2
* Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
3
* (Royal Institute of Technology, Stockholm, Sweden).
6
* Redistribution and use in source and binary forms, with or without
7
* modification, are permitted provided that the following conditions
10
* 1. Redistributions of source code must retain the above copyright
11
* notice, this list of conditions and the following disclaimer.
13
* 2. Redistributions in binary form must reproduce the above copyright
14
* notice, this list of conditions and the following disclaimer in the
15
* documentation and/or other materials provided with the distribution.
17
* 3. Neither the name of the Institute nor the names of its contributors
18
* may be used to endorse or promote products derived from this software
19
* without specific prior written permission.
21
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
35
#include <pkinit_asn1.h>
39
* @page page_ca Hx509 CA functions
41
* See the library functions here: @ref hx509_ca
46
SubjectPublicKeyInfo spki;
55
unsigned int serial:1;
56
unsigned int domaincontroller:1;
60
int pathLenConstraint; /* both for CA and Proxy */
61
CRLDistributionPoints crldp;
65
* Allocate a to-be-signed certificate object that will be converted
66
* into a certificate.
68
* @param context A hx509 context.
69
* @param tbs returned to-be-signed certificate object, free with
70
* hx509_ca_tbs_free().
72
* @return An hx509 error code, see hx509_get_error_string().
78
hx509_ca_tbs_init(hx509_context context, hx509_ca_tbs *tbs)
80
*tbs = calloc(1, sizeof(**tbs));
84
(*tbs)->subject = NULL;
86
(*tbs)->san.val = NULL;
88
(*tbs)->eku.val = NULL;
89
(*tbs)->pathLenConstraint = 0;
90
(*tbs)->crldp.len = 0;
91
(*tbs)->crldp.val = NULL;
97
* Free a to-be-signed object.
99
* @param tbs object to free.
105
/*
 * Release everything the to-be-signed object owns (SPKI, subject
 * alternative names, extended key usages, serial number, CRL
 * distribution points, subject name) and wipe the structure.
 * NOTE(review): the gutter numbers skip lines, so this listing is
 * incomplete; the early return, the final release of the object and
 * any reset of *tbs are not visible here.
 */
hx509_ca_tbs_free(hx509_ca_tbs *tbs)
107
/* Both a NULL handle and an already-cleared handle are tolerated. */
if (tbs == NULL || *tbs == NULL)
110
free_SubjectPublicKeyInfo(&(*tbs)->spki);
111
free_GeneralNames(&(*tbs)->san);
112
free_ExtKeyUsage(&(*tbs)->eku);
113
der_free_heim_integer(&(*tbs)->serial);
114
free_CRLDistributionPoints(&(*tbs)->crldp);
116
hx509_name_free(&(*tbs)->subject);
118
/*
 * Clear the whole structure, presumably so a stale reference finds
 * zeroed members rather than dangling pointers.
 * NOTE(review): if the memory is released right after this (not
 * shown), a compiler may drop the memset as a dead store; treat it as
 * hygiene, not as a guaranteed scrub.
 */
memset(*tbs, 0, sizeof(**tbs));
124
* Set the absolute time when the certificate is valid from. If not
125
* set the current time will be used.
127
* @param context A hx509 context.
128
* @param tbs object to be signed.
129
* @param t time the certificate will start to be valid
131
* @return An hx509 error code, see hx509_get_error_string().
137
hx509_ca_tbs_set_notBefore(hx509_context context,
146
* Set the absolute time when the certificate is valid to.
148
* @param context A hx509 context.
149
* @param tbs object to be signed.
150
* @param t time when the certificate will expire
152
* @return An hx509 error code, see hx509_get_error_string().
158
hx509_ca_tbs_set_notAfter(hx509_context context,
167
* Set the relative time when the certificate is going to expire.
169
* @param context A hx509 context.
170
* @param tbs object to be signed.
171
* @param delta seconds until the certificate is going to expire.
173
* @return An hx509 error code, see hx509_get_error_string().
179
/*
 * Set the expiry relative to the issuing host's current clock by
 * delegating to hx509_ca_tbs_set_notAfter().
 */
hx509_ca_tbs_set_notAfter_lifetime(hx509_context context,
183
/*
 * NOTE(review): no bound on delta is visible in this listing. A
 * negative value yields an already-expired certificate, a very large
 * one an effectively unlimited lifetime, and the addition itself can
 * overflow. Callers should clamp the lifetime to CA policy before
 * calling this.
 */
return hx509_ca_tbs_set_notAfter(context, tbs, time(NULL) + delta);
186
static const struct units templatebits[] = {
187
{ "ExtendedKeyUsage", HX509_CA_TEMPLATE_EKU },
188
{ "KeyUsage", HX509_CA_TEMPLATE_KU },
189
{ "SPKI", HX509_CA_TEMPLATE_SPKI },
190
{ "notAfter", HX509_CA_TEMPLATE_NOTAFTER },
191
{ "notBefore", HX509_CA_TEMPLATE_NOTBEFORE },
192
{ "serial", HX509_CA_TEMPLATE_SERIAL },
193
{ "subject", HX509_CA_TEMPLATE_SUBJECT },
198
* Table of template units, used to build the flags argument to
199
* hx509_ca_tbs_set_template() with parse_units().
201
* @return a units structure.
207
hx509_ca_tbs_template_units(void)
213
* Initialize the to-be-signed certificate object from a template certificate.
215
* @param context A hx509 context.
216
* @param tbs object to be signed.
217
* @param flags bit field selecting what to copy from the template
219
* @param cert template certificate.
221
* @return An hx509 error code, see hx509_get_error_string().
227
/*
 * Copy the fields selected by the flags bit field from the template
 * certificate into the to-be-signed object. Each selected field first
 * releases the value already held in tbs, then takes the template's.
 * NOTE(review): this listing omits lines (the gutter numbers skip), so
 * the error checks and returns between the visible statements are not
 * shown.
 */
hx509_ca_tbs_set_template(hx509_context context,
234
if (flags & HX509_CA_TEMPLATE_SUBJECT) {
236
hx509_name_free(&tbs->subject);
237
ret = hx509_cert_get_subject(cert, &tbs->subject);
239
hx509_set_error_string(context, 0, ret,
240
"Failed to get subject from template");
244
/*
 * NOTE(review): this reuses the template's serial number. Serial
 * numbers have to be unique per issuer, so this flag only makes sense
 * when the template was issued by a different CA or is being replaced;
 * confirm callers do not set it for ordinary issuance.
 */
if (flags & HX509_CA_TEMPLATE_SERIAL) {
245
der_free_heim_integer(&tbs->serial);
246
ret = hx509_cert_get_serialnumber(cert, &tbs->serial);
247
/* The serial flag is set only when the copy succeeded. */
tbs->flags.serial = !ret;
249
hx509_set_error_string(context, 0, ret,
250
"Failed to copy serial number");
254
if (flags & HX509_CA_TEMPLATE_NOTBEFORE)
255
tbs->notBefore = hx509_cert_get_notBefore(cert);
256
if (flags & HX509_CA_TEMPLATE_NOTAFTER)
257
tbs->notAfter = hx509_cert_get_notAfter(cert);
258
/*
 * NOTE(review): the new certificate will certify the template's public
 * key. Nothing in this function shows that the requester holds the
 * matching private key; proof of possession is left to the caller.
 */
if (flags & HX509_CA_TEMPLATE_SPKI) {
259
free_SubjectPublicKeyInfo(&tbs->spki);
260
ret = hx509_cert_get_SPKI(context, cert, &tbs->spki);
261
/* The key flag is set only when the copy succeeded. */
tbs->flags.key = !ret;
265
/*
 * The template's KeyUsage bits are taken over as they are, including
 * any CA-related bits the template carries.
 */
if (flags & HX509_CA_TEMPLATE_KU) {
267
ret = _hx509_cert_get_keyusage(context, cert, &ku);
270
tbs->key_usage = KeyUsage2int(ku);
272
if (flags & HX509_CA_TEMPLATE_EKU) {
275
ret = _hx509_cert_get_eku(context, cert, &eku);
278
/* Each template EKU goes through hx509_ca_tbs_add_eku(). */
for (i = 0; i < eku.len; i++) {
279
ret = hx509_ca_tbs_add_eku(context, tbs, &eku.val[i]);
281
/*
 * Two releases of the local eku list are visible: presumably this one
 * sits on the error path inside the loop and the next one follows the
 * loop. The lines between them are not shown; confirm both paths
 * cannot run for the same list.
 */
free_ExtKeyUsage(&eku);
285
free_ExtKeyUsage(&eku);
291
* Make the to-be-signed certificate object a CA certificate. If the
292
* pathLenConstraint is negative, no path length constraint is used.
294
* @param context A hx509 context.
295
* @param tbs object to be signed.
296
* @param pathLenConstraint path length constraint, negative, no
299
* @return An hx509 error code, see hx509_get_error_string().
305
hx509_ca_tbs_set_ca(hx509_context context,
307
int pathLenConstraint)
310
tbs->pathLenConstraint = pathLenConstraint;
315
* Make the to-be-signed certificate object a proxy certificate. If the
316
* pathLenConstraint is negative, no path length constraint is used.
318
* @param context A hx509 context.
319
* @param tbs object to be signed.
320
* @param pathLenConstraint path length constraint, negative, no
323
* @return An hx509 error code, see hx509_get_error_string().
329
hx509_ca_tbs_set_proxy(hx509_context context,
331
int pathLenConstraint)
333
tbs->flags.proxy = 1;
334
tbs->pathLenConstraint = pathLenConstraint;
340
* Make the to-be-signed certificate object a Windows domain controller certificate.
342
* @param context A hx509 context.
343
* @param tbs object to be signed.
345
* @return An hx509 error code, see hx509_get_error_string().
351
hx509_ca_tbs_set_domaincontroller(hx509_context context,
354
tbs->flags.domaincontroller = 1;
359
* Set the subject public key info (SPKI) in the to-be-signed certificate
360
* object. SPKI is the public key and key related parameters in the
363
* @param context A hx509 context.
364
* @param tbs object to be signed.
365
* @param spki subject public key info to use for the to-be-signed certificate object.
367
* @return An hx509 error code, see hx509_get_error_string().
373
hx509_ca_tbs_set_spki(hx509_context context,
375
const SubjectPublicKeyInfo *spki)
378
free_SubjectPublicKeyInfo(&tbs->spki);
379
ret = copy_SubjectPublicKeyInfo(spki, &tbs->spki);
380
tbs->flags.key = !ret;
385
* Set the serial number to use for to-be-signed certificate object.
387
* @param context A hx509 context.
388
* @param tbs object to be signed.
389
* @param serialNumber serial number to use for the to-be-signed
390
* certificate object.
392
* @return An hx509 error code, see hx509_get_error_string().
398
/*
 * Replace the serial number held in the to-be-signed object with a
 * copy of serialNumber.
 * NOTE(review): nothing visible here checks the value; keeping serial
 * numbers unique per issuer (and unpredictable, where policy requires
 * it) is left to the caller.
 */
hx509_ca_tbs_set_serialnumber(hx509_context context,
400
const heim_integer *serialNumber)
403
der_free_heim_integer(&tbs->serial);
404
ret = der_copy_heim_integer(serialNumber, &tbs->serial);
405
/* The serial flag is set only when the copy succeeded. */
tbs->flags.serial = !ret;
410
* Add an extended key usage to the to-be-signed certificate object.
411
* Duplicates will be detected and not added.
413
* @param context A hx509 context.
414
* @param tbs object to be signed.
415
* @param oid extended key usage to add.
417
* @return An hx509 error code, see hx509_get_error_string().
423
/*
 * Append one extended key usage OID to tbs->eku unless an equal OID
 * is already present.
 * NOTE(review): this listing omits lines (the gutter numbers skip);
 * the early return for duplicates, the failure test after realloc()
 * and the length increment are not shown.
 */
hx509_ca_tbs_add_eku(hx509_context context,
431
/* search for duplicates */
432
for (i = 0; i < tbs->eku.len; i++) {
433
if (der_heim_oid_cmp(oid, &tbs->eku.val[i]) == 0)
437
/*
 * The realloc() result goes into a temporary, so the existing array is
 * not lost when growing fails. The size product has no overflow check;
 * presumably unreachable because the length only grows one entry at a
 * time through this function.
 */
ptr = realloc(tbs->eku.val, sizeof(tbs->eku.val[0]) * (tbs->eku.len + 1));
439
hx509_set_error_string(context, 0, ENOMEM, "out of memory");
443
ret = der_copy_oid(oid, &tbs->eku.val[tbs->eku.len]);
445
/* Any der_copy_oid() failure is reported with this same message. */
hx509_set_error_string(context, 0, ret, "out of memory");
453
* Add CRL distribution point URI to the to-be-signed certificate
456
* @param context A hx509 context.
457
* @param tbs object to be signed.
458
* @param uri uri to the CRL.
459
* @param issuername name of the issuer.
461
* @return An hx509 error code, see hx509_get_error_string().
467
/*
 * Add one CRL distribution point, given as a URI, to the to-be-signed
 * object: wrap the URI in a GeneralName, encode it as a
 * DistributionPointName, and append the DistributionPoint to
 * tbs->crldp.
 * NOTE(review): this listing omits lines (the gutter numbers skip), so
 * branch conditions, error checks and any preprocessor guards are not
 * shown.
 */
hx509_ca_tbs_add_crl_dp_uri(hx509_context context,
470
hx509_name issuername)
472
DistributionPoint dp;
475
memset(&dp, 0, sizeof(dp));
477
/*
 * NOTE(review): ecalloc() is presumably the allocator that terminates
 * the process on failure; if so, an out-of-memory condition here ends
 * the calling CA process instead of returning an error. Verify.
 */
dp.distributionPoint = ecalloc(1, sizeof(*dp.distributionPoint));
480
DistributionPointName name;
484
name.element = choice_DistributionPointName_fullName;
485
name.u.fullName.len = 1;
486
name.u.fullName.val = &gn;
488
gn.element = choice_GeneralName_uniformResourceIdentifier;
489
/*
 * The caller's string is borrowed for encoding, not copied.
 * NOTE(review): the URI is embedded as given; no scheme or syntax
 * check is visible. Relying parties will fetch revocation data from
 * this location, so callers should validate it before it is signed
 * into a certificate.
 */
gn.u.uniformResourceIdentifier = rk_UNCONST(uri);
491
ASN1_MALLOC_ENCODE(DistributionPointName,
492
dp.distributionPoint->data,
493
dp.distributionPoint->length,
496
hx509_set_error_string(context, 0, ret,
497
"Failed to encoded DistributionPointName");
500
/* A length mismatch from the encoder is treated as fatal. */
if (dp.distributionPoint->length != size)
501
_hx509_abort("internal ASN.1 encoder error");
507
* issuername not supported
509
/*
 * A CRL issuer name is rejected with EINVAL. The statements that
 * follow build a cRLIssuer from issuername; presumably they are
 * compiled out or unreachable, which the visible lines cannot confirm.
 */
hx509_set_error_string(context, 0, EINVAL,
510
"CRLDistributionPoints.name.issuername not yet supported");
513
GeneralNames *crlissuer;
517
crlissuer = calloc(1, sizeof(*crlissuer));
518
if (crlissuer == NULL) {
521
memset(&gn, 0, sizeof(gn));
523
gn.element = choice_GeneralName_directoryName;
524
ret = hx509_name_to_Name(issuername, &n);
526
hx509_set_error_string(context, 0, ret, "out of memory");
530
gn.u.directoryName.element = n.element;
531
gn.u.directoryName.u.rdnSequence = n.u.rdnSequence;
533
ret = add_GeneralNames(&crlissuer, &gn);
536
hx509_set_error_string(context, 0, ret, "out of memory");
540
dp.cRLIssuer = &crlissuer;
544
ret = add_CRLDistributionPoints(&tbs->crldp, &dp);
546
hx509_set_error_string(context, 0, ret, "out of memory");
551
/* The local DistributionPoint is released after the append. */
free_DistributionPoint(&dp);
557
* Add Subject Alternative Name otherName to the to-be-signed
558
* certificate object.
560
* @param context A hx509 context.
561
* @param tbs object to be signed.
562
* @param oid the oid of the OtherName.
563
* @param os data in the other name.
565
* @return An hx509 error code, see hx509_get_error_string().
571
hx509_ca_tbs_add_san_otherName(hx509_context context,
574
const heim_octet_string *os)
578
memset(&gn, 0, sizeof(gn));
579
gn.element = choice_GeneralName_otherName;
580
gn.u.otherName.type_id = *oid;
581
gn.u.otherName.value = *os;
583
return add_GeneralNames(&tbs->san, &gn);
587
* Add Kerberos Subject Alternative Name to the to-be-signed
588
* certificate object. The principal string is a UTF8 string.
590
* @param context A hx509 context.
591
* @param tbs object to be signed.
592
* @param principal Kerberos principal to add to the certificate.
594
* @return An hx509 error code, see hx509_get_error_string().
600
/*
 * Parse a Kerberos principal string into a KRB5PrincipalName, encode
 * it, and add it as an otherName subject alternative name.
 * NOTE(review): this listing omits lines (the gutter numbers skip), so
 * the counter updates, the component-splitting loop and the cleanup
 * labels are only partly visible.
 */
hx509_ca_tbs_add_san_pkinit(hx509_context context,
602
const char *principal)
604
heim_octet_string os;
610
memset(&p, 0, sizeof(p));
612
/* parse principal */
618
/* count number of component */
620
/*
 * The count scans up to the first '@' or the end of the string. The
 * visible branches reject a trailing escape character and recognise
 * '/' as the component separator.
 */
for(str = principal; *str != '\0' && *str != '@'; str++){
622
if(str[1] == '\0' || str[1] == '@') {
623
ret = HX509_PARSING_NAME_FAILED;
624
hx509_set_error_string(context, 0, ret,
625
"trailing \\ in principal name");
629
} else if(*str == '/')
632
/* The component array is sized from the count made above. */
p.principalName.name_string.val =
633
calloc(n, sizeof(*p.principalName.name_string.val));
634
if (p.principalName.name_string.val == NULL) {
636
hx509_set_error_string(context, 0, ret, "malloc: out of memory");
639
p.principalName.name_string.len = n;
641
p.principalName.name_type = KRB5_NT_PRINCIPAL;
642
/* Work on a private copy; the components point into this copy. */
q = s = strdup(principal);
645
hx509_set_error_string(context, 0, ret, "malloc: out of memory");
648
/*
 * NOTE(review): the realm is located with the LAST '@', while the
 * count above stops at the FIRST '@' and applies escape handling. The
 * loop that stores the components is not fully visible; confirm that
 * it applies the same escape and '@' rules as the count and never
 * stores more than the n entries allocated, since the store below is
 * indexed by a running counter with no visible bound check.
 */
p.realm = strrchr(q, '@');
649
if (p.realm == NULL) {
650
ret = HX509_PARSING_NAME_FAILED;
651
hx509_set_error_string(context, 0, ret, "Missing @ in principal");
658
p.principalName.name_string.val[n++] = q;
665
ASN1_MALLOC_ENCODE(KRB5PrincipalName, os.data, os.length, &p, &size, ret);
667
hx509_set_error_string(context, 0, ret, "Out of memory");
670
/* A length mismatch from the encoder is treated as fatal. */
if (size != os.length)
671
_hx509_abort("internal ASN.1 encoder error");
673
ret = hx509_ca_tbs_add_san_otherName(context,
679
/* Only the pointer array is released here; the strings live in s. */
if (p.principalName.name_string.val)
680
free (p.principalName.name_string.val);
691
add_utf8_san(hx509_context context,
696
const PKIXXmppAddr ustring = (const PKIXXmppAddr)string;
697
heim_octet_string os;
704
ASN1_MALLOC_ENCODE(PKIXXmppAddr, os.data, os.length, &ustring, &size, ret);
706
hx509_set_error_string(context, 0, ret, "Out of memory");
709
if (size != os.length)
710
_hx509_abort("internal ASN.1 encoder error");
712
ret = hx509_ca_tbs_add_san_otherName(context,
722
* Add Microsoft UPN Subject Alternative Name to the to-be-signed
723
* certificate object. The principal string is a UTF8 string.
725
* @param context A hx509 context.
726
* @param tbs object to be signed.
727
* @param principal Microsoft UPN string.
729
* @return An hx509 error code, see hx509_get_error_string().
735
hx509_ca_tbs_add_san_ms_upn(hx509_context context,
737
const char *principal)
739
return add_utf8_san(context, tbs, oid_id_pkinit_ms_san(), principal);
743
* Add a Jabber/XMPP jid Subject Alternative Name to the to-be-signed
744
* certificate object. The jid is a UTF8 string.
746
* @param context A hx509 context.
747
* @param tbs object to be signed.
748
* @param jid string of a jabber id in UTF8.
750
* @return An hx509 error code, see hx509_get_error_string().
756
hx509_ca_tbs_add_san_jid(hx509_context context,
760
return add_utf8_san(context, tbs, oid_id_pkix_on_xmppAddr(), jid);
765
* Add a Subject Alternative Name hostname to the to-be-signed certificate
766
* object. A domain match starts with ., an exact match does not.
768
* Example of a domain match: .domain.se matches the hostname
771
* @param context A hx509 context.
772
* @param tbs object to be signed.
773
* @param dnsname a hostname.
775
* @return An hx509 error code, see hx509_get_error_string().
781
hx509_ca_tbs_add_san_hostname(hx509_context context,
787
memset(&gn, 0, sizeof(gn));
788
gn.element = choice_GeneralName_dNSName;
789
gn.u.dNSName = rk_UNCONST(dnsname);
791
return add_GeneralNames(&tbs->san, &gn);
795
* Add a Subject Alternative Name rfc822 (email address) to
796
* to-be-signed certificate object.
798
* @param context A hx509 context.
799
* @param tbs object to be signed.
800
* @param rfc822Name a string containing an email address.
802
* @return An hx509 error code, see hx509_get_error_string().
808
hx509_ca_tbs_add_san_rfc822name(hx509_context context,
810
const char *rfc822Name)
814
memset(&gn, 0, sizeof(gn));
815
gn.element = choice_GeneralName_rfc822Name;
816
gn.u.rfc822Name = rk_UNCONST(rfc822Name);
818
return add_GeneralNames(&tbs->san, &gn);
822
* Set the subject name of a to-be-signed certificate object.
824
* @param context A hx509 context.
825
* @param tbs object to be signed.
826
* @param subject the name to set as subject.
828
* @return An hx509 error code, see hx509_get_error_string().
834
hx509_ca_tbs_set_subject(hx509_context context,
839
hx509_name_free(&tbs->subject);
840
return hx509_name_copy(context, subject, &tbs->subject);
844
* Expand the subject name in the to-be-signed certificate object
845
* using hx509_name_expand().
847
* @param context A hx509 context.
848
* @param tbs object to be signed.
849
* @param env environment variable to expand variables in the subject
850
* name, see hx509_env_init().
852
* @return An hx509 error code, see hx509_get_error_string().
858
hx509_ca_tbs_subject_expand(hx509_context context,
862
return hx509_name_expand(context, tbs->subject, env);
866
/*
 * Build one Extension from an OID and its DER-encoded value and
 * append it to tbsc->extensions; the local Extension is released at
 * the end.
 * NOTE(review): this listing omits lines (the gutter numbers skip);
 * the parameter carrying the critical flag and the condition guarding
 * the critical allocation are not shown.
 */
add_extension(hx509_context context,
867
TBSCertificate *tbsc,
870
const heim_octet_string *data)
875
memset(&ext, 0, sizeof(ext));
878
/*
 * The critical field is allocated and set to TRUE, presumably only
 * when the caller asked for a critical extension; otherwise it stays
 * NULL from the memset above.
 */
ext.critical = malloc(sizeof(*ext.critical));
879
if (ext.critical == NULL) {
881
hx509_set_error_string(context, 0, ret, "Out of memory");
884
*ext.critical = TRUE;
887
ret = der_copy_oid(oid, &ext.extnID);
889
hx509_set_error_string(context, 0, ret, "Out of memory");
892
ret = der_copy_octet_string(data, &ext.extnValue);
894
hx509_set_error_string(context, 0, ret, "Out of memory");
897
ret = add_Extensions(tbsc->extensions, &ext);
899
/* Every failure in this function is reported as "Out of memory". */
hx509_set_error_string(context, 0, ret, "Out of memory");
903
free_Extension(&ext);
908
/*
 * Derive a proxy certificate subject: copy the issuer name into
 * subject, then prepend a commonName of the form "ts-<number>".
 * NOTE(review): this listing omits lines (the gutter numbers skip);
 * the assignment of t, the tests after each call and the release of
 * tstr are not shown.
 */
build_proxy_prefix(hx509_context context, const Name *issuer, Name *subject)
914
ret = copy_Name(issuer, subject);
916
hx509_set_error_string(context, 0, ret,
917
"Failed to copy subject name");
922
/*
 * NOTE(review): the asprintf() return value is discarded. On some C
 * libraries the pointer is left undefined when asprintf() fails, so a
 * NULL test on tstr afterwards is not a reliable failure check;
 * compare the return value with -1 instead.
 * NOTE(review): the prefix is built from t alone; if t is a timestamp
 * in seconds (its assignment is not shown), two proxies issued by the
 * same issuer within one second get identical subjects.
 */
asprintf(&tstr, "ts-%lu", (unsigned long)t);
924
/* The allocation failure reuses the name-copy error text. */
hx509_set_error_string(context, 0, ENOMEM,
925
"Failed to copy subject name");
928
/* prefix with CN=<ts>,...*/
929
ret = _hx509_name_modify(context, subject, 1, oid_id_at_commonName(), tstr);
937
/*
 * Build a TBSCertificate from the settings collected in tbs, add the
 * X.509 extensions, sign the encoding with signer and return the new
 * certificate in *certificate.
 * NOTE(review): this listing omits lines (the gutter numbers skip), so
 * most error checks, branch conditions and cleanup labels are not
 * visible. The notes below are limited to what the visible lines show.
 */
ca_sign(hx509_context context,
939
hx509_private_key signer,
940
const AuthorityKeyIdentifier *ai,
941
const Name *issuername,
942
hx509_cert *certificate)
944
heim_octet_string data;
946
TBSCertificate *tbsc;
949
const AlgorithmIdentifier *sigalg;
954
/*
 * The signature algorithm is the library-wide default.
 * NOTE(review): which algorithm that names is decided elsewhere;
 * confirm it is one that is acceptable for newly issued certificates.
 */
sigalg = _hx509_crypto_default_sig_alg;
956
memset(&c, 0, sizeof(c));
959
* Default values are: Valid since 24h ago, valid one year into
960
* the future, KeyUsage digitalSignature and keyEncipherment set,
961
* and keyCertSign for CA certificates.
963
notBefore = tbs->notBefore;
965
/* Fallback start time: 24 hours before now (condition not shown). */
notBefore = time(NULL) - 3600 * 24;
966
notAfter = tbs->notAfter;
968
/* Fallback end time: 365 days from now (condition not shown). */
notAfter = time(NULL) + 3600 * 24 * 365;
970
key_usage = tbs->key_usage;
971
/* No key usage requested: digitalSignature and keyEncipherment. */
if (key_usage == 0) {
973
memset(&ku, 0, sizeof(ku));
974
ku.digitalSignature = 1;
975
ku.keyEncipherment = 1;
976
key_usage = KeyUsage2int(ku);
981
/*
 * Further bits are OR-ed into the key usage here; which bits, and
 * under which condition, is not shown (the text above mentions
 * keyCertSign for CA certificates).
 */
memset(&ku, 0, sizeof(ku));
984
key_usage |= KeyUsage2int(ku);
991
tbsc = &c.tbsCertificate;
993
/* Issuance is refused when no subject public key was set. */
if (tbs->flags.key == 0) {
995
hx509_set_error_string(context, 0, ret, "No public key set");
999
* Don't put restrictions on proxy certificate's subject name, it
1000
* will be generated below.
1002
if (!tbs->flags.proxy) {
1003
if (tbs->subject == NULL) {
1004
hx509_set_error_string(context, 0, EINVAL, "No subject name set");
1007
/*
 * An empty subject is accepted as long as at least one subject
 * alternative name is present.
 */
if (hx509_name_is_null_p(tbs->subject) && tbs->san.len == 0) {
1008
hx509_set_error_string(context, 0, EINVAL,
1009
"NULL subject and no SubjectAltNames");
1013
/* A certificate cannot be both a CA and a proxy certificate. */
if (tbs->flags.ca && tbs->flags.proxy) {
1014
hx509_set_error_string(context, 0, EINVAL, "Can't be proxy and CA "
1015
"at the same time");
1018
if (tbs->flags.proxy) {
1019
if (tbs->san.len > 0) {
1020
hx509_set_error_string(context, 0, EINVAL,
1021
"Proxy certificate is not allowed "
1022
"to have SubjectAltNames");
1027
/* version [0] Version OPTIONAL, -- EXPLICIT nnn DEFAULT 1, */
1028
tbsc->version = calloc(1, sizeof(*tbsc->version));
1029
if (tbsc->version == NULL) {
1031
hx509_set_error_string(context, 0, ret, "Out of memory");
1034
*tbsc->version = rfc3280_version_3;
1035
/* serialNumber CertificateSerialNumber, */
1036
/* A caller-supplied serial number is copied as given. */
if (tbs->flags.serial) {
1037
ret = der_copy_heim_integer(&tbs->serial, &tbsc->serialNumber);
1039
hx509_set_error_string(context, 0, ret, "Out of memory");
1043
/*
 * Otherwise (presumably the else branch) the serial number is 20
 * random bytes.
 * NOTE(review): the RAND_bytes() result below is discarded. If the
 * random generator fails, the buffer from malloc() is used as the
 * serial number without having been filled. Check that the call
 * reports success and fail the issuance otherwise.
 */
tbsc->serialNumber.length = 20;
1044
tbsc->serialNumber.data = malloc(tbsc->serialNumber.length);
1045
if (tbsc->serialNumber.data == NULL){
1047
hx509_set_error_string(context, 0, ret, "Out of memory");
1051
RAND_bytes(tbsc->serialNumber.data, tbsc->serialNumber.length);
1052
/*
 * Clear the top bit of the first byte, presumably so the encoded
 * INTEGER is positive and needs no extra leading octet.
 */
((unsigned char *)tbsc->serialNumber.data)[0] &= 0x7f;
1054
/* signature AlgorithmIdentifier, */
1055
ret = copy_AlgorithmIdentifier(sigalg, &tbsc->signature);
1057
hx509_set_error_string(context, 0, ret, "Failed to copy sigature alg");
1062
/*
 * Issuer name: the name passed in by the caller, or (presumably for
 * the self-signed case, condition not shown) the subject itself.
 */
ret = copy_Name(issuername, &tbsc->issuer);
1064
ret = hx509_name_to_Name(tbs->subject, &tbsc->issuer);
1066
hx509_set_error_string(context, 0, ret, "Failed to copy issuer name");
1069
/* validity Validity, */
1070
/*
 * NOTE(review): both validity dates are always encoded as
 * GeneralizedTime. RFC 5280 section 4.1.2.5 requires UTCTime for
 * dates through 2049, and strict validators may reject the result.
 */
tbsc->validity.notBefore.element = choice_Time_generalTime;
1071
tbsc->validity.notBefore.u.generalTime = notBefore;
1072
tbsc->validity.notAfter.element = choice_Time_generalTime;
1073
tbsc->validity.notAfter.u.generalTime = notAfter;
1075
/* A proxy subject is derived from the issuer name just set. */
if (tbs->flags.proxy) {
1076
ret = build_proxy_prefix(context, &tbsc->issuer, &tbsc->subject);
1080
ret = hx509_name_to_Name(tbs->subject, &tbsc->subject);
1082
hx509_set_error_string(context, 0, ret,
1083
"Failed to copy subject name");
1087
/* subjectPublicKeyInfo SubjectPublicKeyInfo, */
1088
ret = copy_SubjectPublicKeyInfo(&tbs->spki, &tbsc->subjectPublicKeyInfo);
1090
hx509_set_error_string(context, 0, ret, "Failed to copy spki");
1093
/* issuerUniqueID [1] IMPLICIT BIT STRING OPTIONAL */
1094
/* subjectUniqueID [2] IMPLICIT BIT STRING OPTIONAL */
1095
/* extensions [3] EXPLICIT Extensions OPTIONAL */
1096
tbsc->extensions = calloc(1, sizeof(*tbsc->extensions));
1097
if (tbsc->extensions == NULL) {
1099
hx509_set_error_string(context, 0, ret, "Out of memory");
1103
/* Add the text BMP string Domaincontroller to the cert */
1104
if (tbs->flags.domaincontroller) {
1105
data.data = rk_UNCONST("\x1e\x20\x00\x44\x00\x6f\x00\x6d"
1106
"\x00\x61\x00\x69\x00\x6e\x00\x43"
1107
"\x00\x6f\x00\x6e\x00\x74\x00\x72"
1108
"\x00\x6f\x00\x6c\x00\x6c\x00\x65"
1112
/* Added with the critical argument 0 (non-critical). */
ret = add_extension(context, tbsc, 0,
1113
oid_id_ms_cert_enroll_domaincontroller(),
1123
ku = int2KeyUsage(key_usage);
1124
ASN1_MALLOC_ENCODE(KeyUsage, data.data, data.length, &ku, &size, ret);
1126
hx509_set_error_string(context, 0, ret, "Out of memory");
1129
if (size != data.length)
1130
_hx509_abort("internal ASN.1 encoder error");
1131
/* KeyUsage is the one extension always added as critical (1). */
ret = add_extension(context, tbsc, 1,
1132
oid_id_x509_ce_keyUsage(), &data);
1138
/* add ExtendedKeyUsage */
1139
if (tbs->eku.len > 0) {
1140
ASN1_MALLOC_ENCODE(ExtKeyUsage, data.data, data.length,
1141
&tbs->eku, &size, ret);
1143
hx509_set_error_string(context, 0, ret, "Out of memory");
1146
if (size != data.length)
1147
_hx509_abort("internal ASN.1 encoder error");
1148
ret = add_extension(context, tbsc, 0,
1149
oid_id_x509_ce_extKeyUsage(), &data);
1155
/* add Subject Alternative Name */
1156
if (tbs->san.len > 0) {
1157
ASN1_MALLOC_ENCODE(GeneralNames, data.data, data.length,
1158
&tbs->san, &size, ret);
1160
hx509_set_error_string(context, 0, ret, "Out of memory");
1163
if (size != data.length)
1164
_hx509_abort("internal ASN.1 encoder error");
1165
/*
 * NOTE(review): subjectAltName is always added as non-critical, yet
 * the subject check earlier in this function accepts an empty subject
 * when SANs are present. RFC 5280 section 4.2.1.6 requires the
 * extension to be critical in that case.
 */
ret = add_extension(context, tbsc, 0,
1166
oid_id_x509_ce_subjectAltName(),
1173
/* Add Authority Key Identifier */
1175
ASN1_MALLOC_ENCODE(AuthorityKeyIdentifier, data.data, data.length,
1178
hx509_set_error_string(context, 0, ret, "Out of memory");
1181
if (size != data.length)
1182
_hx509_abort("internal ASN.1 encoder error");
1183
ret = add_extension(context, tbsc, 0,
1184
oid_id_x509_ce_authorityKeyIdentifier(),
1191
/* Add Subject Key Identifier */
1193
SubjectKeyIdentifier si;
1194
unsigned char hash[SHA_DIGEST_LENGTH];
1200
/*
 * The key identifier is the SHA-1 hash of the subjectPublicKey bytes;
 * the length is divided by 8, presumably because the BIT STRING
 * length is counted in bits. SHA-1 serves here as an identifier for
 * chain building, not as a signature digest.
 */
SHA1_Update(&m, tbs->spki.subjectPublicKey.data,
1201
tbs->spki.subjectPublicKey.length / 8);
1202
SHA1_Final (hash, &m);
1206
si.length = sizeof(hash);
1208
ASN1_MALLOC_ENCODE(SubjectKeyIdentifier, data.data, data.length,
1211
hx509_set_error_string(context, 0, ret, "Out of memory");
1214
if (size != data.length)
1215
_hx509_abort("internal ASN.1 encoder error");
1216
ret = add_extension(context, tbsc, 0,
1217
oid_id_x509_ce_subjectKeyIdentifier(),
1224
/* Add BasicConstraints */
1226
BasicConstraints bc;
1230
memset(&bc, 0, sizeof(bc));
1232
if (tbs->flags.ca) {
1234
/* A negative pathLenConstraint leaves the field out. */
if (tbs->pathLenConstraint >= 0) {
1235
path = tbs->pathLenConstraint;
1236
bc.pathLenConstraint = &path;
1240
ASN1_MALLOC_ENCODE(BasicConstraints, data.data, data.length,
1243
hx509_set_error_string(context, 0, ret, "Out of memory");
1246
if (size != data.length)
1247
_hx509_abort("internal ASN.1 encoder error");
1248
/* Critical if this is a CA */
1249
ret = add_extension(context, tbsc, tbs->flags.ca,
1250
oid_id_x509_ce_basicConstraints(),
1258
if (tbs->flags.proxy) {
1261
memset(&info, 0, sizeof(info));
1263
if (tbs->pathLenConstraint >= 0) {
1264
info.pCPathLenConstraint =
1265
malloc(sizeof(*info.pCPathLenConstraint));
1266
if (info.pCPathLenConstraint == NULL) {
1268
hx509_set_error_string(context, 0, ret, "Out of memory");
1271
*info.pCPathLenConstraint = tbs->pathLenConstraint;
1274
/*
 * NOTE(review): the proxy policy is fixed to inheritAll, so every
 * proxy issued here carries all rights of its issuer; no way to select
 * a narrower policy is visible in this function.
 */
ret = der_copy_oid(oid_id_pkix_ppl_inheritAll(),
1275
&info.proxyPolicy.policyLanguage);
1277
free_ProxyCertInfo(&info);
1278
hx509_set_error_string(context, 0, ret, "Out of memory");
1282
ASN1_MALLOC_ENCODE(ProxyCertInfo, data.data, data.length,
1284
free_ProxyCertInfo(&info);
1286
hx509_set_error_string(context, 0, ret, "Out of memory");
1289
if (size != data.length)
1290
_hx509_abort("internal ASN.1 encoder error");
1291
/*
 * NOTE(review): ProxyCertInfo is added as non-critical (0). RFC 3820
 * requires this extension to be marked critical; confirm against the
 * proxy certificate profile the deployment relies on.
 */
ret = add_extension(context, tbsc, 0,
1292
oid_id_pkix_pe_proxyCertInfo(),
1299
if (tbs->crldp.len) {
1301
ASN1_MALLOC_ENCODE(CRLDistributionPoints, data.data, data.length,
1302
&tbs->crldp, &size, ret);
1304
hx509_set_error_string(context, 0, ret, "Out of memory");
1307
if (size != data.length)
1308
_hx509_abort("internal ASN.1 encoder error");
1309
ret = add_extension(context, tbsc, FALSE,
1310
oid_id_x509_ce_cRLDistributionPoints(),
1317
/* The finished TBSCertificate is encoded; that encoding is signed. */
ASN1_MALLOC_ENCODE(TBSCertificate, data.data, data.length,tbsc, &size, ret);
1319
hx509_set_error_string(context, 0, ret, "malloc out of memory");
1322
if (data.length != size)
1323
_hx509_abort("internal ASN.1 encoder error");
1325
ret = _hx509_create_signature_bitstring(context,
1329
&c.signatureAlgorithm,
1335
ret = hx509_cert_init(context, &c, certificate);
1339
/*
 * Two releases of the local Certificate are visible, presumably one
 * on the success path and one on the error path; the lines between
 * them are not shown.
 */
free_Certificate(&c);
1344
free_Certificate(&c);
1349
/*
 * Fill in an AuthorityKeyIdentifier for certificates issued by
 * certificate: use the signer's subject key identifier when it has
 * one, otherwise (presumably the else branch) the signer's subject
 * name and serial number.
 * NOTE(review): this listing omits lines (the gutter numbers skip), so
 * branch conditions, error assignments and labels are not shown.
 */
get_AuthorityKeyIdentifier(hx509_context context,
1350
const Certificate *certificate,
1351
AuthorityKeyIdentifier *ai)
1353
SubjectKeyIdentifier si;
1356
ret = _hx509_find_extension_subject_key_id(certificate, &si);
1358
ai->keyIdentifier = calloc(1, sizeof(*ai->keyIdentifier));
1359
if (ai->keyIdentifier == NULL) {
1360
free_SubjectKeyIdentifier(&si);
1362
hx509_set_error_string(context, 0, ret, "Out of memory");
1365
/* The key identifier is copied, then the local si is released. */
ret = der_copy_octet_string(&si, ai->keyIdentifier);
1366
free_SubjectKeyIdentifier(&si);
1368
hx509_set_error_string(context, 0, ret, "Out of memory");
1376
memset(&gn, 0, sizeof(gn));
1377
memset(&gns, 0, sizeof(gns));
1378
memset(&name, 0, sizeof(name));
1380
ai->authorityCertIssuer =
1381
calloc(1, sizeof(*ai->authorityCertIssuer));
1382
if (ai->authorityCertIssuer == NULL) {
1384
hx509_set_error_string(context, 0, ret, "Out of memory");
1387
ai->authorityCertSerialNumber =
1388
calloc(1, sizeof(*ai->authorityCertSerialNumber));
1389
if (ai->authorityCertSerialNumber == NULL) {
1391
hx509_set_error_string(context, 0, ret, "Out of memory");
1396
* XXX unbreak when asn1 compiler handle IMPLICIT
1398
* This is so horrible.
1401
ret = copy_Name(&certificate->tbsCertificate.subject, &name);
1402
/*
 * NOTE(review): this condition re-tests the pointer that was already
 * checked right after its calloc() above, instead of testing ret. A
 * copy_Name() failure is therefore not caught here; the condition
 * should read `if (ret) {`.
 */
if (ai->authorityCertSerialNumber == NULL) {
1404
hx509_set_error_string(context, 0, ret, "Out of memory");
1408
memset(&gn, 0, sizeof(gn));
1409
gn.element = choice_GeneralName_directoryName;
1410
gn.u.directoryName.element =
1411
choice_GeneralName_directoryName_rdnSequence;
1412
/* gn borrows the RDN sequence from name (no copy is made here). */
gn.u.directoryName.u.rdnSequence = name.u.rdnSequence;
1414
ret = add_GeneralNames(&gns, &gn);
1416
hx509_set_error_string(context, 0, ret, "Out of memory");
1420
/* The array built in gns is handed over to ai. */
ai->authorityCertIssuer->val = gns.val;
1421
ai->authorityCertIssuer->len = gns.len;
1423
ret = der_copy_heim_integer(&certificate->tbsCertificate.serialNumber,
1424
ai->authorityCertSerialNumber);
1425
/*
 * NOTE(review): same defect as after copy_Name() above. The pointer
 * is tested where ret should be, so a der_copy_heim_integer() failure
 * is not caught by this condition.
 */
if (ai->authorityCertSerialNumber == NULL) {
1427
hx509_set_error_string(context, 0, ret, "Out of memory");
1433
/* Presumably the error path: release whatever was filled in. */
free_AuthorityKeyIdentifier(ai);
1439
* Sign a to-be-signed certificate object with an issuer certificate.
1441
* The caller needs to at least have called the following functions on the
1442
* to-be-signed certificate object:
1443
* - hx509_ca_tbs_init()
1444
* - hx509_ca_tbs_set_subject()
1445
* - hx509_ca_tbs_set_spki()
1447
* When done the to-be-signed certificate object should be freed with
1448
* hx509_ca_tbs_free().
1450
* When creating self-signed certificate use hx509_ca_sign_self() instead.
1452
* @param context A hx509 context.
1453
* @param tbs object to be signed.
1454
* @param signer the CA certificate object to sign with (need private key).
1455
* @param certificate return certificate, free with hx509_cert_free().
1457
* @return An hx509 error code, see hx509_get_error_string().
1463
/*
 * Sign the to-be-signed object with the signer certificate's private
 * key: derive the AuthorityKeyIdentifier from the signer certificate,
 * then call ca_sign() with the signer's subject as the issuer name.
 * NOTE(review): this listing omits lines (the gutter numbers skip).
 * No visible line checks that the signer certificate is itself a CA
 * (basicConstraints, keyCertSign), that it is within its validity
 * period, or that a private key is attached to it. Confirm that the
 * caller or ca_sign() enforces this before a certificate is issued.
 */
hx509_ca_sign(hx509_context context,
1466
hx509_cert *certificate)
1468
const Certificate *signer_cert;
1469
AuthorityKeyIdentifier ai;
1472
memset(&ai, 0, sizeof(ai));
1474
signer_cert = _hx509_get_cert(signer);
1476
ret = get_AuthorityKeyIdentifier(context, signer_cert, &ai);
1480
ret = ca_sign(context,
1482
_hx509_cert_private_key(signer),
1484
&signer_cert->tbsCertificate.subject,
1488
/* The local AuthorityKeyIdentifier is released before returning. */
free_AuthorityKeyIdentifier(&ai);
1494
* Works just like hx509_ca_sign() but the certificate is self-signed.
1496
* @param context A hx509 context.
1497
* @param tbs object to be signed.
1498
* @param signer private key to sign with.
1499
* @param certificate return certificate, free with hx509_cert_free().
1501
* @return An hx509 error code, see hx509_get_error_string().
1507
hx509_ca_sign_self(hx509_context context,
1509
hx509_private_key signer,
1510
hx509_cert *certificate)
1512
return ca_sign(context,