[Help-gnutls] X.509 certificates around JUST A PUBLIC key... can it be done?

Sat Aug 2 17:16:57 CEST 2008

Hate to tell you this, but I managed to wrangle it to working the way  
I described using three datum structs, one filled with junk, and  
gnutls_x509_privkey_rsa_raw. Which I then set onto the cert directly.  
Worked like a charm. Since the certificate set_key function only ever  
imports the public exponent and modulus anyway. :)

Thanks for the help though :)

On Aug 2, 2008, at 3:06 AM, Nikos Mavrogiannopoulos <nmav at gnutls.org>  
wrote:

> Zach C. wrote:
>> So here's the dilemma.
>> I'm fully aware that I can currently generate the Root and Host  
>> certificates
>> without a problem in GnuTLS. The problem I'm having, though, is  
>> that I
>> *need* to be able to generate a certificate around the public key  
>> sent by
>> the iPhone and then sign that certificate with the root private  
>> key. I'm
>> wondering if that's possible in GnuTLS... I was considering doing a
>> gnutls_x509_privkey_import_rsa_raw and *only* setting the modulus  
>> and public
>> exponent (however I would get them), but I'm not sure if that would  
>> work or
>> if GnuTLS would throw an error out about it. And if it did it  
>> properly,
>> whether setting the new "private key" struct on a new certificate  
>> would do
>> what I'm describing here.
>
> Actually I sketched a function like that. I'd appreciate if you could
> try if it fits your needs.
>
> regards,
> Nikos
> diff --git a/lib/x509/crq.c b/lib/x509/crq.c
> index ff73c40..2eac706 100644
> --- a/lib/x509/crq.c
> +++ b/lib/x509/crq.c
> @@ -678,6 +678,74 @@ gnutls_x509_crq_set_key (gnutls_x509_crq_t crq,  
> gnutls_x509_privkey_t key)
> }
>
> /**
> +  * gnutls_x509_crq_set_key_rsa_raw - This function will associate  
> the Certificate request with a key
> +  * @crq: should contain a gnutls_x509_crq_t structure
> +  * @m: holds the modulus
> +  * @e: holds the public exponent
> +  *
> +  * This function will set the public parameters from the given  
> private key to the
> +  * request. Only RSA keys are currently supported.
> +  *
> +  * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
> +  *   negative error value.
> +  *
> +  **/
> +int
> +gnutls_x509_crq_set_key_rsa_raw (gnutls_x509_crq_t crq,
> +                    const gnutls_datum_t * m,
> +                    const gnutls_datum_t * e)
> +{
> +  int result, ret;
> +  size_t siz = 0;
> +  bigint_t temp_params[RSA_PUBLIC_PARAMS];
> +
> +
> +  if (crq == NULL)
> +    {
> +      gnutls_assert ();
> +      return GNUTLS_E_INVALID_REQUEST;
> +    }
> +
> +  memset(temp_params, 0, sizeof(temp_params));
> +
> +  siz = m->size;
> +  if (_gnutls_mpi_scan_nz (&temp_params[0], m->data, siz))
> +    {
> +      gnutls_assert ();
> +      ret = GNUTLS_E_MPI_SCAN_FAILED;
> +      goto error;
> +    }
> +
> +  siz = e->size;
> +  if (_gnutls_mpi_scan_nz (&temp_params[1], e->data, siz))
> +    {
> +      gnutls_assert ();
> +      ret = GNUTLS_E_MPI_SCAN_FAILED;
> +      goto error;
> +    }
> +
> +  result = _gnutls_x509_encode_and_copy_PKI_params (crq->crq,
> +                            "certificationRequestInfo.subjectPKInfo",
> +                            GNUTLS_PK_RSA,
> +                            temp_params,
> +                            RSA_PUBLIC_PARAMS);
> +
> +  if (result < 0)
> +    {
> +      gnutls_assert ();
> +      ret = result;
> +      goto error;
> +    }
> +
> +  ret = 0;
> +
> +error:
> +    _gnutls_mpi_release (&temp_params[0]);
> +    _gnutls_mpi_release (&temp_params[1]);
> +    return ret;
> +}
> +
> +/**
>   * gnutls_x509_crq_set_challenge_password - This function will set  
> a challenge password
>   * @crq: should contain a gnutls_x509_crq_t structure
>   * @pass: holds a null terminated password