| blob | 75c612abb60ab85a7a64f85c9062f0766c63900c |
1 /*
2 * Copyright (C) 2003-2012 Free Software Foundation, Inc.
3 * Author: Nikos Mavrogiannopoulos, Simon Josefsson, Howard Chu
4 *
5 * This file is part of GnuTLS.
6 *
7 * The GnuTLS is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU Lesser General Public License
9 * as published by the Free Software Foundation; either version 3 of
10 * the License, or (at your option) any later version.
11 *
12 * This library is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
16 *
17 * You should have received a copy of the GNU Lesser General Public License
18 * along with this program. If not, see <http://www.gnu.org/licenses/>
19 *
20 */
22 /* Functions on X.509 Certificate parsing
23 */
25 #include <gnutls_int.h>
26 #include <gnutls_datum.h>
27 #include <gnutls_global.h>
28 #include <gnutls_errors.h>
29 #include <common.h>
30 #include <gnutls_x509.h>
31 #include <x509_b64.h>
32 #include <x509_int.h>
33 #include <libtasn1.h>
34 #include <gnutls_pk.h>
36 /**
37 * gnutls_x509_crt_init:
38 * @cert: The structure to be initialized
39 *
40 * This function will initialize an X.509 certificate structure.
41 *
42 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
43 * negative error value.
44 **/
45 int
47 {
57 {
61 }
63 /* If you add anything here, be sure to check if it has to be added
64 to gnutls_x509_crt_import as well. */
69 }
71 /*-
72 * _gnutls_x509_crt_cpy - This function copies a gnutls_x509_crt_t structure
73 * @dest: The structure where to copy
74 * @src: The structure to be copied
75 *
76 * This function will copy an X.509 certificate structure.
77 *
78 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
79 * negative error value.
80 -*/
81 int
83 {
87 gnutls_datum_t tmp;
91 {
94 }
98 {
101 }
105 {
109 }
118 {
121 }
124 }
126 /**
127 * gnutls_x509_crt_deinit:
128 * @cert: The structure to be deinitialized
129 *
130 * This function will deinitialize a certificate structure.
131 **/
132 void
134 {
142 }
144 /**
145 * gnutls_x509_crt_import:
146 * @cert: The structure to store the parsed certificate.
147 * @data: The DER or PEM encoded certificate.
148 * @format: One of DER or PEM
149 *
150 * This function will convert the given DER or PEM encoded Certificate
151 * to the native gnutls_x509_crt_t format. The output will be stored
152 * in @cert.
153 *
154 * If the Certificate is PEM encoded it should have a header of "X509
155 * CERTIFICATE", or "CERTIFICATE".
156 *
157 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
158 * negative error value.
159 **/
160 int
163 gnutls_x509_crt_fmt_t format)
164 {
166 gnutls_datum_t _data;
169 {
172 }
177 /* If the Certificate is in PEM format then decode it
178 */
180 {
181 /* Try the first header */
182 result =
186 {
187 /* try for the second header */
188 result =
193 {
196 }
197 }
200 }
203 {
204 /* Any earlier asn1_der_decoding will modify the ASN.1
205 structure, so we need to replace it with a fresh
206 structure. */
212 {
216 }
217 }
221 {
225 }
229 /* Since we do not want to disable any extension
230 */
237 cleanup:
241 }
244 /**
245 * gnutls_x509_crt_get_issuer_dn:
246 * @cert: should contain a #gnutls_x509_crt_t structure
247 * @buf: a pointer to a structure to hold the name (may be null)
248 * @buf_size: initially holds the size of @buf
249 *
250 * This function will copy the name of the Certificate issuer in the
251 * provided buffer. The name will be in the form
252 * "C=xxxx,O=yyyy,CN=zzzz" as described in RFC4514. The output string
253 * will be ASCII or UTF-8 encoded, depending on the certificate data.
254 *
255 * If @buf is null then only the size will be filled.
256 *
257 * Returns: GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not
258 * long enough, and in that case the @buf_size will be updated with
259 * the required size. On success 0 is returned.
260 **/
261 int
264 {
266 {
269 }
273 buf_size);
274 }
276 /**
277 * gnutls_x509_crt_get_issuer_dn_by_oid:
278 * @cert: should contain a #gnutls_x509_crt_t structure
279 * @oid: holds an Object Identified in null terminated string
280 * @indx: In case multiple same OIDs exist in the RDN, this specifies which to send. Use (0) to get the first one.
281 * @raw_flag: If non (0) returns the raw DER data of the DN part.
282 * @buf: a pointer to a structure to hold the name (may be null)
283 * @buf_size: initially holds the size of @buf
284 *
285 * This function will extract the part of the name of the Certificate
286 * issuer specified by the given OID. The output, if the raw flag is not
287 * used, will be encoded as described in RFC4514. Thus a string that is
288 * ASCII or UTF-8 encoded, depending on the certificate data.
289 *
290 * Some helper macros with popular OIDs can be found in gnutls/x509.h
291 * If raw flag is (0), this function will only return known OIDs as
292 * text. Other OIDs will be DER encoded, as described in RFC4514 --
293 * in hex format with a '#' prefix. You can check about known OIDs
294 * using gnutls_x509_dn_oid_known().
295 *
296 * If @buf is null then only the size will be filled. If the @raw_flag
297 * is not specified the output is always null terminated, although the
298 * @buf_size will not include the null character.
299 *
300 * Returns: %GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not
301 * long enough, and in that case the @buf_size will be updated with
302 * the required size. %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE if there
303 * are no data in the current index. On success 0 is returned.
304 **/
305 int
310 {
312 {
315 }
320 }
322 /**
323 * gnutls_x509_crt_get_issuer_dn_oid:
324 * @cert: should contain a #gnutls_x509_crt_t structure
325 * @indx: This specifies which OID to return. Use (0) to get the first one.
326 * @oid: a pointer to a buffer to hold the OID (may be null)
327 * @oid_size: initially holds the size of @oid
328 *
329 * This function will extract the OIDs of the name of the Certificate
330 * issuer specified by the given index.
331 *
332 * If @oid is null then only the size will be filled. The @oid
333 * returned will be null terminated, although @oid_size will not
334 * account for the trailing null.
335 *
336 * Returns: %GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not
337 * long enough, and in that case the @buf_size will be updated with
338 * the required size. %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE if there
339 * are no data in the current index. On success 0 is returned.
340 **/
341 int
344 {
346 {
349 }
354 }
356 /**
357 * gnutls_x509_crt_get_dn:
358 * @cert: should contain a #gnutls_x509_crt_t structure
359 * @buf: a pointer to a structure to hold the name (may be null)
360 * @buf_size: initially holds the size of @buf
361 *
362 * This function will copy the name of the Certificate in the provided
363 * buffer. The name will be in the form "C=xxxx,O=yyyy,CN=zzzz" as
364 * described in RFC4514. The output string will be ASCII or UTF-8
365 * encoded, depending on the certificate data.
366 *
367 * If @buf is null then only the size will be filled.
368 *
369 * Returns: %GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not
370 * long enough, and in that case the @buf_size will be updated
371 * with the required size. On success 0 is returned.
372 **/
373 int
376 {
378 {
381 }
385 buf_size);
386 }
388 /**
389 * gnutls_x509_crt_get_dn_by_oid:
390 * @cert: should contain a #gnutls_x509_crt_t structure
391 * @oid: holds an Object Identified in null terminated string
392 * @indx: In case multiple same OIDs exist in the RDN, this specifies which to send. Use (0) to get the first one.
393 * @raw_flag: If non (0) returns the raw DER data of the DN part.
394 * @buf: a pointer where the DN part will be copied (may be null).
395 * @buf_size: initially holds the size of @buf
396 *
397 * This function will extract the part of the name of the Certificate
398 * subject specified by the given OID. The output, if the raw flag is
399 * not used, will be encoded as described in RFC4514. Thus a string
400 * that is ASCII or UTF-8 encoded, depending on the certificate data.
401 *
402 * Some helper macros with popular OIDs can be found in gnutls/x509.h
403 * If raw flag is (0), this function will only return known OIDs as
404 * text. Other OIDs will be DER encoded, as described in RFC4514 --
405 * in hex format with a '#' prefix. You can check about known OIDs
406 * using gnutls_x509_dn_oid_known().
407 *
408 * If @buf is null then only the size will be filled. If the @raw_flag
409 * is not specified the output is always null terminated, although the
410 * @buf_size will not include the null character.
411 *
412 * Returns: %GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not
413 * long enough, and in that case the @buf_size will be updated with
414 * the required size. %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE if there
415 * are no data in the current index. On success 0 is returned.
416 **/
417 int
421 {
423 {
426 }
431 }
433 /**
434 * gnutls_x509_crt_get_dn_oid:
435 * @cert: should contain a #gnutls_x509_crt_t structure
436 * @indx: This specifies which OID to return. Use (0) to get the first one.
437 * @oid: a pointer to a buffer to hold the OID (may be null)
438 * @oid_size: initially holds the size of @oid
439 *
440 * This function will extract the OIDs of the name of the Certificate
441 * subject specified by the given index.
442 *
443 * If @oid is null then only the size will be filled. The @oid
444 * returned will be null terminated, although @oid_size will not
445 * account for the trailing null.
446 *
447 * Returns: %GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not
448 * long enough, and in that case the @buf_size will be updated with
449 * the required size. %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE if there
450 * are no data in the current index. On success 0 is returned.
451 **/
452 int
455 {
457 {
460 }
465 }
467 /**
468 * gnutls_x509_crt_get_signature_algorithm:
469 * @cert: should contain a #gnutls_x509_crt_t structure
470 *
471 * This function will return a value of the #gnutls_sign_algorithm_t
472 * enumeration that is the signature algorithm that has been used to
473 * sign this certificate.
474 *
475 * Returns: a #gnutls_sign_algorithm_t value, or a negative error code on
476 * error.
477 **/
478 int
480 {
482 }
484 /**
485 * gnutls_x509_crt_get_signature:
486 * @cert: should contain a #gnutls_x509_crt_t structure
487 * @sig: a pointer where the signature part will be copied (may be null).
488 * @sizeof_sig: initially holds the size of @sig
489 *
490 * This function will extract the signature field of a certificate.
491 *
492 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
493 * negative error value. and a negative error code on error.
494 **/
495 int
498 {
504 {
507 }
512 {
515 }
519 {
522 }
527 {
530 }
534 {
537 }
540 }
542 /**
543 * gnutls_x509_crt_get_version:
544 * @cert: should contain a #gnutls_x509_crt_t structure
545 *
546 * This function will return the version of the specified Certificate.
547 *
548 * Returns: version of certificate, or a negative error code on error.
549 **/
550 int
552 {
557 {
560 }
566 {
572 }
575 }
577 /**
578 * gnutls_x509_crt_get_activation_time:
579 * @cert: should contain a #gnutls_x509_crt_t structure
580 *
581 * This function will return the time this Certificate was or will be
582 * activated.
583 *
584 * Returns: activation time, or (time_t)-1 on error.
585 **/
586 time_t
588 {
590 {
593 }
597 }
599 /**
600 * gnutls_x509_crt_get_expiration_time:
601 * @cert: should contain a #gnutls_x509_crt_t structure
602 *
603 * This function will return the time this Certificate was or will be
604 * expired.
605 *
606 * Returns: expiration time, or (time_t)-1 on error.
607 **/
608 time_t
610 {
612 {
615 }
619 }
621 /**
622 * gnutls_x509_crt_get_private_key_usage_period:
623 * @cert: should contain a #gnutls_x509_crt_t structure
624 * @activation: The activation time
625 * @expiration: The expiration time
626 * @critical: the extension status
627 *
628 * This function will return the expiration and activation
629 * times of the private key of the certificate. It relies on
630 * the PKIX extension 2.5.29.16 being present.
631 *
632 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
633 * if the extension is not present, otherwise a negative error value.
634 **/
635 int
636 gnutls_x509_crt_get_private_key_usage_period (gnutls_x509_crt_t cert, time_t* activation, time_t* expiration,
638 {
644 {
647 }
649 ret =
651 critical);
658 result = asn1_create_element
661 {
665 }
669 {
673 }
685 cleanup:
690 }
693 /**
694 * gnutls_x509_crt_get_serial:
695 * @cert: should contain a #gnutls_x509_crt_t structure
696 * @result: The place where the serial number will be copied
697 * @result_size: Holds the size of the result field.
698 *
699 * This function will return the X.509 certificate's serial number.
700 * This is obtained by the X509 Certificate serialNumber field. Serial
701 * is not always a 32 or 64bit number. Some CAs use large serial
702 * numbers, thus it may be wise to handle it as something uint8_t.
703 *
704 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
705 * negative error value.
706 **/
707 int
710 {
714 {
717 }
720 ret =
725 {
728 }
731 }
733 /**
734 * gnutls_x509_crt_get_subject_key_id:
735 * @cert: should contain a #gnutls_x509_crt_t structure
736 * @ret: The place where the identifier will be copied
737 * @ret_size: Holds the size of the result field.
738 * @critical: will be non (0) if the extension is marked as critical (may be null)
739 *
740 * This function will return the X.509v3 certificate's subject key
741 * identifier. This is obtained by the X.509 Subject Key identifier
742 * extension field (2.5.29.14).
743 *
744 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
745 * if the extension is not present, otherwise a negative error value.
746 **/
747 int
750 {
752 gnutls_datum_t id;
756 {
759 }
764 else
770 {
772 }
775 {
778 }
780 result = asn1_create_element
783 {
787 }
793 {
797 }
806 {
808 }
811 {
815 }
818 }
820 static int
823 {
825 gnutls_datum_t id;
830 {
833 }
838 {
840 }
843 {
846 }
848 ret = asn1_create_element
851 {
855 }
861 {
865 }
868 }
870 /**
871 * gnutls_x509_crt_get_authority_key_gn_serial:
872 * @cert: should contain a #gnutls_x509_crt_t structure
873 * @seq: specifies the sequence number of the alt name (0 for the first one, 1 for the second etc.)
874 * @alt: is the place where the alternative name will be copied to
875 * @alt_size: holds the size of alt.
876 * @alt_type: holds the type of the alternative name (one of gnutls_x509_subject_alt_name_t).
877 * @serial: buffer to store the serial number (may be null)
878 * @serial_size: Holds the size of the serial field (may be null)
879 * @critical: will be non (0) if the extension is marked as critical (may be null)
880 *
881 * This function will return the X.509 authority key
882 * identifier when stored as a general name (authorityCertIssuer)
883 * and serial number.
884 *
885 * Because more than one general names might be stored
886 * @seq can be used as a counter to request them all until
887 * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned.
888 *
889 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
890 * if the extension is not present, otherwise a negative error value.
891 *
892 * Since: 3.0
893 **/
894 int
895 gnutls_x509_crt_get_authority_key_gn_serial (gnutls_x509_crt_t cert, unsigned int seq, void *alt,
899 {
901 ASN1_TYPE c2;
907 ret =
911 {
914 }
917 {
924 {
927 }
929 }
933 fail:
937 }
939 /**
940 * gnutls_x509_crt_get_authority_key_id:
941 * @cert: should contain a #gnutls_x509_crt_t structure
942 * @id: The place where the identifier will be copied
943 * @id_size: Holds the size of the id field.
944 * @critical: will be non (0) if the extension is marked as critical (may be null)
945 *
946 * This function will return the X.509v3 certificate authority's key
947 * identifier. This is obtained by the X.509 Authority Key
948 * identifier extension field (2.5.29.35). Note that this function
949 * only returns the keyIdentifier field of the extension and
950 * %GNUTLS_E_X509_UNSUPPORTED_EXTENSION, if the extension contains
951 * the name and serial number of the certificate. In that case
952 * gnutls_x509_crt_get_authority_key_gn_serial() may be used.
953 *
954 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
955 * if the extension is not present, otherwise a negative error value.
956 **/
957 int
961 {
963 ASN1_TYPE c2;
979 {
983 }
986 }
988 /**
989 * gnutls_x509_crt_get_pk_algorithm:
990 * @cert: should contain a #gnutls_x509_crt_t structure
991 * @bits: if bits is non null it will hold the size of the parameters' in bits
992 *
993 * This function will return the public key algorithm of an X.509
994 * certificate.
995 *
996 * If bits is non null, it should have enough size to hold the parameters
997 * size in bits. For RSA the bits returned is the modulus.
998 * For DSA the bits returned are of the public
999 * exponent.
1000 *
1001 * Returns: a member of the #gnutls_pk_algorithm_t enumeration on
1002 * success, or a negative error code on error.
1003 **/
1004 int
1006 {
1010 {
1013 }
1018 result =
1021 bits);
1024 {
1027 }
1031 }
1035 {
1039 else
1041 }
1045 /* returns the type and the name on success.
1046 * Type is also returned as a parameter in case of an error.
1047 */
1048 int
1052 {
1057 gnutls_x509_subject_alt_name_t type;
1063 else
1070 {
1072 }
1075 {
1078 }
1083 {
1086 }
1092 {
1095 else
1106 {
1109 }
1112 {
1115 }
1116 else
1117 {
1123 else
1129 {
1132 }
1135 {
1139 result = asn1_create_element
1142 {
1145 }
1149 {
1153 }
1158 {
1163 }
1167 {
1171 }
1174 /* null terminate it */
1176 }
1177 }
1178 }
1180 {
1184 {
1187 }
1188 }
1191 else
1192 {
1203 {
1207 }
1210 {
1213 }
1216 {
1219 {
1223 }
1225 /* null terminate it */
1227 }
1229 }
1232 }
1234 static int
1239 {
1241 gnutls_datum_t dnsname;
1245 {
1248 }
1252 else
1258 {
1260 }
1263 {
1266 }
1274 else
1275 {
1278 }
1281 {
1285 }
1291 {
1295 }
1297 result =
1299 othername_oid);
1304 {
1307 }
1310 }
1312 /**
1313 * gnutls_x509_crt_get_subject_alt_name:
1314 * @cert: should contain a #gnutls_x509_crt_t structure
1315 * @seq: specifies the sequence number of the alt name (0 for the first one, 1 for the second etc.)
1316 * @san: is the place where the alternative name will be copied to
1317 * @san_size: holds the size of san.
1318 * @critical: will be non (0) if the extension is marked as critical (may be null)
1319 *
1320 * This function retrieves the Alternative Name (2.5.29.17), contained
1321 * in the given certificate in the X509v3 Certificate Extensions.
1322 *
1323 * When the SAN type is otherName, it will extract the data in the
1324 * otherName's value field, and %GNUTLS_SAN_OTHERNAME is returned.
1325 * You may use gnutls_x509_crt_get_subject_alt_othername_oid() to get
1326 * the corresponding OID and the "virtual" SAN types (e.g.,
1327 * %GNUTLS_SAN_OTHERNAME_XMPP).
1328 *
1329 * If an otherName OID is known, the data will be decoded. Otherwise
1330 * the returned data will be DER encoded, and you will have to decode
1331 * it yourself. Currently, only the RFC 3920 id-on-xmppAddr SAN is
1332 * recognized.
1333 *
1334 * Returns: the alternative subject name type on success, one of the
1335 * enumerated #gnutls_x509_subject_alt_name_t. It will return
1336 * %GNUTLS_E_SHORT_MEMORY_BUFFER if @san_size is not large enough to
1337 * hold the value. In that case @san_size will be updated with the
1338 * required size. If the certificate does not have an Alternative
1339 * name with the specified sequence number then
1340 * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned.
1341 **/
1342 int
1347 {
1350 }
1352 /**
1353 * gnutls_x509_crt_get_issuer_alt_name:
1354 * @cert: should contain a #gnutls_x509_crt_t structure
1355 * @seq: specifies the sequence number of the alt name (0 for the first one, 1 for the second etc.)
1356 * @ian: is the place where the alternative name will be copied to
1357 * @ian_size: holds the size of ian.
1358 * @critical: will be non (0) if the extension is marked as critical (may be null)
1359 *
1360 * This function retrieves the Issuer Alternative Name (2.5.29.18),
1361 * contained in the given certificate in the X509v3 Certificate
1362 * Extensions.
1363 *
1364 * When the SAN type is otherName, it will extract the data in the
1365 * otherName's value field, and %GNUTLS_SAN_OTHERNAME is returned.
1366 * You may use gnutls_x509_crt_get_subject_alt_othername_oid() to get
1367 * the corresponding OID and the "virtual" SAN types (e.g.,
1368 * %GNUTLS_SAN_OTHERNAME_XMPP).
1369 *
1370 * If an otherName OID is known, the data will be decoded. Otherwise
1371 * the returned data will be DER encoded, and you will have to decode
1372 * it yourself. Currently, only the RFC 3920 id-on-xmppAddr Issuer
1373 * AltName is recognized.
1374 *
1375 * Returns: the alternative issuer name type on success, one of the
1376 * enumerated #gnutls_x509_subject_alt_name_t. It will return
1377 * %GNUTLS_E_SHORT_MEMORY_BUFFER if @ian_size is not large enough
1378 * to hold the value. In that case @ian_size will be updated with
1379 * the required size. If the certificate does not have an
1380 * Alternative name with the specified sequence number then
1381 * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned.
1382 *
1383 * Since: 2.10.0
1384 **/
1385 int
1390 {
1393 }
1395 /**
1396 * gnutls_x509_crt_get_subject_alt_name2:
1397 * @cert: should contain a #gnutls_x509_crt_t structure
1398 * @seq: specifies the sequence number of the alt name (0 for the first one, 1 for the second etc.)
1399 * @san: is the place where the alternative name will be copied to
1400 * @san_size: holds the size of ret.
1401 * @san_type: holds the type of the alternative name (one of gnutls_x509_subject_alt_name_t).
1402 * @critical: will be non (0) if the extension is marked as critical (may be null)
1403 *
1404 * This function will return the alternative names, contained in the
1405 * given certificate. It is the same as
1406 * gnutls_x509_crt_get_subject_alt_name() except for the fact that it
1407 * will return the type of the alternative name in @san_type even if
1408 * the function fails for some reason (i.e. the buffer provided is
1409 * not enough).
1410 *
1411 * Returns: the alternative subject name type on success, one of the
1412 * enumerated #gnutls_x509_subject_alt_name_t. It will return
1413 * %GNUTLS_E_SHORT_MEMORY_BUFFER if @san_size is not large enough
1414 * to hold the value. In that case @san_size will be updated with
1415 * the required size. If the certificate does not have an
1416 * Alternative name with the specified sequence number then
1417 * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned.
1418 **/
1419 int
1425 {
1428 }
1430 /**
1431 * gnutls_x509_crt_get_issuer_alt_name2:
1432 * @cert: should contain a #gnutls_x509_crt_t structure
1433 * @seq: specifies the sequence number of the alt name (0 for the first one, 1 for the second etc.)
1434 * @ian: is the place where the alternative name will be copied to
1435 * @ian_size: holds the size of ret.
1436 * @ian_type: holds the type of the alternative name (one of gnutls_x509_subject_alt_name_t).
1437 * @critical: will be non (0) if the extension is marked as critical (may be null)
1438 *
1439 * This function will return the alternative names, contained in the
1440 * given certificate. It is the same as
1441 * gnutls_x509_crt_get_issuer_alt_name() except for the fact that it
1442 * will return the type of the alternative name in @ian_type even if
1443 * the function fails for some reason (i.e. the buffer provided is
1444 * not enough).
1445 *
1446 * Returns: the alternative issuer name type on success, one of the
1447 * enumerated #gnutls_x509_subject_alt_name_t. It will return
1448 * %GNUTLS_E_SHORT_MEMORY_BUFFER if @ian_size is not large enough
1449 * to hold the value. In that case @ian_size will be updated with
1450 * the required size. If the certificate does not have an
1451 * Alternative name with the specified sequence number then
1452 * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned.
1453 *
1454 * Since: 2.10.0
1455 *
1456 **/
1457 int
1463 {
1466 }
1468 /**
1469 * gnutls_x509_crt_get_subject_alt_othername_oid:
1470 * @cert: should contain a #gnutls_x509_crt_t structure
1471 * @seq: specifies the sequence number of the alt name (0 for the first one, 1 for the second etc.)
1472 * @oid: is the place where the otherName OID will be copied to
1473 * @oid_size: holds the size of ret.
1474 *
1475 * This function will extract the type OID of an otherName Subject
1476 * Alternative Name, contained in the given certificate, and return
1477 * the type as an enumerated element.
1478 *
1479 * This function is only useful if
1480 * gnutls_x509_crt_get_subject_alt_name() returned
1481 * %GNUTLS_SAN_OTHERNAME.
1482 *
1483 * If @oid is null then only the size will be filled. The @oid
1484 * returned will be null terminated, although @oid_size will not
1485 * account for the trailing null.
1486 *
1487 * Returns: the alternative subject name type on success, one of the
1488 * enumerated gnutls_x509_subject_alt_name_t. For supported OIDs, it
1489 * will return one of the virtual (GNUTLS_SAN_OTHERNAME_*) types,
1490 * e.g. %GNUTLS_SAN_OTHERNAME_XMPP, and %GNUTLS_SAN_OTHERNAME for
1491 * unknown OIDs. It will return %GNUTLS_E_SHORT_MEMORY_BUFFER if
1492 * @ian_size is not large enough to hold the value. In that case
1493 * @ian_size will be updated with the required size. If the
1494 * certificate does not have an Alternative name with the specified
1495 * sequence number and with the otherName type then
1496 * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned.
1497 **/
1498 int
1502 {
1504 }
1506 /**
1507 * gnutls_x509_crt_get_issuer_alt_othername_oid:
1508 * @cert: should contain a #gnutls_x509_crt_t structure
1509 * @seq: specifies the sequence number of the alt name (0 for the first one, 1 for the second etc.)
1510 * @ret: is the place where the otherName OID will be copied to
1511 * @ret_size: holds the size of ret.
1512 *
1513 * This function will extract the type OID of an otherName Subject
1514 * Alternative Name, contained in the given certificate, and return
1515 * the type as an enumerated element.
1516 *
1517 * If @oid is null then only the size will be filled. The @oid
1518 * returned will be null terminated, although @oid_size will not
1519 * account for the trailing null.
1520 *
1521 * This function is only useful if
1522 * gnutls_x509_crt_get_issuer_alt_name() returned
1523 * %GNUTLS_SAN_OTHERNAME.
1524 *
1525 * Returns: the alternative issuer name type on success, one of the
1526 * enumerated gnutls_x509_subject_alt_name_t. For supported OIDs, it
1527 * will return one of the virtual (GNUTLS_SAN_OTHERNAME_*) types,
1528 * e.g. %GNUTLS_SAN_OTHERNAME_XMPP, and %GNUTLS_SAN_OTHERNAME for
1529 * unknown OIDs. It will return %GNUTLS_E_SHORT_MEMORY_BUFFER if
1530 * @ret_size is not large enough to hold the value. In that case
1531 * @ret_size will be updated with the required size. If the
1532 * certificate does not have an Alternative name with the specified
1533 * sequence number and with the otherName type then
1534 * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned.
1535 *
1536 * Since: 2.10.0
1537 **/
1538 int
1542 {
1544 }
1546 /**
1547 * gnutls_x509_crt_get_basic_constraints:
1548 * @cert: should contain a #gnutls_x509_crt_t structure
1549 * @critical: will be non (0) if the extension is marked as critical
1550 * @ca: pointer to output integer indicating CA status, may be NULL,
1551 * value is 1 if the certificate CA flag is set, 0 otherwise.
1552 * @pathlen: pointer to output integer indicating path length (may be
1553 * NULL), non-negative error codes indicate a present pathLenConstraint
1554 * field and the actual value, -1 indicate that the field is absent.
1555 *
1556 * This function will read the certificate's basic constraints, and
1557 * return the certificates CA status. It reads the basicConstraints
1558 * X.509 extension (2.5.29.19).
1559 *
1560 * Returns: If the certificate is a CA a positive value will be
1561 * returned, or (0) if the certificate does not have CA flag set. A
1562 * negative error code may be returned in case of errors. If the
1563 * certificate does not contain the basicConstraints extension
1564 * GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.
1565 **/
1566 int
1570 {
1572 gnutls_datum_t basicConstraints;
1576 {
1579 }
1584 {
1586 }
1589 {
1592 }
1594 result =
1596 pathlen,
1604 {
1607 }
1610 }
1612 /**
1613 * gnutls_x509_crt_get_ca_status:
1614 * @cert: should contain a #gnutls_x509_crt_t structure
1615 * @critical: will be non (0) if the extension is marked as critical
1616 *
1617 * This function will return certificates CA status, by reading the
1618 * basicConstraints X.509 extension (2.5.29.19). If the certificate is
1619 * a CA a positive value will be returned, or (0) if the certificate
1620 * does not have CA flag set.
1621 *
1622 * Use gnutls_x509_crt_get_basic_constraints() if you want to read the
1623 * pathLenConstraint field too.
1624 *
1625 * Returns: A negative error code may be returned in case of parsing error.
1626 * If the certificate does not contain the basicConstraints extension
1627 * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.
1628 **/
1629 int
1631 {
1636 }
1638 /**
1639 * gnutls_x509_crt_get_key_usage:
1640 * @cert: should contain a #gnutls_x509_crt_t structure
1641 * @key_usage: where the key usage bits will be stored
1642 * @critical: will be non (0) if the extension is marked as critical
1643 *
1644 * This function will return certificate's key usage, by reading the
1645 * keyUsage X.509 extension (2.5.29.15). The key usage value will ORed
1646 * values of the: %GNUTLS_KEY_DIGITAL_SIGNATURE,
1647 * %GNUTLS_KEY_NON_REPUDIATION, %GNUTLS_KEY_KEY_ENCIPHERMENT,
1648 * %GNUTLS_KEY_DATA_ENCIPHERMENT, %GNUTLS_KEY_KEY_AGREEMENT,
1649 * %GNUTLS_KEY_KEY_CERT_SIGN, %GNUTLS_KEY_CRL_SIGN,
1650 * %GNUTLS_KEY_ENCIPHER_ONLY, %GNUTLS_KEY_DECIPHER_ONLY.
1651 *
1652 * Returns: the certificate key usage, or a negative error code in case of
1653 * parsing error. If the certificate does not contain the keyUsage
1654 * extension %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be
1655 * returned.
1656 **/
1657 int
1661 {
1663 gnutls_datum_t keyUsage;
1667 {
1670 }
1675 {
1677 }
1680 {
1683 }
1692 {
1695 }
1698 }
1700 /**
1701 * gnutls_x509_crt_get_proxy:
1702 * @cert: should contain a #gnutls_x509_crt_t structure
1703 * @critical: will be non (0) if the extension is marked as critical
1704 * @pathlen: pointer to output integer indicating path length (may be
1705 * NULL), non-negative error codes indicate a present pCPathLenConstraint
1706 * field and the actual value, -1 indicate that the field is absent.
1707 * @policyLanguage: output variable with OID of policy language
1708 * @policy: output variable with policy data
1709 * @sizeof_policy: output variable size of policy data
1710 *
1711 * This function will get information from a proxy certificate. It
1712 * reads the ProxyCertInfo X.509 extension (1.3.6.1.5.5.7.1.14).
1713 *
1714 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
1715 * otherwise a negative error code is returned.
1716 **/
1717 int
1723 {
1725 gnutls_datum_t proxyCertInfo;
1728 {
1731 }
1736 {
1738 }
1741 {
1744 }
1747 policyLanguage,
1748 policy,
1749 sizeof_policy,
1754 {
1757 }
1760 }
1762 /**
1763 * gnutls_certificate_policy_release:
1764 * @policy: a certificate policy
1765 *
1766 * This function will deinitialize all memory associated with the provided
1767 * @policy. The policy is allocated using gnutls_x509_crt_get_policy().
1768 *
1769 **/
1771 {
1777 }
1780 {
1787 ret = asn1_create_element
1790 {
1794 }
1798 {
1802 }
1807 {
1811 }
1815 {
1819 }
1825 {
1828 }
1835 {
1838 }
1842 }
1843 else
1844 {
1845 /* _gnutls_x509_read_value allows that */
1847 }
1852 cleanup:
1856 }
1858 /**
1859 * gnutls_x509_crt_get_policy:
1860 * @cert: should contain a #gnutls_x509_crt_t structure
1861 * @indx: This specifies which policy to return. Use (0) to get the first one.
1862 * @policy: A pointer to a policy structure.
1863 * @critical: will be non (0) if the extension is marked as critical
1864 *
1865 * This function will extract the certificate policy specified by the
1866 * given index.
1867 *
1868 * The policy returned by this function must be deinitialized by using
1869 * gnutls_certificate_policy_release().
1870 *
1871 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
1872 * if the extension is not present, otherwise a negative error value.
1873 **/
1874 int
1875 gnutls_x509_crt_get_policy (gnutls_x509_crt_t crt, int indx, struct gnutls_certificate_policy_st* policy, unsigned int *critical)
1876 {
1885 {
1888 }
1895 {
1897 }
1900 {
1903 }
1905 ret = asn1_create_element
1908 {
1912 }
1916 {
1920 }
1923 indx++;
1924 /* create a string like "?1"
1925 */
1934 {
1937 }
1942 {
1943 gnutls_datum_t td;
1954 {
1958 }
1961 {
1966 {
1969 }
1974 }
1976 {
1981 {
1984 }
1991 {
1994 }
1997 }
1998 else
2003 }
2009 full_cleanup:
2012 cleanup:
2016 }
2019 /**
2020 * gnutls_x509_crt_get_extension_by_oid:
2021 * @cert: should contain a #gnutls_x509_crt_t structure
2022 * @oid: holds an Object Identified in null terminated string
2023 * @indx: In case multiple same OIDs exist in the extensions, this specifies which to send. Use (0) to get the first one.
2024 * @buf: a pointer to a structure to hold the name (may be null)
2025 * @buf_size: initially holds the size of @buf
2026 * @critical: will be non (0) if the extension is marked as critical
2027 *
2028 * This function will return the extension specified by the OID in the
2029 * certificate. The extensions will be returned as binary data DER
2030 * encoded, in the provided buffer.
2031 *
2032 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
2033 * otherwise a negative error code is returned. If the certificate does not
2034 * contain the specified extension
2035 * GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.
2036 **/
2037 int
2042 {
2044 gnutls_datum_t output;
2047 {
2050 }
2055 {
2058 }
2061 {
2064 }
2067 {
2071 }
2082 }
2084 /**
2085 * gnutls_x509_crt_get_extension_oid:
2086 * @cert: should contain a #gnutls_x509_crt_t structure
2087 * @indx: Specifies which extension OID to send. Use (0) to get the first one.
2088 * @oid: a pointer to a structure to hold the OID (may be null)
2089 * @oid_size: initially holds the size of @oid
2090 *
2091 * This function will return the requested extension OID in the certificate.
2092 * The extension OID will be stored as a string in the provided buffer.
2093 *
2094 * The @oid returned will be null terminated, although @oid_size will not
2095 * account for the trailing null.
2096 *
2097 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
2098 * otherwise a negative error code is returned. If you have reached the
2099 * last extension available %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
2100 * will be returned.
2101 **/
2102 int
2105 {
2109 {
2112 }
2116 {
2118 }
2122 }
2124 /**
2125 * gnutls_x509_crt_get_extension_info:
2126 * @cert: should contain a #gnutls_x509_crt_t structure
2127 * @indx: Specifies which extension OID to send. Use (0) to get the first one.
2128 * @oid: a pointer to a structure to hold the OID
2129 * @oid_size: initially holds the maximum size of @oid, on return
2130 * holds actual size of @oid.
2131 * @critical: output variable with critical flag, may be NULL.
2132 *
2133 * This function will return the requested extension OID in the
2134 * certificate, and the critical flag for it. The extension OID will
2135 * be stored as a string in the provided buffer. Use
2136 * gnutls_x509_crt_get_extension_data() to extract the data.
2137 *
2138 * If the buffer provided is not long enough to hold the output, then
2139 * @oid_size is updated and %GNUTLS_E_SHORT_MEMORY_BUFFER will be
2140 * returned. The @oid returned will be null terminated, although
2141 * @oid_size will not account for the trailing null.
2142 *
2143 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
2144 * otherwise a negative error code is returned. If you have reached the
2145 * last extension available %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
2146 * will be returned.
2147 **/
2148 int
2152 {
2159 {
2162 }
2174 {
2177 }
2184 {
2187 }
2190 {
2193 else
2195 }
2199 }
2201 /**
2202 * gnutls_x509_crt_get_extension_data:
2203 * @cert: should contain a #gnutls_x509_crt_t structure
2204 * @indx: Specifies which extension OID to send. Use (0) to get the first one.
2205 * @data: a pointer to a structure to hold the data (may be null)
2206 * @sizeof_data: initially holds the size of @oid
2207 *
2208 * This function will return the requested extension data in the
2209 * certificate. The extension data will be stored as a string in the
2210 * provided buffer.
2211 *
2212 * Use gnutls_x509_crt_get_extension_info() to extract the OID and
2213 * critical flag. Use gnutls_x509_crt_get_extension_by_oid() instead,
2214 * if you want to get data indexed by the extension OID rather than
2215 * sequence.
2216 *
2217 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
2218 * otherwise a negative error code is returned. If you have reached the
2219 * last extension available %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
2220 * will be returned.
2221 **/
2222 int
2225 {
2230 {
2233 }
2245 {
2248 }
2251 }
2253 static int
2256 {
2262 /* get the issuer of 'cert'
2263 */
2267 {
2270 }
2272 result =
2275 {
2278 }
2282 {
2287 }
2289 result =
2294 {
2298 }
2306 cleanup:
2310 }
2312 /**
2313 * gnutls_x509_crt_get_raw_issuer_dn:
2314 * @cert: should contain a #gnutls_x509_crt_t structure
2315 * @start: will hold the starting point of the DN
2316 *
2317 * This function will return a pointer to the DER encoded DN structure
2318 * and the length. This points to allocated data that must be free'd using gnutls_free().
2319 *
2320 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
2321 * negative error value.or a negative error code on error.
2322 *
2323 **/
2324 int
2327 {
2329 }
2331 /**
2332 * gnutls_x509_crt_get_raw_dn:
2333 * @cert: should contain a #gnutls_x509_crt_t structure
2334 * @start: will hold the starting point of the DN
2335 *
2336 * This function will return a pointer to the DER encoded DN structure and
2337 * the length. This points to allocated data that must be free'd using gnutls_free().
2338 *
2339 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
2340 * negative error value. or a negative error code on error.
2341 *
2342 **/
2343 int
2345 {
2347 }
2349 static int
2351 {
2356 }
2358 /**
2359 * gnutls_x509_crt_get_subject:
2360 * @cert: should contain a #gnutls_x509_crt_t structure
2361 * @dn: output variable with pointer to uint8_t DN.
2362 *
2363 * Return the Certificate's Subject DN as an uint8_t data type. You
2364 * may use gnutls_x509_dn_get_rdn_ava() to decode the DN.
2365 *
2366 * Note that @dn should be treated as constant. Because points
2367 * into the @cert object, you may not deallocate @cert
2368 * and continue to access @dn.
2369 *
2370 * Returns: Returns 0 on success, or an error code.
2371 **/
2372 int
2374 {
2376 }
2378 /**
2379 * gnutls_x509_crt_get_issuer:
2380 * @cert: should contain a #gnutls_x509_crt_t structure
2381 * @dn: output variable with pointer to uint8_t DN
2382 *
2383 * Return the Certificate's Issuer DN as an uint8_t data type. You may
2384 * use gnutls_x509_dn_get_rdn_ava() to decode the DN.
2385 *
2386 * Note that @dn should be treated as constant. Because points
2387 * into the @cert object, you may not deallocate @cert
2388 * and continue to access @dn.
2389 *
2390 * Returns: Returns 0 on success, or an error code.
2391 **/
2392 int
2394 {
2396 }
2398 /**
2399 * gnutls_x509_dn_get_rdn_ava:
2400 * @dn: input variable with uint8_t DN pointer
2401 * @irdn: index of RDN
2402 * @iava: index of AVA.
2403 * @ava: Pointer to structure which will hold output information.
2404 *
2405 * Get pointers to data within the DN.
2406 *
2407 * Note that @ava will contain pointers into the @dn structure, so you
2408 * should not modify any data or deallocate it. Note also that the DN
2409 * in turn points into the original certificate structure, and thus
2410 * you may not deallocate the certificate and continue to access @dn.
2411 *
2412 * Returns: Returns 0 on success, or an error code.
2413 **/
2414 int
2417 {
2419 ASN1_DATA_NODE vnode;
2426 iava++;
2432 {
2435 }
2440 {
2443 }
2447 {
2450 }
2458 {
2461 }
2465 {
2468 }
2469 /* The value still has the previous tag's length bytes, plus the
2470 * current value's tag and length bytes. Decode them.
2471 */
2477 {
2480 }
2486 {
2489 }
2494 {
2499 {
2502 }
2504 }
2508 }
2510 /**
2511 * gnutls_x509_crt_get_fingerprint:
2512 * @cert: should contain a #gnutls_x509_crt_t structure
2513 * @algo: is a digest algorithm
2514 * @buf: a pointer to a structure to hold the fingerprint (may be null)
2515 * @buf_size: initially holds the size of @buf
2516 *
2517 * This function will calculate and copy the certificate's fingerprint
2518 * in the provided buffer.
2519 *
2520 * If the buffer is null then only the size will be filled.
2521 *
2522 * Returns: %GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is
2523 * not long enough, and in that case the *buf_size will be updated
2524 * with the required size. On success 0 is returned.
2525 **/
2526 int
2528 gnutls_digest_algorithm_t algo,
2530 {
2534 gnutls_datum_t tmp;
2537 {
2539 }
2546 {
2549 }
2554 {
2558 }
2567 }
2569 /**
2570 * gnutls_x509_crt_export:
2571 * @cert: Holds the certificate
2572 * @format: the format of output params. One of PEM or DER.
2573 * @output_data: will contain a certificate PEM or DER encoded
2574 * @output_data_size: holds the size of output_data (and will be
2575 * replaced by the actual size of parameters)
2576 *
2577 * This function will export the certificate to DER or PEM format.
2578 *
2579 * If the buffer provided is not long enough to hold the output, then
2580 * *output_data_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will
2581 * be returned.
2582 *
2583 * If the structure is PEM encoded, it will have a header
2584 * of "BEGIN CERTIFICATE".
2585 *
2586 * Returns: In case of failure a negative error code will be
2587 * returned, and 0 on success.
2588 **/
2589 int
2593 {
2595 {
2598 }
2602 }
2604 /**
2605 * gnutls_x509_crt_export2:
2606 * @cert: Holds the certificate
2607 * @format: the format of output params. One of PEM or DER.
2608 * @out: will contain a certificate PEM or DER encoded
2609 *
2610 * This function will export the certificate to DER or PEM format.
2611 * The output buffer is allocated using gnutls_malloc().
2612 *
2613 * If the structure is PEM encoded, it will have a header
2614 * of "BEGIN CERTIFICATE".
2615 *
2616 * Returns: In case of failure a negative error code will be
2617 * returned, and 0 on success.
2618 *
2619 * Since: 3.1
2620 **/
2621 int
2624 {
2626 {
2629 }
2632 }
2634 int
2638 {
2645 {
2649 }
2657 {
2660 }
2665 cleanup:
2669 }
2671 /**
2672 * gnutls_x509_crt_get_key_id:
2673 * @crt: Holds the certificate
2674 * @flags: should be 0 for now
2675 * @output_data: will contain the key ID
2676 * @output_data_size: holds the size of output_data (and will be
2677 * replaced by the actual size of parameters)
2678 *
2679 * This function will return a unique ID that depends on the public
2680 * key parameters. This ID can be used in checking whether a
2681 * certificate corresponds to the given private key.
2682 *
2683 * If the buffer provided is not long enough to hold the output, then
2684 * *output_data_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will
2685 * be returned. The output will normally be a SHA-1 hash output,
2686 * which is 20 bytes.
2687 *
2688 * Returns: In case of failure a negative error code will be
2689 * returned, and 0 on success.
2690 **/
2691 int
2695 {
2697 gnutls_pk_params_st params;
2700 {
2703 }
2707 {
2710 }
2714 {
2717 }
2724 }
2727 /* This is exactly as gnutls_x509_crt_check_revocation() except that
2728 * it calls func.
2729 */
2730 int
2734 gnutls_verify_output_function func)
2735 {
2743 {
2746 }
2751 /* Step 1. check if issuer's DN match
2752 */
2755 {
2758 }
2762 {
2765 }
2771 {
2772 /* issuers do not match so don't even
2773 * bother checking.
2774 */
2776 }
2778 /* Step 2. Read the certificate's serial number
2779 */
2783 {
2786 }
2788 /* Step 3. cycle through the CRL serials and compare with
2789 * certificate serial we have.
2790 */
2794 {
2797 }
2800 {
2802 ret =
2807 {
2810 }
2813 {
2815 {
2816 /* serials match */
2819 }
2820 }
2821 }
2824 }
2826 }
2829 /**
2830 * gnutls_x509_crt_check_revocation:
2831 * @cert: should contain a #gnutls_x509_crt_t structure
2832 * @crl_list: should contain a list of gnutls_x509_crl_t structures
2833 * @crl_list_length: the length of the crl_list
2834 *
2835 * This function will return check if the given certificate is
2836 * revoked. It is assumed that the CRLs have been verified before.
2837 *
2838 * Returns: 0 if the certificate is NOT revoked, and 1 if it is. A
2839 * negative error code is returned on error.
2840 **/
2841 int
2845 {
2847 }
2849 /**
2850 * gnutls_x509_crt_get_verify_algorithm:
2851 * @crt: Holds the certificate
2852 * @signature: contains the signature
2853 * @hash: The result of the call with the hash algorithm used for signature
2854 *
2855 * This function will read the certifcate and the signed data to
2856 * determine the hash algorithm used to generate the signature.
2857 *
2858 * Deprecated: Use gnutls_pubkey_get_verify_algorithm() instead.
2859 *
2860 * Returns: the 0 if the hash algorithm is found. A negative error code is
2861 * returned on error.
2862 *
2863 * Since: 2.8.0
2864 **/
2865 int
2869 {
2870 gnutls_pk_params_st issuer_params;
2874 {
2877 }
2881 {
2884 }
2887 signature,
2889 NULL),
2892 /* release allocated mpis */
2896 }
2900 /**
2901 * gnutls_x509_crt_get_preferred_hash_algorithm:
2902 * @crt: Holds the certificate
2903 * @hash: The result of the call with the hash algorithm used for signature
2904 * @mand: If non (0) it means that the algorithm MUST use this hash. May be NULL.
2905 *
2906 * This function will read the certifcate and return the appropriate digest
2907 * algorithm to use for signing with this certificate. Some certificates (i.e.
2908 * DSA might not be able to sign without the preferred algorithm).
2909 *
2910 * Deprecated: Please use gnutls_pubkey_get_preferred_hash_algorithm().
2911 *
2912 * Returns: the 0 if the hash algorithm is found. A negative error code is
2913 * returned on error.
2914 *
2915 * Since: 2.12.0
2916 **/
2917 int
2919 gnutls_digest_algorithm_t *
2921 {
2922 gnutls_pk_params_st issuer_params;
2926 {
2929 }
2933 {
2936 }
2938 ret =
2943 /* release allocated mpis */
2947 }
2949 /**
2950 * gnutls_x509_crt_verify_data:
2951 * @crt: Holds the certificate
2952 * @flags: should be 0 for now
2953 * @data: holds the data to be signed
2954 * @signature: contains the signature
2955 *
2956 * This function will verify the given signed data, using the
2957 * parameters from the certificate.
2958 *
2959 * Deprecated. Please use gnutls_pubkey_verify_data().
2960 *
2961 * Returns: In case of a verification failure %GNUTLS_E_PK_SIG_VERIFY_FAILED
2962 * is returned, and zero or positive code on success.
2963 **/
2964 int
2968 {
2972 {
2975 }
2979 {
2982 }
2985 }
2987 /**
2988 * gnutls_x509_crt_verify_hash:
2989 * @crt: Holds the certificate
2990 * @flags: should be 0 for now
2991 * @hash: holds the hash digest to be verified
2992 * @signature: contains the signature
2993 *
2994 * This function will verify the given signed digest, using the
2995 * parameters from the certificate.
2996 *
2997 * Deprecated. Please use gnutls_pubkey_verify_data2() or gnutls_pubkey_verify_hash2().
2998 *
2999 * Returns: In case of a verification failure %GNUTLS_E_PK_SIG_VERIFY_FAILED
3000 * is returned, and zero or positive code on success.
3001 **/
3002 int
3006 {
3007 gnutls_pk_params_st params;
3008 gnutls_digest_algorithm_t algo;
3012 {
3015 }
3021 /* Read the MPI parameters from the issuer's certificate.
3022 */
3023 ret =
3026 {
3029 }
3031 ret =
3035 {
3037 }
3039 /* release all allocated MPIs
3040 */
3044 }
3046 /**
3047 * gnutls_x509_crt_get_crl_dist_points:
3048 * @cert: should contain a #gnutls_x509_crt_t structure
3049 * @seq: specifies the sequence number of the distribution point (0 for the first one, 1 for the second etc.)
3050 * @ret: is the place where the distribution point will be copied to
3051 * @ret_size: holds the size of ret.
3052 * @reason_flags: Revocation reasons. An ORed sequence of flags from %gnutls_x509_crl_reason_flags_t.
3053 * @critical: will be non (0) if the extension is marked as critical (may be null)
3054 *
3055 * This function retrieves the CRL distribution points (2.5.29.31),
3056 * contained in the given certificate in the X509v3 Certificate
3057 * Extensions.
3058 *
3059 * Returns: %GNUTLS_E_SHORT_MEMORY_BUFFER and updates @ret_size if
3060 * @ret_size is not enough to hold the distribution point, or the
3061 * type of the distribution point if everything was ok. The type is
3062 * one of the enumerated %gnutls_x509_subject_alt_name_t. If the
3063 * certificate does not have an Alternative name with the specified
3064 * sequence number then %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is
3065 * returned.
3066 **/
3067 int
3073 {
3079 gnutls_x509_subject_alt_name_t type;
3083 {
3086 }
3090 else
3096 result =
3098 critical);
3100 {
3102 }
3105 {
3108 }
3110 result = asn1_create_element
3113 {
3117 }
3123 {
3127 }
3129 /* Return the different names from the first CRLDistr. point.
3130 * The whole thing is a mess.
3131 */
3136 {
3139 }
3144 /* Read the CRL reasons.
3145 */
3147 {
3156 {
3160 }
3163 }
3168 }
3170 /**
3171 * gnutls_x509_crt_get_key_purpose_oid:
3172 * @cert: should contain a #gnutls_x509_crt_t structure
3173 * @indx: This specifies which OID to return. Use (0) to get the first one.
3174 * @oid: a pointer to a buffer to hold the OID (may be null)
3175 * @oid_size: initially holds the size of @oid
3176 * @critical: output flag to indicate criticality of extension
3177 *
3178 * This function will extract the key purpose OIDs of the Certificate
3179 * specified by the given index. These are stored in the Extended Key
3180 * Usage extension (2.5.29.37) See the GNUTLS_KP_* definitions for
3181 * human readable names.
3182 *
3183 * If @oid is null then only the size will be filled. The @oid
3184 * returned will be null terminated, although @oid_size will not
3185 * account for the trailing null.
3186 *
3187 * Returns: %GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is
3188 * not long enough, and in that case the *oid_size will be updated
3189 * with the required size. On success 0 is returned.
3190 **/
3191 int
3195 {
3198 gnutls_datum_t id;
3202 {
3205 }
3209 else
3215 {
3217 }
3220 {
3223 }
3225 result = asn1_create_element
3228 {
3232 }
3238 {
3242 }
3244 indx++;
3245 /* create a string like "?1"
3246 */
3256 {
3258 }
3261 {
3264 }
3268 }
3270 /**
3271 * gnutls_x509_crt_get_pk_rsa_raw:
3272 * @crt: Holds the certificate
3273 * @m: will hold the modulus
3274 * @e: will hold the public exponent
3275 *
3276 * This function will export the RSA public key's parameters found in
3277 * the given structure. The new parameters will be allocated using
3278 * gnutls_malloc() and will be stored in the appropriate datum.
3279 *
3280 * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
3281 **/
3282 int
3285 {
3287 gnutls_pk_params_st params;
3290 {
3293 }
3297 {
3300 }
3304 {
3307 }
3311 {
3314 }
3318 {
3322 }
3326 cleanup:
3329 }
3331 /**
3332 * gnutls_x509_crt_get_pk_dsa_raw:
3333 * @crt: Holds the certificate
3334 * @p: will hold the p
3335 * @q: will hold the q
3336 * @g: will hold the g
3337 * @y: will hold the y
3338 *
3339 * This function will export the DSA public key's parameters found in
3340 * the given certificate. The new parameters will be allocated using
3341 * gnutls_malloc() and will be stored in the appropriate datum.
3342 *
3343 * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
3344 **/
3345 int
3349 {
3351 gnutls_pk_params_st params;
3354 {
3357 }
3361 {
3364 }
3368 {
3371 }
3374 /* P */
3377 {
3380 }
3382 /* Q */
3385 {
3389 }
3392 /* G */
3395 {
3400 }
3403 /* Y */
3406 {
3412 }
3416 cleanup:
3420 }
3422 /**
3423 * gnutls_x509_crt_list_import2:
3424 * @certs: The structures to store the parsed certificate. Must not be initialized.
3425 * @size: It will contain the size of the list.
3426 * @data: The PEM encoded certificate.
3427 * @format: One of DER or PEM.
3428 * @flags: must be (0) or an OR'd sequence of gnutls_certificate_import_flags.
3429 *
3430 * This function will convert the given PEM encoded certificate list
3431 * to the native gnutls_x509_crt_t format. The output will be stored
3432 * in @certs which will be initialized.
3433 *
3434 * If the Certificate is PEM encoded it should have a header of "X509
3435 * CERTIFICATE", or "CERTIFICATE".
3436 *
3437 * Returns: the number of certificates read or a negative error value.
3438 *
3439 * Since: 3.0
3440 **/
3441 int
3446 {
3452 {
3455 }
3457 ret = gnutls_x509_crt_list_import(*certs, &init, data, format, GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED);
3459 {
3462 {
3465 }
3468 }
3471 {
3475 }
3479 }
3482 {
3488 /* check if the X.509 list is ordered */
3490 {
3493 {
3495 {
3499 {
3502 }
3505 {
3508 }
3509 }
3514 {
3517 }
3518 }
3519 }
3523 cleanup:
3525 }
3528 /**
3529 * gnutls_x509_crt_list_import:
3530 * @certs: The structures to store the parsed certificate. Must not be initialized.
3531 * @cert_max: Initially must hold the maximum number of certs. It will be updated with the number of certs available.
3532 * @data: The PEM encoded certificate.
3533 * @format: One of DER or PEM.
3534 * @flags: must be (0) or an OR'd sequence of gnutls_certificate_import_flags.
3535 *
3536 * This function will convert the given PEM encoded certificate list
3537 * to the native gnutls_x509_crt_t format. The output will be stored
3538 * in @certs. They will be automatically initialized.
3539 *
3540 * The flag %GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED will cause
3541 * import to fail if the certificates in the provided buffer are more
3542 * than the available structures. The %GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED
3543 * flag will cause the function to fail if the provided list is not
3544 * sorted from subject to issuer.
3545 *
3546 * If the Certificate is PEM encoded it should have a header of "X509
3547 * CERTIFICATE", or "CERTIFICATE".
3548 *
3549 * Returns: the number of certificates read or a negative error value.
3550 **/
3551 int
3556 {
3559 gnutls_datum_t tmp;
3564 {
3566 {
3569 }
3575 {
3578 }
3582 {
3585 }
3589 }
3591 /* move to the certificate
3592 */
3604 do
3605 {
3607 {
3610 else
3612 }
3615 {
3618 {
3621 }
3626 ret =
3629 {
3632 }
3633 }
3635 /* now we move ptr after the pem header
3636 */
3637 ptr++;
3638 /* find the next certificate (if any)
3639 */
3643 {
3652 }
3653 else
3656 count++;
3657 }
3663 {
3666 {
3669 }
3670 }
3674 else
3677 error:
3681 }
3683 /**
3684 * gnutls_x509_crt_get_subject_unique_id:
3685 * @crt: Holds the certificate
3686 * @buf: user allocated memory buffer, will hold the unique id
3687 * @buf_size: size of user allocated memory buffer (on input), will hold
3688 * actual size of the unique ID on return.
3689 *
3690 * This function will extract the subjectUniqueID value (if present) for
3691 * the given certificate.
3692 *
3693 * If the user allocated memory buffer is not large enough to hold the
3694 * full subjectUniqueID, then a GNUTLS_E_SHORT_MEMORY_BUFFER error will be
3695 * returned, and buf_size will be set to the actual length.
3696 *
3697 * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
3698 **/
3699 int
3702 {
3706 result =
3715 }
3716 else
3717 {
3720 }
3725 }
3727 /**
3728 * gnutls_x509_crt_get_issuer_unique_id:
3729 * @crt: Holds the certificate
3730 * @buf: user allocated memory buffer, will hold the unique id
3731 * @buf_size: size of user allocated memory buffer (on input), will hold
3732 * actual size of the unique ID on return.
3733 *
3734 * This function will extract the issuerUniqueID value (if present) for
3735 * the given certificate.
3736 *
3737 * If the user allocated memory buffer is not large enough to hold the
3738 * full subjectUniqueID, then a GNUTLS_E_SHORT_MEMORY_BUFFER error will be
3739 * returned, and buf_size will be set to the actual length.
3740 *
3741 * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
3742 *
3743 * Since: 2.12.0
3744 **/
3745 int
3748 {
3752 result =
3761 }
3762 else
3763 {
3766 }
3771 }
3773 static int
3778 {
3782 gnutls_datum_t d;
3787 {
3798 /* fall through */
3803 {
3813 {
3816 }
3819 }
3820 /* fall through */
3829 }
3837 {
3840 }
3850 {
3854 }
3857 {
3860 }
3861 else
3865 }
3867 /**
3868 * gnutls_x509_crt_get_authority_info_access:
3869 * @crt: Holds the certificate
3870 * @seq: specifies the sequence number of the access descriptor (0 for the first one, 1 for the second etc.)
3871 * @what: what data to get, a #gnutls_info_access_what_t type.
3872 * @data: output data to be freed with gnutls_free().
3873 * @critical: pointer to output integer that is set to non-0 if the extension is marked as critical (may be %NULL)
3874 *
3875 * This function extracts the Authority Information Access (AIA)
3876 * extension, see RFC 5280 section 4.2.2.1 for more information. The
3877 * AIA extension holds a sequence of AccessDescription (AD) data:
3878 *
3879 * <informalexample><programlisting>
3880 * AuthorityInfoAccessSyntax ::=
3881 * SEQUENCE SIZE (1..MAX) OF AccessDescription
3882 *
3883 * AccessDescription ::= SEQUENCE {
3884 * accessMethod OBJECT IDENTIFIER,
3885 * accessLocation GeneralName }
3886 * </programlisting></informalexample>
3887 *
3888 * The @seq input parameter is used to indicate which member of the
3889 * sequence the caller is interested in. The first member is 0, the
3890 * second member 1 and so on. When the @seq value is out of bounds,
3891 * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned.
3892 *
3893 * The type of data returned in @data is specified via @what which
3894 * should be #gnutls_info_access_what_t values.
3895 *
3896 * If @what is %GNUTLS_IA_ACCESSMETHOD_OID then @data will hold the
3897 * accessMethod OID (e.g., "1.3.6.1.5.5.7.48.1").
3898 *
3899 * If @what is %GNUTLS_IA_ACCESSLOCATION_GENERALNAME_TYPE, @data will
3900 * hold the accessLocation GeneralName type (e.g.,
3901 * "uniformResourceIdentifier").
3902 *
3903 * If @what is %GNUTLS_IA_URI, @data will hold the accessLocation URI
3904 * data. Requesting this @what value leads to an error if the
3905 * accessLocation is not of the "uniformResourceIdentifier" type.
3906 *
3907 * If @what is %GNUTLS_IA_OCSP_URI, @data will hold the OCSP URI.
3908 * Requesting this @what value leads to an error if the accessMethod
3909 * is not 1.3.6.1.5.5.7.48.1 aka OSCP, or if accessLocation is not of
3910 * the "uniformResourceIdentifier" type.
3911 *
3912 * If @what is %GNUTLS_IA_CAISSUERS_URI, @data will hold the caIssuers
3913 * URI. Requesting this @what value leads to an error if the
3914 * accessMethod is not 1.3.6.1.5.5.7.48.2 aka caIssuers, or if
3915 * accessLocation is not of the "uniformResourceIdentifier" type.
3916 *
3917 * More @what values may be allocated in the future as needed.
3918 *
3919 * If @data is NULL, the function does the same without storing the
3920 * output data, that is, it will set @critical and do error checking
3921 * as usual.
3922 *
3923 * The value of the critical flag is returned in *@critical. Supply a
3924 * NULL @critical if you want the function to make sure the extension
3925 * is non-critical, as required by RFC 5280.
3926 *
3927 * Returns: %GNUTLS_E_SUCCESS on success, %GNUTLS_E_INVALID_REQUEST on
3928 * invalid @crt, %GNUTLS_E_CONSTRAINT_ERROR if the extension is
3929 * incorrectly marked as critical (use a non-NULL @critical to
3930 * override), %GNUTLS_E_UNKNOWN_ALGORITHM if the requested OID does
3931 * not match (e.g., when using %GNUTLS_IA_OCSP_URI), otherwise a
3932 * negative error code.
3933 *
3934 * Since: 3.0
3935 **/
3936 int
3942 {
3944 gnutls_datum_t aia;
3948 {
3951 }
3958 {
3961 }
3969 {
3973 }
3976 /* asn1_print_structure (stdout, c2, "", ASN1_PRINT_ALL); */
3979 {
3983 }
3992 }
3994 /**
3995 * gnutls_x509_crt_set_pin_function:
3996 * @crt: The certificate structure
3997 * @fn: the callback
3998 * @userdata: data associated with the callback
3999 *
4000 * This function will set a callback function to be used when
4001 * it is required to access a protected object. This function overrides
4002 * the global function set using gnutls_pkcs11_set_pin_function().
4003 *
4004 * Note that this callback is currently used only during the import
4005 * of a PKCS #11 certificate with gnutls_x509_crt_import_pkcs11_url().
4006 *
4007 * Since: 3.1.0
4008 *
4009 **/
4012 {
4015 }