2 * Copyright (C) 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011
3 * Free Software Foundation, Inc.
5 * Author: Nikos Mavrogiannopoulos
7 * This file is part of GnuTLS.
9 * The GnuTLS is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU Lesser General Public License
11 * as published by the Free Software Foundation; either version 3 of
12 * the License, or (at your option) any later version.
14 * This library is distributed in the hope that it will be useful, but
15 * WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 * Lesser General Public License for more details.
19 * You should have received a copy of the GNU Lesser General Public License
20 * along with this program. If not, see <http://www.gnu.org/licenses/>
24 #include <gnutls_int.h>
25 #include "gnutls_auth.h"
26 #include "gnutls_errors.h"
27 #include <auth/cert.h>
28 #include "gnutls_dh.h"
29 #include "gnutls_num.h"
30 #include "gnutls_datum.h"
31 #include <gnutls_pk.h>
32 #include <algorithms.h>
33 #include <gnutls_global.h>
34 #include <gnutls_record.h>
35 #include <gnutls_sig.h>
36 #include <gnutls_state.h>
37 #include <gnutls_pk.h>
38 #include <gnutls_str.h>
41 #include <gnutls_x509.h>
42 #include "x509/common.h"
43 #include "x509/x509_int.h"
44 #include <gnutls_str_array.h>
45 #include "read-file.h"
48 * some x509 certificate parsing functions.
51 /* Check if the number of bits of the key in the certificate
55 check_bits (gnutls_x509_crt_t crt
, unsigned int max_bits
)
60 ret
= gnutls_x509_crt_get_pk_algorithm (crt
, &bits
);
67 if (bits
> max_bits
&& max_bits
> 0)
70 return GNUTLS_E_CONSTRAINT_ERROR
;
77 #define CLEAR_CERTS for(x=0;x<peer_certificate_list_size;x++) { \
78 if (peer_certificate_list[x]) \
79 gnutls_x509_crt_deinit(peer_certificate_list[x]); \
81 gnutls_free( peer_certificate_list)
84 * _gnutls_x509_cert_verify_peers - return the peer's certificate status
85 * @session: is a gnutls session
87 * This function will try to verify the peer's certificate and return its status (TRUSTED, REVOKED etc.).
88 * The return value (status) should be one of the gnutls_certificate_status_t enumerated elements.
89 * However you must also check the peer's name in order to check if the verified certificate belongs to the
90 * actual peer. Returns a negative error code in case of an error, or GNUTLS_E_NO_CERTIFICATE_FOUND if no certificate was sent.
93 _gnutls_x509_cert_verify_peers (gnutls_session_t session
,
96 cert_auth_info_t info
;
97 gnutls_certificate_credentials_t cred
;
98 gnutls_x509_crt_t
*peer_certificate_list
;
99 int peer_certificate_list_size
, i
, x
, ret
;
101 CHECK_AUTH (GNUTLS_CRD_CERTIFICATE
, GNUTLS_E_INVALID_REQUEST
);
103 info
= _gnutls_get_auth_info (session
);
107 return GNUTLS_E_INVALID_REQUEST
;
110 cred
= (gnutls_certificate_credentials_t
)
111 _gnutls_get_cred (session
->key
, GNUTLS_CRD_CERTIFICATE
, NULL
);
115 return GNUTLS_E_INSUFFICIENT_CREDENTIALS
;
118 if (info
->raw_certificate_list
== NULL
|| info
->ncerts
== 0)
119 return GNUTLS_E_NO_CERTIFICATE_FOUND
;
121 if (info
->ncerts
> cred
->verify_depth
&& cred
->verify_depth
> 0)
124 return GNUTLS_E_CONSTRAINT_ERROR
;
127 /* generate a list of gnutls_certs based on the auth info
130 peer_certificate_list_size
= info
->ncerts
;
131 peer_certificate_list
=
132 gnutls_calloc (peer_certificate_list_size
, sizeof (gnutls_x509_crt_t
));
133 if (peer_certificate_list
== NULL
)
136 return GNUTLS_E_MEMORY_ERROR
;
139 for (i
= 0; i
< peer_certificate_list_size
; i
++)
141 ret
= gnutls_x509_crt_init (&peer_certificate_list
[i
]);
150 gnutls_x509_crt_import (peer_certificate_list
[i
],
151 &info
->raw_certificate_list
[i
],
152 GNUTLS_X509_FMT_DER
);
160 ret
= check_bits (peer_certificate_list
[i
], cred
->verify_bits
);
170 /* Verify certificate
173 ret
= gnutls_x509_trust_list_verify_crt (cred
->tlist
, peer_certificate_list
,
174 peer_certificate_list_size
,
175 cred
->verify_flags
| session
->internals
.
176 priorities
.additional_verify_flags
,
191 * Read certificates and private keys, from files, memory etc.
194 /* returns error if the certificate has different algorithm than
195 * the given key parameters.
198 _gnutls_check_key_cert_match (gnutls_certificate_credentials_t res
)
200 unsigned int pk
= gnutls_pubkey_get_pk_algorithm(res
->certs
[res
->ncerts
-1].cert_list
[0].pubkey
, NULL
);
202 if (gnutls_privkey_get_pk_algorithm (res
->pkey
[res
->ncerts
- 1], NULL
) !=
206 return GNUTLS_E_CERTIFICATE_KEY_MISMATCH
;
212 /* Returns the name of the certificate of a null name
214 static int get_x509_name(gnutls_x509_crt_t crt
, gnutls_str_array_t
*names
)
217 int i
, ret
= 0, ret2
;
220 for (i
= 0; !(ret
< 0); i
++)
222 max_size
= sizeof(name
);
224 ret
= gnutls_x509_crt_get_subject_alt_name(crt
, i
, name
, &max_size
, NULL
);
225 if (ret
== GNUTLS_SAN_DNSNAME
)
227 ret2
= _gnutls_str_array_append(names
, name
, max_size
);
230 _gnutls_str_array_clear(names
);
231 return gnutls_assert_val(ret2
);
236 max_size
= sizeof(name
);
237 ret
= gnutls_x509_crt_get_dn_by_oid (crt
, OID_X520_COMMON_NAME
, 0, 0, name
, &max_size
);
240 ret
= _gnutls_str_array_append(names
, name
, max_size
);
243 _gnutls_str_array_clear(names
);
244 return gnutls_assert_val(ret
);
251 static int get_x509_name_raw(gnutls_datum_t
*raw
, gnutls_x509_crt_fmt_t type
, gnutls_str_array_t
*names
)
254 gnutls_x509_crt_t crt
;
256 ret
= gnutls_x509_crt_init (&crt
);
263 ret
= gnutls_x509_crt_import (crt
, raw
, type
);
267 gnutls_x509_crt_deinit (crt
);
271 ret
= get_x509_name(crt
, names
);
272 gnutls_x509_crt_deinit (crt
);
276 /* Reads a DER encoded certificate list from memory and stores it to a
277 * gnutls_cert structure. Returns the number of certificates parsed.
280 parse_der_cert_mem (gnutls_certificate_credentials_t res
,
281 const void *input_cert
, int input_cert_size
)
284 gnutls_x509_crt_t crt
;
285 gnutls_pcert_st
*ccert
;
287 gnutls_str_array_t names
;
289 _gnutls_str_array_init(&names
);
291 ccert
= gnutls_malloc (sizeof (*ccert
));
295 return GNUTLS_E_MEMORY_ERROR
;
298 ret
= gnutls_x509_crt_init (&crt
);
305 tmp
.data
= (opaque
*) input_cert
;
306 tmp
.size
= input_cert_size
;
308 ret
= gnutls_x509_crt_import (crt
, &tmp
, GNUTLS_X509_FMT_DER
);
312 gnutls_x509_crt_deinit (crt
);
316 ret
= get_x509_name(crt
, &names
);
320 gnutls_x509_crt_deinit (crt
);
324 ret
= gnutls_pcert_import_x509 (ccert
, crt
, 0);
325 gnutls_x509_crt_deinit (crt
);
333 ret
= certificate_credential_append_crt_list (res
, names
, ccert
, 1);
343 _gnutls_str_array_clear(&names
);
348 /* Reads a base64 encoded certificate list from memory and stores it to
349 * a gnutls_cert structure. Returns the number of certificate parsed.
352 parse_pem_cert_mem (gnutls_certificate_credentials_t res
,
353 const char *input_cert
, int input_cert_size
)
359 gnutls_pcert_st
*certs
= NULL
;
360 gnutls_str_array_t names
;
362 _gnutls_str_array_init(&names
);
364 /* move to the certificate
366 ptr
= memmem (input_cert
, input_cert_size
,
367 PEM_CERT_SEP
, sizeof (PEM_CERT_SEP
) - 1);
369 ptr
= memmem (input_cert
, input_cert_size
,
370 PEM_CERT_SEP2
, sizeof (PEM_CERT_SEP2
) - 1);
375 return GNUTLS_E_BASE64_DECODING_ERROR
;
377 size
= input_cert_size
- (ptr
- input_cert
);
383 certs
= gnutls_realloc_fast (certs
, (count
+ 1) * sizeof (gnutls_pcert_st
));
388 ret
= GNUTLS_E_MEMORY_ERROR
;
392 tmp
.data
= (void*)ptr
;
397 ret
= get_x509_name_raw(&tmp
, GNUTLS_X509_FMT_PEM
, &names
);
405 ret
= gnutls_pcert_import_x509_raw (&certs
[count
], &tmp
, GNUTLS_X509_FMT_PEM
, 0);
412 /* now we move ptr after the pem header
415 /* find the next certificate (if any)
417 size
= input_cert_size
- (ptr
- input_cert
);
423 ptr3
= memmem (ptr
, size
, PEM_CERT_SEP
, sizeof (PEM_CERT_SEP
) - 1);
425 ptr3
= memmem (ptr
, size
, PEM_CERT_SEP2
,
426 sizeof (PEM_CERT_SEP2
) - 1);
438 ret
= certificate_credential_append_crt_list (res
, names
, certs
, count
);
448 _gnutls_str_array_clear(&names
);
449 for (i
=0;i
<count
;i
++)
450 gnutls_pcert_deinit(&certs
[i
]);
457 /* Reads a DER or PEM certificate from memory
460 read_cert_mem (gnutls_certificate_credentials_t res
, const void *cert
,
461 int cert_size
, gnutls_x509_crt_fmt_t type
)
465 if (type
== GNUTLS_X509_FMT_DER
)
466 ret
= parse_der_cert_mem (res
, cert
, cert_size
);
468 ret
= parse_pem_cert_mem (res
, cert
, cert_size
);
480 _gnutls_x509_raw_privkey_to_privkey (gnutls_privkey_t
* privkey
,
481 const gnutls_datum_t
* raw_key
,
482 gnutls_x509_crt_fmt_t type
)
484 gnutls_x509_privkey_t tmpkey
;
487 ret
= gnutls_x509_privkey_init (&tmpkey
);
494 ret
= gnutls_x509_privkey_import (tmpkey
, raw_key
, type
);
498 gnutls_x509_privkey_deinit (tmpkey
);
502 ret
= gnutls_privkey_init (privkey
);
506 gnutls_x509_privkey_deinit (tmpkey
);
511 gnutls_privkey_import_x509 (*privkey
, tmpkey
,
512 GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE
);
516 gnutls_x509_privkey_deinit (tmpkey
);
517 gnutls_privkey_deinit (*privkey
);
524 /* Reads a PEM encoded PKCS-1 RSA/DSA private key from memory. Type
525 * indicates the certificate format. KEY can be NULL, to indicate
526 * that GnuTLS doesn't know the private key.
529 read_key_mem (gnutls_certificate_credentials_t res
,
530 const void *key
, int key_size
, gnutls_x509_crt_fmt_t type
)
534 gnutls_privkey_t privkey
;
538 tmp
.data
= (opaque
*) key
;
541 ret
= _gnutls_x509_raw_privkey_to_privkey (&privkey
, &tmp
, type
);
548 ret
= certificate_credentials_append_pkey (res
, privkey
);
552 gnutls_privkey_deinit (privkey
);
560 return GNUTLS_E_INVALID_REQUEST
;
569 /* Reads a private key from a token.
572 read_key_url (gnutls_certificate_credentials_t res
, const char *url
)
575 gnutls_pkcs11_privkey_t key1
= NULL
;
576 gnutls_privkey_t pkey
= NULL
;
578 /* allocate space for the pkey list
581 ret
= gnutls_pkcs11_privkey_init (&key1
);
588 ret
= gnutls_pkcs11_privkey_import_url (key1
, url
, 0);
595 ret
= gnutls_privkey_init (&pkey
);
603 gnutls_privkey_import_pkcs11 (pkey
, key1
,
604 GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE
);
611 ret
= certificate_credentials_append_pkey (res
, pkey
);
622 gnutls_privkey_deinit (pkey
);
625 gnutls_pkcs11_privkey_deinit (key1
);
630 /* Reads a private key from a token.
633 read_cas_url (gnutls_certificate_credentials_t res
, const char *url
)
636 gnutls_x509_crt_t
*xcrt_list
= NULL
;
637 gnutls_pkcs11_obj_t
*pcrt_list
= NULL
;
638 unsigned int pcrt_list_size
= 0;
640 /* FIXME: should we use login? */
642 gnutls_pkcs11_obj_list_import_url (NULL
, &pcrt_list_size
, url
,
643 GNUTLS_PKCS11_OBJ_ATTR_CRT_TRUSTED
, 0);
644 if (ret
< 0 && ret
!= GNUTLS_E_SHORT_MEMORY_BUFFER
)
650 if (pcrt_list_size
== 0)
656 pcrt_list
= gnutls_malloc (sizeof (*pcrt_list
) * pcrt_list_size
);
657 if (pcrt_list
== NULL
)
660 return GNUTLS_E_MEMORY_ERROR
;
664 gnutls_pkcs11_obj_list_import_url (pcrt_list
, &pcrt_list_size
, url
,
665 GNUTLS_PKCS11_OBJ_ATTR_CRT_TRUSTED
, 0);
672 xcrt_list
= gnutls_malloc (sizeof (*xcrt_list
) * pcrt_list_size
);
673 if (xcrt_list
== NULL
)
676 ret
= GNUTLS_E_MEMORY_ERROR
;
681 gnutls_x509_crt_list_import_pkcs11 (xcrt_list
, pcrt_list_size
, pcrt_list
,
683 if (xcrt_list
== NULL
)
686 ret
= GNUTLS_E_MEMORY_ERROR
;
690 ret
= gnutls_x509_trust_list_add_cas(res
->tlist
, xcrt_list
, pcrt_list_size
, 0);
698 gnutls_free (xcrt_list
);
699 gnutls_free (pcrt_list
);
706 /* Reads a private key from a token.
709 read_cert_url (gnutls_certificate_credentials_t res
, const char *url
)
712 gnutls_x509_crt_t crt
;
713 gnutls_pcert_st
*ccert
;
714 gnutls_str_array_t names
;
716 _gnutls_str_array_init(&names
);
718 ccert
= gnutls_malloc (sizeof (*ccert
));
722 return GNUTLS_E_MEMORY_ERROR
;
725 ret
= gnutls_x509_crt_init (&crt
);
732 ret
= gnutls_x509_crt_import_pkcs11_url (crt
, url
, 0);
733 if (ret
== GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
)
735 gnutls_x509_crt_import_pkcs11_url (crt
, url
,
736 GNUTLS_PKCS11_OBJ_FLAG_LOGIN
);
741 gnutls_x509_crt_deinit (crt
);
745 ret
= get_x509_name(crt
, &names
);
749 gnutls_x509_crt_deinit (crt
);
753 ret
= gnutls_pcert_import_x509 (ccert
, crt
, 0);
754 gnutls_x509_crt_deinit (crt
);
762 ret
= certificate_credential_append_crt_list (res
, names
, ccert
, 1);
772 _gnutls_str_array_clear(&names
);
777 #endif /* ENABLE_PKCS11 */
779 /* Reads a certificate file
782 read_cert_file (gnutls_certificate_credentials_t res
,
783 const char *certfile
, gnutls_x509_crt_fmt_t type
)
790 if (strncmp (certfile
, "pkcs11:", 7) == 0)
792 return read_cert_url (res
, certfile
);
794 #endif /* ENABLE_PKCS11 */
796 data
= read_binary_file (certfile
, &size
);
801 return GNUTLS_E_FILE_ERROR
;
804 ret
= read_cert_mem (res
, data
, size
, type
);
813 /* Reads PKCS-1 RSA private key file or a DSA file (in the format openssl
817 read_key_file (gnutls_certificate_credentials_t res
,
818 const char *keyfile
, gnutls_x509_crt_fmt_t type
)
825 if (strncmp (keyfile
, "pkcs11:", 7) == 0)
827 return read_key_url (res
, keyfile
);
829 #endif /* ENABLE_PKCS11 */
831 data
= read_binary_file (keyfile
, &size
);
836 return GNUTLS_E_FILE_ERROR
;
839 ret
= read_key_mem (res
, data
, size
, type
);
846 * gnutls_certificate_set_x509_key_mem:
847 * @res: is a #gnutls_certificate_credentials_t structure.
848 * @cert: contains a certificate list (path) for the specified private key
849 * @key: is the private key, or %NULL
850 * @type: is PEM or DER
852 * This function sets a certificate/private key pair in the
853 * gnutls_certificate_credentials_t structure. This function may be called
854 * more than once, in case multiple keys/certificates exist for the
857 * Note that the keyUsage (2.5.29.15) PKIX extension in X.509 certificates
858 * is supported. This means that certificates intended for signing cannot
859 * be used for ciphersuites that require encryption.
861 * If the certificate and the private key are given in PEM encoding
862 * then the strings that hold their values must be null terminated.
864 * The @key may be %NULL if you are using a sign callback, see
865 * gnutls_sign_callback_set().
867 * Returns: %GNUTLS_E_SUCCESS (0) on success, or a negative error code.
870 gnutls_certificate_set_x509_key_mem (gnutls_certificate_credentials_t res
,
871 const gnutls_datum_t
* cert
,
872 const gnutls_datum_t
* key
,
873 gnutls_x509_crt_fmt_t type
)
877 /* this should be first
879 if ((ret
= read_key_mem (res
, key
? key
->data
: NULL
,
880 key
? key
->size
: 0, type
)) < 0)
883 if ((ret
= read_cert_mem (res
, cert
->data
, cert
->size
, type
)) < 0)
888 if (key
&& (ret
= _gnutls_check_key_cert_match (res
)) < 0)
897 static int check_if_sorted(gnutls_pcert_st
* crt
, int nr
)
899 gnutls_x509_crt_t x509
;
900 char prev_dn
[MAX_DN
];
902 size_t prev_dn_size
, dn_size
;
905 /* check if the X.509 list is ordered */
906 if (nr
> 1 && crt
[0].type
== GNUTLS_CRT_X509
)
911 ret
= gnutls_x509_crt_init(&x509
);
913 return gnutls_assert_val(ret
);
915 ret
= gnutls_x509_crt_import(x509
, &crt
[i
].cert
, GNUTLS_X509_FMT_DER
);
918 ret
= gnutls_assert_val(ret
);
924 dn_size
= sizeof(dn
);
925 ret
= gnutls_x509_crt_get_dn(x509
, dn
, &dn_size
);
928 ret
= gnutls_assert_val(ret
);
932 if (dn_size
!= prev_dn_size
|| memcmp(dn
, prev_dn
, dn_size
) != 0)
934 ret
= gnutls_assert_val(GNUTLS_E_CERTIFICATE_LIST_UNSORTED
);
939 prev_dn_size
= sizeof(prev_dn
);
940 ret
= gnutls_x509_crt_get_issuer_dn(x509
, prev_dn
, &prev_dn_size
);
943 ret
= gnutls_assert_val(ret
);
947 gnutls_x509_crt_deinit(x509
);
954 gnutls_x509_crt_deinit(x509
);
959 certificate_credential_append_crt_list (gnutls_certificate_credentials_t res
,
960 gnutls_str_array_t names
, gnutls_pcert_st
* crt
, int nr
)
964 ret
= check_if_sorted(crt
, nr
);
966 return gnutls_assert_val(ret
);
968 res
->certs
= gnutls_realloc_fast (res
->certs
,
971 if (res
->certs
== NULL
)
974 return GNUTLS_E_MEMORY_ERROR
;
977 res
->certs
[res
->ncerts
].cert_list
= crt
;
978 res
->certs
[res
->ncerts
].cert_list_length
= nr
;
979 res
->certs
[res
->ncerts
].names
= names
;
986 certificate_credentials_append_pkey (gnutls_certificate_credentials_t res
,
987 gnutls_privkey_t pkey
)
989 res
->pkey
= gnutls_realloc_fast (res
->pkey
,
991 sizeof (gnutls_privkey_t
));
992 if (res
->pkey
== NULL
)
995 return GNUTLS_E_MEMORY_ERROR
;
997 res
->pkey
[res
->ncerts
] = pkey
;
1003 * gnutls_certificate_set_x509_key:
1004 * @res: is a #gnutls_certificate_credentials_t structure.
1005 * @cert_list: contains a certificate list (path) for the specified private key
1006 * @cert_list_size: holds the size of the certificate list
1007 * @key: is a gnutls_x509_privkey_t key
1009 * This function sets a certificate/private key pair in the
1010 * gnutls_certificate_credentials_t structure. This function may be
1011 * called more than once, in case multiple keys/certificates exist for
1012 * the server. For clients that wants to send more than its own end
1013 * entity certificate (e.g., also an intermediate CA cert) then put
1014 * the certificate chain in @cert_list.
1018 * Returns: %GNUTLS_E_SUCCESS (0) on success, or a negative error code.
1023 gnutls_certificate_set_x509_key (gnutls_certificate_credentials_t res
,
1024 gnutls_x509_crt_t
* cert_list
,
1026 gnutls_x509_privkey_t key
)
1029 gnutls_privkey_t pkey
;
1030 gnutls_pcert_st
*pcerts
= NULL
;
1031 gnutls_str_array_t names
;
1033 _gnutls_str_array_init(&names
);
1035 /* this should be first
1037 ret
= gnutls_privkey_init (&pkey
);
1044 ret
= gnutls_privkey_import_x509 (pkey
, key
, GNUTLS_PRIVKEY_IMPORT_COPY
);
1051 ret
= certificate_credentials_append_pkey (res
, pkey
);
1058 /* load certificates */
1059 pcerts
= gnutls_malloc (sizeof (gnutls_pcert_st
) * cert_list_size
);
1063 return GNUTLS_E_MEMORY_ERROR
;
1066 ret
= get_x509_name(cert_list
[0], &names
);
1068 return gnutls_assert_val(ret
);
1070 for (i
= 0; i
< cert_list_size
; i
++)
1072 ret
= gnutls_pcert_import_x509 (&pcerts
[i
], cert_list
[i
], 0);
1080 ret
= certificate_credential_append_crt_list (res
, names
, pcerts
, cert_list_size
);
1089 if ((ret
= _gnutls_check_key_cert_match (res
)) < 0)
1098 _gnutls_str_array_clear(&names
);
1103 * gnutls_certificate_set_key:
1104 * @res: is a #gnutls_certificate_credentials_t structure.
1105 * @names: is an array of DNS name of the certificate (NULL if none)
1106 * @names_size: holds the size of the names list
1107 * @pcert_list: contains a certificate list (path) for the specified private key
1108 * @pcert_list_size: holds the size of the certificate list
1109 * @key: is a gnutls_x509_privkey_t key
1111 * This function sets a certificate/private key pair in the
1112 * gnutls_certificate_credentials_t structure. This function may be
1113 * called more than once, in case multiple keys/certificates exist for
1114 * the server. For clients that wants to send more than its own end
1115 * entity certificate (e.g., also an intermediate CA cert) then put
1116 * the certificate chain in @pcert_list. The @pcert_list and @key will
1117 * become part of the credentials structure and must not
1118 * be deallocated. They will be automatically deallocated when
1119 * @res is deinitialized.
1121 * Returns: %GNUTLS_E_SUCCESS (0) on success, or a negative error code.
1126 gnutls_certificate_set_key (gnutls_certificate_credentials_t res
,
1129 gnutls_pcert_st
* pcert_list
,
1130 int pcert_list_size
,
1131 gnutls_privkey_t key
)
1134 gnutls_str_array_t str_names
;
1136 _gnutls_str_array_init(&str_names
);
1138 if (names
!= NULL
&& names_size
> 0)
1140 for (i
=0;i
<names_size
;i
++)
1142 ret
= _gnutls_str_array_append(&str_names
, names
[i
], strlen(names
[i
]));
1145 ret
= gnutls_assert_val(ret
);
1151 ret
= certificate_credentials_append_pkey (res
, key
);
1158 ret
= certificate_credential_append_crt_list (res
, str_names
, pcert_list
, pcert_list_size
);
1167 if ((ret
= _gnutls_check_key_cert_match (res
)) < 0)
1176 _gnutls_str_array_clear(&str_names
);
1181 * gnutls_certificate_set_x509_key_file:
1182 * @res: is a #gnutls_certificate_credentials_t structure.
1183 * @certfile: is a file that containing the certificate list (path) for
1184 * the specified private key, in PKCS7 format, or a list of certificates
1185 * @keyfile: is a file that contains the private key
1186 * @type: is PEM or DER
1188 * This function sets a certificate/private key pair in the
1189 * gnutls_certificate_credentials_t structure. This function may be
1190 * called more than once, in case multiple keys/certificates exist for
1191 * the server. For clients that need to send more than its own end
1192 * entity certificate, e.g., also an intermediate CA cert, then the
1193 * @certfile must contain the ordered certificate chain.
1195 * This function can also accept PKCS #11 URLs at @keyfile and @certfile. In that case it
1196 * will import the private key and certificate indicated by the URLs.
1198 * Returns: %GNUTLS_E_SUCCESS (0) on success, or a negative error code.
1201 gnutls_certificate_set_x509_key_file (gnutls_certificate_credentials_t res
,
1202 const char *certfile
,
1203 const char *keyfile
,
1204 gnutls_x509_crt_fmt_t type
)
1208 /* this should be first
1210 if ((ret
= read_key_file (res
, keyfile
, type
)) < 0)
1213 if ((ret
= read_cert_file (res
, certfile
, type
)) < 0)
1218 if ((ret
= _gnutls_check_key_cert_match (res
)) < 0)
1228 add_new_crt_to_rdn_seq (gnutls_certificate_credentials_t res
, gnutls_x509_crt_t
* crts
,
1229 unsigned int crt_size
)
1234 unsigned char *newdata
;
1237 /* Add DN of the last added CAs to the RDN sequence
1238 * This will be sent to clients when a certificate
1239 * request message is sent.
1242 /* FIXME: in case of a client it is not needed
1243 * to do that. This would save time and memory.
1244 * However we don't have that information available
1246 * Further, this function is now much more efficient,
1247 * so optimizing that is less important.
1250 for (i
= 0; i
< crt_size
; i
++)
1252 if ((ret
= gnutls_x509_crt_get_raw_dn (crts
[i
], &tmp
)) < 0)
1258 newsize
= res
->x509_rdn_sequence
.size
+ 2 + tmp
.size
;
1259 if (newsize
< res
->x509_rdn_sequence
.size
)
1262 _gnutls_free_datum (&tmp
);
1263 return GNUTLS_E_SHORT_MEMORY_BUFFER
;
1266 newdata
= gnutls_realloc (res
->x509_rdn_sequence
.data
, newsize
);
1267 if (newdata
== NULL
)
1270 _gnutls_free_datum (&tmp
);
1271 return GNUTLS_E_MEMORY_ERROR
;
1274 _gnutls_write_datum16 (newdata
+ res
->x509_rdn_sequence
.size
, tmp
);
1275 _gnutls_free_datum (&tmp
);
1277 res
->x509_rdn_sequence
.size
= newsize
;
1278 res
->x509_rdn_sequence
.data
= newdata
;
1284 /* Returns 0 if it's ok to use the gnutls_kx_algorithm_t with this
1285 * certificate (uses the KeyUsage field).
1288 _gnutls_check_key_usage (const gnutls_pcert_st
* cert
, gnutls_kx_algorithm_t alg
)
1290 unsigned int key_usage
= 0;
1296 return GNUTLS_E_INTERNAL_ERROR
;
1299 if (_gnutls_map_kx_get_cred (alg
, 1) == GNUTLS_CRD_CERTIFICATE
||
1300 _gnutls_map_kx_get_cred (alg
, 0) == GNUTLS_CRD_CERTIFICATE
)
1303 gnutls_pubkey_get_key_usage(cert
->pubkey
, &key_usage
);
1305 encipher_type
= _gnutls_kx_encipher_type (alg
);
1307 if (key_usage
!= 0 && encipher_type
!= CIPHER_IGN
)
1309 /* If key_usage has been set in the certificate
1312 if (encipher_type
== CIPHER_ENCRYPT
)
1314 /* If the key exchange method requires an encipher
1315 * type algorithm, and key's usage does not permit
1316 * encipherment, then fail.
1318 if (!(key_usage
& GNUTLS_KEY_KEY_ENCIPHERMENT
))
1321 return GNUTLS_E_KEY_USAGE_VIOLATION
;
1325 if (encipher_type
== CIPHER_SIGN
)
1327 /* The same as above, but for sign only keys
1329 if (!(key_usage
& GNUTLS_KEY_DIGITAL_SIGNATURE
))
1332 return GNUTLS_E_KEY_USAGE_VIOLATION
;
1341 parse_pem_ca_mem (gnutls_certificate_credentials_t res
,
1342 const opaque
* input_cert
, int input_cert_size
)
1344 gnutls_x509_crt_t
*x509_cert_list
;
1345 unsigned int x509_ncerts
;
1349 tmp
.data
= (void*)input_cert
;
1350 tmp
.size
= input_cert_size
;
1352 ret
= gnutls_x509_crt_list_import2( &x509_cert_list
, &x509_ncerts
, &tmp
,
1353 GNUTLS_X509_FMT_PEM
, 0);
1360 if ((ret
= add_new_crt_to_rdn_seq (res
, x509_cert_list
, x509_ncerts
)) < 0)
1366 ret
= gnutls_x509_trust_list_add_cas(res
->tlist
, x509_cert_list
, x509_ncerts
, 0);
1374 gnutls_free(x509_cert_list
);
1378 /* Reads a DER encoded certificate list from memory and stores it to a
1379 * gnutls_cert structure. Returns the number of certificates parsed.
1382 parse_der_ca_mem (gnutls_certificate_credentials_t res
,
1383 const void *input_cert
, int input_cert_size
)
1385 gnutls_x509_crt_t crt
;
1389 tmp
.data
= (void*)input_cert
;
1390 tmp
.size
= input_cert_size
;
1392 ret
= gnutls_x509_crt_init( &crt
);
1399 ret
= gnutls_x509_crt_import( crt
, &tmp
, GNUTLS_X509_FMT_DER
);
1406 if ((ret
= add_new_crt_to_rdn_seq (res
, &crt
, 1)) < 0)
1412 ret
= gnutls_x509_trust_list_add_cas(res
->tlist
, &crt
, 1, 0);
1422 gnutls_x509_crt_deinit(crt
);
1427 * gnutls_certificate_set_x509_trust_mem:
1428 * @res: is a #gnutls_certificate_credentials_t structure.
1429 * @ca: is a list of trusted CAs or a DER certificate
1430 * @type: is DER or PEM
1432 * This function adds the trusted CAs in order to verify client or
1433 * server certificates. In case of a client this is not required to be
1434 * called if the certificates are not verified using
1435 * gnutls_certificate_verify_peers2(). This function may be called
1438 * In case of a server the CAs set here will be sent to the client if
1439 * a certificate request is sent. This can be disabled using
1440 * gnutls_certificate_send_x509_rdn_sequence().
1442 * Returns: the number of certificates processed or a negative error code
1446 gnutls_certificate_set_x509_trust_mem (gnutls_certificate_credentials_t res
,
1447 const gnutls_datum_t
* ca
,
1448 gnutls_x509_crt_fmt_t type
)
1452 if (type
== GNUTLS_X509_FMT_DER
)
1453 ret
= parse_der_ca_mem (res
,
1454 ca
->data
, ca
->size
);
1456 ret
= parse_pem_ca_mem (res
,
1457 ca
->data
, ca
->size
);
1459 if (ret
== GNUTLS_E_NO_CERTIFICATE_FOUND
)
1466 * gnutls_certificate_set_x509_trust:
1467 * @res: is a #gnutls_certificate_credentials_t structure.
1468 * @ca_list: is a list of trusted CAs
1469 * @ca_list_size: holds the size of the CA list
1471 * This function adds the trusted CAs in order to verify client
1472 * or server certificates. In case of a client this is not required
1473 * to be called if the certificates are not verified using
1474 * gnutls_certificate_verify_peers2().
1475 * This function may be called multiple times.
1477 * In case of a server the CAs set here will be sent to the client if
1478 * a certificate request is sent. This can be disabled using
1479 * gnutls_certificate_send_x509_rdn_sequence().
1481 * Returns: the number of certificates processed or a negative error code
1487 gnutls_certificate_set_x509_trust (gnutls_certificate_credentials_t res
,
1488 gnutls_x509_crt_t
* ca_list
,
1492 gnutls_x509_crt_t new_list
[ca_list_size
];
1494 for (i
= 0; i
< ca_list_size
; i
++)
1496 ret
= gnutls_x509_crt_init (&new_list
[i
]);
1503 ret
= _gnutls_x509_crt_cpy (new_list
[i
], ca_list
[i
]);
1511 if ((ret
= add_new_crt_to_rdn_seq (res
, new_list
, ca_list_size
)) < 0)
1517 ret
= gnutls_x509_trust_list_add_cas(res
->tlist
, new_list
, ca_list_size
, 0);
1528 gnutls_x509_crt_deinit(new_list
[j
]);
1535 * gnutls_certificate_set_x509_trust_file:
1536 * @cred: is a #gnutls_certificate_credentials_t structure.
1537 * @cafile: is a file containing the list of trusted CAs (DER or PEM list)
1538 * @type: is PEM or DER
1540 * This function adds the trusted CAs in order to verify client or
1541 * server certificates. In case of a client this is not required to
1542 * be called if the certificates are not verified using
1543 * gnutls_certificate_verify_peers2(). This function may be called
1546 * In case of a server the names of the CAs set here will be sent to
1547 * the client if a certificate request is sent. This can be disabled
1548 * using gnutls_certificate_send_x509_rdn_sequence().
1550 * This function can also accept PKCS #11 URLs. In that case it
1551 * will import all certificates that are marked as trusted.
1553 * Returns: number of certificates processed, or a negative error code on
1557 gnutls_certificate_set_x509_trust_file (gnutls_certificate_credentials_t cred
,
1559 gnutls_x509_crt_fmt_t type
)
1565 #ifdef ENABLE_PKCS11
1566 if (strncmp (cafile
, "pkcs11:", 7) == 0)
1568 return read_cas_url (cred
, cafile
);
1572 cas
.data
= read_binary_file (cafile
, &size
);
1573 if (cas
.data
== NULL
)
1576 return GNUTLS_E_FILE_ERROR
;
1581 ret
= gnutls_certificate_set_x509_trust_mem(cred
, &cas
, type
);
1597 parse_pem_crl_mem (gnutls_x509_trust_list_t tlist
,
1598 const opaque
* input_crl
, int input_crl_size
)
1600 gnutls_x509_crl_t
*x509_crl_list
;
1601 unsigned int x509_ncrls
;
1605 tmp
.data
= (void*)input_crl
;
1606 tmp
.size
= input_crl_size
;
1608 ret
= gnutls_x509_crl_list_import2( &x509_crl_list
, &x509_ncrls
, &tmp
,
1609 GNUTLS_X509_FMT_PEM
, 0);
1616 ret
= gnutls_x509_trust_list_add_crls(tlist
, x509_crl_list
, x509_ncrls
, 0, 0);
1624 gnutls_free(x509_crl_list
);
1628 /* Reads a DER encoded certificate list from memory and stores it to a
1629 * gnutls_cert structure. Returns the number of certificates parsed.
1632 parse_der_crl_mem (gnutls_x509_trust_list_t tlist
,
1633 const void *input_crl
, int input_crl_size
)
1635 gnutls_x509_crl_t crl
;
1639 tmp
.data
= (void*)input_crl
;
1640 tmp
.size
= input_crl_size
;
1642 ret
= gnutls_x509_crl_init( &crl
);
1649 ret
= gnutls_x509_crl_import( crl
, &tmp
, GNUTLS_X509_FMT_DER
);
1656 ret
= gnutls_x509_trust_list_add_crls(tlist
, &crl
, 1, 0, 0);
1666 gnutls_x509_crl_deinit(crl
);
1672 /* Reads a DER or PEM CRL from memory
1675 read_crl_mem (gnutls_certificate_credentials_t res
, const void *crl
,
1676 int crl_size
, gnutls_x509_crt_fmt_t type
)
1680 if (type
== GNUTLS_X509_FMT_DER
)
1681 ret
= parse_der_crl_mem (res
->tlist
, crl
, crl_size
);
1683 ret
= parse_pem_crl_mem (res
->tlist
, crl
, crl_size
);
1694 * gnutls_certificate_set_x509_crl_mem:
1695 * @res: is a #gnutls_certificate_credentials_t structure.
1696 * @CRL: is a list of trusted CRLs. They should have been verified before.
1697 * @type: is DER or PEM
1699 * This function adds the trusted CRLs in order to verify client or
1700 * server certificates. In case of a client this is not required to
1701 * be called if the certificates are not verified using
1702 * gnutls_certificate_verify_peers2(). This function may be called
1705 * Returns: number of CRLs processed, or a negative error code on error.
1708 gnutls_certificate_set_x509_crl_mem (gnutls_certificate_credentials_t res
,
1709 const gnutls_datum_t
* CRL
,
1710 gnutls_x509_crt_fmt_t type
)
1712 return read_crl_mem (res
, CRL
->data
, CRL
->size
, type
);
1716 * gnutls_certificate_set_x509_crl:
1717 * @res: is a #gnutls_certificate_credentials_t structure.
1718 * @crl_list: is a list of trusted CRLs. They should have been verified before.
1719 * @crl_list_size: holds the size of the crl_list
1721 * This function adds the trusted CRLs in order to verify client or
1722 * server certificates. In case of a client this is not required to
1723 * be called if the certificates are not verified using
1724 * gnutls_certificate_verify_peers2(). This function may be called
1727 * Returns: %GNUTLS_E_SUCCESS (0) on success, or a negative error code.
1732 gnutls_certificate_set_x509_crl (gnutls_certificate_credentials_t res
,
1733 gnutls_x509_crl_t
* crl_list
,
1737 gnutls_x509_crl_t new_crl
[crl_list_size
];
1739 for (i
= 0; i
< crl_list_size
; i
++)
1741 ret
= gnutls_x509_crl_init (&new_crl
[i
]);
1748 ret
= _gnutls_x509_crl_cpy (new_crl
[i
], crl_list
[i
]);
1756 ret
= gnutls_x509_trust_list_add_crls(res
->tlist
, new_crl
, crl_list_size
, 0, 0);
1767 gnutls_x509_crl_deinit(new_crl
[j
]);
1773 * gnutls_certificate_set_x509_crl_file:
1774 * @res: is a #gnutls_certificate_credentials_t structure.
1775 * @crlfile: is a file containing the list of verified CRLs (DER or PEM list)
1776 * @type: is PEM or DER
1778 * This function adds the trusted CRLs in order to verify client or server
1779 * certificates. In case of a client this is not required
1780 * to be called if the certificates are not verified using
1781 * gnutls_certificate_verify_peers2().
1782 * This function may be called multiple times.
1784 * Returns: number of CRLs processed or a negative error code on error.
1787 gnutls_certificate_set_x509_crl_file (gnutls_certificate_credentials_t res
,
1788 const char *crlfile
,
1789 gnutls_x509_crt_fmt_t type
)
1793 char *data
= read_binary_file (crlfile
, &size
);
1798 return GNUTLS_E_FILE_ERROR
;
1801 if (type
== GNUTLS_X509_FMT_DER
)
1802 ret
= parse_der_crl_mem (res
->tlist
, data
, size
);
1804 ret
= parse_pem_crl_mem (res
->tlist
, data
, size
);
1817 #include <gnutls/pkcs12.h>
1820 parse_pkcs12 (gnutls_certificate_credentials_t res
,
1821 gnutls_pkcs12_t p12
,
1822 const char *password
,
1823 gnutls_x509_privkey_t
* key
,
1824 gnutls_x509_crt_t
* cert
, gnutls_x509_crl_t
* crl
)
1826 gnutls_pkcs12_bag_t bag
= NULL
;
1829 size_t cert_id_size
= 0;
1830 size_t key_id_size
= 0;
1839 /* find the first private key */
1842 int elements_in_bag
;
1845 ret
= gnutls_pkcs12_bag_init (&bag
);
1853 ret
= gnutls_pkcs12_get_bag (p12
, idx
, bag
);
1854 if (ret
== GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
)
1862 ret
= gnutls_pkcs12_bag_get_type (bag
, 0);
1869 if (ret
== GNUTLS_BAG_ENCRYPTED
)
1871 ret
= gnutls_pkcs12_bag_decrypt (bag
, password
);
1879 elements_in_bag
= gnutls_pkcs12_bag_get_count (bag
);
1880 if (elements_in_bag
< 0)
1886 for (i
= 0; i
< elements_in_bag
; i
++)
1889 gnutls_datum_t data
;
1891 type
= gnutls_pkcs12_bag_get_type (bag
, i
);
1898 ret
= gnutls_pkcs12_bag_get_data (bag
, i
, &data
);
1907 case GNUTLS_BAG_PKCS8_ENCRYPTED_KEY
:
1908 case GNUTLS_BAG_PKCS8_KEY
:
1909 if (*key
!= NULL
) /* too simple to continue */
1915 ret
= gnutls_x509_privkey_init (key
);
1922 ret
= gnutls_x509_privkey_import_pkcs8
1923 (*key
, &data
, GNUTLS_X509_FMT_DER
, password
,
1924 type
== GNUTLS_BAG_PKCS8_KEY
? GNUTLS_PKCS_PLAIN
: 0);
1928 gnutls_x509_privkey_deinit (*key
);
1932 key_id_size
= sizeof (key_id
);
1934 gnutls_x509_privkey_get_key_id (*key
, 0, key_id
,
1939 gnutls_x509_privkey_deinit (*key
);
1943 privkey_ok
= 1; /* break */
1951 gnutls_pkcs12_bag_deinit (bag
);
1953 if (privkey_ok
!= 0) /* private key was found */
1957 if (privkey_ok
== 0) /* no private key */
1960 return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
;
1963 /* now find the corresponding certificate
1969 int elements_in_bag
;
1972 ret
= gnutls_pkcs12_bag_init (&bag
);
1980 ret
= gnutls_pkcs12_get_bag (p12
, idx
, bag
);
1981 if (ret
== GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
)
1989 ret
= gnutls_pkcs12_bag_get_type (bag
, 0);
1996 if (ret
== GNUTLS_BAG_ENCRYPTED
)
1998 ret
= gnutls_pkcs12_bag_decrypt (bag
, password
);
2006 elements_in_bag
= gnutls_pkcs12_bag_get_count (bag
);
2007 if (elements_in_bag
< 0)
2013 for (i
= 0; i
< elements_in_bag
; i
++)
2016 gnutls_datum_t data
;
2018 type
= gnutls_pkcs12_bag_get_type (bag
, i
);
2025 ret
= gnutls_pkcs12_bag_get_data (bag
, i
, &data
);
2034 case GNUTLS_BAG_CERTIFICATE
:
2035 if (*cert
!= NULL
) /* no need to set it again */
2041 ret
= gnutls_x509_crt_init (cert
);
2049 gnutls_x509_crt_import (*cert
, &data
, GNUTLS_X509_FMT_DER
);
2053 gnutls_x509_crt_deinit (*cert
);
2057 /* check if the key id match */
2058 cert_id_size
= sizeof (cert_id
);
2060 gnutls_x509_crt_get_key_id (*cert
, 0, cert_id
, &cert_id_size
);
2064 gnutls_x509_crt_deinit (*cert
);
2068 if (memcmp (cert_id
, key_id
, cert_id_size
) != 0)
2069 { /* they don't match - skip the certificate */
2070 gnutls_x509_crt_deinit (*cert
);
2075 case GNUTLS_BAG_CRL
:
2082 ret
= gnutls_x509_crl_init (crl
);
2089 ret
= gnutls_x509_crl_import (*crl
, &data
, GNUTLS_X509_FMT_DER
);
2093 gnutls_x509_crl_deinit (*crl
);
2098 case GNUTLS_BAG_ENCRYPTED
:
2099 /* XXX Bother to recurse one level down? Unlikely to
2100 use the same password anyway. */
2101 case GNUTLS_BAG_EMPTY
:
2108 gnutls_pkcs12_bag_deinit (bag
);
2115 gnutls_pkcs12_bag_deinit (bag
);
2121 * gnutls_certificate_set_x509_simple_pkcs12_file:
2122 * @res: is a #gnutls_certificate_credentials_t structure.
2123 * @pkcs12file: filename of file containing PKCS#12 blob.
2124 * @type: is PEM or DER of the @pkcs12file.
2125 * @password: optional password used to decrypt PKCS#12 file, bags and keys.
2127 * This function sets a certificate/private key pair and/or a CRL in
2128 * the gnutls_certificate_credentials_t structure. This function may
2129 * be called more than once (in case multiple keys/certificates exist
2132 * MAC:ed PKCS#12 files are supported. Encrypted PKCS#12 bags are
2133 * supported. Encrypted PKCS#8 private keys are supported. However,
2134 * only password based security, and the same password for all
2135 * operations, are supported.
2137 * PKCS#12 file may contain many keys and/or certificates, and there
2138 * is no way to identify which key/certificate pair you want. You
2139 * should make sure the PKCS#12 file only contain one key/certificate
2140 * pair and/or one CRL.
2142 * It is believed that the limitations of this function is acceptable
2143 * for most usage, and that any more flexibility would introduce
2144 * complexity that would make it harder to use this functionality at
2147 * Returns: %GNUTLS_E_SUCCESS (0) on success, or a negative error code.
2150 gnutls_certificate_set_x509_simple_pkcs12_file
2151 (gnutls_certificate_credentials_t res
, const char *pkcs12file
,
2152 gnutls_x509_crt_fmt_t type
, const char *password
)
2154 gnutls_datum_t p12blob
;
2158 p12blob
.data
= read_binary_file (pkcs12file
, &size
);
2159 p12blob
.size
= (unsigned int) size
;
2160 if (p12blob
.data
== NULL
)
2163 return GNUTLS_E_FILE_ERROR
;
2167 gnutls_certificate_set_x509_simple_pkcs12_mem (res
, &p12blob
, type
,
2169 free (p12blob
.data
);
2175 * gnutls_certificate_set_x509_simple_pkcs12_mem:
2176 * @res: is a #gnutls_certificate_credentials_t structure.
2177 * @p12blob: the PKCS#12 blob.
2178 * @type: is PEM or DER of the @pkcs12file.
2179 * @password: optional password used to decrypt PKCS#12 file, bags and keys.
2181 * This function sets a certificate/private key pair and/or a CRL in
2182 * the gnutls_certificate_credentials_t structure. This function may
2183 * be called more than once (in case multiple keys/certificates exist
2186 * MAC:ed PKCS#12 files are supported. Encrypted PKCS#12 bags are
2187 * supported. Encrypted PKCS#8 private keys are supported. However,
2188 * only password based security, and the same password for all
2189 * operations, are supported.
2191 * PKCS#12 file may contain many keys and/or certificates, and there
2192 * is no way to identify which key/certificate pair you want. You
2193 * should make sure the PKCS#12 file only contain one key/certificate
2194 * pair and/or one CRL.
2196 * It is believed that the limitations of this function is acceptable
2197 * for most usage, and that any more flexibility would introduce
2198 * complexity that would make it harder to use this functionality at
2201 * Returns: %GNUTLS_E_SUCCESS (0) on success, or a negative error code.
2206 gnutls_certificate_set_x509_simple_pkcs12_mem
2207 (gnutls_certificate_credentials_t res
, const gnutls_datum_t
* p12blob
,
2208 gnutls_x509_crt_fmt_t type
, const char *password
)
2210 gnutls_pkcs12_t p12
;
2211 gnutls_x509_privkey_t key
= NULL
;
2212 gnutls_x509_crt_t cert
= NULL
;
2213 gnutls_x509_crl_t crl
= NULL
;
2216 ret
= gnutls_pkcs12_init (&p12
);
2223 ret
= gnutls_pkcs12_import (p12
, p12blob
, type
, 0);
2227 gnutls_pkcs12_deinit (p12
);
2233 ret
= gnutls_pkcs12_verify_mac (p12
, password
);
2237 gnutls_pkcs12_deinit (p12
);
2242 ret
= parse_pkcs12 (res
, p12
, password
, &key
, &cert
, &crl
);
2243 gnutls_pkcs12_deinit (p12
);
2252 ret
= gnutls_certificate_set_x509_key (res
, &cert
, 1, key
);
2262 ret
= gnutls_certificate_set_x509_crl (res
, &crl
, 1);
2274 gnutls_x509_crt_deinit (cert
);
2276 gnutls_x509_privkey_deinit (key
);
2278 gnutls_x509_crl_deinit (crl
);
2286 * gnutls_certificate_free_crls:
2287 * @sc: is a #gnutls_certificate_credentials_t structure.
2289 * This function will delete all the CRLs associated
2290 * with the given credentials.
2293 gnutls_certificate_free_crls (gnutls_certificate_credentials_t sc
)
2295 /* do nothing for now */