in azure-protected-vm-secrets/Linux/OsslX509.cpp [169:218]
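/// Builds an X.509v3 certificate from a CSR and signs it with the issuer key.
///
/// @param req        Certificate request supplying the subject name and public key.
/// @param issuerKey  Private key that signs the certificate (SHA-256 digest).
/// @param issuerCert Issuer certificate; nullptr yields a self-signed certificate
///                   whose issuer name is the CSR subject and whose extension
///                   issuer is the new certificate itself.
/// @param serial     Serial number written into the certificate.
/// @param days       Validity period in days, starting now.
/// @param is_ca      Forwarded unchanged to addExtensions.
/// @param pathlen    Forwarded unchanged to addExtensions (default -1).
/// @return Owning pointer to the signed certificate.
/// @throws OsslError when X509 allocation or any OpenSSL setter/sign call fails.
///
/// NOTE(review): the CSR's own signature is not verified here (no
/// X509_REQ_verify), so proof-of-possession of the requested key is not
/// established by this function; if requests can originate outside this
/// process, verify them before calling.
std::unique_ptr<X509, decltype(&X509_free)> signCertificate(X509_REQ* req, EVP_PKEY* issuerKey, X509* issuerCert,
                                                            long serial, int days, int is_ca, int pathlen = -1) {
    std::unique_ptr<X509, decltype(&X509_free)> cert(X509_new(), &X509_free);
    // X509_new() returns NULL on allocation failure; every setter below would
    // otherwise be handed a null certificate.
    if (cert == nullptr) {
        throw OsslError(ERR_get_error(), "Failed to allocate certificate");
    }

    // Version numbers are zero-based in the encoding: 2 means X509v3.
    if (X509_set_version(cert.get(), 2) != 1) {
        throw OsslError(ERR_get_error(), "Failed to set certificate version");
    }

    if (ASN1_INTEGER_set(X509_get_serialNumber(cert.get()), serial) != 1) {
        throw OsslError(ERR_get_error(), "Failed to set serial number");
    }

    // Validity runs from now for `days` days. Widen before multiplying so the
    // product is computed in long rather than int.
    const long validitySeconds = 60L * 60L * 24L * static_cast<long>(days);
    if (X509_gmtime_adj(X509_get_notBefore(cert.get()), 0) == nullptr) {
        throw OsslError(ERR_get_error(), "Failed to set notBefore time");
    }
    if (X509_gmtime_adj(X509_get_notAfter(cert.get()), validitySeconds) == nullptr) {
        throw OsslError(ERR_get_error(), "Failed to set notAfter time");
    }

    // Subject always comes from the CSR; the issuer is the CSR subject for a
    // self-signed certificate, otherwise the issuer certificate's subject.
    X509_NAME* subjectName = X509_REQ_get_subject_name(req);
    if (X509_set_subject_name(cert.get(), subjectName) != 1) {
        throw OsslError(ERR_get_error(), "Failed to set subject name");
    }
    const bool selfSigned = (issuerCert == nullptr);
    X509_NAME* issuerName = selfSigned ? subjectName : X509_get_subject_name(issuerCert);
    if (X509_set_issuer_name(cert.get(), issuerName) != 1) {
        throw OsslError(ERR_get_error(),
                        selfSigned ? "Failed to set issuer name for self-signed certificate"
                                   : "Failed to set issuer name");
    }

    // get0 variant: the key is borrowed from the request and must not be freed.
    EVP_PKEY* pubkey = X509_REQ_get0_pubkey(req);
    if (pubkey == nullptr || X509_set_pubkey(cert.get(), pubkey) != 1) {
        throw OsslError(ERR_get_error(), "Failed to set public key");
    }

    // addExtensions throws OsslError on failure; it propagates unchanged, so no
    // rethrow wrapper is needed.
    addExtensions(cert.get(), selfSigned ? cert.get() : issuerCert, is_ca, pathlen);

    // X509_sign returns the signature length, or 0 on failure.
    if (X509_sign(cert.get(), issuerKey, EVP_sha256()) == 0) {
        throw OsslError(ERR_get_error(), "Failed to sign certificate");
    }
    return cert;
}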