This is gnutls.info, produced by makeinfo version 4.13 from gnutls.texi.
This manual is last updated 17 November 2012 for version 3.1.5 of
GnuTLS.
Copyright (C) 2001-2012 Free Software Foundation, Inc.
Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License,
Version 1.3 or any later version published by the Free Software
Foundation; with no Invariant Sections, no Front-Cover Texts, and
no Back-Cover Texts. A copy of the license is included in the
section entitled "GNU Free Documentation License".
INFO-DIR-SECTION Software libraries
START-INFO-DIR-ENTRY
* GnuTLS: (gnutls). GNU Transport Layer Security Library.
END-INFO-DIR-ENTRY
INFO-DIR-SECTION System Administration
START-INFO-DIR-ENTRY
* certtool: (gnutls)Invoking certtool. Manipulate certificates and keys.
* gnutls-serv: (gnutls)Invoking gnutls-serv. GnuTLS test server.
* gnutls-cli: (gnutls)Invoking gnutls-cli. GnuTLS test client.
* gnutls-cli-debug: (gnutls)Invoking gnutls-cli-debug. GnuTLS debug client.
* psktool: (gnutls)Invoking psktool. Simple TLS-Pre-Shared-Keys manager.
* srptool: (gnutls)Invoking srptool. Simple SRP password tool.
END-INFO-DIR-ENTRY
�
File: gnutls.info, Node: Datagram TLS API, Next: X509 certificate API, Prev: Core TLS API, Up: API reference
E.2 Datagram TLS API
====================
The prototypes for the following functions lie in `gnutls/dtls.h'.
gnutls_dtls_cookie_send
-----------------------
-- Function: int gnutls_dtls_cookie_send (gnutls_datum_t* KEY, void*
CLIENT_DATA, size_t CLIENT_DATA_SIZE,
gnutls_dtls_prestate_st* PRESTATE, gnutls_transport_ptr_t
PTR, gnutls_push_func PUSH_FUNC)
KEY: is a random key to be used at cookie generation
CLIENT_DATA: contains data identifying the client (i.e. address)
CLIENT_DATA_SIZE: The size of client's data
PRESTATE: The previous cookie returned by
`gnutls_dtls_cookie_verify()'
PTR: A transport pointer to be used by `push_func'
PUSH_FUNC: A function that will be used to reply
This function can be used to prevent denial of service attacks to
a DTLS server by requiring the client to reply using a cookie sent
by this function. That way it can be ensured that a client we
allocated resources for (i.e. `gnutls_session_t' ) is the one that
the original incoming packet was originated from.
*Returns:* the number of bytes sent, or a negative error code.
*Since:* 3.0
gnutls_dtls_cookie_verify
-------------------------
-- Function: int gnutls_dtls_cookie_verify (gnutls_datum_t* KEY, void*
CLIENT_DATA, size_t CLIENT_DATA_SIZE, void* _MSG, size_t
MSG_SIZE, gnutls_dtls_prestate_st* PRESTATE)
KEY: is a random key to be used at cookie generation
CLIENT_DATA: contains data identifying the client (i.e. address)
CLIENT_DATA_SIZE: The size of client's data
_MSG: An incoming message that initiates a connection.
MSG_SIZE: The size of the message.
PRESTATE: The cookie of this client.
This function will verify an incoming message for a valid cookie.
If a valid cookie is returned then it should be associated with
the session using `gnutls_dtls_prestate_set()' ;
*Returns:* `GNUTLS_E_SUCCESS' (0) on success, or a negative error
code.
*Since:* 3.0
gnutls_dtls_get_data_mtu
------------------------
-- Function: unsigned int gnutls_dtls_get_data_mtu (gnutls_session_t
SESSION)
SESSION: is a `gnutls_session_t' structure.
This function will return the actual maximum transfer unit for
application data. I.e. DTLS headers are subtracted from the actual
MTU.
*Returns:* the maximum allowed transfer unit.
*Since:* 3.0
gnutls_dtls_get_mtu
-------------------
-- Function: unsigned int gnutls_dtls_get_mtu (gnutls_session_t
SESSION)
SESSION: is a `gnutls_session_t' structure.
This function will return the MTU size as set with
`gnutls_dtls_set_mtu()' . This is not the actual MTU of data you
can transmit. Use `gnutls_dtls_get_data_mtu()' for that reason.
*Returns:* the set maximum transfer unit.
*Since:* 3.0
gnutls_dtls_get_timeout
-----------------------
-- Function: unsigned int gnutls_dtls_get_timeout (gnutls_session_t
SESSION)
SESSION: is a `gnutls_session_t' structure.
This function will return the milliseconds remaining for a
retransmission of the previously sent handshake message. This
function is useful when DTLS is used in non-blocking mode, to
estimate when to call `gnutls_handshake()' if no packets have been
received.
*Returns:* the remaining time in milliseconds.
*Since:* 3.0
gnutls_dtls_prestate_set
------------------------
-- Function: void gnutls_dtls_prestate_set (gnutls_session_t SESSION,
gnutls_dtls_prestate_st* PRESTATE)
SESSION: a new session
PRESTATE: contains the client's prestate
This function will associate the prestate acquired by the cookie
authentication with the client, with the newly established session.
*Since:* 3.0
gnutls_dtls_set_data_mtu
------------------------
-- Function: int gnutls_dtls_set_data_mtu (gnutls_session_t SESSION,
unsigned int MTU)
SESSION: is a `gnutls_session_t' structure.
MTU: The maximum unencrypted transfer unit of the session
This function will set the maximum size of the *unencrypted*
records which will be sent over a DTLS session. It is equivalent
to calculating the DTLS packet overhead with the current
encryption parameters, and calling `gnutls_dtls_set_mtu()' with
that value. In particular, this means that you may need to call
this function again after any negotiation or renegotiation, in
order to ensure that the MTU is still sufficient to account for
the new protocol overhead.
*Returns:* `GNUTLS_E_SUCCESS' (0) on success, or a negative error
code.
*Since:* 3.1
gnutls_dtls_set_mtu
-------------------
-- Function: void gnutls_dtls_set_mtu (gnutls_session_t SESSION,
unsigned int MTU)
SESSION: is a `gnutls_session_t' structure.
MTU: The maximum transfer unit of the transport
This function will set the maximum transfer unit of the transport
that DTLS packets are sent over. Note that this should exclude the
IP (or IPv6) and UDP headers. So for DTLS over IPv6 on an Ethenet
device with MTU 1500, the DTLS MTU set with this function would be
1500 - 40 (IPV6 header) - 8 (UDP header) = 1452.
*Since:* 3.0
gnutls_dtls_set_timeouts
------------------------
-- Function: void gnutls_dtls_set_timeouts (gnutls_session_t SESSION,
unsigned int RETRANS_TIMEOUT, unsigned int TOTAL_TIMEOUT)
SESSION: is a `gnutls_session_t' structure.
RETRANS_TIMEOUT: The time at which a retransmission will occur in
milliseconds
TOTAL_TIMEOUT: The time at which the connection will be aborted,
in milliseconds.
This function will set the timeouts required for the DTLS handshake
protocol. The retransmission timeout is the time after which a
message from the peer is not received, the previous messages will
be retransmitted. The total timeout is the time after which the
handshake will be aborted with `GNUTLS_E_TIMEDOUT' .
The DTLS protocol recommends the values of 1 sec and 60 seconds
respectively.
If the retransmission timeout is zero then the handshake will
operate in a non-blocking way, i.e., return `GNUTLS_E_AGAIN' .
*Since:* 3.0
gnutls_record_get_discarded
---------------------------
-- Function: unsigned int gnutls_record_get_discarded
(gnutls_session_t SESSION)
SESSION: is a `gnutls_session_t' structure.
Returns the number of discarded packets in a DTLS connection.
*Returns:* The number of discarded packets.
*Since:* 3.0
�
File: gnutls.info, Node: X509 certificate API, Next: OCSP API, Prev: Datagram TLS API, Up: API reference
E.3 X.509 certificate API
=========================
The following functions are to be used for X.509 certificate handling.
Their prototypes lie in `gnutls/x509.h'.
gnutls_pkcs7_deinit
-------------------
-- Function: void gnutls_pkcs7_deinit (gnutls_pkcs7_t PKCS7)
PKCS7: The structure to be initialized
This function will deinitialize a PKCS7 structure.
gnutls_pkcs7_delete_crl
-----------------------
-- Function: int gnutls_pkcs7_delete_crl (gnutls_pkcs7_t PKCS7, int
INDX)
PKCS7: should contain a `gnutls_pkcs7_t' structure
INDX: the index of the crl to delete
This function will delete a crl from a PKCS7 or RFC2630 crl set.
Index starts from 0. Returns 0 on success.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_pkcs7_delete_crt
-----------------------
-- Function: int gnutls_pkcs7_delete_crt (gnutls_pkcs7_t PKCS7, int
INDX)
PKCS7: should contain a gnutls_pkcs7_t structure
INDX: the index of the certificate to delete
This function will delete a certificate from a PKCS7 or RFC2630
certificate set. Index starts from 0. Returns 0 on success.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_pkcs7_export
-------------------
-- Function: int gnutls_pkcs7_export (gnutls_pkcs7_t PKCS7,
gnutls_x509_crt_fmt_t FORMAT, void * OUTPUT_DATA, size_t *
OUTPUT_DATA_SIZE)
PKCS7: Holds the pkcs7 structure
FORMAT: the format of output params. One of PEM or DER.
OUTPUT_DATA: will contain a structure PEM or DER encoded
OUTPUT_DATA_SIZE: holds the size of output_data (and will be
replaced by the actual size of parameters)
This function will export the pkcs7 structure to DER or PEM format.
If the buffer provided is not long enough to hold the output, then
* `output_data_size' is updated and `GNUTLS_E_SHORT_MEMORY_BUFFER'
will be returned.
If the structure is PEM encoded, it will have a header of "BEGIN
PKCS7".
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_pkcs7_export2
--------------------
-- Function: int gnutls_pkcs7_export2 (gnutls_pkcs7_t PKCS7,
gnutls_x509_crt_fmt_t FORMAT, gnutls_datum_t * OUT)
PKCS7: Holds the pkcs7 structure
FORMAT: the format of output params. One of PEM or DER.
OUT: will contain a structure PEM or DER encoded
This function will export the pkcs7 structure to DER or PEM format.
The output buffer is allocated using `gnutls_malloc()' .
If the structure is PEM encoded, it will have a header of "BEGIN
PKCS7".
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_pkcs7_get_crl_count
--------------------------
-- Function: int gnutls_pkcs7_get_crl_count (gnutls_pkcs7_t PKCS7)
PKCS7: should contain a gnutls_pkcs7_t structure
This function will return the number of certifcates in the PKCS7
or RFC2630 crl set.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_pkcs7_get_crl_raw
------------------------
-- Function: int gnutls_pkcs7_get_crl_raw (gnutls_pkcs7_t PKCS7, int
INDX, void * CRL, size_t * CRL_SIZE)
PKCS7: should contain a `gnutls_pkcs7_t' structure
INDX: contains the index of the crl to extract
CRL: the contents of the crl will be copied there (may be null)
CRL_SIZE: should hold the size of the crl
This function will return a crl of the PKCS7 or RFC2630 crl set.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value. If the provided buffer is not
long enough, then `crl_size' is updated and
`GNUTLS_E_SHORT_MEMORY_BUFFER' is returned. After the last crl
has been read `GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE' will be
returned.
gnutls_pkcs7_get_crt_count
--------------------------
-- Function: int gnutls_pkcs7_get_crt_count (gnutls_pkcs7_t PKCS7)
PKCS7: should contain a `gnutls_pkcs7_t' structure
This function will return the number of certifcates in the PKCS7
or RFC2630 certificate set.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_pkcs7_get_crt_raw
------------------------
-- Function: int gnutls_pkcs7_get_crt_raw (gnutls_pkcs7_t PKCS7, int
INDX, void * CERTIFICATE, size_t * CERTIFICATE_SIZE)
PKCS7: should contain a gnutls_pkcs7_t structure
INDX: contains the index of the certificate to extract
CERTIFICATE: the contents of the certificate will be copied there
(may be null)
CERTIFICATE_SIZE: should hold the size of the certificate
This function will return a certificate of the PKCS7 or RFC2630
certificate set.
After the last certificate has been read
`GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE' will be returned.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value. If the provided buffer is not
long enough, then `certificate_size' is updated and
`GNUTLS_E_SHORT_MEMORY_BUFFER' is returned.
gnutls_pkcs7_import
-------------------
-- Function: int gnutls_pkcs7_import (gnutls_pkcs7_t PKCS7, const
gnutls_datum_t * DATA, gnutls_x509_crt_fmt_t FORMAT)
PKCS7: The structure to store the parsed PKCS7.
DATA: The DER or PEM encoded PKCS7.
FORMAT: One of DER or PEM
This function will convert the given DER or PEM encoded PKCS7 to
the native `gnutls_pkcs7_t' format. The output will be stored in
`pkcs7' .
If the PKCS7 is PEM encoded it should have a header of "PKCS7".
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_pkcs7_init
-----------------
-- Function: int gnutls_pkcs7_init (gnutls_pkcs7_t * PKCS7)
PKCS7: The structure to be initialized
This function will initialize a PKCS7 structure. PKCS7 structures
usually contain lists of X.509 Certificates and X.509 Certificate
revocation lists.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_pkcs7_set_crl
--------------------
-- Function: int gnutls_pkcs7_set_crl (gnutls_pkcs7_t PKCS7,
gnutls_x509_crl_t CRL)
PKCS7: should contain a `gnutls_pkcs7_t' structure
CRL: the DER encoded crl to be added
This function will add a parsed CRL to the PKCS7 or RFC2630 crl
set.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_pkcs7_set_crl_raw
------------------------
-- Function: int gnutls_pkcs7_set_crl_raw (gnutls_pkcs7_t PKCS7, const
gnutls_datum_t * CRL)
PKCS7: should contain a `gnutls_pkcs7_t' structure
CRL: the DER encoded crl to be added
This function will add a crl to the PKCS7 or RFC2630 crl set.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_pkcs7_set_crt
--------------------
-- Function: int gnutls_pkcs7_set_crt (gnutls_pkcs7_t PKCS7,
gnutls_x509_crt_t CRT)
PKCS7: should contain a `gnutls_pkcs7_t' structure
CRT: the certificate to be copied.
This function will add a parsed certificate to the PKCS7 or
RFC2630 certificate set. This is a wrapper function over
`gnutls_pkcs7_set_crt_raw()' .
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_pkcs7_set_crt_raw
------------------------
-- Function: int gnutls_pkcs7_set_crt_raw (gnutls_pkcs7_t PKCS7, const
gnutls_datum_t * CRT)
PKCS7: should contain a `gnutls_pkcs7_t' structure
CRT: the DER encoded certificate to be added
This function will add a certificate to the PKCS7 or RFC2630
certificate set.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_x509_crl_check_issuer
----------------------------
-- Function: int gnutls_x509_crl_check_issuer (gnutls_x509_crl_t CRL,
gnutls_x509_crt_t ISSUER)
CRL: is the CRL to be checked
ISSUER: is the certificate of a possible issuer
This function will check if the given CRL was issued by the given
issuer certificate. It will return true (1) if the given CRL was
issued by the given issuer, and false (0) if not.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_x509_crl_deinit
----------------------
-- Function: void gnutls_x509_crl_deinit (gnutls_x509_crl_t CRL)
CRL: The structure to be initialized
This function will deinitialize a CRL structure.
gnutls_x509_crl_export
----------------------
-- Function: int gnutls_x509_crl_export (gnutls_x509_crl_t CRL,
gnutls_x509_crt_fmt_t FORMAT, void * OUTPUT_DATA, size_t *
OUTPUT_DATA_SIZE)
CRL: Holds the revocation list
FORMAT: the format of output params. One of PEM or DER.
OUTPUT_DATA: will contain a private key PEM or DER encoded
OUTPUT_DATA_SIZE: holds the size of output_data (and will be
replaced by the actual size of parameters)
This function will export the revocation list to DER or PEM format.
If the buffer provided is not long enough to hold the output, then
`GNUTLS_E_SHORT_MEMORY_BUFFER' will be returned.
If the structure is PEM encoded, it will have a header of "BEGIN
X509 CRL".
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value. and a negative error code on
failure.
gnutls_x509_crl_export2
-----------------------
-- Function: int gnutls_x509_crl_export2 (gnutls_x509_crl_t CRL,
gnutls_x509_crt_fmt_t FORMAT, gnutls_datum_t * OUT)
CRL: Holds the revocation list
FORMAT: the format of output params. One of PEM or DER.
OUT: will contain a private key PEM or DER encoded
This function will export the revocation list to DER or PEM format.
The output buffer is allocated using `gnutls_malloc()' .
If the structure is PEM encoded, it will have a header of "BEGIN
X509 CRL".
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value. and a negative error code on
failure.
Since 3.1.3
gnutls_x509_crl_get_authority_key_gn_serial
-------------------------------------------
-- Function: int gnutls_x509_crl_get_authority_key_gn_serial
(gnutls_x509_crl_t CRL, unsigned int SEQ, void * ALT, size_t
* ALT_SIZE, unsigned int * ALT_TYPE, void* SERIAL, size_t *
SERIAL_SIZE, unsigned int * CRITICAL)
CRL: should contain a `gnutls_x509_crl_t' structure
SEQ: specifies the sequence number of the alt name (0 for the
first one, 1 for the second etc.)
ALT: is the place where the alternative name will be copied to
ALT_SIZE: holds the size of alt.
ALT_TYPE: holds the type of the alternative name (one of
gnutls_x509_subject_alt_name_t).
SERIAL: buffer to store the serial number (may be null)
SERIAL_SIZE: Holds the size of the serial field (may be null)
CRITICAL: will be non-zero if the extension is marked as critical
(may be null)
This function will return the X.509 authority key identifier when
stored as a general name (authorityCertIssuer) and serial number.
Because more than one general names might be stored `seq' can be
used as a counter to request them all until
`GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE' is returned.
*Returns:* Returns 0 on success, or an error code.
*Since:* 3.0
gnutls_x509_crl_get_authority_key_id
------------------------------------
-- Function: int gnutls_x509_crl_get_authority_key_id
(gnutls_x509_crl_t CRL, void * ID, size_t * ID_SIZE, unsigned
int * CRITICAL)
CRL: should contain a `gnutls_x509_crl_t' structure
ID: The place where the identifier will be copied
ID_SIZE: Holds the size of the result field.
CRITICAL: will be non-zero if the extension is marked as critical
(may be null)
This function will return the CRL authority's key identifier. This
is obtained by the X.509 Authority Key identifier extension field
(2.5.29.35). Note that this function only returns the
keyIdentifier field of the extension and
`GNUTLS_E_X509_UNSUPPORTED_EXTENSION' , if the extension contains
the name and serial number of the certificate. In that case
`gnutls_x509_crl_get_authority_key_gn_serial()' may be used.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error code in case of an error.
*Since:* 2.8.0
gnutls_x509_crl_get_crt_count
-----------------------------
-- Function: int gnutls_x509_crl_get_crt_count (gnutls_x509_crl_t CRL)
CRL: should contain a `gnutls_x509_crl_t' structure
This function will return the number of revoked certificates in the
given CRL.
*Returns:* number of certificates, a negative error code on
failure.
gnutls_x509_crl_get_crt_serial
------------------------------
-- Function: int gnutls_x509_crl_get_crt_serial (gnutls_x509_crl_t
CRL, int INDX, unsigned char * SERIAL, size_t * SERIAL_SIZE,
time_t * T)
CRL: should contain a `gnutls_x509_crl_t' structure
INDX: the index of the certificate to extract (starting from 0)
SERIAL: where the serial number will be copied
SERIAL_SIZE: initially holds the size of serial
T: if non null, will hold the time this certificate was revoked
This function will retrieve the serial number of the specified, by
the index, revoked certificate.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value. and a negative error code on
error.
gnutls_x509_crl_get_dn_oid
--------------------------
-- Function: int gnutls_x509_crl_get_dn_oid (gnutls_x509_crl_t CRL,
int INDX, void * OID, size_t * SIZEOF_OID)
CRL: should contain a gnutls_x509_crl_t structure
INDX: Specifies which DN OID to send. Use (0) to get the first one.
OID: a pointer to a structure to hold the name (may be null)
SIZEOF_OID: initially holds the size of 'oid'
This function will extract the requested OID of the name of the CRL
issuer, specified by the given index.
If oid is null then only the size will be filled.
*Returns:* `GNUTLS_E_SHORT_MEMORY_BUFFER' if the provided buffer
is not long enough, and in that case the sizeof_oid will be updated
with the required size. On success 0 is returned.
gnutls_x509_crl_get_extension_data
----------------------------------
-- Function: int gnutls_x509_crl_get_extension_data (gnutls_x509_crl_t
CRL, int INDX, void * DATA, size_t * SIZEOF_DATA)
CRL: should contain a `gnutls_x509_crl_t' structure
INDX: Specifies which extension OID to send. Use (0) to get the
first one.
DATA: a pointer to a structure to hold the data (may be null)
SIZEOF_DATA: initially holds the size of `oid'
This function will return the requested extension data in the CRL.
The extension data will be stored as a string in the provided
buffer.
Use `gnutls_x509_crl_get_extension_info()' to extract the OID and
critical flag. Use `gnutls_x509_crl_get_extension_info()'
instead, if you want to get data indexed by the extension OID
rather than sequence.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error code in case of an error. If your have
reached the last extension available
`GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE' will be returned.
*Since:* 2.8.0
gnutls_x509_crl_get_extension_info
----------------------------------
-- Function: int gnutls_x509_crl_get_extension_info (gnutls_x509_crl_t
CRL, int INDX, void * OID, size_t * SIZEOF_OID, unsigned int
* CRITICAL)
CRL: should contain a `gnutls_x509_crl_t' structure
INDX: Specifies which extension OID to send, use (0) to get the
first one.
OID: a pointer to a structure to hold the OID
SIZEOF_OID: initially holds the maximum size of `oid' , on return
holds actual size of `oid' .
CRITICAL: output variable with critical flag, may be NULL.
This function will return the requested extension OID in the CRL,
and the critical flag for it. The extension OID will be stored as
a string in the provided buffer. Use
`gnutls_x509_crl_get_extension_data()' to extract the data.
If the buffer provided is not long enough to hold the output, then
* `sizeof_oid' is updated and `GNUTLS_E_SHORT_MEMORY_BUFFER' will
be returned.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error code in case of an error. If your have
reached the last extension available
`GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE' will be returned.
*Since:* 2.8.0
gnutls_x509_crl_get_extension_oid
---------------------------------
-- Function: int gnutls_x509_crl_get_extension_oid (gnutls_x509_crl_t
CRL, int INDX, void * OID, size_t * SIZEOF_OID)
CRL: should contain a `gnutls_x509_crl_t' structure
INDX: Specifies which extension OID to send, use (0) to get the
first one.
OID: a pointer to a structure to hold the OID (may be null)
SIZEOF_OID: initially holds the size of `oid'
This function will return the requested extension OID in the CRL.
The extension OID will be stored as a string in the provided
buffer.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error code in case of an error. If your have
reached the last extension available
`GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE' will be returned.
*Since:* 2.8.0
gnutls_x509_crl_get_issuer_dn
-----------------------------
-- Function: int gnutls_x509_crl_get_issuer_dn (const
gnutls_x509_crl_t CRL, char * BUF, size_t * SIZEOF_BUF)
CRL: should contain a gnutls_x509_crl_t structure
BUF: a pointer to a structure to hold the peer's name (may be null)
SIZEOF_BUF: initially holds the size of `buf'
This function will copy the name of the CRL issuer in the provided
buffer. The name will be in the form "C=xxxx,O=yyyy,CN=zzzz" as
described in RFC4514. The output string will be ASCII or UTF-8
encoded, depending on the certificate data.
If buf is `NULL' then only the size will be filled.
*Returns:* `GNUTLS_E_SHORT_MEMORY_BUFFER' if the provided buffer
is not long enough, and in that case the sizeof_buf will be updated
with the required size, and 0 on success.
gnutls_x509_crl_get_issuer_dn_by_oid
------------------------------------
-- Function: int gnutls_x509_crl_get_issuer_dn_by_oid
(gnutls_x509_crl_t CRL, const char * OID, int INDX, unsigned
int RAW_FLAG, void * BUF, size_t * SIZEOF_BUF)
CRL: should contain a gnutls_x509_crl_t structure
OID: holds an Object Identified in null terminated string
INDX: In case multiple same OIDs exist in the RDN, this specifies
which to send. Use (0) to get the first one.
RAW_FLAG: If non-zero returns the raw DER data of the DN part.
BUF: a pointer to a structure to hold the peer's name (may be null)
SIZEOF_BUF: initially holds the size of `buf'
This function will extract the part of the name of the CRL issuer
specified by the given OID. The output will be encoded as described
in RFC4514. The output string will be ASCII or UTF-8 encoded,
depending on the certificate data.
Some helper macros with popular OIDs can be found in gnutls/x509.h
If raw flag is (0), this function will only return known OIDs as
text. Other OIDs will be DER encoded, as described in RFC4514 - in
hex format with a '#' prefix. You can check about known OIDs
using `gnutls_x509_dn_oid_known()' .
If buf is null then only the size will be filled.
*Returns:* `GNUTLS_E_SHORT_MEMORY_BUFFER' if the provided buffer
is not long enough, and in that case the sizeof_buf will be updated
with the required size, and 0 on success.
gnutls_x509_crl_get_next_update
-------------------------------
-- Function: time_t gnutls_x509_crl_get_next_update (gnutls_x509_crl_t
CRL)
CRL: should contain a `gnutls_x509_crl_t' structure
This function will return the time the next CRL will be issued.
This field is optional in a CRL so it might be normal to get an
error instead.
*Returns:* when the next CRL will be issued, or (time_t)-1 on
error.
gnutls_x509_crl_get_number
--------------------------
-- Function: int gnutls_x509_crl_get_number (gnutls_x509_crl_t CRL,
void * RET, size_t * RET_SIZE, unsigned int * CRITICAL)
CRL: should contain a `gnutls_x509_crl_t' structure
RET: The place where the number will be copied
RET_SIZE: Holds the size of the result field.
CRITICAL: will be non-zero if the extension is marked as critical
(may be null)
This function will return the CRL number extension. This is
obtained by the CRL Number extension field (2.5.29.20).
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error code in case of an error.
*Since:* 2.8.0
gnutls_x509_crl_get_raw_issuer_dn
---------------------------------
-- Function: int gnutls_x509_crl_get_raw_issuer_dn (gnutls_x509_crl_t
CRL, gnutls_datum_t * DN)
CRL: should contain a gnutls_x509_crl_t structure
DN: will hold the starting point of the DN
This function will return a pointer to the DER encoded DN structure
and the length.
*Returns:* a negative error code on error, and (0) on success.
*Since:* 2.12.0
gnutls_x509_crl_get_signature
-----------------------------
-- Function: int gnutls_x509_crl_get_signature (gnutls_x509_crl_t CRL,
char * SIG, size_t * SIZEOF_SIG)
CRL: should contain a gnutls_x509_crl_t structure
SIG: a pointer where the signature part will be copied (may be
null).
SIZEOF_SIG: initially holds the size of `sig'
This function will extract the signature field of a CRL.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value. and a negative error code on
error.
gnutls_x509_crl_get_signature_algorithm
---------------------------------------
-- Function: int gnutls_x509_crl_get_signature_algorithm
(gnutls_x509_crl_t CRL)
CRL: should contain a `gnutls_x509_crl_t' structure
This function will return a value of the `gnutls_sign_algorithm_t'
enumeration that is the signature algorithm.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_x509_crl_get_this_update
-------------------------------
-- Function: time_t gnutls_x509_crl_get_this_update (gnutls_x509_crl_t
CRL)
CRL: should contain a `gnutls_x509_crl_t' structure
This function will return the time this CRL was issued.
*Returns:* when the CRL was issued, or (time_t)-1 on error.
gnutls_x509_crl_get_version
---------------------------
-- Function: int gnutls_x509_crl_get_version (gnutls_x509_crl_t CRL)
CRL: should contain a `gnutls_x509_crl_t' structure
This function will return the version of the specified CRL.
*Returns:* The version number, or a negative error code on error.
gnutls_x509_crl_import
----------------------
-- Function: int gnutls_x509_crl_import (gnutls_x509_crl_t CRL, const
gnutls_datum_t * DATA, gnutls_x509_crt_fmt_t FORMAT)
CRL: The structure to store the parsed CRL.
DATA: The DER or PEM encoded CRL.
FORMAT: One of DER or PEM
This function will convert the given DER or PEM encoded CRL to the
native `gnutls_x509_crl_t' format. The output will be stored in
'crl'.
If the CRL is PEM encoded it should have a header of "X509 CRL".
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_x509_crl_init
--------------------
-- Function: int gnutls_x509_crl_init (gnutls_x509_crl_t * CRL)
CRL: The structure to be initialized
This function will initialize a CRL structure. CRL stands for
Certificate Revocation List. A revocation list usually contains
lists of certificate serial numbers that have been revoked by an
Authority. The revocation lists are always signed with the
authority's private key.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_x509_crl_list_import
---------------------------
-- Function: int gnutls_x509_crl_list_import (gnutls_x509_crl_t *
CRLS, unsigned int * CRL_MAX, const gnutls_datum_t * DATA,
gnutls_x509_crt_fmt_t FORMAT, unsigned int FLAGS)
CRLS: The structures to store the parsed CRLs. Must not be
initialized.
CRL_MAX: Initially must hold the maximum number of crls. It will
be updated with the number of crls available.
DATA: The PEM encoded CRLs
FORMAT: One of DER or PEM.
FLAGS: must be (0) or an OR'd sequence of
gnutls_certificate_import_flags.
This function will convert the given PEM encoded CRL list to the
native gnutls_x509_crl_t format. The output will be stored in
`crls' . They will be automatically initialized.
If the Certificate is PEM encoded it should have a header of "X509
CRL".
*Returns:* the number of certificates read or a negative error
value.
*Since:* 3.0
gnutls_x509_crl_list_import2
----------------------------
-- Function: int gnutls_x509_crl_list_import2 (gnutls_x509_crl_t **
CRLS, unsigned int * SIZE, const gnutls_datum_t * DATA,
gnutls_x509_crt_fmt_t FORMAT, unsigned int FLAGS)
CRLS: The structures to store the parsed crl list. Must not be
initialized.
SIZE: It will contain the size of the list.
DATA: The PEM encoded CRL.
FORMAT: One of DER or PEM.
FLAGS: must be (0) or an OR'd sequence of
gnutls_certificate_import_flags.
This function will convert the given PEM encoded CRL list to the
native gnutls_x509_crl_t format. The output will be stored in
`crls' . They will be automatically initialized.
If the Certificate is PEM encoded it should have a header of "X509
CRL".
*Returns:* the number of certificates read or a negative error
value.
*Since:* 3.0
gnutls_x509_crl_print
---------------------
-- Function: int gnutls_x509_crl_print (gnutls_x509_crl_t CRL,
gnutls_certificate_print_formats_t FORMAT, gnutls_datum_t *
OUT)
CRL: The structure to be printed
FORMAT: Indicate the format to use
OUT: Newly allocated datum with (0) terminated string.
This function will pretty print a X.509 certificate revocation
list, suitable for display to a human.
The output `out' needs to be deallocated using `gnutls_free()' .
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_x509_crl_set_authority_key_id
------------------------------------
-- Function: int gnutls_x509_crl_set_authority_key_id
(gnutls_x509_crl_t CRL, const void * ID, size_t ID_SIZE)
CRL: a CRL of type `gnutls_x509_crl_t'
ID: The key ID
ID_SIZE: Holds the size of the serial field.
This function will set the CRL's authority key ID extension. Only
the keyIdentifier field can be set with this function. This may be
used by an authority that holds multiple private keys, to
distinguish the used key.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
*Since:* 2.8.0
gnutls_x509_crl_set_crt
-----------------------
-- Function: int gnutls_x509_crl_set_crt (gnutls_x509_crl_t CRL,
gnutls_x509_crt_t CRT, time_t REVOCATION_TIME)
CRL: should contain a gnutls_x509_crl_t structure
CRT: a certificate of type `gnutls_x509_crt_t' with the revoked
certificate
REVOCATION_TIME: The time this certificate was revoked
This function will set a revoked certificate's serial number to
the CRL.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_x509_crl_set_crt_serial
------------------------------
-- Function: int gnutls_x509_crl_set_crt_serial (gnutls_x509_crl_t
CRL, const void * SERIAL, size_t SERIAL_SIZE, time_t
REVOCATION_TIME)
CRL: should contain a gnutls_x509_crl_t structure
SERIAL: The revoked certificate's serial number
SERIAL_SIZE: Holds the size of the serial field.
REVOCATION_TIME: The time this certificate was revoked
This function will set a revoked certificate's serial number to
the CRL.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_x509_crl_set_next_update
-------------------------------
-- Function: int gnutls_x509_crl_set_next_update (gnutls_x509_crl_t
CRL, time_t EXP_TIME)
CRL: should contain a gnutls_x509_crl_t structure
EXP_TIME: The actual time
This function will set the time this CRL will be updated.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_x509_crl_set_number
--------------------------
-- Function: int gnutls_x509_crl_set_number (gnutls_x509_crl_t CRL,
const void * NR, size_t NR_SIZE)
CRL: a CRL of type `gnutls_x509_crl_t'
NR: The CRL number
NR_SIZE: Holds the size of the nr field.
This function will set the CRL's number extension. This is to be
used as a unique and monotonic number assigned to the CRL by the
authority.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
*Since:* 2.8.0
gnutls_x509_crl_set_this_update
-------------------------------
-- Function: int gnutls_x509_crl_set_this_update (gnutls_x509_crl_t
CRL, time_t ACT_TIME)
CRL: should contain a gnutls_x509_crl_t structure
ACT_TIME: The actual time
This function will set the time this CRL was issued.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_x509_crl_set_version
---------------------------
-- Function: int gnutls_x509_crl_set_version (gnutls_x509_crl_t CRL,
unsigned int VERSION)
CRL: should contain a gnutls_x509_crl_t structure
VERSION: holds the version number. For CRLv1 crls must be 1.
This function will set the version of the CRL. This must be one
for CRL version 1, and so on. The CRLs generated by gnutls should
have a version number of 2.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_x509_crl_sign2
---------------------
-- Function: int gnutls_x509_crl_sign2 (gnutls_x509_crl_t CRL,
gnutls_x509_crt_t ISSUER, gnutls_x509_privkey_t ISSUER_KEY,
gnutls_digest_algorithm_t DIG, unsigned int FLAGS)
CRL: should contain a gnutls_x509_crl_t structure
ISSUER: is the certificate of the certificate issuer
ISSUER_KEY: holds the issuer's private key
DIG: The message digest to use. GNUTLS_DIG_SHA1 is the safe choice
unless you know what you're doing.
FLAGS: must be 0
This function will sign the CRL with the issuer's private key, and
will copy the issuer's information into the CRL.
This must be the last step in a certificate CRL since all the
previously set parameters are now signed.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_x509_crl_verify
----------------------
-- Function: int gnutls_x509_crl_verify (gnutls_x509_crl_t CRL, const
gnutls_x509_crt_t * CA_LIST, int CA_LIST_LENGTH, unsigned int
FLAGS, unsigned int * VERIFY)
CRL: is the crl to be verified
CA_LIST: is a certificate list that is considered to be trusted one
CA_LIST_LENGTH: holds the number of CA certificates in CA_list
FLAGS: Flags that may be used to change the verification
algorithm. Use OR of the gnutls_certificate_verify_flags
enumerations.
VERIFY: will hold the crl verification output.
This function will try to verify the given crl and return its
status. See `gnutls_x509_crt_list_verify()' for a detailed
description of return values. Note that since GnuTLS 3.1.4 this
function includes the time checks.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_x509_crq_deinit
----------------------
-- Function: void gnutls_x509_crq_deinit (gnutls_x509_crq_t CRQ)
CRQ: The structure to be initialized
This function will deinitialize a PKCS`10' certificate request
structure.
gnutls_x509_crq_export
----------------------
-- Function: int gnutls_x509_crq_export (gnutls_x509_crq_t CRQ,
gnutls_x509_crt_fmt_t FORMAT, void * OUTPUT_DATA, size_t *
OUTPUT_DATA_SIZE)
CRQ: should contain a `gnutls_x509_crq_t' structure
FORMAT: the format of output params. One of PEM or DER.
OUTPUT_DATA: will contain a certificate request PEM or DER encoded
OUTPUT_DATA_SIZE: holds the size of output_data (and will be
replaced by the actual size of parameters)
This function will export the certificate request to a PEM or DER
encoded PKCS10 structure.
If the buffer provided is not long enough to hold the output, then
`GNUTLS_E_SHORT_MEMORY_BUFFER' will be returned and *
`output_data_size' will be updated.
If the structure is PEM encoded, it will have a header of "BEGIN
NEW CERTIFICATE REQUEST".
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_x509_crq_export2
-----------------------
-- Function: int gnutls_x509_crq_export2 (gnutls_x509_crq_t CRQ,
gnutls_x509_crt_fmt_t FORMAT, gnutls_datum_t * OUT)
CRQ: should contain a `gnutls_x509_crq_t' structure
FORMAT: the format of output params. One of PEM or DER.
OUT: will contain a certificate request PEM or DER encoded
This function will export the certificate request to a PEM or DER
encoded PKCS10 structure.
The output buffer is allocated using `gnutls_malloc()' .
If the structure is PEM encoded, it will have a header of "BEGIN
NEW CERTIFICATE REQUEST".
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
Since 3.1.3
gnutls_x509_crq_get_attribute_by_oid
------------------------------------
-- Function: int gnutls_x509_crq_get_attribute_by_oid
(gnutls_x509_crq_t CRQ, const char * OID, int INDX, void *
BUF, size_t * SIZEOF_BUF)
CRQ: should contain a `gnutls_x509_crq_t' structure
OID: holds an Object Identified in (0)-terminated string
INDX: In case multiple same OIDs exist in the attribute list, this
specifies which to send, use (0) to get the first one
BUF: a pointer to a structure to hold the attribute data (may be
`NULL' )
SIZEOF_BUF: initially holds the size of `buf'
This function will return the attribute in the certificate request
specified by the given Object ID. The attribute will be DER
encoded.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_x509_crq_get_attribute_data
----------------------------------
-- Function: int gnutls_x509_crq_get_attribute_data (gnutls_x509_crq_t
CRQ, int INDX, void * DATA, size_t * SIZEOF_DATA)
CRQ: should contain a `gnutls_x509_crq_t' structure
INDX: Specifies which attribute OID to send. Use (0) to get the
first one.
DATA: a pointer to a structure to hold the data (may be null)
SIZEOF_DATA: initially holds the size of `oid'
This function will return the requested attribute data in the
certificate request. The attribute data will be stored as a
string in the provided buffer.
Use `gnutls_x509_crq_get_attribute_info()' to extract the OID.
Use `gnutls_x509_crq_get_attribute_by_oid()' instead, if you want
to get data indexed by the attribute OID rather than sequence.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error code in case of an error. If your have
reached the last extension available
`GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE' will be returned.
*Since:* 2.8.0
gnutls_x509_crq_get_attribute_info
----------------------------------
-- Function: int gnutls_x509_crq_get_attribute_info (gnutls_x509_crq_t
CRQ, int INDX, void * OID, size_t * SIZEOF_OID)
CRQ: should contain a `gnutls_x509_crq_t' structure
INDX: Specifies which attribute OID to send. Use (0) to get the
first one.
OID: a pointer to a structure to hold the OID
SIZEOF_OID: initially holds the maximum size of `oid' , on return
holds actual size of `oid' .
This function will return the requested attribute OID in the
certificate, and the critical flag for it. The attribute OID will
be stored as a string in the provided buffer. Use
`gnutls_x509_crq_get_attribute_data()' to extract the data.
If the buffer provided is not long enough to hold the output, then
* `sizeof_oid' is updated and `GNUTLS_E_SHORT_MEMORY_BUFFER' will
be returned.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error code in case of an error. If your have
reached the last extension available
`GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE' will be returned.
*Since:* 2.8.0
gnutls_x509_crq_get_basic_constraints
-------------------------------------
-- Function: int gnutls_x509_crq_get_basic_constraints
(gnutls_x509_crq_t CRQ, unsigned int * CRITICAL, unsigned int
* CA, int * PATHLEN)
CRQ: should contain a `gnutls_x509_crq_t' structure
CRITICAL: will be non-zero if the extension is marked as critical
CA: pointer to output integer indicating CA status, may be NULL,
value is 1 if the certificate CA flag is set, 0 otherwise.
PATHLEN: pointer to output integer indicating path length (may be
NULL), non-negative error codes indicate a present
pathLenConstraint field and the actual value, -1 indicate that the
field is absent.
This function will read the certificate's basic constraints, and
return the certificates CA status. It reads the basicConstraints
X.509 extension (2.5.29.19).
*Returns:* If the certificate is a CA a positive value will be
returned, or (0) if the certificate does not have CA flag set. A
negative error code may be returned in case of errors. If the
certificate does not contain the basicConstraints extension
`GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE' will be returned.
*Since:* 2.8.0
gnutls_x509_crq_get_challenge_password
--------------------------------------
-- Function: int gnutls_x509_crq_get_challenge_password
(gnutls_x509_crq_t CRQ, char * PASS, size_t * SIZEOF_PASS)
CRQ: should contain a `gnutls_x509_crq_t' structure
PASS: will hold a (0)-terminated password string
SIZEOF_PASS: Initially holds the size of `pass' .
This function will return the challenge password in the request.
The challenge password is intended to be used for requesting a
revocation of the certificate.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_x509_crq_get_dn
----------------------
-- Function: int gnutls_x509_crq_get_dn (gnutls_x509_crq_t CRQ, char *
BUF, size_t * SIZEOF_BUF)
CRQ: should contain a `gnutls_x509_crq_t' structure
BUF: a pointer to a structure to hold the name (may be `NULL' )
SIZEOF_BUF: initially holds the size of `buf'
This function will copy the name of the Certificate request subject
to the provided buffer. The name will be in the form
"C=xxxx,O=yyyy,CN=zzzz" as described in RFC 2253. The output string
`buf' will be ASCII or UTF-8 encoded, depending on the certificate
data.
*Returns:* `GNUTLS_E_SHORT_MEMORY_BUFFER' if the provided buffer
is not long enough, and in that case the * `sizeof_buf' will be
updated with the required size. On success 0 is returned.
gnutls_x509_crq_get_dn_by_oid
-----------------------------
-- Function: int gnutls_x509_crq_get_dn_by_oid (gnutls_x509_crq_t CRQ,
const char * OID, int INDX, unsigned int RAW_FLAG, void *
BUF, size_t * SIZEOF_BUF)
CRQ: should contain a gnutls_x509_crq_t structure
OID: holds an Object Identified in null terminated string
INDX: In case multiple same OIDs exist in the RDN, this specifies
which to send. Use (0) to get the first one.
RAW_FLAG: If non-zero returns the raw DER data of the DN part.
BUF: a pointer to a structure to hold the name (may be `NULL' )
SIZEOF_BUF: initially holds the size of `buf'
This function will extract the part of the name of the Certificate
request subject, specified by the given OID. The output will be
encoded as described in RFC2253. The output string will be ASCII
or UTF-8 encoded, depending on the certificate data.
Some helper macros with popular OIDs can be found in gnutls/x509.h
If raw flag is (0), this function will only return known OIDs as
text. Other OIDs will be DER encoded, as described in RFC2253 - in
hex format with a '\#' prefix. You can check about known OIDs
using `gnutls_x509_dn_oid_known()' .
*Returns:* `GNUTLS_E_SHORT_MEMORY_BUFFER' if the provided buffer
is not long enough, and in that case the * `sizeof_buf' will be
updated with the required size. On success 0 is returned.
gnutls_x509_crq_get_dn_oid
--------------------------
-- Function: int gnutls_x509_crq_get_dn_oid (gnutls_x509_crq_t CRQ,
int INDX, void * OID, size_t * SIZEOF_OID)
CRQ: should contain a gnutls_x509_crq_t structure
INDX: Specifies which DN OID to send. Use (0) to get the first one.
OID: a pointer to a structure to hold the name (may be `NULL' )
SIZEOF_OID: initially holds the size of `oid'
This function will extract the requested OID of the name of the
certificate request subject, specified by the given index.
*Returns:* `GNUTLS_E_SHORT_MEMORY_BUFFER' if the provided buffer
is not long enough, and in that case the * `sizeof_oid' will be
updated with the required size. On success 0 is returned.
gnutls_x509_crq_get_extension_by_oid
------------------------------------
-- Function: int gnutls_x509_crq_get_extension_by_oid
(gnutls_x509_crq_t CRQ, const char * OID, int INDX, void *
BUF, size_t * SIZEOF_BUF, unsigned int * CRITICAL)
CRQ: should contain a `gnutls_x509_crq_t' structure
OID: holds an Object Identified in null terminated string
INDX: In case multiple same OIDs exist in the extensions, this
specifies which to send. Use (0) to get the first one.
BUF: a pointer to a structure to hold the name (may be null)
SIZEOF_BUF: initially holds the size of `buf'
CRITICAL: will be non-zero if the extension is marked as critical
This function will return the extension specified by the OID in
the certificate. The extensions will be returned as binary data
DER encoded, in the provided buffer.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error code in case of an error. If the
certificate does not contain the specified extension
`GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE' will be returned.
*Since:* 2.8.0
gnutls_x509_crq_get_extension_data
----------------------------------
-- Function: int gnutls_x509_crq_get_extension_data (gnutls_x509_crq_t
CRQ, int INDX, void * DATA, size_t * SIZEOF_DATA)
CRQ: should contain a `gnutls_x509_crq_t' structure
INDX: Specifies which extension OID to send. Use (0) to get the
first one.
DATA: a pointer to a structure to hold the data (may be null)
SIZEOF_DATA: initially holds the size of `oid'
This function will return the requested extension data in the
certificate. The extension data will be stored as a string in the
provided buffer.
Use `gnutls_x509_crq_get_extension_info()' to extract the OID and
critical flag. Use `gnutls_x509_crq_get_extension_by_oid()'
instead, if you want to get data indexed by the extension OID
rather than sequence.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error code in case of an error. If your have
reached the last extension available
`GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE' will be returned.
*Since:* 2.8.0
gnutls_x509_crq_get_extension_info
----------------------------------
-- Function: int gnutls_x509_crq_get_extension_info (gnutls_x509_crq_t
CRQ, int INDX, void * OID, size_t * SIZEOF_OID, unsigned int
* CRITICAL)
CRQ: should contain a `gnutls_x509_crq_t' structure
INDX: Specifies which extension OID to send. Use (0) to get the
first one.
OID: a pointer to a structure to hold the OID
SIZEOF_OID: initially holds the maximum size of `oid' , on return
holds actual size of `oid' .
CRITICAL: output variable with critical flag, may be NULL.
This function will return the requested extension OID in the
certificate, and the critical flag for it. The extension OID will
be stored as a string in the provided buffer. Use
`gnutls_x509_crq_get_extension_data()' to extract the data.
If the buffer provided is not long enough to hold the output, then
* `sizeof_oid' is updated and `GNUTLS_E_SHORT_MEMORY_BUFFER' will
be returned.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error code in case of an error. If your have
reached the last extension available
`GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE' will be returned.
*Since:* 2.8.0
gnutls_x509_crq_get_key_id
--------------------------
-- Function: int gnutls_x509_crq_get_key_id (gnutls_x509_crq_t CRQ,
unsigned int FLAGS, unsigned char * OUTPUT_DATA, size_t *
OUTPUT_DATA_SIZE)
CRQ: a certificate of type `gnutls_x509_crq_t'
FLAGS: should be 0 for now
OUTPUT_DATA: will contain the key ID
OUTPUT_DATA_SIZE: holds the size of output_data (and will be
replaced by the actual size of parameters)
This function will return a unique ID that depends on the public
key parameters. This ID can be used in checking whether a
certificate corresponds to the given private key.
If the buffer provided is not long enough to hold the output, then
* `output_data_size' is updated and GNUTLS_E_SHORT_MEMORY_BUFFER
will be returned. The output will normally be a SHA-1 hash output,
which is 20 bytes.
*Returns:* In case of failure a negative error code will be
returned, and 0 on success.
*Since:* 2.8.0
gnutls_x509_crq_get_key_purpose_oid
-----------------------------------
-- Function: int gnutls_x509_crq_get_key_purpose_oid
(gnutls_x509_crq_t CRQ, int INDX, void * OID, size_t *
SIZEOF_OID, unsigned int * CRITICAL)
CRQ: should contain a `gnutls_x509_crq_t' structure
INDX: This specifies which OID to return, use (0) to get the first
one
OID: a pointer to a buffer to hold the OID (may be `NULL' )
SIZEOF_OID: initially holds the size of `oid'
CRITICAL: output variable with critical flag, may be `NULL' .
This function will extract the key purpose OIDs of the Certificate
specified by the given index. These are stored in the Extended Key
Usage extension (2.5.29.37). See the GNUTLS_KP_* definitions for
human readable names.
*Returns:* `GNUTLS_E_SHORT_MEMORY_BUFFER' if the provided buffer
is not long enough, and in that case the * `sizeof_oid' will be
updated with the required size. On success 0 is returned.
*Since:* 2.8.0
gnutls_x509_crq_get_key_rsa_raw
-------------------------------
-- Function: int gnutls_x509_crq_get_key_rsa_raw (gnutls_x509_crq_t
CRQ, gnutls_datum_t * M, gnutls_datum_t * E)
CRQ: Holds the certificate
M: will hold the modulus
E: will hold the public exponent
This function will export the RSA public key's parameters found in
the given structure. The new parameters will be allocated using
`gnutls_malloc()' and will be stored in the appropriate datum.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
*Since:* 2.8.0
gnutls_x509_crq_get_key_usage
-----------------------------
-- Function: int gnutls_x509_crq_get_key_usage (gnutls_x509_crq_t CRQ,
unsigned int * KEY_USAGE, unsigned int * CRITICAL)
CRQ: should contain a `gnutls_x509_crq_t' structure
KEY_USAGE: where the key usage bits will be stored
CRITICAL: will be non-zero if the extension is marked as critical
This function will return certificate's key usage, by reading the
keyUsage X.509 extension (2.5.29.15). The key usage value will
ORed values of the: `GNUTLS_KEY_DIGITAL_SIGNATURE' ,
`GNUTLS_KEY_NON_REPUDIATION' , `GNUTLS_KEY_KEY_ENCIPHERMENT' ,
`GNUTLS_KEY_DATA_ENCIPHERMENT' , `GNUTLS_KEY_KEY_AGREEMENT' ,
`GNUTLS_KEY_KEY_CERT_SIGN' , `GNUTLS_KEY_CRL_SIGN' ,
`GNUTLS_KEY_ENCIPHER_ONLY' , `GNUTLS_KEY_DECIPHER_ONLY' .
*Returns:* the certificate key usage, or a negative error code in
case of parsing error. If the certificate does not contain the
keyUsage extension `GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE' will be
returned.
*Since:* 2.8.0
gnutls_x509_crq_get_pk_algorithm
--------------------------------
-- Function: int gnutls_x509_crq_get_pk_algorithm (gnutls_x509_crq_t
CRQ, unsigned int * BITS)
CRQ: should contain a `gnutls_x509_crq_t' structure
BITS: if bits is non-`NULL' it will hold the size of the
parameters' in bits
This function will return the public key algorithm of a PKCS`10'
certificate request.
If bits is non-`NULL' , it should have enough size to hold the
parameters size in bits. For RSA the bits returned is the modulus.
For DSA the bits returned are of the public exponent.
*Returns:* a member of the `gnutls_pk_algorithm_t' enumeration on
success, or a negative error code on error.
gnutls_x509_crq_get_private_key_usage_period
--------------------------------------------
-- Function: int gnutls_x509_crq_get_private_key_usage_period
(gnutls_x509_crq_t CRQ, time_t* ACTIVATION, time_t*
EXPIRATION, unsigned int * CRITICAL)
CRQ: - undescribed -
ACTIVATION: The activation time
EXPIRATION: The expiration time
CRITICAL: the extension status
This function will return the expiration and activation times of
the private key of the certificate.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
`GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE' if the extension is not
present, otherwise a negative error value.
gnutls_x509_crq_get_subject_alt_name
------------------------------------
-- Function: int gnutls_x509_crq_get_subject_alt_name
(gnutls_x509_crq_t CRQ, unsigned int SEQ, void * RET, size_t
* RET_SIZE, unsigned int * RET_TYPE, unsigned int * CRITICAL)
CRQ: should contain a `gnutls_x509_crq_t' structure
SEQ: specifies the sequence number of the alt name, 0 for the
first one, 1 for the second etc.
RET: is the place where the alternative name will be copied to
RET_SIZE: holds the size of ret.
RET_TYPE: holds the `gnutls_x509_subject_alt_name_t' name type
CRITICAL: will be non-zero if the extension is marked as critical
(may be null)
This function will return the alternative names, contained in the
given certificate. It is the same as
`gnutls_x509_crq_get_subject_alt_name()' except for the fact that
it will return the type of the alternative name in `ret_type'
even if the function fails for some reason (i.e. the buffer
provided is not enough).
*Returns:* the alternative subject name type on success, one of the
enumerated `gnutls_x509_subject_alt_name_t' . It will return
`GNUTLS_E_SHORT_MEMORY_BUFFER' if `ret_size' is not large enough
to hold the value. In that case `ret_size' will be updated with
the required size. If the certificate request does not have an
Alternative name with the specified sequence number then
`GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE' is returned.
*Since:* 2.8.0
gnutls_x509_crq_get_subject_alt_othername_oid
---------------------------------------------
-- Function: int gnutls_x509_crq_get_subject_alt_othername_oid
(gnutls_x509_crq_t CRQ, unsigned int SEQ, void * RET, size_t
* RET_SIZE)
CRQ: should contain a `gnutls_x509_crq_t' structure
SEQ: specifies the sequence number of the alt name (0 for the
first one, 1 for the second etc.)
RET: is the place where the otherName OID will be copied to
RET_SIZE: holds the size of ret.
This function will extract the type OID of an otherName Subject
Alternative Name, contained in the given certificate, and return
the type as an enumerated element.
This function is only useful if
`gnutls_x509_crq_get_subject_alt_name()' returned
`GNUTLS_SAN_OTHERNAME' .
*Returns:* the alternative subject name type on success, one of the
enumerated gnutls_x509_subject_alt_name_t. For supported OIDs, it
will return one of the virtual (GNUTLS_SAN_OTHERNAME_*) types,
e.g. `GNUTLS_SAN_OTHERNAME_XMPP' , and `GNUTLS_SAN_OTHERNAME' for
unknown OIDs. It will return `GNUTLS_E_SHORT_MEMORY_BUFFER' if
`ret_size' is not large enough to hold the value. In that case
`ret_size' will be updated with the required size. If the
certificate does not have an Alternative name with the specified
sequence number and with the otherName type then
`GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE' is returned.
*Since:* 2.8.0
gnutls_x509_crq_get_version
---------------------------
-- Function: int gnutls_x509_crq_get_version (gnutls_x509_crq_t CRQ)
CRQ: should contain a `gnutls_x509_crq_t' structure
This function will return the version of the specified Certificate
request.
*Returns:* version of certificate request, or a negative error
code on error.
gnutls_x509_crq_import
----------------------
-- Function: int gnutls_x509_crq_import (gnutls_x509_crq_t CRQ, const
gnutls_datum_t * DATA, gnutls_x509_crt_fmt_t FORMAT)
CRQ: The structure to store the parsed certificate request.
DATA: The DER or PEM encoded certificate.
FORMAT: One of DER or PEM
This function will convert the given DER or PEM encoded certificate
request to a `gnutls_x509_crq_t' structure. The output will be
stored in `crq' .
If the Certificate is PEM encoded it should have a header of "NEW
CERTIFICATE REQUEST".
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_x509_crq_init
--------------------
-- Function: int gnutls_x509_crq_init (gnutls_x509_crq_t * CRQ)
CRQ: The structure to be initialized
This function will initialize a PKCS`10' certificate request
structure.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_x509_crq_print
---------------------
-- Function: int gnutls_x509_crq_print (gnutls_x509_crq_t CRQ,
gnutls_certificate_print_formats_t FORMAT, gnutls_datum_t *
OUT)
CRQ: The structure to be printed
FORMAT: Indicate the format to use
OUT: Newly allocated datum with (0) terminated string.
This function will pretty print a certificate request, suitable for
display to a human.
The output `out' needs to be deallocated using `gnutls_free()' .
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
*Since:* 2.8.0
gnutls_x509_crq_set_attribute_by_oid
------------------------------------
-- Function: int gnutls_x509_crq_set_attribute_by_oid
(gnutls_x509_crq_t CRQ, const char * OID, void * BUF, size_t
SIZEOF_BUF)
CRQ: should contain a `gnutls_x509_crq_t' structure
OID: holds an Object Identified in (0)-terminated string
BUF: a pointer to a structure that holds the attribute data
SIZEOF_BUF: holds the size of `buf'
This function will set the attribute in the certificate request
specified by the given Object ID. The attribute must be be DER
encoded.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_x509_crq_set_basic_constraints
-------------------------------------
-- Function: int gnutls_x509_crq_set_basic_constraints
(gnutls_x509_crq_t CRQ, unsigned int CA, int
PATHLENCONSTRAINT)
CRQ: a certificate request of type `gnutls_x509_crq_t'
CA: true(1) or false(0) depending on the Certificate authority
status.
PATHLENCONSTRAINT: non-negative error codes indicate maximum
length of path, and negative error codes indicate that the
pathLenConstraints field should not be present.
This function will set the basicConstraints certificate extension.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
*Since:* 2.8.0
gnutls_x509_crq_set_challenge_password
--------------------------------------
-- Function: int gnutls_x509_crq_set_challenge_password
(gnutls_x509_crq_t CRQ, const char * PASS)
CRQ: should contain a `gnutls_x509_crq_t' structure
PASS: holds a (0)-terminated password
This function will set a challenge password to be used when
revoking the request.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_x509_crq_set_dn_by_oid
-----------------------------
-- Function: int gnutls_x509_crq_set_dn_by_oid (gnutls_x509_crq_t CRQ,
const char * OID, unsigned int RAW_FLAG, const void * DATA,
unsigned int SIZEOF_DATA)
CRQ: should contain a `gnutls_x509_crq_t' structure
OID: holds an Object Identifier in a (0)-terminated string
RAW_FLAG: must be 0, or 1 if the data are DER encoded
DATA: a pointer to the input data
SIZEOF_DATA: holds the size of `data'
This function will set the part of the name of the Certificate
request subject, specified by the given OID. The input string
should be ASCII or UTF-8 encoded.
Some helper macros with popular OIDs can be found in gnutls/x509.h
With this function you can only set the known OIDs. You can test
for known OIDs using `gnutls_x509_dn_oid_known()' . For OIDs that
are not known (by gnutls) you should properly DER encode your
data, and call this function with raw_flag set.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_x509_crq_set_key
-----------------------
-- Function: int gnutls_x509_crq_set_key (gnutls_x509_crq_t CRQ,
gnutls_x509_privkey_t KEY)
CRQ: should contain a `gnutls_x509_crq_t' structure
KEY: holds a private key
This function will set the public parameters from the given private
key to the request.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_x509_crq_set_key_purpose_oid
-----------------------------------
-- Function: int gnutls_x509_crq_set_key_purpose_oid
(gnutls_x509_crq_t CRQ, const void * OID, unsigned int
CRITICAL)
CRQ: a certificate of type `gnutls_x509_crq_t'
OID: a pointer to a (0)-terminated string that holds the OID
CRITICAL: Whether this extension will be critical or not
This function will set the key purpose OIDs of the Certificate.
These are stored in the Extended Key Usage extension (2.5.29.37)
See the GNUTLS_KP_* definitions for human readable names.
Subsequent calls to this function will append OIDs to the OID list.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
*Since:* 2.8.0
gnutls_x509_crq_set_key_rsa_raw
-------------------------------
-- Function: int gnutls_x509_crq_set_key_rsa_raw (gnutls_x509_crq_t
CRQ, const gnutls_datum_t * M, const gnutls_datum_t * E)
CRQ: should contain a `gnutls_x509_crq_t' structure
M: holds the modulus
E: holds the public exponent
This function will set the public parameters from the given private
key to the request. Only RSA keys are currently supported.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
*Since:* 2.6.0
gnutls_x509_crq_set_key_usage
-----------------------------
-- Function: int gnutls_x509_crq_set_key_usage (gnutls_x509_crq_t CRQ,
unsigned int USAGE)
CRQ: a certificate request of type `gnutls_x509_crq_t'
USAGE: an ORed sequence of the GNUTLS_KEY_* elements.
This function will set the keyUsage certificate extension.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
*Since:* 2.8.0
gnutls_x509_crq_set_private_key_usage_period
--------------------------------------------
-- Function: int gnutls_x509_crq_set_private_key_usage_period
(gnutls_x509_crq_t CRQ, time_t ACTIVATION, time_t EXPIRATION)
CRQ: a certificate of type `gnutls_x509_crq_t'
ACTIVATION: The activation time
EXPIRATION: The expiration time
This function will set the private key usage period extension
(2.5.29.16).
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_x509_crq_set_subject_alt_name
------------------------------------
-- Function: int gnutls_x509_crq_set_subject_alt_name
(gnutls_x509_crq_t CRQ, gnutls_x509_subject_alt_name_t NT,
const void * DATA, unsigned int DATA_SIZE, unsigned int FLAGS)
CRQ: a certificate request of type `gnutls_x509_crq_t'
NT: is one of the `gnutls_x509_subject_alt_name_t' enumerations
DATA: The data to be set
DATA_SIZE: The size of data to be set
FLAGS: `GNUTLS_FSAN_SET' to clear previous data or
`GNUTLS_FSAN_APPEND' to append.
This function will set the subject alternative name certificate
extension. It can set the following types:
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
*Since:* 2.8.0
gnutls_x509_crq_set_version
---------------------------
-- Function: int gnutls_x509_crq_set_version (gnutls_x509_crq_t CRQ,
unsigned int VERSION)
CRQ: should contain a `gnutls_x509_crq_t' structure
VERSION: holds the version number, for v1 Requests must be 1
This function will set the version of the certificate request. For
version 1 requests this must be one.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_x509_crq_sign2
---------------------
-- Function: int gnutls_x509_crq_sign2 (gnutls_x509_crq_t CRQ,
gnutls_x509_privkey_t KEY, gnutls_digest_algorithm_t DIG,
unsigned int FLAGS)
CRQ: should contain a `gnutls_x509_crq_t' structure
KEY: holds a private key
DIG: The message digest to use, i.e., `GNUTLS_DIG_SHA1'
FLAGS: must be 0
This function will sign the certificate request with a private key.
This must be the same key as the one used in
`gnutls_x509_crt_set_key()' since a certificate request is self
signed.
This must be the last step in a certificate request generation
since all the previously set parameters are now signed.
*Returns:* `GNUTLS_E_SUCCESS' on success, otherwise a negative
error code. `GNUTLS_E_ASN1_VALUE_NOT_FOUND' is returned if you
didn't set all information in the certificate request (e.g., the
version using `gnutls_x509_crq_set_version()' ).
gnutls_x509_crq_verify
----------------------
-- Function: int gnutls_x509_crq_verify (gnutls_x509_crq_t CRQ,
unsigned int FLAGS)
CRQ: is the crq to be verified
FLAGS: Flags that may be used to change the verification
algorithm. Use OR of the gnutls_certificate_verify_flags
enumerations.
This function will verify self signature in the certificate
request and return its status.
*Returns:* In case of a verification failure
`GNUTLS_E_PK_SIG_VERIFY_FAILED' is returned, and zero or positive
code on success.
Since 2.12.0
gnutls_x509_crt_check_hostname
------------------------------
-- Function: int gnutls_x509_crt_check_hostname (gnutls_x509_crt_t
CERT, const char * HOSTNAME)
CERT: should contain an gnutls_x509_crt_t structure
HOSTNAME: A null terminated string that contains a DNS name
This function will check if the given certificate's subject matches
the given hostname. This is a basic implementation of the matching
described in RFC2818 (HTTPS), which takes into account wildcards,
and the DNSName/IPAddress subject alternative name PKIX extension.
*Returns:* non-zero for a successful match, and zero on failure.
gnutls_x509_crt_check_issuer
----------------------------
-- Function: int gnutls_x509_crt_check_issuer (gnutls_x509_crt_t CERT,
gnutls_x509_crt_t ISSUER)
CERT: is the certificate to be checked
ISSUER: is the certificate of a possible issuer
This function will check if the given certificate was issued by the
given issuer. It checks the DN fields and the authority key
identifier and subject key identifier fields match.
*Returns:* It will return true (1) if the given certificate is
issued by the given issuer, and false (0) if not. A negative
error code is returned in case of an error.
gnutls_x509_crt_check_revocation
--------------------------------
-- Function: int gnutls_x509_crt_check_revocation (gnutls_x509_crt_t
CERT, const gnutls_x509_crl_t * CRL_LIST, int CRL_LIST_LENGTH)
CERT: should contain a `gnutls_x509_crt_t' structure
CRL_LIST: should contain a list of gnutls_x509_crl_t structures
CRL_LIST_LENGTH: the length of the crl_list
This function will return check if the given certificate is
revoked. It is assumed that the CRLs have been verified before.
*Returns:* 0 if the certificate is NOT revoked, and 1 if it is. A
negative error code is returned on error.
gnutls_x509_crt_cpy_crl_dist_points
-----------------------------------
-- Function: int gnutls_x509_crt_cpy_crl_dist_points
(gnutls_x509_crt_t DST, gnutls_x509_crt_t SRC)
DST: a certificate of type `gnutls_x509_crt_t'
SRC: the certificate where the dist points will be copied from
This function will copy the CRL distribution points certificate
extension, from the source to the destination certificate. This
may be useful to copy from a CA certificate to issued ones.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_x509_crt_deinit
----------------------
-- Function: void gnutls_x509_crt_deinit (gnutls_x509_crt_t CERT)
CERT: The structure to be deinitialized
This function will deinitialize a certificate structure.
gnutls_x509_crt_export
----------------------
-- Function: int gnutls_x509_crt_export (gnutls_x509_crt_t CERT,
gnutls_x509_crt_fmt_t FORMAT, void * OUTPUT_DATA, size_t *
OUTPUT_DATA_SIZE)
CERT: Holds the certificate
FORMAT: the format of output params. One of PEM or DER.
OUTPUT_DATA: will contain a certificate PEM or DER encoded
OUTPUT_DATA_SIZE: holds the size of output_data (and will be
replaced by the actual size of parameters)
This function will export the certificate to DER or PEM format.
If the buffer provided is not long enough to hold the output, then
*output_data_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will
be returned.
If the structure is PEM encoded, it will have a header of "BEGIN
CERTIFICATE".
*Returns:* In case of failure a negative error code will be
returned, and 0 on success.
gnutls_x509_crt_export2
-----------------------
-- Function: int gnutls_x509_crt_export2 (gnutls_x509_crt_t CERT,
gnutls_x509_crt_fmt_t FORMAT, gnutls_datum_t * OUT)
CERT: Holds the certificate
FORMAT: the format of output params. One of PEM or DER.
OUT: will contain a certificate PEM or DER encoded
This function will export the certificate to DER or PEM format.
The output buffer is allocated using `gnutls_malloc()' .
If the structure is PEM encoded, it will have a header of "BEGIN
CERTIFICATE".
*Returns:* In case of failure a negative error code will be
returned, and 0 on success.
*Since:* 3.1
gnutls_x509_crt_get_activation_time
-----------------------------------
-- Function: time_t gnutls_x509_crt_get_activation_time
(gnutls_x509_crt_t CERT)
CERT: should contain a `gnutls_x509_crt_t' structure
This function will return the time this Certificate was or will be
activated.
*Returns:* activation time, or (time_t)-1 on error.
gnutls_x509_crt_get_authority_info_access
-----------------------------------------
-- Function: int gnutls_x509_crt_get_authority_info_access
(gnutls_x509_crt_t CRT, unsigned int SEQ, int WHAT,
gnutls_datum_t * DATA, unsigned int * CRITICAL)
CRT: Holds the certificate
SEQ: specifies the sequence number of the access descriptor (0 for
the first one, 1 for the second etc.)
WHAT: what data to get, a `gnutls_info_access_what_t' type.
DATA: output data to be freed with `gnutls_free()' .
CRITICAL: pointer to output integer that is set to non-0 if the
extension is marked as critical (may be `NULL' )
This function extracts the Authority Information Access (AIA)
extension, see RFC 5280 section 4.2.2.1 for more information. The
AIA extension holds a sequence of AccessDescription (AD) data:
AuthorityInfoAccessSyntax ::=
SEQUENCE SIZE (1..MAX) OF AccessDescription
AccessDescription ::= SEQUENCE { accessMethod OBJECT
IDENTIFIER, accessLocation GeneralName }
The `seq' input parameter is used to indicate which member of the
sequence the caller is interested in. The first member is 0, the
second member 1 and so on. When the `seq' value is out of bounds,
`GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE' is returned.
The type of data returned in `data' is specified via `what' which
should be `gnutls_info_access_what_t' values.
If `what' is `GNUTLS_IA_ACCESSMETHOD_OID' then `data' will hold
the accessMethod OID (e.g., "1.3.6.1.5.5.7.48.1").
If `what' is `GNUTLS_IA_ACCESSLOCATION_GENERALNAME_TYPE' ,
`data' will hold the accessLocation GeneralName type (e.g.,
"uniformResourceIdentifier").
If `what' is `GNUTLS_IA_URI' , `data' will hold the
accessLocation URI data. Requesting this `what' value leads to
an error if the accessLocation is not of the
"uniformResourceIdentifier" type.
If `what' is `GNUTLS_IA_OCSP_URI' , `data' will hold the OCSP
URI. Requesting this `what' value leads to an error if the
accessMethod is not 1.3.6.1.5.5.7.48.1 aka OSCP, or if
accessLocation is not of the "uniformResourceIdentifier" type.
If `what' is `GNUTLS_IA_CAISSUERS_URI' , `data' will hold the
caIssuers URI. Requesting this `what' value leads to an error if
the accessMethod is not 1.3.6.1.5.5.7.48.2 aka caIssuers, or if
accessLocation is not of the "uniformResourceIdentifier" type.
More `what' values may be allocated in the future as needed.
If `data' is NULL, the function does the same without storing the
output data, that is, it will set `critical' and do error checking
as usual.
The value of the critical flag is returned in * `critical' .
Supply a NULL `critical' if you want the function to make sure
the extension is non-critical, as required by RFC 5280.
*Returns:* `GNUTLS_E_SUCCESS' on success,
`GNUTLS_E_INVALID_REQUEST' on invalid `crt' ,
`GNUTLS_E_CONSTRAINT_ERROR' if the extension is incorrectly
marked as critical (use a non-NULL `critical' to override),
`GNUTLS_E_UNKNOWN_ALGORITHM' if the requested OID does not match
(e.g., when using `GNUTLS_IA_OCSP_URI' ), otherwise a negative
error code.
*Since:* 3.0
gnutls_x509_crt_get_authority_key_gn_serial
-------------------------------------------
-- Function: int gnutls_x509_crt_get_authority_key_gn_serial
(gnutls_x509_crt_t CERT, unsigned int SEQ, void * ALT, size_t
* ALT_SIZE, unsigned int * ALT_TYPE, void* SERIAL, size_t *
SERIAL_SIZE, unsigned int * CRITICAL)
CERT: should contain a `gnutls_x509_crt_t' structure
SEQ: specifies the sequence number of the alt name (0 for the
first one, 1 for the second etc.)
ALT: is the place where the alternative name will be copied to
ALT_SIZE: holds the size of alt.
ALT_TYPE: holds the type of the alternative name (one of
gnutls_x509_subject_alt_name_t).
SERIAL: buffer to store the serial number (may be null)
SERIAL_SIZE: Holds the size of the serial field (may be null)
CRITICAL: will be non-zero if the extension is marked as critical
(may be null)
This function will return the X.509 authority key identifier when
stored as a general name (authorityCertIssuer) and serial number.
Because more than one general names might be stored `seq' can be
used as a counter to request them all until
`GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE' is returned.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
`GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE' if the extension is not
present, otherwise a negative error value.
*Since:* 3.0
gnutls_x509_crt_get_authority_key_id
------------------------------------
-- Function: int gnutls_x509_crt_get_authority_key_id
(gnutls_x509_crt_t CERT, void * ID, size_t * ID_SIZE,
unsigned int * CRITICAL)
CERT: should contain a `gnutls_x509_crt_t' structure
ID: The place where the identifier will be copied
ID_SIZE: Holds the size of the id field.
CRITICAL: will be non-zero if the extension is marked as critical
(may be null)
This function will return the X.509v3 certificate authority's key
identifier. This is obtained by the X.509 Authority Key
identifier extension field (2.5.29.35). Note that this function
only returns the keyIdentifier field of the extension and
`GNUTLS_E_X509_UNSUPPORTED_EXTENSION' , if the extension contains
the name and serial number of the certificate. In that case
`gnutls_x509_crt_get_authority_key_gn_serial()' may be used.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
`GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE' if the extension is not
present, otherwise a negative error value.
gnutls_x509_crt_get_basic_constraints
-------------------------------------
-- Function: int gnutls_x509_crt_get_basic_constraints
(gnutls_x509_crt_t CERT, unsigned int * CRITICAL, unsigned
int * CA, int * PATHLEN)
CERT: should contain a `gnutls_x509_crt_t' structure
CRITICAL: will be non-zero if the extension is marked as critical
CA: pointer to output integer indicating CA status, may be NULL,
value is 1 if the certificate CA flag is set, 0 otherwise.
PATHLEN: pointer to output integer indicating path length (may be
NULL), non-negative error codes indicate a present
pathLenConstraint field and the actual value, -1 indicate that the
field is absent.
This function will read the certificate's basic constraints, and
return the certificates CA status. It reads the basicConstraints
X.509 extension (2.5.29.19).
*Returns:* If the certificate is a CA a positive value will be
returned, or (0) if the certificate does not have CA flag set. A
negative error code may be returned in case of errors. If the
certificate does not contain the basicConstraints extension
GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.
gnutls_x509_crt_get_ca_status
-----------------------------
-- Function: int gnutls_x509_crt_get_ca_status (gnutls_x509_crt_t
CERT, unsigned int * CRITICAL)
CERT: should contain a `gnutls_x509_crt_t' structure
CRITICAL: will be non-zero if the extension is marked as critical
This function will return certificates CA status, by reading the
basicConstraints X.509 extension (2.5.29.19). If the certificate is
a CA a positive value will be returned, or (0) if the certificate
does not have CA flag set.
Use `gnutls_x509_crt_get_basic_constraints()' if you want to read
the pathLenConstraint field too.
*Returns:* A negative error code may be returned in case of
parsing error. If the certificate does not contain the
basicConstraints extension `GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE'
will be returned.
gnutls_x509_crt_get_crl_dist_points
-----------------------------------
-- Function: int gnutls_x509_crt_get_crl_dist_points
(gnutls_x509_crt_t CERT, unsigned int SEQ, void * RET, size_t
* RET_SIZE, unsigned int * REASON_FLAGS, unsigned int *
CRITICAL)
CERT: should contain a `gnutls_x509_crt_t' structure
SEQ: specifies the sequence number of the distribution point (0
for the first one, 1 for the second etc.)
RET: is the place where the distribution point will be copied to
RET_SIZE: holds the size of ret.
REASON_FLAGS: Revocation reasons. An ORed sequence of flags from
`gnutls_x509_crl_reason_flags_t' .
CRITICAL: will be non-zero if the extension is marked as critical
(may be null)
This function retrieves the CRL distribution points (2.5.29.31),
contained in the given certificate in the X509v3 Certificate
Extensions.
*Returns:* `GNUTLS_E_SHORT_MEMORY_BUFFER' and updates `ret_size'
if `ret_size' is not enough to hold the distribution point, or the
type of the distribution point if everything was ok. The type is
one of the enumerated `gnutls_x509_subject_alt_name_t' . If the
certificate does not have an Alternative name with the specified
sequence number then `GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE' is
returned.
gnutls_x509_crt_get_dn
----------------------
-- Function: int gnutls_x509_crt_get_dn (gnutls_x509_crt_t CERT, char
* BUF, size_t * BUF_SIZE)
CERT: should contain a `gnutls_x509_crt_t' structure
BUF: a pointer to a structure to hold the name (may be null)
BUF_SIZE: initially holds the size of `buf'
This function will copy the name of the Certificate in the provided
buffer. The name will be in the form "C=xxxx,O=yyyy,CN=zzzz" as
described in RFC4514. The output string will be ASCII or UTF-8
encoded, depending on the certificate data.
If `buf' is null then only the size will be filled.
*Returns:* `GNUTLS_E_SHORT_MEMORY_BUFFER' if the provided buffer
is not long enough, and in that case the `buf_size' will be
updated with the required size. On success 0 is returned.
gnutls_x509_crt_get_dn_by_oid
-----------------------------
-- Function: int gnutls_x509_crt_get_dn_by_oid (gnutls_x509_crt_t
CERT, const char * OID, int INDX, unsigned int RAW_FLAG, void
* BUF, size_t * BUF_SIZE)
CERT: should contain a `gnutls_x509_crt_t' structure
OID: holds an Object Identified in null terminated string
INDX: In case multiple same OIDs exist in the RDN, this specifies
which to send. Use (0) to get the first one.
RAW_FLAG: If non-zero returns the raw DER data of the DN part.
BUF: a pointer where the DN part will be copied (may be null).
BUF_SIZE: initially holds the size of `buf'
This function will extract the part of the name of the Certificate
subject specified by the given OID. The output, if the raw flag is
not used, will be encoded as described in RFC4514. Thus a string
that is ASCII or UTF-8 encoded, depending on the certificate data.
Some helper macros with popular OIDs can be found in gnutls/x509.h
If raw flag is (0), this function will only return known OIDs as
text. Other OIDs will be DER encoded, as described in RFC4514 - in
hex format with a '#' prefix. You can check about known OIDs
using `gnutls_x509_dn_oid_known()' .
If `buf' is null then only the size will be filled. If the
`raw_flag' is not specified the output is always null terminated,
although the `buf_size' will not include the null character.
*Returns:* `GNUTLS_E_SHORT_MEMORY_BUFFER' if the provided buffer
is not long enough, and in that case the `buf_size' will be
updated with the required size.
`GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE' if there are no data in
the current index. On success 0 is returned.
gnutls_x509_crt_get_dn_oid
--------------------------
-- Function: int gnutls_x509_crt_get_dn_oid (gnutls_x509_crt_t CERT,
int INDX, void * OID, size_t * OID_SIZE)
CERT: should contain a `gnutls_x509_crt_t' structure
INDX: This specifies which OID to return. Use (0) to get the first
one.
OID: a pointer to a buffer to hold the OID (may be null)
OID_SIZE: initially holds the size of `oid'
This function will extract the OIDs of the name of the Certificate
subject specified by the given index.
If `oid' is null then only the size will be filled. The `oid'
returned will be null terminated, although `oid_size' will not
account for the trailing null.
*Returns:* `GNUTLS_E_SHORT_MEMORY_BUFFER' if the provided buffer
is not long enough, and in that case the `buf_size' will be
updated with the required size.
`GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE' if there are no data in
the current index. On success 0 is returned.
gnutls_x509_crt_get_expiration_time
-----------------------------------
-- Function: time_t gnutls_x509_crt_get_expiration_time
(gnutls_x509_crt_t CERT)
CERT: should contain a `gnutls_x509_crt_t' structure
This function will return the time this Certificate was or will be
expired.
*Returns:* expiration time, or (time_t)-1 on error.
gnutls_x509_crt_get_extension_by_oid
------------------------------------
-- Function: int gnutls_x509_crt_get_extension_by_oid
(gnutls_x509_crt_t CERT, const char * OID, int INDX, void *
BUF, size_t * BUF_SIZE, unsigned int * CRITICAL)
CERT: should contain a `gnutls_x509_crt_t' structure
OID: holds an Object Identified in null terminated string
INDX: In case multiple same OIDs exist in the extensions, this
specifies which to send. Use (0) to get the first one.
BUF: a pointer to a structure to hold the name (may be null)
BUF_SIZE: initially holds the size of `buf'
CRITICAL: will be non-zero if the extension is marked as critical
This function will return the extension specified by the OID in the
certificate. The extensions will be returned as binary data DER
encoded, in the provided buffer.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error code is returned. If the certificate
does not contain the specified extension
GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.
gnutls_x509_crt_get_extension_data
----------------------------------
-- Function: int gnutls_x509_crt_get_extension_data (gnutls_x509_crt_t
CERT, int INDX, void * DATA, size_t * SIZEOF_DATA)
CERT: should contain a `gnutls_x509_crt_t' structure
INDX: Specifies which extension OID to send. Use (0) to get the
first one.
DATA: a pointer to a structure to hold the data (may be null)
SIZEOF_DATA: initially holds the size of `oid'
This function will return the requested extension data in the
certificate. The extension data will be stored as a string in the
provided buffer.
Use `gnutls_x509_crt_get_extension_info()' to extract the OID and
critical flag. Use `gnutls_x509_crt_get_extension_by_oid()'
instead, if you want to get data indexed by the extension OID
rather than sequence.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error code is returned. If you have reached
the last extension available
`GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE' will be returned.
gnutls_x509_crt_get_extension_info
----------------------------------
-- Function: int gnutls_x509_crt_get_extension_info (gnutls_x509_crt_t
CERT, int INDX, void * OID, size_t * OID_SIZE, unsigned int *
CRITICAL)
CERT: should contain a `gnutls_x509_crt_t' structure
INDX: Specifies which extension OID to send. Use (0) to get the
first one.
OID: a pointer to a structure to hold the OID
OID_SIZE: initially holds the maximum size of `oid' , on return
holds actual size of `oid' .
CRITICAL: output variable with critical flag, may be NULL.
This function will return the requested extension OID in the
certificate, and the critical flag for it. The extension OID will
be stored as a string in the provided buffer. Use
`gnutls_x509_crt_get_extension_data()' to extract the data.
If the buffer provided is not long enough to hold the output, then
`oid_size' is updated and `GNUTLS_E_SHORT_MEMORY_BUFFER' will be
returned. The `oid' returned will be null terminated, although
`oid_size' will not account for the trailing null.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error code is returned. If you have reached
the last extension available
`GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE' will be returned.
gnutls_x509_crt_get_extension_oid
---------------------------------
-- Function: int gnutls_x509_crt_get_extension_oid (gnutls_x509_crt_t
CERT, int INDX, void * OID, size_t * OID_SIZE)
CERT: should contain a `gnutls_x509_crt_t' structure
INDX: Specifies which extension OID to send. Use (0) to get the
first one.
OID: a pointer to a structure to hold the OID (may be null)
OID_SIZE: initially holds the size of `oid'
This function will return the requested extension OID in the
certificate. The extension OID will be stored as a string in the
provided buffer.
The `oid' returned will be null terminated, although `oid_size'
will not account for the trailing null.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error code is returned. If you have reached
the last extension available
`GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE' will be returned.
gnutls_x509_crt_get_fingerprint
-------------------------------
-- Function: int gnutls_x509_crt_get_fingerprint (gnutls_x509_crt_t
CERT, gnutls_digest_algorithm_t ALGO, void * BUF, size_t *
BUF_SIZE)
CERT: should contain a `gnutls_x509_crt_t' structure
ALGO: is a digest algorithm
BUF: a pointer to a structure to hold the fingerprint (may be null)
BUF_SIZE: initially holds the size of `buf'
This function will calculate and copy the certificate's fingerprint
in the provided buffer.
If the buffer is null then only the size will be filled.
*Returns:* `GNUTLS_E_SHORT_MEMORY_BUFFER' if the provided buffer
is not long enough, and in that case the *buf_size will be updated
with the required size. On success 0 is returned.
gnutls_x509_crt_get_issuer
--------------------------
-- Function: int gnutls_x509_crt_get_issuer (gnutls_x509_crt_t CERT,
gnutls_x509_dn_t * DN)
CERT: should contain a `gnutls_x509_crt_t' structure
DN: output variable with pointer to uint8_t DN
Return the Certificate's Issuer DN as a `gnutls_x509_dn_t' data
type, that can be decoded using `gnutls_x509_dn_get_rdn_ava()' .
Note that `dn' should be treated as constant. Because it points
into the `cert' object, you should not use `dn' after `cert' is
deallocated.
*Returns:* Returns 0 on success, or an error code.
gnutls_x509_crt_get_issuer_alt_name
-----------------------------------
-- Function: int gnutls_x509_crt_get_issuer_alt_name
(gnutls_x509_crt_t CERT, unsigned int SEQ, void * IAN, size_t
* IAN_SIZE, unsigned int * CRITICAL)
CERT: should contain a `gnutls_x509_crt_t' structure
SEQ: specifies the sequence number of the alt name (0 for the
first one, 1 for the second etc.)
IAN: is the place where the alternative name will be copied to
IAN_SIZE: holds the size of ian.
CRITICAL: will be non-zero if the extension is marked as critical
(may be null)
This function retrieves the Issuer Alternative Name (2.5.29.18),
contained in the given certificate in the X509v3 Certificate
Extensions.
When the SAN type is otherName, it will extract the data in the
otherName's value field, and `GNUTLS_SAN_OTHERNAME' is returned.
You may use `gnutls_x509_crt_get_subject_alt_othername_oid()' to
get the corresponding OID and the "virtual" SAN types (e.g.,
`GNUTLS_SAN_OTHERNAME_XMPP' ).
If an otherName OID is known, the data will be decoded. Otherwise
the returned data will be DER encoded, and you will have to decode
it yourself. Currently, only the RFC 3920 id-on-xmppAddr Issuer
AltName is recognized.
*Returns:* the alternative issuer name type on success, one of the
enumerated `gnutls_x509_subject_alt_name_t' . It will return
`GNUTLS_E_SHORT_MEMORY_BUFFER' if `ian_size' is not large enough
to hold the value. In that case `ian_size' will be updated with
the required size. If the certificate does not have an
Alternative name with the specified sequence number then
`GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE' is returned.
*Since:* 2.10.0
gnutls_x509_crt_get_issuer_alt_name2
------------------------------------
-- Function: int gnutls_x509_crt_get_issuer_alt_name2
(gnutls_x509_crt_t CERT, unsigned int SEQ, void * IAN, size_t
* IAN_SIZE, unsigned int * IAN_TYPE, unsigned int * CRITICAL)
CERT: should contain a `gnutls_x509_crt_t' structure
SEQ: specifies the sequence number of the alt name (0 for the
first one, 1 for the second etc.)
IAN: is the place where the alternative name will be copied to
IAN_SIZE: holds the size of ret.
IAN_TYPE: holds the type of the alternative name (one of
gnutls_x509_subject_alt_name_t).
CRITICAL: will be non-zero if the extension is marked as critical
(may be null)
This function will return the alternative names, contained in the
given certificate. It is the same as
`gnutls_x509_crt_get_issuer_alt_name()' except for the fact that
it will return the type of the alternative name in `ian_type'
even if the function fails for some reason (i.e. the buffer
provided is not enough).
*Returns:* the alternative issuer name type on success, one of the
enumerated `gnutls_x509_subject_alt_name_t' . It will return
`GNUTLS_E_SHORT_MEMORY_BUFFER' if `ian_size' is not large enough
to hold the value. In that case `ian_size' will be updated with
the required size. If the certificate does not have an
Alternative name with the specified sequence number then
`GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE' is returned.
*Since:* 2.10.0
gnutls_x509_crt_get_issuer_alt_othername_oid
--------------------------------------------
-- Function: int gnutls_x509_crt_get_issuer_alt_othername_oid
(gnutls_x509_crt_t CERT, unsigned int SEQ, void * RET, size_t
* RET_SIZE)
CERT: should contain a `gnutls_x509_crt_t' structure
SEQ: specifies the sequence number of the alt name (0 for the
first one, 1 for the second etc.)
RET: is the place where the otherName OID will be copied to
RET_SIZE: holds the size of ret.
This function will extract the type OID of an otherName Subject
Alternative Name, contained in the given certificate, and return
the type as an enumerated element.
If `oid' is null then only the size will be filled. The `oid'
returned will be null terminated, although `oid_size' will not
account for the trailing null.
This function is only useful if
`gnutls_x509_crt_get_issuer_alt_name()' returned
`GNUTLS_SAN_OTHERNAME' .
*Returns:* the alternative issuer name type on success, one of the
enumerated gnutls_x509_subject_alt_name_t. For supported OIDs, it
will return one of the virtual (GNUTLS_SAN_OTHERNAME_*) types,
e.g. `GNUTLS_SAN_OTHERNAME_XMPP' , and `GNUTLS_SAN_OTHERNAME' for
unknown OIDs. It will return `GNUTLS_E_SHORT_MEMORY_BUFFER' if
`ret_size' is not large enough to hold the value. In that case
`ret_size' will be updated with the required size. If the
certificate does not have an Alternative name with the specified
sequence number and with the otherName type then
`GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE' is returned.
*Since:* 2.10.0
gnutls_x509_crt_get_issuer_dn
-----------------------------
-- Function: int gnutls_x509_crt_get_issuer_dn (gnutls_x509_crt_t
CERT, char * BUF, size_t * BUF_SIZE)
CERT: should contain a `gnutls_x509_crt_t' structure
BUF: a pointer to a structure to hold the name (may be null)
BUF_SIZE: initially holds the size of `buf'
This function will copy the name of the Certificate issuer in the
provided buffer. The name will be in the form
"C=xxxx,O=yyyy,CN=zzzz" as described in RFC4514. The output string
will be ASCII or UTF-8 encoded, depending on the certificate data.
If `buf' is null then only the size will be filled.
*Returns:* GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is
not long enough, and in that case the `buf_size' will be updated
with the required size. On success 0 is returned.
gnutls_x509_crt_get_issuer_dn_by_oid
------------------------------------
-- Function: int gnutls_x509_crt_get_issuer_dn_by_oid
(gnutls_x509_crt_t CERT, const char * OID, int INDX, unsigned
int RAW_FLAG, void * BUF, size_t * BUF_SIZE)
CERT: should contain a `gnutls_x509_crt_t' structure
OID: holds an Object Identified in null terminated string
INDX: In case multiple same OIDs exist in the RDN, this specifies
which to send. Use (0) to get the first one.
RAW_FLAG: If non-zero returns the raw DER data of the DN part.
BUF: a pointer to a structure to hold the name (may be null)
BUF_SIZE: initially holds the size of `buf'
This function will extract the part of the name of the Certificate
issuer specified by the given OID. The output, if the raw flag is
not used, will be encoded as described in RFC4514. Thus a string
that is ASCII or UTF-8 encoded, depending on the certificate data.
Some helper macros with popular OIDs can be found in gnutls/x509.h
If raw flag is (0), this function will only return known OIDs as
text. Other OIDs will be DER encoded, as described in RFC4514 - in
hex format with a '#' prefix. You can check about known OIDs
using `gnutls_x509_dn_oid_known()' .
If `buf' is null then only the size will be filled. If the
`raw_flag' is not specified the output is always null terminated,
although the `buf_size' will not include the null character.
*Returns:* `GNUTLS_E_SHORT_MEMORY_BUFFER' if the provided buffer
is not long enough, and in that case the `buf_size' will be
updated with the required size.
`GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE' if there are no data in
the current index. On success 0 is returned.
gnutls_x509_crt_get_issuer_dn_oid
---------------------------------
-- Function: int gnutls_x509_crt_get_issuer_dn_oid (gnutls_x509_crt_t
CERT, int INDX, void * OID, size_t * OID_SIZE)
CERT: should contain a `gnutls_x509_crt_t' structure
INDX: This specifies which OID to return. Use (0) to get the first
one.
OID: a pointer to a buffer to hold the OID (may be null)
OID_SIZE: initially holds the size of `oid'
This function will extract the OIDs of the name of the Certificate
issuer specified by the given index.
If `oid' is null then only the size will be filled. The `oid'
returned will be null terminated, although `oid_size' will not
account for the trailing null.
*Returns:* `GNUTLS_E_SHORT_MEMORY_BUFFER' if the provided buffer
is not long enough, and in that case the `buf_size' will be
updated with the required size.
`GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE' if there are no data in
the current index. On success 0 is returned.
gnutls_x509_crt_get_issuer_unique_id
------------------------------------
-- Function: int gnutls_x509_crt_get_issuer_unique_id
(gnutls_x509_crt_t CRT, char * BUF, size_t * BUF_SIZE)
CRT: Holds the certificate
BUF: user allocated memory buffer, will hold the unique id
BUF_SIZE: size of user allocated memory buffer (on input), will
hold actual size of the unique ID on return.
This function will extract the issuerUniqueID value (if present)
for the given certificate.
If the user allocated memory buffer is not large enough to hold the
full subjectUniqueID, then a GNUTLS_E_SHORT_MEMORY_BUFFER error
will be returned, and buf_size will be set to the actual length.
*Returns:* `GNUTLS_E_SUCCESS' on success, otherwise a negative
error code.
*Since:* 2.12.0
gnutls_x509_crt_get_key_id
--------------------------
-- Function: int gnutls_x509_crt_get_key_id (gnutls_x509_crt_t CRT,
unsigned int FLAGS, unsigned char * OUTPUT_DATA, size_t *
OUTPUT_DATA_SIZE)
CRT: Holds the certificate
FLAGS: should be 0 for now
OUTPUT_DATA: will contain the key ID
OUTPUT_DATA_SIZE: holds the size of output_data (and will be
replaced by the actual size of parameters)
This function will return a unique ID that depends on the public
key parameters. This ID can be used in checking whether a
certificate corresponds to the given private key.
If the buffer provided is not long enough to hold the output, then
*output_data_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will
be returned. The output will normally be a SHA-1 hash output,
which is 20 bytes.
*Returns:* In case of failure a negative error code will be
returned, and 0 on success.
gnutls_x509_crt_get_key_purpose_oid
-----------------------------------
-- Function: int gnutls_x509_crt_get_key_purpose_oid
(gnutls_x509_crt_t CERT, int INDX, void * OID, size_t *
OID_SIZE, unsigned int * CRITICAL)
CERT: should contain a `gnutls_x509_crt_t' structure
INDX: This specifies which OID to return. Use (0) to get the first
one.
OID: a pointer to a buffer to hold the OID (may be null)
OID_SIZE: initially holds the size of `oid'
CRITICAL: output flag to indicate criticality of extension
This function will extract the key purpose OIDs of the Certificate
specified by the given index. These are stored in the Extended Key
Usage extension (2.5.29.37) See the GNUTLS_KP_* definitions for
human readable names.
If `oid' is null then only the size will be filled. The `oid'
returned will be null terminated, although `oid_size' will not
account for the trailing null.
*Returns:* `GNUTLS_E_SHORT_MEMORY_BUFFER' if the provided buffer
is not long enough, and in that case the *oid_size will be updated
with the required size. On success 0 is returned.
gnutls_x509_crt_get_key_usage
-----------------------------
-- Function: int gnutls_x509_crt_get_key_usage (gnutls_x509_crt_t
CERT, unsigned int * KEY_USAGE, unsigned int * CRITICAL)
CERT: should contain a `gnutls_x509_crt_t' structure
KEY_USAGE: where the key usage bits will be stored
CRITICAL: will be non-zero if the extension is marked as critical
This function will return certificate's key usage, by reading the
keyUsage X.509 extension (2.5.29.15). The key usage value will ORed
values of the: `GNUTLS_KEY_DIGITAL_SIGNATURE' ,
`GNUTLS_KEY_NON_REPUDIATION' , `GNUTLS_KEY_KEY_ENCIPHERMENT' ,
`GNUTLS_KEY_DATA_ENCIPHERMENT' , `GNUTLS_KEY_KEY_AGREEMENT' ,
`GNUTLS_KEY_KEY_CERT_SIGN' , `GNUTLS_KEY_CRL_SIGN' ,
`GNUTLS_KEY_ENCIPHER_ONLY' , `GNUTLS_KEY_DECIPHER_ONLY' .
*Returns:* the certificate key usage, or a negative error code in
case of parsing error. If the certificate does not contain the
keyUsage extension `GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE' will be
returned.
gnutls_x509_crt_get_pk_algorithm
--------------------------------
-- Function: int gnutls_x509_crt_get_pk_algorithm (gnutls_x509_crt_t
CERT, unsigned int * BITS)
CERT: should contain a `gnutls_x509_crt_t' structure
BITS: if bits is non null it will hold the size of the parameters'
in bits
This function will return the public key algorithm of an X.509
certificate.
If bits is non null, it should have enough size to hold the
parameters size in bits. For RSA the bits returned is the modulus.
For DSA the bits returned are of the public exponent.
*Returns:* a member of the `gnutls_pk_algorithm_t' enumeration on
success, or a negative error code on error.
gnutls_x509_crt_get_pk_dsa_raw
------------------------------
-- Function: int gnutls_x509_crt_get_pk_dsa_raw (gnutls_x509_crt_t
CRT, gnutls_datum_t * P, gnutls_datum_t * Q, gnutls_datum_t *
G, gnutls_datum_t * Y)
CRT: Holds the certificate
P: will hold the p
Q: will hold the q
G: will hold the g
Y: will hold the y
This function will export the DSA public key's parameters found in
the given certificate. The new parameters will be allocated using
`gnutls_malloc()' and will be stored in the appropriate datum.
*Returns:* `GNUTLS_E_SUCCESS' on success, otherwise a negative
error code.
gnutls_x509_crt_get_pk_rsa_raw
------------------------------
-- Function: int gnutls_x509_crt_get_pk_rsa_raw (gnutls_x509_crt_t
CRT, gnutls_datum_t * M, gnutls_datum_t * E)
CRT: Holds the certificate
M: will hold the modulus
E: will hold the public exponent
This function will export the RSA public key's parameters found in
the given structure. The new parameters will be allocated using
`gnutls_malloc()' and will be stored in the appropriate datum.
*Returns:* `GNUTLS_E_SUCCESS' on success, otherwise a negative
error code.
gnutls_x509_crt_get_policy
--------------------------
-- Function: int gnutls_x509_crt_get_policy (gnutls_x509_crt_t CRT,
int INDX, struct gnutls_x509_policy_st* POLICY, unsigned int
* CRITICAL)
CRT: - undescribed -
INDX: This specifies which policy to return. Use (0) to get the
first one.
POLICY: A pointer to a policy structure.
CRITICAL: will be non-zero if the extension is marked as critical
This function will extract the certificate policy (extension
2.5.29.32) specified by the given index.
The policy returned by this function must be deinitialized by using
`gnutls_x509_policy_release()' .
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
`GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE' if the extension is not
present, otherwise a negative error value.
*Since:* 3.1.5
gnutls_x509_crt_get_private_key_usage_period
--------------------------------------------
-- Function: int gnutls_x509_crt_get_private_key_usage_period
(gnutls_x509_crt_t CERT, time_t* ACTIVATION, time_t*
EXPIRATION, unsigned int * CRITICAL)
CERT: should contain a `gnutls_x509_crt_t' structure
ACTIVATION: The activation time
EXPIRATION: The expiration time
CRITICAL: the extension status
This function will return the expiration and activation times of
the private key of the certificate. It relies on the PKIX
extension 2.5.29.16 being present.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
`GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE' if the extension is not
present, otherwise a negative error value.
gnutls_x509_crt_get_proxy
-------------------------
-- Function: int gnutls_x509_crt_get_proxy (gnutls_x509_crt_t CERT,
unsigned int * CRITICAL, int * PATHLEN, char **
POLICYLANGUAGE, char ** POLICY, size_t * SIZEOF_POLICY)
CERT: should contain a `gnutls_x509_crt_t' structure
CRITICAL: will be non-zero if the extension is marked as critical
PATHLEN: pointer to output integer indicating path length (may be
NULL), non-negative error codes indicate a present
pCPathLenConstraint field and the actual value, -1 indicate that
the field is absent.
POLICYLANGUAGE: output variable with OID of policy language
POLICY: output variable with policy data
SIZEOF_POLICY: output variable size of policy data
This function will get information from a proxy certificate. It
reads the ProxyCertInfo X.509 extension (1.3.6.1.5.5.7.1.14).
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error code is returned.
gnutls_x509_crt_get_raw_dn
--------------------------
-- Function: int gnutls_x509_crt_get_raw_dn (gnutls_x509_crt_t CERT,
gnutls_datum_t * START)
CERT: should contain a `gnutls_x509_crt_t' structure
START: will hold the starting point of the DN
This function will return a pointer to the DER encoded DN
structure and the length. This points to allocated data that must
be free'd using `gnutls_free()' .
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value. or a negative error code on
error.
gnutls_x509_crt_get_raw_issuer_dn
---------------------------------
-- Function: int gnutls_x509_crt_get_raw_issuer_dn (gnutls_x509_crt_t
CERT, gnutls_datum_t * START)
CERT: should contain a `gnutls_x509_crt_t' structure
START: will hold the starting point of the DN
This function will return a pointer to the DER encoded DN structure
and the length. This points to allocated data that must be free'd
using `gnutls_free()' .
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.or a negative error code on error.
gnutls_x509_crt_get_serial
--------------------------
-- Function: int gnutls_x509_crt_get_serial (gnutls_x509_crt_t CERT,
void * RESULT, size_t * RESULT_SIZE)
CERT: should contain a `gnutls_x509_crt_t' structure
RESULT: The place where the serial number will be copied
RESULT_SIZE: Holds the size of the result field.
This function will return the X.509 certificate's serial number.
This is obtained by the X509 Certificate serialNumber field. Serial
is not always a 32 or 64bit number. Some CAs use large serial
numbers, thus it may be wise to handle it as something uint8_t.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_x509_crt_get_signature
-----------------------------
-- Function: int gnutls_x509_crt_get_signature (gnutls_x509_crt_t
CERT, char * SIG, size_t * SIZEOF_SIG)
CERT: should contain a `gnutls_x509_crt_t' structure
SIG: a pointer where the signature part will be copied (may be
null).
SIZEOF_SIG: initially holds the size of `sig'
This function will extract the signature field of a certificate.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value. and a negative error code on
error.
gnutls_x509_crt_get_signature_algorithm
---------------------------------------
-- Function: int gnutls_x509_crt_get_signature_algorithm
(gnutls_x509_crt_t CERT)
CERT: should contain a `gnutls_x509_crt_t' structure
This function will return a value of the `gnutls_sign_algorithm_t'
enumeration that is the signature algorithm that has been used to
sign this certificate.
*Returns:* a `gnutls_sign_algorithm_t' value, or a negative error
code on error.
gnutls_x509_crt_get_subject
---------------------------
-- Function: int gnutls_x509_crt_get_subject (gnutls_x509_crt_t CERT,
gnutls_x509_dn_t * DN)
CERT: should contain a `gnutls_x509_crt_t' structure
DN: output variable with pointer to uint8_t DN.
Return the Certificate's Subject DN as a `gnutls_x509_dn_t' data
type, that can be decoded using `gnutls_x509_dn_get_rdn_ava()' .
Note that `dn' should be treated as constant. Because it points
into the `cert' object, you should not use `dn' after `cert' is
deallocated.
*Returns:* Returns 0 on success, or an error code.
gnutls_x509_crt_get_subject_alt_name
------------------------------------
-- Function: int gnutls_x509_crt_get_subject_alt_name
(gnutls_x509_crt_t CERT, unsigned int SEQ, void * SAN, size_t
* SAN_SIZE, unsigned int * CRITICAL)
CERT: should contain a `gnutls_x509_crt_t' structure
SEQ: specifies the sequence number of the alt name (0 for the
first one, 1 for the second etc.)
SAN: is the place where the alternative name will be copied to
SAN_SIZE: holds the size of san.
CRITICAL: will be non-zero if the extension is marked as critical
(may be null)
This function retrieves the Alternative Name (2.5.29.17), contained
in the given certificate in the X509v3 Certificate Extensions.
When the SAN type is otherName, it will extract the data in the
otherName's value field, and `GNUTLS_SAN_OTHERNAME' is returned.
You may use `gnutls_x509_crt_get_subject_alt_othername_oid()' to
get the corresponding OID and the "virtual" SAN types (e.g.,
`GNUTLS_SAN_OTHERNAME_XMPP' ).
If an otherName OID is known, the data will be decoded. Otherwise
the returned data will be DER encoded, and you will have to decode
it yourself. Currently, only the RFC 3920 id-on-xmppAddr SAN is
recognized.
*Returns:* the alternative subject name type on success, one of the
enumerated `gnutls_x509_subject_alt_name_t' . It will return
`GNUTLS_E_SHORT_MEMORY_BUFFER' if `san_size' is not large enough
to hold the value. In that case `san_size' will be updated with
the required size. If the certificate does not have an Alternative
name with the specified sequence number then
`GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE' is returned.
gnutls_x509_crt_get_subject_alt_name2
-------------------------------------
-- Function: int gnutls_x509_crt_get_subject_alt_name2
(gnutls_x509_crt_t CERT, unsigned int SEQ, void * SAN, size_t
* SAN_SIZE, unsigned int * SAN_TYPE, unsigned int * CRITICAL)
CERT: should contain a `gnutls_x509_crt_t' structure
SEQ: specifies the sequence number of the alt name (0 for the
first one, 1 for the second etc.)
SAN: is the place where the alternative name will be copied to
SAN_SIZE: holds the size of ret.
SAN_TYPE: holds the type of the alternative name (one of
gnutls_x509_subject_alt_name_t).
CRITICAL: will be non-zero if the extension is marked as critical
(may be null)
This function will return the alternative names, contained in the
given certificate. It is the same as
`gnutls_x509_crt_get_subject_alt_name()' except for the fact that
it will return the type of the alternative name in `san_type'
even if the function fails for some reason (i.e. the buffer
provided is not enough).
*Returns:* the alternative subject name type on success, one of the
enumerated `gnutls_x509_subject_alt_name_t' . It will return
`GNUTLS_E_SHORT_MEMORY_BUFFER' if `san_size' is not large enough
to hold the value. In that case `san_size' will be updated with
the required size. If the certificate does not have an
Alternative name with the specified sequence number then
`GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE' is returned.
gnutls_x509_crt_get_subject_alt_othername_oid
---------------------------------------------
-- Function: int gnutls_x509_crt_get_subject_alt_othername_oid
(gnutls_x509_crt_t CERT, unsigned int SEQ, void * OID, size_t
* OID_SIZE)
CERT: should contain a `gnutls_x509_crt_t' structure
SEQ: specifies the sequence number of the alt name (0 for the
first one, 1 for the second etc.)
OID: is the place where the otherName OID will be copied to
OID_SIZE: holds the size of ret.
This function will extract the type OID of an otherName Subject
Alternative Name, contained in the given certificate, and return
the type as an enumerated element.
This function is only useful if
`gnutls_x509_crt_get_subject_alt_name()' returned
`GNUTLS_SAN_OTHERNAME' .
If `oid' is null then only the size will be filled. The `oid'
returned will be null terminated, although `oid_size' will not
account for the trailing null.
*Returns:* the alternative subject name type on success, one of the
enumerated gnutls_x509_subject_alt_name_t. For supported OIDs, it
will return one of the virtual (GNUTLS_SAN_OTHERNAME_*) types,
e.g. `GNUTLS_SAN_OTHERNAME_XMPP' , and `GNUTLS_SAN_OTHERNAME' for
unknown OIDs. It will return `GNUTLS_E_SHORT_MEMORY_BUFFER' if
`ian_size' is not large enough to hold the value. In that case
`ian_size' will be updated with the required size. If the
certificate does not have an Alternative name with the specified
sequence number and with the otherName type then
`GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE' is returned.
gnutls_x509_crt_get_subject_key_id
----------------------------------
-- Function: int gnutls_x509_crt_get_subject_key_id (gnutls_x509_crt_t
CERT, void * RET, size_t * RET_SIZE, unsigned int * CRITICAL)
CERT: should contain a `gnutls_x509_crt_t' structure
RET: The place where the identifier will be copied
RET_SIZE: Holds the size of the result field.
CRITICAL: will be non-zero if the extension is marked as critical
(may be null)
This function will return the X.509v3 certificate's subject key
identifier. This is obtained by the X.509 Subject Key identifier
extension field (2.5.29.14).
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
`GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE' if the extension is not
present, otherwise a negative error value.
gnutls_x509_crt_get_subject_unique_id
-------------------------------------
-- Function: int gnutls_x509_crt_get_subject_unique_id
(gnutls_x509_crt_t CRT, char * BUF, size_t * BUF_SIZE)
CRT: Holds the certificate
BUF: user allocated memory buffer, will hold the unique id
BUF_SIZE: size of user allocated memory buffer (on input), will
hold actual size of the unique ID on return.
This function will extract the subjectUniqueID value (if present)
for the given certificate.
If the user allocated memory buffer is not large enough to hold the
full subjectUniqueID, then a GNUTLS_E_SHORT_MEMORY_BUFFER error
will be returned, and buf_size will be set to the actual length.
*Returns:* `GNUTLS_E_SUCCESS' on success, otherwise a negative
error code.
gnutls_x509_crt_get_version
---------------------------
-- Function: int gnutls_x509_crt_get_version (gnutls_x509_crt_t CERT)
CERT: should contain a `gnutls_x509_crt_t' structure
This function will return the version of the specified Certificate.
*Returns:* version of certificate, or a negative error code on
error.
gnutls_x509_crt_import
----------------------
-- Function: int gnutls_x509_crt_import (gnutls_x509_crt_t CERT, const
gnutls_datum_t * DATA, gnutls_x509_crt_fmt_t FORMAT)
CERT: The structure to store the parsed certificate.
DATA: The DER or PEM encoded certificate.
FORMAT: One of DER or PEM
This function will convert the given DER or PEM encoded Certificate
to the native gnutls_x509_crt_t format. The output will be stored
in `cert' .
If the Certificate is PEM encoded it should have a header of "X509
CERTIFICATE", or "CERTIFICATE".
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_x509_crt_init
--------------------
-- Function: int gnutls_x509_crt_init (gnutls_x509_crt_t * CERT)
CERT: The structure to be initialized
This function will initialize an X.509 certificate structure.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_x509_crt_list_import
---------------------------
-- Function: int gnutls_x509_crt_list_import (gnutls_x509_crt_t *
CERTS, unsigned int * CERT_MAX, const gnutls_datum_t * DATA,
gnutls_x509_crt_fmt_t FORMAT, unsigned int FLAGS)
CERTS: The structures to store the parsed certificate. Must not be
initialized.
CERT_MAX: Initially must hold the maximum number of certs. It will
be updated with the number of certs available.
DATA: The PEM encoded certificate.
FORMAT: One of DER or PEM.
FLAGS: must be (0) or an OR'd sequence of
gnutls_certificate_import_flags.
This function will convert the given PEM encoded certificate list
to the native gnutls_x509_crt_t format. The output will be stored
in `certs' . They will be automatically initialized.
The flag `GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED' will cause
import to fail if the certificates in the provided buffer are more
than the available structures. The
`GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED' flag will cause the
function to fail if the provided list is not sorted from subject
to issuer.
If the Certificate is PEM encoded it should have a header of "X509
CERTIFICATE", or "CERTIFICATE".
*Returns:* the number of certificates read or a negative error
value.
gnutls_x509_crt_list_import2
----------------------------
-- Function: int gnutls_x509_crt_list_import2 (gnutls_x509_crt_t **
CERTS, unsigned int * SIZE, const gnutls_datum_t * DATA,
gnutls_x509_crt_fmt_t FORMAT, unsigned int FLAGS)
CERTS: The structures to store the parsed certificate. Must not be
initialized.
SIZE: It will contain the size of the list.
DATA: The PEM encoded certificate.
FORMAT: One of DER or PEM.
FLAGS: must be (0) or an OR'd sequence of
gnutls_certificate_import_flags.
This function will convert the given PEM encoded certificate list
to the native gnutls_x509_crt_t format. The output will be stored
in `certs' which will be initialized.
If the Certificate is PEM encoded it should have a header of "X509
CERTIFICATE", or "CERTIFICATE".
*Returns:* the number of certificates read or a negative error
value.
*Since:* 3.0
gnutls_x509_crt_list_verify
---------------------------
-- Function: int gnutls_x509_crt_list_verify (const gnutls_x509_crt_t
* CERT_LIST, int CERT_LIST_LENGTH, const gnutls_x509_crt_t *
CA_LIST, int CA_LIST_LENGTH, const gnutls_x509_crl_t *
CRL_LIST, int CRL_LIST_LENGTH, unsigned int FLAGS, unsigned
int * VERIFY)
CERT_LIST: is the certificate list to be verified
CERT_LIST_LENGTH: holds the number of certificate in cert_list
CA_LIST: is the CA list which will be used in verification
CA_LIST_LENGTH: holds the number of CA certificate in CA_list
CRL_LIST: holds a list of CRLs.
CRL_LIST_LENGTH: the length of CRL list.
FLAGS: Flags that may be used to change the verification
algorithm. Use OR of the gnutls_certificate_verify_flags
enumerations.
VERIFY: will hold the certificate verification output.
This function will try to verify the given certificate list and
return its status. If no flags are specified (0), this function
will use the basicConstraints (2.5.29.19) PKIX extension. This
means that only a certificate authority is allowed to sign a
certificate.
You must also check the peer's name in order to check if the
verified certificate belongs to the actual peer.
The certificate verification output will be put in `verify' and
will be one or more of the gnutls_certificate_status_t enumerated
elements bitwise or'd. For a more detailed verification status use
`gnutls_x509_crt_verify()' per list element.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_x509_crt_print
---------------------
-- Function: int gnutls_x509_crt_print (gnutls_x509_crt_t CERT,
gnutls_certificate_print_formats_t FORMAT, gnutls_datum_t *
OUT)
CERT: The structure to be printed
FORMAT: Indicate the format to use
OUT: Newly allocated datum with (0) terminated string.
This function will pretty print a X.509 certificate, suitable for
display to a human.
If the format is `GNUTLS_CRT_PRINT_FULL' then all fields of the
certificate will be output, on multiple lines. The
`GNUTLS_CRT_PRINT_ONELINE' format will generate one line with some
selected fields, which is useful for logging purposes.
The output `out' needs to be deallocated using `gnutls_free()' .
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_x509_crt_set_activation_time
-----------------------------------
-- Function: int gnutls_x509_crt_set_activation_time
(gnutls_x509_crt_t CERT, time_t ACT_TIME)
CERT: a certificate of type `gnutls_x509_crt_t'
ACT_TIME: The actual time
This function will set the time this Certificate was or will be
activated.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_x509_crt_set_authority_info_access
-----------------------------------------
-- Function: int gnutls_x509_crt_set_authority_info_access
(gnutls_x509_crt_t CRT, int WHAT, gnutls_datum_t * DATA)
CRT: Holds the certificate
WHAT: what data to get, a `gnutls_info_access_what_t' type.
DATA: output data to be freed with `gnutls_free()' .
This function sets the Authority Information Access (AIA)
extension, see RFC 5280 section 4.2.2.1 for more information.
The type of data stored in `data' is specified via `what' which
should be `gnutls_info_access_what_t' values.
If `what' is `GNUTLS_IA_OCSP_URI' , `data' will hold the OCSP
URI. If `what' is `GNUTLS_IA_CAISSUERS_URI' , `data' will hold
the caIssuers URI.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
*Since:* 3.0
gnutls_x509_crt_set_authority_key_id
------------------------------------
-- Function: int gnutls_x509_crt_set_authority_key_id
(gnutls_x509_crt_t CERT, const void * ID, size_t ID_SIZE)
CERT: a certificate of type `gnutls_x509_crt_t'
ID: The key ID
ID_SIZE: Holds the size of the serial field.
This function will set the X.509 certificate's authority key ID
extension. Only the keyIdentifier field can be set with this
function.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_x509_crt_set_basic_constraints
-------------------------------------
-- Function: int gnutls_x509_crt_set_basic_constraints
(gnutls_x509_crt_t CRT, unsigned int CA, int
PATHLENCONSTRAINT)
CRT: a certificate of type `gnutls_x509_crt_t'
CA: true(1) or false(0). Depending on the Certificate authority
status.
PATHLENCONSTRAINT: non-negative error codes indicate maximum
length of path, and negative error codes indicate that the
pathLenConstraints field should not be present.
This function will set the basicConstraints certificate extension.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_x509_crt_set_ca_status
-----------------------------
-- Function: int gnutls_x509_crt_set_ca_status (gnutls_x509_crt_t CRT,
unsigned int CA)
CRT: a certificate of type `gnutls_x509_crt_t'
CA: true(1) or false(0). Depending on the Certificate authority
status.
This function will set the basicConstraints certificate extension.
Use `gnutls_x509_crt_set_basic_constraints()' if you want to
control the pathLenConstraint field too.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_x509_crt_set_crl_dist_points
-----------------------------------
-- Function: int gnutls_x509_crt_set_crl_dist_points
(gnutls_x509_crt_t CRT, gnutls_x509_subject_alt_name_t TYPE,
const void * DATA_STRING, unsigned int REASON_FLAGS)
CRT: a certificate of type `gnutls_x509_crt_t'
TYPE: is one of the gnutls_x509_subject_alt_name_t enumerations
DATA_STRING: The data to be set
REASON_FLAGS: revocation reasons
This function will set the CRL distribution points certificate
extension.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_x509_crt_set_crl_dist_points2
------------------------------------
-- Function: int gnutls_x509_crt_set_crl_dist_points2
(gnutls_x509_crt_t CRT, gnutls_x509_subject_alt_name_t TYPE,
const void * DATA, unsigned int DATA_SIZE, unsigned int
REASON_FLAGS)
CRT: a certificate of type `gnutls_x509_crt_t'
TYPE: is one of the gnutls_x509_subject_alt_name_t enumerations
DATA: The data to be set
DATA_SIZE: The data size
REASON_FLAGS: revocation reasons
This function will set the CRL distribution points certificate
extension.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
*Since:* 2.6.0
gnutls_x509_crt_set_crq
-----------------------
-- Function: int gnutls_x509_crt_set_crq (gnutls_x509_crt_t CRT,
gnutls_x509_crq_t CRQ)
CRT: a certificate of type `gnutls_x509_crt_t'
CRQ: holds a certificate request
This function will set the name and public parameters as well as
the extensions from the given certificate request to the
certificate. Only RSA keys are currently supported.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_x509_crt_set_crq_extensions
----------------------------------
-- Function: int gnutls_x509_crt_set_crq_extensions (gnutls_x509_crt_t
CRT, gnutls_x509_crq_t CRQ)
CRT: a certificate of type `gnutls_x509_crt_t'
CRQ: holds a certificate request
This function will set extensions from the given request to the
certificate.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
*Since:* 2.8.0
gnutls_x509_crt_set_dn_by_oid
-----------------------------
-- Function: int gnutls_x509_crt_set_dn_by_oid (gnutls_x509_crt_t CRT,
const char * OID, unsigned int RAW_FLAG, const void * NAME,
unsigned int SIZEOF_NAME)
CRT: a certificate of type `gnutls_x509_crt_t'
OID: holds an Object Identifier in a null terminated string
RAW_FLAG: must be 0, or 1 if the data are DER encoded
NAME: a pointer to the name
SIZEOF_NAME: holds the size of `name'
This function will set the part of the name of the Certificate
subject, specified by the given OID. The input string should be
ASCII or UTF-8 encoded.
Some helper macros with popular OIDs can be found in gnutls/x509.h
With this function you can only set the known OIDs. You can test
for known OIDs using `gnutls_x509_dn_oid_known()' . For OIDs that
are not known (by gnutls) you should properly DER encode your data,
and call this function with `raw_flag' set.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_x509_crt_set_expiration_time
-----------------------------------
-- Function: int gnutls_x509_crt_set_expiration_time
(gnutls_x509_crt_t CERT, time_t EXP_TIME)
CERT: a certificate of type `gnutls_x509_crt_t'
EXP_TIME: The actual time
This function will set the time this Certificate will expire.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_x509_crt_set_extension_by_oid
------------------------------------
-- Function: int gnutls_x509_crt_set_extension_by_oid
(gnutls_x509_crt_t CRT, const char * OID, const void * BUF,
size_t SIZEOF_BUF, unsigned int CRITICAL)
CRT: a certificate of type `gnutls_x509_crt_t'
OID: holds an Object Identified in null terminated string
BUF: a pointer to a DER encoded data
SIZEOF_BUF: holds the size of `buf'
CRITICAL: should be non-zero if the extension is to be marked as
critical
This function will set an the extension, by the specified OID, in
the certificate. The extension data should be binary data DER
encoded.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_x509_crt_set_issuer_dn_by_oid
------------------------------------
-- Function: int gnutls_x509_crt_set_issuer_dn_by_oid
(gnutls_x509_crt_t CRT, const char * OID, unsigned int
RAW_FLAG, const void * NAME, unsigned int SIZEOF_NAME)
CRT: a certificate of type `gnutls_x509_crt_t'
OID: holds an Object Identifier in a null terminated string
RAW_FLAG: must be 0, or 1 if the data are DER encoded
NAME: a pointer to the name
SIZEOF_NAME: holds the size of `name'
This function will set the part of the name of the Certificate
issuer, specified by the given OID. The input string should be
ASCII or UTF-8 encoded.
Some helper macros with popular OIDs can be found in gnutls/x509.h
With this function you can only set the known OIDs. You can test
for known OIDs using `gnutls_x509_dn_oid_known()' . For OIDs that
are not known (by gnutls) you should properly DER encode your data,
and call this function with `raw_flag' set.
Normally you do not need to call this function, since the signing
operation will copy the signer's name as the issuer of the
certificate.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_x509_crt_set_key
-----------------------
-- Function: int gnutls_x509_crt_set_key (gnutls_x509_crt_t CRT,
gnutls_x509_privkey_t KEY)
CRT: a certificate of type `gnutls_x509_crt_t'
KEY: holds a private key
This function will set the public parameters from the given
private key to the certificate. Only RSA keys are currently
supported.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_x509_crt_set_key_purpose_oid
-----------------------------------
-- Function: int gnutls_x509_crt_set_key_purpose_oid
(gnutls_x509_crt_t CERT, const void * OID, unsigned int
CRITICAL)
CERT: a certificate of type `gnutls_x509_crt_t'
OID: a pointer to a null terminated string that holds the OID
CRITICAL: Whether this extension will be critical or not
This function will set the key purpose OIDs of the Certificate.
These are stored in the Extended Key Usage extension (2.5.29.37)
See the GNUTLS_KP_* definitions for human readable names.
Subsequent calls to this function will append OIDs to the OID list.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error code is returned.
gnutls_x509_crt_set_key_usage
-----------------------------
-- Function: int gnutls_x509_crt_set_key_usage (gnutls_x509_crt_t CRT,
unsigned int USAGE)
CRT: a certificate of type `gnutls_x509_crt_t'
USAGE: an ORed sequence of the GNUTLS_KEY_* elements.
This function will set the keyUsage certificate extension.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_x509_crt_set_pin_function
--------------------------------
-- Function: void gnutls_x509_crt_set_pin_function (gnutls_x509_crt_t
CRT, gnutls_pin_callback_t FN, void * USERDATA)
CRT: The certificate structure
FN: the callback
USERDATA: data associated with the callback
This function will set a callback function to be used when it is
required to access a protected object. This function overrides the
global function set using `gnutls_pkcs11_set_pin_function()' .
Note that this callback is currently used only during the import
of a PKCS `11' certificate with
`gnutls_x509_crt_import_pkcs11_url()' .
*Since:* 3.1.0
gnutls_x509_crt_set_policy
--------------------------
-- Function: int gnutls_x509_crt_set_policy (gnutls_x509_crt_t CRT,
struct gnutls_x509_policy_st* POLICY, unsigned int CRITICAL)
CRT: - undescribed -
POLICY: A pointer to a policy structure.
CRITICAL: use non-zero if the extension is marked as critical
This function will set the certificate policy extension
(2.5.29.32). Multiple calls to this function append a new policy.
Note the maximum text size for the qualifier
`GNUTLS_X509_QUALIFIER_NOTICE' is 200 characters. This function
will fail with `GNUTLS_E_INVALID_REQUEST' if this is exceeded.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
*Since:* 3.1.5
gnutls_x509_crt_set_private_key_usage_period
--------------------------------------------
-- Function: int gnutls_x509_crt_set_private_key_usage_period
(gnutls_x509_crt_t CRT, time_t ACTIVATION, time_t EXPIRATION)
CRT: a certificate of type `gnutls_x509_crt_t'
ACTIVATION: The activation time
EXPIRATION: The expiration time
This function will set the private key usage period extension
(2.5.29.16).
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_x509_crt_set_proxy
-------------------------
-- Function: int gnutls_x509_crt_set_proxy (gnutls_x509_crt_t CRT, int
PATHLENCONSTRAINT, const char * POLICYLANGUAGE, const char *
POLICY, size_t SIZEOF_POLICY)
CRT: a certificate of type `gnutls_x509_crt_t'
PATHLENCONSTRAINT: non-negative error codes indicate maximum
length of path, and negative error codes indicate that the
pathLenConstraints field should not be present.
POLICYLANGUAGE: OID describing the language of `policy' .
POLICY: uint8_t byte array with policy language, can be `NULL'
SIZEOF_POLICY: size of `policy' .
This function will set the proxyCertInfo extension.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_x509_crt_set_proxy_dn
----------------------------
-- Function: int gnutls_x509_crt_set_proxy_dn (gnutls_x509_crt_t CRT,
gnutls_x509_crt_t EECRT, unsigned int RAW_FLAG, const void *
NAME, unsigned int SIZEOF_NAME)
CRT: a gnutls_x509_crt_t structure with the new proxy cert
EECRT: the end entity certificate that will be issuing the proxy
RAW_FLAG: must be 0, or 1 if the CN is DER encoded
NAME: a pointer to the CN name, may be NULL (but MUST then be
added later)
SIZEOF_NAME: holds the size of `name'
This function will set the subject in `crt' to the end entity's
`eecrt' subject name, and add a single Common Name component
`name' of size `sizeof_name' . This corresponds to the required
proxy certificate naming style. Note that if `name' is `NULL' ,
you MUST set it later by using `gnutls_x509_crt_set_dn_by_oid()'
or similar.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_x509_crt_set_serial
--------------------------
-- Function: int gnutls_x509_crt_set_serial (gnutls_x509_crt_t CERT,
const void * SERIAL, size_t SERIAL_SIZE)
CERT: a certificate of type `gnutls_x509_crt_t'
SERIAL: The serial number
SERIAL_SIZE: Holds the size of the serial field.
This function will set the X.509 certificate's serial number.
Serial is not always a 32 or 64bit number. Some CAs use large
serial numbers, thus it may be wise to handle it as something
uint8_t.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_x509_crt_set_subject_alternative_name
--------------------------------------------
-- Function: int gnutls_x509_crt_set_subject_alternative_name
(gnutls_x509_crt_t CRT, gnutls_x509_subject_alt_name_t TYPE,
const char * DATA_STRING)
CRT: a certificate of type `gnutls_x509_crt_t'
TYPE: is one of the gnutls_x509_subject_alt_name_t enumerations
DATA_STRING: The data to be set, a (0) terminated string
This function will set the subject alternative name certificate
extension. This function assumes that data can be expressed as a
null terminated string.
The name of the function is unfortunate since it is incosistent
with `gnutls_x509_crt_get_subject_alt_name()' .
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_x509_crt_set_subject_alt_name
------------------------------------
-- Function: int gnutls_x509_crt_set_subject_alt_name
(gnutls_x509_crt_t CRT, gnutls_x509_subject_alt_name_t TYPE,
const void * DATA, unsigned int DATA_SIZE, unsigned int FLAGS)
CRT: a certificate of type `gnutls_x509_crt_t'
TYPE: is one of the gnutls_x509_subject_alt_name_t enumerations
DATA: The data to be set
DATA_SIZE: The size of data to be set
FLAGS: GNUTLS_FSAN_SET to clear previous data or
GNUTLS_FSAN_APPEND to append.
This function will set the subject alternative name certificate
extension. It can set the following types:
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
*Since:* 2.6.0
gnutls_x509_crt_set_subject_key_id
----------------------------------
-- Function: int gnutls_x509_crt_set_subject_key_id (gnutls_x509_crt_t
CERT, const void * ID, size_t ID_SIZE)
CERT: a certificate of type `gnutls_x509_crt_t'
ID: The key ID
ID_SIZE: Holds the size of the serial field.
This function will set the X.509 certificate's subject key ID
extension.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_x509_crt_set_version
---------------------------
-- Function: int gnutls_x509_crt_set_version (gnutls_x509_crt_t CRT,
unsigned int VERSION)
CRT: a certificate of type `gnutls_x509_crt_t'
VERSION: holds the version number. For X.509v1 certificates must
be 1.
This function will set the version of the certificate. This must
be one for X.509 version 1, and so on. Plain certificates without
extensions must have version set to one.
To create well-formed certificates, you must specify version 3 if
you use any certificate extensions. Extensions are created by
functions such as `gnutls_x509_crt_set_subject_alt_name()' or
`gnutls_x509_crt_set_key_usage()' .
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_x509_crt_sign
--------------------
-- Function: int gnutls_x509_crt_sign (gnutls_x509_crt_t CRT,
gnutls_x509_crt_t ISSUER, gnutls_x509_privkey_t ISSUER_KEY)
CRT: a certificate of type `gnutls_x509_crt_t'
ISSUER: is the certificate of the certificate issuer
ISSUER_KEY: holds the issuer's private key
This function is the same a `gnutls_x509_crt_sign2()' with no
flags, and SHA1 as the hash algorithm.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_x509_crt_sign2
---------------------
-- Function: int gnutls_x509_crt_sign2 (gnutls_x509_crt_t CRT,
gnutls_x509_crt_t ISSUER, gnutls_x509_privkey_t ISSUER_KEY,
gnutls_digest_algorithm_t DIG, unsigned int FLAGS)
CRT: a certificate of type `gnutls_x509_crt_t'
ISSUER: is the certificate of the certificate issuer
ISSUER_KEY: holds the issuer's private key
DIG: The message digest to use, `GNUTLS_DIG_SHA1' is a safe choice
FLAGS: must be 0
This function will sign the certificate with the issuer's private
key, and will copy the issuer's information into the certificate.
This must be the last step in a certificate generation since all
the previously set parameters are now signed.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_x509_crt_verify
----------------------
-- Function: int gnutls_x509_crt_verify (gnutls_x509_crt_t CERT, const
gnutls_x509_crt_t * CA_LIST, int CA_LIST_LENGTH, unsigned int
FLAGS, unsigned int * VERIFY)
CERT: is the certificate to be verified
CA_LIST: is one certificate that is considered to be trusted one
CA_LIST_LENGTH: holds the number of CA certificate in CA_list
FLAGS: Flags that may be used to change the verification
algorithm. Use OR of the gnutls_certificate_verify_flags
enumerations.
VERIFY: will hold the certificate verification output.
This function will try to verify the given certificate and return
its status.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_x509_dn_deinit
---------------------
-- Function: void gnutls_x509_dn_deinit (gnutls_x509_dn_t DN)
DN: a DN uint8_t object pointer.
This function deallocates the DN object as returned by
`gnutls_x509_dn_import()' .
*Since:* 2.4.0
gnutls_x509_dn_export
---------------------
-- Function: int gnutls_x509_dn_export (gnutls_x509_dn_t DN,
gnutls_x509_crt_fmt_t FORMAT, void * OUTPUT_DATA, size_t *
OUTPUT_DATA_SIZE)
DN: Holds the uint8_t DN object
FORMAT: the format of output params. One of PEM or DER.
OUTPUT_DATA: will contain a DN PEM or DER encoded
OUTPUT_DATA_SIZE: holds the size of output_data (and will be
replaced by the actual size of parameters)
This function will export the DN to DER or PEM format.
If the buffer provided is not long enough to hold the output, then
* `output_data_size' is updated and `GNUTLS_E_SHORT_MEMORY_BUFFER'
will be returned.
If the structure is PEM encoded, it will have a header of "BEGIN
NAME".
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_x509_dn_export2
----------------------
-- Function: int gnutls_x509_dn_export2 (gnutls_x509_dn_t DN,
gnutls_x509_crt_fmt_t FORMAT, gnutls_datum_t * OUT)
DN: Holds the uint8_t DN object
FORMAT: the format of output params. One of PEM or DER.
OUT: will contain a DN PEM or DER encoded
This function will export the DN to DER or PEM format.
The output buffer is allocated using `gnutls_malloc()' .
If the structure is PEM encoded, it will have a header of "BEGIN
NAME".
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_x509_dn_get_rdn_ava
--------------------------
-- Function: int gnutls_x509_dn_get_rdn_ava (gnutls_x509_dn_t DN, int
IRDN, int IAVA, gnutls_x509_ava_st * AVA)
DN: input variable with uint8_t DN pointer
IRDN: index of RDN
IAVA: index of AVA.
AVA: Pointer to structure which will hold output information.
Get pointers to data within the DN. The format of the `ava'
structure is shown below.
struct gnutls_x509_ava_st { gnutls_datum_t oid; gnutls_datum_t
value; unsigned long value_tag; };
Note that `ava' will contain pointers into the `dn' structure,
so you should not modify any data or deallocate it. Note also
that the DN in turn points into the original certificate
structure, and thus you may not deallocate the certificate and
continue to access `dn' .
*Returns:* Returns 0 on success, or an error code.
gnutls_x509_dn_import
---------------------
-- Function: int gnutls_x509_dn_import (gnutls_x509_dn_t DN, const
gnutls_datum_t * DATA)
DN: the structure that will hold the imported DN
DATA: should contain a DER encoded RDN sequence
This function parses an RDN sequence and stores the result to a
`gnutls_x509_dn_t' structure. The structure must have been
initialized with `gnutls_x509_dn_init()' . You may use
`gnutls_x509_dn_get_rdn_ava()' to decode the DN.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
*Since:* 2.4.0
gnutls_x509_dn_init
-------------------
-- Function: int gnutls_x509_dn_init (gnutls_x509_dn_t * DN)
DN: the object to be initialized
This function initializes a `gnutls_x509_dn_t' structure.
The object returned must be deallocated using
`gnutls_x509_dn_deinit()' .
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
*Since:* 2.4.0
gnutls_x509_dn_oid_known
------------------------
-- Function: int gnutls_x509_dn_oid_known (const char * OID)
OID: holds an Object Identifier in a null terminated string
This function will inform about known DN OIDs. This is useful since
functions like `gnutls_x509_crt_set_dn_by_oid()' use the
information on known OIDs to properly encode their input. Object
Identifiers that are not known are not encoded by these functions,
and their input is stored directly into the ASN.1 structure. In
that case of unknown OIDs, you have the responsibility of DER
encoding your data.
*Returns:* 1 on known OIDs and 0 otherwise.
gnutls_x509_dn_oid_name
-----------------------
-- Function: const char* gnutls_x509_dn_oid_name (const char * OID,
unsigned int FLAGS)
OID: holds an Object Identifier in a null terminated string
FLAGS: 0 or GNUTLS_X509_DN_OID_*
This function will return the name of a known DN OID. If
`GNUTLS_X509_DN_OID_RETURN_OID' is specified this function will
return the given OID if no descriptive name has been found.
*Returns:* A null terminated string or NULL otherwise.
*Since:* 3.0
gnutls_x509_policy_release
--------------------------
-- Function: void gnutls_x509_policy_release (struct
gnutls_x509_policy_st* POLICY)
POLICY: a certificate policy
This function will deinitialize all memory associated with the
provided `policy' . The policy is allocated using
`gnutls_x509_crt_get_policy()' .
*Since:* 3.1.5
gnutls_x509_privkey_cpy
-----------------------
-- Function: int gnutls_x509_privkey_cpy (gnutls_x509_privkey_t DST,
gnutls_x509_privkey_t SRC)
DST: The destination key, which should be initialized.
SRC: The source key
This function will copy a private key from source to destination
key. Destination has to be initialized.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_x509_privkey_deinit
--------------------------
-- Function: void gnutls_x509_privkey_deinit (gnutls_x509_privkey_t
KEY)
KEY: The structure to be deinitialized
This function will deinitialize a private key structure.
gnutls_x509_privkey_export
--------------------------
-- Function: int gnutls_x509_privkey_export (gnutls_x509_privkey_t
KEY, gnutls_x509_crt_fmt_t FORMAT, void * OUTPUT_DATA, size_t
* OUTPUT_DATA_SIZE)
KEY: Holds the key
FORMAT: the format of output params. One of PEM or DER.
OUTPUT_DATA: will contain a private key PEM or DER encoded
OUTPUT_DATA_SIZE: holds the size of output_data (and will be
replaced by the actual size of parameters)
This function will export the private key to a PKCS1 structure for
RSA keys, or an integer sequence for DSA keys. The DSA keys are in
the same format with the parameters used by openssl.
If the buffer provided is not long enough to hold the output, then
* `output_data_size' is updated and `GNUTLS_E_SHORT_MEMORY_BUFFER'
will be returned.
If the structure is PEM encoded, it will have a header of "BEGIN
RSA PRIVATE KEY".
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_x509_privkey_export2
---------------------------
-- Function: int gnutls_x509_privkey_export2 (gnutls_x509_privkey_t
KEY, gnutls_x509_crt_fmt_t FORMAT, gnutls_datum_t * OUT)
KEY: Holds the key
FORMAT: the format of output params. One of PEM or DER.
OUT: will contain a private key PEM or DER encoded
This function will export the private key to a PKCS1 structure for
RSA keys, or an integer sequence for DSA keys. The DSA keys are in
the same format with the parameters used by openssl.
The output buffer is allocated using `gnutls_malloc()' .
If the structure is PEM encoded, it will have a header of "BEGIN
RSA PRIVATE KEY".
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
Since 3.1.3
gnutls_x509_privkey_export2_pkcs8
---------------------------------
-- Function: int gnutls_x509_privkey_export2_pkcs8
(gnutls_x509_privkey_t KEY, gnutls_x509_crt_fmt_t FORMAT,
const char * PASSWORD, unsigned int FLAGS, gnutls_datum_t *
OUT)
KEY: Holds the key
FORMAT: the format of output params. One of PEM or DER.
PASSWORD: the password that will be used to encrypt the key.
FLAGS: an ORed sequence of gnutls_pkcs_encrypt_flags_t
OUT: will contain a private key PEM or DER encoded
This function will export the private key to a PKCS8 structure.
Both RSA and DSA keys can be exported. For DSA keys we use PKCS
`11' definitions. If the flags do not specify the encryption
cipher, then the default 3DES (PBES2) will be used.
The `password' can be either ASCII or UTF-8 in the default PBES2
encryption schemas, or ASCII for the PKCS12 schemas.
The output buffer is allocated using `gnutls_malloc()' .
If the structure is PEM encoded, it will have a header of "BEGIN
ENCRYPTED PRIVATE KEY" or "BEGIN PRIVATE KEY" if encryption is not
used.
*Returns:* In case of failure a negative error code will be
returned, and 0 on success.
Since 3.1.3
gnutls_x509_privkey_export_dsa_raw
----------------------------------
-- Function: int gnutls_x509_privkey_export_dsa_raw
(gnutls_x509_privkey_t KEY, gnutls_datum_t * P,
gnutls_datum_t * Q, gnutls_datum_t * G, gnutls_datum_t * Y,
gnutls_datum_t * X)
KEY: a structure that holds the DSA parameters
P: will hold the p
Q: will hold the q
G: will hold the g
Y: will hold the y
X: will hold the x
This function will export the DSA private key's parameters found
in the given structure. The new parameters will be allocated using
`gnutls_malloc()' and will be stored in the appropriate datum.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_x509_privkey_export_ecc_raw
----------------------------------
-- Function: int gnutls_x509_privkey_export_ecc_raw
(gnutls_x509_privkey_t KEY, gnutls_ecc_curve_t * CURVE,
gnutls_datum_t * X, gnutls_datum_t * Y, gnutls_datum_t* K)
KEY: a structure that holds the rsa parameters
CURVE: will hold the curve
X: will hold the x coordinate
Y: will hold the y coordinate
K: will hold the private key
This function will export the ECC private key's parameters found
in the given structure. The new parameters will be allocated using
`gnutls_malloc()' and will be stored in the appropriate datum.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
*Since:* 3.0
gnutls_x509_privkey_export_pkcs8
--------------------------------
-- Function: int gnutls_x509_privkey_export_pkcs8
(gnutls_x509_privkey_t KEY, gnutls_x509_crt_fmt_t FORMAT,
const char * PASSWORD, unsigned int FLAGS, void *
OUTPUT_DATA, size_t * OUTPUT_DATA_SIZE)
KEY: Holds the key
FORMAT: the format of output params. One of PEM or DER.
PASSWORD: the password that will be used to encrypt the key.
FLAGS: an ORed sequence of gnutls_pkcs_encrypt_flags_t
OUTPUT_DATA: will contain a private key PEM or DER encoded
OUTPUT_DATA_SIZE: holds the size of output_data (and will be
replaced by the actual size of parameters)
This function will export the private key to a PKCS8 structure.
Both RSA and DSA keys can be exported. For DSA keys we use PKCS
`11' definitions. If the flags do not specify the encryption
cipher, then the default 3DES (PBES2) will be used.
The `password' can be either ASCII or UTF-8 in the default PBES2
encryption schemas, or ASCII for the PKCS12 schemas.
If the buffer provided is not long enough to hold the output, then
*output_data_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will
be returned.
If the structure is PEM encoded, it will have a header of "BEGIN
ENCRYPTED PRIVATE KEY" or "BEGIN PRIVATE KEY" if encryption is not
used.
*Returns:* In case of failure a negative error code will be
returned, and 0 on success.
gnutls_x509_privkey_export_rsa_raw
----------------------------------
-- Function: int gnutls_x509_privkey_export_rsa_raw
(gnutls_x509_privkey_t KEY, gnutls_datum_t * M,
gnutls_datum_t * E, gnutls_datum_t * D, gnutls_datum_t * P,
gnutls_datum_t * Q, gnutls_datum_t * U)
KEY: a structure that holds the rsa parameters
M: will hold the modulus
E: will hold the public exponent
D: will hold the private exponent
P: will hold the first prime (p)
Q: will hold the second prime (q)
U: will hold the coefficient
This function will export the RSA private key's parameters found
in the given structure. The new parameters will be allocated using
`gnutls_malloc()' and will be stored in the appropriate datum.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_x509_privkey_export_rsa_raw2
-----------------------------------
-- Function: int gnutls_x509_privkey_export_rsa_raw2
(gnutls_x509_privkey_t KEY, gnutls_datum_t * M,
gnutls_datum_t * E, gnutls_datum_t * D, gnutls_datum_t * P,
gnutls_datum_t * Q, gnutls_datum_t * U, gnutls_datum_t * E1,
gnutls_datum_t * E2)
KEY: a structure that holds the rsa parameters
M: will hold the modulus
E: will hold the public exponent
D: will hold the private exponent
P: will hold the first prime (p)
Q: will hold the second prime (q)
U: will hold the coefficient
E1: will hold e1 = d mod (p-1)
E2: will hold e2 = d mod (q-1)
This function will export the RSA private key's parameters found
in the given structure. The new parameters will be allocated using
`gnutls_malloc()' and will be stored in the appropriate datum.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
*Since:* 2.12.0
gnutls_x509_privkey_fix
-----------------------
-- Function: int gnutls_x509_privkey_fix (gnutls_x509_privkey_t KEY)
KEY: Holds the key
This function will recalculate the secondary parameters in a key.
In RSA keys, this can be the coefficient and exponent1,2.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_x509_privkey_generate
----------------------------
-- Function: int gnutls_x509_privkey_generate (gnutls_x509_privkey_t
KEY, gnutls_pk_algorithm_t ALGO, unsigned int BITS, unsigned
int FLAGS)
KEY: should contain a `gnutls_x509_privkey_t' structure
ALGO: is one of the algorithms in `gnutls_pk_algorithm_t' .
BITS: the size of the modulus
FLAGS: unused for now. Must be 0.
This function will generate a random private key. Note that this
function must be called on an empty private key.
Do not set the number of bits directly, use
`gnutls_sec_param_to_pk_bits()' .
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_x509_privkey_get_key_id
------------------------------
-- Function: int gnutls_x509_privkey_get_key_id (gnutls_x509_privkey_t
KEY, unsigned int FLAGS, unsigned char * OUTPUT_DATA, size_t
* OUTPUT_DATA_SIZE)
KEY: Holds the key
FLAGS: should be 0 for now
OUTPUT_DATA: will contain the key ID
OUTPUT_DATA_SIZE: holds the size of output_data (and will be
replaced by the actual size of parameters)
This function will return a unique ID that depends on the public
key parameters. This ID can be used in checking whether a
certificate corresponds to the given key.
If the buffer provided is not long enough to hold the output, then
* `output_data_size' is updated and `GNUTLS_E_SHORT_MEMORY_BUFFER'
will be returned. The output will normally be a SHA-1 hash output,
which is 20 bytes.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_x509_privkey_get_pk_algorithm
------------------------------------
-- Function: int gnutls_x509_privkey_get_pk_algorithm
(gnutls_x509_privkey_t KEY)
KEY: should contain a `gnutls_x509_privkey_t' structure
This function will return the public key algorithm of a private
key.
*Returns:* a member of the `gnutls_pk_algorithm_t' enumeration on
success, or a negative error code on error.
gnutls_x509_privkey_get_pk_algorithm2
-------------------------------------
-- Function: int gnutls_x509_privkey_get_pk_algorithm2
(gnutls_x509_privkey_t KEY, unsigned int * BITS)
KEY: should contain a `gnutls_x509_privkey_t' structure
BITS: The number of bits in the public key algorithm
This function will return the public key algorithm of a private
key.
*Returns:* a member of the `gnutls_pk_algorithm_t' enumeration on
success, or a negative error code on error.
gnutls_x509_privkey_import
--------------------------
-- Function: int gnutls_x509_privkey_import (gnutls_x509_privkey_t
KEY, const gnutls_datum_t * DATA, gnutls_x509_crt_fmt_t
FORMAT)
KEY: The structure to store the parsed key
DATA: The DER or PEM encoded certificate.
FORMAT: One of DER or PEM
This function will convert the given DER or PEM encoded key to the
native `gnutls_x509_privkey_t' format. The output will be stored
in `key' .
If the key is PEM encoded it should have a header that contains
"PRIVATE KEY". Note that this function falls back to PKCS `8'
decoding without password, if the default format fails to import.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_x509_privkey_import2
---------------------------
-- Function: int gnutls_x509_privkey_import2 (gnutls_x509_privkey_t
KEY, const gnutls_datum_t * DATA, gnutls_x509_crt_fmt_t
FORMAT, const char* PASSWORD, unsigned int FLAGS)
KEY: The structure to store the parsed key
DATA: The DER or PEM encoded key.
FORMAT: One of DER or PEM
PASSWORD: A password (optional)
FLAGS: an ORed sequence of gnutls_pkcs_encrypt_flags_t
This function will import the given DER or PEM encoded key, to the
native `gnutls_x509_privkey_t' format, irrespective of the input
format. The input format is auto-detected.
The supported formats are typical X.509, PKCS `8' and the openssl
format.
If the provided key is encrypted but no password was given, then
`GNUTLS_E_DECRYPTION_FAILED' is returned.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_x509_privkey_import_dsa_raw
----------------------------------
-- Function: int gnutls_x509_privkey_import_dsa_raw
(gnutls_x509_privkey_t KEY, const gnutls_datum_t * P, const
gnutls_datum_t * Q, const gnutls_datum_t * G, const
gnutls_datum_t * Y, const gnutls_datum_t * X)
KEY: The structure to store the parsed key
P: holds the p
Q: holds the q
G: holds the g
Y: holds the y
X: holds the x
This function will convert the given DSA raw parameters to the
native `gnutls_x509_privkey_t' format. The output will be stored
in `key' .
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_x509_privkey_import_ecc_raw
----------------------------------
-- Function: int gnutls_x509_privkey_import_ecc_raw
(gnutls_x509_privkey_t KEY, gnutls_ecc_curve_t CURVE, const
gnutls_datum_t * X, const gnutls_datum_t * Y, const
gnutls_datum_t * K)
KEY: The structure to store the parsed key
CURVE: holds the curve
X: holds the x
Y: holds the y
K: holds the k
This function will convert the given elliptic curve parameters to
the native `gnutls_x509_privkey_t' format. The output will be
stored in `key' .
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
*Since:* 3.0
gnutls_x509_privkey_import_openssl
----------------------------------
-- Function: int gnutls_x509_privkey_import_openssl
(gnutls_x509_privkey_t KEY, const gnutls_datum_t * DATA,
const char* PASSWORD)
KEY: The structure to store the parsed key
DATA: The DER or PEM encoded key.
PASSWORD: the password to decrypt the key (if it is encrypted).
This function will convert the given PEM encrypted to the native
gnutls_x509_privkey_t format. The output will be stored in `key' .
The `password' should be in ASCII. If the password is not provided
or wrong then `GNUTLS_E_DECRYPTION_FAILED' will be returned.
If the Certificate is PEM encoded it should have a header of
"PRIVATE KEY" and the "DEK-Info" header.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_x509_privkey_import_pkcs8
--------------------------------
-- Function: int gnutls_x509_privkey_import_pkcs8
(gnutls_x509_privkey_t KEY, const gnutls_datum_t * DATA,
gnutls_x509_crt_fmt_t FORMAT, const char * PASSWORD, unsigned
int FLAGS)
KEY: The structure to store the parsed key
DATA: The DER or PEM encoded key.
FORMAT: One of DER or PEM
PASSWORD: the password to decrypt the key (if it is encrypted).
FLAGS: 0 if encrypted or GNUTLS_PKCS_PLAIN if not encrypted.
This function will convert the given DER or PEM encoded PKCS8 2.0
encrypted key to the native gnutls_x509_privkey_t format. The
output will be stored in `key' . Both RSA and DSA keys can be
imported, and flags can only be used to indicate an unencrypted
key.
The `password' can be either ASCII or UTF-8 in the default PBES2
encryption schemas, or ASCII for the PKCS12 schemas.
If the Certificate is PEM encoded it should have a header of
"ENCRYPTED PRIVATE KEY", or "PRIVATE KEY". You only need to
specify the flags if the key is DER encoded, since in that case
the encryption status cannot be auto-detected.
If the `GNUTLS_PKCS_PLAIN' flag is specified and the supplied data
are encrypted then `GNUTLS_E_DECRYPTION_FAILED' is returned.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_x509_privkey_import_rsa_raw
----------------------------------
-- Function: int gnutls_x509_privkey_import_rsa_raw
(gnutls_x509_privkey_t KEY, const gnutls_datum_t * M, const
gnutls_datum_t * E, const gnutls_datum_t * D, const
gnutls_datum_t * P, const gnutls_datum_t * Q, const
gnutls_datum_t * U)
KEY: The structure to store the parsed key
M: holds the modulus
E: holds the public exponent
D: holds the private exponent
P: holds the first prime (p)
Q: holds the second prime (q)
U: holds the coefficient
This function will convert the given RSA raw parameters to the
native `gnutls_x509_privkey_t' format. The output will be stored
in `key' .
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_x509_privkey_import_rsa_raw2
-----------------------------------
-- Function: int gnutls_x509_privkey_import_rsa_raw2
(gnutls_x509_privkey_t KEY, const gnutls_datum_t * M, const
gnutls_datum_t * E, const gnutls_datum_t * D, const
gnutls_datum_t * P, const gnutls_datum_t * Q, const
gnutls_datum_t * U, const gnutls_datum_t * E1, const
gnutls_datum_t * E2)
KEY: The structure to store the parsed key
M: holds the modulus
E: holds the public exponent
D: holds the private exponent
P: holds the first prime (p)
Q: holds the second prime (q)
U: holds the coefficient
E1: holds e1 = d mod (p-1)
E2: holds e2 = d mod (q-1)
This function will convert the given RSA raw parameters to the
native `gnutls_x509_privkey_t' format. The output will be stored
in `key' .
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_x509_privkey_init
------------------------
-- Function: int gnutls_x509_privkey_init (gnutls_x509_privkey_t * KEY)
KEY: The structure to be initialized
This function will initialize an private key structure.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_x509_privkey_sec_param
-----------------------------
-- Function: gnutls_sec_param_t gnutls_x509_privkey_sec_param
(gnutls_x509_privkey_t KEY)
KEY: a key structure
This function will return the security parameter appropriate with
this private key.
*Returns:* On success, a valid security parameter is returned
otherwise `GNUTLS_SEC_PARAM_UNKNOWN' is returned.
*Since:* 2.12.0
gnutls_x509_privkey_verify_params
---------------------------------
-- Function: int gnutls_x509_privkey_verify_params
(gnutls_x509_privkey_t KEY)
KEY: should contain a `gnutls_x509_privkey_t' structure
This function will verify the private key parameters.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_x509_rdn_get
-------------------
-- Function: int gnutls_x509_rdn_get (const gnutls_datum_t * IDN, char
* BUF, size_t * SIZEOF_BUF)
IDN: should contain a DER encoded RDN sequence
BUF: a pointer to a structure to hold the peer's name
SIZEOF_BUF: holds the size of `buf'
This function will return the name of the given RDN sequence. The
name will be in the form "C=xxxx,O=yyyy,CN=zzzz" as described in
RFC4514.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned, or
`GNUTLS_E_SHORT_MEMORY_BUFFER' is returned and * `sizeof_buf' is
updated if the provided buffer is not long enough, otherwise a
negative error value.
gnutls_x509_rdn_get_by_oid
--------------------------
-- Function: int gnutls_x509_rdn_get_by_oid (const gnutls_datum_t *
IDN, const char * OID, int INDX, unsigned int RAW_FLAG, void
* BUF, size_t * SIZEOF_BUF)
IDN: should contain a DER encoded RDN sequence
OID: an Object Identifier
INDX: In case multiple same OIDs exist in the RDN indicates which
to send. Use 0 for the first one.
RAW_FLAG: If non-zero then the raw DER data are returned.
BUF: a pointer to a structure to hold the peer's name
SIZEOF_BUF: holds the size of `buf'
This function will return the name of the given Object identifier,
of the RDN sequence. The name will be encoded using the rules
from RFC4514.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned, or
`GNUTLS_E_SHORT_MEMORY_BUFFER' is returned and * `sizeof_buf' is
updated if the provided buffer is not long enough, otherwise a
negative error value.
gnutls_x509_rdn_get_oid
-----------------------
-- Function: int gnutls_x509_rdn_get_oid (const gnutls_datum_t * IDN,
int INDX, void * BUF, size_t * SIZEOF_BUF)
IDN: should contain a DER encoded RDN sequence
INDX: Indicates which OID to return. Use 0 for the first one.
BUF: a pointer to a structure to hold the peer's name OID
SIZEOF_BUF: holds the size of `buf'
This function will return the specified Object identifier, of the
RDN sequence.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned, or
`GNUTLS_E_SHORT_MEMORY_BUFFER' is returned and * `sizeof_buf' is
updated if the provided buffer is not long enough, otherwise a
negative error value.
*Since:* 2.4.0
gnutls_x509_trust_list_add_cas
------------------------------
-- Function: int gnutls_x509_trust_list_add_cas
(gnutls_x509_trust_list_t LIST, const gnutls_x509_crt_t *
CLIST, int CLIST_SIZE, unsigned int FLAGS)
LIST: The structure of the list
CLIST: A list of CAs
CLIST_SIZE: The length of the CA list
FLAGS: should be 0.
This function will add the given certificate authorities to the
trusted list. The list of CAs must not be deinitialized during
this structure's lifetime.
*Returns:* The number of added elements is returned.
*Since:* 3.0
gnutls_x509_trust_list_add_crls
-------------------------------
-- Function: int gnutls_x509_trust_list_add_crls
(gnutls_x509_trust_list_t LIST, const gnutls_x509_crl_t *
CRL_LIST, int CRL_SIZE, unsigned int FLAGS, unsigned int
VERIFICATION_FLAGS)
LIST: The structure of the list
CRL_LIST: A list of CRLs
CRL_SIZE: The length of the CRL list
FLAGS: if GNUTLS_TL_VERIFY_CRL is given the CRLs will be verified
before being added.
VERIFICATION_FLAGS: gnutls_certificate_verify_flags if flags
specifies GNUTLS_TL_VERIFY_CRL
This function will add the given certificate revocation lists to
the trusted list. The list of CRLs must not be deinitialized
during this structure's lifetime.
This function must be called after
`gnutls_x509_trust_list_add_cas()' to allow verifying the CRLs for
validity.
*Returns:* The number of added elements is returned.
*Since:* 3.0
gnutls_x509_trust_list_add_named_crt
------------------------------------
-- Function: int gnutls_x509_trust_list_add_named_crt
(gnutls_x509_trust_list_t LIST, gnutls_x509_crt_t CERT, const
void * NAME, size_t NAME_SIZE, unsigned int FLAGS)
LIST: The structure of the list
CERT: A certificate
NAME: An identifier for the certificate
NAME_SIZE: The size of the identifier
FLAGS: should be 0.
This function will add the given certificate to the trusted list
and associate it with a name. The certificate will not be be used
for verification with `gnutls_x509_trust_list_verify_crt()' but
only with `gnutls_x509_trust_list_verify_named_crt()' .
In principle this function can be used to set individual "server"
certificates that are trusted by the user for that specific server
but for no other purposes.
The certificate must not be deinitialized during the lifetime of
the trusted list.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
*Since:* 3.0
gnutls_x509_trust_list_add_system_trust
---------------------------------------
-- Function: int gnutls_x509_trust_list_add_system_trust
(gnutls_x509_trust_list_t LIST, unsigned int TL_FLAGS,
unsigned int TL_VFLAGS)
LIST: The structure of the list
TL_FLAGS: GNUTLS_TL_*
TL_VFLAGS: gnutls_certificate_verify_flags if flags specifies
GNUTLS_TL_VERIFY_CRL
This function adds the system's default trusted certificate
authorities to the trusted list. Note that on unsupported system
this function returns `GNUTLS_E_UNIMPLEMENTED_FEATURE' .
*Returns:* The number of added elements or a negative error code
on error.
*Since:* 3.1
gnutls_x509_trust_list_add_trust_file
-------------------------------------
-- Function: int gnutls_x509_trust_list_add_trust_file
(gnutls_x509_trust_list_t LIST, const char* CA_FILE, const
char* CRL_FILE, gnutls_x509_crt_fmt_t TYPE, unsigned int
TL_FLAGS, unsigned int TL_VFLAGS)
LIST: The structure of the list
CA_FILE: A file containing a list of CAs (optional)
CRL_FILE: A file containing a list of CRLs (optional)
TYPE: The format of the certificates
TL_FLAGS: GNUTLS_TL_*
TL_VFLAGS: gnutls_certificate_verify_flags if flags specifies
GNUTLS_TL_VERIFY_CRL
This function will add the given certificate authorities to the
trusted list. pkcs11 URLs are also accepted, instead of files, by
this function.
*Returns:* The number of added elements is returned.
*Since:* 3.1
gnutls_x509_trust_list_add_trust_mem
------------------------------------
-- Function: int gnutls_x509_trust_list_add_trust_mem
(gnutls_x509_trust_list_t LIST, const gnutls_datum_t * CAS,
const gnutls_datum_t * CRLS, gnutls_x509_crt_fmt_t TYPE,
unsigned int TL_FLAGS, unsigned int TL_VFLAGS)
LIST: The structure of the list
CAS: A buffer containing a list of CAs (optional)
CRLS: A buffer containing a list of CRLs (optional)
TYPE: The format of the certificates
TL_FLAGS: GNUTLS_TL_*
TL_VFLAGS: gnutls_certificate_verify_flags if flags specifies
GNUTLS_TL_VERIFY_CRL
This function will add the given certificate authorities to the
trusted list.
*Returns:* The number of added elements is returned.
*Since:* 3.1
gnutls_x509_trust_list_deinit
-----------------------------
-- Function: void gnutls_x509_trust_list_deinit
(gnutls_x509_trust_list_t LIST, unsigned int ALL)
LIST: The structure to be deinitialized
ALL: if non-(0) it will deinitialize all the certificates and CRLs
contained in the structure.
This function will deinitialize a trust list.
*Since:* 3.0
gnutls_x509_trust_list_get_issuer
---------------------------------
-- Function: int gnutls_x509_trust_list_get_issuer
(gnutls_x509_trust_list_t LIST, gnutls_x509_crt_t CERT,
gnutls_x509_crt_t * ISSUER, unsigned int FLAGS)
LIST: The structure of the list
CERT: is the certificate to find issuer for
ISSUER: Will hold the issuer if any. Should be treated as constant.
FLAGS: Use (0).
This function will attempt to find the issuer of the given
certificate.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
*Since:* 3.0
gnutls_x509_trust_list_init
---------------------------
-- Function: int gnutls_x509_trust_list_init (gnutls_x509_trust_list_t
* LIST, unsigned int SIZE)
LIST: The structure to be initialized
SIZE: The size of the internal hash table. Use (0) for default
size.
This function will initialize an X.509 trust list structure.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
*Since:* 3.0
gnutls_x509_trust_list_verify_crt
---------------------------------
-- Function: int gnutls_x509_trust_list_verify_crt
(gnutls_x509_trust_list_t LIST, gnutls_x509_crt_t *
CERT_LIST, unsigned int CERT_LIST_SIZE, unsigned int FLAGS,
unsigned int * VERIFY, gnutls_verify_output_function FUNC)
LIST: The structure of the list
CERT_LIST: is the certificate list to be verified
CERT_LIST_SIZE: is the certificate list size
FLAGS: Flags that may be used to change the verification
algorithm. Use OR of the gnutls_certificate_verify_flags
enumerations.
VERIFY: will hold the certificate verification output.
FUNC: If non-null will be called on each chain element
verification with the output.
This function will try to verify the given certificate and return
its status. The `verify' parameter will hold an OR'ed sequence of
`gnutls_certificate_status_t' flags.
*Limitation:* Pathlen constraints or key usage flags are not
consulted.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
*Since:* 3.0
gnutls_x509_trust_list_verify_named_crt
---------------------------------------
-- Function: int gnutls_x509_trust_list_verify_named_crt
(gnutls_x509_trust_list_t LIST, gnutls_x509_crt_t CERT, const
void * NAME, size_t NAME_SIZE, unsigned int FLAGS, unsigned
int * VERIFY, gnutls_verify_output_function FUNC)
LIST: The structure of the list
CERT: is the certificate to be verified
NAME: is the certificate's name
NAME_SIZE: is the certificate's name size
FLAGS: Flags that may be used to change the verification
algorithm. Use OR of the gnutls_certificate_verify_flags
enumerations.
VERIFY: will hold the certificate verification output.
FUNC: If non-null will be called on each chain element
verification with the output.
This function will try to find a certificate that is associated
with the provided name -see
`gnutls_x509_trust_list_add_named_crt()' . If a match is found the
certificate is considered valid. In addition to that this function
will also check CRLs. The `verify' parameter will hold an OR'ed
sequence of `gnutls_certificate_status_t' flags.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
*Since:* 3.0
�
File: gnutls.info, Node: OCSP API, Next: OpenPGP API, Prev: X509 certificate API, Up: API reference
E.4 OCSP API
============
The following functions are for OCSP certificate status checking.
Their prototypes lie in `gnutls/ocsp.h'.
gnutls_ocsp_req_add_cert
------------------------
-- Function: int gnutls_ocsp_req_add_cert (gnutls_ocsp_req_t REQ,
gnutls_digest_algorithm_t DIGEST, gnutls_x509_crt_t ISSUER,
gnutls_x509_crt_t CERT)
REQ: should contain a `gnutls_ocsp_req_t' structure
DIGEST: hash algorithm, a `gnutls_digest_algorithm_t' value
ISSUER: issuer of `subject' certificate
CERT: certificate to request status for
This function will add another request to the OCSP request for a
particular certificate. The issuer name hash, issuer key hash, and
serial number fields is populated as follows. The issuer name and
the serial number is taken from `cert' . The issuer key is taken
from `issuer' . The hashed values will be hashed using the
`digest' algorithm, normally `GNUTLS_DIG_SHA1' .
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error code is returned.
gnutls_ocsp_req_add_cert_id
---------------------------
-- Function: int gnutls_ocsp_req_add_cert_id (gnutls_ocsp_req_t REQ,
gnutls_digest_algorithm_t DIGEST, const gnutls_datum_t *
ISSUER_NAME_HASH, const gnutls_datum_t * ISSUER_KEY_HASH,
const gnutls_datum_t * SERIAL_NUMBER)
REQ: should contain a `gnutls_ocsp_req_t' structure
DIGEST: hash algorithm, a `gnutls_digest_algorithm_t' value
ISSUER_NAME_HASH: hash of issuer's DN
ISSUER_KEY_HASH: hash of issuer's public key
SERIAL_NUMBER: serial number of certificate to check
This function will add another request to the OCSP request for a
particular certificate having the issuer name hash of
`issuer_name_hash' and issuer key hash of `issuer_key_hash' (both
hashed using `digest' ) and serial number `serial_number' .
The information needed corresponds to the CertID structure:
CertID ::= SEQUENCE
{ hashAlgorithm AlgorithmIdentifier, issuerNameHash
OCTET STRING, - Hash of Issuer's DN issuerKeyHash OCTET
STRING, - Hash of Issuers public key serialNumber
CertificateSerialNumber }
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error code is returned.
gnutls_ocsp_req_deinit
----------------------
-- Function: void gnutls_ocsp_req_deinit (gnutls_ocsp_req_t REQ)
REQ: The structure to be deinitialized
This function will deinitialize a OCSP request structure.
gnutls_ocsp_req_export
----------------------
-- Function: int gnutls_ocsp_req_export (gnutls_ocsp_req_t REQ,
gnutls_datum_t * DATA)
REQ: Holds the OCSP request
DATA: newly allocate buffer holding DER encoded OCSP request
This function will export the OCSP request to DER format.
*Returns:* In case of failure a negative error code will be
returned, and 0 on success.
gnutls_ocsp_req_get_cert_id
---------------------------
-- Function: int gnutls_ocsp_req_get_cert_id (gnutls_ocsp_req_t REQ,
unsigned INDX, gnutls_digest_algorithm_t * DIGEST,
gnutls_datum_t * ISSUER_NAME_HASH, gnutls_datum_t *
ISSUER_KEY_HASH, gnutls_datum_t * SERIAL_NUMBER)
REQ: should contain a `gnutls_ocsp_req_t' structure
INDX: Specifies which extension OID to get. Use (0) to get the
first one.
DIGEST: output variable with `gnutls_digest_algorithm_t' hash
algorithm
ISSUER_NAME_HASH: output buffer with hash of issuer's DN
ISSUER_KEY_HASH: output buffer with hash of issuer's public key
SERIAL_NUMBER: output buffer with serial number of certificate to
check
This function will return the certificate information of the
`indx' 'ed request in the OCSP request. The information returned
corresponds to the CertID structure:
CertID ::= SEQUENCE
{ hashAlgorithm AlgorithmIdentifier, issuerNameHash
OCTET STRING, - Hash of Issuer's DN issuerKeyHash OCTET
STRING, - Hash of Issuers public key serialNumber
CertificateSerialNumber }
Each of the pointers to output variables may be NULL to indicate
that the caller is not interested in that value.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error code is returned. If you have reached
the last CertID available `GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE'
will be returned.
gnutls_ocsp_req_get_extension
-----------------------------
-- Function: int gnutls_ocsp_req_get_extension (gnutls_ocsp_req_t REQ,
unsigned INDX, gnutls_datum_t * OID, unsigned int * CRITICAL,
gnutls_datum_t * DATA)
REQ: should contain a `gnutls_ocsp_req_t' structure
INDX: Specifies which extension OID to get. Use (0) to get the
first one.
OID: will hold newly allocated buffer with OID of extension, may
be NULL
CRITICAL: output variable with critical flag, may be NULL.
DATA: will hold newly allocated buffer with extension data, may be
NULL
This function will return all information about the requested
extension in the OCSP request. The information returned is the
OID, the critical flag, and the data itself. The extension OID
will be stored as a string. Any of `oid' , `critical' , and
`data' may be NULL which means that the caller is not interested
in getting that information back.
The caller needs to deallocate memory by calling `gnutls_free()'
on `oid' ->data and `data' ->data.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error code is returned. If you have reached
the last extension available
`GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE' will be returned.
gnutls_ocsp_req_get_nonce
-------------------------
-- Function: int gnutls_ocsp_req_get_nonce (gnutls_ocsp_req_t REQ,
unsigned int * CRITICAL, gnutls_datum_t * NONCE)
REQ: should contain a `gnutls_ocsp_req_t' structure
CRITICAL: whether nonce extension is marked critical, or NULL
NONCE: will hold newly allocated buffer with nonce data
This function will return the OCSP request nonce extension data.
The caller needs to deallocate memory by calling `gnutls_free()'
on `nonce' ->data.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error code is returned.
gnutls_ocsp_req_get_version
---------------------------
-- Function: int gnutls_ocsp_req_get_version (gnutls_ocsp_req_t REQ)
REQ: should contain a `gnutls_ocsp_req_t' structure
This function will return the version of the OCSP request.
Typically this is always 1 indicating version 1.
*Returns:* version of OCSP request, or a negative error code on
error.
gnutls_ocsp_req_import
----------------------
-- Function: int gnutls_ocsp_req_import (gnutls_ocsp_req_t REQ, const
gnutls_datum_t * DATA)
REQ: The structure to store the parsed request.
DATA: DER encoded OCSP request.
This function will convert the given DER encoded OCSP request to
the native `gnutls_ocsp_req_t' format. The output will be stored
in `req' .
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_ocsp_req_init
--------------------
-- Function: int gnutls_ocsp_req_init (gnutls_ocsp_req_t * REQ)
REQ: The structure to be initialized
This function will initialize an OCSP request structure.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_ocsp_req_print
---------------------
-- Function: int gnutls_ocsp_req_print (gnutls_ocsp_req_t REQ,
gnutls_ocsp_print_formats_t FORMAT, gnutls_datum_t * OUT)
REQ: The structure to be printed
FORMAT: Indicate the format to use
OUT: Newly allocated datum with (0) terminated string.
This function will pretty print a OCSP request, suitable for
display to a human.
If the format is `GNUTLS_OCSP_PRINT_FULL' then all fields of the
request will be output, on multiple lines.
The output `out' ->data needs to be deallocate using
`gnutls_free()' .
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_ocsp_req_randomize_nonce
-------------------------------
-- Function: int gnutls_ocsp_req_randomize_nonce (gnutls_ocsp_req_t
REQ)
REQ: should contain a `gnutls_ocsp_req_t' structure
This function will add or update an nonce extension to the OCSP
request with a newly generated random value.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error code is returned.
gnutls_ocsp_req_set_extension
-----------------------------
-- Function: int gnutls_ocsp_req_set_extension (gnutls_ocsp_req_t REQ,
const char * OID, unsigned int CRITICAL, const gnutls_datum_t
* DATA)
REQ: should contain a `gnutls_ocsp_req_t' structure
OID: buffer with OID of extension as a string.
CRITICAL: critical flag, normally false.
DATA: the extension data
This function will add an extension to the OCSP request. Calling
this function multiple times for the same OID will overwrite values
from earlier calls.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error code is returned.
gnutls_ocsp_req_set_nonce
-------------------------
-- Function: int gnutls_ocsp_req_set_nonce (gnutls_ocsp_req_t REQ,
unsigned int CRITICAL, const gnutls_datum_t * NONCE)
REQ: should contain a `gnutls_ocsp_req_t' structure
CRITICAL: critical flag, normally false.
NONCE: the nonce data
This function will add an nonce extension to the OCSP request.
Calling this function multiple times will overwrite values from
earlier calls.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error code is returned.
gnutls_ocsp_resp_check_crt
--------------------------
-- Function: int gnutls_ocsp_resp_check_crt (gnutls_ocsp_resp_t RESP,
unsigned int INDX, gnutls_x509_crt_t CRT)
RESP: should contain a `gnutls_ocsp_resp_t' structure
INDX: Specifies response number to get. Use (0) to get the first
one.
CRT: The certificate to check
This function will check whether the OCSP response is about the
provided certificate.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error code is returned.
gnutls_ocsp_resp_deinit
-----------------------
-- Function: void gnutls_ocsp_resp_deinit (gnutls_ocsp_resp_t RESP)
RESP: The structure to be deinitialized
This function will deinitialize a OCSP response structure.
gnutls_ocsp_resp_export
-----------------------
-- Function: int gnutls_ocsp_resp_export (gnutls_ocsp_resp_t RESP,
gnutls_datum_t * DATA)
RESP: Holds the OCSP response
DATA: newly allocate buffer holding DER encoded OCSP response
This function will export the OCSP response to DER format.
*Returns:* In case of failure a negative error code will be
returned, and 0 on success.
gnutls_ocsp_resp_get_certs
--------------------------
-- Function: int gnutls_ocsp_resp_get_certs (gnutls_ocsp_resp_t RESP,
gnutls_x509_crt_t ** CERTS, size_t * NCERTS)
RESP: should contain a `gnutls_ocsp_resp_t' structure
CERTS: newly allocated array with `gnutls_x509_crt_t' certificates
NCERTS: output variable with number of allocated certs.
This function will extract the X.509 certificates found in the
Basic OCSP Response. The `certs' output variable will hold a
newly allocated zero-terminated array with X.509 certificates.
Every certificate in the array needs to be de-allocated with
`gnutls_x509_crt_deinit()' and the array itself must be freed
using `gnutls_free()' .
Both the `certs' and `ncerts' variables may be NULL. Then the
function will work as normal but will not return the NULL:d
information. This can be used to get the number of certificates
only, or to just get the certificate array without its size.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_ocsp_resp_get_extension
------------------------------
-- Function: int gnutls_ocsp_resp_get_extension (gnutls_ocsp_resp_t
RESP, unsigned INDX, gnutls_datum_t * OID, unsigned int *
CRITICAL, gnutls_datum_t * DATA)
RESP: should contain a `gnutls_ocsp_resp_t' structure
INDX: Specifies which extension OID to get. Use (0) to get the
first one.
OID: will hold newly allocated buffer with OID of extension, may
be NULL
CRITICAL: output variable with critical flag, may be NULL.
DATA: will hold newly allocated buffer with extension data, may be
NULL
This function will return all information about the requested
extension in the OCSP response. The information returned is the
OID, the critical flag, and the data itself. The extension OID
will be stored as a string. Any of `oid' , `critical' , and
`data' may be NULL which means that the caller is not interested
in getting that information back.
The caller needs to deallocate memory by calling `gnutls_free()'
on `oid' ->data and `data' ->data.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error code is returned. If you have reached
the last extension available
`GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE' will be returned.
gnutls_ocsp_resp_get_nonce
--------------------------
-- Function: int gnutls_ocsp_resp_get_nonce (gnutls_ocsp_resp_t RESP,
unsigned int * CRITICAL, gnutls_datum_t * NONCE)
RESP: should contain a `gnutls_ocsp_resp_t' structure
CRITICAL: whether nonce extension is marked critical
NONCE: will hold newly allocated buffer with nonce data
This function will return the Basic OCSP Response nonce extension
data.
The caller needs to deallocate memory by calling `gnutls_free()'
on `nonce' ->data.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error code is returned.
gnutls_ocsp_resp_get_produced
-----------------------------
-- Function: time_t gnutls_ocsp_resp_get_produced (gnutls_ocsp_resp_t
RESP)
RESP: should contain a `gnutls_ocsp_resp_t' structure
This function will return the time when the OCSP response was
signed.
*Returns:* signing time, or (time_t)-1 on error.
gnutls_ocsp_resp_get_responder
------------------------------
-- Function: int gnutls_ocsp_resp_get_responder (gnutls_ocsp_resp_t
RESP, gnutls_datum_t * DN)
RESP: should contain a `gnutls_ocsp_resp_t' structure
DN: newly allocated buffer with name
This function will extract the name of the Basic OCSP Response in
the provided buffer. The name will be in the form
"C=xxxx,O=yyyy,CN=zzzz" as described in RFC2253. The output string
will be ASCII or UTF-8 encoded, depending on the certificate data.
The caller needs to deallocate memory by calling `gnutls_free()'
on `dn' ->data.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error code is returned.
gnutls_ocsp_resp_get_response
-----------------------------
-- Function: int gnutls_ocsp_resp_get_response (gnutls_ocsp_resp_t
RESP, gnutls_datum_t * RESPONSE_TYPE_OID, gnutls_datum_t *
RESPONSE)
RESP: should contain a `gnutls_ocsp_resp_t' structure
RESPONSE_TYPE_OID: newly allocated output buffer with response
type OID
RESPONSE: newly allocated output buffer with DER encoded response
This function will extract the response type OID in and the
response data from an OCSP response. Normally the
`response_type_oid' is always "1.3.6.1.5.5.7.48.1.1" which means
the `response' should be decoded as a Basic OCSP Response, but
technically other response types could be used.
This function is typically only useful when you want to extract the
response type OID of an response for diagnostic purposes.
Otherwise `gnutls_ocsp_resp_import()' will decode the basic OCSP
response part and the caller need not worry about that aspect.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_ocsp_resp_get_signature
------------------------------
-- Function: int gnutls_ocsp_resp_get_signature (gnutls_ocsp_resp_t
RESP, gnutls_datum_t * SIG)
RESP: should contain a `gnutls_ocsp_resp_t' structure
SIG: newly allocated output buffer with signature data
This function will extract the signature field of a OCSP response.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_ocsp_resp_get_signature_algorithm
----------------------------------------
-- Function: int gnutls_ocsp_resp_get_signature_algorithm
(gnutls_ocsp_resp_t RESP)
RESP: should contain a `gnutls_ocsp_resp_t' structure
This function will return a value of the `gnutls_sign_algorithm_t'
enumeration that is the signature algorithm that has been used to
sign the OCSP response.
*Returns:* a `gnutls_sign_algorithm_t' value, or a negative error
code on error.
gnutls_ocsp_resp_get_single
---------------------------
-- Function: int gnutls_ocsp_resp_get_single (gnutls_ocsp_resp_t RESP,
unsigned INDX, gnutls_digest_algorithm_t * DIGEST,
gnutls_datum_t * ISSUER_NAME_HASH, gnutls_datum_t *
ISSUER_KEY_HASH, gnutls_datum_t * SERIAL_NUMBER, unsigned int
* CERT_STATUS, time_t * THIS_UPDATE, time_t * NEXT_UPDATE,
time_t * REVOCATION_TIME, unsigned int * REVOCATION_REASON)
RESP: should contain a `gnutls_ocsp_resp_t' structure
INDX: Specifies response number to get. Use (0) to get the first
one.
DIGEST: output variable with `gnutls_digest_algorithm_t' hash
algorithm
ISSUER_NAME_HASH: output buffer with hash of issuer's DN
ISSUER_KEY_HASH: output buffer with hash of issuer's public key
SERIAL_NUMBER: output buffer with serial number of certificate to
check
CERT_STATUS: a certificate status, a `gnutls_ocsp_cert_status_t'
enum.
THIS_UPDATE: time at which the status is known to be correct.
NEXT_UPDATE: when newer information will be available, or
(time_t)-1 if unspecified
REVOCATION_TIME: when `cert_status' is `GNUTLS_OCSP_CERT_REVOKED'
, holds time of revocation.
REVOCATION_REASON: revocation reason, a `gnutls_x509_crl_reason_t'
enum.
This function will return the certificate information of the
`indx' 'ed response in the Basic OCSP Response `resp' . The
information returned corresponds to the OCSP SingleResponse
structure except the final singleExtensions.
Each of the pointers to output variables may be NULL to indicate
that the caller is not interested in that value.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error code is returned. If you have reached
the last CertID available `GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE'
will be returned.
gnutls_ocsp_resp_get_status
---------------------------
-- Function: int gnutls_ocsp_resp_get_status (gnutls_ocsp_resp_t RESP)
RESP: should contain a `gnutls_ocsp_resp_t' structure
This function will return the status of a OCSP response, an
`gnutls_ocsp_resp_status_t' enumeration.
*Returns:* status of OCSP request as a `gnutls_ocsp_resp_status_t'
, or a negative error code on error.
gnutls_ocsp_resp_get_version
----------------------------
-- Function: int gnutls_ocsp_resp_get_version (gnutls_ocsp_resp_t RESP)
RESP: should contain a `gnutls_ocsp_resp_t' structure
This function will return the version of the Basic OCSP Response.
Typically this is always 1 indicating version 1.
*Returns:* version of Basic OCSP response, or a negative error code
on error.
gnutls_ocsp_resp_import
-----------------------
-- Function: int gnutls_ocsp_resp_import (gnutls_ocsp_resp_t RESP,
const gnutls_datum_t * DATA)
RESP: The structure to store the parsed response.
DATA: DER encoded OCSP response.
This function will convert the given DER encoded OCSP response to
the native `gnutls_ocsp_resp_t' format. It also decodes the Basic
OCSP Response part, if any. The output will be stored in `resp' .
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_ocsp_resp_init
---------------------
-- Function: int gnutls_ocsp_resp_init (gnutls_ocsp_resp_t * RESP)
RESP: The structure to be initialized
This function will initialize an OCSP response structure.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_ocsp_resp_print
----------------------
-- Function: int gnutls_ocsp_resp_print (gnutls_ocsp_resp_t RESP,
gnutls_ocsp_print_formats_t FORMAT, gnutls_datum_t * OUT)
RESP: The structure to be printed
FORMAT: Indicate the format to use
OUT: Newly allocated datum with (0) terminated string.
This function will pretty print a OCSP response, suitable for
display to a human.
If the format is `GNUTLS_OCSP_PRINT_FULL' then all fields of the
response will be output, on multiple lines.
The output `out' ->data needs to be deallocate using
`gnutls_free()' .
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_ocsp_resp_verify
-----------------------
-- Function: int gnutls_ocsp_resp_verify (gnutls_ocsp_resp_t RESP,
gnutls_x509_trust_list_t TRUSTLIST, unsigned int * VERIFY,
unsigned int FLAGS)
RESP: should contain a `gnutls_ocsp_resp_t' structure
TRUSTLIST: trust anchors as a `gnutls_x509_trust_list_t' structure
VERIFY: output variable with verification status, an
`gnutls_ocsp_cert_status_t'
FLAGS: verification flags, 0 for now.
Verify signature of the Basic OCSP Response against the public key
in the certificate of a trusted signer. The `trustlist' should be
populated with trust anchors. The function will extract the signer
certificate from the Basic OCSP Response and will verify it against
the `trustlist' . A trusted signer is a certificate that is
either in `trustlist' , or it is signed directly by a certificate
in `trustlist' and has the id-ad-ocspSigning Extended Key Usage
bit set.
The output `verify' variable will hold verification status codes
(e.g., `GNUTLS_OCSP_VERIFY_SIGNER_NOT_FOUND' ,
`GNUTLS_OCSP_VERIFY_INSECURE_ALGORITHM' ) which are only valid if
the function returned `GNUTLS_E_SUCCESS' .
Note that the function returns `GNUTLS_E_SUCCESS' even when
verification failed. The caller must always inspect the `verify'
variable to find out the verification status.
The `flags' variable should be 0 for now.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_ocsp_resp_verify_direct
------------------------------
-- Function: int gnutls_ocsp_resp_verify_direct (gnutls_ocsp_resp_t
RESP, gnutls_x509_crt_t ISSUER, unsigned int * VERIFY,
unsigned int FLAGS)
RESP: should contain a `gnutls_ocsp_resp_t' structure
ISSUER: certificate believed to have signed the response
VERIFY: output variable with verification status, an
`gnutls_ocsp_cert_status_t'
FLAGS: verification flags, 0 for now.
Verify signature of the Basic OCSP Response against the public key
in the `issuer' certificate.
The output `verify' variable will hold verification status codes
(e.g., `GNUTLS_OCSP_VERIFY_SIGNER_NOT_FOUND' ,
`GNUTLS_OCSP_VERIFY_INSECURE_ALGORITHM' ) which are only valid if
the function returned `GNUTLS_E_SUCCESS' .
Note that the function returns `GNUTLS_E_SUCCESS' even when
verification failed. The caller must always inspect the `verify'
variable to find out the verification status.
The `flags' variable should be 0 for now.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
�
File: gnutls.info, Node: OpenPGP API, Next: PKCS 12 API, Prev: OCSP API, Up: API reference
E.5 OpenPGP API
===============
The following functions are to be used for OpenPGP certificate
handling. Their prototypes lie in `gnutls/openpgp.h'.
gnutls_certificate_set_openpgp_key
----------------------------------
-- Function: int gnutls_certificate_set_openpgp_key
(gnutls_certificate_credentials_t RES, gnutls_openpgp_crt_t
CRT, gnutls_openpgp_privkey_t PKEY)
RES: is a `gnutls_certificate_credentials_t' structure.
CRT: contains an openpgp public key
PKEY: is an openpgp private key
This function sets a certificate/private key pair in the
gnutls_certificate_credentials_t structure. This function may be
called more than once (in case multiple keys/certificates exist
for the server).
Note that this function requires that the preferred key ids have
been set and be used. See
`gnutls_openpgp_crt_set_preferred_key_id()' . Otherwise the
master key will be used.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error code is returned.
gnutls_certificate_set_openpgp_key_file
---------------------------------------
-- Function: int gnutls_certificate_set_openpgp_key_file
(gnutls_certificate_credentials_t RES, const char * CERTFILE,
const char * KEYFILE, gnutls_openpgp_crt_fmt_t FORMAT)
RES: the destination context to save the data.
CERTFILE: the file that contains the public key.
KEYFILE: the file that contains the secret key.
FORMAT: the format of the keys
This funtion is used to load OpenPGP keys into the GnuTLS
credentials structure. The file should contain at least one valid
non encrypted subkey.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_certificate_set_openpgp_key_file2
----------------------------------------
-- Function: int gnutls_certificate_set_openpgp_key_file2
(gnutls_certificate_credentials_t RES, const char * CERTFILE,
const char * KEYFILE, const char * SUBKEY_ID,
gnutls_openpgp_crt_fmt_t FORMAT)
RES: the destination context to save the data.
CERTFILE: the file that contains the public key.
KEYFILE: the file that contains the secret key.
SUBKEY_ID: a hex encoded subkey id
FORMAT: the format of the keys
This funtion is used to load OpenPGP keys into the GnuTLS
credential structure. The file should contain at least one valid
non encrypted subkey.
The special keyword "auto" is also accepted as `subkey_id' . In
that case the `gnutls_openpgp_crt_get_auth_subkey()' will be used
to retrieve the subkey.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
*Since:* 2.4.0
gnutls_certificate_set_openpgp_key_mem
--------------------------------------
-- Function: int gnutls_certificate_set_openpgp_key_mem
(gnutls_certificate_credentials_t RES, const gnutls_datum_t *
CERT, const gnutls_datum_t * KEY, gnutls_openpgp_crt_fmt_t
FORMAT)
RES: the destination context to save the data.
CERT: the datum that contains the public key.
KEY: the datum that contains the secret key.
FORMAT: the format of the keys
This funtion is used to load OpenPGP keys into the GnuTLS
credential structure. The datum should contain at least one valid
non encrypted subkey.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_certificate_set_openpgp_key_mem2
---------------------------------------
-- Function: int gnutls_certificate_set_openpgp_key_mem2
(gnutls_certificate_credentials_t RES, const gnutls_datum_t *
CERT, const gnutls_datum_t * KEY, const char * SUBKEY_ID,
gnutls_openpgp_crt_fmt_t FORMAT)
RES: the destination context to save the data.
CERT: the datum that contains the public key.
KEY: the datum that contains the secret key.
SUBKEY_ID: a hex encoded subkey id
FORMAT: the format of the keys
This funtion is used to load OpenPGP keys into the GnuTLS
credentials structure. The datum should contain at least one valid
non encrypted subkey.
The special keyword "auto" is also accepted as `subkey_id' . In
that case the `gnutls_openpgp_crt_get_auth_subkey()' will be used
to retrieve the subkey.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
*Since:* 2.4.0
gnutls_certificate_set_openpgp_keyring_file
-------------------------------------------
-- Function: int gnutls_certificate_set_openpgp_keyring_file
(gnutls_certificate_credentials_t C, const char * FILE,
gnutls_openpgp_crt_fmt_t FORMAT)
C: A certificate credentials structure
FILE: filename of the keyring.
FORMAT: format of keyring.
The function is used to set keyrings that will be used internally
by various OpenPGP functions. For example to find a key when it is
needed for an operations. The keyring will also be used at the
verification functions.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_certificate_set_openpgp_keyring_mem
------------------------------------------
-- Function: int gnutls_certificate_set_openpgp_keyring_mem
(gnutls_certificate_credentials_t C, const uint8_t * DATA,
size_t DLEN, gnutls_openpgp_crt_fmt_t FORMAT)
C: A certificate credentials structure
DATA: buffer with keyring data.
DLEN: length of data buffer.
FORMAT: the format of the keyring
The function is used to set keyrings that will be used internally
by various OpenPGP functions. For example to find a key when it is
needed for an operations. The keyring will also be used at the
verification functions.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_openpgp_crt_check_hostname
---------------------------------
-- Function: int gnutls_openpgp_crt_check_hostname
(gnutls_openpgp_crt_t KEY, const char * HOSTNAME)
KEY: should contain a `gnutls_openpgp_crt_t' structure
HOSTNAME: A null terminated string that contains a DNS name
This function will check if the given key's owner matches the
given hostname. This is a basic implementation of the matching
described in RFC2818 (HTTPS), which takes into account wildcards.
*Returns:* `GNUTLS_E_SUCCESS' on success, or an error code.
gnutls_openpgp_crt_deinit
-------------------------
-- Function: void gnutls_openpgp_crt_deinit (gnutls_openpgp_crt_t KEY)
KEY: The structure to be initialized
This function will deinitialize a key structure.
gnutls_openpgp_crt_export
-------------------------
-- Function: int gnutls_openpgp_crt_export (gnutls_openpgp_crt_t KEY,
gnutls_openpgp_crt_fmt_t FORMAT, void * OUTPUT_DATA, size_t *
OUTPUT_DATA_SIZE)
KEY: Holds the key.
FORMAT: One of gnutls_openpgp_crt_fmt_t elements.
OUTPUT_DATA: will contain the raw or base64 encoded key
OUTPUT_DATA_SIZE: holds the size of output_data (and will be
replaced by the actual size of parameters)
This function will convert the given key to RAW or Base64 format.
If the buffer provided is not long enough to hold the output, then
`GNUTLS_E_SHORT_MEMORY_BUFFER' will be returned.
*Returns:* `GNUTLS_E_SUCCESS' on success, or an error code.
gnutls_openpgp_crt_export2
--------------------------
-- Function: int gnutls_openpgp_crt_export2 (gnutls_openpgp_crt_t KEY,
gnutls_openpgp_crt_fmt_t FORMAT, gnutls_datum_t * OUT)
KEY: Holds the key.
FORMAT: One of gnutls_openpgp_crt_fmt_t elements.
OUT: will contain the raw or base64 encoded key
This function will convert the given key to RAW or Base64 format.
The output buffer is allocated using `gnutls_malloc()' .
*Returns:* `GNUTLS_E_SUCCESS' on success, or an error code.
gnutls_openpgp_crt_get_auth_subkey
----------------------------------
-- Function: int gnutls_openpgp_crt_get_auth_subkey
(gnutls_openpgp_crt_t CRT, gnutls_openpgp_keyid_t KEYID,
unsigned int FLAG)
CRT: the structure that contains the OpenPGP public key.
KEYID: the struct to save the keyid.
FLAG: Non-zero indicates that a valid subkey is always returned.
Returns the 64-bit keyID of the first valid OpenPGP subkey marked
for authentication. If flag is non-zero and no authentication
subkey exists, then a valid subkey will be returned even if it is
not marked for authentication.
*Returns:* `GNUTLS_E_SUCCESS' on success, or an error code.
gnutls_openpgp_crt_get_creation_time
------------------------------------
-- Function: time_t gnutls_openpgp_crt_get_creation_time
(gnutls_openpgp_crt_t KEY)
KEY: the structure that contains the OpenPGP public key.
Get key creation time.
*Returns:* the timestamp when the OpenPGP key was created.
gnutls_openpgp_crt_get_expiration_time
--------------------------------------
-- Function: time_t gnutls_openpgp_crt_get_expiration_time
(gnutls_openpgp_crt_t KEY)
KEY: the structure that contains the OpenPGP public key.
Get key expiration time. A value of '0' means that the key doesn't
expire at all.
*Returns:* the time when the OpenPGP key expires.
gnutls_openpgp_crt_get_fingerprint
----------------------------------
-- Function: int gnutls_openpgp_crt_get_fingerprint
(gnutls_openpgp_crt_t KEY, void * FPR, size_t * FPRLEN)
KEY: the raw data that contains the OpenPGP public key.
FPR: the buffer to save the fingerprint, must hold at least 20
bytes.
FPRLEN: the integer to save the length of the fingerprint.
Get key fingerprint. Depending on the algorithm, the fingerprint
can be 16 or 20 bytes.
*Returns:* On success, 0 is returned. Otherwise, an error code.
gnutls_openpgp_crt_get_key_id
-----------------------------
-- Function: int gnutls_openpgp_crt_get_key_id (gnutls_openpgp_crt_t
KEY, gnutls_openpgp_keyid_t KEYID)
KEY: the structure that contains the OpenPGP public key.
KEYID: the buffer to save the keyid.
Get key id string.
*Returns:* the 64-bit keyID of the OpenPGP key.
*Since:* 2.4.0
gnutls_openpgp_crt_get_key_usage
--------------------------------
-- Function: int gnutls_openpgp_crt_get_key_usage
(gnutls_openpgp_crt_t KEY, unsigned int * KEY_USAGE)
KEY: should contain a gnutls_openpgp_crt_t structure
KEY_USAGE: where the key usage bits will be stored
This function will return certificate's key usage, by checking the
key algorithm. The key usage value will ORed values of the:
`GNUTLS_KEY_DIGITAL_SIGNATURE' , `GNUTLS_KEY_KEY_ENCIPHERMENT' .
*Returns:* `GNUTLS_E_SUCCESS' on success, or an error code.
gnutls_openpgp_crt_get_name
---------------------------
-- Function: int gnutls_openpgp_crt_get_name (gnutls_openpgp_crt_t
KEY, int IDX, char * BUF, size_t * SIZEOF_BUF)
KEY: the structure that contains the OpenPGP public key.
IDX: the index of the ID to extract
BUF: a pointer to a structure to hold the name, may be `NULL' to
only get the `sizeof_buf' .
SIZEOF_BUF: holds the maximum size of `buf' , on return hold the
actual/required size of `buf' .
Extracts the userID from the parsed OpenPGP key.
*Returns:* `GNUTLS_E_SUCCESS' on success, and if the index of the
ID does not exist `GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE' , or an
error code.
gnutls_openpgp_crt_get_pk_algorithm
-----------------------------------
-- Function: gnutls_pk_algorithm_t gnutls_openpgp_crt_get_pk_algorithm
(gnutls_openpgp_crt_t KEY, unsigned int * BITS)
KEY: is an OpenPGP key
BITS: if bits is non null it will hold the size of the parameters'
in bits
This function will return the public key algorithm of an OpenPGP
certificate.
If bits is non null, it should have enough size to hold the
parameters size in bits. For RSA the bits returned is the modulus.
For DSA the bits returned are of the public exponent.
*Returns:* a member of the `gnutls_pk_algorithm_t' enumeration on
success, or GNUTLS_PK_UNKNOWN on error.
gnutls_openpgp_crt_get_pk_dsa_raw
---------------------------------
-- Function: int gnutls_openpgp_crt_get_pk_dsa_raw
(gnutls_openpgp_crt_t CRT, gnutls_datum_t * P, gnutls_datum_t
* Q, gnutls_datum_t * G, gnutls_datum_t * Y)
CRT: Holds the certificate
P: will hold the p
Q: will hold the q
G: will hold the g
Y: will hold the y
This function will export the DSA public key's parameters found in
the given certificate. The new parameters will be allocated using
`gnutls_malloc()' and will be stored in the appropriate datum.
*Returns:* `GNUTLS_E_SUCCESS' on success, otherwise a negative
error code.
*Since:* 2.4.0
gnutls_openpgp_crt_get_pk_rsa_raw
---------------------------------
-- Function: int gnutls_openpgp_crt_get_pk_rsa_raw
(gnutls_openpgp_crt_t CRT, gnutls_datum_t * M, gnutls_datum_t
* E)
CRT: Holds the certificate
M: will hold the modulus
E: will hold the public exponent
This function will export the RSA public key's parameters found in
the given structure. The new parameters will be allocated using
`gnutls_malloc()' and will be stored in the appropriate datum.
*Returns:* `GNUTLS_E_SUCCESS' on success, otherwise a negative
error code.
*Since:* 2.4.0
gnutls_openpgp_crt_get_preferred_key_id
---------------------------------------
-- Function: int gnutls_openpgp_crt_get_preferred_key_id
(gnutls_openpgp_crt_t KEY, gnutls_openpgp_keyid_t KEYID)
KEY: the structure that contains the OpenPGP public key.
KEYID: the struct to save the keyid.
Get preferred key id. If it hasn't been set it returns
`GNUTLS_E_INVALID_REQUEST' .
*Returns:* the 64-bit preferred keyID of the OpenPGP key.
gnutls_openpgp_crt_get_revoked_status
-------------------------------------
-- Function: int gnutls_openpgp_crt_get_revoked_status
(gnutls_openpgp_crt_t KEY)
KEY: the structure that contains the OpenPGP public key.
Get revocation status of key.
*Returns:* true (1) if the key has been revoked, or false (0) if it
has not.
*Since:* 2.4.0
gnutls_openpgp_crt_get_subkey_count
-----------------------------------
-- Function: int gnutls_openpgp_crt_get_subkey_count
(gnutls_openpgp_crt_t KEY)
KEY: is an OpenPGP key
This function will return the number of subkeys present in the
given OpenPGP certificate.
*Returns:* the number of subkeys, or a negative error code on
error.
*Since:* 2.4.0
gnutls_openpgp_crt_get_subkey_creation_time
-------------------------------------------
-- Function: time_t gnutls_openpgp_crt_get_subkey_creation_time
(gnutls_openpgp_crt_t KEY, unsigned int IDX)
KEY: the structure that contains the OpenPGP public key.
IDX: the subkey index
Get subkey creation time.
*Returns:* the timestamp when the OpenPGP sub-key was created.
*Since:* 2.4.0
gnutls_openpgp_crt_get_subkey_expiration_time
---------------------------------------------
-- Function: time_t gnutls_openpgp_crt_get_subkey_expiration_time
(gnutls_openpgp_crt_t KEY, unsigned int IDX)
KEY: the structure that contains the OpenPGP public key.
IDX: the subkey index
Get subkey expiration time. A value of '0' means that the key
doesn't expire at all.
*Returns:* the time when the OpenPGP key expires.
*Since:* 2.4.0
gnutls_openpgp_crt_get_subkey_fingerprint
-----------------------------------------
-- Function: int gnutls_openpgp_crt_get_subkey_fingerprint
(gnutls_openpgp_crt_t KEY, unsigned int IDX, void * FPR,
size_t * FPRLEN)
KEY: the raw data that contains the OpenPGP public key.
IDX: the subkey index
FPR: the buffer to save the fingerprint, must hold at least 20
bytes.
FPRLEN: the integer to save the length of the fingerprint.
Get key fingerprint of a subkey. Depending on the algorithm, the
fingerprint can be 16 or 20 bytes.
*Returns:* On success, 0 is returned. Otherwise, an error code.
*Since:* 2.4.0
gnutls_openpgp_crt_get_subkey_id
--------------------------------
-- Function: int gnutls_openpgp_crt_get_subkey_id
(gnutls_openpgp_crt_t KEY, unsigned int IDX,
gnutls_openpgp_keyid_t KEYID)
KEY: the structure that contains the OpenPGP public key.
IDX: the subkey index
KEYID: the buffer to save the keyid.
Get the subkey's key-id.
*Returns:* the 64-bit keyID of the OpenPGP key.
gnutls_openpgp_crt_get_subkey_idx
---------------------------------
-- Function: int gnutls_openpgp_crt_get_subkey_idx
(gnutls_openpgp_crt_t KEY, const gnutls_openpgp_keyid_t KEYID)
KEY: the structure that contains the OpenPGP public key.
KEYID: the keyid.
Get subkey's index.
*Returns:* the index of the subkey or a negative error value.
*Since:* 2.4.0
gnutls_openpgp_crt_get_subkey_pk_algorithm
------------------------------------------
-- Function: gnutls_pk_algorithm_t
gnutls_openpgp_crt_get_subkey_pk_algorithm (gnutls_openpgp_crt_t KEY,
unsigned int IDX, unsigned int * BITS)
KEY: is an OpenPGP key
IDX: is the subkey index
BITS: if bits is non null it will hold the size of the parameters'
in bits
This function will return the public key algorithm of a subkey of
an OpenPGP certificate.
If bits is non null, it should have enough size to hold the
parameters size in bits. For RSA the bits returned is the modulus.
For DSA the bits returned are of the public exponent.
*Returns:* a member of the `gnutls_pk_algorithm_t' enumeration on
success, or GNUTLS_PK_UNKNOWN on error.
*Since:* 2.4.0
gnutls_openpgp_crt_get_subkey_pk_dsa_raw
----------------------------------------
-- Function: int gnutls_openpgp_crt_get_subkey_pk_dsa_raw
(gnutls_openpgp_crt_t CRT, unsigned int IDX, gnutls_datum_t *
P, gnutls_datum_t * Q, gnutls_datum_t * G, gnutls_datum_t * Y)
CRT: Holds the certificate
IDX: Is the subkey index
P: will hold the p
Q: will hold the q
G: will hold the g
Y: will hold the y
This function will export the DSA public key's parameters found in
the given certificate. The new parameters will be allocated using
`gnutls_malloc()' and will be stored in the appropriate datum.
*Returns:* `GNUTLS_E_SUCCESS' on success, otherwise a negative
error code.
*Since:* 2.4.0
gnutls_openpgp_crt_get_subkey_pk_rsa_raw
----------------------------------------
-- Function: int gnutls_openpgp_crt_get_subkey_pk_rsa_raw
(gnutls_openpgp_crt_t CRT, unsigned int IDX, gnutls_datum_t *
M, gnutls_datum_t * E)
CRT: Holds the certificate
IDX: Is the subkey index
M: will hold the modulus
E: will hold the public exponent
This function will export the RSA public key's parameters found in
the given structure. The new parameters will be allocated using
`gnutls_malloc()' and will be stored in the appropriate datum.
*Returns:* `GNUTLS_E_SUCCESS' on success, otherwise a negative
error code.
*Since:* 2.4.0
gnutls_openpgp_crt_get_subkey_revoked_status
--------------------------------------------
-- Function: int gnutls_openpgp_crt_get_subkey_revoked_status
(gnutls_openpgp_crt_t KEY, unsigned int IDX)
KEY: the structure that contains the OpenPGP public key.
IDX: is the subkey index
Get subkey revocation status. A negative error code indicates an
error.
*Returns:* true (1) if the key has been revoked, or false (0) if it
has not.
*Since:* 2.4.0
gnutls_openpgp_crt_get_subkey_usage
-----------------------------------
-- Function: int gnutls_openpgp_crt_get_subkey_usage
(gnutls_openpgp_crt_t KEY, unsigned int IDX, unsigned int *
KEY_USAGE)
KEY: should contain a gnutls_openpgp_crt_t structure
IDX: the subkey index
KEY_USAGE: where the key usage bits will be stored
This function will return certificate's key usage, by checking the
key algorithm. The key usage value will ORed values of
`GNUTLS_KEY_DIGITAL_SIGNATURE' or `GNUTLS_KEY_KEY_ENCIPHERMENT' .
A negative error code may be returned in case of parsing error.
*Returns:* key usage value.
*Since:* 2.4.0
gnutls_openpgp_crt_get_version
------------------------------
-- Function: int gnutls_openpgp_crt_get_version (gnutls_openpgp_crt_t
KEY)
KEY: the structure that contains the OpenPGP public key.
Extract the version of the OpenPGP key.
*Returns:* the version number is returned, or a negative error
code on errors.
gnutls_openpgp_crt_import
-------------------------
-- Function: int gnutls_openpgp_crt_import (gnutls_openpgp_crt_t KEY,
const gnutls_datum_t * DATA, gnutls_openpgp_crt_fmt_t FORMAT)
KEY: The structure to store the parsed key.
DATA: The RAW or BASE64 encoded key.
FORMAT: One of gnutls_openpgp_crt_fmt_t elements.
This function will convert the given RAW or Base64 encoded key to
the native `gnutls_openpgp_crt_t' format. The output will be
stored in 'key'.
*Returns:* `GNUTLS_E_SUCCESS' on success, or an error code.
gnutls_openpgp_crt_init
-----------------------
-- Function: int gnutls_openpgp_crt_init (gnutls_openpgp_crt_t * KEY)
KEY: The structure to be initialized
This function will initialize an OpenPGP key structure.
*Returns:* `GNUTLS_E_SUCCESS' on success, or an error code.
gnutls_openpgp_crt_print
------------------------
-- Function: int gnutls_openpgp_crt_print (gnutls_openpgp_crt_t CERT,
gnutls_certificate_print_formats_t FORMAT, gnutls_datum_t *
OUT)
CERT: The structure to be printed
FORMAT: Indicate the format to use
OUT: Newly allocated datum with (0) terminated string.
This function will pretty print an OpenPGP certificate, suitable
for display to a human.
The format should be (0) for future compatibility.
The output `out' needs to be deallocate using `gnutls_free()' .
*Returns:* `GNUTLS_E_SUCCESS' on success, or an error code.
gnutls_openpgp_crt_set_preferred_key_id
---------------------------------------
-- Function: int gnutls_openpgp_crt_set_preferred_key_id
(gnutls_openpgp_crt_t KEY, const gnutls_openpgp_keyid_t KEYID)
KEY: the structure that contains the OpenPGP public key.
KEYID: the selected keyid
This allows setting a preferred key id for the given certificate.
This key will be used by functions that involve key handling.
If the provided `keyid' is `NULL' then the master key is set as
preferred.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error code is returned.
gnutls_openpgp_crt_verify_ring
------------------------------
-- Function: int gnutls_openpgp_crt_verify_ring (gnutls_openpgp_crt_t
KEY, gnutls_openpgp_keyring_t KEYRING, unsigned int FLAGS,
unsigned int * VERIFY)
KEY: the structure that holds the key.
KEYRING: holds the keyring to check against
FLAGS: unused (should be 0)
VERIFY: will hold the certificate verification output.
Verify all signatures in the key, using the given set of keys
(keyring).
The key verification output will be put in `verify' and will be
one or more of the `gnutls_certificate_status_t' enumerated
elements bitwise or'd.
Note that this function does not verify using any "web of trust".
You may use GnuPG for that purpose, or any other external PGP
application.
*Returns:* `GNUTLS_E_SUCCESS' on success, or an error code.
gnutls_openpgp_crt_verify_self
------------------------------
-- Function: int gnutls_openpgp_crt_verify_self (gnutls_openpgp_crt_t
KEY, unsigned int FLAGS, unsigned int * VERIFY)
KEY: the structure that holds the key.
FLAGS: unused (should be 0)
VERIFY: will hold the key verification output.
Verifies the self signature in the key. The key verification
output will be put in `verify' and will be one or more of the
gnutls_certificate_status_t enumerated elements bitwise or'd.
*Returns:* `GNUTLS_E_SUCCESS' on success, or an error code.
gnutls_openpgp_keyring_check_id
-------------------------------
-- Function: int gnutls_openpgp_keyring_check_id
(gnutls_openpgp_keyring_t RING, const gnutls_openpgp_keyid_t
KEYID, unsigned int FLAGS)
RING: holds the keyring to check against
KEYID: will hold the keyid to check for.
FLAGS: unused (should be 0)
Check if a given key ID exists in the keyring.
*Returns:* `GNUTLS_E_SUCCESS' on success (if keyid exists) and a
negative error code on failure.
gnutls_openpgp_keyring_deinit
-----------------------------
-- Function: void gnutls_openpgp_keyring_deinit
(gnutls_openpgp_keyring_t KEYRING)
KEYRING: The structure to be initialized
This function will deinitialize a keyring structure.
gnutls_openpgp_keyring_get_crt
------------------------------
-- Function: int gnutls_openpgp_keyring_get_crt
(gnutls_openpgp_keyring_t RING, unsigned int IDX,
gnutls_openpgp_crt_t * CERT)
RING: Holds the keyring.
IDX: the index of the certificate to export
CERT: An uninitialized `gnutls_openpgp_crt_t' structure
This function will extract an OpenPGP certificate from the given
keyring. If the index given is out of range
`GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE' will be returned. The
returned structure needs to be deinited.
*Returns:* `GNUTLS_E_SUCCESS' on success, or an error code.
gnutls_openpgp_keyring_get_crt_count
------------------------------------
-- Function: int gnutls_openpgp_keyring_get_crt_count
(gnutls_openpgp_keyring_t RING)
RING: is an OpenPGP key ring
This function will return the number of OpenPGP certificates
present in the given keyring.
*Returns:* the number of subkeys, or a negative error code on
error.
gnutls_openpgp_keyring_import
-----------------------------
-- Function: int gnutls_openpgp_keyring_import
(gnutls_openpgp_keyring_t KEYRING, const gnutls_datum_t *
DATA, gnutls_openpgp_crt_fmt_t FORMAT)
KEYRING: The structure to store the parsed key.
DATA: The RAW or BASE64 encoded keyring.
FORMAT: One of `gnutls_openpgp_keyring_fmt' elements.
This function will convert the given RAW or Base64 encoded keyring
to the native `gnutls_openpgp_keyring_t' format. The output will
be stored in 'keyring'.
*Returns:* `GNUTLS_E_SUCCESS' on success, or an error code.
gnutls_openpgp_keyring_init
---------------------------
-- Function: int gnutls_openpgp_keyring_init (gnutls_openpgp_keyring_t
* KEYRING)
KEYRING: The structure to be initialized
This function will initialize an keyring structure.
*Returns:* `GNUTLS_E_SUCCESS' on success, or an error code.
gnutls_openpgp_privkey_deinit
-----------------------------
-- Function: void gnutls_openpgp_privkey_deinit
(gnutls_openpgp_privkey_t KEY)
KEY: The structure to be initialized
This function will deinitialize a key structure.
gnutls_openpgp_privkey_export
-----------------------------
-- Function: int gnutls_openpgp_privkey_export
(gnutls_openpgp_privkey_t KEY, gnutls_openpgp_crt_fmt_t
FORMAT, const char * PASSWORD, unsigned int FLAGS, void *
OUTPUT_DATA, size_t * OUTPUT_DATA_SIZE)
KEY: Holds the key.
FORMAT: One of gnutls_openpgp_crt_fmt_t elements.
PASSWORD: the password that will be used to encrypt the key.
(unused for now)
FLAGS: (0) for future compatibility
OUTPUT_DATA: will contain the key base64 encoded or raw
OUTPUT_DATA_SIZE: holds the size of output_data (and will be
replaced by the actual size of parameters)
This function will convert the given key to RAW or Base64 format.
If the buffer provided is not long enough to hold the output, then
GNUTLS_E_SHORT_MEMORY_BUFFER will be returned.
*Returns:* `GNUTLS_E_SUCCESS' on success, or an error code.
*Since:* 2.4.0
gnutls_openpgp_privkey_export2
------------------------------
-- Function: int gnutls_openpgp_privkey_export2
(gnutls_openpgp_privkey_t KEY, gnutls_openpgp_crt_fmt_t
FORMAT, const char * PASSWORD, unsigned int FLAGS,
gnutls_datum_t * OUT)
KEY: Holds the key.
FORMAT: One of gnutls_openpgp_crt_fmt_t elements.
PASSWORD: the password that will be used to encrypt the key.
(unused for now)
FLAGS: (0) for future compatibility
OUT: will contain the raw or based64 encoded key
This function will convert the given key to RAW or Base64 format.
The output buffer is allocated using `gnutls_malloc()' .
*Returns:* `GNUTLS_E_SUCCESS' on success, or an error code.
*Since:* 3.1
gnutls_openpgp_privkey_export_dsa_raw
-------------------------------------
-- Function: int gnutls_openpgp_privkey_export_dsa_raw
(gnutls_openpgp_privkey_t PKEY, gnutls_datum_t * P,
gnutls_datum_t * Q, gnutls_datum_t * G, gnutls_datum_t * Y,
gnutls_datum_t * X)
PKEY: Holds the certificate
P: will hold the p
Q: will hold the q
G: will hold the g
Y: will hold the y
X: will hold the x
This function will export the DSA private key's parameters found in
the given certificate. The new parameters will be allocated using
`gnutls_malloc()' and will be stored in the appropriate datum.
*Returns:* `GNUTLS_E_SUCCESS' on success, otherwise a negative
error code.
*Since:* 2.4.0
gnutls_openpgp_privkey_export_rsa_raw
-------------------------------------
-- Function: int gnutls_openpgp_privkey_export_rsa_raw
(gnutls_openpgp_privkey_t PKEY, gnutls_datum_t * M,
gnutls_datum_t * E, gnutls_datum_t * D, gnutls_datum_t * P,
gnutls_datum_t * Q, gnutls_datum_t * U)
PKEY: Holds the certificate
M: will hold the modulus
E: will hold the public exponent
D: will hold the private exponent
P: will hold the first prime (p)
Q: will hold the second prime (q)
U: will hold the coefficient
This function will export the RSA private key's parameters found in
the given structure. The new parameters will be allocated using
`gnutls_malloc()' and will be stored in the appropriate datum.
*Returns:* `GNUTLS_E_SUCCESS' on success, otherwise a negative
error code.
*Since:* 2.4.0
gnutls_openpgp_privkey_export_subkey_dsa_raw
--------------------------------------------
-- Function: int gnutls_openpgp_privkey_export_subkey_dsa_raw
(gnutls_openpgp_privkey_t PKEY, unsigned int IDX,
gnutls_datum_t * P, gnutls_datum_t * Q, gnutls_datum_t * G,
gnutls_datum_t * Y, gnutls_datum_t * X)
PKEY: Holds the certificate
IDX: Is the subkey index
P: will hold the p
Q: will hold the q
G: will hold the g
Y: will hold the y
X: will hold the x
This function will export the DSA private key's parameters found
in the given certificate. The new parameters will be allocated
using `gnutls_malloc()' and will be stored in the appropriate
datum.
*Returns:* `GNUTLS_E_SUCCESS' on success, otherwise a negative
error code.
*Since:* 2.4.0
gnutls_openpgp_privkey_export_subkey_rsa_raw
--------------------------------------------
-- Function: int gnutls_openpgp_privkey_export_subkey_rsa_raw
(gnutls_openpgp_privkey_t PKEY, unsigned int IDX,
gnutls_datum_t * M, gnutls_datum_t * E, gnutls_datum_t * D,
gnutls_datum_t * P, gnutls_datum_t * Q, gnutls_datum_t * U)
PKEY: Holds the certificate
IDX: Is the subkey index
M: will hold the modulus
E: will hold the public exponent
D: will hold the private exponent
P: will hold the first prime (p)
Q: will hold the second prime (q)
U: will hold the coefficient
This function will export the RSA private key's parameters found in
the given structure. The new parameters will be allocated using
`gnutls_malloc()' and will be stored in the appropriate datum.
*Returns:* `GNUTLS_E_SUCCESS' on success, otherwise a negative
error code.
*Since:* 2.4.0
gnutls_openpgp_privkey_get_fingerprint
--------------------------------------
-- Function: int gnutls_openpgp_privkey_get_fingerprint
(gnutls_openpgp_privkey_t KEY, void * FPR, size_t * FPRLEN)
KEY: the raw data that contains the OpenPGP secret key.
FPR: the buffer to save the fingerprint, must hold at least 20
bytes.
FPRLEN: the integer to save the length of the fingerprint.
Get the fingerprint of the OpenPGP key. Depends on the algorithm,
the fingerprint can be 16 or 20 bytes.
*Returns:* On success, 0 is returned, or an error code.
*Since:* 2.4.0
gnutls_openpgp_privkey_get_key_id
---------------------------------
-- Function: int gnutls_openpgp_privkey_get_key_id
(gnutls_openpgp_privkey_t KEY, gnutls_openpgp_keyid_t KEYID)
KEY: the structure that contains the OpenPGP secret key.
KEYID: the buffer to save the keyid.
Get key-id.
*Returns:* the 64-bit keyID of the OpenPGP key.
*Since:* 2.4.0
gnutls_openpgp_privkey_get_pk_algorithm
---------------------------------------
-- Function: gnutls_pk_algorithm_t
gnutls_openpgp_privkey_get_pk_algorithm (gnutls_openpgp_privkey_t KEY,
unsigned int * BITS)
KEY: is an OpenPGP key
BITS: if bits is non null it will hold the size of the parameters'
in bits
This function will return the public key algorithm of an OpenPGP
certificate.
If bits is non null, it should have enough size to hold the
parameters size in bits. For RSA the bits returned is the modulus.
For DSA the bits returned are of the public exponent.
*Returns:* a member of the `gnutls_pk_algorithm_t' enumeration on
success, or a negative error code on error.
*Since:* 2.4.0
gnutls_openpgp_privkey_get_preferred_key_id
-------------------------------------------
-- Function: int gnutls_openpgp_privkey_get_preferred_key_id
(gnutls_openpgp_privkey_t KEY, gnutls_openpgp_keyid_t KEYID)
KEY: the structure that contains the OpenPGP public key.
KEYID: the struct to save the keyid.
Get the preferred key-id for the key.
*Returns:* the 64-bit preferred keyID of the OpenPGP key, or if it
hasn't been set it returns `GNUTLS_E_INVALID_REQUEST' .
gnutls_openpgp_privkey_get_revoked_status
-----------------------------------------
-- Function: int gnutls_openpgp_privkey_get_revoked_status
(gnutls_openpgp_privkey_t KEY)
KEY: the structure that contains the OpenPGP private key.
Get revocation status of key.
*Returns:* true (1) if the key has been revoked, or false (0) if it
has not, or a negative error code indicates an error.
*Since:* 2.4.0
gnutls_openpgp_privkey_get_subkey_count
---------------------------------------
-- Function: int gnutls_openpgp_privkey_get_subkey_count
(gnutls_openpgp_privkey_t KEY)
KEY: is an OpenPGP key
This function will return the number of subkeys present in the
given OpenPGP certificate.
*Returns:* the number of subkeys, or a negative error code on
error.
*Since:* 2.4.0
gnutls_openpgp_privkey_get_subkey_creation_time
-----------------------------------------------
-- Function: time_t gnutls_openpgp_privkey_get_subkey_creation_time
(gnutls_openpgp_privkey_t KEY, unsigned int IDX)
KEY: the structure that contains the OpenPGP private key.
IDX: the subkey index
Get subkey creation time.
*Returns:* the timestamp when the OpenPGP key was created.
*Since:* 2.4.0
gnutls_openpgp_privkey_get_subkey_fingerprint
---------------------------------------------
-- Function: int gnutls_openpgp_privkey_get_subkey_fingerprint
(gnutls_openpgp_privkey_t KEY, unsigned int IDX, void * FPR,
size_t * FPRLEN)
KEY: the raw data that contains the OpenPGP secret key.
IDX: the subkey index
FPR: the buffer to save the fingerprint, must hold at least 20
bytes.
FPRLEN: the integer to save the length of the fingerprint.
Get the fingerprint of an OpenPGP subkey. Depends on the
algorithm, the fingerprint can be 16 or 20 bytes.
*Returns:* On success, 0 is returned, or an error code.
*Since:* 2.4.0
gnutls_openpgp_privkey_get_subkey_id
------------------------------------
-- Function: int gnutls_openpgp_privkey_get_subkey_id
(gnutls_openpgp_privkey_t KEY, unsigned int IDX,
gnutls_openpgp_keyid_t KEYID)
KEY: the structure that contains the OpenPGP secret key.
IDX: the subkey index
KEYID: the buffer to save the keyid.
Get the key-id for the subkey.
*Returns:* the 64-bit keyID of the OpenPGP key.
*Since:* 2.4.0
gnutls_openpgp_privkey_get_subkey_idx
-------------------------------------
-- Function: int gnutls_openpgp_privkey_get_subkey_idx
(gnutls_openpgp_privkey_t KEY, const gnutls_openpgp_keyid_t
KEYID)
KEY: the structure that contains the OpenPGP private key.
KEYID: the keyid.
Get index of subkey.
*Returns:* the index of the subkey or a negative error value.
*Since:* 2.4.0
gnutls_openpgp_privkey_get_subkey_pk_algorithm
----------------------------------------------
-- Function: gnutls_pk_algorithm_t
gnutls_openpgp_privkey_get_subkey_pk_algorithm
(gnutls_openpgp_privkey_t KEY, unsigned int IDX, unsigned int
* BITS)
KEY: is an OpenPGP key
IDX: is the subkey index
BITS: if bits is non null it will hold the size of the parameters'
in bits
This function will return the public key algorithm of a subkey of
an OpenPGP certificate.
If bits is non null, it should have enough size to hold the
parameters size in bits. For RSA the bits returned is the modulus.
For DSA the bits returned are of the public exponent.
*Returns:* a member of the `gnutls_pk_algorithm_t' enumeration on
success, or a negative error code on error.
*Since:* 2.4.0
gnutls_openpgp_privkey_get_subkey_revoked_status
------------------------------------------------
-- Function: int gnutls_openpgp_privkey_get_subkey_revoked_status
(gnutls_openpgp_privkey_t KEY, unsigned int IDX)
KEY: the structure that contains the OpenPGP private key.
IDX: is the subkey index
Get revocation status of key.
*Returns:* true (1) if the key has been revoked, or false (0) if it
has not, or a negative error code indicates an error.
*Since:* 2.4.0
gnutls_openpgp_privkey_import
-----------------------------
-- Function: int gnutls_openpgp_privkey_import
(gnutls_openpgp_privkey_t KEY, const gnutls_datum_t * DATA,
gnutls_openpgp_crt_fmt_t FORMAT, const char * PASSWORD,
unsigned int FLAGS)
KEY: The structure to store the parsed key.
DATA: The RAW or BASE64 encoded key.
FORMAT: One of `gnutls_openpgp_crt_fmt_t' elements.
PASSWORD: not used for now
FLAGS: should be (0)
This function will convert the given RAW or Base64 encoded key to
the native gnutls_openpgp_privkey_t format. The output will be
stored in 'key'.
*Returns:* `GNUTLS_E_SUCCESS' on success, or an error code.
gnutls_openpgp_privkey_init
---------------------------
-- Function: int gnutls_openpgp_privkey_init (gnutls_openpgp_privkey_t
* KEY)
KEY: The structure to be initialized
This function will initialize an OpenPGP key structure.
*Returns:* `GNUTLS_E_SUCCESS' on success, or an error code.
gnutls_openpgp_privkey_sec_param
--------------------------------
-- Function: gnutls_sec_param_t gnutls_openpgp_privkey_sec_param
(gnutls_openpgp_privkey_t KEY)
KEY: a key structure
This function will return the security parameter appropriate with
this private key.
*Returns:* On success, a valid security parameter is returned
otherwise `GNUTLS_SEC_PARAM_UNKNOWN' is returned.
*Since:* 2.12.0
gnutls_openpgp_privkey_set_preferred_key_id
-------------------------------------------
-- Function: int gnutls_openpgp_privkey_set_preferred_key_id
(gnutls_openpgp_privkey_t KEY, const gnutls_openpgp_keyid_t
KEYID)
KEY: the structure that contains the OpenPGP public key.
KEYID: the selected keyid
This allows setting a preferred key id for the given certificate.
This key will be used by functions that involve key handling.
If the provided `keyid' is `NULL' then the master key is set as
preferred.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error code is returned.
gnutls_openpgp_set_recv_key_function
------------------------------------
-- Function: void gnutls_openpgp_set_recv_key_function
(gnutls_session_t SESSION, gnutls_openpgp_recv_key_func FUNC)
SESSION: a TLS session
FUNC: the callback
This funtion will set a key retrieval function for OpenPGP keys.
This callback is only useful in server side, and will be used if
the peer sent a key fingerprint instead of a full key.
�
File: gnutls.info, Node: PKCS 12 API, Next: PKCS 11 API, Prev: OpenPGP API, Up: API reference
E.6 PKCS 12 API
===============
The following functions are to be used for PKCS 12 handling. Their
prototypes lie in `gnutls/pkcs12.h'.
gnutls_pkcs12_bag_decrypt
-------------------------
-- Function: int gnutls_pkcs12_bag_decrypt (gnutls_pkcs12_bag_t BAG,
const char * PASS)
BAG: The bag
PASS: The password used for encryption, must be ASCII.
This function will decrypt the given encrypted bag and return 0 on
success.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error code is returned.
gnutls_pkcs12_bag_deinit
------------------------
-- Function: void gnutls_pkcs12_bag_deinit (gnutls_pkcs12_bag_t BAG)
BAG: The structure to be initialized
This function will deinitialize a PKCS12 Bag structure.
gnutls_pkcs12_bag_encrypt
-------------------------
-- Function: int gnutls_pkcs12_bag_encrypt (gnutls_pkcs12_bag_t BAG,
const char * PASS, unsigned int FLAGS)
BAG: The bag
PASS: The password used for encryption, must be ASCII
FLAGS: should be one of `gnutls_pkcs_encrypt_flags_t' elements
bitwise or'd
This function will encrypt the given bag.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error code is returned.
gnutls_pkcs12_bag_get_count
---------------------------
-- Function: int gnutls_pkcs12_bag_get_count (gnutls_pkcs12_bag_t BAG)
BAG: The bag
This function will return the number of the elements withing the
bag.
*Returns:* Number of elements in bag, or an negative error code on
error.
gnutls_pkcs12_bag_get_data
--------------------------
-- Function: int gnutls_pkcs12_bag_get_data (gnutls_pkcs12_bag_t BAG,
int INDX, gnutls_datum_t * DATA)
BAG: The bag
INDX: The element of the bag to get the data from
DATA: where the bag's data will be. Should be treated as constant.
This function will return the bag's data. The data is a constant
that is stored into the bag. Should not be accessed after the bag
is deleted.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_pkcs12_bag_get_friendly_name
-----------------------------------
-- Function: int gnutls_pkcs12_bag_get_friendly_name
(gnutls_pkcs12_bag_t BAG, int INDX, char ** NAME)
BAG: The bag
INDX: The bag's element to add the id
NAME: will hold a pointer to the name (to be treated as const)
This function will return the friendly name, of the specified bag
element. The key ID is usually used to distinguish the local
private key and the certificate pair.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value. or a negative error code on
error.
gnutls_pkcs12_bag_get_key_id
----------------------------
-- Function: int gnutls_pkcs12_bag_get_key_id (gnutls_pkcs12_bag_t
BAG, int INDX, gnutls_datum_t * ID)
BAG: The bag
INDX: The bag's element to add the id
ID: where the ID will be copied (to be treated as const)
This function will return the key ID, of the specified bag element.
The key ID is usually used to distinguish the local private key and
the certificate pair.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value. or a negative error code on
error.
gnutls_pkcs12_bag_get_type
--------------------------
-- Function: gnutls_pkcs12_bag_type_t gnutls_pkcs12_bag_get_type
(gnutls_pkcs12_bag_t BAG, int INDX)
BAG: The bag
INDX: The element of the bag to get the type
This function will return the bag's type.
*Returns:* One of the `gnutls_pkcs12_bag_type_t' enumerations.
gnutls_pkcs12_bag_init
----------------------
-- Function: int gnutls_pkcs12_bag_init (gnutls_pkcs12_bag_t * BAG)
BAG: The structure to be initialized
This function will initialize a PKCS12 bag structure. PKCS12 Bags
usually contain private keys, lists of X.509 Certificates and X.509
Certificate revocation lists.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_pkcs12_bag_set_crl
-------------------------
-- Function: int gnutls_pkcs12_bag_set_crl (gnutls_pkcs12_bag_t BAG,
gnutls_x509_crl_t CRL)
BAG: The bag
CRL: the CRL to be copied.
This function will insert the given CRL into the bag. This is just
a wrapper over `gnutls_pkcs12_bag_set_data()' .
*Returns:* the index of the added bag on success, or a negative
error code on failure.
gnutls_pkcs12_bag_set_crt
-------------------------
-- Function: int gnutls_pkcs12_bag_set_crt (gnutls_pkcs12_bag_t BAG,
gnutls_x509_crt_t CRT)
BAG: The bag
CRT: the certificate to be copied.
This function will insert the given certificate into the bag. This
is just a wrapper over `gnutls_pkcs12_bag_set_data()' .
*Returns:* the index of the added bag on success, or a negative
value on failure.
gnutls_pkcs12_bag_set_data
--------------------------
-- Function: int gnutls_pkcs12_bag_set_data (gnutls_pkcs12_bag_t BAG,
gnutls_pkcs12_bag_type_t TYPE, const gnutls_datum_t * DATA)
BAG: The bag
TYPE: The data's type
DATA: the data to be copied.
This function will insert the given data of the given type into
the bag.
*Returns:* the index of the added bag on success, or a negative
value on error.
gnutls_pkcs12_bag_set_friendly_name
-----------------------------------
-- Function: int gnutls_pkcs12_bag_set_friendly_name
(gnutls_pkcs12_bag_t BAG, int INDX, const char * NAME)
BAG: The bag
INDX: The bag's element to add the id
NAME: the name
This function will add the given key friendly name, to the
specified, by the index, bag element. The name will be encoded as
a 'Friendly name' bag attribute, which is usually used to set a
user name to the local private key and the certificate pair.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value. or a negative error code on
error.
gnutls_pkcs12_bag_set_key_id
----------------------------
-- Function: int gnutls_pkcs12_bag_set_key_id (gnutls_pkcs12_bag_t
BAG, int INDX, const gnutls_datum_t * ID)
BAG: The bag
INDX: The bag's element to add the id
ID: the ID
This function will add the given key ID, to the specified, by the
index, bag element. The key ID will be encoded as a 'Local key
identifier' bag attribute, which is usually used to distinguish
the local private key and the certificate pair.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value. or a negative error code on
error.
gnutls_pkcs12_deinit
--------------------
-- Function: void gnutls_pkcs12_deinit (gnutls_pkcs12_t PKCS12)
PKCS12: The structure to be initialized
This function will deinitialize a PKCS12 structure.
gnutls_pkcs12_export
--------------------
-- Function: int gnutls_pkcs12_export (gnutls_pkcs12_t PKCS12,
gnutls_x509_crt_fmt_t FORMAT, void * OUTPUT_DATA, size_t *
OUTPUT_DATA_SIZE)
PKCS12: Holds the pkcs12 structure
FORMAT: the format of output params. One of PEM or DER.
OUTPUT_DATA: will contain a structure PEM or DER encoded
OUTPUT_DATA_SIZE: holds the size of output_data (and will be
replaced by the actual size of parameters)
This function will export the pkcs12 structure to DER or PEM
format.
If the buffer provided is not long enough to hold the output, then
*output_data_size will be updated and GNUTLS_E_SHORT_MEMORY_BUFFER
will be returned.
If the structure is PEM encoded, it will have a header of "BEGIN
PKCS12".
*Returns:* In case of failure a negative error code will be
returned, and 0 on success.
gnutls_pkcs12_export2
---------------------
-- Function: int gnutls_pkcs12_export2 (gnutls_pkcs12_t PKCS12,
gnutls_x509_crt_fmt_t FORMAT, gnutls_datum_t * OUT)
PKCS12: Holds the pkcs12 structure
FORMAT: the format of output params. One of PEM or DER.
OUT: will contain a structure PEM or DER encoded
This function will export the pkcs12 structure to DER or PEM
format.
The output buffer is allocated using `gnutls_malloc()' .
If the structure is PEM encoded, it will have a header of "BEGIN
PKCS12".
*Returns:* In case of failure a negative error code will be
returned, and 0 on success.
*Since:* 3.1
gnutls_pkcs12_generate_mac
--------------------------
-- Function: int gnutls_pkcs12_generate_mac (gnutls_pkcs12_t PKCS12,
const char * PASS)
PKCS12: should contain a gnutls_pkcs12_t structure
PASS: The password for the MAC
This function will generate a MAC for the PKCS12 structure.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_pkcs12_get_bag
---------------------
-- Function: int gnutls_pkcs12_get_bag (gnutls_pkcs12_t PKCS12, int
INDX, gnutls_pkcs12_bag_t BAG)
PKCS12: should contain a gnutls_pkcs12_t structure
INDX: contains the index of the bag to extract
BAG: An initialized bag, where the contents of the bag will be
copied
This function will return a Bag from the PKCS12 structure.
After the last Bag has been read
`GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE' will be returned.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_pkcs12_import
--------------------
-- Function: int gnutls_pkcs12_import (gnutls_pkcs12_t PKCS12, const
gnutls_datum_t * DATA, gnutls_x509_crt_fmt_t FORMAT, unsigned
int FLAGS)
PKCS12: The structure to store the parsed PKCS12.
DATA: The DER or PEM encoded PKCS12.
FORMAT: One of DER or PEM
FLAGS: an ORed sequence of gnutls_privkey_pkcs8_flags
This function will convert the given DER or PEM encoded PKCS12 to
the native gnutls_pkcs12_t format. The output will be stored in
'pkcs12'.
If the PKCS12 is PEM encoded it should have a header of "PKCS12".
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_pkcs12_init
------------------
-- Function: int gnutls_pkcs12_init (gnutls_pkcs12_t * PKCS12)
PKCS12: The structure to be initialized
This function will initialize a PKCS12 structure. PKCS12 structures
usually contain lists of X.509 Certificates and X.509 Certificate
revocation lists.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_pkcs12_set_bag
---------------------
-- Function: int gnutls_pkcs12_set_bag (gnutls_pkcs12_t PKCS12,
gnutls_pkcs12_bag_t BAG)
PKCS12: should contain a gnutls_pkcs12_t structure
BAG: An initialized bag
This function will insert a Bag into the PKCS12 structure.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_pkcs12_simple_parse
--------------------------
-- Function: int gnutls_pkcs12_simple_parse (gnutls_pkcs12_t P12,
const char * PASSWORD, gnutls_x509_privkey_t * KEY,
gnutls_x509_crt_t ** CHAIN, unsigned int * CHAIN_LEN,
gnutls_x509_crt_t ** EXTRA_CERTS, unsigned int *
EXTRA_CERTS_LEN, gnutls_x509_crl_t * CRL, unsigned int FLAGS)
P12: the PKCS`12' blob.
PASSWORD: optional password used to decrypt PKCS`12' blob, bags
and keys.
KEY: a structure to store the parsed private key.
CHAIN: the corresponding to key certificate chain
CHAIN_LEN: will be updated with the number of additional
EXTRA_CERTS: optional pointer to receive an array of additional
certificates found in the PKCS`12' blob.
EXTRA_CERTS_LEN: will be updated with the number of additional
certs.
CRL: an optional structure to store the parsed CRL.
FLAGS: should be zero or one of GNUTLS_PKCS12_SP_*
This function parses a PKCS`12' blob in `p12blob' and extracts
the private key, the corresponding certificate chain, and any
additional certificates and a CRL.
The `extra_certs_ret' and `extra_certs_ret_len' parameters are
optional and both may be set to `NULL' . If either is non-`NULL' ,
then both must be.
Encrypted PKCS`12' bags and PKCS`8' private keys are supported.
However, only password based security, and the same password for
all operations, are supported.
PKCS`12' file may contain many keys and/or certificates, and there
is no way to identify which key/certificate pair you want. You
should make sure the PKCS`12' file only contain one
key/certificate pair and/or one CRL.
It is believed that the limitations of this function is acceptable
for most usage, and that any more flexibility would introduce
complexity that would make it harder to use this functionality at
all.
If the provided structure has encrypted fields but no password is
provided then this function returns `GNUTLS_E_DECRYPTION_FAILED' .
Note that normally the chain constructed does not include self
signed certificates, to comply with TLS' requirements. If,
however, the flag `GNUTLS_PKCS12_SP_INCLUDE_SELF_SIGNED' is
specified then self signed certificates will be included in the
chain.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
*Since:* 3.1
gnutls_pkcs12_verify_mac
------------------------
-- Function: int gnutls_pkcs12_verify_mac (gnutls_pkcs12_t PKCS12,
const char * PASS)
PKCS12: should contain a gnutls_pkcs12_t structure
PASS: The password for the MAC
This function will verify the MAC for the PKCS12 structure.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
�
File: gnutls.info, Node: PKCS 11 API, Next: TPM API, Prev: PKCS 12 API, Up: API reference
E.7 Hardware token via PKCS 11 API
==================================
The following functions are to be used for PKCS 11 handling. Their
prototypes lie in `gnutls/pkcs11.h'.
gnutls_pkcs11_add_provider
--------------------------
-- Function: int gnutls_pkcs11_add_provider (const char * NAME, const
char * PARAMS)
NAME: The filename of the module
PARAMS: should be NULL
This function will load and add a PKCS 11 module to the module
list used in gnutls. After this function is called the module will
be used for PKCS 11 operations.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
*Since:* 2.12.0
gnutls_pkcs11_copy_secret_key
-----------------------------
-- Function: int gnutls_pkcs11_copy_secret_key (const char *
TOKEN_URL, gnutls_datum_t * KEY, const char * LABEL, unsigned
int KEY_USAGE, unsigned int FLAGS)
TOKEN_URL: A PKCS `11' URL specifying a token
KEY: The raw key
LABEL: A name to be used for the stored data
KEY_USAGE: One of GNUTLS_KEY_*
FLAGS: One of GNUTLS_PKCS11_OBJ_FLAG_*
This function will copy a raw secret (symmetric) key into a PKCS
`11' token specified by a URL. The key can be marked as sensitive
or not.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
*Since:* 2.12.0
gnutls_pkcs11_copy_x509_crt
---------------------------
-- Function: int gnutls_pkcs11_copy_x509_crt (const char * TOKEN_URL,
gnutls_x509_crt_t CRT, const char * LABEL, unsigned int FLAGS)
TOKEN_URL: A PKCS `11' URL specifying a token
CRT: A certificate
LABEL: A name to be used for the stored data
FLAGS: One of GNUTLS_PKCS11_OBJ_FLAG_*
This function will copy a certificate into a PKCS `11' token
specified by a URL. The certificate can be marked as trusted or
not.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
*Since:* 2.12.0
gnutls_pkcs11_copy_x509_privkey
-------------------------------
-- Function: int gnutls_pkcs11_copy_x509_privkey (const char *
TOKEN_URL, gnutls_x509_privkey_t KEY, const char * LABEL,
unsigned int KEY_USAGE, unsigned int FLAGS)
TOKEN_URL: A PKCS `11' URL specifying a token
KEY: A private key
LABEL: A name to be used for the stored data
KEY_USAGE: One of GNUTLS_KEY_*
FLAGS: One of GNUTLS_PKCS11_OBJ_* flags
This function will copy a private key into a PKCS `11' token
specified by a URL. It is highly recommended flags to contain
`GNUTLS_PKCS11_OBJ_FLAG_MARK_SENSITIVE' unless there is a strong
reason not to.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
*Since:* 2.12.0
gnutls_pkcs11_deinit
--------------------
-- Function: void gnutls_pkcs11_deinit ( VOID)
This function will deinitialize the PKCS 11 subsystem in gnutls.
*Since:* 2.12.0
gnutls_pkcs11_delete_url
------------------------
-- Function: int gnutls_pkcs11_delete_url (const char * OBJECT_URL,
unsigned int FLAGS)
OBJECT_URL: The URL of the object to delete.
FLAGS: One of GNUTLS_PKCS11_OBJ_* flags
This function will delete objects matching the given URL. Note
that not all tokens support the delete operation.
*Returns:* On success, the number of objects deleted is returned,
otherwise a negative error value.
*Since:* 2.12.0
gnutls_pkcs11_get_pin_function
------------------------------
-- Function: gnutls_pin_callback_t gnutls_pkcs11_get_pin_function
(void ** USERDATA)
USERDATA: data to be supplied to callback
This function will return the callback function set using
`gnutls_pkcs11_set_pin_function()' .
*Returns:* The function set or NULL otherwise.
*Since:* 3.1.0
gnutls_pkcs11_init
------------------
-- Function: int gnutls_pkcs11_init (unsigned int FLAGS, const char *
DEPRECATED_CONFIG_FILE)
FLAGS: `GNUTLS_PKCS11_FLAG_MANUAL' or `GNUTLS_PKCS11_FLAG_AUTO'
DEPRECATED_CONFIG_FILE: either NULL or the location of a deprecated
configuration file
This function will initialize the PKCS 11 subsystem in gnutls. It
will read configuration files if `GNUTLS_PKCS11_FLAG_AUTO' is
used or allow you to independently load PKCS 11 modules using
`gnutls_pkcs11_add_provider()' if `GNUTLS_PKCS11_FLAG_MANUAL' is
specified.
Normally you don't need to call this function since it is being
called by `gnutls_global_init()' using the
`GNUTLS_PKCS11_FLAG_AUTO' . If other option is required then it
must be called before it.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
*Since:* 2.12.0
gnutls_pkcs11_obj_deinit
------------------------
-- Function: void gnutls_pkcs11_obj_deinit (gnutls_pkcs11_obj_t OBJ)
OBJ: The structure to be initialized
This function will deinitialize a certificate structure.
*Since:* 2.12.0
gnutls_pkcs11_obj_export
------------------------
-- Function: int gnutls_pkcs11_obj_export (gnutls_pkcs11_obj_t OBJ,
void * OUTPUT_DATA, size_t * OUTPUT_DATA_SIZE)
OBJ: Holds the object
OUTPUT_DATA: will contain a certificate PEM or DER encoded
OUTPUT_DATA_SIZE: holds the size of output_data (and will be
replaced by the actual size of parameters)
This function will export the PKCS11 object data. It is normal for
data to be inaccesible and in that case `GNUTLS_E_INVALID_REQUEST'
will be returned.
If the buffer provided is not long enough to hold the output, then
*output_data_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will
be returned.
If the structure is PEM encoded, it will have a header of "BEGIN
CERTIFICATE".
*Returns:* In case of failure a negative error code will be
returned, and `GNUTLS_E_SUCCESS' (0) on success.
*Since:* 2.12.0
gnutls_pkcs11_obj_export2
-------------------------
-- Function: int gnutls_pkcs11_obj_export2 (gnutls_pkcs11_obj_t OBJ,
gnutls_datum_t * OUT)
OBJ: Holds the object
OUT: will contain a certificate PEM or DER encoded
This function will export the PKCS11 object data. It is normal for
data to be inaccesible and in that case `GNUTLS_E_INVALID_REQUEST'
will be returned.
The output buffer is allocated using `gnutls_malloc()' .
If the structure is PEM encoded, it will have a header of "BEGIN
CERTIFICATE".
*Returns:* In case of failure a negative error code will be
returned, and `GNUTLS_E_SUCCESS' (0) on success.
*Since:* 3.1
gnutls_pkcs11_obj_export_url
----------------------------
-- Function: int gnutls_pkcs11_obj_export_url (gnutls_pkcs11_obj_t
OBJ, gnutls_pkcs11_url_type_t DETAILED, char ** URL)
OBJ: Holds the PKCS 11 certificate
DETAILED: non zero if a detailed URL is required
URL: will contain an allocated url
This function will export a URL identifying the given certificate.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
*Since:* 2.12.0
gnutls_pkcs11_obj_get_info
--------------------------
-- Function: int gnutls_pkcs11_obj_get_info (gnutls_pkcs11_obj_t CRT,
gnutls_pkcs11_obj_info_t ITYPE, void * OUTPUT, size_t *
OUTPUT_SIZE)
CRT: should contain a `gnutls_pkcs11_obj_t' structure
ITYPE: Denotes the type of information requested
OUTPUT: where output will be stored
OUTPUT_SIZE: contains the maximum size of the output and will be
overwritten with actual
This function will return information about the PKCS11 certificate
such as the label, id as well as token information where the key is
stored. When output is text it returns null terminated string
although `output_size' contains the size of the actual data only.
*Returns:* `GNUTLS_E_SUCCESS' (0) on success or a negative error
code on error.
*Since:* 2.12.0
gnutls_pkcs11_obj_get_type
--------------------------
-- Function: gnutls_pkcs11_obj_type_t gnutls_pkcs11_obj_get_type
(gnutls_pkcs11_obj_t OBJ)
OBJ: Holds the PKCS 11 object
This function will return the type of the certificate being stored
in the structure.
*Returns:* The type of the certificate.
*Since:* 2.12.0
gnutls_pkcs11_obj_import_url
----------------------------
-- Function: int gnutls_pkcs11_obj_import_url (gnutls_pkcs11_obj_t
OBJ, const char * URL, unsigned int FLAGS)
OBJ: The structure to store the object
URL: a PKCS 11 url identifying the key
FLAGS: One of GNUTLS_PKCS11_OBJ_* flags
This function will "import" a PKCS 11 URL identifying an object
(e.g. certificate) to the `gnutls_pkcs11_obj_t' structure. This
does not involve any parsing (such as X.509 or OpenPGP) since the
`gnutls_pkcs11_obj_t' is format agnostic. Only data are
transferred.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
*Since:* 2.12.0
gnutls_pkcs11_obj_init
----------------------
-- Function: int gnutls_pkcs11_obj_init (gnutls_pkcs11_obj_t * OBJ)
OBJ: The structure to be initialized
This function will initialize a pkcs11 certificate structure.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
*Since:* 2.12.0
gnutls_pkcs11_obj_list_import_url
---------------------------------
-- Function: int gnutls_pkcs11_obj_list_import_url
(gnutls_pkcs11_obj_t * P_LIST, unsigned int * N_LIST, const
char * URL, gnutls_pkcs11_obj_attr_t ATTRS, unsigned int
FLAGS)
P_LIST: An uninitialized object list (may be NULL)
N_LIST: initially should hold the maximum size of the list. Will
contain the actual size.
URL: A PKCS 11 url identifying a set of objects
ATTRS: Attributes of type `gnutls_pkcs11_obj_attr_t' that can be
used to limit output
FLAGS: One of GNUTLS_PKCS11_OBJ_* flags
This function will initialize and set values to an object list by
using all objects identified by a PKCS 11 URL.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
*Since:* 2.12.0
gnutls_pkcs11_obj_list_import_url2
----------------------------------
-- Function: int gnutls_pkcs11_obj_list_import_url2
(gnutls_pkcs11_obj_t ** P_LIST, unsigned int * N_LIST, const
char * URL, gnutls_pkcs11_obj_attr_t ATTRS, unsigned int
FLAGS)
P_LIST: An uninitialized object list (may be NULL)
N_LIST: It will contain the size of the list.
URL: A PKCS 11 url identifying a set of objects
ATTRS: Attributes of type `gnutls_pkcs11_obj_attr_t' that can be
used to limit output
FLAGS: One of GNUTLS_PKCS11_OBJ_* flags
This function will initialize and set values to an object list by
using all objects identified by the PKCS 11 URL. The output is
stored in `p_list' , which will be initialized.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
*Since:* 3.1.0
gnutls_pkcs11_obj_set_pin_function
----------------------------------
-- Function: void gnutls_pkcs11_obj_set_pin_function
(gnutls_pkcs11_obj_t OBJ, gnutls_pin_callback_t FN, void *
USERDATA)
OBJ: The object structure
FN: the callback
USERDATA: data associated with the callback
This function will set a callback function to be used when
required to access the object. This function overrides the global
set using `gnutls_pkcs11_set_pin_function()' .
*Since:* 3.1.0
gnutls_pkcs11_privkey_deinit
----------------------------
-- Function: void gnutls_pkcs11_privkey_deinit
(gnutls_pkcs11_privkey_t KEY)
KEY: The structure to be initialized
This function will deinitialize a private key structure.
gnutls_pkcs11_privkey_export_url
--------------------------------
-- Function: int gnutls_pkcs11_privkey_export_url
(gnutls_pkcs11_privkey_t KEY, gnutls_pkcs11_url_type_t
DETAILED, char ** URL)
KEY: Holds the PKCS 11 key
DETAILED: non zero if a detailed URL is required
URL: will contain an allocated url
This function will export a URL identifying the given key.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_pkcs11_privkey_generate
------------------------------
-- Function: int gnutls_pkcs11_privkey_generate (const char* URL,
gnutls_pk_algorithm_t PK, unsigned int BITS, const char*
LABEL, unsigned int FLAGS)
URL: a token URL
PK: the public key algorithm
BITS: the security bits
LABEL: a label
FLAGS: should be zero
This function will generate a private key in the specified by the
`url' token. The private key will be generate within the token and
will not be exportable.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
*Since:* 3.0
gnutls_pkcs11_privkey_generate2
-------------------------------
-- Function: int gnutls_pkcs11_privkey_generate2 (const char* URL,
gnutls_pk_algorithm_t PK, unsigned int BITS, const char*
LABEL, gnutls_x509_crt_fmt_t FMT, gnutls_datum_t * PUBKEY,
unsigned int FLAGS)
URL: a token URL
PK: the public key algorithm
BITS: the security bits
LABEL: a label
FMT: the format of output params. PEM or DER.
PUBKEY: will hold the public key (may be `NULL' )
FLAGS: should be zero
This function will generate a private key in the specified by the
`url' token. The private key will be generate within the token and
will not be exportable. This function will store the DER-encoded
public key in the SubjectPublicKeyInfo format in `pubkey' . The
`pubkey' should be deinitialized using `gnutls_free()' .
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
*Since:* 3.1
gnutls_pkcs11_privkey_get_info
------------------------------
-- Function: int gnutls_pkcs11_privkey_get_info
(gnutls_pkcs11_privkey_t PKEY, gnutls_pkcs11_obj_info_t
ITYPE, void * OUTPUT, size_t * OUTPUT_SIZE)
PKEY: should contain a `gnutls_pkcs11_privkey_t' structure
ITYPE: Denotes the type of information requested
OUTPUT: where output will be stored
OUTPUT_SIZE: contains the maximum size of the output and will be
overwritten with actual
This function will return information about the PKCS 11 private
key such as the label, id as well as token information where the
key is stored. When output is text it returns null terminated
string although `output_size' contains the size of the actual
data only.
*Returns:* `GNUTLS_E_SUCCESS' (0) on success or a negative error
code on error.
gnutls_pkcs11_privkey_get_pk_algorithm
--------------------------------------
-- Function: int gnutls_pkcs11_privkey_get_pk_algorithm
(gnutls_pkcs11_privkey_t KEY, unsigned int * BITS)
KEY: should contain a `gnutls_pkcs11_privkey_t' structure
BITS: if bits is non null it will hold the size of the parameters'
in bits
This function will return the public key algorithm of a private
key.
*Returns:* a member of the `gnutls_pk_algorithm_t' enumeration on
success, or a negative error code on error.
gnutls_pkcs11_privkey_import_url
--------------------------------
-- Function: int gnutls_pkcs11_privkey_import_url
(gnutls_pkcs11_privkey_t PKEY, const char * URL, unsigned int
FLAGS)
PKEY: The structure to store the parsed key
URL: a PKCS 11 url identifying the key
FLAGS: sequence of GNUTLS_PKCS_PRIVKEY_*
This function will "import" a PKCS 11 URL identifying a private
key to the `gnutls_pkcs11_privkey_t' structure. In reality since
in most cases keys cannot be exported, the private key structure
is being associated with the available operations on the token.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_pkcs11_privkey_init
--------------------------
-- Function: int gnutls_pkcs11_privkey_init (gnutls_pkcs11_privkey_t *
KEY)
KEY: The structure to be initialized
This function will initialize an private key structure.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_pkcs11_privkey_set_pin_function
--------------------------------------
-- Function: void gnutls_pkcs11_privkey_set_pin_function
(gnutls_pkcs11_privkey_t KEY, gnutls_pin_callback_t FN, void
* USERDATA)
KEY: The private key
FN: the callback
USERDATA: data associated with the callback
This function will set a callback function to be used when
required to access the object. This function overrides the global
set using `gnutls_pkcs11_set_pin_function()' .
*Since:* 3.1.0
gnutls_pkcs11_reinit
--------------------
-- Function: int gnutls_pkcs11_reinit ( VOID)
This function will reinitialize the PKCS 11 subsystem in gnutls.
This is required by PKCS 11 when an application uses `fork()' . The
reinitialization function must be called on the child.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
*Since:* 3.0
gnutls_pkcs11_set_pin_function
------------------------------
-- Function: void gnutls_pkcs11_set_pin_function
(gnutls_pin_callback_t FN, void * USERDATA)
FN: The PIN callback, a `gnutls_pin_callback_t()' function.
USERDATA: data to be supplied to callback
This function will set a callback function to be used when a PIN is
required for PKCS 11 operations. See `gnutls_pin_callback_t()'
on how the callback should behave.
*Since:* 2.12.0
gnutls_pkcs11_set_token_function
--------------------------------
-- Function: void gnutls_pkcs11_set_token_function
(gnutls_pkcs11_token_callback_t FN, void * USERDATA)
FN: The token callback
USERDATA: data to be supplied to callback
This function will set a callback function to be used when a token
needs to be inserted to continue PKCS 11 operations.
*Since:* 2.12.0
gnutls_pkcs11_token_get_flags
-----------------------------
-- Function: int gnutls_pkcs11_token_get_flags (const char * URL,
unsigned int * FLAGS)
URL: should contain a PKCS 11 URL
FLAGS: The output flags (GNUTLS_PKCS11_TOKEN_*)
This function will return information about the PKCS 11 token
flags. The flags from the `gnutls_pkcs11_token_info_t'
enumeration.
*Returns:* `GNUTLS_E_SUCCESS' (0) on success or a negative error
code on error.
*Since:* 2.12.0
gnutls_pkcs11_token_get_info
----------------------------
-- Function: int gnutls_pkcs11_token_get_info (const char * URL,
gnutls_pkcs11_token_info_t TTYPE, void * OUTPUT, size_t *
OUTPUT_SIZE)
URL: should contain a PKCS 11 URL
TTYPE: Denotes the type of information requested
OUTPUT: where output will be stored
OUTPUT_SIZE: contains the maximum size of the output and will be
overwritten with actual
This function will return information about the PKCS 11 token such
as the label, id, etc.
*Returns:* `GNUTLS_E_SUCCESS' (0) on success or a negative error
code on error.
*Since:* 2.12.0
gnutls_pkcs11_token_get_mechanism
---------------------------------
-- Function: int gnutls_pkcs11_token_get_mechanism (const char * URL,
unsigned int IDX, unsigned long * MECHANISM)
URL: should contain a PKCS 11 URL
IDX: The index of the mechanism
MECHANISM: The PKCS `11' mechanism ID
This function will return the names of the supported mechanisms by
the token. It should be called with an increasing index until it
return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE.
*Returns:* `GNUTLS_E_SUCCESS' (0) on success or a negative error
code on error.
*Since:* 2.12.0
gnutls_pkcs11_token_get_url
---------------------------
-- Function: int gnutls_pkcs11_token_get_url (unsigned int SEQ,
gnutls_pkcs11_url_type_t DETAILED, char ** URL)
SEQ: sequence number starting from 0
DETAILED: non zero if a detailed URL is required
URL: will contain an allocated url
This function will return the URL for each token available in
system. The url has to be released using `gnutls_free()'
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
`GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE' if the sequence number
exceeds the available tokens, otherwise a negative error value.
*Since:* 2.12.0
gnutls_pkcs11_token_init
------------------------
-- Function: int gnutls_pkcs11_token_init (const char * TOKEN_URL,
const char * SO_PIN, const char * LABEL)
TOKEN_URL: A PKCS `11' URL specifying a token
SO_PIN: Security Officer's PIN
LABEL: A name to be used for the token
This function will initialize (format) a token. If the token is at
a factory defaults state the security officer's PIN given will be
set to be the default. Otherwise it should match the officer's PIN.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_pkcs11_token_set_pin
---------------------------
-- Function: int gnutls_pkcs11_token_set_pin (const char * TOKEN_URL,
const char * OLDPIN, const char * NEWPIN, unsigned int FLAGS)
TOKEN_URL: A PKCS `11' URL specifying a token
OLDPIN: old user's PIN
NEWPIN: new user's PIN
FLAGS: one of `gnutls_pin_flag_t' .
This function will modify or set a user's PIN for the given token.
If it is called to set a user pin for first time the oldpin must
be NULL.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_pkcs11_type_get_name
---------------------------
-- Function: const char * gnutls_pkcs11_type_get_name
(gnutls_pkcs11_obj_type_t TYPE)
TYPE: Holds the PKCS 11 object type, a `gnutls_pkcs11_obj_type_t' .
This function will return a human readable description of the
PKCS11 object type `obj' . It will return "Unknown" for unknown
types.
*Returns:* human readable string labeling the PKCS11 object type
`type' .
*Since:* 2.12.0
gnutls_x509_crt_import_pkcs11
-----------------------------
-- Function: int gnutls_x509_crt_import_pkcs11 (gnutls_x509_crt_t CRT,
gnutls_pkcs11_obj_t PKCS11_CRT)
CRT: A certificate of type `gnutls_x509_crt_t'
PKCS11_CRT: A PKCS 11 object that contains a certificate
This function will import a PKCS 11 certificate to a
`gnutls_x509_crt_t' structure.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
*Since:* 2.12.0
gnutls_x509_crt_import_pkcs11_url
---------------------------------
-- Function: int gnutls_x509_crt_import_pkcs11_url (gnutls_x509_crt_t
CRT, const char * URL, unsigned int FLAGS)
CRT: A certificate of type `gnutls_x509_crt_t'
URL: A PKCS 11 url
FLAGS: One of GNUTLS_PKCS11_OBJ_* flags
This function will import a PKCS 11 certificate directly from a
token without involving the `gnutls_pkcs11_obj_t' structure. This
function will fail if the certificate stored is not of X.509 type.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
*Since:* 2.12.0
gnutls_x509_crt_list_import_pkcs11
----------------------------------
-- Function: int gnutls_x509_crt_list_import_pkcs11 (gnutls_x509_crt_t
* CERTS, unsigned int CERT_MAX, gnutls_pkcs11_obj_t * const
OBJS, unsigned int FLAGS)
CERTS: A list of certificates of type `gnutls_x509_crt_t'
CERT_MAX: The maximum size of the list
OBJS: A list of PKCS 11 objects
FLAGS: 0 for now
This function will import a PKCS 11 certificate list to a list of
`gnutls_x509_crt_t' structure. These must not be initialized.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
*Since:* 2.12.0
�
File: gnutls.info, Node: TPM API, Next: Abstract key API, Prev: PKCS 11 API, Up: API reference
E.8 TPM API
===========
The following functions are to be used for TPM handling. Their
prototypes lie in `gnutls/tpm.h'.
gnutls_tpm_get_registered
-------------------------
-- Function: int gnutls_tpm_get_registered (gnutls_tpm_key_list_t *
LIST)
LIST: a list to store the keys
This function will get a list of stored keys in the TPM. The uuid
of those keys
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
*Since:* 3.1.0
gnutls_tpm_key_list_deinit
--------------------------
-- Function: void gnutls_tpm_key_list_deinit (gnutls_tpm_key_list_t
LIST)
LIST: a list of the keys
This function will deinitialize the list of stored keys in the TPM.
*Since:* 3.1.0
gnutls_tpm_key_list_get_url
---------------------------
-- Function: int gnutls_tpm_key_list_get_url (gnutls_tpm_key_list_t
LIST, unsigned int IDX, char** URL, unsigned int FLAGS)
LIST: a list of the keys
IDX: The index of the key (starting from zero)
URL: The URL to be returned
FLAGS: should be zero
This function will return for each given index a URL of the
corresponding key. If the provided index is out of bounds then
`GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE' is returned.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
*Since:* 3.1.0
gnutls_tpm_privkey_delete
-------------------------
-- Function: int gnutls_tpm_privkey_delete (const char* URL, const
char* SRK_PASSWORD)
URL: the URL describing the key
SRK_PASSWORD: a password for the SRK key
This function will unregister the private key from the TPM chip.
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
*Since:* 3.1.0
gnutls_tpm_privkey_generate
---------------------------
-- Function: int gnutls_tpm_privkey_generate (gnutls_pk_algorithm_t
PK, unsigned int BITS, const char* SRK_PASSWORD, const char*
KEY_PASSWORD, gnutls_tpmkey_fmt_t FORMAT,
gnutls_x509_crt_fmt_t PUB_FORMAT, gnutls_datum_t* PRIVKEY,
gnutls_datum_t* PUBKEY, unsigned int FLAGS)
PK: the public key algorithm
BITS: the security bits
SRK_PASSWORD: a password to protect the exported key (optional)
KEY_PASSWORD: the password for the TPM (optional)
FORMAT: the format of the private key
PUB_FORMAT: the format of the public key
PRIVKEY: the generated key
PUBKEY: the corresponding public key (may be null)
FLAGS: should be a list of GNUTLS_TPM_* flags
This function will generate a private key in the TPM chip. The
private key will be generated within the chip and will be exported
in a wrapped with TPM's master key form. Furthermore the wrapped
key can be protected with the provided `password' .
Note that bits in TPM is quantized value. If the input value is
not one of the allowed values, then it will be quantized to one of
512, 1024, 2048, 4096, 8192 and 16384.
Allowed flags are:
*Returns:* On success, `GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
*Since:* 3.1.0