X.509 certificates around JUST A PUBLIC key... can it be done?

X.509 certificates around JUST A PUBLIC key... can it be done?

by Zach C.

So here's the dilemma.

I am writing a library/interface for the iPhone to work in Linux. I'm currently working on the pairing functionality; I'm trying to repeat the process as exactly as possible to iTunes's implementation.

Here's what happens:

iTunes asks device for its public key.
iPhone responds with its public key.
iTunes generates a root certificate (CA certificate) with (root) private key, host certificate (presumably for encrypted communications) with (host) private key, and device certificate, whose public key info is the public key sent by the iPhone. All three certificates are signed with the root private key. iTunes then generates a UUID and sends out a PairRecord containing all three certificates and that UUID as a HostID.
The iPhone will then verify the certificates against the root certificate (presumably, or maybe more specifically the public key in the root certificate), and if everything is in order (i.e. the root certificate really was used to sign the others), it will send a "pair successful" message back.

I'm fully aware that I can currently generate the Root and Host certificates without a problem in GnuTLS. The problem I'm having, though, is that I *need* to be able to generate a certificate around the public key sent by the iPhone and then sign that certificate with the root private key. I'm wondering if that's possible in GnuTLS... I was considering doing a gnutls_x509_privkey_import_rsa_raw and only setting the modulus and public exponent (however I would get them), but I'm not sure if that would work or if GnuTLS would throw an error out about it. And if it did it properly, whether setting the new "private key" struct on a new certificate would do what I'm describing here.

Thanks in advance! :)

_______________________________________________
Help-gnutls mailing list
Help-gnutls@...
http://lists.gnu.org/mailman/listinfo/help-gnutls
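
The device certificate in the pairing flow above needs only the public half of the iPhone's key: for RSA, the certificate's subjectPublicKeyInfo field carries just the modulus and the public exponent. The following is an added example, not code from this thread or from GnuTLS; it DER-encodes that field from raw bytes with no library, and the function names and the tiny sample values are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
typedef unsigned char u8;

/* Emit tag, definite length (up to 0xFFFF) and body; returns bytes written. */
static size_t der_wrap(u8 *out, u8 tag, const u8 *body, size_t len) {
    size_t n = 0;
    out[n++] = tag;
    if (len >= 0x100) { out[n++] = 0x82; out[n++] = (u8)(len >> 8); }
    else if (len >= 0x80) out[n++] = 0x81;
    out[n++] = (u8)len;
    memcpy(out + n, body, len);
    return n + len;
}

/* Unsigned big-endian bytes -> DER INTEGER: minimal form, never negative. */
static size_t der_uint(u8 *out, const u8 *v, size_t len) {
    u8 tmp[513] = {0};
    while (len > 1 && v[0] == 0) { v++; len--; }   /* strip leading zeros */
    size_t pad = (v[0] & 0x80) ? 1 : 0;            /* 0x00 if top bit set */
    memcpy(tmp + pad, v, len);
    return der_wrap(out, 0x02, tmp, len + pad);
}

/* RSA SubjectPublicKeyInfo from raw modulus m and exponent e; 0 on error. */
size_t rsa_spki_der(u8 *out, size_t cap, const u8 *m, size_t mlen,
                    const u8 *e, size_t elen) {
    static const u8 alg[] = { 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
        0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00 };  /* rsaEncryption, NULL */
    u8 a[1100], b[1100];
    if (!out || !m || !e || !mlen || !elen || mlen > 512 || elen > 512) return 0;
    size_t n = der_uint(a, m, mlen);
    n += der_uint(a + n, e, elen);          /* INTEGER n, INTEGER e */
    b[0] = 0x00;                            /* BIT STRING: zero unused bits */
    n = 1 + der_wrap(b + 1, 0x30, a, n);    /* RSAPublicKey SEQUENCE */
    memcpy(a, alg, sizeof alg);
    n = sizeof alg + der_wrap(a + sizeof alg, 0x03, b, n);
    if (n + 4 > cap) return 0;              /* outer header is at most 4 bytes */
    return der_wrap(out, 0x30, a, n);
}

/* Constructed toy values, far too small to be a real key. */
static const u8 SAMPLE_M[] = { 0xc3, 0x51 }, SAMPLE_E[] = { 0x01, 0x00, 0x01 };
int main(void) {
    u8 der[64];
    size_t n = rsa_spki_der(der, sizeof der, SAMPLE_M, 2, SAMPLE_E, 3);
    for (size_t i = 0; i < n; i++) printf("%02x", der[i]);
    puts("");
    return n == 0;
}
```

Nothing derived from a private exponent appears in the encoded field.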

Re: X.509 certificates around JUST A PUBLIC key... can it be done?

by Nikos Mavrogiannopoulos

Zach C. wrote:

> I'm fully aware that I can currently generate the Root and Host certificates
> without a problem in GnuTLS. The problem I'm having, though, is that I
> *need* to be able to generate a certificate around the public key sent by
> the iPhone and then sign that certificate with the root private key. I'm
> wondering if that's possible in GnuTLS... I was considering doing a
> gnutls_x509_privkey_import_rsa_raw and *only* setting the modulus and public
> exponent (however I would get them), but I'm not sure if that would work or
> if GnuTLS would throw an error out about it. And if it did it properly,
> whether setting the new "private key" struct on a new certificate would do
> what I'm describing here.

It could work but I'm not sure since it was never designed to be like
this. The best way would be to try it and see if it works. As I see it
the best way for this to work would be to have a
gnutls_crq_import_key_raw() that would create a certificate request with
these parameters and then you could create a certificate using this
request. It is already in my todo list.

regards,
Nikos


Re: X.509 certificates around JUST A PUBLIC key... can it be done?

by Nikos Mavrogiannopoulos

Zach C. wrote:

> So here's the dilemma.
> I'm fully aware that I can currently generate the Root and Host certificates
> without a problem in GnuTLS. The problem I'm having, though, is that I
> *need* to be able to generate a certificate around the public key sent by
> the iPhone and then sign that certificate with the root private key. I'm
> wondering if that's possible in GnuTLS... I was considering doing a
> gnutls_x509_privkey_import_rsa_raw and *only* setting the modulus and public
> exponent (however I would get them), but I'm not sure if that would work or
> if GnuTLS would throw an error out about it. And if it did it properly,
> whether setting the new "private key" struct on a new certificate would do
> what I'm describing here.

Actually I sketched a function like that. I'd appreciate if you could
try if it fits your needs.

regards,
Nikos

diff --git a/lib/x509/crq.c b/lib/x509/crq.c
index ff73c40..2eac706 100644
--- a/lib/x509/crq.c
+++ b/lib/x509/crq.c
@@ -678,6 +678,74 @@ gnutls_x509_crq_set_key (gnutls_x509_crq_t crq, gnutls_x509_privkey_t key)
 }
 
 /**
+  * gnutls_x509_crq_set_key_rsa_raw - This function will associate the Certificate request with a key
+  * @crq: should contain a gnutls_x509_crq_t structure
+  * @m: holds the modulus
+  * @e: holds the public exponent
+  *
+  * This function will set the public parameters from the given private key to the
+  * request. Only RSA keys are currently supported.
+  *
+  * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+  *   negative error value.
+  *
+  **/
+int
+gnutls_x509_crq_set_key_rsa_raw (gnutls_x509_crq_t crq,
+    const gnutls_datum_t * m,
+    const gnutls_datum_t * e)
+{
+  int result, ret;
+  size_t siz = 0;
+  bigint_t temp_params[RSA_PUBLIC_PARAMS];
+  
+
+  if (crq == NULL)
+    {
+      gnutls_assert ();
+      return GNUTLS_E_INVALID_REQUEST;
+    }
+
+  memset(temp_params, 0, sizeof(temp_params));
+
+  siz = m->size;
+  if (_gnutls_mpi_scan_nz (&temp_params[0], m->data, siz))
+    {
+      gnutls_assert ();
+      ret = GNUTLS_E_MPI_SCAN_FAILED;
+      goto error;
+    }
+
+  siz = e->size;
+  if (_gnutls_mpi_scan_nz (&temp_params[1], e->data, siz))
+    {
+      gnutls_assert ();
+      ret = GNUTLS_E_MPI_SCAN_FAILED;
+      goto error;
+    }
+
+  result = _gnutls_x509_encode_and_copy_PKI_params (crq->crq,
+    "certificationRequestInfo.subjectPKInfo",
+    GNUTLS_PK_RSA,
+    temp_params,
+    RSA_PUBLIC_PARAMS);
+
+  if (result < 0)
+    {
+      gnutls_assert ();
+      ret = result;
+      goto error;
+    }
+
+  ret = 0;
+
+error:
+    _gnutls_mpi_release (&temp_params[0]);
+    _gnutls_mpi_release (&temp_params[1]);
+    return ret;
+}
+
+/**
   * gnutls_x509_crq_set_challenge_password - This function will set a challenge password
   * @crq: should contain a gnutls_x509_crq_t structure
   * @pass: holds a null terminated password
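
Review bot: in gnutls_x509_crq_set_key_rsa_raw only crq is tested for NULL; m and e are dereferenced at `siz = m->size;` and `siz = e->size;` with no check, so a caller passing a NULL datum crashes instead of getting an error code. Suggest extending the first test to `if (crq == NULL || m == NULL || e == NULL)` and returning GNUTLS_E_INVALID_REQUEST as it already does. Two smaller points: `siz` is only ever a copy of m->size or e->size and could be replaced by passing those directly, and the `error:` label is also the success exit path (ret is set to 0 just above it), so a name like `cleanup:` would read more accurately.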


Re: X.509 certificates around JUST A PUBLIC key... can it be done?

by Zach C.

Hate to tell you this, but I managed to wrangle it to working the way  
I described using three datum structs, one filled with junk, and  
gnutls_x509_privkey_rsa_raw. Which I then set onto the cert directly.  
Worked like a charm. Since the certificate set_key function only ever  
imports the public exponent and modulus anyway. :)

Thanks for the help though :)

On Aug 2, 2008, at 3:06 AM, Nikos Mavrogiannopoulos <nmav@...>  
wrote:

> Zach C. wrote:
>> So here's the dilemma.
>> I'm fully aware that I can currently generate the Root and Host  
>> certificates
>> without a problem in GnuTLS. The problem I'm having, though, is  
>> that I
>> *need* to be able to generate a certificate around the public key  
>> sent by
>> the iPhone and then sign that certificate with the root private  
>> key. I'm
>> wondering if that's possible in GnuTLS... I was considering doing a
>> gnutls_x509_privkey_import_rsa_raw and *only* setting the modulus  
>> and public
>> exponent (however I would get them), but I'm not sure if that would  
>> work or
>> if GnuTLS would throw an error out about it. And if it did it  
>> properly,
>> whether setting the new "private key" struct on a new certificate  
>> would do
>> what I'm describing here.
>
> Actually I sketched a function like that. I'd appreciate if you could
> try if it fits your needs.
>
> regards,
> Nikos
> diff --git a/lib/x509/crq.c b/lib/x509/crq.c
> index ff73c40..2eac706 100644
> --- a/lib/x509/crq.c
> +++ b/lib/x509/crq.c
> @@ -678,6 +678,74 @@ gnutls_x509_crq_set_key (gnutls_x509_crq_t crq,  
> gnutls_x509_privkey_t key)
> }
>
> /**
> +  * gnutls_x509_crq_set_key_rsa_raw - This function will associate  
> the Certificate request with a key
> +  * @crq: should contain a gnutls_x509_crq_t structure
> +  * @m: holds the modulus
> +  * @e: holds the public exponent
> +  *
> +  * This function will set the public parameters from the given  
> private key to the
> +  * request. Only RSA keys are currently supported.
> +  *
> +  * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
> +  *   negative error value.
> +  *
> +  **/
> +int
> +gnutls_x509_crq_set_key_rsa_raw (gnutls_x509_crq_t crq,
> +                    const gnutls_datum_t * m,
> +                    const gnutls_datum_t * e)
> +{
> +  int result, ret;
> +  size_t siz = 0;
> +  bigint_t temp_params[RSA_PUBLIC_PARAMS];
> +
> +
> +  if (crq == NULL)
> +    {
> +      gnutls_assert ();
> +      return GNUTLS_E_INVALID_REQUEST;
> +    }
> +
> +  memset(temp_params, 0, sizeof(temp_params));
> +
> +  siz = m->size;
> +  if (_gnutls_mpi_scan_nz (&temp_params[0], m->data, siz))
> +    {
> +      gnutls_assert ();
> +      ret = GNUTLS_E_MPI_SCAN_FAILED;
> +      goto error;
> +    }
> +
> +  siz = e->size;
> +  if (_gnutls_mpi_scan_nz (&temp_params[1], e->data, siz))
> +    {
> +      gnutls_assert ();
> +      ret = GNUTLS_E_MPI_SCAN_FAILED;
> +      goto error;
> +    }
> +
> +  result = _gnutls_x509_encode_and_copy_PKI_params (crq->crq,
> +                            "certificationRequestInfo.subjectPKInfo",
> +                            GNUTLS_PK_RSA,
> +                            temp_params,
> +                            RSA_PUBLIC_PARAMS);
> +
> +  if (result < 0)
> +    {
> +      gnutls_assert ();
> +      ret = result;
> +      goto error;
> +    }
> +
> +  ret = 0;
> +
> +error:
> +    _gnutls_mpi_release (&temp_params[0]);
> +    _gnutls_mpi_release (&temp_params[1]);
> +    return ret;
> +}
> +
> +/**
>   * gnutls_x509_crq_set_challenge_password - This function will set  
> a challenge password
>   * @crq: should contain a gnutls_x509_crq_t structure
>   * @pass: holds a null terminated password
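
Review bot: the doc comment added for gnutls_x509_crq_set_key_rsa_raw says the function sets the public parameters "from the given private key", but the signature takes only @m and @e and no private key is involved. Suggest rewording the description to say the public parameters are set from the given raw modulus and public exponent, and stating the expected format of @m and @e (the body passes m->data and e->data to _gnutls_mpi_scan_nz, so callers need to know what byte layout that accepts).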

