diff options
author | Christian Grothoff <christian@grothoff.org> | 2008-08-24 22:46:28 +0000 |
---|---|---|
committer | Christian Grothoff <christian@grothoff.org> | 2008-08-24 22:46:28 +0000 |
commit | ad4e7e98b728aaa62505a192f80940f8b8e94ec5 (patch) | |
tree | f661077df39bbac736494537ce6c65c03647635e /src/daemon/https/x509 | |
parent | 12069e288db641aa4558f6d3c5fc605e7ed026a5 (diff) | |
download | libmicrohttpd-ad4e7e98b728aaa62505a192f80940f8b8e94ec5.tar.gz libmicrohttpd-ad4e7e98b728aaa62505a192f80940f8b8e94ec5.zip |
dead
Diffstat (limited to 'src/daemon/https/x509')
-rw-r--r-- | src/daemon/https/x509/Makefile.am | 1 | ||||
-rw-r--r-- | src/daemon/https/x509/crl_write.c | 317 | ||||
-rw-r--r-- | src/daemon/https/x509/x509_write.c | 1095 |
3 files changed, 0 insertions, 1413 deletions
diff --git a/src/daemon/https/x509/Makefile.am b/src/daemon/https/x509/Makefile.am index 3845fea4..f0d05c27 100644 --- a/src/daemon/https/x509/Makefile.am +++ b/src/daemon/https/x509/Makefile.am | |||
@@ -16,7 +16,6 @@ libx509_la_SOURCES = \ | |||
16 | common.c \ | 16 | common.c \ |
17 | crq.c \ | 17 | crq.c \ |
18 | crl.c \ | 18 | crl.c \ |
19 | crl_write.c \ | ||
20 | dn.c \ | 19 | dn.c \ |
21 | dsa.c \ | 20 | dsa.c \ |
22 | extensions.c \ | 21 | extensions.c \ |
diff --git a/src/daemon/https/x509/crl_write.c b/src/daemon/https/x509/crl_write.c deleted file mode 100644 index 5e323be2..00000000 --- a/src/daemon/https/x509/crl_write.c +++ /dev/null | |||
@@ -1,317 +0,0 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2003, 2004, 2005 Free Software Foundation | ||
3 | * | ||
4 | * Author: Nikos Mavrogiannopoulos | ||
5 | * | ||
6 | * This file is part of GNUTLS. | ||
7 | * | ||
8 | * The GNUTLS library is free software; you can redistribute it and/or | ||
9 | * modify it under the terms of the GNU Lesser General Public License | ||
10 | * as published by the Free Software Foundation; either version 2.1 of | ||
11 | * the License, or (at your option) any later version. | ||
12 | * | ||
13 | * This library is distributed in the hope that it will be useful, but | ||
14 | * WITHOUT ANY WARRANTY; without even the implied warranty of | ||
15 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | ||
16 | * Lesser General Public License for more details. | ||
17 | * | ||
18 | * You should have received a copy of the GNU Lesser General Public | ||
19 | * License along with this library; if not, write to the Free Software | ||
20 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, | ||
21 | * USA | ||
22 | * | ||
23 | */ | ||
24 | |||
25 | /* This file contains functions to handle CRL generation. | ||
26 | */ | ||
27 | |||
28 | #include <gnutls_int.h> | ||
29 | |||
30 | #ifdef ENABLE_PKI | ||
31 | |||
32 | #include <gnutls_datum.h> | ||
33 | #include <gnutls_global.h> | ||
34 | #include <gnutls_errors.h> | ||
35 | #include <common.h> | ||
36 | #include <gnutls_x509.h> | ||
37 | #include <x509_b64.h> | ||
38 | #include <crq.h> | ||
39 | #include <dn.h> | ||
40 | #include <mpi.h> | ||
41 | #include <sign.h> | ||
42 | #include <extensions.h> | ||
43 | #include <libtasn1.h> | ||
44 | |||
45 | static void disable_optional_stuff (gnutls_x509_crl_t crl); | ||
46 | |||
47 | /** | ||
48 | * gnutls_x509_crl_set_version - This function will set the CRL version | ||
49 | * @crl: should contain a gnutls_x509_crl_t structure | ||
50 | * @version: holds the version number. For CRLv1 crls must be 1. | ||
51 | * | ||
52 | * This function will set the version of the CRL. This | ||
53 | * must be one for CRL version 1, and so on. The CRLs generated | ||
54 | * by gnutls should have a version number of 2. | ||
55 | * | ||
56 | * Returns 0 on success. | ||
57 | * | ||
58 | **/ | ||
59 | int | ||
60 | gnutls_x509_crl_set_version (gnutls_x509_crl_t crl, unsigned int version) | ||
61 | { | ||
62 | int result; | ||
63 | char null = version; | ||
64 | |||
65 | if (crl == NULL) | ||
66 | { | ||
67 | gnutls_assert (); | ||
68 | return GNUTLS_E_INVALID_REQUEST; | ||
69 | } | ||
70 | |||
71 | null -= 1; | ||
72 | if (null < 0) | ||
73 | null = 0; | ||
74 | |||
75 | result = asn1_write_value (crl->crl, "tbsCertList.version", &null, 1); | ||
76 | if (result != ASN1_SUCCESS) | ||
77 | { | ||
78 | gnutls_assert (); | ||
79 | return mhd_gtls_asn2err (result); | ||
80 | } | ||
81 | |||
82 | return 0; | ||
83 | } | ||
84 | |||
85 | /** | ||
86 | * gnutls_x509_crl_sign2 - This function will sign a CRL with a key | ||
87 | * @crl: should contain a gnutls_x509_crl_t structure | ||
88 | * @issuer: is the certificate of the certificate issuer | ||
89 | * @issuer_key: holds the issuer's private key | ||
90 | * @dig: The message digest to use. GNUTLS_DIG_SHA1 is the safe choice unless you know what you're doing. | ||
91 | * @flags: must be 0 | ||
92 | * | ||
93 | * This function will sign the CRL with the issuer's private key, and | ||
94 | * will copy the issuer's information into the CRL. | ||
95 | * | ||
96 | * This must be the last step in a certificate CRL since all | ||
97 | * the previously set parameters are now signed. | ||
98 | * | ||
99 | * Returns 0 on success. | ||
100 | * | ||
101 | **/ | ||
102 | int | ||
103 | gnutls_x509_crl_sign2 (gnutls_x509_crl_t crl, gnutls_x509_crt_t issuer, | ||
104 | gnutls_x509_privkey_t issuer_key, | ||
105 | enum MHD_GNUTLS_HashAlgorithm dig, unsigned int flags) | ||
106 | { | ||
107 | int result; | ||
108 | |||
109 | if (crl == NULL || issuer == NULL) | ||
110 | { | ||
111 | gnutls_assert (); | ||
112 | return GNUTLS_E_INVALID_REQUEST; | ||
113 | } | ||
114 | |||
115 | /* disable all the unneeded OPTIONAL fields. | ||
116 | */ | ||
117 | disable_optional_stuff (crl); | ||
118 | |||
119 | result = _gnutls_x509_pkix_sign (crl->crl, "tbsCertList", | ||
120 | dig, issuer, issuer_key); | ||
121 | if (result < 0) | ||
122 | { | ||
123 | gnutls_assert (); | ||
124 | return result; | ||
125 | } | ||
126 | |||
127 | return 0; | ||
128 | } | ||
129 | |||
130 | /** | ||
131 | * gnutls_x509_crl_sign - This function will sign a CRL with a key | ||
132 | * @crl: should contain a gnutls_x509_crl_t structure | ||
133 | * @issuer: is the certificate of the certificate issuer | ||
134 | * @issuer_key: holds the issuer's private key | ||
135 | * | ||
136 | * This function is the same a gnutls_x509_crl_sign2() with no flags, and | ||
137 | * SHA1 as the hash algorithm. | ||
138 | * | ||
139 | * Returns 0 on success. | ||
140 | * | ||
141 | **/ | ||
142 | int | ||
143 | gnutls_x509_crl_sign (gnutls_x509_crl_t crl, gnutls_x509_crt_t issuer, | ||
144 | gnutls_x509_privkey_t issuer_key) | ||
145 | { | ||
146 | return gnutls_x509_crl_sign2 (crl, issuer, issuer_key, MHD_GNUTLS_MAC_SHA1, | ||
147 | 0); | ||
148 | } | ||
149 | |||
150 | /** | ||
151 | * gnutls_x509_crl_set_this_update - This function will set the CRL's issuing time | ||
152 | * @crl: should contain a gnutls_x509_crl_t structure | ||
153 | * @act_time: The actual time | ||
154 | * | ||
155 | * This function will set the time this CRL was issued. | ||
156 | * | ||
157 | * Returns 0 on success, or a negative value in case of an error. | ||
158 | * | ||
159 | **/ | ||
160 | int | ||
161 | gnutls_x509_crl_set_this_update (gnutls_x509_crl_t crl, time_t act_time) | ||
162 | { | ||
163 | if (crl == NULL) | ||
164 | { | ||
165 | gnutls_assert (); | ||
166 | return GNUTLS_E_INVALID_REQUEST; | ||
167 | } | ||
168 | |||
169 | return _gnutls_x509_set_time (crl->crl, "tbsCertList.thisUpdate", act_time); | ||
170 | } | ||
171 | |||
172 | /** | ||
173 | * gnutls_x509_crl_set_next_update - This function will set the CRL next update time | ||
174 | * @crl: should contain a gnutls_x509_crl_t structure | ||
175 | * @exp_time: The actual time | ||
176 | * | ||
177 | * This function will set the time this CRL will be updated. | ||
178 | * | ||
179 | * Returns 0 on success, or a negative value in case of an error. | ||
180 | * | ||
181 | **/ | ||
182 | int | ||
183 | gnutls_x509_crl_set_next_update (gnutls_x509_crl_t crl, time_t exp_time) | ||
184 | { | ||
185 | if (crl == NULL) | ||
186 | { | ||
187 | gnutls_assert (); | ||
188 | return GNUTLS_E_INVALID_REQUEST; | ||
189 | } | ||
190 | return _gnutls_x509_set_time (crl->crl, "tbsCertList.nextUpdate", exp_time); | ||
191 | } | ||
192 | |||
193 | /** | ||
194 | * gnutls_x509_crl_set_crt_serial - This function will set a revoked certificate's serial number | ||
195 | * @crl: should contain a gnutls_x509_crl_t structure | ||
196 | * @serial: The revoked certificate's serial number | ||
197 | * @serial_size: Holds the size of the serial field. | ||
198 | * @revocation_time: The time this certificate was revoked | ||
199 | * | ||
200 | * This function will set a revoked certificate's serial number to the CRL. | ||
201 | * | ||
202 | * Returns 0 on success, or a negative value in case of an error. | ||
203 | * | ||
204 | **/ | ||
205 | int | ||
206 | gnutls_x509_crl_set_crt_serial (gnutls_x509_crl_t crl, | ||
207 | const void *serial, size_t serial_size, | ||
208 | time_t revocation_time) | ||
209 | { | ||
210 | int ret; | ||
211 | |||
212 | if (crl == NULL) | ||
213 | { | ||
214 | gnutls_assert (); | ||
215 | return GNUTLS_E_INVALID_REQUEST; | ||
216 | } | ||
217 | |||
218 | ret = | ||
219 | asn1_write_value (crl->crl, "tbsCertList.revokedCertificates", "NEW", 1); | ||
220 | if (ret != ASN1_SUCCESS) | ||
221 | { | ||
222 | gnutls_assert (); | ||
223 | return mhd_gtls_asn2err (ret); | ||
224 | } | ||
225 | |||
226 | ret = | ||
227 | asn1_write_value (crl->crl, | ||
228 | "tbsCertList.revokedCertificates.?LAST.userCertificate", | ||
229 | serial, serial_size); | ||
230 | if (ret != ASN1_SUCCESS) | ||
231 | { | ||
232 | gnutls_assert (); | ||
233 | return mhd_gtls_asn2err (ret); | ||
234 | } | ||
235 | |||
236 | ret = | ||
237 | _gnutls_x509_set_time (crl->crl, | ||
238 | "tbsCertList.revokedCertificates.?LAST.revocationDate", | ||
239 | revocation_time); | ||
240 | if (ret < 0) | ||
241 | { | ||
242 | gnutls_assert (); | ||
243 | return ret; | ||
244 | } | ||
245 | |||
246 | ret = | ||
247 | asn1_write_value (crl->crl, | ||
248 | "tbsCertList.revokedCertificates.?LAST.crlEntryExtensions", | ||
249 | NULL, 0); | ||
250 | if (ret != ASN1_SUCCESS) | ||
251 | { | ||
252 | gnutls_assert (); | ||
253 | return mhd_gtls_asn2err (ret); | ||
254 | } | ||
255 | |||
256 | return 0; | ||
257 | } | ||
258 | |||
259 | /** | ||
260 | * gnutls_x509_crl_set_crt - This function will set a revoked certificate's serial number | ||
261 | * @crl: should contain a gnutls_x509_crl_t structure | ||
262 | * @crt: should contain a gnutls_x509_crt_t structure with the revoked certificate | ||
263 | * @revocation_time: The time this certificate was revoked | ||
264 | * | ||
265 | * This function will set a revoked certificate's serial number to the CRL. | ||
266 | * | ||
267 | * Returns 0 on success, or a negative value in case of an error. | ||
268 | * | ||
269 | **/ | ||
270 | int | ||
271 | gnutls_x509_crl_set_crt (gnutls_x509_crl_t crl, gnutls_x509_crt_t crt, | ||
272 | time_t revocation_time) | ||
273 | { | ||
274 | int ret; | ||
275 | opaque serial[128]; | ||
276 | size_t serial_size; | ||
277 | |||
278 | if (crl == NULL || crt == NULL) | ||
279 | { | ||
280 | gnutls_assert (); | ||
281 | return GNUTLS_E_INVALID_REQUEST; | ||
282 | } | ||
283 | |||
284 | serial_size = sizeof (serial); | ||
285 | ret = gnutls_x509_crt_get_serial (crt, serial, &serial_size); | ||
286 | if (ret < 0) | ||
287 | { | ||
288 | gnutls_assert (); | ||
289 | return ret; | ||
290 | } | ||
291 | |||
292 | ret = | ||
293 | gnutls_x509_crl_set_crt_serial (crl, serial, serial_size, | ||
294 | revocation_time); | ||
295 | if (ret < 0) | ||
296 | { | ||
297 | gnutls_assert (); | ||
298 | return mhd_gtls_asn2err (ret); | ||
299 | } | ||
300 | |||
301 | return 0; | ||
302 | } | ||
303 | |||
304 | |||
305 | /* If OPTIONAL fields have not been initialized then | ||
306 | * disable them. | ||
307 | */ | ||
308 | static void | ||
309 | disable_optional_stuff (gnutls_x509_crl_t crl) | ||
310 | { | ||
311 | |||
312 | asn1_write_value (crl->crl, "tbsCertList.crlExtensions", NULL, 0); | ||
313 | |||
314 | return; | ||
315 | } | ||
316 | |||
317 | #endif /* ENABLE_PKI */ | ||
diff --git a/src/daemon/https/x509/x509_write.c b/src/daemon/https/x509/x509_write.c deleted file mode 100644 index 342e117d..00000000 --- a/src/daemon/https/x509/x509_write.c +++ /dev/null | |||
@@ -1,1095 +0,0 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2003, 2004, 2005, 2006, 2007 Free Software Foundation | ||
3 | * | ||
4 | * Author: Nikos Mavrogiannopoulos | ||
5 | * | ||
6 | * This file is part of GNUTLS. | ||
7 | * | ||
8 | * The GNUTLS library is free software; you can redistribute it and/or | ||
9 | * modify it under the terms of the GNU Lesser General Public License | ||
10 | * as published by the Free Software Foundation; either version 2.1 of | ||
11 | * the License, or (at your option) any later version. | ||
12 | * | ||
13 | * This library is distributed in the hope that it will be useful, but | ||
14 | * WITHOUT ANY WARRANTY; without even the implied warranty of | ||
15 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | ||
16 | * Lesser General Public License for more details. | ||
17 | * | ||
18 | * You should have received a copy of the GNU Lesser General Public | ||
19 | * License along with this library; if not, write to the Free Software | ||
20 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, | ||
21 | * USA | ||
22 | * | ||
23 | */ | ||
24 | |||
25 | /* This file contains functions to handle X.509 certificate generation. | ||
26 | */ | ||
27 | |||
28 | #include <gnutls_int.h> | ||
29 | |||
30 | #ifdef ENABLE_PKI | ||
31 | |||
32 | #include <gnutls_datum.h> | ||
33 | #include <gnutls_global.h> | ||
34 | #include <gnutls_errors.h> | ||
35 | #include <common.h> | ||
36 | #include <gnutls_x509.h> | ||
37 | #include <x509_b64.h> | ||
38 | #include <crq.h> | ||
39 | #include <dn.h> | ||
40 | #include <mpi.h> | ||
41 | #include <sign.h> | ||
42 | #include <extensions.h> | ||
43 | #include <libtasn1.h> | ||
44 | |||
45 | static void disable_optional_stuff (gnutls_x509_crt_t cert); | ||
46 | |||
47 | /** | ||
48 | * gnutls_x509_crt_set_dn_by_oid - This function will set the Certificate request subject's distinguished name | ||
49 | * @crt: should contain a gnutls_x509_crt_t structure | ||
50 | * @oid: holds an Object Identifier in a null terminated string | ||
51 | * @raw_flag: must be 0, or 1 if the data are DER encoded | ||
52 | * @name: a pointer to the name | ||
53 | * @sizeof_name: holds the size of @name | ||
54 | * | ||
55 | * This function will set the part of the name of the Certificate subject, specified | ||
56 | * by the given OID. The input string should be ASCII or UTF-8 encoded. | ||
57 | * | ||
58 | * Some helper macros with popular OIDs can be found in gnutls/x509.h | ||
59 | * With this function you can only set the known OIDs. You can test | ||
60 | * for known OIDs using gnutls_x509_dn_oid_known(). For OIDs that are | ||
61 | * not known (by gnutls) you should properly DER encode your data, and | ||
62 | * call this function with raw_flag set. | ||
63 | * | ||
64 | * Returns 0 on success. | ||
65 | * | ||
66 | **/ | ||
67 | int | ||
68 | gnutls_x509_crt_set_dn_by_oid (gnutls_x509_crt_t crt, const char *oid, | ||
69 | unsigned int raw_flag, const void *name, | ||
70 | unsigned int sizeof_name) | ||
71 | { | ||
72 | if (sizeof_name == 0 || name == NULL || crt == NULL) | ||
73 | { | ||
74 | return GNUTLS_E_INVALID_REQUEST; | ||
75 | } | ||
76 | |||
77 | return _gnutls_x509_set_dn_oid (crt->cert, "tbsCertificate.subject", | ||
78 | oid, raw_flag, name, sizeof_name); | ||
79 | } | ||
80 | |||
81 | /** | ||
82 | * gnutls_x509_crt_set_issuer_dn_by_oid - This function will set the Certificate request issuer's distinguished name | ||
83 | * @crt: should contain a gnutls_x509_crt_t structure | ||
84 | * @oid: holds an Object Identifier in a null terminated string | ||
85 | * @raw_flag: must be 0, or 1 if the data are DER encoded | ||
86 | * @name: a pointer to the name | ||
87 | * @sizeof_name: holds the size of @name | ||
88 | * | ||
89 | * This function will set the part of the name of the Certificate issuer, specified | ||
90 | * by the given OID. The input string should be ASCII or UTF-8 encoded. | ||
91 | * | ||
92 | * Some helper macros with popular OIDs can be found in gnutls/x509.h | ||
93 | * With this function you can only set the known OIDs. You can test | ||
94 | * for known OIDs using gnutls_x509_dn_oid_known(). For OIDs that are | ||
95 | * not known (by gnutls) you should properly DER encode your data, and | ||
96 | * call this function with raw_flag set. | ||
97 | * | ||
98 | * Normally you do not need to call this function, since the signing | ||
99 | * operation will copy the signer's name as the issuer of the certificate. | ||
100 | * | ||
101 | * Returns 0 on success. | ||
102 | * | ||
103 | **/ | ||
104 | int | ||
105 | gnutls_x509_crt_set_issuer_dn_by_oid (gnutls_x509_crt_t crt, | ||
106 | const char *oid, | ||
107 | unsigned int raw_flag, | ||
108 | const void *name, | ||
109 | unsigned int sizeof_name) | ||
110 | { | ||
111 | if (sizeof_name == 0 || name == NULL || crt == NULL) | ||
112 | { | ||
113 | return GNUTLS_E_INVALID_REQUEST; | ||
114 | } | ||
115 | |||
116 | return _gnutls_x509_set_dn_oid (crt->cert, "tbsCertificate.issuer", oid, | ||
117 | raw_flag, name, sizeof_name); | ||
118 | } | ||
119 | |||
120 | /** | ||
121 | * gnutls_x509_crt_set_proxy_dn - Set Proxy Certificate subject's distinguished name | ||
122 | * @crt: a gnutls_x509_crt_t structure with the new proxy cert | ||
123 | * @eecrt: the end entity certificate that will be issuing the proxy | ||
124 | * @raw_flag: must be 0, or 1 if the CN is DER encoded | ||
125 | * @name: a pointer to the CN name, may be NULL (but MUST then be added later) | ||
126 | * @sizeof_name: holds the size of @name | ||
127 | * | ||
128 | * This function will set the subject in @crt to the end entity's | ||
129 | * @eecrt subject name, and add a single Common Name component @name | ||
130 | * of size @sizeof_name. This corresponds to the required proxy | ||
131 | * certificate naming style. Note that if @name is %NULL, you MUST | ||
132 | * set it later by using gnutls_x509_crt_set_dn_by_oid() or similar. | ||
133 | * | ||
134 | * Returns 0 on success. | ||
135 | * | ||
136 | **/ | ||
137 | int | ||
138 | gnutls_x509_crt_set_proxy_dn (gnutls_x509_crt_t crt, gnutls_x509_crt_t eecrt, | ||
139 | unsigned int raw_flag, const void *name, | ||
140 | unsigned int sizeof_name) | ||
141 | { | ||
142 | int result; | ||
143 | |||
144 | if (crt == NULL || eecrt == NULL) | ||
145 | { | ||
146 | return GNUTLS_E_INVALID_REQUEST; | ||
147 | } | ||
148 | |||
149 | result = asn1_copy_node (crt->cert, "tbsCertificate.subject", | ||
150 | eecrt->cert, "tbsCertificate.subject"); | ||
151 | if (result != ASN1_SUCCESS) | ||
152 | { | ||
153 | gnutls_assert (); | ||
154 | return mhd_gtls_asn2err (result); | ||
155 | } | ||
156 | |||
157 | if (name && sizeof_name) | ||
158 | { | ||
159 | return _gnutls_x509_set_dn_oid (crt->cert, "tbsCertificate.subject", | ||
160 | GNUTLS_OID_X520_COMMON_NAME, | ||
161 | raw_flag, name, sizeof_name); | ||
162 | } | ||
163 | |||
164 | return 0; | ||
165 | } | ||
166 | |||
167 | /** | ||
168 | * gnutls_x509_crt_set_version - This function will set the Certificate request version | ||
169 | * @crt: should contain a gnutls_x509_crt_t structure | ||
170 | * @version: holds the version number. For X.509v1 certificates must be 1. | ||
171 | * | ||
172 | * This function will set the version of the certificate. This must | ||
173 | * be one for X.509 version 1, and so on. Plain certificates without | ||
174 | * extensions must have version set to one. | ||
175 | * | ||
176 | * To create well-formed certificates, you must specify version 3 if | ||
177 | * you use any certificate extensions. Extensions are created by | ||
178 | * functions such as gnutls_x509_crt_set_subject_alternative_name or | ||
179 | * gnutls_x509_crt_set_key_usage. | ||
180 | * | ||
181 | * Returns 0 on success. | ||
182 | * | ||
183 | **/ | ||
184 | int | ||
185 | gnutls_x509_crt_set_version (gnutls_x509_crt_t crt, unsigned int version) | ||
186 | { | ||
187 | int result; | ||
188 | unsigned char null = version; | ||
189 | |||
190 | if (crt == NULL) | ||
191 | { | ||
192 | gnutls_assert (); | ||
193 | return GNUTLS_E_INVALID_REQUEST; | ||
194 | } | ||
195 | |||
196 | if (null > 0) | ||
197 | null--; | ||
198 | |||
199 | result = asn1_write_value (crt->cert, "tbsCertificate.version", &null, 1); | ||
200 | if (result != ASN1_SUCCESS) | ||
201 | { | ||
202 | gnutls_assert (); | ||
203 | return mhd_gtls_asn2err (result); | ||
204 | } | ||
205 | |||
206 | return 0; | ||
207 | } | ||
208 | |||
209 | /** | ||
210 | * gnutls_x509_crt_set_key - This function will associate the Certificate with a key | ||
211 | * @crt: should contain a gnutls_x509_crt_t structure | ||
212 | * @key: holds a private key | ||
213 | * | ||
214 | * This function will set the public parameters from the given private key to the | ||
215 | * certificate. Only RSA keys are currently supported. | ||
216 | * | ||
217 | * Returns 0 on success. | ||
218 | * | ||
219 | **/ | ||
220 | int | ||
221 | gnutls_x509_crt_set_key (gnutls_x509_crt_t crt, gnutls_x509_privkey_t key) | ||
222 | { | ||
223 | int result; | ||
224 | |||
225 | if (crt == NULL) | ||
226 | { | ||
227 | gnutls_assert (); | ||
228 | return GNUTLS_E_INVALID_REQUEST; | ||
229 | } | ||
230 | |||
231 | result = _gnutls_x509_encode_and_copy_PKI_params (crt->cert, | ||
232 | "tbsCertificate.subjectPublicKeyInfo", | ||
233 | key->pk_algorithm, | ||
234 | key->params, | ||
235 | key->params_size); | ||
236 | |||
237 | if (result < 0) | ||
238 | { | ||
239 | gnutls_assert (); | ||
240 | return result; | ||
241 | } | ||
242 | |||
243 | return 0; | ||
244 | } | ||
245 | |||
246 | /** | ||
247 | * gnutls_x509_crt_set_crq - This function will associate the Certificate with a request | ||
248 | * @crt: should contain a gnutls_x509_crt_t structure | ||
249 | * @crq: holds a certificate request | ||
250 | * | ||
251 | * This function will set the name and public parameters from the given certificate request to the | ||
252 | * certificate. Only RSA keys are currently supported. | ||
253 | * | ||
254 | * Returns 0 on success. | ||
255 | * | ||
256 | **/ | ||
257 | int | ||
258 | gnutls_x509_crt_set_crq (gnutls_x509_crt_t crt, gnutls_x509_crq_t crq) | ||
259 | { | ||
260 | int result; | ||
261 | int pk_algorithm; | ||
262 | |||
263 | if (crt == NULL || crq == NULL) | ||
264 | { | ||
265 | gnutls_assert (); | ||
266 | return GNUTLS_E_INVALID_REQUEST; | ||
267 | } | ||
268 | |||
269 | pk_algorithm = gnutls_x509_crq_get_pk_algorithm (crq, NULL); | ||
270 | |||
271 | result = asn1_copy_node (crt->cert, "tbsCertificate.subject", | ||
272 | crq->crq, "certificationRequestInfo.subject"); | ||
273 | if (result != ASN1_SUCCESS) | ||
274 | { | ||
275 | gnutls_assert (); | ||
276 | return mhd_gtls_asn2err (result); | ||
277 | } | ||
278 | |||
279 | result = | ||
280 | asn1_copy_node (crt->cert, "tbsCertificate.subjectPublicKeyInfo", | ||
281 | crq->crq, "certificationRequestInfo.subjectPKInfo"); | ||
282 | if (result != ASN1_SUCCESS) | ||
283 | { | ||
284 | gnutls_assert (); | ||
285 | return mhd_gtls_asn2err (result); | ||
286 | } | ||
287 | |||
288 | return 0; | ||
289 | } | ||
290 | |||
291 | /** | ||
292 | * gnutls_x509_crt_set_extension_by_oid - This function will set an arbitrary extension | ||
293 | * @crt: should contain a gnutls_x509_crt_t structure | ||
294 | * @oid: holds an Object Identified in null terminated string | ||
295 | * @buf: a pointer to a DER encoded data | ||
296 | * @sizeof_buf: holds the size of @buf | ||
297 | * @critical: should be non zero if the extension is to be marked as critical | ||
298 | * | ||
299 | * This function will set an the extension, by the specified OID, in the certificate. | ||
300 | * The extension data should be binary data DER encoded. | ||
301 | * | ||
302 | * Returns 0 on success and a negative value in case of an error. | ||
303 | * | ||
304 | **/ | ||
305 | int | ||
306 | gnutls_x509_crt_set_extension_by_oid (gnutls_x509_crt_t crt, | ||
307 | const char *oid, const void *buf, | ||
308 | size_t sizeof_buf, | ||
309 | unsigned int critical) | ||
310 | { | ||
311 | int result; | ||
312 | gnutls_datum_t der_data; | ||
313 | |||
314 | der_data.data = (void *) buf; | ||
315 | der_data.size = sizeof_buf; | ||
316 | |||
317 | if (crt == NULL) | ||
318 | { | ||
319 | gnutls_assert (); | ||
320 | return GNUTLS_E_INVALID_REQUEST; | ||
321 | } | ||
322 | |||
323 | result = _gnutls_x509_crt_set_extension (crt, oid, &der_data, critical); | ||
324 | if (result < 0) | ||
325 | { | ||
326 | gnutls_assert (); | ||
327 | return result; | ||
328 | } | ||
329 | |||
330 | crt->use_extensions = 1; | ||
331 | |||
332 | return 0; | ||
333 | |||
334 | } | ||
335 | |||
336 | /** | ||
337 | * gnutls_x509_crt_set_basic_constraints - This function will set the basicConstraints extension | ||
338 | * @crt: should contain a gnutls_x509_crt_t structure | ||
339 | * @ca: true(1) or false(0). Depending on the Certificate authority status. | ||
340 | * @pathLenConstraint: non-negative values indicate maximum length of path, | ||
341 | * and negative values indicate that the pathLenConstraints field should | ||
342 | * not be present. | ||
343 | * | ||
344 | * This function will set the basicConstraints certificate extension. | ||
345 | * | ||
346 | * Returns 0 on success. | ||
347 | * | ||
348 | **/ | ||
349 | int | ||
350 | gnutls_x509_crt_set_basic_constraints (gnutls_x509_crt_t crt, | ||
351 | unsigned int ca, int pathLenConstraint) | ||
352 | { | ||
353 | int result; | ||
354 | gnutls_datum_t der_data; | ||
355 | |||
356 | if (crt == NULL) | ||
357 | { | ||
358 | gnutls_assert (); | ||
359 | return GNUTLS_E_INVALID_REQUEST; | ||
360 | } | ||
361 | |||
362 | /* generate the extension. | ||
363 | */ | ||
364 | result = _gnutls_x509_ext_gen_basicConstraints (ca, pathLenConstraint, | ||
365 | &der_data); | ||
366 | if (result < 0) | ||
367 | { | ||
368 | gnutls_assert (); | ||
369 | return result; | ||
370 | } | ||
371 | |||
372 | result = _gnutls_x509_crt_set_extension (crt, "2.5.29.19", &der_data, 1); | ||
373 | |||
374 | _gnutls_free_datum (&der_data); | ||
375 | |||
376 | if (result < 0) | ||
377 | { | ||
378 | gnutls_assert (); | ||
379 | return result; | ||
380 | } | ||
381 | |||
382 | crt->use_extensions = 1; | ||
383 | |||
384 | return 0; | ||
385 | } | ||
386 | |||
387 | /** | ||
388 | * gnutls_x509_crt_set_ca_status - This function will set the basicConstraints extension | ||
389 | * @crt: should contain a gnutls_x509_crt_t structure | ||
390 | * @ca: true(1) or false(0). Depending on the Certificate authority status. | ||
391 | * | ||
392 | * This function will set the basicConstraints certificate extension. | ||
393 | * Use gnutls_x509_crt_set_basic_constraints() if you want to control | ||
394 | * the pathLenConstraint field too. | ||
395 | * | ||
396 | * Returns 0 on success. | ||
397 | * | ||
398 | **/ | ||
399 | int | ||
400 | gnutls_x509_crt_set_ca_status (gnutls_x509_crt_t crt, unsigned int ca) | ||
401 | { | ||
402 | return gnutls_x509_crt_set_basic_constraints (crt, ca, -1); | ||
403 | } | ||
404 | |||
405 | /** | ||
406 | * gnutls_x509_crt_set_key_usage - This function will set the keyUsage extension | ||
407 | * @crt: should contain a gnutls_x509_crt_t structure | ||
408 | * @usage: an ORed sequence of the GNUTLS_KEY_* elements. | ||
409 | * | ||
410 | * This function will set the keyUsage certificate extension. | ||
411 | * | ||
412 | * Returns 0 on success. | ||
413 | * | ||
414 | **/ | ||
415 | int | ||
416 | gnutls_x509_crt_set_key_usage (gnutls_x509_crt_t crt, unsigned int usage) | ||
417 | { | ||
418 | int result; | ||
419 | gnutls_datum_t der_data; | ||
420 | |||
421 | if (crt == NULL) | ||
422 | { | ||
423 | gnutls_assert (); | ||
424 | return GNUTLS_E_INVALID_REQUEST; | ||
425 | } | ||
426 | |||
427 | /* generate the extension. | ||
428 | */ | ||
429 | result = _gnutls_x509_ext_gen_keyUsage ((uint16_t) usage, &der_data); | ||
430 | if (result < 0) | ||
431 | { | ||
432 | gnutls_assert (); | ||
433 | return result; | ||
434 | } | ||
435 | |||
436 | result = _gnutls_x509_crt_set_extension (crt, "2.5.29.15", &der_data, 1); | ||
437 | |||
438 | _gnutls_free_datum (&der_data); | ||
439 | |||
440 | if (result < 0) | ||
441 | { | ||
442 | gnutls_assert (); | ||
443 | return result; | ||
444 | } | ||
445 | |||
446 | crt->use_extensions = 1; | ||
447 | |||
448 | return 0; | ||
449 | } | ||
450 | |||
451 | /** | ||
452 | * gnutls_x509_crt_set_subject_alternative_name - This function will set the subject Alternative Name | ||
453 | * @crt: should contain a gnutls_x509_crt_t structure | ||
454 | * @type: is one of the gnutls_x509_subject_alt_name_t enumerations | ||
455 | * @data_string: The data to be set | ||
456 | * | ||
457 | * This function will set the subject alternative name certificate extension. | ||
458 | * | ||
459 | * Returns 0 on success. | ||
460 | * | ||
461 | **/ | ||
462 | int | ||
463 | gnutls_x509_crt_set_subject_alternative_name (gnutls_x509_crt_t crt, | ||
464 | gnutls_x509_subject_alt_name_t | ||
465 | type, const char *data_string) | ||
466 | { | ||
467 | int result; | ||
468 | gnutls_datum_t der_data; | ||
469 | gnutls_datum_t dnsname; | ||
470 | unsigned int critical; | ||
471 | |||
472 | if (crt == NULL) | ||
473 | { | ||
474 | gnutls_assert (); | ||
475 | return GNUTLS_E_INVALID_REQUEST; | ||
476 | } | ||
477 | |||
478 | /* Check if the extension already exists. | ||
479 | */ | ||
480 | result = | ||
481 | _gnutls_x509_crt_get_extension (crt, "2.5.29.17", 0, &dnsname, &critical); | ||
482 | |||
483 | if (result >= 0) | ||
484 | _gnutls_free_datum (&dnsname); | ||
485 | if (result != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) | ||
486 | { | ||
487 | gnutls_assert (); | ||
488 | return GNUTLS_E_INVALID_REQUEST; | ||
489 | } | ||
490 | |||
491 | /* generate the extension. | ||
492 | */ | ||
493 | result = | ||
494 | _gnutls_x509_ext_gen_subject_alt_name (type, data_string, &der_data); | ||
495 | if (result < 0) | ||
496 | { | ||
497 | gnutls_assert (); | ||
498 | return result; | ||
499 | } | ||
500 | |||
501 | result = _gnutls_x509_crt_set_extension (crt, "2.5.29.17", &der_data, 0); | ||
502 | |||
503 | _gnutls_free_datum (&der_data); | ||
504 | |||
505 | if (result < 0) | ||
506 | { | ||
507 | gnutls_assert (); | ||
508 | return result; | ||
509 | } | ||
510 | |||
511 | crt->use_extensions = 1; | ||
512 | |||
513 | return 0; | ||
514 | } | ||
515 | |||
516 | /** | ||
517 | * gnutls_x509_crt_set_proxy - Set the proxyCertInfo extension | ||
518 | * @crt: should contain a gnutls_x509_crt_t structure | ||
519 | * @pathLenConstraint: non-negative values indicate maximum length of path, | ||
520 | * and negative values indicate that the pathLenConstraints field should | ||
521 | * not be present. | ||
522 | * @policyLanguage: OID describing the language of @policy. | ||
523 | * @policy: opaque byte array with policy language, can be %NULL | ||
524 | * @sizeof_policy: size of @policy. | ||
525 | * | ||
526 | * This function will set the proxyCertInfo extension. | ||
527 | * | ||
528 | * Returns 0 on success. | ||
529 | * | ||
530 | **/ | ||
531 | int | ||
532 | gnutls_x509_crt_set_proxy (gnutls_x509_crt_t crt, | ||
533 | int pathLenConstraint, | ||
534 | const char *policyLanguage, | ||
535 | const char *policy, size_t sizeof_policy) | ||
536 | { | ||
537 | int result; | ||
538 | gnutls_datum_t der_data; | ||
539 | |||
540 | if (crt == NULL) | ||
541 | { | ||
542 | gnutls_assert (); | ||
543 | return GNUTLS_E_INVALID_REQUEST; | ||
544 | } | ||
545 | |||
546 | /* generate the extension. | ||
547 | */ | ||
548 | result = _gnutls_x509_ext_gen_proxyCertInfo (pathLenConstraint, | ||
549 | policyLanguage, | ||
550 | policy, sizeof_policy, | ||
551 | &der_data); | ||
552 | if (result < 0) | ||
553 | { | ||
554 | gnutls_assert (); | ||
555 | return result; | ||
556 | } | ||
557 | |||
558 | result = _gnutls_x509_crt_set_extension (crt, "1.3.6.1.5.5.7.1.14", | ||
559 | &der_data, 1); | ||
560 | |||
561 | _gnutls_free_datum (&der_data); | ||
562 | |||
563 | if (result < 0) | ||
564 | { | ||
565 | gnutls_assert (); | ||
566 | return result; | ||
567 | } | ||
568 | |||
569 | crt->use_extensions = 1; | ||
570 | |||
571 | return 0; | ||
572 | } | ||
573 | |||
574 | /** | ||
575 | * gnutls_x509_crt_sign2 - This function will sign a certificate with a key | ||
576 | * @crt: should contain a gnutls_x509_crt_t structure | ||
577 | * @issuer: is the certificate of the certificate issuer | ||
578 | * @issuer_key: holds the issuer's private key | ||
579 | * @dig: The message digest to use. GNUTLS_DIG_SHA1 is the safe choice unless you know what you're doing. | ||
580 | * @flags: must be 0 | ||
581 | * | ||
582 | * This function will sign the certificate with the issuer's private key, and | ||
583 | * will copy the issuer's information into the certificate. | ||
584 | * | ||
585 | * This must be the last step in a certificate generation since all | ||
586 | * the previously set parameters are now signed. | ||
587 | * | ||
588 | * Returns 0 on success. | ||
589 | * | ||
590 | **/ | ||
591 | int | ||
592 | gnutls_x509_crt_sign2 (gnutls_x509_crt_t crt, gnutls_x509_crt_t issuer, | ||
593 | gnutls_x509_privkey_t issuer_key, | ||
594 | enum MHD_GNUTLS_HashAlgorithm dig, unsigned int flags) | ||
595 | { | ||
596 | int result; | ||
597 | |||
598 | if (crt == NULL || issuer == NULL || issuer_key == NULL) | ||
599 | { | ||
600 | gnutls_assert (); | ||
601 | return GNUTLS_E_INVALID_REQUEST; | ||
602 | } | ||
603 | |||
604 | /* disable all the unneeded OPTIONAL fields. | ||
605 | */ | ||
606 | disable_optional_stuff (crt); | ||
607 | |||
608 | result = _gnutls_x509_pkix_sign (crt->cert, "tbsCertificate", | ||
609 | dig, issuer, issuer_key); | ||
610 | if (result < 0) | ||
611 | { | ||
612 | gnutls_assert (); | ||
613 | return result; | ||
614 | } | ||
615 | |||
616 | return 0; | ||
617 | } | ||
618 | |||
619 | /** | ||
620 | * gnutls_x509_crt_sign - This function will sign a certificate with a key | ||
621 | * @crt: should contain a gnutls_x509_crt_t structure | ||
622 | * @issuer: is the certificate of the certificate issuer | ||
623 | * @issuer_key: holds the issuer's private key | ||
624 | * | ||
625 | * This function is the same a gnutls_x509_crt_sign2() with no flags, and | ||
626 | * SHA1 as the hash algorithm. | ||
627 | * | ||
628 | * Returns 0 on success. | ||
629 | * | ||
630 | **/ | ||
631 | int | ||
632 | gnutls_x509_crt_sign (gnutls_x509_crt_t crt, gnutls_x509_crt_t issuer, | ||
633 | gnutls_x509_privkey_t issuer_key) | ||
634 | { | ||
635 | return gnutls_x509_crt_sign2 (crt, issuer, issuer_key, MHD_GNUTLS_MAC_SHA1, | ||
636 | 0); | ||
637 | } | ||
638 | |||
639 | /** | ||
640 | * gnutls_x509_crt_set_activation_time - This function will set the Certificate's activation time | ||
641 | * @cert: should contain a gnutls_x509_crt_t structure | ||
642 | * @act_time: The actual time | ||
643 | * | ||
644 | * This function will set the time this Certificate was or will be activated. | ||
645 | * | ||
646 | * Returns 0 on success, or a negative value in case of an error. | ||
647 | * | ||
648 | **/ | ||
649 | int | ||
650 | gnutls_x509_crt_set_activation_time (gnutls_x509_crt_t cert, time_t act_time) | ||
651 | { | ||
652 | if (cert == NULL) | ||
653 | { | ||
654 | gnutls_assert (); | ||
655 | return GNUTLS_E_INVALID_REQUEST; | ||
656 | } | ||
657 | |||
658 | return _gnutls_x509_set_time (cert->cert, | ||
659 | "tbsCertificate.validity.notBefore", | ||
660 | act_time); | ||
661 | } | ||
662 | |||
663 | /** | ||
664 | * gnutls_x509_crt_set_expiration_time - This function will set the Certificate's expiration time | ||
665 | * @cert: should contain a gnutls_x509_crt_t structure | ||
666 | * @exp_time: The actual time | ||
667 | * | ||
668 | * This function will set the time this Certificate will expire. | ||
669 | * | ||
670 | * Returns 0 on success, or a negative value in case of an error. | ||
671 | * | ||
672 | **/ | ||
673 | int | ||
674 | gnutls_x509_crt_set_expiration_time (gnutls_x509_crt_t cert, time_t exp_time) | ||
675 | { | ||
676 | if (cert == NULL) | ||
677 | { | ||
678 | gnutls_assert (); | ||
679 | return GNUTLS_E_INVALID_REQUEST; | ||
680 | } | ||
681 | return _gnutls_x509_set_time (cert->cert, | ||
682 | "tbsCertificate.validity.notAfter", exp_time); | ||
683 | } | ||
684 | |||
685 | /** | ||
686 | * gnutls_x509_crt_set_serial - This function will set the certificate's serial number | ||
687 | * @cert: should contain a gnutls_x509_crt_t structure | ||
688 | * @serial: The serial number | ||
689 | * @serial_size: Holds the size of the serial field. | ||
690 | * | ||
691 | * This function will set the X.509 certificate's serial number. | ||
692 | * Serial is not always a 32 or 64bit number. Some CAs use | ||
693 | * large serial numbers, thus it may be wise to handle it as something | ||
694 | * opaque. | ||
695 | * | ||
696 | * Returns 0 on success, or a negative value in case of an error. | ||
697 | * | ||
698 | **/ | ||
699 | int | ||
700 | gnutls_x509_crt_set_serial (gnutls_x509_crt_t cert, const void *serial, | ||
701 | size_t serial_size) | ||
702 | { | ||
703 | int ret; | ||
704 | |||
705 | if (cert == NULL) | ||
706 | { | ||
707 | gnutls_assert (); | ||
708 | return GNUTLS_E_INVALID_REQUEST; | ||
709 | } | ||
710 | |||
711 | ret = | ||
712 | asn1_write_value (cert->cert, "tbsCertificate.serialNumber", serial, | ||
713 | serial_size); | ||
714 | if (ret != ASN1_SUCCESS) | ||
715 | { | ||
716 | gnutls_assert (); | ||
717 | return mhd_gtls_asn2err (ret); | ||
718 | } | ||
719 | |||
720 | return 0; | ||
721 | |||
722 | } | ||
723 | |||
724 | /* If OPTIONAL fields have not been initialized then | ||
725 | * disable them. | ||
726 | */ | ||
727 | static void | ||
728 | disable_optional_stuff (gnutls_x509_crt_t cert) | ||
729 | { | ||
730 | |||
731 | asn1_write_value (cert->cert, "tbsCertificate.issuerUniqueID", NULL, 0); | ||
732 | |||
733 | asn1_write_value (cert->cert, "tbsCertificate.subjectUniqueID", NULL, 0); | ||
734 | |||
735 | if (cert->use_extensions == 0) | ||
736 | { | ||
737 | _gnutls_x509_log ("Disabling X.509 extensions.\n"); | ||
738 | asn1_write_value (cert->cert, "tbsCertificate.extensions", NULL, 0); | ||
739 | } | ||
740 | |||
741 | return; | ||
742 | } | ||
743 | |||
744 | /** | ||
745 | * gnutls_x509_crt_set_crl_dist_points - This function will set the CRL dist points | ||
746 | * @crt: should contain a gnutls_x509_crt_t structure | ||
747 | * @type: is one of the gnutls_x509_subject_alt_name_t enumerations | ||
748 | * @data_string: The data to be set | ||
749 | * @reason_flags: revocation reasons | ||
750 | * | ||
751 | * This function will set the CRL distribution points certificate extension. | ||
752 | * | ||
753 | * Returns 0 on success. | ||
754 | * | ||
755 | **/ | ||
756 | int | ||
757 | gnutls_x509_crt_set_crl_dist_points (gnutls_x509_crt_t crt, | ||
758 | gnutls_x509_subject_alt_name_t | ||
759 | type, const void *data_string, | ||
760 | unsigned int reason_flags) | ||
761 | { | ||
762 | int result; | ||
763 | gnutls_datum_t der_data; | ||
764 | gnutls_datum_t oldname; | ||
765 | unsigned int critical; | ||
766 | |||
767 | if (crt == NULL) | ||
768 | { | ||
769 | gnutls_assert (); | ||
770 | return GNUTLS_E_INVALID_REQUEST; | ||
771 | } | ||
772 | |||
773 | /* Check if the extension already exists. | ||
774 | */ | ||
775 | result = | ||
776 | _gnutls_x509_crt_get_extension (crt, "2.5.29.31", 0, &oldname, &critical); | ||
777 | |||
778 | if (result >= 0) | ||
779 | _gnutls_free_datum (&oldname); | ||
780 | if (result != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) | ||
781 | { | ||
782 | gnutls_assert (); | ||
783 | return GNUTLS_E_INVALID_REQUEST; | ||
784 | } | ||
785 | |||
786 | /* generate the extension. | ||
787 | */ | ||
788 | result = | ||
789 | _gnutls_x509_ext_gen_crl_dist_points (type, data_string, | ||
790 | reason_flags, &der_data); | ||
791 | if (result < 0) | ||
792 | { | ||
793 | gnutls_assert (); | ||
794 | return result; | ||
795 | } | ||
796 | |||
797 | result = _gnutls_x509_crt_set_extension (crt, "2.5.29.31", &der_data, 0); | ||
798 | |||
799 | _gnutls_free_datum (&der_data); | ||
800 | |||
801 | if (result < 0) | ||
802 | { | ||
803 | gnutls_assert (); | ||
804 | return result; | ||
805 | } | ||
806 | |||
807 | crt->use_extensions = 1; | ||
808 | |||
809 | return 0; | ||
810 | } | ||
811 | |||
812 | /** | ||
813 | * gnutls_x509_crt_cpy_crl_dist_points - This function will copy the CRL dist points | ||
814 | * @dst: should contain a gnutls_x509_crt_t structure | ||
815 | * @src: the certificate where the dist points will be copied from | ||
816 | * | ||
817 | * This function will copy the CRL distribution points certificate | ||
818 | * extension, from the source to the destination certificate. | ||
819 | * This may be useful to copy from a CA certificate to issued ones. | ||
820 | * | ||
821 | * Returns 0 on success. | ||
822 | * | ||
823 | **/ | ||
824 | int | ||
825 | gnutls_x509_crt_cpy_crl_dist_points (gnutls_x509_crt_t dst, | ||
826 | gnutls_x509_crt_t src) | ||
827 | { | ||
828 | int result; | ||
829 | gnutls_datum_t der_data; | ||
830 | unsigned int critical; | ||
831 | |||
832 | if (dst == NULL || src == NULL) | ||
833 | { | ||
834 | gnutls_assert (); | ||
835 | return GNUTLS_E_INVALID_REQUEST; | ||
836 | } | ||
837 | |||
838 | /* Check if the extension already exists. | ||
839 | */ | ||
840 | result = | ||
841 | _gnutls_x509_crt_get_extension (src, "2.5.29.31", 0, &der_data, | ||
842 | &critical); | ||
843 | if (result < 0) | ||
844 | { | ||
845 | gnutls_assert (); | ||
846 | return result; | ||
847 | } | ||
848 | |||
849 | result = | ||
850 | _gnutls_x509_crt_set_extension (dst, "2.5.29.31", &der_data, critical); | ||
851 | _gnutls_free_datum (&der_data); | ||
852 | |||
853 | if (result < 0) | ||
854 | { | ||
855 | gnutls_assert (); | ||
856 | return result; | ||
857 | } | ||
858 | |||
859 | dst->use_extensions = 1; | ||
860 | |||
861 | return 0; | ||
862 | } | ||
863 | |||
864 | /** | ||
865 | * gnutls_x509_crt_set_subject_key_id - This function will set the certificate's subject key id | ||
866 | * @cert: should contain a gnutls_x509_crt_t structure | ||
867 | * @id: The key ID | ||
868 | * @id_size: Holds the size of the serial field. | ||
869 | * | ||
870 | * This function will set the X.509 certificate's subject key ID extension. | ||
871 | * | ||
872 | * Returns 0 on success, or a negative value in case of an error. | ||
873 | * | ||
874 | **/ | ||
875 | int | ||
876 | gnutls_x509_crt_set_subject_key_id (gnutls_x509_crt_t cert, | ||
877 | const void *id, size_t id_size) | ||
878 | { | ||
879 | int result; | ||
880 | gnutls_datum_t old_id, der_data; | ||
881 | unsigned int critical; | ||
882 | |||
883 | if (cert == NULL) | ||
884 | { | ||
885 | gnutls_assert (); | ||
886 | return GNUTLS_E_INVALID_REQUEST; | ||
887 | } | ||
888 | |||
889 | /* Check if the extension already exists. | ||
890 | */ | ||
891 | result = | ||
892 | _gnutls_x509_crt_get_extension (cert, "2.5.29.14", 0, &old_id, &critical); | ||
893 | |||
894 | if (result >= 0) | ||
895 | _gnutls_free_datum (&old_id); | ||
896 | if (result != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) | ||
897 | { | ||
898 | gnutls_assert (); | ||
899 | return GNUTLS_E_INVALID_REQUEST; | ||
900 | } | ||
901 | |||
902 | /* generate the extension. | ||
903 | */ | ||
904 | result = _gnutls_x509_ext_gen_key_id (id, id_size, &der_data); | ||
905 | if (result < 0) | ||
906 | { | ||
907 | gnutls_assert (); | ||
908 | return result; | ||
909 | } | ||
910 | |||
911 | result = _gnutls_x509_crt_set_extension (cert, "2.5.29.14", &der_data, 0); | ||
912 | |||
913 | _gnutls_free_datum (&der_data); | ||
914 | |||
915 | if (result < 0) | ||
916 | { | ||
917 | gnutls_assert (); | ||
918 | return result; | ||
919 | } | ||
920 | |||
921 | cert->use_extensions = 1; | ||
922 | |||
923 | return 0; | ||
924 | } | ||
925 | |||
926 | /** | ||
927 | * gnutls_x509_crt_set_authority_key_id - This function will set the certificate authority's key id | ||
928 | * @cert: should contain a gnutls_x509_crt_t structure | ||
929 | * @id: The key ID | ||
930 | * @id_size: Holds the size of the serial field. | ||
931 | * | ||
932 | * This function will set the X.509 certificate's authority key ID extension. | ||
933 | * Only the keyIdentifier field can be set with this function. | ||
934 | * | ||
935 | * Returns 0 on success, or a negative value in case of an error. | ||
936 | * | ||
937 | **/ | ||
938 | int | ||
939 | gnutls_x509_crt_set_authority_key_id (gnutls_x509_crt_t cert, | ||
940 | const void *id, size_t id_size) | ||
941 | { | ||
942 | int result; | ||
943 | gnutls_datum_t old_id, der_data; | ||
944 | unsigned int critical; | ||
945 | |||
946 | if (cert == NULL) | ||
947 | { | ||
948 | gnutls_assert (); | ||
949 | return GNUTLS_E_INVALID_REQUEST; | ||
950 | } | ||
951 | |||
952 | /* Check if the extension already exists. | ||
953 | */ | ||
954 | result = | ||
955 | _gnutls_x509_crt_get_extension (cert, "2.5.29.35", 0, &old_id, &critical); | ||
956 | |||
957 | if (result >= 0) | ||
958 | _gnutls_free_datum (&old_id); | ||
959 | if (result != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) | ||
960 | { | ||
961 | gnutls_assert (); | ||
962 | return GNUTLS_E_INVALID_REQUEST; | ||
963 | } | ||
964 | |||
965 | /* generate the extension. | ||
966 | */ | ||
967 | result = _gnutls_x509_ext_gen_auth_key_id (id, id_size, &der_data); | ||
968 | if (result < 0) | ||
969 | { | ||
970 | gnutls_assert (); | ||
971 | return result; | ||
972 | } | ||
973 | |||
974 | result = _gnutls_x509_crt_set_extension (cert, "2.5.29.35", &der_data, 0); | ||
975 | |||
976 | _gnutls_free_datum (&der_data); | ||
977 | |||
978 | if (result < 0) | ||
979 | { | ||
980 | gnutls_assert (); | ||
981 | return result; | ||
982 | } | ||
983 | |||
984 | cert->use_extensions = 1; | ||
985 | |||
986 | return 0; | ||
987 | } | ||
988 | |||
989 | /** | ||
990 | * gnutls_x509_crt_set_key_purpose_oid - This function sets the Certificate's key purpose OIDs | ||
991 | * @cert: should contain a gnutls_x509_crt_t structure | ||
992 | * @oid: a pointer to a null terminated string that holds the OID | ||
993 | * @critical: Whether this extension will be critical or not | ||
994 | * | ||
995 | * This function will set the key purpose OIDs of the Certificate. | ||
996 | * These are stored in the Extended Key Usage extension (2.5.29.37) | ||
997 | * See the GNUTLS_KP_* definitions for human readable names. | ||
998 | * | ||
999 | * Subsequent calls to this function will append OIDs to the OID list. | ||
1000 | * | ||
1001 | * On success 0 is returned. | ||
1002 | * | ||
1003 | **/ | ||
1004 | int | ||
1005 | gnutls_x509_crt_set_key_purpose_oid (gnutls_x509_crt_t cert, | ||
1006 | const void *oid, unsigned int critical) | ||
1007 | { | ||
1008 | int result; | ||
1009 | gnutls_datum_t old_id, der_data; | ||
1010 | ASN1_TYPE c2 = ASN1_TYPE_EMPTY; | ||
1011 | |||
1012 | if (cert == NULL) | ||
1013 | { | ||
1014 | gnutls_assert (); | ||
1015 | return GNUTLS_E_INVALID_REQUEST; | ||
1016 | } | ||
1017 | |||
1018 | result = asn1_create_element | ||
1019 | (_gnutls_get_pkix (), "PKIX1.ExtKeyUsageSyntax", &c2); | ||
1020 | if (result != ASN1_SUCCESS) | ||
1021 | { | ||
1022 | gnutls_assert (); | ||
1023 | return mhd_gtls_asn2err (result); | ||
1024 | } | ||
1025 | |||
1026 | /* Check if the extension already exists. | ||
1027 | */ | ||
1028 | result = | ||
1029 | _gnutls_x509_crt_get_extension (cert, "2.5.29.37", 0, &old_id, NULL); | ||
1030 | |||
1031 | if (result >= 0) | ||
1032 | { | ||
1033 | /* decode it. | ||
1034 | */ | ||
1035 | result = asn1_der_decoding (&c2, old_id.data, old_id.size, NULL); | ||
1036 | _gnutls_free_datum (&old_id); | ||
1037 | |||
1038 | if (result != ASN1_SUCCESS) | ||
1039 | { | ||
1040 | gnutls_assert (); | ||
1041 | asn1_delete_structure (&c2); | ||
1042 | return mhd_gtls_asn2err (result); | ||
1043 | } | ||
1044 | |||
1045 | } | ||
1046 | |||
1047 | /* generate the extension. | ||
1048 | */ | ||
1049 | /* 1. create a new element. | ||
1050 | */ | ||
1051 | result = asn1_write_value (c2, "", "NEW", 1); | ||
1052 | if (result != ASN1_SUCCESS) | ||
1053 | { | ||
1054 | gnutls_assert (); | ||
1055 | asn1_delete_structure (&c2); | ||
1056 | return mhd_gtls_asn2err (result); | ||
1057 | } | ||
1058 | |||
1059 | /* 2. Add the OID. | ||
1060 | */ | ||
1061 | result = asn1_write_value (c2, "?LAST", oid, 1); | ||
1062 | if (result != ASN1_SUCCESS) | ||
1063 | { | ||
1064 | gnutls_assert (); | ||
1065 | asn1_delete_structure (&c2); | ||
1066 | return mhd_gtls_asn2err (result); | ||
1067 | } | ||
1068 | |||
1069 | result = _gnutls_x509_der_encode (c2, "", &der_data, 0); | ||
1070 | asn1_delete_structure (&c2); | ||
1071 | |||
1072 | if (result != ASN1_SUCCESS) | ||
1073 | { | ||
1074 | gnutls_assert (); | ||
1075 | return mhd_gtls_asn2err (result); | ||
1076 | } | ||
1077 | |||
1078 | result = _gnutls_x509_crt_set_extension (cert, "2.5.29.37", | ||
1079 | &der_data, critical); | ||
1080 | |||
1081 | _gnutls_free_datum (&der_data); | ||
1082 | |||
1083 | if (result < 0) | ||
1084 | { | ||
1085 | gnutls_assert (); | ||
1086 | return result; | ||
1087 | } | ||
1088 | |||
1089 | cert->use_extensions = 1; | ||
1090 | |||
1091 | return 0; | ||
1092 | |||
1093 | } | ||
1094 | |||
1095 | #endif /* ENABLE_PKI */ | ||