1
  
2
  
3
  
4
  
5
  
6
  
7
  
8
  
9
  
10
  
11
  
12
  
13
  
14
  
15
  
16
  
17
  
18
  
19
  
20
  
21
  
22
  
23
  
24
  
25
  
26
  
27
  
28
  
29
  
30
  
31
  
32
  
33
  
34
  
35
  
36
  
37
  
38
  
39
  
40
  
41
  
42
  
43
  
44
  
45
  
46
  
47
  
48
  
49
  
50
  
51
  
52
  
53
  
54
  
55
  
56
  
57
  
58
  
59
  
60
  
61
  
62
  
63
  
64
  
65
  
66
  
67
  
68
  
69
  
70
  
71
  
72
  
73
  
74
  
75
  
76
  
77
  
78
  
79
  
80
  
81
  
82
  
83
  
84
  
85
  
86
  
87
  
88
  
89
  
90
  
91
  
92
  
93
  
94
  
95
  
96
  
97
  
98
  
99
  
100
  
101
  
102
  
103
  
104
  
105
  
106
  
107
  
108
  
109
  
110
  
111
  
112
  
113
  
114
  
115
  
116
  
117
  
118
  
119
  
120
  
121
  
122
  
123
  
124
  
125
  
126
  
127
  
128
  
129
  
130
  
131
  
132
  
133
  
134
  
135
  
136
  
137
  
138
  
139
  
140
  
141
  
142
  
143
  
144
  
145
  
146
  
147
  
148
  
149
  
150
  
151
  
152
  
153
  
154
  
155
  
156
  
157
  
158
  
159
  
160
  
161
  
//! Handling of Certificate Signing Requests (PKCS-10, @rfc{2314@}, 
//! @rfc{2986@}) 
 
#pike __REAL_VERSION__ 
// #pragma strict_types 
#require constant(Crypto.RSA) 
 
import Standards.ASN1.Types; 
 
// NOTE: RFC 2314 6.1 says that the tag is IMPLICIT, and 
//       RFC 2986 4.1 says that the tag is EXPLICIT! 
// 
// OpenSSL seems to use IMPLICIT tagging, 
// so this is probably correct. 
//! 
class CRIAttributes 
{ 
  inherit .Certificate.Attributes; 
  int(0..3) cls = 2; 
  int(1..) tag = 0; 
} 
 
// FIXME: Mark as deprecated! 
constant CSR_Attributes = CRIAttributes; 
 
//! CertificationRequestInfo 
//! 
//! This is the data that is signed by @[sign_cri()]. 
class CRI 
{ 
  inherit Sequence; 
 
  //! 
  void `version=(int v) 
  { 
    der = UNDEFINED; 
    if (v != 1) { 
      error("Only version 1 is supported.\n"); 
    } 
    elements[0] = Integer(v-1); 
  } 
  int `version() 
  { 
    return elements[0]->value + 1; 
  } 
 
  //! Certificate subject. 
  void `subject=(Sequence i) 
  { 
    der = UNDEFINED; 
    elements[1] = i; 
  } 
  Sequence `subject() 
  { 
    return elements[1]; 
  } 
 
  //! Public key information. 
  void `keyinfo=(Sequence ki) 
  { 
    der = UNDEFINED; 
    elements[2] = ki; 
  } 
  Sequence `keyinfo() 
  { 
    return elements[2]; 
  } 
 
  //! Subject attributes. 
  void `attributes=(Set|CRIAttributes attrs) 
  { 
    der = UNDEFINED; 
    if ((attrs->type_name != "SET") && 
        (attrs->type_name != "CONSTRUCTED")) { 
      error("Invalid attributes: %O.\n", attrs->type_name); 
    } 
    if ((attrs->get_cls() != 2) || attrs->get_tag() || attrs->raw) { 
      attrs = CRIAttributes(attrs->elements); 
    } 
    elements[3] = attrs; 
  } 
  CRIAttributes `attributes() 
  { 
    return elements[3]; 
  } 
 
  protected void create(Sequence|void asn1) 
  { 
    if (asn1) { 
      if ((asn1->type_name != "SEQUENCE") || 
          (sizeof(asn1->elements) != 4) || 
          (asn1[0]->type_name != "INTEGER") || 
          asn1[0]->value) { 
        error("Invalid CRI."); 
      } 
      elements = asn1->elements; 
      attributes = elements[3]; 
    } else { 
      elements = ({ 
        Integer(0),         // version (v1) 
        Null,                       // subject 
        Null,                       // subjectPKInfo 
        CRIAttributes(({})),    // attributes 
      }); 
    } 
  } 
} 
 
//! Sign a @[CRI] to generate a Certificate Signing Request. 
//! 
//! @param cri 
//!   CertificationRequestInfo to sign. 
//! 
//! @param sign 
//!   Signature to use. Must have a private key set that matches 
//!   the public key in the keyinfo in @[cri]. 
//! 
//! @param hash 
//!   Hash algorithm to use for the signature. 
Sequence sign_cri(CRI cri, Crypto.Sign sign, Crypto.Hash hash) 
{ 
  return Standards.PKCS.Signature.sign(cri, sign, hash); 
} 
 
//! Build a Certificate Signing Request. 
//! 
//! @param sign 
//!   Signature algorithm for the certificate. Both private and 
//!   public keys must be set. 
//! 
//! @param name 
//!   The distinguished name for the certificate. 
//! 
//! @param attributes 
//!   Attributes from PKCS #9 to add to the certificate. 
//! 
//! @param hash 
//!   Hash algoritm to use for the CSR signature. 
//!   Defaults to @[Crypto.SHA256]. 
//! 
//! @note 
//!   Prior to Pike 8.0 this function only supported signing 
//!   with @[Crypto.RSA] and the default (and only) hash was 
//!   @[Crypto.MD5]. 
Sequence build_csr(Crypto.Sign sign, Sequence name, 
                   mapping(string:array(Object)) attributes, 
                   Crypto.Hash|void hash) 
{ 
  Sequence info = Sequence( ({ Integer(0),      // v1 
                               name, 
                               sign->pkcs_public_key(), 
                               CRIAttributes(.Identifiers.attribute_ids, 
                                             attributes) }) ); 
  hash = hash || Crypto.SHA256; 
  return Sequence( ({ info, 
                      sign->pkcs_signature_algorithm_id(hash), 
                      BitString(sign->pkcs_sign(info->get_der(), hash)) 
                   }) ); 
}