I'm building an X509 certificate using the OpenSSL API. I want to sign this certificate using a third-party API which receives a char* with the data to sign (plus a few parameters selecting which private key to use) and returns the signature.
What I want to ask is whether a function exists in OpenSSL which just puts the signature into the certificate, because X509_sign() does a lot of things but needs the private key...
I have an approach for doing that, but I want to know whether I'm missing something in the X509_INFO part and whether I'm setting the signature data correctly.
The certificate is generated correctly, but I don't know whether I'm sending all the information or whether I'm putting the signature in correctly.
This is how I'm creating the certificate:
// Fragment of a larger certificate-building routine: `certificate`, `subject`,
// `issuer`, `subjectPubKey`, `serialNumber`, `errorHandler`, `printer`, the
// X509_* constants, RETURN_OK and the `exitFailure` label are all declared
// outside this excerpt. Every step follows the same pattern: call the OpenSSL
// setter, report through errorHandler on failure, and jump to the shared
// cleanup label.
//
// NOTE(review): nothing in this excerpt sets the inner algorithm identifier
// `certificate->cert_info->signature`. That field is part of the TBSCertificate
// that gets signed, and RFC 5280 s4.1.2.3 requires it to equal the outer
// signatureAlgorithm, so it should be set here (before the TBS is DER-encoded
// for signing), not only on `certificate->sig_alg` afterwards.
//Setting version
// X509_VERSION is presumably 2 (= X509v3, zero-based) -- confirm against its definition.
if(X509_set_version(certificate, X509_VERSION) != RETURN_OK)
{
errorHandler->returnError(printer, "Unable to set the version to the certificate.", BUILDING_X509_CERTIFICATE);
goto exitFailure;
}
//Setting serial number
// The serial is supplied by the caller; a CA should guarantee it is positive
// and unique per issuer (RFC 5280 s4.1.2.2) -- not checked here.
if(ASN1_INTEGER_set(X509_get_serialNumber(certificate), serialNumber) != RETURN_OK)
{
errorHandler->returnError(printer, "Unable to set the serial number to the certificate.", BUILDING_X509_CERTIFICATE);
goto exitFailure;
}
//Setting the subject
if(X509_set_subject_name(certificate, subject) != RETURN_OK)
{
errorHandler->returnError(printer, "Unable to set the subject to the certificate.", BUILDING_X509_CERTIFICATE);
goto exitFailure;
}
//Setting the issuer
// NOTE(review): for the chain to validate, `issuer` must be byte-identical to
// the subject name of the certificate whose key `sign_binary` uses -- verify
// where `issuer` is built.
if(X509_set_issuer_name(certificate, issuer) != RETURN_OK)
{
errorHandler->returnError(printer, "Unable to set the issuer to the certificate.", BUILDING_X509_CERTIFICATE);
goto exitFailure;
}
//Setting the public key
if(X509_set_pubkey(certificate, subjectPubKey) != RETURN_OK)
{
errorHandler->returnError(printer, "Unable to set the public key to the certificate.", BUILDING_X509_CERTIFICATE);
goto exitFailure;
}
//Setting the not before
// X509_gmtime_adj() returns NULL on failure, hence the `!` check rather than
// a RETURN_OK comparison. Offsets are seconds relative to the current time.
if(!X509_gmtime_adj(X509_get_notBefore(certificate), X509_VALIDITY_NOT_BEFORE))
{
errorHandler->returnError(printer, "Unable to set the not before to the certificate.", BUILDING_X509_CERTIFICATE);
goto exitFailure;
}
//Setting the not after
if(!X509_gmtime_adj(X509_get_notAfter(certificate), X509_VALIDITY_NOT_AFTER))
{
errorHandler->returnError(printer, "Unable to set the not after to the certificate.", BUILDING_X509_CERTIFICATE);
goto exitFailure;
}
And this is how I retrieve the CERT_INFO in DER format (the data that I send to my third-party API as a char*):
//Preparing the data to sign
// DER-encode the TBSCertificate (cert_info). Direct access to `cert_info` only
// compiles against OpenSSL <= 1.0.2; the struct is opaque from 1.1.0 on.
// Assumes `certificateInfoToSign` is NULL on entry so that i2d allocates the
// output buffer -- TODO confirm; if it already points at a buffer, i2d writes
// into it and advances the pointer instead. The allocated buffer is owned by
// the caller and must be released with OPENSSL_free(), not delete[].
// The return value is the encoded length, negative on error; only the pointer
// is checked below, so a negative length would not be caught here.
// NOTE(review): the encoding includes cert_info->signature (the inner
// AlgorithmIdentifier); if that field is not populated before this call, the
// signed bytes will not match a certificate whose inner algorithm is later
// filled in, and validators that compare inner and outer algorithms will fail.
certificateInfoToSignLenght = i2d_X509_CINF(certificate->cert_info, &certificateInfoToSign);
if(!certificateInfoToSign)
{
errorHandler->returnError(printer, "Unable to convert the certificate info in DER format.", SIGNING_X509_CERTIFICATE);
goto exitFailure;
}
And I send it to my third-party function, which returns the signature:
// Third-party signing call (declared outside this excerpt). Per the question
// it hashes the DER TBS with SHA-256 and produces an RSA (SHA256withRSA)
// signature; `keyID` selects the private key. `signature`, `signatureLenght`,
// `signaturePublicKey` and `signaturePublicKeyLenght` are caller-owned
// buffers/lengths declared elsewhere -- their capacity must cover the RSA
// modulus size for the selected key (not visible here).
// NOTE(review): `certificateInfoToSignLenght` is the int returned by i2d, but
// it is passed as `unsigned int*`; the cast type-puns the object and also lets
// the callee modify the length -- confirm the API contract.
// NOTE(review): the returned `signaturePublicKey` could be compared against
// the issuer's expected public key as a cheap check that `keyID` selected the
// intended signing key. The return value of sign_binary is not checked.
sign_binary(&keyID, certificateInfoToSign,
(unsigned int*)&certificateInfoToSignLenght, signature, &signatureLenght,
signaturePublicKey, &signaturePublicKeyLenght);
And finally, I'm setting the signature and the algorithm (the third-party API only generates signatures as SHA256withRSA):
//Adding signing algorithm
// NOTE(review): `signatureType` is allocated here but never freed (X509_ALGOR_free);
// only its `algorithm` pointer is copied into the certificate below.
signatureType = X509_ALGOR_new();
// DEFAULT_SIGNATURE_ALGORITHM is presumably NID_sha256WithRSAEncryption -- confirm.
// For built-in NIDs OBJ_nid2obj() returns a pointer to OpenSSL's static table,
// so sharing it between two X509_ALGORs is fine and it must not be freed.
signatureTypeObject = OBJ_nid2obj(DEFAULT_SIGNATURE_ALGORITHM);
if(!signatureTypeObject)
{
errorHandler->returnError(printer, "Unable to create signature algorithm.", SIGNING_X509_CERTIFICATE);
goto exitFailure;
}
signatureType->algorithm = signatureTypeObject;
// Only the outer signatureAlgorithm is set; the inner
// `certificate->cert_info->signature` is left untouched, yet RFC 5280 s4.1.2.3
// requires both to match. `sig_alg->parameter` is also left unset: for
// sha256WithRSAEncryption RFC 4055 s5 requires an explicit ASN.1 NULL, which
// X509_sign() would have set via X509_ALGOR_set0(alg, obj, V_ASN1_NULL, NULL).
certificate->sig_alg->algorithm = signatureType->algorithm;
//Adding the signed data to the certificate
// NOTE(review): `signature->data` is allocated with C++ new[] but OpenSSL frees
// ASN1_BIT_STRING contents with OPENSSL_free() (X509_free), which is an
// allocator mismatch; any buffer already in `signature->data` is also leaked.
// ASN1_BIT_STRING_set(certificate->signature, signature, signatureLenght)
// copies the bytes into an OpenSSL-owned buffer and avoids both problems.
// The BIT STRING "unused bits" flags are not set either; X509_sign() clears
// the low 3 bits of `flags` and sets ASN1_STRING_FLAG_BITS_LEFT so the
// signature encodes with zero unused bits.
certificate->signature->data = new unsigned char[signatureLenght];
memcpy(certificate->signature->data, signature, signatureLenght);
certificate->signature->length = signatureLenght;
// This NULL check comes after memcpy has already written through the pointer,
// and C++ new[] throws std::bad_alloc rather than returning NULL, so the
// branch below is effectively unreachable.
if(!certificate->signature->data)
{
errorHandler->returnError(printer, "Unable to append the signature to the certificate.", SIGNING_X509_CERTIFICATE);
goto exitFailure;
}
来源:https://stackoverflow.com/questions/24665900/put-signature-on-a-x509-certificate