Add functionality to help making self-signed certificate.
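--- a/crypto/x509/x509_req.c
+++ b/crypto/x509/x509_req.c
@@ -113,6 +113,46 @@ EVP_PKEY *X509_REQ_get_pubkey(X509_REQ *req)
        return(X509_PUBKEY_get(req->req_info->pubkey));
        }
 
+int X509_REQ_check_private_key(X509_REQ *x, EVP_PKEY *k)
+       {
+       EVP_PKEY *xk=NULL;
+       int ok=0;
+
+       xk=X509_REQ_get_pubkey(x);
+       switch (EVP_PKEY_cmp(xk, k))
+               {
+       case 1:
+               ok=1;
+               break;
+       case 0:
+               X509err(X509_F_X509_REQ_CHECK_PRIVATE_KEY,X509_R_KEY_VALUES_MISMATCH);
+               break;
+       case -1:
+               X509err(X509_F_X509_REQ_CHECK_PRIVATE_KEY,X509_R_KEY_TYPE_MISMATCH);
+               break;
+       case -2:
+#ifndef OPENSSL_NO_EC
+               if (k->type == EVP_PKEY_EC)
+                       {
+                       X509err(X509_F_X509_REQ_CHECK_PRIVATE_KEY, ERR_R_EC_LIB);
+                       break;
+                       }
+#endif
+#ifndef OPENSSL_NO_DH
+               if (k->type == EVP_PKEY_DH)
+                       {
+                       /* No idea */
+                       X509err(X509_F_X509_REQ_CHECK_PRIVATE_KEY,X509_R_CANT_CHECK_DH_KEY);
+                       break;
+                       }
+#endif
+               X509err(X509_F_X509_REQ_CHECK_PRIVATE_KEY,X509_R_UNKNOWN_KEY_TYPE);
+               }
+
+       EVP_PKEY_free(xk);
+       return(ok);
+       }
+
 /* It seems several organisations had the same idea of including a list of
  * extensions in a certificate request. There are at least two OIDs that are
  * used and there may be more: so the list is configurable.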
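Review bot: In X509_REQ_check_private_key the result of `X509_REQ_get_pubkey(x)` goes straight into `EVP_PKEY_cmp(xk, k)` without a NULL check, and the `case -2` branch dereferences `k->type`. A request whose public key cannot be decoded, or a NULL `k`, may therefore crash here instead of returning 0. EVP_PKEY_cmp is not shown in this hunk, so whether it tolerates NULL arguments needs confirming. A guard right after the get_pubkey call would make failure explicit: `if (xk == NULL || k == NULL) return 0;`. The function also deserves a header comment saying that it only compares the request's public key with the public components of `k` via EVP_PKEY_cmp, so a return of 1 does not show that `k` holds a usable private key.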