x509_req.c 9.2 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316
  1. /* crypto/x509/x509_req.c */
  2. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  3. * All rights reserved.
  4. *
  5. * This package is an SSL implementation written
  6. * by Eric Young (eay@cryptsoft.com).
  7. * The implementation was written so as to conform with Netscapes SSL.
  8. *
  9. * This library is free for commercial and non-commercial use as long as
  10. * the following conditions are aheared to. The following conditions
  11. * apply to all code found in this distribution, be it the RC4, RSA,
  12. * lhash, DES, etc., code; not just the SSL code. The SSL documentation
  13. * included with this distribution is covered by the same copyright terms
  14. * except that the holder is Tim Hudson (tjh@cryptsoft.com).
  15. *
  16. * Copyright remains Eric Young's, and as such any Copyright notices in
  17. * the code are not to be removed.
  18. * If this package is used in a product, Eric Young should be given attribution
  19. * as the author of the parts of the library used.
  20. * This can be in the form of a textual message at program startup or
  21. * in documentation (online or textual) provided with the package.
  22. *
  23. * Redistribution and use in source and binary forms, with or without
  24. * modification, are permitted provided that the following conditions
  25. * are met:
  26. * 1. Redistributions of source code must retain the copyright
  27. * notice, this list of conditions and the following disclaimer.
  28. * 2. Redistributions in binary form must reproduce the above copyright
  29. * notice, this list of conditions and the following disclaimer in the
  30. * documentation and/or other materials provided with the distribution.
  31. * 3. All advertising materials mentioning features or use of this software
  32. * must display the following acknowledgement:
  33. * "This product includes cryptographic software written by
  34. * Eric Young (eay@cryptsoft.com)"
  35. * The word 'cryptographic' can be left out if the rouines from the library
  36. * being used are not cryptographic related :-).
  37. * 4. If you include any Windows specific code (or a derivative thereof) from
  38. * the apps directory (application code) you must include an acknowledgement:
  39. * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
  40. *
  41. * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
  42. * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  43. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  44. * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  45. * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  46. * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  47. * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  48. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  49. * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  50. * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  51. * SUCH DAMAGE.
  52. *
  53. * The licence and distribution terms for any publically available version or
  54. * derivative of this code cannot be changed. i.e. this code cannot simply be
  55. * copied and put under another distribution licence
  56. * [including the GNU Public Licence.]
  57. */
  58. #include <stdio.h>
  59. #include "cryptlib.h"
  60. #include <openssl/bn.h>
  61. #include <openssl/evp.h>
  62. #include <openssl/asn1.h>
  63. #include <openssl/asn1t.h>
  64. #include <openssl/x509.h>
  65. #include <openssl/objects.h>
  66. #include <openssl/buffer.h>
  67. #include <openssl/pem.h>
  68. X509_REQ *X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, const EVP_MD *md)
  69. {
  70. X509_REQ *ret;
  71. X509_REQ_INFO *ri;
  72. int i;
  73. EVP_PKEY *pktmp;
  74. ret=X509_REQ_new();
  75. if (ret == NULL)
  76. {
  77. X509err(X509_F_X509_TO_X509_REQ,ERR_R_MALLOC_FAILURE);
  78. goto err;
  79. }
  80. ri=ret->req_info;
  81. ri->version->length=1;
  82. ri->version->data=(unsigned char *)OPENSSL_malloc(1);
  83. if (ri->version->data == NULL) goto err;
  84. ri->version->data[0]=0; /* version == 0 */
  85. if (!X509_REQ_set_subject_name(ret,X509_get_subject_name(x)))
  86. goto err;
  87. pktmp = X509_get_pubkey(x);
  88. i=X509_REQ_set_pubkey(ret,pktmp);
  89. EVP_PKEY_free(pktmp);
  90. if (!i) goto err;
  91. if (pkey != NULL)
  92. {
  93. if (!X509_REQ_sign(ret,pkey,md))
  94. goto err;
  95. }
  96. return(ret);
  97. err:
  98. X509_REQ_free(ret);
  99. return(NULL);
  100. }
  101. EVP_PKEY *X509_REQ_get_pubkey(X509_REQ *req)
  102. {
  103. if ((req == NULL) || (req->req_info == NULL))
  104. return(NULL);
  105. return(X509_PUBKEY_get(req->req_info->pubkey));
  106. }
  107. int X509_REQ_check_private_key(X509_REQ *x, EVP_PKEY *k)
  108. {
  109. EVP_PKEY *xk=NULL;
  110. int ok=0;
  111. xk=X509_REQ_get_pubkey(x);
  112. switch (EVP_PKEY_cmp(xk, k))
  113. {
  114. case 1:
  115. ok=1;
  116. break;
  117. case 0:
  118. X509err(X509_F_X509_REQ_CHECK_PRIVATE_KEY,X509_R_KEY_VALUES_MISMATCH);
  119. break;
  120. case -1:
  121. X509err(X509_F_X509_REQ_CHECK_PRIVATE_KEY,X509_R_KEY_TYPE_MISMATCH);
  122. break;
  123. case -2:
  124. #ifndef OPENSSL_NO_EC
  125. if (k->type == EVP_PKEY_EC)
  126. {
  127. X509err(X509_F_X509_REQ_CHECK_PRIVATE_KEY, ERR_R_EC_LIB);
  128. break;
  129. }
  130. #endif
  131. #ifndef OPENSSL_NO_DH
  132. if (k->type == EVP_PKEY_DH)
  133. {
  134. /* No idea */
  135. X509err(X509_F_X509_REQ_CHECK_PRIVATE_KEY,X509_R_CANT_CHECK_DH_KEY);
  136. break;
  137. }
  138. #endif
  139. X509err(X509_F_X509_REQ_CHECK_PRIVATE_KEY,X509_R_UNKNOWN_KEY_TYPE);
  140. }
  141. EVP_PKEY_free(xk);
  142. return(ok);
  143. }
  144. /* It seems several organisations had the same idea of including a list of
  145. * extensions in a certificate request. There are at least two OIDs that are
  146. * used and there may be more: so the list is configurable.
  147. */
  148. static int ext_nid_list[] = { NID_ext_req, NID_ms_ext_req, NID_undef};
  149. static int *ext_nids = ext_nid_list;
  150. int X509_REQ_extension_nid(int req_nid)
  151. {
  152. int i, nid;
  153. for(i = 0; ; i++) {
  154. nid = ext_nids[i];
  155. if(nid == NID_undef) return 0;
  156. else if (req_nid == nid) return 1;
  157. }
  158. }
  159. int *X509_REQ_get_extension_nids(void)
  160. {
  161. return ext_nids;
  162. }
  163. void X509_REQ_set_extension_nids(int *nids)
  164. {
  165. ext_nids = nids;
  166. }
  167. STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req)
  168. {
  169. X509_ATTRIBUTE *attr;
  170. ASN1_TYPE *ext = NULL;
  171. int idx, *pnid;
  172. const unsigned char *p;
  173. if ((req == NULL) || (req->req_info == NULL) || !ext_nids)
  174. return(NULL);
  175. for (pnid = ext_nids; *pnid != NID_undef; pnid++)
  176. {
  177. idx = X509_REQ_get_attr_by_NID(req, *pnid, -1);
  178. if (idx == -1)
  179. continue;
  180. attr = X509_REQ_get_attr(req, idx);
  181. if(attr->single) ext = attr->value.single;
  182. else if(sk_ASN1_TYPE_num(attr->value.set))
  183. ext = sk_ASN1_TYPE_value(attr->value.set, 0);
  184. break;
  185. }
  186. if(!ext || (ext->type != V_ASN1_SEQUENCE))
  187. return NULL;
  188. p = ext->value.sequence->data;
  189. return (STACK_OF(X509_EXTENSION) *)
  190. ASN1_item_d2i(NULL, &p, ext->value.sequence->length,
  191. ASN1_ITEM_rptr(X509_EXTENSIONS));
  192. }
  193. /* Add a STACK_OF extensions to a certificate request: allow alternative OIDs
  194. * in case we want to create a non standard one.
  195. */
  196. int X509_REQ_add_extensions_nid(X509_REQ *req, STACK_OF(X509_EXTENSION) *exts,
  197. int nid)
  198. {
  199. ASN1_TYPE *at = NULL;
  200. X509_ATTRIBUTE *attr = NULL;
  201. if(!(at = ASN1_TYPE_new()) ||
  202. !(at->value.sequence = ASN1_STRING_new())) goto err;
  203. at->type = V_ASN1_SEQUENCE;
  204. /* Generate encoding of extensions */
  205. at->value.sequence->length =
  206. ASN1_item_i2d((ASN1_VALUE *)exts,
  207. &at->value.sequence->data,
  208. ASN1_ITEM_rptr(X509_EXTENSIONS));
  209. if(!(attr = X509_ATTRIBUTE_new())) goto err;
  210. if(!(attr->value.set = sk_ASN1_TYPE_new_null())) goto err;
  211. if(!sk_ASN1_TYPE_push(attr->value.set, at)) goto err;
  212. at = NULL;
  213. attr->single = 0;
  214. attr->object = OBJ_nid2obj(nid);
  215. if (!req->req_info->attributes)
  216. {
  217. if (!(req->req_info->attributes = sk_X509_ATTRIBUTE_new_null()))
  218. goto err;
  219. }
  220. if(!sk_X509_ATTRIBUTE_push(req->req_info->attributes, attr)) goto err;
  221. return 1;
  222. err:
  223. X509_ATTRIBUTE_free(attr);
  224. ASN1_TYPE_free(at);
  225. return 0;
  226. }
  227. /* This is the normal usage: use the "official" OID */
  228. int X509_REQ_add_extensions(X509_REQ *req, STACK_OF(X509_EXTENSION) *exts)
  229. {
  230. return X509_REQ_add_extensions_nid(req, exts, NID_ext_req);
  231. }
  232. /* Request attribute functions */
  233. int X509_REQ_get_attr_count(const X509_REQ *req)
  234. {
  235. return X509at_get_attr_count(req->req_info->attributes);
  236. }
  237. int X509_REQ_get_attr_by_NID(const X509_REQ *req, int nid,
  238. int lastpos)
  239. {
  240. return X509at_get_attr_by_NID(req->req_info->attributes, nid, lastpos);
  241. }
  242. int X509_REQ_get_attr_by_OBJ(const X509_REQ *req, ASN1_OBJECT *obj,
  243. int lastpos)
  244. {
  245. return X509at_get_attr_by_OBJ(req->req_info->attributes, obj, lastpos);
  246. }
  247. X509_ATTRIBUTE *X509_REQ_get_attr(const X509_REQ *req, int loc)
  248. {
  249. return X509at_get_attr(req->req_info->attributes, loc);
  250. }
  251. X509_ATTRIBUTE *X509_REQ_delete_attr(X509_REQ *req, int loc)
  252. {
  253. return X509at_delete_attr(req->req_info->attributes, loc);
  254. }
  255. int X509_REQ_add1_attr(X509_REQ *req, X509_ATTRIBUTE *attr)
  256. {
  257. if(X509at_add1_attr(&req->req_info->attributes, attr)) return 1;
  258. return 0;
  259. }
  260. int X509_REQ_add1_attr_by_OBJ(X509_REQ *req,
  261. const ASN1_OBJECT *obj, int type,
  262. const unsigned char *bytes, int len)
  263. {
  264. if(X509at_add1_attr_by_OBJ(&req->req_info->attributes, obj,
  265. type, bytes, len)) return 1;
  266. return 0;
  267. }
  268. int X509_REQ_add1_attr_by_NID(X509_REQ *req,
  269. int nid, int type,
  270. const unsigned char *bytes, int len)
  271. {
  272. if(X509at_add1_attr_by_NID(&req->req_info->attributes, nid,
  273. type, bytes, len)) return 1;
  274. return 0;
  275. }
  276. int X509_REQ_add1_attr_by_txt(X509_REQ *req,
  277. const char *attrname, int type,
  278. const unsigned char *bytes, int len)
  279. {
  280. if(X509at_add1_attr_by_txt(&req->req_info->attributes, attrname,
  281. type, bytes, len)) return 1;
  282. return 0;
  283. }