| blob | 4ece36232787f9e23bb6f06a1563b150dd8dfad2 |
1 /*
2 * Copyright (C) 2003-2012 Free Software Foundation, Inc.
3 * Author: Nikos Mavrogiannopoulos, Simon Josefsson, Howard Chu
4 *
5 * This file is part of GnuTLS.
6 *
7 * The GnuTLS is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU Lesser General Public License
9 * as published by the Free Software Foundation; either version 3 of
10 * the License, or (at your option) any later version.
11 *
12 * This library is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
16 *
17 * You should have received a copy of the GNU Lesser General Public License
18 * along with this program. If not, see <http://www.gnu.org/licenses/>
19 *
20 */
22 /* Functions on X.509 Certificate parsing
23 */
25 #include <gnutls_int.h>
26 #include <gnutls_datum.h>
27 #include <gnutls_global.h>
28 #include <gnutls_errors.h>
29 #include <common.h>
30 #include <gnutls_x509.h>
31 #include <x509_b64.h>
32 #include <x509_int.h>
33 #include <libtasn1.h>
34 #include <gnutls_pk.h>
36 /**
37 * gnutls_x509_crt_init:
38 * @cert: The structure to be initialized
39 *
40 * This function will initialize an X.509 certificate structure.
41 *
42 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
43 * negative error value.
44 **/
45 int
47 {
57 {
61 }
63 /* If you add anything here, be sure to check if it has to be added
64 to gnutls_x509_crt_import as well. */
69 }
71 /*-
72 * _gnutls_x509_crt_cpy - This function copies a gnutls_x509_crt_t structure
73 * @dest: The structure where to copy
74 * @src: The structure to be copied
75 *
76 * This function will copy an X.509 certificate structure.
77 *
78 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
79 * negative error value.
80 -*/
81 int
83 {
87 gnutls_datum_t tmp;
91 {
94 }
98 {
101 }
105 {
109 }
118 {
121 }
124 }
126 /**
127 * gnutls_x509_crt_deinit:
128 * @cert: The structure to be deinitialized
129 *
130 * This function will deinitialize a certificate structure.
131 **/
132 void
134 {
142 }
144 /**
145 * gnutls_x509_crt_import:
146 * @cert: The structure to store the parsed certificate.
147 * @data: The DER or PEM encoded certificate.
148 * @format: One of DER or PEM
149 *
150 * This function will convert the given DER or PEM encoded Certificate
151 * to the native gnutls_x509_crt_t format. The output will be stored
152 * in @cert.
153 *
154 * If the Certificate is PEM encoded it should have a header of "X509
155 * CERTIFICATE", or "CERTIFICATE".
156 *
157 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
158 * negative error value.
159 **/
160 int
163 gnutls_x509_crt_fmt_t format)
164 {
166 gnutls_datum_t _data;
169 {
172 }
177 /* If the Certificate is in PEM format then decode it
178 */
180 {
181 /* Try the first header */
182 result =
186 {
187 /* try for the second header */
188 result =
193 {
196 }
197 }
200 }
203 {
204 /* Any earlier asn1_der_decoding will modify the ASN.1
205 structure, so we need to replace it with a fresh
206 structure. */
212 {
216 }
217 }
221 {
225 }
229 /* Since we do not want to disable any extension
230 */
237 cleanup:
241 }
244 /**
245 * gnutls_x509_crt_get_issuer_dn:
246 * @cert: should contain a #gnutls_x509_crt_t structure
247 * @buf: a pointer to a structure to hold the name (may be null)
248 * @buf_size: initially holds the size of @buf
249 *
250 * This function will copy the name of the Certificate issuer in the
251 * provided buffer. The name will be in the form
252 * "C=xxxx,O=yyyy,CN=zzzz" as described in RFC4514. The output string
253 * will be ASCII or UTF-8 encoded, depending on the certificate data.
254 *
255 * If @buf is null then only the size will be filled.
256 *
257 * Returns: GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not
258 * long enough, and in that case the @buf_size will be updated with
259 * the required size. On success 0 is returned.
260 **/
261 int
264 {
266 {
269 }
273 buf_size);
274 }
276 /**
277 * gnutls_x509_crt_get_issuer_dn_by_oid:
278 * @cert: should contain a #gnutls_x509_crt_t structure
279 * @oid: holds an Object Identified in null terminated string
280 * @indx: In case multiple same OIDs exist in the RDN, this specifies which to send. Use (0) to get the first one.
281 * @raw_flag: If non-zero returns the raw DER data of the DN part.
282 * @buf: a pointer to a structure to hold the name (may be null)
283 * @buf_size: initially holds the size of @buf
284 *
285 * This function will extract the part of the name of the Certificate
286 * issuer specified by the given OID. The output, if the raw flag is not
287 * used, will be encoded as described in RFC4514. Thus a string that is
288 * ASCII or UTF-8 encoded, depending on the certificate data.
289 *
290 * Some helper macros with popular OIDs can be found in gnutls/x509.h
291 * If raw flag is (0), this function will only return known OIDs as
292 * text. Other OIDs will be DER encoded, as described in RFC4514 --
293 * in hex format with a '#' prefix. You can check about known OIDs
294 * using gnutls_x509_dn_oid_known().
295 *
296 * If @buf is null then only the size will be filled. If the @raw_flag
297 * is not specified the output is always null terminated, although the
298 * @buf_size will not include the null character.
299 *
300 * Returns: %GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not
301 * long enough, and in that case the @buf_size will be updated with
302 * the required size. %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE if there
303 * are no data in the current index. On success 0 is returned.
304 **/
305 int
310 {
311 gnutls_datum_t td;
315 {
318 }
327 }
329 /**
330 * gnutls_x509_crt_get_issuer_dn_oid:
331 * @cert: should contain a #gnutls_x509_crt_t structure
332 * @indx: This specifies which OID to return. Use (0) to get the first one.
333 * @oid: a pointer to a buffer to hold the OID (may be null)
334 * @oid_size: initially holds the size of @oid
335 *
336 * This function will extract the OIDs of the name of the Certificate
337 * issuer specified by the given index.
338 *
339 * If @oid is null then only the size will be filled. The @oid
340 * returned will be null terminated, although @oid_size will not
341 * account for the trailing null.
342 *
343 * Returns: %GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not
344 * long enough, and in that case the @buf_size will be updated with
345 * the required size. %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE if there
346 * are no data in the current index. On success 0 is returned.
347 **/
348 int
351 {
353 {
356 }
361 }
363 /**
364 * gnutls_x509_crt_get_dn:
365 * @cert: should contain a #gnutls_x509_crt_t structure
366 * @buf: a pointer to a structure to hold the name (may be null)
367 * @buf_size: initially holds the size of @buf
368 *
369 * This function will copy the name of the Certificate in the provided
370 * buffer. The name will be in the form "C=xxxx,O=yyyy,CN=zzzz" as
371 * described in RFC4514. The output string will be ASCII or UTF-8
372 * encoded, depending on the certificate data.
373 *
374 * If @buf is null then only the size will be filled.
375 *
376 * Returns: %GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not
377 * long enough, and in that case the @buf_size will be updated
378 * with the required size. On success 0 is returned.
379 **/
380 int
383 {
385 {
388 }
392 buf_size);
393 }
395 /**
396 * gnutls_x509_crt_get_dn_by_oid:
397 * @cert: should contain a #gnutls_x509_crt_t structure
398 * @oid: holds an Object Identified in null terminated string
399 * @indx: In case multiple same OIDs exist in the RDN, this specifies which to send. Use (0) to get the first one.
400 * @raw_flag: If non-zero returns the raw DER data of the DN part.
401 * @buf: a pointer where the DN part will be copied (may be null).
402 * @buf_size: initially holds the size of @buf
403 *
404 * This function will extract the part of the name of the Certificate
405 * subject specified by the given OID. The output, if the raw flag is
406 * not used, will be encoded as described in RFC4514. Thus a string
407 * that is ASCII or UTF-8 encoded, depending on the certificate data.
408 *
409 * Some helper macros with popular OIDs can be found in gnutls/x509.h
410 * If raw flag is (0), this function will only return known OIDs as
411 * text. Other OIDs will be DER encoded, as described in RFC4514 --
412 * in hex format with a '#' prefix. You can check about known OIDs
413 * using gnutls_x509_dn_oid_known().
414 *
415 * If @buf is null then only the size will be filled. If the @raw_flag
416 * is not specified the output is always null terminated, although the
417 * @buf_size will not include the null character.
418 *
419 * Returns: %GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not
420 * long enough, and in that case the @buf_size will be updated with
421 * the required size. %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE if there
422 * are no data in the current index. On success 0 is returned.
423 **/
424 int
428 {
429 gnutls_datum_t td;
433 {
436 }
445 }
447 /**
448 * gnutls_x509_crt_get_dn_oid:
449 * @cert: should contain a #gnutls_x509_crt_t structure
450 * @indx: This specifies which OID to return. Use (0) to get the first one.
451 * @oid: a pointer to a buffer to hold the OID (may be null)
452 * @oid_size: initially holds the size of @oid
453 *
454 * This function will extract the OIDs of the name of the Certificate
455 * subject specified by the given index.
456 *
457 * If @oid is null then only the size will be filled. The @oid
458 * returned will be null terminated, although @oid_size will not
459 * account for the trailing null.
460 *
461 * Returns: %GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not
462 * long enough, and in that case the @buf_size will be updated with
463 * the required size. %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE if there
464 * are no data in the current index. On success 0 is returned.
465 **/
466 int
469 {
471 {
474 }
479 }
481 /**
482 * gnutls_x509_crt_get_signature_algorithm:
483 * @cert: should contain a #gnutls_x509_crt_t structure
484 *
485 * This function will return a value of the #gnutls_sign_algorithm_t
486 * enumeration that is the signature algorithm that has been used to
487 * sign this certificate.
488 *
489 * Returns: a #gnutls_sign_algorithm_t value, or a negative error code on
490 * error.
491 **/
492 int
494 {
496 }
498 /**
499 * gnutls_x509_crt_get_signature:
500 * @cert: should contain a #gnutls_x509_crt_t structure
501 * @sig: a pointer where the signature part will be copied (may be null).
502 * @sizeof_sig: initially holds the size of @sig
503 *
504 * This function will extract the signature field of a certificate.
505 *
506 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
507 * negative error value. and a negative error code on error.
508 **/
509 int
512 {
518 {
521 }
526 {
529 }
533 {
536 }
541 {
544 }
548 {
551 }
554 }
556 /**
557 * gnutls_x509_crt_get_version:
558 * @cert: should contain a #gnutls_x509_crt_t structure
559 *
560 * This function will return the version of the specified Certificate.
561 *
562 * Returns: version of certificate, or a negative error code on error.
563 **/
564 int
566 {
571 {
574 }
580 {
586 }
589 }
591 /**
592 * gnutls_x509_crt_get_activation_time:
593 * @cert: should contain a #gnutls_x509_crt_t structure
594 *
595 * This function will return the time this Certificate was or will be
596 * activated.
597 *
598 * Returns: activation time, or (time_t)-1 on error.
599 **/
600 time_t
602 {
604 {
607 }
611 }
613 /**
614 * gnutls_x509_crt_get_expiration_time:
615 * @cert: should contain a #gnutls_x509_crt_t structure
616 *
617 * This function will return the time this Certificate was or will be
618 * expired.
619 *
620 * Returns: expiration time, or (time_t)-1 on error.
621 **/
622 time_t
624 {
626 {
629 }
633 }
635 /**
636 * gnutls_x509_crt_get_private_key_usage_period:
637 * @cert: should contain a #gnutls_x509_crt_t structure
638 * @activation: The activation time
639 * @expiration: The expiration time
640 * @critical: the extension status
641 *
642 * This function will return the expiration and activation
643 * times of the private key of the certificate. It relies on
644 * the PKIX extension 2.5.29.16 being present.
645 *
646 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
647 * if the extension is not present, otherwise a negative error value.
648 **/
649 int
650 gnutls_x509_crt_get_private_key_usage_period (gnutls_x509_crt_t cert, time_t* activation, time_t* expiration,
652 {
658 {
661 }
663 ret =
665 critical);
672 result = asn1_create_element
675 {
679 }
683 {
687 }
699 cleanup:
704 }
707 /**
708 * gnutls_x509_crt_get_serial:
709 * @cert: should contain a #gnutls_x509_crt_t structure
710 * @result: The place where the serial number will be copied
711 * @result_size: Holds the size of the result field.
712 *
713 * This function will return the X.509 certificate's serial number.
714 * This is obtained by the X509 Certificate serialNumber field. Serial
715 * is not always a 32 or 64bit number. Some CAs use large serial
716 * numbers, thus it may be wise to handle it as something uint8_t.
717 *
718 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
719 * negative error value.
720 **/
721 int
724 {
728 {
731 }
734 ret =
739 {
742 }
745 }
747 /**
748 * gnutls_x509_crt_get_subject_key_id:
749 * @cert: should contain a #gnutls_x509_crt_t structure
750 * @ret: The place where the identifier will be copied
751 * @ret_size: Holds the size of the result field.
752 * @critical: will be non-zero if the extension is marked as critical (may be null)
753 *
754 * This function will return the X.509v3 certificate's subject key
755 * identifier. This is obtained by the X.509 Subject Key identifier
756 * extension field (2.5.29.14).
757 *
758 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
759 * if the extension is not present, otherwise a negative error value.
760 **/
761 int
764 {
766 gnutls_datum_t id;
770 {
773 }
778 else
784 {
786 }
789 {
792 }
794 result = asn1_create_element
797 {
801 }
807 {
811 }
820 {
822 }
825 {
829 }
832 }
834 static int
837 {
839 gnutls_datum_t id;
844 {
847 }
852 {
854 }
857 {
860 }
862 ret = asn1_create_element
865 {
869 }
875 {
879 }
882 }
884 /**
885 * gnutls_x509_crt_get_authority_key_gn_serial:
886 * @cert: should contain a #gnutls_x509_crt_t structure
887 * @seq: specifies the sequence number of the alt name (0 for the first one, 1 for the second etc.)
888 * @alt: is the place where the alternative name will be copied to
889 * @alt_size: holds the size of alt.
890 * @alt_type: holds the type of the alternative name (one of gnutls_x509_subject_alt_name_t).
891 * @serial: buffer to store the serial number (may be null)
892 * @serial_size: Holds the size of the serial field (may be null)
893 * @critical: will be non-zero if the extension is marked as critical (may be null)
894 *
895 * This function will return the X.509 authority key
896 * identifier when stored as a general name (authorityCertIssuer)
897 * and serial number.
898 *
899 * Because more than one general names might be stored
900 * @seq can be used as a counter to request them all until
901 * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned.
902 *
903 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
904 * if the extension is not present, otherwise a negative error value.
905 *
906 * Since: 3.0
907 **/
908 int
909 gnutls_x509_crt_get_authority_key_gn_serial (gnutls_x509_crt_t cert, unsigned int seq, void *alt,
913 {
915 ASN1_TYPE c2;
921 ret =
925 {
928 }
931 {
938 {
941 }
943 }
947 fail:
951 }
953 /**
954 * gnutls_x509_crt_get_authority_key_id:
955 * @cert: should contain a #gnutls_x509_crt_t structure
956 * @id: The place where the identifier will be copied
957 * @id_size: Holds the size of the id field.
958 * @critical: will be non-zero if the extension is marked as critical (may be null)
959 *
960 * This function will return the X.509v3 certificate authority's key
961 * identifier. This is obtained by the X.509 Authority Key
962 * identifier extension field (2.5.29.35). Note that this function
963 * only returns the keyIdentifier field of the extension and
964 * %GNUTLS_E_X509_UNSUPPORTED_EXTENSION, if the extension contains
965 * the name and serial number of the certificate. In that case
966 * gnutls_x509_crt_get_authority_key_gn_serial() may be used.
967 *
968 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
969 * if the extension is not present, otherwise a negative error value.
970 **/
971 int
975 {
977 ASN1_TYPE c2;
993 {
997 }
1000 }
1002 /**
1003 * gnutls_x509_crt_get_pk_algorithm:
1004 * @cert: should contain a #gnutls_x509_crt_t structure
1005 * @bits: if bits is non null it will hold the size of the parameters' in bits
1006 *
1007 * This function will return the public key algorithm of an X.509
1008 * certificate.
1009 *
1010 * If bits is non null, it should have enough size to hold the parameters
1011 * size in bits. For RSA the bits returned is the modulus.
1012 * For DSA the bits returned are of the public
1013 * exponent.
1014 *
1015 * Returns: a member of the #gnutls_pk_algorithm_t enumeration on
1016 * success, or a negative error code on error.
1017 **/
1018 int
1020 {
1024 {
1027 }
1032 result =
1035 bits);
1038 {
1041 }
1045 }
1049 {
1053 else
1055 }
1059 /* returns the type and the name on success.
1060 * Type is also returned as a parameter in case of an error.
1061 */
1062 int
1066 {
1071 gnutls_x509_subject_alt_name_t type;
1077 else
1084 {
1086 }
1089 {
1092 }
1097 {
1100 }
1106 {
1109 else
1120 {
1123 }
1126 {
1129 }
1130 else
1131 {
1137 else
1143 {
1146 }
1149 {
1153 result = asn1_create_element
1156 {
1159 }
1163 {
1167 }
1172 {
1177 }
1181 {
1185 }
1188 /* null terminate it */
1190 }
1191 }
1192 }
1194 {
1198 {
1201 }
1202 }
1205 else
1206 {
1217 {
1221 }
1224 {
1227 }
1230 {
1233 {
1237 }
1239 /* null terminate it */
1241 }
1243 }
1246 }
1248 static int
1253 {
1255 gnutls_datum_t dnsname;
1259 {
1262 }
1266 else
1272 {
1274 }
1277 {
1280 }
1288 else
1289 {
1292 }
1295 {
1299 }
1305 {
1309 }
1311 result =
1313 othername_oid);
1318 {
1321 }
1324 }
1326 /**
1327 * gnutls_x509_crt_get_subject_alt_name:
1328 * @cert: should contain a #gnutls_x509_crt_t structure
1329 * @seq: specifies the sequence number of the alt name (0 for the first one, 1 for the second etc.)
1330 * @san: is the place where the alternative name will be copied to
1331 * @san_size: holds the size of san.
1332 * @critical: will be non-zero if the extension is marked as critical (may be null)
1333 *
1334 * This function retrieves the Alternative Name (2.5.29.17), contained
1335 * in the given certificate in the X509v3 Certificate Extensions.
1336 *
1337 * When the SAN type is otherName, it will extract the data in the
1338 * otherName's value field, and %GNUTLS_SAN_OTHERNAME is returned.
1339 * You may use gnutls_x509_crt_get_subject_alt_othername_oid() to get
1340 * the corresponding OID and the "virtual" SAN types (e.g.,
1341 * %GNUTLS_SAN_OTHERNAME_XMPP).
1342 *
1343 * If an otherName OID is known, the data will be decoded. Otherwise
1344 * the returned data will be DER encoded, and you will have to decode
1345 * it yourself. Currently, only the RFC 3920 id-on-xmppAddr SAN is
1346 * recognized.
1347 *
1348 * Returns: the alternative subject name type on success, one of the
1349 * enumerated #gnutls_x509_subject_alt_name_t. It will return
1350 * %GNUTLS_E_SHORT_MEMORY_BUFFER if @san_size is not large enough to
1351 * hold the value. In that case @san_size will be updated with the
1352 * required size. If the certificate does not have an Alternative
1353 * name with the specified sequence number then
1354 * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned.
1355 **/
1356 int
1361 {
1364 }
1366 /**
1367 * gnutls_x509_crt_get_issuer_alt_name:
1368 * @cert: should contain a #gnutls_x509_crt_t structure
1369 * @seq: specifies the sequence number of the alt name (0 for the first one, 1 for the second etc.)
1370 * @ian: is the place where the alternative name will be copied to
1371 * @ian_size: holds the size of ian.
1372 * @critical: will be non-zero if the extension is marked as critical (may be null)
1373 *
1374 * This function retrieves the Issuer Alternative Name (2.5.29.18),
1375 * contained in the given certificate in the X509v3 Certificate
1376 * Extensions.
1377 *
1378 * When the SAN type is otherName, it will extract the data in the
1379 * otherName's value field, and %GNUTLS_SAN_OTHERNAME is returned.
1380 * You may use gnutls_x509_crt_get_subject_alt_othername_oid() to get
1381 * the corresponding OID and the "virtual" SAN types (e.g.,
1382 * %GNUTLS_SAN_OTHERNAME_XMPP).
1383 *
1384 * If an otherName OID is known, the data will be decoded. Otherwise
1385 * the returned data will be DER encoded, and you will have to decode
1386 * it yourself. Currently, only the RFC 3920 id-on-xmppAddr Issuer
1387 * AltName is recognized.
1388 *
1389 * Returns: the alternative issuer name type on success, one of the
1390 * enumerated #gnutls_x509_subject_alt_name_t. It will return
1391 * %GNUTLS_E_SHORT_MEMORY_BUFFER if @ian_size is not large enough
1392 * to hold the value. In that case @ian_size will be updated with
1393 * the required size. If the certificate does not have an
1394 * Alternative name with the specified sequence number then
1395 * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned.
1396 *
1397 * Since: 2.10.0
1398 **/
1399 int
1404 {
1407 }
1409 /**
1410 * gnutls_x509_crt_get_subject_alt_name2:
1411 * @cert: should contain a #gnutls_x509_crt_t structure
1412 * @seq: specifies the sequence number of the alt name (0 for the first one, 1 for the second etc.)
1413 * @san: is the place where the alternative name will be copied to
1414 * @san_size: holds the size of ret.
1415 * @san_type: holds the type of the alternative name (one of gnutls_x509_subject_alt_name_t).
1416 * @critical: will be non-zero if the extension is marked as critical (may be null)
1417 *
1418 * This function will return the alternative names, contained in the
1419 * given certificate. It is the same as
1420 * gnutls_x509_crt_get_subject_alt_name() except for the fact that it
1421 * will return the type of the alternative name in @san_type even if
1422 * the function fails for some reason (i.e. the buffer provided is
1423 * not enough).
1424 *
1425 * Returns: the alternative subject name type on success, one of the
1426 * enumerated #gnutls_x509_subject_alt_name_t. It will return
1427 * %GNUTLS_E_SHORT_MEMORY_BUFFER if @san_size is not large enough
1428 * to hold the value. In that case @san_size will be updated with
1429 * the required size. If the certificate does not have an
1430 * Alternative name with the specified sequence number then
1431 * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned.
1432 **/
1433 int
1439 {
1442 }
1444 /**
1445 * gnutls_x509_crt_get_issuer_alt_name2:
1446 * @cert: should contain a #gnutls_x509_crt_t structure
1447 * @seq: specifies the sequence number of the alt name (0 for the first one, 1 for the second etc.)
1448 * @ian: is the place where the alternative name will be copied to
1449 * @ian_size: holds the size of ret.
1450 * @ian_type: holds the type of the alternative name (one of gnutls_x509_subject_alt_name_t).
1451 * @critical: will be non-zero if the extension is marked as critical (may be null)
1452 *
1453 * This function will return the alternative names, contained in the
1454 * given certificate. It is the same as
1455 * gnutls_x509_crt_get_issuer_alt_name() except for the fact that it
1456 * will return the type of the alternative name in @ian_type even if
1457 * the function fails for some reason (i.e. the buffer provided is
1458 * not enough).
1459 *
1460 * Returns: the alternative issuer name type on success, one of the
1461 * enumerated #gnutls_x509_subject_alt_name_t. It will return
1462 * %GNUTLS_E_SHORT_MEMORY_BUFFER if @ian_size is not large enough
1463 * to hold the value. In that case @ian_size will be updated with
1464 * the required size. If the certificate does not have an
1465 * Alternative name with the specified sequence number then
1466 * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned.
1467 *
1468 * Since: 2.10.0
1469 *
1470 **/
1471 int
1477 {
1480 }
1482 /**
1483 * gnutls_x509_crt_get_subject_alt_othername_oid:
1484 * @cert: should contain a #gnutls_x509_crt_t structure
1485 * @seq: specifies the sequence number of the alt name (0 for the first one, 1 for the second etc.)
1486 * @oid: is the place where the otherName OID will be copied to
1487 * @oid_size: holds the size of ret.
1488 *
1489 * This function will extract the type OID of an otherName Subject
1490 * Alternative Name, contained in the given certificate, and return
1491 * the type as an enumerated element.
1492 *
1493 * This function is only useful if
1494 * gnutls_x509_crt_get_subject_alt_name() returned
1495 * %GNUTLS_SAN_OTHERNAME.
1496 *
1497 * If @oid is null then only the size will be filled. The @oid
1498 * returned will be null terminated, although @oid_size will not
1499 * account for the trailing null.
1500 *
1501 * Returns: the alternative subject name type on success, one of the
1502 * enumerated gnutls_x509_subject_alt_name_t. For supported OIDs, it
1503 * will return one of the virtual (GNUTLS_SAN_OTHERNAME_*) types,
1504 * e.g. %GNUTLS_SAN_OTHERNAME_XMPP, and %GNUTLS_SAN_OTHERNAME for
1505 * unknown OIDs. It will return %GNUTLS_E_SHORT_MEMORY_BUFFER if
1506 * @ian_size is not large enough to hold the value. In that case
1507 * @ian_size will be updated with the required size. If the
1508 * certificate does not have an Alternative name with the specified
1509 * sequence number and with the otherName type then
1510 * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned.
1511 **/
1512 int
1516 {
1518 }
1520 /**
1521 * gnutls_x509_crt_get_issuer_alt_othername_oid:
1522 * @cert: should contain a #gnutls_x509_crt_t structure
1523 * @seq: specifies the sequence number of the alt name (0 for the first one, 1 for the second etc.)
1524 * @ret: is the place where the otherName OID will be copied to
1525 * @ret_size: holds the size of ret.
1526 *
1527 * This function will extract the type OID of an otherName Subject
1528 * Alternative Name, contained in the given certificate, and return
1529 * the type as an enumerated element.
1530 *
1531 * If @oid is null then only the size will be filled. The @oid
1532 * returned will be null terminated, although @oid_size will not
1533 * account for the trailing null.
1534 *
1535 * This function is only useful if
1536 * gnutls_x509_crt_get_issuer_alt_name() returned
1537 * %GNUTLS_SAN_OTHERNAME.
1538 *
1539 * Returns: the alternative issuer name type on success, one of the
1540 * enumerated gnutls_x509_subject_alt_name_t. For supported OIDs, it
1541 * will return one of the virtual (GNUTLS_SAN_OTHERNAME_*) types,
1542 * e.g. %GNUTLS_SAN_OTHERNAME_XMPP, and %GNUTLS_SAN_OTHERNAME for
1543 * unknown OIDs. It will return %GNUTLS_E_SHORT_MEMORY_BUFFER if
1544 * @ret_size is not large enough to hold the value. In that case
1545 * @ret_size will be updated with the required size. If the
1546 * certificate does not have an Alternative name with the specified
1547 * sequence number and with the otherName type then
1548 * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned.
1549 *
1550 * Since: 2.10.0
1551 **/
1552 int
1556 {
1558 }
1560 /**
1561 * gnutls_x509_crt_get_basic_constraints:
1562 * @cert: should contain a #gnutls_x509_crt_t structure
1563 * @critical: will be non-zero if the extension is marked as critical
1564 * @ca: pointer to output integer indicating CA status, may be NULL,
1565 * value is 1 if the certificate CA flag is set, 0 otherwise.
1566 * @pathlen: pointer to output integer indicating path length (may be
1567 * NULL), non-negative error codes indicate a present pathLenConstraint
1568 * field and the actual value, -1 indicate that the field is absent.
1569 *
1570 * This function will read the certificate's basic constraints, and
1571 * return the certificates CA status. It reads the basicConstraints
1572 * X.509 extension (2.5.29.19).
1573 *
1574 * Returns: If the certificate is a CA a positive value will be
1575 * returned, or (0) if the certificate does not have CA flag set. A
1576 * negative error code may be returned in case of errors. If the
1577 * certificate does not contain the basicConstraints extension
1578 * GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.
1579 **/
1580 int
1584 {
1586 gnutls_datum_t basicConstraints;
1590 {
1593 }
1598 {
1600 }
1603 {
1606 }
1608 result =
1610 pathlen,
1618 {
1621 }
1624 }
1626 /**
1627 * gnutls_x509_crt_get_ca_status:
1628 * @cert: should contain a #gnutls_x509_crt_t structure
1629 * @critical: will be non-zero if the extension is marked as critical
1630 *
1631 * This function will return certificates CA status, by reading the
1632 * basicConstraints X.509 extension (2.5.29.19). If the certificate is
1633 * a CA a positive value will be returned, or (0) if the certificate
1634 * does not have CA flag set.
1635 *
1636 * Use gnutls_x509_crt_get_basic_constraints() if you want to read the
1637 * pathLenConstraint field too.
1638 *
1639 * Returns: A negative error code may be returned in case of parsing error.
1640 * If the certificate does not contain the basicConstraints extension
1641 * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.
1642 **/
1643 int
1645 {
1650 }
1652 /**
1653 * gnutls_x509_crt_get_key_usage:
1654 * @cert: should contain a #gnutls_x509_crt_t structure
1655 * @key_usage: where the key usage bits will be stored
1656 * @critical: will be non-zero if the extension is marked as critical
1657 *
1658 * This function will return certificate's key usage, by reading the
1659 * keyUsage X.509 extension (2.5.29.15). The key usage value will ORed
1660 * values of the: %GNUTLS_KEY_DIGITAL_SIGNATURE,
1661 * %GNUTLS_KEY_NON_REPUDIATION, %GNUTLS_KEY_KEY_ENCIPHERMENT,
1662 * %GNUTLS_KEY_DATA_ENCIPHERMENT, %GNUTLS_KEY_KEY_AGREEMENT,
1663 * %GNUTLS_KEY_KEY_CERT_SIGN, %GNUTLS_KEY_CRL_SIGN,
1664 * %GNUTLS_KEY_ENCIPHER_ONLY, %GNUTLS_KEY_DECIPHER_ONLY.
1665 *
1666 * Returns: the certificate key usage, or a negative error code in case of
1667 * parsing error. If the certificate does not contain the keyUsage
1668 * extension %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be
1669 * returned.
1670 **/
1671 int
1675 {
1677 gnutls_datum_t keyUsage;
1681 {
1684 }
1689 {
1691 }
1694 {
1697 }
1706 {
1709 }
1712 }
1714 /**
1715 * gnutls_x509_crt_get_proxy:
1716 * @cert: should contain a #gnutls_x509_crt_t structure
1717 * @critical: will be non-zero if the extension is marked as critical
1718 * @pathlen: pointer to output integer indicating path length (may be
1719 * NULL), non-negative error codes indicate a present pCPathLenConstraint
1720 * field and the actual value, -1 indicate that the field is absent.
1721 * @policyLanguage: output variable with OID of policy language
1722 * @policy: output variable with policy data
1723 * @sizeof_policy: output variable size of policy data
1724 *
1725 * This function will get information from a proxy certificate. It
1726 * reads the ProxyCertInfo X.509 extension (1.3.6.1.5.5.7.1.14).
1727 *
1728 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
1729 * otherwise a negative error code is returned.
1730 **/
1731 int
1737 {
1739 gnutls_datum_t proxyCertInfo;
1742 {
1745 }
1750 {
1752 }
1755 {
1758 }
1761 policyLanguage,
1762 policy,
1763 sizeof_policy,
1768 {
1771 }
1774 }
1776 /**
1777 * gnutls_x509_policy_release:
1778 * @policy: a certificate policy
1779 *
1780 * This function will deinitialize all memory associated with the provided
1781 * @policy. The policy is allocated using gnutls_x509_crt_get_policy().
1782 *
1783 * Since: 3.1.5
1784 **/
1786 {
1792 }
1795 {
1802 ret = asn1_create_element
1805 {
1809 }
1813 {
1817 }
1822 {
1826 }
1830 {
1834 }
1840 {
1843 }
1850 {
1853 }
1857 }
1858 else
1859 {
1860 /* _gnutls_x509_read_value allows that */
1862 }
1868 cleanup:
1872 }
1874 /**
1875 * gnutls_x509_crt_get_policy:
1876 * @cert: should contain a #gnutls_x509_crt_t structure
1877 * @indx: This specifies which policy to return. Use (0) to get the first one.
1878 * @policy: A pointer to a policy structure.
1879 * @critical: will be non-zero if the extension is marked as critical
1880 *
1881 * This function will extract the certificate policy (extension 2.5.29.32)
1882 * specified by the given index.
1883 *
1884 * The policy returned by this function must be deinitialized by using
1885 * gnutls_x509_policy_release().
1886 *
1887 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
1888 * if the extension is not present, otherwise a negative error value.
1889 *
1890 * Since: 3.1.5
1891 **/
1892 int
1896 {
1905 {
1908 }
1915 {
1917 }
1920 {
1923 }
1925 ret = asn1_create_element
1928 {
1932 }
1936 {
1940 }
1943 indx++;
1944 /* create a string like "?1"
1945 */
1954 {
1957 }
1962 {
1963 gnutls_datum_t td;
1974 {
1978 }
1981 {
1986 {
1989 }
1995 }
1997 {
1998 gnutls_datum_t txt;
2004 {
2007 }
2014 {
2017 }
2022 }
2023 else
2028 }
2033 full_cleanup:
2036 cleanup:
2040 }
2043 /**
2044 * gnutls_x509_crt_get_extension_by_oid:
2045 * @cert: should contain a #gnutls_x509_crt_t structure
2046 * @oid: holds an Object Identified in null terminated string
2047 * @indx: In case multiple same OIDs exist in the extensions, this specifies which to send. Use (0) to get the first one.
2048 * @buf: a pointer to a structure to hold the name (may be null)
2049 * @buf_size: initially holds the size of @buf
2050 * @critical: will be non-zero if the extension is marked as critical
2051 *
2052 * This function will return the extension specified by the OID in the
2053 * certificate. The extensions will be returned as binary data DER
2054 * encoded, in the provided buffer.
2055 *
2056 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
2057 * otherwise a negative error code is returned. If the certificate does not
2058 * contain the specified extension
2059 * GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.
2060 **/
2061 int
2066 {
2068 gnutls_datum_t output;
2071 {
2074 }
2079 {
2082 }
2085 {
2088 }
2091 {
2095 }
2106 }
2108 /**
2109 * gnutls_x509_crt_get_extension_oid:
2110 * @cert: should contain a #gnutls_x509_crt_t structure
2111 * @indx: Specifies which extension OID to send. Use (0) to get the first one.
2112 * @oid: a pointer to a structure to hold the OID (may be null)
2113 * @oid_size: initially holds the size of @oid
2114 *
2115 * This function will return the requested extension OID in the certificate.
2116 * The extension OID will be stored as a string in the provided buffer.
2117 *
2118 * The @oid returned will be null terminated, although @oid_size will not
2119 * account for the trailing null.
2120 *
2121 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
2122 * otherwise a negative error code is returned. If you have reached the
2123 * last extension available %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
2124 * will be returned.
2125 **/
2126 int
2129 {
2133 {
2136 }
2140 {
2142 }
2146 }
2148 /**
2149 * gnutls_x509_crt_get_extension_info:
2150 * @cert: should contain a #gnutls_x509_crt_t structure
2151 * @indx: Specifies which extension OID to send. Use (0) to get the first one.
2152 * @oid: a pointer to a structure to hold the OID
2153 * @oid_size: initially holds the maximum size of @oid, on return
2154 * holds actual size of @oid.
2155 * @critical: output variable with critical flag, may be NULL.
2156 *
2157 * This function will return the requested extension OID in the
2158 * certificate, and the critical flag for it. The extension OID will
2159 * be stored as a string in the provided buffer. Use
2160 * gnutls_x509_crt_get_extension_data() to extract the data.
2161 *
2162 * If the buffer provided is not long enough to hold the output, then
2163 * @oid_size is updated and %GNUTLS_E_SHORT_MEMORY_BUFFER will be
2164 * returned. The @oid returned will be null terminated, although
2165 * @oid_size will not account for the trailing null.
2166 *
2167 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
2168 * otherwise a negative error code is returned. If you have reached the
2169 * last extension available %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
2170 * will be returned.
2171 **/
2172 int
2176 {
2183 {
2186 }
2198 {
2201 }
2208 {
2211 }
2214 {
2217 else
2219 }
2223 }
2225 /**
2226 * gnutls_x509_crt_get_extension_data:
2227 * @cert: should contain a #gnutls_x509_crt_t structure
2228 * @indx: Specifies which extension OID to send. Use (0) to get the first one.
2229 * @data: a pointer to a structure to hold the data (may be null)
2230 * @sizeof_data: initially holds the size of @oid
2231 *
2232 * This function will return the requested extension data in the
2233 * certificate. The extension data will be stored as a string in the
2234 * provided buffer.
2235 *
2236 * Use gnutls_x509_crt_get_extension_info() to extract the OID and
2237 * critical flag. Use gnutls_x509_crt_get_extension_by_oid() instead,
2238 * if you want to get data indexed by the extension OID rather than
2239 * sequence.
2240 *
2241 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
2242 * otherwise a negative error code is returned. If you have reached the
2243 * last extension available %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
2244 * will be returned.
2245 **/
2246 int
2249 {
2254 {
2257 }
2269 {
2272 }
2275 }
2277 static int
2280 {
2286 /* get the issuer of 'cert'
2287 */
2291 {
2294 }
2296 result =
2299 {
2302 }
2306 {
2311 }
2313 result =
2318 {
2322 }
2330 cleanup:
2334 }
2336 /**
2337 * gnutls_x509_crt_get_raw_issuer_dn:
2338 * @cert: should contain a #gnutls_x509_crt_t structure
2339 * @start: will hold the starting point of the DN
2340 *
2341 * This function will return a pointer to the DER encoded DN structure
2342 * and the length. This points to allocated data that must be free'd using gnutls_free().
2343 *
2344 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
2345 * negative error value.or a negative error code on error.
2346 *
2347 **/
2348 int
2351 {
2353 }
2355 /**
2356 * gnutls_x509_crt_get_raw_dn:
2357 * @cert: should contain a #gnutls_x509_crt_t structure
2358 * @start: will hold the starting point of the DN
2359 *
2360 * This function will return a pointer to the DER encoded DN structure and
2361 * the length. This points to allocated data that must be free'd using gnutls_free().
2362 *
2363 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
2364 * negative error value. or a negative error code on error.
2365 *
2366 **/
2367 int
2369 {
2371 }
2373 static int
2375 {
2380 }
2382 /**
2383 * gnutls_x509_crt_get_subject:
2384 * @cert: should contain a #gnutls_x509_crt_t structure
2385 * @dn: output variable with pointer to uint8_t DN.
2386 *
2387 * Return the Certificate's Subject DN as a %gnutls_x509_dn_t data type,
2388 * that can be decoded using gnutls_x509_dn_get_rdn_ava().
2389 *
2390 * Note that @dn should be treated as constant. Because it points
2391 * into the @cert object, you should not use @dn after @cert is
2392 * deallocated.
2393 *
2394 * Returns: Returns 0 on success, or an error code.
2395 **/
2396 int
2398 {
2400 }
2402 /**
2403 * gnutls_x509_crt_get_issuer:
2404 * @cert: should contain a #gnutls_x509_crt_t structure
2405 * @dn: output variable with pointer to uint8_t DN
2406 *
2407 * Return the Certificate's Issuer DN as a %gnutls_x509_dn_t data type,
2408 * that can be decoded using gnutls_x509_dn_get_rdn_ava().
2409 *
2410 * Note that @dn should be treated as constant. Because it points
2411 * into the @cert object, you should not use @dn after @cert is
2412 * deallocated.
2413 *
2414 * Returns: Returns 0 on success, or an error code.
2415 **/
2416 int
2418 {
2420 }
2422 /**
2423 * gnutls_x509_dn_get_rdn_ava:
2424 * @dn: a pointer to DN
2425 * @irdn: index of RDN
2426 * @iava: index of AVA.
2427 * @ava: Pointer to structure which will hold output information.
2428 *
2429 * Get pointers to data within the DN. The format of the @ava structure
2430 * is shown below.
2431 *
2432 * struct gnutls_x509_ava_st {
2433 * gnutls_datum_t oid;
2434 * gnutls_datum_t value;
2435 * unsigned long value_tag;
2436 * };
2437 *
2438 * The X.509 distinguished name is a sequence of sequences of strings
2439 * and this is what the @irdn and @iava indexes model.
2440 *
2441 * Note that @ava will contain pointers into the @dn structure which
2442 * in turns points to the original certificate. Thus you should not
2443 * modify any data or deallocate any of those.
2444 *
2445 * This is a low-level function that requires the caller to do the
2446 * value conversions when necessary (e.g. from UCS-2).
2447 *
2448 * Returns: Returns 0 on success, or an error code.
2449 **/
2450 int
2453 {
2455 ASN1_DATA_NODE vnode;
2462 iava++;
2468 {
2471 }
2476 {
2479 }
2483 {
2486 }
2494 {
2497 }
2501 {
2504 }
2505 /* The value still has the previous tag's length bytes, plus the
2506 * current value's tag and length bytes. Decode them.
2507 */
2513 {
2516 }
2522 {
2525 }
2530 {
2535 {
2538 }
2540 }
2544 }
2546 /**
2547 * gnutls_x509_crt_get_fingerprint:
2548 * @cert: should contain a #gnutls_x509_crt_t structure
2549 * @algo: is a digest algorithm
2550 * @buf: a pointer to a structure to hold the fingerprint (may be null)
2551 * @buf_size: initially holds the size of @buf
2552 *
2553 * This function will calculate and copy the certificate's fingerprint
2554 * in the provided buffer.
2555 *
2556 * If the buffer is null then only the size will be filled.
2557 *
2558 * Returns: %GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is
2559 * not long enough, and in that case the *buf_size will be updated
2560 * with the required size. On success 0 is returned.
2561 **/
2562 int
2564 gnutls_digest_algorithm_t algo,
2566 {
2570 gnutls_datum_t tmp;
2573 {
2575 }
2582 {
2585 }
2590 {
2594 }
2603 }
2605 /**
2606 * gnutls_x509_crt_export:
2607 * @cert: Holds the certificate
2608 * @format: the format of output params. One of PEM or DER.
2609 * @output_data: will contain a certificate PEM or DER encoded
2610 * @output_data_size: holds the size of output_data (and will be
2611 * replaced by the actual size of parameters)
2612 *
2613 * This function will export the certificate to DER or PEM format.
2614 *
2615 * If the buffer provided is not long enough to hold the output, then
2616 * *output_data_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will
2617 * be returned.
2618 *
2619 * If the structure is PEM encoded, it will have a header
2620 * of "BEGIN CERTIFICATE".
2621 *
2622 * Returns: In case of failure a negative error code will be
2623 * returned, and 0 on success.
2624 **/
2625 int
2629 {
2631 {
2634 }
2638 }
2640 /**
2641 * gnutls_x509_crt_export2:
2642 * @cert: Holds the certificate
2643 * @format: the format of output params. One of PEM or DER.
2644 * @out: will contain a certificate PEM or DER encoded
2645 *
2646 * This function will export the certificate to DER or PEM format.
2647 * The output buffer is allocated using gnutls_malloc().
2648 *
2649 * If the structure is PEM encoded, it will have a header
2650 * of "BEGIN CERTIFICATE".
2651 *
2652 * Returns: In case of failure a negative error code will be
2653 * returned, and 0 on success.
2654 *
2655 * Since: 3.1
2656 **/
2657 int
2660 {
2662 {
2665 }
2668 }
2670 int
2674 {
2681 {
2685 }
2693 {
2696 }
2701 cleanup:
2705 }
2707 /**
2708 * gnutls_x509_crt_get_key_id:
2709 * @crt: Holds the certificate
2710 * @flags: should be 0 for now
2711 * @output_data: will contain the key ID
2712 * @output_data_size: holds the size of output_data (and will be
2713 * replaced by the actual size of parameters)
2714 *
2715 * This function will return a unique ID that depends on the public
2716 * key parameters. This ID can be used in checking whether a
2717 * certificate corresponds to the given private key.
2718 *
2719 * If the buffer provided is not long enough to hold the output, then
2720 * *output_data_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will
2721 * be returned. The output will normally be a SHA-1 hash output,
2722 * which is 20 bytes.
2723 *
2724 * Returns: In case of failure a negative error code will be
2725 * returned, and 0 on success.
2726 **/
2727 int
2731 {
2733 gnutls_pk_params_st params;
2736 {
2739 }
2743 {
2746 }
2750 {
2753 }
2760 }
2763 /* This is exactly as gnutls_x509_crt_check_revocation() except that
2764 * it calls func.
2765 */
2766 int
2770 gnutls_verify_output_function func)
2771 {
2779 {
2782 }
2787 /* Step 1. check if issuer's DN match
2788 */
2791 {
2794 }
2798 {
2801 }
2807 {
2808 /* issuers do not match so don't even
2809 * bother checking.
2810 */
2812 }
2814 /* Step 2. Read the certificate's serial number
2815 */
2819 {
2822 }
2824 /* Step 3. cycle through the CRL serials and compare with
2825 * certificate serial we have.
2826 */
2830 {
2833 }
2836 {
2838 ret =
2843 {
2846 }
2849 {
2851 {
2852 /* serials match */
2855 }
2856 }
2857 }
2860 }
2862 }
2865 /**
2866 * gnutls_x509_crt_check_revocation:
2867 * @cert: should contain a #gnutls_x509_crt_t structure
2868 * @crl_list: should contain a list of gnutls_x509_crl_t structures
2869 * @crl_list_length: the length of the crl_list
2870 *
2871 * This function will return check if the given certificate is
2872 * revoked. It is assumed that the CRLs have been verified before.
2873 *
2874 * Returns: 0 if the certificate is NOT revoked, and 1 if it is. A
2875 * negative error code is returned on error.
2876 **/
2877 int
2881 {
2883 }
2885 /**
2886 * gnutls_x509_crt_get_verify_algorithm:
2887 * @crt: Holds the certificate
2888 * @signature: contains the signature
2889 * @hash: The result of the call with the hash algorithm used for signature
2890 *
2891 * This function will read the certifcate and the signed data to
2892 * determine the hash algorithm used to generate the signature.
2893 *
2894 * Deprecated: Use gnutls_pubkey_get_verify_algorithm() instead.
2895 *
2896 * Returns: the 0 if the hash algorithm is found. A negative error code is
2897 * returned on error.
2898 *
2899 * Since: 2.8.0
2900 **/
2901 int
2905 {
2906 gnutls_pk_params_st issuer_params;
2910 {
2913 }
2917 {
2920 }
2923 signature,
2925 NULL),
2928 /* release allocated mpis */
2932 }
2936 /**
2937 * gnutls_x509_crt_get_preferred_hash_algorithm:
2938 * @crt: Holds the certificate
2939 * @hash: The result of the call with the hash algorithm used for signature
2940 * @mand: If non-zero it means that the algorithm MUST use this hash. May be NULL.
2941 *
2942 * This function will read the certifcate and return the appropriate digest
2943 * algorithm to use for signing with this certificate. Some certificates (i.e.
2944 * DSA might not be able to sign without the preferred algorithm).
2945 *
2946 * Deprecated: Please use gnutls_pubkey_get_preferred_hash_algorithm().
2947 *
2948 * Returns: the 0 if the hash algorithm is found. A negative error code is
2949 * returned on error.
2950 *
2951 * Since: 2.12.0
2952 **/
2953 int
2955 gnutls_digest_algorithm_t *
2957 {
2958 gnutls_pk_params_st issuer_params;
2962 {
2965 }
2969 {
2972 }
2974 ret =
2979 /* release allocated mpis */
2983 }
2985 /**
2986 * gnutls_x509_crt_verify_data:
2987 * @crt: Holds the certificate
2988 * @flags: should be 0 for now
2989 * @data: holds the data to be signed
2990 * @signature: contains the signature
2991 *
2992 * This function will verify the given signed data, using the
2993 * parameters from the certificate.
2994 *
2995 * Deprecated. Please use gnutls_pubkey_verify_data().
2996 *
2997 * Returns: In case of a verification failure %GNUTLS_E_PK_SIG_VERIFY_FAILED
2998 * is returned, and zero or positive code on success.
2999 **/
3000 int
3004 {
3008 {
3011 }
3015 {
3018 }
3021 }
3023 /**
3024 * gnutls_x509_crt_verify_hash:
3025 * @crt: Holds the certificate
3026 * @flags: should be 0 for now
3027 * @hash: holds the hash digest to be verified
3028 * @signature: contains the signature
3029 *
3030 * This function will verify the given signed digest, using the
3031 * parameters from the certificate.
3032 *
3033 * Deprecated. Please use gnutls_pubkey_verify_data2() or gnutls_pubkey_verify_hash2().
3034 *
3035 * Returns: In case of a verification failure %GNUTLS_E_PK_SIG_VERIFY_FAILED
3036 * is returned, and zero or positive code on success.
3037 **/
3038 int
3042 {
3043 gnutls_pk_params_st params;
3044 gnutls_digest_algorithm_t algo;
3048 {
3051 }
3057 /* Read the MPI parameters from the issuer's certificate.
3058 */
3059 ret =
3062 {
3065 }
3067 ret =
3071 {
3073 }
3075 /* release all allocated MPIs
3076 */
3080 }
3082 /**
3083 * gnutls_x509_crt_get_crl_dist_points:
3084 * @cert: should contain a #gnutls_x509_crt_t structure
3085 * @seq: specifies the sequence number of the distribution point (0 for the first one, 1 for the second etc.)
3086 * @ret: is the place where the distribution point will be copied to
3087 * @ret_size: holds the size of ret.
3088 * @reason_flags: Revocation reasons. An ORed sequence of flags from %gnutls_x509_crl_reason_flags_t.
3089 * @critical: will be non-zero if the extension is marked as critical (may be null)
3090 *
3091 * This function retrieves the CRL distribution points (2.5.29.31),
3092 * contained in the given certificate in the X509v3 Certificate
3093 * Extensions.
3094 *
3095 * Returns: %GNUTLS_E_SHORT_MEMORY_BUFFER and updates @ret_size if
3096 * @ret_size is not enough to hold the distribution point, or the
3097 * type of the distribution point if everything was ok. The type is
3098 * one of the enumerated %gnutls_x509_subject_alt_name_t. If the
3099 * certificate does not have an Alternative name with the specified
3100 * sequence number then %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is
3101 * returned.
3102 **/
3103 int
3109 {
3115 gnutls_x509_subject_alt_name_t type;
3119 {
3122 }
3126 else
3132 result =
3134 critical);
3136 {
3138 }
3141 {
3144 }
3146 result = asn1_create_element
3149 {
3153 }
3159 {
3163 }
3165 /* Return the different names from the first CRLDistr. point.
3166 * The whole thing is a mess.
3167 */
3172 {
3175 }
3180 /* Read the CRL reasons.
3181 */
3183 {
3192 {
3196 }
3199 }
3204 }
3206 /**
3207 * gnutls_x509_crt_get_key_purpose_oid:
3208 * @cert: should contain a #gnutls_x509_crt_t structure
3209 * @indx: This specifies which OID to return. Use (0) to get the first one.
3210 * @oid: a pointer to a buffer to hold the OID (may be null)
3211 * @oid_size: initially holds the size of @oid
3212 * @critical: output flag to indicate criticality of extension
3213 *
3214 * This function will extract the key purpose OIDs of the Certificate
3215 * specified by the given index. These are stored in the Extended Key
3216 * Usage extension (2.5.29.37) See the GNUTLS_KP_* definitions for
3217 * human readable names.
3218 *
3219 * If @oid is null then only the size will be filled. The @oid
3220 * returned will be null terminated, although @oid_size will not
3221 * account for the trailing null.
3222 *
3223 * Returns: %GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is
3224 * not long enough, and in that case the *oid_size will be updated
3225 * with the required size. On success 0 is returned.
3226 **/
3227 int
3231 {
3234 gnutls_datum_t id;
3238 {
3241 }
3245 else
3251 {
3253 }
3256 {
3259 }
3261 result = asn1_create_element
3264 {
3268 }
3274 {
3278 }
3280 indx++;
3281 /* create a string like "?1"
3282 */
3292 {
3294 }
3297 {
3300 }
3304 }
3306 /**
3307 * gnutls_x509_crt_get_pk_rsa_raw:
3308 * @crt: Holds the certificate
3309 * @m: will hold the modulus
3310 * @e: will hold the public exponent
3311 *
3312 * This function will export the RSA public key's parameters found in
3313 * the given structure. The new parameters will be allocated using
3314 * gnutls_malloc() and will be stored in the appropriate datum.
3315 *
3316 * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
3317 **/
3318 int
3321 {
3323 gnutls_pk_params_st params;
3326 {
3329 }
3333 {
3336 }
3340 {
3343 }
3347 {
3350 }
3354 {
3358 }
3362 cleanup:
3365 }
3367 /**
3368 * gnutls_x509_crt_get_pk_dsa_raw:
3369 * @crt: Holds the certificate
3370 * @p: will hold the p
3371 * @q: will hold the q
3372 * @g: will hold the g
3373 * @y: will hold the y
3374 *
3375 * This function will export the DSA public key's parameters found in
3376 * the given certificate. The new parameters will be allocated using
3377 * gnutls_malloc() and will be stored in the appropriate datum.
3378 *
3379 * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
3380 **/
3381 int
3385 {
3387 gnutls_pk_params_st params;
3390 {
3393 }
3397 {
3400 }
3404 {
3407 }
3410 /* P */
3413 {
3416 }
3418 /* Q */
3421 {
3425 }
3428 /* G */
3431 {
3436 }
3439 /* Y */
3442 {
3448 }
3452 cleanup:
3456 }
3458 /**
3459 * gnutls_x509_crt_list_import2:
3460 * @certs: The structures to store the parsed certificate. Must not be initialized.
3461 * @size: It will contain the size of the list.
3462 * @data: The PEM encoded certificate.
3463 * @format: One of DER or PEM.
3464 * @flags: must be (0) or an OR'd sequence of gnutls_certificate_import_flags.
3465 *
3466 * This function will convert the given PEM encoded certificate list
3467 * to the native gnutls_x509_crt_t format. The output will be stored
3468 * in @certs which will be initialized.
3469 *
3470 * If the Certificate is PEM encoded it should have a header of "X509
3471 * CERTIFICATE", or "CERTIFICATE".
3472 *
3473 * Returns: the number of certificates read or a negative error value.
3474 *
3475 * Since: 3.0
3476 **/
3477 int
3482 {
3488 {
3491 }
3493 ret = gnutls_x509_crt_list_import(*certs, &init, data, format, GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED);
3495 {
3498 {
3501 }
3504 }
3507 {
3511 }
3515 }
3518 {
3524 /* check if the X.509 list is ordered */
3526 {
3529 {
3531 {
3535 {
3538 }
3541 {
3544 }
3545 }
3550 {
3553 }
3554 }
3555 }
3559 cleanup:
3561 }
3564 /**
3565 * gnutls_x509_crt_list_import:
3566 * @certs: The structures to store the parsed certificate. Must not be initialized.
3567 * @cert_max: Initially must hold the maximum number of certs. It will be updated with the number of certs available.
3568 * @data: The PEM encoded certificate.
3569 * @format: One of DER or PEM.
3570 * @flags: must be (0) or an OR'd sequence of gnutls_certificate_import_flags.
3571 *
3572 * This function will convert the given PEM encoded certificate list
3573 * to the native gnutls_x509_crt_t format. The output will be stored
3574 * in @certs. They will be automatically initialized.
3575 *
3576 * The flag %GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED will cause
3577 * import to fail if the certificates in the provided buffer are more
3578 * than the available structures. The %GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED
3579 * flag will cause the function to fail if the provided list is not
3580 * sorted from subject to issuer.
3581 *
3582 * If the Certificate is PEM encoded it should have a header of "X509
3583 * CERTIFICATE", or "CERTIFICATE".
3584 *
3585 * Returns: the number of certificates read or a negative error value.
3586 **/
3587 int
3592 {
3595 gnutls_datum_t tmp;
3600 {
3602 {
3605 }
3611 {
3614 }
3618 {
3621 }
3625 }
3627 /* move to the certificate
3628 */
3640 do
3641 {
3643 {
3646 else
3648 }
3651 {
3654 {
3657 }
3662 ret =
3665 {
3668 }
3669 }
3671 /* now we move ptr after the pem header
3672 */
3673 ptr++;
3674 /* find the next certificate (if any)
3675 */
3679 {
3688 }
3689 else
3692 count++;
3693 }
3699 {
3702 {
3705 }
3706 }
3710 else
3713 error:
3717 }
3719 /**
3720 * gnutls_x509_crt_get_subject_unique_id:
3721 * @crt: Holds the certificate
3722 * @buf: user allocated memory buffer, will hold the unique id
3723 * @buf_size: size of user allocated memory buffer (on input), will hold
3724 * actual size of the unique ID on return.
3725 *
3726 * This function will extract the subjectUniqueID value (if present) for
3727 * the given certificate.
3728 *
3729 * If the user allocated memory buffer is not large enough to hold the
3730 * full subjectUniqueID, then a GNUTLS_E_SHORT_MEMORY_BUFFER error will be
3731 * returned, and buf_size will be set to the actual length.
3732 *
3733 * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
3734 **/
3735 int
3738 {
3742 result =
3751 }
3752 else
3753 {
3756 }
3761 }
3763 /**
3764 * gnutls_x509_crt_get_issuer_unique_id:
3765 * @crt: Holds the certificate
3766 * @buf: user allocated memory buffer, will hold the unique id
3767 * @buf_size: size of user allocated memory buffer (on input), will hold
3768 * actual size of the unique ID on return.
3769 *
3770 * This function will extract the issuerUniqueID value (if present) for
3771 * the given certificate.
3772 *
3773 * If the user allocated memory buffer is not large enough to hold the
3774 * full subjectUniqueID, then a GNUTLS_E_SHORT_MEMORY_BUFFER error will be
3775 * returned, and buf_size will be set to the actual length.
3776 *
3777 * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
3778 *
3779 * Since: 2.12.0
3780 **/
3781 int
3784 {
3788 result =
3797 }
3798 else
3799 {
3802 }
3807 }
3809 static int
3814 {
3818 gnutls_datum_t d;
3823 {
3834 /* fall through */
3839 {
3849 {
3852 }
3855 }
3856 /* fall through */
3865 }
3873 {
3876 }
3886 {
3890 }
3893 {
3896 }
3897 else
3901 }
3903 /**
3904 * gnutls_x509_crt_get_authority_info_access:
3905 * @crt: Holds the certificate
3906 * @seq: specifies the sequence number of the access descriptor (0 for the first one, 1 for the second etc.)
3907 * @what: what data to get, a #gnutls_info_access_what_t type.
3908 * @data: output data to be freed with gnutls_free().
3909 * @critical: pointer to output integer that is set to non-0 if the extension is marked as critical (may be %NULL)
3910 *
3911 * This function extracts the Authority Information Access (AIA)
3912 * extension, see RFC 5280 section 4.2.2.1 for more information. The
3913 * AIA extension holds a sequence of AccessDescription (AD) data:
3914 *
3915 * <informalexample><programlisting>
3916 * AuthorityInfoAccessSyntax ::=
3917 * SEQUENCE SIZE (1..MAX) OF AccessDescription
3918 *
3919 * AccessDescription ::= SEQUENCE {
3920 * accessMethod OBJECT IDENTIFIER,
3921 * accessLocation GeneralName }
3922 * </programlisting></informalexample>
3923 *
3924 * The @seq input parameter is used to indicate which member of the
3925 * sequence the caller is interested in. The first member is 0, the
3926 * second member 1 and so on. When the @seq value is out of bounds,
3927 * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned.
3928 *
3929 * The type of data returned in @data is specified via @what which
3930 * should be #gnutls_info_access_what_t values.
3931 *
3932 * If @what is %GNUTLS_IA_ACCESSMETHOD_OID then @data will hold the
3933 * accessMethod OID (e.g., "1.3.6.1.5.5.7.48.1").
3934 *
3935 * If @what is %GNUTLS_IA_ACCESSLOCATION_GENERALNAME_TYPE, @data will
3936 * hold the accessLocation GeneralName type (e.g.,
3937 * "uniformResourceIdentifier").
3938 *
3939 * If @what is %GNUTLS_IA_URI, @data will hold the accessLocation URI
3940 * data. Requesting this @what value leads to an error if the
3941 * accessLocation is not of the "uniformResourceIdentifier" type.
3942 *
3943 * If @what is %GNUTLS_IA_OCSP_URI, @data will hold the OCSP URI.
3944 * Requesting this @what value leads to an error if the accessMethod
3945 * is not 1.3.6.1.5.5.7.48.1 aka OSCP, or if accessLocation is not of
3946 * the "uniformResourceIdentifier" type.
3947 *
3948 * If @what is %GNUTLS_IA_CAISSUERS_URI, @data will hold the caIssuers
3949 * URI. Requesting this @what value leads to an error if the
3950 * accessMethod is not 1.3.6.1.5.5.7.48.2 aka caIssuers, or if
3951 * accessLocation is not of the "uniformResourceIdentifier" type.
3952 *
3953 * More @what values may be allocated in the future as needed.
3954 *
3955 * If @data is NULL, the function does the same without storing the
3956 * output data, that is, it will set @critical and do error checking
3957 * as usual.
3958 *
3959 * The value of the critical flag is returned in *@critical. Supply a
3960 * NULL @critical if you want the function to make sure the extension
3961 * is non-critical, as required by RFC 5280.
3962 *
3963 * Returns: %GNUTLS_E_SUCCESS on success, %GNUTLS_E_INVALID_REQUEST on
3964 * invalid @crt, %GNUTLS_E_CONSTRAINT_ERROR if the extension is
3965 * incorrectly marked as critical (use a non-NULL @critical to
3966 * override), %GNUTLS_E_UNKNOWN_ALGORITHM if the requested OID does
3967 * not match (e.g., when using %GNUTLS_IA_OCSP_URI), otherwise a
3968 * negative error code.
3969 *
3970 * Since: 3.0
3971 **/
3972 int
3978 {
3980 gnutls_datum_t aia;
3984 {
3987 }
3994 {
3997 }
4005 {
4009 }
4012 /* asn1_print_structure (stdout, c2, "", ASN1_PRINT_ALL); */
4015 {
4019 }
4028 }
4030 /**
4031 * gnutls_x509_crt_set_pin_function:
4032 * @crt: The certificate structure
4033 * @fn: the callback
4034 * @userdata: data associated with the callback
4035 *
4036 * This function will set a callback function to be used when
4037 * it is required to access a protected object. This function overrides
4038 * the global function set using gnutls_pkcs11_set_pin_function().
4039 *
4040 * Note that this callback is currently used only during the import
4041 * of a PKCS #11 certificate with gnutls_x509_crt_import_pkcs11_url().
4042 *
4043 * Since: 3.1.0
4044 *
4045 **/
4048 {
4051 }