/* * Copyright (C) 2003-2012 Free Software Foundation, Inc. * * Author: Nikos Mavrogiannopoulos * * This file is part of GnuTLS. * * The GnuTLS is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public License * as published by the Free Software Foundation; either version 2.1 of * the License, or (at your option) any later version. * * This library is distributed in the hope that it will be useful, but * WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * Lesser General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see * */ /* All functions which relate to X.509 certificate signing stuff are * included here */ #include #include #include #include #include /* MAX */ #include #include #include #include #include #include /* This is the same as the _gnutls_x509_sign, but this one will decode * the ASN1_TYPE given, and sign the DER data. Actually used to get the DER * of the TBS and sign it on the fly. */ int _gnutls_x509_get_tbs(ASN1_TYPE cert, const char *tbs_name, gnutls_datum_t * tbs) { int result; uint8_t *buf; int buf_size; buf_size = 0; result = asn1_der_coding(cert, tbs_name, NULL, &buf_size, NULL); if (result != ASN1_MEM_ERROR) { gnutls_assert(); return _gnutls_asn2err(result); } buf = gnutls_malloc(buf_size); if (buf == NULL) { gnutls_assert(); return GNUTLS_E_MEMORY_ERROR; } result = asn1_der_coding(cert, tbs_name, buf, &buf_size, NULL); if (result != ASN1_SUCCESS) { gnutls_assert(); gnutls_free(buf); return _gnutls_asn2err(result); } tbs->data = buf; tbs->size = buf_size; return 0; } /*- * _gnutls_x509_pkix_sign - This function will sign a CRL or a certificate with a key * @src: should contain an ASN1_TYPE * @issuer: is the certificate of the certificate issuer * @issuer_key: holds the issuer's private key * * This function will sign a CRL or a certificate with the issuer's private key, and * will copy the issuer's information into the CRL or certificate. * * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a * negative error value. -*/ int _gnutls_x509_pkix_sign(ASN1_TYPE src, const char *src_name, gnutls_digest_algorithm_t dig, gnutls_x509_crt_t issuer, gnutls_privkey_t issuer_key) { int result; gnutls_datum_t signature; gnutls_datum_t tbs; char name[128]; /* Step 1. Copy the issuer's name into the certificate. */ _gnutls_str_cpy(name, sizeof(name), src_name); _gnutls_str_cat(name, sizeof(name), ".issuer"); result = asn1_copy_node(src, name, issuer->cert, "tbsCertificate.subject"); if (result != ASN1_SUCCESS) { gnutls_assert(); return _gnutls_asn2err(result); } /* Step 1.5. Write the signature stuff in the tbsCertificate. */ _gnutls_str_cpy(name, sizeof(name), src_name); _gnutls_str_cat(name, sizeof(name), ".signature"); result = _gnutls_x509_write_sig_params(src, name, gnutls_privkey_get_pk_algorithm (issuer_key, NULL), dig, 0); if (result < 0) { gnutls_assert(); return result; } /* Step 2. Sign the certificate. */ result = _gnutls_x509_get_tbs(src, src_name, &tbs); if (result < 0) { gnutls_assert(); return result; } result = gnutls_privkey_sign_data(issuer_key, dig, 0, &tbs, &signature); gnutls_free(tbs.data); if (result < 0) { gnutls_assert(); return result; } /* write the signature (bits) */ result = asn1_write_value(src, "signature", signature.data, signature.size * 8); _gnutls_free_datum(&signature); if (result != ASN1_SUCCESS) { gnutls_assert(); return _gnutls_asn2err(result); } /* Step 3. Move up and write the AlgorithmIdentifier, which is also * the same. */ result = _gnutls_x509_write_sig_params(src, "signatureAlgorithm", gnutls_privkey_get_pk_algorithm (issuer_key, NULL), dig, 0); if (result < 0) { gnutls_assert(); return result; } return 0; }