@subheading gnutls_x509_crl_init @anchor{gnutls_x509_crl_init} @deftypefun {int} {gnutls_x509_crl_init} (gnutls_x509_crl_t * @var{crl}) @var{crl}: The structure to be initialized This function will initialize a CRL structure. CRL stands for Certificate Revocation List. A revocation list usually contains lists of certificate serial numbers that have been revoked by an Authority. The revocation lists are always signed with the authority's private key. Returns 0 on success. @end deftypefun @subheading gnutls_x509_crl_deinit @anchor{gnutls_x509_crl_deinit} @deftypefun {void} {gnutls_x509_crl_deinit} (gnutls_x509_crl_t @var{crl}) @var{crl}: The structure to be initialized This function will deinitialize a CRL structure. @end deftypefun @subheading gnutls_x509_crl_import @anchor{gnutls_x509_crl_import} @deftypefun {int} {gnutls_x509_crl_import} (gnutls_x509_crl_t @var{crl}, const gnutls_datum_t * @var{data}, gnutls_x509_crt_fmt_t @var{format}) @var{crl}: The structure to store the parsed CRL. @var{data}: The DER or PEM encoded CRL. @var{format}: One of DER or PEM This function will convert the given DER or PEM encoded CRL to the native gnutls_x509_crl_t format. The output will be stored in 'crl'. If the CRL is PEM encoded it should have a header of "X509 CRL". Returns 0 on success. @end deftypefun @subheading gnutls_x509_crl_get_issuer_dn @anchor{gnutls_x509_crl_get_issuer_dn} @deftypefun {int} {gnutls_x509_crl_get_issuer_dn} (const gnutls_x509_crl_t @var{crl}, char * @var{buf}, size_t * @var{sizeof_buf}) @var{crl}: should contain a gnutls_x509_crl_t structure @var{buf}: a pointer to a structure to hold the peer's name (may be null) @var{sizeof_buf}: initially holds the size of @code{buf} This function will copy the name of the CRL issuer in the provided buffer. The name will be in the form "C=xxxx,O=yyyy,CN=zzzz" as described in RFC2253. The output string will be ASCII or UTF-8 encoded, depending on the certificate data. If buf is null then only the size will be filled. Returns GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not long enough, and in that case the sizeof_buf will be updated with the required size, and 0 on success. @end deftypefun @subheading gnutls_x509_crl_get_issuer_dn_by_oid @anchor{gnutls_x509_crl_get_issuer_dn_by_oid} @deftypefun {int} {gnutls_x509_crl_get_issuer_dn_by_oid} (gnutls_x509_crl_t @var{crl}, const char * @var{oid}, int @var{indx}, unsigned int @var{raw_flag}, void * @var{buf}, size_t * @var{sizeof_buf}) @var{crl}: should contain a gnutls_x509_crl_t structure @var{oid}: holds an Object Identified in null terminated string @var{indx}: In case multiple same OIDs exist in the RDN, this specifies which to send. Use zero to get the first one. @var{raw_flag}: If non zero returns the raw DER data of the DN part. @var{buf}: a pointer to a structure to hold the peer's name (may be null) @var{sizeof_buf}: initially holds the size of @code{buf} This function will extract the part of the name of the CRL issuer specified by the given OID. The output will be encoded as described in RFC2253. The output string will be ASCII or UTF-8 encoded, depending on the certificate data. Some helper macros with popular OIDs can be found in gnutls/x509.h If raw flag is zero, this function will only return known OIDs as text. Other OIDs will be DER encoded, as described in RFC2253 -- in hex format with a '\#' prefix. You can check about known OIDs using @code{gnutls_x509_dn_oid_known()}. If buf is null then only the size will be filled. Returns GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not long enough, and in that case the sizeof_buf will be updated with the required size, and 0 on success. @end deftypefun @subheading gnutls_x509_crl_get_dn_oid @anchor{gnutls_x509_crl_get_dn_oid} @deftypefun {int} {gnutls_x509_crl_get_dn_oid} (gnutls_x509_crl_t @var{crl}, int @var{indx}, void * @var{oid}, size_t * @var{sizeof_oid}) @var{crl}: should contain a gnutls_x509_crl_t structure @var{indx}: Specifies which DN OID to send. Use zero to get the first one. @var{oid}: a pointer to a structure to hold the name (may be null) @var{sizeof_oid}: initially holds the size of 'oid' This function will extract the requested OID of the name of the CRL issuer, specified by the given index. If oid is null then only the size will be filled. Returns GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not long enough, and in that case the sizeof_oid will be updated with the required size. On success 0 is returned. @end deftypefun @subheading gnutls_x509_crl_get_signature_algorithm @anchor{gnutls_x509_crl_get_signature_algorithm} @deftypefun {int} {gnutls_x509_crl_get_signature_algorithm} (gnutls_x509_crl_t @var{crl}) @var{crl}: should contain a gnutls_x509_crl_t structure This function will return a value of the gnutls_sign_algorithm_t enumeration that is the signature algorithm. Returns a negative value on error. @end deftypefun @subheading gnutls_x509_crl_get_signature @anchor{gnutls_x509_crl_get_signature} @deftypefun {int} {gnutls_x509_crl_get_signature} (gnutls_x509_crl_t @var{crl}, char * @var{sig}, size_t * @var{sizeof_sig}) @var{crl}: should contain a gnutls_x509_crl_t structure @var{sig}: a pointer where the signature part will be copied (may be null). @var{sizeof_sig}: initially holds the size of @code{sig} This function will extract the signature field of a CRL. Returns 0 on success, and a negative value on error. @end deftypefun @subheading gnutls_x509_crl_get_version @anchor{gnutls_x509_crl_get_version} @deftypefun {int} {gnutls_x509_crl_get_version} (gnutls_x509_crl_t @var{crl}) @var{crl}: should contain a gnutls_x509_crl_t structure This function will return the version of the specified CRL. Returns a negative value on error. @end deftypefun @subheading gnutls_x509_crl_get_this_update @anchor{gnutls_x509_crl_get_this_update} @deftypefun {time_t} {gnutls_x509_crl_get_this_update} (gnutls_x509_crl_t @var{crl}) @var{crl}: should contain a gnutls_x509_crl_t structure This function will return the time this CRL was issued. Returns (time_t)-1 on error. @end deftypefun @subheading gnutls_x509_crl_get_next_update @anchor{gnutls_x509_crl_get_next_update} @deftypefun {time_t} {gnutls_x509_crl_get_next_update} (gnutls_x509_crl_t @var{crl}) @var{crl}: should contain a gnutls_x509_crl_t structure This function will return the time the next CRL will be issued. This field is optional in a CRL so it might be normal to get an error instead. Returns (time_t)-1 on error. @end deftypefun @subheading gnutls_x509_crl_get_crt_count @anchor{gnutls_x509_crl_get_crt_count} @deftypefun {int} {gnutls_x509_crl_get_crt_count} (gnutls_x509_crl_t @var{crl}) @var{crl}: should contain a gnutls_x509_crl_t structure This function will return the number of revoked certificates in the given CRL. Returns a negative value on failure. @end deftypefun @subheading gnutls_x509_crl_get_crt_serial @anchor{gnutls_x509_crl_get_crt_serial} @deftypefun {int} {gnutls_x509_crl_get_crt_serial} (gnutls_x509_crl_t @var{crl}, int @var{indx}, unsigned char * @var{serial}, size_t * @var{serial_size}, time_t * @var{t}) @var{crl}: should contain a gnutls_x509_crl_t structure @var{indx}: the index of the certificate to extract (starting from 0) @var{serial}: where the serial number will be copied @var{serial_size}: initially holds the size of serial @var{t}: if non null, will hold the time this certificate was revoked This function will return the serial number of the specified, by the index, revoked certificate. Returns a negative value on failure. @end deftypefun @subheading gnutls_x509_crl_export @anchor{gnutls_x509_crl_export} @deftypefun {int} {gnutls_x509_crl_export} (gnutls_x509_crl_t @var{crl}, gnutls_x509_crt_fmt_t @var{format}, void * @var{output_data}, size_t * @var{output_data_size}) @var{crl}: Holds the revocation list @var{format}: the format of output params. One of PEM or DER. @var{output_data}: will contain a private key PEM or DER encoded @var{output_data_size}: holds the size of output_data (and will be replaced by the actual size of parameters) This function will export the revocation list to DER or PEM format. If the buffer provided is not long enough to hold the output, then GNUTLS_E_SHORT_MEMORY_BUFFER will be returned. If the structure is PEM encoded, it will have a header of "BEGIN X509 CRL". Returns 0 on success, and a negative value on failure. @end deftypefun @subheading gnutls_x509_rdn_get @anchor{gnutls_x509_rdn_get} @deftypefun {int} {gnutls_x509_rdn_get} (const gnutls_datum_t * @var{idn}, char * @var{buf}, size_t * @var{sizeof_buf}) @var{idn}: should contain a DER encoded RDN sequence @var{buf}: a pointer to a structure to hold the peer's name @var{sizeof_buf}: holds the size of @code{buf} This function will return the name of the given RDN sequence. The name will be in the form "C=xxxx,O=yyyy,CN=zzzz" as described in RFC2253. If the provided buffer is not long enough, returns GNUTLS_E_SHORT_MEMORY_BUFFER and *sizeof_buf will be updated. On success 0 is returned. @end deftypefun @subheading gnutls_x509_rdn_get_by_oid @anchor{gnutls_x509_rdn_get_by_oid} @deftypefun {int} {gnutls_x509_rdn_get_by_oid} (const gnutls_datum_t * @var{idn}, const char * @var{oid}, int @var{indx}, unsigned int @var{raw_flag}, void * @var{buf}, size_t * @var{sizeof_buf}) @var{idn}: should contain a DER encoded RDN sequence @var{oid}: an Object Identifier @var{indx}: In case multiple same OIDs exist in the RDN indicates which to send. Use 0 for the first one. @var{raw_flag}: If non zero then the raw DER data are returned. @var{buf}: a pointer to a structure to hold the peer's name @var{sizeof_buf}: holds the size of @code{buf} This function will return the name of the given Object identifier, of the RDN sequence. The name will be encoded using the rules from RFC2253. Returns GNUTLS_E_SHORT_MEMORY_BUFFER and updates *sizeof_buf if the provided buffer is not long enough, and 0 on success. @end deftypefun @subheading gnutls_x509_rdn_get_oid @anchor{gnutls_x509_rdn_get_oid} @deftypefun {int} {gnutls_x509_rdn_get_oid} (const gnutls_datum_t * @var{idn}, int @var{indx}, void * @var{buf}, size_t * @var{sizeof_buf}) @var{idn}: should contain a DER encoded RDN sequence @var{indx}: Indicates which OID to return. Use 0 for the first one. This function will return the specified Object identifier, of the RDN sequence. Returns GNUTLS_E_SHORT_MEMORY_BUFFER and updates *sizeof_buf if the provided buffer is not long enough, and 0 on success. @end deftypefun @subheading gnutls_x509_dn_oid_known @anchor{gnutls_x509_dn_oid_known} @deftypefun {int} {gnutls_x509_dn_oid_known} (const char * @var{oid}) @var{oid}: holds an Object Identifier in a null terminated string This function will inform about known DN OIDs. This is useful since functions like @code{gnutls_x509_crt_set_dn_by_oid()} use the information on known OIDs to properly encode their input. Object Identifiers that are not known are not encoded by these functions, and their input is stored directly into the ASN.1 structure. In that case of unknown OIDs, you have the responsibility of DER encoding your data. Returns 1 on known OIDs and 0 otherwise. @end deftypefun @subheading gnutls_x509_crt_init @anchor{gnutls_x509_crt_init} @deftypefun {int} {gnutls_x509_crt_init} (gnutls_x509_crt_t * @var{cert}) @var{cert}: The structure to be initialized This function will initialize an X.509 certificate structure. Returns 0 on success. @end deftypefun @subheading gnutls_x509_crt_deinit @anchor{gnutls_x509_crt_deinit} @deftypefun {void} {gnutls_x509_crt_deinit} (gnutls_x509_crt_t @var{cert}) @var{cert}: The structure to be initialized This function will deinitialize a CRL structure. @end deftypefun @subheading gnutls_x509_crt_import @anchor{gnutls_x509_crt_import} @deftypefun {int} {gnutls_x509_crt_import} (gnutls_x509_crt_t @var{cert}, const gnutls_datum_t * @var{data}, gnutls_x509_crt_fmt_t @var{format}) @var{cert}: The structure to store the parsed certificate. @var{data}: The DER or PEM encoded certificate. @var{format}: One of DER or PEM This function will convert the given DER or PEM encoded Certificate to the native gnutls_x509_crt_t format. The output will be stored in @code{cert}. If the Certificate is PEM encoded it should have a header of "X509 CERTIFICATE", or "CERTIFICATE". Returns 0 on success. @end deftypefun @subheading gnutls_x509_crt_get_issuer_dn @anchor{gnutls_x509_crt_get_issuer_dn} @deftypefun {int} {gnutls_x509_crt_get_issuer_dn} (gnutls_x509_crt_t @var{cert}, char * @var{buf}, size_t * @var{sizeof_buf}) @var{cert}: should contain a gnutls_x509_crt_t structure @var{buf}: a pointer to a structure to hold the name (may be null) @var{sizeof_buf}: initially holds the size of @code{buf} This function will copy the name of the Certificate issuer in the provided buffer. The name will be in the form "C=xxxx,O=yyyy,CN=zzzz" as described in RFC2253. The output string will be ASCII or UTF-8 encoded, depending on the certificate data. If @code{buf} is null then only the size will be filled. Returns GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not long enough, and in that case the *sizeof_buf will be updated with the required size. On success 0 is returned. @end deftypefun @subheading gnutls_x509_crt_get_issuer_dn_by_oid @anchor{gnutls_x509_crt_get_issuer_dn_by_oid} @deftypefun {int} {gnutls_x509_crt_get_issuer_dn_by_oid} (gnutls_x509_crt_t @var{cert}, const char * @var{oid}, int @var{indx}, unsigned int @var{raw_flag}, void * @var{buf}, size_t * @var{sizeof_buf}) @var{cert}: should contain a gnutls_x509_crt_t structure @var{oid}: holds an Object Identified in null terminated string @var{indx}: In case multiple same OIDs exist in the RDN, this specifies which to send. Use zero to get the first one. @var{raw_flag}: If non zero returns the raw DER data of the DN part. @var{buf}: a pointer to a structure to hold the name (may be null) @var{sizeof_buf}: initially holds the size of @code{buf} This function will extract the part of the name of the Certificate issuer specified by the given OID. The output, if the raw flag is not used, will be encoded as described in RFC2253. Thus a string that is ASCII or UTF-8 encoded, depending on the certificate data. Some helper macros with popular OIDs can be found in gnutls/x509.h If raw flag is zero, this function will only return known OIDs as text. Other OIDs will be DER encoded, as described in RFC2253 -- in hex format with a '\#' prefix. You can check about known OIDs using @code{gnutls_x509_dn_oid_known()}. If @code{buf} is null then only the size will be filled. Returns GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not long enough, and in that case the *sizeof_buf will be updated with the required size. On success 0 is returned. @end deftypefun @subheading gnutls_x509_crt_get_issuer_dn_oid @anchor{gnutls_x509_crt_get_issuer_dn_oid} @deftypefun {int} {gnutls_x509_crt_get_issuer_dn_oid} (gnutls_x509_crt_t @var{cert}, int @var{indx}, void * @var{oid}, size_t * @var{sizeof_oid}) @var{cert}: should contain a gnutls_x509_crt_t structure @var{indx}: This specifies which OID to return. Use zero to get the first one. @var{oid}: a pointer to a buffer to hold the OID (may be null) @var{sizeof_oid}: initially holds the size of @code{oid} This function will extract the OIDs of the name of the Certificate issuer specified by the given index. If @code{oid} is null then only the size will be filled. Returns GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not long enough, and in that case the *sizeof_oid will be updated with the required size. On success 0 is returned. @end deftypefun @subheading gnutls_x509_crt_get_dn @anchor{gnutls_x509_crt_get_dn} @deftypefun {int} {gnutls_x509_crt_get_dn} (gnutls_x509_crt_t @var{cert}, char * @var{buf}, size_t * @var{sizeof_buf}) @var{cert}: should contain a gnutls_x509_crt_t structure @var{buf}: a pointer to a structure to hold the name (may be null) @var{sizeof_buf}: initially holds the size of @code{buf} This function will copy the name of the Certificate in the provided buffer. The name will be in the form "C=xxxx,O=yyyy,CN=zzzz" as described in RFC2253. The output string will be ASCII or UTF-8 encoded, depending on the certificate data. If @code{buf} is null then only the size will be filled. Returns GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not long enough, and in that case the *sizeof_buf will be updated with the required size. On success 0 is returned. @end deftypefun @subheading gnutls_x509_crt_get_dn_by_oid @anchor{gnutls_x509_crt_get_dn_by_oid} @deftypefun {int} {gnutls_x509_crt_get_dn_by_oid} (gnutls_x509_crt_t @var{cert}, const char * @var{oid}, int @var{indx}, unsigned int @var{raw_flag}, void * @var{buf}, size_t * @var{sizeof_buf}) @var{cert}: should contain a gnutls_x509_crt_t structure @var{oid}: holds an Object Identified in null terminated string @var{indx}: In case multiple same OIDs exist in the RDN, this specifies which to send. Use zero to get the first one. @var{raw_flag}: If non zero returns the raw DER data of the DN part. @var{buf}: a pointer where the DN part will be copied (may be null). @var{sizeof_buf}: initially holds the size of @code{buf} This function will extract the part of the name of the Certificate subject specified by the given OID. The output, if the raw flag is not used, will be encoded as described in RFC2253. Thus a string that is ASCII or UTF-8 encoded, depending on the certificate data. Some helper macros with popular OIDs can be found in gnutls/x509.h If raw flag is zero, this function will only return known OIDs as text. Other OIDs will be DER encoded, as described in RFC2253 -- in hex format with a '\#' prefix. You can check about known OIDs using @code{gnutls_x509_dn_oid_known()}. If @code{buf} is null then only the size will be filled. Returns GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not long enough, and in that case the *sizeof_buf will be updated with the required size. On success 0 is returned. @end deftypefun @subheading gnutls_x509_crt_get_dn_oid @anchor{gnutls_x509_crt_get_dn_oid} @deftypefun {int} {gnutls_x509_crt_get_dn_oid} (gnutls_x509_crt_t @var{cert}, int @var{indx}, void * @var{oid}, size_t * @var{sizeof_oid}) @var{cert}: should contain a gnutls_x509_crt_t structure @var{indx}: This specifies which OID to return. Use zero to get the first one. @var{oid}: a pointer to a buffer to hold the OID (may be null) @var{sizeof_oid}: initially holds the size of @code{oid} This function will extract the OIDs of the name of the Certificate subject specified by the given index. If oid is null then only the size will be filled. Returns GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not long enough, and in that case the *sizeof_oid will be updated with the required size. On success 0 is returned. @end deftypefun @subheading gnutls_x509_crt_get_signature_algorithm @anchor{gnutls_x509_crt_get_signature_algorithm} @deftypefun {int} {gnutls_x509_crt_get_signature_algorithm} (gnutls_x509_crt_t @var{cert}) @var{cert}: should contain a gnutls_x509_crt_t structure This function will return a value of the gnutls_sign_algorithm_t enumeration that is the signature algorithm. Returns a negative value on error. @end deftypefun @subheading gnutls_x509_crt_get_signature @anchor{gnutls_x509_crt_get_signature} @deftypefun {int} {gnutls_x509_crt_get_signature} (gnutls_x509_crt_t @var{cert}, char * @var{sig}, size_t * @var{sizeof_sig}) @var{cert}: should contain a gnutls_x509_crt_t structure @var{sig}: a pointer where the signature part will be copied (may be null). @var{sizeof_sig}: initially holds the size of @code{sig} This function will extract the signature field of a certificate. Returns 0 on success, and a negative value on error. @end deftypefun @subheading gnutls_x509_crt_get_version @anchor{gnutls_x509_crt_get_version} @deftypefun {int} {gnutls_x509_crt_get_version} (gnutls_x509_crt_t @var{cert}) @var{cert}: should contain a gnutls_x509_crt_t structure This function will return the version of the specified Certificate. Returns a negative value on error. @end deftypefun @subheading gnutls_x509_crt_get_activation_time @anchor{gnutls_x509_crt_get_activation_time} @deftypefun {time_t} {gnutls_x509_crt_get_activation_time} (gnutls_x509_crt_t @var{cert}) @var{cert}: should contain a gnutls_x509_crt_t structure This function will return the time this Certificate was or will be activated. Returns (time_t)-1 on error. @end deftypefun @subheading gnutls_x509_crt_get_expiration_time @anchor{gnutls_x509_crt_get_expiration_time} @deftypefun {time_t} {gnutls_x509_crt_get_expiration_time} (gnutls_x509_crt_t @var{cert}) @var{cert}: should contain a gnutls_x509_crt_t structure This function will return the time this Certificate was or will be expired. Returns (time_t)-1 on error. @end deftypefun @subheading gnutls_x509_crt_get_serial @anchor{gnutls_x509_crt_get_serial} @deftypefun {int} {gnutls_x509_crt_get_serial} (gnutls_x509_crt_t @var{cert}, void * @var{result}, size_t * @var{result_size}) @var{cert}: should contain a gnutls_x509_crt_t structure @var{result}: The place where the serial number will be copied @var{result_size}: Holds the size of the result field. This function will return the X.509 certificate's serial number. This is obtained by the X509 Certificate serialNumber field. Serial is not always a 32 or 64bit number. Some CAs use large serial numbers, thus it may be wise to handle it as something opaque. Returns 0 on success and a negative value in case of an error. @end deftypefun @subheading gnutls_x509_crt_get_subject_key_id @anchor{gnutls_x509_crt_get_subject_key_id} @deftypefun {int} {gnutls_x509_crt_get_subject_key_id} (gnutls_x509_crt_t @var{cert}, void * @var{ret}, size_t * @var{ret_size}, unsigned int * @var{critical}) @var{cert}: should contain a gnutls_x509_crt_t structure @var{ret}: The place where the identifier will be copied @var{ret_size}: Holds the size of the result field. @var{critical}: will be non zero if the extension is marked as critical (may be null) This function will return the X.509v3 certificate's subject key identifier. This is obtained by the X.509 Subject Key identifier extension field (2.5.29.14). Returns 0 on success and a negative value in case of an error. @end deftypefun @subheading gnutls_x509_crt_get_authority_key_id @anchor{gnutls_x509_crt_get_authority_key_id} @deftypefun {int} {gnutls_x509_crt_get_authority_key_id} (gnutls_x509_crt_t @var{cert}, void * @var{ret}, size_t * @var{ret_size}, unsigned int * @var{critical}) @var{cert}: should contain a gnutls_x509_crt_t structure @var{critical}: will be non zero if the extension is marked as critical (may be null) This function will return the X.509v3 certificate authority's key identifier. This is obtained by the X.509 Authority Key identifier extension field (2.5.29.35). Note that this function only returns the keyIdentifier field of the extension. Returns 0 on success and a negative value in case of an error. @end deftypefun @subheading gnutls_x509_crt_get_pk_algorithm @anchor{gnutls_x509_crt_get_pk_algorithm} @deftypefun {int} {gnutls_x509_crt_get_pk_algorithm} (gnutls_x509_crt_t @var{cert}, unsigned int * @var{bits}) @var{cert}: should contain a gnutls_x509_crt_t structure @var{bits}: if bits is non null it will hold the size of the parameters' in bits This function will return the public key algorithm of an X.509 certificate. If bits is non null, it should have enough size to hold the parameters size in bits. For RSA the bits returned is the modulus. For DSA the bits returned are of the public exponent. Returns a member of the gnutls_pk_algorithm_t enumeration on success, or a negative value on error. @end deftypefun @subheading gnutls_x509_crt_get_subject_alt_name @anchor{gnutls_x509_crt_get_subject_alt_name} @deftypefun {int} {gnutls_x509_crt_get_subject_alt_name} (gnutls_x509_crt_t @var{cert}, unsigned int @var{seq}, void * @var{ret}, size_t * @var{ret_size}, unsigned int * @var{critical}) @var{cert}: should contain a gnutls_x509_crt_t structure @var{seq}: specifies the sequence number of the alt name (0 for the first one, 1 for the second etc.) @var{ret}: is the place where the alternative name will be copied to @var{ret_size}: holds the size of ret. @var{critical}: will be non zero if the extension is marked as critical (may be null) This function will return the alternative names, contained in the given certificate. This is specified in X509v3 Certificate Extensions. GNUTLS will return the Alternative name (2.5.29.17), or a negative error code. When the SAN type is otherName, it will extract the data in the otherName's value field, and @code{GNUTLS_SAN_OTHERNAME} is returned. You may use @code{gnutls_x509_crt_get_subject_alt_othername_oid()} to get the corresponding OID and the "virtual" SAN types (e.g., @code{GNUTLS_SAN_OTHERNAME_XMPP}). If an otherName OID is known, the data will be decoded. Otherwise the returned data will be DER encoded, and you will have to decode it yourself. Currently, only the RFC 3920 id-on-xmppAddr SAN is recognized. Returns the alternative subject name type on success. The type is one of the enumerated gnutls_x509_subject_alt_name_t. It will return @code{GNUTLS_E_SHORT_MEMORY_BUFFER} if @code{ret_size} is not large enough to hold the value. In that case @code{ret_size} will be updated with the required size. If the certificate does not have an Alternative name with the specified sequence number then @code{GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE} is returned. @end deftypefun @subheading gnutls_x509_crt_get_subject_alt_name2 @anchor{gnutls_x509_crt_get_subject_alt_name2} @deftypefun {int} {gnutls_x509_crt_get_subject_alt_name2} (gnutls_x509_crt_t @var{cert}, unsigned int @var{seq}, void * @var{ret}, size_t * @var{ret_size}, unsigned int* @var{ret_type}, unsigned int * @var{critical}) @var{cert}: should contain a gnutls_x509_crt_t structure @var{seq}: specifies the sequence number of the alt name (0 for the first one, 1 for the second etc.) @var{ret}: is the place where the alternative name will be copied to @var{ret_size}: holds the size of ret. @var{ret_type}: holds the type of the alternative name (one of gnutls_x509_subject_alt_name_t). @var{critical}: will be non zero if the extension is marked as critical (may be null) This function will return the alternative names, contained in the given certificate. It is the same as @code{gnutls_x509_crt_get_subject_alt_name()} except for the fact that it will return the type of the alternative name in @code{ret_type} even if the function fails for some reason (i.e. the buffer provided is not enough). The return values are the same as with @code{gnutls_x509_crt_get_subject_alt_name()}. @end deftypefun @subheading gnutls_x509_crt_get_subject_alt_othername_oid @anchor{gnutls_x509_crt_get_subject_alt_othername_oid} @deftypefun {int} {gnutls_x509_crt_get_subject_alt_othername_oid} (gnutls_x509_crt_t @var{cert}, unsigned int @var{seq}, void * @var{ret}, size_t * @var{ret_size}) @var{cert}: should contain a gnutls_x509_crt_t structure @var{seq}: specifies the sequence number of the alt name (0 for the first one, 1 for the second etc.) @var{ret}: is the place where the otherName OID will be copied to @var{ret_size}: holds the size of ret. This function will extract the type OID of an otherName Subject Alternative Name, contained in the given certificate, and return the type as an enumerated element. This function is only useful if @code{gnutls_x509_crt_get_subject_alt_name()} returned @code{GNUTLS_SAN_OTHERNAME}. Returns the alternative subject name type on success. The type is one of the enumerated gnutls_x509_subject_alt_name_t. For supported OIDs, it will return one of the virtual (GNUTLS_SAN_OTHERNAME_*) types, e.g. @code{GNUTLS_SAN_OTHERNAME_XMPP}, and @code{GNUTLS_SAN_OTHERNAME} for unknown OIDs. It will return @code{GNUTLS_E_SHORT_MEMORY_BUFFER} if @code{ret_size} is not large enough to hold the value. In that case @code{ret_size} will be updated with the required size. If the certificate does not have an Alternative name with the specified sequence number and with the otherName type then @code{GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE} is returned. @end deftypefun @subheading gnutls_x509_crt_get_basic_constraints @anchor{gnutls_x509_crt_get_basic_constraints} @deftypefun {int} {gnutls_x509_crt_get_basic_constraints} (gnutls_x509_crt_t @var{cert}, unsigned int * @var{critical}, int * @var{ca}, int * @var{pathlen}) @var{cert}: should contain a gnutls_x509_crt_t structure @var{critical}: will be non zero if the extension is marked as critical @var{ca}: pointer to output integer indicating CA status, may be NULL, value is 1 if the certificate CA flag is set, 0 otherwise. @var{pathlen}: pointer to output integer indicating path length (may be NULL), non-negative values indicate a present pathLenConstraint field and the actual value, -1 indicate that the field is absent. This function will read the certificate's basic constraints, and return the certificates CA status. It reads the basicConstraints X.509 extension (2.5.29.19). @strong{Return value:} If the certificate is a CA a positive value will be returned, or zero if the certificate does not have CA flag set. A negative value may be returned in case of errors. If the certificate does not contain the basicConstraints extension GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned. @end deftypefun @subheading gnutls_x509_crt_get_ca_status @anchor{gnutls_x509_crt_get_ca_status} @deftypefun {int} {gnutls_x509_crt_get_ca_status} (gnutls_x509_crt_t @var{cert}, unsigned int * @var{critical}) @var{cert}: should contain a gnutls_x509_crt_t structure @var{critical}: will be non zero if the extension is marked as critical This function will return certificates CA status, by reading the basicConstraints X.509 extension (2.5.29.19). If the certificate is a CA a positive value will be returned, or zero if the certificate does not have CA flag set. Use @code{gnutls_x509_crt_get_basic_constraints()} if you want to read the pathLenConstraint field too. A negative value may be returned in case of parsing error. If the certificate does not contain the basicConstraints extension GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned. @end deftypefun @subheading gnutls_x509_crt_get_key_usage @anchor{gnutls_x509_crt_get_key_usage} @deftypefun {int} {gnutls_x509_crt_get_key_usage} (gnutls_x509_crt_t @var{cert}, unsigned int * @var{key_usage}, unsigned int * @var{critical}) @var{cert}: should contain a gnutls_x509_crt_t structure @var{key_usage}: where the key usage bits will be stored @var{critical}: will be non zero if the extension is marked as critical This function will return certificate's key usage, by reading the keyUsage X.509 extension (2.5.29.15). The key usage value will ORed values of the: GNUTLS_KEY_DIGITAL_SIGNATURE, GNUTLS_KEY_NON_REPUDIATION, GNUTLS_KEY_KEY_ENCIPHERMENT, GNUTLS_KEY_DATA_ENCIPHERMENT, GNUTLS_KEY_KEY_AGREEMENT, GNUTLS_KEY_KEY_CERT_SIGN, GNUTLS_KEY_CRL_SIGN, GNUTLS_KEY_ENCIPHER_ONLY, GNUTLS_KEY_DECIPHER_ONLY. A negative value may be returned in case of parsing error. If the certificate does not contain the keyUsage extension GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned. @end deftypefun @subheading gnutls_x509_crt_get_proxy @anchor{gnutls_x509_crt_get_proxy} @deftypefun {int} {gnutls_x509_crt_get_proxy} (gnutls_x509_crt_t @var{cert}, unsigned int * @var{critical}, int * @var{pathlen}, char ** @var{policyLanguage}, char ** @var{policy}, size_t * @var{sizeof_policy}) @var{cert}: should contain a gnutls_x509_crt_t structure @var{critical}: will be non zero if the extension is marked as critical @var{pathlen}: pointer to output integer indicating path length (may be NULL), non-negative values indicate a present pCPathLenConstraint field and the actual value, -1 indicate that the field is absent. This function will read the certificate's basic constraints, and return the certificates CA status. It reads the basicConstraints X.509 extension (2.5.29.19). @strong{Return value:} If the certificate is a CA a positive value will be returned, or zero if the certificate does not have CA flag set. A negative value may be returned in case of errors. If the certificate does not contain the basicConstraints extension GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned. @end deftypefun @subheading gnutls_x509_crt_get_extension_by_oid @anchor{gnutls_x509_crt_get_extension_by_oid} @deftypefun {int} {gnutls_x509_crt_get_extension_by_oid} (gnutls_x509_crt_t @var{cert}, const char * @var{oid}, int @var{indx}, void * @var{buf}, size_t * @var{sizeof_buf}, unsigned int * @var{critical}) @var{cert}: should contain a gnutls_x509_crt_t structure @var{oid}: holds an Object Identified in null terminated string @var{indx}: In case multiple same OIDs exist in the extensions, this specifies which to send. Use zero to get the first one. @var{buf}: a pointer to a structure to hold the name (may be null) @var{sizeof_buf}: initially holds the size of @code{buf} @var{critical}: will be non zero if the extension is marked as critical This function will return the extension specified by the OID in the certificate. The extensions will be returned as binary data DER encoded, in the provided buffer. A negative value may be returned in case of parsing error. If the certificate does not contain the specified extension GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned. @end deftypefun @subheading gnutls_x509_crt_get_extension_oid @anchor{gnutls_x509_crt_get_extension_oid} @deftypefun {int} {gnutls_x509_crt_get_extension_oid} (gnutls_x509_crt_t @var{cert}, int @var{indx}, void * @var{oid}, size_t * @var{sizeof_oid}) @var{cert}: should contain a gnutls_x509_crt_t structure @var{indx}: Specifies which extension OID to send. Use zero to get the first one. @var{oid}: a pointer to a structure to hold the OID (may be null) @var{sizeof_oid}: initially holds the size of @code{oid} This function will return the requested extension OID in the certificate. The extension OID will be stored as a string in the provided buffer. A negative value may be returned in case of parsing error. If your have reached the last extension available GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned. @end deftypefun @subheading gnutls_x509_crt_get_extension_info @anchor{gnutls_x509_crt_get_extension_info} @deftypefun {int} {gnutls_x509_crt_get_extension_info} (gnutls_x509_crt_t @var{cert}, int @var{indx}, void * @var{oid}, size_t * @var{sizeof_oid}, int * @var{critical}) @var{cert}: should contain a gnutls_x509_crt_t structure @var{indx}: Specifies which extension OID to send. Use zero to get the first one. @var{oid}: a pointer to a structure to hold the OID @var{sizeof_oid}: initially holds the size of @code{oid} @var{critical}: output variable with critical flag, may be NULL. This function will return the requested extension OID in the certificate, and the critical flag for it. The extension OID will be stored as a string in the provided buffer. Use @code{gnutls_x509_crt_get_extension_data()} to extract the data. Return 0 on success. A negative value may be returned in case of parsing error. If you have reached the last extension available GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned. @end deftypefun @subheading gnutls_x509_crt_get_extension_data @anchor{gnutls_x509_crt_get_extension_data} @deftypefun {int} {gnutls_x509_crt_get_extension_data} (gnutls_x509_crt_t @var{cert}, int @var{indx}, void * @var{data}, size_t * @var{sizeof_data}) @var{cert}: should contain a gnutls_x509_crt_t structure @var{indx}: Specifies which extension OID to send. Use zero to get the first one. @var{data}: a pointer to a structure to hold the data (may be null) @var{sizeof_data}: initially holds the size of @code{oid} This function will return the requested extension data in the certificate. The extension data will be stored as a string in the provided buffer. Use @code{gnutls_x509_crt_get_extension_info()} to extract the OID and critical flag. Use @code{gnutls_x509_crt_get_extension_by_oid()} instead, if you want to get data indexed by the extension OID rather than sequence. Return 0 on success. A negative value may be returned in case of parsing error. If you have reached the last extension available GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned. @end deftypefun @subheading gnutls_x509_crt_get_raw_issuer_dn @anchor{gnutls_x509_crt_get_raw_issuer_dn} @deftypefun {int} {gnutls_x509_crt_get_raw_issuer_dn} (gnutls_x509_crt_t @var{cert}, gnutls_datum_t * @var{start}) @var{cert}: should contain a gnutls_x509_crt_t structure @var{start}: will hold the starting point of the DN This function will return a pointer to the DER encoded DN structure and the length. Returns 0 on success or a negative value on error. @end deftypefun @subheading gnutls_x509_crt_get_raw_dn @anchor{gnutls_x509_crt_get_raw_dn} @deftypefun {int} {gnutls_x509_crt_get_raw_dn} (gnutls_x509_crt_t @var{cert}, gnutls_datum_t * @var{start}) @var{cert}: should contain a gnutls_x509_crt_t structure @var{start}: will hold the starting point of the DN This function will return a pointer to the DER encoded DN structure and the length. Returns 0 on success, or a negative value on error. @end deftypefun @subheading gnutls_x509_crt_get_subject @anchor{gnutls_x509_crt_get_subject} @deftypefun {int} {gnutls_x509_crt_get_subject} (gnutls_x509_crt_t @var{cert}, gnutls_x509_dn_t * @var{dn}) @var{cert}: should contain a gnutls_x509_crt_t structure @var{dn}: output variable with pointer to opaque DN. Return the Certificate's Subject DN as an opaque data type. You may use @code{gnutls_x509_dn_get_rdn_ava()} to decode the DN. @strong{Returns:} Returns 0 on success, or an error code. @end deftypefun @subheading gnutls_x509_crt_get_issuer @anchor{gnutls_x509_crt_get_issuer} @deftypefun {int} {gnutls_x509_crt_get_issuer} (gnutls_x509_crt_t @var{cert}, gnutls_x509_dn_t * @var{dn}) @var{cert}: should contain a gnutls_x509_crt_t structure @var{dn}: output variable with pointer to opaque DN Return the Certificate's Issuer DN as an opaque data type. You may use @code{gnutls_x509_dn_get_rdn_ava()} to decode the DN. Note that @code{dn} points into the @code{cert} object, and thus you may not deallocate @code{cert} and continue to access @code{dn}. @strong{Returns:} Returns 0 on success, or an error code. @end deftypefun @subheading gnutls_x509_dn_get_rdn_ava @anchor{gnutls_x509_dn_get_rdn_ava} @deftypefun {int} {gnutls_x509_dn_get_rdn_ava} (gnutls_x509_dn_t @var{dn}, int @var{irdn}, int @var{iava}, gnutls_x509_ava_st * @var{ava}) @var{dn}: input variable with opaque DN pointer @var{irdn}: index of RDN @var{iava}: index of AVA. @var{ava}: Pointer to structure which will hold output information. Get pointers to data within the DN. Note that @code{ava} will contain pointers into the @code{dn} structure, so you should not modify any data or deallocate it. Note also that the DN in turn points into the original certificate structure, and thus you may not deallocate the certificate and continue to access @code{dn}. @strong{Returns:} Returns 0 on success, or an error code. @end deftypefun @subheading gnutls_x509_crt_get_fingerprint @anchor{gnutls_x509_crt_get_fingerprint} @deftypefun {int} {gnutls_x509_crt_get_fingerprint} (gnutls_x509_crt_t @var{cert}, gnutls_digest_algorithm_t @var{algo}, void * @var{buf}, size_t * @var{sizeof_buf}) @var{cert}: should contain a gnutls_x509_crt_t structure @var{algo}: is a digest algorithm @var{buf}: a pointer to a structure to hold the fingerprint (may be null) @var{sizeof_buf}: initially holds the size of @code{buf} This function will calculate and copy the certificate's fingerprint in the provided buffer. If the buffer is null then only the size will be filled. @strong{Returns:} @code{GNUTLS_E_SHORT_MEMORY_BUFFER} if the provided buffer is not long enough, and in that case the *sizeof_buf will be updated with the required size. On success 0 is returned. @end deftypefun @subheading gnutls_x509_crt_export @anchor{gnutls_x509_crt_export} @deftypefun {int} {gnutls_x509_crt_export} (gnutls_x509_crt_t @var{cert}, gnutls_x509_crt_fmt_t @var{format}, void * @var{output_data}, size_t * @var{output_data_size}) @var{cert}: Holds the certificate @var{format}: the format of output params. One of PEM or DER. @var{output_data}: will contain a certificate PEM or DER encoded @var{output_data_size}: holds the size of output_data (and will be replaced by the actual size of parameters) This function will export the certificate to DER or PEM format. If the buffer provided is not long enough to hold the output, then *output_data_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will be returned. If the structure is PEM encoded, it will have a header of "BEGIN CERTIFICATE". @strong{Return value:} In case of failure a negative value will be returned, and 0 on success. @end deftypefun @subheading gnutls_x509_crt_get_key_id @anchor{gnutls_x509_crt_get_key_id} @deftypefun {int} {gnutls_x509_crt_get_key_id} (gnutls_x509_crt_t @var{crt}, unsigned int @var{flags}, unsigned char * @var{output_data}, size_t * @var{output_data_size}) @var{crt}: Holds the certificate @var{flags}: should be 0 for now @var{output_data}: will contain the key ID @var{output_data_size}: holds the size of output_data (and will be replaced by the actual size of parameters) This function will return a unique ID the depends on the public key parameters. This ID can be used in checking whether a certificate corresponds to the given private key. If the buffer provided is not long enough to hold the output, then *output_data_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will be returned. The output will normally be a SHA-1 hash output, which is 20 bytes. @strong{Return value:} In case of failure a negative value will be returned, and 0 on success. @end deftypefun @subheading gnutls_x509_crt_check_revocation @anchor{gnutls_x509_crt_check_revocation} @deftypefun {int} {gnutls_x509_crt_check_revocation} (gnutls_x509_crt_t @var{cert}, const gnutls_x509_crl_t * @var{crl_list}, int @var{crl_list_length}) @var{cert}: should contain a gnutls_x509_crt_t structure @var{crl_list}: should contain a list of gnutls_x509_crl_t structures @var{crl_list_length}: the length of the crl_list This function will return check if the given certificate is revoked. It is assumed that the CRLs have been verified before. @strong{Returns:} 0 if the certificate is NOT revoked, and 1 if it is. A negative value is returned on error. @end deftypefun @subheading gnutls_x509_crt_verify_data @anchor{gnutls_x509_crt_verify_data} @deftypefun {int} {gnutls_x509_crt_verify_data} (gnutls_x509_crt_t @var{crt}, unsigned int @var{flags}, const gnutls_datum_t * @var{data}, const gnutls_datum_t * @var{signature}) @var{crt}: Holds the certificate @var{flags}: should be 0 for now @var{data}: holds the data to be signed @var{signature}: contains the signature This function will verify the given signed data, using the parameters from the certificate. @strong{Returns:} In case of a verification failure 0 is returned, and 1 on success. @end deftypefun @subheading gnutls_x509_crt_get_crl_dist_points @anchor{gnutls_x509_crt_get_crl_dist_points} @deftypefun {int} {gnutls_x509_crt_get_crl_dist_points} (gnutls_x509_crt_t @var{cert}, unsigned int @var{seq}, void * @var{ret}, size_t * @var{ret_size}, unsigned int * @var{reason_flags}, unsigned int * @var{critical}) @var{cert}: should contain a gnutls_x509_crt_t structure @var{seq}: specifies the sequence number of the distribution point (0 for the first one, 1 for the second etc.) @var{ret}: is the place where the distribution point will be copied to @var{ret_size}: holds the size of ret. @var{reason_flags}: Revocation reasons flags. @var{critical}: will be non zero if the extension is marked as critical (may be null) This function will return the CRL distribution points (2.5.29.31), contained in the given certificate. @code{reason_flags} should be an ORed sequence of GNUTLS_CRL_REASON_UNUSED, GNUTLS_CRL_REASON_KEY_COMPROMISE, GNUTLS_CRL_REASON_CA_COMPROMISE, GNUTLS_CRL_REASON_AFFILIATION_CHANGED, GNUTLS_CRL_REASON_SUPERSEEDED, GNUTLS_CRL_REASON_CESSATION_OF_OPERATION, GNUTLS_CRL_REASON_CERTIFICATE_HOLD, GNUTLS_CRL_REASON_PRIVILEGE_WITHDRAWN, GNUTLS_CRL_REASON_AA_COMPROMISE, or zero for all possible reasons. This is specified in X509v3 Certificate Extensions. GNUTLS will return the distribution point type, or a negative error code on error. Returns @code{GNUTLS_E_SHORT_MEMORY_BUFFER} and updates &@code{ret_size} if &@code{ret_size} is not enough to hold the distribution point, or the type of the distribution point if everything was ok. The type is one of the enumerated @code{gnutls_x509_subject_alt_name_t}. If the certificate does not have an Alternative name with the specified sequence number then @code{GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE} is returned. @end deftypefun @subheading gnutls_x509_crt_get_key_purpose_oid @anchor{gnutls_x509_crt_get_key_purpose_oid} @deftypefun {int} {gnutls_x509_crt_get_key_purpose_oid} (gnutls_x509_crt_t @var{cert}, int @var{indx}, void * @var{oid}, size_t * @var{sizeof_oid}, unsigned int * @var{critical}) @var{cert}: should contain a gnutls_x509_crt_t structure @var{indx}: This specifies which OID to return. Use zero to get the first one. @var{oid}: a pointer to a buffer to hold the OID (may be null) @var{sizeof_oid}: initially holds the size of @code{oid} This function will extract the key purpose OIDs of the Certificate specified by the given index. These are stored in the Extended Key Usage extension (2.5.29.37) See the GNUTLS_KP_* definitions for human readable names. If @code{oid} is null then only the size will be filled. @strong{Returns:} @code{GNUTLS_E_SHORT_MEMORY_BUFFER} if the provided buffer is not long enough, and in that case the *sizeof_oid will be updated with the required size. On success 0 is returned. @end deftypefun @subheading gnutls_x509_crt_get_pk_rsa_raw @anchor{gnutls_x509_crt_get_pk_rsa_raw} @deftypefun {int} {gnutls_x509_crt_get_pk_rsa_raw} (gnutls_x509_crt_t @var{crt}, gnutls_datum_t * @var{m}, gnutls_datum_t * @var{e}) @var{crt}: Holds the certificate @var{m}: will hold the modulus @var{e}: will hold the public exponent This function will export the RSA public key's parameters found in the given structure. The new parameters will be allocated using @code{gnutls_malloc()} and will be stored in the appropriate datum. @strong{Returns:} @code{GNUTLS_E_SUCCESS} on success, otherwise an error. @end deftypefun @subheading gnutls_x509_crt_get_pk_dsa_raw @anchor{gnutls_x509_crt_get_pk_dsa_raw} @deftypefun {int} {gnutls_x509_crt_get_pk_dsa_raw} (gnutls_x509_crt_t @var{crt}, gnutls_datum_t * @var{p}, gnutls_datum_t * @var{q}, gnutls_datum_t * @var{g}, gnutls_datum_t * @var{y}) @var{crt}: Holds the certificate @var{p}: will hold the p @var{q}: will hold the q @var{g}: will hold the g @var{y}: will hold the y This function will export the DSA public key's parameters found in the given certificate. The new parameters will be allocated using @code{gnutls_malloc()} and will be stored in the appropriate datum. @strong{Returns:} @code{GNUTLS_E_SUCCESS} on success, otherwise an error. @end deftypefun @subheading gnutls_x509_crt_list_import @anchor{gnutls_x509_crt_list_import} @deftypefun {int} {gnutls_x509_crt_list_import} (gnutls_x509_crt_t * @var{certs}, unsigned int * @var{cert_max}, const gnutls_datum_t * @var{data}, gnutls_x509_crt_fmt_t @var{format}, unsigned int @var{flags}) @var{certs}: The structures to store the parsed certificate. Must not be initialized. @var{cert_max}: Initially must hold the maximum number of certs. It will be updated with the number of certs available. @var{data}: The PEM encoded certificate. @var{format}: One of DER or PEM. @var{flags}: must be zero or an OR'd sequence of gnutls_certificate_import_flags. This function will convert the given PEM encoded certificate list to the native gnutls_x509_crt_t format. The output will be stored in @code{certs}. They will be automatically initialized. If the Certificate is PEM encoded it should have a header of "X509 CERTIFICATE", or "CERTIFICATE". @strong{Returns:} the number of certificates read or a negative error value. @end deftypefun @subheading gnutls_x509_crt_check_hostname @anchor{gnutls_x509_crt_check_hostname} @deftypefun {int} {gnutls_x509_crt_check_hostname} (gnutls_x509_crt_t @var{cert}, const char * @var{hostname}) @var{cert}: should contain an gnutls_x509_crt_t structure @var{hostname}: A null terminated string that contains a DNS name This function will check if the given certificate's subject matches the given hostname. This is a basic implementation of the matching described in RFC2818 (HTTPS), which takes into account wildcards, and the DNSName/IPAddress subject alternative name PKIX extension. Returns non zero for a successful match, and zero on failure. @end deftypefun @subheading gnutls_x509_crt_check_issuer @anchor{gnutls_x509_crt_check_issuer} @deftypefun {int} {gnutls_x509_crt_check_issuer} (gnutls_x509_crt_t @var{cert}, gnutls_x509_crt_t @var{issuer}) @var{cert}: is the certificate to be checked @var{issuer}: is the certificate of a possible issuer This function will check if the given certificate was issued by the given issuer. It will return true (1) if the given certificate is issued by the given issuer, and false (0) if not. A negative value is returned in case of an error. @end deftypefun @subheading gnutls_x509_crt_list_verify @anchor{gnutls_x509_crt_list_verify} @deftypefun {int} {gnutls_x509_crt_list_verify} (const gnutls_x509_crt_t * @var{cert_list}, int @var{cert_list_length}, const gnutls_x509_crt_t * @var{CA_list}, int @var{CA_list_length}, const gnutls_x509_crl_t * @var{CRL_list}, int @var{CRL_list_length}, unsigned int @var{flags}, unsigned int * @var{verify}) @var{cert_list}: is the certificate list to be verified @var{cert_list_length}: holds the number of certificate in cert_list @var{CA_list}: is the CA list which will be used in verification @var{CA_list_length}: holds the number of CA certificate in CA_list @var{CRL_list}: holds a list of CRLs. @var{CRL_list_length}: the length of CRL list. @var{flags}: Flags that may be used to change the verification algorithm. Use OR of the gnutls_certificate_verify_flags enumerations. @var{verify}: will hold the certificate verification output. This function will try to verify the given certificate list and return its status. Note that expiration and activation dates are not checked by this function, you should check them using the appropriate functions. If no flags are specified (0), this function will use the basicConstraints (2.5.29.19) PKIX extension. This means that only a certificate authority is allowed to sign a certificate. You must also check the peer's name in order to check if the verified certificate belongs to the actual peer. The certificate verification output will be put in @code{verify} and will be one or more of the gnutls_certificate_status_t enumerated elements bitwise or'd. For a more detailed verification status use @code{gnutls_x509_crt_verify()} per list element. @strong{GNUTLS_CERT_INVALID:} the certificate chain is not valid. @strong{GNUTLS_CERT_REVOKED:} a certificate in the chain has been revoked. Returns 0 on success and a negative value in case of an error. @end deftypefun @subheading gnutls_x509_crt_verify @anchor{gnutls_x509_crt_verify} @deftypefun {int} {gnutls_x509_crt_verify} (gnutls_x509_crt_t @var{cert}, const gnutls_x509_crt_t * @var{CA_list}, int @var{CA_list_length}, unsigned int @var{flags}, unsigned int * @var{verify}) @var{cert}: is the certificate to be verified @var{CA_list}: is one certificate that is considered to be trusted one @var{CA_list_length}: holds the number of CA certificate in CA_list @var{flags}: Flags that may be used to change the verification algorithm. Use OR of the gnutls_certificate_verify_flags enumerations. @var{verify}: will hold the certificate verification output. This function will try to verify the given certificate and return its status. The verification output in this functions cannot be GNUTLS_CERT_NOT_VALID. Returns 0 on success and a negative value in case of an error. @end deftypefun @subheading gnutls_x509_crl_check_issuer @anchor{gnutls_x509_crl_check_issuer} @deftypefun {int} {gnutls_x509_crl_check_issuer} (gnutls_x509_crl_t @var{cert}, gnutls_x509_crt_t @var{issuer}) @var{issuer}: is the certificate of a possible issuer This function will check if the given CRL was issued by the given issuer certificate. It will return true (1) if the given CRL was issued by the given issuer, and false (0) if not. A negative value is returned in case of an error. @end deftypefun @subheading gnutls_x509_crl_verify @anchor{gnutls_x509_crl_verify} @deftypefun {int} {gnutls_x509_crl_verify} (gnutls_x509_crl_t @var{crl}, const gnutls_x509_crt_t * @var{CA_list}, int @var{CA_list_length}, unsigned int @var{flags}, unsigned int * @var{verify}) @var{crl}: is the crl to be verified @var{CA_list}: is a certificate list that is considered to be trusted one @var{CA_list_length}: holds the number of CA certificates in CA_list @var{flags}: Flags that may be used to change the verification algorithm. Use OR of the gnutls_certificate_verify_flags enumerations. @var{verify}: will hold the crl verification output. This function will try to verify the given crl and return its status. See @code{gnutls_x509_crt_list_verify()} for a detailed description of return values. Returns 0 on success and a negative value in case of an error. @end deftypefun @subheading gnutls_x509_privkey_init @anchor{gnutls_x509_privkey_init} @deftypefun {int} {gnutls_x509_privkey_init} (gnutls_x509_privkey_t * @var{key}) @var{key}: The structure to be initialized This function will initialize an private key structure. Returns 0 on success. @end deftypefun @subheading gnutls_x509_privkey_deinit @anchor{gnutls_x509_privkey_deinit} @deftypefun {void} {gnutls_x509_privkey_deinit} (gnutls_x509_privkey_t @var{key}) @var{key}: The structure to be initialized This function will deinitialize a private key structure. @end deftypefun @subheading gnutls_x509_privkey_cpy @anchor{gnutls_x509_privkey_cpy} @deftypefun {int} {gnutls_x509_privkey_cpy} (gnutls_x509_privkey_t @var{dst}, gnutls_x509_privkey_t @var{src}) @var{dst}: The destination key, which should be initialized. @var{src}: The source key This function will copy a private key from source to destination key. @end deftypefun @subheading gnutls_x509_privkey_import @anchor{gnutls_x509_privkey_import} @deftypefun {int} {gnutls_x509_privkey_import} (gnutls_x509_privkey_t @var{key}, const gnutls_datum_t * @var{data}, gnutls_x509_crt_fmt_t @var{format}) @var{key}: The structure to store the parsed key @var{data}: The DER or PEM encoded certificate. @var{format}: One of DER or PEM This function will convert the given DER or PEM encoded key to the native gnutls_x509_privkey_t format. The output will be stored in @code{key} . If the key is PEM encoded it should have a header of "RSA PRIVATE KEY", or "DSA PRIVATE KEY". Returns 0 on success. @end deftypefun @subheading gnutls_x509_privkey_import_rsa_raw @anchor{gnutls_x509_privkey_import_rsa_raw} @deftypefun {int} {gnutls_x509_privkey_import_rsa_raw} (gnutls_x509_privkey_t @var{key}, const gnutls_datum_t * @var{m}, const gnutls_datum_t * @var{e}, const gnutls_datum_t * @var{d}, const gnutls_datum_t * @var{p}, const gnutls_datum_t * @var{q}, const gnutls_datum_t * @var{u}) @var{key}: The structure to store the parsed key @var{m}: holds the modulus @var{e}: holds the public exponent @var{d}: holds the private exponent @var{p}: holds the first prime (p) @var{q}: holds the second prime (q) @var{u}: holds the coefficient This function will convert the given RSA raw parameters to the native gnutls_x509_privkey_t format. The output will be stored in @code{key}. @end deftypefun @subheading gnutls_x509_privkey_import_dsa_raw @anchor{gnutls_x509_privkey_import_dsa_raw} @deftypefun {int} {gnutls_x509_privkey_import_dsa_raw} (gnutls_x509_privkey_t @var{key}, const gnutls_datum_t * @var{p}, const gnutls_datum_t * @var{q}, const gnutls_datum_t * @var{g}, const gnutls_datum_t * @var{y}, const gnutls_datum_t * @var{x}) @var{key}: The structure to store the parsed key @var{p}: holds the p @var{q}: holds the q @var{g}: holds the g @var{y}: holds the y @var{x}: holds the x This function will convert the given DSA raw parameters to the native gnutls_x509_privkey_t format. The output will be stored in @code{key}. @end deftypefun @subheading gnutls_x509_privkey_get_pk_algorithm @anchor{gnutls_x509_privkey_get_pk_algorithm} @deftypefun {int} {gnutls_x509_privkey_get_pk_algorithm} (gnutls_x509_privkey_t @var{key}) @var{key}: should contain a gnutls_x509_privkey_t structure This function will return the public key algorithm of a private key. Returns a member of the gnutls_pk_algorithm_t enumeration on success, or a negative value on error. @end deftypefun @subheading gnutls_x509_privkey_export @anchor{gnutls_x509_privkey_export} @deftypefun {int} {gnutls_x509_privkey_export} (gnutls_x509_privkey_t @var{key}, gnutls_x509_crt_fmt_t @var{format}, void * @var{output_data}, size_t * @var{output_data_size}) @var{key}: Holds the key @var{format}: the format of output params. One of PEM or DER. @var{output_data}: will contain a private key PEM or DER encoded @var{output_data_size}: holds the size of output_data (and will be replaced by the actual size of parameters) This function will export the private key to a PKCS1 structure for RSA keys, or an integer sequence for DSA keys. The DSA keys are in the same format with the parameters used by openssl. If the buffer provided is not long enough to hold the output, then *output_data_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will be returned. If the structure is PEM encoded, it will have a header of "BEGIN RSA PRIVATE KEY". @strong{Return value:} In case of failure a negative value will be returned, and 0 on success. @end deftypefun @subheading gnutls_x509_privkey_export_rsa_raw @anchor{gnutls_x509_privkey_export_rsa_raw} @deftypefun {int} {gnutls_x509_privkey_export_rsa_raw} (gnutls_x509_privkey_t @var{key}, gnutls_datum_t * @var{m}, gnutls_datum_t * @var{e}, gnutls_datum_t * @var{d}, gnutls_datum_t * @var{p}, gnutls_datum_t * @var{q}, gnutls_datum_t * @var{u}) @var{key}: a structure that holds the rsa parameters @var{m}: will hold the modulus @var{e}: will hold the public exponent @var{d}: will hold the private exponent @var{p}: will hold the first prime (p) @var{q}: will hold the second prime (q) @var{u}: will hold the coefficient This function will export the RSA private key's parameters found in the given structure. The new parameters will be allocated using @code{gnutls_malloc()} and will be stored in the appropriate datum. @end deftypefun @subheading gnutls_x509_privkey_export_dsa_raw @anchor{gnutls_x509_privkey_export_dsa_raw} @deftypefun {int} {gnutls_x509_privkey_export_dsa_raw} (gnutls_x509_privkey_t @var{key}, gnutls_datum_t * @var{p}, gnutls_datum_t * @var{q}, gnutls_datum_t * @var{g}, gnutls_datum_t * @var{y}, gnutls_datum_t * @var{x}) @var{p}: will hold the p @var{q}: will hold the q @var{g}: will hold the g @var{y}: will hold the y @var{x}: will hold the x This function will export the DSA private key's parameters found in the given structure. The new parameters will be allocated using @code{gnutls_malloc()} and will be stored in the appropriate datum. @end deftypefun @subheading gnutls_x509_privkey_generate @anchor{gnutls_x509_privkey_generate} @deftypefun {int} {gnutls_x509_privkey_generate} (gnutls_x509_privkey_t @var{key}, gnutls_pk_algorithm_t @var{algo}, unsigned int @var{bits}, unsigned int @var{flags}) @var{key}: should contain a gnutls_x509_privkey_t structure @var{algo}: is one of RSA or DSA. @var{bits}: the size of the modulus @var{flags}: unused for now. Must be 0. This function will generate a random private key. Note that this function must be called on an empty private key. Returns 0 on success or a negative value on error. @end deftypefun @subheading gnutls_x509_privkey_get_key_id @anchor{gnutls_x509_privkey_get_key_id} @deftypefun {int} {gnutls_x509_privkey_get_key_id} (gnutls_x509_privkey_t @var{key}, unsigned int @var{flags}, unsigned char * @var{output_data}, size_t * @var{output_data_size}) @var{key}: Holds the key @var{flags}: should be 0 for now @var{output_data}: will contain the key ID @var{output_data_size}: holds the size of output_data (and will be replaced by the actual size of parameters) This function will return a unique ID the depends on the public key parameters. This ID can be used in checking whether a certificate corresponds to the given key. If the buffer provided is not long enough to hold the output, then *output_data_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will be returned. The output will normally be a SHA-1 hash output, which is 20 bytes. @strong{Return value:} In case of failure a negative value will be returned, and 0 on success. @end deftypefun @subheading gnutls_x509_privkey_sign_data @anchor{gnutls_x509_privkey_sign_data} @deftypefun {int} {gnutls_x509_privkey_sign_data} (gnutls_x509_privkey_t @var{key}, gnutls_digest_algorithm_t @var{digest}, unsigned int @var{flags}, const gnutls_datum_t * @var{data}, void * @var{signature}, size_t * @var{signature_size}) @var{key}: Holds the key @var{digest}: should be MD5 or SHA1 @var{flags}: should be 0 for now @var{data}: holds the data to be signed @var{signature}: will contain the signature @var{signature_size}: holds the size of signature (and will be replaced by the new size) This function will sign the given data using a signature algorithm supported by the private key. Signature algorithms are always used together with a hash functions. Different hash functions may be used for the RSA algorithm, but only SHA-1 for the DSA keys. If the buffer provided is not long enough to hold the output, then *signature_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will be returned. In case of failure a negative value will be returned, and 0 on success. @end deftypefun @subheading gnutls_x509_privkey_sign_hash @anchor{gnutls_x509_privkey_sign_hash} @deftypefun {int} {gnutls_x509_privkey_sign_hash} (gnutls_x509_privkey_t @var{key}, const gnutls_datum_t * @var{hash}, gnutls_datum_t * @var{signature}) @var{key}: Holds the key @var{hash}: holds the data to be signed @var{signature}: will contain newly allocated signature This function will sign the given hash using the private key. @strong{Return value:} In case of failure a negative value will be returned, and 0 on success. @end deftypefun @subheading gnutls_x509_privkey_verify_data @anchor{gnutls_x509_privkey_verify_data} @deftypefun {int} {gnutls_x509_privkey_verify_data} (gnutls_x509_privkey_t @var{key}, unsigned int @var{flags}, const gnutls_datum_t * @var{data}, const gnutls_datum_t * @var{signature}) @var{key}: Holds the key @var{flags}: should be 0 for now @var{data}: holds the data to be signed @var{signature}: contains the signature This function will verify the given signed data, using the parameters in the private key. In case of a verification failure 0 is returned, and 1 on success. @end deftypefun @subheading gnutls_x509_privkey_fix @anchor{gnutls_x509_privkey_fix} @deftypefun {int} {gnutls_x509_privkey_fix} (gnutls_x509_privkey_t @var{key}) @var{key}: Holds the key This function will recalculate the secondary parameters in a key. In RSA keys, this can be the coefficient and exponent1,2. @strong{Return value:} In case of failure a negative value will be returned, and 0 on success. @end deftypefun @subheading gnutls_pkcs7_init @anchor{gnutls_pkcs7_init} @deftypefun {int} {gnutls_pkcs7_init} (gnutls_pkcs7_t * @var{pkcs7}) @var{pkcs7}: The structure to be initialized This function will initialize a PKCS7 structure. PKCS7 structures usually contain lists of X.509 Certificates and X.509 Certificate revocation lists. Returns 0 on success. @end deftypefun @subheading gnutls_pkcs7_deinit @anchor{gnutls_pkcs7_deinit} @deftypefun {void} {gnutls_pkcs7_deinit} (gnutls_pkcs7_t @var{pkcs7}) @var{pkcs7}: The structure to be initialized This function will deinitialize a PKCS7 structure. @end deftypefun @subheading gnutls_pkcs7_import @anchor{gnutls_pkcs7_import} @deftypefun {int} {gnutls_pkcs7_import} (gnutls_pkcs7_t @var{pkcs7}, const gnutls_datum_t * @var{data}, gnutls_x509_crt_fmt_t @var{format}) @var{pkcs7}: The structure to store the parsed PKCS7. @var{data}: The DER or PEM encoded PKCS7. @var{format}: One of DER or PEM This function will convert the given DER or PEM encoded PKCS7 to the native gnutls_pkcs7_t format. The output will be stored in 'pkcs7'. If the PKCS7 is PEM encoded it should have a header of "PKCS7". Returns 0 on success. @end deftypefun @subheading gnutls_pkcs7_get_crt_raw @anchor{gnutls_pkcs7_get_crt_raw} @deftypefun {int} {gnutls_pkcs7_get_crt_raw} (gnutls_pkcs7_t @var{pkcs7}, int @var{indx}, void * @var{certificate}, size_t * @var{certificate_size}) @var{indx}: contains the index of the certificate to extract @var{certificate}: the contents of the certificate will be copied there (may be null) @var{certificate_size}: should hold the size of the certificate This function will return a certificate of the PKCS7 or RFC2630 certificate set. Returns 0 on success. If the provided buffer is not long enough, then @code{certificate_size} is updated and GNUTLS_E_SHORT_MEMORY_BUFFER is returned. After the last certificate has been read GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned. @end deftypefun @subheading gnutls_pkcs7_get_crt_count @anchor{gnutls_pkcs7_get_crt_count} @deftypefun {int} {gnutls_pkcs7_get_crt_count} (gnutls_pkcs7_t @var{pkcs7}) This function will return the number of certifcates in the PKCS7 or RFC2630 certificate set. Returns a negative value on failure. @end deftypefun @subheading gnutls_pkcs7_export @anchor{gnutls_pkcs7_export} @deftypefun {int} {gnutls_pkcs7_export} (gnutls_pkcs7_t @var{pkcs7}, gnutls_x509_crt_fmt_t @var{format}, void * @var{output_data}, size_t * @var{output_data_size}) @var{pkcs7}: Holds the pkcs7 structure @var{format}: the format of output params. One of PEM or DER. @var{output_data}: will contain a structure PEM or DER encoded @var{output_data_size}: holds the size of output_data (and will be replaced by the actual size of parameters) This function will export the pkcs7 structure to DER or PEM format. If the buffer provided is not long enough to hold the output, then *output_data_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will be returned. If the structure is PEM encoded, it will have a header of "BEGIN PKCS7". @strong{Return value:} In case of failure a negative value will be returned, and 0 on success. @end deftypefun @subheading gnutls_pkcs7_set_crt_raw @anchor{gnutls_pkcs7_set_crt_raw} @deftypefun {int} {gnutls_pkcs7_set_crt_raw} (gnutls_pkcs7_t @var{pkcs7}, const gnutls_datum_t * @var{crt}) @var{crt}: the DER encoded certificate to be added This function will add a certificate to the PKCS7 or RFC2630 certificate set. Returns 0 on success. @end deftypefun @subheading gnutls_pkcs7_set_crt @anchor{gnutls_pkcs7_set_crt} @deftypefun {int} {gnutls_pkcs7_set_crt} (gnutls_pkcs7_t @var{pkcs7}, gnutls_x509_crt_t @var{crt}) @var{crt}: the certificate to be copied. This function will add a parsed certificate to the PKCS7 or RFC2630 certificate set. This is a wrapper function over @code{gnutls_pkcs7_set_crt_raw()} . Returns 0 on success. @end deftypefun @subheading gnutls_pkcs7_delete_crt @anchor{gnutls_pkcs7_delete_crt} @deftypefun {int} {gnutls_pkcs7_delete_crt} (gnutls_pkcs7_t @var{pkcs7}, int @var{indx}) @var{indx}: the index of the certificate to delete This function will delete a certificate from a PKCS7 or RFC2630 certificate set. Index starts from 0. Returns 0 on success. @end deftypefun @subheading gnutls_pkcs7_get_crl_raw @anchor{gnutls_pkcs7_get_crl_raw} @deftypefun {int} {gnutls_pkcs7_get_crl_raw} (gnutls_pkcs7_t @var{pkcs7}, int @var{indx}, void * @var{crl}, size_t * @var{crl_size}) @var{indx}: contains the index of the crl to extract @var{crl}: the contents of the crl will be copied there (may be null) @var{crl_size}: should hold the size of the crl This function will return a crl of the PKCS7 or RFC2630 crl set. Returns 0 on success. If the provided buffer is not long enough, then @code{crl_size} is updated and GNUTLS_E_SHORT_MEMORY_BUFFER is returned. After the last crl has been read GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned. @end deftypefun @subheading gnutls_pkcs7_get_crl_count @anchor{gnutls_pkcs7_get_crl_count} @deftypefun {int} {gnutls_pkcs7_get_crl_count} (gnutls_pkcs7_t @var{pkcs7}) This function will return the number of certifcates in the PKCS7 or RFC2630 crl set. Returns a negative value on failure. @end deftypefun @subheading gnutls_pkcs7_set_crl_raw @anchor{gnutls_pkcs7_set_crl_raw} @deftypefun {int} {gnutls_pkcs7_set_crl_raw} (gnutls_pkcs7_t @var{pkcs7}, const gnutls_datum_t * @var{crl}) @var{crl}: the DER encoded crl to be added This function will add a crl to the PKCS7 or RFC2630 crl set. Returns 0 on success. @end deftypefun @subheading gnutls_pkcs7_set_crl @anchor{gnutls_pkcs7_set_crl} @deftypefun {int} {gnutls_pkcs7_set_crl} (gnutls_pkcs7_t @var{pkcs7}, gnutls_x509_crl_t @var{crl}) @var{crl}: the DER encoded crl to be added This function will add a parsed crl to the PKCS7 or RFC2630 crl set. Returns 0 on success. @end deftypefun @subheading gnutls_pkcs7_delete_crl @anchor{gnutls_pkcs7_delete_crl} @deftypefun {int} {gnutls_pkcs7_delete_crl} (gnutls_pkcs7_t @var{pkcs7}, int @var{indx}) @var{indx}: the index of the crl to delete This function will delete a crl from a PKCS7 or RFC2630 crl set. Index starts from 0. Returns 0 on success. @end deftypefun @subheading gnutls_x509_crq_init @anchor{gnutls_x509_crq_init} @deftypefun {int} {gnutls_x509_crq_init} (gnutls_x509_crq_t * @var{crq}) @var{crq}: The structure to be initialized This function will initialize a PKCS10 certificate request structure. Returns 0 on success. @end deftypefun @subheading gnutls_x509_crq_deinit @anchor{gnutls_x509_crq_deinit} @deftypefun {void} {gnutls_x509_crq_deinit} (gnutls_x509_crq_t @var{crq}) @var{crq}: The structure to be initialized This function will deinitialize a CRL structure. @end deftypefun @subheading gnutls_x509_crq_import @anchor{gnutls_x509_crq_import} @deftypefun {int} {gnutls_x509_crq_import} (gnutls_x509_crq_t @var{crq}, const gnutls_datum_t * @var{data}, gnutls_x509_crt_fmt_t @var{format}) @var{crq}: The structure to store the parsed certificate request. @var{data}: The DER or PEM encoded certificate. @var{format}: One of DER or PEM This function will convert the given DER or PEM encoded Certificate to the native gnutls_x509_crq_t format. The output will be stored in @code{cert}. If the Certificate is PEM encoded it should have a header of "NEW CERTIFICATE REQUEST". Returns 0 on success. @end deftypefun @subheading gnutls_x509_crq_get_dn @anchor{gnutls_x509_crq_get_dn} @deftypefun {int} {gnutls_x509_crq_get_dn} (gnutls_x509_crq_t @var{crq}, char * @var{buf}, size_t * @var{sizeof_buf}) @var{crq}: should contain a gnutls_x509_crq_t structure @var{buf}: a pointer to a structure to hold the name (may be null) @var{sizeof_buf}: initially holds the size of @code{buf} This function will copy the name of the Certificate request subject in the provided buffer. The name will be in the form "C=xxxx,O=yyyy,CN=zzzz" as described in RFC2253. The output string will be ASCII or UTF-8 encoded, depending on the certificate data. If @code{buf} is null then only the size will be filled. Returns GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not long enough, and in that case the *sizeof_buf will be updated with the required size. On success 0 is returned. @end deftypefun @subheading gnutls_x509_crq_get_dn_by_oid @anchor{gnutls_x509_crq_get_dn_by_oid} @deftypefun {int} {gnutls_x509_crq_get_dn_by_oid} (gnutls_x509_crq_t @var{crq}, const char * @var{oid}, int @var{indx}, unsigned int @var{raw_flag}, void * @var{buf}, size_t * @var{sizeof_buf}) @var{crq}: should contain a gnutls_x509_crq_t structure @var{oid}: holds an Object Identified in null terminated string @var{indx}: In case multiple same OIDs exist in the RDN, this specifies which to send. Use zero to get the first one. @var{raw_flag}: If non zero returns the raw DER data of the DN part. @var{buf}: a pointer to a structure to hold the name (may be null) @var{sizeof_buf}: initially holds the size of @code{buf} This function will extract the part of the name of the Certificate request subject, specified by the given OID. The output will be encoded as described in RFC2253. The output string will be ASCII or UTF-8 encoded, depending on the certificate data. Some helper macros with popular OIDs can be found in gnutls/x509.h If raw flag is zero, this function will only return known OIDs as text. Other OIDs will be DER encoded, as described in RFC2253 -- in hex format with a '\#' prefix. You can check about known OIDs using @code{gnutls_x509_dn_oid_known()}. If @code{buf} is null then only the size will be filled. Returns GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not long enough, and in that case the *sizeof_buf will be updated with the required size. On success 0 is returned. @end deftypefun @subheading gnutls_x509_crq_get_dn_oid @anchor{gnutls_x509_crq_get_dn_oid} @deftypefun {int} {gnutls_x509_crq_get_dn_oid} (gnutls_x509_crq_t @var{crq}, int @var{indx}, void * @var{oid}, size_t * @var{sizeof_oid}) @var{crq}: should contain a gnutls_x509_crq_t structure @var{indx}: Specifies which DN OID to send. Use zero to get the first one. @var{oid}: a pointer to a structure to hold the name (may be null) @var{sizeof_oid}: initially holds the size of @code{oid} This function will extract the requested OID of the name of the Certificate request subject, specified by the given index. If oid is null then only the size will be filled. Returns GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not long enough, and in that case the *sizeof_oid will be updated with the required size. On success 0 is returned. @end deftypefun @subheading gnutls_x509_crq_get_challenge_password @anchor{gnutls_x509_crq_get_challenge_password} @deftypefun {int} {gnutls_x509_crq_get_challenge_password} (gnutls_x509_crq_t @var{crq}, char * @var{pass}, size_t * @var{sizeof_pass}) @var{crq}: should contain a gnutls_x509_crq_t structure @var{pass}: will hold a null terminated password @var{sizeof_pass}: Initially holds the size of @code{pass}. This function will return the challenge password in the request. Returns 0 on success. @end deftypefun @subheading gnutls_x509_crq_set_attribute_by_oid @anchor{gnutls_x509_crq_set_attribute_by_oid} @deftypefun {int} {gnutls_x509_crq_set_attribute_by_oid} (gnutls_x509_crq_t @var{crq}, const char * @var{oid}, void * @var{buf}, size_t @var{sizeof_buf}) @var{crq}: should contain a gnutls_x509_crq_t structure @var{oid}: holds an Object Identified in null terminated string @var{buf}: a pointer to a structure that holds the attribute data @var{sizeof_buf}: holds the size of @code{buf} This function will set the attribute in the certificate request specified by the given Object ID. The attribute must be be DER encoded. Returns 0 on success. @end deftypefun @subheading gnutls_x509_crq_get_attribute_by_oid @anchor{gnutls_x509_crq_get_attribute_by_oid} @deftypefun {int} {gnutls_x509_crq_get_attribute_by_oid} (gnutls_x509_crq_t @var{crq}, const char * @var{oid}, int @var{indx}, void * @var{buf}, size_t * @var{sizeof_buf}) @var{crq}: should contain a gnutls_x509_crq_t structure @var{oid}: holds an Object Identified in null terminated string @var{indx}: In case multiple same OIDs exist in the attribute list, this specifies which to send. Use zero to get the first one. @var{buf}: a pointer to a structure to hold the attribute data (may be null) @var{sizeof_buf}: initially holds the size of @code{buf} This function will return the attribute in the certificate request specified by the given Object ID. The attribute will be DER encoded. Returns 0 on success. @end deftypefun @subheading gnutls_x509_crq_set_dn_by_oid @anchor{gnutls_x509_crq_set_dn_by_oid} @deftypefun {int} {gnutls_x509_crq_set_dn_by_oid} (gnutls_x509_crq_t @var{crq}, const char * @var{oid}, unsigned int @var{raw_flag}, const void * @var{data}, unsigned int @var{sizeof_data}) @var{crq}: should contain a gnutls_x509_crq_t structure @var{oid}: holds an Object Identifier in a null terminated string @var{raw_flag}: must be 0, or 1 if the data are DER encoded @var{data}: a pointer to the input data @var{sizeof_data}: holds the size of @code{data} This function will set the part of the name of the Certificate request subject, specified by the given OID. The input string should be ASCII or UTF-8 encoded. Some helper macros with popular OIDs can be found in gnutls/x509.h With this function you can only set the known OIDs. You can test for known OIDs using @code{gnutls_x509_dn_oid_known()}. For OIDs that are not known (by gnutls) you should properly DER encode your data, and call this function with raw_flag set. Returns 0 on success. @end deftypefun @subheading gnutls_x509_crq_set_version @anchor{gnutls_x509_crq_set_version} @deftypefun {int} {gnutls_x509_crq_set_version} (gnutls_x509_crq_t @var{crq}, unsigned int @var{version}) @var{crq}: should contain a gnutls_x509_crq_t structure @var{version}: holds the version number. For v1 Requests must be 1. This function will set the version of the certificate request. For version 1 requests this must be one. Returns 0 on success. @end deftypefun @subheading gnutls_x509_crq_get_version @anchor{gnutls_x509_crq_get_version} @deftypefun {int} {gnutls_x509_crq_get_version} (gnutls_x509_crq_t @var{crq}) @var{crq}: should contain a gnutls_x509_crq_t structure This function will return the version of the specified Certificate request. Returns a negative value on error. @end deftypefun @subheading gnutls_x509_crq_set_key @anchor{gnutls_x509_crq_set_key} @deftypefun {int} {gnutls_x509_crq_set_key} (gnutls_x509_crq_t @var{crq}, gnutls_x509_privkey_t @var{key}) @var{crq}: should contain a gnutls_x509_crq_t structure @var{key}: holds a private key This function will set the public parameters from the given private key to the request. Only RSA keys are currently supported. Returns 0 on success. @end deftypefun @subheading gnutls_x509_crq_set_challenge_password @anchor{gnutls_x509_crq_set_challenge_password} @deftypefun {int} {gnutls_x509_crq_set_challenge_password} (gnutls_x509_crq_t @var{crq}, const char * @var{pass}) @var{crq}: should contain a gnutls_x509_crq_t structure @var{pass}: holds a null terminated password This function will set a challenge password to be used when revoking the request. Returns 0 on success. @end deftypefun @subheading gnutls_x509_crq_sign2 @anchor{gnutls_x509_crq_sign2} @deftypefun {int} {gnutls_x509_crq_sign2} (gnutls_x509_crq_t @var{crq}, gnutls_x509_privkey_t @var{key}, gnutls_digest_algorithm_t @var{dig}, unsigned int @var{flags}) @var{crq}: should contain a gnutls_x509_crq_t structure @var{key}: holds a private key @var{dig}: The message digest to use. GNUTLS_DIG_SHA1 is the safe choice unless you know what you're doing. @var{flags}: must be 0 This function will sign the certificate request with a private key. This must be the same key as the one used in @code{gnutls_x509_crt_set_key()} since a certificate request is self signed. This must be the last step in a certificate request generation since all the previously set parameters are now signed. Returns 0 on success. @end deftypefun @subheading gnutls_x509_crq_sign @anchor{gnutls_x509_crq_sign} @deftypefun {int} {gnutls_x509_crq_sign} (gnutls_x509_crq_t @var{crq}, gnutls_x509_privkey_t @var{key}) @var{crq}: should contain a gnutls_x509_crq_t structure @var{key}: holds a private key This function is the same a @code{gnutls_x509_crq_sign2()} with no flags, and SHA1 as the hash algorithm. Returns 0 on success. @end deftypefun @subheading gnutls_x509_crq_export @anchor{gnutls_x509_crq_export} @deftypefun {int} {gnutls_x509_crq_export} (gnutls_x509_crq_t @var{crq}, gnutls_x509_crt_fmt_t @var{format}, void * @var{output_data}, size_t * @var{output_data_size}) @var{crq}: Holds the request @var{format}: the format of output params. One of PEM or DER. @var{output_data}: will contain a certificate request PEM or DER encoded @var{output_data_size}: holds the size of output_data (and will be replaced by the actual size of parameters) This function will export the certificate request to a PKCS10 If the buffer provided is not long enough to hold the output, then GNUTLS_E_SHORT_MEMORY_BUFFER will be returned and *output_data_size will be updated. If the structure is PEM encoded, it will have a header of "BEGIN NEW CERTIFICATE REQUEST". @strong{Return value:} In case of failure a negative value will be returned, and 0 on success. @end deftypefun @subheading gnutls_x509_crq_get_pk_algorithm @anchor{gnutls_x509_crq_get_pk_algorithm} @deftypefun {int} {gnutls_x509_crq_get_pk_algorithm} (gnutls_x509_crq_t @var{crq}, unsigned int * @var{bits}) @var{crq}: should contain a gnutls_x509_crq_t structure @var{bits}: if bits is non null it will hold the size of the parameters' in bits This function will return the public key algorithm of a PKCS \@code{10} certificate request. If bits is non null, it should have enough size to hold the parameters size in bits. For RSA the bits returned is the modulus. For DSA the bits returned are of the public exponent. Returns a member of the gnutls_pk_algorithm_t enumeration on success, or a negative value on error. @end deftypefun @subheading gnutls_x509_privkey_export_pkcs8 @anchor{gnutls_x509_privkey_export_pkcs8} @deftypefun {int} {gnutls_x509_privkey_export_pkcs8} (gnutls_x509_privkey_t @var{key}, gnutls_x509_crt_fmt_t @var{format}, const char * @var{password}, unsigned int @var{flags}, void * @var{output_data}, size_t * @var{output_data_size}) @var{key}: Holds the key @var{format}: the format of output params. One of PEM or DER. @var{password}: the password that will be used to encrypt the key. @var{flags}: an ORed sequence of gnutls_pkcs_encrypt_flags_t @var{output_data}: will contain a private key PEM or DER encoded @var{output_data_size}: holds the size of output_data (and will be replaced by the actual size of parameters) This function will export the private key to a PKCS8 structure. Both RSA and DSA keys can be exported. For DSA keys we use PKCS @code{11} definitions. If the flags do not specify the encryption cipher, then the default 3DES (PBES2) will be used. The @code{password} can be either ASCII or UTF-8 in the default PBES2 encryption schemas, or ASCII for the PKCS12 schemas. If the buffer provided is not long enough to hold the output, then *output_data_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will be returned. If the structure is PEM encoded, it will have a header of "BEGIN ENCRYPTED PRIVATE KEY" or "BEGIN PRIVATE KEY" if encryption is not used. @strong{Return value:} In case of failure a negative value will be returned, and 0 on success. @end deftypefun @subheading gnutls_x509_privkey_import_pkcs8 @anchor{gnutls_x509_privkey_import_pkcs8} @deftypefun {int} {gnutls_x509_privkey_import_pkcs8} (gnutls_x509_privkey_t @var{key}, const gnutls_datum_t * @var{data}, gnutls_x509_crt_fmt_t @var{format}, const char * @var{password}, unsigned int @var{flags}) @var{key}: The structure to store the parsed key @var{data}: The DER or PEM encoded key. @var{format}: One of DER or PEM @var{password}: the password to decrypt the key (if it is encrypted). @var{flags}: 0 if encrypted or GNUTLS_PKCS_PLAIN if not encrypted. This function will convert the given DER or PEM encoded PKCS8 2.0 encrypted key to the native gnutls_x509_privkey_t format. The output will be stored in @code{key}. Both RSA and DSA keys can be imported, and flags can only be used to indicate an unencrypted key. The @code{password} can be either ASCII or UTF-8 in the default PBES2 encryption schemas, or ASCII for the PKCS12 schemas. If the Certificate is PEM encoded it should have a header of "ENCRYPTED PRIVATE KEY", or "PRIVATE KEY". You only need to specify the flags if the key is DER encoded, since in that case the encryption status cannot be auto-detected. Returns 0 on success. @end deftypefun @subheading gnutls_pkcs12_init @anchor{gnutls_pkcs12_init} @deftypefun {int} {gnutls_pkcs12_init} (gnutls_pkcs12_t * @var{pkcs12}) @var{pkcs12}: The structure to be initialized This function will initialize a PKCS12 structure. PKCS12 structures usually contain lists of X.509 Certificates and X.509 Certificate revocation lists. Returns 0 on success. @end deftypefun @subheading gnutls_pkcs12_deinit @anchor{gnutls_pkcs12_deinit} @deftypefun {void} {gnutls_pkcs12_deinit} (gnutls_pkcs12_t @var{pkcs12}) @var{pkcs12}: The structure to be initialized This function will deinitialize a PKCS12 structure. @end deftypefun @subheading gnutls_pkcs12_import @anchor{gnutls_pkcs12_import} @deftypefun {int} {gnutls_pkcs12_import} (gnutls_pkcs12_t @var{pkcs12}, const gnutls_datum_t * @var{data}, gnutls_x509_crt_fmt_t @var{format}, unsigned int @var{flags}) @var{pkcs12}: The structure to store the parsed PKCS12. @var{data}: The DER or PEM encoded PKCS12. @var{format}: One of DER or PEM @var{flags}: an ORed sequence of gnutls_privkey_pkcs8_flags This function will convert the given DER or PEM encoded PKCS12 to the native gnutls_pkcs12_t format. The output will be stored in 'pkcs12'. If the PKCS12 is PEM encoded it should have a header of "PKCS12". Returns 0 on success. @end deftypefun @subheading gnutls_pkcs12_export @anchor{gnutls_pkcs12_export} @deftypefun {int} {gnutls_pkcs12_export} (gnutls_pkcs12_t @var{pkcs12}, gnutls_x509_crt_fmt_t @var{format}, void * @var{output_data}, size_t * @var{output_data_size}) @var{pkcs12}: Holds the pkcs12 structure @var{format}: the format of output params. One of PEM or DER. @var{output_data}: will contain a structure PEM or DER encoded @var{output_data_size}: holds the size of output_data (and will be replaced by the actual size of parameters) This function will export the pkcs12 structure to DER or PEM format. If the buffer provided is not long enough to hold the output, then *output_data_size will be updated and GNUTLS_E_SHORT_MEMORY_BUFFER will be returned. If the structure is PEM encoded, it will have a header of "BEGIN PKCS12". @strong{Return value:} In case of failure a negative value will be returned, and 0 on success. @end deftypefun @subheading gnutls_pkcs12_get_bag @anchor{gnutls_pkcs12_get_bag} @deftypefun {int} {gnutls_pkcs12_get_bag} (gnutls_pkcs12_t @var{pkcs12}, int @var{indx}, gnutls_pkcs12_bag_t @var{bag}) @var{pkcs12}: should contain a gnutls_pkcs12_t structure @var{indx}: contains the index of the bag to extract @var{bag}: An initialized bag, where the contents of the bag will be copied This function will return a Bag from the PKCS12 structure. Returns 0 on success. After the last Bag has been read GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned. @end deftypefun @subheading gnutls_pkcs12_set_bag @anchor{gnutls_pkcs12_set_bag} @deftypefun {int} {gnutls_pkcs12_set_bag} (gnutls_pkcs12_t @var{pkcs12}, gnutls_pkcs12_bag_t @var{bag}) @var{pkcs12}: should contain a gnutls_pkcs12_t structure @var{bag}: An initialized bag This function will insert a Bag into the PKCS12 structure. Returns 0 on success. @end deftypefun @subheading gnutls_pkcs12_generate_mac @anchor{gnutls_pkcs12_generate_mac} @deftypefun {int} {gnutls_pkcs12_generate_mac} (gnutls_pkcs12_t @var{pkcs12}, const char * @var{pass}) @var{pkcs12}: should contain a gnutls_pkcs12_t structure @var{pass}: The password for the MAC This function will generate a MAC for the PKCS12 structure. Returns 0 on success. @end deftypefun @subheading gnutls_pkcs12_verify_mac @anchor{gnutls_pkcs12_verify_mac} @deftypefun {int} {gnutls_pkcs12_verify_mac} (gnutls_pkcs12_t @var{pkcs12}, const char * @var{pass}) @var{pkcs12}: should contain a gnutls_pkcs12_t structure @var{pass}: The password for the MAC This function will verify the MAC for the PKCS12 structure. Returns 0 on success. @end deftypefun @subheading gnutls_pkcs12_bag_init @anchor{gnutls_pkcs12_bag_init} @deftypefun {int} {gnutls_pkcs12_bag_init} (gnutls_pkcs12_bag_t * @var{bag}) @var{bag}: The structure to be initialized This function will initialize a PKCS12 bag structure. PKCS12 Bags usually contain private keys, lists of X.509 Certificates and X.509 Certificate revocation lists. Returns 0 on success. @end deftypefun @subheading gnutls_pkcs12_bag_deinit @anchor{gnutls_pkcs12_bag_deinit} @deftypefun {void} {gnutls_pkcs12_bag_deinit} (gnutls_pkcs12_bag_t @var{bag}) @var{bag}: The structure to be initialized This function will deinitialize a PKCS12 Bag structure. @end deftypefun @subheading gnutls_pkcs12_bag_get_type @anchor{gnutls_pkcs12_bag_get_type} @deftypefun {gnutls_pkcs12_bag_type_t} {gnutls_pkcs12_bag_get_type} (gnutls_pkcs12_bag_t @var{bag}, int @var{indx}) @var{bag}: The bag @var{indx}: The element of the bag to get the type This function will return the bag's type. One of the gnutls_pkcs12_bag_type_t enumerations. @end deftypefun @subheading gnutls_pkcs12_bag_get_count @anchor{gnutls_pkcs12_bag_get_count} @deftypefun {int} {gnutls_pkcs12_bag_get_count} (gnutls_pkcs12_bag_t @var{bag}) @var{bag}: The bag This function will return the number of the elements withing the bag. @end deftypefun @subheading gnutls_pkcs12_bag_get_data @anchor{gnutls_pkcs12_bag_get_data} @deftypefun {int} {gnutls_pkcs12_bag_get_data} (gnutls_pkcs12_bag_t @var{bag}, int @var{indx}, gnutls_datum_t * @var{data}) @var{bag}: The bag @var{indx}: The element of the bag to get the data from @var{data}: where the bag's data will be. Should be treated as constant. This function will return the bag's data. The data is a constant that is stored into the bag. Should not be accessed after the bag is deleted. Returns 0 on success and a negative error code on error. @end deftypefun @subheading gnutls_pkcs12_bag_set_data @anchor{gnutls_pkcs12_bag_set_data} @deftypefun {int} {gnutls_pkcs12_bag_set_data} (gnutls_pkcs12_bag_t @var{bag}, gnutls_pkcs12_bag_type_t @var{type}, const gnutls_datum_t * @var{data}) @var{bag}: The bag @var{type}: The data's type @var{data}: the data to be copied. This function will insert the given data of the given type into the bag. Returns the index of the added bag on success, or a negative value on error. @end deftypefun @subheading gnutls_pkcs12_bag_set_crt @anchor{gnutls_pkcs12_bag_set_crt} @deftypefun {int} {gnutls_pkcs12_bag_set_crt} (gnutls_pkcs12_bag_t @var{bag}, gnutls_x509_crt_t @var{crt}) @var{bag}: The bag @var{crt}: the certificate to be copied. This function will insert the given certificate into the bag. This is just a wrapper over @code{gnutls_pkcs12_bag_set_data()}. Returns the index of the added bag on success, or a negative value on failure. @end deftypefun @subheading gnutls_pkcs12_bag_set_crl @anchor{gnutls_pkcs12_bag_set_crl} @deftypefun {int} {gnutls_pkcs12_bag_set_crl} (gnutls_pkcs12_bag_t @var{bag}, gnutls_x509_crl_t @var{crl}) @var{bag}: The bag @var{crl}: the CRL to be copied. This function will insert the given CRL into the bag. This is just a wrapper over @code{gnutls_pkcs12_bag_set_data()}. Returns the index of the added bag on success, or a negative value on failure. @end deftypefun @subheading gnutls_pkcs12_bag_set_key_id @anchor{gnutls_pkcs12_bag_set_key_id} @deftypefun {int} {gnutls_pkcs12_bag_set_key_id} (gnutls_pkcs12_bag_t @var{bag}, int @var{indx}, const gnutls_datum_t * @var{id}) @var{bag}: The bag @var{indx}: The bag's element to add the id @var{id}: the ID This function will add the given key ID, to the specified, by the index, bag element. The key ID will be encoded as a 'Local key identifier' bag attribute, which is usually used to distinguish the local private key and the certificate pair. Returns 0 on success, or a negative value on error. @end deftypefun @subheading gnutls_pkcs12_bag_get_key_id @anchor{gnutls_pkcs12_bag_get_key_id} @deftypefun {int} {gnutls_pkcs12_bag_get_key_id} (gnutls_pkcs12_bag_t @var{bag}, int @var{indx}, gnutls_datum_t * @var{id}) @var{bag}: The bag @var{indx}: The bag's element to add the id @var{id}: where the ID will be copied (to be treated as const) This function will return the key ID, of the specified bag element. The key ID is usually used to distinguish the local private key and the certificate pair. Returns 0 on success, or a negative value on error. @end deftypefun @subheading gnutls_pkcs12_bag_get_friendly_name @anchor{gnutls_pkcs12_bag_get_friendly_name} @deftypefun {int} {gnutls_pkcs12_bag_get_friendly_name} (gnutls_pkcs12_bag_t @var{bag}, int @var{indx}, char ** @var{name}) @var{bag}: The bag @var{indx}: The bag's element to add the id @var{name}: will hold a pointer to the name (to be treated as const) This function will return the friendly name, of the specified bag element. The key ID is usually used to distinguish the local private key and the certificate pair. Returns 0 on success, or a negative value on error. @end deftypefun @subheading gnutls_pkcs12_bag_set_friendly_name @anchor{gnutls_pkcs12_bag_set_friendly_name} @deftypefun {int} {gnutls_pkcs12_bag_set_friendly_name} (gnutls_pkcs12_bag_t @var{bag}, int @var{indx}, const char * @var{name}) @var{bag}: The bag @var{indx}: The bag's element to add the id @var{name}: the name This function will add the given key friendly name, to the specified, by the index, bag element. The name will be encoded as a 'Friendly name' bag attribute, which is usually used to set a user name to the local private key and the certificate pair. Returns 0 on success, or a negative value on error. @end deftypefun @subheading gnutls_pkcs12_bag_decrypt @anchor{gnutls_pkcs12_bag_decrypt} @deftypefun {int} {gnutls_pkcs12_bag_decrypt} (gnutls_pkcs12_bag_t @var{bag}, const char * @var{pass}) @var{bag}: The bag @var{pass}: The password used for encryption. This can only be ASCII. This function will decrypt the given encrypted bag and return 0 on success. @end deftypefun @subheading gnutls_pkcs12_bag_encrypt @anchor{gnutls_pkcs12_bag_encrypt} @deftypefun {int} {gnutls_pkcs12_bag_encrypt} (gnutls_pkcs12_bag_t @var{bag}, const char * @var{pass}, unsigned int @var{flags}) @var{bag}: The bag @var{pass}: The password used for encryption. This can only be ASCII. @var{flags}: should be one of gnutls_pkcs_encrypt_flags_t elements bitwise or'd This function will encrypt the given bag and return 0 on success. @end deftypefun @subheading gnutls_x509_crt_set_dn_by_oid @anchor{gnutls_x509_crt_set_dn_by_oid} @deftypefun {int} {gnutls_x509_crt_set_dn_by_oid} (gnutls_x509_crt_t @var{crt}, const char * @var{oid}, unsigned int @var{raw_flag}, const void * @var{name}, unsigned int @var{sizeof_name}) @var{crt}: should contain a gnutls_x509_crt_t structure @var{oid}: holds an Object Identifier in a null terminated string @var{raw_flag}: must be 0, or 1 if the data are DER encoded @var{name}: a pointer to the name @var{sizeof_name}: holds the size of @code{name} This function will set the part of the name of the Certificate subject, specified by the given OID. The input string should be ASCII or UTF-8 encoded. Some helper macros with popular OIDs can be found in gnutls/x509.h With this function you can only set the known OIDs. You can test for known OIDs using @code{gnutls_x509_dn_oid_known()}. For OIDs that are not known (by gnutls) you should properly DER encode your data, and call this function with raw_flag set. Returns 0 on success. @end deftypefun @subheading gnutls_x509_crt_set_issuer_dn_by_oid @anchor{gnutls_x509_crt_set_issuer_dn_by_oid} @deftypefun {int} {gnutls_x509_crt_set_issuer_dn_by_oid} (gnutls_x509_crt_t @var{crt}, const char * @var{oid}, unsigned int @var{raw_flag}, const void * @var{name}, unsigned int @var{sizeof_name}) @var{crt}: should contain a gnutls_x509_crt_t structure @var{oid}: holds an Object Identifier in a null terminated string @var{raw_flag}: must be 0, or 1 if the data are DER encoded @var{name}: a pointer to the name @var{sizeof_name}: holds the size of @code{name} This function will set the part of the name of the Certificate issuer, specified by the given OID. The input string should be ASCII or UTF-8 encoded. Some helper macros with popular OIDs can be found in gnutls/x509.h With this function you can only set the known OIDs. You can test for known OIDs using @code{gnutls_x509_dn_oid_known()}. For OIDs that are not known (by gnutls) you should properly DER encode your data, and call this function with raw_flag set. Normally you do not need to call this function, since the signing operation will copy the signer's name as the issuer of the certificate. Returns 0 on success. @end deftypefun @subheading gnutls_x509_crt_set_proxy_dn @anchor{gnutls_x509_crt_set_proxy_dn} @deftypefun {int} {gnutls_x509_crt_set_proxy_dn} (gnutls_x509_crt_t @var{crt}, gnutls_x509_crt_t @var{eecrt}, unsigned int @var{raw_flag}, const void * @var{name}, unsigned int @var{sizeof_name}) @var{crt}: a gnutls_x509_crt_t structure with the new proxy cert @var{eecrt}: the end entity certificate that will be issuing the proxy @var{raw_flag}: must be 0, or 1 if the CN is DER encoded @var{name}: a pointer to the CN name, may be NULL (but MUST then be added later) @var{sizeof_name}: holds the size of @code{name} This function will set the subject in @code{crt} to the end entity's @code{eecrt} subject name, and add a single Common Name component @code{name} of size @code{sizeof_name}. This corresponds to the required proxy certificate naming style. Note that if @code{name} is @code{NULL}, you MUST set it later by using @code{gnutls_x509_crt_set_dn_by_oid()} or similar. Returns 0 on success. @end deftypefun @subheading gnutls_x509_crt_set_version @anchor{gnutls_x509_crt_set_version} @deftypefun {int} {gnutls_x509_crt_set_version} (gnutls_x509_crt_t @var{crt}, unsigned int @var{version}) @var{crt}: should contain a gnutls_x509_crt_t structure @var{version}: holds the version number. For X.509v1 certificates must be 1. This function will set the version of the certificate. This must be one for X.509 version 1, and so on. Plain certificates without extensions must have version set to one. To create well-formed certificates, you must specify version 3 if you use any certificate extensions. Extensions are created by functions such as gnutls_x509_crt_set_subject_alternative_name or gnutls_x509_crt_set_key_usage. Returns 0 on success. @end deftypefun @subheading gnutls_x509_crt_set_key @anchor{gnutls_x509_crt_set_key} @deftypefun {int} {gnutls_x509_crt_set_key} (gnutls_x509_crt_t @var{crt}, gnutls_x509_privkey_t @var{key}) @var{crt}: should contain a gnutls_x509_crt_t structure @var{key}: holds a private key This function will set the public parameters from the given private key to the certificate. Only RSA keys are currently supported. Returns 0 on success. @end deftypefun @subheading gnutls_x509_crt_set_crq @anchor{gnutls_x509_crt_set_crq} @deftypefun {int} {gnutls_x509_crt_set_crq} (gnutls_x509_crt_t @var{crt}, gnutls_x509_crq_t @var{crq}) @var{crt}: should contain a gnutls_x509_crt_t structure @var{crq}: holds a certificate request This function will set the name and public parameters from the given certificate request to the certificate. Only RSA keys are currently supported. Returns 0 on success. @end deftypefun @subheading gnutls_x509_crt_set_extension_by_oid @anchor{gnutls_x509_crt_set_extension_by_oid} @deftypefun {int} {gnutls_x509_crt_set_extension_by_oid} (gnutls_x509_crt_t @var{crt}, const char * @var{oid}, const void * @var{buf}, size_t @var{sizeof_buf}, unsigned int @var{critical}) @var{crt}: should contain a gnutls_x509_crt_t structure @var{oid}: holds an Object Identified in null terminated string @var{buf}: a pointer to a DER encoded data @var{sizeof_buf}: holds the size of @code{buf} @var{critical}: should be non zero if the extension is to be marked as critical This function will set an the extension, by the specified OID, in the certificate. The extension data should be binary data DER encoded. Returns 0 on success and a negative value in case of an error. @end deftypefun @subheading gnutls_x509_crt_set_basic_constraints @anchor{gnutls_x509_crt_set_basic_constraints} @deftypefun {int} {gnutls_x509_crt_set_basic_constraints} (gnutls_x509_crt_t @var{crt}, unsigned int @var{ca}, int @var{pathLenConstraint}) @var{crt}: should contain a gnutls_x509_crt_t structure @var{ca}: true(1) or false(0). Depending on the Certificate authority status. @var{pathLenConstraint}: non-negative values indicate maximum length of path, and negative values indicate that the pathLenConstraints field should not be present. This function will set the basicConstraints certificate extension. Returns 0 on success. @end deftypefun @subheading gnutls_x509_crt_set_ca_status @anchor{gnutls_x509_crt_set_ca_status} @deftypefun {int} {gnutls_x509_crt_set_ca_status} (gnutls_x509_crt_t @var{crt}, unsigned int @var{ca}) @var{crt}: should contain a gnutls_x509_crt_t structure @var{ca}: true(1) or false(0). Depending on the Certificate authority status. This function will set the basicConstraints certificate extension. Use @code{gnutls_x509_crt_set_basic_constraints()} if you want to control the pathLenConstraint field too. Returns 0 on success. @end deftypefun @subheading gnutls_x509_crt_set_key_usage @anchor{gnutls_x509_crt_set_key_usage} @deftypefun {int} {gnutls_x509_crt_set_key_usage} (gnutls_x509_crt_t @var{crt}, unsigned int @var{usage}) @var{crt}: should contain a gnutls_x509_crt_t structure @var{usage}: an ORed sequence of the GNUTLS_KEY_* elements. This function will set the keyUsage certificate extension. Returns 0 on success. @end deftypefun @subheading gnutls_x509_crt_set_subject_alternative_name @anchor{gnutls_x509_crt_set_subject_alternative_name} @deftypefun {int} {gnutls_x509_crt_set_subject_alternative_name} (gnutls_x509_crt_t @var{crt}, gnutls_x509_subject_alt_name_t @var{type}, const char * @var{data_string}) @var{crt}: should contain a gnutls_x509_crt_t structure @var{type}: is one of the gnutls_x509_subject_alt_name_t enumerations @var{data_string}: The data to be set This function will set the subject alternative name certificate extension. Returns 0 on success. @end deftypefun @subheading gnutls_x509_crt_set_proxy @anchor{gnutls_x509_crt_set_proxy} @deftypefun {int} {gnutls_x509_crt_set_proxy} (gnutls_x509_crt_t @var{crt}, int @var{pathLenConstraint}, const char * @var{policyLanguage}, const char * @var{policy}, size_t @var{sizeof_policy}) @var{crt}: should contain a gnutls_x509_crt_t structure @var{pathLenConstraint}: non-negative values indicate maximum length of path, and negative values indicate that the pathLenConstraints field should not be present. @var{policyLanguage}: OID describing the language of @code{policy}. @var{policy}: opaque byte array with policy language, can be @code{NULL} @var{sizeof_policy}: size of @code{policy}. This function will set the proxyCertInfo extension. Returns 0 on success. @end deftypefun @subheading gnutls_x509_crt_sign2 @anchor{gnutls_x509_crt_sign2} @deftypefun {int} {gnutls_x509_crt_sign2} (gnutls_x509_crt_t @var{crt}, gnutls_x509_crt_t @var{issuer}, gnutls_x509_privkey_t @var{issuer_key}, gnutls_digest_algorithm_t @var{dig}, unsigned int @var{flags}) @var{crt}: should contain a gnutls_x509_crt_t structure @var{issuer}: is the certificate of the certificate issuer @var{issuer_key}: holds the issuer's private key @var{dig}: The message digest to use. GNUTLS_DIG_SHA1 is the safe choice unless you know what you're doing. @var{flags}: must be 0 This function will sign the certificate with the issuer's private key, and will copy the issuer's information into the certificate. This must be the last step in a certificate generation since all the previously set parameters are now signed. Returns 0 on success. @end deftypefun @subheading gnutls_x509_crt_sign @anchor{gnutls_x509_crt_sign} @deftypefun {int} {gnutls_x509_crt_sign} (gnutls_x509_crt_t @var{crt}, gnutls_x509_crt_t @var{issuer}, gnutls_x509_privkey_t @var{issuer_key}) @var{crt}: should contain a gnutls_x509_crt_t structure @var{issuer}: is the certificate of the certificate issuer @var{issuer_key}: holds the issuer's private key This function is the same a @code{gnutls_x509_crt_sign2()} with no flags, and SHA1 as the hash algorithm. Returns 0 on success. @end deftypefun @subheading gnutls_x509_crt_set_activation_time @anchor{gnutls_x509_crt_set_activation_time} @deftypefun {int} {gnutls_x509_crt_set_activation_time} (gnutls_x509_crt_t @var{cert}, time_t @var{act_time}) @var{cert}: should contain a gnutls_x509_crt_t structure @var{act_time}: The actual time This function will set the time this Certificate was or will be activated. Returns 0 on success, or a negative value in case of an error. @end deftypefun @subheading gnutls_x509_crt_set_expiration_time @anchor{gnutls_x509_crt_set_expiration_time} @deftypefun {int} {gnutls_x509_crt_set_expiration_time} (gnutls_x509_crt_t @var{cert}, time_t @var{exp_time}) @var{cert}: should contain a gnutls_x509_crt_t structure @var{exp_time}: The actual time This function will set the time this Certificate will expire. Returns 0 on success, or a negative value in case of an error. @end deftypefun @subheading gnutls_x509_crt_set_serial @anchor{gnutls_x509_crt_set_serial} @deftypefun {int} {gnutls_x509_crt_set_serial} (gnutls_x509_crt_t @var{cert}, const void * @var{serial}, size_t @var{serial_size}) @var{cert}: should contain a gnutls_x509_crt_t structure @var{serial}: The serial number @var{serial_size}: Holds the size of the serial field. This function will set the X.509 certificate's serial number. Serial is not always a 32 or 64bit number. Some CAs use large serial numbers, thus it may be wise to handle it as something opaque. Returns 0 on success, or a negative value in case of an error. @end deftypefun @subheading gnutls_x509_crt_set_crl_dist_points @anchor{gnutls_x509_crt_set_crl_dist_points} @deftypefun {int} {gnutls_x509_crt_set_crl_dist_points} (gnutls_x509_crt_t @var{crt}, gnutls_x509_subject_alt_name_t @var{type}, const void * @var{data_string}, unsigned int @var{reason_flags}) @var{crt}: should contain a gnutls_x509_crt_t structure @var{type}: is one of the gnutls_x509_subject_alt_name_t enumerations @var{data_string}: The data to be set @var{reason_flags}: revocation reasons This function will set the CRL distribution points certificate extension. Returns 0 on success. @end deftypefun @subheading gnutls_x509_crt_cpy_crl_dist_points @anchor{gnutls_x509_crt_cpy_crl_dist_points} @deftypefun {int} {gnutls_x509_crt_cpy_crl_dist_points} (gnutls_x509_crt_t @var{dst}, gnutls_x509_crt_t @var{src}) @var{dst}: should contain a gnutls_x509_crt_t structure @var{src}: the certificate where the dist points will be copied from This function will copy the CRL distribution points certificate extension, from the source to the destination certificate. This may be useful to copy from a CA certificate to issued ones. Returns 0 on success. @end deftypefun @subheading gnutls_x509_crt_set_subject_key_id @anchor{gnutls_x509_crt_set_subject_key_id} @deftypefun {int} {gnutls_x509_crt_set_subject_key_id} (gnutls_x509_crt_t @var{cert}, const void * @var{id}, size_t @var{id_size}) @var{cert}: should contain a gnutls_x509_crt_t structure @var{id}: The key ID @var{id_size}: Holds the size of the serial field. This function will set the X.509 certificate's subject key ID extension. Returns 0 on success, or a negative value in case of an error. @end deftypefun @subheading gnutls_x509_crt_set_authority_key_id @anchor{gnutls_x509_crt_set_authority_key_id} @deftypefun {int} {gnutls_x509_crt_set_authority_key_id} (gnutls_x509_crt_t @var{cert}, const void * @var{id}, size_t @var{id_size}) @var{cert}: should contain a gnutls_x509_crt_t structure @var{id}: The key ID @var{id_size}: Holds the size of the serial field. This function will set the X.509 certificate's authority key ID extension. Only the keyIdentifier field can be set with this function. Returns 0 on success, or a negative value in case of an error. @end deftypefun @subheading gnutls_x509_crt_set_key_purpose_oid @anchor{gnutls_x509_crt_set_key_purpose_oid} @deftypefun {int} {gnutls_x509_crt_set_key_purpose_oid} (gnutls_x509_crt_t @var{cert}, const void * @var{oid}, unsigned int @var{critical}) @var{cert}: should contain a gnutls_x509_crt_t structure @var{oid}: a pointer to a null terminated string that holds the OID @var{critical}: Whether this extension will be critical or not This function will set the key purpose OIDs of the Certificate. These are stored in the Extended Key Usage extension (2.5.29.37) See the GNUTLS_KP_* definitions for human readable names. Subsequent calls to this function will append OIDs to the OID list. On success 0 is returned. @end deftypefun @subheading gnutls_x509_crl_set_version @anchor{gnutls_x509_crl_set_version} @deftypefun {int} {gnutls_x509_crl_set_version} (gnutls_x509_crl_t @var{crl}, unsigned int @var{version}) @var{crl}: should contain a gnutls_x509_crl_t structure @var{version}: holds the version number. For CRLv1 crls must be 1. This function will set the version of the CRL. This must be one for CRL version 1, and so on. The CRLs generated by gnutls should have a version number of 2. Returns 0 on success. @end deftypefun @subheading gnutls_x509_crl_sign2 @anchor{gnutls_x509_crl_sign2} @deftypefun {int} {gnutls_x509_crl_sign2} (gnutls_x509_crl_t @var{crl}, gnutls_x509_crt_t @var{issuer}, gnutls_x509_privkey_t @var{issuer_key}, gnutls_digest_algorithm_t @var{dig}, unsigned int @var{flags}) @var{crl}: should contain a gnutls_x509_crl_t structure @var{issuer}: is the certificate of the certificate issuer @var{issuer_key}: holds the issuer's private key @var{dig}: The message digest to use. GNUTLS_DIG_SHA1 is the safe choice unless you know what you're doing. @var{flags}: must be 0 This function will sign the CRL with the issuer's private key, and will copy the issuer's information into the CRL. This must be the last step in a certificate CRL since all the previously set parameters are now signed. Returns 0 on success. @end deftypefun @subheading gnutls_x509_crl_sign @anchor{gnutls_x509_crl_sign} @deftypefun {int} {gnutls_x509_crl_sign} (gnutls_x509_crl_t @var{crl}, gnutls_x509_crt_t @var{issuer}, gnutls_x509_privkey_t @var{issuer_key}) @var{crl}: should contain a gnutls_x509_crl_t structure @var{issuer}: is the certificate of the certificate issuer @var{issuer_key}: holds the issuer's private key This function is the same a @code{gnutls_x509_crl_sign2()} with no flags, and SHA1 as the hash algorithm. Returns 0 on success. @end deftypefun @subheading gnutls_x509_crl_set_this_update @anchor{gnutls_x509_crl_set_this_update} @deftypefun {int} {gnutls_x509_crl_set_this_update} (gnutls_x509_crl_t @var{crl}, time_t @var{act_time}) @var{crl}: should contain a gnutls_x509_crl_t structure @var{act_time}: The actual time This function will set the time this CRL was issued. Returns 0 on success, or a negative value in case of an error. @end deftypefun @subheading gnutls_x509_crl_set_next_update @anchor{gnutls_x509_crl_set_next_update} @deftypefun {int} {gnutls_x509_crl_set_next_update} (gnutls_x509_crl_t @var{crl}, time_t @var{exp_time}) @var{crl}: should contain a gnutls_x509_crl_t structure @var{exp_time}: The actual time This function will set the time this CRL will be updated. Returns 0 on success, or a negative value in case of an error. @end deftypefun @subheading gnutls_x509_crl_set_crt_serial @anchor{gnutls_x509_crl_set_crt_serial} @deftypefun {int} {gnutls_x509_crl_set_crt_serial} (gnutls_x509_crl_t @var{crl}, const void * @var{serial}, size_t @var{serial_size}, time_t @var{revocation_time}) @var{crl}: should contain a gnutls_x509_crl_t structure @var{serial}: The revoked certificate's serial number @var{serial_size}: Holds the size of the serial field. @var{revocation_time}: The time this certificate was revoked This function will set a revoked certificate's serial number to the CRL. Returns 0 on success, or a negative value in case of an error. @end deftypefun @subheading gnutls_x509_crl_set_crt @anchor{gnutls_x509_crl_set_crt} @deftypefun {int} {gnutls_x509_crl_set_crt} (gnutls_x509_crl_t @var{crl}, gnutls_x509_crt_t @var{crt}, time_t @var{revocation_time}) @var{crl}: should contain a gnutls_x509_crl_t structure @var{crt}: should contain a gnutls_x509_crt_t structure with the revoked certificate @var{revocation_time}: The time this certificate was revoked This function will set a revoked certificate's serial number to the CRL. Returns 0 on success, or a negative value in case of an error. @end deftypefun @subheading gnutls_x509_crt_print @anchor{gnutls_x509_crt_print} @deftypefun {int} {gnutls_x509_crt_print} (gnutls_x509_crt_t @var{cert}, gnutls_certificate_print_formats_t @var{format}, gnutls_datum_t * @var{out}) @var{cert}: The structure to be printed @var{format}: Indicate the format to use @var{out}: Newly allocated datum with zero terminated string. This function will pretty print a X.509 certificate, suitable for display to a human. If the format is @code{GNUTLS_X509_CRT_FULL} then all fields of the certificate will be output, on multiple lines. The @code{GNUTLS_X509_CRT_ONELINE} format will generate one line with some selected fields, which is useful for logging purposes. The output @code{out} needs to be deallocate using @code{gnutls_free()}. Returns 0 on success. @end deftypefun @subheading gnutls_x509_crl_print @anchor{gnutls_x509_crl_print} @deftypefun {int} {gnutls_x509_crl_print} (gnutls_x509_crl_t @var{crl}, gnutls_certificate_print_formats_t @var{format}, gnutls_datum_t * @var{out}) @var{crl}: The structure to be printed @var{format}: Indicate the format to use @var{out}: Newly allocated datum with zero terminated string. This function will pretty print a X.509 certificate revocation list, suitable for display to a human. The output @code{out} needs to be deallocate using @code{gnutls_free()}. Returns 0 on success. @end deftypefun