2 * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 #include "internal/cryptlib.h"
12 #include <openssl/bn.h>
13 #include <openssl/evp.h>
14 #include <openssl/asn1.h>
15 #include <openssl/asn1t.h>
16 #include <openssl/x509.h>
17 #include "crypto/x509.h"
18 #include <openssl/objects.h>
19 #include <openssl/buffer.h>
20 #include <openssl/pem.h>
22 X509_REQ
*X509_to_X509_REQ(X509
*x
, EVP_PKEY
*pkey
, const EVP_MD
*md
)
31 ERR_raise(ERR_LIB_X509
, ERR_R_MALLOC_FAILURE
);
37 ri
->version
->length
= 1;
38 ri
->version
->data
= OPENSSL_malloc(1);
39 if (ri
->version
->data
== NULL
)
41 ri
->version
->data
[0] = 0; /* version == 0 */
43 if (!X509_REQ_set_subject_name(ret
, X509_get_subject_name(x
)))
46 pktmp
= X509_get0_pubkey(x
);
49 i
= X509_REQ_set_pubkey(ret
, pktmp
);
54 if (!X509_REQ_sign(ret
, pkey
, md
))
63 EVP_PKEY
*X509_REQ_get_pubkey(X509_REQ
*req
)
67 return X509_PUBKEY_get(req
->req_info
.pubkey
);
70 EVP_PKEY
*X509_REQ_get0_pubkey(X509_REQ
*req
)
74 return X509_PUBKEY_get0(req
->req_info
.pubkey
);
77 X509_PUBKEY
*X509_REQ_get_X509_PUBKEY(X509_REQ
*req
)
79 return req
->req_info
.pubkey
;
82 int X509_REQ_check_private_key(X509_REQ
*x
, EVP_PKEY
*k
)
87 xk
= X509_REQ_get_pubkey(x
);
88 switch (EVP_PKEY_eq(xk
, k
)) {
93 ERR_raise(ERR_LIB_X509
, X509_R_KEY_VALUES_MISMATCH
);
96 ERR_raise(ERR_LIB_X509
, X509_R_KEY_TYPE_MISMATCH
);
100 if (EVP_PKEY_id(k
) == EVP_PKEY_EC
) {
101 ERR_raise(ERR_LIB_X509
, ERR_R_EC_LIB
);
105 #ifndef OPENSSL_NO_DH
106 if (EVP_PKEY_id(k
) == EVP_PKEY_DH
) {
108 ERR_raise(ERR_LIB_X509
, X509_R_CANT_CHECK_DH_KEY
);
112 ERR_raise(ERR_LIB_X509
, X509_R_UNKNOWN_KEY_TYPE
);
120 * It seems several organisations had the same idea of including a list of
121 * extensions in a certificate request. There are at least two OIDs that are
122 * used and there may be more: so the list is configurable.
125 static int ext_nid_list
[] = { NID_ext_req
, NID_ms_ext_req
, NID_undef
};
127 static int *ext_nids
= ext_nid_list
;
129 int X509_REQ_extension_nid(int req_nid
)
134 if (nid
== NID_undef
)
136 else if (req_nid
== nid
)
141 int *X509_REQ_get_extension_nids(void)
146 void X509_REQ_set_extension_nids(int *nids
)
151 STACK_OF(X509_EXTENSION
) *X509_REQ_get_extensions(X509_REQ
*req
)
153 X509_ATTRIBUTE
*attr
;
154 ASN1_TYPE
*ext
= NULL
;
156 const unsigned char *p
;
158 if ((req
== NULL
) || !ext_nids
)
160 for (pnid
= ext_nids
; *pnid
!= NID_undef
; pnid
++) {
161 idx
= X509_REQ_get_attr_by_NID(req
, *pnid
, -1);
164 attr
= X509_REQ_get_attr(req
, idx
);
165 ext
= X509_ATTRIBUTE_get0_type(attr
, 0);
168 if (!ext
|| (ext
->type
!= V_ASN1_SEQUENCE
))
170 p
= ext
->value
.sequence
->data
;
171 return (STACK_OF(X509_EXTENSION
) *)
172 ASN1_item_d2i(NULL
, &p
, ext
->value
.sequence
->length
,
173 ASN1_ITEM_rptr(X509_EXTENSIONS
));
177 * Add a STACK_OF extensions to a certificate request: allow alternative OIDs
178 * in case we want to create a non standard one.
181 int X509_REQ_add_extensions_nid(X509_REQ
*req
, STACK_OF(X509_EXTENSION
) *exts
,
186 unsigned char *ext
= NULL
;
187 /* Generate encoding of extensions */
188 extlen
= ASN1_item_i2d((ASN1_VALUE
*)exts
, &ext
,
189 ASN1_ITEM_rptr(X509_EXTENSIONS
));
192 rv
= X509_REQ_add1_attr_by_NID(req
, nid
, V_ASN1_SEQUENCE
, ext
, extlen
);
197 /* This is the normal usage: use the "official" OID */
198 int X509_REQ_add_extensions(X509_REQ
*req
, STACK_OF(X509_EXTENSION
) *exts
)
200 return X509_REQ_add_extensions_nid(req
, exts
, NID_ext_req
);
203 /* Request attribute functions */
205 int X509_REQ_get_attr_count(const X509_REQ
*req
)
207 return X509at_get_attr_count(req
->req_info
.attributes
);
210 int X509_REQ_get_attr_by_NID(const X509_REQ
*req
, int nid
, int lastpos
)
212 return X509at_get_attr_by_NID(req
->req_info
.attributes
, nid
, lastpos
);
215 int X509_REQ_get_attr_by_OBJ(const X509_REQ
*req
, const ASN1_OBJECT
*obj
,
218 return X509at_get_attr_by_OBJ(req
->req_info
.attributes
, obj
, lastpos
);
221 X509_ATTRIBUTE
*X509_REQ_get_attr(const X509_REQ
*req
, int loc
)
223 return X509at_get_attr(req
->req_info
.attributes
, loc
);
226 X509_ATTRIBUTE
*X509_REQ_delete_attr(X509_REQ
*req
, int loc
)
228 return X509at_delete_attr(req
->req_info
.attributes
, loc
);
231 int X509_REQ_add1_attr(X509_REQ
*req
, X509_ATTRIBUTE
*attr
)
233 if (X509at_add1_attr(&req
->req_info
.attributes
, attr
))
238 int X509_REQ_add1_attr_by_OBJ(X509_REQ
*req
,
239 const ASN1_OBJECT
*obj
, int type
,
240 const unsigned char *bytes
, int len
)
242 if (X509at_add1_attr_by_OBJ(&req
->req_info
.attributes
, obj
,
248 int X509_REQ_add1_attr_by_NID(X509_REQ
*req
,
250 const unsigned char *bytes
, int len
)
252 if (X509at_add1_attr_by_NID(&req
->req_info
.attributes
, nid
,
258 int X509_REQ_add1_attr_by_txt(X509_REQ
*req
,
259 const char *attrname
, int type
,
260 const unsigned char *bytes
, int len
)
262 if (X509at_add1_attr_by_txt(&req
->req_info
.attributes
, attrname
,
268 long X509_REQ_get_version(const X509_REQ
*req
)
270 return ASN1_INTEGER_get(req
->req_info
.version
);
273 X509_NAME
*X509_REQ_get_subject_name(const X509_REQ
*req
)
275 return req
->req_info
.subject
;
278 void X509_REQ_get0_signature(const X509_REQ
*req
, const ASN1_BIT_STRING
**psig
,
279 const X509_ALGOR
**palg
)
282 *psig
= req
->signature
;
284 *palg
= &req
->sig_alg
;
287 void X509_REQ_set0_signature(X509_REQ
*req
, ASN1_BIT_STRING
*psig
)
290 ASN1_BIT_STRING_free(req
->signature
);
291 req
->signature
= psig
;
294 int X509_REQ_set1_signature_algo(X509_REQ
*req
, X509_ALGOR
*palg
)
296 return X509_ALGOR_copy(&req
->sig_alg
, palg
);
299 int X509_REQ_get_signature_nid(const X509_REQ
*req
)
301 return OBJ_obj2nid(req
->sig_alg
.algorithm
);
304 int i2d_re_X509_REQ_tbs(X509_REQ
*req
, unsigned char **pp
)
306 req
->req_info
.enc
.modified
= 1;
307 return i2d_X509_REQ_INFO(&req
->req_info
, pp
);