/usr/include/gnutls/x509.h is in libgnutls28-dev 3.5.18-1ubuntu1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 660 661 662 663 664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 679 680 681 682 683 684 685 686 687 688 689 690 691 692 693 694 695 696 697 698 699 700 701 702 703 704 705 706 707 708 709 710 711 712 713 714 715 716 717 718 719 720 721 722 723 724 725 726 727 728 729 730 731 732 733 734 735 736 737 738 739 740 741 742 743 744 745 746 747 748 749 750 751 752 753 754 755 756 757 758 759 760 761 762 763 764 765 766 767 768 769 770 771 772 773 774 775 776 777 778 779 780 781 782 783 784 785 786 787 788 789 790 791 792 793 794 795 796 797 798 799 800 801 802 803 804 805 806 807 808 809 810 811 812 813 814 815 816 817 818 819 820 821 822 823 824 825 826 827 828 829 830 831 832 833 834 835 836 837 838 839 840 841 842 843 844 845 846 847 848 849 850 851 852 853 854 855 856 857 858 859 860 861 862 863 864 865 866 867 868 869 870 871 872 873 874 875 876 877 878 879 880 881 882 883 884 885 886 887 888 889 890 891 892 893 894 895 896 897 898 899 900 901 902 903 904 905 906 907 908 909 910 911 912 913 914 915 916 917 918 919 920 921 922 923 924 925 926 927 928 929 930 931 932 933 934 935 936 937 938 939 940 941 942 943 944 945 946 947 948 949 950 951 952 953 954 955 956 957 958 959 960 961 962 963 964 965 966 967 968 969 970 971 972 973 974 975 976 977 978 979 980 981 982 983 984 985 986 987 988 989 990 991 992 993 994 995 996 997 998 999 1000 1001 1002 1003 1004 1005 1006 1007 1008 1009 1010 1011 1012 1013 1014 1015 1016 1017 1018 1019 1020 1021 1022 1023 1024 1025 1026 1027 1028 1029 1030 1031 1032 1033 1034 1035 1036 1037 1038 1039 1040 1041 1042 1043 1044 1045 1046 1047 1048 1049 1050 1051 1052 1053 1054 1055 1056 1057 1058 1059 1060 1061 1062 1063 1064 1065 1066 1067 1068 1069 1070 1071 1072 1073 1074 1075 1076 1077 1078 1079 1080 1081 1082 1083 1084 1085 1086 1087 1088 1089 1090 1091 1092 1093 1094 1095 1096 1097 1098 1099 1100 1101 1102 1103 1104 1105 1106 1107 1108 1109 1110 1111 1112 1113 1114 1115 1116 1117 1118 1119 1120 1121 1122 1123 1124 1125 1126 1127 1128 1129 1130 1131 1132 1133 1134 1135 1136 1137 1138 1139 1140 1141 1142 1143 1144 1145 1146 1147 1148 1149 1150 1151 1152 1153 1154 1155 1156 1157 1158 1159 1160 1161 1162 1163 1164 1165 1166 1167 1168 1169 1170 1171 1172 1173 1174 1175 1176 1177 1178 1179 1180 1181 1182 1183 1184 1185 1186 1187 1188 1189 1190 1191 1192 1193 1194 1195 1196 1197 1198 1199 1200 1201 1202 1203 1204 1205 1206 1207 1208 1209 1210 1211 1212 1213 1214 1215 1216 1217 1218 1219 1220 1221 1222 1223 1224 1225 1226 1227 1228 1229 1230 1231 1232 1233 1234 1235 1236 1237 1238 1239 1240 1241 1242 1243 1244 1245 1246 1247 1248 1249 1250 1251 1252 1253 1254 1255 1256 1257 1258 1259 1260 1261 1262 1263 1264 1265 1266 1267 1268 1269 1270 1271 1272 1273 1274 1275 1276 1277 1278 1279 1280 1281 1282 1283 1284 1285 1286 1287 1288 1289 1290 1291 1292 1293 1294 1295 1296 1297 1298 1299 1300 1301 1302 1303 1304 1305 1306 1307 1308 1309 1310 1311 1312 1313 1314 1315 1316 1317 1318 1319 1320 1321 1322 1323 1324 1325 1326 1327 1328 1329 1330 1331 1332 1333 1334 1335 1336 1337 1338 1339 1340 1341 1342 1343 1344 1345 1346 1347 1348 1349 1350 1351 1352 1353 1354 1355 1356 1357 1358 1359 1360 1361 1362 1363 1364 1365 1366 1367 1368 1369 1370 1371 1372 1373 1374 1375 1376 1377 1378 1379 1380 1381 1382 1383 1384 1385 1386 1387 1388 1389 1390 1391 1392 1393 1394 1395 1396 1397 1398 1399 1400 1401 1402 1403 1404 1405 1406 1407 1408 1409 1410 1411 1412 1413 1414 1415 1416 1417 1418 1419 1420 1421 1422 1423 1424 1425 1426 1427 1428 1429 1430 1431 1432 1433 1434 1435 1436 1437 1438 1439 1440 1441 1442 1443 1444 1445 1446 1447 1448 1449 1450 1451 1452 1453 1454 1455 1456 1457 1458 1459 1460 1461 1462 1463 1464 1465 1466 1467 1468 1469 1470 1471 1472 1473 1474 1475 1476 1477 1478 1479 1480 1481 1482 1483 1484 1485 1486 1487 1488 1489 1490 1491 1492 1493 1494 1495 1496 1497 1498 1499 1500 1501 1502 1503 1504 1505 1506 1507 1508 1509 1510 1511 1512 1513 1514 1515 1516 1517 1518 1519 1520 1521 1522 1523 1524 1525 1526 1527 1528 1529 1530 1531 1532 1533 1534 1535 1536 1537 1538 1539 1540 1541 1542 1543 1544 1545 1546 1547 1548 1549 1550 1551 1552 1553 1554 1555 1556 1557 1558 1559 1560 1561 1562 1563 1564 1565 1566 1567 1568 1569 1570 1571 1572 1573 1574 1575 1576 1577 1578 1579 1580 1581 1582 1583 1584 1585 1586 1587 1588 1589 1590 1591 1592 1593 1594 1595 1596 1597 | /*
* Copyright (C) 2003-2016 Free Software Foundation, Inc.
* Copyright (C) 2015-2016 Red Hat, Inc.
*
* Author: Nikos Mavrogiannopoulos
*
* This file is part of GnuTLS.
*
* The GnuTLS is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public License
* as published by the Free Software Foundation; either version 2.1 of
* the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>
*
*/
/* This file contains the types and prototypes for the X.509
* certificate and CRL handling functions.
*/
#ifndef GNUTLS_X509_H
#define GNUTLS_X509_H
#include <gnutls/gnutls.h>
/* *INDENT-OFF* */
#ifdef __cplusplus
extern "C" {
#endif
/* *INDENT-ON* */
/* Some OIDs usually found in Distinguished names, or
* in Subject Directory Attribute extensions.
*/
#define GNUTLS_OID_X520_COUNTRY_NAME "2.5.4.6"
#define GNUTLS_OID_X520_ORGANIZATION_NAME "2.5.4.10"
#define GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME "2.5.4.11"
#define GNUTLS_OID_X520_COMMON_NAME "2.5.4.3"
#define GNUTLS_OID_X520_LOCALITY_NAME "2.5.4.7"
#define GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME "2.5.4.8"
#define GNUTLS_OID_X520_INITIALS "2.5.4.43"
#define GNUTLS_OID_X520_GENERATION_QUALIFIER "2.5.4.44"
#define GNUTLS_OID_X520_SURNAME "2.5.4.4"
#define GNUTLS_OID_X520_GIVEN_NAME "2.5.4.42"
#define GNUTLS_OID_X520_TITLE "2.5.4.12"
#define GNUTLS_OID_X520_DN_QUALIFIER "2.5.4.46"
#define GNUTLS_OID_X520_PSEUDONYM "2.5.4.65"
#define GNUTLS_OID_X520_POSTALCODE "2.5.4.17"
#define GNUTLS_OID_X520_NAME "2.5.4.41"
#define GNUTLS_OID_LDAP_DC "0.9.2342.19200300.100.1.25"
#define GNUTLS_OID_LDAP_UID "0.9.2342.19200300.100.1.1"
/* The following should not be included in DN.
*/
#define GNUTLS_OID_PKCS9_EMAIL "1.2.840.113549.1.9.1"
#define GNUTLS_OID_PKIX_DATE_OF_BIRTH "1.3.6.1.5.5.7.9.1"
#define GNUTLS_OID_PKIX_PLACE_OF_BIRTH "1.3.6.1.5.5.7.9.2"
#define GNUTLS_OID_PKIX_GENDER "1.3.6.1.5.5.7.9.3"
#define GNUTLS_OID_PKIX_COUNTRY_OF_CITIZENSHIP "1.3.6.1.5.5.7.9.4"
#define GNUTLS_OID_PKIX_COUNTRY_OF_RESIDENCE "1.3.6.1.5.5.7.9.5"
/* Key purpose Object Identifiers.
*/
#define GNUTLS_KP_TLS_WWW_SERVER "1.3.6.1.5.5.7.3.1"
#define GNUTLS_KP_TLS_WWW_CLIENT "1.3.6.1.5.5.7.3.2"
#define GNUTLS_KP_CODE_SIGNING "1.3.6.1.5.5.7.3.3"
#define GNUTLS_KP_MS_SMART_CARD_LOGON "1.3.6.1.4.1.311.20.2.2"
#define GNUTLS_KP_EMAIL_PROTECTION "1.3.6.1.5.5.7.3.4"
#define GNUTLS_KP_TIME_STAMPING "1.3.6.1.5.5.7.3.8"
#define GNUTLS_KP_OCSP_SIGNING "1.3.6.1.5.5.7.3.9"
#define GNUTLS_KP_IPSEC_IKE "1.3.6.1.5.5.7.3.17"
#define GNUTLS_KP_ANY "2.5.29.37.0"
#define GNUTLS_KP_FLAG_DISALLOW_ANY 1
#define GNUTLS_OID_AIA "1.3.6.1.5.5.7.1.1"
#define GNUTLS_OID_AD_OCSP "1.3.6.1.5.5.7.48.1"
#define GNUTLS_OID_AD_CAISSUERS "1.3.6.1.5.5.7.48.2"
#define GNUTLS_FSAN_SET 0
#define GNUTLS_FSAN_APPEND 1
#define GNUTLS_FSAN_ENCODE_OCTET_STRING (1<<1)
#define GNUTLS_FSAN_ENCODE_UTF8_STRING (1<<2)
#define GNUTLS_X509EXT_OID_SUBJECT_KEY_ID "2.5.29.14"
#define GNUTLS_X509EXT_OID_KEY_USAGE "2.5.29.15"
#define GNUTLS_X509EXT_OID_PRIVATE_KEY_USAGE_PERIOD "2.5.29.16"
#define GNUTLS_X509EXT_OID_SAN "2.5.29.17"
#define GNUTLS_X509EXT_OID_IAN "2.5.29.18"
#define GNUTLS_X509EXT_OID_BASIC_CONSTRAINTS "2.5.29.19"
#define GNUTLS_X509EXT_OID_NAME_CONSTRAINTS "2.5.29.30"
#define GNUTLS_X509EXT_OID_CRL_DIST_POINTS "2.5.29.31"
#define GNUTLS_X509EXT_OID_CRT_POLICY "2.5.29.32"
#define GNUTLS_X509EXT_OID_AUTHORITY_KEY_ID "2.5.29.35"
#define GNUTLS_X509EXT_OID_EXTENDED_KEY_USAGE "2.5.29.37"
#define GNUTLS_X509EXT_OID_AUTHORITY_INFO_ACCESS "1.3.6.1.5.5.7.1.1"
#define GNUTLS_X509EXT_OID_PROXY_CRT_INFO "1.3.6.1.5.5.7.1.14"
#define GNUTLS_X509EXT_OID_TLSFEATURES "1.3.6.1.5.5.7.1.24"
/* Certificate handling functions.
*/
/**
* gnutls_certificate_import_flags:
* @GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED: Fail if the
* certificates in the buffer are more than the space allocated for
* certificates. The error code will be %GNUTLS_E_SHORT_MEMORY_BUFFER.
* @GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED: Fail if the certificates
* in the buffer are not ordered starting from subject to issuer.
* The error code will be %GNUTLS_E_CERTIFICATE_LIST_UNSORTED.
* @GNUTLS_X509_CRT_LIST_SORT: Sort the certificate chain if unsorted.
*
* Enumeration of different certificate import flags.
*/
typedef enum gnutls_certificate_import_flags {
GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED = 1,
GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED = 1<<1,
GNUTLS_X509_CRT_LIST_SORT = 1<<2
} gnutls_certificate_import_flags;
int gnutls_x509_crt_init(gnutls_x509_crt_t * cert);
void gnutls_x509_crt_deinit(gnutls_x509_crt_t cert);
unsigned gnutls_x509_crt_equals(gnutls_x509_crt_t cert1, gnutls_x509_crt_t cert2);
unsigned gnutls_x509_crt_equals2(gnutls_x509_crt_t cert1, gnutls_datum_t * der);
int gnutls_x509_crt_import(gnutls_x509_crt_t cert,
const gnutls_datum_t * data,
gnutls_x509_crt_fmt_t format);
int gnutls_x509_crt_list_import2(gnutls_x509_crt_t ** certs,
unsigned int *size,
const gnutls_datum_t * data,
gnutls_x509_crt_fmt_t format,
unsigned int flags);
int gnutls_x509_crt_list_import(gnutls_x509_crt_t * certs,
unsigned int *cert_max,
const gnutls_datum_t * data,
gnutls_x509_crt_fmt_t format,
unsigned int flags);
int gnutls_x509_crt_import_url(gnutls_x509_crt_t crt,
const char *url, unsigned int flags
/* GNUTLS_PKCS11_OBJ_FLAG_* */
);
int gnutls_x509_crt_export(gnutls_x509_crt_t cert,
gnutls_x509_crt_fmt_t format,
void *output_data, size_t * output_data_size);
int gnutls_x509_crt_export2(gnutls_x509_crt_t cert,
gnutls_x509_crt_fmt_t format,
gnutls_datum_t * out);
int gnutls_x509_crt_get_private_key_usage_period(gnutls_x509_crt_t
cert,
time_t *
activation,
time_t *
expiration, unsigned int
*critical);
int gnutls_x509_crt_get_issuer_dn(gnutls_x509_crt_t cert,
char *buf, size_t * buf_size);
int gnutls_x509_crt_get_issuer_dn2(gnutls_x509_crt_t cert,
gnutls_datum_t * dn);
int gnutls_x509_crt_get_issuer_dn3(gnutls_x509_crt_t cert,
gnutls_datum_t * dn, unsigned flags);
int gnutls_x509_crt_get_issuer_dn_oid(gnutls_x509_crt_t cert,
unsigned indx, void *oid,
size_t * oid_size);
int gnutls_x509_crt_get_issuer_dn_by_oid(gnutls_x509_crt_t cert,
const char *oid, unsigned indx,
unsigned int raw_flag,
void *buf, size_t * buf_size);
int gnutls_x509_crt_get_dn(gnutls_x509_crt_t cert, char *buf,
size_t * buf_size);
int gnutls_x509_crt_get_dn2(gnutls_x509_crt_t cert, gnutls_datum_t * dn);
int gnutls_x509_crt_get_dn3(gnutls_x509_crt_t cert, gnutls_datum_t * dn, unsigned flags);
int gnutls_x509_crt_get_dn_oid(gnutls_x509_crt_t cert, unsigned indx,
void *oid, size_t * oid_size);
int gnutls_x509_crt_get_dn_by_oid(gnutls_x509_crt_t cert,
const char *oid, unsigned indx,
unsigned int raw_flag, void *buf,
size_t * buf_size);
unsigned gnutls_x509_crt_check_hostname(gnutls_x509_crt_t cert,
const char *hostname);
unsigned gnutls_x509_crt_check_hostname2(gnutls_x509_crt_t cert,
const char *hostname, unsigned int flags);
unsigned
gnutls_x509_crt_check_email(gnutls_x509_crt_t cert,
const char *email, unsigned int flags);
int gnutls_x509_crt_get_signature_algorithm(gnutls_x509_crt_t cert);
int gnutls_x509_crt_get_signature(gnutls_x509_crt_t cert,
char *sig, size_t * sizeof_sig);
int gnutls_x509_crt_get_version(gnutls_x509_crt_t cert);
int gnutls_x509_crt_get_pk_oid(gnutls_x509_crt_t cert, char *oid, size_t *oid_size);
int gnutls_x509_crt_get_signature_oid(gnutls_x509_crt_t cert, char *oid, size_t *oid_size);
/**
* gnutls_keyid_flags_t:
* @GNUTLS_KEYID_USE_SHA1: Use SHA1 as the key ID algorithm (default).
* @GNUTLS_KEYID_USE_SHA256: Use SHA256 as the key ID algorithm.
* @GNUTLS_KEYID_USE_BEST_KNOWN: Use the best known algorithm to calculate key ID. Using that option will make your program behavior depend on the version of gnutls linked with. That option has a cap of 64-bytes key IDs.
*
* Enumeration of different flags for the key ID functions.
*/
typedef enum {
GNUTLS_KEYID_USE_SHA1 = 0,
GNUTLS_KEYID_USE_SHA256 = (1<<0),
GNUTLS_KEYID_USE_BEST_KNOWN = (1<<30)
} gnutls_keyid_flags_t;
int gnutls_x509_crt_get_key_id(gnutls_x509_crt_t crt,
unsigned int flags,
unsigned char *output_data,
size_t * output_data_size);
int gnutls_x509_crt_set_private_key_usage_period(gnutls_x509_crt_t
crt,
time_t activation,
time_t expiration);
int gnutls_x509_crt_set_authority_key_id(gnutls_x509_crt_t cert,
const void *id, size_t id_size);
int gnutls_x509_crt_get_authority_key_id(gnutls_x509_crt_t cert,
void *id,
size_t * id_size,
unsigned int *critical);
int gnutls_x509_crt_get_authority_key_gn_serial(gnutls_x509_crt_t
cert,
unsigned int seq,
void *alt,
size_t * alt_size,
unsigned int
*alt_type,
void *serial,
size_t *
serial_size, unsigned int
*critical);
int gnutls_x509_crt_get_subject_key_id(gnutls_x509_crt_t cert,
void *ret,
size_t * ret_size,
unsigned int *critical);
int gnutls_x509_crt_get_subject_unique_id(gnutls_x509_crt_t crt,
char *buf, size_t * buf_size);
int gnutls_x509_crt_get_issuer_unique_id(gnutls_x509_crt_t crt,
char *buf, size_t * buf_size);
void gnutls_x509_crt_set_pin_function(gnutls_x509_crt_t crt,
gnutls_pin_callback_t fn,
void *userdata);
/**
* gnutls_info_access_what_t:
* @GNUTLS_IA_ACCESSMETHOD_OID: Get accessMethod OID.
* @GNUTLS_IA_ACCESSLOCATION_GENERALNAME_TYPE: Get accessLocation name type.
* @GNUTLS_IA_URI: Get accessLocation URI value.
* @GNUTLS_IA_OCSP_URI: get accessLocation URI value for OCSP.
* @GNUTLS_IA_CAISSUERS_URI: get accessLocation URI value for caIssuers.
*
* Enumeration of types for the @what parameter of
* gnutls_x509_crt_get_authority_info_access().
*/
typedef enum gnutls_info_access_what_t {
GNUTLS_IA_ACCESSMETHOD_OID = 1,
GNUTLS_IA_ACCESSLOCATION_GENERALNAME_TYPE = 2,
/* use 100-108 for the generalName types, populate as needed */
GNUTLS_IA_URI = 106,
/* quick-access variants that match both OID and name type. */
GNUTLS_IA_UNKNOWN = 10000,
GNUTLS_IA_OCSP_URI = 10006,
GNUTLS_IA_CAISSUERS_URI = 10106
} gnutls_info_access_what_t;
int gnutls_x509_crt_get_authority_info_access(gnutls_x509_crt_t
crt,
unsigned int seq,
int what,
gnutls_datum_t *
data, unsigned int
*critical);
typedef struct gnutls_name_constraints_st *gnutls_x509_name_constraints_t;
unsigned gnutls_x509_name_constraints_check(gnutls_x509_name_constraints_t nc,
gnutls_x509_subject_alt_name_t type,
const gnutls_datum_t * name);
unsigned gnutls_x509_name_constraints_check_crt(gnutls_x509_name_constraints_t nc,
gnutls_x509_subject_alt_name_t type,
gnutls_x509_crt_t crt);
int gnutls_x509_name_constraints_init(gnutls_x509_name_constraints_t *nc);
void gnutls_x509_name_constraints_deinit(gnutls_x509_name_constraints_t nc);
#define GNUTLS_EXT_FLAG_APPEND 1
#define GNUTLS_NAME_CONSTRAINTS_FLAG_APPEND GNUTLS_EXT_FLAG_APPEND
int gnutls_x509_crt_get_name_constraints(gnutls_x509_crt_t crt,
gnutls_x509_name_constraints_t nc,
unsigned int flags,
unsigned int *critical);
int gnutls_x509_name_constraints_add_permitted(gnutls_x509_name_constraints_t nc,
gnutls_x509_subject_alt_name_t type,
const gnutls_datum_t * name);
int gnutls_x509_name_constraints_add_excluded(gnutls_x509_name_constraints_t nc,
gnutls_x509_subject_alt_name_t type,
const gnutls_datum_t * name);
int gnutls_x509_crt_set_name_constraints(gnutls_x509_crt_t crt,
gnutls_x509_name_constraints_t nc,
unsigned int critical);
int gnutls_x509_name_constraints_get_permitted(gnutls_x509_name_constraints_t nc,
unsigned idx,
unsigned *type, gnutls_datum_t * name);
int gnutls_x509_name_constraints_get_excluded(gnutls_x509_name_constraints_t nc,
unsigned idx,
unsigned *type, gnutls_datum_t * name);
int gnutls_x509_cidr_to_rfc5280(const char *cidr, gnutls_datum_t *cidr_rfc5280);
#define GNUTLS_CRL_REASON_SUPERSEEDED GNUTLS_CRL_REASON_SUPERSEDED,
/**
* gnutls_x509_crl_reason_flags_t:
* @GNUTLS_CRL_REASON_PRIVILEGE_WITHDRAWN: The privileges were withdrawn from the owner.
* @GNUTLS_CRL_REASON_CERTIFICATE_HOLD: The certificate is on hold.
* @GNUTLS_CRL_REASON_CESSATION_OF_OPERATION: The end-entity is no longer operating.
* @GNUTLS_CRL_REASON_SUPERSEDED: There is a newer certificate of the owner.
* @GNUTLS_CRL_REASON_AFFILIATION_CHANGED: The end-entity affiliation has changed.
* @GNUTLS_CRL_REASON_CA_COMPROMISE: The CA was compromised.
* @GNUTLS_CRL_REASON_KEY_COMPROMISE: The certificate's key was compromised.
* @GNUTLS_CRL_REASON_UNUSED: The key was never used.
* @GNUTLS_CRL_REASON_AA_COMPROMISE: AA compromised.
*
* Enumeration of types for the CRL revocation reasons.
*/
typedef enum gnutls_x509_crl_reason_flags_t {
GNUTLS_CRL_REASON_UNSPECIFIED = 0,
GNUTLS_CRL_REASON_PRIVILEGE_WITHDRAWN = 1,
GNUTLS_CRL_REASON_CERTIFICATE_HOLD = 2,
GNUTLS_CRL_REASON_CESSATION_OF_OPERATION = 4,
GNUTLS_CRL_REASON_SUPERSEDED = 8,
GNUTLS_CRL_REASON_AFFILIATION_CHANGED = 16,
GNUTLS_CRL_REASON_CA_COMPROMISE = 32,
GNUTLS_CRL_REASON_KEY_COMPROMISE = 64,
GNUTLS_CRL_REASON_UNUSED = 128,
GNUTLS_CRL_REASON_AA_COMPROMISE = 32768
} gnutls_x509_crl_reason_flags_t;
int gnutls_x509_crt_get_crl_dist_points(gnutls_x509_crt_t cert,
unsigned int seq,
void *ret,
size_t * ret_size,
unsigned int *reason_flags,
unsigned int *critical);
int gnutls_x509_crt_set_crl_dist_points2(gnutls_x509_crt_t crt,
gnutls_x509_subject_alt_name_t
type, const void *data,
unsigned int data_size,
unsigned int reason_flags);
int gnutls_x509_crt_set_crl_dist_points(gnutls_x509_crt_t crt,
gnutls_x509_subject_alt_name_t
type,
const void *data_string,
unsigned int reason_flags);
int gnutls_x509_crt_cpy_crl_dist_points(gnutls_x509_crt_t dst,
gnutls_x509_crt_t src);
int gnutls_x509_crl_sign2(gnutls_x509_crl_t crl,
gnutls_x509_crt_t issuer,
gnutls_x509_privkey_t issuer_key,
gnutls_digest_algorithm_t dig,
unsigned int flags);
time_t gnutls_x509_crt_get_activation_time(gnutls_x509_crt_t cert);
#define GNUTLS_X509_NO_WELL_DEFINED_EXPIRATION ((time_t)4294197631)
time_t gnutls_x509_crt_get_expiration_time(gnutls_x509_crt_t cert);
int gnutls_x509_crt_get_serial(gnutls_x509_crt_t cert,
void *result, size_t * result_size);
int gnutls_x509_crt_get_pk_algorithm(gnutls_x509_crt_t cert,
unsigned int *bits);
int gnutls_x509_crt_get_pk_rsa_raw(gnutls_x509_crt_t crt,
gnutls_datum_t * m, gnutls_datum_t * e);
int gnutls_x509_crt_get_pk_dsa_raw(gnutls_x509_crt_t crt,
gnutls_datum_t * p,
gnutls_datum_t * q,
gnutls_datum_t * g, gnutls_datum_t * y);
int gnutls_x509_crt_get_pk_ecc_raw(gnutls_x509_crt_t crt,
gnutls_ecc_curve_t * curve,
gnutls_datum_t * x,
gnutls_datum_t * y);
int gnutls_x509_crt_get_subject_alt_name(gnutls_x509_crt_t cert,
unsigned int seq,
void *san,
size_t * san_size,
unsigned int *critical);
int gnutls_x509_crt_get_subject_alt_name2(gnutls_x509_crt_t cert,
unsigned int seq,
void *san,
size_t * san_size,
unsigned int *san_type,
unsigned int *critical);
int gnutls_x509_crt_get_subject_alt_othername_oid(gnutls_x509_crt_t
cert,
unsigned int seq,
void *oid,
size_t * oid_size);
int gnutls_x509_crt_get_issuer_alt_name(gnutls_x509_crt_t cert,
unsigned int seq,
void *ian,
size_t * ian_size,
unsigned int *critical);
int gnutls_x509_crt_get_issuer_alt_name2(gnutls_x509_crt_t cert,
unsigned int seq,
void *ian,
size_t * ian_size,
unsigned int *ian_type,
unsigned int *critical);
int gnutls_x509_crt_get_issuer_alt_othername_oid(gnutls_x509_crt_t
cert,
unsigned int seq,
void *ret,
size_t * ret_size);
int gnutls_x509_crt_get_ca_status(gnutls_x509_crt_t cert,
unsigned int *critical);
int gnutls_x509_crt_get_basic_constraints(gnutls_x509_crt_t cert,
unsigned int *critical,
unsigned int *ca, int *pathlen);
/* The key_usage flags are defined in gnutls.h. They are the
* GNUTLS_KEY_* definitions.
*/
int gnutls_x509_crt_get_key_usage(gnutls_x509_crt_t cert,
unsigned int *key_usage,
unsigned int *critical);
int gnutls_x509_crt_set_key_usage(gnutls_x509_crt_t crt,
unsigned int usage);
int gnutls_x509_crt_set_authority_info_access(gnutls_x509_crt_t
crt, int what,
gnutls_datum_t * data);
int gnutls_x509_crt_get_proxy(gnutls_x509_crt_t cert,
unsigned int *critical,
int *pathlen,
char **policyLanguage,
char **policy, size_t * sizeof_policy);
typedef struct gnutls_x509_tlsfeatures_st *gnutls_x509_tlsfeatures_t;
int gnutls_x509_tlsfeatures_init(gnutls_x509_tlsfeatures_t *features);
void gnutls_x509_tlsfeatures_deinit(gnutls_x509_tlsfeatures_t);
int gnutls_x509_tlsfeatures_get(gnutls_x509_tlsfeatures_t f, unsigned idx, unsigned int *feature);
int gnutls_x509_crt_set_tlsfeatures(gnutls_x509_crt_t crt,
gnutls_x509_tlsfeatures_t features);
int gnutls_x509_crt_get_tlsfeatures(gnutls_x509_crt_t cert,
gnutls_x509_tlsfeatures_t features,
unsigned int flags,
unsigned int *critical);
unsigned gnutls_x509_tlsfeatures_check_crt(gnutls_x509_tlsfeatures_t feat,
gnutls_x509_crt_t crt);
#define GNUTLS_MAX_QUALIFIERS 8
/**
* gnutls_x509_qualifier_t:
* @GNUTLS_X509_QUALIFIER_UNKNOWN: Unknown qualifier.
* @GNUTLS_X509_QUALIFIER_URI: A URL
* @GNUTLS_X509_QUALIFIER_NOICE: A text notice.
*
* Enumeration of types for the X.509 qualifiers, of the certificate policy extension.
*/
typedef enum gnutls_x509_qualifier_t {
GNUTLS_X509_QUALIFIER_UNKNOWN = 0, GNUTLS_X509_QUALIFIER_URI,
GNUTLS_X509_QUALIFIER_NOTICE
} gnutls_x509_qualifier_t;
typedef struct gnutls_x509_policy_st {
char *oid;
unsigned int qualifiers;
struct {
gnutls_x509_qualifier_t type;
char *data;
unsigned int size;
} qualifier[GNUTLS_MAX_QUALIFIERS];
} gnutls_x509_policy_st;
void gnutls_x509_policy_release(struct gnutls_x509_policy_st
*policy);
int gnutls_x509_crt_get_policy(gnutls_x509_crt_t crt, unsigned indx, struct gnutls_x509_policy_st
*policy, unsigned int *critical);
int gnutls_x509_crt_set_policy(gnutls_x509_crt_t crt, const struct gnutls_x509_policy_st
*policy, unsigned int critical);
int gnutls_x509_dn_oid_known(const char *oid);
#define GNUTLS_X509_DN_OID_RETURN_OID 1
const char *gnutls_x509_dn_oid_name(const char *oid, unsigned int flags);
/* Read extensions by OID. */
int gnutls_x509_crt_get_extension_oid(gnutls_x509_crt_t cert,
unsigned indx, void *oid,
size_t * oid_size);
int gnutls_x509_crt_get_extension_by_oid(gnutls_x509_crt_t cert,
const char *oid, unsigned indx,
void *buf,
size_t * buf_size,
unsigned int *critical);
int gnutls_x509_crq_get_signature_algorithm(gnutls_x509_crq_t crq);
int
gnutls_x509_crq_get_extension_by_oid2(gnutls_x509_crq_t crq,
const char *oid, unsigned indx,
gnutls_datum_t *output,
unsigned int *critical);
/* Read extensions by sequence number. */
int gnutls_x509_crt_get_extension_info(gnutls_x509_crt_t cert,
unsigned indx, void *oid,
size_t * oid_size,
unsigned int *critical);
int gnutls_x509_crt_get_extension_data(gnutls_x509_crt_t cert,
unsigned indx, void *data,
size_t * sizeof_data);
int
gnutls_x509_crt_get_extension_data2(gnutls_x509_crt_t cert,
unsigned indx, gnutls_datum_t * data);
int gnutls_x509_crt_set_extension_by_oid(gnutls_x509_crt_t crt,
const char *oid,
const void *buf,
size_t sizeof_buf,
unsigned int critical);
/* X.509 Certificate writing.
*/
int gnutls_x509_crt_set_dn(gnutls_x509_crt_t crt, const char *dn,
const char **err);
int gnutls_x509_crt_set_dn_by_oid(gnutls_x509_crt_t crt,
const char *oid,
unsigned int raw_flag,
const void *name,
unsigned int sizeof_name);
int gnutls_x509_crt_set_issuer_dn_by_oid(gnutls_x509_crt_t crt,
const char *oid,
unsigned int raw_flag,
const void *name,
unsigned int sizeof_name);
int gnutls_x509_crt_set_issuer_dn(gnutls_x509_crt_t crt,
const char *dn, const char **err);
int gnutls_x509_crt_set_version(gnutls_x509_crt_t crt,
unsigned int version);
int gnutls_x509_crt_set_key(gnutls_x509_crt_t crt,
gnutls_x509_privkey_t key);
int gnutls_x509_crt_set_ca_status(gnutls_x509_crt_t crt, unsigned int ca);
int gnutls_x509_crt_set_basic_constraints(gnutls_x509_crt_t crt,
unsigned int ca,
int pathLenConstraint);
int
gnutls_x509_crt_set_subject_unique_id(gnutls_x509_crt_t cert, const void *id,
size_t id_size);
int
gnutls_x509_crt_set_issuer_unique_id(gnutls_x509_crt_t cert, const void *id,
size_t id_size);
int gnutls_x509_crt_set_subject_alternative_name(gnutls_x509_crt_t
crt,
gnutls_x509_subject_alt_name_t
type, const char
*data_string);
int gnutls_x509_crt_set_subject_alt_name(gnutls_x509_crt_t crt,
gnutls_x509_subject_alt_name_t
type, const void *data,
unsigned int data_size,
unsigned int flags);
int
gnutls_x509_crt_set_subject_alt_othername(gnutls_x509_crt_t crt,
const char *oid,
const void *data,
unsigned int data_size,
unsigned int flags);
int gnutls_x509_crt_set_issuer_alt_name(gnutls_x509_crt_t crt,
gnutls_x509_subject_alt_name_t
type, const void *data,
unsigned int data_size,
unsigned int flags);
int
gnutls_x509_crt_set_issuer_alt_othername(gnutls_x509_crt_t crt,
const char *oid,
const void *data,
unsigned int data_size,
unsigned int flags);
int gnutls_x509_crt_sign(gnutls_x509_crt_t crt,
gnutls_x509_crt_t issuer,
gnutls_x509_privkey_t issuer_key);
int gnutls_x509_crt_sign2(gnutls_x509_crt_t crt,
gnutls_x509_crt_t issuer,
gnutls_x509_privkey_t issuer_key,
gnutls_digest_algorithm_t dig,
unsigned int flags);
int gnutls_x509_crt_set_activation_time(gnutls_x509_crt_t cert,
time_t act_time);
int gnutls_x509_crt_set_expiration_time(gnutls_x509_crt_t cert,
time_t exp_time);
int gnutls_x509_crt_set_serial(gnutls_x509_crt_t cert,
const void *serial, size_t serial_size);
int gnutls_x509_crt_set_subject_key_id(gnutls_x509_crt_t cert,
const void *id, size_t id_size);
int gnutls_x509_crt_set_proxy_dn(gnutls_x509_crt_t crt,
gnutls_x509_crt_t eecrt,
unsigned int raw_flag,
const void *name,
unsigned int sizeof_name);
int gnutls_x509_crt_set_proxy(gnutls_x509_crt_t crt,
int pathLenConstraint,
const char *policyLanguage,
const char *policy, size_t sizeof_policy);
int gnutls_x509_crt_print(gnutls_x509_crt_t cert,
gnutls_certificate_print_formats_t
format, gnutls_datum_t * out);
int gnutls_x509_crl_print(gnutls_x509_crl_t crl,
gnutls_certificate_print_formats_t
format, gnutls_datum_t * out);
/* Access to internal Certificate fields.
*/
int gnutls_x509_crt_get_raw_issuer_dn(gnutls_x509_crt_t cert,
gnutls_datum_t * start);
int gnutls_x509_crt_get_raw_dn(gnutls_x509_crt_t cert,
gnutls_datum_t * start);
/* RDN handling.
*/
int gnutls_x509_rdn_get(const gnutls_datum_t * idn,
char *buf, size_t * sizeof_buf);
int
gnutls_x509_rdn_get2(const gnutls_datum_t * idn,
gnutls_datum_t *str, unsigned flags);
int gnutls_x509_rdn_get_oid(const gnutls_datum_t * idn,
unsigned indx, void *buf, size_t * sizeof_buf);
int gnutls_x509_rdn_get_by_oid(const gnutls_datum_t * idn,
const char *oid, unsigned indx,
unsigned int raw_flag, void *buf,
size_t * sizeof_buf);
typedef struct gnutls_x509_dn_st *gnutls_x509_dn_t;
typedef struct gnutls_x509_ava_st {
gnutls_datum_t oid;
gnutls_datum_t value;
unsigned long value_tag;
} gnutls_x509_ava_st;
int gnutls_x509_crt_get_subject(gnutls_x509_crt_t cert,
gnutls_x509_dn_t * dn);
int gnutls_x509_crt_get_issuer(gnutls_x509_crt_t cert,
gnutls_x509_dn_t * dn);
int gnutls_x509_dn_get_rdn_ava(gnutls_x509_dn_t dn, int irdn,
int iava, gnutls_x509_ava_st * ava);
int gnutls_x509_dn_get_str(gnutls_x509_dn_t dn, gnutls_datum_t *str);
#define GNUTLS_X509_DN_FLAG_COMPAT 1
int gnutls_x509_dn_get_str2(gnutls_x509_dn_t dn, gnutls_datum_t *str, unsigned flags);
int
gnutls_x509_dn_set_str(gnutls_x509_dn_t dn, const char *str, const char **err);
int gnutls_x509_dn_init(gnutls_x509_dn_t * dn);
int gnutls_x509_dn_import(gnutls_x509_dn_t dn,
const gnutls_datum_t * data);
int gnutls_x509_dn_export(gnutls_x509_dn_t dn,
gnutls_x509_crt_fmt_t format,
void *output_data, size_t * output_data_size);
int gnutls_x509_dn_export2(gnutls_x509_dn_t dn,
gnutls_x509_crt_fmt_t format,
gnutls_datum_t * out);
void gnutls_x509_dn_deinit(gnutls_x509_dn_t dn);
/* CRL handling functions.
*/
int gnutls_x509_crl_init(gnutls_x509_crl_t * crl);
void gnutls_x509_crl_deinit(gnutls_x509_crl_t crl);
int gnutls_x509_crl_import(gnutls_x509_crl_t crl,
const gnutls_datum_t * data,
gnutls_x509_crt_fmt_t format);
int gnutls_x509_crl_export(gnutls_x509_crl_t crl,
gnutls_x509_crt_fmt_t format,
void *output_data, size_t * output_data_size);
int gnutls_x509_crl_export2(gnutls_x509_crl_t crl,
gnutls_x509_crt_fmt_t format,
gnutls_datum_t * out);
int
gnutls_x509_crl_get_raw_issuer_dn(gnutls_x509_crl_t crl,
gnutls_datum_t * dn);
int gnutls_x509_crl_get_issuer_dn(gnutls_x509_crl_t crl,
char *buf, size_t * sizeof_buf);
int gnutls_x509_crl_get_issuer_dn2(gnutls_x509_crl_t crl,
gnutls_datum_t * dn);
int gnutls_x509_crl_get_issuer_dn3(gnutls_x509_crl_t crl,
gnutls_datum_t * dn, unsigned flags);
int gnutls_x509_crl_get_issuer_dn_by_oid(gnutls_x509_crl_t crl,
const char *oid, unsigned indx,
unsigned int raw_flag,
void *buf, size_t * sizeof_buf);
int gnutls_x509_crl_get_dn_oid(gnutls_x509_crl_t crl, unsigned indx,
void *oid, size_t * sizeof_oid);
int gnutls_x509_crl_get_signature_algorithm(gnutls_x509_crl_t crl);
int gnutls_x509_crl_get_signature(gnutls_x509_crl_t crl,
char *sig, size_t * sizeof_sig);
int gnutls_x509_crl_get_version(gnutls_x509_crl_t crl);
int gnutls_x509_crl_get_signature_oid(gnutls_x509_crl_t crl, char *oid, size_t *oid_size);
time_t gnutls_x509_crl_get_this_update(gnutls_x509_crl_t crl);
time_t gnutls_x509_crl_get_next_update(gnutls_x509_crl_t crl);
int gnutls_x509_crl_get_crt_count(gnutls_x509_crl_t crl);
int gnutls_x509_crl_get_crt_serial(gnutls_x509_crl_t crl, unsigned indx,
unsigned char *serial,
size_t * serial_size, time_t * t);
typedef struct gnutls_x509_crl_iter * gnutls_x509_crl_iter_t;
int gnutls_x509_crl_iter_crt_serial(gnutls_x509_crl_t crl,
gnutls_x509_crl_iter_t *,
unsigned char *serial,
size_t * serial_size, time_t * t);
void gnutls_x509_crl_iter_deinit(gnutls_x509_crl_iter_t);
#define gnutls_x509_crl_get_certificate_count gnutls_x509_crl_get_crt_count
#define gnutls_x509_crl_get_certificate gnutls_x509_crl_get_crt_serial
unsigned gnutls_x509_crl_check_issuer(gnutls_x509_crl_t crl,
gnutls_x509_crt_t issuer);
int gnutls_x509_crl_list_import2(gnutls_x509_crl_t ** crls,
unsigned int *size,
const gnutls_datum_t * data,
gnutls_x509_crt_fmt_t format,
unsigned int flags);
int gnutls_x509_crl_list_import(gnutls_x509_crl_t * crls,
unsigned int *crl_max,
const gnutls_datum_t * data,
gnutls_x509_crt_fmt_t format,
unsigned int flags);
/* CRL writing.
*/
int gnutls_x509_crl_set_version(gnutls_x509_crl_t crl,
unsigned int version);
int gnutls_x509_crl_set_this_update(gnutls_x509_crl_t crl,
time_t act_time);
int gnutls_x509_crl_set_next_update(gnutls_x509_crl_t crl,
time_t exp_time);
int gnutls_x509_crl_set_crt_serial(gnutls_x509_crl_t crl,
const void *serial,
size_t serial_size,
time_t revocation_time);
int gnutls_x509_crl_set_crt(gnutls_x509_crl_t crl,
gnutls_x509_crt_t crt, time_t revocation_time);
int gnutls_x509_crl_get_authority_key_id(gnutls_x509_crl_t crl,
void *id,
size_t * id_size,
unsigned int *critical);
int gnutls_x509_crl_get_authority_key_gn_serial(gnutls_x509_crl_t
crl,
unsigned int seq,
void *alt,
size_t * alt_size,
unsigned int
*alt_type,
void *serial,
size_t *
serial_size, unsigned int
*critical);
int gnutls_x509_crl_get_number(gnutls_x509_crl_t crl, void *ret,
size_t * ret_size, unsigned int *critical);
int gnutls_x509_crl_get_extension_oid(gnutls_x509_crl_t crl,
unsigned indx, void *oid,
size_t * sizeof_oid);
int gnutls_x509_crl_get_extension_info(gnutls_x509_crl_t crl,
unsigned indx, void *oid,
size_t * sizeof_oid,
unsigned int *critical);
int gnutls_x509_crl_get_extension_data(gnutls_x509_crl_t crl,
unsigned indx, void *data,
size_t * sizeof_data);
int
gnutls_x509_crl_get_extension_data2(gnutls_x509_crl_t crl,
unsigned indx, gnutls_datum_t * data);
int gnutls_x509_crl_set_authority_key_id(gnutls_x509_crl_t crl,
const void *id, size_t id_size);
int gnutls_x509_crl_set_number(gnutls_x509_crl_t crl,
const void *nr, size_t nr_size);
/* X.509 Certificate verification functions.
*/
/**
* gnutls_certificate_verify_flags:
* @GNUTLS_VERIFY_DISABLE_CA_SIGN: If set a signer does not have to be
* a certificate authority. This flag should normally be disabled,
* unless you know what this means.
* @GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS: If set a signer in the trusted
* list is never checked for expiration or activation.
* @GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT: Do not allow trusted CA
* certificates that have version 1. This option is to be used
* to deprecate all certificates of version 1.
* @GNUTLS_VERIFY_DO_NOT_ALLOW_SAME: If a certificate is not signed by
* anyone trusted but exists in the trusted CA list do not treat it
* as trusted.
* @GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN: A certificate chain is tolerated
* if unsorted (the case with many TLS servers out there). This is the
* default since GnuTLS 3.1.4.
* @GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN: Do not tolerate an unsorted
* certificate chain.
* @GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT: Allow CA certificates that
* have version 1 (both root and intermediate). This might be
* dangerous since those haven't the basicConstraints
* extension.
* @GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2: Allow certificates to be signed
* using the broken MD2 algorithm.
* @GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5: Allow certificates to be signed
* using the broken MD5 algorithm.
* @GNUTLS_VERIFY_ALLOW_BROKEN: Allow certificates to be signed
* using any broken algorithm.
* @GNUTLS_VERIFY_DISABLE_TIME_CHECKS: Disable checking of activation
* and expiration validity periods of certificate chains. Don't set
* this unless you understand the security implications.
* @GNUTLS_VERIFY_DISABLE_CRL_CHECKS: Disable checking for validity
* using certificate revocation lists or the available OCSP data.
* @GNUTLS_VERIFY_DO_NOT_ALLOW_WILDCARDS: When including a hostname
* check in the verification, do not consider any wildcards.
* @GNUTLS_VERIFY_USE_TLS1_RSA: This indicates that a (raw) RSA signature is provided
* as in the TLS 1.0 protocol. Not all functions accept this flag.
*
* Enumeration of different certificate verify flags. Additional
* verification profiles can be set using GNUTLS_PROFILE_TO_VFLAGS()
* and %gnutls_certificate_verification_profiles_t.
*/
typedef enum gnutls_certificate_verify_flags {
GNUTLS_VERIFY_DISABLE_CA_SIGN = 1 << 0,
GNUTLS_VERIFY_DO_NOT_ALLOW_SAME = 1 << 2,
GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT = 1 << 3,
GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2 = 1 << 4,
GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5 = 1 << 5,
GNUTLS_VERIFY_DISABLE_TIME_CHECKS = 1 << 6,
GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS = 1 << 7,
GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT = 1 << 8,
GNUTLS_VERIFY_DISABLE_CRL_CHECKS = 1 << 9,
GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN = 1 << 10,
GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN = 1 << 11,
GNUTLS_VERIFY_DO_NOT_ALLOW_WILDCARDS = 1 << 12,
GNUTLS_VERIFY_USE_TLS1_RSA = 1 << 13
/* cannot exceed 2^24 due to GNUTLS_PROFILE_TO_VFLAGS() */
} gnutls_certificate_verify_flags;
#define GNUTLS_VERIFY_ALLOW_BROKEN (GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2|GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5)
/**
* gnutls_certificate_verification_profiles_t:
* @GNUTLS_PROFILE_VERY_WEAK: A verification profile that
* corresponds to @GNUTLS_SEC_PARAM_VERY_WEAK (64 bits)
* @GNUTLS_PROFILE_LOW: A verification profile that
* corresponds to @GNUTLS_SEC_PARAM_LOW (80 bits)
* @GNUTLS_PROFILE_LEGACY: A verification profile that
* corresponds to @GNUTLS_SEC_PARAM_LEGACY (96 bits)
* @GNUTLS_PROFILE_MEDIUM: A verification profile that
* corresponds to @GNUTLS_SEC_PARAM_MEDIUM (112 bits)
* @GNUTLS_PROFILE_HIGH: A verification profile that
* corresponds to @GNUTLS_SEC_PARAM_HIGH (128 bits)
* @GNUTLS_PROFILE_ULTRA: A verification profile that
* corresponds to @GNUTLS_SEC_PARAM_ULTRA (256 bits)
% * @GNUTLS_PROFILE_SUITEB128: A verification profile that
* applies the SUITEB128 rules
* @GNUTLS_PROFILE_SUITEB192: A verification profile that
* applies the SUITEB192 rules
*
* Enumeration of different certificate verification profiles.
*/
typedef enum gnutls_certificate_verification_profiles_t {
GNUTLS_PROFILE_VERY_WEAK = 1,
GNUTLS_PROFILE_LOW = 2,
GNUTLS_PROFILE_LEGACY = 4,
GNUTLS_PROFILE_MEDIUM = 5,
GNUTLS_PROFILE_HIGH = 6,
GNUTLS_PROFILE_ULTRA = 7,
GNUTLS_PROFILE_SUITEB128=32,
GNUTLS_PROFILE_SUITEB192=33
/*GNUTLS_PROFILE_MAX=255*/
} gnutls_certificate_verification_profiles_t;
#define GNUTLS_PROFILE_TO_VFLAGS(x) \
(((unsigned)x)<<24)
#define GNUTLS_VFLAGS_PROFILE_MASK (0xff000000)
#define GNUTLS_VFLAGS_TO_PROFILE(x) \
((((unsigned)x)>>24)&0xff)
unsigned gnutls_x509_crt_check_issuer(gnutls_x509_crt_t cert,
gnutls_x509_crt_t issuer);
int gnutls_x509_crt_list_verify(const gnutls_x509_crt_t *
cert_list, unsigned cert_list_length,
const gnutls_x509_crt_t * CA_list,
unsigned CA_list_length,
const gnutls_x509_crl_t * CRL_list,
unsigned CRL_list_length,
unsigned int flags, unsigned int *verify);
int gnutls_x509_crt_verify(gnutls_x509_crt_t cert,
const gnutls_x509_crt_t * CA_list,
unsigned CA_list_length, unsigned int flags,
unsigned int *verify);
int gnutls_x509_crl_verify(gnutls_x509_crl_t crl,
const gnutls_x509_crt_t * CA_list,
unsigned CA_list_length, unsigned int flags,
unsigned int *verify);
int
gnutls_x509_crt_verify_data2(gnutls_x509_crt_t crt,
gnutls_sign_algorithm_t algo,
unsigned int flags,
const gnutls_datum_t * data,
const gnutls_datum_t * signature);
int gnutls_x509_crt_check_revocation(gnutls_x509_crt_t cert,
const gnutls_x509_crl_t *
crl_list, unsigned crl_list_length);
int gnutls_x509_crt_get_fingerprint(gnutls_x509_crt_t cert,
gnutls_digest_algorithm_t algo,
void *buf, size_t * buf_size);
int gnutls_x509_crt_get_key_purpose_oid(gnutls_x509_crt_t cert,
unsigned indx, void *oid,
size_t * oid_size,
unsigned int *critical);
int gnutls_x509_crt_set_key_purpose_oid(gnutls_x509_crt_t cert,
const void *oid,
unsigned int critical);
unsigned gnutls_x509_crt_check_key_purpose(gnutls_x509_crt_t cert,
const char *purpose, unsigned flags);
/* Private key handling.
*/
/* Flags for the gnutls_x509_privkey_export_pkcs8() function.
*/
#define GNUTLS_PKCS8_PLAIN GNUTLS_PKCS_PLAIN
#define GNUTLS_PKCS8_USE_PKCS12_3DES GNUTLS_PKCS_PKCS12_3DES
#define GNUTLS_PKCS8_USE_PKCS12_ARCFOUR GNUTLS_PKCS_PKCS12_ARCFOUR
#define GNUTLS_PKCS8_USE_PKCS12_RC2_40 GNUTLS_PKCS_PKCS12_RC2_40
/**
* gnutls_pkcs_encrypt_flags_t:
* @GNUTLS_PKCS_PLAIN: Unencrypted private key.
* @GNUTLS_PKCS_NULL_PASSWORD: Some schemas distinguish between an empty and a NULL password.
* @GNUTLS_PKCS_PKCS12_3DES: PKCS-12 3DES.
* @GNUTLS_PKCS_PKCS12_ARCFOUR: PKCS-12 ARCFOUR.
* @GNUTLS_PKCS_PKCS12_RC2_40: PKCS-12 RC2-40.
* @GNUTLS_PKCS_PBES2_3DES: PBES2 3DES.
* @GNUTLS_PKCS_PBES2_AES_128: PBES2 AES-128.
* @GNUTLS_PKCS_PBES2_AES_192: PBES2 AES-192.
* @GNUTLS_PKCS_PBES2_AES_256: PBES2 AES-256.
* @GNUTLS_PKCS_PBES2_DES: PBES2 single DES.
* @GNUTLS_PKCS_PBES2_DES_MD5: PBES1 with single DES; for compatibility with openssl only.
*
* Enumeration of different PKCS encryption flags.
*/
typedef enum gnutls_pkcs_encrypt_flags_t {
GNUTLS_PKCS_PLAIN = 1,
GNUTLS_PKCS_PKCS12_3DES = 1<<1,
GNUTLS_PKCS_PKCS12_ARCFOUR = 1<<2,
GNUTLS_PKCS_PKCS12_RC2_40 = 1<<3,
GNUTLS_PKCS_PBES2_3DES = 1<<4,
GNUTLS_PKCS_PBES2_AES_128 = 1<<5,
GNUTLS_PKCS_PBES2_AES_192 = 1<<6,
GNUTLS_PKCS_PBES2_AES_256 = 1<<7,
GNUTLS_PKCS_NULL_PASSWORD = 1<<8,
GNUTLS_PKCS_PBES2_DES = 1<<9,
GNUTLS_PKCS_PBES1_DES_MD5 = 1<<10
} gnutls_pkcs_encrypt_flags_t;
#define GNUTLS_PKCS_CIPHER_MASK(x) ((x)&(~(GNUTLS_PKCS_NULL_PASSWORD)))
#define GNUTLS_PKCS_USE_PKCS12_3DES GNUTLS_PKCS_PKCS12_3DES
#define GNUTLS_PKCS_USE_PKCS12_ARCFOUR GNUTLS_PKCS_PKCS12_ARCFOUR
#define GNUTLS_PKCS_USE_PKCS12_RC2_40 GNUTLS_PKCS_PKCS12_RC2_40
#define GNUTLS_PKCS_USE_PBES2_3DES GNUTLS_PKCS_PBES2_3DES
#define GNUTLS_PKCS_USE_PBES2_AES_128 GNUTLS_PKCS_PBES2_AES_128
#define GNUTLS_PKCS_USE_PBES2_AES_192 GNUTLS_PKCS_PBES2_AES_192
#define GNUTLS_PKCS_USE_PBES2_AES_256 GNUTLS_PKCS_PBES2_AES_256
const char *gnutls_pkcs_schema_get_name(unsigned int schema);
const char *gnutls_pkcs_schema_get_oid(unsigned int schema);
int gnutls_x509_privkey_init(gnutls_x509_privkey_t * key);
void gnutls_x509_privkey_deinit(gnutls_x509_privkey_t key);
gnutls_sec_param_t
gnutls_x509_privkey_sec_param(gnutls_x509_privkey_t key);
void gnutls_x509_privkey_set_pin_function(gnutls_x509_privkey_t key,
gnutls_pin_callback_t fn,
void *userdata);
int gnutls_x509_privkey_cpy(gnutls_x509_privkey_t dst,
gnutls_x509_privkey_t src);
int gnutls_x509_privkey_import(gnutls_x509_privkey_t key,
const gnutls_datum_t * data,
gnutls_x509_crt_fmt_t format);
int gnutls_x509_privkey_import_pkcs8(gnutls_x509_privkey_t key,
const gnutls_datum_t * data,
gnutls_x509_crt_fmt_t format,
const char *password,
unsigned int flags);
int gnutls_x509_privkey_import_openssl(gnutls_x509_privkey_t key,
const gnutls_datum_t * data,
const char *password);
int
gnutls_pkcs8_info(const gnutls_datum_t * data, gnutls_x509_crt_fmt_t format,
unsigned int *schema, unsigned int *cipher,
void *salt, unsigned int *salt_size,
unsigned int *iter_count, char **oid);
int gnutls_x509_privkey_import2(gnutls_x509_privkey_t key,
const gnutls_datum_t * data,
gnutls_x509_crt_fmt_t format,
const char *password, unsigned int flags);
int gnutls_x509_privkey_import_rsa_raw(gnutls_x509_privkey_t key,
const gnutls_datum_t * m,
const gnutls_datum_t * e,
const gnutls_datum_t * d,
const gnutls_datum_t * p,
const gnutls_datum_t * q,
const gnutls_datum_t * u);
int gnutls_x509_privkey_import_rsa_raw2(gnutls_x509_privkey_t key,
const gnutls_datum_t * m,
const gnutls_datum_t * e,
const gnutls_datum_t * d,
const gnutls_datum_t * p,
const gnutls_datum_t * q,
const gnutls_datum_t * u,
const gnutls_datum_t * e1,
const gnutls_datum_t * e2);
int gnutls_x509_privkey_import_ecc_raw(gnutls_x509_privkey_t key,
gnutls_ecc_curve_t curve,
const gnutls_datum_t * x,
const gnutls_datum_t * y,
const gnutls_datum_t * k);
int gnutls_x509_privkey_fix(gnutls_x509_privkey_t key);
int gnutls_x509_privkey_export_dsa_raw(gnutls_x509_privkey_t key,
gnutls_datum_t * p,
gnutls_datum_t * q,
gnutls_datum_t * g,
gnutls_datum_t * y,
gnutls_datum_t * x);
int gnutls_x509_privkey_import_dsa_raw(gnutls_x509_privkey_t key,
const gnutls_datum_t * p,
const gnutls_datum_t * q,
const gnutls_datum_t * g,
const gnutls_datum_t * y,
const gnutls_datum_t * x);
int gnutls_x509_privkey_get_pk_algorithm(gnutls_x509_privkey_t key);
int gnutls_x509_privkey_get_pk_algorithm2(gnutls_x509_privkey_t
key, unsigned int *bits);
int gnutls_x509_privkey_get_key_id(gnutls_x509_privkey_t key,
unsigned int flags,
unsigned char *output_data,
size_t * output_data_size);
int gnutls_x509_privkey_generate(gnutls_x509_privkey_t key,
gnutls_pk_algorithm_t algo,
unsigned int bits, unsigned int flags);
void gnutls_x509_privkey_set_flags(gnutls_x509_privkey_t key, unsigned int flags);
/**
* gnutls_keygen_types_t:
* @GNUTLS_KEYGEN_SEED: Specifies the seed to be used in key generation.
* @GNUTLS_KEYGEN_DIGEST: The size field specifies the hash algorithm to be used in key generation.
*
* Enumeration of different key exchange algorithms.
*/
typedef enum {
GNUTLS_KEYGEN_SEED = 1,
GNUTLS_KEYGEN_DIGEST = 2,
} gnutls_keygen_types_t;
typedef struct {
gnutls_keygen_types_t type;
unsigned char *data;
unsigned int size;
} gnutls_keygen_data_st;
int
gnutls_x509_privkey_generate2(gnutls_x509_privkey_t key,
gnutls_pk_algorithm_t algo, unsigned int bits,
unsigned int flags, const gnutls_keygen_data_st *data, unsigned data_size);
int gnutls_x509_privkey_verify_seed(gnutls_x509_privkey_t key, gnutls_digest_algorithm_t, const void *seed, size_t seed_size);
int gnutls_x509_privkey_get_seed(gnutls_x509_privkey_t key, gnutls_digest_algorithm_t*, void *seed, size_t *seed_size);
int gnutls_x509_privkey_verify_params(gnutls_x509_privkey_t key);
int gnutls_x509_privkey_export(gnutls_x509_privkey_t key,
gnutls_x509_crt_fmt_t format,
void *output_data,
size_t * output_data_size);
int gnutls_x509_privkey_export2(gnutls_x509_privkey_t key,
gnutls_x509_crt_fmt_t format,
gnutls_datum_t * out);
int gnutls_x509_privkey_export_pkcs8(gnutls_x509_privkey_t key,
gnutls_x509_crt_fmt_t format,
const char *password,
unsigned int flags,
void *output_data,
size_t * output_data_size);
int gnutls_x509_privkey_export2_pkcs8(gnutls_x509_privkey_t key,
gnutls_x509_crt_fmt_t format,
const char *password,
unsigned int flags,
gnutls_datum_t * out);
int gnutls_x509_privkey_export_rsa_raw2(gnutls_x509_privkey_t key,
gnutls_datum_t * m,
gnutls_datum_t * e,
gnutls_datum_t * d,
gnutls_datum_t * p,
gnutls_datum_t * q,
gnutls_datum_t * u,
gnutls_datum_t * e1,
gnutls_datum_t * e2);
int gnutls_x509_privkey_export_rsa_raw(gnutls_x509_privkey_t key,
gnutls_datum_t * m,
gnutls_datum_t * e,
gnutls_datum_t * d,
gnutls_datum_t * p,
gnutls_datum_t * q,
gnutls_datum_t * u);
int gnutls_x509_privkey_export_ecc_raw(gnutls_x509_privkey_t key,
gnutls_ecc_curve_t * curve,
gnutls_datum_t * x,
gnutls_datum_t * y,
gnutls_datum_t * k);
int gnutls_x509_privkey_sign_data(gnutls_x509_privkey_t key,
gnutls_digest_algorithm_t digest,
unsigned int flags,
const gnutls_datum_t * data,
void *signature,
size_t * signature_size);
/* Certificate request stuff.
*/
int gnutls_x509_crq_sign2(gnutls_x509_crq_t crq,
gnutls_x509_privkey_t key,
gnutls_digest_algorithm_t dig,
unsigned int flags);
int gnutls_x509_crq_print(gnutls_x509_crq_t crq,
gnutls_certificate_print_formats_t
format, gnutls_datum_t * out);
int gnutls_x509_crq_verify(gnutls_x509_crq_t crq, unsigned int flags);
int gnutls_x509_crq_init(gnutls_x509_crq_t * crq);
void gnutls_x509_crq_deinit(gnutls_x509_crq_t crq);
int gnutls_x509_crq_import(gnutls_x509_crq_t crq,
const gnutls_datum_t * data,
gnutls_x509_crt_fmt_t format);
int gnutls_x509_crq_get_private_key_usage_period(gnutls_x509_crq_t
cert,
time_t *
activation,
time_t *
expiration, unsigned int
*critical);
int gnutls_x509_crq_get_dn(gnutls_x509_crq_t crq, char *buf,
size_t * sizeof_buf);
int gnutls_x509_crq_get_dn2(gnutls_x509_crq_t crq, gnutls_datum_t * dn);
int gnutls_x509_crq_get_dn3(gnutls_x509_crq_t crq, gnutls_datum_t * dn, unsigned flags);
int gnutls_x509_crq_get_dn_oid(gnutls_x509_crq_t crq, unsigned indx,
void *oid, size_t * sizeof_oid);
int gnutls_x509_crq_get_dn_by_oid(gnutls_x509_crq_t crq,
const char *oid, unsigned indx,
unsigned int raw_flag, void *buf,
size_t * sizeof_buf);
int gnutls_x509_crq_set_dn(gnutls_x509_crq_t crq, const char *dn,
const char **err);
int gnutls_x509_crq_set_dn_by_oid(gnutls_x509_crq_t crq,
const char *oid,
unsigned int raw_flag,
const void *data,
unsigned int sizeof_data);
int gnutls_x509_crq_set_version(gnutls_x509_crq_t crq,
unsigned int version);
int gnutls_x509_crq_get_version(gnutls_x509_crq_t crq);
int gnutls_x509_crq_set_key(gnutls_x509_crq_t crq,
gnutls_x509_privkey_t key);
int
gnutls_x509_crq_set_extension_by_oid(gnutls_x509_crq_t crq,
const char *oid, const void *buf,
size_t sizeof_buf,
unsigned int critical);
int gnutls_x509_crq_set_challenge_password(gnutls_x509_crq_t crq,
const char *pass);
int gnutls_x509_crq_get_challenge_password(gnutls_x509_crq_t crq,
char *pass,
size_t * sizeof_pass);
int gnutls_x509_crq_set_attribute_by_oid(gnutls_x509_crq_t crq,
const char *oid,
void *buf, size_t sizeof_buf);
int gnutls_x509_crq_get_attribute_by_oid(gnutls_x509_crq_t crq,
const char *oid, unsigned indx,
void *buf, size_t * sizeof_buf);
int gnutls_x509_crq_export(gnutls_x509_crq_t crq,
gnutls_x509_crt_fmt_t format,
void *output_data, size_t * output_data_size);
int gnutls_x509_crq_export2(gnutls_x509_crq_t crq,
gnutls_x509_crt_fmt_t format,
gnutls_datum_t * out);
int gnutls_x509_crt_set_crq(gnutls_x509_crt_t crt, gnutls_x509_crq_t crq);
int gnutls_x509_crt_set_crq_extensions(gnutls_x509_crt_t crt,
gnutls_x509_crq_t crq);
int
gnutls_x509_crt_set_crq_extension_by_oid(gnutls_x509_crt_t crt,
gnutls_x509_crq_t crq, const char *oid,
unsigned flags);
int gnutls_x509_crq_set_private_key_usage_period(gnutls_x509_crq_t
crq,
time_t activation,
time_t expiration);
int gnutls_x509_crq_set_key_rsa_raw(gnutls_x509_crq_t crq,
const gnutls_datum_t * m,
const gnutls_datum_t * e);
int gnutls_x509_crq_set_subject_alt_name(gnutls_x509_crq_t crq,
gnutls_x509_subject_alt_name_t
nt, const void *data,
unsigned int data_size,
unsigned int flags);
int
gnutls_x509_crq_set_subject_alt_othername(gnutls_x509_crq_t crq,
const char *oid,
const void *data,
unsigned int data_size,
unsigned int flags);
int gnutls_x509_crq_set_key_usage(gnutls_x509_crq_t crq,
unsigned int usage);
int gnutls_x509_crq_set_basic_constraints(gnutls_x509_crq_t crq,
unsigned int ca,
int pathLenConstraint);
int gnutls_x509_crq_set_key_purpose_oid(gnutls_x509_crq_t crq,
const void *oid,
unsigned int critical);
int gnutls_x509_crq_get_key_purpose_oid(gnutls_x509_crq_t crq,
unsigned indx, void *oid,
size_t * sizeof_oid,
unsigned int *critical);
int gnutls_x509_crq_get_extension_data(gnutls_x509_crq_t crq,
unsigned indx, void *data,
size_t * sizeof_data);
int
gnutls_x509_crq_get_extension_data2(gnutls_x509_crq_t crq,
unsigned indx,
gnutls_datum_t * data);
int gnutls_x509_crq_get_extension_info(gnutls_x509_crq_t crq,
unsigned indx, void *oid,
size_t * sizeof_oid,
unsigned int *critical);
int gnutls_x509_crq_get_attribute_data(gnutls_x509_crq_t crq,
unsigned indx, void *data,
size_t * sizeof_data);
int gnutls_x509_crq_get_attribute_info(gnutls_x509_crq_t crq,
unsigned indx, void *oid,
size_t * sizeof_oid);
int gnutls_x509_crq_get_pk_algorithm(gnutls_x509_crq_t crq,
unsigned int *bits);
int gnutls_x509_crq_get_signature_oid(gnutls_x509_crq_t crq, char *oid, size_t *oid_size);
int gnutls_x509_crq_get_pk_oid(gnutls_x509_crq_t crq, char *oid, size_t *oid_size);
int gnutls_x509_crq_get_key_id(gnutls_x509_crq_t crq,
unsigned int flags,
unsigned char *output_data,
size_t * output_data_size);
int gnutls_x509_crq_get_key_rsa_raw(gnutls_x509_crq_t crq,
gnutls_datum_t * m,
gnutls_datum_t * e);
int gnutls_x509_crq_get_key_usage(gnutls_x509_crq_t crq,
unsigned int *key_usage,
unsigned int *critical);
int gnutls_x509_crq_get_basic_constraints(gnutls_x509_crq_t crq,
unsigned int *critical,
unsigned int *ca, int *pathlen);
int gnutls_x509_crq_get_subject_alt_name(gnutls_x509_crq_t crq,
unsigned int seq,
void *ret,
size_t * ret_size,
unsigned int *ret_type,
unsigned int *critical);
int gnutls_x509_crq_get_subject_alt_othername_oid(gnutls_x509_crq_t
crq,
unsigned int seq,
void *ret,
size_t * ret_size);
int gnutls_x509_crq_get_extension_by_oid(gnutls_x509_crq_t crq,
const char *oid, unsigned indx,
void *buf,
size_t * sizeof_buf,
unsigned int *critical);
int gnutls_x509_crq_get_tlsfeatures(gnutls_x509_crq_t crq,
gnutls_x509_tlsfeatures_t features,
unsigned flags,
unsigned int *critical);
int gnutls_x509_crq_set_tlsfeatures(gnutls_x509_crq_t crq,
gnutls_x509_tlsfeatures_t features);
int
gnutls_x509_crt_get_extension_by_oid2(gnutls_x509_crt_t cert,
const char *oid, unsigned indx,
gnutls_datum_t *output,
unsigned int *critical);
typedef struct gnutls_x509_trust_list_st *gnutls_x509_trust_list_t;
typedef struct gnutls_x509_trust_list_iter *gnutls_x509_trust_list_iter_t;
int
gnutls_x509_trust_list_init(gnutls_x509_trust_list_t * list,
unsigned int size);
void
gnutls_x509_trust_list_deinit(gnutls_x509_trust_list_t list,
unsigned int all);
int gnutls_x509_trust_list_get_issuer(gnutls_x509_trust_list_t
list, gnutls_x509_crt_t cert,
gnutls_x509_crt_t * issuer,
unsigned int flags);
int gnutls_x509_trust_list_get_issuer_by_dn(gnutls_x509_trust_list_t list,
const gnutls_datum_t *dn,
gnutls_x509_crt_t *issuer,
unsigned int flags);
int gnutls_x509_trust_list_get_issuer_by_subject_key_id(gnutls_x509_trust_list_t list,
const gnutls_datum_t *dn,
const gnutls_datum_t *spki,
gnutls_x509_crt_t *issuer,
unsigned int flags);
/**
* gnutls_trust_list_flags_t:
* @GNUTLS_TL_VERIFY_CRL: If any CRLs are provided they will be verified for validity
* prior to be added. The CA certificates that will be used for verification are the
* ones already added in the trusted list.
* @GNUTLS_TL_USE_IN_TLS: Internal flag used by GnuTLS. If provided the trust list
* structure will cache a copy of CA DNs to be used in the certificate request
* TLS message.
* @GNUTLS_TL_NO_DUPLICATES: If this flag is specified, a function adding certificates
* will check and eliminate any duplicates.
* @GNUTLS_TL_NO_DUPLICATE_KEY: If this flag is specified, a certificate sharing the
* same key as a previously added on will not be added.
* @GNUTLS_TL_GET_COPY: The semantics of this flag are documented to the functions which
* are applicable. In general, on returned value, the function will provide a copy
* if this flag is provided, rather than a pointer to internal data.
*
* Enumeration of different certificate trust list flags.
*/
typedef enum gnutls_trust_list_flags_t {
GNUTLS_TL_VERIFY_CRL = 1,
#define GNUTLS_TL_VERIFY_CRL 1
GNUTLS_TL_USE_IN_TLS = (1<<1),
#define GNUTLS_TL_USE_IN_TLS (1<<1)
GNUTLS_TL_NO_DUPLICATES = (1<<2),
#define GNUTLS_TL_NO_DUPLICATES (1<<2)
GNUTLS_TL_NO_DUPLICATE_KEY = (1<<3),
#define GNUTLS_TL_NO_DUPLICATE_KEY (1<<3)
GNUTLS_TL_GET_COPY = (1<<4)
#define GNUTLS_TL_GET_COPY (1<<4)
} gnutls_trust_list_flags_t;
int
gnutls_x509_trust_list_add_cas(gnutls_x509_trust_list_t list,
const gnutls_x509_crt_t * clist,
unsigned clist_size, unsigned int flags);
int gnutls_x509_trust_list_remove_cas(gnutls_x509_trust_list_t
list,
const gnutls_x509_crt_t *
clist, unsigned clist_size);
int gnutls_x509_trust_list_add_named_crt(gnutls_x509_trust_list_t
list,
gnutls_x509_crt_t cert,
const void *name,
size_t name_size,
unsigned int flags);
int
gnutls_x509_trust_list_add_crls(gnutls_x509_trust_list_t list,
const gnutls_x509_crl_t *
crl_list, unsigned crl_size,
unsigned int flags,
unsigned int verification_flags);
int
gnutls_x509_trust_list_iter_get_ca(gnutls_x509_trust_list_t list,
gnutls_x509_trust_list_iter_t *iter,
gnutls_x509_crt_t *crt);
void gnutls_x509_trust_list_iter_deinit(gnutls_x509_trust_list_iter_t iter);
typedef int gnutls_verify_output_function(gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer, /* The issuer if verification failed
* because of him. might be null.
*/
gnutls_x509_crl_t crl, /* The CRL that caused verification failure
* if any. Might be null.
*/
unsigned int
verification_output);
int gnutls_x509_trust_list_verify_named_crt
(gnutls_x509_trust_list_t list, gnutls_x509_crt_t cert,
const void *name, size_t name_size, unsigned int flags,
unsigned int *verify, gnutls_verify_output_function func);
int
gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
gnutls_x509_crt_t * cert_list,
unsigned int cert_list_size,
gnutls_typed_vdata_st * data,
unsigned int elements,
unsigned int flags,
unsigned int *voutput,
gnutls_verify_output_function func);
int
gnutls_x509_trust_list_verify_crt(gnutls_x509_trust_list_t list,
gnutls_x509_crt_t * cert_list,
unsigned int cert_list_size,
unsigned int flags,
unsigned int *verify,
gnutls_verify_output_function func);
/* trust list convenience functions */
int
gnutls_x509_trust_list_add_trust_mem(gnutls_x509_trust_list_t
list,
const gnutls_datum_t * cas,
const gnutls_datum_t * crls,
gnutls_x509_crt_fmt_t type,
unsigned int tl_flags,
unsigned int tl_vflags);
int
gnutls_x509_trust_list_add_trust_file(gnutls_x509_trust_list_t
list, const char *ca_file,
const char *crl_file,
gnutls_x509_crt_fmt_t type,
unsigned int tl_flags,
unsigned int tl_vflags);
int
gnutls_x509_trust_list_add_trust_dir(gnutls_x509_trust_list_t list,
const char *ca_dir,
const char *crl_dir,
gnutls_x509_crt_fmt_t type,
unsigned int tl_flags,
unsigned int tl_vflags);
int
gnutls_x509_trust_list_remove_trust_file(gnutls_x509_trust_list_t
list,
const char *ca_file,
gnutls_x509_crt_fmt_t type);
int
gnutls_x509_trust_list_remove_trust_mem(gnutls_x509_trust_list_t
list,
const gnutls_datum_t *
cas, gnutls_x509_crt_fmt_t type);
int
gnutls_x509_trust_list_add_system_trust(gnutls_x509_trust_list_t
list,
unsigned int tl_flags,
unsigned int tl_vflags);
void gnutls_certificate_set_trust_list
(gnutls_certificate_credentials_t res,
gnutls_x509_trust_list_t tlist, unsigned flags);
void gnutls_certificate_get_trust_list
(gnutls_certificate_credentials_t res,
gnutls_x509_trust_list_t *tlist);
typedef struct gnutls_x509_ext_st {
char *oid;
unsigned int critical;
gnutls_datum_t data;
} gnutls_x509_ext_st;
void gnutls_x509_ext_deinit(gnutls_x509_ext_st *ext);
int
gnutls_x509_ext_print(gnutls_x509_ext_st *exts, unsigned int exts_size,
gnutls_certificate_print_formats_t format,
gnutls_datum_t * out);
#include <gnutls/pkcs7.h>
/* *INDENT-OFF* */
#ifdef __cplusplus
}
#endif
/* *INDENT-ON* */
#endif /* GNUTLS_X509_H */
|