136
136
/* Try the first header */
137
137
result = _gnutls_fbase64_decode (PEM_CRQ, data->data, data->size, &out);
139
if (result <= 0) /* Go for the second header */
141
_gnutls_fbase64_decode (PEM_CRQ2, data->data, data->size, &out);
139
if (result <= 0) /* Go for the second header */
141
_gnutls_fbase64_decode (PEM_CRQ2, data->data, data->size, &out);
146
result = GNUTLS_E_INTERNAL_ERROR;
146
result = GNUTLS_E_INTERNAL_ERROR;
151
151
_data.data = out;
152
152
_data.size = result;
303
303
/* create a string like "attribute.?1"
305
305
if (attr_name[0] != 0)
306
snprintf (tmpbuffer1, sizeof (tmpbuffer1), "%s.?%u", attr_name, k1);
306
snprintf (tmpbuffer1, sizeof (tmpbuffer1), "%s.?%u", attr_name, k1);
308
snprintf (tmpbuffer1, sizeof (tmpbuffer1), "?%u", k1);
308
snprintf (tmpbuffer1, sizeof (tmpbuffer1), "?%u", k1);
310
310
len = sizeof (value) - 1;
311
311
result = asn1_read_value (asn1_struct, tmpbuffer1, value, &len);
313
313
if (result == ASN1_ELEMENT_NOT_FOUND)
319
319
if (result != ASN1_VALUE_NOT_FOUND)
322
result = _gnutls_asn2err (result);
322
result = _gnutls_asn2err (result);
326
326
/* Move to the attibute type and values
334
334
result = asn1_read_value (asn1_struct, tmpbuffer3, oid, &len);
336
336
if (result == ASN1_ELEMENT_NOT_FOUND)
338
338
else if (result != ASN1_SUCCESS)
341
result = _gnutls_asn2err (result);
341
result = _gnutls_asn2err (result);
345
345
if (strcmp (oid, given_oid) == 0)
346
{ /* Found the OID */
350
snprintf (tmpbuffer3, sizeof (tmpbuffer3), "%s.values.?%u",
351
tmpbuffer1, indx + 1);
353
len = sizeof (value) - 1;
354
result = asn1_read_value (asn1_struct, tmpbuffer3, value, &len);
356
if (result != ASN1_SUCCESS)
359
result = _gnutls_asn2err (result);
365
printable = _gnutls_x509_oid_data_printable (oid);
369
_gnutls_x509_oid_data2string
370
(oid, value, len, buf, sizeof_buf)) < 0)
380
return GNUTLS_E_X509_UNSUPPORTED_ATTRIBUTE;
385
if (*sizeof_buf >= (size_t) len && buf != NULL)
388
memcpy (buf, value, len);
395
return GNUTLS_E_SHORT_MEMORY_BUFFER;
346
{ /* Found the OID */
350
snprintf (tmpbuffer3, sizeof (tmpbuffer3), "%s.values.?%u",
351
tmpbuffer1, indx + 1);
353
len = sizeof (value) - 1;
354
result = asn1_read_value (asn1_struct, tmpbuffer3, value, &len);
356
if (result != ASN1_SUCCESS)
359
result = _gnutls_asn2err (result);
365
printable = _gnutls_x509_oid_data_printable (oid);
369
_gnutls_x509_oid_data2string
370
(oid, value, len, buf, sizeof_buf)) < 0)
380
return GNUTLS_E_X509_UNSUPPORTED_ATTRIBUTE;
385
if (*sizeof_buf >= (size_t) len && buf != NULL)
388
memcpy (buf, value, len);
395
return GNUTLS_E_SHORT_MEMORY_BUFFER;
541
541
if (result == ASN1_ELEMENT_NOT_FOUND)
549
_gnutls_str_cpy (name2, sizeof (name2), name);
550
_gnutls_str_cat (name2, sizeof (name2), ".type");
552
len = sizeof (extnID) - 1;
553
result = asn1_read_value (asn, name2, extnID, &len);
555
if (result == ASN1_ELEMENT_NOT_FOUND)
560
else if (result != ASN1_SUCCESS)
563
return _gnutls_asn2err (result);
568
if (strcmp (extnID, ext_id) == 0)
570
/* attribute was found
572
return overwrite_attribute (asn, root, k, ext_data);
549
_gnutls_str_cpy (name2, sizeof (name2), name);
550
_gnutls_str_cat (name2, sizeof (name2), ".type");
552
len = sizeof (extnID) - 1;
553
result = asn1_read_value (asn, name2, extnID, &len);
555
if (result == ASN1_ELEMENT_NOT_FOUND)
560
else if (result != ASN1_SUCCESS)
563
return _gnutls_asn2err (result);
568
if (strcmp (extnID, ext_id) == 0)
570
/* attribute was found
572
return overwrite_attribute (asn, root, k, ext_data);
1018
1019
return GNUTLS_E_INVALID_REQUEST;
1021
/* Make sure version field is set. */
1022
if (gnutls_x509_crq_get_version (crq) == GNUTLS_E_ASN1_VALUE_NOT_FOUND)
1024
result = gnutls_x509_crq_set_version (crq, 1);
1032
/* Step 1. Self sign the request.
1035
_gnutls_x509_sign_tbs (crq->crq, "certificationRequestInfo",
1036
dig, key, &signature);
1044
/* Step 2. write the signature (bits)
1047
asn1_write_value (crq->crq, "signature", signature.data,
1048
signature.size * 8);
1050
_gnutls_free_datum (&signature);
1052
if (result != ASN1_SUCCESS)
1055
return _gnutls_asn2err (result);
1058
/* Step 3. Write the signatureAlgorithm field.
1060
result = _gnutls_x509_write_sig_params (crq->crq, "signatureAlgorithm",
1061
key->pk_algorithm, dig, key->params,
1022
result = gnutls_privkey_init (&privkey);
1029
result = gnutls_privkey_import_x509 (privkey, key, 0);
1036
result = gnutls_x509_crq_privkey_sign (crq, privkey, dig, flags);
1046
gnutls_privkey_deinit (privkey);
1626
1607
get_subject_alt_name (gnutls_x509_crq_t crq,
1627
unsigned int seq, void *ret,
1628
size_t * ret_size, unsigned int *ret_type,
1629
unsigned int *critical, int othername_oid)
1608
unsigned int seq, void *ret,
1609
size_t * ret_size, unsigned int *ret_type,
1610
unsigned int *critical, int othername_oid)
1632
1613
ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
1816
1797
oid_size = sizeof (_oid);
1818
gnutls_x509_crq_get_extension_info (crq, i, _oid, &oid_size,
1799
gnutls_x509_crq_get_extension_info (crq, i, _oid, &oid_size,
1820
1801
if (result < 0)
1826
1807
if (strcmp (oid, _oid) == 0)
1829
return gnutls_x509_crq_get_extension_data (crq, i, buf,
1810
return gnutls_x509_crq_get_extension_data (crq, i, buf,
1889
1870
if (flags == GNUTLS_FSAN_APPEND)
1891
1872
result = gnutls_x509_crq_get_extension_by_oid (crq, "2.5.29.17", 0,
1892
NULL, &prev_data_size,
1873
NULL, &prev_data_size,
1894
1875
prev_der_data.size = prev_data_size;
1896
1877
switch (result)
1898
case GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE:
1899
/* Replacing non-existing data means the same as set data. */
1902
case GNUTLS_E_SUCCESS:
1903
prev_der_data.data = gnutls_malloc (prev_der_data.size);
1904
if (prev_der_data.data == NULL)
1907
return GNUTLS_E_MEMORY_ERROR;
1910
result = gnutls_x509_crq_get_extension_by_oid (crq, "2.5.29.17", 0,
1917
gnutls_free (prev_der_data.data);
1879
case GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE:
1880
/* Replacing non-existing data means the same as set data. */
1883
case GNUTLS_E_SUCCESS:
1884
prev_der_data.data = gnutls_malloc (prev_der_data.size);
1885
if (prev_der_data.data == NULL)
1888
return GNUTLS_E_MEMORY_ERROR;
1891
result = gnutls_x509_crq_get_extension_by_oid (crq, "2.5.29.17", 0,
1898
gnutls_free (prev_der_data.data);
1928
1909
/* generate the extension.
1930
1911
result = _gnutls_x509_ext_gen_subject_alt_name (nt, data, data_size,
1931
&prev_der_data, &der_data);
1912
&prev_der_data, &der_data);
1932
1913
gnutls_free (prev_der_data.data);
1933
1914
if (result < 0)
2440
2421
result = gnutls_fingerprint (GNUTLS_DIG_SHA1, &pubkey,
2441
output_data, output_data_size);
2422
output_data, output_data_size);
2443
2424
gnutls_free (pubkey.data);
2430
* gnutls_x509_crq_privkey_sign:
2431
* @crq: should contain a #gnutls_x509_crq_t structure
2432
* @key: holds a private key
2433
* @dig: The message digest to use, i.e., %GNUTLS_DIG_SHA1
2436
* This function will sign the certificate request with a private key.
2437
* This must be the same key as the one used in
2438
* gnutls_x509_crt_set_key() since a certificate request is self
2441
* This must be the last step in a certificate request generation
2442
* since all the previously set parameters are now signed.
2444
* Returns: %GNUTLS_E_SUCCESS on success, otherwise an error.
2445
* %GNUTLS_E_ASN1_VALUE_NOT_FOUND is returned if you didn't set all
2446
* information in the certificate request (e.g., the version using
2447
* gnutls_x509_crq_set_version()).
2451
gnutls_x509_crq_privkey_sign (gnutls_x509_crq_t crq, gnutls_privkey_t key,
2452
gnutls_digest_algorithm_t dig,
2456
gnutls_datum_t signature;
2462
return GNUTLS_E_INVALID_REQUEST;
2465
/* Make sure version field is set. */
2466
if (gnutls_x509_crq_get_version (crq) == GNUTLS_E_ASN1_VALUE_NOT_FOUND)
2468
result = gnutls_x509_crq_set_version (crq, 1);
2476
/* Step 1. Self sign the request.
2478
result = _gnutls_x509_get_tbs (crq->crq, "certificationRequestInfo", &tbs);
2486
result = gnutls_privkey_sign_data (key, dig, 0, &tbs, &signature);
2487
gnutls_free (tbs.data);
2495
/* Step 2. write the signature (bits)
2498
asn1_write_value (crq->crq, "signature", signature.data,
2499
signature.size * 8);
2501
_gnutls_free_datum (&signature);
2503
if (result != ASN1_SUCCESS)
2506
return _gnutls_asn2err (result);
2509
/* Step 3. Write the signatureAlgorithm field.
2511
result = _gnutls_x509_write_sig_params (crq->crq, "signatureAlgorithm",
2512
gnutls_privkey_get_pk_algorithm
2525
* gnutls_x509_crq_verify:
2526
* @crq: is the crq to be verified
2527
* @flags: Flags that may be used to change the verification algorithm. Use OR of the gnutls_certificate_verify_flags enumerations.
2529
* This function will verify self signature in the certificate
2530
* request and return its status.
2532
* Returns: On success, %GNUTLS_E_SUCCESS is returned, %GNUTLS_E_PK_SIG_VERIFY_FAILED
2533
* if verification failed, otherwise a negative error value.
2536
gnutls_x509_crq_verify (gnutls_x509_crq_t crq,
2539
gnutls_datum data = { NULL, 0 };
2540
gnutls_datum signature = { NULL, 0 };
2541
bigint_t params[MAX_PUBLIC_PARAMS_SIZE];
2542
int ret, params_size = 0, i;
2545
_gnutls_x509_get_signed_data (crq->crq, "certificationRequestInfo", &data);
2552
ret = _gnutls_x509_get_signature (crq->crq, "signature", &signature);
2559
params_size = MAX_PUBLIC_PARAMS_SIZE;
2561
_gnutls_x509_crq_get_mpis(crq, params, ¶ms_size);
2568
ret = pubkey_verify_sig(&data, NULL, &signature,
2569
gnutls_x509_crq_get_pk_algorithm (crq, NULL),
2570
params, params_size);
2580
_gnutls_free_datum (&data);
2581
_gnutls_free_datum (&signature);
2583
for (i = 0; i < params_size; i++)
2585
_gnutls_mpi_release (¶ms[i]);
2449
2591
#endif /* ENABLE_PKI */