x509_req.c 9.3 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319
  1. /* crypto/x509/x509_req.c */
  2. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  3. * All rights reserved.
  4. *
  5. * This package is an SSL implementation written
  6. * by Eric Young (eay@cryptsoft.com).
  7. * The implementation was written so as to conform with Netscapes SSL.
  8. *
  9. * This library is free for commercial and non-commercial use as long as
  10. * the following conditions are aheared to. The following conditions
  11. * apply to all code found in this distribution, be it the RC4, RSA,
  12. * lhash, DES, etc., code; not just the SSL code. The SSL documentation
  13. * included with this distribution is covered by the same copyright terms
  14. * except that the holder is Tim Hudson (tjh@cryptsoft.com).
  15. *
  16. * Copyright remains Eric Young's, and as such any Copyright notices in
  17. * the code are not to be removed.
  18. * If this package is used in a product, Eric Young should be given attribution
  19. * as the author of the parts of the library used.
  20. * This can be in the form of a textual message at program startup or
  21. * in documentation (online or textual) provided with the package.
  22. *
  23. * Redistribution and use in source and binary forms, with or without
  24. * modification, are permitted provided that the following conditions
  25. * are met:
  26. * 1. Redistributions of source code must retain the copyright
  27. * notice, this list of conditions and the following disclaimer.
  28. * 2. Redistributions in binary form must reproduce the above copyright
  29. * notice, this list of conditions and the following disclaimer in the
  30. * documentation and/or other materials provided with the distribution.
  31. * 3. All advertising materials mentioning features or use of this software
  32. * must display the following acknowledgement:
  33. * "This product includes cryptographic software written by
  34. * Eric Young (eay@cryptsoft.com)"
  35. * The word 'cryptographic' can be left out if the rouines from the library
  36. * being used are not cryptographic related :-).
  37. * 4. If you include any Windows specific code (or a derivative thereof) from
  38. * the apps directory (application code) you must include an acknowledgement:
  39. * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
  40. *
  41. * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
  42. * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  43. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  44. * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  45. * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  46. * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  47. * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  48. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  49. * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  50. * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  51. * SUCH DAMAGE.
  52. *
  53. * The licence and distribution terms for any publically available version or
  54. * derivative of this code cannot be changed. i.e. this code cannot simply be
  55. * copied and put under another distribution licence
  56. * [including the GNU Public Licence.]
  57. */
  58. #include <stdio.h>
  59. #include "cryptlib.h"
  60. #include <openssl/bn.h>
  61. #include <openssl/evp.h>
  62. #include <openssl/asn1.h>
  63. #include <openssl/x509.h>
  64. #include <openssl/objects.h>
  65. #include <openssl/buffer.h>
  66. #include <openssl/pem.h>
  67. X509_REQ *X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, const EVP_MD *md)
  68. {
  69. X509_REQ *ret;
  70. X509_REQ_INFO *ri;
  71. int i;
  72. EVP_PKEY *pktmp;
  73. ret=X509_REQ_new();
  74. if (ret == NULL)
  75. {
  76. X509err(X509_F_X509_TO_X509_REQ,ERR_R_MALLOC_FAILURE);
  77. goto err;
  78. }
  79. ri=ret->req_info;
  80. ri->version->length=1;
  81. ri->version->data=(unsigned char *)OPENSSL_malloc(1);
  82. if (ri->version->data == NULL) goto err;
  83. ri->version->data[0]=0; /* version == 0 */
  84. if (!X509_REQ_set_subject_name(ret,X509_get_subject_name(x)))
  85. goto err;
  86. pktmp = X509_get_pubkey(x);
  87. i=X509_REQ_set_pubkey(ret,pktmp);
  88. EVP_PKEY_free(pktmp);
  89. if (!i) goto err;
  90. if (pkey != NULL)
  91. {
  92. if (!X509_REQ_sign(ret,pkey,md))
  93. goto err;
  94. }
  95. return(ret);
  96. err:
  97. X509_REQ_free(ret);
  98. return(NULL);
  99. }
  100. EVP_PKEY *X509_REQ_get_pubkey(X509_REQ *req)
  101. {
  102. if ((req == NULL) || (req->req_info == NULL))
  103. return(NULL);
  104. return(X509_PUBKEY_get(req->req_info->pubkey));
  105. }
  106. int X509_REQ_check_private_key(X509_REQ *x, EVP_PKEY *k)
  107. {
  108. EVP_PKEY *xk=NULL;
  109. int ok=0;
  110. xk=X509_REQ_get_pubkey(x);
  111. switch (EVP_PKEY_cmp(xk, k))
  112. {
  113. case 1:
  114. ok=1;
  115. break;
  116. case 0:
  117. X509err(X509_F_X509_REQ_CHECK_PRIVATE_KEY,X509_R_KEY_VALUES_MISMATCH);
  118. break;
  119. case -1:
  120. X509err(X509_F_X509_REQ_CHECK_PRIVATE_KEY,X509_R_KEY_TYPE_MISMATCH);
  121. break;
  122. case -2:
  123. #ifndef OPENSSL_NO_EC
  124. if (k->type == EVP_PKEY_EC)
  125. {
  126. X509err(X509_F_X509_REQ_CHECK_PRIVATE_KEY, ERR_R_EC_LIB);
  127. break;
  128. }
  129. #endif
  130. #ifndef OPENSSL_NO_DH
  131. if (k->type == EVP_PKEY_DH)
  132. {
  133. /* No idea */
  134. X509err(X509_F_X509_REQ_CHECK_PRIVATE_KEY,X509_R_CANT_CHECK_DH_KEY);
  135. break;
  136. }
  137. #endif
  138. X509err(X509_F_X509_REQ_CHECK_PRIVATE_KEY,X509_R_UNKNOWN_KEY_TYPE);
  139. }
  140. EVP_PKEY_free(xk);
  141. return(ok);
  142. }
  143. /* It seems several organisations had the same idea of including a list of
  144. * extensions in a certificate request. There are at least two OIDs that are
  145. * used and there may be more: so the list is configurable.
  146. */
  147. static int ext_nid_list[] = { NID_ext_req, NID_ms_ext_req, NID_undef};
  148. static int *ext_nids = ext_nid_list;
  149. int X509_REQ_extension_nid(int req_nid)
  150. {
  151. int i, nid;
  152. for(i = 0; ; i++) {
  153. nid = ext_nids[i];
  154. if(nid == NID_undef) return 0;
  155. else if (req_nid == nid) return 1;
  156. }
  157. }
  158. int *X509_REQ_get_extension_nids(void)
  159. {
  160. return ext_nids;
  161. }
  162. void X509_REQ_set_extension_nids(int *nids)
  163. {
  164. ext_nids = nids;
  165. }
  166. STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req)
  167. {
  168. X509_ATTRIBUTE *attr;
  169. ASN1_TYPE *ext = NULL;
  170. int idx, *pnid;
  171. const unsigned char *p;
  172. if ((req == NULL) || (req->req_info == NULL) || !ext_nids)
  173. return(NULL);
  174. for (pnid = ext_nids; *pnid != NID_undef; pnid++)
  175. {
  176. idx = X509_REQ_get_attr_by_NID(req, *pnid, -1);
  177. if (idx == -1)
  178. continue;
  179. attr = X509_REQ_get_attr(req, idx);
  180. if(attr->single) ext = attr->value.single;
  181. else if(sk_ASN1_TYPE_num(attr->value.set))
  182. ext = sk_ASN1_TYPE_value(attr->value.set, 0);
  183. break;
  184. }
  185. if(!ext || (ext->type != V_ASN1_SEQUENCE))
  186. return NULL;
  187. p = ext->value.sequence->data;
  188. return d2i_ASN1_SET_OF_X509_EXTENSION(NULL, &p,
  189. ext->value.sequence->length,
  190. d2i_X509_EXTENSION, X509_EXTENSION_free,
  191. V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL);
  192. }
  193. /* Add a STACK_OF extensions to a certificate request: allow alternative OIDs
  194. * in case we want to create a non standard one.
  195. */
  196. int X509_REQ_add_extensions_nid(X509_REQ *req, STACK_OF(X509_EXTENSION) *exts,
  197. int nid)
  198. {
  199. unsigned char *p = NULL, *q;
  200. long len;
  201. ASN1_TYPE *at = NULL;
  202. X509_ATTRIBUTE *attr = NULL;
  203. if(!(at = ASN1_TYPE_new()) ||
  204. !(at->value.sequence = ASN1_STRING_new())) goto err;
  205. at->type = V_ASN1_SEQUENCE;
  206. /* Generate encoding of extensions */
  207. len = i2d_ASN1_SET_OF_X509_EXTENSION(exts, NULL, i2d_X509_EXTENSION,
  208. V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL, IS_SEQUENCE);
  209. if(!(p = OPENSSL_malloc(len))) goto err;
  210. q = p;
  211. i2d_ASN1_SET_OF_X509_EXTENSION(exts, &q, i2d_X509_EXTENSION,
  212. V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL, IS_SEQUENCE);
  213. at->value.sequence->data = p;
  214. p = NULL;
  215. at->value.sequence->length = len;
  216. if(!(attr = X509_ATTRIBUTE_new())) goto err;
  217. if(!(attr->value.set = sk_ASN1_TYPE_new_null())) goto err;
  218. if(!sk_ASN1_TYPE_push(attr->value.set, at)) goto err;
  219. at = NULL;
  220. attr->single = 0;
  221. attr->object = OBJ_nid2obj(nid);
  222. if(!sk_X509_ATTRIBUTE_push(req->req_info->attributes, attr)) goto err;
  223. return 1;
  224. err:
  225. if(p) OPENSSL_free(p);
  226. X509_ATTRIBUTE_free(attr);
  227. ASN1_TYPE_free(at);
  228. return 0;
  229. }
  230. /* This is the normal usage: use the "official" OID */
  231. int X509_REQ_add_extensions(X509_REQ *req, STACK_OF(X509_EXTENSION) *exts)
  232. {
  233. return X509_REQ_add_extensions_nid(req, exts, NID_ext_req);
  234. }
  235. /* Request attribute functions */
  236. int X509_REQ_get_attr_count(const X509_REQ *req)
  237. {
  238. return X509at_get_attr_count(req->req_info->attributes);
  239. }
  240. int X509_REQ_get_attr_by_NID(const X509_REQ *req, int nid,
  241. int lastpos)
  242. {
  243. return X509at_get_attr_by_NID(req->req_info->attributes, nid, lastpos);
  244. }
  245. int X509_REQ_get_attr_by_OBJ(const X509_REQ *req, ASN1_OBJECT *obj,
  246. int lastpos)
  247. {
  248. return X509at_get_attr_by_OBJ(req->req_info->attributes, obj, lastpos);
  249. }
  250. X509_ATTRIBUTE *X509_REQ_get_attr(const X509_REQ *req, int loc)
  251. {
  252. return X509at_get_attr(req->req_info->attributes, loc);
  253. }
  254. X509_ATTRIBUTE *X509_REQ_delete_attr(X509_REQ *req, int loc)
  255. {
  256. return X509at_delete_attr(req->req_info->attributes, loc);
  257. }
  258. int X509_REQ_add1_attr(X509_REQ *req, X509_ATTRIBUTE *attr)
  259. {
  260. if(X509at_add1_attr(&req->req_info->attributes, attr)) return 1;
  261. return 0;
  262. }
  263. int X509_REQ_add1_attr_by_OBJ(X509_REQ *req,
  264. const ASN1_OBJECT *obj, int type,
  265. const unsigned char *bytes, int len)
  266. {
  267. if(X509at_add1_attr_by_OBJ(&req->req_info->attributes, obj,
  268. type, bytes, len)) return 1;
  269. return 0;
  270. }
  271. int X509_REQ_add1_attr_by_NID(X509_REQ *req,
  272. int nid, int type,
  273. const unsigned char *bytes, int len)
  274. {
  275. if(X509at_add1_attr_by_NID(&req->req_info->attributes, nid,
  276. type, bytes, len)) return 1;
  277. return 0;
  278. }
  279. int X509_REQ_add1_attr_by_txt(X509_REQ *req,
  280. const char *attrname, int type,
  281. const unsigned char *bytes, int len)
  282. {
  283. if(X509at_add1_attr_by_txt(&req->req_info->attributes, attrname,
  284. type, bytes, len)) return 1;
  285. return 0;
  286. }