| blob | 7c65e7d65646524042968f974c941d64a8155a49 |
1 /*
2 * Copyright (C) 2003-2012 Free Software Foundation, Inc.
3 * Author: Nikos Mavrogiannopoulos, Simon Josefsson, Howard Chu
4 *
5 * This file is part of GnuTLS.
6 *
7 * The GnuTLS is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU Lesser General Public License
9 * as published by the Free Software Foundation; either version 3 of
10 * the License, or (at your option) any later version.
11 *
12 * This library is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
16 *
17 * You should have received a copy of the GNU Lesser General Public License
18 * along with this program. If not, see <http://www.gnu.org/licenses/>
19 *
20 */
22 /* Functions on X.509 Certificate parsing
23 */
25 #include <gnutls_int.h>
26 #include <gnutls_datum.h>
27 #include <gnutls_global.h>
28 #include <gnutls_errors.h>
29 #include <common.h>
30 #include <gnutls_x509.h>
31 #include <x509_b64.h>
32 #include <x509_int.h>
33 #include <libtasn1.h>
34 #include <gnutls_pk.h>
36 /**
37 * gnutls_x509_crt_init:
38 * @cert: The structure to be initialized
39 *
40 * This function will initialize an X.509 certificate structure.
41 *
42 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
43 * negative error value.
44 **/
45 int
47 {
57 {
61 }
63 /* If you add anything here, be sure to check if it has to be added
64 to gnutls_x509_crt_import as well. */
69 }
71 /*-
72 * _gnutls_x509_crt_cpy - This function copies a gnutls_x509_crt_t structure
73 * @dest: The structure where to copy
74 * @src: The structure to be copied
75 *
76 * This function will copy an X.509 certificate structure.
77 *
78 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
79 * negative error value.
80 -*/
81 int
83 {
87 gnutls_datum_t tmp;
91 {
94 }
98 {
101 }
105 {
109 }
118 {
121 }
124 }
126 /**
127 * gnutls_x509_crt_deinit:
128 * @cert: The structure to be deinitialized
129 *
130 * This function will deinitialize a certificate structure.
131 **/
132 void
134 {
142 }
144 /**
145 * gnutls_x509_crt_import:
146 * @cert: The structure to store the parsed certificate.
147 * @data: The DER or PEM encoded certificate.
148 * @format: One of DER or PEM
149 *
150 * This function will convert the given DER or PEM encoded Certificate
151 * to the native gnutls_x509_crt_t format. The output will be stored
152 * in @cert.
153 *
154 * If the Certificate is PEM encoded it should have a header of "X509
155 * CERTIFICATE", or "CERTIFICATE".
156 *
157 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
158 * negative error value.
159 **/
160 int
163 gnutls_x509_crt_fmt_t format)
164 {
166 gnutls_datum_t _data;
169 {
172 }
177 /* If the Certificate is in PEM format then decode it
178 */
180 {
181 /* Try the first header */
182 result =
186 {
187 /* try for the second header */
188 result =
193 {
196 }
197 }
200 }
203 {
204 /* Any earlier asn1_der_decoding will modify the ASN.1
205 structure, so we need to replace it with a fresh
206 structure. */
212 {
216 }
217 }
221 {
225 }
229 /* Since we do not want to disable any extension
230 */
237 cleanup:
241 }
244 /**
245 * gnutls_x509_crt_get_issuer_dn:
246 * @cert: should contain a #gnutls_x509_crt_t structure
247 * @buf: a pointer to a structure to hold the name (may be null)
248 * @buf_size: initially holds the size of @buf
249 *
250 * This function will copy the name of the Certificate issuer in the
251 * provided buffer. The name will be in the form
252 * "C=xxxx,O=yyyy,CN=zzzz" as described in RFC4514. The output string
253 * will be ASCII or UTF-8 encoded, depending on the certificate data.
254 *
255 * If @buf is null then only the size will be filled.
256 *
257 * Returns: GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not
258 * long enough, and in that case the @buf_size will be updated with
259 * the required size. On success 0 is returned.
260 **/
261 int
264 {
266 {
269 }
273 buf_size);
274 }
276 /**
277 * gnutls_x509_crt_get_issuer_dn_by_oid:
278 * @cert: should contain a #gnutls_x509_crt_t structure
279 * @oid: holds an Object Identified in null terminated string
280 * @indx: In case multiple same OIDs exist in the RDN, this specifies which to send. Use (0) to get the first one.
281 * @raw_flag: If non-zero returns the raw DER data of the DN part.
282 * @buf: a pointer to a structure to hold the name (may be null)
283 * @buf_size: initially holds the size of @buf
284 *
285 * This function will extract the part of the name of the Certificate
286 * issuer specified by the given OID. The output, if the raw flag is not
287 * used, will be encoded as described in RFC4514. Thus a string that is
288 * ASCII or UTF-8 encoded, depending on the certificate data.
289 *
290 * Some helper macros with popular OIDs can be found in gnutls/x509.h
291 * If raw flag is (0), this function will only return known OIDs as
292 * text. Other OIDs will be DER encoded, as described in RFC4514 --
293 * in hex format with a '#' prefix. You can check about known OIDs
294 * using gnutls_x509_dn_oid_known().
295 *
296 * If @buf is null then only the size will be filled. If the @raw_flag
297 * is not specified the output is always null terminated, although the
298 * @buf_size will not include the null character.
299 *
300 * Returns: %GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not
301 * long enough, and in that case the @buf_size will be updated with
302 * the required size. %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE if there
303 * are no data in the current index. On success 0 is returned.
304 **/
305 int
310 {
312 {
315 }
320 }
322 /**
323 * gnutls_x509_crt_get_issuer_dn_oid:
324 * @cert: should contain a #gnutls_x509_crt_t structure
325 * @indx: This specifies which OID to return. Use (0) to get the first one.
326 * @oid: a pointer to a buffer to hold the OID (may be null)
327 * @oid_size: initially holds the size of @oid
328 *
329 * This function will extract the OIDs of the name of the Certificate
330 * issuer specified by the given index.
331 *
332 * If @oid is null then only the size will be filled. The @oid
333 * returned will be null terminated, although @oid_size will not
334 * account for the trailing null.
335 *
336 * Returns: %GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not
337 * long enough, and in that case the @buf_size will be updated with
338 * the required size. %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE if there
339 * are no data in the current index. On success 0 is returned.
340 **/
341 int
344 {
346 {
349 }
354 }
356 /**
357 * gnutls_x509_crt_get_dn:
358 * @cert: should contain a #gnutls_x509_crt_t structure
359 * @buf: a pointer to a structure to hold the name (may be null)
360 * @buf_size: initially holds the size of @buf
361 *
362 * This function will copy the name of the Certificate in the provided
363 * buffer. The name will be in the form "C=xxxx,O=yyyy,CN=zzzz" as
364 * described in RFC4514. The output string will be ASCII or UTF-8
365 * encoded, depending on the certificate data.
366 *
367 * If @buf is null then only the size will be filled.
368 *
369 * Returns: %GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not
370 * long enough, and in that case the @buf_size will be updated
371 * with the required size. On success 0 is returned.
372 **/
373 int
376 {
378 {
381 }
385 buf_size);
386 }
388 /**
389 * gnutls_x509_crt_get_dn_by_oid:
390 * @cert: should contain a #gnutls_x509_crt_t structure
391 * @oid: holds an Object Identified in null terminated string
392 * @indx: In case multiple same OIDs exist in the RDN, this specifies which to send. Use (0) to get the first one.
393 * @raw_flag: If non-zero returns the raw DER data of the DN part.
394 * @buf: a pointer where the DN part will be copied (may be null).
395 * @buf_size: initially holds the size of @buf
396 *
397 * This function will extract the part of the name of the Certificate
398 * subject specified by the given OID. The output, if the raw flag is
399 * not used, will be encoded as described in RFC4514. Thus a string
400 * that is ASCII or UTF-8 encoded, depending on the certificate data.
401 *
402 * Some helper macros with popular OIDs can be found in gnutls/x509.h
403 * If raw flag is (0), this function will only return known OIDs as
404 * text. Other OIDs will be DER encoded, as described in RFC4514 --
405 * in hex format with a '#' prefix. You can check about known OIDs
406 * using gnutls_x509_dn_oid_known().
407 *
408 * If @buf is null then only the size will be filled. If the @raw_flag
409 * is not specified the output is always null terminated, although the
410 * @buf_size will not include the null character.
411 *
412 * Returns: %GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not
413 * long enough, and in that case the @buf_size will be updated with
414 * the required size. %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE if there
415 * are no data in the current index. On success 0 is returned.
416 **/
417 int
421 {
423 {
426 }
431 }
433 /**
434 * gnutls_x509_crt_get_dn_oid:
435 * @cert: should contain a #gnutls_x509_crt_t structure
436 * @indx: This specifies which OID to return. Use (0) to get the first one.
437 * @oid: a pointer to a buffer to hold the OID (may be null)
438 * @oid_size: initially holds the size of @oid
439 *
440 * This function will extract the OIDs of the name of the Certificate
441 * subject specified by the given index.
442 *
443 * If @oid is null then only the size will be filled. The @oid
444 * returned will be null terminated, although @oid_size will not
445 * account for the trailing null.
446 *
447 * Returns: %GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not
448 * long enough, and in that case the @buf_size will be updated with
449 * the required size. %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE if there
450 * are no data in the current index. On success 0 is returned.
451 **/
452 int
455 {
457 {
460 }
465 }
467 /**
468 * gnutls_x509_crt_get_signature_algorithm:
469 * @cert: should contain a #gnutls_x509_crt_t structure
470 *
471 * This function will return a value of the #gnutls_sign_algorithm_t
472 * enumeration that is the signature algorithm that has been used to
473 * sign this certificate.
474 *
475 * Returns: a #gnutls_sign_algorithm_t value, or a negative error code on
476 * error.
477 **/
478 int
480 {
482 }
484 /**
485 * gnutls_x509_crt_get_signature:
486 * @cert: should contain a #gnutls_x509_crt_t structure
487 * @sig: a pointer where the signature part will be copied (may be null).
488 * @sizeof_sig: initially holds the size of @sig
489 *
490 * This function will extract the signature field of a certificate.
491 *
492 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
493 * negative error value. and a negative error code on error.
494 **/
495 int
498 {
504 {
507 }
512 {
515 }
519 {
522 }
527 {
530 }
534 {
537 }
540 }
542 /**
543 * gnutls_x509_crt_get_version:
544 * @cert: should contain a #gnutls_x509_crt_t structure
545 *
546 * This function will return the version of the specified Certificate.
547 *
548 * Returns: version of certificate, or a negative error code on error.
549 **/
550 int
552 {
557 {
560 }
566 {
572 }
575 }
577 /**
578 * gnutls_x509_crt_get_activation_time:
579 * @cert: should contain a #gnutls_x509_crt_t structure
580 *
581 * This function will return the time this Certificate was or will be
582 * activated.
583 *
584 * Returns: activation time, or (time_t)-1 on error.
585 **/
586 time_t
588 {
590 {
593 }
597 }
599 /**
600 * gnutls_x509_crt_get_expiration_time:
601 * @cert: should contain a #gnutls_x509_crt_t structure
602 *
603 * This function will return the time this Certificate was or will be
604 * expired.
605 *
606 * Returns: expiration time, or (time_t)-1 on error.
607 **/
608 time_t
610 {
612 {
615 }
619 }
621 /**
622 * gnutls_x509_crt_get_private_key_usage_period:
623 * @cert: should contain a #gnutls_x509_crt_t structure
624 * @activation: The activation time
625 * @expiration: The expiration time
626 * @critical: the extension status
627 *
628 * This function will return the expiration and activation
629 * times of the private key of the certificate. It relies on
630 * the PKIX extension 2.5.29.16 being present.
631 *
632 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
633 * if the extension is not present, otherwise a negative error value.
634 **/
635 int
636 gnutls_x509_crt_get_private_key_usage_period (gnutls_x509_crt_t cert, time_t* activation, time_t* expiration,
638 {
644 {
647 }
649 ret =
651 critical);
658 result = asn1_create_element
661 {
665 }
669 {
673 }
685 cleanup:
690 }
693 /**
694 * gnutls_x509_crt_get_serial:
695 * @cert: should contain a #gnutls_x509_crt_t structure
696 * @result: The place where the serial number will be copied
697 * @result_size: Holds the size of the result field.
698 *
699 * This function will return the X.509 certificate's serial number.
700 * This is obtained by the X509 Certificate serialNumber field. Serial
701 * is not always a 32 or 64bit number. Some CAs use large serial
702 * numbers, thus it may be wise to handle it as something uint8_t.
703 *
704 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
705 * negative error value.
706 **/
707 int
710 {
714 {
717 }
720 ret =
725 {
728 }
731 }
733 /**
734 * gnutls_x509_crt_get_subject_key_id:
735 * @cert: should contain a #gnutls_x509_crt_t structure
736 * @ret: The place where the identifier will be copied
737 * @ret_size: Holds the size of the result field.
738 * @critical: will be non-zero if the extension is marked as critical (may be null)
739 *
740 * This function will return the X.509v3 certificate's subject key
741 * identifier. This is obtained by the X.509 Subject Key identifier
742 * extension field (2.5.29.14).
743 *
744 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
745 * if the extension is not present, otherwise a negative error value.
746 **/
747 int
750 {
752 gnutls_datum_t id;
756 {
759 }
764 else
770 {
772 }
775 {
778 }
780 result = asn1_create_element
783 {
787 }
793 {
797 }
806 {
808 }
811 {
815 }
818 }
820 static int
823 {
825 gnutls_datum_t id;
830 {
833 }
838 {
840 }
843 {
846 }
848 ret = asn1_create_element
851 {
855 }
861 {
865 }
868 }
870 /**
871 * gnutls_x509_crt_get_authority_key_gn_serial:
872 * @cert: should contain a #gnutls_x509_crt_t structure
873 * @seq: specifies the sequence number of the alt name (0 for the first one, 1 for the second etc.)
874 * @alt: is the place where the alternative name will be copied to
875 * @alt_size: holds the size of alt.
876 * @alt_type: holds the type of the alternative name (one of gnutls_x509_subject_alt_name_t).
877 * @serial: buffer to store the serial number (may be null)
878 * @serial_size: Holds the size of the serial field (may be null)
879 * @critical: will be non-zero if the extension is marked as critical (may be null)
880 *
881 * This function will return the X.509 authority key
882 * identifier when stored as a general name (authorityCertIssuer)
883 * and serial number.
884 *
885 * Because more than one general names might be stored
886 * @seq can be used as a counter to request them all until
887 * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned.
888 *
889 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
890 * if the extension is not present, otherwise a negative error value.
891 *
892 * Since: 3.0
893 **/
894 int
895 gnutls_x509_crt_get_authority_key_gn_serial (gnutls_x509_crt_t cert, unsigned int seq, void *alt,
899 {
901 ASN1_TYPE c2;
907 ret =
911 {
914 }
917 {
924 {
927 }
929 }
933 fail:
937 }
939 /**
940 * gnutls_x509_crt_get_authority_key_id:
941 * @cert: should contain a #gnutls_x509_crt_t structure
942 * @id: The place where the identifier will be copied
943 * @id_size: Holds the size of the id field.
944 * @critical: will be non-zero if the extension is marked as critical (may be null)
945 *
946 * This function will return the X.509v3 certificate authority's key
947 * identifier. This is obtained by the X.509 Authority Key
948 * identifier extension field (2.5.29.35). Note that this function
949 * only returns the keyIdentifier field of the extension and
950 * %GNUTLS_E_X509_UNSUPPORTED_EXTENSION, if the extension contains
951 * the name and serial number of the certificate. In that case
952 * gnutls_x509_crt_get_authority_key_gn_serial() may be used.
953 *
954 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
955 * if the extension is not present, otherwise a negative error value.
956 **/
957 int
961 {
963 ASN1_TYPE c2;
979 {
983 }
986 }
988 /**
989 * gnutls_x509_crt_get_pk_algorithm:
990 * @cert: should contain a #gnutls_x509_crt_t structure
991 * @bits: if bits is non null it will hold the size of the parameters' in bits
992 *
993 * This function will return the public key algorithm of an X.509
994 * certificate.
995 *
996 * If bits is non null, it should have enough size to hold the parameters
997 * size in bits. For RSA the bits returned is the modulus.
998 * For DSA the bits returned are of the public
999 * exponent.
1000 *
1001 * Returns: a member of the #gnutls_pk_algorithm_t enumeration on
1002 * success, or a negative error code on error.
1003 **/
1004 int
1006 {
1010 {
1013 }
1018 result =
1021 bits);
1024 {
1027 }
1031 }
1035 {
1039 else
1041 }
1045 /* returns the type and the name on success.
1046 * Type is also returned as a parameter in case of an error.
1047 */
1048 int
1052 {
1057 gnutls_x509_subject_alt_name_t type;
1063 else
1070 {
1072 }
1075 {
1078 }
1083 {
1086 }
1092 {
1095 else
1106 {
1109 }
1112 {
1115 }
1116 else
1117 {
1123 else
1129 {
1132 }
1135 {
1139 result = asn1_create_element
1142 {
1145 }
1149 {
1153 }
1158 {
1163 }
1167 {
1171 }
1174 /* null terminate it */
1176 }
1177 }
1178 }
1180 {
1184 {
1187 }
1188 }
1191 else
1192 {
1203 {
1207 }
1210 {
1213 }
1216 {
1219 {
1223 }
1225 /* null terminate it */
1227 }
1229 }
1232 }
1234 static int
1239 {
1241 gnutls_datum_t dnsname;
1245 {
1248 }
1252 else
1258 {
1260 }
1263 {
1266 }
1274 else
1275 {
1278 }
1281 {
1285 }
1291 {
1295 }
1297 result =
1299 othername_oid);
1304 {
1307 }
1310 }
1312 /**
1313 * gnutls_x509_crt_get_subject_alt_name:
1314 * @cert: should contain a #gnutls_x509_crt_t structure
1315 * @seq: specifies the sequence number of the alt name (0 for the first one, 1 for the second etc.)
1316 * @san: is the place where the alternative name will be copied to
1317 * @san_size: holds the size of san.
1318 * @critical: will be non-zero if the extension is marked as critical (may be null)
1319 *
1320 * This function retrieves the Alternative Name (2.5.29.17), contained
1321 * in the given certificate in the X509v3 Certificate Extensions.
1322 *
1323 * When the SAN type is otherName, it will extract the data in the
1324 * otherName's value field, and %GNUTLS_SAN_OTHERNAME is returned.
1325 * You may use gnutls_x509_crt_get_subject_alt_othername_oid() to get
1326 * the corresponding OID and the "virtual" SAN types (e.g.,
1327 * %GNUTLS_SAN_OTHERNAME_XMPP).
1328 *
1329 * If an otherName OID is known, the data will be decoded. Otherwise
1330 * the returned data will be DER encoded, and you will have to decode
1331 * it yourself. Currently, only the RFC 3920 id-on-xmppAddr SAN is
1332 * recognized.
1333 *
1334 * Returns: the alternative subject name type on success, one of the
1335 * enumerated #gnutls_x509_subject_alt_name_t. It will return
1336 * %GNUTLS_E_SHORT_MEMORY_BUFFER if @san_size is not large enough to
1337 * hold the value. In that case @san_size will be updated with the
1338 * required size. If the certificate does not have an Alternative
1339 * name with the specified sequence number then
1340 * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned.
1341 **/
1342 int
1347 {
1350 }
1352 /**
1353 * gnutls_x509_crt_get_issuer_alt_name:
1354 * @cert: should contain a #gnutls_x509_crt_t structure
1355 * @seq: specifies the sequence number of the alt name (0 for the first one, 1 for the second etc.)
1356 * @ian: is the place where the alternative name will be copied to
1357 * @ian_size: holds the size of ian.
1358 * @critical: will be non-zero if the extension is marked as critical (may be null)
1359 *
1360 * This function retrieves the Issuer Alternative Name (2.5.29.18),
1361 * contained in the given certificate in the X509v3 Certificate
1362 * Extensions.
1363 *
1364 * When the SAN type is otherName, it will extract the data in the
1365 * otherName's value field, and %GNUTLS_SAN_OTHERNAME is returned.
1366 * You may use gnutls_x509_crt_get_subject_alt_othername_oid() to get
1367 * the corresponding OID and the "virtual" SAN types (e.g.,
1368 * %GNUTLS_SAN_OTHERNAME_XMPP).
1369 *
1370 * If an otherName OID is known, the data will be decoded. Otherwise
1371 * the returned data will be DER encoded, and you will have to decode
1372 * it yourself. Currently, only the RFC 3920 id-on-xmppAddr Issuer
1373 * AltName is recognized.
1374 *
1375 * Returns: the alternative issuer name type on success, one of the
1376 * enumerated #gnutls_x509_subject_alt_name_t. It will return
1377 * %GNUTLS_E_SHORT_MEMORY_BUFFER if @ian_size is not large enough
1378 * to hold the value. In that case @ian_size will be updated with
1379 * the required size. If the certificate does not have an
1380 * Alternative name with the specified sequence number then
1381 * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned.
1382 *
1383 * Since: 2.10.0
1384 **/
1385 int
1390 {
1393 }
1395 /**
1396 * gnutls_x509_crt_get_subject_alt_name2:
1397 * @cert: should contain a #gnutls_x509_crt_t structure
1398 * @seq: specifies the sequence number of the alt name (0 for the first one, 1 for the second etc.)
1399 * @san: is the place where the alternative name will be copied to
1400 * @san_size: holds the size of ret.
1401 * @san_type: holds the type of the alternative name (one of gnutls_x509_subject_alt_name_t).
1402 * @critical: will be non-zero if the extension is marked as critical (may be null)
1403 *
1404 * This function will return the alternative names, contained in the
1405 * given certificate. It is the same as
1406 * gnutls_x509_crt_get_subject_alt_name() except for the fact that it
1407 * will return the type of the alternative name in @san_type even if
1408 * the function fails for some reason (i.e. the buffer provided is
1409 * not enough).
1410 *
1411 * Returns: the alternative subject name type on success, one of the
1412 * enumerated #gnutls_x509_subject_alt_name_t. It will return
1413 * %GNUTLS_E_SHORT_MEMORY_BUFFER if @san_size is not large enough
1414 * to hold the value. In that case @san_size will be updated with
1415 * the required size. If the certificate does not have an
1416 * Alternative name with the specified sequence number then
1417 * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned.
1418 **/
1419 int
1425 {
1428 }
1430 /**
1431 * gnutls_x509_crt_get_issuer_alt_name2:
1432 * @cert: should contain a #gnutls_x509_crt_t structure
1433 * @seq: specifies the sequence number of the alt name (0 for the first one, 1 for the second etc.)
1434 * @ian: is the place where the alternative name will be copied to
1435 * @ian_size: holds the size of ret.
1436 * @ian_type: holds the type of the alternative name (one of gnutls_x509_subject_alt_name_t).
1437 * @critical: will be non-zero if the extension is marked as critical (may be null)
1438 *
1439 * This function will return the alternative names, contained in the
1440 * given certificate. It is the same as
1441 * gnutls_x509_crt_get_issuer_alt_name() except for the fact that it
1442 * will return the type of the alternative name in @ian_type even if
1443 * the function fails for some reason (i.e. the buffer provided is
1444 * not enough).
1445 *
1446 * Returns: the alternative issuer name type on success, one of the
1447 * enumerated #gnutls_x509_subject_alt_name_t. It will return
1448 * %GNUTLS_E_SHORT_MEMORY_BUFFER if @ian_size is not large enough
1449 * to hold the value. In that case @ian_size will be updated with
1450 * the required size. If the certificate does not have an
1451 * Alternative name with the specified sequence number then
1452 * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned.
1453 *
1454 * Since: 2.10.0
1455 *
1456 **/
1457 int
1463 {
1466 }
1468 /**
1469 * gnutls_x509_crt_get_subject_alt_othername_oid:
1470 * @cert: should contain a #gnutls_x509_crt_t structure
1471 * @seq: specifies the sequence number of the alt name (0 for the first one, 1 for the second etc.)
1472 * @oid: is the place where the otherName OID will be copied to
1473 * @oid_size: holds the size of ret.
1474 *
1475 * This function will extract the type OID of an otherName Subject
1476 * Alternative Name, contained in the given certificate, and return
1477 * the type as an enumerated element.
1478 *
1479 * This function is only useful if
1480 * gnutls_x509_crt_get_subject_alt_name() returned
1481 * %GNUTLS_SAN_OTHERNAME.
1482 *
1483 * If @oid is null then only the size will be filled. The @oid
1484 * returned will be null terminated, although @oid_size will not
1485 * account for the trailing null.
1486 *
1487 * Returns: the alternative subject name type on success, one of the
1488 * enumerated gnutls_x509_subject_alt_name_t. For supported OIDs, it
1489 * will return one of the virtual (GNUTLS_SAN_OTHERNAME_*) types,
1490 * e.g. %GNUTLS_SAN_OTHERNAME_XMPP, and %GNUTLS_SAN_OTHERNAME for
1491 * unknown OIDs. It will return %GNUTLS_E_SHORT_MEMORY_BUFFER if
1492 * @ian_size is not large enough to hold the value. In that case
1493 * @ian_size will be updated with the required size. If the
1494 * certificate does not have an Alternative name with the specified
1495 * sequence number and with the otherName type then
1496 * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned.
1497 **/
1498 int
1502 {
1504 }
1506 /**
1507 * gnutls_x509_crt_get_issuer_alt_othername_oid:
1508 * @cert: should contain a #gnutls_x509_crt_t structure
1509 * @seq: specifies the sequence number of the alt name (0 for the first one, 1 for the second etc.)
1510 * @ret: is the place where the otherName OID will be copied to
1511 * @ret_size: holds the size of ret.
1512 *
1513 * This function will extract the type OID of an otherName Subject
1514 * Alternative Name, contained in the given certificate, and return
1515 * the type as an enumerated element.
1516 *
1517 * If @oid is null then only the size will be filled. The @oid
1518 * returned will be null terminated, although @oid_size will not
1519 * account for the trailing null.
1520 *
1521 * This function is only useful if
1522 * gnutls_x509_crt_get_issuer_alt_name() returned
1523 * %GNUTLS_SAN_OTHERNAME.
1524 *
1525 * Returns: the alternative issuer name type on success, one of the
1526 * enumerated gnutls_x509_subject_alt_name_t. For supported OIDs, it
1527 * will return one of the virtual (GNUTLS_SAN_OTHERNAME_*) types,
1528 * e.g. %GNUTLS_SAN_OTHERNAME_XMPP, and %GNUTLS_SAN_OTHERNAME for
1529 * unknown OIDs. It will return %GNUTLS_E_SHORT_MEMORY_BUFFER if
1530 * @ret_size is not large enough to hold the value. In that case
1531 * @ret_size will be updated with the required size. If the
1532 * certificate does not have an Alternative name with the specified
1533 * sequence number and with the otherName type then
1534 * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned.
1535 *
1536 * Since: 2.10.0
1537 **/
1538 int
1542 {
1544 }
1546 /**
1547 * gnutls_x509_crt_get_basic_constraints:
1548 * @cert: should contain a #gnutls_x509_crt_t structure
1549 * @critical: will be non-zero if the extension is marked as critical
1550 * @ca: pointer to output integer indicating CA status, may be NULL,
1551 * value is 1 if the certificate CA flag is set, 0 otherwise.
1552 * @pathlen: pointer to output integer indicating path length (may be
1553 * NULL), non-negative error codes indicate a present pathLenConstraint
1554 * field and the actual value, -1 indicate that the field is absent.
1555 *
1556 * This function will read the certificate's basic constraints, and
1557 * return the certificates CA status. It reads the basicConstraints
1558 * X.509 extension (2.5.29.19).
1559 *
1560 * Returns: If the certificate is a CA a positive value will be
1561 * returned, or (0) if the certificate does not have CA flag set. A
1562 * negative error code may be returned in case of errors. If the
1563 * certificate does not contain the basicConstraints extension
1564 * GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.
1565 **/
1566 int
1570 {
1572 gnutls_datum_t basicConstraints;
1576 {
1579 }
1584 {
1586 }
1589 {
1592 }
1594 result =
1596 pathlen,
1604 {
1607 }
1610 }
1612 /**
1613 * gnutls_x509_crt_get_ca_status:
1614 * @cert: should contain a #gnutls_x509_crt_t structure
1615 * @critical: will be non-zero if the extension is marked as critical
1616 *
1617 * This function will return certificates CA status, by reading the
1618 * basicConstraints X.509 extension (2.5.29.19). If the certificate is
1619 * a CA a positive value will be returned, or (0) if the certificate
1620 * does not have CA flag set.
1621 *
1622 * Use gnutls_x509_crt_get_basic_constraints() if you want to read the
1623 * pathLenConstraint field too.
1624 *
1625 * Returns: A negative error code may be returned in case of parsing error.
1626 * If the certificate does not contain the basicConstraints extension
1627 * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.
1628 **/
1629 int
1631 {
1636 }
1638 /**
1639 * gnutls_x509_crt_get_key_usage:
1640 * @cert: should contain a #gnutls_x509_crt_t structure
1641 * @key_usage: where the key usage bits will be stored
1642 * @critical: will be non-zero if the extension is marked as critical
1643 *
1644 * This function will return certificate's key usage, by reading the
1645 * keyUsage X.509 extension (2.5.29.15). The key usage value will ORed
1646 * values of the: %GNUTLS_KEY_DIGITAL_SIGNATURE,
1647 * %GNUTLS_KEY_NON_REPUDIATION, %GNUTLS_KEY_KEY_ENCIPHERMENT,
1648 * %GNUTLS_KEY_DATA_ENCIPHERMENT, %GNUTLS_KEY_KEY_AGREEMENT,
1649 * %GNUTLS_KEY_KEY_CERT_SIGN, %GNUTLS_KEY_CRL_SIGN,
1650 * %GNUTLS_KEY_ENCIPHER_ONLY, %GNUTLS_KEY_DECIPHER_ONLY.
1651 *
1652 * Returns: the certificate key usage, or a negative error code in case of
1653 * parsing error. If the certificate does not contain the keyUsage
1654 * extension %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be
1655 * returned.
1656 **/
1657 int
1661 {
1663 gnutls_datum_t keyUsage;
1667 {
1670 }
1675 {
1677 }
1680 {
1683 }
1692 {
1695 }
1698 }
1700 /**
1701 * gnutls_x509_crt_get_proxy:
1702 * @cert: should contain a #gnutls_x509_crt_t structure
1703 * @critical: will be non-zero if the extension is marked as critical
1704 * @pathlen: pointer to output integer indicating path length (may be
1705 * NULL), non-negative error codes indicate a present pCPathLenConstraint
1706 * field and the actual value, -1 indicate that the field is absent.
1707 * @policyLanguage: output variable with OID of policy language
1708 * @policy: output variable with policy data
1709 * @sizeof_policy: output variable size of policy data
1710 *
1711 * This function will get information from a proxy certificate. It
1712 * reads the ProxyCertInfo X.509 extension (1.3.6.1.5.5.7.1.14).
1713 *
1714 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
1715 * otherwise a negative error code is returned.
1716 **/
1717 int
1723 {
1725 gnutls_datum_t proxyCertInfo;
1728 {
1731 }
1736 {
1738 }
1741 {
1744 }
1747 policyLanguage,
1748 policy,
1749 sizeof_policy,
1754 {
1757 }
1760 }
1762 /**
1763 * gnutls_x509_policy_release:
1764 * @policy: a certificate policy
1765 *
1766 * This function will deinitialize all memory associated with the provided
1767 * @policy. The policy is allocated using gnutls_x509_crt_get_policy().
1768 *
1769 **/
1771 {
1777 }
1780 {
1787 ret = asn1_create_element
1790 {
1794 }
1798 {
1802 }
1807 {
1811 }
1815 {
1819 }
1825 {
1828 }
1835 {
1838 }
1842 }
1843 else
1844 {
1845 /* _gnutls_x509_read_value allows that */
1847 }
1853 cleanup:
1857 }
1859 /**
1860 * gnutls_x509_crt_get_policy:
1861 * @cert: should contain a #gnutls_x509_crt_t structure
1862 * @indx: This specifies which policy to return. Use (0) to get the first one.
1863 * @policy: A pointer to a policy structure.
1864 * @critical: will be non-zero if the extension is marked as critical
1865 *
1866 * This function will extract the certificate policy (extension 2.5.29.32)
1867 * specified by the given index.
1868 *
1869 * The policy returned by this function must be deinitialized by using
1870 * gnutls_x509_policy_release().
1871 *
1872 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
1873 * if the extension is not present, otherwise a negative error value.
1874 **/
1875 int
1879 {
1888 {
1891 }
1898 {
1900 }
1903 {
1906 }
1908 ret = asn1_create_element
1911 {
1915 }
1919 {
1923 }
1926 indx++;
1927 /* create a string like "?1"
1928 */
1937 {
1940 }
1945 {
1946 gnutls_datum_t td;
1957 {
1961 }
1964 {
1969 {
1972 }
1978 }
1980 {
1981 gnutls_datum_t txt;
1987 {
1990 }
1997 {
2000 }
2005 }
2006 else
2011 }
2016 full_cleanup:
2019 cleanup:
2023 }
2026 /**
2027 * gnutls_x509_crt_get_extension_by_oid:
2028 * @cert: should contain a #gnutls_x509_crt_t structure
2029 * @oid: holds an Object Identified in null terminated string
2030 * @indx: In case multiple same OIDs exist in the extensions, this specifies which to send. Use (0) to get the first one.
2031 * @buf: a pointer to a structure to hold the name (may be null)
2032 * @buf_size: initially holds the size of @buf
2033 * @critical: will be non-zero if the extension is marked as critical
2034 *
2035 * This function will return the extension specified by the OID in the
2036 * certificate. The extensions will be returned as binary data DER
2037 * encoded, in the provided buffer.
2038 *
2039 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
2040 * otherwise a negative error code is returned. If the certificate does not
2041 * contain the specified extension
2042 * GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.
2043 **/
2044 int
2049 {
2051 gnutls_datum_t output;
2054 {
2057 }
2062 {
2065 }
2068 {
2071 }
2074 {
2078 }
2089 }
2091 /**
2092 * gnutls_x509_crt_get_extension_oid:
2093 * @cert: should contain a #gnutls_x509_crt_t structure
2094 * @indx: Specifies which extension OID to send. Use (0) to get the first one.
2095 * @oid: a pointer to a structure to hold the OID (may be null)
2096 * @oid_size: initially holds the size of @oid
2097 *
2098 * This function will return the requested extension OID in the certificate.
2099 * The extension OID will be stored as a string in the provided buffer.
2100 *
2101 * The @oid returned will be null terminated, although @oid_size will not
2102 * account for the trailing null.
2103 *
2104 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
2105 * otherwise a negative error code is returned. If you have reached the
2106 * last extension available %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
2107 * will be returned.
2108 **/
2109 int
2112 {
2116 {
2119 }
2123 {
2125 }
2129 }
2131 /**
2132 * gnutls_x509_crt_get_extension_info:
2133 * @cert: should contain a #gnutls_x509_crt_t structure
2134 * @indx: Specifies which extension OID to send. Use (0) to get the first one.
2135 * @oid: a pointer to a structure to hold the OID
2136 * @oid_size: initially holds the maximum size of @oid, on return
2137 * holds actual size of @oid.
2138 * @critical: output variable with critical flag, may be NULL.
2139 *
2140 * This function will return the requested extension OID in the
2141 * certificate, and the critical flag for it. The extension OID will
2142 * be stored as a string in the provided buffer. Use
2143 * gnutls_x509_crt_get_extension_data() to extract the data.
2144 *
2145 * If the buffer provided is not long enough to hold the output, then
2146 * @oid_size is updated and %GNUTLS_E_SHORT_MEMORY_BUFFER will be
2147 * returned. The @oid returned will be null terminated, although
2148 * @oid_size will not account for the trailing null.
2149 *
2150 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
2151 * otherwise a negative error code is returned. If you have reached the
2152 * last extension available %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
2153 * will be returned.
2154 **/
2155 int
2159 {
2166 {
2169 }
2181 {
2184 }
2191 {
2194 }
2197 {
2200 else
2202 }
2206 }
2208 /**
2209 * gnutls_x509_crt_get_extension_data:
2210 * @cert: should contain a #gnutls_x509_crt_t structure
2211 * @indx: Specifies which extension OID to send. Use (0) to get the first one.
2212 * @data: a pointer to a structure to hold the data (may be null)
2213 * @sizeof_data: initially holds the size of @oid
2214 *
2215 * This function will return the requested extension data in the
2216 * certificate. The extension data will be stored as a string in the
2217 * provided buffer.
2218 *
2219 * Use gnutls_x509_crt_get_extension_info() to extract the OID and
2220 * critical flag. Use gnutls_x509_crt_get_extension_by_oid() instead,
2221 * if you want to get data indexed by the extension OID rather than
2222 * sequence.
2223 *
2224 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
2225 * otherwise a negative error code is returned. If you have reached the
2226 * last extension available %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
2227 * will be returned.
2228 **/
2229 int
2232 {
2237 {
2240 }
2252 {
2255 }
2258 }
2260 static int
2263 {
2269 /* get the issuer of 'cert'
2270 */
2274 {
2277 }
2279 result =
2282 {
2285 }
2289 {
2294 }
2296 result =
2301 {
2305 }
2313 cleanup:
2317 }
2319 /**
2320 * gnutls_x509_crt_get_raw_issuer_dn:
2321 * @cert: should contain a #gnutls_x509_crt_t structure
2322 * @start: will hold the starting point of the DN
2323 *
2324 * This function will return a pointer to the DER encoded DN structure
2325 * and the length. This points to allocated data that must be free'd using gnutls_free().
2326 *
2327 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
2328 * negative error value.or a negative error code on error.
2329 *
2330 **/
2331 int
2334 {
2336 }
2338 /**
2339 * gnutls_x509_crt_get_raw_dn:
2340 * @cert: should contain a #gnutls_x509_crt_t structure
2341 * @start: will hold the starting point of the DN
2342 *
2343 * This function will return a pointer to the DER encoded DN structure and
2344 * the length. This points to allocated data that must be free'd using gnutls_free().
2345 *
2346 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
2347 * negative error value. or a negative error code on error.
2348 *
2349 **/
2350 int
2352 {
2354 }
2356 static int
2358 {
2363 }
2365 /**
2366 * gnutls_x509_crt_get_subject:
2367 * @cert: should contain a #gnutls_x509_crt_t structure
2368 * @dn: output variable with pointer to uint8_t DN.
2369 *
2370 * Return the Certificate's Subject DN as an uint8_t data type. You
2371 * may use gnutls_x509_dn_get_rdn_ava() to decode the DN.
2372 *
2373 * Note that @dn should be treated as constant. Because points
2374 * into the @cert object, you may not deallocate @cert
2375 * and continue to access @dn.
2376 *
2377 * Returns: Returns 0 on success, or an error code.
2378 **/
2379 int
2381 {
2383 }
2385 /**
2386 * gnutls_x509_crt_get_issuer:
2387 * @cert: should contain a #gnutls_x509_crt_t structure
2388 * @dn: output variable with pointer to uint8_t DN
2389 *
2390 * Return the Certificate's Issuer DN as an uint8_t data type. You may
2391 * use gnutls_x509_dn_get_rdn_ava() to decode the DN.
2392 *
2393 * Note that @dn should be treated as constant. Because points
2394 * into the @cert object, you may not deallocate @cert
2395 * and continue to access @dn.
2396 *
2397 * Returns: Returns 0 on success, or an error code.
2398 **/
2399 int
2401 {
2403 }
2405 /**
2406 * gnutls_x509_dn_get_rdn_ava:
2407 * @dn: input variable with uint8_t DN pointer
2408 * @irdn: index of RDN
2409 * @iava: index of AVA.
2410 * @ava: Pointer to structure which will hold output information.
2411 *
2412 * Get pointers to data within the DN.
2413 *
2414 * Note that @ava will contain pointers into the @dn structure, so you
2415 * should not modify any data or deallocate it. Note also that the DN
2416 * in turn points into the original certificate structure, and thus
2417 * you may not deallocate the certificate and continue to access @dn.
2418 *
2419 * Returns: Returns 0 on success, or an error code.
2420 **/
2421 int
2424 {
2426 ASN1_DATA_NODE vnode;
2433 iava++;
2439 {
2442 }
2447 {
2450 }
2454 {
2457 }
2465 {
2468 }
2472 {
2475 }
2476 /* The value still has the previous tag's length bytes, plus the
2477 * current value's tag and length bytes. Decode them.
2478 */
2484 {
2487 }
2493 {
2496 }
2501 {
2506 {
2509 }
2511 }
2515 }
2517 /**
2518 * gnutls_x509_crt_get_fingerprint:
2519 * @cert: should contain a #gnutls_x509_crt_t structure
2520 * @algo: is a digest algorithm
2521 * @buf: a pointer to a structure to hold the fingerprint (may be null)
2522 * @buf_size: initially holds the size of @buf
2523 *
2524 * This function will calculate and copy the certificate's fingerprint
2525 * in the provided buffer.
2526 *
2527 * If the buffer is null then only the size will be filled.
2528 *
2529 * Returns: %GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is
2530 * not long enough, and in that case the *buf_size will be updated
2531 * with the required size. On success 0 is returned.
2532 **/
2533 int
2535 gnutls_digest_algorithm_t algo,
2537 {
2541 gnutls_datum_t tmp;
2544 {
2546 }
2553 {
2556 }
2561 {
2565 }
2574 }
2576 /**
2577 * gnutls_x509_crt_export:
2578 * @cert: Holds the certificate
2579 * @format: the format of output params. One of PEM or DER.
2580 * @output_data: will contain a certificate PEM or DER encoded
2581 * @output_data_size: holds the size of output_data (and will be
2582 * replaced by the actual size of parameters)
2583 *
2584 * This function will export the certificate to DER or PEM format.
2585 *
2586 * If the buffer provided is not long enough to hold the output, then
2587 * *output_data_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will
2588 * be returned.
2589 *
2590 * If the structure is PEM encoded, it will have a header
2591 * of "BEGIN CERTIFICATE".
2592 *
2593 * Returns: In case of failure a negative error code will be
2594 * returned, and 0 on success.
2595 **/
2596 int
2600 {
2602 {
2605 }
2609 }
2611 /**
2612 * gnutls_x509_crt_export2:
2613 * @cert: Holds the certificate
2614 * @format: the format of output params. One of PEM or DER.
2615 * @out: will contain a certificate PEM or DER encoded
2616 *
2617 * This function will export the certificate to DER or PEM format.
2618 * The output buffer is allocated using gnutls_malloc().
2619 *
2620 * If the structure is PEM encoded, it will have a header
2621 * of "BEGIN CERTIFICATE".
2622 *
2623 * Returns: In case of failure a negative error code will be
2624 * returned, and 0 on success.
2625 *
2626 * Since: 3.1
2627 **/
2628 int
2631 {
2633 {
2636 }
2639 }
2641 int
2645 {
2652 {
2656 }
2664 {
2667 }
2672 cleanup:
2676 }
2678 /**
2679 * gnutls_x509_crt_get_key_id:
2680 * @crt: Holds the certificate
2681 * @flags: should be 0 for now
2682 * @output_data: will contain the key ID
2683 * @output_data_size: holds the size of output_data (and will be
2684 * replaced by the actual size of parameters)
2685 *
2686 * This function will return a unique ID that depends on the public
2687 * key parameters. This ID can be used in checking whether a
2688 * certificate corresponds to the given private key.
2689 *
2690 * If the buffer provided is not long enough to hold the output, then
2691 * *output_data_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will
2692 * be returned. The output will normally be a SHA-1 hash output,
2693 * which is 20 bytes.
2694 *
2695 * Returns: In case of failure a negative error code will be
2696 * returned, and 0 on success.
2697 **/
2698 int
2702 {
2704 gnutls_pk_params_st params;
2707 {
2710 }
2714 {
2717 }
2721 {
2724 }
2731 }
2734 /* This is exactly as gnutls_x509_crt_check_revocation() except that
2735 * it calls func.
2736 */
2737 int
2741 gnutls_verify_output_function func)
2742 {
2750 {
2753 }
2758 /* Step 1. check if issuer's DN match
2759 */
2762 {
2765 }
2769 {
2772 }
2778 {
2779 /* issuers do not match so don't even
2780 * bother checking.
2781 */
2783 }
2785 /* Step 2. Read the certificate's serial number
2786 */
2790 {
2793 }
2795 /* Step 3. cycle through the CRL serials and compare with
2796 * certificate serial we have.
2797 */
2801 {
2804 }
2807 {
2809 ret =
2814 {
2817 }
2820 {
2822 {
2823 /* serials match */
2826 }
2827 }
2828 }
2831 }
2833 }
2836 /**
2837 * gnutls_x509_crt_check_revocation:
2838 * @cert: should contain a #gnutls_x509_crt_t structure
2839 * @crl_list: should contain a list of gnutls_x509_crl_t structures
2840 * @crl_list_length: the length of the crl_list
2841 *
2842 * This function will return check if the given certificate is
2843 * revoked. It is assumed that the CRLs have been verified before.
2844 *
2845 * Returns: 0 if the certificate is NOT revoked, and 1 if it is. A
2846 * negative error code is returned on error.
2847 **/
2848 int
2852 {
2854 }
2856 /**
2857 * gnutls_x509_crt_get_verify_algorithm:
2858 * @crt: Holds the certificate
2859 * @signature: contains the signature
2860 * @hash: The result of the call with the hash algorithm used for signature
2861 *
2862 * This function will read the certifcate and the signed data to
2863 * determine the hash algorithm used to generate the signature.
2864 *
2865 * Deprecated: Use gnutls_pubkey_get_verify_algorithm() instead.
2866 *
2867 * Returns: the 0 if the hash algorithm is found. A negative error code is
2868 * returned on error.
2869 *
2870 * Since: 2.8.0
2871 **/
2872 int
2876 {
2877 gnutls_pk_params_st issuer_params;
2881 {
2884 }
2888 {
2891 }
2894 signature,
2896 NULL),
2899 /* release allocated mpis */
2903 }
2907 /**
2908 * gnutls_x509_crt_get_preferred_hash_algorithm:
2909 * @crt: Holds the certificate
2910 * @hash: The result of the call with the hash algorithm used for signature
2911 * @mand: If non-zero it means that the algorithm MUST use this hash. May be NULL.
2912 *
2913 * This function will read the certifcate and return the appropriate digest
2914 * algorithm to use for signing with this certificate. Some certificates (i.e.
2915 * DSA might not be able to sign without the preferred algorithm).
2916 *
2917 * Deprecated: Please use gnutls_pubkey_get_preferred_hash_algorithm().
2918 *
2919 * Returns: the 0 if the hash algorithm is found. A negative error code is
2920 * returned on error.
2921 *
2922 * Since: 2.12.0
2923 **/
2924 int
2926 gnutls_digest_algorithm_t *
2928 {
2929 gnutls_pk_params_st issuer_params;
2933 {
2936 }
2940 {
2943 }
2945 ret =
2950 /* release allocated mpis */
2954 }
2956 /**
2957 * gnutls_x509_crt_verify_data:
2958 * @crt: Holds the certificate
2959 * @flags: should be 0 for now
2960 * @data: holds the data to be signed
2961 * @signature: contains the signature
2962 *
2963 * This function will verify the given signed data, using the
2964 * parameters from the certificate.
2965 *
2966 * Deprecated. Please use gnutls_pubkey_verify_data().
2967 *
2968 * Returns: In case of a verification failure %GNUTLS_E_PK_SIG_VERIFY_FAILED
2969 * is returned, and zero or positive code on success.
2970 **/
2971 int
2975 {
2979 {
2982 }
2986 {
2989 }
2992 }
2994 /**
2995 * gnutls_x509_crt_verify_hash:
2996 * @crt: Holds the certificate
2997 * @flags: should be 0 for now
2998 * @hash: holds the hash digest to be verified
2999 * @signature: contains the signature
3000 *
3001 * This function will verify the given signed digest, using the
3002 * parameters from the certificate.
3003 *
3004 * Deprecated. Please use gnutls_pubkey_verify_data2() or gnutls_pubkey_verify_hash2().
3005 *
3006 * Returns: In case of a verification failure %GNUTLS_E_PK_SIG_VERIFY_FAILED
3007 * is returned, and zero or positive code on success.
3008 **/
3009 int
3013 {
3014 gnutls_pk_params_st params;
3015 gnutls_digest_algorithm_t algo;
3019 {
3022 }
3028 /* Read the MPI parameters from the issuer's certificate.
3029 */
3030 ret =
3033 {
3036 }
3038 ret =
3042 {
3044 }
3046 /* release all allocated MPIs
3047 */
3051 }
3053 /**
3054 * gnutls_x509_crt_get_crl_dist_points:
3055 * @cert: should contain a #gnutls_x509_crt_t structure
3056 * @seq: specifies the sequence number of the distribution point (0 for the first one, 1 for the second etc.)
3057 * @ret: is the place where the distribution point will be copied to
3058 * @ret_size: holds the size of ret.
3059 * @reason_flags: Revocation reasons. An ORed sequence of flags from %gnutls_x509_crl_reason_flags_t.
3060 * @critical: will be non-zero if the extension is marked as critical (may be null)
3061 *
3062 * This function retrieves the CRL distribution points (2.5.29.31),
3063 * contained in the given certificate in the X509v3 Certificate
3064 * Extensions.
3065 *
3066 * Returns: %GNUTLS_E_SHORT_MEMORY_BUFFER and updates @ret_size if
3067 * @ret_size is not enough to hold the distribution point, or the
3068 * type of the distribution point if everything was ok. The type is
3069 * one of the enumerated %gnutls_x509_subject_alt_name_t. If the
3070 * certificate does not have an Alternative name with the specified
3071 * sequence number then %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is
3072 * returned.
3073 **/
3074 int
3080 {
3086 gnutls_x509_subject_alt_name_t type;
3090 {
3093 }
3097 else
3103 result =
3105 critical);
3107 {
3109 }
3112 {
3115 }
3117 result = asn1_create_element
3120 {
3124 }
3130 {
3134 }
3136 /* Return the different names from the first CRLDistr. point.
3137 * The whole thing is a mess.
3138 */
3143 {
3146 }
3151 /* Read the CRL reasons.
3152 */
3154 {
3163 {
3167 }
3170 }
3175 }
3177 /**
3178 * gnutls_x509_crt_get_key_purpose_oid:
3179 * @cert: should contain a #gnutls_x509_crt_t structure
3180 * @indx: This specifies which OID to return. Use (0) to get the first one.
3181 * @oid: a pointer to a buffer to hold the OID (may be null)
3182 * @oid_size: initially holds the size of @oid
3183 * @critical: output flag to indicate criticality of extension
3184 *
3185 * This function will extract the key purpose OIDs of the Certificate
3186 * specified by the given index. These are stored in the Extended Key
3187 * Usage extension (2.5.29.37) See the GNUTLS_KP_* definitions for
3188 * human readable names.
3189 *
3190 * If @oid is null then only the size will be filled. The @oid
3191 * returned will be null terminated, although @oid_size will not
3192 * account for the trailing null.
3193 *
3194 * Returns: %GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is
3195 * not long enough, and in that case the *oid_size will be updated
3196 * with the required size. On success 0 is returned.
3197 **/
3198 int
3202 {
3205 gnutls_datum_t id;
3209 {
3212 }
3216 else
3222 {
3224 }
3227 {
3230 }
3232 result = asn1_create_element
3235 {
3239 }
3245 {
3249 }
3251 indx++;
3252 /* create a string like "?1"
3253 */
3263 {
3265 }
3268 {
3271 }
3275 }
3277 /**
3278 * gnutls_x509_crt_get_pk_rsa_raw:
3279 * @crt: Holds the certificate
3280 * @m: will hold the modulus
3281 * @e: will hold the public exponent
3282 *
3283 * This function will export the RSA public key's parameters found in
3284 * the given structure. The new parameters will be allocated using
3285 * gnutls_malloc() and will be stored in the appropriate datum.
3286 *
3287 * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
3288 **/
3289 int
3292 {
3294 gnutls_pk_params_st params;
3297 {
3300 }
3304 {
3307 }
3311 {
3314 }
3318 {
3321 }
3325 {
3329 }
3333 cleanup:
3336 }
3338 /**
3339 * gnutls_x509_crt_get_pk_dsa_raw:
3340 * @crt: Holds the certificate
3341 * @p: will hold the p
3342 * @q: will hold the q
3343 * @g: will hold the g
3344 * @y: will hold the y
3345 *
3346 * This function will export the DSA public key's parameters found in
3347 * the given certificate. The new parameters will be allocated using
3348 * gnutls_malloc() and will be stored in the appropriate datum.
3349 *
3350 * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
3351 **/
3352 int
3356 {
3358 gnutls_pk_params_st params;
3361 {
3364 }
3368 {
3371 }
3375 {
3378 }
3381 /* P */
3384 {
3387 }
3389 /* Q */
3392 {
3396 }
3399 /* G */
3402 {
3407 }
3410 /* Y */
3413 {
3419 }
3423 cleanup:
3427 }
3429 /**
3430 * gnutls_x509_crt_list_import2:
3431 * @certs: The structures to store the parsed certificate. Must not be initialized.
3432 * @size: It will contain the size of the list.
3433 * @data: The PEM encoded certificate.
3434 * @format: One of DER or PEM.
3435 * @flags: must be (0) or an OR'd sequence of gnutls_certificate_import_flags.
3436 *
3437 * This function will convert the given PEM encoded certificate list
3438 * to the native gnutls_x509_crt_t format. The output will be stored
3439 * in @certs which will be initialized.
3440 *
3441 * If the Certificate is PEM encoded it should have a header of "X509
3442 * CERTIFICATE", or "CERTIFICATE".
3443 *
3444 * Returns: the number of certificates read or a negative error value.
3445 *
3446 * Since: 3.0
3447 **/
3448 int
3453 {
3459 {
3462 }
3464 ret = gnutls_x509_crt_list_import(*certs, &init, data, format, GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED);
3466 {
3469 {
3472 }
3475 }
3478 {
3482 }
3486 }
3489 {
3495 /* check if the X.509 list is ordered */
3497 {
3500 {
3502 {
3506 {
3509 }
3512 {
3515 }
3516 }
3521 {
3524 }
3525 }
3526 }
3530 cleanup:
3532 }
3535 /**
3536 * gnutls_x509_crt_list_import:
3537 * @certs: The structures to store the parsed certificate. Must not be initialized.
3538 * @cert_max: Initially must hold the maximum number of certs. It will be updated with the number of certs available.
3539 * @data: The PEM encoded certificate.
3540 * @format: One of DER or PEM.
3541 * @flags: must be (0) or an OR'd sequence of gnutls_certificate_import_flags.
3542 *
3543 * This function will convert the given PEM encoded certificate list
3544 * to the native gnutls_x509_crt_t format. The output will be stored
3545 * in @certs. They will be automatically initialized.
3546 *
3547 * The flag %GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED will cause
3548 * import to fail if the certificates in the provided buffer are more
3549 * than the available structures. The %GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED
3550 * flag will cause the function to fail if the provided list is not
3551 * sorted from subject to issuer.
3552 *
3553 * If the Certificate is PEM encoded it should have a header of "X509
3554 * CERTIFICATE", or "CERTIFICATE".
3555 *
3556 * Returns: the number of certificates read or a negative error value.
3557 **/
3558 int
3563 {
3566 gnutls_datum_t tmp;
3571 {
3573 {
3576 }
3582 {
3585 }
3589 {
3592 }
3596 }
3598 /* move to the certificate
3599 */
3611 do
3612 {
3614 {
3617 else
3619 }
3622 {
3625 {
3628 }
3633 ret =
3636 {
3639 }
3640 }
3642 /* now we move ptr after the pem header
3643 */
3644 ptr++;
3645 /* find the next certificate (if any)
3646 */
3650 {
3659 }
3660 else
3663 count++;
3664 }
3670 {
3673 {
3676 }
3677 }
3681 else
3684 error:
3688 }
3690 /**
3691 * gnutls_x509_crt_get_subject_unique_id:
3692 * @crt: Holds the certificate
3693 * @buf: user allocated memory buffer, will hold the unique id
3694 * @buf_size: size of user allocated memory buffer (on input), will hold
3695 * actual size of the unique ID on return.
3696 *
3697 * This function will extract the subjectUniqueID value (if present) for
3698 * the given certificate.
3699 *
3700 * If the user allocated memory buffer is not large enough to hold the
3701 * full subjectUniqueID, then a GNUTLS_E_SHORT_MEMORY_BUFFER error will be
3702 * returned, and buf_size will be set to the actual length.
3703 *
3704 * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
3705 **/
3706 int
3709 {
3713 result =
3722 }
3723 else
3724 {
3727 }
3732 }
3734 /**
3735 * gnutls_x509_crt_get_issuer_unique_id:
3736 * @crt: Holds the certificate
3737 * @buf: user allocated memory buffer, will hold the unique id
3738 * @buf_size: size of user allocated memory buffer (on input), will hold
3739 * actual size of the unique ID on return.
3740 *
3741 * This function will extract the issuerUniqueID value (if present) for
3742 * the given certificate.
3743 *
3744 * If the user allocated memory buffer is not large enough to hold the
3745 * full subjectUniqueID, then a GNUTLS_E_SHORT_MEMORY_BUFFER error will be
3746 * returned, and buf_size will be set to the actual length.
3747 *
3748 * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
3749 *
3750 * Since: 2.12.0
3751 **/
3752 int
3755 {
3759 result =
3768 }
3769 else
3770 {
3773 }
3778 }
3780 static int
3785 {
3789 gnutls_datum_t d;
3794 {
3805 /* fall through */
3810 {
3820 {
3823 }
3826 }
3827 /* fall through */
3836 }
3844 {
3847 }
3857 {
3861 }
3864 {
3867 }
3868 else
3872 }
3874 /**
3875 * gnutls_x509_crt_get_authority_info_access:
3876 * @crt: Holds the certificate
3877 * @seq: specifies the sequence number of the access descriptor (0 for the first one, 1 for the second etc.)
3878 * @what: what data to get, a #gnutls_info_access_what_t type.
3879 * @data: output data to be freed with gnutls_free().
3880 * @critical: pointer to output integer that is set to non-0 if the extension is marked as critical (may be %NULL)
3881 *
3882 * This function extracts the Authority Information Access (AIA)
3883 * extension, see RFC 5280 section 4.2.2.1 for more information. The
3884 * AIA extension holds a sequence of AccessDescription (AD) data:
3885 *
3886 * <informalexample><programlisting>
3887 * AuthorityInfoAccessSyntax ::=
3888 * SEQUENCE SIZE (1..MAX) OF AccessDescription
3889 *
3890 * AccessDescription ::= SEQUENCE {
3891 * accessMethod OBJECT IDENTIFIER,
3892 * accessLocation GeneralName }
3893 * </programlisting></informalexample>
3894 *
3895 * The @seq input parameter is used to indicate which member of the
3896 * sequence the caller is interested in. The first member is 0, the
3897 * second member 1 and so on. When the @seq value is out of bounds,
3898 * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned.
3899 *
3900 * The type of data returned in @data is specified via @what which
3901 * should be #gnutls_info_access_what_t values.
3902 *
3903 * If @what is %GNUTLS_IA_ACCESSMETHOD_OID then @data will hold the
3904 * accessMethod OID (e.g., "1.3.6.1.5.5.7.48.1").
3905 *
3906 * If @what is %GNUTLS_IA_ACCESSLOCATION_GENERALNAME_TYPE, @data will
3907 * hold the accessLocation GeneralName type (e.g.,
3908 * "uniformResourceIdentifier").
3909 *
3910 * If @what is %GNUTLS_IA_URI, @data will hold the accessLocation URI
3911 * data. Requesting this @what value leads to an error if the
3912 * accessLocation is not of the "uniformResourceIdentifier" type.
3913 *
3914 * If @what is %GNUTLS_IA_OCSP_URI, @data will hold the OCSP URI.
3915 * Requesting this @what value leads to an error if the accessMethod
3916 * is not 1.3.6.1.5.5.7.48.1 aka OSCP, or if accessLocation is not of
3917 * the "uniformResourceIdentifier" type.
3918 *
3919 * If @what is %GNUTLS_IA_CAISSUERS_URI, @data will hold the caIssuers
3920 * URI. Requesting this @what value leads to an error if the
3921 * accessMethod is not 1.3.6.1.5.5.7.48.2 aka caIssuers, or if
3922 * accessLocation is not of the "uniformResourceIdentifier" type.
3923 *
3924 * More @what values may be allocated in the future as needed.
3925 *
3926 * If @data is NULL, the function does the same without storing the
3927 * output data, that is, it will set @critical and do error checking
3928 * as usual.
3929 *
3930 * The value of the critical flag is returned in *@critical. Supply a
3931 * NULL @critical if you want the function to make sure the extension
3932 * is non-critical, as required by RFC 5280.
3933 *
3934 * Returns: %GNUTLS_E_SUCCESS on success, %GNUTLS_E_INVALID_REQUEST on
3935 * invalid @crt, %GNUTLS_E_CONSTRAINT_ERROR if the extension is
3936 * incorrectly marked as critical (use a non-NULL @critical to
3937 * override), %GNUTLS_E_UNKNOWN_ALGORITHM if the requested OID does
3938 * not match (e.g., when using %GNUTLS_IA_OCSP_URI), otherwise a
3939 * negative error code.
3940 *
3941 * Since: 3.0
3942 **/
3943 int
3949 {
3951 gnutls_datum_t aia;
3955 {
3958 }
3965 {
3968 }
3976 {
3980 }
3983 /* asn1_print_structure (stdout, c2, "", ASN1_PRINT_ALL); */
3986 {
3990 }
3999 }
4001 /**
4002 * gnutls_x509_crt_set_pin_function:
4003 * @crt: The certificate structure
4004 * @fn: the callback
4005 * @userdata: data associated with the callback
4006 *
4007 * This function will set a callback function to be used when
4008 * it is required to access a protected object. This function overrides
4009 * the global function set using gnutls_pkcs11_set_pin_function().
4010 *
4011 * Note that this callback is currently used only during the import
4012 * of a PKCS #11 certificate with gnutls_x509_crt_import_pkcs11_url().
4013 *
4014 * Since: 3.1.0
4015 *
4016 **/
4019 {
4022 }