search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Added function to sort the provided certificate chain prior to verification.
[gnutls.git] / lib / x509 / pkcs7.c
blobff6da727c877ac1539c81727c2d52e44713c1a80
1 /*
2 * Copyright (C) 2003-2012 Free Software Foundation, Inc.
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GnuTLS.
7 *
8 * The GnuTLS is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 3 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>
20 *
21 */
22
23 /* Functions that relate on PKCS7 certificate lists parsing.
24 */
25
26 #include <gnutls_int.h>
27 #include <libtasn1.h>
28
29 #include <gnutls_datum.h>
30 #include <gnutls_global.h>
31 #include <gnutls_errors.h>
32 #include <common.h>
33 #include <x509_b64.h>
34
35 #define SIGNED_DATA_OID "1.2.840.113549.1.7.2"
36
37 /* Decodes the PKCS #7 signed data, and returns an ASN1_TYPE,
38 * which holds them. If raw is non null then the raw decoded
39 * data are copied (they are locally allocated) there.
40 */
41 static int
42 _decode_pkcs7_signed_data (ASN1_TYPE pkcs7, ASN1_TYPE * sdata,
43 gnutls_datum_t * raw)
44 {
45 char oid[MAX_OID_SIZE];
46 ASN1_TYPE c2;
47 uint8_t *tmp = NULL;
48 int tmp_size, len, result;
49
50 len = sizeof (oid) - 1;
51 result = asn1_read_value (pkcs7, "contentType", oid, &len);
52 if (result != ASN1_SUCCESS)
53 {
54 gnutls_assert ();
55 return _gnutls_asn2err (result);
56 }
57
58 if (strcmp (oid, SIGNED_DATA_OID) != 0)
59 {
60 gnutls_assert ();
61 _gnutls_debug_log ("Unknown PKCS7 Content OID '%s'\n", oid);
62 return GNUTLS_E_UNKNOWN_PKCS_CONTENT_TYPE;
63 }
64
65 if ((result = asn1_create_element
66 (_gnutls_get_pkix (), "PKIX1.pkcs-7-SignedData", &c2)) != ASN1_SUCCESS)
67 {
68 gnutls_assert ();
69 return _gnutls_asn2err (result);
70 }
71
72 /* the Signed-data has been created, so
73 * decode them.
74 */
75 tmp_size = 0;
76 result = asn1_read_value (pkcs7, "content", NULL, &tmp_size);
77 if (result != ASN1_MEM_ERROR)
78 {
79 gnutls_assert ();
80 result = _gnutls_asn2err (result);
81 goto cleanup;
82 }
83
84 tmp = gnutls_malloc (tmp_size);
85 if (tmp == NULL)
86 {
87 gnutls_assert ();
88 result = GNUTLS_E_MEMORY_ERROR;
89 goto cleanup;
90 }
91
92 result = asn1_read_value (pkcs7, "content", tmp, &tmp_size);
93 if (result != ASN1_SUCCESS)
94 {
95 gnutls_assert ();
96 result = _gnutls_asn2err (result);
97 goto cleanup;
98 }
99
100 /* tmp, tmp_size hold the data and the size of the CertificateSet structure
101 * actually the ANY stuff.
102 */
103
104 /* Step 1. In case of a signed structure extract certificate set.
105 */
106
107 result = asn1_der_decoding (&c2, tmp, tmp_size, NULL);
108 if (result != ASN1_SUCCESS)
109 {
110 gnutls_assert ();
111 result = _gnutls_asn2err (result);
112 goto cleanup;
113 }
114
115 if (raw == NULL)
116 {
117 gnutls_free (tmp);
118 }
119 else
120 {
121 raw->data = tmp;
122 raw->size = tmp_size;
123 }
124
125 *sdata = c2;
126
127 return 0;
128
129 cleanup:
130 if (c2)
131 asn1_delete_structure (&c2);
132 gnutls_free (tmp);
133 return result;
134 }
135
136 /**
137 * gnutls_pkcs7_init:
138 * @pkcs7: The structure to be initialized
139 *
140 * This function will initialize a PKCS7 structure. PKCS7 structures
141 * usually contain lists of X.509 Certificates and X.509 Certificate
142 * revocation lists.
143 *
144 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
145 * negative error value.
146 **/
147 int
148 gnutls_pkcs7_init (gnutls_pkcs7_t * pkcs7)
149 {
150 *pkcs7 = gnutls_calloc (1, sizeof (gnutls_pkcs7_int));
151
152 if (*pkcs7)
153 {
154 int result = asn1_create_element (_gnutls_get_pkix (),
155 "PKIX1.pkcs-7-ContentInfo",
156 &(*pkcs7)->pkcs7);
157 if (result != ASN1_SUCCESS)
158 {
159 gnutls_assert ();
160 gnutls_free (*pkcs7);
161 return _gnutls_asn2err (result);
162 }
163 return 0; /* success */
164 }
165 return GNUTLS_E_MEMORY_ERROR;
166 }
167
168 /**
169 * gnutls_pkcs7_deinit:
170 * @pkcs7: The structure to be initialized
171 *
172 * This function will deinitialize a PKCS7 structure.
173 **/
174 void
175 gnutls_pkcs7_deinit (gnutls_pkcs7_t pkcs7)
176 {
177 if (!pkcs7)
178 return;
179
180 if (pkcs7->pkcs7)
181 asn1_delete_structure (&pkcs7->pkcs7);
182
183 gnutls_free (pkcs7);
184 }
185
186 /**
187 * gnutls_pkcs7_import:
188 * @pkcs7: The structure to store the parsed PKCS7.
189 * @data: The DER or PEM encoded PKCS7.
190 * @format: One of DER or PEM
191 *
192 * This function will convert the given DER or PEM encoded PKCS7 to
193 * the native #gnutls_pkcs7_t format. The output will be stored in
194 * @pkcs7.
195 *
196 * If the PKCS7 is PEM encoded it should have a header of "PKCS7".
197 *
198 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
199 * negative error value.
200 **/
201 int
202 gnutls_pkcs7_import (gnutls_pkcs7_t pkcs7, const gnutls_datum_t * data,
203 gnutls_x509_crt_fmt_t format)
204 {
205 int result = 0, need_free = 0;
206 gnutls_datum_t _data;
207
208 if (pkcs7 == NULL)
209 return GNUTLS_E_INVALID_REQUEST;
210
211 _data.data = data->data;
212 _data.size = data->size;
213
214 /* If the PKCS7 is in PEM format then decode it
215 */
216 if (format == GNUTLS_X509_FMT_PEM)
217 {
218 uint8_t *out;
219
220 result = _gnutls_fbase64_decode (PEM_PKCS7, data->data, data->size,
221 &out);
222
223 if (result <= 0)
224 {
225 if (result == 0)
226 result = GNUTLS_E_INTERNAL_ERROR;
227 gnutls_assert ();
228 return result;
229 }
230
231 _data.data = out;
232 _data.size = result;
233
234 need_free = 1;
235 }
236
237
238 result = asn1_der_decoding (&pkcs7->pkcs7, _data.data, _data.size, NULL);
239 if (result != ASN1_SUCCESS)
240 {
241 result = _gnutls_asn2err (result);
242 gnutls_assert ();
243 goto cleanup;
244 }
245
246 if (need_free)
247 _gnutls_free_datum (&_data);
248
249 return 0;
250
251 cleanup:
252 if (need_free)
253 _gnutls_free_datum (&_data);
254 return result;
255 }
256
257 /**
258 * gnutls_pkcs7_get_crt_raw:
259 * @pkcs7: should contain a gnutls_pkcs7_t structure
260 * @indx: contains the index of the certificate to extract
261 * @certificate: the contents of the certificate will be copied
262 * there (may be null)
263 * @certificate_size: should hold the size of the certificate
264 *
265 * This function will return a certificate of the PKCS7 or RFC2630
266 * certificate set.
267 *
268 * After the last certificate has been read
269 * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.
270 *
271 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
272 * negative error value. If the provided buffer is not long enough,
273 * then @certificate_size is updated and
274 * %GNUTLS_E_SHORT_MEMORY_BUFFER is returned.
275 **/
276 int
277 gnutls_pkcs7_get_crt_raw (gnutls_pkcs7_t pkcs7,
278 int indx, void *certificate,
279 size_t * certificate_size)
280 {
281 ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
282 int result, len;
283 char root2[ASN1_MAX_NAME_SIZE];
284 char oid[MAX_OID_SIZE];
285 gnutls_datum_t tmp = { NULL, 0 };
286
287 if (certificate_size == NULL || pkcs7 == NULL)
288 return GNUTLS_E_INVALID_REQUEST;
289
290 /* Step 1. decode the signed data.
291 */
292 result = _decode_pkcs7_signed_data (pkcs7->pkcs7, &c2, &tmp);
293 if (result < 0)
294 {
295 gnutls_assert ();
296 return result;
297 }
298
299 /* Step 2. Parse the CertificateSet
300 */
301
302 snprintf (root2, sizeof (root2), "certificates.?%u", indx + 1);
303
304 len = sizeof (oid) - 1;
305
306 result = asn1_read_value (c2, root2, oid, &len);
307
308 if (result == ASN1_VALUE_NOT_FOUND)
309 {
310 result = GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
311 goto cleanup;
312 }
313
314 if (result != ASN1_SUCCESS)
315 {
316 gnutls_assert ();
317 result = _gnutls_asn2err (result);
318 goto cleanup;
319 }
320
321 /* if 'Certificate' is the choice found:
322 */
323 if (strcmp (oid, "certificate") == 0)
324 {
325 int start, end;
326
327 result = asn1_der_decoding_startEnd (c2, tmp.data, tmp.size,
328 root2, &start, &end);
329
330 if (result != ASN1_SUCCESS)
331 {
332 gnutls_assert ();
333 result = _gnutls_asn2err (result);
334 goto cleanup;
335 }
336
337 end = end - start + 1;
338
339 if ((unsigned) end > *certificate_size)
340 {
341 *certificate_size = end;
342 result = GNUTLS_E_SHORT_MEMORY_BUFFER;
343 goto cleanup;
344 }
345
346 if (certificate)
347 memcpy (certificate, &tmp.data[start], end);
348
349 *certificate_size = end;
350
351 result = 0;
352
353 }
354 else
355 {
356 result = GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE;
357 }
358
359 cleanup:
360 _gnutls_free_datum (&tmp);
361 if (c2)
362 asn1_delete_structure (&c2);
363 return result;
364 }
365
366 /**
367 * gnutls_pkcs7_get_crt_count:
368 * @pkcs7: should contain a #gnutls_pkcs7_t structure
369 *
370 * This function will return the number of certifcates in the PKCS7
371 * or RFC2630 certificate set.
372 *
373 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
374 * negative error value.
375 **/
376 int
377 gnutls_pkcs7_get_crt_count (gnutls_pkcs7_t pkcs7)
378 {
379 ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
380 int result, count;
381
382 if (pkcs7 == NULL)
383 return GNUTLS_E_INVALID_REQUEST;
384
385 /* Step 1. decode the signed data.
386 */
387 result = _decode_pkcs7_signed_data (pkcs7->pkcs7, &c2, NULL);
388 if (result < 0)
389 {
390 gnutls_assert ();
391 return result;
392 }
393
394 /* Step 2. Count the CertificateSet */
395
396 result = asn1_number_of_elements (c2, "certificates", &count);
397
398 asn1_delete_structure (&c2);
399
400 if (result != ASN1_SUCCESS)
401 {
402 gnutls_assert ();
403 return 0; /* no certificates */
404 }
405
406 return count;
407
408 }
409
410 /**
411 * gnutls_pkcs7_export:
412 * @pkcs7: Holds the pkcs7 structure
413 * @format: the format of output params. One of PEM or DER.
414 * @output_data: will contain a structure PEM or DER encoded
415 * @output_data_size: holds the size of output_data (and will be
416 * replaced by the actual size of parameters)
417 *
418 * This function will export the pkcs7 structure to DER or PEM format.
419 *
420 * If the buffer provided is not long enough to hold the output, then
421 * *@output_data_size is updated and %GNUTLS_E_SHORT_MEMORY_BUFFER
422 * will be returned.
423 *
424 * If the structure is PEM encoded, it will have a header
425 * of "BEGIN PKCS7".
426 *
427 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
428 * negative error value.
429 **/
430 int
431 gnutls_pkcs7_export (gnutls_pkcs7_t pkcs7,
432 gnutls_x509_crt_fmt_t format, void *output_data,
433 size_t * output_data_size)
434 {
435 if (pkcs7 == NULL)
436 return GNUTLS_E_INVALID_REQUEST;
437
438 return _gnutls_x509_export_int (pkcs7->pkcs7, format, PEM_PKCS7,
439 output_data, output_data_size);
440 }
441
442 /* Creates an empty signed data structure in the pkcs7
443 * structure and returns a handle to the signed data.
444 */
445 static int
446 create_empty_signed_data (ASN1_TYPE pkcs7, ASN1_TYPE * sdata)
447 {
448 uint8_t one = 1;
449 int result;
450
451 *sdata = ASN1_TYPE_EMPTY;
452
453 if ((result = asn1_create_element
454 (_gnutls_get_pkix (), "PKIX1.pkcs-7-SignedData",
455 sdata)) != ASN1_SUCCESS)
456 {
457 gnutls_assert ();
458 result = _gnutls_asn2err (result);
459 goto cleanup;
460 }
461
462 /* Use version 1
463 */
464 result = asn1_write_value (*sdata, "version", &one, 1);
465 if (result != ASN1_SUCCESS)
466 {
467 gnutls_assert ();
468 result = _gnutls_asn2err (result);
469 goto cleanup;
470 }
471
472 /* Use no digest algorithms
473 */
474
475 /* id-data */
476 result =
477 asn1_write_value (*sdata, "encapContentInfo.eContentType",
478 "1.2.840.113549.1.7.5", 1);
479 if (result != ASN1_SUCCESS)
480 {
481 gnutls_assert ();
482 result = _gnutls_asn2err (result);
483 goto cleanup;
484 }
485
486 result = asn1_write_value (*sdata, "encapContentInfo.eContent", NULL, 0);
487 if (result != ASN1_SUCCESS)
488 {
489 gnutls_assert ();
490 result = _gnutls_asn2err (result);
491 goto cleanup;
492 }
493
494 /* Add no certificates.
495 */
496
497 /* Add no crls.
498 */
499
500 /* Add no signerInfos.
501 */
502
503 /* Write the content type of the signed data
504 */
505 result = asn1_write_value (pkcs7, "contentType", SIGNED_DATA_OID, 1);
506 if (result != ASN1_SUCCESS)
507 {
508 gnutls_assert ();
509 result = _gnutls_asn2err (result);
510 goto cleanup;
511 }
512
513 return 0;
514
515 cleanup:
516 asn1_delete_structure (sdata);
517 return result;
518
519 }
520
521 /**
522 * gnutls_pkcs7_set_crt_raw:
523 * @pkcs7: should contain a #gnutls_pkcs7_t structure
524 * @crt: the DER encoded certificate to be added
525 *
526 * This function will add a certificate to the PKCS7 or RFC2630
527 * certificate set.
528 *
529 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
530 * negative error value.
531 **/
532 int
533 gnutls_pkcs7_set_crt_raw (gnutls_pkcs7_t pkcs7, const gnutls_datum_t * crt)
534 {
535 ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
536 int result;
537
538 if (pkcs7 == NULL)
539 return GNUTLS_E_INVALID_REQUEST;
540
541 /* Step 1. decode the signed data.
542 */
543 result = _decode_pkcs7_signed_data (pkcs7->pkcs7, &c2, NULL);
544 if (result < 0 && result != GNUTLS_E_ASN1_VALUE_NOT_FOUND)
545 {
546 gnutls_assert ();
547 return result;
548 }
549
550 /* If the signed data are uninitialized
551 * then create them.
552 */
553 if (result == GNUTLS_E_ASN1_VALUE_NOT_FOUND)
554 {
555 /* The pkcs7 structure is new, so create the
556 * signedData.
557 */
558 result = create_empty_signed_data (pkcs7->pkcs7, &c2);
559 if (result < 0)
560 {
561 gnutls_assert ();
562 return result;
563 }
564 }
565
566 /* Step 2. Append the new certificate.
567 */
568
569 result = asn1_write_value (c2, "certificates", "NEW", 1);
570 if (result != ASN1_SUCCESS)
571 {
572 gnutls_assert ();
573 result = _gnutls_asn2err (result);
574 goto cleanup;
575 }
576
577 result = asn1_write_value (c2, "certificates.?LAST", "certificate", 1);
578 if (result != ASN1_SUCCESS)
579 {
580 gnutls_assert ();
581 result = _gnutls_asn2err (result);
582 goto cleanup;
583 }
584
585 result =
586 asn1_write_value (c2, "certificates.?LAST.certificate", crt->data,
587 crt->size);
588 if (result != ASN1_SUCCESS)
589 {
590 gnutls_assert ();
591 result = _gnutls_asn2err (result);
592 goto cleanup;
593 }
594
595 /* Step 3. Replace the old content with the new
596 */
597 result =
598 _gnutls_x509_der_encode_and_copy (c2, "", pkcs7->pkcs7, "content", 0);
599 if (result < 0)
600 {
601 gnutls_assert ();
602 goto cleanup;
603 }
604
605 asn1_delete_structure (&c2);
606
607 return 0;
608
609 cleanup:
610 if (c2)
611 asn1_delete_structure (&c2);
612 return result;
613 }
614
615 /**
616 * gnutls_pkcs7_set_crt:
617 * @pkcs7: should contain a #gnutls_pkcs7_t structure
618 * @crt: the certificate to be copied.
619 *
620 * This function will add a parsed certificate to the PKCS7 or
621 * RFC2630 certificate set. This is a wrapper function over
622 * gnutls_pkcs7_set_crt_raw() .
623 *
624 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
625 * negative error value.
626 **/
627 int
628 gnutls_pkcs7_set_crt (gnutls_pkcs7_t pkcs7, gnutls_x509_crt_t crt)
629 {
630 int ret;
631 gnutls_datum_t data;
632
633 if (pkcs7 == NULL)
634 return GNUTLS_E_INVALID_REQUEST;
635
636 ret = _gnutls_x509_der_encode (crt->cert, "", &data, 0);
637 if (ret < 0)
638 {
639 gnutls_assert ();
640 return ret;
641 }
642
643 ret = gnutls_pkcs7_set_crt_raw (pkcs7, &data);
644
645 _gnutls_free_datum (&data);
646
647 if (ret < 0)
648 {
649 gnutls_assert ();
650 return ret;
651 }
652
653 return 0;
654 }
655
656
657 /**
658 * gnutls_pkcs7_delete_crt:
659 * @pkcs7: should contain a gnutls_pkcs7_t structure
660 * @indx: the index of the certificate to delete
661 *
662 * This function will delete a certificate from a PKCS7 or RFC2630
663 * certificate set. Index starts from 0. Returns 0 on success.
664 *
665 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
666 * negative error value.
667 **/
668 int
669 gnutls_pkcs7_delete_crt (gnutls_pkcs7_t pkcs7, int indx)
670 {
671 ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
672 int result;
673 char root2[ASN1_MAX_NAME_SIZE];
674
675 if (pkcs7 == NULL)
676 return GNUTLS_E_INVALID_REQUEST;
677
678 /* Step 1. Decode the signed data.
679 */
680 result = _decode_pkcs7_signed_data (pkcs7->pkcs7, &c2, NULL);
681 if (result < 0)
682 {
683 gnutls_assert ();
684 return result;
685 }
686
687 /* Step 2. Delete the certificate.
688 */
689
690 snprintf (root2, sizeof (root2), "certificates.?%u", indx + 1);
691
692 result = asn1_write_value (c2, root2, NULL, 0);
693 if (result != ASN1_SUCCESS)
694 {
695 gnutls_assert ();
696 result = _gnutls_asn2err (result);
697 goto cleanup;
698 }
699
700 /* Step 3. Replace the old content with the new
701 */
702 result =
703 _gnutls_x509_der_encode_and_copy (c2, "", pkcs7->pkcs7, "content", 0);
704 if (result < 0)
705 {
706 gnutls_assert ();
707 goto cleanup;
708 }
709
710 asn1_delete_structure (&c2);
711
712 return 0;
713
714 cleanup:
715 if (c2)
716 asn1_delete_structure (&c2);
717 return result;
718 }
719
720 /* Read and write CRLs
721 */
722
723 /**
724 * gnutls_pkcs7_get_crl_raw:
725 * @pkcs7: should contain a #gnutls_pkcs7_t structure
726 * @indx: contains the index of the crl to extract
727 * @crl: the contents of the crl will be copied there (may be null)
728 * @crl_size: should hold the size of the crl
729 *
730 * This function will return a crl of the PKCS7 or RFC2630 crl set.
731 *
732 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
733 * negative error value. If the provided buffer is not long enough,
734 * then @crl_size is updated and %GNUTLS_E_SHORT_MEMORY_BUFFER is
735 * returned. After the last crl has been read
736 * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.
737 **/
738 int
739 gnutls_pkcs7_get_crl_raw (gnutls_pkcs7_t pkcs7,
740 int indx, void *crl, size_t * crl_size)
741 {
742 ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
743 int result;
744 char root2[ASN1_MAX_NAME_SIZE];
745 gnutls_datum_t tmp = { NULL, 0 };
746 int start, end;
747
748 if (pkcs7 == NULL || crl_size == NULL)
749 return GNUTLS_E_INVALID_REQUEST;
750
751 /* Step 1. decode the signed data.
752 */
753 result = _decode_pkcs7_signed_data (pkcs7->pkcs7, &c2, &tmp);
754 if (result < 0)
755 {
756 gnutls_assert ();
757 return result;
758 }
759
760 /* Step 2. Parse the CertificateSet
761 */
762
763 snprintf (root2, sizeof (root2), "crls.?%u", indx + 1);
764
765 /* Get the raw CRL
766 */
767 result = asn1_der_decoding_startEnd (c2, tmp.data, tmp.size,
768 root2, &start, &end);
769
770 if (result != ASN1_SUCCESS)
771 {
772 gnutls_assert ();
773 result = _gnutls_asn2err (result);
774 goto cleanup;
775 }
776
777 end = end - start + 1;
778
779 if ((unsigned) end > *crl_size)
780 {
781 *crl_size = end;
782 result = GNUTLS_E_SHORT_MEMORY_BUFFER;
783 goto cleanup;
784 }
785
786 if (crl)
787 memcpy (crl, &tmp.data[start], end);
788
789 *crl_size = end;
790
791 result = 0;
792
793 cleanup:
794 _gnutls_free_datum (&tmp);
795 if (c2)
796 asn1_delete_structure (&c2);
797 return result;
798 }
799
800 /**
801 * gnutls_pkcs7_get_crl_count:
802 * @pkcs7: should contain a gnutls_pkcs7_t structure
803 *
804 * This function will return the number of certifcates in the PKCS7
805 * or RFC2630 crl set.
806 *
807 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
808 * negative error value.
809 **/
810 int
811 gnutls_pkcs7_get_crl_count (gnutls_pkcs7_t pkcs7)
812 {
813 ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
814 int result, count;
815
816 if (pkcs7 == NULL)
817 return GNUTLS_E_INVALID_REQUEST;
818
819 /* Step 1. decode the signed data.
820 */
821 result = _decode_pkcs7_signed_data (pkcs7->pkcs7, &c2, NULL);
822 if (result < 0)
823 {
824 gnutls_assert ();
825 return result;
826 }
827
828 /* Step 2. Count the CertificateSet */
829
830 result = asn1_number_of_elements (c2, "crls", &count);
831
832 asn1_delete_structure (&c2);
833
834 if (result != ASN1_SUCCESS)
835 {
836 gnutls_assert ();
837 return 0; /* no crls */
838 }
839
840 return count;
841
842 }
843
844 /**
845 * gnutls_pkcs7_set_crl_raw:
846 * @pkcs7: should contain a #gnutls_pkcs7_t structure
847 * @crl: the DER encoded crl to be added
848 *
849 * This function will add a crl to the PKCS7 or RFC2630 crl set.
850 *
851 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
852 * negative error value.
853 **/
854 int
855 gnutls_pkcs7_set_crl_raw (gnutls_pkcs7_t pkcs7, const gnutls_datum_t * crl)
856 {
857 ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
858 int result;
859
860 if (pkcs7 == NULL)
861 return GNUTLS_E_INVALID_REQUEST;
862
863 /* Step 1. decode the signed data.
864 */
865 result = _decode_pkcs7_signed_data (pkcs7->pkcs7, &c2, NULL);
866 if (result < 0 && result != GNUTLS_E_ASN1_VALUE_NOT_FOUND)
867 {
868 gnutls_assert ();
869 return result;
870 }
871
872 /* If the signed data are uninitialized
873 * then create them.
874 */
875 if (result == GNUTLS_E_ASN1_VALUE_NOT_FOUND)
876 {
877 /* The pkcs7 structure is new, so create the
878 * signedData.
879 */
880 result = create_empty_signed_data (pkcs7->pkcs7, &c2);
881 if (result < 0)
882 {
883 gnutls_assert ();
884 return result;
885 }
886 }
887
888 /* Step 2. Append the new crl.
889 */
890
891 result = asn1_write_value (c2, "crls", "NEW", 1);
892 if (result != ASN1_SUCCESS)
893 {
894 gnutls_assert ();
895 result = _gnutls_asn2err (result);
896 goto cleanup;
897 }
898
899 result = asn1_write_value (c2, "crls.?LAST", crl->data, crl->size);
900 if (result != ASN1_SUCCESS)
901 {
902 gnutls_assert ();
903 result = _gnutls_asn2err (result);
904 goto cleanup;
905 }
906
907 /* Step 3. Replace the old content with the new
908 */
909 result =
910 _gnutls_x509_der_encode_and_copy (c2, "", pkcs7->pkcs7, "content", 0);
911 if (result < 0)
912 {
913 gnutls_assert ();
914 goto cleanup;
915 }
916
917 asn1_delete_structure (&c2);
918
919 return 0;
920
921 cleanup:
922 if (c2)
923 asn1_delete_structure (&c2);
924 return result;
925 }
926
927 /**
928 * gnutls_pkcs7_set_crl:
929 * @pkcs7: should contain a #gnutls_pkcs7_t structure
930 * @crl: the DER encoded crl to be added
931 *
932 * This function will add a parsed CRL to the PKCS7 or RFC2630 crl
933 * set.
934 *
935 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
936 * negative error value.
937 **/
938 int
939 gnutls_pkcs7_set_crl (gnutls_pkcs7_t pkcs7, gnutls_x509_crl_t crl)
940 {
941 int ret;
942 gnutls_datum_t data;
943
944 if (pkcs7 == NULL)
945 return GNUTLS_E_INVALID_REQUEST;
946
947 ret = _gnutls_x509_der_encode (crl->crl, "", &data, 0);
948 if (ret < 0)
949 {
950 gnutls_assert ();
951 return ret;
952 }
953
954 ret = gnutls_pkcs7_set_crl_raw (pkcs7, &data);
955
956 _gnutls_free_datum (&data);
957
958 if (ret < 0)
959 {
960 gnutls_assert ();
961 return ret;
962 }
963
964 return 0;
965 }
966
967 /**
968 * gnutls_pkcs7_delete_crl:
969 * @pkcs7: should contain a #gnutls_pkcs7_t structure
970 * @indx: the index of the crl to delete
971 *
972 * This function will delete a crl from a PKCS7 or RFC2630 crl set.
973 * Index starts from 0. Returns 0 on success.
974 *
975 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
976 * negative error value.
977 **/
978 int
979 gnutls_pkcs7_delete_crl (gnutls_pkcs7_t pkcs7, int indx)
980 {
981 ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
982 int result;
983 char root2[ASN1_MAX_NAME_SIZE];
984
985 if (pkcs7 == NULL)
986 return GNUTLS_E_INVALID_REQUEST;
987
988 /* Step 1. Decode the signed data.
989 */
990 result = _decode_pkcs7_signed_data (pkcs7->pkcs7, &c2, NULL);
991 if (result < 0)
992 {
993 gnutls_assert ();
994 return result;
995 }
996
997 /* Step 2. Delete the crl.
998 */
999
1000 snprintf (root2, sizeof (root2), "crls.?%u", indx + 1);
1001
1002 result = asn1_write_value (c2, root2, NULL, 0);
1003 if (result != ASN1_SUCCESS)
1004 {
1005 gnutls_assert ();
1006 result = _gnutls_asn2err (result);
1007 goto cleanup;
1008 }
1009
1010 /* Step 3. Replace the old content with the new
1011 */
1012 result =
1013 _gnutls_x509_der_encode_and_copy (c2, "", pkcs7->pkcs7, "content", 0);
1014 if (result < 0)
1015 {
1016 gnutls_assert ();
1017 goto cleanup;
1018 }
1019
1020 asn1_delete_structure (&c2);
1021
1022 return 0;
1023
1024 cleanup:
1025 if (c2)
1026 asn1_delete_structure (&c2);
1027 return result;
1028 }
Implementation of the SSL/TLS protocol