2 * Copyright (C) 2002, 2003, 2004, 2005, 2007, 2008, 2010 Free Software
5 * Author: Nikos Mavrogiannopoulos
7 * This file is part of GNUTLS-EXTRA.
9 * GNUTLS-EXTRA is free software: you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation, either version 3 of the License, or
12 * (at your option) any later version.
14 * GNUTLS-EXTRA is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
19 * You should have received a copy of the GNU General Public License
20 * along with this program. If not, see <http://www.gnu.org/licenses/>.
23 /* This file includes all functions that were in the 0.5.x and 0.8.x
24 * gnutls API. They are now implemented over the new certificate parsing
28 #include "gnutls_int.h"
30 #include <gnutls_global.h>
31 #include <gnutls_errors.h>
32 #include <string.h> /* memset */
33 #include <x509/x509_int.h>
35 #include <gnutls/x509.h>
36 #include <openssl_compat.h>
39 * gnutls_x509_extract_dn - This function parses an RDN sequence
40 * @idn: should contain a DER encoded RDN sequence
41 * @rdn: a pointer to a structure to hold the name
43 * This function will return the name of the given RDN sequence.
44 * The name will be returned as a gnutls_x509_dn structure.
45 * Returns a negative error code in case of an error.
49 gnutls_x509_extract_dn (const gnutls_datum_t
* idn
, gnutls_x509_dn
* rdn
)
51 ASN1_TYPE dn
= ASN1_TYPE_EMPTY
;
56 asn1_create_element (_gnutls_get_pkix (),
57 "PKIX1.Name", &dn
)) != ASN1_SUCCESS
)
59 return _gnutls_asn2err (result
);
62 result
= asn1_der_decoding (&dn
, idn
->data
, idn
->size
, NULL
);
63 if (result
!= ASN1_SUCCESS
)
65 /* couldn't decode DER */
66 asn1_delete_structure (&dn
);
67 return _gnutls_asn2err (result
);
70 memset (rdn
, 0, sizeof (gnutls_x509_dn
));
72 len
= sizeof (rdn
->country
);
73 _gnutls_x509_parse_dn_oid (dn
, "", GNUTLS_OID_X520_COUNTRY_NAME
, 0, 0,
76 len
= sizeof (rdn
->organization
);
77 _gnutls_x509_parse_dn_oid (dn
, "", GNUTLS_OID_X520_ORGANIZATION_NAME
, 0,
78 0, rdn
->organization
, &len
);
80 len
= sizeof (rdn
->organizational_unit_name
);
81 _gnutls_x509_parse_dn_oid (dn
, "",
82 GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME
, 0,
83 0, rdn
->organizational_unit_name
, &len
);
85 len
= sizeof (rdn
->common_name
);
86 _gnutls_x509_parse_dn_oid (dn
, "", GNUTLS_OID_X520_COMMON_NAME
, 0, 0,
87 rdn
->common_name
, &len
);
89 len
= sizeof (rdn
->locality_name
);
90 _gnutls_x509_parse_dn_oid (dn
, "", GNUTLS_OID_X520_LOCALITY_NAME
, 0, 0,
91 rdn
->locality_name
, &len
);
93 len
= sizeof (rdn
->state_or_province_name
);
94 _gnutls_x509_parse_dn_oid (dn
, "",
95 GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME
, 0, 0,
96 rdn
->state_or_province_name
, &len
);
98 len
= sizeof (rdn
->email
);
99 _gnutls_x509_parse_dn_oid (dn
, "", GNUTLS_OID_PKCS9_EMAIL
, 0, 0,
102 asn1_delete_structure (&dn
);
108 * gnutls_x509_extract_certificate_dn - This function returns the certificate's distinguished name
109 * @cert: should contain an X.509 DER encoded certificate
110 * @ret: a pointer to a structure to hold the peer's name
112 * This function will return the name of the certificate holder. The name is gnutls_x509_dn structure and
113 * is a obtained by the peer's certificate. If the certificate send by the
114 * peer is invalid, or in any other failure this function returns error.
115 * Returns a negative error code in case of an error.
119 gnutls_x509_extract_certificate_dn (const gnutls_datum_t
* cert
,
120 gnutls_x509_dn
* ret
)
122 gnutls_x509_crt_t xcert
;
126 result
= gnutls_x509_crt_init (&xcert
);
130 result
= gnutls_x509_crt_import (xcert
, cert
, GNUTLS_X509_FMT_DER
);
133 gnutls_x509_crt_deinit (xcert
);
137 len
= sizeof (ret
->country
);
138 gnutls_x509_crt_get_dn_by_oid (xcert
, GNUTLS_OID_X520_COUNTRY_NAME
, 0,
139 0, ret
->country
, &len
);
141 len
= sizeof (ret
->organization
);
142 gnutls_x509_crt_get_dn_by_oid (xcert
, GNUTLS_OID_X520_ORGANIZATION_NAME
,
143 0, 0, ret
->organization
, &len
);
145 len
= sizeof (ret
->organizational_unit_name
);
146 gnutls_x509_crt_get_dn_by_oid (xcert
,
147 GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME
,
148 0, 0, ret
->organizational_unit_name
, &len
);
150 len
= sizeof (ret
->common_name
);
151 gnutls_x509_crt_get_dn_by_oid (xcert
, GNUTLS_OID_X520_COMMON_NAME
, 0, 0,
152 ret
->common_name
, &len
);
154 len
= sizeof (ret
->locality_name
);
155 gnutls_x509_crt_get_dn_by_oid (xcert
, GNUTLS_OID_X520_LOCALITY_NAME
, 0,
156 0, ret
->locality_name
, &len
);
158 len
= sizeof (ret
->state_or_province_name
);
159 gnutls_x509_crt_get_dn_by_oid (xcert
,
160 GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME
,
161 0, 0, ret
->state_or_province_name
, &len
);
163 len
= sizeof (ret
->email
);
164 gnutls_x509_crt_get_dn_by_oid (xcert
, GNUTLS_OID_PKCS9_EMAIL
, 0, 0,
167 gnutls_x509_crt_deinit (xcert
);
173 * gnutls_x509_extract_certificate_issuer_dn - This function returns the certificate's issuer distinguished name
174 * @cert: should contain an X.509 DER encoded certificate
175 * @ret: a pointer to a structure to hold the issuer's name
177 * This function will return the name of the issuer stated in the certificate. The name is a gnutls_x509_dn structure and
178 * is a obtained by the peer's certificate. If the certificate send by the
179 * peer is invalid, or in any other failure this function returns error.
180 * Returns a negative error code in case of an error.
184 gnutls_x509_extract_certificate_issuer_dn (const gnutls_datum_t
* cert
,
185 gnutls_x509_dn
* ret
)
187 gnutls_x509_crt_t xcert
;
191 result
= gnutls_x509_crt_init (&xcert
);
195 result
= gnutls_x509_crt_import (xcert
, cert
, GNUTLS_X509_FMT_DER
);
198 gnutls_x509_crt_deinit (xcert
);
202 len
= sizeof (ret
->country
);
203 gnutls_x509_crt_get_issuer_dn_by_oid (xcert
,
204 GNUTLS_OID_X520_COUNTRY_NAME
, 0,
205 0, ret
->country
, &len
);
207 len
= sizeof (ret
->organization
);
208 gnutls_x509_crt_get_issuer_dn_by_oid (xcert
,
209 GNUTLS_OID_X520_ORGANIZATION_NAME
,
210 0, 0, ret
->organization
, &len
);
212 len
= sizeof (ret
->organizational_unit_name
);
213 gnutls_x509_crt_get_issuer_dn_by_oid (xcert
,
214 GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME
,
216 ret
->organizational_unit_name
, &len
);
218 len
= sizeof (ret
->common_name
);
219 gnutls_x509_crt_get_issuer_dn_by_oid (xcert
,
220 GNUTLS_OID_X520_COMMON_NAME
, 0, 0,
221 ret
->common_name
, &len
);
223 len
= sizeof (ret
->locality_name
);
224 gnutls_x509_crt_get_issuer_dn_by_oid (xcert
,
225 GNUTLS_OID_X520_LOCALITY_NAME
, 0,
226 0, ret
->locality_name
, &len
);
228 len
= sizeof (ret
->state_or_province_name
);
229 gnutls_x509_crt_get_issuer_dn_by_oid (xcert
,
230 GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME
,
231 0, 0, ret
->state_or_province_name
,
234 len
= sizeof (ret
->email
);
235 gnutls_x509_crt_get_issuer_dn_by_oid (xcert
, GNUTLS_OID_PKCS9_EMAIL
, 0,
236 0, ret
->email
, &len
);
238 gnutls_x509_crt_deinit (xcert
);
245 * gnutls_x509_extract_certificate_subject_alt_name - This function returns the certificate's alternative name, if any
246 * @cert: should contain an X.509 DER encoded certificate
247 * @seq: specifies the sequence number of the alt name (0 for the first one, 1 for the second etc.)
248 * @ret: is the place where the alternative name will be copied to
249 * @ret_size: holds the size of ret.
251 * This function will return the alternative names, contained in the
254 * This is specified in X509v3 Certificate Extensions.
255 * GNUTLS will return the Alternative name, or a negative
257 * Returns GNUTLS_E_SHORT_MEMORY_BUFFER if ret_size is not enough to hold the alternative
258 * name, or the type of alternative name if everything was ok. The type is
259 * one of the enumerated GNUTLS_X509_SUBJECT_ALT_NAME.
261 * If the certificate does not have an Alternative name with the specified
262 * sequence number then returns GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
266 gnutls_x509_extract_certificate_subject_alt_name (const gnutls_datum_t
*
268 char *ret
, int *ret_size
)
270 gnutls_x509_crt_t xcert
;
272 size_t size
= *ret_size
;
274 result
= gnutls_x509_crt_init (&xcert
);
278 result
= gnutls_x509_crt_import (xcert
, cert
, GNUTLS_X509_FMT_DER
);
281 gnutls_x509_crt_deinit (xcert
);
286 gnutls_x509_crt_get_subject_alt_name (xcert
, seq
, ret
, &size
, NULL
);
289 gnutls_x509_crt_deinit (xcert
);
295 * gnutls_x509_extract_certificate_ca_status - This function returns the certificate CA status
296 * @cert: should contain an X.509 DER encoded certificate
298 * This function will return certificates CA status, by reading the
299 * basicConstraints X.509 extension. If the certificate is a CA a positive
300 * value will be returned, or zero if the certificate does not have
303 * A negative value may be returned in case of parsing error.
304 * If the certificate does not contain the basicConstraints extension
305 * GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.
309 gnutls_x509_extract_certificate_ca_status (const gnutls_datum_t
* cert
)
311 gnutls_x509_crt_t xcert
;
314 result
= gnutls_x509_crt_init (&xcert
);
318 result
= gnutls_x509_crt_import (xcert
, cert
, GNUTLS_X509_FMT_DER
);
321 gnutls_x509_crt_deinit (xcert
);
325 result
= gnutls_x509_crt_get_ca_status (xcert
, NULL
);
327 gnutls_x509_crt_deinit (xcert
);
333 * gnutls_x509_extract_certificate_activation_time - This function returns the peer's certificate activation time
334 * @cert: should contain an X.509 DER encoded certificate
336 * This function will return the certificate's activation time in UNIX time
337 * (ie seconds since 00:00:00 UTC January 1, 1970).
338 * Returns a (time_t) -1 in case of an error.
342 gnutls_x509_extract_certificate_activation_time (const gnutls_datum_t
* cert
)
344 gnutls_x509_crt_t xcert
;
347 result
= gnutls_x509_crt_init (&xcert
);
351 result
= gnutls_x509_crt_import (xcert
, cert
, GNUTLS_X509_FMT_DER
);
354 gnutls_x509_crt_deinit (xcert
);
358 result
= gnutls_x509_crt_get_activation_time (xcert
);
360 gnutls_x509_crt_deinit (xcert
);
366 * gnutls_x509_extract_certificate_expiration_time - This function returns the certificate's expiration time
367 * @cert: should contain an X.509 DER encoded certificate
369 * This function will return the certificate's expiration time in UNIX time
370 * (ie seconds since 00:00:00 UTC January 1, 1970).
371 * Returns a (time_t) -1 in case of an error.
375 gnutls_x509_extract_certificate_expiration_time (const gnutls_datum_t
* cert
)
377 gnutls_x509_crt_t xcert
;
380 result
= gnutls_x509_crt_init (&xcert
);
384 result
= gnutls_x509_crt_import (xcert
, cert
, GNUTLS_X509_FMT_DER
);
387 gnutls_x509_crt_deinit (xcert
);
391 result
= gnutls_x509_crt_get_expiration_time (xcert
);
393 gnutls_x509_crt_deinit (xcert
);
399 * gnutls_x509_extract_certificate_version - This function returns the certificate's version
400 * @cert: is an X.509 DER encoded certificate
402 * This function will return the X.509 certificate's version (1, 2, 3). This is obtained by the X509 Certificate
403 * Version field. Returns a negative value in case of an error.
407 gnutls_x509_extract_certificate_version (const gnutls_datum_t
* cert
)
409 gnutls_x509_crt_t xcert
;
412 result
= gnutls_x509_crt_init (&xcert
);
416 result
= gnutls_x509_crt_import (xcert
, cert
, GNUTLS_X509_FMT_DER
);
419 gnutls_x509_crt_deinit (xcert
);
423 result
= gnutls_x509_crt_get_version (xcert
);
425 gnutls_x509_crt_deinit (xcert
);
432 * gnutls_x509_extract_certificate_serial - This function returns the certificate's serial number
433 * @cert: is an X.509 DER encoded certificate
434 * @result: The place where the serial number will be copied
435 * @result_size: Holds the size of the result field.
437 * This function will return the X.509 certificate's serial number.
438 * This is obtained by the X509 Certificate serialNumber
439 * field. Serial is not always a 32 or 64bit number. Some CAs use
440 * large serial numbers, thus it may be wise to handle it as something
442 * Returns a negative value in case of an error.
446 gnutls_x509_extract_certificate_serial (const gnutls_datum_t
* cert
,
447 char *result
, int *result_size
)
449 gnutls_x509_crt_t xcert
;
450 size_t size
= *result_size
;
453 ret
= gnutls_x509_crt_init (&xcert
);
457 ret
= gnutls_x509_crt_import (xcert
, cert
, GNUTLS_X509_FMT_DER
);
460 gnutls_x509_crt_deinit (xcert
);
464 ret
= gnutls_x509_crt_get_serial (xcert
, result
, &size
);
467 gnutls_x509_crt_deinit (xcert
);
474 * gnutls_x509_extract_certificate_pk_algorithm - This function returns the certificate's PublicKey algorithm
475 * @cert: is a DER encoded X.509 certificate
476 * @bits: if bits is non null it will hold the size of the parameters' in bits
478 * This function will return the public key algorithm of an X.509
481 * If bits is non null, it should have enough size to hold the parameters
482 * size in bits. For RSA the bits returned is the modulus.
483 * For DSA the bits returned are of the public
486 * Returns a member of the gnutls_pk_algorithm_t enumeration on success,
487 * or a negative value on error.
491 gnutls_x509_extract_certificate_pk_algorithm (const gnutls_datum_t
*
494 gnutls_x509_crt_t xcert
;
497 result
= gnutls_x509_crt_init (&xcert
);
501 result
= gnutls_x509_crt_import (xcert
, cert
, GNUTLS_X509_FMT_DER
);
504 gnutls_x509_crt_deinit (xcert
);
508 result
= gnutls_x509_crt_get_pk_algorithm (xcert
, bits
);
510 gnutls_x509_crt_deinit (xcert
);
517 * gnutls_x509_extract_certificate_dn_string - This function returns the certificate's distinguished name
518 * @cert: should contain an X.509 DER encoded certificate
519 * @buf: a pointer to a structure to hold the peer's name
520 * @sizeof_buf: holds the size of 'buf'
521 * @issuer: if non zero, then extract the name of the issuer, instead of the holder
523 * This function will copy the name of the certificate holder in the provided buffer. The name
524 * will be in the form "C=xxxx,O=yyyy,CN=zzzz" as described in RFC2253.
526 * Returns GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not long enough,
531 gnutls_x509_extract_certificate_dn_string (char *buf
,
532 unsigned int sizeof_buf
,
533 const gnutls_datum_t
* cert
,
536 gnutls_x509_crt_t xcert
;
540 result
= gnutls_x509_crt_init (&xcert
);
544 result
= gnutls_x509_crt_import (xcert
, cert
, GNUTLS_X509_FMT_DER
);
547 gnutls_x509_crt_deinit (xcert
);
553 result
= gnutls_x509_crt_get_dn (xcert
, buf
, &size
);
555 result
= gnutls_x509_crt_get_issuer_dn (xcert
, buf
, &size
);
557 gnutls_x509_crt_deinit (xcert
);
563 * gnutls_x509_verify_certificate - This function verifies given certificate list
564 * @cert_list: is the certificate list to be verified
565 * @cert_list_length: holds the number of certificate in cert_list
566 * @CA_list: is the CA list which will be used in verification
567 * @CA_list_length: holds the number of CA certificate in CA_list
568 * @CRL_list: not used
569 * @CRL_list_length: not used
571 * This function will try to verify the given certificate list and return its status (TRUSTED, EXPIRED etc.).
572 * The return value (status) should be one or more of the gnutls_certificate_status_t
573 * enumerated elements bitwise or'd. Note that expiration and activation dates are not checked
574 * by this function, you should check them using the appropriate functions.
576 * This function understands the basicConstraints (2.5.29.19) PKIX extension.
577 * This means that only a certificate authority can sign a certificate.
579 * However you must also check the peer's name in order to check if the verified certificate belongs to the
582 * The return value (status) should be one or more of the gnutls_certificate_status_t
583 * enumerated elements bitwise or'd.
585 * GNUTLS_CERT_INVALID: the peer's certificate is not valid.
587 * GNUTLS_CERT_REVOKED: the certificate has been revoked.
589 * A negative error code is returned in case of an error.
590 * GNUTLS_E_NO_CERTIFICATE_FOUND is returned to indicate that
591 * no certificate was sent by the peer.
596 gnutls_x509_verify_certificate (const gnutls_datum_t
* cert_list
,
597 int cert_list_length
,
598 const gnutls_datum_t
* CA_list
,
600 const gnutls_datum_t
* CRL_list
,
604 gnutls_x509_crt_t
*peer_certificate_list
= NULL
;
605 gnutls_x509_crt_t
*ca_certificate_list
= NULL
;
606 gnutls_x509_crl_t
*crl_list
= NULL
;
607 int peer_certificate_list_size
= 0, i
, x
, ret
;
608 int ca_certificate_list_size
= 0, crl_list_size
= 0;
610 if (cert_list
== NULL
|| cert_list_length
== 0)
611 return GNUTLS_E_NO_CERTIFICATE_FOUND
;
613 /* generate a list of gnutls_certs based on the auth info
616 peer_certificate_list_size
= cert_list_length
;
617 peer_certificate_list
=
618 gnutls_calloc (peer_certificate_list_size
, sizeof (gnutls_x509_crt_t
));
619 if (peer_certificate_list
== NULL
)
622 ret
= GNUTLS_E_MEMORY_ERROR
;
626 ca_certificate_list_size
= CA_list_length
;
627 ca_certificate_list
=
628 gnutls_calloc (ca_certificate_list_size
, sizeof (gnutls_x509_crt_t
));
629 if (ca_certificate_list
== NULL
)
632 ret
= GNUTLS_E_MEMORY_ERROR
;
636 /* allocate memory for CRL
638 crl_list_size
= CRL_list_length
;
639 crl_list
= gnutls_calloc (crl_list_size
, sizeof (gnutls_x509_crl_t
));
640 if (crl_list
== NULL
)
643 ret
= GNUTLS_E_MEMORY_ERROR
;
647 /* convert certA_list to gnutls_cert* list
649 for (i
= 0; i
< peer_certificate_list_size
; i
++)
651 ret
= gnutls_x509_crt_init (&peer_certificate_list
[i
]);
659 gnutls_x509_crt_import (peer_certificate_list
[i
],
660 &cert_list
[i
], GNUTLS_X509_FMT_DER
);
668 /* convert CA_list to gnutls_x509_cert* list
670 for (i
= 0; i
< ca_certificate_list_size
; i
++)
672 ret
= gnutls_x509_crt_init (&ca_certificate_list
[i
]);
680 gnutls_x509_crt_import (ca_certificate_list
[i
],
681 &CA_list
[i
], GNUTLS_X509_FMT_DER
);
690 /* convert CRL_list to gnutls_x509_crl* list
692 for (i
= 0; i
< crl_list_size
; i
++)
694 ret
= gnutls_x509_crl_init (&crl_list
[i
]);
702 gnutls_x509_crl_import (crl_list
[i
],
703 &CRL_list
[i
], GNUTLS_X509_FMT_DER
);
712 /* Verify certificate
715 gnutls_x509_crt_list_verify (peer_certificate_list
,
716 peer_certificate_list_size
,
718 ca_certificate_list_size
, crl_list
,
719 crl_list_size
, 0, &verify
);
731 if (peer_certificate_list
!= NULL
)
732 for (x
= 0; x
< peer_certificate_list_size
; x
++)
734 if (peer_certificate_list
[x
] != NULL
)
735 gnutls_x509_crt_deinit (peer_certificate_list
[x
]);
738 if (ca_certificate_list
!= NULL
)
739 for (x
= 0; x
< ca_certificate_list_size
; x
++)
741 if (ca_certificate_list
[x
] != NULL
)
742 gnutls_x509_crt_deinit (ca_certificate_list
[x
]);
745 if (crl_list
!= NULL
)
746 for (x
= 0; x
< crl_list_size
; x
++)
748 if (crl_list
[x
] != NULL
)
749 gnutls_x509_crl_deinit (crl_list
[x
]);
752 gnutls_free (crl_list
);
755 gnutls_free (ca_certificate_list
);
756 gnutls_free (peer_certificate_list
);
762 * gnutls_x509_extract_key_pk_algorithm - This function returns the keys's PublicKey algorithm
763 * @cert: is a DER encoded private key
765 * This function will return the public key algorithm of a DER encoded private
768 * Returns a member of the gnutls_pk_algorithm_t enumeration on success,
769 * or GNUTLS_E_UNKNOWN_PK_ALGORITHM on error.
773 gnutls_x509_extract_key_pk_algorithm (const gnutls_datum_t
* key
)
775 gnutls_x509_privkey_t pkey
;
778 ret
= gnutls_x509_privkey_init (&pkey
);
785 ret
= gnutls_x509_privkey_import (pkey
, key
, GNUTLS_X509_FMT_DER
);
792 pk
= gnutls_x509_privkey_get_pk_algorithm (pkey
);
794 gnutls_x509_privkey_deinit (pkey
);
801 * gnutls_x509_pkcs7_extract_certificate - This function returns a certificate in a PKCS7 certificate set
802 * @pkcs7_struct: should contain a PKCS7 DER formatted structure
803 * @indx: contains the index of the certificate to extract
804 * @certificate: the contents of the certificate will be copied there
805 * @certificate_size: should hold the size of the certificate
807 * This function will return a certificate of the PKCS7 or RFC2630 certificate set.
808 * Returns 0 on success. If the provided buffer is not long enough,
809 * then GNUTLS_E_SHORT_MEMORY_BUFFER is returned.
811 * After the last certificate has been read GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
816 gnutls_x509_pkcs7_extract_certificate (const gnutls_datum_t
*
817 pkcs7_struct
, int indx
,
819 int *certificate_size
)
821 gnutls_pkcs7_t pkcs7
;
823 size_t size
= *certificate_size
;
825 result
= gnutls_pkcs7_init (&pkcs7
);
829 result
= gnutls_pkcs7_import (pkcs7
, pkcs7_struct
, GNUTLS_X509_FMT_DER
);
832 gnutls_pkcs7_deinit (pkcs7
);
836 result
= gnutls_pkcs7_get_crt_raw (pkcs7
, indx
, certificate
, &size
);
837 *certificate_size
= size
;
839 gnutls_pkcs7_deinit (pkcs7
);