]> git.ipfire.org Git - thirdparty/gnutls.git/commitdiff
Added gnutls_x509_crt_set_authority_info_access.
authorNikos Mavrogiannopoulos <nmav@gnutls.org>
Fri, 16 Mar 2012 16:22:26 +0000 (17:22 +0100)
committerNikos Mavrogiannopoulos <nmav@gnutls.org>
Fri, 16 Mar 2012 16:22:26 +0000 (17:22 +0100)
NEWS
lib/includes/gnutls/x509.h
lib/libgnutls.map
lib/x509/x509_write.c
src/certtool-args.def
src/certtool-cfg.c
src/certtool-cfg.h
src/certtool.c

diff --git a/NEWS b/NEWS
index 45c7a6396f0d1c1090de82de3d5311fcb0a5167f..f747ce085c2dc3c396f9cc1d5f57a9a8124af612 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -14,10 +14,11 @@ See the end for copying conditions.
 line option.
 
 ** certtool: The template option allows for setting the domain
-component (DC) option of the distinguished name.
+component (DC) option of the distinguished name, and the ocsp_uri
+as well as the ca_issuers_uri options.
 
 ** API and ABI modifications:
-No changes since last version.
+gnutls_x509_crt_set_authority_info_access: Added
 
 
 * Version 3.0.15 (released 2012-03-02)
index a0b11f14181c133edc686150ce2221436b6fba50..ac6de535957c12ef766823bf95fd19440beb3ede 100644 (file)
@@ -295,6 +295,9 @@ extern "C"
                                      unsigned int *critical);
   int gnutls_x509_crt_set_key_usage (gnutls_x509_crt_t crt,
                                      unsigned int usage);
+  int gnutls_x509_crt_set_authority_info_access (gnutls_x509_crt_t crt,
+                                                int what,
+                                                gnutls_datum_t * data);
 
   int gnutls_x509_crt_get_proxy (gnutls_x509_crt_t cert,
                                  unsigned int *critical,
index 5849918055abd0100ba76846f325b94b9e03083d..519d5fcbd7e1945210b907238d93e894f20bc65e 100644 (file)
@@ -780,6 +780,7 @@ GNUTLS_3_0_0 {
        gnutls_tdb_set_store_commitment_func;
        gnutls_tdb_set_verify_func;
        gnutls_tdb_deinit;
+       gnutls_x509_crt_set_authority_info_access;
 } GNUTLS_2_12;
 
 GNUTLS_PRIVATE {
index 4e3149357bd648d0332af9bc8e22c5b9f300df72..e2a28c4e85c712fda3c9d74e6022790540c5dd93 100644 (file)
@@ -1337,3 +1337,138 @@ gnutls_x509_crt_privkey_sign (gnutls_x509_crt_t crt, gnutls_x509_crt_t issuer,
 
   return 0;
 }
+
+static const char* what_to_oid(int what)
+{
+  switch(what)
+    {
+      case GNUTLS_IA_OCSP_URI:
+        return GNUTLS_OID_AD_OCSP;
+      case GNUTLS_IA_CAISSUERS_URI:
+        return GNUTLS_OID_AD_CAISSUERS;
+      default:
+        return NULL;
+    }
+}
+
+/**
+ * gnutls_x509_crt_set_authority_info_access:
+ * @crt: Holds the certificate
+ * @what: what data to get, a #gnutls_info_access_what_t type.
+ * @data: output data to be freed with gnutls_free().
+ *
+ * This function sets the Authority Information Access (AIA)
+ * extension, see RFC 5280 section 4.2.2.1 for more information.  
+ *
+ * The type of data stored in @data is specified via @what which
+ * should be #gnutls_info_access_what_t values.
+ *
+ * If @what is %GNUTLS_IA_OCSP_URI, @data will hold the OCSP URI.
+ * If @what is %GNUTLS_IA_CAISSUERS_URI, @data will hold the caIssuers
+ * URI.  
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
+ *   negative error value.
+ *
+ * Since: 3.0
+ **/
+int
+gnutls_x509_crt_set_authority_info_access (gnutls_x509_crt_t crt,
+                                          int what,
+                                          gnutls_datum_t * data)
+{
+  int ret, result;
+  gnutls_datum_t aia = { NULL, 0 };
+  gnutls_datum_t der_data = { NULL, 0 };
+  ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
+  const char* oid;
+  unsigned int c;
+
+  if (crt == NULL)
+    return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+  
+  oid = what_to_oid(what);
+  if (oid == NULL)
+    return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+
+  ret = asn1_create_element (_gnutls_get_pkix (),
+                            "PKIX1.AuthorityInfoAccessSyntax", &c2);
+  if (ret != ASN1_SUCCESS)
+    {
+      gnutls_assert ();
+      return _gnutls_asn2err (ret);
+    }
+
+  ret = _gnutls_x509_crt_get_extension (crt, GNUTLS_OID_AIA, 0, &aia,
+                                       &c);
+  if (ret >= 0) /* decode it */
+    {
+      ret = asn1_der_decoding (&c2, aia.data, aia.size, NULL);
+      if (ret != ASN1_SUCCESS)
+        {
+          gnutls_assert ();
+          ret = _gnutls_asn2err (ret);
+          goto cleanup;
+        }
+    }
+
+  /* generate the extension.
+   */
+  /* 1. create a new element.
+   */
+  result = asn1_write_value (c2, "", "NEW", 1);
+  if (result != ASN1_SUCCESS)
+    {
+      gnutls_assert ();
+      ret = _gnutls_asn2err (result);
+      goto cleanup;
+    }
+
+  /* 2. Add the OID.
+   */
+  result = asn1_write_value (c2, "?LAST.accessMethod", oid, 1);
+  if (result != ASN1_SUCCESS)
+    {
+      gnutls_assert ();
+      ret = _gnutls_asn2err (result);
+      goto cleanup;
+    }
+
+  /* accessLocation is a choice */
+  result = asn1_write_value (c2, "?LAST.accessLocation", "uniformResourceIdentifier", 1);
+  if (result != ASN1_SUCCESS)
+    {
+      gnutls_assert ();
+      ret = _gnutls_asn2err (result);
+      goto cleanup;
+    }
+
+  result = asn1_write_value (c2, "?LAST.accessLocation.uniformResourceIdentifier", data->data, data->size);
+  if (result != ASN1_SUCCESS)
+    {
+      gnutls_assert ();
+      ret = _gnutls_asn2err (result);
+      goto cleanup;
+    }
+
+  ret = _gnutls_x509_der_encode (c2, "", &der_data, 0);
+  if (ret < 0)
+    {
+      gnutls_assert ();
+      goto cleanup;
+    }
+
+  ret = _gnutls_x509_crt_set_extension (crt, GNUTLS_OID_AIA,
+                                        &der_data, 0);
+  if (ret < 0)
+    gnutls_assert ();
+
+  crt->use_extensions = 1;
+
+cleanup:
+  _gnutls_free_datum (&der_data);
+  _gnutls_free_datum(&aia);
+  asn1_delete_structure (&c2);
+  
+  return ret;
+}
index c9726af4962f88078b1ea0a9f6a5913dacae0149..27d14d9b6d145d53761bfe2f2b52319ed0df10d2 100644 (file)
@@ -616,6 +616,12 @@ signing_key
 #path_len = -1
 #path_len = 2
 
+# OCSP URI
+# ocsp_uri = http://my.ocsp.server/ocsp
+
+# CA issuers URI
+# ca_issuers_uri = http://my.ca.issuer
+
 # Options for proxy certificates
 # proxy_policy_language = 1.3.6.1.5.5.7.21.1
 
index f92a5075b926620e299d0b6002e0243ac97620ba..d47ef764ef88237af4998884f4e278261e6f9539 100644 (file)
@@ -88,6 +88,8 @@ typedef struct _cfg_ctx
   int crl_number;
   int crq_extensions;
   char *proxy_policy_language;
+  char **ocsp_uris;
+  char **ca_issuers_uris;
 } cfg_ctx;
 
 cfg_ctx cfg;
@@ -254,6 +256,9 @@ template_parse (const char *template)
   val = optionGetValue(pov, "proxy_policy_language");
   if (val != NULL && val->valType == OPARG_TYPE_STRING)
     cfg.proxy_policy_language = strdup(val->v.strVal);
+
+  READ_MULTI_LINE("ocsp_uri", cfg.ocsp_uris);
+  READ_MULTI_LINE("ca_issuers_uri", cfg.ca_issuers_uris);
   
   READ_BOOLEAN("ca", cfg.ca);
   READ_BOOLEAN("honor_crq_extensions", cfg.crq_extensions);
@@ -704,7 +709,60 @@ get_key_purpose_set (gnutls_x509_crt_t crt)
             }
         }
     }
+}
+
+void
+get_ocsp_issuer_set (gnutls_x509_crt_t crt)
+{
+  int ret, i;
+  gnutls_datum_t uri;
+
+  if (batch)
+    {
+      if (!cfg.ocsp_uris)
+        return;
+      for (i = 0; cfg.ocsp_uris[i] != NULL; i++)
+        {
+          uri.data = cfg.ocsp_uris[i];
+          uri.size = strlen(cfg.ocsp_uris[i]);
+          ret =
+            gnutls_x509_crt_set_authority_info_access (crt, GNUTLS_IA_OCSP_URI,
+                                                       &uri);
+          if (ret < 0)
+            {
+              fprintf (stderr, "set OCSP URI (%s): %s\n",
+                       cfg.ocsp_uris[i], gnutls_strerror (ret));
+              exit (1);
+            }
+        }
+    }
+}
 
+void
+get_ca_issuers_set (gnutls_x509_crt_t crt)
+{
+  int ret, i;
+  gnutls_datum_t uri;
+
+  if (batch)
+    {
+      if (!cfg.ca_issuers_uris)
+        return;
+      for (i = 0; cfg.ca_issuers_uris[i] != NULL; i++)
+        {
+          uri.data = cfg.ca_issuers_uris[i];
+          uri.size = strlen(cfg.ca_issuers_uris[i]);
+          ret =
+            gnutls_x509_crt_set_authority_info_access (crt, GNUTLS_IA_CAISSUERS_URI,
+                                                       &uri);
+          if (ret < 0)
+            {
+              fprintf (stderr, "set CA ISSUERS URI (%s): %s\n",
+                       cfg.ca_issuers_uris[i], gnutls_strerror (ret));
+              exit (1);
+            }
+        }
+    }
 }
 
 
index 9587f8635e0eafa08544cbbe57a8f3adf629a4c1..5181425ae242fbcd700a286bc6151b4a0ee359e0 100644 (file)
@@ -70,6 +70,8 @@ void get_dns_name_set (int type, void *crt);
 void get_email_set (int type, void *crt);
 int get_ipsec_ike_status (void);
 void get_dc_set (int type, void *crt);
+void get_ca_issuers_set (gnutls_x509_crt_t crt);
+void get_ocsp_issuer_set (gnutls_x509_crt_t crt);
 
 void get_cn_crq_set (gnutls_x509_crq_t crq);
 void get_uid_crq_set (gnutls_x509_crq_t crq);
index a8bd26b67c8480c015efa6df8dded774bf136808..df2303304fa87bcc37019f50c97ce059569a7f50 100644 (file)
@@ -584,6 +584,8 @@ generate_certificate (gnutls_privkey_t * ret_key,
                        gnutls_strerror (result));
             }
         }
+      get_ocsp_issuer_set(crt);
+      get_ca_issuers_set(crt);
 
       if (usage != 0)
         {