2 * Copyright (C) 2003, 2004, 2005, 2008, 2009, 2010, 2011 Free Software
5 * Author: Nikos Mavrogiannopoulos
7 * This file is part of GnuTLS.
9 * The GnuTLS is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU Lesser General Public License
11 * as published by the Free Software Foundation; either version 2.1 of
12 * the License, or (at your option) any later version.
14 * This library is distributed in the hope that it will be useful, but
15 * WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 * Lesser General Public License for more details.
19 * You should have received a copy of the GNU Lesser General Public
20 * License along with this library; if not, write to the Free Software
21 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
26 /* This file contains functions to handle PKCS #10 certificate
27 requests, see RFC 2986.
30 #include <gnutls_int.h>
34 #include <gnutls_datum.h>
35 #include <gnutls_global.h>
36 #include <gnutls_errors.h>
38 #include <gnutls_x509.h>
44 * gnutls_x509_crq_init:
45 * @crq: The structure to be initialized
47 * This function will initialize a PKCS#10 certificate request
50 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
51 * negative error value.
54 gnutls_x509_crq_init (gnutls_x509_crq_t * crq)
58 *crq = gnutls_calloc (1, sizeof (gnutls_x509_crq_int));
60 return GNUTLS_E_MEMORY_ERROR;
62 result = asn1_create_element (_gnutls_get_pkix (),
63 "PKIX1.pkcs-10-CertificationRequest",
65 if (result != ASN1_SUCCESS)
69 return _gnutls_asn2err (result);
76 * gnutls_x509_crq_deinit:
77 * @crq: The structure to be initialized
79 * This function will deinitialize a PKCS#10 certificate request
83 gnutls_x509_crq_deinit (gnutls_x509_crq_t crq)
89 asn1_delete_structure (&crq->crq);
94 #define PEM_CRQ "NEW CERTIFICATE REQUEST"
95 #define PEM_CRQ2 "CERTIFICATE REQUEST"
98 * gnutls_x509_crq_import:
99 * @crq: The structure to store the parsed certificate request.
100 * @data: The DER or PEM encoded certificate.
101 * @format: One of DER or PEM
103 * This function will convert the given DER or PEM encoded certificate
104 * request to a #gnutls_x509_crq_t structure. The output will be
107 * If the Certificate is PEM encoded it should have a header of "NEW
108 * CERTIFICATE REQUEST".
110 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
111 * negative error value.
114 gnutls_x509_crq_import (gnutls_x509_crq_t crq,
115 const gnutls_datum_t * data,
116 gnutls_x509_crt_fmt_t format)
118 int result = 0, need_free = 0;
119 gnutls_datum_t _data;
124 return GNUTLS_E_INVALID_REQUEST;
127 _data.data = data->data;
128 _data.size = data->size;
130 /* If the Certificate is in PEM format then decode it
132 if (format == GNUTLS_X509_FMT_PEM)
136 /* Try the first header */
137 result = _gnutls_fbase64_decode (PEM_CRQ, data->data, data->size, &out);
139 if (result <= 0) /* Go for the second header */
141 _gnutls_fbase64_decode (PEM_CRQ2, data->data, data->size, &out);
146 result = GNUTLS_E_INTERNAL_ERROR;
157 result = asn1_der_decoding (&crq->crq, _data.data, _data.size, NULL);
158 if (result != ASN1_SUCCESS)
160 result = _gnutls_asn2err (result);
169 _gnutls_free_datum (&_data);
176 * gnutls_x509_crq_get_dn:
177 * @crq: should contain a #gnutls_x509_crq_t structure
178 * @buf: a pointer to a structure to hold the name (may be %NULL)
179 * @sizeof_buf: initially holds the size of @buf
181 * This function will copy the name of the Certificate request subject
182 * to the provided buffer. The name will be in the form
183 * "C=xxxx,O=yyyy,CN=zzzz" as described in RFC 2253. The output string
184 * @buf will be ASCII or UTF-8 encoded, depending on the certificate
187 * Returns: %GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not
188 * long enough, and in that case the *@sizeof_buf will be updated with
189 * the required size. On success 0 is returned.
192 gnutls_x509_crq_get_dn (gnutls_x509_crq_t crq, char *buf, size_t * sizeof_buf)
197 return GNUTLS_E_INVALID_REQUEST;
200 return _gnutls_x509_parse_dn (crq->crq,
201 "certificationRequestInfo.subject.rdnSequence",
206 * gnutls_x509_crq_get_dn_by_oid:
207 * @crq: should contain a gnutls_x509_crq_t structure
208 * @oid: holds an Object Identified in null terminated string
209 * @indx: In case multiple same OIDs exist in the RDN, this specifies
210 * which to send. Use zero to get the first one.
211 * @raw_flag: If non zero returns the raw DER data of the DN part.
212 * @buf: a pointer to a structure to hold the name (may be %NULL)
213 * @sizeof_buf: initially holds the size of @buf
215 * This function will extract the part of the name of the Certificate
216 * request subject, specified by the given OID. The output will be
217 * encoded as described in RFC2253. The output string will be ASCII
218 * or UTF-8 encoded, depending on the certificate data.
220 * Some helper macros with popular OIDs can be found in gnutls/x509.h
221 * If raw flag is zero, this function will only return known OIDs as
222 * text. Other OIDs will be DER encoded, as described in RFC2253 --
223 * in hex format with a '\#' prefix. You can check about known OIDs
224 * using gnutls_x509_dn_oid_known().
226 * Returns: %GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is
227 * not long enough, and in that case the *@sizeof_buf will be
228 * updated with the required size. On success 0 is returned.
231 gnutls_x509_crq_get_dn_by_oid (gnutls_x509_crq_t crq, const char *oid,
232 int indx, unsigned int raw_flag,
233 void *buf, size_t * sizeof_buf)
238 return GNUTLS_E_INVALID_REQUEST;
241 return _gnutls_x509_parse_dn_oid
243 "certificationRequestInfo.subject.rdnSequence",
244 oid, indx, raw_flag, buf, sizeof_buf);
248 * gnutls_x509_crq_get_dn_oid:
249 * @crq: should contain a gnutls_x509_crq_t structure
250 * @indx: Specifies which DN OID to send. Use zero to get the first one.
251 * @oid: a pointer to a structure to hold the name (may be %NULL)
252 * @sizeof_oid: initially holds the size of @oid
254 * This function will extract the requested OID of the name of the
255 * certificate request subject, specified by the given index.
257 * Returns: %GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is
258 * not long enough, and in that case the *@sizeof_oid will be
259 * updated with the required size. On success 0 is returned.
262 gnutls_x509_crq_get_dn_oid (gnutls_x509_crq_t crq,
263 int indx, void *oid, size_t * sizeof_oid)
268 return GNUTLS_E_INVALID_REQUEST;
271 return _gnutls_x509_get_dn_oid (crq->crq,
272 "certificationRequestInfo.subject.rdnSequence",
273 indx, oid, sizeof_oid);
276 /* Parses an Attribute list in the asn1_struct, and searches for the
277 * given OID. The index indicates the attribute value to be returned.
279 * If raw==0 only printable data are returned, or
280 * GNUTLS_E_X509_UNSUPPORTED_ATTRIBUTE.
282 * asn1_attr_name must be a string in the form
283 * "certificationRequestInfo.attributes"
287 parse_attribute (ASN1_TYPE asn1_struct,
288 const char *attr_name, const char *given_oid, int indx,
289 int raw, char *buf, size_t * sizeof_buf)
292 char tmpbuffer1[ASN1_MAX_NAME_SIZE];
293 char tmpbuffer3[ASN1_MAX_NAME_SIZE];
295 char oid[MAX_OID_SIZE];
303 /* create a string like "attribute.?1"
305 if (attr_name[0] != 0)
306 snprintf (tmpbuffer1, sizeof (tmpbuffer1), "%s.?%u", attr_name, k1);
308 snprintf (tmpbuffer1, sizeof (tmpbuffer1), "?%u", k1);
310 len = sizeof (value) - 1;
311 result = asn1_read_value (asn1_struct, tmpbuffer1, value, &len);
313 if (result == ASN1_ELEMENT_NOT_FOUND)
319 if (result != ASN1_VALUE_NOT_FOUND)
322 result = _gnutls_asn2err (result);
326 /* Move to the attibute type and values
330 _gnutls_str_cpy (tmpbuffer3, sizeof (tmpbuffer3), tmpbuffer1);
331 _gnutls_str_cat (tmpbuffer3, sizeof (tmpbuffer3), ".type");
333 len = sizeof (oid) - 1;
334 result = asn1_read_value (asn1_struct, tmpbuffer3, oid, &len);
336 if (result == ASN1_ELEMENT_NOT_FOUND)
338 else if (result != ASN1_SUCCESS)
341 result = _gnutls_asn2err (result);
345 if (strcmp (oid, given_oid) == 0)
346 { /* Found the OID */
350 snprintf (tmpbuffer3, sizeof (tmpbuffer3), "%s.values.?%u",
351 tmpbuffer1, indx + 1);
353 len = sizeof (value) - 1;
354 result = asn1_read_value (asn1_struct, tmpbuffer3, value, &len);
356 if (result != ASN1_SUCCESS)
359 result = _gnutls_asn2err (result);
365 printable = _gnutls_x509_oid_data_printable (oid);
369 _gnutls_x509_oid_data2string
370 (oid, value, len, buf, sizeof_buf)) < 0)
380 return GNUTLS_E_X509_UNSUPPORTED_ATTRIBUTE;
385 if (*sizeof_buf >= (size_t) len && buf != NULL)
388 memcpy (buf, value, len);
395 return GNUTLS_E_SHORT_MEMORY_BUFFER;
405 result = GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
412 * gnutls_x509_crq_get_challenge_password:
413 * @crq: should contain a #gnutls_x509_crq_t structure
414 * @pass: will hold a zero-terminated password string
415 * @sizeof_pass: Initially holds the size of @pass.
417 * This function will return the challenge password in the request.
418 * The challenge password is intended to be used for requesting a
419 * revocation of the certificate.
421 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
422 * negative error value.
425 gnutls_x509_crq_get_challenge_password (gnutls_x509_crq_t crq,
426 char *pass, size_t * sizeof_pass)
431 return GNUTLS_E_INVALID_REQUEST;
434 return parse_attribute (crq->crq, "certificationRequestInfo.attributes",
435 "1.2.840.113549.1.9.7", 0, 0, pass, sizeof_pass);
438 /* This function will attempt to set the requested attribute in
439 * the given X509v3 certificate.
441 * Critical will be either 0 or 1.
444 add_attribute (ASN1_TYPE asn, const char *root, const char *attribute_id,
445 const gnutls_datum_t * ext_data)
448 char name[ASN1_MAX_NAME_SIZE];
450 snprintf (name, sizeof (name), "%s", root);
452 /* Add a new attribute in the list.
454 result = asn1_write_value (asn, name, "NEW", 1);
455 if (result != ASN1_SUCCESS)
458 return _gnutls_asn2err (result);
461 snprintf (name, sizeof (name), "%s.?LAST.type", root);
463 result = asn1_write_value (asn, name, attribute_id, 1);
464 if (result != ASN1_SUCCESS)
467 return _gnutls_asn2err (result);
470 snprintf (name, sizeof (name), "%s.?LAST.values", root);
472 result = asn1_write_value (asn, name, "NEW", 1);
473 if (result != ASN1_SUCCESS)
476 return _gnutls_asn2err (result);
479 snprintf (name, sizeof (name), "%s.?LAST.values.?LAST", root);
481 result = _gnutls_x509_write_value (asn, name, ext_data, 0);
491 /* Overwrite the given attribute (using the index)
492 * index here starts from one.
495 overwrite_attribute (ASN1_TYPE asn, const char *root, unsigned int indx,
496 const gnutls_datum_t * ext_data)
498 char name[ASN1_MAX_NAME_SIZE], name2[ASN1_MAX_NAME_SIZE];
501 snprintf (name, sizeof (name), "%s.?%u", root, indx);
503 _gnutls_str_cpy (name2, sizeof (name2), name);
504 _gnutls_str_cat (name2, sizeof (name2), ".values.?LAST");
506 result = _gnutls_x509_write_value (asn, name2, ext_data, 0);
518 set_attribute (ASN1_TYPE asn, const char *root,
519 const char *ext_id, const gnutls_datum_t * ext_data)
523 char name[ASN1_MAX_NAME_SIZE], name2[ASN1_MAX_NAME_SIZE];
524 char extnID[MAX_OID_SIZE];
526 /* Find the index of the given attribute.
533 snprintf (name, sizeof (name), "%s.?%u", root, k);
535 len = sizeof (extnID) - 1;
536 result = asn1_read_value (asn, name, extnID, &len);
541 if (result == ASN1_ELEMENT_NOT_FOUND)
549 _gnutls_str_cpy (name2, sizeof (name2), name);
550 _gnutls_str_cat (name2, sizeof (name2), ".type");
552 len = sizeof (extnID) - 1;
553 result = asn1_read_value (asn, name2, extnID, &len);
555 if (result == ASN1_ELEMENT_NOT_FOUND)
560 else if (result != ASN1_SUCCESS)
563 return _gnutls_asn2err (result);
568 if (strcmp (extnID, ext_id) == 0)
570 /* attribute was found
572 return overwrite_attribute (asn, root, k, ext_data);
581 if (result == ASN1_ELEMENT_NOT_FOUND)
583 return add_attribute (asn, root, ext_id, ext_data);
588 return _gnutls_asn2err (result);
596 * gnutls_x509_crq_set_attribute_by_oid:
597 * @crq: should contain a #gnutls_x509_crq_t structure
598 * @oid: holds an Object Identified in zero-terminated string
599 * @buf: a pointer to a structure that holds the attribute data
600 * @sizeof_buf: holds the size of @buf
602 * This function will set the attribute in the certificate request
603 * specified by the given Object ID. The attribute must be be DER
606 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
607 * negative error value.
610 gnutls_x509_crq_set_attribute_by_oid (gnutls_x509_crq_t crq,
611 const char *oid, void *buf,
617 data.size = sizeof_buf;
622 return GNUTLS_E_INVALID_REQUEST;
625 return set_attribute (crq->crq, "certificationRequestInfo.attributes",
630 * gnutls_x509_crq_get_attribute_by_oid:
631 * @crq: should contain a #gnutls_x509_crq_t structure
632 * @oid: holds an Object Identified in zero-terminated string
633 * @indx: In case multiple same OIDs exist in the attribute list, this
634 * specifies which to send, use zero to get the first one
635 * @buf: a pointer to a structure to hold the attribute data (may be %NULL)
636 * @sizeof_buf: initially holds the size of @buf
638 * This function will return the attribute in the certificate request
639 * specified by the given Object ID. The attribute will be DER
642 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
643 * negative error value.
646 gnutls_x509_crq_get_attribute_by_oid (gnutls_x509_crq_t crq,
647 const char *oid, int indx, void *buf,
653 return GNUTLS_E_INVALID_REQUEST;
656 return parse_attribute (crq->crq, "certificationRequestInfo.attributes",
657 oid, indx, 1, buf, sizeof_buf);
661 * gnutls_x509_crq_set_dn_by_oid:
662 * @crq: should contain a #gnutls_x509_crq_t structure
663 * @oid: holds an Object Identifier in a zero-terminated string
664 * @raw_flag: must be 0, or 1 if the data are DER encoded
665 * @data: a pointer to the input data
666 * @sizeof_data: holds the size of @data
668 * This function will set the part of the name of the Certificate
669 * request subject, specified by the given OID. The input string
670 * should be ASCII or UTF-8 encoded.
672 * Some helper macros with popular OIDs can be found in gnutls/x509.h
673 * With this function you can only set the known OIDs. You can test
674 * for known OIDs using gnutls_x509_dn_oid_known(). For OIDs that are
675 * not known (by gnutls) you should properly DER encode your data, and
676 * call this function with raw_flag set.
678 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
679 * negative error value.
682 gnutls_x509_crq_set_dn_by_oid (gnutls_x509_crq_t crq, const char *oid,
683 unsigned int raw_flag, const void *data,
684 unsigned int sizeof_data)
686 if (sizeof_data == 0 || data == NULL || crq == NULL)
688 return GNUTLS_E_INVALID_REQUEST;
691 return _gnutls_x509_set_dn_oid (crq->crq,
692 "certificationRequestInfo.subject", oid,
693 raw_flag, data, sizeof_data);
697 * gnutls_x509_crq_set_version:
698 * @crq: should contain a #gnutls_x509_crq_t structure
699 * @version: holds the version number, for v1 Requests must be 1
701 * This function will set the version of the certificate request. For
702 * version 1 requests this must be one.
704 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
705 * negative error value.
708 gnutls_x509_crq_set_version (gnutls_x509_crq_t crq, unsigned int version)
711 unsigned char null = version;
716 return GNUTLS_E_INVALID_REQUEST;
723 asn1_write_value (crq->crq, "certificationRequestInfo.version", &null, 1);
724 if (result != ASN1_SUCCESS)
727 return _gnutls_asn2err (result);
734 * gnutls_x509_crq_get_version:
735 * @crq: should contain a #gnutls_x509_crq_t structure
737 * This function will return the version of the specified Certificate
740 * Returns: version of certificate request, or a negative value on
744 gnutls_x509_crq_get_version (gnutls_x509_crq_t crq)
752 return GNUTLS_E_INVALID_REQUEST;
755 len = sizeof (version);
757 asn1_read_value (crq->crq, "certificationRequestInfo.version",
758 version, &len)) != ASN1_SUCCESS)
761 if (result == ASN1_ELEMENT_NOT_FOUND)
762 return 1; /* the DEFAULT version */
764 return _gnutls_asn2err (result);
767 return (int) version[0] + 1;
771 * gnutls_x509_crq_set_key:
772 * @crq: should contain a #gnutls_x509_crq_t structure
773 * @key: holds a private key
775 * This function will set the public parameters from the given private
776 * key to the request. Only RSA keys are currently supported.
778 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
779 * negative error value.
782 gnutls_x509_crq_set_key (gnutls_x509_crq_t crq, gnutls_x509_privkey_t key)
789 return GNUTLS_E_INVALID_REQUEST;
792 result = _gnutls_x509_encode_and_copy_PKI_params
794 "certificationRequestInfo.subjectPKInfo",
795 key->pk_algorithm, key->params, key->params_size);
807 * gnutls_x509_crq_get_key_rsa_raw:
808 * @crq: Holds the certificate
809 * @m: will hold the modulus
810 * @e: will hold the public exponent
812 * This function will export the RSA public key's parameters found in
813 * the given structure. The new parameters will be allocated using
814 * gnutls_malloc() and will be stored in the appropriate datum.
816 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
817 * negative error value.
822 gnutls_x509_crq_get_key_rsa_raw (gnutls_x509_crq_t crq,
823 gnutls_datum_t * m, gnutls_datum_t * e)
826 bigint_t params[MAX_PUBLIC_PARAMS_SIZE];
827 int params_size = MAX_PUBLIC_PARAMS_SIZE;
833 return GNUTLS_E_INVALID_REQUEST;
836 ret = gnutls_x509_crq_get_pk_algorithm (crq, NULL);
837 if (ret != GNUTLS_PK_RSA)
840 return GNUTLS_E_INVALID_REQUEST;
843 ret = _gnutls_x509_crq_get_mpis (crq, params, ¶ms_size);
850 ret = _gnutls_mpi_dprint (params[0], m);
857 ret = _gnutls_mpi_dprint (params[1], e);
861 _gnutls_free_datum (m);
868 for (i = 0; i < params_size; i++)
870 _gnutls_mpi_release (¶ms[i]);
876 * gnutls_x509_crq_set_key_rsa_raw:
877 * @crq: should contain a #gnutls_x509_crq_t structure
878 * @m: holds the modulus
879 * @e: holds the public exponent
881 * This function will set the public parameters from the given private
882 * key to the request. Only RSA keys are currently supported.
884 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
885 * negative error value.
890 gnutls_x509_crq_set_key_rsa_raw (gnutls_x509_crq_t crq,
891 const gnutls_datum_t * m,
892 const gnutls_datum_t * e)
896 bigint_t temp_params[RSA_PUBLIC_PARAMS];
901 return GNUTLS_E_INVALID_REQUEST;
904 memset (temp_params, 0, sizeof (temp_params));
907 if (_gnutls_mpi_scan_nz (&temp_params[0], m->data, siz))
910 ret = GNUTLS_E_MPI_SCAN_FAILED;
915 if (_gnutls_mpi_scan_nz (&temp_params[1], e->data, siz))
918 ret = GNUTLS_E_MPI_SCAN_FAILED;
922 result = _gnutls_x509_encode_and_copy_PKI_params
924 "certificationRequestInfo.subjectPKInfo",
925 GNUTLS_PK_RSA, temp_params, RSA_PUBLIC_PARAMS);
937 _gnutls_mpi_release (&temp_params[0]);
938 _gnutls_mpi_release (&temp_params[1]);
943 * gnutls_x509_crq_set_challenge_password:
944 * @crq: should contain a #gnutls_x509_crq_t structure
945 * @pass: holds a zero-terminated password
947 * This function will set a challenge password to be used when
948 * revoking the request.
950 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
951 * negative error value.
954 gnutls_x509_crq_set_challenge_password (gnutls_x509_crq_t crq,
962 return GNUTLS_E_INVALID_REQUEST;
965 /* Add the attribute.
967 result = asn1_write_value (crq->crq, "certificationRequestInfo.attributes",
969 if (result != ASN1_SUCCESS)
972 return _gnutls_asn2err (result);
975 result = _gnutls_x509_encode_and_write_attribute
976 ("1.2.840.113549.1.9.7", crq->crq,
977 "certificationRequestInfo.attributes.?LAST", pass, strlen (pass), 1);
988 * gnutls_x509_crq_sign2:
989 * @crq: should contain a #gnutls_x509_crq_t structure
990 * @key: holds a private key
991 * @dig: The message digest to use, i.e., %GNUTLS_DIG_SHA1
994 * This function will sign the certificate request with a private key.
995 * This must be the same key as the one used in
996 * gnutls_x509_crt_set_key() since a certificate request is self
999 * This must be the last step in a certificate request generation
1000 * since all the previously set parameters are now signed.
1002 * Returns: %GNUTLS_E_SUCCESS on success, otherwise an error.
1003 * %GNUTLS_E_ASN1_VALUE_NOT_FOUND is returned if you didn't set all
1004 * information in the certificate request (e.g., the version using
1005 * gnutls_x509_crq_set_version()).
1007 * Deprecated: Use gnutls_x509_crq_privkey_sign() instead.
1010 gnutls_x509_crq_sign2 (gnutls_x509_crq_t crq, gnutls_x509_privkey_t key,
1011 gnutls_digest_algorithm_t dig, unsigned int flags)
1014 gnutls_privkey_t privkey;
1019 return GNUTLS_E_INVALID_REQUEST;
1022 result = gnutls_privkey_init (&privkey);
1029 result = gnutls_privkey_import_x509 (privkey, key, 0);
1036 result = gnutls_x509_crq_privkey_sign (crq, privkey, dig, flags);
1046 gnutls_privkey_deinit (privkey);
1052 * gnutls_x509_crq_sign:
1053 * @crq: should contain a #gnutls_x509_crq_t structure
1054 * @key: holds a private key
1056 * This function is the same a gnutls_x509_crq_sign2() with no flags,
1057 * and SHA1 as the hash algorithm.
1059 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
1060 * negative error value.
1062 * Deprecated: Use gnutls_x509_crq_privkey_sign() instead.
1065 gnutls_x509_crq_sign (gnutls_x509_crq_t crq, gnutls_x509_privkey_t key)
1067 return gnutls_x509_crq_sign2 (crq, key, GNUTLS_DIG_SHA1, 0);
1071 * gnutls_x509_crq_export:
1072 * @crq: should contain a #gnutls_x509_crq_t structure
1073 * @format: the format of output params. One of PEM or DER.
1074 * @output_data: will contain a certificate request PEM or DER encoded
1075 * @output_data_size: holds the size of output_data (and will be
1076 * replaced by the actual size of parameters)
1078 * This function will export the certificate request to a PEM or DER
1079 * encoded PKCS10 structure.
1081 * If the buffer provided is not long enough to hold the output, then
1082 * %GNUTLS_E_SHORT_MEMORY_BUFFER will be returned and
1083 * *@output_data_size will be updated.
1085 * If the structure is PEM encoded, it will have a header of "BEGIN
1086 * NEW CERTIFICATE REQUEST".
1088 * Return value: In case of failure a negative value will be
1089 * returned, and 0 on success.
1092 gnutls_x509_crq_export (gnutls_x509_crq_t crq,
1093 gnutls_x509_crt_fmt_t format, void *output_data,
1094 size_t * output_data_size)
1099 return GNUTLS_E_INVALID_REQUEST;
1102 return _gnutls_x509_export_int (crq->crq, format, PEM_CRQ,
1103 output_data, output_data_size);
1107 * gnutls_x509_crq_get_pk_algorithm:
1108 * @crq: should contain a #gnutls_x509_crq_t structure
1109 * @bits: if bits is non-%NULL it will hold the size of the parameters' in bits
1111 * This function will return the public key algorithm of a PKCS#10
1112 * certificate request.
1114 * If bits is non-%NULL, it should have enough size to hold the
1115 * parameters size in bits. For RSA the bits returned is the modulus.
1116 * For DSA the bits returned are of the public exponent.
1118 * Returns: a member of the #gnutls_pk_algorithm_t enumeration on
1119 * success, or a negative value on error.
1122 gnutls_x509_crq_get_pk_algorithm (gnutls_x509_crq_t crq, unsigned int *bits)
1129 return GNUTLS_E_INVALID_REQUEST;
1132 result = _gnutls_x509_get_pk_algorithm
1133 (crq->crq, "certificationRequestInfo.subjectPKInfo", bits);
1143 * gnutls_x509_crq_get_attribute_info:
1144 * @crq: should contain a #gnutls_x509_crq_t structure
1145 * @indx: Specifies which attribute OID to send. Use zero to get the first one.
1146 * @oid: a pointer to a structure to hold the OID
1147 * @sizeof_oid: initially holds the maximum size of @oid, on return
1148 * holds actual size of @oid.
1150 * This function will return the requested attribute OID in the
1151 * certificate, and the critical flag for it. The attribute OID will
1152 * be stored as a string in the provided buffer. Use
1153 * gnutls_x509_crq_get_attribute_data() to extract the data.
1155 * If the buffer provided is not long enough to hold the output, then
1156 * *@sizeof_oid is updated and %GNUTLS_E_SHORT_MEMORY_BUFFER will be
1159 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
1160 * negative value in case of an error. If your have reached the
1161 * last extension available %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
1167 gnutls_x509_crq_get_attribute_info (gnutls_x509_crq_t crq, int indx,
1168 void *oid, size_t * sizeof_oid)
1171 char name[ASN1_MAX_NAME_SIZE];
1177 return GNUTLS_E_INVALID_REQUEST;
1180 snprintf (name, sizeof (name),
1181 "certificationRequestInfo.attributes.?%u.type", indx + 1);
1184 result = asn1_read_value (crq->crq, name, oid, &len);
1187 if (result == ASN1_ELEMENT_NOT_FOUND)
1188 return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
1189 else if (result < 0)
1192 return _gnutls_asn2err (result);
1200 * gnutls_x509_crq_get_attribute_data:
1201 * @crq: should contain a #gnutls_x509_crq_t structure
1202 * @indx: Specifies which attribute OID to send. Use zero to get the first one.
1203 * @data: a pointer to a structure to hold the data (may be null)
1204 * @sizeof_data: initially holds the size of @oid
1206 * This function will return the requested attribute data in the
1207 * certificate request. The attribute data will be stored as a string in the
1210 * Use gnutls_x509_crq_get_attribute_info() to extract the OID.
1211 * Use gnutls_x509_crq_get_attribute_by_oid() instead,
1212 * if you want to get data indexed by the attribute OID rather than
1215 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
1216 * negative value in case of an error. If your have reached the
1217 * last extension available %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
1223 gnutls_x509_crq_get_attribute_data (gnutls_x509_crq_t crq, int indx,
1224 void *data, size_t * sizeof_data)
1227 char name[ASN1_MAX_NAME_SIZE];
1232 return GNUTLS_E_INVALID_REQUEST;
1235 snprintf (name, sizeof (name),
1236 "certificationRequestInfo.attributes.?%u.values.?1", indx + 1);
1239 result = asn1_read_value (crq->crq, name, data, &len);
1242 if (result == ASN1_ELEMENT_NOT_FOUND)
1243 return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
1244 else if (result < 0)
1247 return _gnutls_asn2err (result);
1254 * gnutls_x509_crq_get_extension_info:
1255 * @crq: should contain a #gnutls_x509_crq_t structure
1256 * @indx: Specifies which extension OID to send. Use zero to get the first one.
1257 * @oid: a pointer to a structure to hold the OID
1258 * @sizeof_oid: initially holds the maximum size of @oid, on return
1259 * holds actual size of @oid.
1260 * @critical: output variable with critical flag, may be NULL.
1262 * This function will return the requested extension OID in the
1263 * certificate, and the critical flag for it. The extension OID will
1264 * be stored as a string in the provided buffer. Use
1265 * gnutls_x509_crq_get_extension_data() to extract the data.
1267 * If the buffer provided is not long enough to hold the output, then
1268 * *@sizeof_oid is updated and %GNUTLS_E_SHORT_MEMORY_BUFFER will be
1271 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
1272 * negative value in case of an error. If your have reached the
1273 * last extension available %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
1279 gnutls_x509_crq_get_extension_info (gnutls_x509_crq_t crq, int indx,
1280 void *oid, size_t * sizeof_oid,
1284 char str_critical[10];
1285 char name[ASN1_MAX_NAME_SIZE];
1286 char *extensions = NULL;
1287 size_t extensions_size = 0;
1294 return GNUTLS_E_INVALID_REQUEST;
1297 /* read extensionRequest */
1298 result = gnutls_x509_crq_get_attribute_by_oid (crq, "1.2.840.113549.1.9.14",
1299 0, NULL, &extensions_size);
1300 if (result == GNUTLS_E_SHORT_MEMORY_BUFFER)
1302 extensions = gnutls_malloc (extensions_size);
1303 if (extensions == NULL)
1306 return GNUTLS_E_MEMORY_ERROR;
1309 result = gnutls_x509_crq_get_attribute_by_oid (crq,
1310 "1.2.840.113549.1.9.14",
1320 result = asn1_create_element (_gnutls_get_pkix (), "PKIX1.Extensions", &c2);
1321 if (result != ASN1_SUCCESS)
1324 result = _gnutls_asn2err (result);
1328 result = asn1_der_decoding (&c2, extensions, extensions_size, NULL);
1329 if (result != ASN1_SUCCESS)
1332 asn1_delete_structure (&c2);
1333 result = _gnutls_asn2err (result);
1337 snprintf (name, sizeof (name), "?%u.extnID", indx + 1);
1340 result = asn1_read_value (c2, name, oid, &len);
1343 if (result == ASN1_ELEMENT_NOT_FOUND)
1345 asn1_delete_structure (&c2);
1346 result = GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
1349 else if (result < 0)
1352 asn1_delete_structure (&c2);
1353 result = _gnutls_asn2err (result);
1357 snprintf (name, sizeof (name), "?%u.critical", indx + 1);
1358 len = sizeof (str_critical);
1359 result = asn1_read_value (c2, name, str_critical, &len);
1361 asn1_delete_structure (&c2);
1366 result = _gnutls_asn2err (result);
1372 if (str_critical[0] == 'T')
1381 gnutls_free (extensions);
1386 * gnutls_x509_crq_get_extension_data:
1387 * @crq: should contain a #gnutls_x509_crq_t structure
1388 * @indx: Specifies which extension OID to send. Use zero to get the first one.
1389 * @data: a pointer to a structure to hold the data (may be null)
1390 * @sizeof_data: initially holds the size of @oid
1392 * This function will return the requested extension data in the
1393 * certificate. The extension data will be stored as a string in the
1396 * Use gnutls_x509_crq_get_extension_info() to extract the OID and
1397 * critical flag. Use gnutls_x509_crq_get_extension_by_oid() instead,
1398 * if you want to get data indexed by the extension OID rather than
1401 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
1402 * negative value in case of an error. If your have reached the
1403 * last extension available %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
1409 gnutls_x509_crq_get_extension_data (gnutls_x509_crq_t crq, int indx,
1410 void *data, size_t * sizeof_data)
1413 char name[ASN1_MAX_NAME_SIZE];
1414 unsigned char *extensions;
1415 size_t extensions_size = 0;
1421 return GNUTLS_E_INVALID_REQUEST;
1424 /* read extensionRequest */
1425 result = gnutls_x509_crq_get_attribute_by_oid (crq, "1.2.840.113549.1.9.14",
1426 0, NULL, &extensions_size);
1427 if (result != GNUTLS_E_SHORT_MEMORY_BUFFER)
1431 return GNUTLS_E_INTERNAL_ERROR;
1435 extensions = gnutls_malloc (extensions_size);
1436 if (extensions == NULL)
1439 return GNUTLS_E_MEMORY_ERROR;
1442 result = gnutls_x509_crq_get_attribute_by_oid (crq, "1.2.840.113549.1.9.14",
1451 result = asn1_create_element (_gnutls_get_pkix (), "PKIX1.Extensions", &c2);
1452 if (result != ASN1_SUCCESS)
1455 gnutls_free (extensions);
1456 return _gnutls_asn2err (result);
1459 result = asn1_der_decoding (&c2, extensions, extensions_size, NULL);
1460 gnutls_free (extensions);
1461 if (result != ASN1_SUCCESS)
1464 asn1_delete_structure (&c2);
1465 return _gnutls_asn2err (result);
1468 snprintf (name, sizeof (name), "?%u.extnValue", indx + 1);
1471 result = asn1_read_value (c2, name, data, &len);
1474 asn1_delete_structure (&c2);
1476 if (result == ASN1_ELEMENT_NOT_FOUND)
1477 return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
1478 else if (result < 0)
1481 return _gnutls_asn2err (result);
1488 * gnutls_x509_crq_get_key_usage:
1489 * @crq: should contain a #gnutls_x509_crq_t structure
1490 * @key_usage: where the key usage bits will be stored
1491 * @critical: will be non zero if the extension is marked as critical
1493 * This function will return certificate's key usage, by reading the
1494 * keyUsage X.509 extension (2.5.29.15). The key usage value will
1495 * ORed values of the: %GNUTLS_KEY_DIGITAL_SIGNATURE,
1496 * %GNUTLS_KEY_NON_REPUDIATION, %GNUTLS_KEY_KEY_ENCIPHERMENT,
1497 * %GNUTLS_KEY_DATA_ENCIPHERMENT, %GNUTLS_KEY_KEY_AGREEMENT,
1498 * %GNUTLS_KEY_KEY_CERT_SIGN, %GNUTLS_KEY_CRL_SIGN,
1499 * %GNUTLS_KEY_ENCIPHER_ONLY, %GNUTLS_KEY_DECIPHER_ONLY.
1501 * Returns: the certificate key usage, or a negative value in case of
1502 * parsing error. If the certificate does not contain the keyUsage
1503 * extension %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be
1509 gnutls_x509_crq_get_key_usage (gnutls_x509_crq_t crq,
1510 unsigned int *key_usage,
1511 unsigned int *critical)
1516 size_t buf_size = sizeof (buf);
1521 return GNUTLS_E_INVALID_REQUEST;
1524 result = gnutls_x509_crq_get_extension_by_oid (crq, "2.5.29.15", 0,
1525 buf, &buf_size, critical);
1532 result = _gnutls_x509_ext_extract_keyUsage (&_usage, buf, buf_size);
1534 *key_usage = _usage;
1546 * gnutls_x509_crq_get_basic_constraints:
1547 * @crq: should contain a #gnutls_x509_crq_t structure
1548 * @critical: will be non zero if the extension is marked as critical
1549 * @ca: pointer to output integer indicating CA status, may be NULL,
1550 * value is 1 if the certificate CA flag is set, 0 otherwise.
1551 * @pathlen: pointer to output integer indicating path length (may be
1552 * NULL), non-negative values indicate a present pathLenConstraint
1553 * field and the actual value, -1 indicate that the field is absent.
1555 * This function will read the certificate's basic constraints, and
1556 * return the certificates CA status. It reads the basicConstraints
1557 * X.509 extension (2.5.29.19).
1559 * Return value: If the certificate is a CA a positive value will be
1560 * returned, or zero if the certificate does not have CA flag set.
1561 * A negative value may be returned in case of errors. If the
1562 * certificate does not contain the basicConstraints extension
1563 * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.
1568 gnutls_x509_crq_get_basic_constraints (gnutls_x509_crq_t crq,
1569 unsigned int *critical,
1570 int *ca, int *pathlen)
1575 size_t buf_size = sizeof (buf);
1580 return GNUTLS_E_INVALID_REQUEST;
1583 result = gnutls_x509_crq_get_extension_by_oid (crq, "2.5.29.19", 0,
1584 buf, &buf_size, critical);
1592 _gnutls_x509_ext_extract_basicConstraints (&tmp_ca,
1593 pathlen, buf, buf_size);
1607 get_subject_alt_name (gnutls_x509_crq_t crq,
1608 unsigned int seq, void *ret,
1609 size_t * ret_size, unsigned int *ret_type,
1610 unsigned int *critical, int othername_oid)
1613 ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
1614 gnutls_x509_subject_alt_name_t type;
1615 gnutls_datum_t dnsname = { NULL, 0 };
1616 size_t dns_size = 0;
1621 return GNUTLS_E_INVALID_REQUEST;
1625 memset (ret, 0, *ret_size);
1629 /* Extract extension.
1631 result = gnutls_x509_crq_get_extension_by_oid (crq, "2.5.29.17", 0,
1632 NULL, &dns_size, critical);
1639 dnsname.size = dns_size;
1640 dnsname.data = gnutls_malloc (dnsname.size);
1641 if (dnsname.data == NULL)
1644 return GNUTLS_E_MEMORY_ERROR;
1647 result = gnutls_x509_crq_get_extension_by_oid (crq, "2.5.29.17", 0,
1648 dnsname.data, &dns_size,
1653 gnutls_free (dnsname.data);
1657 result = asn1_create_element
1658 (_gnutls_get_pkix (), "PKIX1.SubjectAltName", &c2);
1659 if (result != ASN1_SUCCESS)
1662 gnutls_free (dnsname.data);
1663 return _gnutls_asn2err (result);
1666 result = asn1_der_decoding (&c2, dnsname.data, dnsname.size, NULL);
1667 gnutls_free (dnsname.data);
1668 if (result != ASN1_SUCCESS)
1671 asn1_delete_structure (&c2);
1672 return _gnutls_asn2err (result);
1675 result = _gnutls_parse_general_name (c2, "", seq, ret, ret_size,
1676 ret_type, othername_oid);
1677 asn1_delete_structure (&c2);
1689 * gnutls_x509_crq_get_subject_alt_name:
1690 * @crq: should contain a #gnutls_x509_crq_t structure
1691 * @seq: specifies the sequence number of the alt name, 0 for the
1692 * first one, 1 for the second etc.
1693 * @ret: is the place where the alternative name will be copied to
1694 * @ret_size: holds the size of ret.
1695 * @ret_type: holds the #gnutls_x509_subject_alt_name_t name type
1696 * @critical: will be non zero if the extension is marked as critical
1699 * This function will return the alternative names, contained in the
1700 * given certificate. It is the same as
1701 * gnutls_x509_crq_get_subject_alt_name() except for the fact that it
1702 * will return the type of the alternative name in @ret_type even if
1703 * the function fails for some reason (i.e. the buffer provided is
1706 * Returns: the alternative subject name type on success, one of the
1707 * enumerated #gnutls_x509_subject_alt_name_t. It will return
1708 * %GNUTLS_E_SHORT_MEMORY_BUFFER if @ret_size is not large enough to
1709 * hold the value. In that case @ret_size will be updated with the
1710 * required size. If the certificate request does not have an
1711 * Alternative name with the specified sequence number then
1712 * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned.
1717 gnutls_x509_crq_get_subject_alt_name (gnutls_x509_crq_t crq,
1718 unsigned int seq, void *ret,
1720 unsigned int *ret_type,
1721 unsigned int *critical)
1723 return get_subject_alt_name (crq, seq, ret, ret_size, ret_type, critical,
1728 * gnutls_x509_crq_get_subject_alt_othername_oid:
1729 * @crq: should contain a #gnutls_x509_crq_t structure
1730 * @seq: specifies the sequence number of the alt name (0 for the first one, 1 for the second etc.)
1731 * @ret: is the place where the otherName OID will be copied to
1732 * @ret_size: holds the size of ret.
1734 * This function will extract the type OID of an otherName Subject
1735 * Alternative Name, contained in the given certificate, and return
1736 * the type as an enumerated element.
1738 * This function is only useful if
1739 * gnutls_x509_crq_get_subject_alt_name() returned
1740 * %GNUTLS_SAN_OTHERNAME.
1742 * Returns: the alternative subject name type on success, one of the
1743 * enumerated gnutls_x509_subject_alt_name_t. For supported OIDs,
1744 * it will return one of the virtual (GNUTLS_SAN_OTHERNAME_*) types,
1745 * e.g. %GNUTLS_SAN_OTHERNAME_XMPP, and %GNUTLS_SAN_OTHERNAME for
1746 * unknown OIDs. It will return %GNUTLS_E_SHORT_MEMORY_BUFFER if
1747 * @ret_size is not large enough to hold the value. In that case
1748 * @ret_size will be updated with the required size. If the
1749 * certificate does not have an Alternative name with the specified
1750 * sequence number and with the otherName type then
1751 * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned.
1756 gnutls_x509_crq_get_subject_alt_othername_oid (gnutls_x509_crq_t crq,
1758 void *ret, size_t * ret_size)
1760 return get_subject_alt_name (crq, seq, ret, ret_size, NULL, NULL, 1);
1764 * gnutls_x509_crq_get_extension_by_oid:
1765 * @crq: should contain a #gnutls_x509_crq_t structure
1766 * @oid: holds an Object Identified in null terminated string
1767 * @indx: In case multiple same OIDs exist in the extensions, this
1768 * specifies which to send. Use zero to get the first one.
1769 * @buf: a pointer to a structure to hold the name (may be null)
1770 * @sizeof_buf: initially holds the size of @buf
1771 * @critical: will be non zero if the extension is marked as critical
1773 * This function will return the extension specified by the OID in
1774 * the certificate. The extensions will be returned as binary data
1775 * DER encoded, in the provided buffer.
1777 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
1778 * negative value in case of an error. If the certificate does not
1779 * contain the specified extension
1780 * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.
1785 gnutls_x509_crq_get_extension_by_oid (gnutls_x509_crq_t crq,
1786 const char *oid, int indx,
1787 void *buf, size_t * sizeof_buf,
1788 unsigned int *critical)
1792 char _oid[MAX_OID_SIZE];
1797 oid_size = sizeof (_oid);
1799 gnutls_x509_crq_get_extension_info (crq, i, _oid, &oid_size,
1807 if (strcmp (oid, _oid) == 0)
1810 return gnutls_x509_crq_get_extension_data (crq, i, buf,
1818 return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
1823 * gnutls_x509_crq_set_subject_alt_name:
1824 * @crq: a certificate request of type #gnutls_x509_crq_t
1825 * @nt: is one of the #gnutls_x509_subject_alt_name_t enumerations
1826 * @data: The data to be set
1827 * @data_size: The size of data to be set
1828 * @flags: %GNUTLS_FSAN_SET to clear previous data or
1829 * %GNUTLS_FSAN_APPEND to append.
1831 * This function will set the subject alternative name certificate
1832 * extension. It can set the following types:
1834 * &GNUTLS_SAN_DNSNAME: as a text string
1836 * &GNUTLS_SAN_RFC822NAME: as a text string
1838 * &GNUTLS_SAN_URI: as a text string
1840 * &GNUTLS_SAN_IPADDRESS: as a binary IP address (4 or 16 bytes)
1842 * Other values can be set as binary values with the proper DER encoding.
1844 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
1845 * negative error value.
1850 gnutls_x509_crq_set_subject_alt_name (gnutls_x509_crq_t crq,
1851 gnutls_x509_subject_alt_name_t nt,
1853 unsigned int data_size,
1857 gnutls_datum_t der_data = { NULL, 0 };
1858 gnutls_datum_t prev_der_data = { NULL, 0 };
1859 unsigned int critical = 0;
1860 size_t prev_data_size = 0;
1865 return GNUTLS_E_INVALID_REQUEST;
1868 /* Check if the extension already exists.
1870 if (flags == GNUTLS_FSAN_APPEND)
1872 result = gnutls_x509_crq_get_extension_by_oid (crq, "2.5.29.17", 0,
1873 NULL, &prev_data_size,
1875 prev_der_data.size = prev_data_size;
1879 case GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE:
1880 /* Replacing non-existing data means the same as set data. */
1883 case GNUTLS_E_SUCCESS:
1884 prev_der_data.data = gnutls_malloc (prev_der_data.size);
1885 if (prev_der_data.data == NULL)
1888 return GNUTLS_E_MEMORY_ERROR;
1891 result = gnutls_x509_crq_get_extension_by_oid (crq, "2.5.29.17", 0,
1898 gnutls_free (prev_der_data.data);
1909 /* generate the extension.
1911 result = _gnutls_x509_ext_gen_subject_alt_name (nt, data, data_size,
1912 &prev_der_data, &der_data);
1913 gnutls_free (prev_der_data.data);
1920 result = _gnutls_x509_crq_set_extension (crq, "2.5.29.17", &der_data,
1923 _gnutls_free_datum (&der_data);
1938 * gnutls_x509_crq_set_basic_constraints:
1939 * @crq: a certificate request of type #gnutls_x509_crq_t
1940 * @ca: true(1) or false(0) depending on the Certificate authority status.
1941 * @pathLenConstraint: non-negative values indicate maximum length of path,
1942 * and negative values indicate that the pathLenConstraints field should
1945 * This function will set the basicConstraints certificate extension.
1947 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
1948 * negative error value.
1953 gnutls_x509_crq_set_basic_constraints (gnutls_x509_crq_t crq,
1954 unsigned int ca, int pathLenConstraint)
1957 gnutls_datum_t der_data;
1962 return GNUTLS_E_INVALID_REQUEST;
1965 /* generate the extension.
1967 result = _gnutls_x509_ext_gen_basicConstraints (ca, pathLenConstraint,
1975 result = _gnutls_x509_crq_set_extension (crq, "2.5.29.19", &der_data, 1);
1977 _gnutls_free_datum (&der_data);
1989 * gnutls_x509_crq_set_key_usage:
1990 * @crq: a certificate request of type #gnutls_x509_crq_t
1991 * @usage: an ORed sequence of the GNUTLS_KEY_* elements.
1993 * This function will set the keyUsage certificate extension.
1995 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
1996 * negative error value.
2001 gnutls_x509_crq_set_key_usage (gnutls_x509_crq_t crq, unsigned int usage)
2004 gnutls_datum_t der_data;
2009 return GNUTLS_E_INVALID_REQUEST;
2012 /* generate the extension.
2014 result = _gnutls_x509_ext_gen_keyUsage ((uint16_t) usage, &der_data);
2021 result = _gnutls_x509_crq_set_extension (crq, "2.5.29.15", &der_data, 1);
2023 _gnutls_free_datum (&der_data);
2035 * gnutls_x509_crq_get_key_purpose_oid:
2036 * @crq: should contain a #gnutls_x509_crq_t structure
2037 * @indx: This specifies which OID to return, use zero to get the first one
2038 * @oid: a pointer to a buffer to hold the OID (may be %NULL)
2039 * @sizeof_oid: initially holds the size of @oid
2040 * @critical: output variable with critical flag, may be %NULL.
2042 * This function will extract the key purpose OIDs of the Certificate
2043 * specified by the given index. These are stored in the Extended Key
2044 * Usage extension (2.5.29.37). See the GNUTLS_KP_* definitions for
2045 * human readable names.
2047 * Returns: %GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is
2048 * not long enough, and in that case the *@sizeof_oid will be
2049 * updated with the required size. On success 0 is returned.
2054 gnutls_x509_crq_get_key_purpose_oid (gnutls_x509_crq_t crq,
2055 int indx, void *oid, size_t * sizeof_oid,
2056 unsigned int *critical)
2058 char tmpstr[ASN1_MAX_NAME_SIZE];
2060 gnutls_datum_t prev = { NULL, 0 };
2061 ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
2062 size_t prev_size = 0;
2065 memset (oid, 0, *sizeof_oid);
2069 /* Extract extension.
2071 result = gnutls_x509_crq_get_extension_by_oid (crq, "2.5.29.37", 0,
2072 NULL, &prev_size, critical);
2073 prev.size = prev_size;
2081 prev.data = gnutls_malloc (prev.size);
2082 if (prev.data == NULL)
2085 return GNUTLS_E_MEMORY_ERROR;
2088 result = gnutls_x509_crq_get_extension_by_oid (crq, "2.5.29.37", 0,
2089 prev.data, &prev_size,
2094 gnutls_free (prev.data);
2098 result = asn1_create_element
2099 (_gnutls_get_pkix (), "PKIX1.ExtKeyUsageSyntax", &c2);
2100 if (result != ASN1_SUCCESS)
2103 gnutls_free (prev.data);
2104 return _gnutls_asn2err (result);
2107 result = asn1_der_decoding (&c2, prev.data, prev.size, NULL);
2108 gnutls_free (prev.data);
2109 if (result != ASN1_SUCCESS)
2112 asn1_delete_structure (&c2);
2113 return _gnutls_asn2err (result);
2117 /* create a string like "?1"
2119 snprintf (tmpstr, sizeof (tmpstr), "?%u", indx);
2122 result = asn1_read_value (c2, tmpstr, oid, &len);
2125 asn1_delete_structure (&c2);
2127 if (result == ASN1_VALUE_NOT_FOUND || result == ASN1_ELEMENT_NOT_FOUND)
2129 return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
2132 if (result != ASN1_SUCCESS)
2134 if (result != ASN1_MEM_ERROR)
2136 return _gnutls_asn2err (result);
2143 * gnutls_x509_crq_set_key_purpose_oid:
2144 * @crq: a certificate of type #gnutls_x509_crq_t
2145 * @oid: a pointer to a zero-terminated string that holds the OID
2146 * @critical: Whether this extension will be critical or not
2148 * This function will set the key purpose OIDs of the Certificate.
2149 * These are stored in the Extended Key Usage extension (2.5.29.37)
2150 * See the GNUTLS_KP_* definitions for human readable names.
2152 * Subsequent calls to this function will append OIDs to the OID list.
2154 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
2155 * negative error value.
2160 gnutls_x509_crq_set_key_purpose_oid (gnutls_x509_crq_t crq,
2161 const void *oid, unsigned int critical)
2164 gnutls_datum_t prev = { NULL, 0 }, der_data;
2165 ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
2166 size_t prev_size = 0;
2168 /* Read existing extension, if there is one.
2170 result = gnutls_x509_crq_get_extension_by_oid (crq, "2.5.29.37", 0,
2171 NULL, &prev_size, &critical);
2172 prev.size = prev_size;
2176 case GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE:
2177 /* No existing extension, that's fine. */
2180 case GNUTLS_E_SUCCESS:
2181 prev.data = gnutls_malloc (prev.size);
2182 if (prev.data == NULL)
2185 return GNUTLS_E_MEMORY_ERROR;
2188 result = gnutls_x509_crq_get_extension_by_oid (crq, "2.5.29.37", 0,
2189 prev.data, &prev_size,
2194 gnutls_free (prev.data);
2204 result = asn1_create_element (_gnutls_get_pkix (),
2205 "PKIX1.ExtKeyUsageSyntax", &c2);
2206 if (result != ASN1_SUCCESS)
2209 gnutls_free (prev.data);
2210 return _gnutls_asn2err (result);
2217 result = asn1_der_decoding (&c2, prev.data, prev.size, NULL);
2218 gnutls_free (prev.data);
2219 if (result != ASN1_SUCCESS)
2222 asn1_delete_structure (&c2);
2223 return _gnutls_asn2err (result);
2227 /* generate the extension.
2229 /* 1. create a new element.
2231 result = asn1_write_value (c2, "", "NEW", 1);
2232 if (result != ASN1_SUCCESS)
2235 asn1_delete_structure (&c2);
2236 return _gnutls_asn2err (result);
2241 result = asn1_write_value (c2, "?LAST", oid, 1);
2242 if (result != ASN1_SUCCESS)
2245 asn1_delete_structure (&c2);
2246 return _gnutls_asn2err (result);
2249 result = _gnutls_x509_der_encode (c2, "", &der_data, 0);
2250 asn1_delete_structure (&c2);
2252 if (result != ASN1_SUCCESS)
2255 return _gnutls_asn2err (result);
2258 result = _gnutls_x509_crq_set_extension (crq, "2.5.29.37",
2259 &der_data, critical);
2260 _gnutls_free_datum (&der_data);
2271 rsadsa_crq_get_key_id (gnutls_x509_crq_t crq, int pk,
2272 unsigned char *output_data, size_t * output_data_size)
2274 bigint_t params[MAX_PUBLIC_PARAMS_SIZE];
2275 int params_size = MAX_PUBLIC_PARAMS_SIZE;
2277 gnutls_datum_t der = { NULL, 0 };
2280 result = _gnutls_x509_crq_get_mpis (crq, params, ¶ms_size);
2287 if (pk == GNUTLS_PK_RSA)
2289 result = _gnutls_x509_write_rsa_params (params, params_size, &der);
2296 else if (pk == GNUTLS_PK_DSA)
2298 result = _gnutls_x509_write_dsa_public_key (params, params_size, &der);
2306 return GNUTLS_E_INTERNAL_ERROR;
2308 result = _gnutls_hash_init (&hd, GNUTLS_MAC_SHA1);
2315 _gnutls_hash (&hd, der.data, der.size);
2317 _gnutls_hash_deinit (&hd, output_data);
2318 *output_data_size = 20;
2324 _gnutls_free_datum (&der);
2326 /* release all allocated MPIs
2328 for (i = 0; i < params_size; i++)
2330 _gnutls_mpi_release (¶ms[i]);
2336 * gnutls_x509_crq_get_key_id:
2337 * @crq: a certificate of type #gnutls_x509_crq_t
2338 * @flags: should be 0 for now
2339 * @output_data: will contain the key ID
2340 * @output_data_size: holds the size of output_data (and will be
2341 * replaced by the actual size of parameters)
2343 * This function will return a unique ID the depends on the public key
2344 * parameters. This ID can be used in checking whether a certificate
2345 * corresponds to the given private key.
2347 * If the buffer provided is not long enough to hold the output, then
2348 * *@output_data_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will
2349 * be returned. The output will normally be a SHA-1 hash output,
2350 * which is 20 bytes.
2352 * Return value: In case of failure a negative value will be
2353 * returned, and 0 on success.
2358 gnutls_x509_crq_get_key_id (gnutls_x509_crq_t crq, unsigned int flags,
2359 unsigned char *output_data,
2360 size_t * output_data_size)
2363 gnutls_datum_t pubkey;
2368 return GNUTLS_E_INVALID_REQUEST;
2371 if (*output_data_size < 20)
2373 *output_data_size = 20;
2374 return GNUTLS_E_SHORT_MEMORY_BUFFER;
2377 pk = gnutls_x509_crq_get_pk_algorithm (crq, NULL);
2384 if (pk == GNUTLS_PK_RSA || pk == GNUTLS_PK_DSA)
2386 /* This is for compatibility with what GnuTLS has printed for
2387 RSA/DSA before the code below was added. The code below is
2388 applicable to all types, and it would probably be a better
2389 idea to use it for RSA/DSA too, but doing so would break
2390 backwards compatibility. */
2391 return rsadsa_crq_get_key_id (crq, pk, output_data, output_data_size);
2396 asn1_der_coding (crq->crq, "certificationRequestInfo.subjectPKInfo", NULL,
2397 &pubkey.size, NULL);
2398 if (result != ASN1_MEM_ERROR)
2401 return _gnutls_asn2err (result);
2404 pubkey.data = gnutls_malloc (pubkey.size);
2405 if (pubkey.data == NULL)
2408 return GNUTLS_E_MEMORY_ERROR;
2412 asn1_der_coding (crq->crq, "certificationRequestInfo.subjectPKInfo",
2413 pubkey.data, &pubkey.size, NULL);
2414 if (result != ASN1_SUCCESS)
2417 gnutls_free (pubkey.data);
2418 return _gnutls_asn2err (result);
2421 result = gnutls_fingerprint (GNUTLS_DIG_SHA1, &pubkey,
2422 output_data, output_data_size);
2424 gnutls_free (pubkey.data);
2430 * gnutls_x509_crq_privkey_sign:
2431 * @crq: should contain a #gnutls_x509_crq_t structure
2432 * @key: holds a private key
2433 * @dig: The message digest to use, i.e., %GNUTLS_DIG_SHA1
2436 * This function will sign the certificate request with a private key.
2437 * This must be the same key as the one used in
2438 * gnutls_x509_crt_set_key() since a certificate request is self
2441 * This must be the last step in a certificate request generation
2442 * since all the previously set parameters are now signed.
2444 * Returns: %GNUTLS_E_SUCCESS on success, otherwise an error.
2445 * %GNUTLS_E_ASN1_VALUE_NOT_FOUND is returned if you didn't set all
2446 * information in the certificate request (e.g., the version using
2447 * gnutls_x509_crq_set_version()).
2451 gnutls_x509_crq_privkey_sign (gnutls_x509_crq_t crq, gnutls_privkey_t key,
2452 gnutls_digest_algorithm_t dig,
2456 gnutls_datum_t signature;
2462 return GNUTLS_E_INVALID_REQUEST;
2465 /* Make sure version field is set. */
2466 if (gnutls_x509_crq_get_version (crq) == GNUTLS_E_ASN1_VALUE_NOT_FOUND)
2468 result = gnutls_x509_crq_set_version (crq, 1);
2476 /* Step 1. Self sign the request.
2478 result = _gnutls_x509_get_tbs (crq->crq, "certificationRequestInfo", &tbs);
2486 result = gnutls_privkey_sign_data (key, dig, 0, &tbs, &signature);
2487 gnutls_free (tbs.data);
2495 /* Step 2. write the signature (bits)
2498 asn1_write_value (crq->crq, "signature", signature.data,
2499 signature.size * 8);
2501 _gnutls_free_datum (&signature);
2503 if (result != ASN1_SUCCESS)
2506 return _gnutls_asn2err (result);
2509 /* Step 3. Write the signatureAlgorithm field.
2511 result = _gnutls_x509_write_sig_params (crq->crq, "signatureAlgorithm",
2512 gnutls_privkey_get_pk_algorithm
2525 * gnutls_x509_crq_verify:
2526 * @crq: is the crq to be verified
2527 * @flags: Flags that may be used to change the verification algorithm. Use OR of the gnutls_certificate_verify_flags enumerations.
2529 * This function will verify self signature in the certificate
2530 * request and return its status.
2532 * Returns: On success, %GNUTLS_E_SUCCESS is returned, %GNUTLS_E_PK_SIG_VERIFY_FAILED
2533 * if verification failed, otherwise a negative error value.
2536 gnutls_x509_crq_verify (gnutls_x509_crq_t crq,
2539 gnutls_datum data = { NULL, 0 };
2540 gnutls_datum signature = { NULL, 0 };
2541 bigint_t params[MAX_PUBLIC_PARAMS_SIZE];
2542 int ret, params_size = 0, i;
2545 _gnutls_x509_get_signed_data (crq->crq, "certificationRequestInfo", &data);
2552 ret = _gnutls_x509_get_signature (crq->crq, "signature", &signature);
2559 params_size = MAX_PUBLIC_PARAMS_SIZE;
2561 _gnutls_x509_crq_get_mpis(crq, params, ¶ms_size);
2568 ret = pubkey_verify_sig(&data, NULL, &signature,
2569 gnutls_x509_crq_get_pk_algorithm (crq, NULL),
2570 params, params_size);
2580 _gnutls_free_datum (&data);
2581 _gnutls_free_datum (&signature);
2583 for (i = 0; i < params_size; i++)
2585 _gnutls_mpi_release (¶ms[i]);
2591 #endif /* ENABLE_PKI */