| blob | 498eb05d5b2da9bbb3a4a6d1ccc8a1fd1597accf |
1 /*
2 * Copyright (C) 2003-2012 Free Software Foundation, Inc.
3 * Author: Nikos Mavrogiannopoulos, Simon Josefsson, Howard Chu
4 *
5 * This file is part of GnuTLS.
6 *
7 * The GnuTLS is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU Lesser General Public License
9 * as published by the Free Software Foundation; either version 3 of
10 * the License, or (at your option) any later version.
11 *
12 * This library is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
16 *
17 * You should have received a copy of the GNU Lesser General Public License
18 * along with this program. If not, see <http://www.gnu.org/licenses/>
19 *
20 */
22 /* Functions on X.509 Certificate parsing
23 */
25 #include <gnutls_int.h>
26 #include <gnutls_datum.h>
27 #include <gnutls_global.h>
28 #include <gnutls_errors.h>
29 #include <common.h>
30 #include <gnutls_x509.h>
31 #include <x509_b64.h>
32 #include <x509_int.h>
33 #include <libtasn1.h>
34 #include <gnutls_pk.h>
36 /**
37 * gnutls_x509_crt_init:
38 * @cert: The structure to be initialized
39 *
40 * This function will initialize an X.509 certificate structure.
41 *
42 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
43 * negative error value.
44 **/
45 int
47 {
57 {
61 }
63 /* If you add anything here, be sure to check if it has to be added
64 to gnutls_x509_crt_import as well. */
69 }
71 /*-
72 * _gnutls_x509_crt_cpy - This function copies a gnutls_x509_crt_t structure
73 * @dest: The structure where to copy
74 * @src: The structure to be copied
75 *
76 * This function will copy an X.509 certificate structure.
77 *
78 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
79 * negative error value.
80 -*/
81 int
83 {
87 gnutls_datum_t tmp;
91 {
94 }
98 {
101 }
105 {
109 }
118 {
121 }
124 }
126 /**
127 * gnutls_x509_crt_deinit:
128 * @cert: The structure to be deinitialized
129 *
130 * This function will deinitialize a certificate structure.
131 **/
132 void
134 {
142 }
144 /**
145 * gnutls_x509_crt_import:
146 * @cert: The structure to store the parsed certificate.
147 * @data: The DER or PEM encoded certificate.
148 * @format: One of DER or PEM
149 *
150 * This function will convert the given DER or PEM encoded Certificate
151 * to the native gnutls_x509_crt_t format. The output will be stored
152 * in @cert.
153 *
154 * If the Certificate is PEM encoded it should have a header of "X509
155 * CERTIFICATE", or "CERTIFICATE".
156 *
157 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
158 * negative error value.
159 **/
160 int
163 gnutls_x509_crt_fmt_t format)
164 {
166 gnutls_datum_t _data;
169 {
172 }
177 /* If the Certificate is in PEM format then decode it
178 */
180 {
183 /* Try the first header */
184 result =
188 {
189 /* try for the second header */
190 result =
195 {
200 }
201 }
207 }
210 {
211 /* Any earlier asn1_der_decoding will modify the ASN.1
212 structure, so we need to replace it with a fresh
213 structure. */
219 {
223 }
224 }
228 {
232 }
234 /* Since we do not want to disable any extension
235 */
242 cleanup:
246 }
249 /**
250 * gnutls_x509_crt_get_issuer_dn:
251 * @cert: should contain a #gnutls_x509_crt_t structure
252 * @buf: a pointer to a structure to hold the name (may be null)
253 * @buf_size: initially holds the size of @buf
254 *
255 * This function will copy the name of the Certificate issuer in the
256 * provided buffer. The name will be in the form
257 * "C=xxxx,O=yyyy,CN=zzzz" as described in RFC4514. The output string
258 * will be ASCII or UTF-8 encoded, depending on the certificate data.
259 *
260 * If @buf is null then only the size will be filled.
261 *
262 * Returns: GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not
263 * long enough, and in that case the @buf_size will be updated with
264 * the required size. On success 0 is returned.
265 **/
266 int
269 {
271 {
274 }
278 buf_size);
279 }
281 /**
282 * gnutls_x509_crt_get_issuer_dn_by_oid:
283 * @cert: should contain a #gnutls_x509_crt_t structure
284 * @oid: holds an Object Identified in null terminated string
285 * @indx: In case multiple same OIDs exist in the RDN, this specifies which to send. Use (0) to get the first one.
286 * @raw_flag: If non (0) returns the raw DER data of the DN part.
287 * @buf: a pointer to a structure to hold the name (may be null)
288 * @buf_size: initially holds the size of @buf
289 *
290 * This function will extract the part of the name of the Certificate
291 * issuer specified by the given OID. The output, if the raw flag is not
292 * used, will be encoded as described in RFC4514. Thus a string that is
293 * ASCII or UTF-8 encoded, depending on the certificate data.
294 *
295 * Some helper macros with popular OIDs can be found in gnutls/x509.h
296 * If raw flag is (0), this function will only return known OIDs as
297 * text. Other OIDs will be DER encoded, as described in RFC4514 --
298 * in hex format with a '#' prefix. You can check about known OIDs
299 * using gnutls_x509_dn_oid_known().
300 *
301 * If @buf is null then only the size will be filled. If the @raw_flag
302 * is not specified the output is always null terminated, although the
303 * @buf_size will not include the null character.
304 *
305 * Returns: GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not
306 * long enough, and in that case the @buf_size will be updated
307 * with the required size. On success 0 is returned.
308 **/
309 int
314 {
316 {
319 }
324 }
326 /**
327 * gnutls_x509_crt_get_issuer_dn_oid:
328 * @cert: should contain a #gnutls_x509_crt_t structure
329 * @indx: This specifies which OID to return. Use (0) to get the first one.
330 * @oid: a pointer to a buffer to hold the OID (may be null)
331 * @oid_size: initially holds the size of @oid
332 *
333 * This function will extract the OIDs of the name of the Certificate
334 * issuer specified by the given index.
335 *
336 * If @oid is null then only the size will be filled. The @oid
337 * returned will be null terminated, although @oid_size will not
338 * account for the trailing null.
339 *
340 * Returns: GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not
341 * long enough, and in that case the @oid_size will be updated
342 * with the required size. On success 0 is returned.
343 **/
344 int
347 {
349 {
352 }
357 }
359 /**
360 * gnutls_x509_crt_get_dn:
361 * @cert: should contain a #gnutls_x509_crt_t structure
362 * @buf: a pointer to a structure to hold the name (may be null)
363 * @buf_size: initially holds the size of @buf
364 *
365 * This function will copy the name of the Certificate in the provided
366 * buffer. The name will be in the form "C=xxxx,O=yyyy,CN=zzzz" as
367 * described in RFC4514. The output string will be ASCII or UTF-8
368 * encoded, depending on the certificate data.
369 *
370 * If @buf is null then only the size will be filled.
371 *
372 * Returns: %GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not
373 * long enough, and in that case the @buf_size will be updated
374 * with the required size. On success 0 is returned.
375 **/
376 int
379 {
381 {
384 }
388 buf_size);
389 }
391 /**
392 * gnutls_x509_crt_get_dn_by_oid:
393 * @cert: should contain a #gnutls_x509_crt_t structure
394 * @oid: holds an Object Identified in null terminated string
395 * @indx: In case multiple same OIDs exist in the RDN, this specifies which to send. Use (0) to get the first one.
396 * @raw_flag: If non (0) returns the raw DER data of the DN part.
397 * @buf: a pointer where the DN part will be copied (may be null).
398 * @buf_size: initially holds the size of @buf
399 *
400 * This function will extract the part of the name of the Certificate
401 * subject specified by the given OID. The output, if the raw flag is
402 * not used, will be encoded as described in RFC4514. Thus a string
403 * that is ASCII or UTF-8 encoded, depending on the certificate data.
404 *
405 * Some helper macros with popular OIDs can be found in gnutls/x509.h
406 * If raw flag is (0), this function will only return known OIDs as
407 * text. Other OIDs will be DER encoded, as described in RFC4514 --
408 * in hex format with a '#' prefix. You can check about known OIDs
409 * using gnutls_x509_dn_oid_known().
410 *
411 * If @buf is null then only the size will be filled. If the @raw_flag
412 * is not specified the output is always null terminated, although the
413 * @buf_size will not include the null character.
414 *
415 * Returns: %GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is
416 * not long enough, and in that case the *buf_size will be updated
417 * with the required size. On success 0 is returned.
418 **/
419 int
423 {
425 {
428 }
433 }
435 /**
436 * gnutls_x509_crt_get_dn_oid:
437 * @cert: should contain a #gnutls_x509_crt_t structure
438 * @indx: This specifies which OID to return. Use (0) to get the first one.
439 * @oid: a pointer to a buffer to hold the OID (may be null)
440 * @oid_size: initially holds the size of @oid
441 *
442 * This function will extract the OIDs of the name of the Certificate
443 * subject specified by the given index.
444 *
445 * If @oid is null then only the size will be filled. The @oid
446 * returned will be null terminated, although @oid_size will not
447 * account for the trailing null.
448 *
449 * Returns: %GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is
450 * not long enough, and in that case the @oid_size will be updated
451 * with the required size. On success 0 is returned.
452 **/
453 int
456 {
458 {
461 }
466 }
468 /**
469 * gnutls_x509_crt_get_signature_algorithm:
470 * @cert: should contain a #gnutls_x509_crt_t structure
471 *
472 * This function will return a value of the #gnutls_sign_algorithm_t
473 * enumeration that is the signature algorithm that has been used to
474 * sign this certificate.
475 *
476 * Returns: a #gnutls_sign_algorithm_t value, or a negative error code on
477 * error.
478 **/
479 int
481 {
483 }
485 /**
486 * gnutls_x509_crt_get_signature:
487 * @cert: should contain a #gnutls_x509_crt_t structure
488 * @sig: a pointer where the signature part will be copied (may be null).
489 * @sizeof_sig: initially holds the size of @sig
490 *
491 * This function will extract the signature field of a certificate.
492 *
493 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
494 * negative error value. and a negative error code on error.
495 **/
496 int
499 {
505 {
508 }
513 {
516 }
520 {
523 }
528 {
531 }
535 {
538 }
541 }
543 /**
544 * gnutls_x509_crt_get_version:
545 * @cert: should contain a #gnutls_x509_crt_t structure
546 *
547 * This function will return the version of the specified Certificate.
548 *
549 * Returns: version of certificate, or a negative error code on error.
550 **/
551 int
553 {
558 {
561 }
567 {
573 }
576 }
578 /**
579 * gnutls_x509_crt_get_activation_time:
580 * @cert: should contain a #gnutls_x509_crt_t structure
581 *
582 * This function will return the time this Certificate was or will be
583 * activated.
584 *
585 * Returns: activation time, or (time_t)-1 on error.
586 **/
587 time_t
589 {
591 {
594 }
598 }
600 /**
601 * gnutls_x509_crt_get_expiration_time:
602 * @cert: should contain a #gnutls_x509_crt_t structure
603 *
604 * This function will return the time this Certificate was or will be
605 * expired.
606 *
607 * Returns: expiration time, or (time_t)-1 on error.
608 **/
609 time_t
611 {
613 {
616 }
620 }
622 /**
623 * gnutls_x509_crt_get_private_key_usage_period:
624 * @cert: should contain a #gnutls_x509_crt_t structure
625 * @activation: The activation time
626 * @expiration: The expiration time
627 * @critical: the extension status
628 *
629 * This function will return the expiration and activation
630 * times of the private key of the certificate. It relies on
631 * the PKIX extension 2.5.29.16 being present.
632 *
633 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
634 * if the extension is not present, otherwise a negative error value.
635 **/
636 int
637 gnutls_x509_crt_get_private_key_usage_period (gnutls_x509_crt_t cert, time_t* activation, time_t* expiration,
639 {
645 {
648 }
650 ret =
652 critical);
659 result = asn1_create_element
662 {
666 }
670 {
674 }
686 cleanup:
691 }
694 /**
695 * gnutls_x509_crt_get_serial:
696 * @cert: should contain a #gnutls_x509_crt_t structure
697 * @result: The place where the serial number will be copied
698 * @result_size: Holds the size of the result field.
699 *
700 * This function will return the X.509 certificate's serial number.
701 * This is obtained by the X509 Certificate serialNumber field. Serial
702 * is not always a 32 or 64bit number. Some CAs use large serial
703 * numbers, thus it may be wise to handle it as something uint8_t.
704 *
705 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
706 * negative error value.
707 **/
708 int
711 {
715 {
718 }
721 ret =
726 {
729 }
732 }
734 /**
735 * gnutls_x509_crt_get_subject_key_id:
736 * @cert: should contain a #gnutls_x509_crt_t structure
737 * @ret: The place where the identifier will be copied
738 * @ret_size: Holds the size of the result field.
739 * @critical: will be non (0) if the extension is marked as critical (may be null)
740 *
741 * This function will return the X.509v3 certificate's subject key
742 * identifier. This is obtained by the X.509 Subject Key identifier
743 * extension field (2.5.29.14).
744 *
745 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
746 * if the extension is not present, otherwise a negative error value.
747 **/
748 int
751 {
753 gnutls_datum_t id;
757 {
760 }
765 else
771 {
773 }
776 {
779 }
781 result = asn1_create_element
784 {
788 }
794 {
798 }
807 {
809 }
812 {
816 }
819 }
821 static int
824 {
826 gnutls_datum_t id;
831 {
834 }
839 {
841 }
844 {
847 }
849 ret = asn1_create_element
852 {
856 }
862 {
866 }
869 }
871 /**
872 * gnutls_x509_crt_get_authority_key_gn_serial:
873 * @cert: should contain a #gnutls_x509_crt_t structure
874 * @seq: specifies the sequence number of the alt name (0 for the first one, 1 for the second etc.)
875 * @alt: is the place where the alternative name will be copied to
876 * @alt_size: holds the size of alt.
877 * @alt_type: holds the type of the alternative name (one of gnutls_x509_subject_alt_name_t).
878 * @serial: buffer to store the serial number (may be null)
879 * @serial_size: Holds the size of the serial field (may be null)
880 * @critical: will be non (0) if the extension is marked as critical (may be null)
881 *
882 * This function will return the X.509 authority key
883 * identifier when stored as a general name (authorityCertIssuer)
884 * and serial number.
885 *
886 * Because more than one general names might be stored
887 * @seq can be used as a counter to request them all until
888 * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned.
889 *
890 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
891 * if the extension is not present, otherwise a negative error value.
892 *
893 * Since: 3.0
894 **/
895 int
896 gnutls_x509_crt_get_authority_key_gn_serial (gnutls_x509_crt_t cert, unsigned int seq, void *alt,
900 {
902 ASN1_TYPE c2;
908 ret =
912 {
915 }
918 {
925 {
928 }
930 }
934 fail:
938 }
940 /**
941 * gnutls_x509_crt_get_authority_key_id:
942 * @cert: should contain a #gnutls_x509_crt_t structure
943 * @id: The place where the identifier will be copied
944 * @id_size: Holds the size of the id field.
945 * @critical: will be non (0) if the extension is marked as critical (may be null)
946 *
947 * This function will return the X.509v3 certificate authority's key
948 * identifier. This is obtained by the X.509 Authority Key
949 * identifier extension field (2.5.29.35). Note that this function
950 * only returns the keyIdentifier field of the extension and
951 * %GNUTLS_E_X509_UNSUPPORTED_EXTENSION, if the extension contains
952 * the name and serial number of the certificate. In that case
953 * gnutls_x509_crt_get_authority_key_gn_serial() may be used.
954 *
955 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
956 * if the extension is not present, otherwise a negative error value.
957 **/
958 int
962 {
964 ASN1_TYPE c2;
980 {
984 }
987 }
989 /**
990 * gnutls_x509_crt_get_pk_algorithm:
991 * @cert: should contain a #gnutls_x509_crt_t structure
992 * @bits: if bits is non null it will hold the size of the parameters' in bits
993 *
994 * This function will return the public key algorithm of an X.509
995 * certificate.
996 *
997 * If bits is non null, it should have enough size to hold the parameters
998 * size in bits. For RSA the bits returned is the modulus.
999 * For DSA the bits returned are of the public
1000 * exponent.
1001 *
1002 * Returns: a member of the #gnutls_pk_algorithm_t enumeration on
1003 * success, or a negative error code on error.
1004 **/
1005 int
1007 {
1011 {
1014 }
1019 result =
1022 bits);
1025 {
1028 }
1032 }
1036 {
1040 else
1042 }
1046 /* returns the type and the name on success.
1047 * Type is also returned as a parameter in case of an error.
1048 */
1049 int
1053 {
1058 gnutls_x509_subject_alt_name_t type;
1064 else
1071 {
1073 }
1076 {
1079 }
1084 {
1087 }
1093 {
1096 else
1107 {
1110 }
1113 {
1116 }
1117 else
1118 {
1124 else
1130 {
1133 }
1136 {
1140 result = asn1_create_element
1143 {
1146 }
1150 {
1154 }
1159 {
1164 }
1168 {
1172 }
1175 /* null terminate it */
1177 }
1178 }
1179 }
1181 {
1185 {
1188 }
1189 }
1192 else
1193 {
1204 {
1208 }
1211 {
1214 }
1217 {
1220 {
1224 }
1226 /* null terminate it */
1228 }
1230 }
1233 }
1235 static int
1240 {
1242 gnutls_datum_t dnsname;
1246 {
1249 }
1253 else
1259 {
1261 }
1264 {
1267 }
1275 else
1276 {
1279 }
1282 {
1286 }
1292 {
1296 }
1298 result =
1300 othername_oid);
1305 {
1308 }
1311 }
1313 /**
1314 * gnutls_x509_crt_get_subject_alt_name:
1315 * @cert: should contain a #gnutls_x509_crt_t structure
1316 * @seq: specifies the sequence number of the alt name (0 for the first one, 1 for the second etc.)
1317 * @san: is the place where the alternative name will be copied to
1318 * @san_size: holds the size of san.
1319 * @critical: will be non (0) if the extension is marked as critical (may be null)
1320 *
1321 * This function retrieves the Alternative Name (2.5.29.17), contained
1322 * in the given certificate in the X509v3 Certificate Extensions.
1323 *
1324 * When the SAN type is otherName, it will extract the data in the
1325 * otherName's value field, and %GNUTLS_SAN_OTHERNAME is returned.
1326 * You may use gnutls_x509_crt_get_subject_alt_othername_oid() to get
1327 * the corresponding OID and the "virtual" SAN types (e.g.,
1328 * %GNUTLS_SAN_OTHERNAME_XMPP).
1329 *
1330 * If an otherName OID is known, the data will be decoded. Otherwise
1331 * the returned data will be DER encoded, and you will have to decode
1332 * it yourself. Currently, only the RFC 3920 id-on-xmppAddr SAN is
1333 * recognized.
1334 *
1335 * Returns: the alternative subject name type on success, one of the
1336 * enumerated #gnutls_x509_subject_alt_name_t. It will return
1337 * %GNUTLS_E_SHORT_MEMORY_BUFFER if @san_size is not large enough to
1338 * hold the value. In that case @san_size will be updated with the
1339 * required size. If the certificate does not have an Alternative
1340 * name with the specified sequence number then
1341 * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned.
1342 **/
1343 int
1348 {
1351 }
1353 /**
1354 * gnutls_x509_crt_get_issuer_alt_name:
1355 * @cert: should contain a #gnutls_x509_crt_t structure
1356 * @seq: specifies the sequence number of the alt name (0 for the first one, 1 for the second etc.)
1357 * @ian: is the place where the alternative name will be copied to
1358 * @ian_size: holds the size of ian.
1359 * @critical: will be non (0) if the extension is marked as critical (may be null)
1360 *
1361 * This function retrieves the Issuer Alternative Name (2.5.29.18),
1362 * contained in the given certificate in the X509v3 Certificate
1363 * Extensions.
1364 *
1365 * When the SAN type is otherName, it will extract the data in the
1366 * otherName's value field, and %GNUTLS_SAN_OTHERNAME is returned.
1367 * You may use gnutls_x509_crt_get_subject_alt_othername_oid() to get
1368 * the corresponding OID and the "virtual" SAN types (e.g.,
1369 * %GNUTLS_SAN_OTHERNAME_XMPP).
1370 *
1371 * If an otherName OID is known, the data will be decoded. Otherwise
1372 * the returned data will be DER encoded, and you will have to decode
1373 * it yourself. Currently, only the RFC 3920 id-on-xmppAddr Issuer
1374 * AltName is recognized.
1375 *
1376 * Returns: the alternative issuer name type on success, one of the
1377 * enumerated #gnutls_x509_subject_alt_name_t. It will return
1378 * %GNUTLS_E_SHORT_MEMORY_BUFFER if @ian_size is not large enough
1379 * to hold the value. In that case @ian_size will be updated with
1380 * the required size. If the certificate does not have an
1381 * Alternative name with the specified sequence number then
1382 * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned.
1383 *
1384 * Since: 2.10.0
1385 **/
1386 int
1391 {
1394 }
1396 /**
1397 * gnutls_x509_crt_get_subject_alt_name2:
1398 * @cert: should contain a #gnutls_x509_crt_t structure
1399 * @seq: specifies the sequence number of the alt name (0 for the first one, 1 for the second etc.)
1400 * @san: is the place where the alternative name will be copied to
1401 * @san_size: holds the size of ret.
1402 * @san_type: holds the type of the alternative name (one of gnutls_x509_subject_alt_name_t).
1403 * @critical: will be non (0) if the extension is marked as critical (may be null)
1404 *
1405 * This function will return the alternative names, contained in the
1406 * given certificate. It is the same as
1407 * gnutls_x509_crt_get_subject_alt_name() except for the fact that it
1408 * will return the type of the alternative name in @san_type even if
1409 * the function fails for some reason (i.e. the buffer provided is
1410 * not enough).
1411 *
1412 * Returns: the alternative subject name type on success, one of the
1413 * enumerated #gnutls_x509_subject_alt_name_t. It will return
1414 * %GNUTLS_E_SHORT_MEMORY_BUFFER if @san_size is not large enough
1415 * to hold the value. In that case @san_size will be updated with
1416 * the required size. If the certificate does not have an
1417 * Alternative name with the specified sequence number then
1418 * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned.
1419 **/
1420 int
1426 {
1429 }
1431 /**
1432 * gnutls_x509_crt_get_issuer_alt_name2:
1433 * @cert: should contain a #gnutls_x509_crt_t structure
1434 * @seq: specifies the sequence number of the alt name (0 for the first one, 1 for the second etc.)
1435 * @ian: is the place where the alternative name will be copied to
1436 * @ian_size: holds the size of ret.
1437 * @ian_type: holds the type of the alternative name (one of gnutls_x509_subject_alt_name_t).
1438 * @critical: will be non (0) if the extension is marked as critical (may be null)
1439 *
1440 * This function will return the alternative names, contained in the
1441 * given certificate. It is the same as
1442 * gnutls_x509_crt_get_issuer_alt_name() except for the fact that it
1443 * will return the type of the alternative name in @ian_type even if
1444 * the function fails for some reason (i.e. the buffer provided is
1445 * not enough).
1446 *
1447 * Returns: the alternative issuer name type on success, one of the
1448 * enumerated #gnutls_x509_subject_alt_name_t. It will return
1449 * %GNUTLS_E_SHORT_MEMORY_BUFFER if @ian_size is not large enough
1450 * to hold the value. In that case @ian_size will be updated with
1451 * the required size. If the certificate does not have an
1452 * Alternative name with the specified sequence number then
1453 * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned.
1454 *
1455 * Since: 2.10.0
1456 *
1457 **/
1458 int
1464 {
1467 }
1469 /**
1470 * gnutls_x509_crt_get_subject_alt_othername_oid:
1471 * @cert: should contain a #gnutls_x509_crt_t structure
1472 * @seq: specifies the sequence number of the alt name (0 for the first one, 1 for the second etc.)
1473 * @oid: is the place where the otherName OID will be copied to
1474 * @oid_size: holds the size of ret.
1475 *
1476 * This function will extract the type OID of an otherName Subject
1477 * Alternative Name, contained in the given certificate, and return
1478 * the type as an enumerated element.
1479 *
1480 * This function is only useful if
1481 * gnutls_x509_crt_get_subject_alt_name() returned
1482 * %GNUTLS_SAN_OTHERNAME.
1483 *
1484 * If @oid is null then only the size will be filled. The @oid
1485 * returned will be null terminated, although @oid_size will not
1486 * account for the trailing null.
1487 *
1488 * Returns: the alternative subject name type on success, one of the
1489 * enumerated gnutls_x509_subject_alt_name_t. For supported OIDs, it
1490 * will return one of the virtual (GNUTLS_SAN_OTHERNAME_*) types,
1491 * e.g. %GNUTLS_SAN_OTHERNAME_XMPP, and %GNUTLS_SAN_OTHERNAME for
1492 * unknown OIDs. It will return %GNUTLS_E_SHORT_MEMORY_BUFFER if
1493 * @ian_size is not large enough to hold the value. In that case
1494 * @ian_size will be updated with the required size. If the
1495 * certificate does not have an Alternative name with the specified
1496 * sequence number and with the otherName type then
1497 * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned.
1498 **/
1499 int
1503 {
1505 }
1507 /**
1508 * gnutls_x509_crt_get_issuer_alt_othername_oid:
1509 * @cert: should contain a #gnutls_x509_crt_t structure
1510 * @seq: specifies the sequence number of the alt name (0 for the first one, 1 for the second etc.)
1511 * @ret: is the place where the otherName OID will be copied to
1512 * @ret_size: holds the size of ret.
1513 *
1514 * This function will extract the type OID of an otherName Subject
1515 * Alternative Name, contained in the given certificate, and return
1516 * the type as an enumerated element.
1517 *
1518 * If @oid is null then only the size will be filled. The @oid
1519 * returned will be null terminated, although @oid_size will not
1520 * account for the trailing null.
1521 *
1522 * This function is only useful if
1523 * gnutls_x509_crt_get_issuer_alt_name() returned
1524 * %GNUTLS_SAN_OTHERNAME.
1525 *
1526 * Returns: the alternative issuer name type on success, one of the
1527 * enumerated gnutls_x509_subject_alt_name_t. For supported OIDs, it
1528 * will return one of the virtual (GNUTLS_SAN_OTHERNAME_*) types,
1529 * e.g. %GNUTLS_SAN_OTHERNAME_XMPP, and %GNUTLS_SAN_OTHERNAME for
1530 * unknown OIDs. It will return %GNUTLS_E_SHORT_MEMORY_BUFFER if
1531 * @ret_size is not large enough to hold the value. In that case
1532 * @ret_size will be updated with the required size. If the
1533 * certificate does not have an Alternative name with the specified
1534 * sequence number and with the otherName type then
1535 * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned.
1536 *
1537 * Since: 2.10.0
1538 **/
1539 int
1543 {
1545 }
1547 /**
1548 * gnutls_x509_crt_get_basic_constraints:
1549 * @cert: should contain a #gnutls_x509_crt_t structure
1550 * @critical: will be non (0) if the extension is marked as critical
1551 * @ca: pointer to output integer indicating CA status, may be NULL,
1552 * value is 1 if the certificate CA flag is set, 0 otherwise.
1553 * @pathlen: pointer to output integer indicating path length (may be
1554 * NULL), non-negative error codes indicate a present pathLenConstraint
1555 * field and the actual value, -1 indicate that the field is absent.
1556 *
1557 * This function will read the certificate's basic constraints, and
1558 * return the certificates CA status. It reads the basicConstraints
1559 * X.509 extension (2.5.29.19).
1560 *
1561 * Returns: If the certificate is a CA a positive value will be
1562 * returned, or (0) if the certificate does not have CA flag set. A
1563 * negative error code may be returned in case of errors. If the
1564 * certificate does not contain the basicConstraints extension
1565 * GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.
1566 **/
1567 int
1571 {
1573 gnutls_datum_t basicConstraints;
1577 {
1580 }
1585 {
1587 }
1590 {
1593 }
1595 result =
1597 pathlen,
1605 {
1608 }
1611 }
1613 /**
1614 * gnutls_x509_crt_get_ca_status:
1615 * @cert: should contain a #gnutls_x509_crt_t structure
1616 * @critical: will be non (0) if the extension is marked as critical
1617 *
1618 * This function will return certificates CA status, by reading the
1619 * basicConstraints X.509 extension (2.5.29.19). If the certificate is
1620 * a CA a positive value will be returned, or (0) if the certificate
1621 * does not have CA flag set.
1622 *
1623 * Use gnutls_x509_crt_get_basic_constraints() if you want to read the
1624 * pathLenConstraint field too.
1625 *
1626 * Returns: A negative error code may be returned in case of parsing error.
1627 * If the certificate does not contain the basicConstraints extension
1628 * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.
1629 **/
1630 int
1632 {
1637 }
1639 /**
1640 * gnutls_x509_crt_get_key_usage:
1641 * @cert: should contain a #gnutls_x509_crt_t structure
1642 * @key_usage: where the key usage bits will be stored
1643 * @critical: will be non (0) if the extension is marked as critical
1644 *
1645 * This function will return certificate's key usage, by reading the
1646 * keyUsage X.509 extension (2.5.29.15). The key usage value will ORed
1647 * values of the: %GNUTLS_KEY_DIGITAL_SIGNATURE,
1648 * %GNUTLS_KEY_NON_REPUDIATION, %GNUTLS_KEY_KEY_ENCIPHERMENT,
1649 * %GNUTLS_KEY_DATA_ENCIPHERMENT, %GNUTLS_KEY_KEY_AGREEMENT,
1650 * %GNUTLS_KEY_KEY_CERT_SIGN, %GNUTLS_KEY_CRL_SIGN,
1651 * %GNUTLS_KEY_ENCIPHER_ONLY, %GNUTLS_KEY_DECIPHER_ONLY.
1652 *
1653 * Returns: the certificate key usage, or a negative error code in case of
1654 * parsing error. If the certificate does not contain the keyUsage
1655 * extension %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be
1656 * returned.
1657 **/
1658 int
1662 {
1664 gnutls_datum_t keyUsage;
1668 {
1671 }
1676 {
1678 }
1681 {
1684 }
1693 {
1696 }
1699 }
1701 /**
1702 * gnutls_x509_crt_get_proxy:
1703 * @cert: should contain a #gnutls_x509_crt_t structure
1704 * @critical: will be non (0) if the extension is marked as critical
1705 * @pathlen: pointer to output integer indicating path length (may be
1706 * NULL), non-negative error codes indicate a present pCPathLenConstraint
1707 * field and the actual value, -1 indicate that the field is absent.
1708 * @policyLanguage: output variable with OID of policy language
1709 * @policy: output variable with policy data
1710 * @sizeof_policy: output variable size of policy data
1711 *
1712 * This function will get information from a proxy certificate. It
1713 * reads the ProxyCertInfo X.509 extension (1.3.6.1.5.5.7.1.14).
1714 *
1715 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
1716 * otherwise a negative error code is returned.
1717 **/
1718 int
1724 {
1726 gnutls_datum_t proxyCertInfo;
1729 {
1732 }
1737 {
1739 }
1742 {
1745 }
1748 policyLanguage,
1749 policy,
1750 sizeof_policy,
1755 {
1758 }
1761 }
1763 /**
1764 * gnutls_x509_crt_get_extension_by_oid:
1765 * @cert: should contain a #gnutls_x509_crt_t structure
1766 * @oid: holds an Object Identified in null terminated string
1767 * @indx: In case multiple same OIDs exist in the extensions, this specifies which to send. Use (0) to get the first one.
1768 * @buf: a pointer to a structure to hold the name (may be null)
1769 * @buf_size: initially holds the size of @buf
1770 * @critical: will be non (0) if the extension is marked as critical
1771 *
1772 * This function will return the extension specified by the OID in the
1773 * certificate. The extensions will be returned as binary data DER
1774 * encoded, in the provided buffer.
1775 *
1776 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
1777 * otherwise a negative error code is returned. If the certificate does not
1778 * contain the specified extension
1779 * GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.
1780 **/
1781 int
1786 {
1788 gnutls_datum_t output;
1791 {
1794 }
1799 {
1802 }
1805 {
1808 }
1811 {
1815 }
1826 }
1828 /**
1829 * gnutls_x509_crt_get_extension_oid:
1830 * @cert: should contain a #gnutls_x509_crt_t structure
1831 * @indx: Specifies which extension OID to send. Use (0) to get the first one.
1832 * @oid: a pointer to a structure to hold the OID (may be null)
1833 * @oid_size: initially holds the size of @oid
1834 *
1835 * This function will return the requested extension OID in the certificate.
1836 * The extension OID will be stored as a string in the provided buffer.
1837 *
1838 * The @oid returned will be null terminated, although @oid_size will not
1839 * account for the trailing null.
1840 *
1841 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
1842 * otherwise a negative error code is returned. If you have reached the
1843 * last extension available %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
1844 * will be returned.
1845 **/
1846 int
1849 {
1853 {
1856 }
1860 {
1862 }
1866 }
1868 /**
1869 * gnutls_x509_crt_get_extension_info:
1870 * @cert: should contain a #gnutls_x509_crt_t structure
1871 * @indx: Specifies which extension OID to send. Use (0) to get the first one.
1872 * @oid: a pointer to a structure to hold the OID
1873 * @oid_size: initially holds the maximum size of @oid, on return
1874 * holds actual size of @oid.
1875 * @critical: output variable with critical flag, may be NULL.
1876 *
1877 * This function will return the requested extension OID in the
1878 * certificate, and the critical flag for it. The extension OID will
1879 * be stored as a string in the provided buffer. Use
1880 * gnutls_x509_crt_get_extension_data() to extract the data.
1881 *
1882 * If the buffer provided is not long enough to hold the output, then
1883 * @oid_size is updated and %GNUTLS_E_SHORT_MEMORY_BUFFER will be
1884 * returned. The @oid returned will be null terminated, although
1885 * @oid_size will not account for the trailing null.
1886 *
1887 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
1888 * otherwise a negative error code is returned. If you have reached the
1889 * last extension available %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
1890 * will be returned.
1891 **/
1892 int
1896 {
1903 {
1906 }
1918 {
1921 }
1928 {
1931 }
1934 {
1937 else
1939 }
1943 }
1945 /**
1946 * gnutls_x509_crt_get_extension_data:
1947 * @cert: should contain a #gnutls_x509_crt_t structure
1948 * @indx: Specifies which extension OID to send. Use (0) to get the first one.
1949 * @data: a pointer to a structure to hold the data (may be null)
1950 * @sizeof_data: initially holds the size of @oid
1951 *
1952 * This function will return the requested extension data in the
1953 * certificate. The extension data will be stored as a string in the
1954 * provided buffer.
1955 *
1956 * Use gnutls_x509_crt_get_extension_info() to extract the OID and
1957 * critical flag. Use gnutls_x509_crt_get_extension_by_oid() instead,
1958 * if you want to get data indexed by the extension OID rather than
1959 * sequence.
1960 *
1961 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
1962 * otherwise a negative error code is returned. If you have reached the
1963 * last extension available %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
1964 * will be returned.
1965 **/
1966 int
1969 {
1974 {
1977 }
1989 {
1992 }
1995 }
1997 static int
2000 {
2006 /* get the issuer of 'cert'
2007 */
2011 {
2014 }
2016 result =
2019 {
2022 }
2026 {
2031 }
2033 result =
2038 {
2042 }
2050 cleanup:
2054 }
2056 /**
2057 * gnutls_x509_crt_get_raw_issuer_dn:
2058 * @cert: should contain a #gnutls_x509_crt_t structure
2059 * @start: will hold the starting point of the DN
2060 *
2061 * This function will return a pointer to the DER encoded DN structure
2062 * and the length. This points to allocated data that must be free'd using gnutls_free().
2063 *
2064 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
2065 * negative error value.or a negative error code on error.
2066 *
2067 **/
2068 int
2071 {
2073 }
2075 /**
2076 * gnutls_x509_crt_get_raw_dn:
2077 * @cert: should contain a #gnutls_x509_crt_t structure
2078 * @start: will hold the starting point of the DN
2079 *
2080 * This function will return a pointer to the DER encoded DN structure and
2081 * the length. This points to allocated data that must be free'd using gnutls_free().
2082 *
2083 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
2084 * negative error value. or a negative error code on error.
2085 *
2086 **/
2087 int
2089 {
2091 }
2093 static int
2095 {
2100 }
2102 /**
2103 * gnutls_x509_crt_get_subject:
2104 * @cert: should contain a #gnutls_x509_crt_t structure
2105 * @dn: output variable with pointer to uint8_t DN.
2106 *
2107 * Return the Certificate's Subject DN as an uint8_t data type. You
2108 * may use gnutls_x509_dn_get_rdn_ava() to decode the DN.
2109 *
2110 * Note that @dn should be treated as constant. Because points
2111 * into the @cert object, you may not deallocate @cert
2112 * and continue to access @dn.
2113 *
2114 * Returns: Returns 0 on success, or an error code.
2115 **/
2116 int
2118 {
2120 }
2122 /**
2123 * gnutls_x509_crt_get_issuer:
2124 * @cert: should contain a #gnutls_x509_crt_t structure
2125 * @dn: output variable with pointer to uint8_t DN
2126 *
2127 * Return the Certificate's Issuer DN as an uint8_t data type. You may
2128 * use gnutls_x509_dn_get_rdn_ava() to decode the DN.
2129 *
2130 * Note that @dn should be treated as constant. Because points
2131 * into the @cert object, you may not deallocate @cert
2132 * and continue to access @dn.
2133 *
2134 * Returns: Returns 0 on success, or an error code.
2135 **/
2136 int
2138 {
2140 }
2142 /**
2143 * gnutls_x509_dn_get_rdn_ava:
2144 * @dn: input variable with uint8_t DN pointer
2145 * @irdn: index of RDN
2146 * @iava: index of AVA.
2147 * @ava: Pointer to structure which will hold output information.
2148 *
2149 * Get pointers to data within the DN.
2150 *
2151 * Note that @ava will contain pointers into the @dn structure, so you
2152 * should not modify any data or deallocate it. Note also that the DN
2153 * in turn points into the original certificate structure, and thus
2154 * you may not deallocate the certificate and continue to access @dn.
2155 *
2156 * Returns: Returns 0 on success, or an error code.
2157 **/
2158 int
2161 {
2163 ASN1_DATA_NODE vnode;
2170 iava++;
2176 {
2179 }
2184 {
2187 }
2191 {
2194 }
2202 {
2205 }
2209 {
2212 }
2213 /* The value still has the previous tag's length bytes, plus the
2214 * current value's tag and length bytes. Decode them.
2215 */
2221 {
2224 }
2230 {
2233 }
2238 {
2243 {
2246 }
2248 }
2252 }
2254 /**
2255 * gnutls_x509_crt_get_fingerprint:
2256 * @cert: should contain a #gnutls_x509_crt_t structure
2257 * @algo: is a digest algorithm
2258 * @buf: a pointer to a structure to hold the fingerprint (may be null)
2259 * @buf_size: initially holds the size of @buf
2260 *
2261 * This function will calculate and copy the certificate's fingerprint
2262 * in the provided buffer.
2263 *
2264 * If the buffer is null then only the size will be filled.
2265 *
2266 * Returns: %GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is
2267 * not long enough, and in that case the *buf_size will be updated
2268 * with the required size. On success 0 is returned.
2269 **/
2270 int
2272 gnutls_digest_algorithm_t algo,
2274 {
2278 gnutls_datum_t tmp;
2281 {
2283 }
2290 {
2293 }
2298 {
2302 }
2311 }
2313 /**
2314 * gnutls_x509_crt_export:
2315 * @cert: Holds the certificate
2316 * @format: the format of output params. One of PEM or DER.
2317 * @output_data: will contain a certificate PEM or DER encoded
2318 * @output_data_size: holds the size of output_data (and will be
2319 * replaced by the actual size of parameters)
2320 *
2321 * This function will export the certificate to DER or PEM format.
2322 *
2323 * If the buffer provided is not long enough to hold the output, then
2324 * *output_data_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will
2325 * be returned.
2326 *
2327 * If the structure is PEM encoded, it will have a header
2328 * of "BEGIN CERTIFICATE".
2329 *
2330 * Returns: In case of failure a negative error code will be
2331 * returned, and 0 on success.
2332 **/
2333 int
2337 {
2339 {
2342 }
2346 }
2348 int
2352 {
2359 {
2363 }
2371 {
2374 }
2379 cleanup:
2383 }
2385 /**
2386 * gnutls_x509_crt_get_key_id:
2387 * @crt: Holds the certificate
2388 * @flags: should be 0 for now
2389 * @output_data: will contain the key ID
2390 * @output_data_size: holds the size of output_data (and will be
2391 * replaced by the actual size of parameters)
2392 *
2393 * This function will return a unique ID the depends on the public
2394 * key parameters. This ID can be used in checking whether a
2395 * certificate corresponds to the given private key.
2396 *
2397 * If the buffer provided is not long enough to hold the output, then
2398 * *output_data_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will
2399 * be returned. The output will normally be a SHA-1 hash output,
2400 * which is 20 bytes.
2401 *
2402 * Returns: In case of failure a negative error code will be
2403 * returned, and 0 on success.
2404 **/
2405 int
2409 {
2411 gnutls_pk_params_st params;
2414 {
2417 }
2421 {
2424 }
2428 {
2431 }
2438 }
2441 /* This is exactly as gnutls_x509_crt_check_revocation() except that
2442 * it calls func.
2443 */
2444 int
2448 gnutls_verify_output_function func)
2449 {
2457 {
2460 }
2465 /* Step 1. check if issuer's DN match
2466 */
2469 {
2472 }
2476 {
2479 }
2485 {
2486 /* issuers do not match so don't even
2487 * bother checking.
2488 */
2490 }
2492 /* Step 2. Read the certificate's serial number
2493 */
2497 {
2500 }
2502 /* Step 3. cycle through the CRL serials and compare with
2503 * certificate serial we have.
2504 */
2508 {
2511 }
2514 {
2516 ret =
2521 {
2524 }
2527 {
2529 {
2530 /* serials match */
2533 }
2534 }
2535 }
2538 }
2540 }
2543 /**
2544 * gnutls_x509_crt_check_revocation:
2545 * @cert: should contain a #gnutls_x509_crt_t structure
2546 * @crl_list: should contain a list of gnutls_x509_crl_t structures
2547 * @crl_list_length: the length of the crl_list
2548 *
2549 * This function will return check if the given certificate is
2550 * revoked. It is assumed that the CRLs have been verified before.
2551 *
2552 * Returns: 0 if the certificate is NOT revoked, and 1 if it is. A
2553 * negative error code is returned on error.
2554 **/
2555 int
2559 {
2561 }
2563 /**
2564 * gnutls_x509_crt_get_verify_algorithm:
2565 * @crt: Holds the certificate
2566 * @signature: contains the signature
2567 * @hash: The result of the call with the hash algorithm used for signature
2568 *
2569 * This function will read the certifcate and the signed data to
2570 * determine the hash algorithm used to generate the signature.
2571 *
2572 * Deprecated: Use gnutls_pubkey_get_verify_algorithm() instead.
2573 *
2574 * Returns: the 0 if the hash algorithm is found. A negative error code is
2575 * returned on error.
2576 *
2577 * Since: 2.8.0
2578 **/
2579 int
2583 {
2584 gnutls_pk_params_st issuer_params;
2588 {
2591 }
2595 {
2598 }
2601 signature,
2603 NULL),
2606 /* release allocated mpis */
2610 }
2614 /**
2615 * gnutls_x509_crt_get_preferred_hash_algorithm:
2616 * @crt: Holds the certificate
2617 * @hash: The result of the call with the hash algorithm used for signature
2618 * @mand: If non (0) it means that the algorithm MUST use this hash. May be NULL.
2619 *
2620 * This function will read the certifcate and return the appropriate digest
2621 * algorithm to use for signing with this certificate. Some certificates (i.e.
2622 * DSA might not be able to sign without the preferred algorithm).
2623 *
2624 * Deprecated: Please use gnutls_pubkey_get_preferred_hash_algorithm().
2625 *
2626 * Returns: the 0 if the hash algorithm is found. A negative error code is
2627 * returned on error.
2628 *
2629 * Since: 2.12.0
2630 **/
2631 int
2633 gnutls_digest_algorithm_t *
2635 {
2636 gnutls_pk_params_st issuer_params;
2640 {
2643 }
2647 {
2650 }
2652 ret =
2657 /* release allocated mpis */
2661 }
2663 /**
2664 * gnutls_x509_crt_verify_data:
2665 * @crt: Holds the certificate
2666 * @flags: should be 0 for now
2667 * @data: holds the data to be signed
2668 * @signature: contains the signature
2669 *
2670 * This function will verify the given signed data, using the
2671 * parameters from the certificate.
2672 *
2673 * Deprecated. Please use gnutls_pubkey_verify_data().
2674 *
2675 * Returns: In case of a verification failure %GNUTLS_E_PK_SIG_VERIFY_FAILED
2676 * is returned, and zero or positive code on success.
2677 **/
2678 int
2682 {
2686 {
2689 }
2693 {
2696 }
2699 }
2701 /**
2702 * gnutls_x509_crt_verify_hash:
2703 * @crt: Holds the certificate
2704 * @flags: should be 0 for now
2705 * @hash: holds the hash digest to be verified
2706 * @signature: contains the signature
2707 *
2708 * This function will verify the given signed digest, using the
2709 * parameters from the certificate.
2710 *
2711 * Deprecated. Please use gnutls_pubkey_verify_data2() or gnutls_pubkey_verify_hash2().
2712 *
2713 * Returns: In case of a verification failure %GNUTLS_E_PK_SIG_VERIFY_FAILED
2714 * is returned, and zero or positive code on success.
2715 **/
2716 int
2720 {
2721 gnutls_pk_params_st params;
2722 gnutls_digest_algorithm_t algo;
2726 {
2729 }
2735 /* Read the MPI parameters from the issuer's certificate.
2736 */
2737 ret =
2740 {
2743 }
2745 ret =
2749 {
2751 }
2753 /* release all allocated MPIs
2754 */
2758 }
2760 /**
2761 * gnutls_x509_crt_get_crl_dist_points:
2762 * @cert: should contain a #gnutls_x509_crt_t structure
2763 * @seq: specifies the sequence number of the distribution point (0 for the first one, 1 for the second etc.)
2764 * @ret: is the place where the distribution point will be copied to
2765 * @ret_size: holds the size of ret.
2766 * @reason_flags: Revocation reasons flags.
2767 * @critical: will be non (0) if the extension is marked as critical (may be null)
2768 *
2769 * This function retrieves the CRL distribution points (2.5.29.31),
2770 * contained in the given certificate in the X509v3 Certificate
2771 * Extensions.
2772 *
2773 * @reason_flags should be an ORed sequence of
2774 * %GNUTLS_CRL_REASON_UNUSED, %GNUTLS_CRL_REASON_KEY_COMPROMISE,
2775 * %GNUTLS_CRL_REASON_CA_COMPROMISE,
2776 * %GNUTLS_CRL_REASON_AFFILIATION_CHANGED,
2777 * %GNUTLS_CRL_REASON_SUPERSEEDED,
2778 * %GNUTLS_CRL_REASON_CESSATION_OF_OPERATION,
2779 * %GNUTLS_CRL_REASON_CERTIFICATE_HOLD,
2780 * %GNUTLS_CRL_REASON_PRIVILEGE_WITHDRAWN,
2781 * %GNUTLS_CRL_REASON_AA_COMPROMISE, or (0) for all possible reasons.
2782 *
2783 * Returns: %GNUTLS_E_SHORT_MEMORY_BUFFER and updates @ret_size if
2784 * @ret_size is not enough to hold the distribution point, or the
2785 * type of the distribution point if everything was ok. The type is
2786 * one of the enumerated %gnutls_x509_subject_alt_name_t. If the
2787 * certificate does not have an Alternative name with the specified
2788 * sequence number then %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is
2789 * returned.
2790 **/
2791 int
2797 {
2803 gnutls_x509_subject_alt_name_t type;
2807 {
2810 }
2814 else
2820 result =
2822 critical);
2824 {
2826 }
2829 {
2832 }
2834 result = asn1_create_element
2837 {
2841 }
2847 {
2851 }
2853 /* Return the different names from the first CRLDistr. point.
2854 * The whole thing is a mess.
2855 */
2860 {
2863 }
2868 /* Read the CRL reasons.
2869 */
2871 {
2880 {
2884 }
2887 }
2892 }
2894 /**
2895 * gnutls_x509_crt_get_key_purpose_oid:
2896 * @cert: should contain a #gnutls_x509_crt_t structure
2897 * @indx: This specifies which OID to return. Use (0) to get the first one.
2898 * @oid: a pointer to a buffer to hold the OID (may be null)
2899 * @oid_size: initially holds the size of @oid
2900 * @critical: output flag to indicate criticality of extension
2901 *
2902 * This function will extract the key purpose OIDs of the Certificate
2903 * specified by the given index. These are stored in the Extended Key
2904 * Usage extension (2.5.29.37) See the GNUTLS_KP_* definitions for
2905 * human readable names.
2906 *
2907 * If @oid is null then only the size will be filled. The @oid
2908 * returned will be null terminated, although @oid_size will not
2909 * account for the trailing null.
2910 *
2911 * Returns: %GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is
2912 * not long enough, and in that case the *oid_size will be updated
2913 * with the required size. On success 0 is returned.
2914 **/
2915 int
2919 {
2922 gnutls_datum_t id;
2926 {
2929 }
2933 else
2939 {
2941 }
2944 {
2947 }
2949 result = asn1_create_element
2952 {
2956 }
2962 {
2966 }
2968 indx++;
2969 /* create a string like "?1"
2970 */
2980 {
2982 }
2985 {
2988 }
2992 }
2994 /**
2995 * gnutls_x509_crt_get_pk_rsa_raw:
2996 * @crt: Holds the certificate
2997 * @m: will hold the modulus
2998 * @e: will hold the public exponent
2999 *
3000 * This function will export the RSA public key's parameters found in
3001 * the given structure. The new parameters will be allocated using
3002 * gnutls_malloc() and will be stored in the appropriate datum.
3003 *
3004 * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
3005 **/
3006 int
3009 {
3011 gnutls_pk_params_st params;
3014 {
3017 }
3021 {
3024 }
3028 {
3031 }
3035 {
3038 }
3042 {
3046 }
3050 cleanup:
3053 }
3055 /**
3056 * gnutls_x509_crt_get_pk_dsa_raw:
3057 * @crt: Holds the certificate
3058 * @p: will hold the p
3059 * @q: will hold the q
3060 * @g: will hold the g
3061 * @y: will hold the y
3062 *
3063 * This function will export the DSA public key's parameters found in
3064 * the given certificate. The new parameters will be allocated using
3065 * gnutls_malloc() and will be stored in the appropriate datum.
3066 *
3067 * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
3068 **/
3069 int
3073 {
3075 gnutls_pk_params_st params;
3078 {
3081 }
3085 {
3088 }
3092 {
3095 }
3098 /* P */
3101 {
3104 }
3106 /* Q */
3109 {
3113 }
3116 /* G */
3119 {
3124 }
3127 /* Y */
3130 {
3136 }
3140 cleanup:
3144 }
3146 /**
3147 * gnutls_x509_crt_list_import2:
3148 * @certs: The structures to store the parsed certificate. Must not be initialized.
3149 * @size: It will contain the size of the list.
3150 * @data: The PEM encoded certificate.
3151 * @format: One of DER or PEM.
3152 * @flags: must be (0) or an OR'd sequence of gnutls_certificate_import_flags.
3153 *
3154 * This function will convert the given PEM encoded certificate list
3155 * to the native gnutls_x509_crt_t format. The output will be stored
3156 * in @certs. They will be automatically initialized.
3157 *
3158 * If the Certificate is PEM encoded it should have a header of "X509
3159 * CERTIFICATE", or "CERTIFICATE".
3160 *
3161 * Returns: the number of certificates read or a negative error value.
3162 *
3163 * Since: 3.0
3164 **/
3165 int
3170 {
3176 {
3179 }
3181 ret = gnutls_x509_crt_list_import(*certs, &init, data, format, GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED);
3183 {
3186 {
3189 }
3192 }
3195 {
3199 }
3203 }
3206 {
3212 /* check if the X.509 list is ordered */
3214 {
3217 {
3219 {
3223 {
3226 }
3229 {
3232 }
3233 }
3238 {
3241 }
3242 }
3243 }
3247 cleanup:
3249 }
3252 /**
3253 * gnutls_x509_crt_list_import:
3254 * @certs: The structures to store the parsed certificate. Must not be initialized.
3255 * @cert_max: Initially must hold the maximum number of certs. It will be updated with the number of certs available.
3256 * @data: The PEM encoded certificate.
3257 * @format: One of DER or PEM.
3258 * @flags: must be (0) or an OR'd sequence of gnutls_certificate_import_flags.
3259 *
3260 * This function will convert the given PEM encoded certificate list
3261 * to the native gnutls_x509_crt_t format. The output will be stored
3262 * in @certs. They will be automatically initialized.
3263 *
3264 * The flag %GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED will cause
3265 * import to fail if the certificates in the provided buffer are more
3266 * than the available structures. The %GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED
3267 * flag will cause the function to fail if the provided list is not
3268 * sorted from subject to issuer.
3269 *
3270 * If the Certificate is PEM encoded it should have a header of "X509
3271 * CERTIFICATE", or "CERTIFICATE".
3272 *
3273 * Returns: the number of certificates read or a negative error value.
3274 **/
3275 int
3280 {
3283 gnutls_datum_t tmp;
3288 {
3290 {
3293 }
3299 {
3302 }
3306 {
3309 }
3313 }
3315 /* move to the certificate
3316 */
3328 do
3329 {
3331 {
3334 else
3336 }
3339 {
3342 {
3345 }
3350 ret =
3353 {
3356 }
3357 }
3359 /* now we move ptr after the pem header
3360 */
3361 ptr++;
3362 /* find the next certificate (if any)
3363 */
3367 {
3376 }
3377 else
3380 count++;
3381 }
3387 {
3390 {
3393 }
3394 }
3398 else
3401 error:
3405 }
3407 /**
3408 * gnutls_x509_crt_get_subject_unique_id:
3409 * @crt: Holds the certificate
3410 * @buf: user allocated memory buffer, will hold the unique id
3411 * @buf_size: size of user allocated memory buffer (on input), will hold
3412 * actual size of the unique ID on return.
3413 *
3414 * This function will extract the subjectUniqueID value (if present) for
3415 * the given certificate.
3416 *
3417 * If the user allocated memory buffer is not large enough to hold the
3418 * full subjectUniqueID, then a GNUTLS_E_SHORT_MEMORY_BUFFER error will be
3419 * returned, and buf_size will be set to the actual length.
3420 *
3421 * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
3422 **/
3423 int
3426 {
3430 result =
3439 }
3440 else
3441 {
3444 }
3449 }
3451 /**
3452 * gnutls_x509_crt_get_issuer_unique_id:
3453 * @crt: Holds the certificate
3454 * @buf: user allocated memory buffer, will hold the unique id
3455 * @buf_size: size of user allocated memory buffer (on input), will hold
3456 * actual size of the unique ID on return.
3457 *
3458 * This function will extract the issuerUniqueID value (if present) for
3459 * the given certificate.
3460 *
3461 * If the user allocated memory buffer is not large enough to hold the
3462 * full subjectUniqueID, then a GNUTLS_E_SHORT_MEMORY_BUFFER error will be
3463 * returned, and buf_size will be set to the actual length.
3464 *
3465 * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
3466 *
3467 * Since: 2.12.0
3468 **/
3469 int
3472 {
3476 result =
3485 }
3486 else
3487 {
3490 }
3495 }
3497 static int
3502 {
3506 gnutls_datum_t d;
3511 {
3522 /* fall through */
3527 {
3537 {
3540 }
3543 }
3544 /* fall through */
3553 }
3561 {
3564 }
3574 {
3578 }
3581 {
3584 }
3585 else
3589 }
3591 /**
3592 * gnutls_x509_crt_get_authority_info_access:
3593 * @crt: Holds the certificate
3594 * @seq: specifies the sequence number of the access descriptor (0 for the first one, 1 for the second etc.)
3595 * @what: what data to get, a #gnutls_info_access_what_t type.
3596 * @data: output data to be freed with gnutls_free().
3597 * @critical: pointer to output integer that is set to non-0 if the extension is marked as critical (may be %NULL)
3598 *
3599 * This function extracts the Authority Information Access (AIA)
3600 * extension, see RFC 5280 section 4.2.2.1 for more information. The
3601 * AIA extension holds a sequence of AccessDescription (AD) data:
3602 *
3603 * <informalexample><programlisting>
3604 * AuthorityInfoAccessSyntax ::=
3605 * SEQUENCE SIZE (1..MAX) OF AccessDescription
3606 *
3607 * AccessDescription ::= SEQUENCE {
3608 * accessMethod OBJECT IDENTIFIER,
3609 * accessLocation GeneralName }
3610 * </programlisting></informalexample>
3611 *
3612 * The @seq input parameter is used to indicate which member of the
3613 * sequence the caller is interested in. The first member is 0, the
3614 * second member 1 and so on. When the @seq value is out of bounds,
3615 * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned.
3616 *
3617 * The type of data returned in @data is specified via @what which
3618 * should be #gnutls_info_access_what_t values.
3619 *
3620 * If @what is %GNUTLS_IA_ACCESSMETHOD_OID then @data will hold the
3621 * accessMethod OID (e.g., "1.3.6.1.5.5.7.48.1").
3622 *
3623 * If @what is %GNUTLS_IA_ACCESSLOCATION_GENERALNAME_TYPE, @data will
3624 * hold the accessLocation GeneralName type (e.g.,
3625 * "uniformResourceIdentifier").
3626 *
3627 * If @what is %GNUTLS_IA_URI, @data will hold the accessLocation URI
3628 * data. Requesting this @what value leads to an error if the
3629 * accessLocation is not of the "uniformResourceIdentifier" type.
3630 *
3631 * If @what is %GNUTLS_IA_OCSP_URI, @data will hold the OCSP URI.
3632 * Requesting this @what value leads to an error if the accessMethod
3633 * is not 1.3.6.1.5.5.7.48.1 aka OSCP, or if accessLocation is not of
3634 * the "uniformResourceIdentifier" type.
3635 *
3636 * If @what is %GNUTLS_IA_CAISSUERS_URI, @data will hold the caIssuers
3637 * URI. Requesting this @what value leads to an error if the
3638 * accessMethod is not 1.3.6.1.5.5.7.48.2 aka caIssuers, or if
3639 * accessLocation is not of the "uniformResourceIdentifier" type.
3640 *
3641 * More @what values may be allocated in the future as needed.
3642 *
3643 * If @data is NULL, the function does the same without storing the
3644 * output data, that is, it will set @critical and do error checking
3645 * as usual.
3646 *
3647 * The value of the critical flag is returned in *@critical. Supply a
3648 * NULL @critical if you want the function to make sure the extension
3649 * is non-critical, as required by RFC 5280.
3650 *
3651 * Returns: %GNUTLS_E_SUCCESS on success, %GNUTLS_E_INVALID_REQUEST on
3652 * invalid @crt, %GNUTLS_E_CONSTRAINT_ERROR if the extension is
3653 * incorrectly marked as critical (use a non-NULL @critical to
3654 * override), %GNUTLS_E_UNKNOWN_ALGORITHM if the requested OID does
3655 * not match (e.g., when using %GNUTLS_IA_OCSP_URI), otherwise a
3656 * negative error code.
3657 *
3658 * Since: 3.0
3659 **/
3660 int
3666 {
3668 gnutls_datum_t aia;
3672 {
3675 }
3682 {
3685 }
3693 {
3697 }
3700 /* asn1_print_structure (stdout, c2, "", ASN1_PRINT_ALL); */
3703 {
3707 }
3716 }