2 * Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
35 #include <pkinit_asn1.h>
36 RCSID("$Id: ca.c 22456 2008-01-15 20:22:53Z lha $");
39 * @page page_ca Hx509 CA functions
41 * See the library functions here: @ref hx509_ca
46 SubjectPublicKeyInfo spki;
55 unsigned int serial:1;
56 unsigned int domaincontroller:1;
60 int pathLenConstraint; /* both for CA and Proxy */
61 CRLDistributionPoints crldp;
65 * Allocate an to-be-signed certificate object that will be converted
66 * into an certificate.
68 * @param context A hx509 context.
69 * @param tbs returned to-be-signed certicate object, free with
70 * hx509_ca_tbs_free().
72 * @return An hx509 error code, see hx509_get_error_string().
78 hx509_ca_tbs_init(hx509_context context, hx509_ca_tbs *tbs)
80 *tbs = calloc(1, sizeof(**tbs));
84 (*tbs)->subject = NULL;
86 (*tbs)->san.val = NULL;
88 (*tbs)->eku.val = NULL;
89 (*tbs)->pathLenConstraint = 0;
90 (*tbs)->crldp.len = 0;
91 (*tbs)->crldp.val = NULL;
97 * Free an To Be Signed object.
99 * @param tbs object to free.
105 hx509_ca_tbs_free(hx509_ca_tbs *tbs)
107 if (tbs == NULL || *tbs == NULL)
110 free_SubjectPublicKeyInfo(&(*tbs)->spki);
111 free_GeneralNames(&(*tbs)->san);
112 free_ExtKeyUsage(&(*tbs)->eku);
113 der_free_heim_integer(&(*tbs)->serial);
114 free_CRLDistributionPoints(&(*tbs)->crldp);
116 hx509_name_free(&(*tbs)->subject);
118 memset(*tbs, 0, sizeof(**tbs));
124 * Set the absolute time when the certificate is valid from. If not
125 * set the current time will be used.
127 * @param context A hx509 context.
128 * @param tbs object to be signed.
129 * @param t time the certificated will start to be valid
131 * @return An hx509 error code, see hx509_get_error_string().
137 hx509_ca_tbs_set_notBefore(hx509_context context,
146 * Set the absolute time when the certificate is valid to.
148 * @param context A hx509 context.
149 * @param tbs object to be signed.
150 * @param t time when the certificate will expire
152 * @return An hx509 error code, see hx509_get_error_string().
158 hx509_ca_tbs_set_notAfter(hx509_context context,
167 * Set the relative time when the certificiate is going to expire.
169 * @param context A hx509 context.
170 * @param tbs object to be signed.
171 * @param delta seconds to the certificate is going to expire.
173 * @return An hx509 error code, see hx509_get_error_string().
179 hx509_ca_tbs_set_notAfter_lifetime(hx509_context context,
183 return hx509_ca_tbs_set_notAfter(context, tbs, time(NULL) + delta);
186 static const struct units templatebits[] = {
187 { "ExtendedKeyUsage", HX509_CA_TEMPLATE_EKU },
188 { "KeyUsage", HX509_CA_TEMPLATE_KU },
189 { "SPKI", HX509_CA_TEMPLATE_SPKI },
190 { "notAfter", HX509_CA_TEMPLATE_NOTAFTER },
191 { "notBefore", HX509_CA_TEMPLATE_NOTBEFORE },
192 { "serial", HX509_CA_TEMPLATE_SERIAL },
193 { "subject", HX509_CA_TEMPLATE_SUBJECT },
198 * Make of template units, use to build flags argument to
199 * hx509_ca_tbs_set_template() with parse_units().
201 * @return an units structure.
207 hx509_ca_tbs_template_units(void)
213 * Initialize the to-be-signed certificate object from a template certifiate.
215 * @param context A hx509 context.
216 * @param tbs object to be signed.
217 * @param flags bit field selecting what to copy from the template
219 * @param cert template certificate.
221 * @return An hx509 error code, see hx509_get_error_string().
227 hx509_ca_tbs_set_template(hx509_context context,
234 if (flags & HX509_CA_TEMPLATE_SUBJECT) {
236 hx509_name_free(&tbs->subject);
237 ret = hx509_cert_get_subject(cert, &tbs->subject);
239 hx509_set_error_string(context, 0, ret,
240 "Failed to get subject from template");
244 if (flags & HX509_CA_TEMPLATE_SERIAL) {
245 der_free_heim_integer(&tbs->serial);
246 ret = hx509_cert_get_serialnumber(cert, &tbs->serial);
247 tbs->flags.serial = !ret;
249 hx509_set_error_string(context, 0, ret,
250 "Failed to copy serial number");
254 if (flags & HX509_CA_TEMPLATE_NOTBEFORE)
255 tbs->notBefore = hx509_cert_get_notBefore(cert);
256 if (flags & HX509_CA_TEMPLATE_NOTAFTER)
257 tbs->notAfter = hx509_cert_get_notAfter(cert);
258 if (flags & HX509_CA_TEMPLATE_SPKI) {
259 free_SubjectPublicKeyInfo(&tbs->spki);
260 ret = hx509_cert_get_SPKI(context, cert, &tbs->spki);
261 tbs->flags.key = !ret;
265 if (flags & HX509_CA_TEMPLATE_KU) {
267 ret = _hx509_cert_get_keyusage(context, cert, &ku);
270 tbs->key_usage = KeyUsage2int(ku);
272 if (flags & HX509_CA_TEMPLATE_EKU) {
275 ret = _hx509_cert_get_eku(context, cert, &eku);
278 for (i = 0; i < eku.len; i++) {
279 ret = hx509_ca_tbs_add_eku(context, tbs, &eku.val[i]);
281 free_ExtKeyUsage(&eku);
285 free_ExtKeyUsage(&eku);
291 * Make the to-be-signed certificate object a CA certificate. If the
292 * pathLenConstraint is negative path length constraint is used.
294 * @param context A hx509 context.
295 * @param tbs object to be signed.
296 * @param pathLenConstraint path length constraint, negative, no
299 * @return An hx509 error code, see hx509_get_error_string().
305 hx509_ca_tbs_set_ca(hx509_context context,
307 int pathLenConstraint)
310 tbs->pathLenConstraint = pathLenConstraint;
315 * Make the to-be-signed certificate object a proxy certificate. If the
316 * pathLenConstraint is negative path length constraint is used.
318 * @param context A hx509 context.
319 * @param tbs object to be signed.
320 * @param pathLenConstraint path length constraint, negative, no
323 * @return An hx509 error code, see hx509_get_error_string().
329 hx509_ca_tbs_set_proxy(hx509_context context,
331 int pathLenConstraint)
333 tbs->flags.proxy = 1;
334 tbs->pathLenConstraint = pathLenConstraint;
340 * Make the to-be-signed certificate object a windows domain controller certificate.
342 * @param context A hx509 context.
343 * @param tbs object to be signed.
345 * @return An hx509 error code, see hx509_get_error_string().
351 hx509_ca_tbs_set_domaincontroller(hx509_context context,
354 tbs->flags.domaincontroller = 1;
359 * Set the subject public key info (SPKI) in the to-be-signed certificate
360 * object. SPKI is the public key and key related parameters in the
363 * @param context A hx509 context.
364 * @param tbs object to be signed.
365 * @param spki subject public key info to use for the to-be-signed certificate object.
367 * @return An hx509 error code, see hx509_get_error_string().
373 hx509_ca_tbs_set_spki(hx509_context context,
375 const SubjectPublicKeyInfo *spki)
378 free_SubjectPublicKeyInfo(&tbs->spki);
379 ret = copy_SubjectPublicKeyInfo(spki, &tbs->spki);
380 tbs->flags.key = !ret;
385 * Set the serial number to use for to-be-signed certificate object.
387 * @param context A hx509 context.
388 * @param tbs object to be signed.
389 * @param serialNumber serial number to use for the to-be-signed
390 * certificate object.
392 * @return An hx509 error code, see hx509_get_error_string().
398 hx509_ca_tbs_set_serialnumber(hx509_context context,
400 const heim_integer *serialNumber)
403 der_free_heim_integer(&tbs->serial);
404 ret = der_copy_heim_integer(serialNumber, &tbs->serial);
405 tbs->flags.serial = !ret;
410 * An an extended key usage to the to-be-signed certificate object.
411 * Duplicates will detected and not added.
413 * @param context A hx509 context.
414 * @param tbs object to be signed.
415 * @param oid extended key usage to add.
417 * @return An hx509 error code, see hx509_get_error_string().
423 hx509_ca_tbs_add_eku(hx509_context context,
431 /* search for duplicates */
432 for (i = 0; i < tbs->eku.len; i++) {
433 if (der_heim_oid_cmp(oid, &tbs->eku.val[i]) == 0)
437 ptr = realloc(tbs->eku.val, sizeof(tbs->eku.val[0]) * (tbs->eku.len + 1));
439 hx509_set_error_string(context, 0, ENOMEM, "out of memory");
443 ret = der_copy_oid(oid, &tbs->eku.val[tbs->eku.len]);
445 hx509_set_error_string(context, 0, ret, "out of memory");
453 * Add CRL distribution point URI to the to-be-signed certificate
456 * @param context A hx509 context.
457 * @param tbs object to be signed.
458 * @param uri uri to the CRL.
459 * @param issuername name of the issuer.
461 * @return An hx509 error code, see hx509_get_error_string().
467 hx509_ca_tbs_add_crl_dp_uri(hx509_context context,
470 hx509_name issuername)
472 DistributionPoint dp;
475 memset(&dp, 0, sizeof(dp));
477 dp.distributionPoint = ecalloc(1, sizeof(*dp.distributionPoint));
480 DistributionPointName name;
484 name.element = choice_DistributionPointName_fullName;
485 name.u.fullName.len = 1;
486 name.u.fullName.val = &gn;
488 gn.element = choice_GeneralName_uniformResourceIdentifier;
489 gn.u.uniformResourceIdentifier = rk_UNCONST(uri);
491 ASN1_MALLOC_ENCODE(DistributionPointName,
492 dp.distributionPoint->data,
493 dp.distributionPoint->length,
496 hx509_set_error_string(context, 0, ret,
497 "Failed to encoded DistributionPointName");
500 if (dp.distributionPoint->length != size)
501 _hx509_abort("internal ASN.1 encoder error");
507 * issuername not supported
509 hx509_set_error_string(context, 0, EINVAL,
510 "CRLDistributionPoints.name.issuername not yet supported");
513 GeneralNames *crlissuer;
517 crlissuer = calloc(1, sizeof(*crlissuer));
518 if (crlissuer == NULL) {
521 memset(&gn, 0, sizeof(gn));
523 gn.element = choice_GeneralName_directoryName;
524 ret = hx509_name_to_Name(issuername, &n);
526 hx509_set_error_string(context, 0, ret, "out of memory");
530 gn.u.directoryName.element = n.element;
531 gn.u.directoryName.u.rdnSequence = n.u.rdnSequence;
533 ret = add_GeneralNames(&crlissuer, &gn);
536 hx509_set_error_string(context, 0, ret, "out of memory");
540 dp.cRLIssuer = &crlissuer;
544 ret = add_CRLDistributionPoints(&tbs->crldp, &dp);
546 hx509_set_error_string(context, 0, ret, "out of memory");
551 free_DistributionPoint(&dp);
557 * Add Subject Alternative Name otherName to the to-be-signed
558 * certificate object.
560 * @param context A hx509 context.
561 * @param tbs object to be signed.
562 * @param oid the oid of the OtherName.
563 * @param os data in the other name.
565 * @return An hx509 error code, see hx509_get_error_string().
571 hx509_ca_tbs_add_san_otherName(hx509_context context,
574 const heim_octet_string *os)
578 memset(&gn, 0, sizeof(gn));
579 gn.element = choice_GeneralName_otherName;
580 gn.u.otherName.type_id = *oid;
581 gn.u.otherName.value = *os;
583 return add_GeneralNames(&tbs->san, &gn);
587 * Add Kerberos Subject Alternative Name to the to-be-signed
588 * certificate object. The principal string is a UTF8 string.
590 * @param context A hx509 context.
591 * @param tbs object to be signed.
592 * @param principal Kerberos principal to add to the certificate.
594 * @return An hx509 error code, see hx509_get_error_string().
600 hx509_ca_tbs_add_san_pkinit(hx509_context context,
602 const char *principal)
604 heim_octet_string os;
610 memset(&p, 0, sizeof(p));
612 /* parse principal */
618 /* count number of component */
620 for(str = principal; *str != '\0' && *str != '@'; str++){
622 if(str[1] == '\0' || str[1] == '@') {
623 ret = HX509_PARSING_NAME_FAILED;
624 hx509_set_error_string(context, 0, ret,
625 "trailing \\ in principal name");
629 } else if(*str == '/')
632 p.principalName.name_string.val =
633 calloc(n, sizeof(*p.principalName.name_string.val));
634 if (p.principalName.name_string.val == NULL) {
636 hx509_set_error_string(context, 0, ret, "malloc: out of memory");
639 p.principalName.name_string.len = n;
641 p.principalName.name_type = KRB5_NT_PRINCIPAL;
642 q = s = strdup(principal);
645 hx509_set_error_string(context, 0, ret, "malloc: out of memory");
648 p.realm = strrchr(q, '@');
649 if (p.realm == NULL) {
650 ret = HX509_PARSING_NAME_FAILED;
651 hx509_set_error_string(context, 0, ret, "Missing @ in principal");
658 p.principalName.name_string.val[n++] = q;
665 ASN1_MALLOC_ENCODE(KRB5PrincipalName, os.data, os.length, &p, &size, ret);
667 hx509_set_error_string(context, 0, ret, "Out of memory");
670 if (size != os.length)
671 _hx509_abort("internal ASN.1 encoder error");
673 ret = hx509_ca_tbs_add_san_otherName(context,
679 if (p.principalName.name_string.val)
680 free (p.principalName.name_string.val);
691 add_utf8_san(hx509_context context,
696 const PKIXXmppAddr ustring = (const PKIXXmppAddr)string;
697 heim_octet_string os;
704 ASN1_MALLOC_ENCODE(PKIXXmppAddr, os.data, os.length, &ustring, &size, ret);
706 hx509_set_error_string(context, 0, ret, "Out of memory");
709 if (size != os.length)
710 _hx509_abort("internal ASN.1 encoder error");
712 ret = hx509_ca_tbs_add_san_otherName(context,
722 * Add Microsoft UPN Subject Alternative Name to the to-be-signed
723 * certificate object. The principal string is a UTF8 string.
725 * @param context A hx509 context.
726 * @param tbs object to be signed.
727 * @param principal Microsoft UPN string.
729 * @return An hx509 error code, see hx509_get_error_string().
735 hx509_ca_tbs_add_san_ms_upn(hx509_context context,
737 const char *principal)
739 return add_utf8_san(context, tbs, oid_id_pkinit_ms_san(), principal);
743 * Add a Jabber/XMPP jid Subject Alternative Name to the to-be-signed
744 * certificate object. The jid is an UTF8 string.
746 * @param context A hx509 context.
747 * @param tbs object to be signed.
748 * @param jid string of an a jabber id in UTF8.
750 * @return An hx509 error code, see hx509_get_error_string().
756 hx509_ca_tbs_add_san_jid(hx509_context context,
760 return add_utf8_san(context, tbs, oid_id_pkix_on_xmppAddr(), jid);
765 * Add a Subject Alternative Name hostname to to-be-signed certificate
766 * object. A domain match starts with ., an exact match does not.
768 * Example of a an domain match: .domain.se matches the hostname
771 * @param context A hx509 context.
772 * @param tbs object to be signed.
773 * @param dnsname a hostame.
775 * @return An hx509 error code, see hx509_get_error_string().
781 hx509_ca_tbs_add_san_hostname(hx509_context context,
787 memset(&gn, 0, sizeof(gn));
788 gn.element = choice_GeneralName_dNSName;
789 gn.u.dNSName = rk_UNCONST(dnsname);
791 return add_GeneralNames(&tbs->san, &gn);
795 * Add a Subject Alternative Name rfc822 (email address) to
796 * to-be-signed certificate object.
798 * @param context A hx509 context.
799 * @param tbs object to be signed.
800 * @param rfc822Name a string to a email address.
802 * @return An hx509 error code, see hx509_get_error_string().
808 hx509_ca_tbs_add_san_rfc822name(hx509_context context,
810 const char *rfc822Name)
814 memset(&gn, 0, sizeof(gn));
815 gn.element = choice_GeneralName_rfc822Name;
816 gn.u.rfc822Name = rk_UNCONST(rfc822Name);
818 return add_GeneralNames(&tbs->san, &gn);
822 * Set the subject name of a to-be-signed certificate object.
824 * @param context A hx509 context.
825 * @param tbs object to be signed.
826 * @param subject the name to set a subject.
828 * @return An hx509 error code, see hx509_get_error_string().
834 hx509_ca_tbs_set_subject(hx509_context context,
839 hx509_name_free(&tbs->subject);
840 return hx509_name_copy(context, subject, &tbs->subject);
844 * Expand the the subject name in the to-be-signed certificate object
845 * using hx509_name_expand().
847 * @param context A hx509 context.
848 * @param tbs object to be signed.
849 * @param env enviroment variable to expand variables in the subject
850 * name, see hx509_env_init().
852 * @return An hx509 error code, see hx509_get_error_string().
858 hx509_ca_tbs_subject_expand(hx509_context context,
862 return hx509_name_expand(context, tbs->subject, env);
866 add_extension(hx509_context context,
867 TBSCertificate *tbsc,
870 const heim_octet_string *data)
875 memset(&ext, 0, sizeof(ext));
878 ext.critical = malloc(sizeof(*ext.critical));
879 if (ext.critical == NULL) {
881 hx509_set_error_string(context, 0, ret, "Out of memory");
884 *ext.critical = TRUE;
887 ret = der_copy_oid(oid, &ext.extnID);
889 hx509_set_error_string(context, 0, ret, "Out of memory");
892 ret = der_copy_octet_string(data, &ext.extnValue);
894 hx509_set_error_string(context, 0, ret, "Out of memory");
897 ret = add_Extensions(tbsc->extensions, &ext);
899 hx509_set_error_string(context, 0, ret, "Out of memory");
903 free_Extension(&ext);
908 build_proxy_prefix(hx509_context context, const Name *issuer, Name *subject)
914 ret = copy_Name(issuer, subject);
916 hx509_set_error_string(context, 0, ret,
917 "Failed to copy subject name");
922 asprintf(&tstr, "ts-%lu", (unsigned long)t);
924 hx509_set_error_string(context, 0, ENOMEM,
925 "Failed to copy subject name");
928 /* prefix with CN=<ts>,...*/
929 ret = _hx509_name_modify(context, subject, 1, oid_id_at_commonName(), tstr);
937 ca_sign(hx509_context context,
939 hx509_private_key signer,
940 const AuthorityKeyIdentifier *ai,
941 const Name *issuername,
942 hx509_cert *certificate)
944 heim_octet_string data;
946 TBSCertificate *tbsc;
949 const AlgorithmIdentifier *sigalg;
954 sigalg = _hx509_crypto_default_sig_alg;
956 memset(&c, 0, sizeof(c));
959 * Default values are: Valid since 24h ago, valid one year into
960 * the future, KeyUsage digitalSignature and keyEncipherment set,
961 * and keyCertSign for CA certificates.
963 notBefore = tbs->notBefore;
965 notBefore = time(NULL) - 3600 * 24;
966 notAfter = tbs->notAfter;
968 notAfter = time(NULL) + 3600 * 24 * 365;
970 key_usage = tbs->key_usage;
971 if (key_usage == 0) {
973 memset(&ku, 0, sizeof(ku));
974 ku.digitalSignature = 1;
975 ku.keyEncipherment = 1;
976 key_usage = KeyUsage2int(ku);
981 memset(&ku, 0, sizeof(ku));
984 key_usage |= KeyUsage2int(ku);
991 tbsc = &c.tbsCertificate;
993 if (tbs->flags.key == 0) {
995 hx509_set_error_string(context, 0, ret, "No public key set");
999 * Don't put restrictions on proxy certificate's subject name, it
1000 * will be generated below.
1002 if (!tbs->flags.proxy) {
1003 if (tbs->subject == NULL) {
1004 hx509_set_error_string(context, 0, EINVAL, "No subject name set");
1007 if (hx509_name_is_null_p(tbs->subject) && tbs->san.len == 0) {
1008 hx509_set_error_string(context, 0, EINVAL,
1009 "NULL subject and no SubjectAltNames");
1013 if (tbs->flags.ca && tbs->flags.proxy) {
1014 hx509_set_error_string(context, 0, EINVAL, "Can't be proxy and CA "
1015 "at the same time");
1018 if (tbs->flags.proxy) {
1019 if (tbs->san.len > 0) {
1020 hx509_set_error_string(context, 0, EINVAL,
1021 "Proxy certificate is not allowed "
1022 "to have SubjectAltNames");
1027 /* version [0] Version OPTIONAL, -- EXPLICIT nnn DEFAULT 1, */
1028 tbsc->version = calloc(1, sizeof(*tbsc->version));
1029 if (tbsc->version == NULL) {
1031 hx509_set_error_string(context, 0, ret, "Out of memory");
1034 *tbsc->version = rfc3280_version_3;
1035 /* serialNumber CertificateSerialNumber, */
1036 if (tbs->flags.serial) {
1037 ret = der_copy_heim_integer(&tbs->serial, &tbsc->serialNumber);
1039 hx509_set_error_string(context, 0, ret, "Out of memory");
1043 tbsc->serialNumber.length = 20;
1044 tbsc->serialNumber.data = malloc(tbsc->serialNumber.length);
1045 if (tbsc->serialNumber.data == NULL){
1047 hx509_set_error_string(context, 0, ret, "Out of memory");
1051 RAND_bytes(tbsc->serialNumber.data, tbsc->serialNumber.length);
1052 ((unsigned char *)tbsc->serialNumber.data)[0] &= 0x7f;
1054 /* signature AlgorithmIdentifier, */
1055 ret = copy_AlgorithmIdentifier(sigalg, &tbsc->signature);
1057 hx509_set_error_string(context, 0, ret, "Failed to copy sigature alg");
1062 ret = copy_Name(issuername, &tbsc->issuer);
1064 ret = hx509_name_to_Name(tbs->subject, &tbsc->issuer);
1066 hx509_set_error_string(context, 0, ret, "Failed to copy issuer name");
1069 /* validity Validity, */
1070 tbsc->validity.notBefore.element = choice_Time_generalTime;
1071 tbsc->validity.notBefore.u.generalTime = notBefore;
1072 tbsc->validity.notAfter.element = choice_Time_generalTime;
1073 tbsc->validity.notAfter.u.generalTime = notAfter;
1075 if (tbs->flags.proxy) {
1076 ret = build_proxy_prefix(context, &tbsc->issuer, &tbsc->subject);
1080 ret = hx509_name_to_Name(tbs->subject, &tbsc->subject);
1082 hx509_set_error_string(context, 0, ret,
1083 "Failed to copy subject name");
1087 /* subjectPublicKeyInfo SubjectPublicKeyInfo, */
1088 ret = copy_SubjectPublicKeyInfo(&tbs->spki, &tbsc->subjectPublicKeyInfo);
1090 hx509_set_error_string(context, 0, ret, "Failed to copy spki");
1093 /* issuerUniqueID [1] IMPLICIT BIT STRING OPTIONAL */
1094 /* subjectUniqueID [2] IMPLICIT BIT STRING OPTIONAL */
1095 /* extensions [3] EXPLICIT Extensions OPTIONAL */
1096 tbsc->extensions = calloc(1, sizeof(*tbsc->extensions));
1097 if (tbsc->extensions == NULL) {
1099 hx509_set_error_string(context, 0, ret, "Out of memory");
1103 /* Add the text BMP string Domaincontroller to the cert */
1104 if (tbs->flags.domaincontroller) {
1105 data.data = rk_UNCONST("\x1e\x20\x00\x44\x00\x6f\x00\x6d"
1106 "\x00\x61\x00\x69\x00\x6e\x00\x43"
1107 "\x00\x6f\x00\x6e\x00\x74\x00\x72"
1108 "\x00\x6f\x00\x6c\x00\x6c\x00\x65"
1112 ret = add_extension(context, tbsc, 0,
1113 oid_id_ms_cert_enroll_domaincontroller(),
1123 ku = int2KeyUsage(key_usage);
1124 ASN1_MALLOC_ENCODE(KeyUsage, data.data, data.length, &ku, &size, ret);
1126 hx509_set_error_string(context, 0, ret, "Out of memory");
1129 if (size != data.length)
1130 _hx509_abort("internal ASN.1 encoder error");
1131 ret = add_extension(context, tbsc, 1,
1132 oid_id_x509_ce_keyUsage(), &data);
1138 /* add ExtendedKeyUsage */
1139 if (tbs->eku.len > 0) {
1140 ASN1_MALLOC_ENCODE(ExtKeyUsage, data.data, data.length,
1141 &tbs->eku, &size, ret);
1143 hx509_set_error_string(context, 0, ret, "Out of memory");
1146 if (size != data.length)
1147 _hx509_abort("internal ASN.1 encoder error");
1148 ret = add_extension(context, tbsc, 0,
1149 oid_id_x509_ce_extKeyUsage(), &data);
1155 /* add Subject Alternative Name */
1156 if (tbs->san.len > 0) {
1157 ASN1_MALLOC_ENCODE(GeneralNames, data.data, data.length,
1158 &tbs->san, &size, ret);
1160 hx509_set_error_string(context, 0, ret, "Out of memory");
1163 if (size != data.length)
1164 _hx509_abort("internal ASN.1 encoder error");
1165 ret = add_extension(context, tbsc, 0,
1166 oid_id_x509_ce_subjectAltName(),
1173 /* Add Authority Key Identifier */
1175 ASN1_MALLOC_ENCODE(AuthorityKeyIdentifier, data.data, data.length,
1178 hx509_set_error_string(context, 0, ret, "Out of memory");
1181 if (size != data.length)
1182 _hx509_abort("internal ASN.1 encoder error");
1183 ret = add_extension(context, tbsc, 0,
1184 oid_id_x509_ce_authorityKeyIdentifier(),
1191 /* Add Subject Key Identifier */
1193 SubjectKeyIdentifier si;
1194 unsigned char hash[SHA_DIGEST_LENGTH];
1200 SHA1_Update(&m, tbs->spki.subjectPublicKey.data,
1201 tbs->spki.subjectPublicKey.length / 8);
1202 SHA1_Final (hash, &m);
1206 si.length = sizeof(hash);
1208 ASN1_MALLOC_ENCODE(SubjectKeyIdentifier, data.data, data.length,
1211 hx509_set_error_string(context, 0, ret, "Out of memory");
1214 if (size != data.length)
1215 _hx509_abort("internal ASN.1 encoder error");
1216 ret = add_extension(context, tbsc, 0,
1217 oid_id_x509_ce_subjectKeyIdentifier(),
1224 /* Add BasicConstraints */
1226 BasicConstraints bc;
1230 memset(&bc, 0, sizeof(bc));
1232 if (tbs->flags.ca) {
1234 if (tbs->pathLenConstraint >= 0) {
1235 path = tbs->pathLenConstraint;
1236 bc.pathLenConstraint = &path;
1240 ASN1_MALLOC_ENCODE(BasicConstraints, data.data, data.length,
1243 hx509_set_error_string(context, 0, ret, "Out of memory");
1246 if (size != data.length)
1247 _hx509_abort("internal ASN.1 encoder error");
1248 /* Critical if this is a CA */
1249 ret = add_extension(context, tbsc, tbs->flags.ca,
1250 oid_id_x509_ce_basicConstraints(),
1258 if (tbs->flags.proxy) {
1261 memset(&info, 0, sizeof(info));
1263 if (tbs->pathLenConstraint >= 0) {
1264 info.pCPathLenConstraint =
1265 malloc(sizeof(*info.pCPathLenConstraint));
1266 if (info.pCPathLenConstraint == NULL) {
1268 hx509_set_error_string(context, 0, ret, "Out of memory");
1271 *info.pCPathLenConstraint = tbs->pathLenConstraint;
1274 ret = der_copy_oid(oid_id_pkix_ppl_inheritAll(),
1275 &info.proxyPolicy.policyLanguage);
1277 free_ProxyCertInfo(&info);
1278 hx509_set_error_string(context, 0, ret, "Out of memory");
1282 ASN1_MALLOC_ENCODE(ProxyCertInfo, data.data, data.length,
1284 free_ProxyCertInfo(&info);
1286 hx509_set_error_string(context, 0, ret, "Out of memory");
1289 if (size != data.length)
1290 _hx509_abort("internal ASN.1 encoder error");
1291 ret = add_extension(context, tbsc, 0,
1292 oid_id_pkix_pe_proxyCertInfo(),
1299 if (tbs->crldp.len) {
1301 ASN1_MALLOC_ENCODE(CRLDistributionPoints, data.data, data.length,
1302 &tbs->crldp, &size, ret);
1304 hx509_set_error_string(context, 0, ret, "Out of memory");
1307 if (size != data.length)
1308 _hx509_abort("internal ASN.1 encoder error");
1309 ret = add_extension(context, tbsc, FALSE,
1310 oid_id_x509_ce_cRLDistributionPoints(),
1317 ASN1_MALLOC_ENCODE(TBSCertificate, data.data, data.length,tbsc, &size, ret);
1319 hx509_set_error_string(context, 0, ret, "malloc out of memory");
1322 if (data.length != size)
1323 _hx509_abort("internal ASN.1 encoder error");
1325 ret = _hx509_create_signature_bitstring(context,
1329 &c.signatureAlgorithm,
1335 ret = hx509_cert_init(context, &c, certificate);
1339 free_Certificate(&c);
1344 free_Certificate(&c);
1349 get_AuthorityKeyIdentifier(hx509_context context,
1350 const Certificate *certificate,
1351 AuthorityKeyIdentifier *ai)
1353 SubjectKeyIdentifier si;
1356 ret = _hx509_find_extension_subject_key_id(certificate, &si);
1358 ai->keyIdentifier = calloc(1, sizeof(*ai->keyIdentifier));
1359 if (ai->keyIdentifier == NULL) {
1360 free_SubjectKeyIdentifier(&si);
1362 hx509_set_error_string(context, 0, ret, "Out of memory");
1365 ret = der_copy_octet_string(&si, ai->keyIdentifier);
1366 free_SubjectKeyIdentifier(&si);
1368 hx509_set_error_string(context, 0, ret, "Out of memory");
1376 memset(&gn, 0, sizeof(gn));
1377 memset(&gns, 0, sizeof(gns));
1378 memset(&name, 0, sizeof(name));
1380 ai->authorityCertIssuer =
1381 calloc(1, sizeof(*ai->authorityCertIssuer));
1382 if (ai->authorityCertIssuer == NULL) {
1384 hx509_set_error_string(context, 0, ret, "Out of memory");
1387 ai->authorityCertSerialNumber =
1388 calloc(1, sizeof(*ai->authorityCertSerialNumber));
1389 if (ai->authorityCertSerialNumber == NULL) {
1391 hx509_set_error_string(context, 0, ret, "Out of memory");
1396 * XXX unbreak when asn1 compiler handle IMPLICIT
1398 * This is so horrible.
1401 ret = copy_Name(&certificate->tbsCertificate.subject, &name);
1402 if (ai->authorityCertSerialNumber == NULL) {
1404 hx509_set_error_string(context, 0, ret, "Out of memory");
1408 memset(&gn, 0, sizeof(gn));
1409 gn.element = choice_GeneralName_directoryName;
1410 gn.u.directoryName.element =
1411 choice_GeneralName_directoryName_rdnSequence;
1412 gn.u.directoryName.u.rdnSequence = name.u.rdnSequence;
1414 ret = add_GeneralNames(&gns, &gn);
1416 hx509_set_error_string(context, 0, ret, "Out of memory");
1420 ai->authorityCertIssuer->val = gns.val;
1421 ai->authorityCertIssuer->len = gns.len;
1423 ret = der_copy_heim_integer(&certificate->tbsCertificate.serialNumber,
1424 ai->authorityCertSerialNumber);
1425 if (ai->authorityCertSerialNumber == NULL) {
1427 hx509_set_error_string(context, 0, ret, "Out of memory");
1433 free_AuthorityKeyIdentifier(ai);
1439 * Sign a to-be-signed certificate object with a issuer certificate.
1441 * The caller needs to at least have called the following functions on the
1442 * to-be-signed certificate object:
1443 * - hx509_ca_tbs_init()
1444 * - hx509_ca_tbs_set_subject()
1445 * - hx509_ca_tbs_set_spki()
1447 * When done the to-be-signed certificate object should be freed with
1448 * hx509_ca_tbs_free().
1450 * When creating self-signed certificate use hx509_ca_sign_self() instead.
1452 * @param context A hx509 context.
1453 * @param tbs object to be signed.
1454 * @param signer the CA certificate object to sign with (need private key).
1455 * @param certificate return cerificate, free with hx509_cert_free().
1457 * @return An hx509 error code, see hx509_get_error_string().
1463 hx509_ca_sign(hx509_context context,
1466 hx509_cert *certificate)
1468 const Certificate *signer_cert;
1469 AuthorityKeyIdentifier ai;
1472 memset(&ai, 0, sizeof(ai));
1474 signer_cert = _hx509_get_cert(signer);
1476 ret = get_AuthorityKeyIdentifier(context, signer_cert, &ai);
1480 ret = ca_sign(context,
1482 _hx509_cert_private_key(signer),
1484 &signer_cert->tbsCertificate.subject,
1488 free_AuthorityKeyIdentifier(&ai);
1494 * Work just like hx509_ca_sign() but signs it-self.
1496 * @param context A hx509 context.
1497 * @param tbs object to be signed.
1498 * @param signer private key to sign with.
1499 * @param certificate return cerificate, free with hx509_cert_free().
1501 * @return An hx509 error code, see hx509_get_error_string().
1507 hx509_ca_sign_self(hx509_context context,
1509 hx509_private_key signer,
1510 hx509_cert *certificate)
1512 return ca_sign(context,