search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
check for either iconv or libiconv.
[gnutls.git] / lib / x509 / crq.c
blob853d1450278f058274332e723de7ca72e312afbf
1 /*
2 * Copyright (C) 2003-2012 Free Software Foundation, Inc.
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GnuTLS.
7 *
8 * The GnuTLS is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 3 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>
20 *
21 */
22
23 /* This file contains functions to handle PKCS #10 certificate
24 requests, see RFC 2986.
25 */
26
27 #include <gnutls_int.h>
28
29 #include <gnutls_datum.h>
30 #include <gnutls_global.h>
31 #include <gnutls_errors.h>
32 #include <common.h>
33 #include <gnutls_x509.h>
34 #include <x509_b64.h>
35 #include "x509_int.h"
36 #include <libtasn1.h>
37
38 /**
39 * gnutls_x509_crq_init:
40 * @crq: The structure to be initialized
41 *
42 * This function will initialize a PKCS#10 certificate request
43 * structure.
44 *
45 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
46 * negative error value.
47 **/
48 int
49 gnutls_x509_crq_init (gnutls_x509_crq_t * crq)
50 {
51 int result;
52
53 *crq = gnutls_calloc (1, sizeof (gnutls_x509_crq_int));
54 if (!*crq)
55 return GNUTLS_E_MEMORY_ERROR;
56
57 result = asn1_create_element (_gnutls_get_pkix (),
58 "PKIX1.pkcs-10-CertificationRequest",
59 &((*crq)->crq));
60 if (result != ASN1_SUCCESS)
61 {
62 gnutls_assert ();
63 gnutls_free (*crq);
64 return _gnutls_asn2err (result);
65 }
66
67 return 0;
68 }
69
70 /**
71 * gnutls_x509_crq_deinit:
72 * @crq: The structure to be initialized
73 *
74 * This function will deinitialize a PKCS#10 certificate request
75 * structure.
76 **/
77 void
78 gnutls_x509_crq_deinit (gnutls_x509_crq_t crq)
79 {
80 if (!crq)
81 return;
82
83 if (crq->crq)
84 asn1_delete_structure (&crq->crq);
85
86 gnutls_free (crq);
87 }
88
89 #define PEM_CRQ "NEW CERTIFICATE REQUEST"
90 #define PEM_CRQ2 "CERTIFICATE REQUEST"
91
92 /**
93 * gnutls_x509_crq_import:
94 * @crq: The structure to store the parsed certificate request.
95 * @data: The DER or PEM encoded certificate.
96 * @format: One of DER or PEM
97 *
98 * This function will convert the given DER or PEM encoded certificate
99 * request to a #gnutls_x509_crq_t structure. The output will be
100 * stored in @crq.
101 *
102 * If the Certificate is PEM encoded it should have a header of "NEW
103 * CERTIFICATE REQUEST".
104 *
105 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
106 * negative error value.
107 **/
108 int
109 gnutls_x509_crq_import (gnutls_x509_crq_t crq,
110 const gnutls_datum_t * data,
111 gnutls_x509_crt_fmt_t format)
112 {
113 int result = 0, need_free = 0;
114 gnutls_datum_t _data;
115
116 if (crq == NULL)
117 {
118 gnutls_assert ();
119 return GNUTLS_E_INVALID_REQUEST;
120 }
121
122 _data.data = data->data;
123 _data.size = data->size;
124
125 /* If the Certificate is in PEM format then decode it
126 */
127 if (format == GNUTLS_X509_FMT_PEM)
128 {
129 /* Try the first header */
130 result = _gnutls_fbase64_decode (PEM_CRQ, data->data, data->size, &_data);
131
132 if (result < 0) /* Go for the second header */
133 result =
134 _gnutls_fbase64_decode (PEM_CRQ2, data->data, data->size, &_data);
135
136 if (result < 0)
137 {
138 gnutls_assert ();
139 return result;
140 }
141
142 need_free = 1;
143 }
144
145 result = asn1_der_decoding (&crq->crq, _data.data, _data.size, NULL);
146 if (result != ASN1_SUCCESS)
147 {
148 result = _gnutls_asn2err (result);
149 gnutls_assert ();
150 goto cleanup;
151 }
152
153 result = 0;
154
155 cleanup:
156 if (need_free)
157 _gnutls_free_datum (&_data);
158 return result;
159 }
160
161 /**
162 * gnutls_x509_crq_get_private_key_usage_period:
163 * @cert: should contain a #gnutls_x509_crq_t structure
164 * @activation: The activation time
165 * @expiration: The expiration time
166 * @critical: the extension status
167 *
168 * This function will return the expiration and activation
169 * times of the private key of the certificate.
170 *
171 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
172 * if the extension is not present, otherwise a negative error value.
173 **/
174 int
175 gnutls_x509_crq_get_private_key_usage_period (gnutls_x509_crq_t crq, time_t* activation, time_t* expiration,
176 unsigned int *critical)
177 {
178 int result, ret;
179 ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
180 uint8_t buf[128];
181 size_t buf_size = sizeof (buf);
182
183 if (crq == NULL)
184 {
185 gnutls_assert ();
186 return GNUTLS_E_INVALID_REQUEST;
187 }
188
189 ret = gnutls_x509_crq_get_extension_by_oid (crq, "2.5.29.16", 0,
190 buf, &buf_size, critical);
191 if (ret < 0)
192 return gnutls_assert_val(ret);
193
194 result = asn1_create_element
195 (_gnutls_get_pkix (), "PKIX1.PrivateKeyUsagePeriod", &c2);
196 if (result != ASN1_SUCCESS)
197 {
198 gnutls_assert ();
199 ret = _gnutls_asn2err (result);
200 goto cleanup;
201 }
202
203 result = asn1_der_decoding (&c2, buf, buf_size, NULL);
204 if (result != ASN1_SUCCESS)
205 {
206 gnutls_assert ();
207 ret = _gnutls_asn2err (result);
208 goto cleanup;
209 }
210
211 if (activation)
212 *activation = _gnutls_x509_get_time (c2,
213 "notBefore", 1);
214
215 if (expiration)
216 *expiration = _gnutls_x509_get_time (c2,
217 "notAfter", 1);
218
219 ret = 0;
220
221 cleanup:
222 asn1_delete_structure (&c2);
223
224 return ret;
225 }
226
227
228 /**
229 * gnutls_x509_crq_get_dn:
230 * @crq: should contain a #gnutls_x509_crq_t structure
231 * @buf: a pointer to a structure to hold the name (may be %NULL)
232 * @sizeof_buf: initially holds the size of @buf
233 *
234 * This function will copy the name of the Certificate request subject
235 * to the provided buffer. The name will be in the form
236 * "C=xxxx,O=yyyy,CN=zzzz" as described in RFC 2253. The output string
237 * @buf will be ASCII or UTF-8 encoded, depending on the certificate
238 * data.
239 *
240 * Returns: %GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not
241 * long enough, and in that case the *@sizeof_buf will be updated with
242 * the required size. On success 0 is returned.
243 **/
244 int
245 gnutls_x509_crq_get_dn (gnutls_x509_crq_t crq, char *buf, size_t * sizeof_buf)
246 {
247 if (crq == NULL)
248 {
249 gnutls_assert ();
250 return GNUTLS_E_INVALID_REQUEST;
251 }
252
253 return _gnutls_x509_parse_dn (crq->crq,
254 "certificationRequestInfo.subject.rdnSequence",
255 buf, sizeof_buf);
256 }
257
258 /**
259 * gnutls_x509_crq_get_dn_by_oid:
260 * @crq: should contain a gnutls_x509_crq_t structure
261 * @oid: holds an Object Identified in null terminated string
262 * @indx: In case multiple same OIDs exist in the RDN, this specifies
263 * which to send. Use (0) to get the first one.
264 * @raw_flag: If non-zero returns the raw DER data of the DN part.
265 * @buf: a pointer to a structure to hold the name (may be %NULL)
266 * @sizeof_buf: initially holds the size of @buf
267 *
268 * This function will extract the part of the name of the Certificate
269 * request subject, specified by the given OID. The output will be
270 * encoded as described in RFC2253. The output string will be ASCII
271 * or UTF-8 encoded, depending on the certificate data.
272 *
273 * Some helper macros with popular OIDs can be found in gnutls/x509.h
274 * If raw flag is (0), this function will only return known OIDs as
275 * text. Other OIDs will be DER encoded, as described in RFC2253 --
276 * in hex format with a '\#' prefix. You can check about known OIDs
277 * using gnutls_x509_dn_oid_known().
278 *
279 * Returns: %GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is
280 * not long enough, and in that case the *@sizeof_buf will be
281 * updated with the required size. On success 0 is returned.
282 **/
283 int
284 gnutls_x509_crq_get_dn_by_oid (gnutls_x509_crq_t crq, const char *oid,
285 int indx, unsigned int raw_flag,
286 void *buf, size_t * sizeof_buf)
287 {
288 if (crq == NULL)
289 {
290 gnutls_assert ();
291 return GNUTLS_E_INVALID_REQUEST;
292 }
293
294 return _gnutls_x509_parse_dn_oid
295 (crq->crq,
296 "certificationRequestInfo.subject.rdnSequence",
297 oid, indx, raw_flag, buf, sizeof_buf);
298 }
299
300 /**
301 * gnutls_x509_crq_get_dn_oid:
302 * @crq: should contain a gnutls_x509_crq_t structure
303 * @indx: Specifies which DN OID to send. Use (0) to get the first one.
304 * @oid: a pointer to a structure to hold the name (may be %NULL)
305 * @sizeof_oid: initially holds the size of @oid
306 *
307 * This function will extract the requested OID of the name of the
308 * certificate request subject, specified by the given index.
309 *
310 * Returns: %GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is
311 * not long enough, and in that case the *@sizeof_oid will be
312 * updated with the required size. On success 0 is returned.
313 **/
314 int
315 gnutls_x509_crq_get_dn_oid (gnutls_x509_crq_t crq,
316 int indx, void *oid, size_t * sizeof_oid)
317 {
318 if (crq == NULL)
319 {
320 gnutls_assert ();
321 return GNUTLS_E_INVALID_REQUEST;
322 }
323
324 return _gnutls_x509_get_dn_oid (crq->crq,
325 "certificationRequestInfo.subject.rdnSequence",
326 indx, oid, sizeof_oid);
327 }
328
329 /* Parses an Attribute list in the asn1_struct, and searches for the
330 * given OID. The index indicates the attribute value to be returned.
331 *
332 * If raw==0 only printable data are returned, or
333 * GNUTLS_E_X509_UNSUPPORTED_ATTRIBUTE.
334 *
335 * asn1_attr_name must be a string in the form
336 * "certificationRequestInfo.attributes"
337 *
338 */
339 static int
340 parse_attribute (ASN1_TYPE asn1_struct,
341 const char *attr_name, const char *given_oid, int indx,
342 int raw, char *buf, size_t * sizeof_buf)
343 {
344 int k1, result;
345 char tmpbuffer1[ASN1_MAX_NAME_SIZE];
346 char tmpbuffer3[ASN1_MAX_NAME_SIZE];
347 char value[200];
348 char oid[MAX_OID_SIZE];
349 int len, printable;
350
351 k1 = 0;
352 do
353 {
354
355 k1++;
356 /* create a string like "attribute.?1"
357 */
358 if (attr_name[0] != 0)
359 snprintf (tmpbuffer1, sizeof (tmpbuffer1), "%s.?%u", attr_name, k1);
360 else
361 snprintf (tmpbuffer1, sizeof (tmpbuffer1), "?%u", k1);
362
363 len = sizeof (value) - 1;
364 result = asn1_read_value (asn1_struct, tmpbuffer1, value, &len);
365
366 if (result == ASN1_ELEMENT_NOT_FOUND)
367 {
368 gnutls_assert ();
369 break;
370 }
371
372 if (result != ASN1_VALUE_NOT_FOUND)
373 {
374 gnutls_assert ();
375 result = _gnutls_asn2err (result);
376 goto cleanup;
377 }
378
379 /* Move to the attibute type and values
380 */
381 /* Read the OID
382 */
383 _gnutls_str_cpy (tmpbuffer3, sizeof (tmpbuffer3), tmpbuffer1);
384 _gnutls_str_cat (tmpbuffer3, sizeof (tmpbuffer3), ".type");
385
386 len = sizeof (oid) - 1;
387 result = asn1_read_value (asn1_struct, tmpbuffer3, oid, &len);
388
389 if (result == ASN1_ELEMENT_NOT_FOUND)
390 break;
391 else if (result != ASN1_SUCCESS)
392 {
393 gnutls_assert ();
394 result = _gnutls_asn2err (result);
395 goto cleanup;
396 }
397
398 if (strcmp (oid, given_oid) == 0)
399 { /* Found the OID */
400
401 /* Read the Value
402 */
403 snprintf (tmpbuffer3, sizeof (tmpbuffer3), "%s.values.?%u",
404 tmpbuffer1, indx + 1);
405
406 len = sizeof (value) - 1;
407 result = asn1_read_value (asn1_struct, tmpbuffer3, value, &len);
408
409 if (result != ASN1_SUCCESS)
410 {
411 gnutls_assert ();
412 result = _gnutls_asn2err (result);
413 goto cleanup;
414 }
415
416 if (raw == 0)
417 {
418 printable = _gnutls_x509_oid_data_printable (oid);
419 if (printable == 1)
420 {
421 if ((result =
422 _gnutls_x509_oid_data2string
423 (oid, value, len, buf, sizeof_buf)) < 0)
424 {
425 gnutls_assert ();
426 goto cleanup;
427 }
428 return 0;
429 }
430 else
431 {
432 gnutls_assert ();
433 return GNUTLS_E_X509_UNSUPPORTED_ATTRIBUTE;
434 }
435 }
436 else
437 { /* raw!=0 */
438 if (*sizeof_buf >= (size_t) len && buf != NULL)
439 {
440 *sizeof_buf = len;
441 memcpy (buf, value, len);
442
443 return 0;
444 }
445 else
446 {
447 *sizeof_buf = len;
448 return GNUTLS_E_SHORT_MEMORY_BUFFER;
449 }
450 }
451 }
452
453 }
454 while (1);
455
456 gnutls_assert ();
457
458 result = GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
459
460 cleanup:
461 return result;
462 }
463
464 /**
465 * gnutls_x509_crq_get_challenge_password:
466 * @crq: should contain a #gnutls_x509_crq_t structure
467 * @pass: will hold a (0)-terminated password string
468 * @sizeof_pass: Initially holds the size of @pass.
469 *
470 * This function will return the challenge password in the request.
471 * The challenge password is intended to be used for requesting a
472 * revocation of the certificate.
473 *
474 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
475 * negative error value.
476 **/
477 int
478 gnutls_x509_crq_get_challenge_password (gnutls_x509_crq_t crq,
479 char *pass, size_t * sizeof_pass)
480 {
481 if (crq == NULL)
482 {
483 gnutls_assert ();
484 return GNUTLS_E_INVALID_REQUEST;
485 }
486
487 return parse_attribute (crq->crq, "certificationRequestInfo.attributes",
488 "1.2.840.113549.1.9.7", 0, 0, pass, sizeof_pass);
489 }
490
491 /* This function will attempt to set the requested attribute in
492 * the given X509v3 certificate.
493 *
494 * Critical will be either 0 or 1.
495 */
496 static int
497 add_attribute (ASN1_TYPE asn, const char *root, const char *attribute_id,
498 const gnutls_datum_t * ext_data)
499 {
500 int result;
501 char name[ASN1_MAX_NAME_SIZE];
502
503 snprintf (name, sizeof (name), "%s", root);
504
505 /* Add a new attribute in the list.
506 */
507 result = asn1_write_value (asn, name, "NEW", 1);
508 if (result != ASN1_SUCCESS)
509 {
510 gnutls_assert ();
511 return _gnutls_asn2err (result);
512 }
513
514 snprintf (name, sizeof (name), "%s.?LAST.type", root);
515
516 result = asn1_write_value (asn, name, attribute_id, 1);
517 if (result != ASN1_SUCCESS)
518 {
519 gnutls_assert ();
520 return _gnutls_asn2err (result);
521 }
522
523 snprintf (name, sizeof (name), "%s.?LAST.values", root);
524
525 result = asn1_write_value (asn, name, "NEW", 1);
526 if (result != ASN1_SUCCESS)
527 {
528 gnutls_assert ();
529 return _gnutls_asn2err (result);
530 }
531
532 snprintf (name, sizeof (name), "%s.?LAST.values.?LAST", root);
533
534 result = _gnutls_x509_write_value (asn, name, ext_data, 0);
535 if (result < 0)
536 {
537 gnutls_assert ();
538 return result;
539 }
540
541 return 0;
542 }
543
544 /* Overwrite the given attribute (using the index)
545 * index here starts from one.
546 */
547 static int
548 overwrite_attribute (ASN1_TYPE asn, const char *root, unsigned int indx,
549 const gnutls_datum_t * ext_data)
550 {
551 char name[ASN1_MAX_NAME_SIZE], name2[ASN1_MAX_NAME_SIZE];
552 int result;
553
554 snprintf (name, sizeof (name), "%s.?%u", root, indx);
555
556 _gnutls_str_cpy (name2, sizeof (name2), name);
557 _gnutls_str_cat (name2, sizeof (name2), ".values.?LAST");
558
559 result = _gnutls_x509_write_value (asn, name2, ext_data, 0);
560 if (result < 0)
561 {
562 gnutls_assert ();
563 return result;
564 }
565
566
567 return 0;
568 }
569
570 static int
571 set_attribute (ASN1_TYPE asn, const char *root,
572 const char *ext_id, const gnutls_datum_t * ext_data)
573 {
574 int result;
575 int k, len;
576 char name[ASN1_MAX_NAME_SIZE], name2[ASN1_MAX_NAME_SIZE];
577 char extnID[MAX_OID_SIZE];
578
579 /* Find the index of the given attribute.
580 */
581 k = 0;
582 do
583 {
584 k++;
585
586 snprintf (name, sizeof (name), "%s.?%u", root, k);
587
588 len = sizeof (extnID) - 1;
589 result = asn1_read_value (asn, name, extnID, &len);
590
591 /* move to next
592 */
593
594 if (result == ASN1_ELEMENT_NOT_FOUND)
595 {
596 break;
597 }
598
599 do
600 {
601
602 _gnutls_str_cpy (name2, sizeof (name2), name);
603 _gnutls_str_cat (name2, sizeof (name2), ".type");
604
605 len = sizeof (extnID) - 1;
606 result = asn1_read_value (asn, name2, extnID, &len);
607
608 if (result == ASN1_ELEMENT_NOT_FOUND)
609 {
610 gnutls_assert ();
611 break;
612 }
613 else if (result != ASN1_SUCCESS)
614 {
615 gnutls_assert ();
616 return _gnutls_asn2err (result);
617 }
618
619 /* Handle Extension
620 */
621 if (strcmp (extnID, ext_id) == 0)
622 {
623 /* attribute was found
624 */
625 return overwrite_attribute (asn, root, k, ext_data);
626 }
627
628
629 }
630 while (0);
631 }
632 while (1);
633
634 if (result == ASN1_ELEMENT_NOT_FOUND)
635 {
636 return add_attribute (asn, root, ext_id, ext_data);
637 }
638 else
639 {
640 gnutls_assert ();
641 return _gnutls_asn2err (result);
642 }
643
644
645 return 0;
646 }
647
648 /**
649 * gnutls_x509_crq_set_attribute_by_oid:
650 * @crq: should contain a #gnutls_x509_crq_t structure
651 * @oid: holds an Object Identified in (0)-terminated string
652 * @buf: a pointer to a structure that holds the attribute data
653 * @sizeof_buf: holds the size of @buf
654 *
655 * This function will set the attribute in the certificate request
656 * specified by the given Object ID. The attribute must be be DER
657 * encoded.
658 *
659 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
660 * negative error value.
661 **/
662 int
663 gnutls_x509_crq_set_attribute_by_oid (gnutls_x509_crq_t crq,
664 const char *oid, void *buf,
665 size_t sizeof_buf)
666 {
667 gnutls_datum_t data;
668
669 data.data = buf;
670 data.size = sizeof_buf;
671
672 if (crq == NULL)
673 {
674 gnutls_assert ();
675 return GNUTLS_E_INVALID_REQUEST;
676 }
677
678 return set_attribute (crq->crq, "certificationRequestInfo.attributes",
679 oid, &data);
680 }
681
682 /**
683 * gnutls_x509_crq_get_attribute_by_oid:
684 * @crq: should contain a #gnutls_x509_crq_t structure
685 * @oid: holds an Object Identified in (0)-terminated string
686 * @indx: In case multiple same OIDs exist in the attribute list, this
687 * specifies which to send, use (0) to get the first one
688 * @buf: a pointer to a structure to hold the attribute data (may be %NULL)
689 * @sizeof_buf: initially holds the size of @buf
690 *
691 * This function will return the attribute in the certificate request
692 * specified by the given Object ID. The attribute will be DER
693 * encoded.
694 *
695 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
696 * negative error value.
697 **/
698 int
699 gnutls_x509_crq_get_attribute_by_oid (gnutls_x509_crq_t crq,
700 const char *oid, int indx, void *buf,
701 size_t * sizeof_buf)
702 {
703 if (crq == NULL)
704 {
705 gnutls_assert ();
706 return GNUTLS_E_INVALID_REQUEST;
707 }
708
709 return parse_attribute (crq->crq, "certificationRequestInfo.attributes",
710 oid, indx, 1, buf, sizeof_buf);
711 }
712
713 /**
714 * gnutls_x509_crq_set_dn_by_oid:
715 * @crq: should contain a #gnutls_x509_crq_t structure
716 * @oid: holds an Object Identifier in a (0)-terminated string
717 * @raw_flag: must be 0, or 1 if the data are DER encoded
718 * @data: a pointer to the input data
719 * @sizeof_data: holds the size of @data
720 *
721 * This function will set the part of the name of the Certificate
722 * request subject, specified by the given OID. The input string
723 * should be ASCII or UTF-8 encoded.
724 *
725 * Some helper macros with popular OIDs can be found in gnutls/x509.h
726 * With this function you can only set the known OIDs. You can test
727 * for known OIDs using gnutls_x509_dn_oid_known(). For OIDs that are
728 * not known (by gnutls) you should properly DER encode your data, and
729 * call this function with raw_flag set.
730 *
731 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
732 * negative error value.
733 **/
734 int
735 gnutls_x509_crq_set_dn_by_oid (gnutls_x509_crq_t crq, const char *oid,
736 unsigned int raw_flag, const void *data,
737 unsigned int sizeof_data)
738 {
739 if (sizeof_data == 0 || data == NULL || crq == NULL)
740 {
741 return GNUTLS_E_INVALID_REQUEST;
742 }
743
744 return _gnutls_x509_set_dn_oid (crq->crq,
745 "certificationRequestInfo.subject", oid,
746 raw_flag, data, sizeof_data);
747 }
748
749 /**
750 * gnutls_x509_crq_set_version:
751 * @crq: should contain a #gnutls_x509_crq_t structure
752 * @version: holds the version number, for v1 Requests must be 1
753 *
754 * This function will set the version of the certificate request. For
755 * version 1 requests this must be one.
756 *
757 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
758 * negative error value.
759 **/
760 int
761 gnutls_x509_crq_set_version (gnutls_x509_crq_t crq, unsigned int version)
762 {
763 int result;
764 unsigned char null = version;
765
766 if (crq == NULL)
767 {
768 gnutls_assert ();
769 return GNUTLS_E_INVALID_REQUEST;
770 }
771
772 if (null > 0)
773 null--;
774
775 result =
776 asn1_write_value (crq->crq, "certificationRequestInfo.version", &null, 1);
777 if (result != ASN1_SUCCESS)
778 {
779 gnutls_assert ();
780 return _gnutls_asn2err (result);
781 }
782
783 return 0;
784 }
785
786 /**
787 * gnutls_x509_crq_get_version:
788 * @crq: should contain a #gnutls_x509_crq_t structure
789 *
790 * This function will return the version of the specified Certificate
791 * request.
792 *
793 * Returns: version of certificate request, or a negative error code on
794 * error.
795 **/
796 int
797 gnutls_x509_crq_get_version (gnutls_x509_crq_t crq)
798 {
799 uint8_t version[8];
800 int len, result;
801
802 if (crq == NULL)
803 {
804 gnutls_assert ();
805 return GNUTLS_E_INVALID_REQUEST;
806 }
807
808 len = sizeof (version);
809 if ((result =
810 asn1_read_value (crq->crq, "certificationRequestInfo.version",
811 version, &len)) != ASN1_SUCCESS)
812 {
813
814 if (result == ASN1_ELEMENT_NOT_FOUND)
815 return 1; /* the DEFAULT version */
816 gnutls_assert ();
817 return _gnutls_asn2err (result);
818 }
819
820 return (int) version[0] + 1;
821 }
822
823 /**
824 * gnutls_x509_crq_set_key:
825 * @crq: should contain a #gnutls_x509_crq_t structure
826 * @key: holds a private key
827 *
828 * This function will set the public parameters from the given private
829 * key to the request.
830 *
831 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
832 * negative error value.
833 **/
834 int
835 gnutls_x509_crq_set_key (gnutls_x509_crq_t crq, gnutls_x509_privkey_t key)
836 {
837 int result;
838
839 if (crq == NULL)
840 {
841 gnutls_assert ();
842 return GNUTLS_E_INVALID_REQUEST;
843 }
844
845 result = _gnutls_x509_encode_and_copy_PKI_params
846 (crq->crq,
847 "certificationRequestInfo.subjectPKInfo",
848 key->pk_algorithm, &key->params);
849
850 if (result < 0)
851 {
852 gnutls_assert ();
853 return result;
854 }
855
856 return 0;
857 }
858
859 /**
860 * gnutls_x509_crq_get_key_rsa_raw:
861 * @crq: Holds the certificate
862 * @m: will hold the modulus
863 * @e: will hold the public exponent
864 *
865 * This function will export the RSA public key's parameters found in
866 * the given structure. The new parameters will be allocated using
867 * gnutls_malloc() and will be stored in the appropriate datum.
868 *
869 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
870 * negative error value.
871 *
872 * Since: 2.8.0
873 **/
874 int
875 gnutls_x509_crq_get_key_rsa_raw (gnutls_x509_crq_t crq,
876 gnutls_datum_t * m, gnutls_datum_t * e)
877 {
878 int ret;
879 gnutls_pk_params_st params;
880
881 gnutls_pk_params_init(&params);
882
883 if (crq == NULL)
884 {
885 gnutls_assert ();
886 return GNUTLS_E_INVALID_REQUEST;
887 }
888
889 ret = gnutls_x509_crq_get_pk_algorithm (crq, NULL);
890 if (ret != GNUTLS_PK_RSA)
891 {
892 gnutls_assert ();
893 return GNUTLS_E_INVALID_REQUEST;
894 }
895
896 ret = _gnutls_x509_crq_get_mpis (crq, &params);
897 if (ret < 0)
898 {
899 gnutls_assert ();
900 return ret;
901 }
902
903 ret = _gnutls_mpi_dprint (params.params[0], m);
904 if (ret < 0)
905 {
906 gnutls_assert ();
907 goto cleanup;
908 }
909
910 ret = _gnutls_mpi_dprint (params.params[1], e);
911 if (ret < 0)
912 {
913 gnutls_assert ();
914 _gnutls_free_datum (m);
915 goto cleanup;
916 }
917
918 ret = 0;
919
920 cleanup:
921 gnutls_pk_params_release(&params);
922 return ret;
923 }
924
925 /**
926 * gnutls_x509_crq_set_key_rsa_raw:
927 * @crq: should contain a #gnutls_x509_crq_t structure
928 * @m: holds the modulus
929 * @e: holds the public exponent
930 *
931 * This function will set the public parameters from the given private
932 * key to the request. Only RSA keys are currently supported.
933 *
934 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
935 * negative error value.
936 *
937 * Since: 2.6.0
938 **/
939 int
940 gnutls_x509_crq_set_key_rsa_raw (gnutls_x509_crq_t crq,
941 const gnutls_datum_t * m,
942 const gnutls_datum_t * e)
943 {
944 int result, ret;
945 size_t siz = 0;
946 gnutls_pk_params_st temp_params;
947
948 gnutls_pk_params_init(&temp_params);
949
950 if (crq == NULL)
951 {
952 gnutls_assert ();
953 return GNUTLS_E_INVALID_REQUEST;
954 }
955
956 memset (&temp_params, 0, sizeof (temp_params));
957
958 siz = m->size;
959 if (_gnutls_mpi_scan_nz (&temp_params.params[0], m->data, siz))
960 {
961 gnutls_assert ();
962 ret = GNUTLS_E_MPI_SCAN_FAILED;
963 goto error;
964 }
965
966 siz = e->size;
967 if (_gnutls_mpi_scan_nz (&temp_params.params[1], e->data, siz))
968 {
969 gnutls_assert ();
970 ret = GNUTLS_E_MPI_SCAN_FAILED;
971 goto error;
972 }
973
974 temp_params.params_nr = RSA_PUBLIC_PARAMS;
975
976 result = _gnutls_x509_encode_and_copy_PKI_params
977 (crq->crq,
978 "certificationRequestInfo.subjectPKInfo",
979 GNUTLS_PK_RSA, &temp_params);
980
981 if (result < 0)
982 {
983 gnutls_assert ();
984 ret = result;
985 goto error;
986 }
987
988 ret = 0;
989
990 error:
991 gnutls_pk_params_release(&temp_params);
992 return ret;
993 }
994
995 /**
996 * gnutls_x509_crq_set_challenge_password:
997 * @crq: should contain a #gnutls_x509_crq_t structure
998 * @pass: holds a (0)-terminated password
999 *
1000 * This function will set a challenge password to be used when
1001 * revoking the request.
1002 *
1003 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
1004 * negative error value.
1005 **/
1006 int
1007 gnutls_x509_crq_set_challenge_password (gnutls_x509_crq_t crq,
1008 const char *pass)
1009 {
1010 int result;
1011
1012 if (crq == NULL)
1013 {
1014 gnutls_assert ();
1015 return GNUTLS_E_INVALID_REQUEST;
1016 }
1017
1018 /* Add the attribute.
1019 */
1020 result = asn1_write_value (crq->crq, "certificationRequestInfo.attributes",
1021 "NEW", 1);
1022 if (result != ASN1_SUCCESS)
1023 {
1024 gnutls_assert ();
1025 return _gnutls_asn2err (result);
1026 }
1027
1028 result = _gnutls_x509_encode_and_write_attribute
1029 ("1.2.840.113549.1.9.7", crq->crq,
1030 "certificationRequestInfo.attributes.?LAST", pass, strlen (pass), 1);
1031 if (result < 0)
1032 {
1033 gnutls_assert ();
1034 return result;
1035 }
1036
1037 return 0;
1038 }
1039
1040 /**
1041 * gnutls_x509_crq_sign2:
1042 * @crq: should contain a #gnutls_x509_crq_t structure
1043 * @key: holds a private key
1044 * @dig: The message digest to use, i.e., %GNUTLS_DIG_SHA1
1045 * @flags: must be 0
1046 *
1047 * This function will sign the certificate request with a private key.
1048 * This must be the same key as the one used in
1049 * gnutls_x509_crt_set_key() since a certificate request is self
1050 * signed.
1051 *
1052 * This must be the last step in a certificate request generation
1053 * since all the previously set parameters are now signed.
1054 *
1055 * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
1056 * %GNUTLS_E_ASN1_VALUE_NOT_FOUND is returned if you didn't set all
1057 * information in the certificate request (e.g., the version using
1058 * gnutls_x509_crq_set_version()).
1059 *
1060 **/
1061 int
1062 gnutls_x509_crq_sign2 (gnutls_x509_crq_t crq, gnutls_x509_privkey_t key,
1063 gnutls_digest_algorithm_t dig, unsigned int flags)
1064 {
1065 int result;
1066 gnutls_privkey_t privkey;
1067
1068 if (crq == NULL)
1069 {
1070 gnutls_assert ();
1071 return GNUTLS_E_INVALID_REQUEST;
1072 }
1073
1074 result = gnutls_privkey_init (&privkey);
1075 if (result < 0)
1076 {
1077 gnutls_assert ();
1078 return result;
1079 }
1080
1081 result = gnutls_privkey_import_x509 (privkey, key, 0);
1082 if (result < 0)
1083 {
1084 gnutls_assert ();
1085 goto fail;
1086 }
1087
1088 result = gnutls_x509_crq_privkey_sign (crq, privkey, dig, flags);
1089 if (result < 0)
1090 {
1091 gnutls_assert ();
1092 goto fail;
1093 }
1094
1095 result = 0;
1096
1097 fail:
1098 gnutls_privkey_deinit (privkey);
1099
1100 return result;
1101 }
1102
1103 /**
1104 * gnutls_x509_crq_sign:
1105 * @crq: should contain a #gnutls_x509_crq_t structure
1106 * @key: holds a private key
1107 *
1108 * This function is the same a gnutls_x509_crq_sign2() with no flags,
1109 * and SHA1 as the hash algorithm.
1110 *
1111 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
1112 * negative error value.
1113 *
1114 * Deprecated: Use gnutls_x509_crq_privkey_sign() instead.
1115 */
1116 int
1117 gnutls_x509_crq_sign (gnutls_x509_crq_t crq, gnutls_x509_privkey_t key)
1118 {
1119 return gnutls_x509_crq_sign2 (crq, key, GNUTLS_DIG_SHA1, 0);
1120 }
1121
1122 /**
1123 * gnutls_x509_crq_export:
1124 * @crq: should contain a #gnutls_x509_crq_t structure
1125 * @format: the format of output params. One of PEM or DER.
1126 * @output_data: will contain a certificate request PEM or DER encoded
1127 * @output_data_size: holds the size of output_data (and will be
1128 * replaced by the actual size of parameters)
1129 *
1130 * This function will export the certificate request to a PEM or DER
1131 * encoded PKCS10 structure.
1132 *
1133 * If the buffer provided is not long enough to hold the output, then
1134 * %GNUTLS_E_SHORT_MEMORY_BUFFER will be returned and
1135 * *@output_data_size will be updated.
1136 *
1137 * If the structure is PEM encoded, it will have a header of "BEGIN
1138 * NEW CERTIFICATE REQUEST".
1139 *
1140 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
1141 * negative error value.
1142 **/
1143 int
1144 gnutls_x509_crq_export (gnutls_x509_crq_t crq,
1145 gnutls_x509_crt_fmt_t format, void *output_data,
1146 size_t * output_data_size)
1147 {
1148 if (crq == NULL)
1149 {
1150 gnutls_assert ();
1151 return GNUTLS_E_INVALID_REQUEST;
1152 }
1153
1154 return _gnutls_x509_export_int (crq->crq, format, PEM_CRQ,
1155 output_data, output_data_size);
1156 }
1157
1158 /**
1159 * gnutls_x509_crq_export2:
1160 * @crq: should contain a #gnutls_x509_crq_t structure
1161 * @format: the format of output params. One of PEM or DER.
1162 * @out: will contain a certificate request PEM or DER encoded
1163 *
1164 * This function will export the certificate request to a PEM or DER
1165 * encoded PKCS10 structure.
1166 *
1167 * The output buffer is allocated using gnutls_malloc().
1168 *
1169 * If the structure is PEM encoded, it will have a header of "BEGIN
1170 * NEW CERTIFICATE REQUEST".
1171 *
1172 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
1173 * negative error value.
1174 *
1175 * Since 3.1.3
1176 **/
1177 int
1178 gnutls_x509_crq_export2 (gnutls_x509_crq_t crq,
1179 gnutls_x509_crt_fmt_t format, gnutls_datum_t *out)
1180 {
1181 if (crq == NULL)
1182 {
1183 gnutls_assert ();
1184 return GNUTLS_E_INVALID_REQUEST;
1185 }
1186
1187 return _gnutls_x509_export_int2 (crq->crq, format, PEM_CRQ, out);
1188 }
1189
1190 /**
1191 * gnutls_x509_crq_get_pk_algorithm:
1192 * @crq: should contain a #gnutls_x509_crq_t structure
1193 * @bits: if bits is non-%NULL it will hold the size of the parameters' in bits
1194 *
1195 * This function will return the public key algorithm of a PKCS#10
1196 * certificate request.
1197 *
1198 * If bits is non-%NULL, it should have enough size to hold the
1199 * parameters size in bits. For RSA the bits returned is the modulus.
1200 * For DSA the bits returned are of the public exponent.
1201 *
1202 * Returns: a member of the #gnutls_pk_algorithm_t enumeration on
1203 * success, or a negative error code on error.
1204 **/
1205 int
1206 gnutls_x509_crq_get_pk_algorithm (gnutls_x509_crq_t crq, unsigned int *bits)
1207 {
1208 int result;
1209
1210 if (crq == NULL)
1211 {
1212 gnutls_assert ();
1213 return GNUTLS_E_INVALID_REQUEST;
1214 }
1215
1216 result = _gnutls_x509_get_pk_algorithm
1217 (crq->crq, "certificationRequestInfo.subjectPKInfo", bits);
1218 if (result < 0)
1219 {
1220 gnutls_assert ();
1221 }
1222
1223 return result;
1224 }
1225
1226 /**
1227 * gnutls_x509_crq_get_attribute_info:
1228 * @crq: should contain a #gnutls_x509_crq_t structure
1229 * @indx: Specifies which attribute OID to send. Use (0) to get the first one.
1230 * @oid: a pointer to a structure to hold the OID
1231 * @sizeof_oid: initially holds the maximum size of @oid, on return
1232 * holds actual size of @oid.
1233 *
1234 * This function will return the requested attribute OID in the
1235 * certificate, and the critical flag for it. The attribute OID will
1236 * be stored as a string in the provided buffer. Use
1237 * gnutls_x509_crq_get_attribute_data() to extract the data.
1238 *
1239 * If the buffer provided is not long enough to hold the output, then
1240 * *@sizeof_oid is updated and %GNUTLS_E_SHORT_MEMORY_BUFFER will be
1241 * returned.
1242 *
1243 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
1244 * negative error code in case of an error. If your have reached the
1245 * last extension available %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
1246 * will be returned.
1247 *
1248 * Since: 2.8.0
1249 **/
1250 int
1251 gnutls_x509_crq_get_attribute_info (gnutls_x509_crq_t crq, int indx,
1252 void *oid, size_t * sizeof_oid)
1253 {
1254 int result;
1255 char name[ASN1_MAX_NAME_SIZE];
1256 int len;
1257
1258 if (!crq)
1259 {
1260 gnutls_assert ();
1261 return GNUTLS_E_INVALID_REQUEST;
1262 }
1263
1264 snprintf (name, sizeof (name),
1265 "certificationRequestInfo.attributes.?%u.type", indx + 1);
1266
1267 len = *sizeof_oid;
1268 result = asn1_read_value (crq->crq, name, oid, &len);
1269 *sizeof_oid = len;
1270
1271 if (result == ASN1_ELEMENT_NOT_FOUND)
1272 return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
1273 else if (result < 0)
1274 {
1275 gnutls_assert ();
1276 return _gnutls_asn2err (result);
1277 }
1278
1279 return 0;
1280
1281 }
1282
1283 /**
1284 * gnutls_x509_crq_get_attribute_data:
1285 * @crq: should contain a #gnutls_x509_crq_t structure
1286 * @indx: Specifies which attribute OID to send. Use (0) to get the first one.
1287 * @data: a pointer to a structure to hold the data (may be null)
1288 * @sizeof_data: initially holds the size of @oid
1289 *
1290 * This function will return the requested attribute data in the
1291 * certificate request. The attribute data will be stored as a string in the
1292 * provided buffer.
1293 *
1294 * Use gnutls_x509_crq_get_attribute_info() to extract the OID.
1295 * Use gnutls_x509_crq_get_attribute_by_oid() instead,
1296 * if you want to get data indexed by the attribute OID rather than
1297 * sequence.
1298 *
1299 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
1300 * negative error code in case of an error. If your have reached the
1301 * last extension available %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
1302 * will be returned.
1303 *
1304 * Since: 2.8.0
1305 **/
1306 int
1307 gnutls_x509_crq_get_attribute_data (gnutls_x509_crq_t crq, int indx,
1308 void *data, size_t * sizeof_data)
1309 {
1310 int result, len;
1311 char name[ASN1_MAX_NAME_SIZE];
1312
1313 if (!crq)
1314 {
1315 gnutls_assert ();
1316 return GNUTLS_E_INVALID_REQUEST;
1317 }
1318
1319 snprintf (name, sizeof (name),
1320 "certificationRequestInfo.attributes.?%u.values.?1", indx + 1);
1321
1322 len = *sizeof_data;
1323 result = asn1_read_value (crq->crq, name, data, &len);
1324 *sizeof_data = len;
1325
1326 if (result == ASN1_ELEMENT_NOT_FOUND)
1327 return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
1328 else if (result < 0)
1329 {
1330 gnutls_assert ();
1331 return _gnutls_asn2err (result);
1332 }
1333
1334 return 0;
1335 }
1336
1337 /**
1338 * gnutls_x509_crq_get_extension_info:
1339 * @crq: should contain a #gnutls_x509_crq_t structure
1340 * @indx: Specifies which extension OID to send. Use (0) to get the first one.
1341 * @oid: a pointer to a structure to hold the OID
1342 * @sizeof_oid: initially holds the maximum size of @oid, on return
1343 * holds actual size of @oid.
1344 * @critical: output variable with critical flag, may be NULL.
1345 *
1346 * This function will return the requested extension OID in the
1347 * certificate, and the critical flag for it. The extension OID will
1348 * be stored as a string in the provided buffer. Use
1349 * gnutls_x509_crq_get_extension_data() to extract the data.
1350 *
1351 * If the buffer provided is not long enough to hold the output, then
1352 * *@sizeof_oid is updated and %GNUTLS_E_SHORT_MEMORY_BUFFER will be
1353 * returned.
1354 *
1355 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
1356 * negative error code in case of an error. If your have reached the
1357 * last extension available %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
1358 * will be returned.
1359 *
1360 * Since: 2.8.0
1361 **/
1362 int
1363 gnutls_x509_crq_get_extension_info (gnutls_x509_crq_t crq, int indx,
1364 void *oid, size_t * sizeof_oid,
1365 unsigned int *critical)
1366 {
1367 int result;
1368 char str_critical[10];
1369 char name[ASN1_MAX_NAME_SIZE];
1370 char *extensions = NULL;
1371 size_t extensions_size = 0;
1372 ASN1_TYPE c2;
1373 int len;
1374
1375 if (!crq)
1376 {
1377 gnutls_assert ();
1378 return GNUTLS_E_INVALID_REQUEST;
1379 }
1380
1381 /* read extensionRequest */
1382 result = gnutls_x509_crq_get_attribute_by_oid (crq, "1.2.840.113549.1.9.14",
1383 0, NULL, &extensions_size);
1384 if (result == GNUTLS_E_SHORT_MEMORY_BUFFER)
1385 {
1386 extensions = gnutls_malloc (extensions_size);
1387 if (extensions == NULL)
1388 {
1389 gnutls_assert ();
1390 return GNUTLS_E_MEMORY_ERROR;
1391 }
1392
1393 result = gnutls_x509_crq_get_attribute_by_oid (crq,
1394 "1.2.840.113549.1.9.14",
1395 0, extensions,
1396 &extensions_size);
1397 }
1398 if (result < 0)
1399 {
1400 gnutls_assert ();
1401 goto out;
1402 }
1403
1404 result = asn1_create_element (_gnutls_get_pkix (), "PKIX1.Extensions", &c2);
1405 if (result != ASN1_SUCCESS)
1406 {
1407 gnutls_assert ();
1408 result = _gnutls_asn2err (result);
1409 goto out;
1410 }
1411
1412 result = asn1_der_decoding (&c2, extensions, extensions_size, NULL);
1413 if (result != ASN1_SUCCESS)
1414 {
1415 gnutls_assert ();
1416 asn1_delete_structure (&c2);
1417 result = _gnutls_asn2err (result);
1418 goto out;
1419 }
1420
1421 snprintf (name, sizeof (name), "?%u.extnID", indx + 1);
1422
1423 len = *sizeof_oid;
1424 result = asn1_read_value (c2, name, oid, &len);
1425 *sizeof_oid = len;
1426
1427 if (result == ASN1_ELEMENT_NOT_FOUND)
1428 {
1429 asn1_delete_structure (&c2);
1430 result = GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
1431 goto out;
1432 }
1433 else if (result < 0)
1434 {
1435 gnutls_assert ();
1436 asn1_delete_structure (&c2);
1437 result = _gnutls_asn2err (result);
1438 goto out;
1439 }
1440
1441 snprintf (name, sizeof (name), "?%u.critical", indx + 1);
1442 len = sizeof (str_critical);
1443 result = asn1_read_value (c2, name, str_critical, &len);
1444
1445 asn1_delete_structure (&c2);
1446
1447 if (result < 0)
1448 {
1449 gnutls_assert ();
1450 result = _gnutls_asn2err (result);
1451 goto out;
1452 }
1453
1454 if (critical)
1455 {
1456 if (str_critical[0] == 'T')
1457 *critical = 1;
1458 else
1459 *critical = 0;
1460 }
1461
1462 result = 0;
1463
1464 out:
1465 gnutls_free (extensions);
1466 return result;
1467 }
1468
1469 /**
1470 * gnutls_x509_crq_get_extension_data:
1471 * @crq: should contain a #gnutls_x509_crq_t structure
1472 * @indx: Specifies which extension OID to send. Use (0) to get the first one.
1473 * @data: a pointer to a structure to hold the data (may be null)
1474 * @sizeof_data: initially holds the size of @oid
1475 *
1476 * This function will return the requested extension data in the
1477 * certificate. The extension data will be stored as a string in the
1478 * provided buffer.
1479 *
1480 * Use gnutls_x509_crq_get_extension_info() to extract the OID and
1481 * critical flag. Use gnutls_x509_crq_get_extension_by_oid() instead,
1482 * if you want to get data indexed by the extension OID rather than
1483 * sequence.
1484 *
1485 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
1486 * negative error code in case of an error. If your have reached the
1487 * last extension available %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
1488 * will be returned.
1489 *
1490 * Since: 2.8.0
1491 **/
1492 int
1493 gnutls_x509_crq_get_extension_data (gnutls_x509_crq_t crq, int indx,
1494 void *data, size_t * sizeof_data)
1495 {
1496 int result, len;
1497 char name[ASN1_MAX_NAME_SIZE];
1498 unsigned char *extensions;
1499 size_t extensions_size = 0;
1500 ASN1_TYPE c2;
1501
1502 if (!crq)
1503 {
1504 gnutls_assert ();
1505 return GNUTLS_E_INVALID_REQUEST;
1506 }
1507
1508 /* read extensionRequest */
1509 result = gnutls_x509_crq_get_attribute_by_oid (crq, "1.2.840.113549.1.9.14",
1510 0, NULL, &extensions_size);
1511 if (result != GNUTLS_E_SHORT_MEMORY_BUFFER)
1512 {
1513 gnutls_assert ();
1514 if (result == 0)
1515 return GNUTLS_E_INTERNAL_ERROR;
1516 return result;
1517 }
1518
1519 extensions = gnutls_malloc (extensions_size);
1520 if (extensions == NULL)
1521 {
1522 gnutls_assert ();
1523 return GNUTLS_E_MEMORY_ERROR;
1524 }
1525
1526 result = gnutls_x509_crq_get_attribute_by_oid (crq, "1.2.840.113549.1.9.14",
1527 0, extensions,
1528 &extensions_size);
1529 if (result < 0)
1530 {
1531 gnutls_assert ();
1532 return result;
1533 }
1534
1535 result = asn1_create_element (_gnutls_get_pkix (), "PKIX1.Extensions", &c2);
1536 if (result != ASN1_SUCCESS)
1537 {
1538 gnutls_assert ();
1539 gnutls_free (extensions);
1540 return _gnutls_asn2err (result);
1541 }
1542
1543 result = asn1_der_decoding (&c2, extensions, extensions_size, NULL);
1544 gnutls_free (extensions);
1545 if (result != ASN1_SUCCESS)
1546 {
1547 gnutls_assert ();
1548 asn1_delete_structure (&c2);
1549 return _gnutls_asn2err (result);
1550 }
1551
1552 snprintf (name, sizeof (name), "?%u.extnValue", indx + 1);
1553
1554 len = *sizeof_data;
1555 result = asn1_read_value (c2, name, data, &len);
1556 *sizeof_data = len;
1557
1558 asn1_delete_structure (&c2);
1559
1560 if (result == ASN1_ELEMENT_NOT_FOUND)
1561 return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
1562 else if (result < 0)
1563 {
1564 gnutls_assert ();
1565 return _gnutls_asn2err (result);
1566 }
1567
1568 return 0;
1569 }
1570
1571 /**
1572 * gnutls_x509_crq_get_key_usage:
1573 * @crq: should contain a #gnutls_x509_crq_t structure
1574 * @key_usage: where the key usage bits will be stored
1575 * @critical: will be non-zero if the extension is marked as critical
1576 *
1577 * This function will return certificate's key usage, by reading the
1578 * keyUsage X.509 extension (2.5.29.15). The key usage value will
1579 * ORed values of the: %GNUTLS_KEY_DIGITAL_SIGNATURE,
1580 * %GNUTLS_KEY_NON_REPUDIATION, %GNUTLS_KEY_KEY_ENCIPHERMENT,
1581 * %GNUTLS_KEY_DATA_ENCIPHERMENT, %GNUTLS_KEY_KEY_AGREEMENT,
1582 * %GNUTLS_KEY_KEY_CERT_SIGN, %GNUTLS_KEY_CRL_SIGN,
1583 * %GNUTLS_KEY_ENCIPHER_ONLY, %GNUTLS_KEY_DECIPHER_ONLY.
1584 *
1585 * Returns: the certificate key usage, or a negative error code in case of
1586 * parsing error. If the certificate does not contain the keyUsage
1587 * extension %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be
1588 * returned.
1589 *
1590 * Since: 2.8.0
1591 **/
1592 int
1593 gnutls_x509_crq_get_key_usage (gnutls_x509_crq_t crq,
1594 unsigned int *key_usage,
1595 unsigned int *critical)
1596 {
1597 int result;
1598 uint16_t _usage;
1599 uint8_t buf[128];
1600 size_t buf_size = sizeof (buf);
1601
1602 if (crq == NULL)
1603 {
1604 gnutls_assert ();
1605 return GNUTLS_E_INVALID_REQUEST;
1606 }
1607
1608 result = gnutls_x509_crq_get_extension_by_oid (crq, "2.5.29.15", 0,
1609 buf, &buf_size, critical);
1610 if (result < 0)
1611 {
1612 gnutls_assert ();
1613 return result;
1614 }
1615
1616 result = _gnutls_x509_ext_extract_keyUsage (&_usage, buf, buf_size);
1617
1618 *key_usage = _usage;
1619
1620 if (result < 0)
1621 {
1622 gnutls_assert ();
1623 return result;
1624 }
1625
1626 return 0;
1627 }
1628
1629 /**
1630 * gnutls_x509_crq_get_basic_constraints:
1631 * @crq: should contain a #gnutls_x509_crq_t structure
1632 * @critical: will be non-zero if the extension is marked as critical
1633 * @ca: pointer to output integer indicating CA status, may be NULL,
1634 * value is 1 if the certificate CA flag is set, 0 otherwise.
1635 * @pathlen: pointer to output integer indicating path length (may be
1636 * NULL), non-negative error codes indicate a present pathLenConstraint
1637 * field and the actual value, -1 indicate that the field is absent.
1638 *
1639 * This function will read the certificate's basic constraints, and
1640 * return the certificates CA status. It reads the basicConstraints
1641 * X.509 extension (2.5.29.19).
1642 *
1643 * Returns: If the certificate is a CA a positive value will be
1644 * returned, or (0) if the certificate does not have CA flag set.
1645 * A negative error code may be returned in case of errors. If the
1646 * certificate does not contain the basicConstraints extension
1647 * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.
1648 *
1649 * Since: 2.8.0
1650 **/
1651 int
1652 gnutls_x509_crq_get_basic_constraints (gnutls_x509_crq_t crq,
1653 unsigned int *critical,
1654 unsigned int *ca, int *pathlen)
1655 {
1656 int result;
1657 unsigned int tmp_ca;
1658 uint8_t buf[256];
1659 size_t buf_size = sizeof (buf);
1660
1661 if (crq == NULL)
1662 {
1663 gnutls_assert ();
1664 return GNUTLS_E_INVALID_REQUEST;
1665 }
1666
1667 result = gnutls_x509_crq_get_extension_by_oid (crq, "2.5.29.19", 0,
1668 buf, &buf_size, critical);
1669 if (result < 0)
1670 {
1671 gnutls_assert ();
1672 return result;
1673 }
1674
1675 result =
1676 _gnutls_x509_ext_extract_basicConstraints (&tmp_ca,
1677 pathlen, buf, buf_size);
1678 if (ca)
1679 *ca = tmp_ca;
1680
1681 if (result < 0)
1682 {
1683 gnutls_assert ();
1684 return result;
1685 }
1686
1687 return tmp_ca;
1688 }
1689
1690 static int
1691 get_subject_alt_name (gnutls_x509_crq_t crq,
1692 unsigned int seq, void *ret,
1693 size_t * ret_size, unsigned int *ret_type,
1694 unsigned int *critical, int othername_oid)
1695 {
1696 int result;
1697 ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
1698 gnutls_x509_subject_alt_name_t type;
1699 gnutls_datum_t dnsname = { NULL, 0 };
1700 size_t dns_size = 0;
1701
1702 if (crq == NULL)
1703 {
1704 gnutls_assert ();
1705 return GNUTLS_E_INVALID_REQUEST;
1706 }
1707
1708 if (ret)
1709 memset (ret, 0, *ret_size);
1710 else
1711 *ret_size = 0;
1712
1713 /* Extract extension.
1714 */
1715 result = gnutls_x509_crq_get_extension_by_oid (crq, "2.5.29.17", 0,
1716 NULL, &dns_size, critical);
1717 if (result < 0)
1718 {
1719 gnutls_assert ();
1720 return result;
1721 }
1722
1723 dnsname.size = dns_size;
1724 dnsname.data = gnutls_malloc (dnsname.size);
1725 if (dnsname.data == NULL)
1726 {
1727 gnutls_assert ();
1728 return GNUTLS_E_MEMORY_ERROR;
1729 }
1730
1731 result = gnutls_x509_crq_get_extension_by_oid (crq, "2.5.29.17", 0,
1732 dnsname.data, &dns_size,
1733 critical);
1734 if (result < 0)
1735 {
1736 gnutls_assert ();
1737 gnutls_free (dnsname.data);
1738 return result;
1739 }
1740
1741 result = asn1_create_element
1742 (_gnutls_get_pkix (), "PKIX1.SubjectAltName", &c2);
1743 if (result != ASN1_SUCCESS)
1744 {
1745 gnutls_assert ();
1746 gnutls_free (dnsname.data);
1747 return _gnutls_asn2err (result);
1748 }
1749
1750 result = asn1_der_decoding (&c2, dnsname.data, dnsname.size, NULL);
1751 gnutls_free (dnsname.data);
1752 if (result != ASN1_SUCCESS)
1753 {
1754 gnutls_assert ();
1755 asn1_delete_structure (&c2);
1756 return _gnutls_asn2err (result);
1757 }
1758
1759 result = _gnutls_parse_general_name (c2, "", seq, ret, ret_size,
1760 ret_type, othername_oid);
1761 asn1_delete_structure (&c2);
1762 if (result < 0)
1763 {
1764 return result;
1765 }
1766
1767 type = result;
1768
1769 return type;
1770 }
1771
1772 /**
1773 * gnutls_x509_crq_get_subject_alt_name:
1774 * @crq: should contain a #gnutls_x509_crq_t structure
1775 * @seq: specifies the sequence number of the alt name, 0 for the
1776 * first one, 1 for the second etc.
1777 * @ret: is the place where the alternative name will be copied to
1778 * @ret_size: holds the size of ret.
1779 * @ret_type: holds the #gnutls_x509_subject_alt_name_t name type
1780 * @critical: will be non-zero if the extension is marked as critical
1781 * (may be null)
1782 *
1783 * This function will return the alternative names, contained in the
1784 * given certificate. It is the same as
1785 * gnutls_x509_crq_get_subject_alt_name() except for the fact that it
1786 * will return the type of the alternative name in @ret_type even if
1787 * the function fails for some reason (i.e. the buffer provided is
1788 * not enough).
1789 *
1790 * Returns: the alternative subject name type on success, one of the
1791 * enumerated #gnutls_x509_subject_alt_name_t. It will return
1792 * %GNUTLS_E_SHORT_MEMORY_BUFFER if @ret_size is not large enough to
1793 * hold the value. In that case @ret_size will be updated with the
1794 * required size. If the certificate request does not have an
1795 * Alternative name with the specified sequence number then
1796 * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned.
1797 *
1798 * Since: 2.8.0
1799 **/
1800 int
1801 gnutls_x509_crq_get_subject_alt_name (gnutls_x509_crq_t crq,
1802 unsigned int seq, void *ret,
1803 size_t * ret_size,
1804 unsigned int *ret_type,
1805 unsigned int *critical)
1806 {
1807 return get_subject_alt_name (crq, seq, ret, ret_size, ret_type, critical,
1808 0);
1809 }
1810
1811 /**
1812 * gnutls_x509_crq_get_subject_alt_othername_oid:
1813 * @crq: should contain a #gnutls_x509_crq_t structure
1814 * @seq: specifies the sequence number of the alt name (0 for the first one, 1 for the second etc.)
1815 * @ret: is the place where the otherName OID will be copied to
1816 * @ret_size: holds the size of ret.
1817 *
1818 * This function will extract the type OID of an otherName Subject
1819 * Alternative Name, contained in the given certificate, and return
1820 * the type as an enumerated element.
1821 *
1822 * This function is only useful if
1823 * gnutls_x509_crq_get_subject_alt_name() returned
1824 * %GNUTLS_SAN_OTHERNAME.
1825 *
1826 * Returns: the alternative subject name type on success, one of the
1827 * enumerated gnutls_x509_subject_alt_name_t. For supported OIDs,
1828 * it will return one of the virtual (GNUTLS_SAN_OTHERNAME_*) types,
1829 * e.g. %GNUTLS_SAN_OTHERNAME_XMPP, and %GNUTLS_SAN_OTHERNAME for
1830 * unknown OIDs. It will return %GNUTLS_E_SHORT_MEMORY_BUFFER if
1831 * @ret_size is not large enough to hold the value. In that case
1832 * @ret_size will be updated with the required size. If the
1833 * certificate does not have an Alternative name with the specified
1834 * sequence number and with the otherName type then
1835 * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned.
1836 *
1837 * Since: 2.8.0
1838 **/
1839 int
1840 gnutls_x509_crq_get_subject_alt_othername_oid (gnutls_x509_crq_t crq,
1841 unsigned int seq,
1842 void *ret, size_t * ret_size)
1843 {
1844 return get_subject_alt_name (crq, seq, ret, ret_size, NULL, NULL, 1);
1845 }
1846
1847 /**
1848 * gnutls_x509_crq_get_extension_by_oid:
1849 * @crq: should contain a #gnutls_x509_crq_t structure
1850 * @oid: holds an Object Identified in null terminated string
1851 * @indx: In case multiple same OIDs exist in the extensions, this
1852 * specifies which to send. Use (0) to get the first one.
1853 * @buf: a pointer to a structure to hold the name (may be null)
1854 * @sizeof_buf: initially holds the size of @buf
1855 * @critical: will be non-zero if the extension is marked as critical
1856 *
1857 * This function will return the extension specified by the OID in
1858 * the certificate. The extensions will be returned as binary data
1859 * DER encoded, in the provided buffer.
1860 *
1861 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
1862 * negative error code in case of an error. If the certificate does not
1863 * contain the specified extension
1864 * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.
1865 *
1866 * Since: 2.8.0
1867 **/
1868 int
1869 gnutls_x509_crq_get_extension_by_oid (gnutls_x509_crq_t crq,
1870 const char *oid, int indx,
1871 void *buf, size_t * sizeof_buf,
1872 unsigned int *critical)
1873 {
1874 int result;
1875 unsigned int i;
1876 char _oid[MAX_OID_SIZE];
1877 size_t oid_size;
1878
1879 for (i = 0;; i++)
1880 {
1881 oid_size = sizeof (_oid);
1882 result =
1883 gnutls_x509_crq_get_extension_info (crq, i, _oid, &oid_size,
1884 critical);
1885 if (result < 0)
1886 {
1887 gnutls_assert ();
1888 return result;
1889 }
1890
1891 if (strcmp (oid, _oid) == 0)
1892 { /* found */
1893 if (indx == 0)
1894 return gnutls_x509_crq_get_extension_data (crq, i, buf,
1895 sizeof_buf);
1896 else
1897 indx--;
1898 }
1899 }
1900
1901
1902 return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
1903
1904 }
1905
1906 /**
1907 * gnutls_x509_crq_set_subject_alt_name:
1908 * @crq: a certificate request of type #gnutls_x509_crq_t
1909 * @nt: is one of the #gnutls_x509_subject_alt_name_t enumerations
1910 * @data: The data to be set
1911 * @data_size: The size of data to be set
1912 * @flags: %GNUTLS_FSAN_SET to clear previous data or
1913 * %GNUTLS_FSAN_APPEND to append.
1914 *
1915 * This function will set the subject alternative name certificate
1916 * extension. It can set the following types:
1917 *
1918 * %GNUTLS_SAN_DNSNAME: as a text string
1919 *
1920 * %GNUTLS_SAN_RFC822NAME: as a text string
1921 *
1922 * %GNUTLS_SAN_URI: as a text string
1923 *
1924 * %GNUTLS_SAN_IPADDRESS: as a binary IP address (4 or 16 bytes)
1925 *
1926 * Other values can be set as binary values with the proper DER encoding.
1927 *
1928 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
1929 * negative error value.
1930 *
1931 * Since: 2.8.0
1932 **/
1933 int
1934 gnutls_x509_crq_set_subject_alt_name (gnutls_x509_crq_t crq,
1935 gnutls_x509_subject_alt_name_t nt,
1936 const void *data,
1937 unsigned int data_size,
1938 unsigned int flags)
1939 {
1940 int result = 0;
1941 gnutls_datum_t der_data = { NULL, 0 };
1942 gnutls_datum_t prev_der_data = { NULL, 0 };
1943 unsigned int critical = 0;
1944 size_t prev_data_size = 0;
1945
1946 if (crq == NULL)
1947 {
1948 gnutls_assert ();
1949 return GNUTLS_E_INVALID_REQUEST;
1950 }
1951
1952 /* Check if the extension already exists.
1953 */
1954 if (flags == GNUTLS_FSAN_APPEND)
1955 {
1956 result = gnutls_x509_crq_get_extension_by_oid (crq, "2.5.29.17", 0,
1957 NULL, &prev_data_size,
1958 &critical);
1959 prev_der_data.size = prev_data_size;
1960
1961 switch (result)
1962 {
1963 case GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE:
1964 /* Replacing non-existing data means the same as set data. */
1965 break;
1966
1967 case GNUTLS_E_SUCCESS:
1968 prev_der_data.data = gnutls_malloc (prev_der_data.size);
1969 if (prev_der_data.data == NULL)
1970 {
1971 gnutls_assert ();
1972 return GNUTLS_E_MEMORY_ERROR;
1973 }
1974
1975 result = gnutls_x509_crq_get_extension_by_oid (crq, "2.5.29.17", 0,
1976 prev_der_data.data,
1977 &prev_data_size,
1978 &critical);
1979 if (result < 0)
1980 {
1981 gnutls_assert ();
1982 gnutls_free (prev_der_data.data);
1983 return result;
1984 }
1985 break;
1986
1987 default:
1988 gnutls_assert ();
1989 return result;
1990 }
1991 }
1992
1993 /* generate the extension.
1994 */
1995 result = _gnutls_x509_ext_gen_subject_alt_name (nt, data, data_size,
1996 &prev_der_data, &der_data);
1997 gnutls_free (prev_der_data.data);
1998 if (result < 0)
1999 {
2000 gnutls_assert ();
2001 goto finish;
2002 }
2003
2004 result = _gnutls_x509_crq_set_extension (crq, "2.5.29.17", &der_data,
2005 critical);
2006
2007 _gnutls_free_datum (&der_data);
2008
2009 if (result < 0)
2010 {
2011 gnutls_assert ();
2012 return result;
2013 }
2014
2015 return 0;
2016
2017 finish:
2018 return result;
2019 }
2020
2021 /**
2022 * gnutls_x509_crq_set_basic_constraints:
2023 * @crq: a certificate request of type #gnutls_x509_crq_t
2024 * @ca: true(1) or false(0) depending on the Certificate authority status.
2025 * @pathLenConstraint: non-negative error codes indicate maximum length of path,
2026 * and negative error codes indicate that the pathLenConstraints field should
2027 * not be present.
2028 *
2029 * This function will set the basicConstraints certificate extension.
2030 *
2031 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
2032 * negative error value.
2033 *
2034 * Since: 2.8.0
2035 **/
2036 int
2037 gnutls_x509_crq_set_basic_constraints (gnutls_x509_crq_t crq,
2038 unsigned int ca, int pathLenConstraint)
2039 {
2040 int result;
2041 gnutls_datum_t der_data;
2042
2043 if (crq == NULL)
2044 {
2045 gnutls_assert ();
2046 return GNUTLS_E_INVALID_REQUEST;
2047 }
2048
2049 /* generate the extension.
2050 */
2051 result = _gnutls_x509_ext_gen_basicConstraints (ca, pathLenConstraint,
2052 &der_data);
2053 if (result < 0)
2054 {
2055 gnutls_assert ();
2056 return result;
2057 }
2058
2059 result = _gnutls_x509_crq_set_extension (crq, "2.5.29.19", &der_data, 1);
2060
2061 _gnutls_free_datum (&der_data);
2062
2063 if (result < 0)
2064 {
2065 gnutls_assert ();
2066 return result;
2067 }
2068
2069 return 0;
2070 }
2071
2072 /**
2073 * gnutls_x509_crq_set_key_usage:
2074 * @crq: a certificate request of type #gnutls_x509_crq_t
2075 * @usage: an ORed sequence of the GNUTLS_KEY_* elements.
2076 *
2077 * This function will set the keyUsage certificate extension.
2078 *
2079 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
2080 * negative error value.
2081 *
2082 * Since: 2.8.0
2083 **/
2084 int
2085 gnutls_x509_crq_set_key_usage (gnutls_x509_crq_t crq, unsigned int usage)
2086 {
2087 int result;
2088 gnutls_datum_t der_data;
2089
2090 if (crq == NULL)
2091 {
2092 gnutls_assert ();
2093 return GNUTLS_E_INVALID_REQUEST;
2094 }
2095
2096 /* generate the extension.
2097 */
2098 result = _gnutls_x509_ext_gen_keyUsage ((uint16_t) usage, &der_data);
2099 if (result < 0)
2100 {
2101 gnutls_assert ();
2102 return result;
2103 }
2104
2105 result = _gnutls_x509_crq_set_extension (crq, "2.5.29.15", &der_data, 1);
2106
2107 _gnutls_free_datum (&der_data);
2108
2109 if (result < 0)
2110 {
2111 gnutls_assert ();
2112 return result;
2113 }
2114
2115 return 0;
2116 }
2117
2118 /**
2119 * gnutls_x509_crq_get_key_purpose_oid:
2120 * @crq: should contain a #gnutls_x509_crq_t structure
2121 * @indx: This specifies which OID to return, use (0) to get the first one
2122 * @oid: a pointer to a buffer to hold the OID (may be %NULL)
2123 * @sizeof_oid: initially holds the size of @oid
2124 * @critical: output variable with critical flag, may be %NULL.
2125 *
2126 * This function will extract the key purpose OIDs of the Certificate
2127 * specified by the given index. These are stored in the Extended Key
2128 * Usage extension (2.5.29.37). See the GNUTLS_KP_* definitions for
2129 * human readable names.
2130 *
2131 * Returns: %GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is
2132 * not long enough, and in that case the *@sizeof_oid will be
2133 * updated with the required size. On success 0 is returned.
2134 *
2135 * Since: 2.8.0
2136 **/
2137 int
2138 gnutls_x509_crq_get_key_purpose_oid (gnutls_x509_crq_t crq,
2139 int indx, void *oid, size_t * sizeof_oid,
2140 unsigned int *critical)
2141 {
2142 char tmpstr[ASN1_MAX_NAME_SIZE];
2143 int result, len;
2144 gnutls_datum_t prev = { NULL, 0 };
2145 ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
2146 size_t prev_size = 0;
2147
2148 if (oid)
2149 memset (oid, 0, *sizeof_oid);
2150 else
2151 *sizeof_oid = 0;
2152
2153 /* Extract extension.
2154 */
2155 result = gnutls_x509_crq_get_extension_by_oid (crq, "2.5.29.37", 0,
2156 NULL, &prev_size, critical);
2157 prev.size = prev_size;
2158
2159 if (result < 0)
2160 {
2161 gnutls_assert ();
2162 return result;
2163 }
2164
2165 prev.data = gnutls_malloc (prev.size);
2166 if (prev.data == NULL)
2167 {
2168 gnutls_assert ();
2169 return GNUTLS_E_MEMORY_ERROR;
2170 }
2171
2172 result = gnutls_x509_crq_get_extension_by_oid (crq, "2.5.29.37", 0,
2173 prev.data, &prev_size,
2174 critical);
2175 if (result < 0)
2176 {
2177 gnutls_assert ();
2178 gnutls_free (prev.data);
2179 return result;
2180 }
2181
2182 result = asn1_create_element
2183 (_gnutls_get_pkix (), "PKIX1.ExtKeyUsageSyntax", &c2);
2184 if (result != ASN1_SUCCESS)
2185 {
2186 gnutls_assert ();
2187 gnutls_free (prev.data);
2188 return _gnutls_asn2err (result);
2189 }
2190
2191 result = asn1_der_decoding (&c2, prev.data, prev.size, NULL);
2192 gnutls_free (prev.data);
2193 if (result != ASN1_SUCCESS)
2194 {
2195 gnutls_assert ();
2196 asn1_delete_structure (&c2);
2197 return _gnutls_asn2err (result);
2198 }
2199
2200 indx++;
2201 /* create a string like "?1"
2202 */
2203 snprintf (tmpstr, sizeof (tmpstr), "?%u", indx);
2204
2205 len = *sizeof_oid;
2206 result = asn1_read_value (c2, tmpstr, oid, &len);
2207
2208 *sizeof_oid = len;
2209 asn1_delete_structure (&c2);
2210
2211 if (result == ASN1_VALUE_NOT_FOUND || result == ASN1_ELEMENT_NOT_FOUND)
2212 {
2213 return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
2214 }
2215
2216 if (result != ASN1_SUCCESS)
2217 {
2218 if (result != ASN1_MEM_ERROR)
2219 gnutls_assert ();
2220 return _gnutls_asn2err (result);
2221 }
2222
2223 return 0;
2224 }
2225
2226 /**
2227 * gnutls_x509_crq_set_key_purpose_oid:
2228 * @crq: a certificate of type #gnutls_x509_crq_t
2229 * @oid: a pointer to a (0)-terminated string that holds the OID
2230 * @critical: Whether this extension will be critical or not
2231 *
2232 * This function will set the key purpose OIDs of the Certificate.
2233 * These are stored in the Extended Key Usage extension (2.5.29.37)
2234 * See the GNUTLS_KP_* definitions for human readable names.
2235 *
2236 * Subsequent calls to this function will append OIDs to the OID list.
2237 *
2238 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
2239 * negative error value.
2240 *
2241 * Since: 2.8.0
2242 **/
2243 int
2244 gnutls_x509_crq_set_key_purpose_oid (gnutls_x509_crq_t crq,
2245 const void *oid, unsigned int critical)
2246 {
2247 int result;
2248 gnutls_datum_t prev = { NULL, 0 }, der_data;
2249 ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
2250 size_t prev_size = 0;
2251
2252 /* Read existing extension, if there is one.
2253 */
2254 result = gnutls_x509_crq_get_extension_by_oid (crq, "2.5.29.37", 0,
2255 NULL, &prev_size, &critical);
2256 prev.size = prev_size;
2257
2258 switch (result)
2259 {
2260 case GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE:
2261 /* No existing extension, that's fine. */
2262 break;
2263
2264 case GNUTLS_E_SUCCESS:
2265 prev.data = gnutls_malloc (prev.size);
2266 if (prev.data == NULL)
2267 {
2268 gnutls_assert ();
2269 return GNUTLS_E_MEMORY_ERROR;
2270 }
2271
2272 result = gnutls_x509_crq_get_extension_by_oid (crq, "2.5.29.37", 0,
2273 prev.data, &prev_size,
2274 &critical);
2275 if (result < 0)
2276 {
2277 gnutls_assert ();
2278 gnutls_free (prev.data);
2279 return result;
2280 }
2281 break;
2282
2283 default:
2284 gnutls_assert ();
2285 return result;
2286 }
2287
2288 result = asn1_create_element (_gnutls_get_pkix (),
2289 "PKIX1.ExtKeyUsageSyntax", &c2);
2290 if (result != ASN1_SUCCESS)
2291 {
2292 gnutls_assert ();
2293 gnutls_free (prev.data);
2294 return _gnutls_asn2err (result);
2295 }
2296
2297 if (prev.data)
2298 {
2299 /* decode it.
2300 */
2301 result = asn1_der_decoding (&c2, prev.data, prev.size, NULL);
2302 gnutls_free (prev.data);
2303 if (result != ASN1_SUCCESS)
2304 {
2305 gnutls_assert ();
2306 asn1_delete_structure (&c2);
2307 return _gnutls_asn2err (result);
2308 }
2309 }
2310
2311 /* generate the extension.
2312 */
2313 /* 1. create a new element.
2314 */
2315 result = asn1_write_value (c2, "", "NEW", 1);
2316 if (result != ASN1_SUCCESS)
2317 {
2318 gnutls_assert ();
2319 asn1_delete_structure (&c2);
2320 return _gnutls_asn2err (result);
2321 }
2322
2323 /* 2. Add the OID.
2324 */
2325 result = asn1_write_value (c2, "?LAST", oid, 1);
2326 if (result != ASN1_SUCCESS)
2327 {
2328 gnutls_assert ();
2329 asn1_delete_structure (&c2);
2330 return _gnutls_asn2err (result);
2331 }
2332
2333 result = _gnutls_x509_der_encode (c2, "", &der_data, 0);
2334 asn1_delete_structure (&c2);
2335
2336 if (result != ASN1_SUCCESS)
2337 {
2338 gnutls_assert ();
2339 return _gnutls_asn2err (result);
2340 }
2341
2342 result = _gnutls_x509_crq_set_extension (crq, "2.5.29.37",
2343 &der_data, critical);
2344 _gnutls_free_datum (&der_data);
2345 if (result < 0)
2346 {
2347 gnutls_assert ();
2348 return result;
2349 }
2350
2351 return 0;
2352 }
2353
2354 /**
2355 * gnutls_x509_crq_get_key_id:
2356 * @crq: a certificate of type #gnutls_x509_crq_t
2357 * @flags: should be 0 for now
2358 * @output_data: will contain the key ID
2359 * @output_data_size: holds the size of output_data (and will be
2360 * replaced by the actual size of parameters)
2361 *
2362 * This function will return a unique ID that depends on the public key
2363 * parameters. This ID can be used in checking whether a certificate
2364 * corresponds to the given private key.
2365 *
2366 * If the buffer provided is not long enough to hold the output, then
2367 * *@output_data_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will
2368 * be returned. The output will normally be a SHA-1 hash output,
2369 * which is 20 bytes.
2370 *
2371 * Returns: In case of failure a negative error code will be
2372 * returned, and 0 on success.
2373 *
2374 * Since: 2.8.0
2375 **/
2376 int
2377 gnutls_x509_crq_get_key_id (gnutls_x509_crq_t crq, unsigned int flags,
2378 unsigned char *output_data,
2379 size_t * output_data_size)
2380 {
2381 int pk, ret = 0;
2382 gnutls_pk_params_st params;
2383
2384 if (crq == NULL)
2385 {
2386 gnutls_assert ();
2387 return GNUTLS_E_INVALID_REQUEST;
2388 }
2389
2390 pk = gnutls_x509_crq_get_pk_algorithm (crq, NULL);
2391 if (pk < 0)
2392 {
2393 gnutls_assert ();
2394 return pk;
2395 }
2396
2397 ret = _gnutls_x509_crq_get_mpis (crq, &params);
2398 if (ret < 0)
2399 {
2400 gnutls_assert ();
2401 return ret;
2402 }
2403
2404 ret = _gnutls_get_key_id(pk, &params, output_data, output_data_size);
2405
2406 gnutls_pk_params_release(&params);
2407
2408 return ret;
2409 }
2410
2411 /**
2412 * gnutls_x509_crq_privkey_sign:
2413 * @crq: should contain a #gnutls_x509_crq_t structure
2414 * @key: holds a private key
2415 * @dig: The message digest to use, i.e., %GNUTLS_DIG_SHA1
2416 * @flags: must be 0
2417 *
2418 * This function will sign the certificate request with a private key.
2419 * This must be the same key as the one used in
2420 * gnutls_x509_crt_set_key() since a certificate request is self
2421 * signed.
2422 *
2423 * This must be the last step in a certificate request generation
2424 * since all the previously set parameters are now signed.
2425 *
2426 * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
2427 * %GNUTLS_E_ASN1_VALUE_NOT_FOUND is returned if you didn't set all
2428 * information in the certificate request (e.g., the version using
2429 * gnutls_x509_crq_set_version()).
2430 *
2431 * Since: 2.12.0
2432 **/
2433 int
2434 gnutls_x509_crq_privkey_sign (gnutls_x509_crq_t crq, gnutls_privkey_t key,
2435 gnutls_digest_algorithm_t dig,
2436 unsigned int flags)
2437 {
2438 int result;
2439 gnutls_datum_t signature;
2440 gnutls_datum_t tbs;
2441
2442 if (crq == NULL)
2443 {
2444 gnutls_assert ();
2445 return GNUTLS_E_INVALID_REQUEST;
2446 }
2447
2448 /* Make sure version field is set. */
2449 if (gnutls_x509_crq_get_version (crq) == GNUTLS_E_ASN1_VALUE_NOT_FOUND)
2450 {
2451 result = gnutls_x509_crq_set_version (crq, 1);
2452 if (result < 0)
2453 {
2454 gnutls_assert ();
2455 return result;
2456 }
2457 }
2458
2459 /* Step 1. Self sign the request.
2460 */
2461 result = _gnutls_x509_get_tbs (crq->crq, "certificationRequestInfo", &tbs);
2462
2463 if (result < 0)
2464 {
2465 gnutls_assert ();
2466 return result;
2467 }
2468
2469 result = gnutls_privkey_sign_data (key, dig, 0, &tbs, &signature);
2470 gnutls_free (tbs.data);
2471
2472 if (result < 0)
2473 {
2474 gnutls_assert ();
2475 return result;
2476 }
2477
2478 /* Step 2. write the signature (bits)
2479 */
2480 result =
2481 asn1_write_value (crq->crq, "signature", signature.data,
2482 signature.size * 8);
2483
2484 _gnutls_free_datum (&signature);
2485
2486 if (result != ASN1_SUCCESS)
2487 {
2488 gnutls_assert ();
2489 return _gnutls_asn2err (result);
2490 }
2491
2492 /* Step 3. Write the signatureAlgorithm field.
2493 */
2494 result = _gnutls_x509_write_sig_params (crq->crq, "signatureAlgorithm",
2495 gnutls_privkey_get_pk_algorithm
2496 (key, NULL), dig);
2497 if (result < 0)
2498 {
2499 gnutls_assert ();
2500 return result;
2501 }
2502
2503 return 0;
2504 }
2505
2506
2507 /**
2508 * gnutls_x509_crq_verify:
2509 * @crq: is the crq to be verified
2510 * @flags: Flags that may be used to change the verification algorithm. Use OR of the gnutls_certificate_verify_flags enumerations.
2511 *
2512 * This function will verify self signature in the certificate
2513 * request and return its status.
2514 *
2515 * Returns: In case of a verification failure %GNUTLS_E_PK_SIG_VERIFY_FAILED
2516 * is returned, and zero or positive code on success.
2517 *
2518 * Since 2.12.0
2519 **/
2520 int
2521 gnutls_x509_crq_verify (gnutls_x509_crq_t crq,
2522 unsigned int flags)
2523 {
2524 gnutls_datum data = { NULL, 0 };
2525 gnutls_datum signature = { NULL, 0 };
2526 gnutls_pk_params_st params;
2527 gnutls_digest_algorithm_t algo;
2528 int ret;
2529
2530 gnutls_pk_params_init(&params);
2531
2532 ret =
2533 _gnutls_x509_get_signed_data (crq->crq, "certificationRequestInfo", &data);
2534 if (ret < 0)
2535 {
2536 gnutls_assert ();
2537 return ret;
2538 }
2539
2540 ret = _gnutls_x509_get_signature_algorithm(crq->crq, "signatureAlgorithm.algorithm");
2541 if (ret < 0)
2542 {
2543 gnutls_assert ();
2544 goto cleanup;
2545 }
2546
2547 algo = gnutls_sign_get_hash_algorithm(ret);
2548
2549 ret = _gnutls_x509_get_signature (crq->crq, "signature", &signature);
2550 if (ret < 0)
2551 {
2552 gnutls_assert ();
2553 goto cleanup;
2554 }
2555
2556 ret =
2557 _gnutls_x509_crq_get_mpis(crq, &params);
2558 if (ret < 0)
2559 {
2560 gnutls_assert ();
2561 goto cleanup;
2562 }
2563
2564 ret = pubkey_verify_data(gnutls_x509_crq_get_pk_algorithm (crq, NULL), algo,
2565 &data, &signature, &params);
2566 if (ret < 0)
2567 {
2568 gnutls_assert ();
2569 goto cleanup;
2570 }
2571
2572 ret = 0;
2573
2574 cleanup:
2575 _gnutls_free_datum (&data);
2576 _gnutls_free_datum (&signature);
2577 gnutls_pk_params_release(&params);
2578
2579 return ret;
2580 }
2581
2582 /**
2583 * gnutls_x509_crq_set_private_key_usage_period:
2584 * @crq: a certificate of type #gnutls_x509_crq_t
2585 * @activation: The activation time
2586 * @expiration: The expiration time
2587 *
2588 * This function will set the private key usage period extension (2.5.29.16).
2589 *
2590 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
2591 * negative error value.
2592 **/
2593 int
2594 gnutls_x509_crq_set_private_key_usage_period (gnutls_x509_crq_t crq,
2595 time_t activation,
2596 time_t expiration)
2597 {
2598 int result;
2599 gnutls_datum_t der_data;
2600 ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
2601
2602 if (crq == NULL)
2603 {
2604 gnutls_assert ();
2605 return GNUTLS_E_INVALID_REQUEST;
2606 }
2607
2608 result =
2609 asn1_create_element (_gnutls_get_pkix (), "PKIX1.PrivateKeyUsagePeriod", &c2);
2610 if (result != ASN1_SUCCESS)
2611 {
2612 gnutls_assert ();
2613 return _gnutls_asn2err (result);
2614 }
2615
2616 result = _gnutls_x509_set_time (c2,
2617 "notBefore",
2618 activation, 1);
2619 if (result < 0)
2620 {
2621 gnutls_assert();
2622 goto cleanup;
2623 }
2624
2625 result = _gnutls_x509_set_time (c2,
2626 "notAfter",
2627 expiration, 1);
2628 if (result < 0)
2629 {
2630 gnutls_assert();
2631 goto cleanup;
2632 }
2633
2634 result = _gnutls_x509_der_encode (c2, "", &der_data, 0);
2635 if (result < 0)
2636 {
2637 gnutls_assert();
2638 goto cleanup;
2639 }
2640
2641 result = _gnutls_x509_crq_set_extension (crq, "2.5.29.16",
2642 &der_data, 0);
2643
2644 _gnutls_free_datum(&der_data);
2645
2646 cleanup:
2647 asn1_delete_structure (&c2);
2648
2649 return result;
2650 }
Implementation of the SSL/TLS protocol