2 * Copyright (C) 2002, 2003, 2004, 2005, 2007, 2008 Free Software Foundation
4 * Author: Nikos Mavrogiannopoulos
6 * This file is part of GNUTLS-EXTRA.
8 * GNUTLS-EXTRA is free software: you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation, either version 3 of the License, or
11 * (at your option) any later version.
13 * GNUTLS-EXTRA is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>.
22 /* This file includes all functions that were in the 0.5.x and 0.8.x
23 * gnutls API. They are now implemented over the new certificate parsing
27 #include "gnutls_int.h"
29 #include <gnutls_global.h>
30 #include <gnutls_errors.h>
31 #include <string.h> /* memset */
32 #include <x509/x509_int.h>
34 #include <gnutls/x509.h>
35 #include <openssl_compat.h>
38 * gnutls_x509_extract_dn - This function parses an RDN sequence
39 * @idn: should contain a DER encoded RDN sequence
40 * @rdn: a pointer to a structure to hold the name
42 * This function will return the name of the given RDN sequence.
43 * The name will be returned as a gnutls_x509_dn structure.
44 * Returns a negative error code in case of an error.
48 gnutls_x509_extract_dn (const gnutls_datum_t
* idn
, gnutls_x509_dn
* rdn
)
50 ASN1_TYPE dn
= ASN1_TYPE_EMPTY
;
55 asn1_create_element (_gnutls_get_pkix (),
56 "PKIX1.Name", &dn
)) != ASN1_SUCCESS
)
58 return _gnutls_asn2err (result
);
61 result
= asn1_der_decoding (&dn
, idn
->data
, idn
->size
, NULL
);
62 if (result
!= ASN1_SUCCESS
)
64 /* couldn't decode DER */
65 asn1_delete_structure (&dn
);
66 return _gnutls_asn2err (result
);
69 memset (rdn
, 0, sizeof (gnutls_x509_dn
));
71 len
= sizeof (rdn
->country
);
72 _gnutls_x509_parse_dn_oid (dn
, "", GNUTLS_OID_X520_COUNTRY_NAME
, 0, 0,
75 len
= sizeof (rdn
->organization
);
76 _gnutls_x509_parse_dn_oid (dn
, "", GNUTLS_OID_X520_ORGANIZATION_NAME
, 0,
77 0, rdn
->organization
, &len
);
79 len
= sizeof (rdn
->organizational_unit_name
);
80 _gnutls_x509_parse_dn_oid (dn
, "",
81 GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME
, 0,
82 0, rdn
->organizational_unit_name
, &len
);
84 len
= sizeof (rdn
->common_name
);
85 _gnutls_x509_parse_dn_oid (dn
, "", GNUTLS_OID_X520_COMMON_NAME
, 0, 0,
86 rdn
->common_name
, &len
);
88 len
= sizeof (rdn
->locality_name
);
89 _gnutls_x509_parse_dn_oid (dn
, "", GNUTLS_OID_X520_LOCALITY_NAME
, 0, 0,
90 rdn
->locality_name
, &len
);
92 len
= sizeof (rdn
->state_or_province_name
);
93 _gnutls_x509_parse_dn_oid (dn
, "",
94 GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME
, 0, 0,
95 rdn
->state_or_province_name
, &len
);
97 len
= sizeof (rdn
->email
);
98 _gnutls_x509_parse_dn_oid (dn
, "", GNUTLS_OID_PKCS9_EMAIL
, 0, 0,
101 asn1_delete_structure (&dn
);
107 * gnutls_x509_extract_certificate_dn - This function returns the certificate's distinguished name
108 * @cert: should contain an X.509 DER encoded certificate
109 * @ret: a pointer to a structure to hold the peer's name
111 * This function will return the name of the certificate holder. The name is gnutls_x509_dn structure and
112 * is a obtained by the peer's certificate. If the certificate send by the
113 * peer is invalid, or in any other failure this function returns error.
114 * Returns a negative error code in case of an error.
118 gnutls_x509_extract_certificate_dn (const gnutls_datum_t
* cert
,
119 gnutls_x509_dn
* ret
)
121 gnutls_x509_crt_t xcert
;
125 result
= gnutls_x509_crt_init (&xcert
);
129 result
= gnutls_x509_crt_import (xcert
, cert
, GNUTLS_X509_FMT_DER
);
132 gnutls_x509_crt_deinit (xcert
);
136 len
= sizeof (ret
->country
);
137 gnutls_x509_crt_get_dn_by_oid (xcert
, GNUTLS_OID_X520_COUNTRY_NAME
, 0,
138 0, ret
->country
, &len
);
140 len
= sizeof (ret
->organization
);
141 gnutls_x509_crt_get_dn_by_oid (xcert
, GNUTLS_OID_X520_ORGANIZATION_NAME
,
142 0, 0, ret
->organization
, &len
);
144 len
= sizeof (ret
->organizational_unit_name
);
145 gnutls_x509_crt_get_dn_by_oid (xcert
,
146 GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME
,
147 0, 0, ret
->organizational_unit_name
, &len
);
149 len
= sizeof (ret
->common_name
);
150 gnutls_x509_crt_get_dn_by_oid (xcert
, GNUTLS_OID_X520_COMMON_NAME
, 0, 0,
151 ret
->common_name
, &len
);
153 len
= sizeof (ret
->locality_name
);
154 gnutls_x509_crt_get_dn_by_oid (xcert
, GNUTLS_OID_X520_LOCALITY_NAME
, 0,
155 0, ret
->locality_name
, &len
);
157 len
= sizeof (ret
->state_or_province_name
);
158 gnutls_x509_crt_get_dn_by_oid (xcert
,
159 GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME
,
160 0, 0, ret
->state_or_province_name
, &len
);
162 len
= sizeof (ret
->email
);
163 gnutls_x509_crt_get_dn_by_oid (xcert
, GNUTLS_OID_PKCS9_EMAIL
, 0, 0,
166 gnutls_x509_crt_deinit (xcert
);
172 * gnutls_x509_extract_certificate_issuer_dn - This function returns the certificate's issuer distinguished name
173 * @cert: should contain an X.509 DER encoded certificate
174 * @ret: a pointer to a structure to hold the issuer's name
176 * This function will return the name of the issuer stated in the certificate. The name is a gnutls_x509_dn structure and
177 * is a obtained by the peer's certificate. If the certificate send by the
178 * peer is invalid, or in any other failure this function returns error.
179 * Returns a negative error code in case of an error.
183 gnutls_x509_extract_certificate_issuer_dn (const gnutls_datum_t
* cert
,
184 gnutls_x509_dn
* ret
)
186 gnutls_x509_crt_t xcert
;
190 result
= gnutls_x509_crt_init (&xcert
);
194 result
= gnutls_x509_crt_import (xcert
, cert
, GNUTLS_X509_FMT_DER
);
197 gnutls_x509_crt_deinit (xcert
);
201 len
= sizeof (ret
->country
);
202 gnutls_x509_crt_get_issuer_dn_by_oid (xcert
,
203 GNUTLS_OID_X520_COUNTRY_NAME
, 0,
204 0, ret
->country
, &len
);
206 len
= sizeof (ret
->organization
);
207 gnutls_x509_crt_get_issuer_dn_by_oid (xcert
,
208 GNUTLS_OID_X520_ORGANIZATION_NAME
,
209 0, 0, ret
->organization
, &len
);
211 len
= sizeof (ret
->organizational_unit_name
);
212 gnutls_x509_crt_get_issuer_dn_by_oid (xcert
,
213 GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME
,
215 ret
->organizational_unit_name
, &len
);
217 len
= sizeof (ret
->common_name
);
218 gnutls_x509_crt_get_issuer_dn_by_oid (xcert
,
219 GNUTLS_OID_X520_COMMON_NAME
, 0, 0,
220 ret
->common_name
, &len
);
222 len
= sizeof (ret
->locality_name
);
223 gnutls_x509_crt_get_issuer_dn_by_oid (xcert
,
224 GNUTLS_OID_X520_LOCALITY_NAME
, 0,
225 0, ret
->locality_name
, &len
);
227 len
= sizeof (ret
->state_or_province_name
);
228 gnutls_x509_crt_get_issuer_dn_by_oid (xcert
,
229 GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME
,
230 0, 0, ret
->state_or_province_name
,
233 len
= sizeof (ret
->email
);
234 gnutls_x509_crt_get_issuer_dn_by_oid (xcert
, GNUTLS_OID_PKCS9_EMAIL
, 0,
235 0, ret
->email
, &len
);
237 gnutls_x509_crt_deinit (xcert
);
244 * gnutls_x509_extract_certificate_subject_alt_name - This function returns the certificate's alternative name, if any
245 * @cert: should contain an X.509 DER encoded certificate
246 * @seq: specifies the sequence number of the alt name (0 for the first one, 1 for the second etc.)
247 * @ret: is the place where the alternative name will be copied to
248 * @ret_size: holds the size of ret.
250 * This function will return the alternative names, contained in the
253 * This is specified in X509v3 Certificate Extensions.
254 * GNUTLS will return the Alternative name, or a negative
256 * Returns GNUTLS_E_SHORT_MEMORY_BUFFER if ret_size is not enough to hold the alternative
257 * name, or the type of alternative name if everything was ok. The type is
258 * one of the enumerated GNUTLS_X509_SUBJECT_ALT_NAME.
260 * If the certificate does not have an Alternative name with the specified
261 * sequence number then returns GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
265 gnutls_x509_extract_certificate_subject_alt_name (const gnutls_datum_t
*
267 char *ret
, int *ret_size
)
269 gnutls_x509_crt_t xcert
;
271 size_t size
= *ret_size
;
273 result
= gnutls_x509_crt_init (&xcert
);
277 result
= gnutls_x509_crt_import (xcert
, cert
, GNUTLS_X509_FMT_DER
);
280 gnutls_x509_crt_deinit (xcert
);
285 gnutls_x509_crt_get_subject_alt_name (xcert
, seq
, ret
, &size
, NULL
);
288 gnutls_x509_crt_deinit (xcert
);
294 * gnutls_x509_extract_certificate_ca_status - This function returns the certificate CA status
295 * @cert: should contain an X.509 DER encoded certificate
297 * This function will return certificates CA status, by reading the
298 * basicConstraints X.509 extension. If the certificate is a CA a positive
299 * value will be returned, or zero if the certificate does not have
302 * A negative value may be returned in case of parsing error.
303 * If the certificate does not contain the basicConstraints extension
304 * GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.
308 gnutls_x509_extract_certificate_ca_status (const gnutls_datum_t
* cert
)
310 gnutls_x509_crt_t xcert
;
313 result
= gnutls_x509_crt_init (&xcert
);
317 result
= gnutls_x509_crt_import (xcert
, cert
, GNUTLS_X509_FMT_DER
);
320 gnutls_x509_crt_deinit (xcert
);
324 result
= gnutls_x509_crt_get_ca_status (xcert
, NULL
);
326 gnutls_x509_crt_deinit (xcert
);
332 * gnutls_x509_extract_certificate_activation_time - This function returns the peer's certificate activation time
333 * @cert: should contain an X.509 DER encoded certificate
335 * This function will return the certificate's activation time in UNIX time
336 * (ie seconds since 00:00:00 UTC January 1, 1970).
337 * Returns a (time_t) -1 in case of an error.
341 gnutls_x509_extract_certificate_activation_time (const gnutls_datum_t
* cert
)
343 gnutls_x509_crt_t xcert
;
346 result
= gnutls_x509_crt_init (&xcert
);
350 result
= gnutls_x509_crt_import (xcert
, cert
, GNUTLS_X509_FMT_DER
);
353 gnutls_x509_crt_deinit (xcert
);
357 result
= gnutls_x509_crt_get_activation_time (xcert
);
359 gnutls_x509_crt_deinit (xcert
);
365 * gnutls_x509_extract_certificate_expiration_time - This function returns the certificate's expiration time
366 * @cert: should contain an X.509 DER encoded certificate
368 * This function will return the certificate's expiration time in UNIX time
369 * (ie seconds since 00:00:00 UTC January 1, 1970).
370 * Returns a (time_t) -1 in case of an error.
374 gnutls_x509_extract_certificate_expiration_time (const gnutls_datum_t
* cert
)
376 gnutls_x509_crt_t xcert
;
379 result
= gnutls_x509_crt_init (&xcert
);
383 result
= gnutls_x509_crt_import (xcert
, cert
, GNUTLS_X509_FMT_DER
);
386 gnutls_x509_crt_deinit (xcert
);
390 result
= gnutls_x509_crt_get_expiration_time (xcert
);
392 gnutls_x509_crt_deinit (xcert
);
398 * gnutls_x509_extract_certificate_version - This function returns the certificate's version
399 * @cert: is an X.509 DER encoded certificate
401 * This function will return the X.509 certificate's version (1, 2, 3). This is obtained by the X509 Certificate
402 * Version field. Returns a negative value in case of an error.
406 gnutls_x509_extract_certificate_version (const gnutls_datum_t
* cert
)
408 gnutls_x509_crt_t xcert
;
411 result
= gnutls_x509_crt_init (&xcert
);
415 result
= gnutls_x509_crt_import (xcert
, cert
, GNUTLS_X509_FMT_DER
);
418 gnutls_x509_crt_deinit (xcert
);
422 result
= gnutls_x509_crt_get_version (xcert
);
424 gnutls_x509_crt_deinit (xcert
);
431 * gnutls_x509_extract_certificate_serial - This function returns the certificate's serial number
432 * @cert: is an X.509 DER encoded certificate
433 * @result: The place where the serial number will be copied
434 * @result_size: Holds the size of the result field.
436 * This function will return the X.509 certificate's serial number.
437 * This is obtained by the X509 Certificate serialNumber
438 * field. Serial is not always a 32 or 64bit number. Some CAs use
439 * large serial numbers, thus it may be wise to handle it as something
441 * Returns a negative value in case of an error.
445 gnutls_x509_extract_certificate_serial (const gnutls_datum_t
* cert
,
446 char *result
, int *result_size
)
448 gnutls_x509_crt_t xcert
;
449 size_t size
= *result_size
;
452 ret
= gnutls_x509_crt_init (&xcert
);
456 ret
= gnutls_x509_crt_import (xcert
, cert
, GNUTLS_X509_FMT_DER
);
459 gnutls_x509_crt_deinit (xcert
);
463 ret
= gnutls_x509_crt_get_serial (xcert
, result
, &size
);
466 gnutls_x509_crt_deinit (xcert
);
473 * gnutls_x509_extract_certificate_pk_algorithm - This function returns the certificate's PublicKey algorithm
474 * @cert: is a DER encoded X.509 certificate
475 * @bits: if bits is non null it will hold the size of the parameters' in bits
477 * This function will return the public key algorithm of an X.509
480 * If bits is non null, it should have enough size to hold the parameters
481 * size in bits. For RSA the bits returned is the modulus.
482 * For DSA the bits returned are of the public
485 * Returns a member of the gnutls_pk_algorithm_t enumeration on success,
486 * or a negative value on error.
490 gnutls_x509_extract_certificate_pk_algorithm (const gnutls_datum_t
*
493 gnutls_x509_crt_t xcert
;
496 result
= gnutls_x509_crt_init (&xcert
);
500 result
= gnutls_x509_crt_import (xcert
, cert
, GNUTLS_X509_FMT_DER
);
503 gnutls_x509_crt_deinit (xcert
);
507 result
= gnutls_x509_crt_get_pk_algorithm (xcert
, bits
);
509 gnutls_x509_crt_deinit (xcert
);
516 * gnutls_x509_extract_certificate_dn_string - This function returns the certificate's distinguished name
517 * @cert: should contain an X.509 DER encoded certificate
518 * @buf: a pointer to a structure to hold the peer's name
519 * @sizeof_buf: holds the size of 'buf'
520 * @issuer: if non zero, then extract the name of the issuer, instead of the holder
522 * This function will copy the name of the certificate holder in the provided buffer. The name
523 * will be in the form "C=xxxx,O=yyyy,CN=zzzz" as described in RFC2253.
525 * Returns GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not long enough,
530 gnutls_x509_extract_certificate_dn_string (char *buf
,
531 unsigned int sizeof_buf
,
532 const gnutls_datum_t
* cert
,
535 gnutls_x509_crt_t xcert
;
539 result
= gnutls_x509_crt_init (&xcert
);
543 result
= gnutls_x509_crt_import (xcert
, cert
, GNUTLS_X509_FMT_DER
);
546 gnutls_x509_crt_deinit (xcert
);
552 result
= gnutls_x509_crt_get_dn (xcert
, buf
, &size
);
554 result
= gnutls_x509_crt_get_issuer_dn (xcert
, buf
, &size
);
556 gnutls_x509_crt_deinit (xcert
);
562 * gnutls_x509_verify_certificate - This function verifies given certificate list
563 * @cert_list: is the certificate list to be verified
564 * @cert_list_length: holds the number of certificate in cert_list
565 * @CA_list: is the CA list which will be used in verification
566 * @CA_list_length: holds the number of CA certificate in CA_list
567 * @CRL_list: not used
568 * @CRL_list_length: not used
570 * This function will try to verify the given certificate list and return its status (TRUSTED, EXPIRED etc.).
571 * The return value (status) should be one or more of the gnutls_certificate_status_t
572 * enumerated elements bitwise or'd. Note that expiration and activation dates are not checked
573 * by this function, you should check them using the appropriate functions.
575 * This function understands the basicConstraints (2.5.29.19) PKIX extension.
576 * This means that only a certificate authority can sign a certificate.
578 * However you must also check the peer's name in order to check if the verified certificate belongs to the
581 * The return value (status) should be one or more of the gnutls_certificate_status_t
582 * enumerated elements bitwise or'd.
584 * GNUTLS_CERT_INVALID: the peer's certificate is not valid.
586 * GNUTLS_CERT_REVOKED: the certificate has been revoked.
588 * A negative error code is returned in case of an error.
589 * GNUTLS_E_NO_CERTIFICATE_FOUND is returned to indicate that
590 * no certificate was sent by the peer.
595 gnutls_x509_verify_certificate (const gnutls_datum_t
* cert_list
,
596 int cert_list_length
,
597 const gnutls_datum_t
* CA_list
,
599 const gnutls_datum_t
* CRL_list
,
603 gnutls_x509_crt_t
*peer_certificate_list
= NULL
;
604 gnutls_x509_crt_t
*ca_certificate_list
= NULL
;
605 gnutls_x509_crl_t
*crl_list
= NULL
;
606 int peer_certificate_list_size
= 0, i
, x
, ret
;
607 int ca_certificate_list_size
= 0, crl_list_size
= 0;
609 if (cert_list
== NULL
|| cert_list_length
== 0)
610 return GNUTLS_E_NO_CERTIFICATE_FOUND
;
612 /* generate a list of gnutls_certs based on the auth info
615 peer_certificate_list_size
= cert_list_length
;
616 peer_certificate_list
=
617 gnutls_calloc (peer_certificate_list_size
, sizeof (gnutls_x509_crt_t
));
618 if (peer_certificate_list
== NULL
)
621 ret
= GNUTLS_E_MEMORY_ERROR
;
625 ca_certificate_list_size
= CA_list_length
;
626 ca_certificate_list
=
627 gnutls_calloc (ca_certificate_list_size
, sizeof (gnutls_x509_crt_t
));
628 if (ca_certificate_list
== NULL
)
631 ret
= GNUTLS_E_MEMORY_ERROR
;
635 /* allocate memory for CRL
637 crl_list_size
= CRL_list_length
;
638 crl_list
= gnutls_calloc (crl_list_size
, sizeof (gnutls_x509_crl_t
));
639 if (crl_list
== NULL
)
642 ret
= GNUTLS_E_MEMORY_ERROR
;
646 /* convert certA_list to gnutls_cert* list
648 for (i
= 0; i
< peer_certificate_list_size
; i
++)
650 ret
= gnutls_x509_crt_init (&peer_certificate_list
[i
]);
658 gnutls_x509_crt_import (peer_certificate_list
[i
],
659 &cert_list
[i
], GNUTLS_X509_FMT_DER
);
667 /* convert CA_list to gnutls_x509_cert* list
669 for (i
= 0; i
< ca_certificate_list_size
; i
++)
671 ret
= gnutls_x509_crt_init (&ca_certificate_list
[i
]);
679 gnutls_x509_crt_import (ca_certificate_list
[i
],
680 &CA_list
[i
], GNUTLS_X509_FMT_DER
);
689 /* convert CRL_list to gnutls_x509_crl* list
691 for (i
= 0; i
< crl_list_size
; i
++)
693 ret
= gnutls_x509_crl_init (&crl_list
[i
]);
701 gnutls_x509_crl_import (crl_list
[i
],
702 &CRL_list
[i
], GNUTLS_X509_FMT_DER
);
711 /* Verify certificate
714 gnutls_x509_crt_list_verify (peer_certificate_list
,
715 peer_certificate_list_size
,
717 ca_certificate_list_size
, crl_list
,
718 crl_list_size
, 0, &verify
);
730 if (peer_certificate_list
!= NULL
)
731 for (x
= 0; x
< peer_certificate_list_size
; x
++)
733 if (peer_certificate_list
[x
] != NULL
)
734 gnutls_x509_crt_deinit (peer_certificate_list
[x
]);
737 if (ca_certificate_list
!= NULL
)
738 for (x
= 0; x
< ca_certificate_list_size
; x
++)
740 if (ca_certificate_list
[x
] != NULL
)
741 gnutls_x509_crt_deinit (ca_certificate_list
[x
]);
744 if (crl_list
!= NULL
)
745 for (x
= 0; x
< crl_list_size
; x
++)
747 if (crl_list
[x
] != NULL
)
748 gnutls_x509_crl_deinit (crl_list
[x
]);
751 gnutls_free (crl_list
);
754 gnutls_free (ca_certificate_list
);
755 gnutls_free (peer_certificate_list
);
761 * gnutls_x509_extract_key_pk_algorithm - This function returns the keys's PublicKey algorithm
762 * @cert: is a DER encoded private key
764 * This function will return the public key algorithm of a DER encoded private
767 * Returns a member of the gnutls_pk_algorithm_t enumeration on success,
768 * or GNUTLS_E_UNKNOWN_PK_ALGORITHM on error.
772 gnutls_x509_extract_key_pk_algorithm (const gnutls_datum_t
* key
)
774 gnutls_x509_privkey_t pkey
;
777 ret
= gnutls_x509_privkey_init (&pkey
);
784 ret
= gnutls_x509_privkey_import (pkey
, key
, GNUTLS_X509_FMT_DER
);
791 pk
= gnutls_x509_privkey_get_pk_algorithm (pkey
);
793 gnutls_x509_privkey_deinit (pkey
);
800 * gnutls_x509_pkcs7_extract_certificate - This function returns a certificate in a PKCS7 certificate set
801 * @pkcs7_struct: should contain a PKCS7 DER formatted structure
802 * @indx: contains the index of the certificate to extract
803 * @certificate: the contents of the certificate will be copied there
804 * @certificate_size: should hold the size of the certificate
806 * This function will return a certificate of the PKCS7 or RFC2630 certificate set.
807 * Returns 0 on success. If the provided buffer is not long enough,
808 * then GNUTLS_E_SHORT_MEMORY_BUFFER is returned.
810 * After the last certificate has been read GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
815 gnutls_x509_pkcs7_extract_certificate (const gnutls_datum_t
*
816 pkcs7_struct
, int indx
,
818 int *certificate_size
)
820 gnutls_pkcs7_t pkcs7
;
822 size_t size
= *certificate_size
;
824 result
= gnutls_pkcs7_init (&pkcs7
);
828 result
= gnutls_pkcs7_import (pkcs7
, pkcs7_struct
, GNUTLS_X509_FMT_DER
);
831 gnutls_pkcs7_deinit (pkcs7
);
835 result
= gnutls_pkcs7_get_crt_raw (pkcs7
, indx
, certificate
, &size
);
836 *certificate_size
= size
;
838 gnutls_pkcs7_deinit (pkcs7
);