| blob | 61c85983f611b6a7088f9538b41d27ed63ff91ce |
1 /*
2 * Copyright (C) 2003-2012 Free Software Foundation, Inc.
3 * Author: Nikos Mavrogiannopoulos, Simon Josefsson, Howard Chu
4 *
5 * This file is part of GnuTLS.
6 *
7 * The GnuTLS is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU Lesser General Public License
9 * as published by the Free Software Foundation; either version 3 of
10 * the License, or (at your option) any later version.
11 *
12 * This library is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
16 *
17 * You should have received a copy of the GNU Lesser General Public License
18 * along with this program. If not, see <http://www.gnu.org/licenses/>
19 *
20 */
22 /* Functions on X.509 Certificate parsing
23 */
25 #include <gnutls_int.h>
26 #include <gnutls_datum.h>
27 #include <gnutls_global.h>
28 #include <gnutls_errors.h>
29 #include <common.h>
30 #include <gnutls_x509.h>
31 #include <x509_b64.h>
32 #include <x509_int.h>
33 #include <libtasn1.h>
34 #include <gnutls_pk.h>
36 /**
37 * gnutls_x509_crt_init:
38 * @cert: The structure to be initialized
39 *
40 * This function will initialize an X.509 certificate structure.
41 *
42 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
43 * negative error value.
44 **/
45 int
47 {
57 {
61 }
63 /* If you add anything here, be sure to check if it has to be added
64 to gnutls_x509_crt_import as well. */
69 }
71 /*-
72 * _gnutls_x509_crt_cpy - This function copies a gnutls_x509_crt_t structure
73 * @dest: The structure where to copy
74 * @src: The structure to be copied
75 *
76 * This function will copy an X.509 certificate structure.
77 *
78 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
79 * negative error value.
80 -*/
81 int
83 {
87 gnutls_datum_t tmp;
91 {
94 }
98 {
101 }
105 {
109 }
118 {
121 }
124 }
126 /**
127 * gnutls_x509_crt_deinit:
128 * @cert: The structure to be deinitialized
129 *
130 * This function will deinitialize a certificate structure.
131 **/
132 void
134 {
142 }
144 /**
145 * gnutls_x509_crt_import:
146 * @cert: The structure to store the parsed certificate.
147 * @data: The DER or PEM encoded certificate.
148 * @format: One of DER or PEM
149 *
150 * This function will convert the given DER or PEM encoded Certificate
151 * to the native gnutls_x509_crt_t format. The output will be stored
152 * in @cert.
153 *
154 * If the Certificate is PEM encoded it should have a header of "X509
155 * CERTIFICATE", or "CERTIFICATE".
156 *
157 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
158 * negative error value.
159 **/
160 int
163 gnutls_x509_crt_fmt_t format)
164 {
166 gnutls_datum_t _data;
169 {
172 }
177 /* If the Certificate is in PEM format then decode it
178 */
180 {
183 /* Try the first header */
184 result =
188 {
189 /* try for the second header */
190 result =
195 {
200 }
201 }
207 }
210 {
211 /* Any earlier asn1_der_decoding will modify the ASN.1
212 structure, so we need to replace it with a fresh
213 structure. */
219 {
223 }
224 }
228 {
232 }
236 /* Since we do not want to disable any extension
237 */
244 cleanup:
248 }
251 /**
252 * gnutls_x509_crt_get_issuer_dn:
253 * @cert: should contain a #gnutls_x509_crt_t structure
254 * @buf: a pointer to a structure to hold the name (may be null)
255 * @buf_size: initially holds the size of @buf
256 *
257 * This function will copy the name of the Certificate issuer in the
258 * provided buffer. The name will be in the form
259 * "C=xxxx,O=yyyy,CN=zzzz" as described in RFC4514. The output string
260 * will be ASCII or UTF-8 encoded, depending on the certificate data.
261 *
262 * If @buf is null then only the size will be filled.
263 *
264 * Returns: GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not
265 * long enough, and in that case the @buf_size will be updated with
266 * the required size. On success 0 is returned.
267 **/
268 int
271 {
273 {
276 }
280 buf_size);
281 }
283 /**
284 * gnutls_x509_crt_get_issuer_dn_by_oid:
285 * @cert: should contain a #gnutls_x509_crt_t structure
286 * @oid: holds an Object Identified in null terminated string
287 * @indx: In case multiple same OIDs exist in the RDN, this specifies which to send. Use (0) to get the first one.
288 * @raw_flag: If non (0) returns the raw DER data of the DN part.
289 * @buf: a pointer to a structure to hold the name (may be null)
290 * @buf_size: initially holds the size of @buf
291 *
292 * This function will extract the part of the name of the Certificate
293 * issuer specified by the given OID. The output, if the raw flag is not
294 * used, will be encoded as described in RFC4514. Thus a string that is
295 * ASCII or UTF-8 encoded, depending on the certificate data.
296 *
297 * Some helper macros with popular OIDs can be found in gnutls/x509.h
298 * If raw flag is (0), this function will only return known OIDs as
299 * text. Other OIDs will be DER encoded, as described in RFC4514 --
300 * in hex format with a '#' prefix. You can check about known OIDs
301 * using gnutls_x509_dn_oid_known().
302 *
303 * If @buf is null then only the size will be filled. If the @raw_flag
304 * is not specified the output is always null terminated, although the
305 * @buf_size will not include the null character.
306 *
307 * Returns: GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not
308 * long enough, and in that case the @buf_size will be updated
309 * with the required size. On success 0 is returned.
310 **/
311 int
316 {
318 {
321 }
326 }
328 /**
329 * gnutls_x509_crt_get_issuer_dn_oid:
330 * @cert: should contain a #gnutls_x509_crt_t structure
331 * @indx: This specifies which OID to return. Use (0) to get the first one.
332 * @oid: a pointer to a buffer to hold the OID (may be null)
333 * @oid_size: initially holds the size of @oid
334 *
335 * This function will extract the OIDs of the name of the Certificate
336 * issuer specified by the given index.
337 *
338 * If @oid is null then only the size will be filled. The @oid
339 * returned will be null terminated, although @oid_size will not
340 * account for the trailing null.
341 *
342 * Returns: GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not
343 * long enough, and in that case the @oid_size will be updated
344 * with the required size. On success 0 is returned.
345 **/
346 int
349 {
351 {
354 }
359 }
361 /**
362 * gnutls_x509_crt_get_dn:
363 * @cert: should contain a #gnutls_x509_crt_t structure
364 * @buf: a pointer to a structure to hold the name (may be null)
365 * @buf_size: initially holds the size of @buf
366 *
367 * This function will copy the name of the Certificate in the provided
368 * buffer. The name will be in the form "C=xxxx,O=yyyy,CN=zzzz" as
369 * described in RFC4514. The output string will be ASCII or UTF-8
370 * encoded, depending on the certificate data.
371 *
372 * If @buf is null then only the size will be filled.
373 *
374 * Returns: %GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not
375 * long enough, and in that case the @buf_size will be updated
376 * with the required size. On success 0 is returned.
377 **/
378 int
381 {
383 {
386 }
390 buf_size);
391 }
393 /**
394 * gnutls_x509_crt_get_dn_by_oid:
395 * @cert: should contain a #gnutls_x509_crt_t structure
396 * @oid: holds an Object Identified in null terminated string
397 * @indx: In case multiple same OIDs exist in the RDN, this specifies which to send. Use (0) to get the first one.
398 * @raw_flag: If non (0) returns the raw DER data of the DN part.
399 * @buf: a pointer where the DN part will be copied (may be null).
400 * @buf_size: initially holds the size of @buf
401 *
402 * This function will extract the part of the name of the Certificate
403 * subject specified by the given OID. The output, if the raw flag is
404 * not used, will be encoded as described in RFC4514. Thus a string
405 * that is ASCII or UTF-8 encoded, depending on the certificate data.
406 *
407 * Some helper macros with popular OIDs can be found in gnutls/x509.h
408 * If raw flag is (0), this function will only return known OIDs as
409 * text. Other OIDs will be DER encoded, as described in RFC4514 --
410 * in hex format with a '#' prefix. You can check about known OIDs
411 * using gnutls_x509_dn_oid_known().
412 *
413 * If @buf is null then only the size will be filled. If the @raw_flag
414 * is not specified the output is always null terminated, although the
415 * @buf_size will not include the null character.
416 *
417 * Returns: %GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is
418 * not long enough, and in that case the *buf_size will be updated
419 * with the required size. On success 0 is returned.
420 **/
421 int
425 {
427 {
430 }
435 }
437 /**
438 * gnutls_x509_crt_get_dn_oid:
439 * @cert: should contain a #gnutls_x509_crt_t structure
440 * @indx: This specifies which OID to return. Use (0) to get the first one.
441 * @oid: a pointer to a buffer to hold the OID (may be null)
442 * @oid_size: initially holds the size of @oid
443 *
444 * This function will extract the OIDs of the name of the Certificate
445 * subject specified by the given index.
446 *
447 * If @oid is null then only the size will be filled. The @oid
448 * returned will be null terminated, although @oid_size will not
449 * account for the trailing null.
450 *
451 * Returns: %GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is
452 * not long enough, and in that case the @oid_size will be updated
453 * with the required size. On success 0 is returned.
454 **/
455 int
458 {
460 {
463 }
468 }
470 /**
471 * gnutls_x509_crt_get_signature_algorithm:
472 * @cert: should contain a #gnutls_x509_crt_t structure
473 *
474 * This function will return a value of the #gnutls_sign_algorithm_t
475 * enumeration that is the signature algorithm that has been used to
476 * sign this certificate.
477 *
478 * Returns: a #gnutls_sign_algorithm_t value, or a negative error code on
479 * error.
480 **/
481 int
483 {
485 }
487 /**
488 * gnutls_x509_crt_get_signature:
489 * @cert: should contain a #gnutls_x509_crt_t structure
490 * @sig: a pointer where the signature part will be copied (may be null).
491 * @sizeof_sig: initially holds the size of @sig
492 *
493 * This function will extract the signature field of a certificate.
494 *
495 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
496 * negative error value. and a negative error code on error.
497 **/
498 int
501 {
507 {
510 }
515 {
518 }
522 {
525 }
530 {
533 }
537 {
540 }
543 }
545 /**
546 * gnutls_x509_crt_get_version:
547 * @cert: should contain a #gnutls_x509_crt_t structure
548 *
549 * This function will return the version of the specified Certificate.
550 *
551 * Returns: version of certificate, or a negative error code on error.
552 **/
553 int
555 {
560 {
563 }
569 {
575 }
578 }
580 /**
581 * gnutls_x509_crt_get_activation_time:
582 * @cert: should contain a #gnutls_x509_crt_t structure
583 *
584 * This function will return the time this Certificate was or will be
585 * activated.
586 *
587 * Returns: activation time, or (time_t)-1 on error.
588 **/
589 time_t
591 {
593 {
596 }
600 }
602 /**
603 * gnutls_x509_crt_get_expiration_time:
604 * @cert: should contain a #gnutls_x509_crt_t structure
605 *
606 * This function will return the time this Certificate was or will be
607 * expired.
608 *
609 * Returns: expiration time, or (time_t)-1 on error.
610 **/
611 time_t
613 {
615 {
618 }
622 }
624 /**
625 * gnutls_x509_crt_get_private_key_usage_period:
626 * @cert: should contain a #gnutls_x509_crt_t structure
627 * @activation: The activation time
628 * @expiration: The expiration time
629 * @critical: the extension status
630 *
631 * This function will return the expiration and activation
632 * times of the private key of the certificate. It relies on
633 * the PKIX extension 2.5.29.16 being present.
634 *
635 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
636 * if the extension is not present, otherwise a negative error value.
637 **/
638 int
639 gnutls_x509_crt_get_private_key_usage_period (gnutls_x509_crt_t cert, time_t* activation, time_t* expiration,
641 {
647 {
650 }
652 ret =
654 critical);
661 result = asn1_create_element
664 {
668 }
672 {
676 }
688 cleanup:
693 }
696 /**
697 * gnutls_x509_crt_get_serial:
698 * @cert: should contain a #gnutls_x509_crt_t structure
699 * @result: The place where the serial number will be copied
700 * @result_size: Holds the size of the result field.
701 *
702 * This function will return the X.509 certificate's serial number.
703 * This is obtained by the X509 Certificate serialNumber field. Serial
704 * is not always a 32 or 64bit number. Some CAs use large serial
705 * numbers, thus it may be wise to handle it as something uint8_t.
706 *
707 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
708 * negative error value.
709 **/
710 int
713 {
717 {
720 }
723 ret =
728 {
731 }
734 }
736 /**
737 * gnutls_x509_crt_get_subject_key_id:
738 * @cert: should contain a #gnutls_x509_crt_t structure
739 * @ret: The place where the identifier will be copied
740 * @ret_size: Holds the size of the result field.
741 * @critical: will be non (0) if the extension is marked as critical (may be null)
742 *
743 * This function will return the X.509v3 certificate's subject key
744 * identifier. This is obtained by the X.509 Subject Key identifier
745 * extension field (2.5.29.14).
746 *
747 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
748 * if the extension is not present, otherwise a negative error value.
749 **/
750 int
753 {
755 gnutls_datum_t id;
759 {
762 }
767 else
773 {
775 }
778 {
781 }
783 result = asn1_create_element
786 {
790 }
796 {
800 }
809 {
811 }
814 {
818 }
821 }
823 static int
826 {
828 gnutls_datum_t id;
833 {
836 }
841 {
843 }
846 {
849 }
851 ret = asn1_create_element
854 {
858 }
864 {
868 }
871 }
873 /**
874 * gnutls_x509_crt_get_authority_key_gn_serial:
875 * @cert: should contain a #gnutls_x509_crt_t structure
876 * @seq: specifies the sequence number of the alt name (0 for the first one, 1 for the second etc.)
877 * @alt: is the place where the alternative name will be copied to
878 * @alt_size: holds the size of alt.
879 * @alt_type: holds the type of the alternative name (one of gnutls_x509_subject_alt_name_t).
880 * @serial: buffer to store the serial number (may be null)
881 * @serial_size: Holds the size of the serial field (may be null)
882 * @critical: will be non (0) if the extension is marked as critical (may be null)
883 *
884 * This function will return the X.509 authority key
885 * identifier when stored as a general name (authorityCertIssuer)
886 * and serial number.
887 *
888 * Because more than one general names might be stored
889 * @seq can be used as a counter to request them all until
890 * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned.
891 *
892 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
893 * if the extension is not present, otherwise a negative error value.
894 *
895 * Since: 3.0
896 **/
897 int
898 gnutls_x509_crt_get_authority_key_gn_serial (gnutls_x509_crt_t cert, unsigned int seq, void *alt,
902 {
904 ASN1_TYPE c2;
910 ret =
914 {
917 }
920 {
927 {
930 }
932 }
936 fail:
940 }
942 /**
943 * gnutls_x509_crt_get_authority_key_id:
944 * @cert: should contain a #gnutls_x509_crt_t structure
945 * @id: The place where the identifier will be copied
946 * @id_size: Holds the size of the id field.
947 * @critical: will be non (0) if the extension is marked as critical (may be null)
948 *
949 * This function will return the X.509v3 certificate authority's key
950 * identifier. This is obtained by the X.509 Authority Key
951 * identifier extension field (2.5.29.35). Note that this function
952 * only returns the keyIdentifier field of the extension and
953 * %GNUTLS_E_X509_UNSUPPORTED_EXTENSION, if the extension contains
954 * the name and serial number of the certificate. In that case
955 * gnutls_x509_crt_get_authority_key_gn_serial() may be used.
956 *
957 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
958 * if the extension is not present, otherwise a negative error value.
959 **/
960 int
964 {
966 ASN1_TYPE c2;
982 {
986 }
989 }
991 /**
992 * gnutls_x509_crt_get_pk_algorithm:
993 * @cert: should contain a #gnutls_x509_crt_t structure
994 * @bits: if bits is non null it will hold the size of the parameters' in bits
995 *
996 * This function will return the public key algorithm of an X.509
997 * certificate.
998 *
999 * If bits is non null, it should have enough size to hold the parameters
1000 * size in bits. For RSA the bits returned is the modulus.
1001 * For DSA the bits returned are of the public
1002 * exponent.
1003 *
1004 * Returns: a member of the #gnutls_pk_algorithm_t enumeration on
1005 * success, or a negative error code on error.
1006 **/
1007 int
1009 {
1013 {
1016 }
1021 result =
1024 bits);
1027 {
1030 }
1034 }
1038 {
1042 else
1044 }
1048 /* returns the type and the name on success.
1049 * Type is also returned as a parameter in case of an error.
1050 */
1051 int
1055 {
1060 gnutls_x509_subject_alt_name_t type;
1066 else
1073 {
1075 }
1078 {
1081 }
1086 {
1089 }
1095 {
1098 else
1109 {
1112 }
1115 {
1118 }
1119 else
1120 {
1126 else
1132 {
1135 }
1138 {
1142 result = asn1_create_element
1145 {
1148 }
1152 {
1156 }
1161 {
1166 }
1170 {
1174 }
1177 /* null terminate it */
1179 }
1180 }
1181 }
1183 {
1187 {
1190 }
1191 }
1194 else
1195 {
1206 {
1210 }
1213 {
1216 }
1219 {
1222 {
1226 }
1228 /* null terminate it */
1230 }
1232 }
1235 }
1237 static int
1242 {
1244 gnutls_datum_t dnsname;
1248 {
1251 }
1255 else
1261 {
1263 }
1266 {
1269 }
1277 else
1278 {
1281 }
1284 {
1288 }
1294 {
1298 }
1300 result =
1302 othername_oid);
1307 {
1310 }
1313 }
1315 /**
1316 * gnutls_x509_crt_get_subject_alt_name:
1317 * @cert: should contain a #gnutls_x509_crt_t structure
1318 * @seq: specifies the sequence number of the alt name (0 for the first one, 1 for the second etc.)
1319 * @san: is the place where the alternative name will be copied to
1320 * @san_size: holds the size of san.
1321 * @critical: will be non (0) if the extension is marked as critical (may be null)
1322 *
1323 * This function retrieves the Alternative Name (2.5.29.17), contained
1324 * in the given certificate in the X509v3 Certificate Extensions.
1325 *
1326 * When the SAN type is otherName, it will extract the data in the
1327 * otherName's value field, and %GNUTLS_SAN_OTHERNAME is returned.
1328 * You may use gnutls_x509_crt_get_subject_alt_othername_oid() to get
1329 * the corresponding OID and the "virtual" SAN types (e.g.,
1330 * %GNUTLS_SAN_OTHERNAME_XMPP).
1331 *
1332 * If an otherName OID is known, the data will be decoded. Otherwise
1333 * the returned data will be DER encoded, and you will have to decode
1334 * it yourself. Currently, only the RFC 3920 id-on-xmppAddr SAN is
1335 * recognized.
1336 *
1337 * Returns: the alternative subject name type on success, one of the
1338 * enumerated #gnutls_x509_subject_alt_name_t. It will return
1339 * %GNUTLS_E_SHORT_MEMORY_BUFFER if @san_size is not large enough to
1340 * hold the value. In that case @san_size will be updated with the
1341 * required size. If the certificate does not have an Alternative
1342 * name with the specified sequence number then
1343 * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned.
1344 **/
1345 int
1350 {
1353 }
1355 /**
1356 * gnutls_x509_crt_get_issuer_alt_name:
1357 * @cert: should contain a #gnutls_x509_crt_t structure
1358 * @seq: specifies the sequence number of the alt name (0 for the first one, 1 for the second etc.)
1359 * @ian: is the place where the alternative name will be copied to
1360 * @ian_size: holds the size of ian.
1361 * @critical: will be non (0) if the extension is marked as critical (may be null)
1362 *
1363 * This function retrieves the Issuer Alternative Name (2.5.29.18),
1364 * contained in the given certificate in the X509v3 Certificate
1365 * Extensions.
1366 *
1367 * When the SAN type is otherName, it will extract the data in the
1368 * otherName's value field, and %GNUTLS_SAN_OTHERNAME is returned.
1369 * You may use gnutls_x509_crt_get_subject_alt_othername_oid() to get
1370 * the corresponding OID and the "virtual" SAN types (e.g.,
1371 * %GNUTLS_SAN_OTHERNAME_XMPP).
1372 *
1373 * If an otherName OID is known, the data will be decoded. Otherwise
1374 * the returned data will be DER encoded, and you will have to decode
1375 * it yourself. Currently, only the RFC 3920 id-on-xmppAddr Issuer
1376 * AltName is recognized.
1377 *
1378 * Returns: the alternative issuer name type on success, one of the
1379 * enumerated #gnutls_x509_subject_alt_name_t. It will return
1380 * %GNUTLS_E_SHORT_MEMORY_BUFFER if @ian_size is not large enough
1381 * to hold the value. In that case @ian_size will be updated with
1382 * the required size. If the certificate does not have an
1383 * Alternative name with the specified sequence number then
1384 * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned.
1385 *
1386 * Since: 2.10.0
1387 **/
1388 int
1393 {
1396 }
1398 /**
1399 * gnutls_x509_crt_get_subject_alt_name2:
1400 * @cert: should contain a #gnutls_x509_crt_t structure
1401 * @seq: specifies the sequence number of the alt name (0 for the first one, 1 for the second etc.)
1402 * @san: is the place where the alternative name will be copied to
1403 * @san_size: holds the size of ret.
1404 * @san_type: holds the type of the alternative name (one of gnutls_x509_subject_alt_name_t).
1405 * @critical: will be non (0) if the extension is marked as critical (may be null)
1406 *
1407 * This function will return the alternative names, contained in the
1408 * given certificate. It is the same as
1409 * gnutls_x509_crt_get_subject_alt_name() except for the fact that it
1410 * will return the type of the alternative name in @san_type even if
1411 * the function fails for some reason (i.e. the buffer provided is
1412 * not enough).
1413 *
1414 * Returns: the alternative subject name type on success, one of the
1415 * enumerated #gnutls_x509_subject_alt_name_t. It will return
1416 * %GNUTLS_E_SHORT_MEMORY_BUFFER if @san_size is not large enough
1417 * to hold the value. In that case @san_size will be updated with
1418 * the required size. If the certificate does not have an
1419 * Alternative name with the specified sequence number then
1420 * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned.
1421 **/
1422 int
1428 {
1431 }
1433 /**
1434 * gnutls_x509_crt_get_issuer_alt_name2:
1435 * @cert: should contain a #gnutls_x509_crt_t structure
1436 * @seq: specifies the sequence number of the alt name (0 for the first one, 1 for the second etc.)
1437 * @ian: is the place where the alternative name will be copied to
1438 * @ian_size: holds the size of ret.
1439 * @ian_type: holds the type of the alternative name (one of gnutls_x509_subject_alt_name_t).
1440 * @critical: will be non (0) if the extension is marked as critical (may be null)
1441 *
1442 * This function will return the alternative names, contained in the
1443 * given certificate. It is the same as
1444 * gnutls_x509_crt_get_issuer_alt_name() except for the fact that it
1445 * will return the type of the alternative name in @ian_type even if
1446 * the function fails for some reason (i.e. the buffer provided is
1447 * not enough).
1448 *
1449 * Returns: the alternative issuer name type on success, one of the
1450 * enumerated #gnutls_x509_subject_alt_name_t. It will return
1451 * %GNUTLS_E_SHORT_MEMORY_BUFFER if @ian_size is not large enough
1452 * to hold the value. In that case @ian_size will be updated with
1453 * the required size. If the certificate does not have an
1454 * Alternative name with the specified sequence number then
1455 * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned.
1456 *
1457 * Since: 2.10.0
1458 *
1459 **/
1460 int
1466 {
1469 }
1471 /**
1472 * gnutls_x509_crt_get_subject_alt_othername_oid:
1473 * @cert: should contain a #gnutls_x509_crt_t structure
1474 * @seq: specifies the sequence number of the alt name (0 for the first one, 1 for the second etc.)
1475 * @oid: is the place where the otherName OID will be copied to
1476 * @oid_size: holds the size of ret.
1477 *
1478 * This function will extract the type OID of an otherName Subject
1479 * Alternative Name, contained in the given certificate, and return
1480 * the type as an enumerated element.
1481 *
1482 * This function is only useful if
1483 * gnutls_x509_crt_get_subject_alt_name() returned
1484 * %GNUTLS_SAN_OTHERNAME.
1485 *
1486 * If @oid is null then only the size will be filled. The @oid
1487 * returned will be null terminated, although @oid_size will not
1488 * account for the trailing null.
1489 *
1490 * Returns: the alternative subject name type on success, one of the
1491 * enumerated gnutls_x509_subject_alt_name_t. For supported OIDs, it
1492 * will return one of the virtual (GNUTLS_SAN_OTHERNAME_*) types,
1493 * e.g. %GNUTLS_SAN_OTHERNAME_XMPP, and %GNUTLS_SAN_OTHERNAME for
1494 * unknown OIDs. It will return %GNUTLS_E_SHORT_MEMORY_BUFFER if
1495 * @ian_size is not large enough to hold the value. In that case
1496 * @ian_size will be updated with the required size. If the
1497 * certificate does not have an Alternative name with the specified
1498 * sequence number and with the otherName type then
1499 * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned.
1500 **/
1501 int
1505 {
1507 }
1509 /**
1510 * gnutls_x509_crt_get_issuer_alt_othername_oid:
1511 * @cert: should contain a #gnutls_x509_crt_t structure
1512 * @seq: specifies the sequence number of the alt name (0 for the first one, 1 for the second etc.)
1513 * @ret: is the place where the otherName OID will be copied to
1514 * @ret_size: holds the size of ret.
1515 *
1516 * This function will extract the type OID of an otherName Subject
1517 * Alternative Name, contained in the given certificate, and return
1518 * the type as an enumerated element.
1519 *
1520 * If @oid is null then only the size will be filled. The @oid
1521 * returned will be null terminated, although @oid_size will not
1522 * account for the trailing null.
1523 *
1524 * This function is only useful if
1525 * gnutls_x509_crt_get_issuer_alt_name() returned
1526 * %GNUTLS_SAN_OTHERNAME.
1527 *
1528 * Returns: the alternative issuer name type on success, one of the
1529 * enumerated gnutls_x509_subject_alt_name_t. For supported OIDs, it
1530 * will return one of the virtual (GNUTLS_SAN_OTHERNAME_*) types,
1531 * e.g. %GNUTLS_SAN_OTHERNAME_XMPP, and %GNUTLS_SAN_OTHERNAME for
1532 * unknown OIDs. It will return %GNUTLS_E_SHORT_MEMORY_BUFFER if
1533 * @ret_size is not large enough to hold the value. In that case
1534 * @ret_size will be updated with the required size. If the
1535 * certificate does not have an Alternative name with the specified
1536 * sequence number and with the otherName type then
1537 * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned.
1538 *
1539 * Since: 2.10.0
1540 **/
1541 int
1545 {
1547 }
1549 /**
1550 * gnutls_x509_crt_get_basic_constraints:
1551 * @cert: should contain a #gnutls_x509_crt_t structure
1552 * @critical: will be non (0) if the extension is marked as critical
1553 * @ca: pointer to output integer indicating CA status, may be NULL,
1554 * value is 1 if the certificate CA flag is set, 0 otherwise.
1555 * @pathlen: pointer to output integer indicating path length (may be
1556 * NULL), non-negative error codes indicate a present pathLenConstraint
1557 * field and the actual value, -1 indicate that the field is absent.
1558 *
1559 * This function will read the certificate's basic constraints, and
1560 * return the certificates CA status. It reads the basicConstraints
1561 * X.509 extension (2.5.29.19).
1562 *
1563 * Returns: If the certificate is a CA a positive value will be
1564 * returned, or (0) if the certificate does not have CA flag set. A
1565 * negative error code may be returned in case of errors. If the
1566 * certificate does not contain the basicConstraints extension
1567 * GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.
1568 **/
1569 int
1573 {
1575 gnutls_datum_t basicConstraints;
1579 {
1582 }
1587 {
1589 }
1592 {
1595 }
1597 result =
1599 pathlen,
1607 {
1610 }
1613 }
1615 /**
1616 * gnutls_x509_crt_get_ca_status:
1617 * @cert: should contain a #gnutls_x509_crt_t structure
1618 * @critical: will be non (0) if the extension is marked as critical
1619 *
1620 * This function will return certificates CA status, by reading the
1621 * basicConstraints X.509 extension (2.5.29.19). If the certificate is
1622 * a CA a positive value will be returned, or (0) if the certificate
1623 * does not have CA flag set.
1624 *
1625 * Use gnutls_x509_crt_get_basic_constraints() if you want to read the
1626 * pathLenConstraint field too.
1627 *
1628 * Returns: A negative error code may be returned in case of parsing error.
1629 * If the certificate does not contain the basicConstraints extension
1630 * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.
1631 **/
1632 int
1634 {
1639 }
1641 /**
1642 * gnutls_x509_crt_get_key_usage:
1643 * @cert: should contain a #gnutls_x509_crt_t structure
1644 * @key_usage: where the key usage bits will be stored
1645 * @critical: will be non (0) if the extension is marked as critical
1646 *
1647 * This function will return certificate's key usage, by reading the
1648 * keyUsage X.509 extension (2.5.29.15). The key usage value will ORed
1649 * values of the: %GNUTLS_KEY_DIGITAL_SIGNATURE,
1650 * %GNUTLS_KEY_NON_REPUDIATION, %GNUTLS_KEY_KEY_ENCIPHERMENT,
1651 * %GNUTLS_KEY_DATA_ENCIPHERMENT, %GNUTLS_KEY_KEY_AGREEMENT,
1652 * %GNUTLS_KEY_KEY_CERT_SIGN, %GNUTLS_KEY_CRL_SIGN,
1653 * %GNUTLS_KEY_ENCIPHER_ONLY, %GNUTLS_KEY_DECIPHER_ONLY.
1654 *
1655 * Returns: the certificate key usage, or a negative error code in case of
1656 * parsing error. If the certificate does not contain the keyUsage
1657 * extension %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be
1658 * returned.
1659 **/
1660 int
1664 {
1666 gnutls_datum_t keyUsage;
1670 {
1673 }
1678 {
1680 }
1683 {
1686 }
1695 {
1698 }
1701 }
1703 /**
1704 * gnutls_x509_crt_get_proxy:
1705 * @cert: should contain a #gnutls_x509_crt_t structure
1706 * @critical: will be non (0) if the extension is marked as critical
1707 * @pathlen: pointer to output integer indicating path length (may be
1708 * NULL), non-negative error codes indicate a present pCPathLenConstraint
1709 * field and the actual value, -1 indicate that the field is absent.
1710 * @policyLanguage: output variable with OID of policy language
1711 * @policy: output variable with policy data
1712 * @sizeof_policy: output variable size of policy data
1713 *
1714 * This function will get information from a proxy certificate. It
1715 * reads the ProxyCertInfo X.509 extension (1.3.6.1.5.5.7.1.14).
1716 *
1717 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
1718 * otherwise a negative error code is returned.
1719 **/
1720 int
1726 {
1728 gnutls_datum_t proxyCertInfo;
1731 {
1734 }
1739 {
1741 }
1744 {
1747 }
1750 policyLanguage,
1751 policy,
1752 sizeof_policy,
1757 {
1760 }
1763 }
1765 /**
1766 * gnutls_x509_crt_get_extension_by_oid:
1767 * @cert: should contain a #gnutls_x509_crt_t structure
1768 * @oid: holds an Object Identified in null terminated string
1769 * @indx: In case multiple same OIDs exist in the extensions, this specifies which to send. Use (0) to get the first one.
1770 * @buf: a pointer to a structure to hold the name (may be null)
1771 * @buf_size: initially holds the size of @buf
1772 * @critical: will be non (0) if the extension is marked as critical
1773 *
1774 * This function will return the extension specified by the OID in the
1775 * certificate. The extensions will be returned as binary data DER
1776 * encoded, in the provided buffer.
1777 *
1778 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
1779 * otherwise a negative error code is returned. If the certificate does not
1780 * contain the specified extension
1781 * GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.
1782 **/
1783 int
1788 {
1790 gnutls_datum_t output;
1793 {
1796 }
1801 {
1804 }
1807 {
1810 }
1813 {
1817 }
1828 }
1830 /**
1831 * gnutls_x509_crt_get_extension_oid:
1832 * @cert: should contain a #gnutls_x509_crt_t structure
1833 * @indx: Specifies which extension OID to send. Use (0) to get the first one.
1834 * @oid: a pointer to a structure to hold the OID (may be null)
1835 * @oid_size: initially holds the size of @oid
1836 *
1837 * This function will return the requested extension OID in the certificate.
1838 * The extension OID will be stored as a string in the provided buffer.
1839 *
1840 * The @oid returned will be null terminated, although @oid_size will not
1841 * account for the trailing null.
1842 *
1843 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
1844 * otherwise a negative error code is returned. If you have reached the
1845 * last extension available %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
1846 * will be returned.
1847 **/
1848 int
1851 {
1855 {
1858 }
1862 {
1864 }
1868 }
1870 /**
1871 * gnutls_x509_crt_get_extension_info:
1872 * @cert: should contain a #gnutls_x509_crt_t structure
1873 * @indx: Specifies which extension OID to send. Use (0) to get the first one.
1874 * @oid: a pointer to a structure to hold the OID
1875 * @oid_size: initially holds the maximum size of @oid, on return
1876 * holds actual size of @oid.
1877 * @critical: output variable with critical flag, may be NULL.
1878 *
1879 * This function will return the requested extension OID in the
1880 * certificate, and the critical flag for it. The extension OID will
1881 * be stored as a string in the provided buffer. Use
1882 * gnutls_x509_crt_get_extension_data() to extract the data.
1883 *
1884 * If the buffer provided is not long enough to hold the output, then
1885 * @oid_size is updated and %GNUTLS_E_SHORT_MEMORY_BUFFER will be
1886 * returned. The @oid returned will be null terminated, although
1887 * @oid_size will not account for the trailing null.
1888 *
1889 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
1890 * otherwise a negative error code is returned. If you have reached the
1891 * last extension available %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
1892 * will be returned.
1893 **/
1894 int
1898 {
1905 {
1908 }
1920 {
1923 }
1930 {
1933 }
1936 {
1939 else
1941 }
1945 }
1947 /**
1948 * gnutls_x509_crt_get_extension_data:
1949 * @cert: should contain a #gnutls_x509_crt_t structure
1950 * @indx: Specifies which extension OID to send. Use (0) to get the first one.
1951 * @data: a pointer to a structure to hold the data (may be null)
1952 * @sizeof_data: initially holds the size of @oid
1953 *
1954 * This function will return the requested extension data in the
1955 * certificate. The extension data will be stored as a string in the
1956 * provided buffer.
1957 *
1958 * Use gnutls_x509_crt_get_extension_info() to extract the OID and
1959 * critical flag. Use gnutls_x509_crt_get_extension_by_oid() instead,
1960 * if you want to get data indexed by the extension OID rather than
1961 * sequence.
1962 *
1963 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
1964 * otherwise a negative error code is returned. If you have reached the
1965 * last extension available %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
1966 * will be returned.
1967 **/
1968 int
1971 {
1976 {
1979 }
1991 {
1994 }
1997 }
1999 static int
2002 {
2008 /* get the issuer of 'cert'
2009 */
2013 {
2016 }
2018 result =
2021 {
2024 }
2028 {
2033 }
2035 result =
2040 {
2044 }
2052 cleanup:
2056 }
2058 /**
2059 * gnutls_x509_crt_get_raw_issuer_dn:
2060 * @cert: should contain a #gnutls_x509_crt_t structure
2061 * @start: will hold the starting point of the DN
2062 *
2063 * This function will return a pointer to the DER encoded DN structure
2064 * and the length. This points to allocated data that must be free'd using gnutls_free().
2065 *
2066 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
2067 * negative error value.or a negative error code on error.
2068 *
2069 **/
2070 int
2073 {
2075 }
2077 /**
2078 * gnutls_x509_crt_get_raw_dn:
2079 * @cert: should contain a #gnutls_x509_crt_t structure
2080 * @start: will hold the starting point of the DN
2081 *
2082 * This function will return a pointer to the DER encoded DN structure and
2083 * the length. This points to allocated data that must be free'd using gnutls_free().
2084 *
2085 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
2086 * negative error value. or a negative error code on error.
2087 *
2088 **/
2089 int
2091 {
2093 }
2095 static int
2097 {
2102 }
2104 /**
2105 * gnutls_x509_crt_get_subject:
2106 * @cert: should contain a #gnutls_x509_crt_t structure
2107 * @dn: output variable with pointer to uint8_t DN.
2108 *
2109 * Return the Certificate's Subject DN as an uint8_t data type. You
2110 * may use gnutls_x509_dn_get_rdn_ava() to decode the DN.
2111 *
2112 * Note that @dn should be treated as constant. Because points
2113 * into the @cert object, you may not deallocate @cert
2114 * and continue to access @dn.
2115 *
2116 * Returns: Returns 0 on success, or an error code.
2117 **/
2118 int
2120 {
2122 }
2124 /**
2125 * gnutls_x509_crt_get_issuer:
2126 * @cert: should contain a #gnutls_x509_crt_t structure
2127 * @dn: output variable with pointer to uint8_t DN
2128 *
2129 * Return the Certificate's Issuer DN as an uint8_t data type. You may
2130 * use gnutls_x509_dn_get_rdn_ava() to decode the DN.
2131 *
2132 * Note that @dn should be treated as constant. Because points
2133 * into the @cert object, you may not deallocate @cert
2134 * and continue to access @dn.
2135 *
2136 * Returns: Returns 0 on success, or an error code.
2137 **/
2138 int
2140 {
2142 }
2144 /**
2145 * gnutls_x509_dn_get_rdn_ava:
2146 * @dn: input variable with uint8_t DN pointer
2147 * @irdn: index of RDN
2148 * @iava: index of AVA.
2149 * @ava: Pointer to structure which will hold output information.
2150 *
2151 * Get pointers to data within the DN.
2152 *
2153 * Note that @ava will contain pointers into the @dn structure, so you
2154 * should not modify any data or deallocate it. Note also that the DN
2155 * in turn points into the original certificate structure, and thus
2156 * you may not deallocate the certificate and continue to access @dn.
2157 *
2158 * Returns: Returns 0 on success, or an error code.
2159 **/
2160 int
2163 {
2165 ASN1_DATA_NODE vnode;
2172 iava++;
2178 {
2181 }
2186 {
2189 }
2193 {
2196 }
2204 {
2207 }
2211 {
2214 }
2215 /* The value still has the previous tag's length bytes, plus the
2216 * current value's tag and length bytes. Decode them.
2217 */
2223 {
2226 }
2232 {
2235 }
2240 {
2245 {
2248 }
2250 }
2254 }
2256 /**
2257 * gnutls_x509_crt_get_fingerprint:
2258 * @cert: should contain a #gnutls_x509_crt_t structure
2259 * @algo: is a digest algorithm
2260 * @buf: a pointer to a structure to hold the fingerprint (may be null)
2261 * @buf_size: initially holds the size of @buf
2262 *
2263 * This function will calculate and copy the certificate's fingerprint
2264 * in the provided buffer.
2265 *
2266 * If the buffer is null then only the size will be filled.
2267 *
2268 * Returns: %GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is
2269 * not long enough, and in that case the *buf_size will be updated
2270 * with the required size. On success 0 is returned.
2271 **/
2272 int
2274 gnutls_digest_algorithm_t algo,
2276 {
2280 gnutls_datum_t tmp;
2283 {
2285 }
2292 {
2295 }
2300 {
2304 }
2313 }
2315 /**
2316 * gnutls_x509_crt_export:
2317 * @cert: Holds the certificate
2318 * @format: the format of output params. One of PEM or DER.
2319 * @output_data: will contain a certificate PEM or DER encoded
2320 * @output_data_size: holds the size of output_data (and will be
2321 * replaced by the actual size of parameters)
2322 *
2323 * This function will export the certificate to DER or PEM format.
2324 *
2325 * If the buffer provided is not long enough to hold the output, then
2326 * *output_data_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will
2327 * be returned.
2328 *
2329 * If the structure is PEM encoded, it will have a header
2330 * of "BEGIN CERTIFICATE".
2331 *
2332 * Returns: In case of failure a negative error code will be
2333 * returned, and 0 on success.
2334 **/
2335 int
2339 {
2341 {
2344 }
2348 }
2350 int
2354 {
2361 {
2365 }
2373 {
2376 }
2381 cleanup:
2385 }
2387 /**
2388 * gnutls_x509_crt_get_key_id:
2389 * @crt: Holds the certificate
2390 * @flags: should be 0 for now
2391 * @output_data: will contain the key ID
2392 * @output_data_size: holds the size of output_data (and will be
2393 * replaced by the actual size of parameters)
2394 *
2395 * This function will return a unique ID the depends on the public
2396 * key parameters. This ID can be used in checking whether a
2397 * certificate corresponds to the given private key.
2398 *
2399 * If the buffer provided is not long enough to hold the output, then
2400 * *output_data_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will
2401 * be returned. The output will normally be a SHA-1 hash output,
2402 * which is 20 bytes.
2403 *
2404 * Returns: In case of failure a negative error code will be
2405 * returned, and 0 on success.
2406 **/
2407 int
2411 {
2413 gnutls_pk_params_st params;
2416 {
2419 }
2423 {
2426 }
2430 {
2433 }
2440 }
2443 /* This is exactly as gnutls_x509_crt_check_revocation() except that
2444 * it calls func.
2445 */
2446 int
2450 gnutls_verify_output_function func)
2451 {
2459 {
2462 }
2467 /* Step 1. check if issuer's DN match
2468 */
2471 {
2474 }
2478 {
2481 }
2487 {
2488 /* issuers do not match so don't even
2489 * bother checking.
2490 */
2492 }
2494 /* Step 2. Read the certificate's serial number
2495 */
2499 {
2502 }
2504 /* Step 3. cycle through the CRL serials and compare with
2505 * certificate serial we have.
2506 */
2510 {
2513 }
2516 {
2518 ret =
2523 {
2526 }
2529 {
2531 {
2532 /* serials match */
2535 }
2536 }
2537 }
2540 }
2542 }
2545 /**
2546 * gnutls_x509_crt_check_revocation:
2547 * @cert: should contain a #gnutls_x509_crt_t structure
2548 * @crl_list: should contain a list of gnutls_x509_crl_t structures
2549 * @crl_list_length: the length of the crl_list
2550 *
2551 * This function will return check if the given certificate is
2552 * revoked. It is assumed that the CRLs have been verified before.
2553 *
2554 * Returns: 0 if the certificate is NOT revoked, and 1 if it is. A
2555 * negative error code is returned on error.
2556 **/
2557 int
2561 {
2563 }
2565 /**
2566 * gnutls_x509_crt_get_verify_algorithm:
2567 * @crt: Holds the certificate
2568 * @signature: contains the signature
2569 * @hash: The result of the call with the hash algorithm used for signature
2570 *
2571 * This function will read the certifcate and the signed data to
2572 * determine the hash algorithm used to generate the signature.
2573 *
2574 * Deprecated: Use gnutls_pubkey_get_verify_algorithm() instead.
2575 *
2576 * Returns: the 0 if the hash algorithm is found. A negative error code is
2577 * returned on error.
2578 *
2579 * Since: 2.8.0
2580 **/
2581 int
2585 {
2586 gnutls_pk_params_st issuer_params;
2590 {
2593 }
2597 {
2600 }
2603 signature,
2605 NULL),
2608 /* release allocated mpis */
2612 }
2616 /**
2617 * gnutls_x509_crt_get_preferred_hash_algorithm:
2618 * @crt: Holds the certificate
2619 * @hash: The result of the call with the hash algorithm used for signature
2620 * @mand: If non (0) it means that the algorithm MUST use this hash. May be NULL.
2621 *
2622 * This function will read the certifcate and return the appropriate digest
2623 * algorithm to use for signing with this certificate. Some certificates (i.e.
2624 * DSA might not be able to sign without the preferred algorithm).
2625 *
2626 * Deprecated: Please use gnutls_pubkey_get_preferred_hash_algorithm().
2627 *
2628 * Returns: the 0 if the hash algorithm is found. A negative error code is
2629 * returned on error.
2630 *
2631 * Since: 2.12.0
2632 **/
2633 int
2635 gnutls_digest_algorithm_t *
2637 {
2638 gnutls_pk_params_st issuer_params;
2642 {
2645 }
2649 {
2652 }
2654 ret =
2659 /* release allocated mpis */
2663 }
2665 /**
2666 * gnutls_x509_crt_verify_data:
2667 * @crt: Holds the certificate
2668 * @flags: should be 0 for now
2669 * @data: holds the data to be signed
2670 * @signature: contains the signature
2671 *
2672 * This function will verify the given signed data, using the
2673 * parameters from the certificate.
2674 *
2675 * Deprecated. Please use gnutls_pubkey_verify_data().
2676 *
2677 * Returns: In case of a verification failure %GNUTLS_E_PK_SIG_VERIFY_FAILED
2678 * is returned, and zero or positive code on success.
2679 **/
2680 int
2684 {
2688 {
2691 }
2695 {
2698 }
2701 }
2703 /**
2704 * gnutls_x509_crt_verify_hash:
2705 * @crt: Holds the certificate
2706 * @flags: should be 0 for now
2707 * @hash: holds the hash digest to be verified
2708 * @signature: contains the signature
2709 *
2710 * This function will verify the given signed digest, using the
2711 * parameters from the certificate.
2712 *
2713 * Deprecated. Please use gnutls_pubkey_verify_data2() or gnutls_pubkey_verify_hash2().
2714 *
2715 * Returns: In case of a verification failure %GNUTLS_E_PK_SIG_VERIFY_FAILED
2716 * is returned, and zero or positive code on success.
2717 **/
2718 int
2722 {
2723 gnutls_pk_params_st params;
2724 gnutls_digest_algorithm_t algo;
2728 {
2731 }
2737 /* Read the MPI parameters from the issuer's certificate.
2738 */
2739 ret =
2742 {
2745 }
2747 ret =
2751 {
2753 }
2755 /* release all allocated MPIs
2756 */
2760 }
2762 /**
2763 * gnutls_x509_crt_get_crl_dist_points:
2764 * @cert: should contain a #gnutls_x509_crt_t structure
2765 * @seq: specifies the sequence number of the distribution point (0 for the first one, 1 for the second etc.)
2766 * @ret: is the place where the distribution point will be copied to
2767 * @ret_size: holds the size of ret.
2768 * @reason_flags: Revocation reasons flags.
2769 * @critical: will be non (0) if the extension is marked as critical (may be null)
2770 *
2771 * This function retrieves the CRL distribution points (2.5.29.31),
2772 * contained in the given certificate in the X509v3 Certificate
2773 * Extensions.
2774 *
2775 * @reason_flags should be an ORed sequence of
2776 * %GNUTLS_CRL_REASON_UNUSED, %GNUTLS_CRL_REASON_KEY_COMPROMISE,
2777 * %GNUTLS_CRL_REASON_CA_COMPROMISE,
2778 * %GNUTLS_CRL_REASON_AFFILIATION_CHANGED,
2779 * %GNUTLS_CRL_REASON_SUPERSEEDED,
2780 * %GNUTLS_CRL_REASON_CESSATION_OF_OPERATION,
2781 * %GNUTLS_CRL_REASON_CERTIFICATE_HOLD,
2782 * %GNUTLS_CRL_REASON_PRIVILEGE_WITHDRAWN,
2783 * %GNUTLS_CRL_REASON_AA_COMPROMISE, or (0) for all possible reasons.
2784 *
2785 * Returns: %GNUTLS_E_SHORT_MEMORY_BUFFER and updates @ret_size if
2786 * @ret_size is not enough to hold the distribution point, or the
2787 * type of the distribution point if everything was ok. The type is
2788 * one of the enumerated %gnutls_x509_subject_alt_name_t. If the
2789 * certificate does not have an Alternative name with the specified
2790 * sequence number then %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is
2791 * returned.
2792 **/
2793 int
2799 {
2805 gnutls_x509_subject_alt_name_t type;
2809 {
2812 }
2816 else
2822 result =
2824 critical);
2826 {
2828 }
2831 {
2834 }
2836 result = asn1_create_element
2839 {
2843 }
2849 {
2853 }
2855 /* Return the different names from the first CRLDistr. point.
2856 * The whole thing is a mess.
2857 */
2862 {
2865 }
2870 /* Read the CRL reasons.
2871 */
2873 {
2882 {
2886 }
2889 }
2894 }
2896 /**
2897 * gnutls_x509_crt_get_key_purpose_oid:
2898 * @cert: should contain a #gnutls_x509_crt_t structure
2899 * @indx: This specifies which OID to return. Use (0) to get the first one.
2900 * @oid: a pointer to a buffer to hold the OID (may be null)
2901 * @oid_size: initially holds the size of @oid
2902 * @critical: output flag to indicate criticality of extension
2903 *
2904 * This function will extract the key purpose OIDs of the Certificate
2905 * specified by the given index. These are stored in the Extended Key
2906 * Usage extension (2.5.29.37) See the GNUTLS_KP_* definitions for
2907 * human readable names.
2908 *
2909 * If @oid is null then only the size will be filled. The @oid
2910 * returned will be null terminated, although @oid_size will not
2911 * account for the trailing null.
2912 *
2913 * Returns: %GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is
2914 * not long enough, and in that case the *oid_size will be updated
2915 * with the required size. On success 0 is returned.
2916 **/
2917 int
2921 {
2924 gnutls_datum_t id;
2928 {
2931 }
2935 else
2941 {
2943 }
2946 {
2949 }
2951 result = asn1_create_element
2954 {
2958 }
2964 {
2968 }
2970 indx++;
2971 /* create a string like "?1"
2972 */
2982 {
2984 }
2987 {
2990 }
2994 }
2996 /**
2997 * gnutls_x509_crt_get_pk_rsa_raw:
2998 * @crt: Holds the certificate
2999 * @m: will hold the modulus
3000 * @e: will hold the public exponent
3001 *
3002 * This function will export the RSA public key's parameters found in
3003 * the given structure. The new parameters will be allocated using
3004 * gnutls_malloc() and will be stored in the appropriate datum.
3005 *
3006 * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
3007 **/
3008 int
3011 {
3013 gnutls_pk_params_st params;
3016 {
3019 }
3023 {
3026 }
3030 {
3033 }
3037 {
3040 }
3044 {
3048 }
3052 cleanup:
3055 }
3057 /**
3058 * gnutls_x509_crt_get_pk_dsa_raw:
3059 * @crt: Holds the certificate
3060 * @p: will hold the p
3061 * @q: will hold the q
3062 * @g: will hold the g
3063 * @y: will hold the y
3064 *
3065 * This function will export the DSA public key's parameters found in
3066 * the given certificate. The new parameters will be allocated using
3067 * gnutls_malloc() and will be stored in the appropriate datum.
3068 *
3069 * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
3070 **/
3071 int
3075 {
3077 gnutls_pk_params_st params;
3080 {
3083 }
3087 {
3090 }
3094 {
3097 }
3100 /* P */
3103 {
3106 }
3108 /* Q */
3111 {
3115 }
3118 /* G */
3121 {
3126 }
3129 /* Y */
3132 {
3138 }
3142 cleanup:
3146 }
3148 /**
3149 * gnutls_x509_crt_list_import2:
3150 * @certs: The structures to store the parsed certificate. Must not be initialized.
3151 * @size: It will contain the size of the list.
3152 * @data: The PEM encoded certificate.
3153 * @format: One of DER or PEM.
3154 * @flags: must be (0) or an OR'd sequence of gnutls_certificate_import_flags.
3155 *
3156 * This function will convert the given PEM encoded certificate list
3157 * to the native gnutls_x509_crt_t format. The output will be stored
3158 * in @certs. They will be automatically initialized.
3159 *
3160 * If the Certificate is PEM encoded it should have a header of "X509
3161 * CERTIFICATE", or "CERTIFICATE".
3162 *
3163 * Returns: the number of certificates read or a negative error value.
3164 *
3165 * Since: 3.0
3166 **/
3167 int
3172 {
3178 {
3181 }
3183 ret = gnutls_x509_crt_list_import(*certs, &init, data, format, GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED);
3185 {
3188 {
3191 }
3194 }
3197 {
3201 }
3205 }
3208 {
3214 /* check if the X.509 list is ordered */
3216 {
3219 {
3221 {
3225 {
3228 }
3231 {
3234 }
3235 }
3240 {
3243 }
3244 }
3245 }
3249 cleanup:
3251 }
3254 /**
3255 * gnutls_x509_crt_list_import:
3256 * @certs: The structures to store the parsed certificate. Must not be initialized.
3257 * @cert_max: Initially must hold the maximum number of certs. It will be updated with the number of certs available.
3258 * @data: The PEM encoded certificate.
3259 * @format: One of DER or PEM.
3260 * @flags: must be (0) or an OR'd sequence of gnutls_certificate_import_flags.
3261 *
3262 * This function will convert the given PEM encoded certificate list
3263 * to the native gnutls_x509_crt_t format. The output will be stored
3264 * in @certs. They will be automatically initialized.
3265 *
3266 * The flag %GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED will cause
3267 * import to fail if the certificates in the provided buffer are more
3268 * than the available structures. The %GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED
3269 * flag will cause the function to fail if the provided list is not
3270 * sorted from subject to issuer.
3271 *
3272 * If the Certificate is PEM encoded it should have a header of "X509
3273 * CERTIFICATE", or "CERTIFICATE".
3274 *
3275 * Returns: the number of certificates read or a negative error value.
3276 **/
3277 int
3282 {
3285 gnutls_datum_t tmp;
3290 {
3292 {
3295 }
3301 {
3304 }
3308 {
3311 }
3315 }
3317 /* move to the certificate
3318 */
3330 do
3331 {
3333 {
3336 else
3338 }
3341 {
3344 {
3347 }
3352 ret =
3355 {
3358 }
3359 }
3361 /* now we move ptr after the pem header
3362 */
3363 ptr++;
3364 /* find the next certificate (if any)
3365 */
3369 {
3378 }
3379 else
3382 count++;
3383 }
3389 {
3392 {
3395 }
3396 }
3400 else
3403 error:
3407 }
3409 /**
3410 * gnutls_x509_crt_get_subject_unique_id:
3411 * @crt: Holds the certificate
3412 * @buf: user allocated memory buffer, will hold the unique id
3413 * @buf_size: size of user allocated memory buffer (on input), will hold
3414 * actual size of the unique ID on return.
3415 *
3416 * This function will extract the subjectUniqueID value (if present) for
3417 * the given certificate.
3418 *
3419 * If the user allocated memory buffer is not large enough to hold the
3420 * full subjectUniqueID, then a GNUTLS_E_SHORT_MEMORY_BUFFER error will be
3421 * returned, and buf_size will be set to the actual length.
3422 *
3423 * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
3424 **/
3425 int
3428 {
3432 result =
3441 }
3442 else
3443 {
3446 }
3451 }
3453 /**
3454 * gnutls_x509_crt_get_issuer_unique_id:
3455 * @crt: Holds the certificate
3456 * @buf: user allocated memory buffer, will hold the unique id
3457 * @buf_size: size of user allocated memory buffer (on input), will hold
3458 * actual size of the unique ID on return.
3459 *
3460 * This function will extract the issuerUniqueID value (if present) for
3461 * the given certificate.
3462 *
3463 * If the user allocated memory buffer is not large enough to hold the
3464 * full subjectUniqueID, then a GNUTLS_E_SHORT_MEMORY_BUFFER error will be
3465 * returned, and buf_size will be set to the actual length.
3466 *
3467 * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
3468 *
3469 * Since: 2.12.0
3470 **/
3471 int
3474 {
3478 result =
3487 }
3488 else
3489 {
3492 }
3497 }
3499 static int
3504 {
3508 gnutls_datum_t d;
3513 {
3524 /* fall through */
3529 {
3539 {
3542 }
3545 }
3546 /* fall through */
3555 }
3563 {
3566 }
3576 {
3580 }
3583 {
3586 }
3587 else
3591 }
3593 /**
3594 * gnutls_x509_crt_get_authority_info_access:
3595 * @crt: Holds the certificate
3596 * @seq: specifies the sequence number of the access descriptor (0 for the first one, 1 for the second etc.)
3597 * @what: what data to get, a #gnutls_info_access_what_t type.
3598 * @data: output data to be freed with gnutls_free().
3599 * @critical: pointer to output integer that is set to non-0 if the extension is marked as critical (may be %NULL)
3600 *
3601 * This function extracts the Authority Information Access (AIA)
3602 * extension, see RFC 5280 section 4.2.2.1 for more information. The
3603 * AIA extension holds a sequence of AccessDescription (AD) data:
3604 *
3605 * <informalexample><programlisting>
3606 * AuthorityInfoAccessSyntax ::=
3607 * SEQUENCE SIZE (1..MAX) OF AccessDescription
3608 *
3609 * AccessDescription ::= SEQUENCE {
3610 * accessMethod OBJECT IDENTIFIER,
3611 * accessLocation GeneralName }
3612 * </programlisting></informalexample>
3613 *
3614 * The @seq input parameter is used to indicate which member of the
3615 * sequence the caller is interested in. The first member is 0, the
3616 * second member 1 and so on. When the @seq value is out of bounds,
3617 * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned.
3618 *
3619 * The type of data returned in @data is specified via @what which
3620 * should be #gnutls_info_access_what_t values.
3621 *
3622 * If @what is %GNUTLS_IA_ACCESSMETHOD_OID then @data will hold the
3623 * accessMethod OID (e.g., "1.3.6.1.5.5.7.48.1").
3624 *
3625 * If @what is %GNUTLS_IA_ACCESSLOCATION_GENERALNAME_TYPE, @data will
3626 * hold the accessLocation GeneralName type (e.g.,
3627 * "uniformResourceIdentifier").
3628 *
3629 * If @what is %GNUTLS_IA_URI, @data will hold the accessLocation URI
3630 * data. Requesting this @what value leads to an error if the
3631 * accessLocation is not of the "uniformResourceIdentifier" type.
3632 *
3633 * If @what is %GNUTLS_IA_OCSP_URI, @data will hold the OCSP URI.
3634 * Requesting this @what value leads to an error if the accessMethod
3635 * is not 1.3.6.1.5.5.7.48.1 aka OSCP, or if accessLocation is not of
3636 * the "uniformResourceIdentifier" type.
3637 *
3638 * If @what is %GNUTLS_IA_CAISSUERS_URI, @data will hold the caIssuers
3639 * URI. Requesting this @what value leads to an error if the
3640 * accessMethod is not 1.3.6.1.5.5.7.48.2 aka caIssuers, or if
3641 * accessLocation is not of the "uniformResourceIdentifier" type.
3642 *
3643 * More @what values may be allocated in the future as needed.
3644 *
3645 * If @data is NULL, the function does the same without storing the
3646 * output data, that is, it will set @critical and do error checking
3647 * as usual.
3648 *
3649 * The value of the critical flag is returned in *@critical. Supply a
3650 * NULL @critical if you want the function to make sure the extension
3651 * is non-critical, as required by RFC 5280.
3652 *
3653 * Returns: %GNUTLS_E_SUCCESS on success, %GNUTLS_E_INVALID_REQUEST on
3654 * invalid @crt, %GNUTLS_E_CONSTRAINT_ERROR if the extension is
3655 * incorrectly marked as critical (use a non-NULL @critical to
3656 * override), %GNUTLS_E_UNKNOWN_ALGORITHM if the requested OID does
3657 * not match (e.g., when using %GNUTLS_IA_OCSP_URI), otherwise a
3658 * negative error code.
3659 *
3660 * Since: 3.0
3661 **/
3662 int
3668 {
3670 gnutls_datum_t aia;
3674 {
3677 }
3684 {
3687 }
3695 {
3699 }
3702 /* asn1_print_structure (stdout, c2, "", ASN1_PRINT_ALL); */
3705 {
3709 }
3718 }