/src/gnutls/lib/x509/sign.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Copyright (C) 2003-2012 Free Software Foundation, Inc. |
3 | | * |
4 | | * Author: Nikos Mavrogiannopoulos |
5 | | * |
6 | | * This file is part of GnuTLS. |
7 | | * |
8 | | * The GnuTLS is free software; you can redistribute it and/or |
9 | | * modify it under the terms of the GNU Lesser General Public License |
10 | | * as published by the Free Software Foundation; either version 2.1 of |
11 | | * the License, or (at your option) any later version. |
12 | | * |
13 | | * This library is distributed in the hope that it will be useful, but |
14 | | * WITHOUT ANY WARRANTY; without even the implied warranty of |
15 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
16 | | * Lesser General Public License for more details. |
17 | | * |
18 | | * You should have received a copy of the GNU Lesser General Public License |
19 | | * along with this program. If not, see <https://www.gnu.org/licenses/> |
20 | | * |
21 | | */ |
22 | | |
23 | | /* All functions which relate to X.509 certificate signing stuff are |
24 | | * included here |
25 | | */ |
26 | | |
27 | | #include "gnutls_int.h" |
28 | | |
29 | | #include "errors.h" |
30 | | #include <libtasn1.h> |
31 | | #include "global.h" |
32 | | #include "num.h" /* MAX */ |
33 | | #include "tls-sig.h" |
34 | | #include "str.h" |
35 | | #include "datum.h" |
36 | | #include "x509_int.h" |
37 | | #include "common.h" |
38 | | #include <gnutls/abstract.h> |
39 | | #include "pk.h" |
40 | | |
41 | | /* This is the same as the _gnutls_x509_sign, but this one will decode |
42 | | * the asn1_node given, and sign the DER data. Actually used to get the DER |
43 | | * of the TBS and sign it on the fly. |
44 | | */ |
45 | | int _gnutls_x509_get_tbs(asn1_node cert, const char *tbs_name, |
46 | | gnutls_datum_t *tbs) |
47 | 0 | { |
48 | 0 | return _gnutls_x509_der_encode(cert, tbs_name, tbs, 0); |
49 | 0 | } |
50 | | |
51 | | int _gnutls_x509_crt_get_spki_params(gnutls_x509_crt_t crt, |
52 | | const gnutls_x509_spki_t key_params, |
53 | | gnutls_x509_spki_t params) |
54 | 0 | { |
55 | 0 | int result; |
56 | 0 | gnutls_x509_spki_st crt_params; |
57 | |
|
58 | 0 | result = _gnutls_x509_crt_read_spki_params(crt, &crt_params); |
59 | 0 | if (result < 0) { |
60 | 0 | gnutls_assert(); |
61 | 0 | return result; |
62 | 0 | } |
63 | | |
64 | 0 | if (crt_params.pk == GNUTLS_PK_RSA_PSS) { |
65 | 0 | if (key_params->pk == GNUTLS_PK_RSA_PSS) { |
66 | 0 | if (crt_params.rsa_pss_dig != key_params->rsa_pss_dig) { |
67 | 0 | gnutls_assert(); |
68 | 0 | return GNUTLS_E_CERTIFICATE_ERROR; |
69 | 0 | } |
70 | | |
71 | 0 | if (crt_params.salt_size < key_params->salt_size) { |
72 | 0 | gnutls_assert(); |
73 | 0 | return GNUTLS_E_CERTIFICATE_ERROR; |
74 | 0 | } |
75 | 0 | } else if (key_params->pk != GNUTLS_PK_RSA && |
76 | 0 | key_params->pk != GNUTLS_PK_UNKNOWN) { |
77 | 0 | gnutls_assert(); |
78 | 0 | return GNUTLS_E_CERTIFICATE_ERROR; |
79 | 0 | } |
80 | 0 | result = _gnutls_x509_spki_copy(params, &crt_params); |
81 | 0 | if (result < 0) |
82 | 0 | return gnutls_assert_val(result); |
83 | 0 | } else { |
84 | 0 | result = _gnutls_x509_spki_copy(params, key_params); |
85 | 0 | if (result < 0) |
86 | 0 | return gnutls_assert_val(result); |
87 | 0 | } |
88 | | |
89 | 0 | return 0; |
90 | 0 | } |
91 | | |
92 | | /*- |
93 | | * _gnutls_x509_pkix_sign - This function will sign a CRL or a certificate with a key |
94 | | * @src: should contain an asn1_node |
95 | | * @issuer: is the certificate of the certificate issuer |
96 | | * @issuer_key: holds the issuer's private key |
97 | | * |
98 | | * This function will sign a CRL or a certificate with the issuer's private key, and |
99 | | * will copy the issuer's information into the CRL or certificate. |
100 | | * |
101 | | * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a |
102 | | * negative error value. |
103 | | -*/ |
104 | | int _gnutls_x509_pkix_sign(asn1_node src, const char *src_name, |
105 | | gnutls_digest_algorithm_t dig, unsigned int flags, |
106 | | gnutls_x509_crt_t issuer, |
107 | | gnutls_privkey_t issuer_key) |
108 | 0 | { |
109 | 0 | int result; |
110 | 0 | gnutls_datum_t signature; |
111 | 0 | gnutls_datum_t tbs; |
112 | 0 | char name[128]; |
113 | 0 | gnutls_pk_algorithm_t pk; |
114 | 0 | gnutls_x509_spki_st key_params, params; |
115 | 0 | const gnutls_sign_entry_st *se; |
116 | |
|
117 | 0 | pk = gnutls_x509_crt_get_pk_algorithm(issuer, NULL); |
118 | 0 | if (pk == GNUTLS_PK_UNKNOWN) |
119 | 0 | pk = gnutls_privkey_get_pk_algorithm(issuer_key, NULL); |
120 | |
|
121 | 0 | result = _gnutls_privkey_get_spki_params(issuer_key, &key_params); |
122 | 0 | if (result < 0) { |
123 | 0 | gnutls_assert(); |
124 | 0 | return result; |
125 | 0 | } |
126 | | |
127 | 0 | result = _gnutls_x509_crt_get_spki_params(issuer, &key_params, ¶ms); |
128 | 0 | if (result < 0) { |
129 | 0 | gnutls_assert(); |
130 | 0 | return result; |
131 | 0 | } |
132 | | |
133 | 0 | result = _gnutls_privkey_update_spki_params(issuer_key, pk, dig, flags, |
134 | 0 | ¶ms); |
135 | 0 | if (result < 0) { |
136 | 0 | gnutls_assert(); |
137 | 0 | return result; |
138 | 0 | } |
139 | | |
140 | | /* Step 1. Copy the issuer's name into the certificate. |
141 | | */ |
142 | 0 | _gnutls_str_cpy(name, sizeof(name), src_name); |
143 | 0 | _gnutls_str_cat(name, sizeof(name), ".issuer"); |
144 | |
|
145 | 0 | result = asn1_copy_node(src, name, issuer->cert, |
146 | 0 | "tbsCertificate.subject"); |
147 | 0 | if (result != ASN1_SUCCESS) { |
148 | 0 | gnutls_assert(); |
149 | 0 | return _gnutls_asn2err(result); |
150 | 0 | } |
151 | | |
152 | | /* Step 1.5. Write the signature stuff in the tbsCertificate. |
153 | | */ |
154 | 0 | _gnutls_str_cpy(name, sizeof(name), src_name); |
155 | 0 | _gnutls_str_cat(name, sizeof(name), ".signature"); |
156 | |
|
157 | 0 | se = _gnutls_pk_to_sign_entry(params.pk, dig); |
158 | 0 | if (se == NULL) |
159 | 0 | return gnutls_assert_val( |
160 | 0 | GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM); |
161 | | |
162 | 0 | _gnutls_debug_log("signing structure using %s\n", se->name); |
163 | |
|
164 | 0 | result = _gnutls_x509_write_sign_params(src, name, se, ¶ms); |
165 | 0 | if (result < 0) { |
166 | 0 | gnutls_assert(); |
167 | 0 | return result; |
168 | 0 | } |
169 | | |
170 | | /* Step 2. Sign the certificate. |
171 | | */ |
172 | 0 | result = _gnutls_x509_get_tbs(src, src_name, &tbs); |
173 | |
|
174 | 0 | if (result < 0) { |
175 | 0 | gnutls_assert(); |
176 | 0 | return result; |
177 | 0 | } |
178 | | |
179 | 0 | FIX_SIGN_PARAMS(params, flags, dig); |
180 | |
|
181 | 0 | if (_gnutls_pk_is_not_prehashed(params.pk)) { |
182 | 0 | result = privkey_sign_raw_data(issuer_key, se, &tbs, &signature, |
183 | 0 | ¶ms); |
184 | 0 | } else { |
185 | 0 | result = privkey_sign_and_hash_data(issuer_key, se, &tbs, |
186 | 0 | &signature, ¶ms); |
187 | 0 | } |
188 | 0 | gnutls_free(tbs.data); |
189 | |
|
190 | 0 | if (result < 0) { |
191 | 0 | gnutls_assert(); |
192 | 0 | return result; |
193 | 0 | } |
194 | | |
195 | | /* write the signature (bits) |
196 | | */ |
197 | 0 | result = asn1_write_value(src, "signature", signature.data, |
198 | 0 | signature.size * 8); |
199 | |
|
200 | 0 | _gnutls_free_datum(&signature); |
201 | |
|
202 | 0 | if (result != ASN1_SUCCESS) { |
203 | 0 | gnutls_assert(); |
204 | 0 | return _gnutls_asn2err(result); |
205 | 0 | } |
206 | | |
207 | | /* Step 3. Move up and write the AlgorithmIdentifier, which is also |
208 | | * the same. |
209 | | */ |
210 | | |
211 | 0 | result = _gnutls_x509_write_sign_params(src, "signatureAlgorithm", se, |
212 | 0 | ¶ms); |
213 | 0 | if (result < 0) { |
214 | 0 | gnutls_assert(); |
215 | 0 | return result; |
216 | 0 | } |
217 | | |
218 | 0 | return 0; |
219 | 0 | } |