search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Added functions to export structures in an allocated buffer.
[gnutls.git] / lib / x509 / crl.c
blob2565e9c3a7519dbabc4ca43facacdbea60b70b42
1 /*
2 * Copyright (C) 2003-2012 Free Software Foundation, Inc.
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GnuTLS.
7 *
8 * The GnuTLS is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 3 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>
20 *
21 */
22
23 #include <gnutls_int.h>
24 #include <libtasn1.h>
25
26 #include <gnutls_datum.h>
27 #include <gnutls_global.h>
28 #include <gnutls_errors.h>
29 #include <common.h>
30 #include <x509_b64.h>
31 #include <x509_int.h>
32 #include <gnutls_x509.h>
33
34 /**
35 * gnutls_x509_crl_init:
36 * @crl: The structure to be initialized
37 *
38 * This function will initialize a CRL structure. CRL stands for
39 * Certificate Revocation List. A revocation list usually contains
40 * lists of certificate serial numbers that have been revoked by an
41 * Authority. The revocation lists are always signed with the
42 * authority's private key.
43 *
44 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
45 * negative error value.
46 **/
47 int
48 gnutls_x509_crl_init (gnutls_x509_crl_t * crl)
49 {
50 *crl = gnutls_calloc (1, sizeof (gnutls_x509_crl_int));
51
52 if (*crl)
53 {
54 int result = asn1_create_element (_gnutls_get_pkix (),
55 "PKIX1.CertificateList",
56 &(*crl)->crl);
57 if (result != ASN1_SUCCESS)
58 {
59 gnutls_assert ();
60 gnutls_free (*crl);
61 return _gnutls_asn2err (result);
62 }
63 return 0; /* success */
64 }
65 return GNUTLS_E_MEMORY_ERROR;
66 }
67
68 /**
69 * gnutls_x509_crl_deinit:
70 * @crl: The structure to be initialized
71 *
72 * This function will deinitialize a CRL structure.
73 **/
74 void
75 gnutls_x509_crl_deinit (gnutls_x509_crl_t crl)
76 {
77 if (!crl)
78 return;
79
80 if (crl->crl)
81 asn1_delete_structure (&crl->crl);
82
83 gnutls_free (crl);
84 }
85
86 /**
87 * gnutls_x509_crl_import:
88 * @crl: The structure to store the parsed CRL.
89 * @data: The DER or PEM encoded CRL.
90 * @format: One of DER or PEM
91 *
92 * This function will convert the given DER or PEM encoded CRL
93 * to the native #gnutls_x509_crl_t format. The output will be stored in 'crl'.
94 *
95 * If the CRL is PEM encoded it should have a header of "X509 CRL".
96 *
97 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
98 * negative error value.
99 **/
100 int
101 gnutls_x509_crl_import (gnutls_x509_crl_t crl,
102 const gnutls_datum_t * data,
103 gnutls_x509_crt_fmt_t format)
104 {
105 int result = 0, need_free = 0;
106 gnutls_datum_t _data;
107
108 _data.data = data->data;
109 _data.size = data->size;
110
111 if (crl == NULL)
112 {
113 gnutls_assert ();
114 return GNUTLS_E_INVALID_REQUEST;
115 }
116
117 /* If the CRL is in PEM format then decode it
118 */
119 if (format == GNUTLS_X509_FMT_PEM)
120 {
121 result = _gnutls_fbase64_decode (PEM_CRL, data->data, data->size, &_data);
122
123 if (result < 0)
124 {
125 gnutls_assert ();
126 return result;
127 }
128
129 need_free = 1;
130 }
131
132
133 result = asn1_der_decoding (&crl->crl, _data.data, _data.size, NULL);
134 if (result != ASN1_SUCCESS)
135 {
136 result = _gnutls_asn2err (result);
137 gnutls_assert ();
138 goto cleanup;
139 }
140
141 if (need_free)
142 _gnutls_free_datum (&_data);
143
144 return 0;
145
146 cleanup:
147 if (need_free)
148 _gnutls_free_datum (&_data);
149 return result;
150 }
151
152
153 /**
154 * gnutls_x509_crl_get_issuer_dn:
155 * @crl: should contain a gnutls_x509_crl_t structure
156 * @buf: a pointer to a structure to hold the peer's name (may be null)
157 * @sizeof_buf: initially holds the size of @buf
158 *
159 * This function will copy the name of the CRL issuer in the provided
160 * buffer. The name will be in the form "C=xxxx,O=yyyy,CN=zzzz" as
161 * described in RFC4514. The output string will be ASCII or UTF-8
162 * encoded, depending on the certificate data.
163 *
164 * If buf is %NULL then only the size will be filled.
165 *
166 * Returns: %GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is
167 * not long enough, and in that case the sizeof_buf will be updated
168 * with the required size, and 0 on success.
169 *
170 **/
171 int
172 gnutls_x509_crl_get_issuer_dn (const gnutls_x509_crl_t crl, char *buf,
173 size_t * sizeof_buf)
174 {
175 if (crl == NULL)
176 {
177 gnutls_assert ();
178 return GNUTLS_E_INVALID_REQUEST;
179 }
180
181 return _gnutls_x509_parse_dn (crl->crl,
182 "tbsCertList.issuer.rdnSequence",
183 buf, sizeof_buf);
184 }
185
186 /**
187 * gnutls_x509_crl_get_issuer_dn_by_oid:
188 * @crl: should contain a gnutls_x509_crl_t structure
189 * @oid: holds an Object Identified in null terminated string
190 * @indx: In case multiple same OIDs exist in the RDN, this specifies which to send. Use (0) to get the first one.
191 * @raw_flag: If non (0) returns the raw DER data of the DN part.
192 * @buf: a pointer to a structure to hold the peer's name (may be null)
193 * @sizeof_buf: initially holds the size of @buf
194 *
195 * This function will extract the part of the name of the CRL issuer
196 * specified by the given OID. The output will be encoded as described
197 * in RFC4514. The output string will be ASCII or UTF-8 encoded,
198 * depending on the certificate data.
199 *
200 * Some helper macros with popular OIDs can be found in gnutls/x509.h
201 * If raw flag is (0), this function will only return known OIDs as
202 * text. Other OIDs will be DER encoded, as described in RFC4514 -- in
203 * hex format with a '#' prefix. You can check about known OIDs
204 * using gnutls_x509_dn_oid_known().
205 *
206 * If buf is null then only the size will be filled.
207 *
208 * Returns: %GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is
209 * not long enough, and in that case the sizeof_buf will be updated
210 * with the required size, and 0 on success.
211 **/
212 int
213 gnutls_x509_crl_get_issuer_dn_by_oid (gnutls_x509_crl_t crl,
214 const char *oid, int indx,
215 unsigned int raw_flag, void *buf,
216 size_t * sizeof_buf)
217 {
218 if (crl == NULL)
219 {
220 gnutls_assert ();
221 return GNUTLS_E_INVALID_REQUEST;
222 }
223
224 return _gnutls_x509_parse_dn_oid (crl->crl,
225 "tbsCertList.issuer.rdnSequence",
226 oid, indx, raw_flag, buf, sizeof_buf);
227 }
228
229 /**
230 * gnutls_x509_crl_get_dn_oid:
231 * @crl: should contain a gnutls_x509_crl_t structure
232 * @indx: Specifies which DN OID to send. Use (0) to get the first one.
233 * @oid: a pointer to a structure to hold the name (may be null)
234 * @sizeof_oid: initially holds the size of 'oid'
235 *
236 * This function will extract the requested OID of the name of the CRL
237 * issuer, specified by the given index.
238 *
239 * If oid is null then only the size will be filled.
240 *
241 * Returns: %GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is
242 * not long enough, and in that case the sizeof_oid will be updated
243 * with the required size. On success 0 is returned.
244 **/
245 int
246 gnutls_x509_crl_get_dn_oid (gnutls_x509_crl_t crl,
247 int indx, void *oid, size_t * sizeof_oid)
248 {
249 if (crl == NULL)
250 {
251 gnutls_assert ();
252 return GNUTLS_E_INVALID_REQUEST;
253 }
254
255 return _gnutls_x509_get_dn_oid (crl->crl,
256 "tbsCertList.issuer.rdnSequence", indx,
257 oid, sizeof_oid);
258 }
259
260
261 /**
262 * gnutls_x509_crl_get_signature_algorithm:
263 * @crl: should contain a #gnutls_x509_crl_t structure
264 *
265 * This function will return a value of the #gnutls_sign_algorithm_t
266 * enumeration that is the signature algorithm.
267 *
268 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
269 * negative error value.
270 **/
271 int
272 gnutls_x509_crl_get_signature_algorithm (gnutls_x509_crl_t crl)
273 {
274 int result;
275 gnutls_datum_t sa;
276
277 if (crl == NULL)
278 {
279 gnutls_assert ();
280 return GNUTLS_E_INVALID_REQUEST;
281 }
282
283 /* Read the signature algorithm. Note that parameters are not
284 * read. They will be read from the issuer's certificate if needed.
285 */
286
287 result =
288 _gnutls_x509_read_value (crl->crl, "signatureAlgorithm.algorithm",
289 &sa, 0);
290
291 if (result < 0)
292 {
293 gnutls_assert ();
294 return result;
295 }
296
297 result = _gnutls_x509_oid2sign_algorithm ((const char *) sa.data);
298
299 _gnutls_free_datum (&sa);
300
301 return result;
302 }
303
304 /**
305 * gnutls_x509_crl_get_signature:
306 * @crl: should contain a gnutls_x509_crl_t structure
307 * @sig: a pointer where the signature part will be copied (may be null).
308 * @sizeof_sig: initially holds the size of @sig
309 *
310 * This function will extract the signature field of a CRL.
311 *
312 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
313 * negative error value. and a negative error code on error.
314 **/
315 int
316 gnutls_x509_crl_get_signature (gnutls_x509_crl_t crl,
317 char *sig, size_t * sizeof_sig)
318 {
319 int result;
320 unsigned int bits;
321 int len;
322
323 if (crl == NULL)
324 {
325 gnutls_assert ();
326 return GNUTLS_E_INVALID_REQUEST;
327 }
328
329 len = 0;
330 result = asn1_read_value (crl->crl, "signature", NULL, &len);
331
332 if (result != ASN1_MEM_ERROR)
333 {
334 gnutls_assert ();
335 return _gnutls_asn2err (result);
336 }
337
338 bits = len;
339 if (bits % 8 != 0)
340 {
341 gnutls_assert ();
342 return GNUTLS_E_CERTIFICATE_ERROR;
343 }
344
345 len = bits / 8;
346
347 if (*sizeof_sig < (unsigned)len)
348 {
349 *sizeof_sig = bits / 8;
350 return GNUTLS_E_SHORT_MEMORY_BUFFER;
351 }
352
353 result = asn1_read_value (crl->crl, "signature", sig, &len);
354 if (result != ASN1_SUCCESS)
355 {
356 gnutls_assert ();
357 return _gnutls_asn2err (result);
358 }
359
360 return 0;
361 }
362
363 /**
364 * gnutls_x509_crl_get_version:
365 * @crl: should contain a #gnutls_x509_crl_t structure
366 *
367 * This function will return the version of the specified CRL.
368 *
369 * Returns: The version number, or a negative error code on error.
370 **/
371 int
372 gnutls_x509_crl_get_version (gnutls_x509_crl_t crl)
373 {
374 uint8_t version[8];
375 int len, result;
376
377 if (crl == NULL)
378 {
379 gnutls_assert ();
380 return GNUTLS_E_INVALID_REQUEST;
381 }
382
383 len = sizeof (version);
384 if ((result =
385 asn1_read_value (crl->crl, "tbsCertList.version", version,
386 &len)) != ASN1_SUCCESS)
387 {
388 gnutls_assert ();
389 return _gnutls_asn2err (result);
390 }
391
392 return (int) version[0] + 1;
393 }
394
395 /**
396 * gnutls_x509_crl_get_this_update:
397 * @crl: should contain a #gnutls_x509_crl_t structure
398 *
399 * This function will return the time this CRL was issued.
400 *
401 * Returns: when the CRL was issued, or (time_t)-1 on error.
402 **/
403 time_t
404 gnutls_x509_crl_get_this_update (gnutls_x509_crl_t crl)
405 {
406 if (crl == NULL)
407 {
408 gnutls_assert ();
409 return (time_t) - 1;
410 }
411
412 return _gnutls_x509_get_time (crl->crl, "tbsCertList.thisUpdate", 0);
413 }
414
415 /**
416 * gnutls_x509_crl_get_next_update:
417 * @crl: should contain a #gnutls_x509_crl_t structure
418 *
419 * This function will return the time the next CRL will be issued.
420 * This field is optional in a CRL so it might be normal to get an
421 * error instead.
422 *
423 * Returns: when the next CRL will be issued, or (time_t)-1 on error.
424 **/
425 time_t
426 gnutls_x509_crl_get_next_update (gnutls_x509_crl_t crl)
427 {
428 if (crl == NULL)
429 {
430 gnutls_assert ();
431 return (time_t) - 1;
432 }
433
434 return _gnutls_x509_get_time (crl->crl, "tbsCertList.nextUpdate", 0);
435 }
436
437 /**
438 * gnutls_x509_crl_get_crt_count:
439 * @crl: should contain a #gnutls_x509_crl_t structure
440 *
441 * This function will return the number of revoked certificates in the
442 * given CRL.
443 *
444 * Returns: number of certificates, a negative error code on failure.
445 **/
446 int
447 gnutls_x509_crl_get_crt_count (gnutls_x509_crl_t crl)
448 {
449
450 int count, result;
451
452 if (crl == NULL)
453 {
454 gnutls_assert ();
455 return GNUTLS_E_INVALID_REQUEST;
456 }
457
458 result =
459 asn1_number_of_elements (crl->crl,
460 "tbsCertList.revokedCertificates", &count);
461
462 if (result != ASN1_SUCCESS)
463 {
464 gnutls_assert ();
465 return 0; /* no certificates */
466 }
467
468 return count;
469 }
470
471 /**
472 * gnutls_x509_crl_get_crt_serial:
473 * @crl: should contain a #gnutls_x509_crl_t structure
474 * @indx: the index of the certificate to extract (starting from 0)
475 * @serial: where the serial number will be copied
476 * @serial_size: initially holds the size of serial
477 * @t: if non null, will hold the time this certificate was revoked
478 *
479 * This function will retrieve the serial number of the specified, by
480 * the index, revoked certificate.
481 *
482 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
483 * negative error value. and a negative error code on error.
484 **/
485 int
486 gnutls_x509_crl_get_crt_serial (gnutls_x509_crl_t crl, int indx,
487 unsigned char *serial,
488 size_t * serial_size, time_t * t)
489 {
490
491 int result, _serial_size;
492 char serial_name[ASN1_MAX_NAME_SIZE];
493 char date_name[ASN1_MAX_NAME_SIZE];
494
495 if (crl == NULL)
496 {
497 gnutls_assert ();
498 return GNUTLS_E_INVALID_REQUEST;
499 }
500
501 snprintf (serial_name, sizeof (serial_name),
502 "tbsCertList.revokedCertificates.?%u.userCertificate", indx + 1);
503 snprintf (date_name, sizeof (date_name),
504 "tbsCertList.revokedCertificates.?%u.revocationDate", indx + 1);
505
506 _serial_size = *serial_size;
507 result = asn1_read_value (crl->crl, serial_name, serial, &_serial_size);
508
509 *serial_size = _serial_size;
510 if (result != ASN1_SUCCESS)
511 {
512 gnutls_assert ();
513 if (result == ASN1_ELEMENT_NOT_FOUND)
514 return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
515 return _gnutls_asn2err (result);
516 }
517
518 if (t)
519 {
520 *t = _gnutls_x509_get_time (crl->crl, date_name, 0);
521 }
522
523 return 0;
524 }
525
526 /**
527 * gnutls_x509_crl_get_raw_issuer_dn:
528 * @crl: should contain a gnutls_x509_crl_t structure
529 * @dn: will hold the starting point of the DN
530 *
531 * This function will return a pointer to the DER encoded DN structure
532 * and the length.
533 *
534 * Returns: a negative error code on error, and (0) on success.
535 *
536 * Since: 2.12.0
537 **/
538 int
539 gnutls_x509_crl_get_raw_issuer_dn (gnutls_x509_crl_t crl,
540 gnutls_datum_t * dn)
541 {
542 ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
543 int result, len1;
544 int start1, end1;
545 gnutls_datum_t crl_signed_data;
546
547 if (crl == NULL)
548 {
549 gnutls_assert ();
550 return GNUTLS_E_INVALID_REQUEST;
551 }
552
553 /* get the issuer of 'crl'
554 */
555 if ((result =
556 asn1_create_element (_gnutls_get_pkix (), "PKIX1.TBSCertList",
557 &c2)) != ASN1_SUCCESS)
558 {
559 gnutls_assert ();
560 return _gnutls_asn2err (result);
561 }
562
563 result =
564 _gnutls_x509_get_signed_data (crl->crl, "tbsCertList", &crl_signed_data);
565 if (result < 0)
566 {
567 gnutls_assert ();
568 goto cleanup;
569 }
570
571 result =
572 asn1_der_decoding (&c2, crl_signed_data.data, crl_signed_data.size, NULL);
573 if (result != ASN1_SUCCESS)
574 {
575 /* couldn't decode DER */
576 gnutls_assert ();
577 asn1_delete_structure (&c2);
578 result = _gnutls_asn2err (result);
579 goto cleanup;
580 }
581
582 result =
583 asn1_der_decoding_startEnd (c2, crl_signed_data.data,
584 crl_signed_data.size, "issuer",
585 &start1, &end1);
586
587 if (result != ASN1_SUCCESS)
588 {
589 gnutls_assert ();
590 result = _gnutls_asn2err (result);
591 goto cleanup;
592 }
593
594 len1 = end1 - start1 + 1;
595
596 _gnutls_set_datum (dn, &crl_signed_data.data[start1], len1);
597
598 result = 0;
599
600 cleanup:
601 asn1_delete_structure (&c2);
602 _gnutls_free_datum (&crl_signed_data);
603 return result;
604 }
605
606 /**
607 * gnutls_x509_crl_export:
608 * @crl: Holds the revocation list
609 * @format: the format of output params. One of PEM or DER.
610 * @output_data: will contain a private key PEM or DER encoded
611 * @output_data_size: holds the size of output_data (and will
612 * be replaced by the actual size of parameters)
613 *
614 * This function will export the revocation list to DER or PEM format.
615 *
616 * If the buffer provided is not long enough to hold the output, then
617 * %GNUTLS_E_SHORT_MEMORY_BUFFER will be returned.
618 *
619 * If the structure is PEM encoded, it will have a header
620 * of "BEGIN X509 CRL".
621 *
622 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
623 * negative error value. and a negative error code on failure.
624 **/
625 int
626 gnutls_x509_crl_export (gnutls_x509_crl_t crl,
627 gnutls_x509_crt_fmt_t format, void *output_data,
628 size_t * output_data_size)
629 {
630 if (crl == NULL)
631 {
632 gnutls_assert ();
633 return GNUTLS_E_INVALID_REQUEST;
634 }
635
636 return _gnutls_x509_export_int (crl->crl, format, PEM_CRL,
637 output_data, output_data_size);
638 }
639
640 /**
641 * gnutls_x509_crl_export2:
642 * @crl: Holds the revocation list
643 * @format: the format of output params. One of PEM or DER.
644 * @out: will contain a private key PEM or DER encoded
645 *
646 * This function will export the revocation list to DER or PEM format.
647 *
648 * The output buffer is allocated using gnutls_malloc().
649 *
650 * If the structure is PEM encoded, it will have a header
651 * of "BEGIN X509 CRL".
652 *
653 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
654 * negative error value. and a negative error code on failure.
655 *
656 * Since 3.1
657 **/
658 int
659 gnutls_x509_crl_export2 (gnutls_x509_crl_t crl,
660 gnutls_x509_crt_fmt_t format, gnutls_datum_t *out)
661 {
662 if (crl == NULL)
663 {
664 gnutls_assert ();
665 return GNUTLS_E_INVALID_REQUEST;
666 }
667
668 return _gnutls_x509_export_int2 (crl->crl, format, PEM_CRL, out);
669 }
670
671 /*-
672 * _gnutls_x509_crl_cpy - This function copies a gnutls_x509_crl_t structure
673 * @dest: The structure where to copy
674 * @src: The structure to be copied
675 *
676 * This function will copy an X.509 certificate structure.
677 *
678 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
679 * negative error value.
680 -*/
681 int
682 _gnutls_x509_crl_cpy (gnutls_x509_crl_t dest, gnutls_x509_crl_t src)
683 {
684 int ret;
685 gnutls_datum_t tmp;
686
687 ret = gnutls_x509_crl_export2 (src, GNUTLS_X509_FMT_DER, &tmp);
688 if (ret < 0)
689 return gnutls_assert_val(ret);
690
691 ret = gnutls_x509_crl_import (dest, &tmp, GNUTLS_X509_FMT_DER);
692
693 gnutls_free (tmp.data);
694
695 if (ret < 0)
696 {
697 gnutls_assert ();
698 return ret;
699 }
700
701 return 0;
702
703 }
704
705 static int
706 _get_authority_key_id (gnutls_x509_crl_t cert, ASN1_TYPE *c2,
707 unsigned int *critical)
708 {
709 int ret;
710 gnutls_datum_t id;
711
712 *c2 = ASN1_TYPE_EMPTY;
713
714 if (cert == NULL)
715 {
716 gnutls_assert ();
717 return GNUTLS_E_INVALID_REQUEST;
718 }
719
720 if ((ret =
721 _gnutls_x509_crl_get_extension (cert, "2.5.29.35", 0, &id,
722 critical)) < 0)
723 {
724 return gnutls_assert_val(ret);
725 }
726
727 if (id.size == 0 || id.data == NULL)
728 {
729 gnutls_assert ();
730 return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
731 }
732
733 ret = asn1_create_element
734 (_gnutls_get_pkix (), "PKIX1.AuthorityKeyIdentifier", c2);
735 if (ret != ASN1_SUCCESS)
736 {
737 gnutls_assert ();
738 _gnutls_free_datum (&id);
739 return _gnutls_asn2err (ret);
740 }
741
742 ret = asn1_der_decoding (c2, id.data, id.size, NULL);
743 _gnutls_free_datum (&id);
744
745 if (ret != ASN1_SUCCESS)
746 {
747 gnutls_assert ();
748 asn1_delete_structure (c2);
749 return _gnutls_asn2err (ret);
750 }
751
752 return 0;
753 }
754
755 /**
756 * gnutls_x509_crl_get_authority_key_gn_serial:
757 * @crl: should contain a #gnutls_x509_crl_t structure
758 * @seq: specifies the sequence number of the alt name (0 for the first one, 1 for the second etc.)
759 * @alt: is the place where the alternative name will be copied to
760 * @alt_size: holds the size of alt.
761 * @alt_type: holds the type of the alternative name (one of gnutls_x509_subject_alt_name_t).
762 * @serial: buffer to store the serial number (may be null)
763 * @serial_size: Holds the size of the serial field (may be null)
764 * @critical: will be non (0) if the extension is marked as critical (may be null)
765 *
766 * This function will return the X.509 authority key
767 * identifier when stored as a general name (authorityCertIssuer)
768 * and serial number.
769 *
770 * Because more than one general names might be stored
771 * @seq can be used as a counter to request them all until
772 * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned.
773 *
774 * Returns: Returns 0 on success, or an error code.
775 *
776 * Since: 3.0
777 **/
778 int
779 gnutls_x509_crl_get_authority_key_gn_serial (gnutls_x509_crl_t crl,
780 unsigned int seq,
781 void *alt,
782 size_t * alt_size,
783 unsigned int *alt_type,
784 void* serial,
785 size_t *serial_size,
786 unsigned int *critical)
787 {
788 int ret, result, len;
789 ASN1_TYPE c2;
790
791 ret = _get_authority_key_id(crl, &c2, critical);
792 if (ret < 0)
793 return gnutls_assert_val(ret);
794
795 ret =
796 _gnutls_parse_general_name (c2, "authorityCertIssuer", seq, alt, alt_size, alt_type,
797 0);
798 if (ret < 0)
799 {
800 ret = gnutls_assert_val(ret);
801 goto fail;
802 }
803
804 if (serial)
805 {
806 len = *serial_size;
807 result = asn1_read_value (c2, "authorityCertSerialNumber", serial, &len);
808
809 *serial_size = len;
810
811 if (result < 0)
812 {
813 ret = _gnutls_asn2err(result);
814 goto fail;
815 }
816
817 }
818
819 ret = 0;
820
821 fail:
822 asn1_delete_structure (&c2);
823
824 return ret;
825 }
826
827
828 /**
829 * gnutls_x509_crl_get_authority_key_id:
830 * @crl: should contain a #gnutls_x509_crl_t structure
831 * @id: The place where the identifier will be copied
832 * @id_size: Holds the size of the result field.
833 * @critical: will be non (0) if the extension is marked as critical
834 * (may be null)
835 *
836 * This function will return the CRL authority's key identifier. This
837 * is obtained by the X.509 Authority Key identifier extension field
838 * (2.5.29.35). Note that this function
839 * only returns the keyIdentifier field of the extension and
840 * %GNUTLS_E_X509_UNSUPPORTED_EXTENSION, if the extension contains
841 * the name and serial number of the certificate. In that case
842 * gnutls_x509_crl_get_authority_key_gn_serial() may be used.
843 *
844 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
845 * negative error code in case of an error.
846 *
847 * Since: 2.8.0
848 **/
849 int
850 gnutls_x509_crl_get_authority_key_id (gnutls_x509_crl_t crl, void *id,
851 size_t * id_size,
852 unsigned int *critical)
853 {
854 int result, len, ret;
855 ASN1_TYPE c2;
856
857 ret = _get_authority_key_id(crl, &c2, critical);
858 if (ret < 0)
859 return gnutls_assert_val(ret);
860
861 len = *id_size;
862 result = asn1_read_value (c2, "keyIdentifier", id, &len);
863
864 *id_size = len;
865 asn1_delete_structure (&c2);
866
867 if (result == ASN1_VALUE_NOT_FOUND || result == ASN1_ELEMENT_NOT_FOUND)
868 return gnutls_assert_val(GNUTLS_E_X509_UNSUPPORTED_EXTENSION);
869
870 if (result != ASN1_SUCCESS)
871 {
872 gnutls_assert ();
873 return _gnutls_asn2err (result);
874 }
875
876 return 0;
877 }
878
879 /**
880 * gnutls_x509_crl_get_number:
881 * @crl: should contain a #gnutls_x509_crl_t structure
882 * @ret: The place where the number will be copied
883 * @ret_size: Holds the size of the result field.
884 * @critical: will be non (0) if the extension is marked as critical
885 * (may be null)
886 *
887 * This function will return the CRL number extension. This is
888 * obtained by the CRL Number extension field (2.5.29.20).
889 *
890 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
891 * negative error code in case of an error.
892 *
893 * Since: 2.8.0
894 **/
895 int
896 gnutls_x509_crl_get_number (gnutls_x509_crl_t crl, void *ret,
897 size_t * ret_size, unsigned int *critical)
898 {
899 int result;
900 gnutls_datum_t id;
901
902 if (crl == NULL)
903 {
904 gnutls_assert ();
905 return GNUTLS_E_INVALID_REQUEST;
906 }
907
908
909 if (ret)
910 memset (ret, 0, *ret_size);
911 else
912 *ret_size = 0;
913
914 if ((result =
915 _gnutls_x509_crl_get_extension (crl, "2.5.29.20", 0, &id,
916 critical)) < 0)
917 {
918 return result;
919 }
920
921 if (id.size == 0 || id.data == NULL)
922 {
923 gnutls_assert ();
924 return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
925 }
926
927 result = _gnutls_x509_ext_extract_number (ret, ret_size, id.data, id.size);
928
929 _gnutls_free_datum (&id);
930
931 if (result < 0)
932 {
933 gnutls_assert ();
934 return result;
935 }
936
937 return 0;
938 }
939
940 /**
941 * gnutls_x509_crl_get_extension_oid:
942 * @crl: should contain a #gnutls_x509_crl_t structure
943 * @indx: Specifies which extension OID to send, use (0) to get the first one.
944 * @oid: a pointer to a structure to hold the OID (may be null)
945 * @sizeof_oid: initially holds the size of @oid
946 *
947 * This function will return the requested extension OID in the CRL.
948 * The extension OID will be stored as a string in the provided
949 * buffer.
950 *
951 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
952 * negative error code in case of an error. If your have reached the
953 * last extension available %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
954 * will be returned.
955 *
956 * Since: 2.8.0
957 **/
958 int
959 gnutls_x509_crl_get_extension_oid (gnutls_x509_crl_t crl, int indx,
960 void *oid, size_t * sizeof_oid)
961 {
962 int result;
963
964 if (crl == NULL)
965 {
966 gnutls_assert ();
967 return GNUTLS_E_INVALID_REQUEST;
968 }
969
970 result = _gnutls_x509_crl_get_extension_oid (crl, indx, oid, sizeof_oid);
971 if (result < 0)
972 {
973 return result;
974 }
975
976 return 0;
977
978 }
979
980 /**
981 * gnutls_x509_crl_get_extension_info:
982 * @crl: should contain a #gnutls_x509_crl_t structure
983 * @indx: Specifies which extension OID to send, use (0) to get the first one.
984 * @oid: a pointer to a structure to hold the OID
985 * @sizeof_oid: initially holds the maximum size of @oid, on return
986 * holds actual size of @oid.
987 * @critical: output variable with critical flag, may be NULL.
988 *
989 * This function will return the requested extension OID in the CRL,
990 * and the critical flag for it. The extension OID will be stored as
991 * a string in the provided buffer. Use
992 * gnutls_x509_crl_get_extension_data() to extract the data.
993 *
994 * If the buffer provided is not long enough to hold the output, then
995 * *@sizeof_oid is updated and %GNUTLS_E_SHORT_MEMORY_BUFFER will be
996 * returned.
997 *
998 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
999 * negative error code in case of an error. If your have reached the
1000 * last extension available %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
1001 * will be returned.
1002 *
1003 * Since: 2.8.0
1004 **/
1005 int
1006 gnutls_x509_crl_get_extension_info (gnutls_x509_crl_t crl, int indx,
1007 void *oid, size_t * sizeof_oid,
1008 unsigned int *critical)
1009 {
1010 int result;
1011 char str_critical[10];
1012 char name[ASN1_MAX_NAME_SIZE];
1013 int len;
1014
1015 if (!crl)
1016 {
1017 gnutls_assert ();
1018 return GNUTLS_E_INVALID_REQUEST;
1019 }
1020
1021 snprintf (name, sizeof (name), "tbsCertList.crlExtensions.?%u.extnID",
1022 indx + 1);
1023
1024 len = *sizeof_oid;
1025 result = asn1_read_value (crl->crl, name, oid, &len);
1026 *sizeof_oid = len;
1027
1028 if (result == ASN1_ELEMENT_NOT_FOUND)
1029 return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
1030 else if (result != ASN1_SUCCESS)
1031 {
1032 gnutls_assert ();
1033 return _gnutls_asn2err (result);
1034 }
1035
1036 snprintf (name, sizeof (name), "tbsCertList.crlExtensions.?%u.critical",
1037 indx + 1);
1038 len = sizeof (str_critical);
1039 result = asn1_read_value (crl->crl, name, str_critical, &len);
1040 if (result != ASN1_SUCCESS)
1041 {
1042 gnutls_assert ();
1043 return _gnutls_asn2err (result);
1044 }
1045
1046 if (critical)
1047 {
1048 if (str_critical[0] == 'T')
1049 *critical = 1;
1050 else
1051 *critical = 0;
1052 }
1053
1054 return 0;
1055
1056 }
1057
1058 /**
1059 * gnutls_x509_crl_get_extension_data:
1060 * @crl: should contain a #gnutls_x509_crl_t structure
1061 * @indx: Specifies which extension OID to send. Use (0) to get the first one.
1062 * @data: a pointer to a structure to hold the data (may be null)
1063 * @sizeof_data: initially holds the size of @oid
1064 *
1065 * This function will return the requested extension data in the CRL.
1066 * The extension data will be stored as a string in the provided
1067 * buffer.
1068 *
1069 * Use gnutls_x509_crl_get_extension_info() to extract the OID and
1070 * critical flag. Use gnutls_x509_crl_get_extension_info() instead,
1071 * if you want to get data indexed by the extension OID rather than
1072 * sequence.
1073 *
1074 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
1075 * negative error code in case of an error. If your have reached the
1076 * last extension available %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
1077 * will be returned.
1078 *
1079 * Since: 2.8.0
1080 **/
1081 int
1082 gnutls_x509_crl_get_extension_data (gnutls_x509_crl_t crl, int indx,
1083 void *data, size_t * sizeof_data)
1084 {
1085 int result, len;
1086 char name[ASN1_MAX_NAME_SIZE];
1087
1088 if (!crl)
1089 {
1090 gnutls_assert ();
1091 return GNUTLS_E_INVALID_REQUEST;
1092 }
1093
1094 snprintf (name, sizeof (name), "tbsCertList.crlExtensions.?%u.extnValue",
1095 indx + 1);
1096
1097 len = *sizeof_data;
1098 result = asn1_read_value (crl->crl, name, data, &len);
1099 *sizeof_data = len;
1100
1101 if (result == ASN1_ELEMENT_NOT_FOUND)
1102 return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
1103 else if (result < 0)
1104 {
1105 gnutls_assert ();
1106 return _gnutls_asn2err (result);
1107 }
1108
1109 return 0;
1110 }
1111
1112 /**
1113 * gnutls_x509_crl_list_import2:
1114 * @crls: The structures to store the parsed crl list. Must not be initialized.
1115 * @size: It will contain the size of the list.
1116 * @data: The PEM encoded CRL.
1117 * @format: One of DER or PEM.
1118 * @flags: must be (0) or an OR'd sequence of gnutls_certificate_import_flags.
1119 *
1120 * This function will convert the given PEM encoded CRL list
1121 * to the native gnutls_x509_crl_t format. The output will be stored
1122 * in @crls. They will be automatically initialized.
1123 *
1124 * If the Certificate is PEM encoded it should have a header of "X509
1125 * CRL".
1126 *
1127 * Returns: the number of certificates read or a negative error value.
1128 *
1129 * Since: 3.0
1130 **/
1131 int
1132 gnutls_x509_crl_list_import2 (gnutls_x509_crl_t ** crls,
1133 unsigned int * size,
1134 const gnutls_datum_t * data,
1135 gnutls_x509_crt_fmt_t format, unsigned int flags)
1136 {
1137 unsigned int init = 1024;
1138 int ret;
1139
1140 *crls = gnutls_malloc(sizeof(gnutls_x509_crl_t)*init);
1141 if (*crls == NULL)
1142 {
1143 gnutls_assert();
1144 return GNUTLS_E_MEMORY_ERROR;
1145 }
1146
1147 ret = gnutls_x509_crl_list_import(*crls, &init, data, format, GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED);
1148 if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER)
1149 {
1150 *crls = gnutls_realloc_fast(*crls, sizeof(gnutls_x509_crl_t)*init);
1151 if (*crls == NULL)
1152 {
1153 gnutls_assert();
1154 return GNUTLS_E_MEMORY_ERROR;
1155 }
1156
1157 ret = gnutls_x509_crl_list_import(*crls, &init, data, format, flags);
1158 }
1159
1160 if (ret < 0)
1161 {
1162 gnutls_free(*crls);
1163 *crls = NULL;
1164 return ret;
1165 }
1166
1167 *size = init;
1168 return 0;
1169 }
1170
1171 /**
1172 * gnutls_x509_crl_list_import:
1173 * @crls: The structures to store the parsed CRLs. Must not be initialized.
1174 * @crl_max: Initially must hold the maximum number of crls. It will be updated with the number of crls available.
1175 * @data: The PEM encoded CRLs
1176 * @format: One of DER or PEM.
1177 * @flags: must be (0) or an OR'd sequence of gnutls_certificate_import_flags.
1178 *
1179 * This function will convert the given PEM encoded CRL list
1180 * to the native gnutls_x509_crl_t format. The output will be stored
1181 * in @crls. They will be automatically initialized.
1182 *
1183 * If the Certificate is PEM encoded it should have a header of "X509 CRL".
1184 *
1185 * Returns: the number of certificates read or a negative error value.
1186 *
1187 * Since: 3.0
1188 **/
1189 int
1190 gnutls_x509_crl_list_import (gnutls_x509_crl_t * crls,
1191 unsigned int *crl_max,
1192 const gnutls_datum_t * data,
1193 gnutls_x509_crt_fmt_t format, unsigned int flags)
1194 {
1195 int size;
1196 const char *ptr;
1197 gnutls_datum_t tmp;
1198 int ret, nocopy = 0;
1199 unsigned int count = 0, j;
1200
1201 if (format == GNUTLS_X509_FMT_DER)
1202 {
1203 if (*crl_max < 1)
1204 {
1205 *crl_max = 1;
1206 return GNUTLS_E_SHORT_MEMORY_BUFFER;
1207 }
1208
1209 count = 1; /* import only the first one */
1210
1211 ret = gnutls_x509_crl_init (&crls[0]);
1212 if (ret < 0)
1213 {
1214 gnutls_assert ();
1215 goto error;
1216 }
1217
1218 ret = gnutls_x509_crl_import (crls[0], data, format);
1219 if (ret < 0)
1220 {
1221 gnutls_assert ();
1222 goto error;
1223 }
1224
1225 *crl_max = 1;
1226 return 1;
1227 }
1228
1229 /* move to the certificate
1230 */
1231 ptr = memmem (data->data, data->size,
1232 PEM_CRL_SEP, sizeof (PEM_CRL_SEP) - 1);
1233 if (ptr == NULL)
1234 {
1235 gnutls_assert ();
1236 return GNUTLS_E_BASE64_DECODING_ERROR;
1237 }
1238
1239 count = 0;
1240
1241 do
1242 {
1243 if (count >= *crl_max)
1244 {
1245 if (!(flags & GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED))
1246 break;
1247 else
1248 nocopy = 1;
1249 }
1250
1251 if (!nocopy)
1252 {
1253 ret = gnutls_x509_crl_init (&crls[count]);
1254 if (ret < 0)
1255 {
1256 gnutls_assert ();
1257 goto error;
1258 }
1259
1260 tmp.data = (void *) ptr;
1261 tmp.size = data->size - (ptr - (char *) data->data);
1262
1263 ret =
1264 gnutls_x509_crl_import (crls[count], &tmp, GNUTLS_X509_FMT_PEM);
1265 if (ret < 0)
1266 {
1267 gnutls_assert ();
1268 goto error;
1269 }
1270 }
1271
1272 /* now we move ptr after the pem header
1273 */
1274 ptr++;
1275 /* find the next certificate (if any)
1276 */
1277 size = data->size - (ptr - (char *) data->data);
1278
1279 if (size > 0)
1280 {
1281 ptr = memmem (ptr, size, PEM_CRL_SEP, sizeof (PEM_CRL_SEP) - 1);
1282 }
1283 else
1284 ptr = NULL;
1285
1286 count++;
1287 }
1288 while (ptr != NULL);
1289
1290 *crl_max = count;
1291
1292 if (nocopy == 0)
1293 return count;
1294 else
1295 return GNUTLS_E_SHORT_MEMORY_BUFFER;
1296
1297 error:
1298 for (j = 0; j < count; j++)
1299 gnutls_x509_crl_deinit (crls[j]);
1300 return ret;
1301 }
1302
Implementation of the SSL/TLS protocol