2 * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 Free
3 * Software Foundation, Inc.
5 * Author: Nikos Mavrogiannopoulos
7 * This file is part of GnuTLS.
9 * The GnuTLS is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU Lesser General Public License
11 * as published by the Free Software Foundation; either version 2.1 of
12 * the License, or (at your option) any later version.
14 * This library is distributed in the hope that it will be useful, but
15 * WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 * Lesser General Public License for more details.
19 * You should have received a copy of the GNU Lesser General Public
20 * License along with this library; if not, write to the Free Software
21 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
26 /* This file contains functions to handle X.509 certificate generation.
29 #include <gnutls_int.h>
33 #include <gnutls_datum.h>
34 #include <gnutls_global.h>
35 #include <gnutls_errors.h>
37 #include <gnutls_x509.h>
42 static void disable_optional_stuff (gnutls_x509_crt_t cert);
45 * gnutls_x509_crt_set_dn_by_oid:
46 * @crt: a certificate of type #gnutls_x509_crt_t
47 * @oid: holds an Object Identifier in a null terminated string
48 * @raw_flag: must be 0, or 1 if the data are DER encoded
49 * @name: a pointer to the name
50 * @sizeof_name: holds the size of @name
52 * This function will set the part of the name of the Certificate
53 * subject, specified by the given OID. The input string should be
54 * ASCII or UTF-8 encoded.
56 * Some helper macros with popular OIDs can be found in gnutls/x509.h
57 * With this function you can only set the known OIDs. You can test
58 * for known OIDs using gnutls_x509_dn_oid_known(). For OIDs that are
59 * not known (by gnutls) you should properly DER encode your data,
60 * and call this function with @raw_flag set.
62 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
63 * negative error value.
66 gnutls_x509_crt_set_dn_by_oid (gnutls_x509_crt_t crt, const char *oid,
67 unsigned int raw_flag, const void *name,
68 unsigned int sizeof_name)
70 if (sizeof_name == 0 || name == NULL || crt == NULL)
72 return GNUTLS_E_INVALID_REQUEST;
75 return _gnutls_x509_set_dn_oid (crt->cert, "tbsCertificate.subject",
76 oid, raw_flag, name, sizeof_name);
80 * gnutls_x509_crt_set_issuer_dn_by_oid:
81 * @crt: a certificate of type #gnutls_x509_crt_t
82 * @oid: holds an Object Identifier in a null terminated string
83 * @raw_flag: must be 0, or 1 if the data are DER encoded
84 * @name: a pointer to the name
85 * @sizeof_name: holds the size of @name
87 * This function will set the part of the name of the Certificate
88 * issuer, specified by the given OID. The input string should be
89 * ASCII or UTF-8 encoded.
91 * Some helper macros with popular OIDs can be found in gnutls/x509.h
92 * With this function you can only set the known OIDs. You can test
93 * for known OIDs using gnutls_x509_dn_oid_known(). For OIDs that are
94 * not known (by gnutls) you should properly DER encode your data,
95 * and call this function with @raw_flag set.
97 * Normally you do not need to call this function, since the signing
98 * operation will copy the signer's name as the issuer of the
101 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
102 * negative error value.
105 gnutls_x509_crt_set_issuer_dn_by_oid (gnutls_x509_crt_t crt,
107 unsigned int raw_flag,
109 unsigned int sizeof_name)
111 if (sizeof_name == 0 || name == NULL || crt == NULL)
113 return GNUTLS_E_INVALID_REQUEST;
116 return _gnutls_x509_set_dn_oid (crt->cert, "tbsCertificate.issuer", oid,
117 raw_flag, name, sizeof_name);
121 * gnutls_x509_crt_set_proxy_dn:
122 * @crt: a gnutls_x509_crt_t structure with the new proxy cert
123 * @eecrt: the end entity certificate that will be issuing the proxy
124 * @raw_flag: must be 0, or 1 if the CN is DER encoded
125 * @name: a pointer to the CN name, may be NULL (but MUST then be added later)
126 * @sizeof_name: holds the size of @name
128 * This function will set the subject in @crt to the end entity's
129 * @eecrt subject name, and add a single Common Name component @name
130 * of size @sizeof_name. This corresponds to the required proxy
131 * certificate naming style. Note that if @name is %NULL, you MUST
132 * set it later by using gnutls_x509_crt_set_dn_by_oid() or similar.
134 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
135 * negative error value.
138 gnutls_x509_crt_set_proxy_dn (gnutls_x509_crt_t crt, gnutls_x509_crt_t eecrt,
139 unsigned int raw_flag, const void *name,
140 unsigned int sizeof_name)
144 if (crt == NULL || eecrt == NULL)
146 return GNUTLS_E_INVALID_REQUEST;
149 result = asn1_copy_node (crt->cert, "tbsCertificate.subject",
150 eecrt->cert, "tbsCertificate.subject");
151 if (result != ASN1_SUCCESS)
154 return _gnutls_asn2err (result);
157 if (name && sizeof_name)
159 return _gnutls_x509_set_dn_oid (crt->cert, "tbsCertificate.subject",
160 GNUTLS_OID_X520_COMMON_NAME,
161 raw_flag, name, sizeof_name);
168 * gnutls_x509_crt_set_version:
169 * @crt: a certificate of type #gnutls_x509_crt_t
170 * @version: holds the version number. For X.509v1 certificates must be 1.
172 * This function will set the version of the certificate. This must
173 * be one for X.509 version 1, and so on. Plain certificates without
174 * extensions must have version set to one.
176 * To create well-formed certificates, you must specify version 3 if
177 * you use any certificate extensions. Extensions are created by
178 * functions such as gnutls_x509_crt_set_subject_alt_name()
179 * or gnutls_x509_crt_set_key_usage().
181 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
182 * negative error value.
185 gnutls_x509_crt_set_version (gnutls_x509_crt_t crt, unsigned int version)
188 unsigned char null = version;
193 return GNUTLS_E_INVALID_REQUEST;
199 result = asn1_write_value (crt->cert, "tbsCertificate.version", &null, 1);
200 if (result != ASN1_SUCCESS)
203 return _gnutls_asn2err (result);
210 * gnutls_x509_crt_set_key:
211 * @crt: a certificate of type #gnutls_x509_crt_t
212 * @key: holds a private key
214 * This function will set the public parameters from the given
215 * private key to the certificate. Only RSA keys are currently
218 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
219 * negative error value.
223 gnutls_x509_crt_set_key (gnutls_x509_crt_t crt, gnutls_x509_privkey_t key)
230 return GNUTLS_E_INVALID_REQUEST;
233 result = _gnutls_x509_encode_and_copy_PKI_params (crt->cert,
234 "tbsCertificate.subjectPublicKeyInfo",
249 * gnutls_x509_crt_set_crq:
250 * @crt: a certificate of type #gnutls_x509_crt_t
251 * @crq: holds a certificate request
253 * This function will set the name and public parameters as well as
254 * the extensions from the given certificate request to the certificate.
255 * Only RSA keys are currently supported.
257 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
258 * negative error value.
261 gnutls_x509_crt_set_crq (gnutls_x509_crt_t crt, gnutls_x509_crq_t crq)
265 if (crt == NULL || crq == NULL)
268 return GNUTLS_E_INVALID_REQUEST;
271 result = gnutls_x509_crq_verify(crq, 0);
273 return gnutls_assert_val(result);
275 result = asn1_copy_node (crt->cert, "tbsCertificate.subject",
276 crq->crq, "certificationRequestInfo.subject");
277 if (result != ASN1_SUCCESS)
280 return _gnutls_asn2err (result);
284 asn1_copy_node (crt->cert, "tbsCertificate.subjectPublicKeyInfo",
285 crq->crq, "certificationRequestInfo.subjectPKInfo");
286 if (result != ASN1_SUCCESS)
289 return _gnutls_asn2err (result);
296 * gnutls_x509_crt_set_crq_extensions:
297 * @crt: a certificate of type #gnutls_x509_crt_t
298 * @crq: holds a certificate request
300 * This function will set extensions from the given request to the
303 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
304 * negative error value.
309 gnutls_x509_crt_set_crq_extensions (gnutls_x509_crt_t crt,
310 gnutls_x509_crq_t crq)
314 if (crt == NULL || crq == NULL)
317 return GNUTLS_E_INVALID_REQUEST;
323 char oid[MAX_OID_SIZE];
326 size_t extensions_size;
327 unsigned int critical;
330 oid_size = sizeof (oid);
331 result = gnutls_x509_crq_get_extension_info (crq, i, oid,
332 &oid_size, &critical);
335 if (result == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
343 result = gnutls_x509_crq_get_extension_data (crq, i, NULL,
351 extensions = gnutls_malloc (extensions_size);
352 if (extensions == NULL)
355 return GNUTLS_E_MEMORY_ERROR;
358 result = gnutls_x509_crq_get_extension_data (crq, i, extensions,
363 gnutls_free (extensions);
367 ext.data = extensions;
368 ext.size = extensions_size;
370 result = _gnutls_x509_crt_set_extension (crt, oid, &ext, critical);
371 gnutls_free (extensions);
380 crt->use_extensions = 1;
386 * gnutls_x509_crt_set_extension_by_oid:
387 * @crt: a certificate of type #gnutls_x509_crt_t
388 * @oid: holds an Object Identified in null terminated string
389 * @buf: a pointer to a DER encoded data
390 * @sizeof_buf: holds the size of @buf
391 * @critical: should be non zero if the extension is to be marked as critical
393 * This function will set an the extension, by the specified OID, in
394 * the certificate. The extension data should be binary data DER
397 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
398 * negative error value.
401 gnutls_x509_crt_set_extension_by_oid (gnutls_x509_crt_t crt,
402 const char *oid, const void *buf,
404 unsigned int critical)
407 gnutls_datum_t der_data;
409 der_data.data = (void *) buf;
410 der_data.size = sizeof_buf;
415 return GNUTLS_E_INVALID_REQUEST;
418 result = _gnutls_x509_crt_set_extension (crt, oid, &der_data, critical);
425 crt->use_extensions = 1;
432 * gnutls_x509_crt_set_basic_constraints:
433 * @crt: a certificate of type #gnutls_x509_crt_t
434 * @ca: true(1) or false(0). Depending on the Certificate authority status.
435 * @pathLenConstraint: non-negative values indicate maximum length of path,
436 * and negative values indicate that the pathLenConstraints field should
439 * This function will set the basicConstraints certificate extension.
441 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
442 * negative error value.
445 gnutls_x509_crt_set_basic_constraints (gnutls_x509_crt_t crt,
446 unsigned int ca, int pathLenConstraint)
449 gnutls_datum_t der_data;
454 return GNUTLS_E_INVALID_REQUEST;
457 /* generate the extension.
459 result = _gnutls_x509_ext_gen_basicConstraints (ca, pathLenConstraint,
467 result = _gnutls_x509_crt_set_extension (crt, "2.5.29.19", &der_data, 1);
469 _gnutls_free_datum (&der_data);
477 crt->use_extensions = 1;
483 * gnutls_x509_crt_set_ca_status:
484 * @crt: a certificate of type #gnutls_x509_crt_t
485 * @ca: true(1) or false(0). Depending on the Certificate authority status.
487 * This function will set the basicConstraints certificate extension.
488 * Use gnutls_x509_crt_set_basic_constraints() if you want to control
489 * the pathLenConstraint field too.
491 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
492 * negative error value.
495 gnutls_x509_crt_set_ca_status (gnutls_x509_crt_t crt, unsigned int ca)
497 return gnutls_x509_crt_set_basic_constraints (crt, ca, -1);
501 * gnutls_x509_crt_set_key_usage:
502 * @crt: a certificate of type #gnutls_x509_crt_t
503 * @usage: an ORed sequence of the GNUTLS_KEY_* elements.
505 * This function will set the keyUsage certificate extension.
507 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
508 * negative error value.
511 gnutls_x509_crt_set_key_usage (gnutls_x509_crt_t crt, unsigned int usage)
514 gnutls_datum_t der_data;
519 return GNUTLS_E_INVALID_REQUEST;
522 /* generate the extension.
524 result = _gnutls_x509_ext_gen_keyUsage ((uint16_t) usage, &der_data);
531 result = _gnutls_x509_crt_set_extension (crt, "2.5.29.15", &der_data, 1);
533 _gnutls_free_datum (&der_data);
541 crt->use_extensions = 1;
547 * gnutls_x509_crt_set_subject_alternative_name:
548 * @crt: a certificate of type #gnutls_x509_crt_t
549 * @type: is one of the gnutls_x509_subject_alt_name_t enumerations
550 * @data_string: The data to be set, a zero terminated string
552 * This function will set the subject alternative name certificate
553 * extension. This function assumes that data can be expressed as a null
556 * The name of the function is unfortunate since it is incosistent with
557 * gnutls_x509_crt_get_subject_alt_name().
559 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
560 * negative error value.
563 gnutls_x509_crt_set_subject_alternative_name (gnutls_x509_crt_t crt,
564 gnutls_x509_subject_alt_name_t
565 type, const char *data_string)
570 return GNUTLS_E_INVALID_REQUEST;
573 /* only handle text extensions */
574 if (type != GNUTLS_SAN_DNSNAME && type != GNUTLS_SAN_RFC822NAME &&
575 type != GNUTLS_SAN_URI)
578 return GNUTLS_E_INVALID_REQUEST;
581 return gnutls_x509_crt_set_subject_alt_name (crt, type, data_string,
582 strlen (data_string),
587 * gnutls_x509_crt_set_subject_alt_name:
588 * @crt: a certificate of type #gnutls_x509_crt_t
589 * @type: is one of the gnutls_x509_subject_alt_name_t enumerations
590 * @data: The data to be set
591 * @data_size: The size of data to be set
592 * @flags: GNUTLS_FSAN_SET to clear previous data or GNUTLS_FSAN_APPEND to append.
594 * This function will set the subject alternative name certificate
595 * extension. It can set the following types:
597 * &GNUTLS_SAN_DNSNAME: as a text string
599 * &GNUTLS_SAN_RFC822NAME: as a text string
601 * &GNUTLS_SAN_URI: as a text string
603 * &GNUTLS_SAN_IPADDRESS: as a binary IP address (4 or 16 bytes)
605 * Other values can be set as binary values with the proper DER encoding.
607 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
608 * negative error value.
613 gnutls_x509_crt_set_subject_alt_name (gnutls_x509_crt_t crt,
614 gnutls_x509_subject_alt_name_t type,
616 unsigned int data_size,
620 gnutls_datum_t der_data = { NULL, 0 };
621 gnutls_datum_t prev_der_data = { NULL, 0 };
622 unsigned int critical = 0;
627 return GNUTLS_E_INVALID_REQUEST;
630 /* Check if the extension already exists.
633 if (flags == GNUTLS_FSAN_APPEND)
635 result = _gnutls_x509_crt_get_extension (crt, "2.5.29.17", 0,
636 &prev_der_data, &critical);
637 if (result < 0 && result != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
644 /* generate the extension.
646 result = _gnutls_x509_ext_gen_subject_alt_name (type, data, data_size,
647 &prev_der_data, &der_data);
649 if (flags == GNUTLS_FSAN_APPEND)
650 _gnutls_free_datum (&prev_der_data);
658 result = _gnutls_x509_crt_set_extension (crt, "2.5.29.17", &der_data,
661 _gnutls_free_datum (&der_data);
669 crt->use_extensions = 1;
674 _gnutls_free_datum (&prev_der_data);
679 * gnutls_x509_crt_set_proxy:
680 * @crt: a certificate of type #gnutls_x509_crt_t
681 * @pathLenConstraint: non-negative values indicate maximum length of path,
682 * and negative values indicate that the pathLenConstraints field should
684 * @policyLanguage: OID describing the language of @policy.
685 * @policy: opaque byte array with policy language, can be %NULL
686 * @sizeof_policy: size of @policy.
688 * This function will set the proxyCertInfo extension.
690 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
691 * negative error value.
694 gnutls_x509_crt_set_proxy (gnutls_x509_crt_t crt,
695 int pathLenConstraint,
696 const char *policyLanguage,
697 const char *policy, size_t sizeof_policy)
700 gnutls_datum_t der_data;
705 return GNUTLS_E_INVALID_REQUEST;
708 /* generate the extension.
710 result = _gnutls_x509_ext_gen_proxyCertInfo (pathLenConstraint,
712 policy, sizeof_policy,
720 result = _gnutls_x509_crt_set_extension (crt, "1.3.6.1.5.5.7.1.14",
723 _gnutls_free_datum (&der_data);
731 crt->use_extensions = 1;
737 * gnutls_x509_crt_sign2:
738 * @crt: a certificate of type #gnutls_x509_crt_t
739 * @issuer: is the certificate of the certificate issuer
740 * @issuer_key: holds the issuer's private key
741 * @dig: The message digest to use, %GNUTLS_DIG_SHA1 is a safe choice
744 * This function will sign the certificate with the issuer's private key, and
745 * will copy the issuer's information into the certificate.
747 * This must be the last step in a certificate generation since all
748 * the previously set parameters are now signed.
750 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
751 * negative error value.
754 gnutls_x509_crt_sign2 (gnutls_x509_crt_t crt, gnutls_x509_crt_t issuer,
755 gnutls_x509_privkey_t issuer_key,
756 gnutls_digest_algorithm_t dig, unsigned int flags)
759 gnutls_privkey_t privkey;
761 if (crt == NULL || issuer == NULL || issuer_key == NULL)
764 return GNUTLS_E_INVALID_REQUEST;
767 result = gnutls_privkey_init (&privkey);
774 result = gnutls_privkey_import_x509 (privkey, issuer_key, 0);
781 result = gnutls_x509_crt_privkey_sign (crt, issuer, privkey, dig, flags);
791 gnutls_privkey_deinit (privkey);
797 * gnutls_x509_crt_sign:
798 * @crt: a certificate of type #gnutls_x509_crt_t
799 * @issuer: is the certificate of the certificate issuer
800 * @issuer_key: holds the issuer's private key
802 * This function is the same a gnutls_x509_crt_sign2() with no flags,
803 * and SHA1 as the hash algorithm.
805 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
806 * negative error value.
809 gnutls_x509_crt_sign (gnutls_x509_crt_t crt, gnutls_x509_crt_t issuer,
810 gnutls_x509_privkey_t issuer_key)
812 return gnutls_x509_crt_sign2 (crt, issuer, issuer_key, GNUTLS_DIG_SHA1, 0);
816 * gnutls_x509_crt_set_activation_time:
817 * @cert: a certificate of type #gnutls_x509_crt_t
818 * @act_time: The actual time
820 * This function will set the time this Certificate was or will be
823 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
824 * negative error value.
827 gnutls_x509_crt_set_activation_time (gnutls_x509_crt_t cert, time_t act_time)
832 return GNUTLS_E_INVALID_REQUEST;
835 return _gnutls_x509_set_time (cert->cert,
836 "tbsCertificate.validity.notBefore",
841 * gnutls_x509_crt_set_expiration_time:
842 * @cert: a certificate of type #gnutls_x509_crt_t
843 * @exp_time: The actual time
845 * This function will set the time this Certificate will expire.
847 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
848 * negative error value.
851 gnutls_x509_crt_set_expiration_time (gnutls_x509_crt_t cert, time_t exp_time)
856 return GNUTLS_E_INVALID_REQUEST;
858 return _gnutls_x509_set_time (cert->cert,
859 "tbsCertificate.validity.notAfter", exp_time);
863 * gnutls_x509_crt_set_serial:
864 * @cert: a certificate of type #gnutls_x509_crt_t
865 * @serial: The serial number
866 * @serial_size: Holds the size of the serial field.
868 * This function will set the X.509 certificate's serial number.
869 * Serial is not always a 32 or 64bit number. Some CAs use large
870 * serial numbers, thus it may be wise to handle it as something
873 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
874 * negative error value.
877 gnutls_x509_crt_set_serial (gnutls_x509_crt_t cert, const void *serial,
885 return GNUTLS_E_INVALID_REQUEST;
889 asn1_write_value (cert->cert, "tbsCertificate.serialNumber", serial,
891 if (ret != ASN1_SUCCESS)
894 return _gnutls_asn2err (ret);
901 /* If OPTIONAL fields have not been initialized then
905 disable_optional_stuff (gnutls_x509_crt_t cert)
908 asn1_write_value (cert->cert, "tbsCertificate.issuerUniqueID", NULL, 0);
910 asn1_write_value (cert->cert, "tbsCertificate.subjectUniqueID", NULL, 0);
912 if (cert->use_extensions == 0)
914 _gnutls_x509_log ("Disabling X.509 extensions.\n");
915 asn1_write_value (cert->cert, "tbsCertificate.extensions", NULL, 0);
922 * gnutls_x509_crt_set_crl_dist_points:
923 * @crt: a certificate of type #gnutls_x509_crt_t
924 * @type: is one of the gnutls_x509_subject_alt_name_t enumerations
925 * @data_string: The data to be set
926 * @reason_flags: revocation reasons
928 * This function will set the CRL distribution points certificate extension.
930 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
931 * negative error value.
934 gnutls_x509_crt_set_crl_dist_points (gnutls_x509_crt_t crt,
935 gnutls_x509_subject_alt_name_t type,
936 const void *data_string,
937 unsigned int reason_flags)
939 return gnutls_x509_crt_set_crl_dist_points2 (crt, type, data_string,
940 strlen (data_string),
945 * gnutls_x509_crt_set_crl_dist_points2:
946 * @crt: a certificate of type #gnutls_x509_crt_t
947 * @type: is one of the gnutls_x509_subject_alt_name_t enumerations
948 * @data: The data to be set
949 * @data_size: The data size
950 * @reason_flags: revocation reasons
952 * This function will set the CRL distribution points certificate extension.
954 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
955 * negative error value.
960 gnutls_x509_crt_set_crl_dist_points2 (gnutls_x509_crt_t crt,
961 gnutls_x509_subject_alt_name_t type,
963 unsigned int data_size,
964 unsigned int reason_flags)
967 gnutls_datum_t der_data = { NULL, 0 };
968 gnutls_datum_t oldname = { NULL, 0 };
969 unsigned int critical;
974 return GNUTLS_E_INVALID_REQUEST;
977 /* Check if the extension already exists.
980 _gnutls_x509_crt_get_extension (crt, "2.5.29.31", 0, &oldname, &critical);
982 _gnutls_free_datum (&oldname);
984 if (result != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
987 return GNUTLS_E_INVALID_REQUEST;
990 /* generate the extension.
993 _gnutls_x509_ext_gen_crl_dist_points (type, data, data_size,
994 reason_flags, &der_data);
1001 result = _gnutls_x509_crt_set_extension (crt, "2.5.29.31", &der_data, 0);
1003 _gnutls_free_datum (&der_data);
1011 crt->use_extensions = 1;
1018 * gnutls_x509_crt_cpy_crl_dist_points:
1019 * @dst: a certificate of type #gnutls_x509_crt_t
1020 * @src: the certificate where the dist points will be copied from
1022 * This function will copy the CRL distribution points certificate
1023 * extension, from the source to the destination certificate.
1024 * This may be useful to copy from a CA certificate to issued ones.
1026 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
1027 * negative error value.
1030 gnutls_x509_crt_cpy_crl_dist_points (gnutls_x509_crt_t dst,
1031 gnutls_x509_crt_t src)
1034 gnutls_datum_t der_data;
1035 unsigned int critical;
1037 if (dst == NULL || src == NULL)
1040 return GNUTLS_E_INVALID_REQUEST;
1043 /* Check if the extension already exists.
1046 _gnutls_x509_crt_get_extension (src, "2.5.29.31", 0, &der_data,
1055 _gnutls_x509_crt_set_extension (dst, "2.5.29.31", &der_data, critical);
1056 _gnutls_free_datum (&der_data);
1064 dst->use_extensions = 1;
1070 * gnutls_x509_crt_set_subject_key_id:
1071 * @cert: a certificate of type #gnutls_x509_crt_t
1073 * @id_size: Holds the size of the serial field.
1075 * This function will set the X.509 certificate's subject key ID
1078 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
1079 * negative error value.
1082 gnutls_x509_crt_set_subject_key_id (gnutls_x509_crt_t cert,
1083 const void *id, size_t id_size)
1086 gnutls_datum_t old_id, der_data;
1087 unsigned int critical;
1092 return GNUTLS_E_INVALID_REQUEST;
1095 /* Check if the extension already exists.
1098 _gnutls_x509_crt_get_extension (cert, "2.5.29.14", 0, &old_id, &critical);
1101 _gnutls_free_datum (&old_id);
1102 if (result != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
1105 return GNUTLS_E_INVALID_REQUEST;
1108 /* generate the extension.
1110 result = _gnutls_x509_ext_gen_key_id (id, id_size, &der_data);
1117 result = _gnutls_x509_crt_set_extension (cert, "2.5.29.14", &der_data, 0);
1119 _gnutls_free_datum (&der_data);
1127 cert->use_extensions = 1;
1133 * gnutls_x509_crt_set_authority_key_id:
1134 * @cert: a certificate of type #gnutls_x509_crt_t
1136 * @id_size: Holds the size of the serial field.
1138 * This function will set the X.509 certificate's authority key ID extension.
1139 * Only the keyIdentifier field can be set with this function.
1141 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
1142 * negative error value.
1145 gnutls_x509_crt_set_authority_key_id (gnutls_x509_crt_t cert,
1146 const void *id, size_t id_size)
1149 gnutls_datum_t old_id, der_data;
1150 unsigned int critical;
1155 return GNUTLS_E_INVALID_REQUEST;
1158 /* Check if the extension already exists.
1161 _gnutls_x509_crt_get_extension (cert, "2.5.29.35", 0, &old_id, &critical);
1164 _gnutls_free_datum (&old_id);
1165 if (result != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
1168 return GNUTLS_E_INVALID_REQUEST;
1171 /* generate the extension.
1173 result = _gnutls_x509_ext_gen_auth_key_id (id, id_size, &der_data);
1180 result = _gnutls_x509_crt_set_extension (cert, "2.5.29.35", &der_data, 0);
1182 _gnutls_free_datum (&der_data);
1190 cert->use_extensions = 1;
1196 * gnutls_x509_crt_set_key_purpose_oid:
1197 * @cert: a certificate of type #gnutls_x509_crt_t
1198 * @oid: a pointer to a null terminated string that holds the OID
1199 * @critical: Whether this extension will be critical or not
1201 * This function will set the key purpose OIDs of the Certificate.
1202 * These are stored in the Extended Key Usage extension (2.5.29.37)
1203 * See the GNUTLS_KP_* definitions for human readable names.
1205 * Subsequent calls to this function will append OIDs to the OID list.
1207 * Returns: On success, %GNUTLS_E_SUCCESS (zero) is returned,
1208 * otherwise an error code is returned.
1211 gnutls_x509_crt_set_key_purpose_oid (gnutls_x509_crt_t cert,
1212 const void *oid, unsigned int critical)
1215 gnutls_datum_t old_id, der_data;
1216 ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
1221 return GNUTLS_E_INVALID_REQUEST;
1224 result = asn1_create_element
1225 (_gnutls_get_pkix (), "PKIX1.ExtKeyUsageSyntax", &c2);
1226 if (result != ASN1_SUCCESS)
1229 return _gnutls_asn2err (result);
1232 /* Check if the extension already exists.
1235 _gnutls_x509_crt_get_extension (cert, "2.5.29.37", 0, &old_id, NULL);
1241 result = asn1_der_decoding (&c2, old_id.data, old_id.size, NULL);
1242 _gnutls_free_datum (&old_id);
1244 if (result != ASN1_SUCCESS)
1247 asn1_delete_structure (&c2);
1248 return _gnutls_asn2err (result);
1253 /* generate the extension.
1255 /* 1. create a new element.
1257 result = asn1_write_value (c2, "", "NEW", 1);
1258 if (result != ASN1_SUCCESS)
1261 asn1_delete_structure (&c2);
1262 return _gnutls_asn2err (result);
1267 result = asn1_write_value (c2, "?LAST", oid, 1);
1268 if (result != ASN1_SUCCESS)
1271 asn1_delete_structure (&c2);
1272 return _gnutls_asn2err (result);
1275 result = _gnutls_x509_der_encode (c2, "", &der_data, 0);
1276 asn1_delete_structure (&c2);
1278 if (result != ASN1_SUCCESS)
1281 return _gnutls_asn2err (result);
1284 result = _gnutls_x509_crt_set_extension (cert, "2.5.29.37",
1285 &der_data, critical);
1287 _gnutls_free_datum (&der_data);
1295 cert->use_extensions = 1;
1302 * gnutls_x509_crt_privkey_sign:
1303 * @crt: a certificate of type #gnutls_x509_crt_t
1304 * @issuer: is the certificate of the certificate issuer
1305 * @issuer_key: holds the issuer's private key
1306 * @dig: The message digest to use, %GNUTLS_DIG_SHA1 is a safe choice
1309 * This function will sign the certificate with the issuer's private key, and
1310 * will copy the issuer's information into the certificate.
1312 * This must be the last step in a certificate generation since all
1313 * the previously set parameters are now signed.
1315 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
1316 * negative error value.
1319 gnutls_x509_crt_privkey_sign (gnutls_x509_crt_t crt, gnutls_x509_crt_t issuer,
1320 gnutls_privkey_t issuer_key,
1321 gnutls_digest_algorithm_t dig,
1326 if (crt == NULL || issuer == NULL || issuer_key == NULL)
1329 return GNUTLS_E_INVALID_REQUEST;
1332 /* disable all the unneeded OPTIONAL fields.
1334 disable_optional_stuff (crt);
1336 result = _gnutls_x509_pkix_sign (crt->cert, "tbsCertificate",
1337 dig, issuer, issuer_key);
1348 #endif /* ENABLE_PKI */