2 * Copyright (C) 2003-2012 Free Software Foundation, Inc.
4 * Author: Nikos Mavrogiannopoulos
6 * This file is part of GnuTLS.
8 * The GnuTLS is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
18 * You should have received a copy of the GNU Lesser General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>
23 /* This file contains the types and prototypes for the X.509
24 * certificate and CRL handling functions.
30 #include <gnutls/gnutls.h>
38 /* Some OIDs usually found in Distinguished names, or
39 * in Subject Directory Attribute extensions.
41 #define GNUTLS_OID_X520_COUNTRY_NAME "2.5.4.6"
42 #define GNUTLS_OID_X520_ORGANIZATION_NAME "2.5.4.10"
43 #define GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME "2.5.4.11"
44 #define GNUTLS_OID_X520_COMMON_NAME "2.5.4.3"
45 #define GNUTLS_OID_X520_LOCALITY_NAME "2.5.4.7"
46 #define GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME "2.5.4.8"
48 #define GNUTLS_OID_X520_INITIALS "2.5.4.43"
49 #define GNUTLS_OID_X520_GENERATION_QUALIFIER "2.5.4.44"
50 #define GNUTLS_OID_X520_SURNAME "2.5.4.4"
51 #define GNUTLS_OID_X520_GIVEN_NAME "2.5.4.42"
52 #define GNUTLS_OID_X520_TITLE "2.5.4.12"
53 #define GNUTLS_OID_X520_DN_QUALIFIER "2.5.4.46"
54 #define GNUTLS_OID_X520_PSEUDONYM "2.5.4.65"
55 #define GNUTLS_OID_X520_POSTALCODE "2.5.4.17"
56 #define GNUTLS_OID_X520_NAME "2.5.4.41"
58 #define GNUTLS_OID_LDAP_DC "0.9.2342.19200300.100.1.25"
59 #define GNUTLS_OID_LDAP_UID "0.9.2342.19200300.100.1.1"
61 /* The following should not be included in DN.
63 #define GNUTLS_OID_PKCS9_EMAIL "1.2.840.113549.1.9.1"
65 #define GNUTLS_OID_PKIX_DATE_OF_BIRTH "1.3.6.1.5.5.7.9.1"
66 #define GNUTLS_OID_PKIX_PLACE_OF_BIRTH "1.3.6.1.5.5.7.9.2"
67 #define GNUTLS_OID_PKIX_GENDER "1.3.6.1.5.5.7.9.3"
68 #define GNUTLS_OID_PKIX_COUNTRY_OF_CITIZENSHIP "1.3.6.1.5.5.7.9.4"
69 #define GNUTLS_OID_PKIX_COUNTRY_OF_RESIDENCE "1.3.6.1.5.5.7.9.5"
71 /* Key purpose Object Identifiers.
73 #define GNUTLS_KP_TLS_WWW_SERVER "1.3.6.1.5.5.7.3.1"
74 #define GNUTLS_KP_TLS_WWW_CLIENT "1.3.6.1.5.5.7.3.2"
75 #define GNUTLS_KP_CODE_SIGNING "1.3.6.1.5.5.7.3.3"
76 #define GNUTLS_KP_MS_SMART_CARD_LOGON "1.3.6.1.4.1.311.20.2.2"
77 #define GNUTLS_KP_EMAIL_PROTECTION "1.3.6.1.5.5.7.3.4"
78 #define GNUTLS_KP_TIME_STAMPING "1.3.6.1.5.5.7.3.8"
79 #define GNUTLS_KP_OCSP_SIGNING "1.3.6.1.5.5.7.3.9"
80 #define GNUTLS_KP_IPSEC_IKE "1.3.6.1.5.5.7.3.17"
81 #define GNUTLS_KP_ANY "2.5.29.37.0"
83 #define GNUTLS_OID_AIA "1.3.6.1.5.5.7.1.1"
84 #define GNUTLS_OID_AD_OCSP "1.3.6.1.5.5.7.48.1"
85 #define GNUTLS_OID_AD_CAISSUERS "1.3.6.1.5.5.7.48.2"
87 #define GNUTLS_FSAN_SET 0
88 #define GNUTLS_FSAN_APPEND 1
90 /* Certificate handling functions.
94 * gnutls_certificate_import_flags:
95 * @GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED: Fail if the
96 * certificates in the buffer are more than the space allocated for
97 * certificates. The error code will be %GNUTLS_E_SHORT_MEMORY_BUFFER.
98 * @GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED: Fail if the certificates
99 * in the buffer are not ordered starting from subject to issuer.
100 * The error code will be %GNUTLS_E_CERTIFICATE_LIST_UNSORTED.
102 * Enumeration of different certificate import flags.
104 typedef enum gnutls_certificate_import_flags
{
105 GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED
= 1,
106 GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED
= 2
107 } gnutls_certificate_import_flags
;
109 int gnutls_x509_crt_init(gnutls_x509_crt_t
* cert
);
110 void gnutls_x509_crt_deinit(gnutls_x509_crt_t cert
);
111 int gnutls_x509_crt_import(gnutls_x509_crt_t cert
,
112 const gnutls_datum_t
* data
,
113 gnutls_x509_crt_fmt_t format
);
114 int gnutls_x509_crt_list_import2(gnutls_x509_crt_t
** certs
,
116 const gnutls_datum_t
* data
,
117 gnutls_x509_crt_fmt_t format
,
119 int gnutls_x509_crt_list_import(gnutls_x509_crt_t
* certs
,
120 unsigned int *cert_max
,
121 const gnutls_datum_t
* data
,
122 gnutls_x509_crt_fmt_t format
,
124 int gnutls_x509_crt_export(gnutls_x509_crt_t cert
,
125 gnutls_x509_crt_fmt_t format
,
126 void *output_data
, size_t * output_data_size
);
127 int gnutls_x509_crt_export2(gnutls_x509_crt_t cert
,
128 gnutls_x509_crt_fmt_t format
,
129 gnutls_datum_t
* out
);
130 int gnutls_x509_crt_get_private_key_usage_period(gnutls_x509_crt_t
135 expiration
, unsigned int
138 int gnutls_x509_crt_get_issuer_dn(gnutls_x509_crt_t cert
,
139 char *buf
, size_t * buf_size
);
140 int gnutls_x509_crt_get_issuer_dn2(gnutls_x509_crt_t cert
,
141 gnutls_datum_t
* dn
);
142 int gnutls_x509_crt_get_issuer_dn_oid(gnutls_x509_crt_t cert
,
145 int gnutls_x509_crt_get_issuer_dn_by_oid(gnutls_x509_crt_t cert
,
146 const char *oid
, int indx
,
147 unsigned int raw_flag
,
148 void *buf
, size_t * buf_size
);
149 int gnutls_x509_crt_get_dn(gnutls_x509_crt_t cert
, char *buf
,
151 int gnutls_x509_crt_get_dn2(gnutls_x509_crt_t cert
, gnutls_datum_t
* dn
);
152 int gnutls_x509_crt_get_dn_oid(gnutls_x509_crt_t cert
, int indx
,
153 void *oid
, size_t * oid_size
);
154 int gnutls_x509_crt_get_dn_by_oid(gnutls_x509_crt_t cert
,
155 const char *oid
, int indx
,
156 unsigned int raw_flag
, void *buf
,
158 int gnutls_x509_crt_check_hostname(gnutls_x509_crt_t cert
,
159 const char *hostname
);
161 int gnutls_x509_crt_get_signature_algorithm(gnutls_x509_crt_t cert
);
162 int gnutls_x509_crt_get_signature(gnutls_x509_crt_t cert
,
163 char *sig
, size_t * sizeof_sig
);
164 int gnutls_x509_crt_get_version(gnutls_x509_crt_t cert
);
165 int gnutls_x509_crt_get_key_id(gnutls_x509_crt_t crt
,
167 unsigned char *output_data
,
168 size_t * output_data_size
);
170 int gnutls_x509_crt_set_private_key_usage_period(gnutls_x509_crt_t
174 int gnutls_x509_crt_set_authority_key_id(gnutls_x509_crt_t cert
,
175 const void *id
, size_t id_size
);
176 int gnutls_x509_crt_get_authority_key_id(gnutls_x509_crt_t cert
,
179 unsigned int *critical
);
180 int gnutls_x509_crt_get_authority_key_gn_serial(gnutls_x509_crt_t
189 serial_size
, unsigned int
192 int gnutls_x509_crt_get_subject_key_id(gnutls_x509_crt_t cert
,
195 unsigned int *critical
);
197 int gnutls_x509_crt_get_subject_unique_id(gnutls_x509_crt_t crt
,
198 char *buf
, size_t * buf_size
);
200 int gnutls_x509_crt_get_issuer_unique_id(gnutls_x509_crt_t crt
,
201 char *buf
, size_t * buf_size
);
203 void gnutls_x509_crt_set_pin_function(gnutls_x509_crt_t crt
,
204 gnutls_pin_callback_t fn
,
208 * gnutls_info_access_what_t:
209 * @GNUTLS_IA_ACCESSMETHOD_OID: Get accessMethod OID.
210 * @GNUTLS_IA_ACCESSLOCATION_GENERALNAME_TYPE: Get accessLocation name type.
211 * @GNUTLS_IA_URI: Get accessLocation URI value.
212 * @GNUTLS_IA_OCSP_URI: get accessLocation URI value for OCSP.
213 * @GNUTLS_IA_CAISSUERS_URI: get accessLocation URI value for caIssuers.
215 * Enumeration of types for the @what parameter of
216 * gnutls_x509_crt_get_authority_info_access().
218 typedef enum gnutls_info_access_what_t
{
219 GNUTLS_IA_ACCESSMETHOD_OID
= 1,
220 GNUTLS_IA_ACCESSLOCATION_GENERALNAME_TYPE
= 2,
221 /* use 100-108 for the generalName types, populate as needed */
223 /* quick-access variants that match both OID and name type. */
224 GNUTLS_IA_OCSP_URI
= 10006,
225 GNUTLS_IA_CAISSUERS_URI
= 10106
226 } gnutls_info_access_what_t
;
228 int gnutls_x509_crt_get_authority_info_access(gnutls_x509_crt_t
236 #define GNUTLS_CRL_REASON_SUPERSEEDED GNUTLS_CRL_REASON_SUPERSEDED,
238 * gnutls_x509_crl_reason_flags_t:
239 * @GNUTLS_CRL_REASON_PRIVILEGE_WITHDRAWN: The privileges were withdrawn from the owner.
240 * @GNUTLS_CRL_REASON_CERTIFICATE_HOLD: The certificate is on hold.
241 * @GNUTLS_CRL_REASON_CESSATION_OF_OPERATION: The end-entity is no longer operating.
242 * @GNUTLS_CRL_REASON_SUPERSEDED: There is a newer certificate of the owner.
243 * @GNUTLS_CRL_REASON_AFFILIATION_CHANGED: The end-entity affiliation has changed.
244 * @GNUTLS_CRL_REASON_CA_COMPROMISE: The CA was compromised.
245 * @GNUTLS_CRL_REASON_KEY_COMPROMISE: The certificate's key was compromised.
246 * @GNUTLS_CRL_REASON_UNUSED: The key was never used.
247 * @GNUTLS_CRL_REASON_AA_COMPROMISE: AA compromised.
249 * Enumeration of types for the CRL revocation reasons.
251 typedef enum gnutls_x509_crl_reason_flags_t
{
252 GNUTLS_CRL_REASON_UNSPECIFIED
= 0,
253 GNUTLS_CRL_REASON_PRIVILEGE_WITHDRAWN
= 1,
254 GNUTLS_CRL_REASON_CERTIFICATE_HOLD
= 2,
255 GNUTLS_CRL_REASON_CESSATION_OF_OPERATION
= 4,
256 GNUTLS_CRL_REASON_SUPERSEDED
= 8,
257 GNUTLS_CRL_REASON_AFFILIATION_CHANGED
= 16,
258 GNUTLS_CRL_REASON_CA_COMPROMISE
= 32,
259 GNUTLS_CRL_REASON_KEY_COMPROMISE
= 64,
260 GNUTLS_CRL_REASON_UNUSED
= 128,
261 GNUTLS_CRL_REASON_AA_COMPROMISE
= 32768
262 } gnutls_x509_crl_reason_flags_t
;
264 int gnutls_x509_crt_get_crl_dist_points(gnutls_x509_crt_t cert
,
268 unsigned int *reason_flags
,
269 unsigned int *critical
);
270 int gnutls_x509_crt_set_crl_dist_points2(gnutls_x509_crt_t crt
,
271 gnutls_x509_subject_alt_name_t
272 type
, const void *data
,
273 unsigned int data_size
,
274 unsigned int reason_flags
);
275 int gnutls_x509_crt_set_crl_dist_points(gnutls_x509_crt_t crt
,
276 gnutls_x509_subject_alt_name_t
278 const void *data_string
,
279 unsigned int reason_flags
);
280 int gnutls_x509_crt_cpy_crl_dist_points(gnutls_x509_crt_t dst
,
281 gnutls_x509_crt_t src
);
283 int gnutls_x509_crl_sign2(gnutls_x509_crl_t crl
,
284 gnutls_x509_crt_t issuer
,
285 gnutls_x509_privkey_t issuer_key
,
286 gnutls_digest_algorithm_t dig
,
289 time_t gnutls_x509_crt_get_activation_time(gnutls_x509_crt_t cert
);
291 #define GNUTLS_X509_NO_WELL_DEFINED_EXPIRATION ((time_t)4294197631)
293 time_t gnutls_x509_crt_get_expiration_time(gnutls_x509_crt_t cert
);
294 int gnutls_x509_crt_get_serial(gnutls_x509_crt_t cert
,
295 void *result
, size_t * result_size
);
297 int gnutls_x509_crt_get_pk_algorithm(gnutls_x509_crt_t cert
,
299 int gnutls_x509_crt_get_pk_rsa_raw(gnutls_x509_crt_t crt
,
300 gnutls_datum_t
* m
, gnutls_datum_t
* e
);
301 int gnutls_x509_crt_get_pk_dsa_raw(gnutls_x509_crt_t crt
,
304 gnutls_datum_t
* g
, gnutls_datum_t
* y
);
306 int gnutls_x509_crt_get_subject_alt_name(gnutls_x509_crt_t cert
,
310 unsigned int *critical
);
311 int gnutls_x509_crt_get_subject_alt_name2(gnutls_x509_crt_t cert
,
315 unsigned int *san_type
,
316 unsigned int *critical
);
318 int gnutls_x509_crt_get_subject_alt_othername_oid(gnutls_x509_crt_t
324 int gnutls_x509_crt_get_issuer_alt_name(gnutls_x509_crt_t cert
,
328 unsigned int *critical
);
329 int gnutls_x509_crt_get_issuer_alt_name2(gnutls_x509_crt_t cert
,
333 unsigned int *ian_type
,
334 unsigned int *critical
);
336 int gnutls_x509_crt_get_issuer_alt_othername_oid(gnutls_x509_crt_t
342 int gnutls_x509_crt_get_ca_status(gnutls_x509_crt_t cert
,
343 unsigned int *critical
);
344 int gnutls_x509_crt_get_basic_constraints(gnutls_x509_crt_t cert
,
345 unsigned int *critical
,
346 unsigned int *ca
, int *pathlen
);
348 /* The key_usage flags are defined in gnutls.h. They are the
349 * GNUTLS_KEY_* definitions.
351 int gnutls_x509_crt_get_key_usage(gnutls_x509_crt_t cert
,
352 unsigned int *key_usage
,
353 unsigned int *critical
);
354 int gnutls_x509_crt_set_key_usage(gnutls_x509_crt_t crt
,
356 int gnutls_x509_crt_set_authority_info_access(gnutls_x509_crt_t
358 gnutls_datum_t
* data
);
360 int gnutls_x509_crt_get_proxy(gnutls_x509_crt_t cert
,
361 unsigned int *critical
,
363 char **policyLanguage
,
364 char **policy
, size_t * sizeof_policy
);
366 #define GNUTLS_MAX_QUALIFIERS 8
369 * gnutls_x509_qualifier_t:
370 * @GNUTLS_X509_QUALIFIER_UNKNOWN: Unknown qualifier.
371 * @GNUTLS_X509_QUALIFIER_URI: A URL
372 * @GNUTLS_X509_QUALIFIER_NOICE: A text notice.
374 * Enumeration of types for the X.509 qualifiers, of the certificate policy extension.
376 typedef enum gnutls_x509_qualifier_t
{
377 GNUTLS_X509_QUALIFIER_UNKNOWN
= 0, GNUTLS_X509_QUALIFIER_URI
,
378 GNUTLS_X509_QUALIFIER_NOTICE
379 } gnutls_x509_qualifier_t
;
381 typedef struct gnutls_x509_policy_st
{
383 unsigned int qualifiers
;
385 gnutls_x509_qualifier_t type
;
388 } qualifier
[GNUTLS_MAX_QUALIFIERS
];
389 } gnutls_x509_policy_st
;
391 void gnutls_x509_policy_release(struct gnutls_x509_policy_st
393 int gnutls_x509_crt_get_policy(gnutls_x509_crt_t crt
, int indx
, struct gnutls_x509_policy_st
394 *policy
, unsigned int *critical
);
395 int gnutls_x509_crt_set_policy(gnutls_x509_crt_t crt
, struct gnutls_x509_policy_st
396 *policy
, unsigned int critical
);
398 int gnutls_x509_dn_oid_known(const char *oid
);
400 #define GNUTLS_X509_DN_OID_RETURN_OID 1
401 const char *gnutls_x509_dn_oid_name(const char *oid
, unsigned int flags
);
403 /* Read extensions by OID. */
404 int gnutls_x509_crt_get_extension_oid(gnutls_x509_crt_t cert
,
407 int gnutls_x509_crt_get_extension_by_oid(gnutls_x509_crt_t cert
,
408 const char *oid
, int indx
,
411 unsigned int *critical
);
413 /* Read extensions by sequence number. */
414 int gnutls_x509_crt_get_extension_info(gnutls_x509_crt_t cert
,
417 unsigned int *critical
);
418 int gnutls_x509_crt_get_extension_data(gnutls_x509_crt_t cert
,
419 int indx
, void *data
,
420 size_t * sizeof_data
);
422 int gnutls_x509_crt_set_extension_by_oid(gnutls_x509_crt_t crt
,
426 unsigned int critical
);
428 /* X.509 Certificate writing.
430 int gnutls_x509_crt_set_dn(gnutls_x509_crt_t crt
, const char *dn
,
433 int gnutls_x509_crt_set_dn_by_oid(gnutls_x509_crt_t crt
,
435 unsigned int raw_flag
,
437 unsigned int sizeof_name
);
438 int gnutls_x509_crt_set_issuer_dn_by_oid(gnutls_x509_crt_t crt
,
440 unsigned int raw_flag
,
442 unsigned int sizeof_name
);
443 int gnutls_x509_crt_set_issuer_dn(gnutls_x509_crt_t crt
,
444 const char *dn
, const char **err
);
446 int gnutls_x509_crt_set_version(gnutls_x509_crt_t crt
,
447 unsigned int version
);
448 int gnutls_x509_crt_set_key(gnutls_x509_crt_t crt
,
449 gnutls_x509_privkey_t key
);
450 int gnutls_x509_crt_set_ca_status(gnutls_x509_crt_t crt
, unsigned int ca
);
451 int gnutls_x509_crt_set_basic_constraints(gnutls_x509_crt_t crt
,
453 int pathLenConstraint
);
454 int gnutls_x509_crt_set_subject_alternative_name(gnutls_x509_crt_t
456 gnutls_x509_subject_alt_name_t
459 int gnutls_x509_crt_set_subject_alt_name(gnutls_x509_crt_t crt
,
460 gnutls_x509_subject_alt_name_t
461 type
, const void *data
,
462 unsigned int data_size
,
464 int gnutls_x509_crt_sign(gnutls_x509_crt_t crt
,
465 gnutls_x509_crt_t issuer
,
466 gnutls_x509_privkey_t issuer_key
);
467 int gnutls_x509_crt_sign2(gnutls_x509_crt_t crt
,
468 gnutls_x509_crt_t issuer
,
469 gnutls_x509_privkey_t issuer_key
,
470 gnutls_digest_algorithm_t dig
,
472 int gnutls_x509_crt_set_activation_time(gnutls_x509_crt_t cert
,
474 int gnutls_x509_crt_set_expiration_time(gnutls_x509_crt_t cert
,
476 int gnutls_x509_crt_set_serial(gnutls_x509_crt_t cert
,
477 const void *serial
, size_t serial_size
);
479 int gnutls_x509_crt_set_subject_key_id(gnutls_x509_crt_t cert
,
480 const void *id
, size_t id_size
);
482 int gnutls_x509_crt_set_proxy_dn(gnutls_x509_crt_t crt
,
483 gnutls_x509_crt_t eecrt
,
484 unsigned int raw_flag
,
486 unsigned int sizeof_name
);
487 int gnutls_x509_crt_set_proxy(gnutls_x509_crt_t crt
,
488 int pathLenConstraint
,
489 const char *policyLanguage
,
490 const char *policy
, size_t sizeof_policy
);
492 int gnutls_x509_crt_print(gnutls_x509_crt_t cert
,
493 gnutls_certificate_print_formats_t
494 format
, gnutls_datum_t
* out
);
495 int gnutls_x509_crl_print(gnutls_x509_crl_t crl
,
496 gnutls_certificate_print_formats_t
497 format
, gnutls_datum_t
* out
);
499 /* Access to internal Certificate fields.
501 int gnutls_x509_crt_get_raw_issuer_dn(gnutls_x509_crt_t cert
,
502 gnutls_datum_t
* start
);
503 int gnutls_x509_crt_get_raw_dn(gnutls_x509_crt_t cert
,
504 gnutls_datum_t
* start
);
508 int gnutls_x509_rdn_get(const gnutls_datum_t
* idn
,
509 char *buf
, size_t * sizeof_buf
);
510 int gnutls_x509_rdn_get_oid(const gnutls_datum_t
* idn
,
511 int indx
, void *buf
, size_t * sizeof_buf
);
513 int gnutls_x509_rdn_get_by_oid(const gnutls_datum_t
* idn
,
514 const char *oid
, int indx
,
515 unsigned int raw_flag
, void *buf
,
516 size_t * sizeof_buf
);
518 typedef void *gnutls_x509_dn_t
;
520 typedef struct gnutls_x509_ava_st
{
522 gnutls_datum_t value
;
523 unsigned long value_tag
;
524 } gnutls_x509_ava_st
;
526 int gnutls_x509_crt_get_subject(gnutls_x509_crt_t cert
,
527 gnutls_x509_dn_t
* dn
);
528 int gnutls_x509_crt_get_issuer(gnutls_x509_crt_t cert
,
529 gnutls_x509_dn_t
* dn
);
530 int gnutls_x509_dn_get_rdn_ava(gnutls_x509_dn_t dn
, int irdn
,
531 int iava
, gnutls_x509_ava_st
* ava
);
533 int gnutls_x509_dn_init(gnutls_x509_dn_t
* dn
);
535 int gnutls_x509_dn_import(gnutls_x509_dn_t dn
,
536 const gnutls_datum_t
* data
);
538 int gnutls_x509_dn_export(gnutls_x509_dn_t dn
,
539 gnutls_x509_crt_fmt_t format
,
540 void *output_data
, size_t * output_data_size
);
541 int gnutls_x509_dn_export2(gnutls_x509_dn_t dn
,
542 gnutls_x509_crt_fmt_t format
,
543 gnutls_datum_t
* out
);
545 void gnutls_x509_dn_deinit(gnutls_x509_dn_t dn
);
548 /* CRL handling functions.
550 int gnutls_x509_crl_init(gnutls_x509_crl_t
* crl
);
551 void gnutls_x509_crl_deinit(gnutls_x509_crl_t crl
);
553 int gnutls_x509_crl_import(gnutls_x509_crl_t crl
,
554 const gnutls_datum_t
* data
,
555 gnutls_x509_crt_fmt_t format
);
556 int gnutls_x509_crl_export(gnutls_x509_crl_t crl
,
557 gnutls_x509_crt_fmt_t format
,
558 void *output_data
, size_t * output_data_size
);
559 int gnutls_x509_crl_export2(gnutls_x509_crl_t crl
,
560 gnutls_x509_crt_fmt_t format
,
561 gnutls_datum_t
* out
);
564 gnutls_x509_crl_get_raw_issuer_dn(gnutls_x509_crl_t crl
,
565 gnutls_datum_t
* dn
);
567 int gnutls_x509_crl_get_issuer_dn(gnutls_x509_crl_t crl
,
568 char *buf
, size_t * sizeof_buf
);
569 int gnutls_x509_crl_get_issuer_dn2(gnutls_x509_crl_t crl
,
570 gnutls_datum_t
* dn
);
571 int gnutls_x509_crl_get_issuer_dn_by_oid(gnutls_x509_crl_t crl
,
572 const char *oid
, int indx
,
573 unsigned int raw_flag
,
574 void *buf
, size_t * sizeof_buf
);
575 int gnutls_x509_crl_get_dn_oid(gnutls_x509_crl_t crl
, int indx
,
576 void *oid
, size_t * sizeof_oid
);
578 int gnutls_x509_crl_get_signature_algorithm(gnutls_x509_crl_t crl
);
579 int gnutls_x509_crl_get_signature(gnutls_x509_crl_t crl
,
580 char *sig
, size_t * sizeof_sig
);
581 int gnutls_x509_crl_get_version(gnutls_x509_crl_t crl
);
583 time_t gnutls_x509_crl_get_this_update(gnutls_x509_crl_t crl
);
584 time_t gnutls_x509_crl_get_next_update(gnutls_x509_crl_t crl
);
586 int gnutls_x509_crl_get_crt_count(gnutls_x509_crl_t crl
);
587 int gnutls_x509_crl_get_crt_serial(gnutls_x509_crl_t crl
, int indx
,
588 unsigned char *serial
,
589 size_t * serial_size
, time_t * t
);
590 #define gnutls_x509_crl_get_certificate_count gnutls_x509_crl_get_crt_count
591 #define gnutls_x509_crl_get_certificate gnutls_x509_crl_get_crt_serial
593 int gnutls_x509_crl_check_issuer(gnutls_x509_crl_t crl
,
594 gnutls_x509_crt_t issuer
);
596 int gnutls_x509_crl_list_import2(gnutls_x509_crl_t
** crls
,
598 const gnutls_datum_t
* data
,
599 gnutls_x509_crt_fmt_t format
,
602 int gnutls_x509_crl_list_import(gnutls_x509_crl_t
* crls
,
603 unsigned int *crl_max
,
604 const gnutls_datum_t
* data
,
605 gnutls_x509_crt_fmt_t format
,
609 int gnutls_x509_crl_set_version(gnutls_x509_crl_t crl
,
610 unsigned int version
);
611 int gnutls_x509_crl_set_this_update(gnutls_x509_crl_t crl
,
613 int gnutls_x509_crl_set_next_update(gnutls_x509_crl_t crl
,
615 int gnutls_x509_crl_set_crt_serial(gnutls_x509_crl_t crl
,
618 time_t revocation_time
);
619 int gnutls_x509_crl_set_crt(gnutls_x509_crl_t crl
,
620 gnutls_x509_crt_t crt
, time_t revocation_time
);
622 int gnutls_x509_crl_get_authority_key_id(gnutls_x509_crl_t crl
,
625 unsigned int *critical
);
626 int gnutls_x509_crl_get_authority_key_gn_serial(gnutls_x509_crl_t
635 serial_size
, unsigned int
638 int gnutls_x509_crl_get_number(gnutls_x509_crl_t crl
, void *ret
,
639 size_t * ret_size
, unsigned int *critical
);
641 int gnutls_x509_crl_get_extension_oid(gnutls_x509_crl_t crl
,
643 size_t * sizeof_oid
);
645 int gnutls_x509_crl_get_extension_info(gnutls_x509_crl_t crl
,
648 unsigned int *critical
);
650 int gnutls_x509_crl_get_extension_data(gnutls_x509_crl_t crl
,
651 int indx
, void *data
,
652 size_t * sizeof_data
);
654 int gnutls_x509_crl_set_authority_key_id(gnutls_x509_crl_t crl
,
655 const void *id
, size_t id_size
);
657 int gnutls_x509_crl_set_number(gnutls_x509_crl_t crl
,
658 const void *nr
, size_t nr_size
);
661 /* PKCS7 structures handling
663 struct gnutls_pkcs7_int
;
664 typedef struct gnutls_pkcs7_int
*gnutls_pkcs7_t
;
666 int gnutls_pkcs7_init(gnutls_pkcs7_t
* pkcs7
);
667 void gnutls_pkcs7_deinit(gnutls_pkcs7_t pkcs7
);
668 int gnutls_pkcs7_import(gnutls_pkcs7_t pkcs7
,
669 const gnutls_datum_t
* data
,
670 gnutls_x509_crt_fmt_t format
);
671 int gnutls_pkcs7_export(gnutls_pkcs7_t pkcs7
,
672 gnutls_x509_crt_fmt_t format
,
673 void *output_data
, size_t * output_data_size
);
674 int gnutls_pkcs7_export2(gnutls_pkcs7_t pkcs7
,
675 gnutls_x509_crt_fmt_t format
,
676 gnutls_datum_t
* out
);
678 int gnutls_pkcs7_get_crt_count(gnutls_pkcs7_t pkcs7
);
679 int gnutls_pkcs7_get_crt_raw(gnutls_pkcs7_t pkcs7
, int indx
,
680 void *certificate
, size_t * certificate_size
);
682 int gnutls_pkcs7_set_crt_raw(gnutls_pkcs7_t pkcs7
,
683 const gnutls_datum_t
* crt
);
684 int gnutls_pkcs7_set_crt(gnutls_pkcs7_t pkcs7
, gnutls_x509_crt_t crt
);
685 int gnutls_pkcs7_delete_crt(gnutls_pkcs7_t pkcs7
, int indx
);
687 int gnutls_pkcs7_get_crl_raw(gnutls_pkcs7_t pkcs7
,
688 int indx
, void *crl
, size_t * crl_size
);
689 int gnutls_pkcs7_get_crl_count(gnutls_pkcs7_t pkcs7
);
691 int gnutls_pkcs7_set_crl_raw(gnutls_pkcs7_t pkcs7
,
692 const gnutls_datum_t
* crl
);
693 int gnutls_pkcs7_set_crl(gnutls_pkcs7_t pkcs7
, gnutls_x509_crl_t crl
);
694 int gnutls_pkcs7_delete_crl(gnutls_pkcs7_t pkcs7
, int indx
);
696 /* X.509 Certificate verification functions.
700 * gnutls_certificate_verify_flags:
701 * @GNUTLS_VERIFY_DISABLE_CA_SIGN: If set a signer does not have to be
702 * a certificate authority. This flag should normally be disabled,
703 * unless you know what this means.
704 * @GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS: If set a signer in the trusted
705 * list is never checked for expiration or activation.
706 * @GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT: Allow trusted CA certificates
707 * with version 1. This is safer than %GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT,
708 * and should be used instead. That way only signers in your trusted list
709 * will be allowed to have certificates of version 1. This is the default.
710 * @GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT: Do not allow trusted CA
711 * certificates that have version 1. This option is to be used
712 * to deprecate all certificates of version 1.
713 * @GNUTLS_VERIFY_DO_NOT_ALLOW_SAME: If a certificate is not signed by
714 * anyone trusted but exists in the trusted CA list do not treat it
716 * @GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN: A certificate chain is tolerated
717 * if unsorted (the case with many TLS servers out there). This is the
718 * default since GnuTLS 3.1.4.
719 * @GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN: Do not tolerate an unsorted
721 * @GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT: Allow CA certificates that
722 * have version 1 (both root and intermediate). This might be
723 * dangerous since those haven't the basicConstraints
724 * extension. Must be used in combination with
725 * %GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT.
726 * @GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2: Allow certificates to be signed
727 * using the broken MD2 algorithm.
728 * @GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5: Allow certificates to be signed
729 * using the broken MD5 algorithm.
730 * @GNUTLS_VERIFY_DISABLE_TIME_CHECKS: Disable checking of activation
731 * and expiration validity periods of certificate chains. Don't set
732 * this unless you understand the security implications.
733 * @GNUTLS_VERIFY_DISABLE_CRL_CHECKS: Disable checking for validity
734 * using certificate revocation lists or the available OCSP data.
736 * Enumeration of different certificate verify flags.
738 typedef enum gnutls_certificate_verify_flags
{
739 GNUTLS_VERIFY_DISABLE_CA_SIGN
= 1 << 0,
740 GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT
= 1 << 1,
741 GNUTLS_VERIFY_DO_NOT_ALLOW_SAME
= 1 << 2,
742 GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT
= 1 << 3,
743 GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2
= 1 << 4,
744 GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5
= 1 << 5,
745 GNUTLS_VERIFY_DISABLE_TIME_CHECKS
= 1 << 6,
746 GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS
= 1 << 7,
747 GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT
= 1 << 8,
748 GNUTLS_VERIFY_DISABLE_CRL_CHECKS
= 1 << 9,
749 GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN
= 1 << 10,
750 GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN
= 1 << 11,
751 } gnutls_certificate_verify_flags
;
753 int gnutls_x509_crt_check_issuer(gnutls_x509_crt_t cert
,
754 gnutls_x509_crt_t issuer
);
756 int gnutls_x509_crt_list_verify(const gnutls_x509_crt_t
*
757 cert_list
, int cert_list_length
,
758 const gnutls_x509_crt_t
* CA_list
,
760 const gnutls_x509_crl_t
* CRL_list
,
762 unsigned int flags
, unsigned int *verify
);
764 int gnutls_x509_crt_verify(gnutls_x509_crt_t cert
,
765 const gnutls_x509_crt_t
* CA_list
,
766 int CA_list_length
, unsigned int flags
,
767 unsigned int *verify
);
768 int gnutls_x509_crl_verify(gnutls_x509_crl_t crl
,
769 const gnutls_x509_crt_t
* CA_list
,
770 int CA_list_length
, unsigned int flags
,
771 unsigned int *verify
);
773 int gnutls_x509_crt_check_revocation(gnutls_x509_crt_t cert
,
774 const gnutls_x509_crl_t
*
775 crl_list
, int crl_list_length
);
777 int gnutls_x509_crt_get_fingerprint(gnutls_x509_crt_t cert
,
778 gnutls_digest_algorithm_t algo
,
779 void *buf
, size_t * buf_size
);
781 int gnutls_x509_crt_get_key_purpose_oid(gnutls_x509_crt_t cert
,
784 unsigned int *critical
);
785 int gnutls_x509_crt_set_key_purpose_oid(gnutls_x509_crt_t cert
,
787 unsigned int critical
);
789 /* Private key handling.
792 /* Flags for the gnutls_x509_privkey_export_pkcs8() function.
795 #define GNUTLS_PKCS8_PLAIN GNUTLS_PKCS_PLAIN
796 #define GNUTLS_PKCS8_USE_PKCS12_3DES GNUTLS_PKCS_USE_PKCS12_3DES
797 #define GNUTLS_PKCS8_USE_PKCS12_ARCFOUR GNUTLS_PKCS_USE_PKCS12_ARCFOUR
798 #define GNUTLS_PKCS8_USE_PKCS12_RC2_40 GNUTLS_PKCS_USE_PKCS12_RC2_40
801 * gnutls_pkcs_encrypt_flags_t:
802 * @GNUTLS_PKCS_PLAIN: Unencrypted private key.
803 * @GNUTLS_PKCS_NULL_PASSWORD: Some schemas distinguish between an empty and a NULL password.
804 * @GNUTLS_PKCS_USE_PKCS12_3DES: PKCS-12 3DES.
805 * @GNUTLS_PKCS_USE_PKCS12_ARCFOUR: PKCS-12 ARCFOUR.
806 * @GNUTLS_PKCS_USE_PKCS12_RC2_40: PKCS-12 RC2-40.
807 * @GNUTLS_PKCS_USE_PBES2_3DES: PBES2 3DES.
808 * @GNUTLS_PKCS_USE_PBES2_AES_128: PBES2 AES-128.
809 * @GNUTLS_PKCS_USE_PBES2_AES_192: PBES2 AES-192.
810 * @GNUTLS_PKCS_USE_PBES2_AES_256: PBES2 AES-256.
812 * Enumeration of different PKCS encryption flags.
814 typedef enum gnutls_pkcs_encrypt_flags_t
{
815 GNUTLS_PKCS_PLAIN
= 1,
816 GNUTLS_PKCS_USE_PKCS12_3DES
= 2,
817 GNUTLS_PKCS_USE_PKCS12_ARCFOUR
= 4,
818 GNUTLS_PKCS_USE_PKCS12_RC2_40
= 8,
819 GNUTLS_PKCS_USE_PBES2_3DES
= 16,
820 GNUTLS_PKCS_USE_PBES2_AES_128
= 32,
821 GNUTLS_PKCS_USE_PBES2_AES_192
= 64,
822 GNUTLS_PKCS_USE_PBES2_AES_256
= 128,
823 GNUTLS_PKCS_NULL_PASSWORD
= 256
824 } gnutls_pkcs_encrypt_flags_t
;
826 int gnutls_x509_privkey_init(gnutls_x509_privkey_t
* key
);
827 void gnutls_x509_privkey_deinit(gnutls_x509_privkey_t key
);
829 gnutls_x509_privkey_sec_param(gnutls_x509_privkey_t key
);
830 int gnutls_x509_privkey_cpy(gnutls_x509_privkey_t dst
,
831 gnutls_x509_privkey_t src
);
832 int gnutls_x509_privkey_import(gnutls_x509_privkey_t key
,
833 const gnutls_datum_t
* data
,
834 gnutls_x509_crt_fmt_t format
);
835 int gnutls_x509_privkey_import_pkcs8(gnutls_x509_privkey_t key
,
836 const gnutls_datum_t
* data
,
837 gnutls_x509_crt_fmt_t format
,
838 const char *password
,
840 int gnutls_x509_privkey_import_openssl(gnutls_x509_privkey_t key
,
841 const gnutls_datum_t
* data
,
842 const char *password
);
844 int gnutls_x509_privkey_import2(gnutls_x509_privkey_t key
,
845 const gnutls_datum_t
* data
,
846 gnutls_x509_crt_fmt_t format
,
847 const char *password
, unsigned int flags
);
849 int gnutls_x509_privkey_import_rsa_raw(gnutls_x509_privkey_t key
,
850 const gnutls_datum_t
* m
,
851 const gnutls_datum_t
* e
,
852 const gnutls_datum_t
* d
,
853 const gnutls_datum_t
* p
,
854 const gnutls_datum_t
* q
,
855 const gnutls_datum_t
* u
);
856 int gnutls_x509_privkey_import_rsa_raw2(gnutls_x509_privkey_t key
,
857 const gnutls_datum_t
* m
,
858 const gnutls_datum_t
* e
,
859 const gnutls_datum_t
* d
,
860 const gnutls_datum_t
* p
,
861 const gnutls_datum_t
* q
,
862 const gnutls_datum_t
* u
,
863 const gnutls_datum_t
* e1
,
864 const gnutls_datum_t
* e2
);
865 int gnutls_x509_privkey_import_ecc_raw(gnutls_x509_privkey_t key
,
866 gnutls_ecc_curve_t curve
,
867 const gnutls_datum_t
* x
,
868 const gnutls_datum_t
* y
,
869 const gnutls_datum_t
* k
);
871 int gnutls_x509_privkey_fix(gnutls_x509_privkey_t key
);
873 int gnutls_x509_privkey_export_dsa_raw(gnutls_x509_privkey_t key
,
879 int gnutls_x509_privkey_import_dsa_raw(gnutls_x509_privkey_t key
,
880 const gnutls_datum_t
* p
,
881 const gnutls_datum_t
* q
,
882 const gnutls_datum_t
* g
,
883 const gnutls_datum_t
* y
,
884 const gnutls_datum_t
* x
);
886 int gnutls_x509_privkey_get_pk_algorithm(gnutls_x509_privkey_t key
);
887 int gnutls_x509_privkey_get_pk_algorithm2(gnutls_x509_privkey_t
888 key
, unsigned int *bits
);
889 int gnutls_x509_privkey_get_key_id(gnutls_x509_privkey_t key
,
891 unsigned char *output_data
,
892 size_t * output_data_size
);
894 int gnutls_x509_privkey_generate(gnutls_x509_privkey_t key
,
895 gnutls_pk_algorithm_t algo
,
896 unsigned int bits
, unsigned int flags
);
897 int gnutls_x509_privkey_verify_params(gnutls_x509_privkey_t key
);
899 int gnutls_x509_privkey_export(gnutls_x509_privkey_t key
,
900 gnutls_x509_crt_fmt_t format
,
902 size_t * output_data_size
);
903 int gnutls_x509_privkey_export2(gnutls_x509_privkey_t key
,
904 gnutls_x509_crt_fmt_t format
,
905 gnutls_datum_t
* out
);
906 int gnutls_x509_privkey_export_pkcs8(gnutls_x509_privkey_t key
,
907 gnutls_x509_crt_fmt_t format
,
908 const char *password
,
911 size_t * output_data_size
);
912 int gnutls_x509_privkey_export2_pkcs8(gnutls_x509_privkey_t key
,
913 gnutls_x509_crt_fmt_t format
,
914 const char *password
,
916 gnutls_datum_t
* out
);
917 int gnutls_x509_privkey_export_rsa_raw2(gnutls_x509_privkey_t key
,
925 gnutls_datum_t
* e2
);
926 int gnutls_x509_privkey_export_rsa_raw(gnutls_x509_privkey_t key
,
933 int gnutls_x509_privkey_export_ecc_raw(gnutls_x509_privkey_t key
,
934 gnutls_ecc_curve_t
* curve
,
938 /* Certificate request stuff.
941 int gnutls_x509_crq_sign2(gnutls_x509_crq_t crq
,
942 gnutls_x509_privkey_t key
,
943 gnutls_digest_algorithm_t dig
,
946 int gnutls_x509_crq_print(gnutls_x509_crq_t crq
,
947 gnutls_certificate_print_formats_t
948 format
, gnutls_datum_t
* out
);
950 int gnutls_x509_crq_verify(gnutls_x509_crq_t crq
, unsigned int flags
);
952 int gnutls_x509_crq_init(gnutls_x509_crq_t
* crq
);
953 void gnutls_x509_crq_deinit(gnutls_x509_crq_t crq
);
954 int gnutls_x509_crq_import(gnutls_x509_crq_t crq
,
955 const gnutls_datum_t
* data
,
956 gnutls_x509_crt_fmt_t format
);
958 int gnutls_x509_crq_get_private_key_usage_period(gnutls_x509_crq_t
963 expiration
, unsigned int
966 int gnutls_x509_crq_get_dn(gnutls_x509_crq_t crq
, char *buf
,
967 size_t * sizeof_buf
);
968 int gnutls_x509_crq_get_dn2(gnutls_x509_crq_t crq
, gnutls_datum_t
* dn
);
969 int gnutls_x509_crq_get_dn_oid(gnutls_x509_crq_t crq
, int indx
,
970 void *oid
, size_t * sizeof_oid
);
971 int gnutls_x509_crq_get_dn_by_oid(gnutls_x509_crq_t crq
,
972 const char *oid
, int indx
,
973 unsigned int raw_flag
, void *buf
,
974 size_t * sizeof_buf
);
975 int gnutls_x509_crq_set_dn(gnutls_x509_crq_t crq
, const char *dn
,
977 int gnutls_x509_crq_set_dn_by_oid(gnutls_x509_crq_t crq
,
979 unsigned int raw_flag
,
981 unsigned int sizeof_data
);
982 int gnutls_x509_crq_set_version(gnutls_x509_crq_t crq
,
983 unsigned int version
);
984 int gnutls_x509_crq_get_version(gnutls_x509_crq_t crq
);
985 int gnutls_x509_crq_set_key(gnutls_x509_crq_t crq
,
986 gnutls_x509_privkey_t key
);
988 int gnutls_x509_crq_set_challenge_password(gnutls_x509_crq_t crq
,
990 int gnutls_x509_crq_get_challenge_password(gnutls_x509_crq_t crq
,
992 size_t * sizeof_pass
);
994 int gnutls_x509_crq_set_attribute_by_oid(gnutls_x509_crq_t crq
,
996 void *buf
, size_t sizeof_buf
);
997 int gnutls_x509_crq_get_attribute_by_oid(gnutls_x509_crq_t crq
,
998 const char *oid
, int indx
,
999 void *buf
, size_t * sizeof_buf
);
1001 int gnutls_x509_crq_export(gnutls_x509_crq_t crq
,
1002 gnutls_x509_crt_fmt_t format
,
1003 void *output_data
, size_t * output_data_size
);
1004 int gnutls_x509_crq_export2(gnutls_x509_crq_t crq
,
1005 gnutls_x509_crt_fmt_t format
,
1006 gnutls_datum_t
* out
);
1008 int gnutls_x509_crt_set_crq(gnutls_x509_crt_t crt
, gnutls_x509_crq_t crq
);
1009 int gnutls_x509_crt_set_crq_extensions(gnutls_x509_crt_t crt
,
1010 gnutls_x509_crq_t crq
);
1012 int gnutls_x509_crq_set_private_key_usage_period(gnutls_x509_crq_t
1016 int gnutls_x509_crq_set_key_rsa_raw(gnutls_x509_crq_t crq
,
1017 const gnutls_datum_t
* m
,
1018 const gnutls_datum_t
* e
);
1019 int gnutls_x509_crq_set_subject_alt_name(gnutls_x509_crq_t crq
,
1020 gnutls_x509_subject_alt_name_t
1021 nt
, const void *data
,
1022 unsigned int data_size
,
1023 unsigned int flags
);
1025 int gnutls_x509_crq_set_key_usage(gnutls_x509_crq_t crq
,
1026 unsigned int usage
);
1027 int gnutls_x509_crq_set_basic_constraints(gnutls_x509_crq_t crq
,
1029 int pathLenConstraint
);
1030 int gnutls_x509_crq_set_key_purpose_oid(gnutls_x509_crq_t crq
,
1032 unsigned int critical
);
1033 int gnutls_x509_crq_get_key_purpose_oid(gnutls_x509_crq_t crq
,
1034 int indx
, void *oid
,
1035 size_t * sizeof_oid
,
1036 unsigned int *critical
);
1038 int gnutls_x509_crq_get_extension_data(gnutls_x509_crq_t crq
,
1039 int indx
, void *data
,
1040 size_t * sizeof_data
);
1041 int gnutls_x509_crq_get_extension_info(gnutls_x509_crq_t crq
,
1042 int indx
, void *oid
,
1043 size_t * sizeof_oid
,
1044 unsigned int *critical
);
1045 int gnutls_x509_crq_get_attribute_data(gnutls_x509_crq_t crq
,
1046 int indx
, void *data
,
1047 size_t * sizeof_data
);
1048 int gnutls_x509_crq_get_attribute_info(gnutls_x509_crq_t crq
,
1049 int indx
, void *oid
,
1050 size_t * sizeof_oid
);
1051 int gnutls_x509_crq_get_pk_algorithm(gnutls_x509_crq_t crq
,
1052 unsigned int *bits
);
1054 int gnutls_x509_crq_get_key_id(gnutls_x509_crq_t crq
,
1056 unsigned char *output_data
,
1057 size_t * output_data_size
);
1058 int gnutls_x509_crq_get_key_rsa_raw(gnutls_x509_crq_t crq
,
1060 gnutls_datum_t
* e
);
1062 int gnutls_x509_crq_get_key_usage(gnutls_x509_crq_t crq
,
1063 unsigned int *key_usage
,
1064 unsigned int *critical
);
1065 int gnutls_x509_crq_get_basic_constraints(gnutls_x509_crq_t crq
,
1066 unsigned int *critical
,
1067 unsigned int *ca
, int *pathlen
);
1068 int gnutls_x509_crq_get_subject_alt_name(gnutls_x509_crq_t crq
,
1072 unsigned int *ret_type
,
1073 unsigned int *critical
);
1074 int gnutls_x509_crq_get_subject_alt_othername_oid(gnutls_x509_crq_t
1080 int gnutls_x509_crq_get_extension_by_oid(gnutls_x509_crq_t crq
,
1081 const char *oid
, int indx
,
1083 size_t * sizeof_buf
,
1084 unsigned int *critical
);
1086 typedef struct gnutls_x509_trust_list_st
*gnutls_x509_trust_list_t
;
1089 gnutls_x509_trust_list_init(gnutls_x509_trust_list_t
* list
,
1093 gnutls_x509_trust_list_deinit(gnutls_x509_trust_list_t list
,
1096 int gnutls_x509_trust_list_get_issuer(gnutls_x509_trust_list_t
1097 list
, gnutls_x509_crt_t cert
,
1098 gnutls_x509_crt_t
* issuer
,
1099 unsigned int flags
);
1102 gnutls_x509_trust_list_add_cas(gnutls_x509_trust_list_t list
,
1103 const gnutls_x509_crt_t
* clist
,
1104 int clist_size
, unsigned int flags
);
1105 int gnutls_x509_trust_list_remove_cas(gnutls_x509_trust_list_t
1107 const gnutls_x509_crt_t
*
1108 clist
, int clist_size
);
1110 int gnutls_x509_trust_list_add_named_crt(gnutls_x509_trust_list_t
1112 gnutls_x509_crt_t cert
,
1115 unsigned int flags
);
1117 #define GNUTLS_TL_VERIFY_CRL 1
1119 gnutls_x509_trust_list_add_crls(gnutls_x509_trust_list_t list
,
1120 const gnutls_x509_crl_t
*
1121 crl_list
, int crl_size
,
1123 unsigned int verification_flags
);
1125 typedef int gnutls_verify_output_function(gnutls_x509_crt_t cert
, gnutls_x509_crt_t issuer
, /* The issuer if verification failed
1126 * because of him. might be null.
1128 gnutls_x509_crl_t crl
, /* The CRL that caused verification failure
1129 * if any. Might be null.
1132 verification_output
);
1134 int gnutls_x509_trust_list_verify_named_crt
1135 (gnutls_x509_trust_list_t list
, gnutls_x509_crt_t cert
,
1136 const void *name
, size_t name_size
, unsigned int flags
,
1137 unsigned int *verify
, gnutls_verify_output_function func
);
1140 gnutls_x509_trust_list_verify_crt(gnutls_x509_trust_list_t list
,
1141 gnutls_x509_crt_t
* cert_list
,
1142 unsigned int cert_list_size
,
1144 unsigned int *verify
,
1145 gnutls_verify_output_function func
);
1147 /* trust list convenience functions */
1149 gnutls_x509_trust_list_add_trust_mem(gnutls_x509_trust_list_t
1151 const gnutls_datum_t
* cas
,
1152 const gnutls_datum_t
* crls
,
1153 gnutls_x509_crt_fmt_t type
,
1154 unsigned int tl_flags
,
1155 unsigned int tl_vflags
);
1158 gnutls_x509_trust_list_add_trust_file(gnutls_x509_trust_list_t
1159 list
, const char *ca_file
,
1160 const char *crl_file
,
1161 gnutls_x509_crt_fmt_t type
,
1162 unsigned int tl_flags
,
1163 unsigned int tl_vflags
);
1166 gnutls_x509_trust_list_remove_trust_file(gnutls_x509_trust_list_t
1168 const char *ca_file
,
1169 gnutls_x509_crt_fmt_t type
);
1172 gnutls_x509_trust_list_remove_trust_mem(gnutls_x509_trust_list_t
1174 const gnutls_datum_t
*
1175 cas
, gnutls_x509_crt_fmt_t type
);
1178 gnutls_x509_trust_list_add_system_trust(gnutls_x509_trust_list_t
1180 unsigned int tl_flags
,
1181 unsigned int tl_vflags
);
1183 void gnutls_certificate_set_trust_list
1184 (gnutls_certificate_credentials_t res
,
1185 gnutls_x509_trust_list_t tlist
, unsigned flags
);
1192 #endif /* GNUTLS_X509_H */