crypto/x509/x509_req.c

   1 /*
   2  * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
   3  *
   4  * Licensed under the Apache License 2.0 (the "License").  You may not use
   5  * this file except in compliance with the License.  You can obtain a copy
   6  * in the file LICENSE in the source distribution or at
   7  * https://www.openssl.org/source/license.html
   8  */
   9
  10 #include <stdio.h>
  11 #include "internal/cryptlib.h"
  12 #include <openssl/bn.h>
  13 #include <openssl/evp.h>
  14 #include <openssl/asn1.h>
  15 #include <openssl/asn1t.h>
  16 #include <openssl/x509.h>
  17 #include "crypto/x509.h"
  18 #include <openssl/objects.h>
  19 #include <openssl/buffer.h>
  20 #include <openssl/pem.h>
  21
  22 X509_REQ *X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, const EVP_MD *md)
  23 {
  24     X509_REQ *ret;
  25     X509_REQ_INFO *ri;
  26     int i;
  27     EVP_PKEY *pktmp;
  28
  29     ret = X509_REQ_new_ex(x->libctx, x->propq);
  30     if (ret == NULL) {
  31         ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE);
  32         goto err;
  33     }
  34
  35     ri = &ret->req_info;
  36
  37     ri->version->length = 1;
  38     ri->version->data = OPENSSL_malloc(1);
  39     if (ri->version->data == NULL)
  40         goto err;
  41     ri->version->data[0] = 0;   /* version == 0 */
  42
  43     if (!X509_REQ_set_subject_name(ret, X509_get_subject_name(x)))
  44         goto err;
  45
  46     pktmp = X509_get0_pubkey(x);
  47     if (pktmp == NULL)
  48         goto err;
  49     i = X509_REQ_set_pubkey(ret, pktmp);
  50     if (!i)
  51         goto err;
  52
  53     if (pkey != NULL) {
  54         if (!X509_REQ_sign(ret, pkey, md))
  55             goto err;
  56     }
  57     return ret;
  58  err:
  59     X509_REQ_free(ret);
  60     return NULL;
  61 }
  62
  63 EVP_PKEY *X509_REQ_get_pubkey(X509_REQ *req)
  64 {
  65     if (req == NULL)
  66         return NULL;
  67     return X509_PUBKEY_get(req->req_info.pubkey);
  68 }
  69
  70 EVP_PKEY *X509_REQ_get0_pubkey(const X509_REQ *req)
  71 {
  72     if (req == NULL)
  73         return NULL;
  74     return X509_PUBKEY_get0(req->req_info.pubkey);
  75 }
  76
  77 X509_PUBKEY *X509_REQ_get_X509_PUBKEY(X509_REQ *req)
  78 {
  79     return req->req_info.pubkey;
  80 }
  81
  82 int X509_REQ_check_private_key(const X509_REQ *req, EVP_PKEY *pkey)
  83 {
  84     return ossl_x509_check_private_key(X509_REQ_get0_pubkey(req), pkey);
  85 }
  86
  87 /*
  88  * It seems several organisations had the same idea of including a list of
  89  * extensions in a certificate request. There are at least two OIDs that are
  90  * used and there may be more: so the list is configurable.
  91  */
  92
  93 static int ext_nid_list[] = { NID_ext_req, NID_ms_ext_req, NID_undef };
  94
  95 static int *ext_nids = ext_nid_list;
  96
  97 int X509_REQ_extension_nid(int req_nid)
  98 {
  99     int i, nid;
 100
 101     for (i = 0;; i++) {
 102         nid = ext_nids[i];
 103         if (nid == NID_undef)
 104             return 0;
 105         else if (req_nid == nid)
 106             return 1;
 107     }
 108 }
 109
 110 int *X509_REQ_get_extension_nids(void)
 111 {
 112     return ext_nids;
 113 }
 114
 115 void X509_REQ_set_extension_nids(int *nids)
 116 {
 117     ext_nids = nids;
 118 }
 119
 120 STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req)
 121 {
 122     X509_ATTRIBUTE *attr;
 123     ASN1_TYPE *ext = NULL;
 124     int idx, *pnid;
 125     const unsigned char *p;
 126
 127     if (req == NULL || !ext_nids)
 128         return NULL;
 129     for (pnid = ext_nids; *pnid != NID_undef; pnid++) {
 130         idx = X509_REQ_get_attr_by_NID(req, *pnid, -1);
 131         if (idx < 0)
 132             continue;
 133         attr = X509_REQ_get_attr(req, idx);
 134         ext = X509_ATTRIBUTE_get0_type(attr, 0);
 135         break;
 136     }
 137     if (ext == NULL) /* no extensions is not an error */
 138         return sk_X509_EXTENSION_new_null();
 139     if (ext->type != V_ASN1_SEQUENCE) {
 140         ERR_raise(ERR_LIB_X509, X509_R_WRONG_TYPE);
 141         return NULL;
 142     }
 143     p = ext->value.sequence->data;
 144     return (STACK_OF(X509_EXTENSION) *)
 145         ASN1_item_d2i(NULL, &p, ext->value.sequence->length,
 146                       ASN1_ITEM_rptr(X509_EXTENSIONS));
 147 }
 148
 149 /*
 150  * Add a STACK_OF extensions to a certificate request: allow alternative OIDs
 151  * in case we want to create a non standard one.
 152  */
 153 int X509_REQ_add_extensions_nid(X509_REQ *req,
 154                                 const STACK_OF(X509_EXTENSION) *exts, int nid)
 155 {
 156     int extlen;
 157     int rv = 0;
 158     unsigned char *ext = NULL;
 159
 160     /* Generate encoding of extensions */
 161     extlen = ASN1_item_i2d((const ASN1_VALUE *)exts, &ext,
 162                            ASN1_ITEM_rptr(X509_EXTENSIONS));
 163     if (extlen <= 0)
 164         return 0;
 165     rv = X509_REQ_add1_attr_by_NID(req, nid, V_ASN1_SEQUENCE, ext, extlen);
 166     OPENSSL_free(ext);
 167     return rv;
 168 }
 169
 170 /* This is the normal usage: use the "official" OID */
 171 int X509_REQ_add_extensions(X509_REQ *req, const STACK_OF(X509_EXTENSION) *exts)
 172 {
 173     return X509_REQ_add_extensions_nid(req, exts, NID_ext_req);
 174 }
 175
 176 /* Request attribute functions */
 177
 178 int X509_REQ_get_attr_count(const X509_REQ *req)
 179 {
 180     return X509at_get_attr_count(req->req_info.attributes);
 181 }
 182
 183 int X509_REQ_get_attr_by_NID(const X509_REQ *req, int nid, int lastpos)
 184 {
 185     return X509at_get_attr_by_NID(req->req_info.attributes, nid, lastpos);
 186 }
 187
 188 int X509_REQ_get_attr_by_OBJ(const X509_REQ *req, const ASN1_OBJECT *obj,
 189                              int lastpos)
 190 {
 191     return X509at_get_attr_by_OBJ(req->req_info.attributes, obj, lastpos);
 192 }
 193
 194 X509_ATTRIBUTE *X509_REQ_get_attr(const X509_REQ *req, int loc)
 195 {
 196     return X509at_get_attr(req->req_info.attributes, loc);
 197 }
 198
 199 X509_ATTRIBUTE *X509_REQ_delete_attr(X509_REQ *req, int loc)
 200 {
 201     X509_ATTRIBUTE *attr;
 202
 203     if (req == NULL) {
 204         ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER);
 205         return 0;
 206     }
 207     attr = X509at_delete_attr(req->req_info.attributes, loc);
 208     if (attr != NULL)
 209         req->req_info.enc.modified = 1;
 210     return attr;
 211 }
 212
 213 int X509_REQ_add1_attr(X509_REQ *req, X509_ATTRIBUTE *attr)
 214 {
 215     if (req == NULL) {
 216         ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER);
 217         return 0;
 218     }
 219     if (!X509at_add1_attr(&req->req_info.attributes, attr))
 220         return 0;
 221     req->req_info.enc.modified = 1;
 222     return 1;
 223 }
 224
 225 int X509_REQ_add1_attr_by_OBJ(X509_REQ *req,
 226                               const ASN1_OBJECT *obj, int type,
 227                               const unsigned char *bytes, int len)
 228 {
 229     if (req == NULL) {
 230         ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER);
 231         return 0;
 232     }
 233     if (!X509at_add1_attr_by_OBJ(&req->req_info.attributes, obj,
 234                                  type, bytes, len))
 235         return 0;
 236     req->req_info.enc.modified = 1;
 237     return 1;
 238 }
 239
 240 int X509_REQ_add1_attr_by_NID(X509_REQ *req,
 241                               int nid, int type,
 242                               const unsigned char *bytes, int len)
 243 {
 244     if (req == NULL) {
 245         ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER);
 246         return 0;
 247     }
 248     if (!X509at_add1_attr_by_NID(&req->req_info.attributes, nid,
 249                                  type, bytes, len))
 250         return 0;
 251     req->req_info.enc.modified = 1;
 252     return 1;
 253 }
 254
 255 int X509_REQ_add1_attr_by_txt(X509_REQ *req,
 256                               const char *attrname, int type,
 257                               const unsigned char *bytes, int len)
 258 {
 259     if (req == NULL) {
 260         ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER);
 261         return 0;
 262     }
 263     if (!X509at_add1_attr_by_txt(&req->req_info.attributes, attrname,
 264                                  type, bytes, len))
 265         return 0;
 266     req->req_info.enc.modified = 1;
 267     return 1;
 268 }
 269
 270 long X509_REQ_get_version(const X509_REQ *req)
 271 {
 272     return ASN1_INTEGER_get(req->req_info.version);
 273 }
 274
 275 X509_NAME *X509_REQ_get_subject_name(const X509_REQ *req)
 276 {
 277     return req->req_info.subject;
 278 }
 279
 280 void X509_REQ_get0_signature(const X509_REQ *req, const ASN1_BIT_STRING **psig,
 281                              const X509_ALGOR **palg)
 282 {
 283     if (psig != NULL)
 284         *psig = req->signature;
 285     if (palg != NULL)
 286         *palg = &req->sig_alg;
 287 }
 288
 289 void X509_REQ_set0_signature(X509_REQ *req, ASN1_BIT_STRING *psig)
 290 {
 291     if (req->signature)
 292         ASN1_BIT_STRING_free(req->signature);
 293     req->signature = psig;
 294 }
 295
 296 int X509_REQ_set1_signature_algo(X509_REQ *req, X509_ALGOR *palg)
 297 {
 298     return X509_ALGOR_copy(&req->sig_alg, palg);
 299 }
 300
 301 int X509_REQ_get_signature_nid(const X509_REQ *req)
 302 {
 303     return OBJ_obj2nid(req->sig_alg.algorithm);
 304 }
 305
 306 int i2d_re_X509_REQ_tbs(X509_REQ *req, unsigned char **pp)
 307 {
 308     if (req == NULL) {
 309         ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER);
 310         return 0;
 311     }
 312     if (!i2d_X509_REQ_INFO(&req->req_info, pp))
 313         return 0;
 314     req->req_info.enc.modified = 1;
 315     return 1;
 316 }