/src/gnutls/lib/x509/sign.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Copyright (C) 2003-2012 Free Software Foundation, Inc. |
3 | | * |
4 | | * Author: Nikos Mavrogiannopoulos |
5 | | * |
6 | | * This file is part of GnuTLS. |
7 | | * |
8 | | * The GnuTLS is free software; you can redistribute it and/or |
9 | | * modify it under the terms of the GNU Lesser General Public License |
10 | | * as published by the Free Software Foundation; either version 2.1 of |
11 | | * the License, or (at your option) any later version. |
12 | | * |
13 | | * This library is distributed in the hope that it will be useful, but |
14 | | * WITHOUT ANY WARRANTY; without even the implied warranty of |
15 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
16 | | * Lesser General Public License for more details. |
17 | | * |
18 | | * You should have received a copy of the GNU Lesser General Public License |
19 | | * along with this program. If not, see <https://www.gnu.org/licenses/> |
20 | | * |
21 | | */ |
22 | | |
23 | | /* All functions which relate to X.509 certificate signing stuff are |
24 | | * included here |
25 | | */ |
26 | | |
27 | | #include "gnutls_int.h" |
28 | | |
29 | | #include "errors.h" |
30 | | #include <libtasn1.h> |
31 | | #include "global.h" |
32 | | #include "num.h" /* MAX */ |
33 | | #include "tls-sig.h" |
34 | | #include "str.h" |
35 | | #include "datum.h" |
36 | | #include "x509_int.h" |
37 | | #include "common.h" |
38 | | #include <gnutls/abstract.h> |
39 | | #include "pk.h" |
40 | | |
41 | | /* This is the same as the _gnutls_x509_sign, but this one will decode |
42 | | * the asn1_node given, and sign the DER data. Actually used to get the DER |
43 | | * of the TBS and sign it on the fly. |
44 | | */ |
45 | | int _gnutls_x509_get_tbs(asn1_node cert, const char *tbs_name, |
46 | | gnutls_datum_t *tbs) |
47 | 0 | { |
48 | 0 | return _gnutls_x509_der_encode(cert, tbs_name, tbs, 0); |
49 | 0 | } |
50 | | |
51 | | int _gnutls_x509_crt_get_spki_params(gnutls_x509_crt_t crt, |
52 | | const gnutls_x509_spki_st *key_params, |
53 | | gnutls_x509_spki_st *params) |
54 | 0 | { |
55 | 0 | int result; |
56 | 0 | gnutls_x509_spki_st crt_params; |
57 | |
|
58 | 0 | result = _gnutls_x509_crt_read_spki_params(crt, &crt_params); |
59 | 0 | if (result < 0) { |
60 | 0 | gnutls_assert(); |
61 | 0 | return result; |
62 | 0 | } |
63 | | |
64 | 0 | if (crt_params.pk == GNUTLS_PK_RSA_PSS) { |
65 | 0 | if (key_params->pk == GNUTLS_PK_RSA_PSS) { |
66 | 0 | if (crt_params.rsa_pss_dig != key_params->rsa_pss_dig) { |
67 | 0 | gnutls_assert(); |
68 | 0 | return GNUTLS_E_CERTIFICATE_ERROR; |
69 | 0 | } |
70 | | |
71 | 0 | if (crt_params.salt_size < key_params->salt_size) { |
72 | 0 | gnutls_assert(); |
73 | 0 | return GNUTLS_E_CERTIFICATE_ERROR; |
74 | 0 | } |
75 | 0 | } else if (key_params->pk != GNUTLS_PK_RSA && |
76 | 0 | key_params->pk != GNUTLS_PK_UNKNOWN) { |
77 | 0 | gnutls_assert(); |
78 | 0 | return GNUTLS_E_CERTIFICATE_ERROR; |
79 | 0 | } |
80 | 0 | memcpy(params, &crt_params, sizeof(gnutls_x509_spki_st)); |
81 | 0 | } else { |
82 | 0 | memcpy(params, key_params, sizeof(gnutls_x509_spki_st)); |
83 | 0 | } |
84 | | |
85 | 0 | return 0; |
86 | 0 | } |
87 | | |
88 | | /*- |
89 | | * _gnutls_x509_pkix_sign - This function will sign a CRL or a certificate with a key |
90 | | * @src: should contain an asn1_node |
91 | | * @issuer: is the certificate of the certificate issuer |
92 | | * @issuer_key: holds the issuer's private key |
93 | | * |
94 | | * This function will sign a CRL or a certificate with the issuer's private key, and |
95 | | * will copy the issuer's information into the CRL or certificate. |
96 | | * |
97 | | * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a |
98 | | * negative error value. |
99 | | -*/ |
100 | | int _gnutls_x509_pkix_sign(asn1_node src, const char *src_name, |
101 | | gnutls_digest_algorithm_t dig, unsigned int flags, |
102 | | gnutls_x509_crt_t issuer, |
103 | | gnutls_privkey_t issuer_key) |
104 | 0 | { |
105 | 0 | int result; |
106 | 0 | gnutls_datum_t signature; |
107 | 0 | gnutls_datum_t tbs; |
108 | 0 | char name[128]; |
109 | 0 | gnutls_pk_algorithm_t pk; |
110 | 0 | gnutls_x509_spki_st key_params, params; |
111 | 0 | const gnutls_sign_entry_st *se; |
112 | |
|
113 | 0 | pk = gnutls_x509_crt_get_pk_algorithm(issuer, NULL); |
114 | 0 | if (pk == GNUTLS_PK_UNKNOWN) |
115 | 0 | pk = gnutls_privkey_get_pk_algorithm(issuer_key, NULL); |
116 | |
|
117 | 0 | result = _gnutls_privkey_get_spki_params(issuer_key, &key_params); |
118 | 0 | if (result < 0) { |
119 | 0 | gnutls_assert(); |
120 | 0 | return result; |
121 | 0 | } |
122 | | |
123 | 0 | result = _gnutls_x509_crt_get_spki_params(issuer, &key_params, ¶ms); |
124 | 0 | if (result < 0) { |
125 | 0 | gnutls_assert(); |
126 | 0 | return result; |
127 | 0 | } |
128 | | |
129 | 0 | result = _gnutls_privkey_update_spki_params(issuer_key, pk, dig, flags, |
130 | 0 | ¶ms); |
131 | 0 | if (result < 0) { |
132 | 0 | gnutls_assert(); |
133 | 0 | return result; |
134 | 0 | } |
135 | | |
136 | | /* Step 1. Copy the issuer's name into the certificate. |
137 | | */ |
138 | 0 | _gnutls_str_cpy(name, sizeof(name), src_name); |
139 | 0 | _gnutls_str_cat(name, sizeof(name), ".issuer"); |
140 | |
|
141 | 0 | result = asn1_copy_node(src, name, issuer->cert, |
142 | 0 | "tbsCertificate.subject"); |
143 | 0 | if (result != ASN1_SUCCESS) { |
144 | 0 | gnutls_assert(); |
145 | 0 | return _gnutls_asn2err(result); |
146 | 0 | } |
147 | | |
148 | | /* Step 1.5. Write the signature stuff in the tbsCertificate. |
149 | | */ |
150 | 0 | _gnutls_str_cpy(name, sizeof(name), src_name); |
151 | 0 | _gnutls_str_cat(name, sizeof(name), ".signature"); |
152 | |
|
153 | 0 | se = _gnutls_pk_to_sign_entry(params.pk, dig); |
154 | 0 | if (se == NULL) |
155 | 0 | return gnutls_assert_val( |
156 | 0 | GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM); |
157 | | |
158 | 0 | _gnutls_debug_log("signing structure using %s\n", se->name); |
159 | |
|
160 | 0 | result = _gnutls_x509_write_sign_params(src, name, se, ¶ms); |
161 | 0 | if (result < 0) { |
162 | 0 | gnutls_assert(); |
163 | 0 | return result; |
164 | 0 | } |
165 | | |
166 | | /* Step 2. Sign the certificate. |
167 | | */ |
168 | 0 | result = _gnutls_x509_get_tbs(src, src_name, &tbs); |
169 | |
|
170 | 0 | if (result < 0) { |
171 | 0 | gnutls_assert(); |
172 | 0 | return result; |
173 | 0 | } |
174 | | |
175 | 0 | FIX_SIGN_PARAMS(params, flags, dig); |
176 | |
|
177 | 0 | if (_gnutls_pk_is_not_prehashed(params.pk)) { |
178 | 0 | result = privkey_sign_raw_data(issuer_key, se, &tbs, &signature, |
179 | 0 | ¶ms); |
180 | 0 | } else { |
181 | 0 | result = privkey_sign_and_hash_data(issuer_key, se, &tbs, |
182 | 0 | &signature, ¶ms); |
183 | 0 | } |
184 | 0 | gnutls_free(tbs.data); |
185 | |
|
186 | 0 | if (result < 0) { |
187 | 0 | gnutls_assert(); |
188 | 0 | return result; |
189 | 0 | } |
190 | | |
191 | | /* write the signature (bits) |
192 | | */ |
193 | 0 | result = asn1_write_value(src, "signature", signature.data, |
194 | 0 | signature.size * 8); |
195 | |
|
196 | 0 | _gnutls_free_datum(&signature); |
197 | |
|
198 | 0 | if (result != ASN1_SUCCESS) { |
199 | 0 | gnutls_assert(); |
200 | 0 | return _gnutls_asn2err(result); |
201 | 0 | } |
202 | | |
203 | | /* Step 3. Move up and write the AlgorithmIdentifier, which is also |
204 | | * the same. |
205 | | */ |
206 | | |
207 | 0 | result = _gnutls_x509_write_sign_params(src, "signatureAlgorithm", se, |
208 | 0 | ¶ms); |
209 | 0 | if (result < 0) { |
210 | 0 | gnutls_assert(); |
211 | 0 | return result; |
212 | 0 | } |
213 | | |
214 | 0 | return 0; |
215 | 0 | } |