/src/gnutls/lib/x509/sign.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Copyright (C) 2003-2012 Free Software Foundation, Inc. |
3 | | * |
4 | | * Author: Nikos Mavrogiannopoulos |
5 | | * |
6 | | * This file is part of GnuTLS. |
7 | | * |
8 | | * The GnuTLS is free software; you can redistribute it and/or |
9 | | * modify it under the terms of the GNU Lesser General Public License |
10 | | * as published by the Free Software Foundation; either version 2.1 of |
11 | | * the License, or (at your option) any later version. |
12 | | * |
13 | | * This library is distributed in the hope that it will be useful, but |
14 | | * WITHOUT ANY WARRANTY; without even the implied warranty of |
15 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
16 | | * Lesser General Public License for more details. |
17 | | * |
18 | | * You should have received a copy of the GNU Lesser General Public License |
19 | | * along with this program. If not, see <https://www.gnu.org/licenses/> |
20 | | * |
21 | | */ |
22 | | |
23 | | /* All functions which relate to X.509 certificate signing stuff are |
24 | | * included here |
25 | | */ |
26 | | |
27 | | #include "gnutls_int.h" |
28 | | |
29 | | #include "errors.h" |
30 | | #include <libtasn1.h> |
31 | | #include <global.h> |
32 | | #include <num.h> /* MAX */ |
33 | | #include <tls-sig.h> |
34 | | #include <str.h> |
35 | | #include <datum.h> |
36 | | #include <x509_int.h> |
37 | | #include <common.h> |
38 | | #include <gnutls/abstract.h> |
39 | | #include <pk.h> |
40 | | |
41 | | /* This is the same as the _gnutls_x509_sign, but this one will decode |
42 | | * the asn1_node given, and sign the DER data. Actually used to get the DER |
43 | | * of the TBS and sign it on the fly. |
44 | | */ |
45 | | int |
46 | | _gnutls_x509_get_tbs(asn1_node cert, const char *tbs_name, gnutls_datum_t * tbs) |
47 | 0 | { |
48 | 0 | return _gnutls_x509_der_encode(cert, tbs_name, tbs, 0); |
49 | 0 | } |
50 | | |
51 | | int |
52 | | _gnutls_x509_crt_get_spki_params(gnutls_x509_crt_t crt, |
53 | | const gnutls_x509_spki_st * key_params, |
54 | | gnutls_x509_spki_st * params) |
55 | 0 | { |
56 | 0 | int result; |
57 | 0 | gnutls_x509_spki_st crt_params; |
58 | |
|
59 | 0 | result = _gnutls_x509_crt_read_spki_params(crt, &crt_params); |
60 | 0 | if (result < 0) { |
61 | 0 | gnutls_assert(); |
62 | 0 | return result; |
63 | 0 | } |
64 | | |
65 | 0 | if (crt_params.pk == GNUTLS_PK_RSA_PSS) { |
66 | 0 | if (key_params->pk == GNUTLS_PK_RSA_PSS) { |
67 | 0 | if (crt_params.rsa_pss_dig != key_params->rsa_pss_dig) { |
68 | 0 | gnutls_assert(); |
69 | 0 | return GNUTLS_E_CERTIFICATE_ERROR; |
70 | 0 | } |
71 | | |
72 | 0 | if (crt_params.salt_size < key_params->salt_size) { |
73 | 0 | gnutls_assert(); |
74 | 0 | return GNUTLS_E_CERTIFICATE_ERROR; |
75 | 0 | } |
76 | 0 | } else if (key_params->pk != GNUTLS_PK_RSA |
77 | 0 | && key_params->pk != GNUTLS_PK_UNKNOWN) { |
78 | 0 | gnutls_assert(); |
79 | 0 | return GNUTLS_E_CERTIFICATE_ERROR; |
80 | 0 | } |
81 | 0 | memcpy(params, &crt_params, sizeof(gnutls_x509_spki_st)); |
82 | 0 | } else { |
83 | 0 | memcpy(params, key_params, sizeof(gnutls_x509_spki_st)); |
84 | 0 | } |
85 | | |
86 | 0 | return 0; |
87 | 0 | } |
88 | | |
89 | | /*- |
90 | | * _gnutls_x509_pkix_sign - This function will sign a CRL or a certificate with a key |
91 | | * @src: should contain an asn1_node |
92 | | * @issuer: is the certificate of the certificate issuer |
93 | | * @issuer_key: holds the issuer's private key |
94 | | * |
95 | | * This function will sign a CRL or a certificate with the issuer's private key, and |
96 | | * will copy the issuer's information into the CRL or certificate. |
97 | | * |
98 | | * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a |
99 | | * negative error value. |
100 | | -*/ |
101 | | int |
102 | | _gnutls_x509_pkix_sign(asn1_node src, const char *src_name, |
103 | | gnutls_digest_algorithm_t dig, |
104 | | unsigned int flags, |
105 | | gnutls_x509_crt_t issuer, gnutls_privkey_t issuer_key) |
106 | 0 | { |
107 | 0 | int result; |
108 | 0 | gnutls_datum_t signature; |
109 | 0 | gnutls_datum_t tbs; |
110 | 0 | char name[128]; |
111 | 0 | gnutls_pk_algorithm_t pk; |
112 | 0 | gnutls_x509_spki_st key_params, params; |
113 | 0 | const gnutls_sign_entry_st *se; |
114 | |
|
115 | 0 | pk = gnutls_x509_crt_get_pk_algorithm(issuer, NULL); |
116 | 0 | if (pk == GNUTLS_PK_UNKNOWN) |
117 | 0 | pk = gnutls_privkey_get_pk_algorithm(issuer_key, NULL); |
118 | |
|
119 | 0 | result = _gnutls_privkey_get_spki_params(issuer_key, &key_params); |
120 | 0 | if (result < 0) { |
121 | 0 | gnutls_assert(); |
122 | 0 | return result; |
123 | 0 | } |
124 | | |
125 | 0 | result = _gnutls_x509_crt_get_spki_params(issuer, &key_params, ¶ms); |
126 | 0 | if (result < 0) { |
127 | 0 | gnutls_assert(); |
128 | 0 | return result; |
129 | 0 | } |
130 | | |
131 | 0 | result = _gnutls_privkey_update_spki_params(issuer_key, pk, dig, flags, |
132 | 0 | ¶ms); |
133 | 0 | if (result < 0) { |
134 | 0 | gnutls_assert(); |
135 | 0 | return result; |
136 | 0 | } |
137 | | |
138 | | /* Step 1. Copy the issuer's name into the certificate. |
139 | | */ |
140 | 0 | _gnutls_str_cpy(name, sizeof(name), src_name); |
141 | 0 | _gnutls_str_cat(name, sizeof(name), ".issuer"); |
142 | |
|
143 | 0 | result = |
144 | 0 | asn1_copy_node(src, name, issuer->cert, "tbsCertificate.subject"); |
145 | 0 | if (result != ASN1_SUCCESS) { |
146 | 0 | gnutls_assert(); |
147 | 0 | return _gnutls_asn2err(result); |
148 | 0 | } |
149 | | |
150 | | /* Step 1.5. Write the signature stuff in the tbsCertificate. |
151 | | */ |
152 | 0 | _gnutls_str_cpy(name, sizeof(name), src_name); |
153 | 0 | _gnutls_str_cat(name, sizeof(name), ".signature"); |
154 | |
|
155 | 0 | se = _gnutls_pk_to_sign_entry(params.pk, dig); |
156 | 0 | if (se == NULL) |
157 | 0 | return |
158 | 0 | gnutls_assert_val(GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM); |
159 | | |
160 | 0 | _gnutls_debug_log("signing structure using %s\n", se->name); |
161 | |
|
162 | 0 | result = _gnutls_x509_write_sign_params(src, name, se, ¶ms); |
163 | 0 | if (result < 0) { |
164 | 0 | gnutls_assert(); |
165 | 0 | return result; |
166 | 0 | } |
167 | | |
168 | | /* Step 2. Sign the certificate. |
169 | | */ |
170 | 0 | result = _gnutls_x509_get_tbs(src, src_name, &tbs); |
171 | |
|
172 | 0 | if (result < 0) { |
173 | 0 | gnutls_assert(); |
174 | 0 | return result; |
175 | 0 | } |
176 | | |
177 | 0 | FIX_SIGN_PARAMS(params, flags, dig); |
178 | |
|
179 | 0 | if (_gnutls_pk_is_not_prehashed(params.pk)) { |
180 | 0 | result = |
181 | 0 | privkey_sign_raw_data(issuer_key, se, &tbs, &signature, |
182 | 0 | ¶ms); |
183 | 0 | } else { |
184 | 0 | result = privkey_sign_and_hash_data(issuer_key, se, |
185 | 0 | &tbs, &signature, ¶ms); |
186 | 0 | } |
187 | 0 | gnutls_free(tbs.data); |
188 | |
|
189 | 0 | if (result < 0) { |
190 | 0 | gnutls_assert(); |
191 | 0 | return result; |
192 | 0 | } |
193 | | |
194 | | /* write the signature (bits) |
195 | | */ |
196 | 0 | result = |
197 | 0 | asn1_write_value(src, "signature", signature.data, |
198 | 0 | signature.size * 8); |
199 | |
|
200 | 0 | _gnutls_free_datum(&signature); |
201 | |
|
202 | 0 | if (result != ASN1_SUCCESS) { |
203 | 0 | gnutls_assert(); |
204 | 0 | return _gnutls_asn2err(result); |
205 | 0 | } |
206 | | |
207 | | /* Step 3. Move up and write the AlgorithmIdentifier, which is also |
208 | | * the same. |
209 | | */ |
210 | | |
211 | 0 | result = _gnutls_x509_write_sign_params(src, "signatureAlgorithm", |
212 | 0 | se, ¶ms); |
213 | 0 | if (result < 0) { |
214 | 0 | gnutls_assert(); |
215 | 0 | return result; |
216 | 0 | } |
217 | | |
218 | 0 | return 0; |
219 | 0 | } |