2 * Copyright (C) 2002-2012 Free Software Foundation, Inc.
4 * Author: Nikos Mavrogiannopoulos
6 * This file is part of GnuTLS.
8 * The GnuTLS is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 3 of
11 * the License, or (at your option) any later version.
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
18 * You should have received a copy of the GNU Lesser General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>
23 #include <gnutls_int.h>
24 #include "gnutls_auth.h"
25 #include "gnutls_errors.h"
26 #include <auth/cert.h>
27 #include "gnutls_dh.h"
28 #include "gnutls_num.h"
29 #include "gnutls_datum.h"
30 #include <gnutls_pk.h>
31 #include <algorithms.h>
32 #include <gnutls_global.h>
33 #include <gnutls_record.h>
34 #include <gnutls_sig.h>
35 #include <gnutls_state.h>
36 #include <gnutls_pk.h>
37 #include <gnutls_str.h>
40 #include <gnutls_x509.h>
41 #include "x509/common.h"
42 #include "x509/x509_int.h"
43 #include <gnutls_str_array.h>
44 #include "read-file.h"
47 * some x509 certificate parsing functions.
50 /* Check if the number of bits of the key in the certificate
54 check_bits (gnutls_x509_crt_t crt
, unsigned int max_bits
)
59 ret
= gnutls_x509_crt_get_pk_algorithm (crt
, &bits
);
66 if (bits
> max_bits
&& max_bits
> 0)
69 return GNUTLS_E_CONSTRAINT_ERROR
;
76 #define CLEAR_CERTS for(x=0;x<peer_certificate_list_size;x++) { \
77 if (peer_certificate_list[x]) \
78 gnutls_x509_crt_deinit(peer_certificate_list[x]); \
80 gnutls_free( peer_certificate_list)
83 * _gnutls_x509_cert_verify_peers - return the peer's certificate status
84 * @session: is a gnutls session
86 * This function will try to verify the peer's certificate and return its status (TRUSTED, REVOKED etc.).
87 * The return value (status) should be one of the gnutls_certificate_status_t enumerated elements.
88 * However you must also check the peer's name in order to check if the verified certificate belongs to the
89 * actual peer. Returns a negative error code in case of an error, or GNUTLS_E_NO_CERTIFICATE_FOUND if no certificate was sent.
92 _gnutls_x509_cert_verify_peers (gnutls_session_t session
,
95 cert_auth_info_t info
;
96 gnutls_certificate_credentials_t cred
;
97 gnutls_x509_crt_t
*peer_certificate_list
;
98 int peer_certificate_list_size
, i
, x
, ret
;
100 CHECK_AUTH (GNUTLS_CRD_CERTIFICATE
, GNUTLS_E_INVALID_REQUEST
);
102 info
= _gnutls_get_auth_info (session
);
106 return GNUTLS_E_INVALID_REQUEST
;
109 cred
= (gnutls_certificate_credentials_t
)
110 _gnutls_get_cred (session
->key
, GNUTLS_CRD_CERTIFICATE
, NULL
);
114 return GNUTLS_E_INSUFFICIENT_CREDENTIALS
;
117 if (info
->raw_certificate_list
== NULL
|| info
->ncerts
== 0)
118 return GNUTLS_E_NO_CERTIFICATE_FOUND
;
120 if (info
->ncerts
> cred
->verify_depth
&& cred
->verify_depth
> 0)
123 return GNUTLS_E_CONSTRAINT_ERROR
;
126 /* generate a list of gnutls_certs based on the auth info
129 peer_certificate_list_size
= info
->ncerts
;
130 peer_certificate_list
=
131 gnutls_calloc (peer_certificate_list_size
, sizeof (gnutls_x509_crt_t
));
132 if (peer_certificate_list
== NULL
)
135 return GNUTLS_E_MEMORY_ERROR
;
138 for (i
= 0; i
< peer_certificate_list_size
; i
++)
140 ret
= gnutls_x509_crt_init (&peer_certificate_list
[i
]);
149 gnutls_x509_crt_import (peer_certificate_list
[i
],
150 &info
->raw_certificate_list
[i
],
151 GNUTLS_X509_FMT_DER
);
159 ret
= check_bits (peer_certificate_list
[i
], cred
->verify_bits
);
169 /* Verify certificate
172 ret
= gnutls_x509_trust_list_verify_crt (cred
->tlist
, peer_certificate_list
,
173 peer_certificate_list_size
,
174 cred
->verify_flags
| session
->internals
.
175 priorities
.additional_verify_flags
,
190 * Read certificates and private keys, from files, memory etc.
193 /* returns error if the certificate has different algorithm than
194 * the given key parameters.
197 _gnutls_check_key_cert_match (gnutls_certificate_credentials_t res
)
199 int pk
= gnutls_pubkey_get_pk_algorithm(res
->certs
[res
->ncerts
-1].cert_list
[0].pubkey
, NULL
);
201 if (gnutls_privkey_get_pk_algorithm (res
->pkey
[res
->ncerts
- 1], NULL
) !=
205 return GNUTLS_E_CERTIFICATE_KEY_MISMATCH
;
211 /* Returns the name of the certificate of a null name
213 static int get_x509_name(gnutls_x509_crt_t crt
, gnutls_str_array_t
*names
)
216 int i
, ret
= 0, ret2
;
219 for (i
= 0; !(ret
< 0); i
++)
221 max_size
= sizeof(name
);
223 ret
= gnutls_x509_crt_get_subject_alt_name(crt
, i
, name
, &max_size
, NULL
);
224 if (ret
== GNUTLS_SAN_DNSNAME
)
226 ret2
= _gnutls_str_array_append(names
, name
, max_size
);
229 _gnutls_str_array_clear(names
);
230 return gnutls_assert_val(ret2
);
235 max_size
= sizeof(name
);
236 ret
= gnutls_x509_crt_get_dn_by_oid (crt
, OID_X520_COMMON_NAME
, 0, 0, name
, &max_size
);
239 ret
= _gnutls_str_array_append(names
, name
, max_size
);
242 _gnutls_str_array_clear(names
);
243 return gnutls_assert_val(ret
);
250 static int get_x509_name_raw(gnutls_datum_t
*raw
, gnutls_x509_crt_fmt_t type
, gnutls_str_array_t
*names
)
253 gnutls_x509_crt_t crt
;
255 ret
= gnutls_x509_crt_init (&crt
);
262 ret
= gnutls_x509_crt_import (crt
, raw
, type
);
266 gnutls_x509_crt_deinit (crt
);
270 ret
= get_x509_name(crt
, names
);
271 gnutls_x509_crt_deinit (crt
);
275 /* Reads a DER encoded certificate list from memory and stores it to a
276 * gnutls_cert structure. Returns the number of certificates parsed.
279 parse_der_cert_mem (gnutls_certificate_credentials_t res
,
280 const void *input_cert
, int input_cert_size
)
283 gnutls_x509_crt_t crt
;
284 gnutls_pcert_st
*ccert
;
286 gnutls_str_array_t names
;
288 _gnutls_str_array_init(&names
);
290 ccert
= gnutls_malloc (sizeof (*ccert
));
294 return GNUTLS_E_MEMORY_ERROR
;
297 ret
= gnutls_x509_crt_init (&crt
);
304 tmp
.data
= (uint8_t *) input_cert
;
305 tmp
.size
= input_cert_size
;
307 ret
= gnutls_x509_crt_import (crt
, &tmp
, GNUTLS_X509_FMT_DER
);
311 gnutls_x509_crt_deinit (crt
);
315 ret
= get_x509_name(crt
, &names
);
319 gnutls_x509_crt_deinit (crt
);
323 ret
= gnutls_pcert_import_x509 (ccert
, crt
, 0);
324 gnutls_x509_crt_deinit (crt
);
332 ret
= certificate_credential_append_crt_list (res
, names
, ccert
, 1);
342 _gnutls_str_array_clear(&names
);
347 /* Reads a base64 encoded certificate list from memory and stores it to
348 * a gnutls_cert structure. Returns the number of certificate parsed.
351 parse_pem_cert_mem (gnutls_certificate_credentials_t res
,
352 const char *input_cert
, int input_cert_size
)
358 gnutls_pcert_st
*certs
= NULL
;
359 gnutls_str_array_t names
;
361 _gnutls_str_array_init(&names
);
363 /* move to the certificate
365 ptr
= memmem (input_cert
, input_cert_size
,
366 PEM_CERT_SEP
, sizeof (PEM_CERT_SEP
) - 1);
368 ptr
= memmem (input_cert
, input_cert_size
,
369 PEM_CERT_SEP2
, sizeof (PEM_CERT_SEP2
) - 1);
374 return GNUTLS_E_BASE64_DECODING_ERROR
;
376 size
= input_cert_size
- (ptr
- input_cert
);
382 certs
= gnutls_realloc_fast (certs
, (count
+ 1) * sizeof (gnutls_pcert_st
));
387 ret
= GNUTLS_E_MEMORY_ERROR
;
391 tmp
.data
= (void*)ptr
;
396 ret
= get_x509_name_raw(&tmp
, GNUTLS_X509_FMT_PEM
, &names
);
404 ret
= gnutls_pcert_import_x509_raw (&certs
[count
], &tmp
, GNUTLS_X509_FMT_PEM
, 0);
411 /* now we move ptr after the pem header
414 /* find the next certificate (if any)
416 size
= input_cert_size
- (ptr
- input_cert
);
422 ptr3
= memmem (ptr
, size
, PEM_CERT_SEP
, sizeof (PEM_CERT_SEP
) - 1);
424 ptr3
= memmem (ptr
, size
, PEM_CERT_SEP2
,
425 sizeof (PEM_CERT_SEP2
) - 1);
437 ret
= certificate_credential_append_crt_list (res
, names
, certs
, count
);
447 _gnutls_str_array_clear(&names
);
448 for (i
=0;i
<count
;i
++)
449 gnutls_pcert_deinit(&certs
[i
]);
456 /* Reads a DER or PEM certificate from memory
459 read_cert_mem (gnutls_certificate_credentials_t res
, const void *cert
,
460 int cert_size
, gnutls_x509_crt_fmt_t type
)
464 if (type
== GNUTLS_X509_FMT_DER
)
465 ret
= parse_der_cert_mem (res
, cert
, cert_size
);
467 ret
= parse_pem_cert_mem (res
, cert
, cert_size
);
479 _gnutls_x509_raw_privkey_to_privkey (gnutls_privkey_t
* privkey
,
480 const gnutls_datum_t
* raw_key
,
481 gnutls_x509_crt_fmt_t type
)
483 gnutls_x509_privkey_t tmpkey
;
486 ret
= gnutls_x509_privkey_init (&tmpkey
);
493 ret
= gnutls_x509_privkey_import (tmpkey
, raw_key
, type
);
497 gnutls_x509_privkey_deinit (tmpkey
);
501 ret
= gnutls_privkey_init (privkey
);
505 gnutls_x509_privkey_deinit (tmpkey
);
510 gnutls_privkey_import_x509 (*privkey
, tmpkey
,
511 GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE
);
515 gnutls_x509_privkey_deinit (tmpkey
);
516 gnutls_privkey_deinit (*privkey
);
523 /* Reads a PEM encoded PKCS-1 RSA/DSA private key from memory. Type
524 * indicates the certificate format. KEY can be NULL, to indicate
525 * that GnuTLS doesn't know the private key.
528 read_key_mem (gnutls_certificate_credentials_t res
,
529 const void *key
, int key_size
, gnutls_x509_crt_fmt_t type
)
533 gnutls_privkey_t privkey
;
537 tmp
.data
= (uint8_t *) key
;
540 ret
= _gnutls_x509_raw_privkey_to_privkey (&privkey
, &tmp
, type
);
547 ret
= certificate_credentials_append_pkey (res
, privkey
);
551 gnutls_privkey_deinit (privkey
);
559 return GNUTLS_E_INVALID_REQUEST
;
567 /* Reads a private key from a token.
570 read_key_url (gnutls_certificate_credentials_t res
, const char *url
)
573 gnutls_pkcs11_privkey_t key1
= NULL
;
574 gnutls_privkey_t pkey
= NULL
;
576 /* allocate space for the pkey list
579 ret
= gnutls_pkcs11_privkey_init (&key1
);
586 ret
= gnutls_pkcs11_privkey_import_url (key1
, url
, 0);
593 ret
= gnutls_privkey_init (&pkey
);
601 gnutls_privkey_import_pkcs11 (pkey
, key1
,
602 GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE
);
609 ret
= certificate_credentials_append_pkey (res
, pkey
);
620 gnutls_privkey_deinit (pkey
);
623 gnutls_pkcs11_privkey_deinit (key1
);
628 /* Reads a private key from a token.
631 read_cas_url (gnutls_certificate_credentials_t res
, const char *url
)
634 gnutls_x509_crt_t
*xcrt_list
= NULL
;
635 gnutls_pkcs11_obj_t
*pcrt_list
= NULL
;
636 unsigned int pcrt_list_size
= 0;
638 /* FIXME: should we use login? */
640 gnutls_pkcs11_obj_list_import_url (NULL
, &pcrt_list_size
, url
,
641 GNUTLS_PKCS11_OBJ_ATTR_CRT_TRUSTED
, 0);
642 if (ret
< 0 && ret
!= GNUTLS_E_SHORT_MEMORY_BUFFER
)
648 if (pcrt_list_size
== 0)
654 pcrt_list
= gnutls_malloc (sizeof (*pcrt_list
) * pcrt_list_size
);
655 if (pcrt_list
== NULL
)
658 return GNUTLS_E_MEMORY_ERROR
;
662 gnutls_pkcs11_obj_list_import_url (pcrt_list
, &pcrt_list_size
, url
,
663 GNUTLS_PKCS11_OBJ_ATTR_CRT_TRUSTED
, 0);
670 xcrt_list
= gnutls_malloc (sizeof (*xcrt_list
) * pcrt_list_size
);
671 if (xcrt_list
== NULL
)
674 ret
= GNUTLS_E_MEMORY_ERROR
;
679 gnutls_x509_crt_list_import_pkcs11 (xcrt_list
, pcrt_list_size
, pcrt_list
,
681 if (xcrt_list
== NULL
)
684 ret
= GNUTLS_E_MEMORY_ERROR
;
688 ret
= gnutls_x509_trust_list_add_cas(res
->tlist
, xcrt_list
, pcrt_list_size
, 0);
696 gnutls_free (xcrt_list
);
697 gnutls_free (pcrt_list
);
704 /* Reads a private key from a token.
707 read_cert_url (gnutls_certificate_credentials_t res
, const char *url
)
710 gnutls_x509_crt_t crt
;
711 gnutls_pcert_st
*ccert
;
712 gnutls_str_array_t names
;
714 _gnutls_str_array_init(&names
);
716 ccert
= gnutls_malloc (sizeof (*ccert
));
720 return GNUTLS_E_MEMORY_ERROR
;
723 ret
= gnutls_x509_crt_init (&crt
);
730 ret
= gnutls_x509_crt_import_pkcs11_url (crt
, url
, 0);
731 if (ret
== GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
)
733 gnutls_x509_crt_import_pkcs11_url (crt
, url
,
734 GNUTLS_PKCS11_OBJ_FLAG_LOGIN
);
739 gnutls_x509_crt_deinit (crt
);
743 ret
= get_x509_name(crt
, &names
);
747 gnutls_x509_crt_deinit (crt
);
751 ret
= gnutls_pcert_import_x509 (ccert
, crt
, 0);
752 gnutls_x509_crt_deinit (crt
);
760 ret
= certificate_credential_append_crt_list (res
, names
, ccert
, 1);
770 _gnutls_str_array_clear(&names
);
776 /* Reads a certificate file
779 read_cert_file (gnutls_certificate_credentials_t res
,
780 const char *certfile
, gnutls_x509_crt_fmt_t type
)
787 if (strncmp (certfile
, "pkcs11:", 7) == 0)
789 return read_cert_url (res
, certfile
);
791 #endif /* ENABLE_PKCS11 */
793 data
= read_binary_file (certfile
, &size
);
798 return GNUTLS_E_FILE_ERROR
;
801 ret
= read_cert_mem (res
, data
, size
, type
);
810 /* Reads PKCS-1 RSA private key file or a DSA file (in the format openssl
814 read_key_file (gnutls_certificate_credentials_t res
,
815 const char *keyfile
, gnutls_x509_crt_fmt_t type
)
822 if (strncmp (keyfile
, "pkcs11:", 7) == 0)
824 return read_key_url (res
, keyfile
);
826 #endif /* ENABLE_PKCS11 */
828 data
= read_binary_file (keyfile
, &size
);
833 return GNUTLS_E_FILE_ERROR
;
836 ret
= read_key_mem (res
, data
, size
, type
);
843 * gnutls_certificate_set_x509_key_mem:
844 * @res: is a #gnutls_certificate_credentials_t structure.
845 * @cert: contains a certificate list (path) for the specified private key
846 * @key: is the private key, or %NULL
847 * @type: is PEM or DER
849 * This function sets a certificate/private key pair in the
850 * gnutls_certificate_credentials_t structure. This function may be called
851 * more than once, in case multiple keys/certificates exist for the
854 * Note that the keyUsage (2.5.29.15) PKIX extension in X.509 certificates
855 * is supported. This means that certificates intended for signing cannot
856 * be used for ciphersuites that require encryption.
858 * If the certificate and the private key are given in PEM encoding
859 * then the strings that hold their values must be null terminated.
861 * The @key may be %NULL if you are using a sign callback, see
862 * gnutls_sign_callback_set().
864 * Returns: %GNUTLS_E_SUCCESS (0) on success, or a negative error code.
867 gnutls_certificate_set_x509_key_mem (gnutls_certificate_credentials_t res
,
868 const gnutls_datum_t
* cert
,
869 const gnutls_datum_t
* key
,
870 gnutls_x509_crt_fmt_t type
)
874 /* this should be first
876 if ((ret
= read_key_mem (res
, key
? key
->data
: NULL
,
877 key
? key
->size
: 0, type
)) < 0)
880 if ((ret
= read_cert_mem (res
, cert
->data
, cert
->size
, type
)) < 0)
885 if (key
&& (ret
= _gnutls_check_key_cert_match (res
)) < 0)
894 static int check_if_sorted(gnutls_pcert_st
* crt
, int nr
)
896 gnutls_x509_crt_t x509
;
897 char prev_dn
[MAX_DN
];
899 size_t prev_dn_size
, dn_size
;
902 /* check if the X.509 list is ordered */
903 if (nr
> 1 && crt
[0].type
== GNUTLS_CRT_X509
)
908 ret
= gnutls_x509_crt_init(&x509
);
910 return gnutls_assert_val(ret
);
912 ret
= gnutls_x509_crt_import(x509
, &crt
[i
].cert
, GNUTLS_X509_FMT_DER
);
915 ret
= gnutls_assert_val(ret
);
921 dn_size
= sizeof(dn
);
922 ret
= gnutls_x509_crt_get_dn(x509
, dn
, &dn_size
);
925 ret
= gnutls_assert_val(ret
);
929 if (dn_size
!= prev_dn_size
|| memcmp(dn
, prev_dn
, dn_size
) != 0)
931 ret
= gnutls_assert_val(GNUTLS_E_CERTIFICATE_LIST_UNSORTED
);
936 prev_dn_size
= sizeof(prev_dn
);
937 ret
= gnutls_x509_crt_get_issuer_dn(x509
, prev_dn
, &prev_dn_size
);
940 ret
= gnutls_assert_val(ret
);
944 gnutls_x509_crt_deinit(x509
);
951 gnutls_x509_crt_deinit(x509
);
956 certificate_credential_append_crt_list (gnutls_certificate_credentials_t res
,
957 gnutls_str_array_t names
, gnutls_pcert_st
* crt
, int nr
)
961 ret
= check_if_sorted(crt
, nr
);
963 return gnutls_assert_val(ret
);
965 res
->certs
= gnutls_realloc_fast (res
->certs
,
968 if (res
->certs
== NULL
)
971 return GNUTLS_E_MEMORY_ERROR
;
974 res
->certs
[res
->ncerts
].cert_list
= crt
;
975 res
->certs
[res
->ncerts
].cert_list_length
= nr
;
976 res
->certs
[res
->ncerts
].names
= names
;
983 certificate_credentials_append_pkey (gnutls_certificate_credentials_t res
,
984 gnutls_privkey_t pkey
)
986 res
->pkey
= gnutls_realloc_fast (res
->pkey
,
988 sizeof (gnutls_privkey_t
));
989 if (res
->pkey
== NULL
)
992 return GNUTLS_E_MEMORY_ERROR
;
994 res
->pkey
[res
->ncerts
] = pkey
;
1000 * gnutls_certificate_set_x509_key:
1001 * @res: is a #gnutls_certificate_credentials_t structure.
1002 * @cert_list: contains a certificate list (path) for the specified private key
1003 * @cert_list_size: holds the size of the certificate list
1004 * @key: is a gnutls_x509_privkey_t key
1006 * This function sets a certificate/private key pair in the
1007 * gnutls_certificate_credentials_t structure. This function may be
1008 * called more than once, in case multiple keys/certificates exist for
1009 * the server. For clients that wants to send more than its own end
1010 * entity certificate (e.g., also an intermediate CA cert) then put
1011 * the certificate chain in @cert_list.
1015 * Returns: %GNUTLS_E_SUCCESS (0) on success, or a negative error code.
1020 gnutls_certificate_set_x509_key (gnutls_certificate_credentials_t res
,
1021 gnutls_x509_crt_t
* cert_list
,
1023 gnutls_x509_privkey_t key
)
1026 gnutls_privkey_t pkey
;
1027 gnutls_pcert_st
*pcerts
= NULL
;
1028 gnutls_str_array_t names
;
1030 _gnutls_str_array_init(&names
);
1032 /* this should be first
1034 ret
= gnutls_privkey_init (&pkey
);
1041 ret
= gnutls_privkey_import_x509 (pkey
, key
, GNUTLS_PRIVKEY_IMPORT_COPY
);
1048 ret
= certificate_credentials_append_pkey (res
, pkey
);
1055 /* load certificates */
1056 pcerts
= gnutls_malloc (sizeof (gnutls_pcert_st
) * cert_list_size
);
1060 return GNUTLS_E_MEMORY_ERROR
;
1063 ret
= get_x509_name(cert_list
[0], &names
);
1065 return gnutls_assert_val(ret
);
1067 for (i
= 0; i
< cert_list_size
; i
++)
1069 ret
= gnutls_pcert_import_x509 (&pcerts
[i
], cert_list
[i
], 0);
1077 ret
= certificate_credential_append_crt_list (res
, names
, pcerts
, cert_list_size
);
1086 if ((ret
= _gnutls_check_key_cert_match (res
)) < 0)
1095 _gnutls_str_array_clear(&names
);
1100 * gnutls_certificate_set_key:
1101 * @res: is a #gnutls_certificate_credentials_t structure.
1102 * @names: is an array of DNS name of the certificate (NULL if none)
1103 * @names_size: holds the size of the names list
1104 * @pcert_list: contains a certificate list (path) for the specified private key
1105 * @pcert_list_size: holds the size of the certificate list
1106 * @key: is a gnutls_x509_privkey_t key
1108 * This function sets a certificate/private key pair in the
1109 * gnutls_certificate_credentials_t structure. This function may be
1110 * called more than once, in case multiple keys/certificates exist for
1111 * the server. For clients that wants to send more than its own end
1112 * entity certificate (e.g., also an intermediate CA cert) then put
1113 * the certificate chain in @pcert_list. The @pcert_list and @key will
1114 * become part of the credentials structure and must not
1115 * be deallocated. They will be automatically deallocated when
1116 * @res is deinitialized.
1118 * Returns: %GNUTLS_E_SUCCESS (0) on success, or a negative error code.
1123 gnutls_certificate_set_key (gnutls_certificate_credentials_t res
,
1126 gnutls_pcert_st
* pcert_list
,
1127 int pcert_list_size
,
1128 gnutls_privkey_t key
)
1131 gnutls_str_array_t str_names
;
1133 _gnutls_str_array_init(&str_names
);
1135 if (names
!= NULL
&& names_size
> 0)
1137 for (i
=0;i
<names_size
;i
++)
1139 ret
= _gnutls_str_array_append(&str_names
, names
[i
], strlen(names
[i
]));
1142 ret
= gnutls_assert_val(ret
);
1148 ret
= certificate_credentials_append_pkey (res
, key
);
1155 ret
= certificate_credential_append_crt_list (res
, str_names
, pcert_list
, pcert_list_size
);
1164 if ((ret
= _gnutls_check_key_cert_match (res
)) < 0)
1173 _gnutls_str_array_clear(&str_names
);
1178 * gnutls_certificate_set_x509_key_file:
1179 * @res: is a #gnutls_certificate_credentials_t structure.
1180 * @certfile: is a file that containing the certificate list (path) for
1181 * the specified private key, in PKCS7 format, or a list of certificates
1182 * @keyfile: is a file that contains the private key
1183 * @type: is PEM or DER
1185 * This function sets a certificate/private key pair in the
1186 * gnutls_certificate_credentials_t structure. This function may be
1187 * called more than once, in case multiple keys/certificates exist for
1188 * the server. For clients that need to send more than its own end
1189 * entity certificate, e.g., also an intermediate CA cert, then the
1190 * @certfile must contain the ordered certificate chain.
1192 * This function can also accept PKCS #11 URLs at @keyfile and @certfile. In that case it
1193 * will import the private key and certificate indicated by the URLs.
1195 * Returns: %GNUTLS_E_SUCCESS (0) on success, or a negative error code.
1198 gnutls_certificate_set_x509_key_file (gnutls_certificate_credentials_t res
,
1199 const char *certfile
,
1200 const char *keyfile
,
1201 gnutls_x509_crt_fmt_t type
)
1205 /* this should be first
1207 if ((ret
= read_key_file (res
, keyfile
, type
)) < 0)
1210 if ((ret
= read_cert_file (res
, certfile
, type
)) < 0)
1215 if ((ret
= _gnutls_check_key_cert_match (res
)) < 0)
1225 add_new_crt_to_rdn_seq (gnutls_certificate_credentials_t res
, gnutls_x509_crt_t
* crts
,
1226 unsigned int crt_size
)
1231 unsigned char *newdata
;
1234 /* Add DN of the last added CAs to the RDN sequence
1235 * This will be sent to clients when a certificate
1236 * request message is sent.
1239 /* FIXME: in case of a client it is not needed
1240 * to do that. This would save time and memory.
1241 * However we don't have that information available
1243 * Further, this function is now much more efficient,
1244 * so optimizing that is less important.
1247 for (i
= 0; i
< crt_size
; i
++)
1249 if ((ret
= gnutls_x509_crt_get_raw_dn (crts
[i
], &tmp
)) < 0)
1255 newsize
= res
->x509_rdn_sequence
.size
+ 2 + tmp
.size
;
1256 if (newsize
< res
->x509_rdn_sequence
.size
)
1259 _gnutls_free_datum (&tmp
);
1260 return GNUTLS_E_SHORT_MEMORY_BUFFER
;
1263 newdata
= gnutls_realloc (res
->x509_rdn_sequence
.data
, newsize
);
1264 if (newdata
== NULL
)
1267 _gnutls_free_datum (&tmp
);
1268 return GNUTLS_E_MEMORY_ERROR
;
1271 _gnutls_write_datum16 (newdata
+ res
->x509_rdn_sequence
.size
, tmp
);
1272 _gnutls_free_datum (&tmp
);
1274 res
->x509_rdn_sequence
.size
= newsize
;
1275 res
->x509_rdn_sequence
.data
= newdata
;
1281 /* Returns 0 if it's ok to use the gnutls_kx_algorithm_t with this
1282 * certificate (uses the KeyUsage field).
1285 _gnutls_check_key_usage (const gnutls_pcert_st
* cert
, gnutls_kx_algorithm_t alg
)
1287 unsigned int key_usage
= 0;
1293 return GNUTLS_E_INTERNAL_ERROR
;
1296 if (_gnutls_map_kx_get_cred (alg
, 1) == GNUTLS_CRD_CERTIFICATE
||
1297 _gnutls_map_kx_get_cred (alg
, 0) == GNUTLS_CRD_CERTIFICATE
)
1300 gnutls_pubkey_get_key_usage(cert
->pubkey
, &key_usage
);
1302 encipher_type
= _gnutls_kx_encipher_type (alg
);
1304 if (key_usage
!= 0 && encipher_type
!= CIPHER_IGN
)
1306 /* If key_usage has been set in the certificate
1309 if (encipher_type
== CIPHER_ENCRYPT
)
1311 /* If the key exchange method requires an encipher
1312 * type algorithm, and key's usage does not permit
1313 * encipherment, then fail.
1315 if (!(key_usage
& GNUTLS_KEY_KEY_ENCIPHERMENT
))
1318 return GNUTLS_E_KEY_USAGE_VIOLATION
;
1322 if (encipher_type
== CIPHER_SIGN
)
1324 /* The same as above, but for sign only keys
1326 if (!(key_usage
& GNUTLS_KEY_DIGITAL_SIGNATURE
))
1329 return GNUTLS_E_KEY_USAGE_VIOLATION
;
1338 parse_pem_ca_mem (gnutls_certificate_credentials_t res
,
1339 const uint8_t * input_cert
, int input_cert_size
)
1341 gnutls_x509_crt_t
*x509_cert_list
;
1342 unsigned int x509_ncerts
;
1346 tmp
.data
= (void*)input_cert
;
1347 tmp
.size
= input_cert_size
;
1349 ret
= gnutls_x509_crt_list_import2( &x509_cert_list
, &x509_ncerts
, &tmp
,
1350 GNUTLS_X509_FMT_PEM
, 0);
1357 if ((ret
= add_new_crt_to_rdn_seq (res
, x509_cert_list
, x509_ncerts
)) < 0)
1363 ret
= gnutls_x509_trust_list_add_cas(res
->tlist
, x509_cert_list
, x509_ncerts
, 0);
1371 gnutls_free(x509_cert_list
);
1375 /* Reads a DER encoded certificate list from memory and stores it to a
1376 * gnutls_cert structure. Returns the number of certificates parsed.
1379 parse_der_ca_mem (gnutls_certificate_credentials_t res
,
1380 const void *input_cert
, int input_cert_size
)
1382 gnutls_x509_crt_t crt
;
1386 tmp
.data
= (void*)input_cert
;
1387 tmp
.size
= input_cert_size
;
1389 ret
= gnutls_x509_crt_init( &crt
);
1396 ret
= gnutls_x509_crt_import( crt
, &tmp
, GNUTLS_X509_FMT_DER
);
1403 if ((ret
= add_new_crt_to_rdn_seq (res
, &crt
, 1)) < 0)
1409 ret
= gnutls_x509_trust_list_add_cas(res
->tlist
, &crt
, 1, 0);
1419 gnutls_x509_crt_deinit(crt
);
1424 * gnutls_certificate_set_x509_trust_mem:
1425 * @res: is a #gnutls_certificate_credentials_t structure.
1426 * @ca: is a list of trusted CAs or a DER certificate
1427 * @type: is DER or PEM
1429 * This function adds the trusted CAs in order to verify client or
1430 * server certificates. In case of a client this is not required to be
1431 * called if the certificates are not verified using
1432 * gnutls_certificate_verify_peers2(). This function may be called
1435 * In case of a server the CAs set here will be sent to the client if
1436 * a certificate request is sent. This can be disabled using
1437 * gnutls_certificate_send_x509_rdn_sequence().
1439 * Returns: the number of certificates processed or a negative error code
1443 gnutls_certificate_set_x509_trust_mem (gnutls_certificate_credentials_t res
,
1444 const gnutls_datum_t
* ca
,
1445 gnutls_x509_crt_fmt_t type
)
1449 if (type
== GNUTLS_X509_FMT_DER
)
1450 ret
= parse_der_ca_mem (res
,
1451 ca
->data
, ca
->size
);
1453 ret
= parse_pem_ca_mem (res
,
1454 ca
->data
, ca
->size
);
1456 if (ret
== GNUTLS_E_NO_CERTIFICATE_FOUND
)
1463 * gnutls_certificate_set_x509_trust:
1464 * @res: is a #gnutls_certificate_credentials_t structure.
1465 * @ca_list: is a list of trusted CAs
1466 * @ca_list_size: holds the size of the CA list
1468 * This function adds the trusted CAs in order to verify client
1469 * or server certificates. In case of a client this is not required
1470 * to be called if the certificates are not verified using
1471 * gnutls_certificate_verify_peers2().
1472 * This function may be called multiple times.
1474 * In case of a server the CAs set here will be sent to the client if
1475 * a certificate request is sent. This can be disabled using
1476 * gnutls_certificate_send_x509_rdn_sequence().
1478 * Returns: the number of certificates processed or a negative error code
1484 gnutls_certificate_set_x509_trust (gnutls_certificate_credentials_t res
,
1485 gnutls_x509_crt_t
* ca_list
,
1489 gnutls_x509_crt_t new_list
[ca_list_size
];
1491 for (i
= 0; i
< ca_list_size
; i
++)
1493 ret
= gnutls_x509_crt_init (&new_list
[i
]);
1500 ret
= _gnutls_x509_crt_cpy (new_list
[i
], ca_list
[i
]);
1508 if ((ret
= add_new_crt_to_rdn_seq (res
, new_list
, ca_list_size
)) < 0)
1514 ret
= gnutls_x509_trust_list_add_cas(res
->tlist
, new_list
, ca_list_size
, 0);
1525 gnutls_x509_crt_deinit(new_list
[j
]);
1532 * gnutls_certificate_set_x509_trust_file:
1533 * @cred: is a #gnutls_certificate_credentials_t structure.
1534 * @cafile: is a file containing the list of trusted CAs (DER or PEM list)
1535 * @type: is PEM or DER
1537 * This function adds the trusted CAs in order to verify client or
1538 * server certificates. In case of a client this is not required to
1539 * be called if the certificates are not verified using
1540 * gnutls_certificate_verify_peers2(). This function may be called
1543 * In case of a server the names of the CAs set here will be sent to
1544 * the client if a certificate request is sent. This can be disabled
1545 * using gnutls_certificate_send_x509_rdn_sequence().
1547 * This function can also accept PKCS #11 URLs. In that case it
1548 * will import all certificates that are marked as trusted.
1550 * Returns: number of certificates processed, or a negative error code on
1554 gnutls_certificate_set_x509_trust_file (gnutls_certificate_credentials_t cred
,
1556 gnutls_x509_crt_fmt_t type
)
1562 #ifdef ENABLE_PKCS11
1563 if (strncmp (cafile
, "pkcs11:", 7) == 0)
1565 return read_cas_url (cred
, cafile
);
1569 cas
.data
= (void*)read_binary_file (cafile
, &size
);
1570 if (cas
.data
== NULL
)
1573 return GNUTLS_E_FILE_ERROR
;
1578 ret
= gnutls_certificate_set_x509_trust_mem(cred
, &cas
, type
);
1592 parse_pem_crl_mem (gnutls_x509_trust_list_t tlist
,
1593 const char * input_crl
, unsigned int input_crl_size
)
1595 gnutls_x509_crl_t
*x509_crl_list
;
1596 unsigned int x509_ncrls
;
1600 tmp
.data
= (void*)input_crl
;
1601 tmp
.size
= input_crl_size
;
1603 ret
= gnutls_x509_crl_list_import2( &x509_crl_list
, &x509_ncrls
, &tmp
,
1604 GNUTLS_X509_FMT_PEM
, 0);
1611 ret
= gnutls_x509_trust_list_add_crls(tlist
, x509_crl_list
, x509_ncrls
, 0, 0);
1619 gnutls_free(x509_crl_list
);
1623 /* Reads a DER encoded certificate list from memory and stores it to a
1624 * gnutls_cert structure. Returns the number of certificates parsed.
1627 parse_der_crl_mem (gnutls_x509_trust_list_t tlist
,
1628 const void *input_crl
, unsigned int input_crl_size
)
1630 gnutls_x509_crl_t crl
;
1634 tmp
.data
= (void*)input_crl
;
1635 tmp
.size
= input_crl_size
;
1637 ret
= gnutls_x509_crl_init( &crl
);
1644 ret
= gnutls_x509_crl_import( crl
, &tmp
, GNUTLS_X509_FMT_DER
);
1651 ret
= gnutls_x509_trust_list_add_crls(tlist
, &crl
, 1, 0, 0);
1661 gnutls_x509_crl_deinit(crl
);
1667 /* Reads a DER or PEM CRL from memory
1670 read_crl_mem (gnutls_certificate_credentials_t res
, const void *crl
,
1671 int crl_size
, gnutls_x509_crt_fmt_t type
)
1675 if (type
== GNUTLS_X509_FMT_DER
)
1676 ret
= parse_der_crl_mem (res
->tlist
, crl
, crl_size
);
1678 ret
= parse_pem_crl_mem (res
->tlist
, crl
, crl_size
);
1689 * gnutls_certificate_set_x509_crl_mem:
1690 * @res: is a #gnutls_certificate_credentials_t structure.
1691 * @CRL: is a list of trusted CRLs. They should have been verified before.
1692 * @type: is DER or PEM
1694 * This function adds the trusted CRLs in order to verify client or
1695 * server certificates. In case of a client this is not required to
1696 * be called if the certificates are not verified using
1697 * gnutls_certificate_verify_peers2(). This function may be called
1700 * Returns: number of CRLs processed, or a negative error code on error.
1703 gnutls_certificate_set_x509_crl_mem (gnutls_certificate_credentials_t res
,
1704 const gnutls_datum_t
* CRL
,
1705 gnutls_x509_crt_fmt_t type
)
1707 return read_crl_mem (res
, CRL
->data
, CRL
->size
, type
);
1711 * gnutls_certificate_set_x509_crl:
1712 * @res: is a #gnutls_certificate_credentials_t structure.
1713 * @crl_list: is a list of trusted CRLs. They should have been verified before.
1714 * @crl_list_size: holds the size of the crl_list
1716 * This function adds the trusted CRLs in order to verify client or
1717 * server certificates. In case of a client this is not required to
1718 * be called if the certificates are not verified using
1719 * gnutls_certificate_verify_peers2(). This function may be called
1722 * Returns: %GNUTLS_E_SUCCESS (0) on success, or a negative error code.
1727 gnutls_certificate_set_x509_crl (gnutls_certificate_credentials_t res
,
1728 gnutls_x509_crl_t
* crl_list
,
1732 gnutls_x509_crl_t new_crl
[crl_list_size
];
1734 for (i
= 0; i
< crl_list_size
; i
++)
1736 ret
= gnutls_x509_crl_init (&new_crl
[i
]);
1743 ret
= _gnutls_x509_crl_cpy (new_crl
[i
], crl_list
[i
]);
1751 ret
= gnutls_x509_trust_list_add_crls(res
->tlist
, new_crl
, crl_list_size
, 0, 0);
1762 gnutls_x509_crl_deinit(new_crl
[j
]);
1768 * gnutls_certificate_set_x509_crl_file:
1769 * @res: is a #gnutls_certificate_credentials_t structure.
1770 * @crlfile: is a file containing the list of verified CRLs (DER or PEM list)
1771 * @type: is PEM or DER
1773 * This function adds the trusted CRLs in order to verify client or server
1774 * certificates. In case of a client this is not required
1775 * to be called if the certificates are not verified using
1776 * gnutls_certificate_verify_peers2().
1777 * This function may be called multiple times.
1779 * Returns: number of CRLs processed or a negative error code on error.
1782 gnutls_certificate_set_x509_crl_file (gnutls_certificate_credentials_t res
,
1783 const char *crlfile
,
1784 gnutls_x509_crt_fmt_t type
)
1788 char *data
= (void*)read_binary_file (crlfile
, &size
);
1793 return GNUTLS_E_FILE_ERROR
;
1796 if (type
== GNUTLS_X509_FMT_DER
)
1797 ret
= parse_der_crl_mem (res
->tlist
, data
, size
);
1799 ret
= parse_pem_crl_mem (res
->tlist
, data
, size
);
1812 #include <gnutls/pkcs12.h>
1815 parse_pkcs12 (gnutls_certificate_credentials_t res
,
1816 gnutls_pkcs12_t p12
,
1817 const char *password
,
1818 gnutls_x509_privkey_t
* key
,
1819 gnutls_x509_crt_t
* cert
, gnutls_x509_crl_t
* crl
)
1821 gnutls_pkcs12_bag_t bag
= NULL
;
1824 size_t cert_id_size
= 0;
1825 size_t key_id_size
= 0;
1826 uint8_t cert_id
[20];
1834 /* find the first private key */
1837 int elements_in_bag
;
1840 ret
= gnutls_pkcs12_bag_init (&bag
);
1848 ret
= gnutls_pkcs12_get_bag (p12
, idx
, bag
);
1849 if (ret
== GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
)
1857 ret
= gnutls_pkcs12_bag_get_type (bag
, 0);
1864 if (ret
== GNUTLS_BAG_ENCRYPTED
)
1866 ret
= gnutls_pkcs12_bag_decrypt (bag
, password
);
1874 elements_in_bag
= gnutls_pkcs12_bag_get_count (bag
);
1875 if (elements_in_bag
< 0)
1881 for (i
= 0; i
< elements_in_bag
; i
++)
1884 gnutls_datum_t data
;
1886 type
= gnutls_pkcs12_bag_get_type (bag
, i
);
1893 ret
= gnutls_pkcs12_bag_get_data (bag
, i
, &data
);
1902 case GNUTLS_BAG_PKCS8_ENCRYPTED_KEY
:
1903 case GNUTLS_BAG_PKCS8_KEY
:
1904 if (*key
!= NULL
) /* too simple to continue */
1910 ret
= gnutls_x509_privkey_init (key
);
1917 ret
= gnutls_x509_privkey_import_pkcs8
1918 (*key
, &data
, GNUTLS_X509_FMT_DER
, password
,
1919 type
== GNUTLS_BAG_PKCS8_KEY
? GNUTLS_PKCS_PLAIN
: 0);
1923 gnutls_x509_privkey_deinit (*key
);
1927 key_id_size
= sizeof (key_id
);
1929 gnutls_x509_privkey_get_key_id (*key
, 0, key_id
,
1934 gnutls_x509_privkey_deinit (*key
);
1938 privkey_ok
= 1; /* break */
1946 gnutls_pkcs12_bag_deinit (bag
);
1948 if (privkey_ok
!= 0) /* private key was found */
1952 if (privkey_ok
== 0) /* no private key */
1955 return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
;
1958 /* now find the corresponding certificate
1964 int elements_in_bag
;
1967 ret
= gnutls_pkcs12_bag_init (&bag
);
1975 ret
= gnutls_pkcs12_get_bag (p12
, idx
, bag
);
1976 if (ret
== GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
)
1984 ret
= gnutls_pkcs12_bag_get_type (bag
, 0);
1991 if (ret
== GNUTLS_BAG_ENCRYPTED
)
1993 ret
= gnutls_pkcs12_bag_decrypt (bag
, password
);
2001 elements_in_bag
= gnutls_pkcs12_bag_get_count (bag
);
2002 if (elements_in_bag
< 0)
2008 for (i
= 0; i
< elements_in_bag
; i
++)
2011 gnutls_datum_t data
;
2013 type
= gnutls_pkcs12_bag_get_type (bag
, i
);
2020 ret
= gnutls_pkcs12_bag_get_data (bag
, i
, &data
);
2029 case GNUTLS_BAG_CERTIFICATE
:
2030 if (*cert
!= NULL
) /* no need to set it again */
2036 ret
= gnutls_x509_crt_init (cert
);
2044 gnutls_x509_crt_import (*cert
, &data
, GNUTLS_X509_FMT_DER
);
2048 gnutls_x509_crt_deinit (*cert
);
2052 /* check if the key id match */
2053 cert_id_size
= sizeof (cert_id
);
2055 gnutls_x509_crt_get_key_id (*cert
, 0, cert_id
, &cert_id_size
);
2059 gnutls_x509_crt_deinit (*cert
);
2063 if (memcmp (cert_id
, key_id
, cert_id_size
) != 0)
2064 { /* they don't match - skip the certificate */
2065 gnutls_x509_crt_deinit (*cert
);
2070 case GNUTLS_BAG_CRL
:
2077 ret
= gnutls_x509_crl_init (crl
);
2084 ret
= gnutls_x509_crl_import (*crl
, &data
, GNUTLS_X509_FMT_DER
);
2088 gnutls_x509_crl_deinit (*crl
);
2093 case GNUTLS_BAG_ENCRYPTED
:
2094 /* XXX Bother to recurse one level down? Unlikely to
2095 use the same password anyway. */
2096 case GNUTLS_BAG_EMPTY
:
2103 gnutls_pkcs12_bag_deinit (bag
);
2110 gnutls_pkcs12_bag_deinit (bag
);
2116 * gnutls_certificate_set_x509_simple_pkcs12_file:
2117 * @res: is a #gnutls_certificate_credentials_t structure.
2118 * @pkcs12file: filename of file containing PKCS#12 blob.
2119 * @type: is PEM or DER of the @pkcs12file.
2120 * @password: optional password used to decrypt PKCS#12 file, bags and keys.
2122 * This function sets a certificate/private key pair and/or a CRL in
2123 * the gnutls_certificate_credentials_t structure. This function may
2124 * be called more than once (in case multiple keys/certificates exist
2127 * PKCS#12 files with a MAC, encrypted bags and PKCS #8
2128 * private keys are supported. However,
2129 * only password based security, and the same password for all
2130 * operations, are supported.
2132 * PKCS#12 file may contain many keys and/or certificates, and there
2133 * is no way to identify which key/certificate pair you want. You
2134 * should make sure the PKCS#12 file only contain one key/certificate
2135 * pair and/or one CRL.
2137 * It is believed that the limitations of this function is acceptable
2138 * for most usage, and that any more flexibility would introduce
2139 * complexity that would make it harder to use this functionality at
2142 * Returns: %GNUTLS_E_SUCCESS (0) on success, or a negative error code.
2145 gnutls_certificate_set_x509_simple_pkcs12_file
2146 (gnutls_certificate_credentials_t res
, const char *pkcs12file
,
2147 gnutls_x509_crt_fmt_t type
, const char *password
)
2149 gnutls_datum_t p12blob
;
2153 p12blob
.data
= (void*)read_binary_file (pkcs12file
, &size
);
2154 p12blob
.size
= (unsigned int) size
;
2155 if (p12blob
.data
== NULL
)
2158 return GNUTLS_E_FILE_ERROR
;
2162 gnutls_certificate_set_x509_simple_pkcs12_mem (res
, &p12blob
, type
,
2164 free (p12blob
.data
);
2170 * gnutls_certificate_set_x509_simple_pkcs12_mem:
2171 * @res: is a #gnutls_certificate_credentials_t structure.
2172 * @p12blob: the PKCS#12 blob.
2173 * @type: is PEM or DER of the @pkcs12file.
2174 * @password: optional password used to decrypt PKCS#12 file, bags and keys.
2176 * This function sets a certificate/private key pair and/or a CRL in
2177 * the gnutls_certificate_credentials_t structure. This function may
2178 * be called more than once (in case multiple keys/certificates exist
2181 * MAC:ed PKCS#12 files are supported. Encrypted PKCS#12 bags are
2182 * supported. Encrypted PKCS#8 private keys are supported. However,
2183 * only password based security, and the same password for all
2184 * operations, are supported.
2186 * PKCS#12 file may contain many keys and/or certificates, and there
2187 * is no way to identify which key/certificate pair you want. You
2188 * should make sure the PKCS#12 file only contain one key/certificate
2189 * pair and/or one CRL.
2191 * It is believed that the limitations of this function is acceptable
2192 * for most usage, and that any more flexibility would introduce
2193 * complexity that would make it harder to use this functionality at
2196 * Returns: %GNUTLS_E_SUCCESS (0) on success, or a negative error code.
2201 gnutls_certificate_set_x509_simple_pkcs12_mem
2202 (gnutls_certificate_credentials_t res
, const gnutls_datum_t
* p12blob
,
2203 gnutls_x509_crt_fmt_t type
, const char *password
)
2205 gnutls_pkcs12_t p12
;
2206 gnutls_x509_privkey_t key
= NULL
;
2207 gnutls_x509_crt_t cert
= NULL
;
2208 gnutls_x509_crl_t crl
= NULL
;
2211 ret
= gnutls_pkcs12_init (&p12
);
2218 ret
= gnutls_pkcs12_import (p12
, p12blob
, type
, 0);
2222 gnutls_pkcs12_deinit (p12
);
2228 ret
= gnutls_pkcs12_verify_mac (p12
, password
);
2232 gnutls_pkcs12_deinit (p12
);
2237 ret
= parse_pkcs12 (res
, p12
, password
, &key
, &cert
, &crl
);
2238 gnutls_pkcs12_deinit (p12
);
2247 ret
= gnutls_certificate_set_x509_key (res
, &cert
, 1, key
);
2257 ret
= gnutls_certificate_set_x509_crl (res
, &crl
, 1);
2269 gnutls_x509_crt_deinit (cert
);
2271 gnutls_x509_privkey_deinit (key
);
2273 gnutls_x509_crl_deinit (crl
);
2281 * gnutls_certificate_free_crls:
2282 * @sc: is a #gnutls_certificate_credentials_t structure.
2284 * This function will delete all the CRLs associated
2285 * with the given credentials.
2288 gnutls_certificate_free_crls (gnutls_certificate_credentials_t sc
)
2290 /* do nothing for now */