aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorChristian Grothoff <christian@grothoff.org>2008-11-16 05:28:37 +0000
committerChristian Grothoff <christian@grothoff.org>2008-11-16 05:28:37 +0000
commit3e1bc57a79987fd7b39670f3dab340561cc5397f (patch)
treea414060ab7042a41e6707f9c5991e349cbe05b3c
parentcf9ed7910a034b8b38f982a499af0cd7a53754fc (diff)
downloadlibmicrohttpd-3e1bc57a79987fd7b39670f3dab340561cc5397f.tar.gz
libmicrohttpd-3e1bc57a79987fd7b39670f3dab340561cc5397f.zip
dce
-rw-r--r--src/daemon/https/gnutls.h22
-rw-r--r--src/daemon/https/minitasn1/libtasn1.h6
-rw-r--r--src/daemon/https/minitasn1/structure.c104
-rw-r--r--src/daemon/https/tls/gnutls_x509.c247
-rw-r--r--src/daemon/https/x509/common.c105
-rw-r--r--src/daemon/https/x509/common.h5
-rw-r--r--src/daemon/https/x509/x509-api.texi2943
-rw-r--r--src/daemon/https/x509/x509.c81
-rw-r--r--src/daemon/https/x509/x509.h2
9 files changed, 0 insertions, 3515 deletions
diff --git a/src/daemon/https/gnutls.h b/src/daemon/https/gnutls.h
index 87963eb6..c2d5b45e 100644
--- a/src/daemon/https/gnutls.h
+++ b/src/daemon/https/gnutls.h
@@ -459,28 +459,6 @@ extern "C"
459 void MHD__gnutls_certificate_free_ca_names (MHD_gtls_cert_credentials_t sc); 459 void MHD__gnutls_certificate_free_ca_names (MHD_gtls_cert_credentials_t sc);
460 void MHD__gnutls_certificate_free_crls (MHD_gtls_cert_credentials_t sc); 460 void MHD__gnutls_certificate_free_crls (MHD_gtls_cert_credentials_t sc);
461 461
462 int MHD__gnutls_certificate_set_x509_trust_file (MHD_gtls_cert_credentials_t
463 res, const char *CAFILE,
464 MHD_gnutls_x509_crt_fmt_t
465 type);
466 int MHD__gnutls_certificate_set_x509_trust_mem (MHD_gtls_cert_credentials_t
467 res,
468 const MHD_gnutls_datum_t *
469 CA,
470 MHD_gnutls_x509_crt_fmt_t
471 type);
472
473 int MHD__gnutls_certificate_set_x509_crl_file (MHD_gtls_cert_credentials_t
474 res, const char *crlfile,
475 MHD_gnutls_x509_crt_fmt_t
476 type);
477 int MHD__gnutls_certificate_set_x509_crl_mem (MHD_gtls_cert_credentials_t
478 res,
479 const MHD_gnutls_datum_t *
480 CRL,
481 MHD_gnutls_x509_crt_fmt_t
482 type);
483
484 /* 462 /*
485 * CERTFILE is an x509 certificate in PEM form. 463 * CERTFILE is an x509 certificate in PEM form.
486 * KEYFILE is a pkcs-1 private key in PEM form (for RSA keys). 464 * KEYFILE is a pkcs-1 private key in PEM form (for RSA keys).
diff --git a/src/daemon/https/minitasn1/libtasn1.h b/src/daemon/https/minitasn1/libtasn1.h
index fdf0b306..f478d0b7 100644
--- a/src/daemon/https/minitasn1/libtasn1.h
+++ b/src/daemon/https/minitasn1/libtasn1.h
@@ -163,9 +163,6 @@ extern "C"
163 MHD__asn1_retCode MHD__asn1_read_value (ASN1_TYPE root, const char *name, 163 MHD__asn1_retCode MHD__asn1_read_value (ASN1_TYPE root, const char *name,
164 void *ivalue, int *len); 164 void *ivalue, int *len);
165 165
166 MHD__asn1_retCode MHD__asn1_number_of_elements (ASN1_TYPE element,
167 const char *name, int *num);
168
169 MHD__asn1_retCode MHD__asn1_der_coding (ASN1_TYPE element, const char *name, 166 MHD__asn1_retCode MHD__asn1_der_coding (ASN1_TYPE element, const char *name,
170 void *ider, int *len, 167 void *ider, int *len,
171 char *ErrorDescription); 168 char *ErrorDescription);
@@ -180,9 +177,6 @@ extern "C"
180 const char *name_element, 177 const char *name_element,
181 int *start, int *end); 178 int *start, int *end);
182 179
183 const char *MHD__asn1_find_structure_from_oid (ASN1_TYPE definitions,
184 const char *oidValue);
185
186 /* DER utility functions. */ 180 /* DER utility functions. */
187 181
188 int MHD__asn1_get_tag_der (const unsigned char *der, int der_len, 182 int MHD__asn1_get_tag_der (const unsigned char *der, int der_len,
diff --git a/src/daemon/https/minitasn1/structure.c b/src/daemon/https/minitasn1/structure.c
index e0abe594..fdaeea47 100644
--- a/src/daemon/https/minitasn1/structure.c
+++ b/src/daemon/https/minitasn1/structure.c
@@ -583,107 +583,3 @@ MHD__asn1_create_element (ASN1_TYPE definitions, const char *source_name,
583 583
584 return res; 584 return res;
585} 585}
586
587
588/**
589 * MHD__asn1_number_of_elements - Counts the number of elements of a structure.
590 * @element: pointer to the root of an ASN1 structure.
591 * @name: the name of a sub-structure of ROOT.
592 * @num: pointer to an integer where the result will be stored
593 *
594 * Counts the number of elements of a sub-structure called NAME with
595 * names equal to "?1","?2", ...
596 *
597 * Returns:
598 *
599 * ASN1_SUCCESS: Creation OK.
600 *
601 * ASN1_ELEMENT_NOT_FOUND: NAME isn't known.
602 *
603 * ASN1_GENERIC_ERROR: Pointer num equal to NULL.
604 *
605 **/
606MHD__asn1_retCode
607MHD__asn1_number_of_elements (ASN1_TYPE element, const char *name, int *num)
608{
609 node_asn *node, *p;
610
611 if (num == NULL)
612 return ASN1_GENERIC_ERROR;
613
614 *num = 0;
615
616 node = MHD__asn1_find_node (element, name);
617 if (node == NULL)
618 return ASN1_ELEMENT_NOT_FOUND;
619
620 p = node->down;
621
622 while (p)
623 {
624 if ((p->name) && (p->name[0] == '?'))
625 (*num)++;
626 p = p->right;
627 }
628
629 return ASN1_SUCCESS;
630}
631
632
633/**
634 * MHD__asn1_find_structure_from_oid - Locate structure defined by a specific OID.
635 * @definitions: ASN1 definitions
636 * @oidValue: value of the OID to search (e.g. "1.2.3.4").
637 *
638 * Search the structure that is defined just after an OID definition.
639 *
640 * Returns: NULL when OIDVALUE not found, otherwise the pointer to a
641 * constant string that contains the element name defined just
642 * after the OID.
643 *
644 **/
645const char *
646MHD__asn1_find_structure_from_oid (ASN1_TYPE definitions,
647 const char *oidValue)
648{
649 char definitionsName[MAX_NAME_SIZE], name[2 * MAX_NAME_SIZE + 1];
650 char value[MAX_NAME_SIZE];
651 ASN1_TYPE p;
652 int len;
653 MHD__asn1_retCode result;
654
655 if ((definitions == ASN1_TYPE_EMPTY) || (oidValue == NULL))
656 return NULL; /* ASN1_ELEMENT_NOT_FOUND; */
657
658
659 strcpy (definitionsName, definitions->name);
660 strcat (definitionsName, ".");
661
662 /* search the OBJECT_ID into definitions */
663 p = definitions->down;
664 while (p)
665 {
666 if ((type_field (p->type) == TYPE_OBJECT_ID) &&
667 (p->type & CONST_ASSIGN))
668 {
669 strcpy (name, definitionsName);
670 strcat (name, p->name);
671
672 len = MAX_NAME_SIZE;
673 result = MHD__asn1_read_value (definitions, name, value, &len);
674
675 if ((result == ASN1_SUCCESS) && (!strcmp (oidValue, value)))
676 {
677 p = p->right;
678 if (p == NULL) /* reach the end of ASN1 definitions */
679 return NULL; /* ASN1_ELEMENT_NOT_FOUND; */
680
681 return p->name;
682 }
683 }
684 p = p->right;
685 }
686
687 return NULL; /* ASN1_ELEMENT_NOT_FOUND; */
688}
689
diff --git a/src/daemon/https/tls/gnutls_x509.c b/src/daemon/https/tls/gnutls_x509.c
index 1e479fe5..0f8adfaa 100644
--- a/src/daemon/https/tls/gnutls_x509.c
+++ b/src/daemon/https/tls/gnutls_x509.c
@@ -546,69 +546,6 @@ MHD__gnutls_certificate_set_x509_key_mem (MHD_gtls_cert_credentials_t
546 return 0; 546 return 0;
547} 547}
548 548
549static int
550generate_rdn_seq (MHD_gtls_cert_credentials_t res)
551{
552 MHD_gnutls_datum_t tmp;
553 int ret;
554 unsigned size, i;
555 opaque *pdata;
556
557 /* Generate the RDN sequence
558 * This will be sent to clients when a certificate
559 * request message is sent.
560 */
561
562 /* FIXME: in case of a client it is not needed
563 * to do that. This would save time and memory.
564 * However we don't have that information available
565 * here.
566 */
567
568 size = 0;
569 for (i = 0; i < res->x509_ncas; i++)
570 {
571 if ((ret =
572 MHD_gnutls_x509_crt_get_raw_dn (res->x509_ca_list[i], &tmp)) < 0)
573 {
574 MHD_gnutls_assert ();
575 return ret;
576 }
577 size += (2 + tmp.size);
578 MHD__gnutls_free_datum (&tmp);
579 }
580
581 if (res->x509_rdn_sequence.data != NULL)
582 MHD_gnutls_free (res->x509_rdn_sequence.data);
583
584 res->x509_rdn_sequence.data = MHD_gnutls_malloc (size);
585 if (res->x509_rdn_sequence.data == NULL)
586 {
587 MHD_gnutls_assert ();
588 return GNUTLS_E_MEMORY_ERROR;
589 }
590 res->x509_rdn_sequence.size = size;
591
592 pdata = res->x509_rdn_sequence.data;
593
594 for (i = 0; i < res->x509_ncas; i++)
595 {
596 if ((ret =
597 MHD_gnutls_x509_crt_get_raw_dn (res->x509_ca_list[i], &tmp)) < 0)
598 {
599 MHD__gnutls_free_datum (&res->x509_rdn_sequence);
600 MHD_gnutls_assert ();
601 return ret;
602 }
603
604 MHD_gtls_write_datum16 (pdata, tmp);
605 pdata += (2 + tmp.size);
606 MHD__gnutls_free_datum (&tmp);
607 }
608
609 return 0;
610}
611
612/* Returns 0 if it's ok to use the enum MHD_GNUTLS_KeyExchangeAlgorithm with this 549/* Returns 0 if it's ok to use the enum MHD_GNUTLS_KeyExchangeAlgorithm with this
613 * certificate (uses the KeyUsage field). 550 * certificate (uses the KeyUsage field).
614 */ 551 */
@@ -668,187 +605,3 @@ MHD__gnutls_check_key_usage (const MHD_gnutls_cert * cert,
668 605
669 606
670 607
671static int
672parse_pem_ca_mem (MHD_gnutls_x509_crt_t ** cert_list, unsigned *ncerts,
673 const opaque * input_cert, int input_cert_size)
674{
675 int i, size;
676 const opaque *ptr;
677 MHD_gnutls_datum_t tmp;
678 int ret, count;
679
680 /* move to the certificate
681 */
682 ptr = memmem (input_cert, input_cert_size,
683 PEM_CERT_SEP, sizeof (PEM_CERT_SEP) - 1);
684 if (ptr == NULL)
685 ptr = memmem (input_cert, input_cert_size,
686 PEM_CERT_SEP2, sizeof (PEM_CERT_SEP2) - 1);
687
688 if (ptr == NULL)
689 {
690 MHD_gnutls_assert ();
691 return GNUTLS_E_BASE64_DECODING_ERROR;
692 }
693 size = input_cert_size - (ptr - input_cert);
694
695 i = *ncerts + 1;
696 count = 0;
697
698 do
699 {
700
701 *cert_list =
702 (MHD_gnutls_x509_crt_t *) MHD_gtls_realloc_fast (*cert_list,
703 i *
704 sizeof
705 (MHD_gnutls_x509_crt_t));
706
707 if (*cert_list == NULL)
708 {
709 MHD_gnutls_assert ();
710 return GNUTLS_E_MEMORY_ERROR;
711 }
712
713 ret = MHD_gnutls_x509_crt_init (&cert_list[0][i - 1]);
714 if (ret < 0)
715 {
716 MHD_gnutls_assert ();
717 return ret;
718 }
719
720 tmp.data = (opaque *) ptr;
721 tmp.size = size;
722
723 ret =
724 MHD_gnutls_x509_crt_import (cert_list[0][i - 1],
725 &tmp, GNUTLS_X509_FMT_PEM);
726 if (ret < 0)
727 {
728 MHD_gnutls_assert ();
729 return ret;
730 }
731
732 /* now we move ptr after the pem header
733 */
734 ptr++;
735 size--;
736 /* find the next certificate (if any)
737 */
738
739 if (size > 0)
740 {
741 char *ptr3;
742
743 ptr3 = memmem (ptr, size, PEM_CERT_SEP, sizeof (PEM_CERT_SEP) - 1);
744 if (ptr3 == NULL)
745 ptr3 = memmem (ptr, size,
746 PEM_CERT_SEP2, sizeof (PEM_CERT_SEP2) - 1);
747
748 ptr = (const opaque *) ptr3;
749 size = input_cert_size - (ptr - input_cert);
750 }
751 else
752 ptr = NULL;
753
754 i++;
755 count++;
756
757 }
758 while (ptr != NULL);
759
760 *ncerts = i - 1;
761
762 return count;
763}
764
765/* Reads a DER encoded certificate list from memory and stores it to
766 * a MHD_gnutls_cert structure.
767 * returns the number of certificates parsed.
768 */
769static int
770parse_der_ca_mem (MHD_gnutls_x509_crt_t ** cert_list, unsigned *ncerts,
771 const void *input_cert, int input_cert_size)
772{
773 int i;
774 MHD_gnutls_datum_t tmp;
775 int ret;
776
777 i = *ncerts + 1;
778
779 *cert_list =
780 (MHD_gnutls_x509_crt_t *) MHD_gtls_realloc_fast (*cert_list,
781 i *
782 sizeof
783 (MHD_gnutls_x509_crt_t));
784
785 if (*cert_list == NULL)
786 {
787 MHD_gnutls_assert ();
788 return GNUTLS_E_MEMORY_ERROR;
789 }
790
791 tmp.data = (opaque *) input_cert;
792 tmp.size = input_cert_size;
793
794 ret = MHD_gnutls_x509_crt_init (&cert_list[0][i - 1]);
795 if (ret < 0)
796 {
797 MHD_gnutls_assert ();
798 return ret;
799 }
800
801 ret =
802 MHD_gnutls_x509_crt_import (cert_list[0][i - 1], &tmp,
803 GNUTLS_X509_FMT_DER);
804 if (ret < 0)
805 {
806 MHD_gnutls_assert ();
807 return ret;
808 }
809
810 *ncerts = i;
811
812 return 1; /* one certificate parsed */
813}
814
815/**
816 * MHD__gnutls_certificate_set_x509_trust_mem - Used to add trusted CAs in a MHD_gtls_cert_credentials_t structure
817 * @res: is an #MHD_gtls_cert_credentials_t structure.
818 * @ca: is a list of trusted CAs or a DER certificate
819 * @type: is DER or PEM
820 *
821 * This function adds the trusted CAs in order to verify client or
822 * server certificates. In case of a client this is not required to
823 * be called if the certificates are not verified using
824 * MHD_gtls_certificate_verify_peers2(). This function may be called
825 * multiple times.
826 *
827 * In case of a server the CAs set here will be sent to the client if
828 * a certificate request is sent. This can be disabled using
829 * MHD__gnutls_certificate_send_x509_rdn_sequence().
830 *
831 * Returns: the number of certificates processed or a negative value
832 * on error.
833 **/
834int
835MHD__gnutls_certificate_set_x509_trust_mem (MHD_gtls_cert_credentials_t
836 res,
837 const MHD_gnutls_datum_t * ca,
838 MHD_gnutls_x509_crt_fmt_t type)
839{
840 int ret, ret2;
841
842 if (type == GNUTLS_X509_FMT_DER)
843 ret = parse_der_ca_mem (&res->x509_ca_list, &res->x509_ncas,
844 ca->data, ca->size);
845 else
846 ret = parse_pem_ca_mem (&res->x509_ca_list, &res->x509_ncas,
847 ca->data, ca->size);
848
849 if ((ret2 = generate_rdn_seq (res)) < 0)
850 return ret2;
851
852 return ret;
853}
854
diff --git a/src/daemon/https/x509/common.c b/src/daemon/https/x509/common.c
index 9134597e..dd442564 100644
--- a/src/daemon/https/x509/common.c
+++ b/src/daemon/https/x509/common.c
@@ -446,108 +446,3 @@ MHD__gnutls_x509_get_pk_algorithm (ASN1_TYPE src,
446 return algo; 446 return algo;
447} 447}
448 448
449/* Reads the DER signed data from the certificate and allocates space and
450 * returns them into signed_data.
451 */
452int
453MHD__gnutls_x509_get_signed_data (ASN1_TYPE src,
454 const char *src_name,
455 MHD_gnutls_datum_t * signed_data)
456{
457 MHD_gnutls_datum_t der;
458 int start, end, result;
459
460 result = MHD__gnutls_x509_der_encode (src, "", &der, 0);
461 if (result < 0)
462 {
463 MHD_gnutls_assert ();
464 return result;
465 }
466
467 /* Get the signed data
468 */
469 result = MHD__asn1_der_decoding_startEnd (src, der.data, der.size, src_name,
470 &start, &end);
471 if (result != ASN1_SUCCESS)
472 {
473 result = MHD_gtls_asn2err (result);
474 MHD_gnutls_assert ();
475 goto cleanup;
476 }
477
478 result =
479 MHD__gnutls_set_datum (signed_data, &der.data[start], end - start + 1);
480
481 if (result < 0)
482 {
483 MHD_gnutls_assert ();
484 goto cleanup;
485 }
486
487 result = 0;
488
489cleanup:MHD__gnutls_free_datum (&der);
490
491 return result;
492}
493
494/* Reads the DER signature from the certificate and allocates space and
495 * returns them into signed_data.
496 */
497int
498MHD__gnutls_x509_get_signature (ASN1_TYPE src,
499 const char *src_name,
500 MHD_gnutls_datum_t * signature)
501{
502 int bits, result, len;
503
504 signature->data = NULL;
505 signature->size = 0;
506
507 /* Read the signature
508 */
509 bits = 0;
510 result = MHD__asn1_read_value (src, src_name, NULL, &bits);
511
512 if (result != ASN1_MEM_ERROR)
513 {
514 result = MHD_gtls_asn2err (result);
515 MHD_gnutls_assert ();
516 goto cleanup;
517 }
518
519 if (bits % 8 != 0)
520 {
521 MHD_gnutls_assert ();
522 result = GNUTLS_E_CERTIFICATE_ERROR;
523 goto cleanup;
524 }
525
526 len = bits / 8;
527
528 signature->data = MHD_gnutls_malloc (len);
529 if (signature->data == NULL)
530 {
531 MHD_gnutls_assert ();
532 result = GNUTLS_E_MEMORY_ERROR;
533 return result;
534 }
535
536 /* read the bit string of the signature
537 */
538 bits = len;
539 result = MHD__asn1_read_value (src, src_name, signature->data, &bits);
540
541 if (result != ASN1_SUCCESS)
542 {
543 result = MHD_gtls_asn2err (result);
544 MHD_gnutls_assert ();
545 goto cleanup;
546 }
547
548 signature->size = len;
549
550 return 0;
551
552cleanup:return result;
553}
diff --git a/src/daemon/https/x509/common.h b/src/daemon/https/x509/common.h
index 7b8421c7..d78c7cc2 100644
--- a/src/daemon/https/x509/common.h
+++ b/src/daemon/https/x509/common.h
@@ -81,9 +81,4 @@ int MHD__gnutls_x509_get_pk_algorithm (ASN1_TYPE src, const char *src_name,
81int MHD__gnutls_asn1_copy_node (ASN1_TYPE * dst, const char *dst_name, 81int MHD__gnutls_asn1_copy_node (ASN1_TYPE * dst, const char *dst_name,
82 ASN1_TYPE src, const char *src_name); 82 ASN1_TYPE src, const char *src_name);
83 83
84int MHD__gnutls_x509_get_signed_data (ASN1_TYPE src, const char *src_name,
85 MHD_gnutls_datum_t * signed_data);
86int MHD__gnutls_x509_get_signature (ASN1_TYPE src, const char *src_name,
87 MHD_gnutls_datum_t * signature);
88
89#endif 84#endif
diff --git a/src/daemon/https/x509/x509-api.texi b/src/daemon/https/x509/x509-api.texi
deleted file mode 100644
index f4dd35b9..00000000
--- a/src/daemon/https/x509/x509-api.texi
+++ /dev/null
@@ -1,2943 +0,0 @@
1
2@subheading gnutls_x509_crl_init
3@anchor{gnutls_x509_crl_init}
4@deftypefun {int} {gnutls_x509_crl_init} (gnutls_x509_crl_t * @var{crl})
5@var{crl}: The structure to be initialized
6
7This function will initialize a CRL structure. CRL stands for
8Certificate Revocation List. A revocation list usually contains
9lists of certificate serial numbers that have been revoked
10by an Authority. The revocation lists are always signed with
11the authority's private key.
12
13Returns 0 on success.
14@end deftypefun
15
16@subheading gnutls_x509_crl_deinit
17@anchor{gnutls_x509_crl_deinit}
18@deftypefun {void} {gnutls_x509_crl_deinit} (gnutls_x509_crl_t @var{crl})
19@var{crl}: The structure to be initialized
20
21This function will deinitialize a CRL structure.
22@end deftypefun
23
24@subheading gnutls_x509_crl_import
25@anchor{gnutls_x509_crl_import}
26@deftypefun {int} {gnutls_x509_crl_import} (gnutls_x509_crl_t @var{crl}, const gnutls_datum_t * @var{data}, gnutls_x509_crt_fmt_t @var{format})
27@var{crl}: The structure to store the parsed CRL.
28
29@var{data}: The DER or PEM encoded CRL.
30
31@var{format}: One of DER or PEM
32
33This function will convert the given DER or PEM encoded CRL
34to the native gnutls_x509_crl_t format. The output will be stored in 'crl'.
35
36If the CRL is PEM encoded it should have a header of "X509 CRL".
37
38Returns 0 on success.
39@end deftypefun
40
41@subheading gnutls_x509_crl_get_issuer_dn
42@anchor{gnutls_x509_crl_get_issuer_dn}
43@deftypefun {int} {gnutls_x509_crl_get_issuer_dn} (const gnutls_x509_crl_t @var{crl}, char * @var{buf}, size_t * @var{sizeof_buf})
44@var{crl}: should contain a gnutls_x509_crl_t structure
45
46@var{buf}: a pointer to a structure to hold the peer's name (may be null)
47
48@var{sizeof_buf}: initially holds the size of @code{buf}
49
50This function will copy the name of the CRL issuer in the provided buffer. The name
51will be in the form "C=xxxx,O=yyyy,CN=zzzz" as described in RFC2253. The output
52string will be ASCII or UTF-8 encoded, depending on the certificate data.
53
54If buf is null then only the size will be filled.
55
56Returns GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not long enough, and
57in that case the sizeof_buf will be updated with the required size, and
580 on success.
59@end deftypefun
60
61@subheading gnutls_x509_crl_get_issuer_dn_by_oid
62@anchor{gnutls_x509_crl_get_issuer_dn_by_oid}
63@deftypefun {int} {gnutls_x509_crl_get_issuer_dn_by_oid} (gnutls_x509_crl_t @var{crl}, const char * @var{oid}, int @var{indx}, unsigned int @var{raw_flag}, void * @var{buf}, size_t * @var{sizeof_buf})
64@var{crl}: should contain a gnutls_x509_crl_t structure
65
66@var{oid}: holds an Object Identified in null terminated string
67
68@var{indx}: In case multiple same OIDs exist in the RDN, this specifies which to send. Use zero to get the first one.
69
70@var{raw_flag}: If non zero returns the raw DER data of the DN part.
71
72@var{buf}: a pointer to a structure to hold the peer's name (may be null)
73
74@var{sizeof_buf}: initially holds the size of @code{buf}
75
76This function will extract the part of the name of the CRL issuer specified
77by the given OID. The output will be encoded as described in RFC2253. The output
78string will be ASCII or UTF-8 encoded, depending on the certificate data.
79
80Some helper macros with popular OIDs can be found in gnutls/x509.h
81If raw flag is zero, this function will only return known OIDs as text. Other OIDs
82will be DER encoded, as described in RFC2253 -- in hex format with a '\#' prefix.
83You can check about known OIDs using @code{gnutls_x509_dn_oid_known()}.
84
85If buf is null then only the size will be filled.
86
87Returns GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not long enough, and
88in that case the sizeof_buf will be updated with the required size,
89and 0 on success.
90@end deftypefun
91
92@subheading gnutls_x509_crl_get_dn_oid
93@anchor{gnutls_x509_crl_get_dn_oid}
94@deftypefun {int} {gnutls_x509_crl_get_dn_oid} (gnutls_x509_crl_t @var{crl}, int @var{indx}, void * @var{oid}, size_t * @var{sizeof_oid})
95@var{crl}: should contain a gnutls_x509_crl_t structure
96
97@var{indx}: Specifies which DN OID to send. Use zero to get the first one.
98
99@var{oid}: a pointer to a structure to hold the name (may be null)
100
101@var{sizeof_oid}: initially holds the size of 'oid'
102
103This function will extract the requested OID of the name of the CRL issuer, specified
104by the given index.
105
106If oid is null then only the size will be filled.
107
108Returns GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not long enough, and
109in that case the sizeof_oid will be updated with the required size.
110On success 0 is returned.
111@end deftypefun
112
113@subheading gnutls_x509_crl_get_signature_algorithm
114@anchor{gnutls_x509_crl_get_signature_algorithm}
115@deftypefun {int} {gnutls_x509_crl_get_signature_algorithm} (gnutls_x509_crl_t @var{crl})
116@var{crl}: should contain a gnutls_x509_crl_t structure
117
118This function will return a value of the gnutls_sign_algorithm_t enumeration that
119is the signature algorithm.
120
121Returns a negative value on error.
122@end deftypefun
123
124@subheading gnutls_x509_crl_get_signature
125@anchor{gnutls_x509_crl_get_signature}
126@deftypefun {int} {gnutls_x509_crl_get_signature} (gnutls_x509_crl_t @var{crl}, char * @var{sig}, size_t * @var{sizeof_sig})
127@var{crl}: should contain a gnutls_x509_crl_t structure
128
129@var{sig}: a pointer where the signature part will be copied (may be null).
130
131@var{sizeof_sig}: initially holds the size of @code{sig}
132
133This function will extract the signature field of a CRL.
134
135Returns 0 on success, and a negative value on error.
136@end deftypefun
137
138@subheading gnutls_x509_crl_get_version
139@anchor{gnutls_x509_crl_get_version}
140@deftypefun {int} {gnutls_x509_crl_get_version} (gnutls_x509_crl_t @var{crl})
141@var{crl}: should contain a gnutls_x509_crl_t structure
142
143This function will return the version of the specified CRL.
144
145Returns a negative value on error.
146@end deftypefun
147
148@subheading gnutls_x509_crl_get_this_update
149@anchor{gnutls_x509_crl_get_this_update}
150@deftypefun {time_t} {gnutls_x509_crl_get_this_update} (gnutls_x509_crl_t @var{crl})
151@var{crl}: should contain a gnutls_x509_crl_t structure
152
153This function will return the time this CRL was issued.
154
155Returns (time_t)-1 on error.
156@end deftypefun
157
158@subheading gnutls_x509_crl_get_next_update
159@anchor{gnutls_x509_crl_get_next_update}
160@deftypefun {time_t} {gnutls_x509_crl_get_next_update} (gnutls_x509_crl_t @var{crl})
161@var{crl}: should contain a gnutls_x509_crl_t structure
162
163This function will return the time the next CRL will be issued.
164This field is optional in a CRL so it might be normal to get
165an error instead.
166
167Returns (time_t)-1 on error.
168@end deftypefun
169
170@subheading gnutls_x509_crl_get_crt_count
171@anchor{gnutls_x509_crl_get_crt_count}
172@deftypefun {int} {gnutls_x509_crl_get_crt_count} (gnutls_x509_crl_t @var{crl})
173@var{crl}: should contain a gnutls_x509_crl_t structure
174
175This function will return the number of revoked certificates in the
176given CRL.
177
178Returns a negative value on failure.
179@end deftypefun
180
181@subheading gnutls_x509_crl_get_crt_serial
182@anchor{gnutls_x509_crl_get_crt_serial}
183@deftypefun {int} {gnutls_x509_crl_get_crt_serial} (gnutls_x509_crl_t @var{crl}, int @var{indx}, unsigned char * @var{serial}, size_t * @var{serial_size}, time_t * @var{t})
184@var{crl}: should contain a gnutls_x509_crl_t structure
185
186@var{indx}: the index of the certificate to extract (starting from 0)
187
188@var{serial}: where the serial number will be copied
189
190@var{serial_size}: initially holds the size of serial
191
192@var{t}: if non null, will hold the time this certificate was revoked
193
194This function will return the serial number of the specified, by
195the index, revoked certificate.
196
197Returns a negative value on failure.
198@end deftypefun
199
200@subheading gnutls_x509_crl_export
201@anchor{gnutls_x509_crl_export}
202@deftypefun {int} {gnutls_x509_crl_export} (gnutls_x509_crl_t @var{crl}, gnutls_x509_crt_fmt_t @var{format}, void * @var{output_data}, size_t * @var{output_data_size})
203@var{crl}: Holds the revocation list
204
205@var{format}: the format of output params. One of PEM or DER.
206
207@var{output_data}: will contain a private key PEM or DER encoded
208
209@var{output_data_size}: holds the size of output_data (and will be replaced by the actual size of parameters)
210
211This function will export the revocation list to DER or PEM format.
212
213If the buffer provided is not long enough to hold the output, then
214GNUTLS_E_SHORT_MEMORY_BUFFER will be returned.
215
216If the structure is PEM encoded, it will have a header
217of "BEGIN X509 CRL".
218
219Returns 0 on success, and a negative value on failure.
220@end deftypefun
221
222@subheading gnutls_x509_rdn_get
223@anchor{gnutls_x509_rdn_get}
224@deftypefun {int} {gnutls_x509_rdn_get} (const gnutls_datum_t * @var{idn}, char * @var{buf}, size_t * @var{sizeof_buf})
225@var{idn}: should contain a DER encoded RDN sequence
226
227@var{buf}: a pointer to a structure to hold the peer's name
228
229@var{sizeof_buf}: holds the size of @code{buf}
230
231This function will return the name of the given RDN sequence. The
232name will be in the form "C=xxxx,O=yyyy,CN=zzzz" as described in
233RFC2253.
234
235If the provided buffer is not long enough, returns
236GNUTLS_E_SHORT_MEMORY_BUFFER and *sizeof_buf will be updated. On
237success 0 is returned.
238@end deftypefun
239
240@subheading gnutls_x509_rdn_get_by_oid
241@anchor{gnutls_x509_rdn_get_by_oid}
242@deftypefun {int} {gnutls_x509_rdn_get_by_oid} (const gnutls_datum_t * @var{idn}, const char * @var{oid}, int @var{indx}, unsigned int @var{raw_flag}, void * @var{buf}, size_t * @var{sizeof_buf})
243@var{idn}: should contain a DER encoded RDN sequence
244
245@var{oid}: an Object Identifier
246
247@var{indx}: In case multiple same OIDs exist in the RDN indicates which
248to send. Use 0 for the first one.
249
250@var{raw_flag}: If non zero then the raw DER data are returned.
251
252@var{buf}: a pointer to a structure to hold the peer's name
253
254@var{sizeof_buf}: holds the size of @code{buf}
255
256This function will return the name of the given Object identifier,
257of the RDN sequence. The name will be encoded using the rules
258from RFC2253.
259
260Returns GNUTLS_E_SHORT_MEMORY_BUFFER and updates *sizeof_buf if
261the provided buffer is not long enough, and 0 on success.
262@end deftypefun
263
264@subheading gnutls_x509_rdn_get_oid
265@anchor{gnutls_x509_rdn_get_oid}
266@deftypefun {int} {gnutls_x509_rdn_get_oid} (const gnutls_datum_t * @var{idn}, int @var{indx}, void * @var{buf}, size_t * @var{sizeof_buf})
267@var{idn}: should contain a DER encoded RDN sequence
268
269@var{indx}: Indicates which OID to return. Use 0 for the first one.
270
271This function will return the specified Object identifier, of the
272RDN sequence.
273
274Returns GNUTLS_E_SHORT_MEMORY_BUFFER and updates *sizeof_buf if
275the provided buffer is not long enough, and 0 on success.
276@end deftypefun
277
278@subheading gnutls_x509_dn_oid_known
279@anchor{gnutls_x509_dn_oid_known}
280@deftypefun {int} {gnutls_x509_dn_oid_known} (const char * @var{oid})
281@var{oid}: holds an Object Identifier in a null terminated string
282
283This function will inform about known DN OIDs. This is useful since functions
284like @code{gnutls_x509_crt_set_dn_by_oid()} use the information on known
285OIDs to properly encode their input. Object Identifiers that are not
286known are not encoded by these functions, and their input is stored directly
287into the ASN.1 structure. In that case of unknown OIDs, you have
288the responsibility of DER encoding your data.
289
290Returns 1 on known OIDs and 0 otherwise.
291@end deftypefun
292
293@subheading gnutls_x509_crt_init
294@anchor{gnutls_x509_crt_init}
295@deftypefun {int} {gnutls_x509_crt_init} (gnutls_x509_crt_t * @var{cert})
296@var{cert}: The structure to be initialized
297
298This function will initialize an X.509 certificate structure.
299
300Returns 0 on success.
301@end deftypefun
302
303@subheading gnutls_x509_crt_deinit
304@anchor{gnutls_x509_crt_deinit}
305@deftypefun {void} {gnutls_x509_crt_deinit} (gnutls_x509_crt_t @var{cert})
306@var{cert}: The structure to be initialized
307
308This function will deinitialize a CRL structure.
309@end deftypefun
310
311@subheading gnutls_x509_crt_import
312@anchor{gnutls_x509_crt_import}
313@deftypefun {int} {gnutls_x509_crt_import} (gnutls_x509_crt_t @var{cert}, const gnutls_datum_t * @var{data}, gnutls_x509_crt_fmt_t @var{format})
314@var{cert}: The structure to store the parsed certificate.
315
316@var{data}: The DER or PEM encoded certificate.
317
318@var{format}: One of DER or PEM
319
320This function will convert the given DER or PEM encoded Certificate
321to the native gnutls_x509_crt_t format. The output will be stored in @code{cert}.
322
323If the Certificate is PEM encoded it should have a header of "X509 CERTIFICATE", or
324"CERTIFICATE".
325
326Returns 0 on success.
327@end deftypefun
328
329@subheading gnutls_x509_crt_get_issuer_dn
330@anchor{gnutls_x509_crt_get_issuer_dn}
331@deftypefun {int} {gnutls_x509_crt_get_issuer_dn} (gnutls_x509_crt_t @var{cert}, char * @var{buf}, size_t * @var{sizeof_buf})
332@var{cert}: should contain a gnutls_x509_crt_t structure
333
334@var{buf}: a pointer to a structure to hold the name (may be null)
335
336@var{sizeof_buf}: initially holds the size of @code{buf}
337
338This function will copy the name of the Certificate issuer in the
339provided buffer. The name will be in the form
340"C=xxxx,O=yyyy,CN=zzzz" as described in RFC2253. The output string
341will be ASCII or UTF-8 encoded, depending on the certificate data.
342
343If @code{buf} is null then only the size will be filled.
344
345Returns GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not
346long enough, and in that case the *sizeof_buf will be updated with
347the required size. On success 0 is returned.
348@end deftypefun
349
350@subheading gnutls_x509_crt_get_issuer_dn_by_oid
351@anchor{gnutls_x509_crt_get_issuer_dn_by_oid}
352@deftypefun {int} {gnutls_x509_crt_get_issuer_dn_by_oid} (gnutls_x509_crt_t @var{cert}, const char * @var{oid}, int @var{indx}, unsigned int @var{raw_flag}, void * @var{buf}, size_t * @var{sizeof_buf})
353@var{cert}: should contain a gnutls_x509_crt_t structure
354
355@var{oid}: holds an Object Identified in null terminated string
356
357@var{indx}: In case multiple same OIDs exist in the RDN, this specifies which to send. Use zero to get the first one.
358
359@var{raw_flag}: If non zero returns the raw DER data of the DN part.
360
361@var{buf}: a pointer to a structure to hold the name (may be null)
362
363@var{sizeof_buf}: initially holds the size of @code{buf}
364
365This function will extract the part of the name of the Certificate
366issuer specified by the given OID. The output, if the raw flag is not
367used, will be encoded as described in RFC2253. Thus a string that is
368ASCII or UTF-8 encoded, depending on the certificate data.
369
370Some helper macros with popular OIDs can be found in gnutls/x509.h
371If raw flag is zero, this function will only return known OIDs as
372text. Other OIDs will be DER encoded, as described in RFC2253 --
373in hex format with a '\#' prefix. You can check about known OIDs
374using @code{gnutls_x509_dn_oid_known()}.
375
376If @code{buf} is null then only the size will be filled.
377
378Returns GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not
379long enough, and in that case the *sizeof_buf will be updated with
380the required size. On success 0 is returned.
381@end deftypefun
382
383@subheading gnutls_x509_crt_get_issuer_dn_oid
384@anchor{gnutls_x509_crt_get_issuer_dn_oid}
385@deftypefun {int} {gnutls_x509_crt_get_issuer_dn_oid} (gnutls_x509_crt_t @var{cert}, int @var{indx}, void * @var{oid}, size_t * @var{sizeof_oid})
386@var{cert}: should contain a gnutls_x509_crt_t structure
387
388@var{indx}: This specifies which OID to return. Use zero to get the first one.
389
390@var{oid}: a pointer to a buffer to hold the OID (may be null)
391
392@var{sizeof_oid}: initially holds the size of @code{oid}
393
394This function will extract the OIDs of the name of the Certificate
395issuer specified by the given index.
396
397If @code{oid} is null then only the size will be filled.
398
399Returns GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not
400long enough, and in that case the *sizeof_oid will be updated with
401the required size. On success 0 is returned.
402@end deftypefun
403
404@subheading gnutls_x509_crt_get_dn
405@anchor{gnutls_x509_crt_get_dn}
406@deftypefun {int} {gnutls_x509_crt_get_dn} (gnutls_x509_crt_t @var{cert}, char * @var{buf}, size_t * @var{sizeof_buf})
407@var{cert}: should contain a gnutls_x509_crt_t structure
408
409@var{buf}: a pointer to a structure to hold the name (may be null)
410
411@var{sizeof_buf}: initially holds the size of @code{buf}
412
413This function will copy the name of the Certificate in the
414provided buffer. The name will be in the form
415"C=xxxx,O=yyyy,CN=zzzz" as described in RFC2253. The output string
416will be ASCII or UTF-8 encoded, depending on the certificate data.
417
418If @code{buf} is null then only the size will be filled.
419
420Returns GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not
421long enough, and in that case the *sizeof_buf will be updated with
422the required size. On success 0 is returned.
423@end deftypefun
424
425@subheading gnutls_x509_crt_get_dn_by_oid
426@anchor{gnutls_x509_crt_get_dn_by_oid}
427@deftypefun {int} {gnutls_x509_crt_get_dn_by_oid} (gnutls_x509_crt_t @var{cert}, const char * @var{oid}, int @var{indx}, unsigned int @var{raw_flag}, void * @var{buf}, size_t * @var{sizeof_buf})
428@var{cert}: should contain a gnutls_x509_crt_t structure
429
430@var{oid}: holds an Object Identified in null terminated string
431
432@var{indx}: In case multiple same OIDs exist in the RDN, this specifies which to send. Use zero to get the first one.
433
434@var{raw_flag}: If non zero returns the raw DER data of the DN part.
435
436@var{buf}: a pointer where the DN part will be copied (may be null).
437
438@var{sizeof_buf}: initially holds the size of @code{buf}
439
440This function will extract the part of the name of the Certificate
441subject specified by the given OID. The output, if the raw flag is not
442used, will be encoded as described in RFC2253. Thus a string that is
443ASCII or UTF-8 encoded, depending on the certificate data.
444
445Some helper macros with popular OIDs can be found in gnutls/x509.h
446If raw flag is zero, this function will only return known OIDs as
447text. Other OIDs will be DER encoded, as described in RFC2253 --
448in hex format with a '\#' prefix. You can check about known OIDs
449using @code{gnutls_x509_dn_oid_known()}.
450
451If @code{buf} is null then only the size will be filled.
452
453Returns GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not
454long enough, and in that case the *sizeof_buf will be updated with
455the required size. On success 0 is returned.
456@end deftypefun
457
458@subheading gnutls_x509_crt_get_dn_oid
459@anchor{gnutls_x509_crt_get_dn_oid}
460@deftypefun {int} {gnutls_x509_crt_get_dn_oid} (gnutls_x509_crt_t @var{cert}, int @var{indx}, void * @var{oid}, size_t * @var{sizeof_oid})
461@var{cert}: should contain a gnutls_x509_crt_t structure
462
463@var{indx}: This specifies which OID to return. Use zero to get the first one.
464
465@var{oid}: a pointer to a buffer to hold the OID (may be null)
466
467@var{sizeof_oid}: initially holds the size of @code{oid}
468
469This function will extract the OIDs of the name of the Certificate
470subject specified by the given index.
471
472If oid is null then only the size will be filled.
473
474Returns GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not
475long enough, and in that case the *sizeof_oid will be updated with
476the required size. On success 0 is returned.
477@end deftypefun
478
479@subheading gnutls_x509_crt_get_signature_algorithm
480@anchor{gnutls_x509_crt_get_signature_algorithm}
481@deftypefun {int} {gnutls_x509_crt_get_signature_algorithm} (gnutls_x509_crt_t @var{cert})
482@var{cert}: should contain a gnutls_x509_crt_t structure
483
484This function will return a value of the gnutls_sign_algorithm_t enumeration that
485is the signature algorithm.
486
487Returns a negative value on error.
488@end deftypefun
489
490@subheading gnutls_x509_crt_get_signature
491@anchor{gnutls_x509_crt_get_signature}
492@deftypefun {int} {gnutls_x509_crt_get_signature} (gnutls_x509_crt_t @var{cert}, char * @var{sig}, size_t * @var{sizeof_sig})
493@var{cert}: should contain a gnutls_x509_crt_t structure
494
495@var{sig}: a pointer where the signature part will be copied (may be null).
496
497@var{sizeof_sig}: initially holds the size of @code{sig}
498
499This function will extract the signature field of a certificate.
500
501Returns 0 on success, and a negative value on error.
502@end deftypefun
503
504@subheading gnutls_x509_crt_get_version
505@anchor{gnutls_x509_crt_get_version}
506@deftypefun {int} {gnutls_x509_crt_get_version} (gnutls_x509_crt_t @var{cert})
507@var{cert}: should contain a gnutls_x509_crt_t structure
508
509This function will return the version of the specified Certificate.
510
511Returns a negative value on error.
512@end deftypefun
513
514@subheading gnutls_x509_crt_get_activation_time
515@anchor{gnutls_x509_crt_get_activation_time}
516@deftypefun {time_t} {gnutls_x509_crt_get_activation_time} (gnutls_x509_crt_t @var{cert})
517@var{cert}: should contain a gnutls_x509_crt_t structure
518
519This function will return the time this Certificate was or will be activated.
520
521Returns (time_t)-1 on error.
522@end deftypefun
523
524@subheading gnutls_x509_crt_get_expiration_time
525@anchor{gnutls_x509_crt_get_expiration_time}
526@deftypefun {time_t} {gnutls_x509_crt_get_expiration_time} (gnutls_x509_crt_t @var{cert})
527@var{cert}: should contain a gnutls_x509_crt_t structure
528
529This function will return the time this Certificate was or will be expired.
530
531Returns (time_t)-1 on error.
532@end deftypefun
533
534@subheading gnutls_x509_crt_get_serial
535@anchor{gnutls_x509_crt_get_serial}
536@deftypefun {int} {gnutls_x509_crt_get_serial} (gnutls_x509_crt_t @var{cert}, void * @var{result}, size_t * @var{result_size})
537@var{cert}: should contain a gnutls_x509_crt_t structure
538
539@var{result}: The place where the serial number will be copied
540
541@var{result_size}: Holds the size of the result field.
542
543This function will return the X.509 certificate's serial number.
544This is obtained by the X509 Certificate serialNumber
545field. Serial is not always a 32 or 64bit number. Some CAs use
546large serial numbers, thus it may be wise to handle it as something
547opaque.
548
549Returns 0 on success and a negative value in case of an error.
550@end deftypefun
551
552@subheading gnutls_x509_crt_get_subject_key_id
553@anchor{gnutls_x509_crt_get_subject_key_id}
554@deftypefun {int} {gnutls_x509_crt_get_subject_key_id} (gnutls_x509_crt_t @var{cert}, void * @var{ret}, size_t * @var{ret_size}, unsigned int * @var{critical})
555@var{cert}: should contain a gnutls_x509_crt_t structure
556
557@var{ret}: The place where the identifier will be copied
558
559@var{ret_size}: Holds the size of the result field.
560
561@var{critical}: will be non zero if the extension is marked as critical (may be null)
562
563This function will return the X.509v3 certificate's subject key identifier.
564This is obtained by the X.509 Subject Key identifier extension
565field (2.5.29.14).
566
567Returns 0 on success and a negative value in case of an error.
568@end deftypefun
569
570@subheading gnutls_x509_crt_get_authority_key_id
571@anchor{gnutls_x509_crt_get_authority_key_id}
572@deftypefun {int} {gnutls_x509_crt_get_authority_key_id} (gnutls_x509_crt_t @var{cert}, void * @var{ret}, size_t * @var{ret_size}, unsigned int * @var{critical})
573@var{cert}: should contain a gnutls_x509_crt_t structure
574
575@var{critical}: will be non zero if the extension is marked as critical (may be null)
576
577This function will return the X.509v3 certificate authority's key identifier.
578This is obtained by the X.509 Authority Key identifier extension
579field (2.5.29.35). Note that this function only returns the keyIdentifier
580field of the extension.
581
582Returns 0 on success and a negative value in case of an error.
583@end deftypefun
584
585@subheading gnutls_x509_crt_get_pk_algorithm
586@anchor{gnutls_x509_crt_get_pk_algorithm}
587@deftypefun {int} {gnutls_x509_crt_get_pk_algorithm} (gnutls_x509_crt_t @var{cert}, unsigned int * @var{bits})
588@var{cert}: should contain a gnutls_x509_crt_t structure
589
590@var{bits}: if bits is non null it will hold the size of the parameters' in bits
591
592This function will return the public key algorithm of an X.509
593certificate.
594
595If bits is non null, it should have enough size to hold the parameters
596size in bits. For RSA the bits returned is the modulus.
597For DSA the bits returned are of the public
598exponent.
599
600Returns a member of the gnutls_pk_algorithm_t enumeration on success,
601or a negative value on error.
602@end deftypefun
603
604@subheading gnutls_x509_crt_get_subject_alt_name
605@anchor{gnutls_x509_crt_get_subject_alt_name}
606@deftypefun {int} {gnutls_x509_crt_get_subject_alt_name} (gnutls_x509_crt_t @var{cert}, unsigned int @var{seq}, void * @var{ret}, size_t * @var{ret_size}, unsigned int * @var{critical})
607@var{cert}: should contain a gnutls_x509_crt_t structure
608
609@var{seq}: specifies the sequence number of the alt name (0 for the first one, 1 for the second etc.)
610
611@var{ret}: is the place where the alternative name will be copied to
612
613@var{ret_size}: holds the size of ret.
614
615@var{critical}: will be non zero if the extension is marked as critical (may be null)
616
617This function will return the alternative names, contained in the
618given certificate.
619
620This is specified in X509v3 Certificate Extensions. GNUTLS will
621return the Alternative name (2.5.29.17), or a negative error code.
622
623When the SAN type is otherName, it will extract the data in the
624otherName's value field, and @code{GNUTLS_SAN_OTHERNAME} is returned.
625You may use @code{gnutls_x509_crt_get_subject_alt_othername_oid()} to get
626the corresponding OID and the "virtual" SAN types (e.g.,
627@code{GNUTLS_SAN_OTHERNAME_XMPP}).
628
629If an otherName OID is known, the data will be decoded. Otherwise
630the returned data will be DER encoded, and you will have to decode
631it yourself. Currently, only the RFC 3920 id-on-xmppAddr SAN is
632recognized.
633
634Returns the alternative subject name type on success. The type is
635one of the enumerated gnutls_x509_subject_alt_name_t. It will
636return @code{GNUTLS_E_SHORT_MEMORY_BUFFER} if @code{ret_size} is not large
637enough to hold the value. In that case @code{ret_size} will be updated
638with the required size. If the certificate does not have an
639Alternative name with the specified sequence number then
640@code{GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE} is returned.
641@end deftypefun
642
643@subheading gnutls_x509_crt_get_subject_alt_name2
644@anchor{gnutls_x509_crt_get_subject_alt_name2}
645@deftypefun {int} {gnutls_x509_crt_get_subject_alt_name2} (gnutls_x509_crt_t @var{cert}, unsigned int @var{seq}, void * @var{ret}, size_t * @var{ret_size}, unsigned int* @var{ret_type}, unsigned int * @var{critical})
646@var{cert}: should contain a gnutls_x509_crt_t structure
647
648@var{seq}: specifies the sequence number of the alt name (0 for the first one, 1 for the second etc.)
649
650@var{ret}: is the place where the alternative name will be copied to
651
652@var{ret_size}: holds the size of ret.
653
654@var{ret_type}: holds the type of the alternative name (one of gnutls_x509_subject_alt_name_t).
655
656@var{critical}: will be non zero if the extension is marked as critical (may be null)
657
658This function will return the alternative names, contained in the
659given certificate. It is the same as @code{gnutls_x509_crt_get_subject_alt_name()}
660except for the fact that it will return the type of the alternative
661name in @code{ret_type} even if the function fails for some reason (i.e.
662the buffer provided is not enough).
663
664The return values are the same as with @code{gnutls_x509_crt_get_subject_alt_name()}.
665@end deftypefun
666
667@subheading gnutls_x509_crt_get_subject_alt_othername_oid
668@anchor{gnutls_x509_crt_get_subject_alt_othername_oid}
669@deftypefun {int} {gnutls_x509_crt_get_subject_alt_othername_oid} (gnutls_x509_crt_t @var{cert}, unsigned int @var{seq}, void * @var{ret}, size_t * @var{ret_size})
670@var{cert}: should contain a gnutls_x509_crt_t structure
671
672@var{seq}: specifies the sequence number of the alt name (0 for the first one, 1 for the second etc.)
673
674@var{ret}: is the place where the otherName OID will be copied to
675
676@var{ret_size}: holds the size of ret.
677
678This function will extract the type OID of an otherName Subject
679Alternative Name, contained in the given certificate, and return
680the type as an enumerated element.
681
682This function is only useful if
683@code{gnutls_x509_crt_get_subject_alt_name()} returned
684@code{GNUTLS_SAN_OTHERNAME}.
685
686Returns the alternative subject name type on success. The type is
687one of the enumerated gnutls_x509_subject_alt_name_t. For
688supported OIDs, it will return one of the virtual
689(GNUTLS_SAN_OTHERNAME_*) types, e.g. @code{GNUTLS_SAN_OTHERNAME_XMPP},
690and @code{GNUTLS_SAN_OTHERNAME} for unknown OIDs. It will return
691@code{GNUTLS_E_SHORT_MEMORY_BUFFER} if @code{ret_size} is not large enough to
692hold the value. In that case @code{ret_size} will be updated with the
693required size. If the certificate does not have an Alternative
694name with the specified sequence number and with the otherName type
695then @code{GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE} is returned.
696@end deftypefun
697
698@subheading gnutls_x509_crt_get_basic_constraints
699@anchor{gnutls_x509_crt_get_basic_constraints}
700@deftypefun {int} {gnutls_x509_crt_get_basic_constraints} (gnutls_x509_crt_t @var{cert}, unsigned int * @var{critical}, int * @var{ca}, int * @var{pathlen})
701@var{cert}: should contain a gnutls_x509_crt_t structure
702
703@var{critical}: will be non zero if the extension is marked as critical
704
705@var{ca}: pointer to output integer indicating CA status, may be NULL,
706value is 1 if the certificate CA flag is set, 0 otherwise.
707
708@var{pathlen}: pointer to output integer indicating path length (may be
709NULL), non-negative values indicate a present pathLenConstraint
710field and the actual value, -1 indicate that the field is absent.
711
712This function will read the certificate's basic constraints, and
713return the certificates CA status. It reads the basicConstraints
714X.509 extension (2.5.29.19).
715
716@strong{Return value:} If the certificate is a CA a positive value will be
717returned, or zero if the certificate does not have CA flag set. A
718negative value may be returned in case of errors. If the
719certificate does not contain the basicConstraints extension
720GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.
721@end deftypefun
722
723@subheading gnutls_x509_crt_get_ca_status
724@anchor{gnutls_x509_crt_get_ca_status}
725@deftypefun {int} {gnutls_x509_crt_get_ca_status} (gnutls_x509_crt_t @var{cert}, unsigned int * @var{critical})
726@var{cert}: should contain a gnutls_x509_crt_t structure
727
728@var{critical}: will be non zero if the extension is marked as critical
729
730This function will return certificates CA status, by reading the
731basicConstraints X.509 extension (2.5.29.19). If the certificate is
732a CA a positive value will be returned, or zero if the certificate
733does not have CA flag set.
734
735Use @code{gnutls_x509_crt_get_basic_constraints()} if you want to read the
736pathLenConstraint field too.
737
738A negative value may be returned in case of parsing error.
739If the certificate does not contain the basicConstraints extension
740GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.
741@end deftypefun
742
743@subheading gnutls_x509_crt_get_key_usage
744@anchor{gnutls_x509_crt_get_key_usage}
745@deftypefun {int} {gnutls_x509_crt_get_key_usage} (gnutls_x509_crt_t @var{cert}, unsigned int * @var{key_usage}, unsigned int * @var{critical})
746@var{cert}: should contain a gnutls_x509_crt_t structure
747
748@var{key_usage}: where the key usage bits will be stored
749
750@var{critical}: will be non zero if the extension is marked as critical
751
752This function will return certificate's key usage, by reading the
753keyUsage X.509 extension (2.5.29.15). The key usage value will ORed values of the:
754GNUTLS_KEY_DIGITAL_SIGNATURE, GNUTLS_KEY_NON_REPUDIATION,
755GNUTLS_KEY_KEY_ENCIPHERMENT, GNUTLS_KEY_DATA_ENCIPHERMENT,
756GNUTLS_KEY_KEY_AGREEMENT, GNUTLS_KEY_KEY_CERT_SIGN,
757GNUTLS_KEY_CRL_SIGN, GNUTLS_KEY_ENCIPHER_ONLY,
758GNUTLS_KEY_DECIPHER_ONLY.
759
760A negative value may be returned in case of parsing error.
761If the certificate does not contain the keyUsage extension
762GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.
763@end deftypefun
764
765@subheading gnutls_x509_crt_get_proxy
766@anchor{gnutls_x509_crt_get_proxy}
767@deftypefun {int} {gnutls_x509_crt_get_proxy} (gnutls_x509_crt_t @var{cert}, unsigned int * @var{critical}, int * @var{pathlen}, char ** @var{policyLanguage}, char ** @var{policy}, size_t * @var{sizeof_policy})
768@var{cert}: should contain a gnutls_x509_crt_t structure
769
770@var{critical}: will be non zero if the extension is marked as critical
771
772@var{pathlen}: pointer to output integer indicating path length (may be
773NULL), non-negative values indicate a present pCPathLenConstraint
774field and the actual value, -1 indicate that the field is absent.
775
776This function will read the certificate's basic constraints, and
777return the certificates CA status. It reads the basicConstraints
778X.509 extension (2.5.29.19).
779
780@strong{Return value:} If the certificate is a CA a positive value will be
781returned, or zero if the certificate does not have CA flag set. A
782negative value may be returned in case of errors. If the
783certificate does not contain the basicConstraints extension
784GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.
785@end deftypefun
786
787@subheading gnutls_x509_crt_get_extension_by_oid
788@anchor{gnutls_x509_crt_get_extension_by_oid}
789@deftypefun {int} {gnutls_x509_crt_get_extension_by_oid} (gnutls_x509_crt_t @var{cert}, const char * @var{oid}, int @var{indx}, void * @var{buf}, size_t * @var{sizeof_buf}, unsigned int * @var{critical})
790@var{cert}: should contain a gnutls_x509_crt_t structure
791
792@var{oid}: holds an Object Identified in null terminated string
793
794@var{indx}: In case multiple same OIDs exist in the extensions, this specifies which to send. Use zero to get the first one.
795
796@var{buf}: a pointer to a structure to hold the name (may be null)
797
798@var{sizeof_buf}: initially holds the size of @code{buf}
799
800@var{critical}: will be non zero if the extension is marked as critical
801
802This function will return the extension specified by the OID in the certificate.
803The extensions will be returned as binary data DER encoded, in the provided
804buffer.
805
806A negative value may be returned in case of parsing error.
807If the certificate does not contain the specified extension
808GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.
809@end deftypefun
810
811@subheading gnutls_x509_crt_get_extension_oid
812@anchor{gnutls_x509_crt_get_extension_oid}
813@deftypefun {int} {gnutls_x509_crt_get_extension_oid} (gnutls_x509_crt_t @var{cert}, int @var{indx}, void * @var{oid}, size_t * @var{sizeof_oid})
814@var{cert}: should contain a gnutls_x509_crt_t structure
815
816@var{indx}: Specifies which extension OID to send. Use zero to get the first one.
817
818@var{oid}: a pointer to a structure to hold the OID (may be null)
819
820@var{sizeof_oid}: initially holds the size of @code{oid}
821
822This function will return the requested extension OID in the certificate.
823The extension OID will be stored as a string in the provided buffer.
824
825A negative value may be returned in case of parsing error.
826If your have reached the last extension available
827GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.
828@end deftypefun
829
830@subheading gnutls_x509_crt_get_extension_info
831@anchor{gnutls_x509_crt_get_extension_info}
832@deftypefun {int} {gnutls_x509_crt_get_extension_info} (gnutls_x509_crt_t @var{cert}, int @var{indx}, void * @var{oid}, size_t * @var{sizeof_oid}, int * @var{critical})
833@var{cert}: should contain a gnutls_x509_crt_t structure
834
835@var{indx}: Specifies which extension OID to send. Use zero to get the first one.
836
837@var{oid}: a pointer to a structure to hold the OID
838
839@var{sizeof_oid}: initially holds the size of @code{oid}
840
841@var{critical}: output variable with critical flag, may be NULL.
842
843This function will return the requested extension OID in the
844certificate, and the critical flag for it. The extension OID will
845be stored as a string in the provided buffer. Use
846@code{gnutls_x509_crt_get_extension_data()} to extract the data.
847
848Return 0 on success. A negative value may be returned in case of
849parsing error. If you have reached the last extension available
850GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.
851@end deftypefun
852
853@subheading gnutls_x509_crt_get_extension_data
854@anchor{gnutls_x509_crt_get_extension_data}
855@deftypefun {int} {gnutls_x509_crt_get_extension_data} (gnutls_x509_crt_t @var{cert}, int @var{indx}, void * @var{data}, size_t * @var{sizeof_data})
856@var{cert}: should contain a gnutls_x509_crt_t structure
857
858@var{indx}: Specifies which extension OID to send. Use zero to get the first one.
859
860@var{data}: a pointer to a structure to hold the data (may be null)
861
862@var{sizeof_data}: initially holds the size of @code{oid}
863
864This function will return the requested extension data in the
865certificate. The extension data will be stored as a string in the
866provided buffer.
867
868Use @code{gnutls_x509_crt_get_extension_info()} to extract the OID and
869critical flag. Use @code{gnutls_x509_crt_get_extension_by_oid()} instead,
870if you want to get data indexed by the extension OID rather than
871sequence.
872
873Return 0 on success. A negative value may be returned in case of
874parsing error. If you have reached the last extension available
875GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.
876@end deftypefun
877
878@subheading gnutls_x509_crt_get_raw_issuer_dn
879@anchor{gnutls_x509_crt_get_raw_issuer_dn}
880@deftypefun {int} {gnutls_x509_crt_get_raw_issuer_dn} (gnutls_x509_crt_t @var{cert}, gnutls_datum_t * @var{start})
881@var{cert}: should contain a gnutls_x509_crt_t structure
882
883@var{start}: will hold the starting point of the DN
884
885This function will return a pointer to the DER encoded DN structure
886and the length.
887
888Returns 0 on success or a negative value on error.
889@end deftypefun
890
891@subheading gnutls_x509_crt_get_raw_dn
892@anchor{gnutls_x509_crt_get_raw_dn}
893@deftypefun {int} {gnutls_x509_crt_get_raw_dn} (gnutls_x509_crt_t @var{cert}, gnutls_datum_t * @var{start})
894@var{cert}: should contain a gnutls_x509_crt_t structure
895
896@var{start}: will hold the starting point of the DN
897
898This function will return a pointer to the DER encoded DN structure and
899the length.
900
901Returns 0 on success, or a negative value on error.
902@end deftypefun
903
904@subheading gnutls_x509_crt_get_subject
905@anchor{gnutls_x509_crt_get_subject}
906@deftypefun {int} {gnutls_x509_crt_get_subject} (gnutls_x509_crt_t @var{cert}, gnutls_x509_dn_t * @var{dn})
907@var{cert}: should contain a gnutls_x509_crt_t structure
908
909@var{dn}: output variable with pointer to opaque DN.
910
911Return the Certificate's Subject DN as an opaque data type. You
912may use @code{gnutls_x509_dn_get_rdn_ava()} to decode the DN.
913
914@strong{Returns:} Returns 0 on success, or an error code.
915@end deftypefun
916
917@subheading gnutls_x509_crt_get_issuer
918@anchor{gnutls_x509_crt_get_issuer}
919@deftypefun {int} {gnutls_x509_crt_get_issuer} (gnutls_x509_crt_t @var{cert}, gnutls_x509_dn_t * @var{dn})
920@var{cert}: should contain a gnutls_x509_crt_t structure
921
922@var{dn}: output variable with pointer to opaque DN
923
924Return the Certificate's Issuer DN as an opaque data type. You may
925use @code{gnutls_x509_dn_get_rdn_ava()} to decode the DN.
926
927Note that @code{dn} points into the @code{cert} object, and thus you may not
928deallocate @code{cert} and continue to access @code{dn}.
929
930@strong{Returns:} Returns 0 on success, or an error code.
931@end deftypefun
932
933@subheading gnutls_x509_dn_get_rdn_ava
934@anchor{gnutls_x509_dn_get_rdn_ava}
935@deftypefun {int} {gnutls_x509_dn_get_rdn_ava} (gnutls_x509_dn_t @var{dn}, int @var{irdn}, int @var{iava}, gnutls_x509_ava_st * @var{ava})
936@var{dn}: input variable with opaque DN pointer
937
938@var{irdn}: index of RDN
939
940@var{iava}: index of AVA.
941
942@var{ava}: Pointer to structure which will hold output information.
943
944Get pointers to data within the DN.
945
946Note that @code{ava} will contain pointers into the @code{dn} structure, so you
947should not modify any data or deallocate it. Note also that the DN
948in turn points into the original certificate structure, and thus
949you may not deallocate the certificate and continue to access @code{dn}.
950
951@strong{Returns:} Returns 0 on success, or an error code.
952@end deftypefun
953
954@subheading gnutls_x509_crt_get_fingerprint
955@anchor{gnutls_x509_crt_get_fingerprint}
956@deftypefun {int} {gnutls_x509_crt_get_fingerprint} (gnutls_x509_crt_t @var{cert}, gnutls_digest_algorithm_t @var{algo}, void * @var{buf}, size_t * @var{sizeof_buf})
957@var{cert}: should contain a gnutls_x509_crt_t structure
958
959@var{algo}: is a digest algorithm
960
961@var{buf}: a pointer to a structure to hold the fingerprint (may be null)
962
963@var{sizeof_buf}: initially holds the size of @code{buf}
964
965This function will calculate and copy the certificate's fingerprint
966in the provided buffer.
967
968If the buffer is null then only the size will be filled.
969
970@strong{Returns:} @code{GNUTLS_E_SHORT_MEMORY_BUFFER} if the provided buffer is
971not long enough, and in that case the *sizeof_buf will be updated
972with the required size. On success 0 is returned.
973@end deftypefun
974
975@subheading gnutls_x509_crt_export
976@anchor{gnutls_x509_crt_export}
977@deftypefun {int} {gnutls_x509_crt_export} (gnutls_x509_crt_t @var{cert}, gnutls_x509_crt_fmt_t @var{format}, void * @var{output_data}, size_t * @var{output_data_size})
978@var{cert}: Holds the certificate
979
980@var{format}: the format of output params. One of PEM or DER.
981
982@var{output_data}: will contain a certificate PEM or DER encoded
983
984@var{output_data_size}: holds the size of output_data (and will be
985replaced by the actual size of parameters)
986
987This function will export the certificate to DER or PEM format.
988
989If the buffer provided is not long enough to hold the output, then
990*output_data_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will
991be returned.
992
993If the structure is PEM encoded, it will have a header
994of "BEGIN CERTIFICATE".
995
996@strong{Return value:} In case of failure a negative value will be
997returned, and 0 on success.
998@end deftypefun
999
1000@subheading gnutls_x509_crt_get_key_id
1001@anchor{gnutls_x509_crt_get_key_id}
1002@deftypefun {int} {gnutls_x509_crt_get_key_id} (gnutls_x509_crt_t @var{crt}, unsigned int @var{flags}, unsigned char * @var{output_data}, size_t * @var{output_data_size})
1003@var{crt}: Holds the certificate
1004
1005@var{flags}: should be 0 for now
1006
1007@var{output_data}: will contain the key ID
1008
1009@var{output_data_size}: holds the size of output_data (and will be
1010replaced by the actual size of parameters)
1011
1012This function will return a unique ID the depends on the public
1013key parameters. This ID can be used in checking whether a
1014certificate corresponds to the given private key.
1015
1016If the buffer provided is not long enough to hold the output, then
1017*output_data_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will
1018be returned. The output will normally be a SHA-1 hash output,
1019which is 20 bytes.
1020
1021@strong{Return value:} In case of failure a negative value will be
1022returned, and 0 on success.
1023@end deftypefun
1024
1025@subheading gnutls_x509_crt_check_revocation
1026@anchor{gnutls_x509_crt_check_revocation}
1027@deftypefun {int} {gnutls_x509_crt_check_revocation} (gnutls_x509_crt_t @var{cert}, const gnutls_x509_crl_t * @var{crl_list}, int @var{crl_list_length})
1028@var{cert}: should contain a gnutls_x509_crt_t structure
1029
1030@var{crl_list}: should contain a list of gnutls_x509_crl_t structures
1031
1032@var{crl_list_length}: the length of the crl_list
1033
1034This function will return check if the given certificate is
1035revoked. It is assumed that the CRLs have been verified before.
1036
1037@strong{Returns:} 0 if the certificate is NOT revoked, and 1 if it is. A
1038negative value is returned on error.
1039@end deftypefun
1040
1041@subheading gnutls_x509_crt_verify_data
1042@anchor{gnutls_x509_crt_verify_data}
1043@deftypefun {int} {gnutls_x509_crt_verify_data} (gnutls_x509_crt_t @var{crt}, unsigned int @var{flags}, const gnutls_datum_t * @var{data}, const gnutls_datum_t * @var{signature})
1044@var{crt}: Holds the certificate
1045
1046@var{flags}: should be 0 for now
1047
1048@var{data}: holds the data to be signed
1049
1050@var{signature}: contains the signature
1051
1052This function will verify the given signed data, using the
1053parameters from the certificate.
1054
1055@strong{Returns:} In case of a verification failure 0 is returned, and 1 on
1056success.
1057@end deftypefun
1058
1059@subheading gnutls_x509_crt_get_crl_dist_points
1060@anchor{gnutls_x509_crt_get_crl_dist_points}
1061@deftypefun {int} {gnutls_x509_crt_get_crl_dist_points} (gnutls_x509_crt_t @var{cert}, unsigned int @var{seq}, void * @var{ret}, size_t * @var{ret_size}, unsigned int * @var{reason_flags}, unsigned int * @var{critical})
1062@var{cert}: should contain a gnutls_x509_crt_t structure
1063
1064@var{seq}: specifies the sequence number of the distribution point (0 for the first one, 1 for the second etc.)
1065
1066@var{ret}: is the place where the distribution point will be copied to
1067
1068@var{ret_size}: holds the size of ret.
1069
1070@var{reason_flags}: Revocation reasons flags.
1071
1072@var{critical}: will be non zero if the extension is marked as critical (may be null)
1073
1074This function will return the CRL distribution points (2.5.29.31),
1075contained in the given certificate.
1076
1077@code{reason_flags} should be an ORed sequence of
1078GNUTLS_CRL_REASON_UNUSED, GNUTLS_CRL_REASON_KEY_COMPROMISE,
1079GNUTLS_CRL_REASON_CA_COMPROMISE,
1080GNUTLS_CRL_REASON_AFFILIATION_CHANGED,
1081GNUTLS_CRL_REASON_SUPERSEEDED,
1082GNUTLS_CRL_REASON_CESSATION_OF_OPERATION,
1083GNUTLS_CRL_REASON_CERTIFICATE_HOLD,
1084GNUTLS_CRL_REASON_PRIVILEGE_WITHDRAWN,
1085GNUTLS_CRL_REASON_AA_COMPROMISE, or zero for all possible reasons.
1086
1087This is specified in X509v3 Certificate Extensions. GNUTLS will
1088return the distribution point type, or a negative error code on
1089error.
1090
1091Returns @code{GNUTLS_E_SHORT_MEMORY_BUFFER} and updates &@code{ret_size} if
1092&@code{ret_size} is not enough to hold the distribution point, or the
1093type of the distribution point if everything was ok. The type is
1094one of the enumerated @code{gnutls_x509_subject_alt_name_t}. If the
1095certificate does not have an Alternative name with the specified
1096sequence number then @code{GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE} is
1097returned.
1098@end deftypefun
1099
1100@subheading gnutls_x509_crt_get_key_purpose_oid
1101@anchor{gnutls_x509_crt_get_key_purpose_oid}
1102@deftypefun {int} {gnutls_x509_crt_get_key_purpose_oid} (gnutls_x509_crt_t @var{cert}, int @var{indx}, void * @var{oid}, size_t * @var{sizeof_oid}, unsigned int * @var{critical})
1103@var{cert}: should contain a gnutls_x509_crt_t structure
1104
1105@var{indx}: This specifies which OID to return. Use zero to get the first one.
1106
1107@var{oid}: a pointer to a buffer to hold the OID (may be null)
1108
1109@var{sizeof_oid}: initially holds the size of @code{oid}
1110
1111This function will extract the key purpose OIDs of the Certificate
1112specified by the given index. These are stored in the Extended Key
1113Usage extension (2.5.29.37) See the GNUTLS_KP_* definitions for
1114human readable names.
1115
1116If @code{oid} is null then only the size will be filled.
1117
1118@strong{Returns:} @code{GNUTLS_E_SHORT_MEMORY_BUFFER} if the provided buffer is
1119not long enough, and in that case the *sizeof_oid will be updated
1120with the required size. On success 0 is returned.
1121@end deftypefun
1122
1123@subheading gnutls_x509_crt_get_pk_rsa_raw
1124@anchor{gnutls_x509_crt_get_pk_rsa_raw}
1125@deftypefun {int} {gnutls_x509_crt_get_pk_rsa_raw} (gnutls_x509_crt_t @var{crt}, gnutls_datum_t * @var{m}, gnutls_datum_t * @var{e})
1126@var{crt}: Holds the certificate
1127
1128@var{m}: will hold the modulus
1129
1130@var{e}: will hold the public exponent
1131
1132This function will export the RSA public key's parameters found in
1133the given structure. The new parameters will be allocated using
1134@code{gnutls_malloc()} and will be stored in the appropriate datum.
1135
1136@strong{Returns:} @code{GNUTLS_E_SUCCESS} on success, otherwise an error.
1137@end deftypefun
1138
1139@subheading gnutls_x509_crt_get_pk_dsa_raw
1140@anchor{gnutls_x509_crt_get_pk_dsa_raw}
1141@deftypefun {int} {gnutls_x509_crt_get_pk_dsa_raw} (gnutls_x509_crt_t @var{crt}, gnutls_datum_t * @var{p}, gnutls_datum_t * @var{q}, gnutls_datum_t * @var{g}, gnutls_datum_t * @var{y})
1142@var{crt}: Holds the certificate
1143
1144@var{p}: will hold the p
1145
1146@var{q}: will hold the q
1147
1148@var{g}: will hold the g
1149
1150@var{y}: will hold the y
1151
1152This function will export the DSA public key's parameters found in
1153the given certificate. The new parameters will be allocated using
1154@code{gnutls_malloc()} and will be stored in the appropriate datum.
1155
1156@strong{Returns:} @code{GNUTLS_E_SUCCESS} on success, otherwise an error.
1157@end deftypefun
1158
1159@subheading gnutls_x509_crt_list_import
1160@anchor{gnutls_x509_crt_list_import}
1161@deftypefun {int} {gnutls_x509_crt_list_import} (gnutls_x509_crt_t * @var{certs}, unsigned int * @var{cert_max}, const gnutls_datum_t * @var{data}, gnutls_x509_crt_fmt_t @var{format}, unsigned int @var{flags})
1162@var{certs}: The structures to store the parsed certificate. Must not be initialized.
1163
1164@var{cert_max}: Initially must hold the maximum number of certs. It will be updated with the number of certs available.
1165
1166@var{data}: The PEM encoded certificate.
1167
1168@var{format}: One of DER or PEM.
1169
1170@var{flags}: must be zero or an OR'd sequence of gnutls_certificate_import_flags.
1171
1172This function will convert the given PEM encoded certificate list
1173to the native gnutls_x509_crt_t format. The output will be stored
1174in @code{certs}. They will be automatically initialized.
1175
1176If the Certificate is PEM encoded it should have a header of "X509
1177CERTIFICATE", or "CERTIFICATE".
1178
1179@strong{Returns:} the number of certificates read or a negative error value.
1180@end deftypefun
1181
1182@subheading gnutls_x509_crt_check_hostname
1183@anchor{gnutls_x509_crt_check_hostname}
1184@deftypefun {int} {gnutls_x509_crt_check_hostname} (gnutls_x509_crt_t @var{cert}, const char * @var{hostname})
1185@var{cert}: should contain an gnutls_x509_crt_t structure
1186
1187@var{hostname}: A null terminated string that contains a DNS name
1188
1189This function will check if the given certificate's subject
1190matches the given hostname. This is a basic implementation of the
1191matching described in RFC2818 (HTTPS), which takes into account
1192wildcards, and the DNSName/IPAddress subject alternative name PKIX
1193extension.
1194
1195Returns non zero for a successful match, and zero on failure.
1196@end deftypefun
1197
1198@subheading gnutls_x509_crt_check_issuer
1199@anchor{gnutls_x509_crt_check_issuer}
1200@deftypefun {int} {gnutls_x509_crt_check_issuer} (gnutls_x509_crt_t @var{cert}, gnutls_x509_crt_t @var{issuer})
1201@var{cert}: is the certificate to be checked
1202
1203@var{issuer}: is the certificate of a possible issuer
1204
1205This function will check if the given certificate was issued by the
1206given issuer. It will return true (1) if the given certificate is issued
1207by the given issuer, and false (0) if not.
1208
1209A negative value is returned in case of an error.
1210@end deftypefun
1211
1212@subheading gnutls_x509_crt_list_verify
1213@anchor{gnutls_x509_crt_list_verify}
1214@deftypefun {int} {gnutls_x509_crt_list_verify} (const gnutls_x509_crt_t * @var{cert_list}, int @var{cert_list_length}, const gnutls_x509_crt_t * @var{CA_list}, int @var{CA_list_length}, const gnutls_x509_crl_t * @var{CRL_list}, int @var{CRL_list_length}, unsigned int @var{flags}, unsigned int * @var{verify})
1215@var{cert_list}: is the certificate list to be verified
1216
1217@var{cert_list_length}: holds the number of certificate in cert_list
1218
1219@var{CA_list}: is the CA list which will be used in verification
1220
1221@var{CA_list_length}: holds the number of CA certificate in CA_list
1222
1223@var{CRL_list}: holds a list of CRLs.
1224
1225@var{CRL_list_length}: the length of CRL list.
1226
1227@var{flags}: Flags that may be used to change the verification algorithm. Use OR of the gnutls_certificate_verify_flags enumerations.
1228
1229@var{verify}: will hold the certificate verification output.
1230
1231This function will try to verify the given certificate list and return its status.
1232Note that expiration and activation dates are not checked
1233by this function, you should check them using the appropriate functions.
1234
1235If no flags are specified (0), this function will use the
1236basicConstraints (2.5.29.19) PKIX extension. This means that only a certificate
1237authority is allowed to sign a certificate.
1238
1239You must also check the peer's name in order to check if the verified
1240certificate belongs to the actual peer.
1241
1242The certificate verification output will be put in @code{verify} and will be
1243one or more of the gnutls_certificate_status_t enumerated elements bitwise or'd.
1244For a more detailed verification status use @code{gnutls_x509_crt_verify()} per list
1245element.
1246
1247@strong{GNUTLS_CERT_INVALID:} the certificate chain is not valid.
1248
1249@strong{GNUTLS_CERT_REVOKED:} a certificate in the chain has been revoked.
1250
1251Returns 0 on success and a negative value in case of an error.
1252@end deftypefun
1253
1254@subheading gnutls_x509_crt_verify
1255@anchor{gnutls_x509_crt_verify}
1256@deftypefun {int} {gnutls_x509_crt_verify} (gnutls_x509_crt_t @var{cert}, const gnutls_x509_crt_t * @var{CA_list}, int @var{CA_list_length}, unsigned int @var{flags}, unsigned int * @var{verify})
1257@var{cert}: is the certificate to be verified
1258
1259@var{CA_list}: is one certificate that is considered to be trusted one
1260
1261@var{CA_list_length}: holds the number of CA certificate in CA_list
1262
1263@var{flags}: Flags that may be used to change the verification algorithm. Use OR of the gnutls_certificate_verify_flags enumerations.
1264
1265@var{verify}: will hold the certificate verification output.
1266
1267This function will try to verify the given certificate and return its status.
1268The verification output in this functions cannot be GNUTLS_CERT_NOT_VALID.
1269
1270Returns 0 on success and a negative value in case of an error.
1271@end deftypefun
1272
1273@subheading gnutls_x509_crl_check_issuer
1274@anchor{gnutls_x509_crl_check_issuer}
1275@deftypefun {int} {gnutls_x509_crl_check_issuer} (gnutls_x509_crl_t @var{cert}, gnutls_x509_crt_t @var{issuer})
1276@var{issuer}: is the certificate of a possible issuer
1277
1278This function will check if the given CRL was issued by the
1279given issuer certificate. It will return true (1) if the given CRL was issued
1280by the given issuer, and false (0) if not.
1281
1282A negative value is returned in case of an error.
1283@end deftypefun
1284
1285@subheading gnutls_x509_crl_verify
1286@anchor{gnutls_x509_crl_verify}
1287@deftypefun {int} {gnutls_x509_crl_verify} (gnutls_x509_crl_t @var{crl}, const gnutls_x509_crt_t * @var{CA_list}, int @var{CA_list_length}, unsigned int @var{flags}, unsigned int * @var{verify})
1288@var{crl}: is the crl to be verified
1289
1290@var{CA_list}: is a certificate list that is considered to be trusted one
1291
1292@var{CA_list_length}: holds the number of CA certificates in CA_list
1293
1294@var{flags}: Flags that may be used to change the verification algorithm. Use OR of the gnutls_certificate_verify_flags enumerations.
1295
1296@var{verify}: will hold the crl verification output.
1297
1298This function will try to verify the given crl and return its status.
1299See @code{gnutls_x509_crt_list_verify()} for a detailed description of
1300return values.
1301
1302Returns 0 on success and a negative value in case of an error.
1303@end deftypefun
1304
1305@subheading gnutls_x509_privkey_init
1306@anchor{gnutls_x509_privkey_init}
1307@deftypefun {int} {gnutls_x509_privkey_init} (gnutls_x509_privkey_t * @var{key})
1308@var{key}: The structure to be initialized
1309
1310This function will initialize an private key structure.
1311
1312Returns 0 on success.
1313@end deftypefun
1314
1315@subheading gnutls_x509_privkey_deinit
1316@anchor{gnutls_x509_privkey_deinit}
1317@deftypefun {void} {gnutls_x509_privkey_deinit} (gnutls_x509_privkey_t @var{key})
1318@var{key}: The structure to be initialized
1319
1320This function will deinitialize a private key structure.
1321@end deftypefun
1322
1323@subheading gnutls_x509_privkey_cpy
1324@anchor{gnutls_x509_privkey_cpy}
1325@deftypefun {int} {gnutls_x509_privkey_cpy} (gnutls_x509_privkey_t @var{dst}, gnutls_x509_privkey_t @var{src})
1326@var{dst}: The destination key, which should be initialized.
1327
1328@var{src}: The source key
1329
1330This function will copy a private key from source to destination key.
1331@end deftypefun
1332
1333@subheading gnutls_x509_privkey_import
1334@anchor{gnutls_x509_privkey_import}
1335@deftypefun {int} {gnutls_x509_privkey_import} (gnutls_x509_privkey_t @var{key}, const gnutls_datum_t * @var{data}, gnutls_x509_crt_fmt_t @var{format})
1336@var{key}: The structure to store the parsed key
1337
1338@var{data}: The DER or PEM encoded certificate.
1339
1340@var{format}: One of DER or PEM
1341
1342This function will convert the given DER or PEM encoded key
1343to the native gnutls_x509_privkey_t format. The output will be stored in @code{key} .
1344
1345If the key is PEM encoded it should have a header of "RSA PRIVATE KEY", or
1346"DSA PRIVATE KEY".
1347
1348Returns 0 on success.
1349@end deftypefun
1350
1351@subheading gnutls_x509_privkey_import_rsa_raw
1352@anchor{gnutls_x509_privkey_import_rsa_raw}
1353@deftypefun {int} {gnutls_x509_privkey_import_rsa_raw} (gnutls_x509_privkey_t @var{key}, const gnutls_datum_t * @var{m}, const gnutls_datum_t * @var{e}, const gnutls_datum_t * @var{d}, const gnutls_datum_t * @var{p}, const gnutls_datum_t * @var{q}, const gnutls_datum_t * @var{u})
1354@var{key}: The structure to store the parsed key
1355
1356@var{m}: holds the modulus
1357
1358@var{e}: holds the public exponent
1359
1360@var{d}: holds the private exponent
1361
1362@var{p}: holds the first prime (p)
1363
1364@var{q}: holds the second prime (q)
1365
1366@var{u}: holds the coefficient
1367
1368This function will convert the given RSA raw parameters
1369to the native gnutls_x509_privkey_t format. The output will be stored in @code{key}.
1370@end deftypefun
1371
1372@subheading gnutls_x509_privkey_import_dsa_raw
1373@anchor{gnutls_x509_privkey_import_dsa_raw}
1374@deftypefun {int} {gnutls_x509_privkey_import_dsa_raw} (gnutls_x509_privkey_t @var{key}, const gnutls_datum_t * @var{p}, const gnutls_datum_t * @var{q}, const gnutls_datum_t * @var{g}, const gnutls_datum_t * @var{y}, const gnutls_datum_t * @var{x})
1375@var{key}: The structure to store the parsed key
1376
1377@var{p}: holds the p
1378
1379@var{q}: holds the q
1380
1381@var{g}: holds the g
1382
1383@var{y}: holds the y
1384
1385@var{x}: holds the x
1386
1387This function will convert the given DSA raw parameters
1388to the native gnutls_x509_privkey_t format. The output will be stored in @code{key}.
1389@end deftypefun
1390
1391@subheading gnutls_x509_privkey_get_pk_algorithm
1392@anchor{gnutls_x509_privkey_get_pk_algorithm}
1393@deftypefun {int} {gnutls_x509_privkey_get_pk_algorithm} (gnutls_x509_privkey_t @var{key})
1394@var{key}: should contain a gnutls_x509_privkey_t structure
1395
1396This function will return the public key algorithm of a private
1397key.
1398
1399Returns a member of the gnutls_pk_algorithm_t enumeration on success,
1400or a negative value on error.
1401@end deftypefun
1402
1403@subheading gnutls_x509_privkey_export
1404@anchor{gnutls_x509_privkey_export}
1405@deftypefun {int} {gnutls_x509_privkey_export} (gnutls_x509_privkey_t @var{key}, gnutls_x509_crt_fmt_t @var{format}, void * @var{output_data}, size_t * @var{output_data_size})
1406@var{key}: Holds the key
1407
1408@var{format}: the format of output params. One of PEM or DER.
1409
1410@var{output_data}: will contain a private key PEM or DER encoded
1411
1412@var{output_data_size}: holds the size of output_data (and will be
1413replaced by the actual size of parameters)
1414
1415This function will export the private key to a PKCS1 structure for
1416RSA keys, or an integer sequence for DSA keys. The DSA keys are in
1417the same format with the parameters used by openssl.
1418
1419If the buffer provided is not long enough to hold the output, then
1420*output_data_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will
1421be returned.
1422
1423If the structure is PEM encoded, it will have a header
1424of "BEGIN RSA PRIVATE KEY".
1425
1426@strong{Return value:} In case of failure a negative value will be
1427returned, and 0 on success.
1428@end deftypefun
1429
1430@subheading gnutls_x509_privkey_export_rsa_raw
1431@anchor{gnutls_x509_privkey_export_rsa_raw}
1432@deftypefun {int} {gnutls_x509_privkey_export_rsa_raw} (gnutls_x509_privkey_t @var{key}, gnutls_datum_t * @var{m}, gnutls_datum_t * @var{e}, gnutls_datum_t * @var{d}, gnutls_datum_t * @var{p}, gnutls_datum_t * @var{q}, gnutls_datum_t * @var{u})
1433@var{key}: a structure that holds the rsa parameters
1434
1435@var{m}: will hold the modulus
1436
1437@var{e}: will hold the public exponent
1438
1439@var{d}: will hold the private exponent
1440
1441@var{p}: will hold the first prime (p)
1442
1443@var{q}: will hold the second prime (q)
1444
1445@var{u}: will hold the coefficient
1446
1447This function will export the RSA private key's parameters found in the given
1448structure. The new parameters will be allocated using
1449@code{gnutls_malloc()} and will be stored in the appropriate datum.
1450@end deftypefun
1451
1452@subheading gnutls_x509_privkey_export_dsa_raw
1453@anchor{gnutls_x509_privkey_export_dsa_raw}
1454@deftypefun {int} {gnutls_x509_privkey_export_dsa_raw} (gnutls_x509_privkey_t @var{key}, gnutls_datum_t * @var{p}, gnutls_datum_t * @var{q}, gnutls_datum_t * @var{g}, gnutls_datum_t * @var{y}, gnutls_datum_t * @var{x})
1455@var{p}: will hold the p
1456
1457@var{q}: will hold the q
1458
1459@var{g}: will hold the g
1460
1461@var{y}: will hold the y
1462
1463@var{x}: will hold the x
1464
1465This function will export the DSA private key's parameters found in the given
1466structure. The new parameters will be allocated using
1467@code{gnutls_malloc()} and will be stored in the appropriate datum.
1468@end deftypefun
1469
1470@subheading gnutls_x509_privkey_generate
1471@anchor{gnutls_x509_privkey_generate}
1472@deftypefun {int} {gnutls_x509_privkey_generate} (gnutls_x509_privkey_t @var{key}, gnutls_pk_algorithm_t @var{algo}, unsigned int @var{bits}, unsigned int @var{flags})
1473@var{key}: should contain a gnutls_x509_privkey_t structure
1474
1475@var{algo}: is one of RSA or DSA.
1476
1477@var{bits}: the size of the modulus
1478
1479@var{flags}: unused for now. Must be 0.
1480
1481This function will generate a random private key. Note that
1482this function must be called on an empty private key.
1483
1484Returns 0 on success or a negative value on error.
1485@end deftypefun
1486
1487@subheading gnutls_x509_privkey_get_key_id
1488@anchor{gnutls_x509_privkey_get_key_id}
1489@deftypefun {int} {gnutls_x509_privkey_get_key_id} (gnutls_x509_privkey_t @var{key}, unsigned int @var{flags}, unsigned char * @var{output_data}, size_t * @var{output_data_size})
1490@var{key}: Holds the key
1491
1492@var{flags}: should be 0 for now
1493
1494@var{output_data}: will contain the key ID
1495
1496@var{output_data_size}: holds the size of output_data (and will be
1497replaced by the actual size of parameters)
1498
1499This function will return a unique ID the depends on the public key
1500parameters. This ID can be used in checking whether a certificate
1501corresponds to the given key.
1502
1503If the buffer provided is not long enough to hold the output, then
1504*output_data_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will
1505be returned. The output will normally be a SHA-1 hash output,
1506which is 20 bytes.
1507
1508@strong{Return value:} In case of failure a negative value will be
1509returned, and 0 on success.
1510@end deftypefun
1511
1512@subheading gnutls_x509_privkey_sign_data
1513@anchor{gnutls_x509_privkey_sign_data}
1514@deftypefun {int} {gnutls_x509_privkey_sign_data} (gnutls_x509_privkey_t @var{key}, gnutls_digest_algorithm_t @var{digest}, unsigned int @var{flags}, const gnutls_datum_t * @var{data}, void * @var{signature}, size_t * @var{signature_size})
1515@var{key}: Holds the key
1516
1517@var{digest}: should be MD5 or SHA1
1518
1519@var{flags}: should be 0 for now
1520
1521@var{data}: holds the data to be signed
1522
1523@var{signature}: will contain the signature
1524
1525@var{signature_size}: holds the size of signature (and will be replaced
1526by the new size)
1527
1528This function will sign the given data using a signature algorithm
1529supported by the private key. Signature algorithms are always used
1530together with a hash functions. Different hash functions may be
1531used for the RSA algorithm, but only SHA-1 for the DSA keys.
1532
1533If the buffer provided is not long enough to hold the output, then
1534*signature_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will
1535be returned.
1536
1537In case of failure a negative value will be returned, and
15380 on success.
1539@end deftypefun
1540
1541@subheading gnutls_x509_privkey_sign_hash
1542@anchor{gnutls_x509_privkey_sign_hash}
1543@deftypefun {int} {gnutls_x509_privkey_sign_hash} (gnutls_x509_privkey_t @var{key}, const gnutls_datum_t * @var{hash}, gnutls_datum_t * @var{signature})
1544@var{key}: Holds the key
1545
1546@var{hash}: holds the data to be signed
1547
1548@var{signature}: will contain newly allocated signature
1549
1550This function will sign the given hash using the private key.
1551
1552@strong{Return value:} In case of failure a negative value will be returned,
1553and 0 on success.
1554@end deftypefun
1555
1556@subheading gnutls_x509_privkey_verify_data
1557@anchor{gnutls_x509_privkey_verify_data}
1558@deftypefun {int} {gnutls_x509_privkey_verify_data} (gnutls_x509_privkey_t @var{key}, unsigned int @var{flags}, const gnutls_datum_t * @var{data}, const gnutls_datum_t * @var{signature})
1559@var{key}: Holds the key
1560
1561@var{flags}: should be 0 for now
1562
1563@var{data}: holds the data to be signed
1564
1565@var{signature}: contains the signature
1566
1567This function will verify the given signed data, using the parameters in the
1568private key.
1569
1570In case of a verification failure 0 is returned, and
15711 on success.
1572@end deftypefun
1573
1574@subheading gnutls_x509_privkey_fix
1575@anchor{gnutls_x509_privkey_fix}
1576@deftypefun {int} {gnutls_x509_privkey_fix} (gnutls_x509_privkey_t @var{key})
1577@var{key}: Holds the key
1578
1579This function will recalculate the secondary parameters in a key.
1580In RSA keys, this can be the coefficient and exponent1,2.
1581
1582@strong{Return value:} In case of failure a negative value will be
1583returned, and 0 on success.
1584@end deftypefun
1585
1586@subheading gnutls_pkcs7_init
1587@anchor{gnutls_pkcs7_init}
1588@deftypefun {int} {gnutls_pkcs7_init} (gnutls_pkcs7_t * @var{pkcs7})
1589@var{pkcs7}: The structure to be initialized
1590
1591This function will initialize a PKCS7 structure. PKCS7 structures
1592usually contain lists of X.509 Certificates and X.509 Certificate
1593revocation lists.
1594
1595Returns 0 on success.
1596@end deftypefun
1597
1598@subheading gnutls_pkcs7_deinit
1599@anchor{gnutls_pkcs7_deinit}
1600@deftypefun {void} {gnutls_pkcs7_deinit} (gnutls_pkcs7_t @var{pkcs7})
1601@var{pkcs7}: The structure to be initialized
1602
1603This function will deinitialize a PKCS7 structure.
1604@end deftypefun
1605
1606@subheading gnutls_pkcs7_import
1607@anchor{gnutls_pkcs7_import}
1608@deftypefun {int} {gnutls_pkcs7_import} (gnutls_pkcs7_t @var{pkcs7}, const gnutls_datum_t * @var{data}, gnutls_x509_crt_fmt_t @var{format})
1609@var{pkcs7}: The structure to store the parsed PKCS7.
1610
1611@var{data}: The DER or PEM encoded PKCS7.
1612
1613@var{format}: One of DER or PEM
1614
1615This function will convert the given DER or PEM encoded PKCS7
1616to the native gnutls_pkcs7_t format. The output will be stored in 'pkcs7'.
1617
1618If the PKCS7 is PEM encoded it should have a header of "PKCS7".
1619
1620Returns 0 on success.
1621@end deftypefun
1622
1623@subheading gnutls_pkcs7_get_crt_raw
1624@anchor{gnutls_pkcs7_get_crt_raw}
1625@deftypefun {int} {gnutls_pkcs7_get_crt_raw} (gnutls_pkcs7_t @var{pkcs7}, int @var{indx}, void * @var{certificate}, size_t * @var{certificate_size})
1626@var{indx}: contains the index of the certificate to extract
1627
1628@var{certificate}: the contents of the certificate will be copied there (may be null)
1629
1630@var{certificate_size}: should hold the size of the certificate
1631
1632This function will return a certificate of the PKCS7 or RFC2630 certificate set.
1633Returns 0 on success. If the provided buffer is not long enough,
1634then @code{certificate_size} is updated and GNUTLS_E_SHORT_MEMORY_BUFFER is returned.
1635
1636After the last certificate has been read GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
1637will be returned.
1638@end deftypefun
1639
1640@subheading gnutls_pkcs7_get_crt_count
1641@anchor{gnutls_pkcs7_get_crt_count}
1642@deftypefun {int} {gnutls_pkcs7_get_crt_count} (gnutls_pkcs7_t @var{pkcs7})
1643This function will return the number of certifcates in the PKCS7 or
1644RFC2630 certificate set.
1645
1646Returns a negative value on failure.
1647@end deftypefun
1648
1649@subheading gnutls_pkcs7_export
1650@anchor{gnutls_pkcs7_export}
1651@deftypefun {int} {gnutls_pkcs7_export} (gnutls_pkcs7_t @var{pkcs7}, gnutls_x509_crt_fmt_t @var{format}, void * @var{output_data}, size_t * @var{output_data_size})
1652@var{pkcs7}: Holds the pkcs7 structure
1653
1654@var{format}: the format of output params. One of PEM or DER.
1655
1656@var{output_data}: will contain a structure PEM or DER encoded
1657
1658@var{output_data_size}: holds the size of output_data (and will be
1659replaced by the actual size of parameters)
1660
1661This function will export the pkcs7 structure to DER or PEM format.
1662
1663If the buffer provided is not long enough to hold the output, then
1664*output_data_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will
1665be returned.
1666
1667If the structure is PEM encoded, it will have a header
1668of "BEGIN PKCS7".
1669
1670@strong{Return value:} In case of failure a negative value will be
1671returned, and 0 on success.
1672@end deftypefun
1673
1674@subheading gnutls_pkcs7_set_crt_raw
1675@anchor{gnutls_pkcs7_set_crt_raw}
1676@deftypefun {int} {gnutls_pkcs7_set_crt_raw} (gnutls_pkcs7_t @var{pkcs7}, const gnutls_datum_t * @var{crt})
1677@var{crt}: the DER encoded certificate to be added
1678
1679This function will add a certificate to the PKCS7 or RFC2630 certificate set.
1680Returns 0 on success.
1681@end deftypefun
1682
1683@subheading gnutls_pkcs7_set_crt
1684@anchor{gnutls_pkcs7_set_crt}
1685@deftypefun {int} {gnutls_pkcs7_set_crt} (gnutls_pkcs7_t @var{pkcs7}, gnutls_x509_crt_t @var{crt})
1686@var{crt}: the certificate to be copied.
1687
1688This function will add a parsed certificate to the PKCS7 or RFC2630 certificate set.
1689This is a wrapper function over @code{gnutls_pkcs7_set_crt_raw()} .
1690
1691Returns 0 on success.
1692@end deftypefun
1693
1694@subheading gnutls_pkcs7_delete_crt
1695@anchor{gnutls_pkcs7_delete_crt}
1696@deftypefun {int} {gnutls_pkcs7_delete_crt} (gnutls_pkcs7_t @var{pkcs7}, int @var{indx})
1697@var{indx}: the index of the certificate to delete
1698
1699This function will delete a certificate from a PKCS7 or RFC2630 certificate set.
1700Index starts from 0. Returns 0 on success.
1701@end deftypefun
1702
1703@subheading gnutls_pkcs7_get_crl_raw
1704@anchor{gnutls_pkcs7_get_crl_raw}
1705@deftypefun {int} {gnutls_pkcs7_get_crl_raw} (gnutls_pkcs7_t @var{pkcs7}, int @var{indx}, void * @var{crl}, size_t * @var{crl_size})
1706@var{indx}: contains the index of the crl to extract
1707
1708@var{crl}: the contents of the crl will be copied there (may be null)
1709
1710@var{crl_size}: should hold the size of the crl
1711
1712This function will return a crl of the PKCS7 or RFC2630 crl set.
1713Returns 0 on success. If the provided buffer is not long enough,
1714then @code{crl_size} is updated and GNUTLS_E_SHORT_MEMORY_BUFFER is returned.
1715
1716After the last crl has been read GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
1717will be returned.
1718@end deftypefun
1719
1720@subheading gnutls_pkcs7_get_crl_count
1721@anchor{gnutls_pkcs7_get_crl_count}
1722@deftypefun {int} {gnutls_pkcs7_get_crl_count} (gnutls_pkcs7_t @var{pkcs7})
1723This function will return the number of certifcates in the PKCS7 or
1724RFC2630 crl set.
1725
1726Returns a negative value on failure.
1727@end deftypefun
1728
1729@subheading gnutls_pkcs7_set_crl_raw
1730@anchor{gnutls_pkcs7_set_crl_raw}
1731@deftypefun {int} {gnutls_pkcs7_set_crl_raw} (gnutls_pkcs7_t @var{pkcs7}, const gnutls_datum_t * @var{crl})
1732@var{crl}: the DER encoded crl to be added
1733
1734This function will add a crl to the PKCS7 or RFC2630 crl set.
1735Returns 0 on success.
1736@end deftypefun
1737
1738@subheading gnutls_pkcs7_set_crl
1739@anchor{gnutls_pkcs7_set_crl}
1740@deftypefun {int} {gnutls_pkcs7_set_crl} (gnutls_pkcs7_t @var{pkcs7}, gnutls_x509_crl_t @var{crl})
1741@var{crl}: the DER encoded crl to be added
1742
1743This function will add a parsed crl to the PKCS7 or RFC2630 crl set.
1744Returns 0 on success.
1745@end deftypefun
1746
1747@subheading gnutls_pkcs7_delete_crl
1748@anchor{gnutls_pkcs7_delete_crl}
1749@deftypefun {int} {gnutls_pkcs7_delete_crl} (gnutls_pkcs7_t @var{pkcs7}, int @var{indx})
1750@var{indx}: the index of the crl to delete
1751
1752This function will delete a crl from a PKCS7 or RFC2630 crl set.
1753Index starts from 0. Returns 0 on success.
1754@end deftypefun
1755
1756@subheading gnutls_x509_crq_init
1757@anchor{gnutls_x509_crq_init}
1758@deftypefun {int} {gnutls_x509_crq_init} (gnutls_x509_crq_t * @var{crq})
1759@var{crq}: The structure to be initialized
1760
1761This function will initialize a PKCS10 certificate request structure.
1762
1763Returns 0 on success.
1764@end deftypefun
1765
1766@subheading gnutls_x509_crq_deinit
1767@anchor{gnutls_x509_crq_deinit}
1768@deftypefun {void} {gnutls_x509_crq_deinit} (gnutls_x509_crq_t @var{crq})
1769@var{crq}: The structure to be initialized
1770
1771This function will deinitialize a CRL structure.
1772@end deftypefun
1773
1774@subheading gnutls_x509_crq_import
1775@anchor{gnutls_x509_crq_import}
1776@deftypefun {int} {gnutls_x509_crq_import} (gnutls_x509_crq_t @var{crq}, const gnutls_datum_t * @var{data}, gnutls_x509_crt_fmt_t @var{format})
1777@var{crq}: The structure to store the parsed certificate request.
1778
1779@var{data}: The DER or PEM encoded certificate.
1780
1781@var{format}: One of DER or PEM
1782
1783This function will convert the given DER or PEM encoded Certificate
1784to the native gnutls_x509_crq_t format. The output will be stored in @code{cert}.
1785
1786If the Certificate is PEM encoded it should have a header of "NEW CERTIFICATE REQUEST".
1787
1788Returns 0 on success.
1789@end deftypefun
1790
1791@subheading gnutls_x509_crq_get_dn
1792@anchor{gnutls_x509_crq_get_dn}
1793@deftypefun {int} {gnutls_x509_crq_get_dn} (gnutls_x509_crq_t @var{crq}, char * @var{buf}, size_t * @var{sizeof_buf})
1794@var{crq}: should contain a gnutls_x509_crq_t structure
1795
1796@var{buf}: a pointer to a structure to hold the name (may be null)
1797
1798@var{sizeof_buf}: initially holds the size of @code{buf}
1799
1800This function will copy the name of the Certificate request
1801subject in the provided buffer. The name will be in the form
1802"C=xxxx,O=yyyy,CN=zzzz" as described in RFC2253. The output string
1803will be ASCII or UTF-8 encoded, depending on the certificate data.
1804
1805If @code{buf} is null then only the size will be filled.
1806
1807Returns GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not
1808long enough, and in that case the *sizeof_buf will be updated with
1809the required size. On success 0 is returned.
1810@end deftypefun
1811
1812@subheading gnutls_x509_crq_get_dn_by_oid
1813@anchor{gnutls_x509_crq_get_dn_by_oid}
1814@deftypefun {int} {gnutls_x509_crq_get_dn_by_oid} (gnutls_x509_crq_t @var{crq}, const char * @var{oid}, int @var{indx}, unsigned int @var{raw_flag}, void * @var{buf}, size_t * @var{sizeof_buf})
1815@var{crq}: should contain a gnutls_x509_crq_t structure
1816
1817@var{oid}: holds an Object Identified in null terminated string
1818
1819@var{indx}: In case multiple same OIDs exist in the RDN, this specifies
1820which to send. Use zero to get the first one.
1821
1822@var{raw_flag}: If non zero returns the raw DER data of the DN part.
1823
1824@var{buf}: a pointer to a structure to hold the name (may be null)
1825
1826@var{sizeof_buf}: initially holds the size of @code{buf}
1827
1828This function will extract the part of the name of the Certificate
1829request subject, specified by the given OID. The output will be
1830encoded as described in RFC2253. The output string will be ASCII
1831or UTF-8 encoded, depending on the certificate data.
1832
1833Some helper macros with popular OIDs can be found in gnutls/x509.h
1834If raw flag is zero, this function will only return known OIDs as
1835text. Other OIDs will be DER encoded, as described in RFC2253 --
1836in hex format with a '\#' prefix. You can check about known OIDs
1837using @code{gnutls_x509_dn_oid_known()}.
1838
1839If @code{buf} is null then only the size will be filled.
1840
1841Returns GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not
1842long enough, and in that case the *sizeof_buf will be updated with
1843the required size. On success 0 is returned.
1844@end deftypefun
1845
1846@subheading gnutls_x509_crq_get_dn_oid
1847@anchor{gnutls_x509_crq_get_dn_oid}
1848@deftypefun {int} {gnutls_x509_crq_get_dn_oid} (gnutls_x509_crq_t @var{crq}, int @var{indx}, void * @var{oid}, size_t * @var{sizeof_oid})
1849@var{crq}: should contain a gnutls_x509_crq_t structure
1850
1851@var{indx}: Specifies which DN OID to send. Use zero to get the first one.
1852
1853@var{oid}: a pointer to a structure to hold the name (may be null)
1854
1855@var{sizeof_oid}: initially holds the size of @code{oid}
1856
1857This function will extract the requested OID of the name of the
1858Certificate request subject, specified by the given index.
1859
1860If oid is null then only the size will be filled.
1861
1862Returns GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not
1863long enough, and in that case the *sizeof_oid will be updated with
1864the required size. On success 0 is returned.
1865@end deftypefun
1866
1867@subheading gnutls_x509_crq_get_challenge_password
1868@anchor{gnutls_x509_crq_get_challenge_password}
1869@deftypefun {int} {gnutls_x509_crq_get_challenge_password} (gnutls_x509_crq_t @var{crq}, char * @var{pass}, size_t * @var{sizeof_pass})
1870@var{crq}: should contain a gnutls_x509_crq_t structure
1871
1872@var{pass}: will hold a null terminated password
1873
1874@var{sizeof_pass}: Initially holds the size of @code{pass}.
1875
1876This function will return the challenge password in the
1877request.
1878
1879Returns 0 on success.
1880@end deftypefun
1881
1882@subheading gnutls_x509_crq_set_attribute_by_oid
1883@anchor{gnutls_x509_crq_set_attribute_by_oid}
1884@deftypefun {int} {gnutls_x509_crq_set_attribute_by_oid} (gnutls_x509_crq_t @var{crq}, const char * @var{oid}, void * @var{buf}, size_t @var{sizeof_buf})
1885@var{crq}: should contain a gnutls_x509_crq_t structure
1886
1887@var{oid}: holds an Object Identified in null terminated string
1888
1889@var{buf}: a pointer to a structure that holds the attribute data
1890
1891@var{sizeof_buf}: holds the size of @code{buf}
1892
1893This function will set the attribute in the certificate request specified
1894by the given Object ID. The attribute must be be DER encoded.
1895
1896Returns 0 on success.
1897@end deftypefun
1898
1899@subheading gnutls_x509_crq_get_attribute_by_oid
1900@anchor{gnutls_x509_crq_get_attribute_by_oid}
1901@deftypefun {int} {gnutls_x509_crq_get_attribute_by_oid} (gnutls_x509_crq_t @var{crq}, const char * @var{oid}, int @var{indx}, void * @var{buf}, size_t * @var{sizeof_buf})
1902@var{crq}: should contain a gnutls_x509_crq_t structure
1903
1904@var{oid}: holds an Object Identified in null terminated string
1905
1906@var{indx}: In case multiple same OIDs exist in the attribute list, this specifies
1907which to send. Use zero to get the first one.
1908
1909@var{buf}: a pointer to a structure to hold the attribute data (may be null)
1910
1911@var{sizeof_buf}: initially holds the size of @code{buf}
1912
1913This function will return the attribute in the certificate request specified
1914by the given Object ID. The attribute will be DER encoded.
1915
1916Returns 0 on success.
1917@end deftypefun
1918
1919@subheading gnutls_x509_crq_set_dn_by_oid
1920@anchor{gnutls_x509_crq_set_dn_by_oid}
1921@deftypefun {int} {gnutls_x509_crq_set_dn_by_oid} (gnutls_x509_crq_t @var{crq}, const char * @var{oid}, unsigned int @var{raw_flag}, const void * @var{data}, unsigned int @var{sizeof_data})
1922@var{crq}: should contain a gnutls_x509_crq_t structure
1923
1924@var{oid}: holds an Object Identifier in a null terminated string
1925
1926@var{raw_flag}: must be 0, or 1 if the data are DER encoded
1927
1928@var{data}: a pointer to the input data
1929
1930@var{sizeof_data}: holds the size of @code{data}
1931
1932This function will set the part of the name of the Certificate request subject, specified
1933by the given OID. The input string should be ASCII or UTF-8 encoded.
1934
1935Some helper macros with popular OIDs can be found in gnutls/x509.h
1936With this function you can only set the known OIDs. You can test
1937for known OIDs using @code{gnutls_x509_dn_oid_known()}. For OIDs that are
1938not known (by gnutls) you should properly DER encode your data, and
1939call this function with raw_flag set.
1940
1941Returns 0 on success.
1942@end deftypefun
1943
1944@subheading gnutls_x509_crq_set_version
1945@anchor{gnutls_x509_crq_set_version}
1946@deftypefun {int} {gnutls_x509_crq_set_version} (gnutls_x509_crq_t @var{crq}, unsigned int @var{version})
1947@var{crq}: should contain a gnutls_x509_crq_t structure
1948
1949@var{version}: holds the version number. For v1 Requests must be 1.
1950
1951This function will set the version of the certificate request. For
1952version 1 requests this must be one.
1953
1954Returns 0 on success.
1955@end deftypefun
1956
1957@subheading gnutls_x509_crq_get_version
1958@anchor{gnutls_x509_crq_get_version}
1959@deftypefun {int} {gnutls_x509_crq_get_version} (gnutls_x509_crq_t @var{crq})
1960@var{crq}: should contain a gnutls_x509_crq_t structure
1961
1962This function will return the version of the specified Certificate request.
1963
1964Returns a negative value on error.
1965@end deftypefun
1966
1967@subheading gnutls_x509_crq_set_key
1968@anchor{gnutls_x509_crq_set_key}
1969@deftypefun {int} {gnutls_x509_crq_set_key} (gnutls_x509_crq_t @var{crq}, gnutls_x509_privkey_t @var{key})
1970@var{crq}: should contain a gnutls_x509_crq_t structure
1971
1972@var{key}: holds a private key
1973
1974This function will set the public parameters from the given private key to the
1975request. Only RSA keys are currently supported.
1976
1977Returns 0 on success.
1978@end deftypefun
1979
1980@subheading gnutls_x509_crq_set_challenge_password
1981@anchor{gnutls_x509_crq_set_challenge_password}
1982@deftypefun {int} {gnutls_x509_crq_set_challenge_password} (gnutls_x509_crq_t @var{crq}, const char * @var{pass})
1983@var{crq}: should contain a gnutls_x509_crq_t structure
1984
1985@var{pass}: holds a null terminated password
1986
1987This function will set a challenge password to be used when revoking the request.
1988
1989Returns 0 on success.
1990@end deftypefun
1991
1992@subheading gnutls_x509_crq_sign2
1993@anchor{gnutls_x509_crq_sign2}
1994@deftypefun {int} {gnutls_x509_crq_sign2} (gnutls_x509_crq_t @var{crq}, gnutls_x509_privkey_t @var{key}, gnutls_digest_algorithm_t @var{dig}, unsigned int @var{flags})
1995@var{crq}: should contain a gnutls_x509_crq_t structure
1996
1997@var{key}: holds a private key
1998
1999@var{dig}: The message digest to use. GNUTLS_DIG_SHA1 is the safe choice unless you know what you're doing.
2000
2001@var{flags}: must be 0
2002
2003This function will sign the certificate request with a private key.
2004This must be the same key as the one used in @code{gnutls_x509_crt_set_key()} since a
2005certificate request is self signed.
2006
2007This must be the last step in a certificate request generation since all
2008the previously set parameters are now signed.
2009
2010Returns 0 on success.
2011@end deftypefun
2012
2013@subheading gnutls_x509_crq_sign
2014@anchor{gnutls_x509_crq_sign}
2015@deftypefun {int} {gnutls_x509_crq_sign} (gnutls_x509_crq_t @var{crq}, gnutls_x509_privkey_t @var{key})
2016@var{crq}: should contain a gnutls_x509_crq_t structure
2017
2018@var{key}: holds a private key
2019
2020This function is the same a @code{gnutls_x509_crq_sign2()} with no flags, and
2021SHA1 as the hash algorithm.
2022
2023Returns 0 on success.
2024@end deftypefun
2025
2026@subheading gnutls_x509_crq_export
2027@anchor{gnutls_x509_crq_export}
2028@deftypefun {int} {gnutls_x509_crq_export} (gnutls_x509_crq_t @var{crq}, gnutls_x509_crt_fmt_t @var{format}, void * @var{output_data}, size_t * @var{output_data_size})
2029@var{crq}: Holds the request
2030
2031@var{format}: the format of output params. One of PEM or DER.
2032
2033@var{output_data}: will contain a certificate request PEM or DER encoded
2034
2035@var{output_data_size}: holds the size of output_data (and will be
2036replaced by the actual size of parameters)
2037
2038This function will export the certificate request to a PKCS10
2039
2040If the buffer provided is not long enough to hold the output, then
2041GNUTLS_E_SHORT_MEMORY_BUFFER will be returned and
2042*output_data_size will be updated.
2043
2044If the structure is PEM encoded, it will have a header of "BEGIN
2045NEW CERTIFICATE REQUEST".
2046
2047@strong{Return value:} In case of failure a negative value will be
2048returned, and 0 on success.
2049@end deftypefun
2050
2051@subheading gnutls_x509_crq_get_pk_algorithm
2052@anchor{gnutls_x509_crq_get_pk_algorithm}
2053@deftypefun {int} {gnutls_x509_crq_get_pk_algorithm} (gnutls_x509_crq_t @var{crq}, unsigned int * @var{bits})
2054@var{crq}: should contain a gnutls_x509_crq_t structure
2055
2056@var{bits}: if bits is non null it will hold the size of the parameters' in bits
2057
2058This function will return the public key algorithm of a PKCS \@code{10}
2059certificate request.
2060
2061If bits is non null, it should have enough size to hold the parameters
2062size in bits. For RSA the bits returned is the modulus.
2063For DSA the bits returned are of the public
2064exponent.
2065
2066Returns a member of the gnutls_pk_algorithm_t enumeration on success,
2067or a negative value on error.
2068@end deftypefun
2069
2070@subheading gnutls_x509_privkey_export_pkcs8
2071@anchor{gnutls_x509_privkey_export_pkcs8}
2072@deftypefun {int} {gnutls_x509_privkey_export_pkcs8} (gnutls_x509_privkey_t @var{key}, gnutls_x509_crt_fmt_t @var{format}, const char * @var{password}, unsigned int @var{flags}, void * @var{output_data}, size_t * @var{output_data_size})
2073@var{key}: Holds the key
2074
2075@var{format}: the format of output params. One of PEM or DER.
2076
2077@var{password}: the password that will be used to encrypt the key.
2078
2079@var{flags}: an ORed sequence of gnutls_pkcs_encrypt_flags_t
2080
2081@var{output_data}: will contain a private key PEM or DER encoded
2082
2083@var{output_data_size}: holds the size of output_data (and will be
2084replaced by the actual size of parameters)
2085
2086This function will export the private key to a PKCS8 structure.
2087Both RSA and DSA keys can be exported. For DSA keys we use
2088PKCS @code{11} definitions. If the flags do not specify the encryption
2089cipher, then the default 3DES (PBES2) will be used.
2090
2091The @code{password} can be either ASCII or UTF-8 in the default PBES2
2092encryption schemas, or ASCII for the PKCS12 schemas.
2093
2094If the buffer provided is not long enough to hold the output, then
2095*output_data_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will
2096be returned.
2097
2098If the structure is PEM encoded, it will have a header
2099of "BEGIN ENCRYPTED PRIVATE KEY" or "BEGIN PRIVATE KEY" if
2100encryption is not used.
2101
2102@strong{Return value:} In case of failure a negative value will be
2103returned, and 0 on success.
2104@end deftypefun
2105
2106@subheading gnutls_x509_privkey_import_pkcs8
2107@anchor{gnutls_x509_privkey_import_pkcs8}
2108@deftypefun {int} {gnutls_x509_privkey_import_pkcs8} (gnutls_x509_privkey_t @var{key}, const gnutls_datum_t * @var{data}, gnutls_x509_crt_fmt_t @var{format}, const char * @var{password}, unsigned int @var{flags})
2109@var{key}: The structure to store the parsed key
2110
2111@var{data}: The DER or PEM encoded key.
2112
2113@var{format}: One of DER or PEM
2114
2115@var{password}: the password to decrypt the key (if it is encrypted).
2116
2117@var{flags}: 0 if encrypted or GNUTLS_PKCS_PLAIN if not encrypted.
2118
2119This function will convert the given DER or PEM encoded PKCS8 2.0 encrypted key
2120to the native gnutls_x509_privkey_t format. The output will be stored in @code{key}.
2121Both RSA and DSA keys can be imported, and flags can only be used to indicate
2122an unencrypted key.
2123
2124The @code{password} can be either ASCII or UTF-8 in the default PBES2
2125encryption schemas, or ASCII for the PKCS12 schemas.
2126
2127If the Certificate is PEM encoded it should have a header of "ENCRYPTED PRIVATE KEY",
2128or "PRIVATE KEY". You only need to specify the flags if the key is DER encoded, since
2129in that case the encryption status cannot be auto-detected.
2130
2131Returns 0 on success.
2132@end deftypefun
2133
2134@subheading gnutls_pkcs12_init
2135@anchor{gnutls_pkcs12_init}
2136@deftypefun {int} {gnutls_pkcs12_init} (gnutls_pkcs12_t * @var{pkcs12})
2137@var{pkcs12}: The structure to be initialized
2138
2139This function will initialize a PKCS12 structure. PKCS12 structures
2140usually contain lists of X.509 Certificates and X.509 Certificate
2141revocation lists.
2142
2143Returns 0 on success.
2144@end deftypefun
2145
2146@subheading gnutls_pkcs12_deinit
2147@anchor{gnutls_pkcs12_deinit}
2148@deftypefun {void} {gnutls_pkcs12_deinit} (gnutls_pkcs12_t @var{pkcs12})
2149@var{pkcs12}: The structure to be initialized
2150
2151This function will deinitialize a PKCS12 structure.
2152@end deftypefun
2153
2154@subheading gnutls_pkcs12_import
2155@anchor{gnutls_pkcs12_import}
2156@deftypefun {int} {gnutls_pkcs12_import} (gnutls_pkcs12_t @var{pkcs12}, const gnutls_datum_t * @var{data}, gnutls_x509_crt_fmt_t @var{format}, unsigned int @var{flags})
2157@var{pkcs12}: The structure to store the parsed PKCS12.
2158
2159@var{data}: The DER or PEM encoded PKCS12.
2160
2161@var{format}: One of DER or PEM
2162
2163@var{flags}: an ORed sequence of gnutls_privkey_pkcs8_flags
2164
2165This function will convert the given DER or PEM encoded PKCS12
2166to the native gnutls_pkcs12_t format. The output will be stored in 'pkcs12'.
2167
2168If the PKCS12 is PEM encoded it should have a header of "PKCS12".
2169
2170Returns 0 on success.
2171@end deftypefun
2172
2173@subheading gnutls_pkcs12_export
2174@anchor{gnutls_pkcs12_export}
2175@deftypefun {int} {gnutls_pkcs12_export} (gnutls_pkcs12_t @var{pkcs12}, gnutls_x509_crt_fmt_t @var{format}, void * @var{output_data}, size_t * @var{output_data_size})
2176@var{pkcs12}: Holds the pkcs12 structure
2177
2178@var{format}: the format of output params. One of PEM or DER.
2179
2180@var{output_data}: will contain a structure PEM or DER encoded
2181
2182@var{output_data_size}: holds the size of output_data (and will be
2183replaced by the actual size of parameters)
2184
2185This function will export the pkcs12 structure to DER or PEM format.
2186
2187If the buffer provided is not long enough to hold the output, then
2188*output_data_size will be updated and GNUTLS_E_SHORT_MEMORY_BUFFER
2189will be returned.
2190
2191If the structure is PEM encoded, it will have a header
2192of "BEGIN PKCS12".
2193
2194@strong{Return value:} In case of failure a negative value will be
2195returned, and 0 on success.
2196@end deftypefun
2197
2198@subheading gnutls_pkcs12_get_bag
2199@anchor{gnutls_pkcs12_get_bag}
2200@deftypefun {int} {gnutls_pkcs12_get_bag} (gnutls_pkcs12_t @var{pkcs12}, int @var{indx}, gnutls_pkcs12_bag_t @var{bag})
2201@var{pkcs12}: should contain a gnutls_pkcs12_t structure
2202
2203@var{indx}: contains the index of the bag to extract
2204
2205@var{bag}: An initialized bag, where the contents of the bag will be copied
2206
2207This function will return a Bag from the PKCS12 structure.
2208Returns 0 on success.
2209
2210After the last Bag has been read GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
2211will be returned.
2212@end deftypefun
2213
2214@subheading gnutls_pkcs12_set_bag
2215@anchor{gnutls_pkcs12_set_bag}
2216@deftypefun {int} {gnutls_pkcs12_set_bag} (gnutls_pkcs12_t @var{pkcs12}, gnutls_pkcs12_bag_t @var{bag})
2217@var{pkcs12}: should contain a gnutls_pkcs12_t structure
2218
2219@var{bag}: An initialized bag
2220
2221This function will insert a Bag into the PKCS12 structure.
2222Returns 0 on success.
2223@end deftypefun
2224
2225@subheading gnutls_pkcs12_generate_mac
2226@anchor{gnutls_pkcs12_generate_mac}
2227@deftypefun {int} {gnutls_pkcs12_generate_mac} (gnutls_pkcs12_t @var{pkcs12}, const char * @var{pass})
2228@var{pkcs12}: should contain a gnutls_pkcs12_t structure
2229
2230@var{pass}: The password for the MAC
2231
2232This function will generate a MAC for the PKCS12 structure.
2233Returns 0 on success.
2234@end deftypefun
2235
2236@subheading gnutls_pkcs12_verify_mac
2237@anchor{gnutls_pkcs12_verify_mac}
2238@deftypefun {int} {gnutls_pkcs12_verify_mac} (gnutls_pkcs12_t @var{pkcs12}, const char * @var{pass})
2239@var{pkcs12}: should contain a gnutls_pkcs12_t structure
2240
2241@var{pass}: The password for the MAC
2242
2243This function will verify the MAC for the PKCS12 structure.
2244Returns 0 on success.
2245@end deftypefun
2246
2247@subheading gnutls_pkcs12_bag_init
2248@anchor{gnutls_pkcs12_bag_init}
2249@deftypefun {int} {gnutls_pkcs12_bag_init} (gnutls_pkcs12_bag_t * @var{bag})
2250@var{bag}: The structure to be initialized
2251
2252This function will initialize a PKCS12 bag structure. PKCS12 Bags
2253usually contain private keys, lists of X.509 Certificates and X.509 Certificate
2254revocation lists.
2255
2256Returns 0 on success.
2257@end deftypefun
2258
2259@subheading gnutls_pkcs12_bag_deinit
2260@anchor{gnutls_pkcs12_bag_deinit}
2261@deftypefun {void} {gnutls_pkcs12_bag_deinit} (gnutls_pkcs12_bag_t @var{bag})
2262@var{bag}: The structure to be initialized
2263
2264This function will deinitialize a PKCS12 Bag structure.
2265@end deftypefun
2266
2267@subheading gnutls_pkcs12_bag_get_type
2268@anchor{gnutls_pkcs12_bag_get_type}
2269@deftypefun {gnutls_pkcs12_bag_type_t} {gnutls_pkcs12_bag_get_type} (gnutls_pkcs12_bag_t @var{bag}, int @var{indx})
2270@var{bag}: The bag
2271
2272@var{indx}: The element of the bag to get the type
2273
2274This function will return the bag's type. One of the gnutls_pkcs12_bag_type_t
2275enumerations.
2276@end deftypefun
2277
2278@subheading gnutls_pkcs12_bag_get_count
2279@anchor{gnutls_pkcs12_bag_get_count}
2280@deftypefun {int} {gnutls_pkcs12_bag_get_count} (gnutls_pkcs12_bag_t @var{bag})
2281@var{bag}: The bag
2282
2283This function will return the number of the elements withing the bag.
2284@end deftypefun
2285
2286@subheading gnutls_pkcs12_bag_get_data
2287@anchor{gnutls_pkcs12_bag_get_data}
2288@deftypefun {int} {gnutls_pkcs12_bag_get_data} (gnutls_pkcs12_bag_t @var{bag}, int @var{indx}, gnutls_datum_t * @var{data})
2289@var{bag}: The bag
2290
2291@var{indx}: The element of the bag to get the data from
2292
2293@var{data}: where the bag's data will be. Should be treated as constant.
2294
2295This function will return the bag's data. The data is a constant
2296that is stored into the bag. Should not be accessed after the bag
2297is deleted.
2298
2299Returns 0 on success and a negative error code on error.
2300@end deftypefun
2301
2302@subheading gnutls_pkcs12_bag_set_data
2303@anchor{gnutls_pkcs12_bag_set_data}
2304@deftypefun {int} {gnutls_pkcs12_bag_set_data} (gnutls_pkcs12_bag_t @var{bag}, gnutls_pkcs12_bag_type_t @var{type}, const gnutls_datum_t * @var{data})
2305@var{bag}: The bag
2306
2307@var{type}: The data's type
2308
2309@var{data}: the data to be copied.
2310
2311This function will insert the given data of the given type into the
2312bag.
2313
2314Returns the index of the added bag on success, or a negative
2315value on error.
2316@end deftypefun
2317
2318@subheading gnutls_pkcs12_bag_set_crt
2319@anchor{gnutls_pkcs12_bag_set_crt}
2320@deftypefun {int} {gnutls_pkcs12_bag_set_crt} (gnutls_pkcs12_bag_t @var{bag}, gnutls_x509_crt_t @var{crt})
2321@var{bag}: The bag
2322
2323@var{crt}: the certificate to be copied.
2324
2325This function will insert the given certificate into the
2326bag. This is just a wrapper over @code{gnutls_pkcs12_bag_set_data()}.
2327
2328Returns the index of the added bag on success, or a negative
2329value on failure.
2330@end deftypefun
2331
2332@subheading gnutls_pkcs12_bag_set_crl
2333@anchor{gnutls_pkcs12_bag_set_crl}
2334@deftypefun {int} {gnutls_pkcs12_bag_set_crl} (gnutls_pkcs12_bag_t @var{bag}, gnutls_x509_crl_t @var{crl})
2335@var{bag}: The bag
2336
2337@var{crl}: the CRL to be copied.
2338
2339This function will insert the given CRL into the
2340bag. This is just a wrapper over @code{gnutls_pkcs12_bag_set_data()}.
2341
2342Returns the index of the added bag on success, or a negative
2343value on failure.
2344@end deftypefun
2345
2346@subheading gnutls_pkcs12_bag_set_key_id
2347@anchor{gnutls_pkcs12_bag_set_key_id}
2348@deftypefun {int} {gnutls_pkcs12_bag_set_key_id} (gnutls_pkcs12_bag_t @var{bag}, int @var{indx}, const gnutls_datum_t * @var{id})
2349@var{bag}: The bag
2350
2351@var{indx}: The bag's element to add the id
2352
2353@var{id}: the ID
2354
2355This function will add the given key ID, to the specified, by the index, bag
2356element. The key ID will be encoded as a 'Local key identifier' bag attribute,
2357which is usually used to distinguish the local private key and the certificate pair.
2358
2359Returns 0 on success, or a negative value on error.
2360@end deftypefun
2361
2362@subheading gnutls_pkcs12_bag_get_key_id
2363@anchor{gnutls_pkcs12_bag_get_key_id}
2364@deftypefun {int} {gnutls_pkcs12_bag_get_key_id} (gnutls_pkcs12_bag_t @var{bag}, int @var{indx}, gnutls_datum_t * @var{id})
2365@var{bag}: The bag
2366
2367@var{indx}: The bag's element to add the id
2368
2369@var{id}: where the ID will be copied (to be treated as const)
2370
2371This function will return the key ID, of the specified bag element.
2372The key ID is usually used to distinguish the local private key and the certificate pair.
2373
2374Returns 0 on success, or a negative value on error.
2375@end deftypefun
2376
2377@subheading gnutls_pkcs12_bag_get_friendly_name
2378@anchor{gnutls_pkcs12_bag_get_friendly_name}
2379@deftypefun {int} {gnutls_pkcs12_bag_get_friendly_name} (gnutls_pkcs12_bag_t @var{bag}, int @var{indx}, char ** @var{name})
2380@var{bag}: The bag
2381
2382@var{indx}: The bag's element to add the id
2383
2384@var{name}: will hold a pointer to the name (to be treated as const)
2385
2386This function will return the friendly name, of the specified bag element.
2387The key ID is usually used to distinguish the local private key and the certificate pair.
2388
2389Returns 0 on success, or a negative value on error.
2390@end deftypefun
2391
2392@subheading gnutls_pkcs12_bag_set_friendly_name
2393@anchor{gnutls_pkcs12_bag_set_friendly_name}
2394@deftypefun {int} {gnutls_pkcs12_bag_set_friendly_name} (gnutls_pkcs12_bag_t @var{bag}, int @var{indx}, const char * @var{name})
2395@var{bag}: The bag
2396
2397@var{indx}: The bag's element to add the id
2398
2399@var{name}: the name
2400
2401This function will add the given key friendly name, to the specified, by the index, bag
2402element. The name will be encoded as a 'Friendly name' bag attribute,
2403which is usually used to set a user name to the local private key and the certificate pair.
2404
2405Returns 0 on success, or a negative value on error.
2406@end deftypefun
2407
2408@subheading gnutls_pkcs12_bag_decrypt
2409@anchor{gnutls_pkcs12_bag_decrypt}
2410@deftypefun {int} {gnutls_pkcs12_bag_decrypt} (gnutls_pkcs12_bag_t @var{bag}, const char * @var{pass})
2411@var{bag}: The bag
2412
2413@var{pass}: The password used for encryption. This can only be ASCII.
2414
2415This function will decrypt the given encrypted bag and return 0 on success.
2416@end deftypefun
2417
2418@subheading gnutls_pkcs12_bag_encrypt
2419@anchor{gnutls_pkcs12_bag_encrypt}
2420@deftypefun {int} {gnutls_pkcs12_bag_encrypt} (gnutls_pkcs12_bag_t @var{bag}, const char * @var{pass}, unsigned int @var{flags})
2421@var{bag}: The bag
2422
2423@var{pass}: The password used for encryption. This can only be ASCII.
2424
2425@var{flags}: should be one of gnutls_pkcs_encrypt_flags_t elements bitwise or'd
2426
2427This function will encrypt the given bag and return 0 on success.
2428@end deftypefun
2429
2430@subheading gnutls_x509_crt_set_dn_by_oid
2431@anchor{gnutls_x509_crt_set_dn_by_oid}
2432@deftypefun {int} {gnutls_x509_crt_set_dn_by_oid} (gnutls_x509_crt_t @var{crt}, const char * @var{oid}, unsigned int @var{raw_flag}, const void * @var{name}, unsigned int @var{sizeof_name})
2433@var{crt}: should contain a gnutls_x509_crt_t structure
2434
2435@var{oid}: holds an Object Identifier in a null terminated string
2436
2437@var{raw_flag}: must be 0, or 1 if the data are DER encoded
2438
2439@var{name}: a pointer to the name
2440
2441@var{sizeof_name}: holds the size of @code{name}
2442
2443This function will set the part of the name of the Certificate subject, specified
2444by the given OID. The input string should be ASCII or UTF-8 encoded.
2445
2446Some helper macros with popular OIDs can be found in gnutls/x509.h
2447With this function you can only set the known OIDs. You can test
2448for known OIDs using @code{gnutls_x509_dn_oid_known()}. For OIDs that are
2449not known (by gnutls) you should properly DER encode your data, and
2450call this function with raw_flag set.
2451
2452Returns 0 on success.
2453@end deftypefun
2454
2455@subheading gnutls_x509_crt_set_issuer_dn_by_oid
2456@anchor{gnutls_x509_crt_set_issuer_dn_by_oid}
2457@deftypefun {int} {gnutls_x509_crt_set_issuer_dn_by_oid} (gnutls_x509_crt_t @var{crt}, const char * @var{oid}, unsigned int @var{raw_flag}, const void * @var{name}, unsigned int @var{sizeof_name})
2458@var{crt}: should contain a gnutls_x509_crt_t structure
2459
2460@var{oid}: holds an Object Identifier in a null terminated string
2461
2462@var{raw_flag}: must be 0, or 1 if the data are DER encoded
2463
2464@var{name}: a pointer to the name
2465
2466@var{sizeof_name}: holds the size of @code{name}
2467
2468This function will set the part of the name of the Certificate issuer, specified
2469by the given OID. The input string should be ASCII or UTF-8 encoded.
2470
2471Some helper macros with popular OIDs can be found in gnutls/x509.h
2472With this function you can only set the known OIDs. You can test
2473for known OIDs using @code{gnutls_x509_dn_oid_known()}. For OIDs that are
2474not known (by gnutls) you should properly DER encode your data, and
2475call this function with raw_flag set.
2476
2477Normally you do not need to call this function, since the signing
2478operation will copy the signer's name as the issuer of the certificate.
2479
2480Returns 0 on success.
2481@end deftypefun
2482
2483@subheading gnutls_x509_crt_set_proxy_dn
2484@anchor{gnutls_x509_crt_set_proxy_dn}
2485@deftypefun {int} {gnutls_x509_crt_set_proxy_dn} (gnutls_x509_crt_t @var{crt}, gnutls_x509_crt_t @var{eecrt}, unsigned int @var{raw_flag}, const void * @var{name}, unsigned int @var{sizeof_name})
2486@var{crt}: a gnutls_x509_crt_t structure with the new proxy cert
2487
2488@var{eecrt}: the end entity certificate that will be issuing the proxy
2489
2490@var{raw_flag}: must be 0, or 1 if the CN is DER encoded
2491
2492@var{name}: a pointer to the CN name, may be NULL (but MUST then be added later)
2493
2494@var{sizeof_name}: holds the size of @code{name}
2495
2496This function will set the subject in @code{crt} to the end entity's
2497@code{eecrt} subject name, and add a single Common Name component @code{name}
2498of size @code{sizeof_name}. This corresponds to the required proxy
2499certificate naming style. Note that if @code{name} is @code{NULL}, you MUST
2500set it later by using @code{gnutls_x509_crt_set_dn_by_oid()} or similar.
2501
2502Returns 0 on success.
2503@end deftypefun
2504
2505@subheading gnutls_x509_crt_set_version
2506@anchor{gnutls_x509_crt_set_version}
2507@deftypefun {int} {gnutls_x509_crt_set_version} (gnutls_x509_crt_t @var{crt}, unsigned int @var{version})
2508@var{crt}: should contain a gnutls_x509_crt_t structure
2509
2510@var{version}: holds the version number. For X.509v1 certificates must be 1.
2511
2512This function will set the version of the certificate. This must
2513be one for X.509 version 1, and so on. Plain certificates without
2514extensions must have version set to one.
2515
2516To create well-formed certificates, you must specify version 3 if
2517you use any certificate extensions. Extensions are created by
2518functions such as gnutls_x509_crt_set_subject_alternative_name or
2519gnutls_x509_crt_set_key_usage.
2520
2521Returns 0 on success.
2522@end deftypefun
2523
2524@subheading gnutls_x509_crt_set_key
2525@anchor{gnutls_x509_crt_set_key}
2526@deftypefun {int} {gnutls_x509_crt_set_key} (gnutls_x509_crt_t @var{crt}, gnutls_x509_privkey_t @var{key})
2527@var{crt}: should contain a gnutls_x509_crt_t structure
2528
2529@var{key}: holds a private key
2530
2531This function will set the public parameters from the given private key to the
2532certificate. Only RSA keys are currently supported.
2533
2534Returns 0 on success.
2535@end deftypefun
2536
2537@subheading gnutls_x509_crt_set_crq
2538@anchor{gnutls_x509_crt_set_crq}
2539@deftypefun {int} {gnutls_x509_crt_set_crq} (gnutls_x509_crt_t @var{crt}, gnutls_x509_crq_t @var{crq})
2540@var{crt}: should contain a gnutls_x509_crt_t structure
2541
2542@var{crq}: holds a certificate request
2543
2544This function will set the name and public parameters from the given certificate request to the
2545certificate. Only RSA keys are currently supported.
2546
2547Returns 0 on success.
2548@end deftypefun
2549
2550@subheading gnutls_x509_crt_set_extension_by_oid
2551@anchor{gnutls_x509_crt_set_extension_by_oid}
2552@deftypefun {int} {gnutls_x509_crt_set_extension_by_oid} (gnutls_x509_crt_t @var{crt}, const char * @var{oid}, const void * @var{buf}, size_t @var{sizeof_buf}, unsigned int @var{critical})
2553@var{crt}: should contain a gnutls_x509_crt_t structure
2554
2555@var{oid}: holds an Object Identified in null terminated string
2556
2557@var{buf}: a pointer to a DER encoded data
2558
2559@var{sizeof_buf}: holds the size of @code{buf}
2560
2561@var{critical}: should be non zero if the extension is to be marked as critical
2562
2563This function will set an the extension, by the specified OID, in the certificate.
2564The extension data should be binary data DER encoded.
2565
2566Returns 0 on success and a negative value in case of an error.
2567@end deftypefun
2568
2569@subheading gnutls_x509_crt_set_basic_constraints
2570@anchor{gnutls_x509_crt_set_basic_constraints}
2571@deftypefun {int} {gnutls_x509_crt_set_basic_constraints} (gnutls_x509_crt_t @var{crt}, unsigned int @var{ca}, int @var{pathLenConstraint})
2572@var{crt}: should contain a gnutls_x509_crt_t structure
2573
2574@var{ca}: true(1) or false(0). Depending on the Certificate authority status.
2575
2576@var{pathLenConstraint}: non-negative values indicate maximum length of path,
2577and negative values indicate that the pathLenConstraints field should
2578not be present.
2579
2580This function will set the basicConstraints certificate extension.
2581
2582Returns 0 on success.
2583@end deftypefun
2584
2585@subheading gnutls_x509_crt_set_ca_status
2586@anchor{gnutls_x509_crt_set_ca_status}
2587@deftypefun {int} {gnutls_x509_crt_set_ca_status} (gnutls_x509_crt_t @var{crt}, unsigned int @var{ca})
2588@var{crt}: should contain a gnutls_x509_crt_t structure
2589
2590@var{ca}: true(1) or false(0). Depending on the Certificate authority status.
2591
2592This function will set the basicConstraints certificate extension.
2593Use @code{gnutls_x509_crt_set_basic_constraints()} if you want to control
2594the pathLenConstraint field too.
2595
2596Returns 0 on success.
2597@end deftypefun
2598
2599@subheading gnutls_x509_crt_set_key_usage
2600@anchor{gnutls_x509_crt_set_key_usage}
2601@deftypefun {int} {gnutls_x509_crt_set_key_usage} (gnutls_x509_crt_t @var{crt}, unsigned int @var{usage})
2602@var{crt}: should contain a gnutls_x509_crt_t structure
2603
2604@var{usage}: an ORed sequence of the GNUTLS_KEY_* elements.
2605
2606This function will set the keyUsage certificate extension.
2607
2608Returns 0 on success.
2609@end deftypefun
2610
2611@subheading gnutls_x509_crt_set_subject_alternative_name
2612@anchor{gnutls_x509_crt_set_subject_alternative_name}
2613@deftypefun {int} {gnutls_x509_crt_set_subject_alternative_name} (gnutls_x509_crt_t @var{crt}, gnutls_x509_subject_alt_name_t @var{type}, const char * @var{data_string})
2614@var{crt}: should contain a gnutls_x509_crt_t structure
2615
2616@var{type}: is one of the gnutls_x509_subject_alt_name_t enumerations
2617
2618@var{data_string}: The data to be set
2619
2620This function will set the subject alternative name certificate extension.
2621
2622Returns 0 on success.
2623@end deftypefun
2624
2625@subheading gnutls_x509_crt_set_proxy
2626@anchor{gnutls_x509_crt_set_proxy}
2627@deftypefun {int} {gnutls_x509_crt_set_proxy} (gnutls_x509_crt_t @var{crt}, int @var{pathLenConstraint}, const char * @var{policyLanguage}, const char * @var{policy}, size_t @var{sizeof_policy})
2628@var{crt}: should contain a gnutls_x509_crt_t structure
2629
2630@var{pathLenConstraint}: non-negative values indicate maximum length of path,
2631and negative values indicate that the pathLenConstraints field should
2632not be present.
2633
2634@var{policyLanguage}: OID describing the language of @code{policy}.
2635
2636@var{policy}: opaque byte array with policy language, can be @code{NULL}
2637
2638@var{sizeof_policy}: size of @code{policy}.
2639
2640This function will set the proxyCertInfo extension.
2641
2642Returns 0 on success.
2643@end deftypefun
2644
2645@subheading gnutls_x509_crt_sign2
2646@anchor{gnutls_x509_crt_sign2}
2647@deftypefun {int} {gnutls_x509_crt_sign2} (gnutls_x509_crt_t @var{crt}, gnutls_x509_crt_t @var{issuer}, gnutls_x509_privkey_t @var{issuer_key}, gnutls_digest_algorithm_t @var{dig}, unsigned int @var{flags})
2648@var{crt}: should contain a gnutls_x509_crt_t structure
2649
2650@var{issuer}: is the certificate of the certificate issuer
2651
2652@var{issuer_key}: holds the issuer's private key
2653
2654@var{dig}: The message digest to use. GNUTLS_DIG_SHA1 is the safe choice unless you know what you're doing.
2655
2656@var{flags}: must be 0
2657
2658This function will sign the certificate with the issuer's private key, and
2659will copy the issuer's information into the certificate.
2660
2661This must be the last step in a certificate generation since all
2662the previously set parameters are now signed.
2663
2664Returns 0 on success.
2665@end deftypefun
2666
2667@subheading gnutls_x509_crt_sign
2668@anchor{gnutls_x509_crt_sign}
2669@deftypefun {int} {gnutls_x509_crt_sign} (gnutls_x509_crt_t @var{crt}, gnutls_x509_crt_t @var{issuer}, gnutls_x509_privkey_t @var{issuer_key})
2670@var{crt}: should contain a gnutls_x509_crt_t structure
2671
2672@var{issuer}: is the certificate of the certificate issuer
2673
2674@var{issuer_key}: holds the issuer's private key
2675
2676This function is the same a @code{gnutls_x509_crt_sign2()} with no flags, and
2677SHA1 as the hash algorithm.
2678
2679Returns 0 on success.
2680@end deftypefun
2681
2682@subheading gnutls_x509_crt_set_activation_time
2683@anchor{gnutls_x509_crt_set_activation_time}
2684@deftypefun {int} {gnutls_x509_crt_set_activation_time} (gnutls_x509_crt_t @var{cert}, time_t @var{act_time})
2685@var{cert}: should contain a gnutls_x509_crt_t structure
2686
2687@var{act_time}: The actual time
2688
2689This function will set the time this Certificate was or will be activated.
2690
2691Returns 0 on success, or a negative value in case of an error.
2692@end deftypefun
2693
2694@subheading gnutls_x509_crt_set_expiration_time
2695@anchor{gnutls_x509_crt_set_expiration_time}
2696@deftypefun {int} {gnutls_x509_crt_set_expiration_time} (gnutls_x509_crt_t @var{cert}, time_t @var{exp_time})
2697@var{cert}: should contain a gnutls_x509_crt_t structure
2698
2699@var{exp_time}: The actual time
2700
2701This function will set the time this Certificate will expire.
2702
2703Returns 0 on success, or a negative value in case of an error.
2704@end deftypefun
2705
2706@subheading gnutls_x509_crt_set_serial
2707@anchor{gnutls_x509_crt_set_serial}
2708@deftypefun {int} {gnutls_x509_crt_set_serial} (gnutls_x509_crt_t @var{cert}, const void * @var{serial}, size_t @var{serial_size})
2709@var{cert}: should contain a gnutls_x509_crt_t structure
2710
2711@var{serial}: The serial number
2712
2713@var{serial_size}: Holds the size of the serial field.
2714
2715This function will set the X.509 certificate's serial number.
2716Serial is not always a 32 or 64bit number. Some CAs use
2717large serial numbers, thus it may be wise to handle it as something
2718opaque.
2719
2720Returns 0 on success, or a negative value in case of an error.
2721@end deftypefun
2722
2723@subheading gnutls_x509_crt_set_crl_dist_points
2724@anchor{gnutls_x509_crt_set_crl_dist_points}
2725@deftypefun {int} {gnutls_x509_crt_set_crl_dist_points} (gnutls_x509_crt_t @var{crt}, gnutls_x509_subject_alt_name_t @var{type}, const void * @var{data_string}, unsigned int @var{reason_flags})
2726@var{crt}: should contain a gnutls_x509_crt_t structure
2727
2728@var{type}: is one of the gnutls_x509_subject_alt_name_t enumerations
2729
2730@var{data_string}: The data to be set
2731
2732@var{reason_flags}: revocation reasons
2733
2734This function will set the CRL distribution points certificate extension.
2735
2736Returns 0 on success.
2737@end deftypefun
2738
2739@subheading gnutls_x509_crt_cpy_crl_dist_points
2740@anchor{gnutls_x509_crt_cpy_crl_dist_points}
2741@deftypefun {int} {gnutls_x509_crt_cpy_crl_dist_points} (gnutls_x509_crt_t @var{dst}, gnutls_x509_crt_t @var{src})
2742@var{dst}: should contain a gnutls_x509_crt_t structure
2743
2744@var{src}: the certificate where the dist points will be copied from
2745
2746This function will copy the CRL distribution points certificate
2747extension, from the source to the destination certificate.
2748This may be useful to copy from a CA certificate to issued ones.
2749
2750Returns 0 on success.
2751@end deftypefun
2752
2753@subheading gnutls_x509_crt_set_subject_key_id
2754@anchor{gnutls_x509_crt_set_subject_key_id}
2755@deftypefun {int} {gnutls_x509_crt_set_subject_key_id} (gnutls_x509_crt_t @var{cert}, const void * @var{id}, size_t @var{id_size})
2756@var{cert}: should contain a gnutls_x509_crt_t structure
2757
2758@var{id}: The key ID
2759
2760@var{id_size}: Holds the size of the serial field.
2761
2762This function will set the X.509 certificate's subject key ID extension.
2763
2764Returns 0 on success, or a negative value in case of an error.
2765@end deftypefun
2766
2767@subheading gnutls_x509_crt_set_authority_key_id
2768@anchor{gnutls_x509_crt_set_authority_key_id}
2769@deftypefun {int} {gnutls_x509_crt_set_authority_key_id} (gnutls_x509_crt_t @var{cert}, const void * @var{id}, size_t @var{id_size})
2770@var{cert}: should contain a gnutls_x509_crt_t structure
2771
2772@var{id}: The key ID
2773
2774@var{id_size}: Holds the size of the serial field.
2775
2776This function will set the X.509 certificate's authority key ID extension.
2777Only the keyIdentifier field can be set with this function.
2778
2779Returns 0 on success, or a negative value in case of an error.
2780@end deftypefun
2781
2782@subheading gnutls_x509_crt_set_key_purpose_oid
2783@anchor{gnutls_x509_crt_set_key_purpose_oid}
2784@deftypefun {int} {gnutls_x509_crt_set_key_purpose_oid} (gnutls_x509_crt_t @var{cert}, const void * @var{oid}, unsigned int @var{critical})
2785@var{cert}: should contain a gnutls_x509_crt_t structure
2786
2787@var{oid}: a pointer to a null terminated string that holds the OID
2788
2789@var{critical}: Whether this extension will be critical or not
2790
2791This function will set the key purpose OIDs of the Certificate.
2792These are stored in the Extended Key Usage extension (2.5.29.37)
2793See the GNUTLS_KP_* definitions for human readable names.
2794
2795Subsequent calls to this function will append OIDs to the OID list.
2796
2797On success 0 is returned.
2798@end deftypefun
2799
2800@subheading gnutls_x509_crl_set_version
2801@anchor{gnutls_x509_crl_set_version}
2802@deftypefun {int} {gnutls_x509_crl_set_version} (gnutls_x509_crl_t @var{crl}, unsigned int @var{version})
2803@var{crl}: should contain a gnutls_x509_crl_t structure
2804
2805@var{version}: holds the version number. For CRLv1 crls must be 1.
2806
2807This function will set the version of the CRL. This
2808must be one for CRL version 1, and so on. The CRLs generated
2809by gnutls should have a version number of 2.
2810
2811Returns 0 on success.
2812@end deftypefun
2813
2814@subheading gnutls_x509_crl_sign2
2815@anchor{gnutls_x509_crl_sign2}
2816@deftypefun {int} {gnutls_x509_crl_sign2} (gnutls_x509_crl_t @var{crl}, gnutls_x509_crt_t @var{issuer}, gnutls_x509_privkey_t @var{issuer_key}, gnutls_digest_algorithm_t @var{dig}, unsigned int @var{flags})
2817@var{crl}: should contain a gnutls_x509_crl_t structure
2818
2819@var{issuer}: is the certificate of the certificate issuer
2820
2821@var{issuer_key}: holds the issuer's private key
2822
2823@var{dig}: The message digest to use. GNUTLS_DIG_SHA1 is the safe choice unless you know what you're doing.
2824
2825@var{flags}: must be 0
2826
2827This function will sign the CRL with the issuer's private key, and
2828will copy the issuer's information into the CRL.
2829
2830This must be the last step in a certificate CRL since all
2831the previously set parameters are now signed.
2832
2833Returns 0 on success.
2834@end deftypefun
2835
2836@subheading gnutls_x509_crl_sign
2837@anchor{gnutls_x509_crl_sign}
2838@deftypefun {int} {gnutls_x509_crl_sign} (gnutls_x509_crl_t @var{crl}, gnutls_x509_crt_t @var{issuer}, gnutls_x509_privkey_t @var{issuer_key})
2839@var{crl}: should contain a gnutls_x509_crl_t structure
2840
2841@var{issuer}: is the certificate of the certificate issuer
2842
2843@var{issuer_key}: holds the issuer's private key
2844
2845This function is the same a @code{gnutls_x509_crl_sign2()} with no flags, and
2846SHA1 as the hash algorithm.
2847
2848Returns 0 on success.
2849@end deftypefun
2850
2851@subheading gnutls_x509_crl_set_this_update
2852@anchor{gnutls_x509_crl_set_this_update}
2853@deftypefun {int} {gnutls_x509_crl_set_this_update} (gnutls_x509_crl_t @var{crl}, time_t @var{act_time})
2854@var{crl}: should contain a gnutls_x509_crl_t structure
2855
2856@var{act_time}: The actual time
2857
2858This function will set the time this CRL was issued.
2859
2860Returns 0 on success, or a negative value in case of an error.
2861@end deftypefun
2862
2863@subheading gnutls_x509_crl_set_next_update
2864@anchor{gnutls_x509_crl_set_next_update}
2865@deftypefun {int} {gnutls_x509_crl_set_next_update} (gnutls_x509_crl_t @var{crl}, time_t @var{exp_time})
2866@var{crl}: should contain a gnutls_x509_crl_t structure
2867
2868@var{exp_time}: The actual time
2869
2870This function will set the time this CRL will be updated.
2871
2872Returns 0 on success, or a negative value in case of an error.
2873@end deftypefun
2874
2875@subheading gnutls_x509_crl_set_crt_serial
2876@anchor{gnutls_x509_crl_set_crt_serial}
2877@deftypefun {int} {gnutls_x509_crl_set_crt_serial} (gnutls_x509_crl_t @var{crl}, const void * @var{serial}, size_t @var{serial_size}, time_t @var{revocation_time})
2878@var{crl}: should contain a gnutls_x509_crl_t structure
2879
2880@var{serial}: The revoked certificate's serial number
2881
2882@var{serial_size}: Holds the size of the serial field.
2883
2884@var{revocation_time}: The time this certificate was revoked
2885
2886This function will set a revoked certificate's serial number to the CRL.
2887
2888Returns 0 on success, or a negative value in case of an error.
2889@end deftypefun
2890
2891@subheading gnutls_x509_crl_set_crt
2892@anchor{gnutls_x509_crl_set_crt}
2893@deftypefun {int} {gnutls_x509_crl_set_crt} (gnutls_x509_crl_t @var{crl}, gnutls_x509_crt_t @var{crt}, time_t @var{revocation_time})
2894@var{crl}: should contain a gnutls_x509_crl_t structure
2895
2896@var{crt}: should contain a gnutls_x509_crt_t structure with the revoked certificate
2897
2898@var{revocation_time}: The time this certificate was revoked
2899
2900This function will set a revoked certificate's serial number to the CRL.
2901
2902Returns 0 on success, or a negative value in case of an error.
2903@end deftypefun
2904
2905@subheading gnutls_x509_crt_print
2906@anchor{gnutls_x509_crt_print}
2907@deftypefun {int} {gnutls_x509_crt_print} (gnutls_x509_crt_t @var{cert}, gnutls_certificate_print_formats_t @var{format}, gnutls_datum_t * @var{out})
2908@var{cert}: The structure to be printed
2909
2910@var{format}: Indicate the format to use
2911
2912@var{out}: Newly allocated datum with zero terminated string.
2913
2914This function will pretty print a X.509 certificate, suitable for
2915display to a human.
2916
2917If the format is @code{GNUTLS_X509_CRT_FULL} then all fields of the
2918certificate will be output, on multiple lines. The
2919@code{GNUTLS_X509_CRT_ONELINE} format will generate one line with some
2920selected fields, which is useful for logging purposes.
2921
2922The output @code{out} needs to be deallocate using @code{gnutls_free()}.
2923
2924Returns 0 on success.
2925@end deftypefun
2926
2927@subheading gnutls_x509_crl_print
2928@anchor{gnutls_x509_crl_print}
2929@deftypefun {int} {gnutls_x509_crl_print} (gnutls_x509_crl_t @var{crl}, gnutls_certificate_print_formats_t @var{format}, gnutls_datum_t * @var{out})
2930@var{crl}: The structure to be printed
2931
2932@var{format}: Indicate the format to use
2933
2934@var{out}: Newly allocated datum with zero terminated string.
2935
2936This function will pretty print a X.509 certificate revocation
2937list, suitable for display to a human.
2938
2939The output @code{out} needs to be deallocate using @code{gnutls_free()}.
2940
2941Returns 0 on success.
2942@end deftypefun
2943
diff --git a/src/daemon/https/x509/x509.c b/src/daemon/https/x509/x509.c
index 2fa84551..2b624986 100644
--- a/src/daemon/https/x509/x509.c
+++ b/src/daemon/https/x509/x509.c
@@ -328,87 +328,6 @@ MHD_gnutls_x509_crt_get_key_usage (MHD_gnutls_x509_crt_t cert,
328} 328}
329 329
330 330
331static int
332MHD__gnutls_x509_crt_get_raw_dn2 (MHD_gnutls_x509_crt_t cert,
333 const char *whom,
334 MHD_gnutls_datum_t * start)
335{
336 ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
337 int result, len1;
338 int start1, end1;
339 MHD_gnutls_datum_t signed_data = { NULL,
340 0
341 };
342
343 /* get the issuer of 'cert'
344 */
345 if ((result =
346 MHD__asn1_create_element (MHD__gnutls_get_pkix (),
347 "PKIX1.TBSCertificate",
348 &c2)) != ASN1_SUCCESS)
349 {
350 MHD_gnutls_assert ();
351 return MHD_gtls_asn2err (result);
352 }
353
354 result = MHD__gnutls_x509_get_signed_data (cert->cert, "tbsCertificate",
355 &signed_data);
356 if (result < 0)
357 {
358 MHD_gnutls_assert ();
359 goto cleanup;
360 }
361
362 result =
363 MHD__asn1_der_decoding (&c2, signed_data.data, signed_data.size, NULL);
364 if (result != ASN1_SUCCESS)
365 {
366 MHD_gnutls_assert ();
367 MHD__asn1_delete_structure (&c2);
368 result = MHD_gtls_asn2err (result);
369 goto cleanup;
370 }
371
372 result =
373 MHD__asn1_der_decoding_startEnd (c2, signed_data.data, signed_data.size,
374 whom, &start1, &end1);
375
376 if (result != ASN1_SUCCESS)
377 {
378 MHD_gnutls_assert ();
379 result = MHD_gtls_asn2err (result);
380 goto cleanup;
381 }
382
383 len1 = end1 - start1 + 1;
384
385 MHD__gnutls_set_datum (start, &signed_data.data[start1], len1);
386
387 result = 0;
388
389cleanup:MHD__asn1_delete_structure (&c2);
390 MHD__gnutls_free_datum (&signed_data);
391 return result;
392}
393
394/**
395 * MHD_gnutls_x509_crt_get_raw_dn - This function returns the subject's DN DER encoded
396 * @cert: should contain a MHD_gnutls_x509_crt_t structure
397 * @start: will hold the starting point of the DN
398 *
399 * This function will return a pointer to the DER encoded DN structure and
400 * the length.
401 *
402 * Returns 0 on success, or a negative value on error.
403 *
404 **/
405int
406MHD_gnutls_x509_crt_get_raw_dn (MHD_gnutls_x509_crt_t cert,
407 MHD_gnutls_datum_t * start)
408{
409 return MHD__gnutls_x509_crt_get_raw_dn2 (cert, "subject", start);
410}
411
412/** 331/**
413 * MHD_gnutls_x509_crt_export - This function will export the certificate 332 * MHD_gnutls_x509_crt_export - This function will export the certificate
414 * @cert: Holds the certificate 333 * @cert: Holds the certificate
diff --git a/src/daemon/https/x509/x509.h b/src/daemon/https/x509/x509.h
index 11628186..b3221606 100644
--- a/src/daemon/https/x509/x509.h
+++ b/src/daemon/https/x509/x509.h
@@ -193,8 +193,6 @@ extern "C"
193 format, MHD_gnutls_datum_t * out); 193 format, MHD_gnutls_datum_t * out);
194/* Access to internal Certificate fields. 194/* Access to internal Certificate fields.
195 */ 195 */
196 int MHD_gnutls_x509_crt_get_raw_dn (MHD_gnutls_x509_crt_t cert,
197 MHD_gnutls_datum_t * start);
198 196
199 typedef void *MHD_gnutls_x509_dn_t; 197 typedef void *MHD_gnutls_x509_dn_t;
200 198