
955 Extension ext;
956 int ret;
957
958 memset(&ext, 0, sizeof(ext));
959
960 if (critical_flag) {
961 ext.critical = malloc(sizeof(*ext.critical));
962 if (ext.critical == NULL) {
963 ret = ENOMEM;
964 hx509_set_error_string(context, 0, ret, "Out of memory");
965 goto out;
966 }
967 *ext.critical = TRUE;
968 }
969
970 ret = der_copy_oid(oid, &ext.extnID);
971 if (ret) {
972 hx509_set_error_string(context, 0, ret, "Out of memory");
973 goto out;
974 }
975 ret = der_copy_octet_string(data, &ext.extnValue);
976 if (ret) {
977 hx509_set_error_string(context, 0, ret, "Out of memory");
978 goto out;
979 }
980 ret = add_Extensions(tbsc->extensions, &ext);
981 if (ret) {
982 hx509_set_error_string(context, 0, ret, "Out of memory");
983 goto out;
984 }
985 out:
986 free_Extension(&ext);
987 return ret;
988 }
989
990 static int
991 build_proxy_prefix(hx509_context context, const Name *issuer, Name *subject)
992 {
993 char *tstr;
994 time_t t;
995 int ret;
996
997 ret = copy_Name(issuer, subject);
998 if (ret) {
999 hx509_set_error_string(context, 0, ret,
1000 "Failed to copy subject name");
1001 return ret;
1002 }
1003
1004 t = time(NULL);
1005 ret = asprintf(&tstr, "ts-%lu", (unsigned long)t);
1006 if (ret == -1 || tstr == NULL) {
1007 hx509_set_error_string(context, 0, ENOMEM,
1008 "Failed to copy subject name");
1009 return ENOMEM;
1010 }
1011 /* prefix with CN=<ts>,...*/
1012 ret = _hx509_name_modify(context, subject, 1, &asn1_oid_id_at_commonName, tstr);
1013 free(tstr);
1014 if (ret)
1015 free_Name(subject);
1016 return ret;
1017 }
1018
1019 static int
1020 ca_sign(hx509_context context,
1021 hx509_ca_tbs tbs,
1022 hx509_private_key signer,
1023 const AuthorityKeyIdentifier *ai,
1024 const Name *issuername,
1025 hx509_cert *certificate)
1026 {
1027 heim_error_t error = NULL;
1028 heim_octet_string data;
1029 Certificate c;
1030 TBSCertificate *tbsc;
1031 size_t size;
1032 int ret;
1033 const AlgorithmIdentifier *sigalg;
1034 time_t notBefore;
1035 time_t notAfter;
1036 unsigned key_usage;
1037
1038 sigalg = tbs->sigalg;
1039 if (sigalg == NULL)
1040 sigalg = _hx509_crypto_default_sig_alg;
1041
1042 memset(&c, 0, sizeof(c));
1043
1044 /*
1045 * Default values are: Valid since 24h ago, valid one year into
1046 * the future, KeyUsage digitalSignature and keyEncipherment set,
1047 * and keyCertSign for CA certificates.
1048 */
1049 notBefore = tbs->notBefore;
1050 if (notBefore == 0)
1051 notBefore = time(NULL) - 3600 * 24;
1052 notAfter = tbs->notAfter;
1053 if (notAfter == 0)
1054 notAfter = time(NULL) + 3600 * 24 * 365;
1055
1056 key_usage = tbs->key_usage;
1057 if (key_usage == 0) {
1058 KeyUsage ku;
1059 memset(&ku, 0, sizeof(ku));
1060 ku.digitalSignature = 1;
1061 ku.keyEncipherment = 1;
1062 key_usage = KeyUsage2int(ku);
1063 }
1064
1065 if (tbs->flags.ca) {
1066 KeyUsage ku;
1067 memset(&ku, 0, sizeof(ku));
1068 ku.keyCertSign = 1;
1069 ku.cRLSign = 1;
1070 key_usage |= KeyUsage2int(ku);
1071 }
1072
1073 /*
1074 *
1075 */
1076
1077 tbsc = &c.tbsCertificate;
1078
1079 if (tbs->flags.key == 0) {
1080 ret = EINVAL;
1081 hx509_set_error_string(context, 0, ret, "No public key set");
1082 return ret;
1083 }
1084 /*
1085 * Don't put restrictions on proxy certificate's subject name, it
1086 * will be generated below.
1087 */
1088 if (!tbs->flags.proxy) {
1089 if (tbs->subject == NULL) {
1090 hx509_set_error_string(context, 0, EINVAL, "No subject name set");
1091 return EINVAL;
1092 }
1093 if (hx509_name_is_null_p(tbs->subject) && tbs->san.len == 0) {
1094 hx509_set_error_string(context, 0, EINVAL,
1095 "NULL subject and no SubjectAltNames");
1096 return EINVAL;
1097 }
1098 }
1099 if (tbs->flags.ca && tbs->flags.proxy) {
1100 hx509_set_error_string(context, 0, EINVAL, "Can't be proxy and CA "
1101 "at the same time");
1102 return EINVAL;
1103 }
1104 if (tbs->flags.proxy) {
1105 if (tbs->san.len > 0) {
1106 hx509_set_error_string(context, 0, EINVAL,
1107 "Proxy certificate is not allowed "
1108 "to have SubjectAltNames");
1109 return EINVAL;
1110 }
1111 }
1112
1113 /* version [0] Version OPTIONAL, -- EXPLICIT nnn DEFAULT 1, */
1114 tbsc->version = calloc(1, sizeof(*tbsc->version));
1115 if (tbsc->version == NULL) {
1116 ret = ENOMEM;
1117 hx509_set_error_string(context, 0, ret, "Out of memory");
1118 goto out;
1119 }
1120 *tbsc->version = rfc3280_version_3;
1121 /* serialNumber CertificateSerialNumber, */
1122 if (tbs->flags.serial) {
1123 ret = der_copy_heim_integer(&tbs->serial, &tbsc->serialNumber);
1124 if (ret) {
1125 hx509_set_error_string(context, 0, ret, "Out of memory");
1126 goto out;
1127 }
1128 } else {
1129 tbsc->serialNumber.length = 20;
1130 tbsc->serialNumber.data = malloc(tbsc->serialNumber.length);
1131 if (tbsc->serialNumber.data == NULL){
1132 ret = ENOMEM;
1133 hx509_set_error_string(context, 0, ret, "Out of memory");
1134 goto out;
1135 }
1136 /* XXX diffrent */
1137 RAND_bytes(tbsc->serialNumber.data, tbsc->serialNumber.length);
1138 ((unsigned char *)tbsc->serialNumber.data)[0] &= 0x7f;
1139 }
1140 /* signature AlgorithmIdentifier, */
1141 ret = copy_AlgorithmIdentifier(sigalg, &tbsc->signature);
1142 if (ret) {
1143 hx509_set_error_string(context, 0, ret, "Failed to copy sigature alg");
1144 goto out;
1145 }
1146 /* issuer Name, */
1147 if (issuername)
1148 ret = copy_Name(issuername, &tbsc->issuer);
1149 else
1150 ret = hx509_name_to_Name(tbs->subject, &tbsc->issuer);
1151 if (ret) {
1152 hx509_set_error_string(context, 0, ret, "Failed to copy issuer name");
1153 goto out;
1154 }
1155 /* validity Validity, */
1156 tbsc->validity.notBefore.element = choice_Time_generalTime;
1157 tbsc->validity.notBefore.u.generalTime = notBefore;
1158 tbsc->validity.notAfter.element = choice_Time_generalTime;
1159 tbsc->validity.notAfter.u.generalTime = notAfter;
1160 /* subject Name, */
1161 if (tbs->flags.proxy) {
1162 ret = build_proxy_prefix(context, &tbsc->issuer, &tbsc->subject);
1163 if (ret)
1164 goto out;
1165 } else {
1166 ret = hx509_name_to_Name(tbs->subject, &tbsc->subject);
1167 if (ret) {
1168 hx509_set_error_string(context, 0, ret,
1169 "Failed to copy subject name");
1170 goto out;
1171 }
1172 }
1173 /* subjectPublicKeyInfo SubjectPublicKeyInfo, */
1174 ret = copy_SubjectPublicKeyInfo(&tbs->spki, &tbsc->subjectPublicKeyInfo);
1175 if (ret) {
1176 hx509_set_error_string(context, 0, ret, "Failed to copy spki");
1177 goto out;
1178 }
1179 /* issuerUniqueID [1] IMPLICIT BIT STRING OPTIONAL */
1180 if (tbs->issuerUniqueID.length) {
1181 tbsc->issuerUniqueID = calloc(1, sizeof(*tbsc->issuerUniqueID));
1182 if (tbsc->issuerUniqueID == NULL) {
1183 ret = ENOMEM;
1184 hx509_set_error_string(context, 0, ret, "Out of memory");
1185 goto out;
1186 }
1187 ret = der_copy_bit_string(&tbs->issuerUniqueID, tbsc->issuerUniqueID);
1188 if (ret) {
1189 hx509_set_error_string(context, 0, ret, "Out of memory");
1190 goto out;
1191 }
1192 }
1193 /* subjectUniqueID [2] IMPLICIT BIT STRING OPTIONAL */
1194 if (tbs->subjectUniqueID.length) {
1195 tbsc->subjectUniqueID = calloc(1, sizeof(*tbsc->subjectUniqueID));
1196 if (tbsc->subjectUniqueID == NULL) {
1197 ret = ENOMEM;
1198 hx509_set_error_string(context, 0, ret, "Out of memory");
1199 goto out;
1200 }
1201
1202 ret = der_copy_bit_string(&tbs->subjectUniqueID, tbsc->subjectUniqueID);
1203 if (ret) {
1204 hx509_set_error_string(context, 0, ret, "Out of memory");
1205 goto out;
1206 }
1207 }
1208
1209 /* extensions [3] EXPLICIT Extensions OPTIONAL */
1210 tbsc->extensions = calloc(1, sizeof(*tbsc->extensions));
1211 if (tbsc->extensions == NULL) {
1212 ret = ENOMEM;
1213 hx509_set_error_string(context, 0, ret, "Out of memory");
1214 goto out;
1215 }
1216
1217 /* Add the text BMP string Domaincontroller to the cert */
1218 if (tbs->flags.domaincontroller) {
1219 data.data = rk_UNCONST("\x1e\x20\x00\x44\x00\x6f\x00\x6d"
1220 "\x00\x61\x00\x69\x00\x6e\x00\x43"
1221 "\x00\x6f\x00\x6e\x00\x74\x00\x72"
1222 "\x00\x6f\x00\x6c\x00\x6c\x00\x65"
1223 "\x00\x72");
1224 data.length = 34;
1225
1226 ret = add_extension(context, tbsc, 0,
1227 &asn1_oid_id_ms_cert_enroll_domaincontroller,
1228 &data);
1229 if (ret)
1230 goto out;
1231 }
1232
1233 /* add KeyUsage */
1234 {
1235 KeyUsage ku;
1236
1237 ku = int2KeyUsage(key_usage);
1238 ASN1_MALLOC_ENCODE(KeyUsage, data.data, data.length, &ku, &size, ret);
1239 if (ret) {
1240 hx509_set_error_string(context, 0, ret, "Out of memory");
1241 goto out;
1242 }
1243 if (size != data.length)
1244 _hx509_abort("internal ASN.1 encoder error");
1245 ret = add_extension(context, tbsc, 1,
1246 &asn1_oid_id_x509_ce_keyUsage, &data);
1247 free(data.data);
1248 if (ret)
1249 goto out;
1250 }
1251
1252 /* add ExtendedKeyUsage */
1253 if (tbs->eku.len > 0) {
1254 ASN1_MALLOC_ENCODE(ExtKeyUsage, data.data, data.length,
1255 &tbs->eku, &size, ret);
1256 if (ret) {
1257 hx509_set_error_string(context, 0, ret, "Out of memory");
1258 goto out;
1259 }
1260 if (size != data.length)
1261 _hx509_abort("internal ASN.1 encoder error");
1262 ret = add_extension(context, tbsc, 0,
1263 &asn1_oid_id_x509_ce_extKeyUsage, &data);
1264 free(data.data);
1265 if (ret)
1266 goto out;
1267 }
1268
1269 /* add Subject Alternative Name */
1270 if (tbs->san.len > 0) {
1271 ASN1_MALLOC_ENCODE(GeneralNames, data.data, data.length,
1272 &tbs->san, &size, ret);
1273 if (ret) {
1274 hx509_set_error_string(context, 0, ret, "Out of memory");
1275 goto out;
1276 }
1277 if (size != data.length)
1278 _hx509_abort("internal ASN.1 encoder error");
1279 ret = add_extension(context, tbsc, 0,
1280 &asn1_oid_id_x509_ce_subjectAltName,
1281 &data);
1282 free(data.data);
1283 if (ret)
1284 goto out;
1285 }
1286
1287 /* Add Authority Key Identifier */
1288 if (ai) {
1289 ASN1_MALLOC_ENCODE(AuthorityKeyIdentifier, data.data, data.length,
1290 ai, &size, ret);
1291 if (ret) {
1292 hx509_set_error_string(context, 0, ret, "Out of memory");
1293 goto out;
1294 }
1295 if (size != data.length)
1296 _hx509_abort("internal ASN.1 encoder error");
1297 ret = add_extension(context, tbsc, 0,
1298 &asn1_oid_id_x509_ce_authorityKeyIdentifier,
1299 &data);
1300 free(data.data);
1301 if (ret)
1302 goto out;
1303 }
1304
1305 /* Add Subject Key Identifier */
1306 {
1307 SubjectKeyIdentifier si;
1308 unsigned char hash[SHA_DIGEST_LENGTH];
1309
1310 {
1311 EVP_MD_CTX *ctx;
1312
1313 ctx = EVP_MD_CTX_create();
1314 EVP_DigestInit_ex(ctx, EVP_sha1(), NULL);
1315 EVP_DigestUpdate(ctx, tbs->spki.subjectPublicKey.data,
1316 tbs->spki.subjectPublicKey.length / 8);
1317 EVP_DigestFinal_ex(ctx, hash, NULL);
1318 EVP_MD_CTX_destroy(ctx);
1319 }
1320
1321 si.data = hash;
1322 si.length = sizeof(hash);
1323
1324 ASN1_MALLOC_ENCODE(SubjectKeyIdentifier, data.data, data.length,
1325 &si, &size, ret);
1326 if (ret) {
1327 hx509_set_error_string(context, 0, ret, "Out of memory");
1328 goto out;
1329 }
1330 if (size != data.length)
1331 _hx509_abort("internal ASN.1 encoder error");
1332 ret = add_extension(context, tbsc, 0,
1333 &asn1_oid_id_x509_ce_subjectKeyIdentifier,
1334 &data);
1335 free(data.data);
1336 if (ret)
1337 goto out;
1338 }
1339
1340 /* Add BasicConstraints */
1341 {
1342 BasicConstraints bc;
1343 int aCA = 1;
1344 unsigned int path;
1345
1346 memset(&bc, 0, sizeof(bc));
1347
1348 if (tbs->flags.ca) {
1349 bc.cA = &aCA;
1350 if (tbs->pathLenConstraint >= 0) {
1351 path = tbs->pathLenConstraint;
1352 bc.pathLenConstraint = &path;
1353 }
1354 }
1355
1356 ASN1_MALLOC_ENCODE(BasicConstraints, data.data, data.length,
1357 &bc, &size, ret);
1358 if (ret) {
1359 hx509_set_error_string(context, 0, ret, "Out of memory");
1360 goto out;
1361 }
1362 if (size != data.length)
1363 _hx509_abort("internal ASN.1 encoder error");
1364 /* Critical if this is a CA */
1365 ret = add_extension(context, tbsc, tbs->flags.ca,
1366 &asn1_oid_id_x509_ce_basicConstraints,
1367 &data);
1368 free(data.data);
1369 if (ret)
1370 goto out;
1371 }
1372
1373 /* add Proxy */
1374 if (tbs->flags.proxy) {
1375 ProxyCertInfo info;
1376
1377 memset(&info, 0, sizeof(info));
1378
1379 if (tbs->pathLenConstraint >= 0) {
1380 info.pCPathLenConstraint =
1381 malloc(sizeof(*info.pCPathLenConstraint));
1382 if (info.pCPathLenConstraint == NULL) {
1383 ret = ENOMEM;
1384 hx509_set_error_string(context, 0, ret, "Out of memory");
1385 goto out;
1386 }
1387 *info.pCPathLenConstraint = tbs->pathLenConstraint;
1388 }
1389
1390 ret = der_copy_oid(&asn1_oid_id_pkix_ppl_inheritAll,
1391 &info.proxyPolicy.policyLanguage);
1392 if (ret) {
1393 free_ProxyCertInfo(&info);
1394 hx509_set_error_string(context, 0, ret, "Out of memory");
1395 goto out;
1396 }
1397
1398 ASN1_MALLOC_ENCODE(ProxyCertInfo, data.data, data.length,
1399 &info, &size, ret);
1400 free_ProxyCertInfo(&info);
1401 if (ret) {
1402 hx509_set_error_string(context, 0, ret, "Out of memory");
1403 goto out;
1404 }
1405 if (size != data.length)
1406 _hx509_abort("internal ASN.1 encoder error");
1407 ret = add_extension(context, tbsc, 0,
1408 &asn1_oid_id_pkix_pe_proxyCertInfo,
1409 &data);
1410 free(data.data);
1411 if (ret)
1412 goto out;
1413 }
1414
1415 if (tbs->crldp.len) {
1416
1417 ASN1_MALLOC_ENCODE(CRLDistributionPoints, data.data, data.length,
1418 &tbs->crldp, &size, ret);
1419 if (ret) {
1420 hx509_set_error_string(context, 0, ret, "Out of memory");
1421 goto out;
1422 }
1423 if (size != data.length)
1424 _hx509_abort("internal ASN.1 encoder error");
1425 ret = add_extension(context, tbsc, FALSE,
1426 &asn1_oid_id_x509_ce_cRLDistributionPoints,
1427 &data);
1428 free(data.data);
1429 if (ret)
1430 goto out;
1431 }
1432
1433 ASN1_MALLOC_ENCODE(TBSCertificate, data.data, data.length,tbsc, &size, ret);
1434 if (ret) {
1435 hx509_set_error_string(context, 0, ret, "malloc out of memory");
1436 goto out;
1437 }
1438 if (data.length != size)
1439 _hx509_abort("internal ASN.1 encoder error");
1440
1441 ret = _hx509_create_signature_bitstring(context,
1442 signer,
1443 sigalg,
1444 &data,
1445 &c.signatureAlgorithm,
1446 &c.signatureValue);
1447 free(data.data);
1448 if (ret)
1449 goto out;
1450
1451 *certificate = hx509_cert_init(context, &c, &error);
1452 if (*certificate == NULL) {
1453 ret = heim_error_get_code(error);
1454 heim_release(error);
1455 goto out;
1456 }
1457
1458 free_Certificate(&c);
1459
1460 return 0;
1461
1462 out:
1463 free_Certificate(&c);
1464 return ret;
1465 }
1466
1467 static int
1468 get_AuthorityKeyIdentifier(hx509_context context,
1469 const Certificate *certificate,
1470 AuthorityKeyIdentifier *ai)
1471 {
1472 SubjectKeyIdentifier si;
1473 int ret;
1474
1475 ret = _hx509_find_extension_subject_key_id(certificate, &si);
1476 if (ret == 0) {
1477 ai->keyIdentifier = calloc(1, sizeof(*ai->keyIdentifier));
1478 if (ai->keyIdentifier == NULL) {
1479 free_SubjectKeyIdentifier(&si);
1480 ret = ENOMEM;
1481 hx509_set_error_string(context, 0, ret, "Out of memory");
1482 goto out;
1483 }
1484 ret = der_copy_octet_string(&si, ai->keyIdentifier);
1485 free_SubjectKeyIdentifier(&si);
1486 if (ret) {
1487 hx509_set_error_string(context, 0, ret, "Out of memory");
1488 goto out;
1489 }
1490 } else {
1491 GeneralNames gns;
1492 GeneralName gn;
1493 Name name;
1494
1495 memset(&gn, 0, sizeof(gn));
1496 memset(&gns, 0, sizeof(gns));
1497 memset(&name, 0, sizeof(name));
1498
1499 ai->authorityCertIssuer =
1500 calloc(1, sizeof(*ai->authorityCertIssuer));
1501 if (ai->authorityCertIssuer == NULL) {
1502 ret = ENOMEM;
1503 hx509_set_error_string(context, 0, ret, "Out of memory");
1504 goto out;
1505 }
1506 ai->authorityCertSerialNumber =
1507 calloc(1, sizeof(*ai->authorityCertSerialNumber));
1508 if (ai->authorityCertSerialNumber == NULL) {
1509 ret = ENOMEM;
1510 hx509_set_error_string(context, 0, ret, "Out of memory");
1511 goto out;
1512 }
1513
1514 /*
1515 * XXX unbreak when asn1 compiler handle IMPLICIT
1516 *
1517 * This is so horrible.
1518 */
1519
1520 ret = copy_Name(&certificate->tbsCertificate.subject, &name);
1521 if (ret) {
1522 hx509_set_error_string(context, 0, ret, "Out of memory");
1523 goto out;
1524 }
1525
1526 memset(&gn, 0, sizeof(gn));
1527 gn.element = choice_GeneralName_directoryName;
1528 gn.u.directoryName.element =
1529 choice_GeneralName_directoryName_rdnSequence;
1530 gn.u.directoryName.u.rdnSequence = name.u.rdnSequence;
1531
1532 ret = add_GeneralNames(&gns, &gn);
1533 if (ret) {
1534 hx509_set_error_string(context, 0, ret, "Out of memory");
1535 goto out;
1536 }
1537
1538 ai->authorityCertIssuer->val = gns.val;
1539 ai->authorityCertIssuer->len = gns.len;
1540
1541 ret = der_copy_heim_integer(&certificate->tbsCertificate.serialNumber,
1542 ai->authorityCertSerialNumber);
1543 if (ai->authorityCertSerialNumber == NULL) {
1544 ret = ENOMEM;
1545 hx509_set_error_string(context, 0, ret, "Out of memory");
1546 goto out;
1547 }
1548 }
1549 out:
1550 if (ret)
1551 free_AuthorityKeyIdentifier(ai);
1552 return ret;
1553 }
1554
1555
1556 /**
1557 * Sign a to-be-signed certificate object with a issuer certificate.
1558 *
1559 * The caller needs to at least have called the following functions on the
1560 * to-be-signed certificate object:
1561 * - hx509_ca_tbs_init()
1562 * - hx509_ca_tbs_set_subject()
1563 * - hx509_ca_tbs_set_spki()
1564 *
1565 * When done the to-be-signed certificate object should be freed with
1566 * hx509_ca_tbs_free().
1567 *
1568 * When creating self-signed certificate use hx509_ca_sign_self() instead.
1569 *
1570 * @param context A hx509 context.
1571 * @param tbs object to be signed.
1572 * @param signer the CA certificate object to sign with (need private key).
1573 * @param certificate return cerificate, free with hx509_cert_free().
1574 *
1575 * @return An hx509 error code, see hx509_get_error_string().
1576 *
1577 * @ingroup hx509_ca
1578 */
1579
1580 int
1581 hx509_ca_sign(hx509_context context,
1582 hx509_ca_tbs tbs,
1583 hx509_cert signer,
1584 hx509_cert *certificate)
1585 {
1586 const Certificate *signer_cert;
1587 AuthorityKeyIdentifier ai;
1588 int ret;
1589
1590 memset(&ai, 0, sizeof(ai));
1591
1592 signer_cert = _hx509_get_cert(signer);
1593
1594 ret = get_AuthorityKeyIdentifier(context, signer_cert, &ai);
1595 if (ret)
1596 goto out;
1597
1598 ret = ca_sign(context,
1599 tbs,
1600 _hx509_cert_private_key(signer),
1601 &ai,
1602 &signer_cert->tbsCertificate.subject,
1603 certificate);
1604
1605 out:
1606 free_AuthorityKeyIdentifier(&ai);
1607
1608 return ret;
1609 }
1610
1611 /**
1612 * Work just like hx509_ca_sign() but signs it-self.
1613 *
1614 * @param context A hx509 context.
1615 * @param tbs object to be signed.
1616 * @param signer private key to sign with.
1617 * @param certificate return cerificate, free with hx509_cert_free().
1618 *
1619 * @return An hx509 error code, see hx509_get_error_string().
1620 *
1621 * @ingroup hx509_ca
1622 */
1623
1624 int
1625 hx509_ca_sign_self(hx509_context context,
1626 hx509_ca_tbs tbs,
1627 hx509_private_key signer,
1628 hx509_cert *certificate)
1629 {
1630 return ca_sign(context,
1631 tbs,
1632 signer,
1633 NULL,
1634 NULL,
1635 certificate);
1636 }
Heimdal