x509

x509

Functions

int gnutls_x509_crt_init ()
void gnutls_x509_crt_deinit ()
void gnutls_x509_crt_set_flags ()
unsigned gnutls_x509_crt_equals ()
unsigned gnutls_x509_crt_equals2 ()
int gnutls_x509_crt_import ()
int gnutls_x509_crt_list_import2 ()
int gnutls_x509_crt_list_import ()
int gnutls_x509_crt_import_url ()
int gnutls_x509_crt_list_import_url ()
int gnutls_x509_crt_export ()
int gnutls_x509_crt_export2 ()
int gnutls_x509_crt_get_private_key_usage_period ()
int gnutls_x509_crt_get_issuer_dn ()
int gnutls_x509_crt_get_issuer_dn2 ()
int gnutls_x509_crt_get_issuer_dn3 ()
int gnutls_x509_crt_get_issuer_dn_oid ()
int gnutls_x509_crt_get_issuer_dn_by_oid ()
int gnutls_x509_crt_get_dn ()
int gnutls_x509_crt_get_dn2 ()
int gnutls_x509_crt_get_dn3 ()
int gnutls_x509_crt_get_dn_oid ()
int gnutls_x509_crt_get_dn_by_oid ()
unsigned gnutls_x509_crt_check_hostname ()
unsigned gnutls_x509_crt_check_hostname2 ()
unsigned gnutls_x509_crt_check_email ()
unsigned gnutls_x509_crt_check_ip ()
int gnutls_x509_crt_get_signature_algorithm ()
int gnutls_x509_crt_get_signature ()
int gnutls_x509_crt_get_version ()
int gnutls_x509_crt_get_pk_oid ()
int gnutls_x509_crt_get_signature_oid ()
int gnutls_x509_crt_get_key_id ()
int gnutls_x509_crt_set_private_key_usage_period ()
int gnutls_x509_crt_set_authority_key_id ()
int gnutls_x509_crt_get_authority_key_id ()
int gnutls_x509_crt_get_authority_key_gn_serial ()
int gnutls_x509_crt_get_subject_key_id ()
int gnutls_x509_crt_get_subject_unique_id ()
int gnutls_x509_crt_get_issuer_unique_id ()
void gnutls_x509_crt_set_pin_function ()
int gnutls_x509_crt_get_authority_info_access ()
unsigned gnutls_x509_name_constraints_check ()
unsigned gnutls_x509_name_constraints_check_crt ()
int gnutls_x509_name_constraints_init ()
void gnutls_x509_name_constraints_deinit ()
int gnutls_x509_crt_get_name_constraints ()
int gnutls_x509_name_constraints_add_permitted ()
int gnutls_x509_name_constraints_add_excluded ()
int gnutls_x509_crt_set_name_constraints ()
int gnutls_x509_name_constraints_get_permitted ()
int gnutls_x509_name_constraints_get_excluded ()
int gnutls_x509_cidr_to_rfc5280 ()
int gnutls_x509_crt_get_crl_dist_points ()
int gnutls_x509_crt_set_crl_dist_points2 ()
int gnutls_x509_crt_set_crl_dist_points ()
int gnutls_x509_crt_cpy_crl_dist_points ()
int gnutls_x509_crl_sign ()
int gnutls_x509_crl_sign2 ()
time_t gnutls_x509_crt_get_activation_time ()
time_t gnutls_x509_crt_get_expiration_time ()
int gnutls_x509_crt_get_serial ()
int gnutls_x509_spki_init ()
void gnutls_x509_spki_deinit ()
int gnutls_x509_spki_get_rsa_pss_params ()
void gnutls_x509_spki_set_rsa_pss_params ()
int gnutls_x509_crt_get_pk_algorithm ()
int gnutls_x509_crt_set_spki ()
int gnutls_x509_crt_get_spki ()
int gnutls_x509_crt_get_pk_rsa_raw ()
int gnutls_x509_crt_get_pk_dsa_raw ()
int gnutls_x509_crt_get_pk_ecc_raw ()
int gnutls_x509_crt_get_pk_gost_raw ()
int gnutls_x509_crt_get_subject_alt_name ()
int gnutls_x509_crt_get_subject_alt_name2 ()
int gnutls_x509_crt_get_subject_alt_othername_oid ()
int gnutls_x509_crt_get_issuer_alt_name ()
int gnutls_x509_crt_get_issuer_alt_name2 ()
int gnutls_x509_crt_get_issuer_alt_othername_oid ()
int gnutls_x509_crt_get_ca_status ()
int gnutls_x509_crt_get_basic_constraints ()
int gnutls_x509_crt_get_key_usage ()
int gnutls_x509_crt_set_key_usage ()
int gnutls_x509_crt_set_authority_info_access ()
int gnutls_x509_crt_get_inhibit_anypolicy ()
int gnutls_x509_crt_set_inhibit_anypolicy ()
int gnutls_x509_crt_get_proxy ()
int gnutls_x509_tlsfeatures_init ()
void gnutls_x509_tlsfeatures_deinit ()
int gnutls_x509_tlsfeatures_get ()
int gnutls_x509_crt_set_tlsfeatures ()
int gnutls_x509_crt_get_tlsfeatures ()
unsigned gnutls_x509_tlsfeatures_check_crt ()
void gnutls_x509_policy_release ()
int gnutls_x509_crt_get_policy ()
int gnutls_x509_crt_set_policy ()
int gnutls_x509_dn_oid_known ()
const char * gnutls_x509_dn_oid_name ()
int gnutls_x509_crt_get_extension_oid ()
int gnutls_x509_crt_get_extension_by_oid ()
int gnutls_x509_crq_get_signature_algorithm ()
int gnutls_x509_crq_get_extension_by_oid2 ()
int gnutls_x509_crt_get_extension_info ()
int gnutls_x509_crt_get_extension_data ()
int gnutls_x509_crt_get_extension_data2 ()
int gnutls_x509_crt_set_extension_by_oid ()
int gnutls_x509_crt_set_dn ()
int gnutls_x509_crt_set_dn_by_oid ()
int gnutls_x509_crt_set_issuer_dn_by_oid ()
int gnutls_x509_crt_set_issuer_dn ()
int gnutls_x509_crt_set_version ()
int gnutls_x509_crt_set_key ()
int gnutls_x509_crt_set_ca_status ()
int gnutls_x509_crt_set_basic_constraints ()
int gnutls_x509_crt_set_subject_unique_id ()
int gnutls_x509_crt_set_issuer_unique_id ()
int gnutls_x509_crt_set_subject_alternative_name ()
int gnutls_x509_crt_set_subject_alt_name ()
int gnutls_x509_crt_set_subject_alt_othername ()
int gnutls_x509_crt_set_issuer_alt_name ()
int gnutls_x509_crt_set_issuer_alt_othername ()
int gnutls_x509_crt_sign ()
int gnutls_x509_crt_sign2 ()
int gnutls_x509_crt_set_activation_time ()
int gnutls_x509_crt_set_expiration_time ()
int gnutls_x509_crt_set_serial ()
int gnutls_x509_crt_set_subject_key_id ()
int gnutls_x509_crt_set_proxy_dn ()
int gnutls_x509_crt_set_proxy ()
int gnutls_x509_crt_print ()
int gnutls_x509_crl_print ()
int gnutls_x509_crt_get_raw_issuer_dn ()
int gnutls_x509_crt_get_raw_dn ()
int gnutls_x509_rdn_get ()
int gnutls_x509_rdn_get2 ()
int gnutls_x509_rdn_get_oid ()
int gnutls_x509_rdn_get_by_oid ()
int gnutls_x509_crt_get_subject ()
int gnutls_x509_crt_get_issuer ()
int gnutls_x509_dn_get_rdn_ava ()
int gnutls_x509_dn_get_str ()
int gnutls_x509_dn_get_str2 ()
int gnutls_x509_dn_set_str ()
int gnutls_x509_dn_init ()
int gnutls_x509_dn_import ()
int gnutls_x509_dn_export ()
int gnutls_x509_dn_export2 ()
void gnutls_x509_dn_deinit ()
int gnutls_x509_crl_init ()
void gnutls_x509_crl_deinit ()
int gnutls_x509_crl_import ()
int gnutls_x509_crl_export ()
int gnutls_x509_crl_export2 ()
int gnutls_x509_crl_get_raw_issuer_dn ()
int gnutls_x509_crl_get_issuer_dn ()
int gnutls_x509_crl_get_issuer_dn2 ()
int gnutls_x509_crl_get_issuer_dn3 ()
int gnutls_x509_crl_get_issuer_dn_by_oid ()
int gnutls_x509_crl_get_dn_oid ()
int gnutls_x509_crl_get_signature_algorithm ()
int gnutls_x509_crl_get_signature ()
int gnutls_x509_crl_get_version ()
int gnutls_x509_crl_get_signature_oid ()
time_t gnutls_x509_crl_get_this_update ()
time_t gnutls_x509_crl_get_next_update ()
int gnutls_x509_crl_get_crt_count ()
int gnutls_x509_crl_get_crt_serial ()
int gnutls_x509_crl_iter_crt_serial ()
void gnutls_x509_crl_iter_deinit ()
unsigned gnutls_x509_crl_check_issuer ()
int gnutls_x509_crl_list_import2 ()
int gnutls_x509_crl_list_import ()
int gnutls_x509_crl_set_version ()
int gnutls_x509_crl_set_this_update ()
int gnutls_x509_crl_set_next_update ()
int gnutls_x509_crl_set_crt_serial ()
int gnutls_x509_crl_set_crt ()
int gnutls_x509_crl_get_authority_key_id ()
int gnutls_x509_crl_get_authority_key_gn_serial ()
int gnutls_x509_crl_get_number ()
int gnutls_x509_crl_get_extension_oid ()
int gnutls_x509_crl_get_extension_info ()
int gnutls_x509_crl_get_extension_data ()
int gnutls_x509_crl_get_extension_data2 ()
int gnutls_x509_crl_set_authority_key_id ()
int gnutls_x509_crl_set_number ()
#define GNUTLS_PROFILE_TO_VFLAGS()
#define GNUTLS_VFLAGS_TO_PROFILE()
const char * gnutls_certificate_verification_profile_get_name ()
int gnutls_x509_crt_list_verify ()
int gnutls_x509_crt_verify ()
int gnutls_x509_crl_verify ()
int gnutls_x509_crt_verify_data2 ()
int gnutls_x509_crt_check_revocation ()
int gnutls_x509_crt_get_fingerprint ()
int gnutls_x509_crt_get_key_purpose_oid ()
int gnutls_x509_crt_set_key_purpose_oid ()
unsigned gnutls_x509_crt_check_key_purpose ()
#define GNUTLS_PKCS_CIPHER_MASK()
const char * gnutls_pkcs_schema_get_name ()
const char * gnutls_pkcs_schema_get_oid ()
int gnutls_x509_privkey_init ()
void gnutls_x509_privkey_deinit ()
gnutls_sec_param_t gnutls_x509_privkey_sec_param ()
void gnutls_x509_privkey_set_pin_function ()
int gnutls_x509_privkey_cpy ()
int gnutls_x509_privkey_import ()
int gnutls_x509_privkey_import_pkcs8 ()
int gnutls_x509_privkey_import_openssl ()
int gnutls_pkcs8_info ()
int gnutls_x509_privkey_import2 ()
int gnutls_x509_privkey_import_rsa_raw ()
int gnutls_x509_privkey_import_rsa_raw2 ()
int gnutls_x509_privkey_import_ecc_raw ()
int gnutls_x509_privkey_import_gost_raw ()
int gnutls_x509_privkey_fix ()
int gnutls_x509_privkey_export_dsa_raw ()
int gnutls_x509_privkey_import_dsa_raw ()
int gnutls_x509_privkey_get_pk_algorithm ()
int gnutls_x509_privkey_get_pk_algorithm2 ()
int gnutls_x509_privkey_get_spki ()
int gnutls_x509_privkey_set_spki ()
int gnutls_x509_privkey_get_key_id ()
int gnutls_x509_privkey_generate ()
void gnutls_x509_privkey_set_flags ()
int gnutls_x509_privkey_generate2 ()
int gnutls_x509_privkey_verify_seed ()
int gnutls_x509_privkey_get_seed ()
int gnutls_x509_privkey_verify_params ()
int gnutls_x509_privkey_export ()
int gnutls_x509_privkey_export2 ()
int gnutls_x509_privkey_export_pkcs8 ()
int gnutls_x509_privkey_export2_pkcs8 ()
int gnutls_x509_privkey_export_rsa_raw2 ()
int gnutls_x509_privkey_export_rsa_raw ()
int gnutls_x509_privkey_export_ecc_raw ()
int gnutls_x509_privkey_export_gost_raw ()
int gnutls_x509_privkey_sign_data ()
int gnutls_x509_crq_sign ()
int gnutls_x509_crq_sign2 ()
int gnutls_x509_crq_print ()
int gnutls_x509_crq_verify ()
int gnutls_x509_crq_init ()
void gnutls_x509_crq_deinit ()
int gnutls_x509_crq_import ()
int gnutls_x509_crq_get_private_key_usage_period ()
int gnutls_x509_crq_get_dn ()
int gnutls_x509_crq_get_dn2 ()
int gnutls_x509_crq_get_dn3 ()
int gnutls_x509_crq_get_dn_oid ()
int gnutls_x509_crq_get_dn_by_oid ()
int gnutls_x509_crq_set_dn ()
int gnutls_x509_crq_set_dn_by_oid ()
int gnutls_x509_crq_set_version ()
int gnutls_x509_crq_get_version ()
int gnutls_x509_crq_set_key ()
int gnutls_x509_crq_set_extension_by_oid ()
int gnutls_x509_crq_set_challenge_password ()
int gnutls_x509_crq_get_challenge_password ()
int gnutls_x509_crq_set_attribute_by_oid ()
int gnutls_x509_crq_get_attribute_by_oid ()
int gnutls_x509_crq_export ()
int gnutls_x509_crq_export2 ()
int gnutls_x509_crt_set_crq ()
int gnutls_x509_crt_set_crq_extensions ()
int gnutls_x509_crt_set_crq_extension_by_oid ()
int gnutls_x509_crq_set_private_key_usage_period ()
int gnutls_x509_crq_set_key_rsa_raw ()
int gnutls_x509_crq_set_subject_alt_name ()
int gnutls_x509_crq_set_subject_alt_othername ()
int gnutls_x509_crq_set_key_usage ()
int gnutls_x509_crq_set_basic_constraints ()
int gnutls_x509_crq_set_key_purpose_oid ()
int gnutls_x509_crq_get_key_purpose_oid ()
int gnutls_x509_crq_get_extension_data ()
int gnutls_x509_crq_get_extension_data2 ()
int gnutls_x509_crq_get_extension_info ()
int gnutls_x509_crq_get_attribute_data ()
int gnutls_x509_crq_get_attribute_info ()
int gnutls_x509_crq_get_pk_algorithm ()
int gnutls_x509_crq_get_spki ()
int gnutls_x509_crq_set_spki ()
int gnutls_x509_crq_get_signature_oid ()
int gnutls_x509_crq_get_pk_oid ()
int gnutls_x509_crq_get_key_id ()
int gnutls_x509_crq_get_key_rsa_raw ()
int gnutls_x509_crq_get_key_usage ()
int gnutls_x509_crq_get_basic_constraints ()
int gnutls_x509_crq_get_subject_alt_name ()
int gnutls_x509_crq_get_subject_alt_othername_oid ()
int gnutls_x509_crq_get_extension_by_oid ()
int gnutls_x509_crq_get_tlsfeatures ()
int gnutls_x509_crq_set_tlsfeatures ()
int gnutls_x509_crt_get_extension_by_oid2 ()
int gnutls_x509_trust_list_init ()
void gnutls_x509_trust_list_deinit ()
int gnutls_x509_trust_list_get_issuer ()
int gnutls_x509_trust_list_get_issuer_by_dn ()
int gnutls_x509_trust_list_get_issuer_by_subject_key_id ()
int gnutls_x509_trust_list_add_cas ()
int gnutls_x509_trust_list_remove_cas ()
int gnutls_x509_trust_list_add_named_crt ()
int gnutls_x509_trust_list_add_crls ()
int gnutls_x509_trust_list_iter_get_ca ()
void gnutls_x509_trust_list_iter_deinit ()
void gnutls_session_set_verify_output_function ()
int gnutls_x509_trust_list_verify_named_crt ()
int gnutls_x509_trust_list_verify_crt2 ()
int gnutls_x509_trust_list_verify_crt ()
int gnutls_x509_trust_list_add_trust_mem ()
int gnutls_x509_trust_list_add_trust_file ()
int gnutls_x509_trust_list_add_trust_dir ()
int gnutls_x509_trust_list_remove_trust_file ()
int gnutls_x509_trust_list_remove_trust_mem ()
int gnutls_x509_trust_list_add_system_trust ()
void gnutls_x509_trust_list_set_getissuer_function ()
void gnutls_x509_trust_list_set_ptr ()
void * gnutls_x509_trust_list_get_ptr ()
void gnutls_certificate_set_trust_list ()
void gnutls_certificate_get_trust_list ()
void gnutls_x509_ext_deinit ()
int gnutls_x509_ext_print ()

Types and Values

#define GNUTLS_OID_X520_COUNTRY_NAME
#define GNUTLS_OID_X520_ORGANIZATION_NAME
#define GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME
#define GNUTLS_OID_X520_COMMON_NAME
#define GNUTLS_OID_X520_LOCALITY_NAME
#define GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME
#define GNUTLS_OID_X520_INITIALS
#define GNUTLS_OID_X520_GENERATION_QUALIFIER
#define GNUTLS_OID_X520_SURNAME
#define GNUTLS_OID_X520_GIVEN_NAME
#define GNUTLS_OID_X520_TITLE
#define GNUTLS_OID_X520_DN_QUALIFIER
#define GNUTLS_OID_X520_PSEUDONYM
#define GNUTLS_OID_X520_POSTALCODE
#define GNUTLS_OID_X520_NAME
#define GNUTLS_OID_LDAP_DC
#define GNUTLS_OID_LDAP_UID
#define GNUTLS_OID_PKCS9_EMAIL
#define GNUTLS_OID_PKIX_DATE_OF_BIRTH
#define GNUTLS_OID_PKIX_PLACE_OF_BIRTH
#define GNUTLS_OID_PKIX_GENDER
#define GNUTLS_OID_PKIX_COUNTRY_OF_CITIZENSHIP
#define GNUTLS_OID_PKIX_COUNTRY_OF_RESIDENCE
#define GNUTLS_KP_TLS_WWW_SERVER
#define GNUTLS_KP_TLS_WWW_CLIENT
#define GNUTLS_KP_CODE_SIGNING
#define GNUTLS_KP_MS_SMART_CARD_LOGON
#define GNUTLS_KP_EMAIL_PROTECTION
#define GNUTLS_KP_TIME_STAMPING
#define GNUTLS_KP_OCSP_SIGNING
#define GNUTLS_KP_IPSEC_IKE
#define GNUTLS_KP_ANY
#define GNUTLS_KP_FLAG_DISALLOW_ANY
#define GNUTLS_OID_AIA
#define GNUTLS_OID_AD_OCSP
#define GNUTLS_OID_AD_CAISSUERS
#define GNUTLS_FSAN_SET
#define GNUTLS_FSAN_APPEND
#define GNUTLS_FSAN_ENCODE_OCTET_STRING
#define GNUTLS_FSAN_ENCODE_UTF8_STRING
#define GNUTLS_X509EXT_OID_SUBJECT_KEY_ID
#define GNUTLS_X509EXT_OID_KEY_USAGE
#define GNUTLS_X509EXT_OID_PRIVATE_KEY_USAGE_PERIOD
#define GNUTLS_X509EXT_OID_SAN
#define GNUTLS_X509EXT_OID_IAN
#define GNUTLS_X509EXT_OID_BASIC_CONSTRAINTS
#define GNUTLS_X509EXT_OID_NAME_CONSTRAINTS
#define GNUTLS_X509EXT_OID_CRL_DIST_POINTS
#define GNUTLS_X509EXT_OID_CRT_POLICY
#define GNUTLS_X509EXT_OID_AUTHORITY_KEY_ID
#define GNUTLS_X509EXT_OID_EXTENDED_KEY_USAGE
#define GNUTLS_X509EXT_OID_INHIBIT_ANYPOLICY
#define GNUTLS_X509EXT_OID_AUTHORITY_INFO_ACCESS
#define GNUTLS_X509EXT_OID_PROXY_CRT_INFO
#define GNUTLS_X509EXT_OID_TLSFEATURES
#define GNUTLS_X509EXT_OID_CT_SCT_V1
#define GNUTLS_X509_OID_POLICY_ANY
enum gnutls_certificate_import_flags
enum gnutls_x509_crt_flags
enum gnutls_keyid_flags_t
enum gnutls_info_access_what_t
typedef gnutls_x509_name_constraints_t
#define GNUTLS_EXT_FLAG_APPEND
#define GNUTLS_NAME_CONSTRAINTS_FLAG_APPEND
#define GNUTLS_CRL_REASON_SUPERSEEDED
enum gnutls_x509_crl_reason_flags_t
#define GNUTLS_X509_NO_WELL_DEFINED_EXPIRATION
typedef gnutls_x509_spki_t
typedef gnutls_x509_tlsfeatures_t
#define GNUTLS_MAX_QUALIFIERS
enum gnutls_x509_qualifier_t
  gnutls_x509_policy_st
#define GNUTLS_X509_DN_OID_RETURN_OID
typedef gnutls_x509_dn_t
  gnutls_x509_ava_st
#define GNUTLS_X509_DN_FLAG_COMPAT
typedef gnutls_x509_crl_iter_t
#define gnutls_x509_crl_get_certificate_count
#define gnutls_x509_crl_get_certificate
enum gnutls_certificate_verify_flags
#define GNUTLS_VERIFY_ALLOW_BROKEN
enum gnutls_certificate_verification_profiles_t
#define GNUTLS_VFLAGS_PROFILE_MASK
#define GNUTLS_PKCS8_PLAIN
#define GNUTLS_PKCS8_USE_PKCS12_3DES
#define GNUTLS_PKCS8_USE_PKCS12_ARCFOUR
#define GNUTLS_PKCS8_USE_PKCS12_RC2_40
enum gnutls_pkcs_encrypt_flags_t
#define GNUTLS_PKCS_USE_PKCS12_3DES
#define GNUTLS_PKCS_USE_PKCS12_ARCFOUR
#define GNUTLS_PKCS_USE_PKCS12_RC2_40
#define GNUTLS_PKCS_USE_PBES2_3DES
#define GNUTLS_PKCS_USE_PBES2_AES_128
#define GNUTLS_PKCS_USE_PBES2_AES_192
#define GNUTLS_PKCS_USE_PBES2_AES_256
#define GNUTLS_PKCS_USE_PBES2_GOST_TC26Z
#define GNUTLS_PKCS_USE_PBES2_GOST_CPA
#define GNUTLS_PKCS_USE_PBES2_GOST_CPB
#define GNUTLS_PKCS_USE_PBES2_GOST_CPC
#define GNUTLS_PKCS_USE_PBES2_GOST_CPD
enum gnutls_keygen_types_t
  gnutls_keygen_data_st
typedef gnutls_x509_trust_list_t
typedef gnutls_x509_trust_list_iter_t
enum gnutls_trust_list_flags_t
  gnutls_x509_ext_st

Description

Functions

gnutls_x509_crt_init ()

int
gnutls_x509_crt_init (gnutls_x509_crt_t *cert);

This function will initialize an X.509 certificate structure.

Parameters

cert

A pointer to the type to be initialized

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_x509_crt_deinit ()

void
gnutls_x509_crt_deinit (gnutls_x509_crt_t cert);

This function will deinitialize a certificate structure.

Parameters

cert

The data to be deinitialized

 

gnutls_x509_crt_set_flags ()

void
gnutls_x509_crt_set_flags (gnutls_x509_crt_t cert,
                           unsigned  flags);

This function will set flags for the specified certificate. Currently this is useful for the GNUTLS_X509_CRT_FLAG_IGNORE_SANITY which allows importing certificates even if they have known issues.

Parameters

cert

A type gnutls_x509_crt_t

 

flags

flags from the gnutls_x509_crt_flags

 

Since: 3.6.0


gnutls_x509_crt_equals ()

unsigned
gnutls_x509_crt_equals (gnutls_x509_crt_t cert1,
                        gnutls_x509_crt_t cert2);

gnutls_x509_crt_equals2 ()

unsigned
gnutls_x509_crt_equals2 (gnutls_x509_crt_t cert1,
                         const gnutls_datum_t *der);

gnutls_x509_crt_import ()

int
gnutls_x509_crt_import (gnutls_x509_crt_t cert,
                        const gnutls_datum_t *data,
                        gnutls_x509_crt_fmt_t format);

This function will convert the given DER or PEM encoded Certificate to the native gnutls_x509_crt_t format. The output will be stored in cert .

If the Certificate is PEM encoded it should have a header of "X509 CERTIFICATE", or "CERTIFICATE".

Parameters

cert

The data to store the parsed certificate.

 

data

The DER or PEM encoded certificate.

 

format

One of DER or PEM

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_x509_crt_list_import2 ()

int
gnutls_x509_crt_list_import2 (gnutls_x509_crt_t **certs,
                              unsigned int *size,
                              const gnutls_datum_t *data,
                              gnutls_x509_crt_fmt_t format,
                              unsigned int flags);

This function will convert the given PEM encoded certificate list to the native gnutls_x509_crt_t format. The output will be stored in certs which will be allocated and initialized.

If the Certificate is PEM encoded it should have a header of "X509 CERTIFICATE", or "CERTIFICATE".

To deinitialize certs , you need to deinitialize each crt structure independently, and use gnutls_free() at certs .

Parameters

certs

Will hold the parsed certificate list.

 

size

It will contain the size of the list.

 

data

The PEM encoded certificate.

 

format

One of DER or PEM.

 

flags

must be (0) or an OR'd sequence of gnutls_certificate_import_flags.

 

Returns

GNUTLS_E_SUCCESS on success, otherwise a negative error code.

Since: 3.0


gnutls_x509_crt_list_import ()

int
gnutls_x509_crt_list_import (gnutls_x509_crt_t *certs,
                             unsigned int *cert_max,
                             const gnutls_datum_t *data,
                             gnutls_x509_crt_fmt_t format,
                             unsigned int flags);

This function will convert the given PEM encoded certificate list to the native gnutls_x509_crt_t format. The output will be stored in certs . They will be automatically initialized.

The flag GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED will cause import to fail if the certificates in the provided buffer are more than the available structures. The GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED flag will cause the function to fail if the provided list is not sorted from subject to issuer.

If the Certificate is PEM encoded it should have a header of "X509 CERTIFICATE", or "CERTIFICATE".

Parameters

certs

Indicates where the parsed list will be copied to. Must not be initialized.

 

cert_max

Initially must hold the maximum number of certs. It will be updated with the number of certs available.

 

data

The PEM encoded certificate.

 

format

One of DER or PEM.

 

flags

must be (0) or an OR'd sequence of gnutls_certificate_import_flags.

 

Returns

the number of certificates read or a negative error value.


gnutls_x509_crt_import_url ()

int
gnutls_x509_crt_import_url (gnutls_x509_crt_t crt,
                            const char *url,
                            unsigned int flags);

This function will import a certificate present in a PKCS11 token or any type of back-end that supports URLs.

In previous versions of gnutls this function was named gnutls_x509_crt_import_pkcs11_url, and the old name is an alias to this one.

Parameters

crt

A certificate of type gnutls_x509_crt_t

 

url

A PKCS 11 url

 

flags

One of GNUTLS_PKCS11_OBJ_* flags for PKCS11 URLs or zero otherwise

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.

Since: 3.4.0


gnutls_x509_crt_list_import_url ()

int
gnutls_x509_crt_list_import_url (gnutls_x509_crt_t **certs,
                                 unsigned int *size,
                                 const char *url,
                                 gnutls_pin_callback_t pin_fn,
                                 void *pin_fn_userdata,
                                 unsigned int flags);

This function will import a certificate chain present in a PKCS11 token or any type of back-end that supports URLs. The certificates must be deinitialized afterwards using gnutls_x509_crt_deinit() and the returned pointer must be freed using gnutls_free().

The URI provided must be the first certificate in the chain; subsequent certificates will be retrieved using gnutls_pkcs11_get_raw_issuer() or equivalent functionality for the supported URI.

Parameters

certs

Will hold the allocated certificate list.

 

size

It will contain the size of the list.

 

url

A PKCS 11 url

 

pin_fn

a PIN callback if not globally set

 

pin_fn_userdata

parameter for the PIN callback

 

flags

One of GNUTLS_PKCS11_OBJ_* flags for PKCS11 URLs or zero otherwise

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.

Since: 3.6.3


gnutls_x509_crt_export ()

int
gnutls_x509_crt_export (gnutls_x509_crt_t cert,
                        gnutls_x509_crt_fmt_t format,
                        void *output_data,
                        size_t *output_data_size);

This function will export the certificate to DER or PEM format.

If the buffer provided is not long enough to hold the output, then *output_data_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will be returned.

If the structure is PEM encoded, it will have a header of "BEGIN CERTIFICATE".

Parameters

cert

Holds the certificate

 

format

the format of output params. One of PEM or DER.

 

output_data

will contain a certificate PEM or DER encoded

 

output_data_size

holds the size of output_data (and will be replaced by the actual size of parameters)

 

Returns

In case of failure a negative error code will be returned, and 0 on success.


gnutls_x509_crt_export2 ()

int
gnutls_x509_crt_export2 (gnutls_x509_crt_t cert,
                         gnutls_x509_crt_fmt_t format,
                         gnutls_datum_t *out);

This function will export the certificate to DER or PEM format. The output buffer is allocated using gnutls_malloc().

If the structure is PEM encoded, it will have a header of "BEGIN CERTIFICATE".

Parameters

cert

Holds the certificate

 

format

the format of output params. One of PEM or DER.

 

out

will contain a certificate PEM or DER encoded

 

Returns

In case of failure a negative error code will be returned, and 0 on success.

Since: 3.1.3


gnutls_x509_crt_get_private_key_usage_period ()

int
gnutls_x509_crt_get_private_key_usage_period
                               (gnutls_x509_crt_t cert,
                                time_t *activation,
                                time_t *expiration,
                                unsigned int *critical);

This function will return the expiration and activation times of the private key of the certificate. It relies on the PKIX extension 2.5.29.16 being present.

Parameters

cert

should contain a gnutls_x509_crt_t type

 

activation

The activation time

 

expiration

The expiration time

 

critical

the extension status

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE if the extension is not present, otherwise a negative error value.


gnutls_x509_crt_get_issuer_dn ()

int
gnutls_x509_crt_get_issuer_dn (gnutls_x509_crt_t cert,
                               char *buf,
                               size_t *buf_size);

This function will copy the name of the Certificate issuer in the provided buffer. The name will be in the form "C=xxxx,O=yyyy,CN=zzzz" as described in RFC4514. The output string will be ASCII or UTF-8 encoded, depending on the certificate data.

If buf is null then only the size will be filled.

This function does not output a fully RFC4514 compliant string, if that is required see gnutls_x509_crt_get_issuer_dn3().

Parameters

cert

should contain a gnutls_x509_crt_t type

 

buf

a pointer to a structure to hold the name (may be null)

 

buf_size

initially holds the size of buf

 

Returns

GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not long enough, and in that case the buf_size will be updated with the required size. GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE if the DN does not exist, or another error value on error. On success 0 is returned.


gnutls_x509_crt_get_issuer_dn2 ()

int
gnutls_x509_crt_get_issuer_dn2 (gnutls_x509_crt_t cert,
                                gnutls_datum_t *dn);

This function will allocate buffer and copy the name of issuer of the Certificate. The name will be in the form "C=xxxx,O=yyyy,CN=zzzz" as described in RFC4514. The output string will be ASCII or UTF-8 encoded, depending on the certificate data.

This function does not output a fully RFC4514 compliant string, if that is required see gnutls_x509_crt_get_issuer_dn3().

Parameters

cert

should contain a gnutls_x509_crt_t type

 

dn

a pointer to a structure to hold the name; must be freed using gnutls_free()

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.

Since: 3.1.10


gnutls_x509_crt_get_issuer_dn3 ()

int
gnutls_x509_crt_get_issuer_dn3 (gnutls_x509_crt_t cert,
                                gnutls_datum_t *dn,
                                unsigned  flags);

This function will allocate buffer and copy the name of issuer of the Certificate. The name will be in the form "C=xxxx,O=yyyy,CN=zzzz" as described in RFC4514. The output string will be ASCII or UTF-8 encoded, depending on the certificate data.

When the flag GNUTLS_X509_DN_FLAG_COMPAT is specified, the output format will match the format output by previous to 3.5.6 versions of GnuTLS which was not not fully RFC4514-compliant.

Parameters

cert

should contain a gnutls_x509_crt_t type

 

dn

a pointer to a structure to hold the name; must be freed using gnutls_free()

 

flags

zero or GNUTLS_X509_DN_FLAG_COMPAT

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.

Since: 3.5.7


gnutls_x509_crt_get_issuer_dn_oid ()

int
gnutls_x509_crt_get_issuer_dn_oid (gnutls_x509_crt_t cert,
                                   unsigned  indx,
                                   void *oid,
                                   size_t *oid_size);

This function will extract the OIDs of the name of the Certificate issuer specified by the given index.

If oid is null then only the size will be filled. The oid returned will be null terminated, although oid_size will not account for the trailing null.

Parameters

cert

should contain a gnutls_x509_crt_t type

 

indx

This specifies which OID to return. Use (0) to get the first one.

 

oid

a pointer to a buffer to hold the OID (may be null)

 

oid_size

initially holds the size of oid

 

Returns

GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not long enough, and in that case the buf_size will be updated with the required size. GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE if there are no data in the current index. On success 0 is returned.


gnutls_x509_crt_get_issuer_dn_by_oid ()

int
gnutls_x509_crt_get_issuer_dn_by_oid (gnutls_x509_crt_t cert,
                                      const char *oid,
                                      unsigned  indx,
                                      unsigned int raw_flag,
                                      void *buf,
                                      size_t *buf_size);

This function will extract the part of the name of the Certificate issuer specified by the given OID. The output, if the raw flag is not used, will be encoded as described in RFC4514. Thus a string that is ASCII or UTF-8 encoded, depending on the certificate data.

Some helper macros with popular OIDs can be found in gnutls/x509.h If raw flag is (0), this function will only return known OIDs as text. Other OIDs will be DER encoded, as described in RFC4514 -- in hex format with a '#' prefix. You can check about known OIDs using gnutls_x509_dn_oid_known().

If buf is null then only the size will be filled. If the raw_flag is not specified the output is always null terminated, although the buf_size will not include the null character.

Parameters

cert

should contain a gnutls_x509_crt_t type

 

oid

holds an Object Identified in null terminated string

 

indx

In case multiple same OIDs exist in the RDN, this specifies which to send. Use (0) to get the first one.

 

raw_flag

If non-zero returns the raw DER data of the DN part.

 

buf

a pointer to a structure to hold the name (may be null)

 

buf_size

initially holds the size of buf

 

Returns

GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not long enough, and in that case the buf_size will be updated with the required size. GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE if there are no data in the current index. On success 0 is returned.


gnutls_x509_crt_get_dn ()

int
gnutls_x509_crt_get_dn (gnutls_x509_crt_t cert,
                        char *buf,
                        size_t *buf_size);

This function will copy the name of the Certificate in the provided buffer. The name will be in the form "C=xxxx,O=yyyy,CN=zzzz" as described in RFC4514. The output string will be ASCII or UTF-8 encoded, depending on the certificate data.

The buf returned will be null terminated and the buf_size will account for the trailing null. If buf is null then only the size will be filled.

This function does not output a fully RFC4514 compliant string, if that is required see gnutls_x509_crt_get_dn3().

Parameters

cert

should contain a gnutls_x509_crt_t type

 

buf

a pointer to a structure to hold the name (may be null)

 

buf_size

initially holds the size of buf

 

Returns

GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not long enough, and in that case the buf_size will be updated with the required size. GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE if the DN does not exist, or another error value on error. On success 0 is returned.


gnutls_x509_crt_get_dn2 ()

int
gnutls_x509_crt_get_dn2 (gnutls_x509_crt_t cert,
                         gnutls_datum_t *dn);

This function will allocate buffer and copy the name of the Certificate. The name will be in the form "C=xxxx,O=yyyy,CN=zzzz" as described in RFC4514. The output string will be ASCII or UTF-8 encoded, depending on the certificate data.

This function does not output a fully RFC4514 compliant string, if that is required see gnutls_x509_crt_get_dn3().

Parameters

cert

should contain a gnutls_x509_crt_t type

 

dn

a pointer to a structure to hold the name; must be freed using gnutls_free()

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.

Since: 3.1.10


gnutls_x509_crt_get_dn3 ()

int
gnutls_x509_crt_get_dn3 (gnutls_x509_crt_t cert,
                         gnutls_datum_t *dn,
                         unsigned  flags);

This function will allocate buffer and copy the name of the Certificate. The name will be in the form "C=xxxx,O=yyyy,CN=zzzz" as described in RFC4514. The output string will be ASCII or UTF-8 encoded, depending on the certificate data.

When the flag GNUTLS_X509_DN_FLAG_COMPAT is specified, the output format will match the format output by previous to 3.5.6 versions of GnuTLS which was not not fully RFC4514-compliant.

Parameters

cert

should contain a gnutls_x509_crt_t type

 

dn

a pointer to a structure to hold the name; must be freed using gnutls_free()

 

flags

zero or GNUTLS_X509_DN_FLAG_COMPAT

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.

Since: 3.5.7


gnutls_x509_crt_get_dn_oid ()

int
gnutls_x509_crt_get_dn_oid (gnutls_x509_crt_t cert,
                            unsigned  indx,
                            void *oid,
                            size_t *oid_size);

This function will extract the OIDs of the name of the Certificate subject specified by the given index.

If oid is null then only the size will be filled. The oid returned will be null terminated, although oid_size will not account for the trailing null.

Parameters

cert

should contain a gnutls_x509_crt_t type

 

indx

This specifies which OID to return. Use (0) to get the first one.

 

oid

a pointer to a buffer to hold the OID (may be null)

 

oid_size

initially holds the size of oid

 

Returns

GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not long enough, and in that case the buf_size will be updated with the required size. GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE if there are no data in the current index. On success 0 is returned.


gnutls_x509_crt_get_dn_by_oid ()

int
gnutls_x509_crt_get_dn_by_oid (gnutls_x509_crt_t cert,
                               const char *oid,
                               unsigned  indx,
                               unsigned int raw_flag,
                               void *buf,
                               size_t *buf_size);

This function will extract the part of the name of the Certificate subject specified by the given OID. The output, if the raw flag is not used, will be encoded as described in RFC4514. Thus a string that is ASCII or UTF-8 encoded, depending on the certificate data.

Some helper macros with popular OIDs can be found in gnutls/x509.h If raw flag is (0), this function will only return known OIDs as text. Other OIDs will be DER encoded, as described in RFC4514 -- in hex format with a '#' prefix. You can check about known OIDs using gnutls_x509_dn_oid_known().

If buf is null then only the size will be filled. If the raw_flag is not specified the output is always null terminated, although the buf_size will not include the null character.

Parameters

cert

should contain a gnutls_x509_crt_t type

 

oid

holds an Object Identified in null terminated string

 

indx

In case multiple same OIDs exist in the RDN, this specifies which to send. Use (0) to get the first one.

 

raw_flag

If non-zero returns the raw DER data of the DN part.

 

buf

a pointer where the DN part will be copied (may be null).

 

buf_size

initially holds the size of buf

 

Returns

GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not long enough, and in that case the buf_size will be updated with the required size. GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE if there are no data in the current index. On success 0 is returned.


gnutls_x509_crt_check_hostname ()

unsigned
gnutls_x509_crt_check_hostname (gnutls_x509_crt_t cert,
                                const char *hostname);

This function will check if the given certificate's subject matches the given hostname. This is a basic implementation of the matching described in RFC6125, and takes into account wildcards, and the DNSName/IPAddress subject alternative name PKIX extension.

For details see also gnutls_x509_crt_check_hostname2().

Parameters

cert

should contain an gnutls_x509_crt_t type

 

hostname

A null terminated string that contains a DNS name

 

Returns

non-zero for a successful match, and zero on failure.


gnutls_x509_crt_check_hostname2 ()

unsigned
gnutls_x509_crt_check_hostname2 (gnutls_x509_crt_t cert,
                                 const char *hostname,
                                 unsigned int flags);

This function will check if the given certificate's subject matches the given hostname. This is a basic implementation of the matching described in RFC6125, and takes into account wildcards, and the DNSName/IPAddress subject alternative name PKIX extension.

IPv4 addresses are accepted by this function in the dotted-decimal format (e.g, ddd.ddd.ddd.ddd), and IPv6 addresses in the hexadecimal x:x:x:x:x:x:x:x format. For them the IPAddress subject alternative name extension is consulted. Previous versions to 3.6.0 of GnuTLS in case of a non-match would consult (in a non-standard extension) the DNSname and CN fields. This is no longer the case.

When the flag GNUTLS_VERIFY_DO_NOT_ALLOW_WILDCARDS is specified no wildcards are considered. Otherwise they are only considered if the domain name consists of three components or more, and the wildcard starts at the leftmost position.

When the flag GNUTLS_VERIFY_DO_NOT_ALLOW_IP_MATCHES is specified, the input will be treated as a DNS name, and matching of textual IP addresses against the IPAddress part of the alternative name will not be allowed.

The function gnutls_x509_crt_check_ip() is available for matching IP addresses.

Parameters

cert

should contain an gnutls_x509_crt_t type

 

hostname

A null terminated string that contains a DNS name

 

flags

gnutls_certificate_verify_flags

 

Returns

non-zero for a successful match, and zero on failure.

Since: 3.3.0


gnutls_x509_crt_check_email ()

unsigned
gnutls_x509_crt_check_email (gnutls_x509_crt_t cert,
                             const char *email,
                             unsigned int flags);

This function will check if the given certificate's subject matches the given email address.

Parameters

cert

should contain an gnutls_x509_crt_t type

 

email

A null terminated string that contains an email address (RFC822)

 

flags

should be zero

 

Returns

non-zero for a successful match, and zero on failure.


gnutls_x509_crt_check_ip ()

unsigned
gnutls_x509_crt_check_ip (gnutls_x509_crt_t cert,
                          const unsigned char *ip,
                          unsigned int ip_size,
                          unsigned int flags);

This function will check if the IP allowed IP addresses in the certificate's subject alternative name match the provided IP address.

Parameters

cert

should contain an gnutls_x509_crt_t type

 

ip

A pointer to the raw IP address

 

ip_size

the number of bytes in ip (4 or 16)

 

flags

should be zero

 

Returns

non-zero for a successful match, and zero on failure.


gnutls_x509_crt_get_signature_algorithm ()

int
gnutls_x509_crt_get_signature_algorithm
                               (gnutls_x509_crt_t cert);

This function will return a value of the gnutls_sign_algorithm_t enumeration that is the signature algorithm that has been used to sign this certificate.

Since 3.6.0 this function never returns a negative error code. Error cases and unknown/unsupported signature algorithms are mapped to GNUTLS_SIGN_UNKNOWN.

Parameters

cert

should contain a gnutls_x509_crt_t type

 

Returns

a gnutls_sign_algorithm_t value


gnutls_x509_crt_get_signature ()

int
gnutls_x509_crt_get_signature (gnutls_x509_crt_t cert,
                               char *sig,
                               size_t *sizeof_sig);

This function will extract the signature field of a certificate.

Parameters

cert

should contain a gnutls_x509_crt_t type

 

sig

a pointer where the signature part will be copied (may be null).

 

sig_size

initially holds the size of sig

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_x509_crt_get_version ()

int
gnutls_x509_crt_get_version (gnutls_x509_crt_t cert);

This function will return the version of the specified Certificate.

Parameters

cert

should contain a gnutls_x509_crt_t type

 

Returns

version of certificate, or a negative error code on error.


gnutls_x509_crt_get_pk_oid ()

int
gnutls_x509_crt_get_pk_oid (gnutls_x509_crt_t cert,
                            char *oid,
                            size_t *oid_size);

This function will return the OID of the public key algorithm on that certificate. This is function is useful in the case gnutls_x509_crt_get_pk_algorithm() returned GNUTLS_PK_UNKNOWN.

Parameters

cert

should contain a gnutls_x509_crt_t type

 

oid

a pointer to a buffer to hold the OID (may be null)

 

oid_size

initially holds the size of oid

 

Returns

zero or a negative error code on error.

Since: 3.5.0


gnutls_x509_crt_get_signature_oid ()

int
gnutls_x509_crt_get_signature_oid (gnutls_x509_crt_t cert,
                                   char *oid,
                                   size_t *oid_size);

This function will return the OID of the signature algorithm that has been used to sign this certificate. This is function is useful in the case gnutls_x509_crt_get_signature_algorithm() returned GNUTLS_SIGN_UNKNOWN.

Parameters

cert

should contain a gnutls_x509_crt_t type

 

oid

a pointer to a buffer to hold the OID (may be null)

 

oid_size

initially holds the size of oid

 

Returns

zero or a negative error code on error.

Since: 3.5.0


gnutls_x509_crt_get_key_id ()

int
gnutls_x509_crt_get_key_id (gnutls_x509_crt_t crt,
                            unsigned int flags,
                            unsigned char *output_data,
                            size_t *output_data_size);

This function will return a unique ID that depends on the public key parameters. This ID can be used in checking whether a certificate corresponds to the given private key.

If the buffer provided is not long enough to hold the output, then *output_data_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will be returned. The output will normally be a SHA-1 hash output, which is 20 bytes.

Parameters

crt

Holds the certificate

 

flags

should be one of the flags from gnutls_keyid_flags_t

 

output_data

will contain the key ID

 

output_data_size

holds the size of output_data (and will be replaced by the actual size of parameters)

 

Returns

In case of failure a negative error code will be returned, and 0 on success.


gnutls_x509_crt_set_private_key_usage_period ()

int
gnutls_x509_crt_set_private_key_usage_period
                               (gnutls_x509_crt_t crt,
                                time_t activation,
                                time_t expiration);

This function will set the private key usage period extension (2.5.29.16).

Parameters

crt

a certificate of type gnutls_x509_crt_t

 

activation

The activation time

 

expiration

The expiration time

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_x509_crt_set_authority_key_id ()

int
gnutls_x509_crt_set_authority_key_id (gnutls_x509_crt_t cert,
                                      const void *id,
                                      size_t id_size);

This function will set the X.509 certificate's authority key ID extension. Only the keyIdentifier field can be set with this function.

Parameters

cert

a certificate of type gnutls_x509_crt_t

 

id

The key ID

 

id_size

Holds the size of the key ID field.

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_x509_crt_get_authority_key_id ()

int
gnutls_x509_crt_get_authority_key_id (gnutls_x509_crt_t cert,
                                      void *id,
                                      size_t *id_size,
                                      unsigned int *critical);

This function will return the X.509v3 certificate authority's key identifier. This is obtained by the X.509 Authority Key identifier extension field (2.5.29.35). Note that this function only returns the keyIdentifier field of the extension and GNUTLS_E_X509_UNSUPPORTED_EXTENSION, if the extension contains the name and serial number of the certificate. In that case gnutls_x509_crt_get_authority_key_gn_serial() may be used.

Parameters

cert

should contain a gnutls_x509_crt_t type

 

id

The place where the identifier will be copied

 

id_size

Holds the size of the id field.

 

critical

will be non-zero if the extension is marked as critical (may be null)

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE if the extension is not present, otherwise a negative error value.


gnutls_x509_crt_get_authority_key_gn_serial ()

int
gnutls_x509_crt_get_authority_key_gn_serial
                               (gnutls_x509_crt_t cert,
                                unsigned int seq,
                                void *alt,
                                size_t *alt_size,
                                unsigned int *alt_type,
                                void *serial,
                                size_t *serial_size,
                                unsigned int *critical);

This function will return the X.509 authority key identifier when stored as a general name (authorityCertIssuer) and serial number.

Because more than one general names might be stored seq can be used as a counter to request them all until GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned.

Parameters

cert

should contain a gnutls_x509_crt_t type

 

seq

specifies the sequence number of the alt name (0 for the first one, 1 for the second etc.)

 

alt

is the place where the alternative name will be copied to

 

alt_size

holds the size of alt.

 

alt_type

holds the type of the alternative name (one of gnutls_x509_subject_alt_name_t).

 

serial

buffer to store the serial number (may be null)

 

serial_size

Holds the size of the serial field (may be null)

 

critical

will be non-zero if the extension is marked as critical (may be null)

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE if the extension is not present, otherwise a negative error value.

Since: 3.0


gnutls_x509_crt_get_subject_key_id ()

int
gnutls_x509_crt_get_subject_key_id (gnutls_x509_crt_t cert,
                                    void *ret,
                                    size_t *ret_size,
                                    unsigned int *critical);

This function will return the X.509v3 certificate's subject key identifier. This is obtained by the X.509 Subject Key identifier extension field (2.5.29.14).

Parameters

cert

should contain a gnutls_x509_crt_t type

 

ret

The place where the identifier will be copied

 

ret_size

Holds the size of the result field.

 

critical

will be non-zero if the extension is marked as critical (may be null)

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE if the extension is not present, otherwise a negative error value.


gnutls_x509_crt_get_subject_unique_id ()

int
gnutls_x509_crt_get_subject_unique_id (gnutls_x509_crt_t crt,
                                       char *buf,
                                       size_t *buf_size);

This function will extract the subjectUniqueID value (if present) for the given certificate.

If the user allocated memory buffer is not large enough to hold the full subjectUniqueID, then a GNUTLS_E_SHORT_MEMORY_BUFFER error will be returned, and buf_size will be set to the actual length.

This function had a bug prior to 3.4.8 that prevented the setting of NULL buf to discover the buf_size . To use this function safely with the older versions the buf must be a valid buffer that can hold at least a single byte if buf_size is zero.

Parameters

crt

Holds the certificate

 

buf

user allocated memory buffer, will hold the unique id

 

buf_size

size of user allocated memory buffer (on input), will hold actual size of the unique ID on return.

 

Returns

GNUTLS_E_SUCCESS on success, otherwise a negative error code.


gnutls_x509_crt_get_issuer_unique_id ()

int
gnutls_x509_crt_get_issuer_unique_id (gnutls_x509_crt_t crt,
                                      char *buf,
                                      size_t *buf_size);

This function will extract the issuerUniqueID value (if present) for the given certificate.

If the user allocated memory buffer is not large enough to hold the full subjectUniqueID, then a GNUTLS_E_SHORT_MEMORY_BUFFER error will be returned, and buf_size will be set to the actual length.

This function had a bug prior to 3.4.8 that prevented the setting of NULL buf to discover the buf_size . To use this function safely with the older versions the buf must be a valid buffer that can hold at least a single byte if buf_size is zero.

Parameters

crt

Holds the certificate

 

buf

user allocated memory buffer, will hold the unique id

 

buf_size

size of user allocated memory buffer (on input), will hold actual size of the unique ID on return.

 

Returns

GNUTLS_E_SUCCESS on success, otherwise a negative error code.

Since: 2.12.0


gnutls_x509_crt_set_pin_function ()

void
gnutls_x509_crt_set_pin_function (gnutls_x509_crt_t crt,
                                  gnutls_pin_callback_t fn,
                                  void *userdata);

This function will set a callback function to be used when it is required to access a protected object. This function overrides the global function set using gnutls_pkcs11_set_pin_function().

Note that this callback is currently used only during the import of a PKCS 11 certificate with gnutls_x509_crt_import_url().

Parameters

crt

The certificate structure

 

fn

the callback

 

userdata

data associated with the callback

 

Since: 3.1.0


gnutls_x509_crt_get_authority_info_access ()

int
gnutls_x509_crt_get_authority_info_access
                               (gnutls_x509_crt_t crt,
                                unsigned int seq,
                                int what,
                                gnutls_datum_t *data,
                                unsigned int *critical);

Note that a simpler API to access the authority info data is provided by gnutls_x509_aia_get() and gnutls_x509_ext_import_aia().

This function extracts the Authority Information Access (AIA) extension, see RFC 5280 section 4.2.2.1 for more information. The AIA extension holds a sequence of AccessDescription (AD) data.

The seq input parameter is used to indicate which member of the sequence the caller is interested in. The first member is 0, the second member 1 and so on. When the seq value is out of bounds, GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned.

The type of data returned in data is specified via what which should be gnutls_info_access_what_t values.

If what is GNUTLS_IA_ACCESSMETHOD_OID then data will hold the accessMethod OID (e.g., "1.3.6.1.5.5.7.48.1").

If what is GNUTLS_IA_ACCESSLOCATION_GENERALNAME_TYPE, data will hold the accessLocation GeneralName type (e.g., "uniformResourceIdentifier").

If what is GNUTLS_IA_URI, data will hold the accessLocation URI data. Requesting this what value leads to an error if the accessLocation is not of the "uniformResourceIdentifier" type.

If what is GNUTLS_IA_OCSP_URI, data will hold the OCSP URI. Requesting this what value leads to an error if the accessMethod is not 1.3.6.1.5.5.7.48.1 aka OCSP, or if accessLocation is not of the "uniformResourceIdentifier" type. In that case GNUTLS_E_UNKNOWN_ALGORITHM will be returned, and seq should be increased and this function called again.

If what is GNUTLS_IA_CAISSUERS_URI, data will hold the caIssuers URI. Requesting this what value leads to an error if the accessMethod is not 1.3.6.1.5.5.7.48.2 aka caIssuers, or if accessLocation is not of the "uniformResourceIdentifier" type. In that case handle as in GNUTLS_IA_OCSP_URI.

More what values may be allocated in the future as needed.

If data is NULL, the function does the same without storing the output data, that is, it will set critical and do error checking as usual.

The value of the critical flag is returned in *critical . Supply a NULL critical if you want the function to make sure the extension is non-critical, as required by RFC 5280.

Parameters

crt

Holds the certificate

 

seq

specifies the sequence number of the access descriptor (0 for the first one, 1 for the second etc.)

 

what

what data to get, a gnutls_info_access_what_t type.

 

data

output data to be freed with gnutls_free().

 

critical

pointer to output integer that is set to non-zero if the extension is marked as critical (may be NULL)

 

Returns

GNUTLS_E_SUCCESS on success, GNUTLS_E_INVALID_REQUEST on invalid crt , GNUTLS_E_CONSTRAINT_ERROR if the extension is incorrectly marked as critical (use a non-NULL critical to override), GNUTLS_E_UNKNOWN_ALGORITHM if the requested OID does not match (e.g., when using GNUTLS_IA_OCSP_URI), otherwise a negative error code.

Since: 3.0


gnutls_x509_name_constraints_check ()

unsigned
gnutls_x509_name_constraints_check (gnutls_x509_name_constraints_t nc,
                                    gnutls_x509_subject_alt_name_t type,
                                    const gnutls_datum_t *name);

This function will check the provided name against the constraints in nc using the RFC5280 rules. Currently this function is limited to DNS names, emails and IP addresses (of type GNUTLS_SAN_DNSNAME, GNUTLS_SAN_RFC822NAME and GNUTLS_SAN_IPADDRESS).

Parameters

nc

the extracted name constraints

 

type

the type of the constraint to check (of type gnutls_x509_subject_alt_name_t)

 

name

the name to be checked

 

Returns

zero if the provided name is not acceptable, and non-zero otherwise.

Since: 3.3.0


gnutls_x509_name_constraints_check_crt ()

unsigned
gnutls_x509_name_constraints_check_crt
                               (gnutls_x509_name_constraints_t nc,
                                gnutls_x509_subject_alt_name_t type,
                                gnutls_x509_crt_t crt);

This function will check the provided certificate names against the constraints in nc using the RFC5280 rules. It will traverse all the certificate's names and alternative names.

Currently this function is limited to DNS names and emails (of type GNUTLS_SAN_DNSNAME and GNUTLS_SAN_RFC822NAME).

Parameters

nc

the extracted name constraints

 

type

the type of the constraint to check (of type gnutls_x509_subject_alt_name_t)

 

cert

the certificate to be checked

 

Returns

zero if the provided name is not acceptable, and non-zero otherwise.

Since: 3.3.0


gnutls_x509_name_constraints_init ()

int
gnutls_x509_name_constraints_init (gnutls_x509_name_constraints_t *nc);

This function will initialize a name constraints type.

Parameters

nc

The nameconstraints

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.

Since: 3.3.0


gnutls_x509_name_constraints_deinit ()

void
gnutls_x509_name_constraints_deinit (gnutls_x509_name_constraints_t nc);

This function will deinitialize a name constraints type.

Parameters

nc

The nameconstraints

 

Since: 3.3.0


gnutls_x509_crt_get_name_constraints ()

int
gnutls_x509_crt_get_name_constraints (gnutls_x509_crt_t crt,
                                      gnutls_x509_name_constraints_t nc,
                                      unsigned int flags,
                                      unsigned int *critical);

This function will return an intermediate type containing the name constraints of the provided CA certificate. That structure can be used in combination with gnutls_x509_name_constraints_check() to verify whether a server's name is in accordance with the constraints.

When the flags is set to GNUTLS_EXT_FLAG_APPEND, then if the nc structure is empty this function will behave identically as if the flag was not set. Otherwise if there are elements in the nc structure then the constraints will be merged with the existing constraints following RFC5280 p6.1.4 (excluded constraints will be appended, permitted will be intersected).

Note that nc must be initialized prior to calling this function.

Parameters

crt

should contain a gnutls_x509_crt_t type

 

nc

The nameconstraints intermediate type

 

flags

zero or GNUTLS_EXT_FLAG_APPEND

 

critical

the extension status

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE if the extension is not present, otherwise a negative error value.

Since: 3.3.0


gnutls_x509_name_constraints_add_permitted ()

int
gnutls_x509_name_constraints_add_permitted
                               (gnutls_x509_name_constraints_t nc,
                                gnutls_x509_subject_alt_name_t type,
                                const gnutls_datum_t *name);

This function will add a name constraint to the list of permitted constraints. The constraints type can be any of the following types: GNUTLS_SAN_DNSNAME, GNUTLS_SAN_RFC822NAME, GNUTLS_SAN_DN, GNUTLS_SAN_URI, GNUTLS_SAN_IPADDRESS. For the latter, an IP address in network byte order is expected, followed by its network mask.

Parameters

nc

The nameconstraints

 

type

The type of the constraints

 

name

The data of the constraints

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.

Since: 3.3.0


gnutls_x509_name_constraints_add_excluded ()

int
gnutls_x509_name_constraints_add_excluded
                               (gnutls_x509_name_constraints_t nc,
                                gnutls_x509_subject_alt_name_t type,
                                const gnutls_datum_t *name);

This function will add a name constraint to the list of excluded constraints. The constraints type can be any of the following types: GNUTLS_SAN_DNSNAME, GNUTLS_SAN_RFC822NAME, GNUTLS_SAN_DN, GNUTLS_SAN_URI, GNUTLS_SAN_IPADDRESS. For the latter, an IP address in network byte order is expected, followed by its network mask (which is 4 bytes in IPv4 or 16-bytes in IPv6).

Parameters

nc

The nameconstraints

 

type

The type of the constraints

 

name

The data of the constraints

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.

Since: 3.3.0


gnutls_x509_crt_set_name_constraints ()

int
gnutls_x509_crt_set_name_constraints (gnutls_x509_crt_t crt,
                                      gnutls_x509_name_constraints_t nc,
                                      unsigned int critical);

This function will set the provided name constraints to the certificate extension list. This extension is always marked as critical.

Parameters

crt

The certificate

 

nc

The nameconstraints structure

 

critical

whether this extension will be critical

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.

Since: 3.3.0


gnutls_x509_name_constraints_get_permitted ()

int
gnutls_x509_name_constraints_get_permitted
                               (gnutls_x509_name_constraints_t nc,
                                unsigned  idx,
                                unsigned *type,
                                gnutls_datum_t *name);

This function will return an intermediate type containing the name constraints of the provided CA certificate. That structure can be used in combination with gnutls_x509_name_constraints_check() to verify whether a server's name is in accordance with the constraints.

The name should be treated as constant and valid for the lifetime of nc .

Parameters

nc

the extracted name constraints

 

idx

the index of the constraint

 

type

the type of the constraint (of type gnutls_x509_subject_alt_name_t)

 

name

the name in the constraint (of the specific type)

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE if the extension is not present, otherwise a negative error value.

Since: 3.3.0


gnutls_x509_name_constraints_get_excluded ()

int
gnutls_x509_name_constraints_get_excluded
                               (gnutls_x509_name_constraints_t nc,
                                unsigned  idx,
                                unsigned *type,
                                gnutls_datum_t *name);

This function will return an intermediate type containing the name constraints of the provided CA certificate. That structure can be used in combination with gnutls_x509_name_constraints_check() to verify whether a server's name is in accordance with the constraints.

The name should be treated as constant and valid for the lifetime of nc .

Parameters

nc

the extracted name constraints

 

idx

the index of the constraint

 

type

the type of the constraint (of type gnutls_x509_subject_alt_name_t)

 

name

the name in the constraint (of the specific type)

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE if the extension is not present, otherwise a negative error value.

Since: 3.3.0


gnutls_x509_cidr_to_rfc5280 ()

int
gnutls_x509_cidr_to_rfc5280 (const char *cidr,
                             gnutls_datum_t *cidr_rfc5280);

This function will convert text CIDR range with prefix (such as '10.0.0.0/8') to RFC5280 (IP address in network byte order followed by its network mask). Works for both IPv4 and IPv6.

The resulting object is directly usable for IP name constraints usage, for example in functions gnutls_x509_name_constraints_add_permitted or gnutls_x509_name_constraints_add_excluded.

The data in datum needs to be deallocated using gnutls_free().

Parameters

cidr

CIDR in RFC4632 format (IP/prefix), null-terminated

 

cidr_rfc5280

CIDR range converted to RFC5280 format

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.

Since: 3.5.4


gnutls_x509_crt_get_crl_dist_points ()

int
gnutls_x509_crt_get_crl_dist_points (gnutls_x509_crt_t cert,
                                     unsigned int seq,
                                     void *ret,
                                     size_t *ret_size,
                                     unsigned int *reason_flags,
                                     unsigned int *critical);

This function retrieves the CRL distribution points (2.5.29.31), contained in the given certificate in the X509v3 Certificate Extensions.

Parameters

cert

should contain a gnutls_x509_crt_t type

 

seq

specifies the sequence number of the distribution point (0 for the first one, 1 for the second etc.)

 

san

is the place where the distribution point will be copied to

 

san_size

holds the size of ret.

 

reason_flags

Revocation reasons. An ORed sequence of flags from gnutls_x509_crl_reason_flags_t.

 

critical

will be non-zero if the extension is marked as critical (may be null)

 

Returns

GNUTLS_E_SHORT_MEMORY_BUFFER and updates ret_size if ret_size is not enough to hold the distribution point, or the type of the distribution point if everything was ok. The type is one of the enumerated gnutls_x509_subject_alt_name_t. If the certificate does not have an Alternative name with the specified sequence number then GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned.


gnutls_x509_crt_set_crl_dist_points2 ()

int
gnutls_x509_crt_set_crl_dist_points2 (gnutls_x509_crt_t crt,
                                      gnutls_x509_subject_alt_name_t type,
                                      const void *data,
                                      unsigned int data_size,
                                      unsigned int reason_flags);

This function will set the CRL distribution points certificate extension.

Parameters

crt

a certificate of type gnutls_x509_crt_t

 

type

is one of the gnutls_x509_subject_alt_name_t enumerations

 

data

The data to be set

 

data_size

The data size

 

reason_flags

revocation reasons

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.

Since: 2.6.0


gnutls_x509_crt_set_crl_dist_points ()

int
gnutls_x509_crt_set_crl_dist_points (gnutls_x509_crt_t crt,
                                     gnutls_x509_subject_alt_name_t type,
                                     const void *data_string,
                                     unsigned int reason_flags);

This function will set the CRL distribution points certificate extension.

Parameters

crt

a certificate of type gnutls_x509_crt_t

 

type

is one of the gnutls_x509_subject_alt_name_t enumerations

 

data_string

The data to be set

 

reason_flags

revocation reasons

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_x509_crt_cpy_crl_dist_points ()

int
gnutls_x509_crt_cpy_crl_dist_points (gnutls_x509_crt_t dst,
                                     gnutls_x509_crt_t src);

This function will copy the CRL distribution points certificate extension, from the source to the destination certificate. This may be useful to copy from a CA certificate to issued ones.

Parameters

dst

a certificate of type gnutls_x509_crt_t

 

src

the certificate where the dist points will be copied from

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_x509_crl_sign ()

int
gnutls_x509_crl_sign (gnutls_x509_crl_t crl,
                      gnutls_x509_crt_t issuer,
                      gnutls_x509_privkey_t issuer_key);

This function is the same a gnutls_x509_crl_sign2() with no flags, and an appropriate hash algorithm. The hash algorithm used may vary between versions of GnuTLS, and it is tied to the security level of the issuer's public key.

Parameters

crl

should contain a gnutls_x509_crl_t type

 

issuer

is the certificate of the certificate issuer

 

issuer_key

holds the issuer's private key

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_x509_crl_sign2 ()

int
gnutls_x509_crl_sign2 (gnutls_x509_crl_t crl,
                       gnutls_x509_crt_t issuer,
                       gnutls_x509_privkey_t issuer_key,
                       gnutls_digest_algorithm_t dig,
                       unsigned int flags);

This function will sign the CRL with the issuer's private key, and will copy the issuer's information into the CRL.

This must be the last step in a certificate CRL since all the previously set parameters are now signed.

A known limitation of this function is, that a newly-signed CRL will not be fully functional (e.g., for signature verification), until it is exported an re-imported.

After GnuTLS 3.6.1 the value of dig may be GNUTLS_DIG_UNKNOWN, and in that case, a suitable but reasonable for the key algorithm will be selected.

Parameters

crl

should contain a gnutls_x509_crl_t type

 

issuer

is the certificate of the certificate issuer

 

issuer_key

holds the issuer's private key

 

dig

The message digest to use. GNUTLS_DIG_SHA256 is the safe choice unless you know what you're doing.

 

flags

must be 0

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_x509_crt_get_activation_time ()

time_t
gnutls_x509_crt_get_activation_time (gnutls_x509_crt_t cert);

This function will return the time this Certificate was or will be activated.

Parameters

cert

should contain a gnutls_x509_crt_t type

 

Returns

activation time, or (time_t)-1 on error.


gnutls_x509_crt_get_expiration_time ()

time_t
gnutls_x509_crt_get_expiration_time (gnutls_x509_crt_t cert);

This function will return the time this certificate was or will be expired.

Parameters

cert

should contain a gnutls_x509_crt_t type

 

Returns

expiration time, or (time_t)-1 on error.


gnutls_x509_crt_get_serial ()

int
gnutls_x509_crt_get_serial (gnutls_x509_crt_t cert,
                            void *result,
                            size_t *result_size);

This function will return the X.509 certificate's serial number. This is obtained by the X509 Certificate serialNumber field. Serial is not always a 32 or 64bit number. Some CAs use large serial numbers, thus it may be wise to handle it as something uint8_t.

Parameters

cert

should contain a gnutls_x509_crt_t type

 

result

The place where the serial number will be copied

 

result_size

Holds the size of the result field.

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_x509_spki_init ()

int
gnutls_x509_spki_init (gnutls_x509_spki_t *spki);

This function will initialize a SubjectPublicKeyInfo structure used in PKIX. The structure is used to set additional parameters in the public key information field of a certificate.

Parameters

spki

A pointer to the type to be initialized

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.

Since: 3.6.0


gnutls_x509_spki_deinit ()

void
gnutls_x509_spki_deinit (gnutls_x509_spki_t spki);

This function will deinitialize a SubjectPublicKeyInfo structure.

Parameters

spki

the SubjectPublicKeyInfo structure

 

Since: 3.6.0


gnutls_x509_spki_get_rsa_pss_params ()

int
gnutls_x509_spki_get_rsa_pss_params (gnutls_x509_spki_t spki,
                                     gnutls_digest_algorithm_t *dig,
                                     unsigned int *salt_size);

This function will get the public key algorithm parameters of RSA-PSS type.

Parameters

spki

the SubjectPublicKeyInfo structure

 

dig

if non-NULL, it will hold the digest algorithm

 

salt_size

if non-NULL, it will hold the salt size

 

Returns

zero if the parameters are present or a negative value on error.

Since: 3.6.0


gnutls_x509_spki_set_rsa_pss_params ()

void
gnutls_x509_spki_set_rsa_pss_params (gnutls_x509_spki_t spki,
                                     gnutls_digest_algorithm_t dig,
                                     unsigned int salt_size);

This function will set the public key parameters for an RSA-PSS algorithm, in the SubjectPublicKeyInfo structure.

Parameters

spki

the SubjectPublicKeyInfo structure

 

dig

a digest algorithm of type gnutls_digest_algorithm_t

 

salt_size

the size of salt string

 

Since: 3.6.0


gnutls_x509_crt_get_pk_algorithm ()

int
gnutls_x509_crt_get_pk_algorithm (gnutls_x509_crt_t cert,
                                  unsigned int *bits);

This function will return the public key algorithm of an X.509 certificate.

If bits is non null, it should have enough size to hold the parameters size in bits. For RSA the bits returned is the modulus. For DSA the bits returned are of the public exponent.

Unknown/unsupported algorithms are mapped to GNUTLS_PK_UNKNOWN.

Parameters

cert

should contain a gnutls_x509_crt_t type

 

bits

if bits is non null it will hold the size of the parameters' in bits

 

Returns

a member of the gnutls_pk_algorithm_t enumeration on success, or a negative error code on error.


gnutls_x509_crt_set_spki ()

int
gnutls_x509_crt_set_spki (gnutls_x509_crt_t crt,
                          const gnutls_x509_spki_t spki,
                          unsigned int flags);

This function will set the certificate's subject public key information explicitly. This is intended to be used in the cases where a single public key (e.g., RSA) can be used for multiple signature algorithms (RSA PKCS1-1.5, and RSA-PSS).

To export the public key (i.e., the SubjectPublicKeyInfo part), check gnutls_pubkey_import_x509().

Parameters

crt

a certificate of type gnutls_x509_crt_t

 

spki

a SubjectPublicKeyInfo structure of type gnutls_x509_spki_t

 

flags

must be zero

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.

Since: 3.6.0


gnutls_x509_crt_get_spki ()

int
gnutls_x509_crt_get_spki (gnutls_x509_crt_t cert,
                          gnutls_x509_spki_t spki,
                          unsigned int flags);

This function will return the public key information of an X.509 certificate. The provided spki must be initialized.

Parameters

cert

a certificate of type gnutls_x509_crt_t

 

spki

a SubjectPublicKeyInfo structure of type gnutls_x509_spki_t

 

flags

must be zero

 

Since: 3.6.0


gnutls_x509_crt_get_pk_rsa_raw ()

int
gnutls_x509_crt_get_pk_rsa_raw (gnutls_x509_crt_t crt,
                                gnutls_datum_t *m,
                                gnutls_datum_t *e);

This function will export the RSA public key's parameters found in the given structure. The new parameters will be allocated using gnutls_malloc() and will be stored in the appropriate datum.

Parameters

crt

Holds the certificate

 

m

will hold the modulus

 

e

will hold the public exponent

 

Returns

GNUTLS_E_SUCCESS on success, otherwise a negative error code.


gnutls_x509_crt_get_pk_dsa_raw ()

int
gnutls_x509_crt_get_pk_dsa_raw (gnutls_x509_crt_t crt,
                                gnutls_datum_t *p,
                                gnutls_datum_t *q,
                                gnutls_datum_t *g,
                                gnutls_datum_t *y);

This function will export the DSA public key's parameters found in the given certificate. The new parameters will be allocated using gnutls_malloc() and will be stored in the appropriate datum.

Parameters

crt

Holds the certificate

 

p

will hold the p

 

q

will hold the q

 

g

will hold the g

 

y

will hold the y

 

Returns

GNUTLS_E_SUCCESS on success, otherwise a negative error code.


gnutls_x509_crt_get_pk_ecc_raw ()

int
gnutls_x509_crt_get_pk_ecc_raw (gnutls_x509_crt_t crt,
                                gnutls_ecc_curve_t *curve,
                                gnutls_datum_t *x,
                                gnutls_datum_t *y);

This function will export the ECC public key's parameters found in the given certificate. The new parameters will be allocated using gnutls_malloc() and will be stored in the appropriate datum.

In EdDSA curves the y parameter will be NULL and the other parameters will be in the native format for the curve.

Parameters

crt

Holds the certificate

 

curve

will hold the curve

 

x

will hold the x-coordinate

 

y

will hold the y-coordinate

 

Returns

GNUTLS_E_SUCCESS on success, otherwise a negative error code.

Since: 3.4.1


gnutls_x509_crt_get_pk_gost_raw ()

int
gnutls_x509_crt_get_pk_gost_raw (gnutls_x509_crt_t crt,
                                 gnutls_ecc_curve_t *curve,
                                 gnutls_digest_algorithm_t *digest,
                                 gnutls_gost_paramset_t *paramset,
                                 gnutls_datum_t *x,
                                 gnutls_datum_t *y);

This function will export the GOST public key's parameters found in the given certificate. The new parameters will be allocated using gnutls_malloc() and will be stored in the appropriate datum.

Parameters

crt

Holds the certificate

 

curve

will hold the curve

 

digest

will hold the digest

 

paramset

will hold the GOST parameter set ID

 

x

will hold the x-coordinate

 

y

will hold the y-coordinate

 

Returns

GNUTLS_E_SUCCESS on success, otherwise a negative error code.

Since: 3.6.3


gnutls_x509_crt_get_subject_alt_name ()

int
gnutls_x509_crt_get_subject_alt_name (gnutls_x509_crt_t cert,
                                      unsigned int seq,
                                      void *san,
                                      size_t *san_size,
                                      unsigned int *critical);

This function retrieves the Alternative Name (2.5.29.17), contained in the given certificate in the X509v3 Certificate Extensions.

When the SAN type is otherName, it will extract the data in the otherName's value field, and GNUTLS_SAN_OTHERNAME is returned. You may use gnutls_x509_crt_get_subject_alt_othername_oid() to get the corresponding OID and the "virtual" SAN types (e.g., GNUTLS_SAN_OTHERNAME_XMPP).

If an otherName OID is known, the data will be decoded. Otherwise the returned data will be DER encoded, and you will have to decode it yourself. Currently, only the RFC 3920 id-on-xmppAddr SAN is recognized.

Parameters

cert

should contain a gnutls_x509_crt_t type

 

seq

specifies the sequence number of the alt name (0 for the first one, 1 for the second etc.)

 

san

is the place where the alternative name will be copied to

 

san_size

holds the size of san.

 

critical

will be non-zero if the extension is marked as critical (may be null)

 

Returns

the alternative subject name type on success, one of the enumerated gnutls_x509_subject_alt_name_t. It will return GNUTLS_E_SHORT_MEMORY_BUFFER if san_size is not large enough to hold the value. In that case san_size will be updated with the required size. If the certificate does not have an Alternative name with the specified sequence number then GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned.


gnutls_x509_crt_get_subject_alt_name2 ()

int
gnutls_x509_crt_get_subject_alt_name2 (gnutls_x509_crt_t cert,
                                       unsigned int seq,
                                       void *san,
                                       size_t *san_size,
                                       unsigned int *san_type,
                                       unsigned int *critical);

This function will return the alternative names, contained in the given certificate. It is the same as gnutls_x509_crt_get_subject_alt_name() except for the fact that it will return the type of the alternative name in san_type even if the function fails for some reason (i.e. the buffer provided is not enough).

Parameters

cert

should contain a gnutls_x509_crt_t type

 

seq

specifies the sequence number of the alt name (0 for the first one, 1 for the second etc.)

 

san

is the place where the alternative name will be copied to

 

san_size

holds the size of ret.

 

san_type

holds the type of the alternative name (one of gnutls_x509_subject_alt_name_t).

 

critical

will be non-zero if the extension is marked as critical (may be null)

 

Returns

the alternative subject name type on success, one of the enumerated gnutls_x509_subject_alt_name_t. It will return GNUTLS_E_SHORT_MEMORY_BUFFER if san_size is not large enough to hold the value. In that case san_size will be updated with the required size. If the certificate does not have an Alternative name with the specified sequence number then GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned.


gnutls_x509_crt_get_subject_alt_othername_oid ()

int
gnutls_x509_crt_get_subject_alt_othername_oid
                               (gnutls_x509_crt_t cert,
                                unsigned int seq,
                                void *oid,
                                size_t *oid_size);

This function will extract the type OID of an otherName Subject Alternative Name, contained in the given certificate, and return the type as an enumerated element.

This function is only useful if gnutls_x509_crt_get_subject_alt_name() returned GNUTLS_SAN_OTHERNAME.

If oid is null then only the size will be filled. The oid returned will be null terminated, although oid_size will not account for the trailing null.

Parameters

cert

should contain a gnutls_x509_crt_t type

 

seq

specifies the sequence number of the alt name (0 for the first one, 1 for the second etc.)

 

oid

is the place where the otherName OID will be copied to

 

oid_size

holds the size of ret.

 

Returns

the alternative subject name type on success, one of the enumerated gnutls_x509_subject_alt_name_t. For supported OIDs, it will return one of the virtual (GNUTLS_SAN_OTHERNAME_*) types, e.g. GNUTLS_SAN_OTHERNAME_XMPP, and GNUTLS_SAN_OTHERNAME for unknown OIDs. It will return GNUTLS_E_SHORT_MEMORY_BUFFER if ian_size is not large enough to hold the value. In that case ian_size will be updated with the required size. If the certificate does not have an Alternative name with the specified sequence number and with the otherName type then GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned.


gnutls_x509_crt_get_issuer_alt_name ()

int
gnutls_x509_crt_get_issuer_alt_name (gnutls_x509_crt_t cert,
                                     unsigned int seq,
                                     void *ian,
                                     size_t *ian_size,
                                     unsigned int *critical);

This function retrieves the Issuer Alternative Name (2.5.29.18), contained in the given certificate in the X509v3 Certificate Extensions.

When the SAN type is otherName, it will extract the data in the otherName's value field, and GNUTLS_SAN_OTHERNAME is returned. You may use gnutls_x509_crt_get_subject_alt_othername_oid() to get the corresponding OID and the "virtual" SAN types (e.g., GNUTLS_SAN_OTHERNAME_XMPP).

If an otherName OID is known, the data will be decoded. Otherwise the returned data will be DER encoded, and you will have to decode it yourself. Currently, only the RFC 3920 id-on-xmppAddr Issuer AltName is recognized.

Parameters

cert

should contain a gnutls_x509_crt_t type

 

seq

specifies the sequence number of the alt name (0 for the first one, 1 for the second etc.)

 

ian

is the place where the alternative name will be copied to

 

ian_size

holds the size of ian.

 

critical

will be non-zero if the extension is marked as critical (may be null)

 

Returns

the alternative issuer name type on success, one of the enumerated gnutls_x509_subject_alt_name_t. It will return GNUTLS_E_SHORT_MEMORY_BUFFER if ian_size is not large enough to hold the value. In that case ian_size will be updated with the required size. If the certificate does not have an Alternative name with the specified sequence number then GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned.

Since: 2.10.0


gnutls_x509_crt_get_issuer_alt_name2 ()

int
gnutls_x509_crt_get_issuer_alt_name2 (gnutls_x509_crt_t cert,
                                      unsigned int seq,
                                      void *ian,
                                      size_t *ian_size,
                                      unsigned int *ian_type,
                                      unsigned int *critical);

This function will return the alternative names, contained in the given certificate. It is the same as gnutls_x509_crt_get_issuer_alt_name() except for the fact that it will return the type of the alternative name in ian_type even if the function fails for some reason (i.e. the buffer provided is not enough).

Parameters

cert

should contain a gnutls_x509_crt_t type

 

seq

specifies the sequence number of the alt name (0 for the first one, 1 for the second etc.)

 

ian

is the place where the alternative name will be copied to

 

ian_size

holds the size of ret.

 

ian_type

holds the type of the alternative name (one of gnutls_x509_subject_alt_name_t).

 

critical

will be non-zero if the extension is marked as critical (may be null)

 

Returns

the alternative issuer name type on success, one of the enumerated gnutls_x509_subject_alt_name_t. It will return GNUTLS_E_SHORT_MEMORY_BUFFER if ian_size is not large enough to hold the value. In that case ian_size will be updated with the required size. If the certificate does not have an Alternative name with the specified sequence number then GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned.

Since: 2.10.0


gnutls_x509_crt_get_issuer_alt_othername_oid ()

int
gnutls_x509_crt_get_issuer_alt_othername_oid
                               (gnutls_x509_crt_t cert,
                                unsigned int seq,
                                void *ret,
                                size_t *ret_size);

This function will extract the type OID of an otherName Subject Alternative Name, contained in the given certificate, and return the type as an enumerated element.

If oid is null then only the size will be filled. The oid returned will be null terminated, although oid_size will not account for the trailing null.

This function is only useful if gnutls_x509_crt_get_issuer_alt_name() returned GNUTLS_SAN_OTHERNAME.

Parameters

cert

should contain a gnutls_x509_crt_t type

 

seq

specifies the sequence number of the alt name (0 for the first one, 1 for the second etc.)

 

ret

is the place where the otherName OID will be copied to

 

ret_size

holds the size of ret.

 

Returns

the alternative issuer name type on success, one of the enumerated gnutls_x509_subject_alt_name_t. For supported OIDs, it will return one of the virtual (GNUTLS_SAN_OTHERNAME_*) types, e.g. GNUTLS_SAN_OTHERNAME_XMPP, and GNUTLS_SAN_OTHERNAME for unknown OIDs. It will return GNUTLS_E_SHORT_MEMORY_BUFFER if ret_size is not large enough to hold the value. In that case ret_size will be updated with the required size. If the certificate does not have an Alternative name with the specified sequence number and with the otherName type then GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned.

Since: 2.10.0


gnutls_x509_crt_get_ca_status ()

int
gnutls_x509_crt_get_ca_status (gnutls_x509_crt_t cert,
                               unsigned int *critical);

This function will return certificates CA status, by reading the basicConstraints X.509 extension (2.5.29.19). If the certificate is a CA a positive value will be returned, or (0) if the certificate does not have CA flag set.

Use gnutls_x509_crt_get_basic_constraints() if you want to read the pathLenConstraint field too.

Parameters

cert

should contain a gnutls_x509_crt_t type

 

critical

will be non-zero if the extension is marked as critical

 

Returns

If the certificate is a CA a positive value will be returned, or (0) if the certificate does not have CA flag set. A negative error code may be returned in case of errors. If the certificate does not contain the basicConstraints extension GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.


gnutls_x509_crt_get_basic_constraints ()

int
gnutls_x509_crt_get_basic_constraints (gnutls_x509_crt_t cert,
                                       unsigned int *critical,
                                       unsigned int *ca,
                                       int *pathlen);

This function will read the certificate's basic constraints, and return the certificates CA status. It reads the basicConstraints X.509 extension (2.5.29.19).

Parameters

cert

should contain a gnutls_x509_crt_t type

 

critical

will be non-zero if the extension is marked as critical

 

ca

pointer to output integer indicating CA status, may be NULL, value is 1 if the certificate CA flag is set, 0 otherwise.

 

pathlen

pointer to output integer indicating path length (may be NULL), non-negative error codes indicate a present pathLenConstraint field and the actual value, -1 indicate that the field is absent.

 

Returns

If the certificate is a CA a positive value will be returned, or (0) if the certificate does not have CA flag set. A negative error code may be returned in case of errors. If the certificate does not contain the basicConstraints extension GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.


gnutls_x509_crt_get_key_usage ()

int
gnutls_x509_crt_get_key_usage (gnutls_x509_crt_t cert,
                               unsigned int *key_usage,
                               unsigned int *critical);

This function will return certificate's key usage, by reading the keyUsage X.509 extension (2.5.29.15). The key usage value will ORed values of the: GNUTLS_KEY_DIGITAL_SIGNATURE, GNUTLS_KEY_NON_REPUDIATION, GNUTLS_KEY_KEY_ENCIPHERMENT, GNUTLS_KEY_DATA_ENCIPHERMENT, GNUTLS_KEY_KEY_AGREEMENT, GNUTLS_KEY_KEY_CERT_SIGN, GNUTLS_KEY_CRL_SIGN, GNUTLS_KEY_ENCIPHER_ONLY, GNUTLS_KEY_DECIPHER_ONLY.

Parameters

cert

should contain a gnutls_x509_crt_t type

 

key_usage

where the key usage bits will be stored

 

critical

will be non-zero if the extension is marked as critical

 

Returns

zero on success, or a negative error code in case of parsing error. If the certificate does not contain the keyUsage extension GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.


gnutls_x509_crt_set_key_usage ()

int
gnutls_x509_crt_set_key_usage (gnutls_x509_crt_t crt,
                               unsigned int usage);

This function will set the keyUsage certificate extension.

Parameters

crt

a certificate of type gnutls_x509_crt_t

 

usage

an ORed sequence of the GNUTLS_KEY_* elements.

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_x509_crt_set_authority_info_access ()

int
gnutls_x509_crt_set_authority_info_access
                               (gnutls_x509_crt_t crt,
                                int what,
                                gnutls_datum_t *data);

This function sets the Authority Information Access (AIA) extension, see RFC 5280 section 4.2.2.1 for more information.

The type of data stored in data is specified via what which should be gnutls_info_access_what_t values.

If what is GNUTLS_IA_OCSP_URI, data will hold the OCSP URI. If what is GNUTLS_IA_CAISSUERS_URI, data will hold the caIssuers URI.

Parameters

crt

Holds the certificate

 

what

what data to get, a gnutls_info_access_what_t type.

 

data

output data to be freed with gnutls_free().

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.

Since: 3.0


gnutls_x509_crt_get_inhibit_anypolicy ()

int
gnutls_x509_crt_get_inhibit_anypolicy (gnutls_x509_crt_t cert,
                                       unsigned int *skipcerts,
                                       unsigned int *critical);

This function will return certificate's value of the SkipCerts, i.e., the Inhibit anyPolicy X.509 extension (2.5.29.54).

The returned value is the number of additional certificates that may appear in the path before the anyPolicy is no longer acceptable.

Parameters

cert

should contain a gnutls_x509_crt_t type

 

skipcerts

will hold the number of certificates after which anypolicy is no longer acceptable.

 

critical

will be non-zero if the extension is marked as critical

 

Returns

zero on success, or a negative error code in case of parsing error. If the certificate does not contain the Inhibit anyPolicy extension GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.

Since: 3.6.0


gnutls_x509_crt_set_inhibit_anypolicy ()

int
gnutls_x509_crt_set_inhibit_anypolicy (gnutls_x509_crt_t crt,
                                       unsigned int skipcerts);

This function will set the Inhibit anyPolicy certificate extension.

Parameters

crt

a certificate of type gnutls_x509_crt_t

 

skipcerts

number of certificates after which anypolicy is no longer acceptable.

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_x509_crt_get_proxy ()

int
gnutls_x509_crt_get_proxy (gnutls_x509_crt_t cert,
                           unsigned int *critical,
                           int *pathlen,
                           char **policyLanguage,
                           char **policy,
                           size_t *sizeof_policy);

This function will get information from a proxy certificate. It reads the ProxyCertInfo X.509 extension (1.3.6.1.5.5.7.1.14).

Parameters

cert

should contain a gnutls_x509_crt_t type

 

critical

will be non-zero if the extension is marked as critical

 

pathlen

pointer to output integer indicating path length (may be NULL), non-negative error codes indicate a present pCPathLenConstraint field and the actual value, -1 indicate that the field is absent.

 

policyLanguage

output variable with OID of policy language

 

policy

output variable with policy data

 

sizeof_policy

output variable size of policy data

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error code is returned.


gnutls_x509_tlsfeatures_init ()

int
gnutls_x509_tlsfeatures_init (gnutls_x509_tlsfeatures_t *features);

This function will initialize a X.509 TLS features extension structure

Parameters

f

The TLS features

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.

Since: 3.5.1


gnutls_x509_tlsfeatures_deinit ()

void
gnutls_x509_tlsfeatures_deinit (gnutls_x509_tlsfeatures_t Param1);

This function will deinitialize a X.509 TLS features extension structure

Parameters

f

The TLS features

 

Since: 3.5.1


gnutls_x509_tlsfeatures_get ()

int
gnutls_x509_tlsfeatures_get (gnutls_x509_tlsfeatures_t f,
                             unsigned  idx,
                             unsigned int *feature);

This function will get a feature from the X.509 TLS features extension structure.

Parameters

f

The TLS features

 

idx

The index of the feature to get

 

feature

If the function succeeds, the feature will be stored in this variable

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.

Since: 3.5.1


gnutls_x509_crt_set_tlsfeatures ()

int
gnutls_x509_crt_set_tlsfeatures (gnutls_x509_crt_t crt,
                                 gnutls_x509_tlsfeatures_t features);

This function will set the certificates X.509 TLS extension from the given structure.

Parameters

crt

A X.509 certificate

 

features

If the function succeeds, the features will be added to the certificate.

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.

Since: 3.5.1


gnutls_x509_crt_get_tlsfeatures ()

int
gnutls_x509_crt_get_tlsfeatures (gnutls_x509_crt_t cert,
                                 gnutls_x509_tlsfeatures_t features,
                                 unsigned int flags,
                                 unsigned int *critical);

This function will get the X.509 TLS features extension structure from the certificate. The returned structure needs to be freed using gnutls_x509_tlsfeatures_deinit().

When the flags is set to GNUTLS_EXT_FLAG_APPEND, then if the features structure is empty this function will behave identically as if the flag was not set. Otherwise if there are elements in the features structure then they will be merged with.

Note that features must be initialized prior to calling this function.

Parameters

crt

A X.509 certificate

 

features

If the function succeeds, the features will be stored in this variable.

 

flags

zero or GNUTLS_EXT_FLAG_APPEND

 

critical

the extension status

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.

Since: 3.5.1


gnutls_x509_tlsfeatures_check_crt ()

unsigned
gnutls_x509_tlsfeatures_check_crt (gnutls_x509_tlsfeatures_t feat,
                                   gnutls_x509_crt_t crt);

gnutls_x509_policy_release ()

void
gnutls_x509_policy_release (struct gnutls_x509_policy_st *policy);

This function will deinitialize all memory associated with the provided policy . The policy is allocated using gnutls_x509_crt_get_policy().

Parameters

policy

a certificate policy

 

Since: 3.1.5


gnutls_x509_crt_get_policy ()

int
gnutls_x509_crt_get_policy (gnutls_x509_crt_t crt,
                            unsigned  indx,
                            struct gnutls_x509_policy_st *policy,
                            unsigned int *critical);

This function will extract the certificate policy (extension 2.5.29.32) specified by the given index.

The policy returned by this function must be deinitialized by using gnutls_x509_policy_release().

Parameters

crt

should contain a gnutls_x509_crt_t type

 

indx

This specifies which policy to return. Use (0) to get the first one.

 

policy

A pointer to a policy structure.

 

critical

will be non-zero if the extension is marked as critical

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE if the extension is not present, otherwise a negative error value.

Since: 3.1.5


gnutls_x509_crt_set_policy ()

int
gnutls_x509_crt_set_policy (gnutls_x509_crt_t crt,
                            const struct gnutls_x509_policy_st *policy,
                            unsigned int critical);

This function will set the certificate policy extension (2.5.29.32). Multiple calls to this function append a new policy.

Note the maximum text size for the qualifier GNUTLS_X509_QUALIFIER_NOTICE is 200 characters. This function will fail with GNUTLS_E_INVALID_REQUEST if this is exceeded.

Parameters

crt

should contain a gnutls_x509_crt_t type

 

policy

A pointer to a policy

 

critical

use non-zero if the extension is marked as critical

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.

Since: 3.1.5


gnutls_x509_dn_oid_known ()

int
gnutls_x509_dn_oid_known (const char *oid);

This function will inform about known DN OIDs. This is useful since functions like gnutls_x509_crt_set_dn_by_oid() use the information on known OIDs to properly encode their input. Object Identifiers that are not known are not encoded by these functions, and their input is stored directly into the ASN.1 structure. In that case of unknown OIDs, you have the responsibility of DER encoding your data.

Parameters

oid

holds an Object Identifier in a null terminated string

 

Returns

1 on known OIDs and 0 otherwise.


gnutls_x509_dn_oid_name ()

const char *
gnutls_x509_dn_oid_name (const char *oid,
                         unsigned int flags);

This function will return the name of a known DN OID. If GNUTLS_X509_DN_OID_RETURN_OID is specified this function will return the given OID if no descriptive name has been found.

Parameters

oid

holds an Object Identifier in a null terminated string

 

flags

0 or GNUTLS_X509_DN_OID_*

 

Returns

A null terminated string or NULL otherwise.

Since: 3.0


gnutls_x509_crt_get_extension_oid ()

int
gnutls_x509_crt_get_extension_oid (gnutls_x509_crt_t cert,
                                   unsigned  indx,
                                   void *oid,
                                   size_t *oid_size);

This function will return the requested extension OID in the certificate. The extension OID will be stored as a string in the provided buffer.

The oid returned will be null terminated, although oid_size will not account for the trailing null.

Parameters

cert

should contain a gnutls_x509_crt_t type

 

indx

Specifies which extension OID to send. Use (0) to get the first one.

 

oid

a pointer to a structure to hold the OID (may be null)

 

oid_size

initially holds the size of oid

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error code is returned. If you have reached the last extension available GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.


gnutls_x509_crt_get_extension_by_oid ()

int
gnutls_x509_crt_get_extension_by_oid (gnutls_x509_crt_t cert,
                                      const char *oid,
                                      unsigned  indx,
                                      void *buf,
                                      size_t *buf_size,
                                      unsigned int *critical);

This function will return the extension specified by the OID in the certificate. The extensions will be returned as binary data DER encoded, in the provided buffer.

Parameters

cert

should contain a gnutls_x509_crt_t type

 

oid

holds an Object Identified in null terminated string

 

indx

In case multiple same OIDs exist in the extensions, this specifies which to send. Use (0) to get the first one.

 

buf

a pointer to a structure to hold the name (may be null)

 

buf_size

initially holds the size of buf

 

critical

will be non-zero if the extension is marked as critical

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error code is returned. If the certificate does not contain the specified extension GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.


gnutls_x509_crq_get_signature_algorithm ()

int
gnutls_x509_crq_get_signature_algorithm
                               (gnutls_x509_crq_t crq);

This function will return a value of the gnutls_sign_algorithm_t enumeration that is the signature algorithm that has been used to sign this certificate request.

Since 3.6.0 this function never returns a negative error code. Error cases and unknown/unsupported signature algorithms are mapped to GNUTLS_SIGN_UNKNOWN.

Parameters

crq

should contain a gnutls_x509_cr_t type

 

Returns

a gnutls_sign_algorithm_t value

Since: 3.4.0


gnutls_x509_crq_get_extension_by_oid2 ()

int
gnutls_x509_crq_get_extension_by_oid2 (gnutls_x509_crq_t crq,
                                       const char *oid,
                                       unsigned  indx,
                                       gnutls_datum_t *output,
                                       unsigned int *critical);

This function will return the extension specified by the OID in the certificate. The extensions will be returned as binary data DER encoded, in the provided buffer.

Parameters

crq

should contain a gnutls_x509_crq_t type

 

oid

holds an Object Identifier in a null terminated string

 

indx

In case multiple same OIDs exist in the extensions, this specifies which to get. Use (0) to get the first one.

 

output

will hold the allocated extension data

 

critical

will be non-zero if the extension is marked as critical

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error code in case of an error. If the certificate does not contain the specified extension GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.

Since: 3.3.8


gnutls_x509_crt_get_extension_info ()

int
gnutls_x509_crt_get_extension_info (gnutls_x509_crt_t cert,
                                    unsigned  indx,
                                    void *oid,
                                    size_t *oid_size,
                                    unsigned int *critical);

This function will return the requested extension OID in the certificate, and the critical flag for it. The extension OID will be stored as a string in the provided buffer. Use gnutls_x509_crt_get_extension() to extract the data.

If the buffer provided is not long enough to hold the output, then oid_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will be returned. The oid returned will be null terminated, although oid_size will not account for the trailing null (the latter is not true for GnuTLS prior to 3.6.0).

Parameters

cert

should contain a gnutls_x509_crt_t type

 

indx

Specifies which extension OID to send. Use (0) to get the first one.

 

oid

a pointer to a structure to hold the OID

 

oid_size

initially holds the maximum size of oid , on return holds actual size of oid .

 

critical

output variable with critical flag, may be NULL.

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error code is returned. If you have reached the last extension available GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.


gnutls_x509_crt_get_extension_data ()

int
gnutls_x509_crt_get_extension_data (gnutls_x509_crt_t cert,
                                    unsigned  indx,
                                    void *data,
                                    size_t *sizeof_data);

This function will return the requested extension data in the certificate. The extension data will be stored in the provided buffer.

Use gnutls_x509_crt_get_extension_info() to extract the OID and critical flag. Use gnutls_x509_crt_get_extension_by_oid() instead, if you want to get data indexed by the extension OID rather than sequence.

Parameters

cert

should contain a gnutls_x509_crt_t type

 

indx

Specifies which extension OID to send. Use (0) to get the first one.

 

data

a pointer to a structure to hold the data (may be null)

 

sizeof_data

initially holds the size of data

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error code is returned. If you have reached the last extension available GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.


gnutls_x509_crt_get_extension_data2 ()

int
gnutls_x509_crt_get_extension_data2 (gnutls_x509_crt_t cert,
                                     unsigned  indx,
                                     gnutls_datum_t *data);

This function will return the requested by the index extension data in the certificate. The extension data will be allocated using gnutls_malloc().

Use gnutls_x509_crt_get_extension_info() to extract the OID.

Parameters

cert

should contain a gnutls_x509_crt_t type

 

indx

Specifies which extension OID to read. Use (0) to get the first one.

 

data

will contain the extension DER-encoded data

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error code is returned. If you have reached the last extension available GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.


gnutls_x509_crt_set_extension_by_oid ()

int
gnutls_x509_crt_set_extension_by_oid (gnutls_x509_crt_t crt,
                                      const char *oid,
                                      const void *buf,
                                      size_t sizeof_buf,
                                      unsigned int critical);

This function will set an the extension, by the specified OID, in the certificate. The extension data should be binary data DER encoded.

Parameters

crt

a certificate of type gnutls_x509_crt_t

 

oid

holds an Object Identifier in null terminated string

 

buf

a pointer to a DER encoded data

 

sizeof_buf

holds the size of buf

 

critical

should be non-zero if the extension is to be marked as critical

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_x509_crt_set_dn ()

int
gnutls_x509_crt_set_dn (gnutls_x509_crt_t crt,
                        const char *dn,
                        const char **err);

This function will set the DN on the provided certificate. The input string should be plain ASCII or UTF-8 encoded. On DN parsing error GNUTLS_E_PARSING_ERROR is returned.

Note that DNs are not expected to hold DNS information, and thus no automatic IDNA conversions are attempted when using this function. If that is required (e.g., store a domain in CN), process the corresponding input with gnutls_idna_map().

Parameters

crt

a certificate of type gnutls_x509_crt_t

 

dn

a comma separated DN string (RFC4514)

 

err

indicates the error position (if any)

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_x509_crt_set_dn_by_oid ()

int
gnutls_x509_crt_set_dn_by_oid (gnutls_x509_crt_t crt,
                               const char *oid,
                               unsigned int raw_flag,
                               const void *name,
                               unsigned int sizeof_name);

This function will set the part of the name of the Certificate subject, specified by the given OID. The input string should be ASCII or UTF-8 encoded.

Some helper macros with popular OIDs can be found in gnutls/x509.h With this function you can only set the known OIDs. You can test for known OIDs using gnutls_x509_dn_oid_known(). For OIDs that are not known (by gnutls) you should properly DER encode your data, and call this function with raw_flag set.

Parameters

crt

a certificate of type gnutls_x509_crt_t

 

oid

holds an Object Identifier in a null terminated string

 

raw_flag

must be 0, or 1 if the data are DER encoded

 

name

a pointer to the name

 

sizeof_name

holds the size of name

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_x509_crt_set_issuer_dn_by_oid ()

int
gnutls_x509_crt_set_issuer_dn_by_oid (gnutls_x509_crt_t crt,
                                      const char *oid,
                                      unsigned int raw_flag,
                                      const void *name,
                                      unsigned int sizeof_name);

This function will set the part of the name of the Certificate issuer, specified by the given OID. The input string should be ASCII or UTF-8 encoded.

Some helper macros with popular OIDs can be found in gnutls/x509.h With this function you can only set the known OIDs. You can test for known OIDs using gnutls_x509_dn_oid_known(). For OIDs that are not known (by gnutls) you should properly DER encode your data, and call this function with raw_flag set.

Normally you do not need to call this function, since the signing operation will copy the signer's name as the issuer of the certificate.

Parameters

crt

a certificate of type gnutls_x509_crt_t

 

oid

holds an Object Identifier in a null terminated string

 

raw_flag

must be 0, or 1 if the data are DER encoded

 

name

a pointer to the name

 

sizeof_name

holds the size of name

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_x509_crt_set_issuer_dn ()

int
gnutls_x509_crt_set_issuer_dn (gnutls_x509_crt_t crt,
                               const char *dn,
                               const char **err);

This function will set the DN on the provided certificate. The input string should be plain ASCII or UTF-8 encoded. On DN parsing error GNUTLS_E_PARSING_ERROR is returned.

Parameters

crt

a certificate of type gnutls_x509_crt_t

 

dn

a comma separated DN string (RFC4514)

 

err

indicates the error position (if any)

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_x509_crt_set_version ()

int
gnutls_x509_crt_set_version (gnutls_x509_crt_t crt,
                             unsigned int version);

This function will set the version of the certificate. This must be one for X.509 version 1, and so on. Plain certificates without extensions must have version set to one.

To create well-formed certificates, you must specify version 3 if you use any certificate extensions. Extensions are created by functions such as gnutls_x509_crt_set_subject_alt_name() or gnutls_x509_crt_set_key_usage().

Parameters

crt

a certificate of type gnutls_x509_crt_t

 

version

holds the version number. For X.509v1 certificates must be 1.

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_x509_crt_set_key ()

int
gnutls_x509_crt_set_key (gnutls_x509_crt_t crt,
                         gnutls_x509_privkey_t key);

This function will set the public parameters from the given private key to the certificate.

To export the public key (i.e., the SubjectPublicKeyInfo part), check gnutls_pubkey_import_x509().

Parameters

crt

a certificate of type gnutls_x509_crt_t

 

key

holds a private key

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_x509_crt_set_ca_status ()

int
gnutls_x509_crt_set_ca_status (gnutls_x509_crt_t crt,
                               unsigned int ca);

This function will set the basicConstraints certificate extension. Use gnutls_x509_crt_set_basic_constraints() if you want to control the pathLenConstraint field too.

Parameters

crt

a certificate of type gnutls_x509_crt_t

 

ca

true(1) or false(0). Depending on the Certificate authority status.

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_x509_crt_set_basic_constraints ()

int
gnutls_x509_crt_set_basic_constraints (gnutls_x509_crt_t crt,
                                       unsigned int ca,
                                       int pathLenConstraint);

This function will set the basicConstraints certificate extension.

Parameters

crt

a certificate of type gnutls_x509_crt_t

 

ca

true(1) or false(0). Depending on the Certificate authority status.

 

pathLenConstraint

non-negative error codes indicate maximum length of path, and negative error codes indicate that the pathLenConstraints field should not be present.

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_x509_crt_set_subject_unique_id ()

int
gnutls_x509_crt_set_subject_unique_id (gnutls_x509_crt_t cert,
                                       const void *id,
                                       size_t id_size);

This function will set the X.509 certificate's subject unique ID field.

Parameters

cert

a certificate of type gnutls_x509_crt_t

 

id

The unique ID

 

id_size

Holds the size of the unique ID.

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.

Since: 3.4.7


gnutls_x509_crt_set_issuer_unique_id ()

int
gnutls_x509_crt_set_issuer_unique_id (gnutls_x509_crt_t cert,
                                      const void *id,
                                      size_t id_size);

This function will set the X.509 certificate's issuer unique ID field.

Parameters

cert

a certificate of type gnutls_x509_crt_t

 

id

The unique ID

 

id_size

Holds the size of the unique ID.

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.

Since: 3.4.7


gnutls_x509_crt_set_subject_alternative_name ()

int
gnutls_x509_crt_set_subject_alternative_name
                               (gnutls_x509_crt_t crt,
                                gnutls_x509_subject_alt_name_t type,
                                const char *data_string);

This function will set the subject alternative name certificate extension. This function assumes that data can be expressed as a null terminated string.

The name of the function is unfortunate since it is inconsistent with gnutls_x509_crt_get_subject_alt_name().

See gnutls_x509_crt_set_subject_alt_name() for more information.

Parameters

crt

a certificate of type gnutls_x509_crt_t

 

type

is one of the gnutls_x509_subject_alt_name_t enumerations

 

data_string

The data to be set, a (0) terminated string

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_x509_crt_set_subject_alt_name ()

int
gnutls_x509_crt_set_subject_alt_name (gnutls_x509_crt_t crt,
                                      gnutls_x509_subject_alt_name_t type,
                                      const void *data,
                                      unsigned int data_size,
                                      unsigned int flags);

This function will set the subject alternative name certificate extension. It can set the following types: GNUTLS_SAN_DNSNAME as a text string, GNUTLS_SAN_RFC822NAME as a text string, GNUTLS_SAN_URI as a text string, GNUTLS_SAN_IPADDRESS as a binary IP address (4 or 16 bytes), GNUTLS_SAN_OTHERNAME_XMPP as a UTF8 string (since 3.5.0).

Since version 3.5.7 the GNUTLS_SAN_RFC822NAME, GNUTLS_SAN_DNSNAME, and GNUTLS_SAN_OTHERNAME_XMPP are converted to ACE format when necessary.

Parameters

crt

a certificate of type gnutls_x509_crt_t

 

type

is one of the gnutls_x509_subject_alt_name_t enumerations

 

data

The data to be set

 

data_size

The size of data to be set

 

flags

GNUTLS_FSAN_SET to clear previous data or GNUTLS_FSAN_APPEND to append.

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.

Since: 2.6.0


gnutls_x509_crt_set_subject_alt_othername ()

int
gnutls_x509_crt_set_subject_alt_othername
                               (gnutls_x509_crt_t crt,
                                const char *oid,
                                const void *data,
                                unsigned int data_size,
                                unsigned int flags);

This function will set an "othername" to the subject alternative name certificate extension.

The values set are set as binary values and are expected to have the proper DER encoding. For convenience the flags GNUTLS_FSAN_ENCODE_OCTET_STRING and GNUTLS_FSAN_ENCODE_UTF8_STRING can be used to encode the provided data.

Parameters

crt

a certificate of type gnutls_x509_crt_t

 

oid

The other name OID

 

data

The data to be set

 

data_size

The size of data to be set

 

flags

GNUTLS_FSAN_SET to clear previous data or GNUTLS_FSAN_APPEND to append.

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.

Since: 3.5.0


gnutls_x509_crt_set_issuer_alt_name ()

int
gnutls_x509_crt_set_issuer_alt_name (gnutls_x509_crt_t crt,
                                     gnutls_x509_subject_alt_name_t type,
                                     const void *data,
                                     unsigned int data_size,
                                     unsigned int flags);

This function will set the issuer alternative name certificate extension. It can set the same types as gnutls_x509_crt_set_subject_alt_name().

Since version 3.5.7 the GNUTLS_SAN_RFC822NAME, GNUTLS_SAN_DNSNAME, and GNUTLS_SAN_OTHERNAME_XMPP are converted to ACE format when necessary.

Parameters

crt

a certificate of type gnutls_x509_crt_t

 

type

is one of the gnutls_x509_subject_alt_name_t enumerations

 

data

The data to be set

 

data_size

The size of data to be set

 

flags

GNUTLS_FSAN_SET to clear previous data or GNUTLS_FSAN_APPEND to append.

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.

Since: 3.3.0


gnutls_x509_crt_set_issuer_alt_othername ()

int
gnutls_x509_crt_set_issuer_alt_othername
                               (gnutls_x509_crt_t crt,
                                const char *oid,
                                const void *data,
                                unsigned int data_size,
                                unsigned int flags);

This function will set an "othername" to the issuer alternative name certificate extension.

The values set are set as binary values and are expected to have the proper DER encoding. For convenience the flags GNUTLS_FSAN_ENCODE_OCTET_STRING and GNUTLS_FSAN_ENCODE_UTF8_STRING can be used to encode the provided data.

Parameters

crt

a certificate of type gnutls_x509_crt_t

 

oid

The other name OID

 

data

The data to be set

 

data_size

The size of data to be set

 

flags

GNUTLS_FSAN_SET to clear previous data or GNUTLS_FSAN_APPEND to append.

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.

Since: 3.5.0


gnutls_x509_crt_sign ()

int
gnutls_x509_crt_sign (gnutls_x509_crt_t crt,
                      gnutls_x509_crt_t issuer,
                      gnutls_x509_privkey_t issuer_key);

This function is the same a gnutls_x509_crt_sign2() with no flags, and an appropriate hash algorithm. The hash algorithm used may vary between versions of GnuTLS, and it is tied to the security level of the issuer's public key.

Parameters

crt

a certificate of type gnutls_x509_crt_t

 

issuer

is the certificate of the certificate issuer

 

issuer_key

holds the issuer's private key

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_x509_crt_sign2 ()

int
gnutls_x509_crt_sign2 (gnutls_x509_crt_t crt,
                       gnutls_x509_crt_t issuer,
                       gnutls_x509_privkey_t issuer_key,
                       gnutls_digest_algorithm_t dig,
                       unsigned int flags);

This function will sign the certificate with the issuer's private key, and will copy the issuer's information into the certificate.

This must be the last step in a certificate generation since all the previously set parameters are now signed.

A known limitation of this function is, that a newly-signed certificate will not be fully functional (e.g., for signature verification), until it is exported an re-imported.

After GnuTLS 3.6.1 the value of dig may be GNUTLS_DIG_UNKNOWN, and in that case, a suitable but reasonable for the key algorithm will be selected.

Parameters

crt

a certificate of type gnutls_x509_crt_t

 

issuer

is the certificate of the certificate issuer

 

issuer_key

holds the issuer's private key

 

dig

The message digest to use, GNUTLS_DIG_SHA256 is a safe choice

 

flags

must be 0

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_x509_crt_set_activation_time ()

int
gnutls_x509_crt_set_activation_time (gnutls_x509_crt_t cert,
                                     time_t act_time);

This function will set the time this certificate was or will be activated.

Parameters

cert

a certificate of type gnutls_x509_crt_t

 

act_time

The actual time

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_x509_crt_set_expiration_time ()

int
gnutls_x509_crt_set_expiration_time (gnutls_x509_crt_t cert,
                                     time_t exp_time);

This function will set the time this Certificate will expire. Setting an expiration time to (time_t)-1 will set to the no well-defined expiration date value.

Parameters

cert

a certificate of type gnutls_x509_crt_t

 

exp_time

The actual time

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_x509_crt_set_serial ()

int
gnutls_x509_crt_set_serial (gnutls_x509_crt_t cert,
                            const void *serial,
                            size_t serial_size);

This function will set the X.509 certificate's serial number. While the serial number is an integer, it is often handled as an opaque field by several CAs. For this reason this function accepts any kind of data as a serial number. To be consistent with the X.509/PKIX specifications the provided serial should be a big-endian positive number (i.e. its leftmost bit should be zero).

The size of the serial is restricted to 20 bytes maximum by RFC5280. This function allows writing more than 20 bytes but the generated certificates in that case may be rejected by other implementations.

Parameters

cert

a certificate of type gnutls_x509_crt_t

 

serial

The serial number

 

serial_size

Holds the size of the serial field.

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_x509_crt_set_subject_key_id ()

int
gnutls_x509_crt_set_subject_key_id (gnutls_x509_crt_t cert,
                                    const void *id,
                                    size_t id_size);

This function will set the X.509 certificate's subject key ID extension.

Parameters

cert

a certificate of type gnutls_x509_crt_t

 

id

The key ID

 

id_size

Holds the size of the subject key ID field.

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_x509_crt_set_proxy_dn ()

int
gnutls_x509_crt_set_proxy_dn (gnutls_x509_crt_t crt,
                              gnutls_x509_crt_t eecrt,
                              unsigned int raw_flag,
                              const void *name,
                              unsigned int sizeof_name);

This function will set the subject in crt to the end entity's eecrt subject name, and add a single Common Name component name of size sizeof_name . This corresponds to the required proxy certificate naming style. Note that if name is NULL, you MUST set it later by using gnutls_x509_crt_set_dn_by_oid() or similar.

Parameters

crt

a gnutls_x509_crt_t type with the new proxy cert

 

eecrt

the end entity certificate that will be issuing the proxy

 

raw_flag

must be 0, or 1 if the CN is DER encoded

 

name

a pointer to the CN name, may be NULL (but MUST then be added later)

 

sizeof_name

holds the size of name

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_x509_crt_set_proxy ()

int
gnutls_x509_crt_set_proxy (gnutls_x509_crt_t crt,
                           int pathLenConstraint,
                           const char *policyLanguage,
                           const char *policy,
                           size_t sizeof_policy);

This function will set the proxyCertInfo extension.

Parameters

crt

a certificate of type gnutls_x509_crt_t

 

pathLenConstraint

non-negative error codes indicate maximum length of path, and negative error codes indicate that the pathLenConstraints field should not be present.

 

policyLanguage

OID describing the language of policy .

 

policy

uint8_t byte array with policy language, can be NULL

 

sizeof_policy

size of policy .

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_x509_crt_print ()

int
gnutls_x509_crt_print (gnutls_x509_crt_t cert,
                       gnutls_certificate_print_formats_t format,
                       gnutls_datum_t *out);

This function will pretty print a X.509 certificate, suitable for display to a human.

If the format is GNUTLS_CRT_PRINT_FULL then all fields of the certificate will be output, on multiple lines. The GNUTLS_CRT_PRINT_ONELINE format will generate one line with some selected fields, which is useful for logging purposes.

The output out needs to be deallocated using gnutls_free().

Parameters

cert

The data to be printed

 

format

Indicate the format to use

 

out

Newly allocated datum with null terminated string.

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_x509_crl_print ()

int
gnutls_x509_crl_print (gnutls_x509_crl_t crl,
                       gnutls_certificate_print_formats_t format,
                       gnutls_datum_t *out);

This function will pretty print a X.509 certificate revocation list, suitable for display to a human.

The output out needs to be deallocated using gnutls_free().

Parameters

crl

The data to be printed

 

format

Indicate the format to use

 

out

Newly allocated datum with null terminated string.

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_x509_crt_get_raw_issuer_dn ()

int
gnutls_x509_crt_get_raw_issuer_dn (gnutls_x509_crt_t cert,
                                   gnutls_datum_t *start);

This function will return a pointer to the DER encoded DN structure and the length. This points to allocated data that must be free'd using gnutls_free().

Parameters

cert

should contain a gnutls_x509_crt_t type

 

dn

will hold the starting point of the DN

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.or a negative error code on error.


gnutls_x509_crt_get_raw_dn ()

int
gnutls_x509_crt_get_raw_dn (gnutls_x509_crt_t cert,
                            gnutls_datum_t *start);

This function will return a pointer to the DER encoded DN structure and the length. This points to allocated data that must be free'd using gnutls_free().

Parameters

cert

should contain a gnutls_x509_crt_t type

 

dn

will hold the starting point of the DN

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value. or a negative error code on error.


gnutls_x509_rdn_get ()

int
gnutls_x509_rdn_get (const gnutls_datum_t *idn,
                     char *buf,
                     size_t *sizeof_buf);

This function will return the name of the given RDN sequence. The name will be in the form "C=xxxx,O=yyyy,CN=zzzz" as described in RFC4514.

This function does not output a fully RFC4514 compliant string, if that is required see gnutls_x509_rdn_get2().

Parameters

idn

should contain a DER encoded RDN sequence

 

buf

a pointer to a structure to hold the peer's name

 

buf_size

holds the size of buf

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, or GNUTLS_E_SHORT_MEMORY_BUFFER is returned and *buf_size is updated if the provided buffer is not long enough, otherwise a negative error value.


gnutls_x509_rdn_get2 ()

int
gnutls_x509_rdn_get2 (const gnutls_datum_t *idn,
                      gnutls_datum_t *str,
                      unsigned  flags);

This function will return the name of the given RDN sequence. The name will be in the form "C=xxxx,O=yyyy,CN=zzzz" as described in RFC4514.

When the flag GNUTLS_X509_DN_FLAG_COMPAT is specified, the output format will match the format output by previous to 3.5.6 versions of GnuTLS which was not not fully RFC4514-compliant.

Parameters

idn

should contain a DER encoded RDN sequence

 

str

a datum that will hold the name

 

flags

zero of GNUTLS_X509_DN_FLAG_COMPAT

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, or GNUTLS_E_SHORT_MEMORY_BUFFER is returned and *buf_size is updated if the provided buffer is not long enough, otherwise a negative error value.


gnutls_x509_rdn_get_oid ()

int
gnutls_x509_rdn_get_oid (const gnutls_datum_t *idn,
                         unsigned  indx,
                         void *buf,
                         size_t *sizeof_buf);

This function will return the specified Object identifier, of the RDN sequence.

Parameters

idn

should contain a DER encoded RDN sequence

 

indx

Indicates which OID to return. Use 0 for the first one.

 

buf

a pointer to a structure to hold the peer's name OID

 

buf_size

holds the size of buf

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, or GNUTLS_E_SHORT_MEMORY_BUFFER is returned and *buf_size is updated if the provided buffer is not long enough, otherwise a negative error value.

Since: 2.4.0


gnutls_x509_rdn_get_by_oid ()

int
gnutls_x509_rdn_get_by_oid (const gnutls_datum_t *idn,
                            const char *oid,
                            unsigned  indx,
                            unsigned int raw_flag,
                            void *buf,
                            size_t *sizeof_buf);

This function will return the name of the given Object identifier, of the RDN sequence. The name will be encoded using the rules from RFC4514.

Parameters

idn

should contain a DER encoded RDN sequence

 

oid

an Object Identifier

 

indx

In case multiple same OIDs exist in the RDN indicates which to send. Use 0 for the first one.

 

raw_flag

If non-zero then the raw DER data are returned.

 

buf

a pointer to a structure to hold the peer's name

 

buf_size

holds the size of buf

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, or GNUTLS_E_SHORT_MEMORY_BUFFER is returned and *buf_size is updated if the provided buffer is not long enough, otherwise a negative error value.


gnutls_x509_crt_get_subject ()

int
gnutls_x509_crt_get_subject (gnutls_x509_crt_t cert,
                             gnutls_x509_dn_t *dn);

Return the Certificate's Subject DN as a gnutls_x509_dn_t data type, that can be decoded using gnutls_x509_dn_get_rdn_ava().

Note that dn should be treated as constant. Because it points into the cert object, you should not use dn after cert is deallocated.

Parameters

cert

should contain a gnutls_x509_crt_t type

 

dn

output variable with pointer to uint8_t DN.

 

Returns

Returns 0 on success, or an error code.


gnutls_x509_crt_get_issuer ()

int
gnutls_x509_crt_get_issuer (gnutls_x509_crt_t cert,
                            gnutls_x509_dn_t *dn);

Return the Certificate's Issuer DN as a gnutls_x509_dn_t data type, that can be decoded using gnutls_x509_dn_get_rdn_ava().

Note that dn should be treated as constant. Because it points into the cert object, you should not use dn after cert is deallocated.

Parameters

cert

should contain a gnutls_x509_crt_t type

 

dn

output variable with pointer to uint8_t DN

 

Returns

Returns 0 on success, or an error code.


gnutls_x509_dn_get_rdn_ava ()

int
gnutls_x509_dn_get_rdn_ava (gnutls_x509_dn_t dn,
                            int irdn,
                            int iava,
                            gnutls_x509_ava_st *ava);

Get pointers to data within the DN. The format of the ava structure is shown below.

struct gnutls_x509_ava_st { gnutls_datum_t oid; gnutls_datum_t value; unsigned long value_tag; };

The X.509 distinguished name is a sequence of sequences of strings and this is what the irdn and iava indexes model.

Note that ava will contain pointers into the dn structure which in turns points to the original certificate. Thus you should not modify any data or deallocate any of those.

This is a low-level function that requires the caller to do the value conversions when necessary (e.g. from UCS-2).

Parameters

dn

a pointer to DN

 

irdn

index of RDN

 

iava

index of AVA.

 

ava

Pointer to structure which will hold output information.

 

Returns

Returns 0 on success, or an error code.


gnutls_x509_dn_get_str ()

int
gnutls_x509_dn_get_str (gnutls_x509_dn_t dn,
                        gnutls_datum_t *str);

This function will allocate buffer and copy the name in the provided DN. The name will be in the form "C=xxxx,O=yyyy,CN=zzzz" as described in RFC4514. The output string will be ASCII or UTF-8 encoded, depending on the certificate data.

When the flag GNUTLS_X509_DN_FLAG_COMPAT is specified, the output format will match the format output by previous to 3.5.6 versions of GnuTLS which was not not fully RFC4514-compliant.

Parameters

dn

a pointer to DN

 

str

a datum that will hold the name

 

flags

zero or GNUTLS_X509_DN_FLAG_COMPAT

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.

Since: 3.5.7


gnutls_x509_dn_get_str2 ()

int
gnutls_x509_dn_get_str2 (gnutls_x509_dn_t dn,
                         gnutls_datum_t *str,
                         unsigned  flags);

gnutls_x509_dn_set_str ()

int
gnutls_x509_dn_set_str (gnutls_x509_dn_t dn,
                        const char *str,
                        const char **err);

This function will set the DN on the provided DN structure. The input string should be plain ASCII or UTF-8 encoded. On DN parsing error GNUTLS_E_PARSING_ERROR is returned.

Parameters

dn

a pointer to DN

 

str

a comma separated DN string (RFC4514)

 

err

indicates the error position (if any)

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.

Since: 3.5.3


gnutls_x509_dn_init ()

int
gnutls_x509_dn_init (gnutls_x509_dn_t *dn);

This function initializes a gnutls_x509_dn_t type.

The object returned must be deallocated using gnutls_x509_dn_deinit().

Parameters

dn

the object to be initialized

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.

Since: 2.4.0


gnutls_x509_dn_import ()

int
gnutls_x509_dn_import (gnutls_x509_dn_t dn,
                       const gnutls_datum_t *data);

This function parses an RDN sequence and stores the result to a gnutls_x509_dn_t type. The data must have been initialized with gnutls_x509_dn_init(). You may use gnutls_x509_dn_get_rdn_ava() to decode the DN.

Parameters

dn

the structure that will hold the imported DN

 

data

should contain a DER encoded RDN sequence

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.

Since: 2.4.0


gnutls_x509_dn_export ()

int
gnutls_x509_dn_export (gnutls_x509_dn_t dn,
                       gnutls_x509_crt_fmt_t format,
                       void *output_data,
                       size_t *output_data_size);

This function will export the DN to DER or PEM format.

If the buffer provided is not long enough to hold the output, then *output_data_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will be returned.

If the structure is PEM encoded, it will have a header of "BEGIN NAME".

Parameters

dn

Holds the uint8_t DN object

 

format

the format of output params. One of PEM or DER.

 

output_data

will contain a DN PEM or DER encoded

 

output_data_size

holds the size of output_data (and will be replaced by the actual size of parameters)

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_x509_dn_export2 ()

int
gnutls_x509_dn_export2 (gnutls_x509_dn_t dn,
                        gnutls_x509_crt_fmt_t format,
                        gnutls_datum_t *out);

This function will export the DN to DER or PEM format.

The output buffer is allocated using gnutls_malloc().

If the structure is PEM encoded, it will have a header of "BEGIN NAME".

Parameters

dn

Holds the uint8_t DN object

 

format

the format of output params. One of PEM or DER.

 

out

will contain a DN PEM or DER encoded

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.

Since: 3.1.3


gnutls_x509_dn_deinit ()

void
gnutls_x509_dn_deinit (gnutls_x509_dn_t dn);

This function deallocates the DN object as returned by gnutls_x509_dn_import().

Parameters

dn

a DN uint8_t object pointer.

 

Since: 2.4.0


gnutls_x509_crl_init ()

int
gnutls_x509_crl_init (gnutls_x509_crl_t *crl);

This function will initialize a CRL structure. CRL stands for Certificate Revocation List. A revocation list usually contains lists of certificate serial numbers that have been revoked by an Authority. The revocation lists are always signed with the authority's private key.

Parameters

crl

A pointer to the type to be initialized

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_x509_crl_deinit ()

void
gnutls_x509_crl_deinit (gnutls_x509_crl_t crl);

This function will deinitialize a CRL structure.

Parameters

crl

The data to be deinitialized

 

gnutls_x509_crl_import ()

int
gnutls_x509_crl_import (gnutls_x509_crl_t crl,
                        const gnutls_datum_t *data,
                        gnutls_x509_crt_fmt_t format);

This function will convert the given DER or PEM encoded CRL to the native gnutls_x509_crl_t format. The output will be stored in 'crl'.

If the CRL is PEM encoded it should have a header of "X509 CRL".

Parameters

crl

The data to store the parsed CRL.

 

data

The DER or PEM encoded CRL.

 

format

One of DER or PEM

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_x509_crl_export ()

int
gnutls_x509_crl_export (gnutls_x509_crl_t crl,
                        gnutls_x509_crt_fmt_t format,
                        void *output_data,
                        size_t *output_data_size);

This function will export the revocation list to DER or PEM format.

If the buffer provided is not long enough to hold the output, then GNUTLS_E_SHORT_MEMORY_BUFFER will be returned.

If the structure is PEM encoded, it will have a header of "BEGIN X509 CRL".

Parameters

crl

Holds the revocation list

 

format

the format of output params. One of PEM or DER.

 

output_data

will contain a private key PEM or DER encoded

 

output_data_size

holds the size of output_data (and will be replaced by the actual size of parameters)

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_x509_crl_export2 ()

int
gnutls_x509_crl_export2 (gnutls_x509_crl_t crl,
                         gnutls_x509_crt_fmt_t format,
                         gnutls_datum_t *out);

This function will export the revocation list to DER or PEM format.

The output buffer is allocated using gnutls_malloc().

If the structure is PEM encoded, it will have a header of "BEGIN X509 CRL".

Parameters

crl

Holds the revocation list

 

format

the format of output params. One of PEM or DER.

 

out

will contain a private key PEM or DER encoded

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.

Since 3.1.3


gnutls_x509_crl_get_raw_issuer_dn ()

int
gnutls_x509_crl_get_raw_issuer_dn (gnutls_x509_crl_t crl,
                                   gnutls_datum_t *dn);

This function will return a pointer to the DER encoded DN structure and the length.

Parameters

crl

should contain a gnutls_x509_crl_t type

 

dn

will hold the starting point of the DN

 

Returns

a negative error code on error, and (0) on success.

Since: 2.12.0


gnutls_x509_crl_get_issuer_dn ()

int
gnutls_x509_crl_get_issuer_dn (gnutls_x509_crl_t crl,
                               char *buf,
                               size_t *sizeof_buf);

This function will copy the name of the CRL issuer in the provided buffer. The name will be in the form "C=xxxx,O=yyyy,CN=zzzz" as described in RFC4514. The output string will be ASCII or UTF-8 encoded, depending on the certificate data.

If buf is NULL then only the size will be filled.

This function does not output a fully RFC4514 compliant string, if that is required see gnutls_x509_crl_get_issuer_dn3().

Parameters

crl

should contain a gnutls_x509_crl_t type

 

buf

a pointer to a structure to hold the peer's name (may be null)

 

sizeof_buf

initially holds the size of buf

 

Returns

GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not long enough, and in that case the sizeof_buf will be updated with the required size, and 0 on success.


gnutls_x509_crl_get_issuer_dn2 ()

int
gnutls_x509_crl_get_issuer_dn2 (gnutls_x509_crl_t crl,
                                gnutls_datum_t *dn);

This function will allocate buffer and copy the name of the CRL issuer. The name will be in the form "C=xxxx,O=yyyy,CN=zzzz" as described in RFC4514. The output string will be ASCII or UTF-8 encoded, depending on the certificate data.

This function does not output a fully RFC4514 compliant string, if that is required see gnutls_x509_crl_get_issuer_dn3().

Parameters

crl

should contain a gnutls_x509_crl_t type

 

dn

a pointer to a structure to hold the name; must be freed using gnutls_free()

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.

Since: 3.1.10


gnutls_x509_crl_get_issuer_dn3 ()

int
gnutls_x509_crl_get_issuer_dn3 (gnutls_x509_crl_t crl,
                                gnutls_datum_t *dn,
                                unsigned  flags);

This function will allocate buffer and copy the name of the CRL issuer. The name will be in the form "C=xxxx,O=yyyy,CN=zzzz" as described in RFC4514. The output string will be ASCII or UTF-8 encoded, depending on the certificate data.

When the flag GNUTLS_X509_DN_FLAG_COMPAT is specified, the output format will match the format output by previous to 3.5.6 versions of GnuTLS which was not not fully RFC4514-compliant.

Parameters

crl

should contain a gnutls_x509_crl_t type

 

dn

a pointer to a structure to hold the name; must be freed using gnutls_free()

 

flags

zero or GNUTLS_X509_DN_FLAG_COMPAT

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.

Since: 3.5.7


gnutls_x509_crl_get_issuer_dn_by_oid ()

int
gnutls_x509_crl_get_issuer_dn_by_oid (gnutls_x509_crl_t crl,
                                      const char *oid,
                                      unsigned  indx,
                                      unsigned int raw_flag,
                                      void *buf,
                                      size_t *sizeof_buf);

This function will extract the part of the name of the CRL issuer specified by the given OID. The output will be encoded as described in RFC4514. The output string will be ASCII or UTF-8 encoded, depending on the certificate data.

Some helper macros with popular OIDs can be found in gnutls/x509.h If raw flag is (0), this function will only return known OIDs as text. Other OIDs will be DER encoded, as described in RFC4514 -- in hex format with a '#' prefix. You can check about known OIDs using gnutls_x509_dn_oid_known().

If buf is null then only the size will be filled.

Parameters

crl

should contain a gnutls_x509_crl_t type

 

oid

holds an Object Identified in null terminated string

 

indx

In case multiple same OIDs exist in the RDN, this specifies which to send. Use (0) to get the first one.

 

raw_flag

If non-zero returns the raw DER data of the DN part.

 

buf

a pointer to a structure to hold the peer's name (may be null)

 

sizeof_buf

initially holds the size of buf

 

Returns

GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not long enough, and in that case the sizeof_buf will be updated with the required size, and 0 on success.


gnutls_x509_crl_get_dn_oid ()

int
gnutls_x509_crl_get_dn_oid (gnutls_x509_crl_t crl,
                            unsigned  indx,
                            void *oid,
                            size_t *sizeof_oid);

This function will extract the requested OID of the name of the CRL issuer, specified by the given index.

If oid is null then only the size will be filled.

Parameters

crl

should contain a gnutls_x509_crl_t type

 

indx

Specifies which DN OID to send. Use (0) to get the first one.

 

oid

a pointer to store the OID (may be null)

 

sizeof_oid

initially holds the size of 'oid'

 

Returns

GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not long enough, and in that case the sizeof_oid will be updated with the required size. On success 0 is returned.


gnutls_x509_crl_get_signature_algorithm ()

int
gnutls_x509_crl_get_signature_algorithm
                               (gnutls_x509_crl_t crl);

This function will return a value of the gnutls_sign_algorithm_t enumeration that is the signature algorithm.

Since 3.6.0 this function never returns a negative error code. Error cases and unknown/unsupported signature algorithms are mapped to GNUTLS_SIGN_UNKNOWN.

Parameters

crl

should contain a gnutls_x509_crl_t type

 

Returns

a gnutls_sign_algorithm_t value


gnutls_x509_crl_get_signature ()

int
gnutls_x509_crl_get_signature (gnutls_x509_crl_t crl,
                               char *sig,
                               size_t *sizeof_sig);

This function will extract the signature field of a CRL.

Parameters

crl

should contain a gnutls_x509_crl_t type

 

sig

a pointer where the signature part will be copied (may be null).

 

sizeof_sig

initially holds the size of sig

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_x509_crl_get_version ()

int
gnutls_x509_crl_get_version (gnutls_x509_crl_t crl);

This function will return the version of the specified CRL.

Parameters

crl

should contain a gnutls_x509_crl_t type

 

Returns

The version number, or a negative error code on error.


gnutls_x509_crl_get_signature_oid ()

int
gnutls_x509_crl_get_signature_oid (gnutls_x509_crl_t crl,
                                   char *oid,
                                   size_t *oid_size);

This function will return the OID of the signature algorithm that has been used to sign this CRL. This is function is useful in the case gnutls_x509_crl_get_signature_algorithm() returned GNUTLS_SIGN_UNKNOWN.

Parameters

crl

should contain a gnutls_x509_crl_t type

 

oid

a pointer to a buffer to hold the OID (may be null)

 

oid_size

initially holds the size of oid

 

Returns

zero or a negative error code on error.

Since: 3.5.0


gnutls_x509_crl_get_this_update ()

time_t
gnutls_x509_crl_get_this_update (gnutls_x509_crl_t crl);

This function will return the time this CRL was issued.

Parameters

crl

should contain a gnutls_x509_crl_t type

 

Returns

when the CRL was issued, or (time_t)-1 on error.


gnutls_x509_crl_get_next_update ()

time_t
gnutls_x509_crl_get_next_update (gnutls_x509_crl_t crl);

This function will return the time the next CRL will be issued. This field is optional in a CRL so it might be normal to get an error instead.

Parameters

crl

should contain a gnutls_x509_crl_t type

 

Returns

when the next CRL will be issued, or (time_t)-1 on error.


gnutls_x509_crl_get_crt_count ()

int
gnutls_x509_crl_get_crt_count (gnutls_x509_crl_t crl);

This function will return the number of revoked certificates in the given CRL.

Parameters

crl

should contain a gnutls_x509_crl_t type

 

Returns

number of certificates, a negative error code on failure.


gnutls_x509_crl_get_crt_serial ()

int
gnutls_x509_crl_get_crt_serial (gnutls_x509_crl_t crl,
                                unsigned  indx,
                                unsigned char *serial,
                                size_t *serial_size,
                                time_t *t);

This function will retrieve the serial number of the specified, by the index, revoked certificate.

Note that this function will have performance issues in large sequences of revoked certificates. In that case use gnutls_x509_crl_iter_crt_serial().

Parameters

crl

should contain a gnutls_x509_crl_t type

 

indx

the index of the certificate to extract (starting from 0)

 

serial

where the serial number will be copied

 

serial_size

initially holds the size of serial

 

t

if non null, will hold the time this certificate was revoked

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_x509_crl_iter_crt_serial ()

int
gnutls_x509_crl_iter_crt_serial (gnutls_x509_crl_t crl,
                                 gnutls_x509_crl_iter_t *Param2,
                                 unsigned char *serial,
                                 size_t *serial_size,
                                 time_t *t);

This function performs the same as gnutls_x509_crl_get_crt_serial(), but reads sequentially and keeps state in the iterator between calls. That allows it to provide better performance in sequences with many elements (50000+).

When past the last element is accessed GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned and the iterator is reset.

After use, the iterator must be deinitialized using gnutls_x509_crl_iter_deinit().

Parameters

crl

should contain a gnutls_x509_crl_t type

 

iter

A pointer to an iterator (initially the iterator should be NULL)

 

serial

where the serial number will be copied

 

serial_size

initially holds the size of serial

 

t

if non null, will hold the time this certificate was revoked

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_x509_crl_iter_deinit ()

void
gnutls_x509_crl_iter_deinit (gnutls_x509_crl_iter_t Param1);

This function will deinitialize an iterator type.

Parameters

iter

The iterator to be deinitialized

 

gnutls_x509_crl_check_issuer ()

unsigned
gnutls_x509_crl_check_issuer (gnutls_x509_crl_t crl,
                              gnutls_x509_crt_t issuer);

This function will check if the given CRL was issued by the given issuer certificate.

Parameters

crl

is the CRL to be checked

 

issuer

is the certificate of a possible issuer

 

Returns

true (1) if the given CRL was issued by the given issuer, and false (0) if not.


gnutls_x509_crl_list_import2 ()

int
gnutls_x509_crl_list_import2 (gnutls_x509_crl_t **crls,
                              unsigned int *size,
                              const gnutls_datum_t *data,
                              gnutls_x509_crt_fmt_t format,
                              unsigned int flags);

This function will convert the given PEM encoded CRL list to the native gnutls_x509_crl_t format. The output will be stored in crls . They will be automatically initialized.

If the Certificate is PEM encoded it should have a header of "X509 CRL".

Parameters

crls

Will contain the parsed crl list.

 

size

It will contain the size of the list.

 

data

The PEM encoded CRL.

 

format

One of DER or PEM.

 

flags

must be (0) or an OR'd sequence of gnutls_certificate_import_flags.

 

Returns

the number of certificates read or a negative error value.

Since: 3.0


gnutls_x509_crl_list_import ()

int
gnutls_x509_crl_list_import (gnutls_x509_crl_t *crls,
                             unsigned int *crl_max,
                             const gnutls_datum_t *data,
                             gnutls_x509_crt_fmt_t format,
                             unsigned int flags);

This function will convert the given PEM encoded CRL list to the native gnutls_x509_crl_t format. The output will be stored in crls . They will be automatically initialized.

If the Certificate is PEM encoded it should have a header of "X509 CRL".

Parameters

crls

Indicates where the parsed CRLs will be copied to. Must not be initialized.

 

crl_max

Initially must hold the maximum number of crls. It will be updated with the number of crls available.

 

data

The PEM encoded CRLs

 

format

One of DER or PEM.

 

flags

must be (0) or an OR'd sequence of gnutls_certificate_import_flags.

 

Returns

the number of certificates read or a negative error value.

Since: 3.0


gnutls_x509_crl_set_version ()

int
gnutls_x509_crl_set_version (gnutls_x509_crl_t crl,
                             unsigned int version);

This function will set the version of the CRL. This must be one for CRL version 1, and so on. The CRLs generated by gnutls should have a version number of 2.

Parameters

crl

should contain a gnutls_x509_crl_t type

 

version

holds the version number. For CRLv1 crls must be 1.

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_x509_crl_set_this_update ()

int
gnutls_x509_crl_set_this_update (gnutls_x509_crl_t crl,
                                 time_t act_time);

This function will set the time this CRL was issued.

Parameters

crl

should contain a gnutls_x509_crl_t type

 

act_time

The actual time

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_x509_crl_set_next_update ()

int
gnutls_x509_crl_set_next_update (gnutls_x509_crl_t crl,
                                 time_t exp_time);

This function will set the time this CRL will be updated. This is an optional value to be set on a CRL and this call can be omitted when generating a CRL.

Prior to GnuTLS 3.5.7, setting a nextUpdate field was required in order to generate a CRL.

Parameters

crl

should contain a gnutls_x509_crl_t type

 

exp_time

The actual time

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_x509_crl_set_crt_serial ()

int
gnutls_x509_crl_set_crt_serial (gnutls_x509_crl_t crl,
                                const void *serial,
                                size_t serial_size,
                                time_t revocation_time);

This function will set a revoked certificate's serial number to the CRL.

Parameters

crl

should contain a gnutls_x509_crl_t type

 

serial

The revoked certificate's serial number

 

serial_size

Holds the size of the serial field.

 

revocation_time

The time this certificate was revoked

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_x509_crl_set_crt ()

int
gnutls_x509_crl_set_crt (gnutls_x509_crl_t crl,
                         gnutls_x509_crt_t crt,
                         time_t revocation_time);

This function will set a revoked certificate's serial number to the CRL.

Parameters

crl

should contain a gnutls_x509_crl_t type

 

crt

a certificate of type gnutls_x509_crt_t with the revoked certificate

 

revocation_time

The time this certificate was revoked

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_x509_crl_get_authority_key_id ()

int
gnutls_x509_crl_get_authority_key_id (gnutls_x509_crl_t crl,
                                      void *id,
                                      size_t *id_size,
                                      unsigned int *critical);

This function will return the CRL authority's key identifier. This is obtained by the X.509 Authority Key identifier extension field (2.5.29.35). Note that this function only returns the keyIdentifier field of the extension and GNUTLS_E_X509_UNSUPPORTED_EXTENSION, if the extension contains the name and serial number of the certificate. In that case gnutls_x509_crl_get_authority_key_gn_serial() may be used.

Parameters

crl

should contain a gnutls_x509_crl_t type

 

id

The place where the identifier will be copied

 

id_size

Holds the size of the result field.

 

critical

will be non-zero if the extension is marked as critical (may be null)

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error code in case of an error.

Since: 2.8.0


gnutls_x509_crl_get_authority_key_gn_serial ()

int
gnutls_x509_crl_get_authority_key_gn_serial
                               (gnutls_x509_crl_t crl,
                                unsigned int seq,
                                void *alt,
                                size_t *alt_size,
                                unsigned int *alt_type,
                                void *serial,
                                size_t *serial_size,
                                unsigned int *critical);

This function will return the X.509 authority key identifier when stored as a general name (authorityCertIssuer) and serial number.

Because more than one general names might be stored seq can be used as a counter to request them all until GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned.

Parameters

crl

should contain a gnutls_x509_crl_t type

 

seq

specifies the sequence number of the alt name (0 for the first one, 1 for the second etc.)

 

alt

is the place where the alternative name will be copied to

 

alt_size

holds the size of alt.

 

alt_type

holds the type of the alternative name (one of gnutls_x509_subject_alt_name_t).

 

serial

buffer to store the serial number (may be null)

 

serial_size

Holds the size of the serial field (may be null)

 

critical

will be non-zero if the extension is marked as critical (may be null)

 

Returns

Returns 0 on success, or an error code.

Since: 3.0


gnutls_x509_crl_get_number ()

int
gnutls_x509_crl_get_number (gnutls_x509_crl_t crl,
                            void *ret,
                            size_t *ret_size,
                            unsigned int *critical);

This function will return the CRL number extension. This is obtained by the CRL Number extension field (2.5.29.20).

Parameters

crl

should contain a gnutls_x509_crl_t type

 

ret

The place where the number will be copied

 

ret_size

Holds the size of the result field.

 

critical

will be non-zero if the extension is marked as critical (may be null)

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error code in case of an error.

Since: 2.8.0


gnutls_x509_crl_get_extension_oid ()

int
gnutls_x509_crl_get_extension_oid (gnutls_x509_crl_t crl,
                                   unsigned  indx,
                                   void *oid,
                                   size_t *sizeof_oid);

This function will return the requested extension OID in the CRL. The extension OID will be stored as a string in the provided buffer.

Parameters

crl

should contain a gnutls_x509_crl_t type

 

indx

Specifies which extension OID to send, use (0) to get the first one.

 

oid

a pointer to store the OID (may be null)

 

sizeof_oid

initially holds the size of oid

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error code in case of an error. If your have reached the last extension available GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.

Since: 2.8.0


gnutls_x509_crl_get_extension_info ()

int
gnutls_x509_crl_get_extension_info (gnutls_x509_crl_t crl,
                                    unsigned  indx,
                                    void *oid,
                                    size_t *sizeof_oid,
                                    unsigned int *critical);

This function will return the requested extension OID in the CRL, and the critical flag for it. The extension OID will be stored as a string in the provided buffer. Use gnutls_x509_crl_get_extension_data() to extract the data.

If the buffer provided is not long enough to hold the output, then *sizeof_oid is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will be returned.

Parameters

crl

should contain a gnutls_x509_crl_t type

 

indx

Specifies which extension OID to send, use (0) to get the first one.

 

oid

a pointer to store the OID

 

sizeof_oid

initially holds the maximum size of oid , on return holds actual size of oid .

 

critical

output variable with critical flag, may be NULL.

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error code in case of an error. If your have reached the last extension available GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.

Since: 2.8.0


gnutls_x509_crl_get_extension_data ()

int
gnutls_x509_crl_get_extension_data (gnutls_x509_crl_t crl,
                                    unsigned  indx,
                                    void *data,
                                    size_t *sizeof_data);

This function will return the requested extension data in the CRL. The extension data will be stored as a string in the provided buffer.

Use gnutls_x509_crl_get_extension_info() to extract the OID and critical flag. Use gnutls_x509_crl_get_extension_info() instead, if you want to get data indexed by the extension OID rather than sequence.

Parameters

crl

should contain a gnutls_x509_crl_t type

 

indx

Specifies which extension OID to send. Use (0) to get the first one.

 

data

a pointer to a structure to hold the data (may be null)

 

sizeof_data

initially holds the size of oid

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error code in case of an error. If your have reached the last extension available GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.

Since: 2.8.0


gnutls_x509_crl_get_extension_data2 ()

int
gnutls_x509_crl_get_extension_data2 (gnutls_x509_crl_t crl,
                                     unsigned  indx,
                                     gnutls_datum_t *data);

This function will return the requested by the index extension data in the certificate revocation list. The extension data will be allocated using gnutls_malloc().

Use gnutls_x509_crt_get_extension_info() to extract the OID.

Parameters

crl

should contain a gnutls_x509_crl_t type

 

indx

Specifies which extension OID to read. Use (0) to get the first one.

 

data

will contain the extension DER-encoded data

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error code is returned. If you have reached the last extension available GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.


gnutls_x509_crl_set_authority_key_id ()

int
gnutls_x509_crl_set_authority_key_id (gnutls_x509_crl_t crl,
                                      const void *id,
                                      size_t id_size);

This function will set the CRL's authority key ID extension. Only the keyIdentifier field can be set with this function. This may be used by an authority that holds multiple private keys, to distinguish the used key.

Parameters

crl

a CRL of type gnutls_x509_crl_t

 

id

The key ID

 

id_size

Holds the size of the serial field.

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.

Since: 2.8.0


gnutls_x509_crl_set_number ()

int
gnutls_x509_crl_set_number (gnutls_x509_crl_t crl,
                            const void *nr,
                            size_t nr_size);

This function will set the CRL's number extension. This is to be used as a unique and monotonic number assigned to the CRL by the authority.

Parameters

crl

a CRL of type gnutls_x509_crl_t

 

nr

The CRL number

 

nr_size

Holds the size of the nr field.

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.

Since: 2.8.0


GNUTLS_PROFILE_TO_VFLAGS()

#define             GNUTLS_PROFILE_TO_VFLAGS(x)

GNUTLS_VFLAGS_TO_PROFILE()

#define             GNUTLS_VFLAGS_TO_PROFILE(x)

gnutls_certificate_verification_profile_get_name ()

const char *
gnutls_certificate_verification_profile_get_name
                               ();

Convert a gnutls_certificate_verification_profiles_t value to a string.

Parameters

id

is a profile ID

 

Returns

a string that contains the name of the specified profile or NULL.


gnutls_x509_crt_list_verify ()

int
gnutls_x509_crt_list_verify (const gnutls_x509_crt_t *cert_list,
                             unsigned  cert_list_length,
                             const gnutls_x509_crt_t *CA_list,
                             unsigned  CA_list_length,
                             const gnutls_x509_crl_t *CRL_list,
                             unsigned  CRL_list_length,
                             unsigned int flags,
                             unsigned int *verify);

This function will try to verify the given certificate list and return its status. The details of the verification are the same as in gnutls_x509_trust_list_verify_crt2().

You must check the peer's name in order to check if the verified certificate belongs to the actual peer.

The certificate verification output will be put in verify and will be one or more of the gnutls_certificate_status_t enumerated elements bitwise or'd. For a more detailed verification status use gnutls_x509_crt_verify() per list element.

Parameters

cert_list

is the certificate list to be verified

 

cert_list_length

holds the number of certificate in cert_list

 

CA_list

is the CA list which will be used in verification

 

CA_list_length

holds the number of CA certificate in CA_list

 

CRL_list

holds a list of CRLs.

 

CRL_list_length

the length of CRL list.

 

flags

Flags that may be used to change the verification algorithm. Use OR of the gnutls_certificate_verify_flags enumerations.

 

verify

will hold the certificate verification output.

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_x509_crt_verify ()

int
gnutls_x509_crt_verify (gnutls_x509_crt_t cert,
                        const gnutls_x509_crt_t *CA_list,
                        unsigned  CA_list_length,
                        unsigned int flags,
                        unsigned int *verify);

This function will try to verify the given certificate and return its status. Note that a verification error does not imply a negative return status. In that case the verify status is set.

The details of the verification are the same as in gnutls_x509_trust_list_verify_crt2().

Parameters

cert

is the certificate to be verified

 

CA_list

is one certificate that is considered to be trusted one

 

CA_list_length

holds the number of CA certificate in CA_list

 

flags

Flags that may be used to change the verification algorithm. Use OR of the gnutls_certificate_verify_flags enumerations.

 

verify

will hold the certificate verification output.

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_x509_crl_verify ()

int
gnutls_x509_crl_verify (gnutls_x509_crl_t crl,
                        const gnutls_x509_crt_t *CA_list,
                        unsigned  CA_list_length,
                        unsigned int flags,
                        unsigned int *verify);

This function will try to verify the given crl and return its verification status. See gnutls_x509_crt_list_verify() for a detailed description of return values. Note that since GnuTLS 3.1.4 this function includes the time checks.

Note that value in verify is set only when the return value of this function is success (i.e, failure to trust a CRL a certificate does not imply a negative return value).

Before GnuTLS 3.5.7 this function would return zero or a positive number on success.

Parameters

crl

is the crl to be verified

 

trusted_cas

is a certificate list that is considered to be trusted one

 

tcas_size

holds the number of CA certificates in CA_list

 

flags

Flags that may be used to change the verification algorithm. Use OR of the gnutls_certificate_verify_flags enumerations.

 

verify

will hold the crl verification output.

 

Returns

On success, GNUTLS_E_SUCCESS (0), otherwise a negative error value.


gnutls_x509_crt_verify_data2 ()

int
gnutls_x509_crt_verify_data2 (gnutls_x509_crt_t crt,
                              gnutls_sign_algorithm_t algo,
                              unsigned int flags,
                              const gnutls_datum_t *data,
                              const gnutls_datum_t *signature);

This function will verify the given signed data, using the parameters from the certificate.

Parameters

crt

Holds the certificate to verify with

 

algo

The signature algorithm used

 

flags

Zero or an OR list of gnutls_certificate_verify_flags

 

data

holds the signed data

 

signature

contains the signature

 

Returns

In case of a verification failure GNUTLS_E_PK_SIG_VERIFY_FAILED is returned, GNUTLS_E_EXPIRED or GNUTLS_E_NOT_YET_ACTIVATED on expired or not yet activated certificate and zero or positive code on success.

Note that since GnuTLS 3.5.6 this function introduces checks in the end certificate (crt ), including time checks and key usage checks.

Since: 3.4.0


gnutls_x509_crt_check_revocation ()

int
gnutls_x509_crt_check_revocation (gnutls_x509_crt_t cert,
                                  const gnutls_x509_crl_t *crl_list,
                                  unsigned  crl_list_length);

This function will check if the given certificate is revoked. It is assumed that the CRLs have been verified before.

Parameters

cert

should contain a gnutls_x509_crt_t type

 

crl_list

should contain a list of gnutls_x509_crl_t types

 

crl_list_length

the length of the crl_list

 

Returns

0 if the certificate is NOT revoked, and 1 if it is. A negative error code is returned on error.


gnutls_x509_crt_get_fingerprint ()

int
gnutls_x509_crt_get_fingerprint (gnutls_x509_crt_t cert,
                                 gnutls_digest_algorithm_t algo,
                                 void *buf,
                                 size_t *buf_size);

This function will calculate and copy the certificate's fingerprint in the provided buffer. The fingerprint is a hash of the DER-encoded data of the certificate.

If the buffer is null then only the size will be filled.

Parameters

cert

should contain a gnutls_x509_crt_t type

 

algo

is a digest algorithm

 

buf

a pointer to a structure to hold the fingerprint (may be null)

 

buf_size

initially holds the size of buf

 

Returns

GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not long enough, and in that case the *buf_size will be updated with the required size. On success 0 is returned.


gnutls_x509_crt_get_key_purpose_oid ()

int
gnutls_x509_crt_get_key_purpose_oid (gnutls_x509_crt_t cert,
                                     unsigned  indx,
                                     void *oid,
                                     size_t *oid_size,
                                     unsigned int *critical);

This function will extract the key purpose OIDs of the Certificate specified by the given index. These are stored in the Extended Key Usage extension (2.5.29.37) See the GNUTLS_KP_* definitions for human readable names.

If oid is null then only the size will be filled. The oid returned will be null terminated, although oid_size will not account for the trailing null.

Parameters

cert

should contain a gnutls_x509_crt_t type

 

indx

This specifies which OID to return. Use (0) to get the first one.

 

oid

a pointer to a buffer to hold the OID (may be null)

 

oid_size

initially holds the size of oid

 

critical

output flag to indicate criticality of extension

 

Returns

GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not long enough, and in that case the *oid_size will be updated with the required size. On success 0 is returned.


gnutls_x509_crt_set_key_purpose_oid ()

int
gnutls_x509_crt_set_key_purpose_oid (gnutls_x509_crt_t cert,
                                     const void *oid,
                                     unsigned int critical);

This function will set the key purpose OIDs of the Certificate. These are stored in the Extended Key Usage extension (2.5.29.37) See the GNUTLS_KP_* definitions for human readable names.

Subsequent calls to this function will append OIDs to the OID list.

Parameters

cert

a certificate of type gnutls_x509_crt_t

 

oid

a pointer to a null terminated string that holds the OID

 

critical

Whether this extension will be critical or not

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error code is returned.


gnutls_x509_crt_check_key_purpose ()

unsigned
gnutls_x509_crt_check_key_purpose (gnutls_x509_crt_t cert,
                                   const char *purpose,
                                   unsigned  flags);

This function will check whether the given certificate matches the provided key purpose. If flags contains GNUTLS_KP_FLAG_ALLOW_ANY then it a certificate marked for any purpose will not match.

Parameters

cert

should contain a gnutls_x509_crt_t type

 

purpose

a key purpose OID (e.g., GNUTLS_KP_CODE_SIGNING)

 

flags

zero or GNUTLS_KP_FLAG_DISALLOW_ANY

 

Returns

zero if the key purpose doesn't match, and non-zero otherwise.

Since: 3.5.6


GNUTLS_PKCS_CIPHER_MASK()

#define GNUTLS_PKCS_CIPHER_MASK(x) ((x)&(~(GNUTLS_PKCS_NULL_PASSWORD)))

gnutls_pkcs_schema_get_name ()

const char *
gnutls_pkcs_schema_get_name (unsigned int schema);

This function will return a human readable description of the PKCS12 or PBES2 schema.

Parameters

schema

Holds the PKCS 12 or PBES2 schema (gnutls_pkcs_encrypt_flags_t)

 

Returns

a constraint string or NULL on error.

Since: 3.4.0


gnutls_pkcs_schema_get_oid ()

const char *
gnutls_pkcs_schema_get_oid (unsigned int schema);

This function will return the object identifier of the PKCS12 or PBES2 schema.

Parameters

schema

Holds the PKCS 12 or PBES2 schema (gnutls_pkcs_encrypt_flags_t)

 

Returns

a constraint string or NULL on error.

Since: 3.4.0


gnutls_x509_privkey_init ()

int
gnutls_x509_privkey_init (gnutls_x509_privkey_t *key);

This function will initialize a private key type.

Parameters

key

A pointer to the type to be initialized

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_x509_privkey_deinit ()

void
gnutls_x509_privkey_deinit (gnutls_x509_privkey_t key);

This function will deinitialize a private key structure.

Parameters

key

The key to be deinitialized

 

gnutls_x509_privkey_sec_param ()

gnutls_sec_param_t
gnutls_x509_privkey_sec_param (gnutls_x509_privkey_t key);

This function will return the security parameter appropriate with this private key.

Parameters

key

a key

 

Returns

On success, a valid security parameter is returned otherwise GNUTLS_SEC_PARAM_UNKNOWN is returned.

Since: 2.12.0


gnutls_x509_privkey_set_pin_function ()

void
gnutls_x509_privkey_set_pin_function (gnutls_x509_privkey_t key,
                                      gnutls_pin_callback_t fn,
                                      void *userdata);

This function will set a callback function to be used when it is required to access a protected object. This function overrides the global function set using gnutls_pkcs11_set_pin_function().

Note that this callback is used when decrypting a key.

Parameters

privkey

The certificate structure

 

fn

the callback

 

userdata

data associated with the callback

 

Since: 3.4.0


gnutls_x509_privkey_cpy ()

int
gnutls_x509_privkey_cpy (gnutls_x509_privkey_t dst,
                         gnutls_x509_privkey_t src);

This function will copy a private key from source to destination key. Destination has to be initialized.

Parameters

dst

The destination key, which should be initialized.

 

src

The source key

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_x509_privkey_import ()

int
gnutls_x509_privkey_import (gnutls_x509_privkey_t key,
                            const gnutls_datum_t *data,
                            gnutls_x509_crt_fmt_t format);

This function will convert the given DER or PEM encoded key to the native gnutls_x509_privkey_t format. The output will be stored in key .

If the key is PEM encoded it should have a header that contains "PRIVATE KEY". Note that this function falls back to PKCS #8 decoding without password, if the default format fails to import.

Parameters

key

The data to store the parsed key

 

data

The DER or PEM encoded certificate.

 

format

One of DER or PEM

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_x509_privkey_import_pkcs8 ()

int
gnutls_x509_privkey_import_pkcs8 (gnutls_x509_privkey_t key,
                                  const gnutls_datum_t *data,
                                  gnutls_x509_crt_fmt_t format,
                                  const char *password,
                                  unsigned int flags);

This function will convert the given DER or PEM encoded PKCS8 2.0 encrypted key to the native gnutls_x509_privkey_t format. The output will be stored in key . Both RSA and DSA keys can be imported, and flags can only be used to indicate an unencrypted key.

The password can be either ASCII or UTF-8 in the default PBES2 encryption schemas, or ASCII for the PKCS12 schemas.

If the Certificate is PEM encoded it should have a header of "ENCRYPTED PRIVATE KEY", or "PRIVATE KEY". You only need to specify the flags if the key is DER encoded, since in that case the encryption status cannot be auto-detected.

If the GNUTLS_PKCS_PLAIN flag is specified and the supplied data are encrypted then GNUTLS_E_DECRYPTION_FAILED is returned.

Parameters

key

The data to store the parsed key

 

data

The DER or PEM encoded key.

 

format

One of DER or PEM

 

password

the password to decrypt the key (if it is encrypted).

 

flags

0 if encrypted or GNUTLS_PKCS_PLAIN if not encrypted.

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_x509_privkey_import_openssl ()

int
gnutls_x509_privkey_import_openssl (gnutls_x509_privkey_t key,
                                    const gnutls_datum_t *data,
                                    const char *password);

This function will convert the given PEM encrypted to the native gnutls_x509_privkey_t format. The output will be stored in key .

The password should be in ASCII. If the password is not provided or wrong then GNUTLS_E_DECRYPTION_FAILED will be returned.

If the Certificate is PEM encoded it should have a header of "PRIVATE KEY" and the "DEK-Info" header.

Parameters

key

The data to store the parsed key

 

data

The DER or PEM encoded key.

 

password

the password to decrypt the key (if it is encrypted).

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_pkcs8_info ()

int
gnutls_pkcs8_info (const gnutls_datum_t *data,
                   gnutls_x509_crt_fmt_t format,
                   unsigned int *schema,
                   unsigned int *cipher,
                   void *salt,
                   unsigned int *salt_size,
                   unsigned int *iter_count,
                   char **oid);

This function will provide information on the algorithms used in a particular PKCS #8 structure. If the structure algorithms are unknown the code GNUTLS_E_UNKNOWN_CIPHER_TYPE will be returned, and only oid , will be set. That is, oid will be set on encrypted PKCS #8 structures whether supported or not. It must be deinitialized using gnutls_free(). The other variables are only set on supported structures.

Parameters

data

Holds the PKCS #8 data

 

format

the format of the PKCS #8 data

 

schema

indicate the schema as one of gnutls_pkcs_encrypt_flags_t

 

cipher

the cipher used as gnutls_cipher_algorithm_t

 

salt

PBKDF2 salt (if non-NULL then salt_size initially holds its size)

 

salt_size

PBKDF2 salt size

 

iter_count

PBKDF2 iteration count

 

oid

if non-NULL it will contain an allocated null-terminated variable with the OID

 

Returns

GNUTLS_E_INVALID_REQUEST if the provided structure isn't an encrypted key, GNUTLS_E_UNKNOWN_CIPHER_TYPE if the structure's encryption isn't supported, or another negative error code in case of a failure. Zero on success.

Since: 3.4.0


gnutls_x509_privkey_import2 ()

int
gnutls_x509_privkey_import2 (gnutls_x509_privkey_t key,
                             const gnutls_datum_t *data,
                             gnutls_x509_crt_fmt_t format,
                             const char *password,
                             unsigned int flags);

This function will import the given DER or PEM encoded key, to the native gnutls_x509_privkey_t format, irrespective of the input format. The input format is auto-detected.

The supported formats are basic unencrypted key, PKCS8, PKCS12, and the openssl format.

If the provided key is encrypted but no password was given, then GNUTLS_E_DECRYPTION_FAILED is returned. Since GnuTLS 3.4.0 this function will utilize the PIN callbacks if any.

Parameters

key

The data to store the parsed key

 

data

The DER or PEM encoded key.

 

format

One of DER or PEM

 

password

A password (optional)

 

flags

an ORed sequence of gnutls_pkcs_encrypt_flags_t

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_x509_privkey_import_rsa_raw ()

int
gnutls_x509_privkey_import_rsa_raw (gnutls_x509_privkey_t key,
                                    const gnutls_datum_t *m,
                                    const gnutls_datum_t *e,
                                    const gnutls_datum_t *d,
                                    const gnutls_datum_t *p,
                                    const gnutls_datum_t *q,
                                    const gnutls_datum_t *u);

This function will convert the given RSA raw parameters to the native gnutls_x509_privkey_t format. The output will be stored in key .

Parameters

key

The data to store the parsed key

 

m

holds the modulus

 

e

holds the public exponent

 

d

holds the private exponent

 

p

holds the first prime (p)

 

q

holds the second prime (q)

 

u

holds the coefficient

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_x509_privkey_import_rsa_raw2 ()

int
gnutls_x509_privkey_import_rsa_raw2 (gnutls_x509_privkey_t key,
                                     const gnutls_datum_t *m,
                                     const gnutls_datum_t *e,
                                     const gnutls_datum_t *d,
                                     const gnutls_datum_t *p,
                                     const gnutls_datum_t *q,
                                     const gnutls_datum_t *u,
                                     const gnutls_datum_t *e1,
                                     const gnutls_datum_t *e2);

This function will convert the given RSA raw parameters to the native gnutls_x509_privkey_t format. The output will be stored in key .

Parameters

key

The data to store the parsed key

 

m

holds the modulus

 

e

holds the public exponent

 

d

holds the private exponent

 

p

holds the first prime (p)

 

q

holds the second prime (q)

 

u

holds the coefficient (optional)

 

e1

holds e1 = d mod (p-1) (optional)

 

e2

holds e2 = d mod (q-1) (optional)

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_x509_privkey_import_ecc_raw ()

int
gnutls_x509_privkey_import_ecc_raw (gnutls_x509_privkey_t key,
                                    gnutls_ecc_curve_t curve,
                                    const gnutls_datum_t *x,
                                    const gnutls_datum_t *y,
                                    const gnutls_datum_t *k);

This function will convert the given elliptic curve parameters to the native gnutls_x509_privkey_t format. The output will be stored in key . For EdDSA keys, the x and k values must be in the native to curve format.

Parameters

key

The data to store the parsed key

 

curve

holds the curve

 

x

holds the x-coordinate

 

y

holds the y-coordinate

 

k

holds the k

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.

Since: 3.0


gnutls_x509_privkey_import_gost_raw ()

int
gnutls_x509_privkey_import_gost_raw (gnutls_x509_privkey_t key,
                                     gnutls_ecc_curve_t curve,
                                     gnutls_digest_algorithm_t digest,
                                     gnutls_gost_paramset_t paramset,
                                     const gnutls_datum_t *x,
                                     const gnutls_datum_t *y,
                                     const gnutls_datum_t *k);

This function will convert the given GOST private key's parameters to the native gnutls_x509_privkey_t format. The output will be stored in key . digest should be one of GNUTLS_DIG_GOSR_94, GNUTLS_DIG_STREEBOG_256 or GNUTLS_DIG_STREEBOG_512. If paramset is set to GNUTLS_GOST_PARAMSET_UNKNOWN default one will be selected depending on digest .

Note: parameters should be stored with least significant byte first. On version 3.6.3 big-endian format was used incorrectly.

Parameters

key

The data to store the parsed key

 

curve

holds the curve

 

digest

will hold the digest

 

paramset

will hold the GOST parameter set ID

 

x

holds the x-coordinate

 

y

holds the y-coordinate

 

k

holds the k (private key)

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.

Since: 3.6.3


gnutls_x509_privkey_fix ()

int
gnutls_x509_privkey_fix (gnutls_x509_privkey_t key);

This function will recalculate the secondary parameters in a key. In RSA keys, this can be the coefficient and exponent1,2.

Parameters

key

a key

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_x509_privkey_export_dsa_raw ()

int
gnutls_x509_privkey_export_dsa_raw (gnutls_x509_privkey_t key,
                                    gnutls_datum_t *p,
                                    gnutls_datum_t *q,
                                    gnutls_datum_t *g,
                                    gnutls_datum_t *y,
                                    gnutls_datum_t *x);

This function will export the DSA private key's parameters found in the given structure. The new parameters will be allocated using gnutls_malloc() and will be stored in the appropriate datum.

Parameters

key

a key

 

p

will hold the p

 

q

will hold the q

 

g

will hold the g

 

y

will hold the y

 

x

will hold the x

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_x509_privkey_import_dsa_raw ()

int
gnutls_x509_privkey_import_dsa_raw (gnutls_x509_privkey_t key,
                                    const gnutls_datum_t *p,
                                    const gnutls_datum_t *q,
                                    const gnutls_datum_t *g,
                                    const gnutls_datum_t *y,
                                    const gnutls_datum_t *x);

This function will convert the given DSA raw parameters to the native gnutls_x509_privkey_t format. The output will be stored in key .

Parameters

key

The data to store the parsed key

 

p

holds the p

 

q

holds the q

 

g

holds the g

 

y

holds the y (optional)

 

x

holds the x

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_x509_privkey_get_pk_algorithm ()

int
gnutls_x509_privkey_get_pk_algorithm (gnutls_x509_privkey_t key);

This function will return the public key algorithm of a private key.

Parameters

key

should contain a gnutls_x509_privkey_t type

 

Returns

a member of the gnutls_pk_algorithm_t enumeration on success, or a negative error code on error.


gnutls_x509_privkey_get_pk_algorithm2 ()

int
gnutls_x509_privkey_get_pk_algorithm2 (gnutls_x509_privkey_t key,
                                       unsigned int *bits);

This function will return the public key algorithm of a private key.

Parameters

key

should contain a gnutls_x509_privkey_t type

 

bits

The number of bits in the public key algorithm

 

Returns

a member of the gnutls_pk_algorithm_t enumeration on success, or a negative error code on error.


gnutls_x509_privkey_get_spki ()

int
gnutls_x509_privkey_get_spki (gnutls_x509_privkey_t key,
                              gnutls_x509_spki_t spki,
                              unsigned int flags);

This function will return the public key information of a private key. The provided spki must be initialized.

Parameters

key

should contain a gnutls_x509_privkey_t type

 

spki

a SubjectPublicKeyInfo structure of type gnutls_x509_spki_t

 

flags

must be zero

 

Returns

Zero on success, or a negative error code on error.


gnutls_x509_privkey_set_spki ()

int
gnutls_x509_privkey_set_spki (gnutls_x509_privkey_t key,
                              const gnutls_x509_spki_t spki,
                              unsigned int flags);

This function will return the public key information of a private key. The provided spki must be initialized.

Parameters

key

should contain a gnutls_x509_privkey_t type

 

spki

a SubjectPublicKeyInfo structure of type gnutls_x509_spki_t

 

flags

must be zero

 

Returns

Zero on success, or a negative error code on error.


gnutls_x509_privkey_get_key_id ()

int
gnutls_x509_privkey_get_key_id (gnutls_x509_privkey_t key,
                                unsigned int flags,
                                unsigned char *output_data,
                                size_t *output_data_size);

This function will return a unique ID that depends on the public key parameters. This ID can be used in checking whether a certificate corresponds to the given key.

If the buffer provided is not long enough to hold the output, then *output_data_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will be returned. The output will normally be a SHA-1 hash output, which is 20 bytes.

Parameters

key

a key

 

flags

should be one of the flags from gnutls_keyid_flags_t

 

output_data

will contain the key ID

 

output_data_size

holds the size of output_data (and will be replaced by the actual size of parameters)

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_x509_privkey_generate ()

int
gnutls_x509_privkey_generate (gnutls_x509_privkey_t key,
                              gnutls_pk_algorithm_t algo,
                              unsigned int bits,
                              unsigned int flags);

This function will generate a random private key. Note that this function must be called on an initialized private key.

The flag GNUTLS_PRIVKEY_FLAG_PROVABLE instructs the key generation process to use algorithms like Shawe-Taylor (from FIPS PUB186-4) which generate provable parameters out of a seed for RSA and DSA keys. See gnutls_x509_privkey_generate2() for more information.

Note that when generating an elliptic curve key, the curve can be substituted in the place of the bits parameter using the GNUTLS_CURVE_TO_BITS() macro. The input to the macro is any curve from gnutls_ecc_curve_t.

For DSA keys, if the subgroup size needs to be specified check the GNUTLS_SUBGROUP_TO_BITS() macro.

It is recommended to do not set the number of bits directly, use gnutls_sec_param_to_pk_bits() instead .

See also gnutls_privkey_generate(), gnutls_x509_privkey_generate2().

Parameters

key

an initialized key

 

algo

is one of the algorithms in gnutls_pk_algorithm_t.

 

bits

the size of the parameters to generate

 

flags

Must be zero or flags from gnutls_privkey_flags_t.

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_x509_privkey_set_flags ()

void
gnutls_x509_privkey_set_flags (gnutls_x509_privkey_t key,
                               unsigned int flags);

This function will set flags for the specified private key, after it is generated. Currently this is useful for the GNUTLS_PRIVKEY_FLAG_EXPORT_COMPAT to allow exporting a "provable" private key in backwards compatible way.

Parameters

key

A key of type gnutls_x509_privkey_t

 

flags

flags from the gnutls_privkey_flags

 

Since: 3.5.0


gnutls_x509_privkey_generate2 ()

int
gnutls_x509_privkey_generate2 (gnutls_x509_privkey_t key,
                               gnutls_pk_algorithm_t algo,
                               unsigned int bits,
                               unsigned int flags,
                               const gnutls_keygen_data_st *data,
                               unsigned  data_size);

This function will generate a random private key. Note that this function must be called on an initialized private key.

The flag GNUTLS_PRIVKEY_FLAG_PROVABLE instructs the key generation process to use algorithms like Shawe-Taylor (from FIPS PUB186-4) which generate provable parameters out of a seed for RSA and DSA keys. On DSA keys the PQG parameters are generated using the seed, while on RSA the two primes. To specify an explicit seed (by default a random seed is used), use the data with a GNUTLS_KEYGEN_SEED type.

Note that when generating an elliptic curve key, the curve can be substituted in the place of the bits parameter using the GNUTLS_CURVE_TO_BITS() macro.

To export the generated keys in memory or in files it is recommended to use the PKCS#8 form as it can handle all key types, and can store additional parameters such as the seed, in case of provable RSA or DSA keys. Generated keys can be exported in memory using gnutls_privkey_export_x509(), and then with gnutls_x509_privkey_export2_pkcs8().

If key generation is part of your application, avoid setting the number of bits directly, and instead use gnutls_sec_param_to_pk_bits(). That way the generated keys will adapt to the security levels of the underlying GnuTLS library.

See also gnutls_privkey_generate2().

Parameters

key

a key

 

algo

is one of the algorithms in gnutls_pk_algorithm_t.

 

bits

the size of the modulus

 

flags

Must be zero or flags from gnutls_privkey_flags_t.

 

data

Allow specifying gnutls_keygen_data_st types such as the seed to be used.

 

data_size

The number of data available.

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_x509_privkey_verify_seed ()

int
gnutls_x509_privkey_verify_seed (gnutls_x509_privkey_t key,
                                 gnutls_digest_algorithm_t Param2,
                                 const void *seed,
                                 size_t seed_size);

This function will verify that the given private key was generated from the provided seed. If seed is NULL then the seed stored in the key 's structure will be used for verification.

Parameters

key

should contain a gnutls_x509_privkey_t type

 

digest

it contains the digest algorithm used for key generation (if applicable)

 

seed

the seed of the key to be checked with

 

seed_size

holds the size of seed

 

Returns

In case of a verification failure GNUTLS_E_PRIVKEY_VERIFICATION_ERROR is returned, and zero or positive code on success.

Since: 3.5.0


gnutls_x509_privkey_get_seed ()

int
gnutls_x509_privkey_get_seed (gnutls_x509_privkey_t key,
                              gnutls_digest_algorithm_t *Param2,
                              void *seed,
                              size_t *seed_size);

This function will return the seed that was used to generate the given private key. That function will succeed only if the key was generated as a provable key.

Parameters

key

should contain a gnutls_x509_privkey_t type

 

digest

if non-NULL it will contain the digest algorithm used for key generation (if applicable)

 

seed

where seed will be copied to

 

seed_size

originally holds the size of seed , will be updated with actual size

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.

Since: 3.5.0


gnutls_x509_privkey_verify_params ()

int
gnutls_x509_privkey_verify_params (gnutls_x509_privkey_t key);

This function will verify the private key parameters.

Parameters

key

a key

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_x509_privkey_export ()

int
gnutls_x509_privkey_export (gnutls_x509_privkey_t key,
                            gnutls_x509_crt_fmt_t format,
                            void *output_data,
                            size_t *output_data_size);

This function will export the private key to a PKCS#1 structure for RSA or RSA-PSS keys, and integer sequence for DSA keys. Other keys types will be exported in PKCS#8 form.

If the structure is PEM encoded, it will have a header of "BEGIN RSA PRIVATE KEY".

It is recommended to use gnutls_x509_privkey_export_pkcs8() instead of this function, when a consistent output format is required.

Parameters

key

Holds the key

 

format

the format of output params. One of PEM or DER.

 

output_data

will contain a private key PEM or DER encoded

 

output_data_size

holds the size of output_data (and will be replaced by the actual size of parameters)

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_x509_privkey_export2 ()

int
gnutls_x509_privkey_export2 (gnutls_x509_privkey_t key,
                             gnutls_x509_crt_fmt_t format,
                             gnutls_datum_t *out);

This function will export the private key to a PKCS#1 structure for RSA or RSA-PSS keys, and integer sequence for DSA keys. Other keys types will be exported in PKCS#8 form.

The output buffer is allocated using gnutls_malloc().

It is recommended to use gnutls_x509_privkey_export2_pkcs8() instead of this function, when a consistent output format is required.

Parameters

key

Holds the key

 

format

the format of output params. One of PEM or DER.

 

out

will contain a private key PEM or DER encoded

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.

Since 3.1.3


gnutls_x509_privkey_export_pkcs8 ()

int
gnutls_x509_privkey_export_pkcs8 (gnutls_x509_privkey_t key,
                                  gnutls_x509_crt_fmt_t format,
                                  const char *password,
                                  unsigned int flags,
                                  void *output_data,
                                  size_t *output_data_size);

This function will export the private key to a PKCS8 structure. Both RSA and DSA keys can be exported. For DSA keys we use PKCS 11 definitions. If the flags do not specify the encryption cipher, then the default 3DES (PBES2) will be used.

The password can be either ASCII or UTF-8 in the default PBES2 encryption schemas, or ASCII for the PKCS12 schemas.

If the buffer provided is not long enough to hold the output, then *output_data_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will be returned.

If the structure is PEM encoded, it will have a header of "BEGIN ENCRYPTED PRIVATE KEY" or "BEGIN PRIVATE KEY" if encryption is not used.

Parameters

key

Holds the key

 

format

the format of output params. One of PEM or DER.

 

password

the password that will be used to encrypt the key.

 

flags

an ORed sequence of gnutls_pkcs_encrypt_flags_t

 

output_data

will contain a private key PEM or DER encoded

 

output_data_size

holds the size of output_data (and will be replaced by the actual size of parameters)

 

Returns

In case of failure a negative error code will be returned, and 0 on success.


gnutls_x509_privkey_export2_pkcs8 ()

int
gnutls_x509_privkey_export2_pkcs8 (gnutls_x509_privkey_t key,
                                   gnutls_x509_crt_fmt_t format,
                                   const char *password,
                                   unsigned int flags,
                                   gnutls_datum_t *out);

This function will export the private key to a PKCS8 structure. Both RSA and DSA keys can be exported. For DSA keys we use PKCS 11 definitions. If the flags do not specify the encryption cipher, then the default 3DES (PBES2) will be used.

The password can be either ASCII or UTF-8 in the default PBES2 encryption schemas, or ASCII for the PKCS12 schemas.

The output buffer is allocated using gnutls_malloc().

If the structure is PEM encoded, it will have a header of "BEGIN ENCRYPTED PRIVATE KEY" or "BEGIN PRIVATE KEY" if encryption is not used.

Parameters

key

Holds the key

 

format

the format of output params. One of PEM or DER.

 

password

the password that will be used to encrypt the key.

 

flags

an ORed sequence of gnutls_pkcs_encrypt_flags_t

 

out

will contain a private key PEM or DER encoded

 

Returns

In case of failure a negative error code will be returned, and 0 on success.

Since 3.1.3


gnutls_x509_privkey_export_rsa_raw2 ()

int
gnutls_x509_privkey_export_rsa_raw2 (gnutls_x509_privkey_t key,
                                     gnutls_datum_t *m,
                                     gnutls_datum_t *e,
                                     gnutls_datum_t *d,
                                     gnutls_datum_t *p,
                                     gnutls_datum_t *q,
                                     gnutls_datum_t *u,
                                     gnutls_datum_t *e1,
                                     gnutls_datum_t *e2);

This function will export the RSA private key's parameters found in the given structure. The new parameters will be allocated using gnutls_malloc() and will be stored in the appropriate datum.

Parameters

key

a key

 

m

will hold the modulus

 

e

will hold the public exponent

 

d

will hold the private exponent

 

p

will hold the first prime (p)

 

q

will hold the second prime (q)

 

u

will hold the coefficient

 

e1

will hold e1 = d mod (p-1)

 

e2

will hold e2 = d mod (q-1)

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.

Since: 2.12.0


gnutls_x509_privkey_export_rsa_raw ()

int
gnutls_x509_privkey_export_rsa_raw (gnutls_x509_privkey_t key,
                                    gnutls_datum_t *m,
                                    gnutls_datum_t *e,
                                    gnutls_datum_t *d,
                                    gnutls_datum_t *p,
                                    gnutls_datum_t *q,
                                    gnutls_datum_t *u);

This function will export the RSA private key's parameters found in the given structure. The new parameters will be allocated using gnutls_malloc() and will be stored in the appropriate datum.

Parameters

key

a key

 

m

will hold the modulus

 

e

will hold the public exponent

 

d

will hold the private exponent

 

p

will hold the first prime (p)

 

q

will hold the second prime (q)

 

u

will hold the coefficient

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_x509_privkey_export_ecc_raw ()

int
gnutls_x509_privkey_export_ecc_raw (gnutls_x509_privkey_t key,
                                    gnutls_ecc_curve_t *curve,
                                    gnutls_datum_t *x,
                                    gnutls_datum_t *y,
                                    gnutls_datum_t *k);

This function will export the ECC private key's parameters found in the given structure. The new parameters will be allocated using gnutls_malloc() and will be stored in the appropriate datum.

In EdDSA curves the y parameter will be NULL and the other parameters will be in the native format for the curve.

Parameters

key

a key

 

curve

will hold the curve

 

x

will hold the x-coordinate

 

y

will hold the y-coordinate

 

k

will hold the private key

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.

Since: 3.0


gnutls_x509_privkey_export_gost_raw ()

int
gnutls_x509_privkey_export_gost_raw (gnutls_x509_privkey_t key,
                                     gnutls_ecc_curve_t *curve,
                                     gnutls_digest_algorithm_t *digest,
                                     gnutls_gost_paramset_t *paramset,
                                     gnutls_datum_t *x,
                                     gnutls_datum_t *y,
                                     gnutls_datum_t *k);

This function will export the GOST private key's parameters found in the given structure. The new parameters will be allocated using gnutls_malloc() and will be stored in the appropriate datum.

Note: parameters will be stored with least significant byte first. On version 3.6.3 this was incorrectly returned in big-endian format.

Parameters

key

a key

 

curve

will hold the curve

 

digest

will hold the digest

 

paramset

will hold the GOST parameter set ID

 

x

will hold the x-coordinate

 

y

will hold the y-coordinate

 

k

will hold the private key

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.

Since: 3.6.3


gnutls_x509_privkey_sign_data ()

int
gnutls_x509_privkey_sign_data (gnutls_x509_privkey_t key,
                               gnutls_digest_algorithm_t digest,
                               unsigned int flags,
                               const gnutls_datum_t *data,
                               void *signature,
                               size_t *signature_size);

This function will sign the given data using a signature algorithm supported by the private key. Signature algorithms are always used together with a hash functions. Different hash functions may be used for the RSA algorithm, but only SHA-1 for the DSA keys.

If the buffer provided is not long enough to hold the output, then *signature_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will be returned.

Use gnutls_x509_crt_get_preferred_hash_algorithm() to determine the hash algorithm.

Parameters

key

a key

 

digest

should be a digest algorithm

 

flags

should be 0 for now

 

data

holds the data to be signed

 

signature

will contain the signature

 

signature_size

holds the size of signature (and will be replaced by the new size)

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_x509_crq_sign ()

int
gnutls_x509_crq_sign (gnutls_x509_crq_t crq,
                      gnutls_x509_privkey_t key);

This function is the same a gnutls_x509_crq_sign2() with no flags, and an appropriate hash algorithm. The hash algorithm used may vary between versions of GnuTLS, and it is tied to the security level of the issuer's public key.

A known limitation of this function is, that a newly-signed request will not be fully functional (e.g., for signature verification), until it is exported an re-imported.

Parameters

crq

should contain a gnutls_x509_crq_t type

 

key

holds a private key

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_x509_crq_sign2 ()

int
gnutls_x509_crq_sign2 (gnutls_x509_crq_t crq,
                       gnutls_x509_privkey_t key,
                       gnutls_digest_algorithm_t dig,
                       unsigned int flags);

This function will sign the certificate request with a private key. This must be the same key as the one used in gnutls_x509_crt_set_key() since a certificate request is self signed.

This must be the last step in a certificate request generation since all the previously set parameters are now signed.

A known limitation of this function is, that a newly-signed request will not be fully functional (e.g., for signature verification), until it is exported an re-imported.

After GnuTLS 3.6.1 the value of dig may be GNUTLS_DIG_UNKNOWN, and in that case, a suitable but reasonable for the key algorithm will be selected.

Parameters

crq

should contain a gnutls_x509_crq_t type

 

key

holds a private key

 

dig

The message digest to use, i.e., GNUTLS_DIG_SHA256

 

flags

must be 0

 

Returns

GNUTLS_E_SUCCESS on success, otherwise a negative error code. GNUTLS_E_ASN1_VALUE_NOT_FOUND is returned if you didn't set all information in the certificate request (e.g., the version using gnutls_x509_crq_set_version()).


gnutls_x509_crq_print ()

int
gnutls_x509_crq_print (gnutls_x509_crq_t crq,
                       gnutls_certificate_print_formats_t format,
                       gnutls_datum_t *out);

This function will pretty print a certificate request, suitable for display to a human.

The output out needs to be deallocated using gnutls_free().

Parameters

crq

The data to be printed

 

format

Indicate the format to use

 

out

Newly allocated datum with null terminated string.

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.

Since: 2.8.0


gnutls_x509_crq_verify ()

int
gnutls_x509_crq_verify (gnutls_x509_crq_t crq,
                        unsigned int flags);

This function will verify self signature in the certificate request and return its status.

Parameters

crq

is the crq to be verified

 

flags

Flags that may be used to change the verification algorithm. Use OR of the gnutls_certificate_verify_flags enumerations.

 

Returns

In case of a verification failure GNUTLS_E_PK_SIG_VERIFY_FAILED is returned, and zero or positive code on success.

Since 2.12.0


gnutls_x509_crq_init ()

int
gnutls_x509_crq_init (gnutls_x509_crq_t *crq);

This function will initialize a PKCS10 certificate request structure.

Parameters

crq

A pointer to the type to be initialized

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_x509_crq_deinit ()

void
gnutls_x509_crq_deinit (gnutls_x509_crq_t crq);

This function will deinitialize a PKCS10 certificate request structure.

Parameters

crq

the type to be deinitialized

 

gnutls_x509_crq_import ()

int
gnutls_x509_crq_import (gnutls_x509_crq_t crq,
                        const gnutls_datum_t *data,
                        gnutls_x509_crt_fmt_t format);

This function will convert the given DER or PEM encoded certificate request to a gnutls_x509_crq_t type. The output will be stored in crq .

If the Certificate is PEM encoded it should have a header of "NEW CERTIFICATE REQUEST".

Parameters

crq

The data to store the parsed certificate request.

 

data

The DER or PEM encoded certificate.

 

format

One of DER or PEM

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_x509_crq_get_private_key_usage_period ()

int
gnutls_x509_crq_get_private_key_usage_period
                               (gnutls_x509_crq_t cert,
                                time_t *activation,
                                time_t *expiration,
                                unsigned int *critical);

This function will return the expiration and activation times of the private key of the certificate.

Parameters

crq

should contain a gnutls_x509_crq_t type

 

activation

The activation time

 

expiration

The expiration time

 

critical

the extension status

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE if the extension is not present, otherwise a negative error value.


gnutls_x509_crq_get_dn ()

int
gnutls_x509_crq_get_dn (gnutls_x509_crq_t crq,
                        char *buf,
                        size_t *sizeof_buf);

This function will copy the name of the Certificate request subject to the provided buffer. The name will be in the form "C=xxxx,O=yyyy,CN=zzzz" as described in RFC 2253. The output string buf will be ASCII or UTF-8 encoded, depending on the certificate data.

This function does not output a fully RFC4514 compliant string, if that is required see gnutls_x509_crq_get_dn3().

Parameters

crq

should contain a gnutls_x509_crq_t type

 

buf

a pointer to a structure to hold the name (may be NULL)

 

buf_size

initially holds the size of buf

 

Returns

GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not long enough, and in that case the *buf_size will be updated with the required size. On success 0 is returned.


gnutls_x509_crq_get_dn2 ()

int
gnutls_x509_crq_get_dn2 (gnutls_x509_crq_t crq,
                         gnutls_datum_t *dn);

This function will allocate buffer and copy the name of the Certificate request. The name will be in the form "C=xxxx,O=yyyy,CN=zzzz" as described in RFC4514. The output string will be ASCII or UTF-8 encoded, depending on the certificate data.

This function does not output a fully RFC4514 compliant string, if that is required see gnutls_x509_crq_get_dn3().

Parameters

crq

should contain a gnutls_x509_crq_t type

 

dn

a pointer to a structure to hold the name; must be freed using gnutls_free()

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value. and a negative error code on error.

Since: 3.1.10


gnutls_x509_crq_get_dn3 ()

int
gnutls_x509_crq_get_dn3 (gnutls_x509_crq_t crq,
                         gnutls_datum_t *dn,
                         unsigned  flags);

This function will allocate buffer and copy the name of the Certificate request. The name will be in the form "C=xxxx,O=yyyy,CN=zzzz" as described in RFC4514. The output string will be ASCII or UTF-8 encoded, depending on the certificate data.

When the flag GNUTLS_X509_DN_FLAG_COMPAT is specified, the output format will match the format output by previous to 3.5.6 versions of GnuTLS which was not not fully RFC4514-compliant.

Parameters

crq

should contain a gnutls_x509_crq_t type

 

dn

a pointer to a structure to hold the name; must be freed using gnutls_free()

 

flags

zero or GNUTLS_X509_DN_FLAG_COMPAT

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value. and a negative error code on error.

Since: 3.5.7


gnutls_x509_crq_get_dn_oid ()

int
gnutls_x509_crq_get_dn_oid (gnutls_x509_crq_t crq,
                            unsigned  indx,
                            void *oid,
                            size_t *sizeof_oid);

This function will extract the requested OID of the name of the certificate request subject, specified by the given index.

Parameters

crq

should contain a gnutls_x509_crq_t type

 

indx

Specifies which DN OID to get. Use (0) to get the first one.

 

oid

a pointer to a structure to hold the name (may be NULL)

 

sizeof_oid

initially holds the size of oid

 

Returns

GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not long enough, and in that case the *sizeof_oid will be updated with the required size. On success 0 is returned.


gnutls_x509_crq_get_dn_by_oid ()

int
gnutls_x509_crq_get_dn_by_oid (gnutls_x509_crq_t crq,
                               const char *oid,
                               unsigned  indx,
                               unsigned int raw_flag,
                               void *buf,
                               size_t *sizeof_buf);

This function will extract the part of the name of the Certificate request subject, specified by the given OID. The output will be encoded as described in RFC2253. The output string will be ASCII or UTF-8 encoded, depending on the certificate data.

Some helper macros with popular OIDs can be found in gnutls/x509.h If raw flag is (0), this function will only return known OIDs as text. Other OIDs will be DER encoded, as described in RFC2253 -- in hex format with a '#' prefix. You can check about known OIDs using gnutls_x509_dn_oid_known().

Parameters

crq

should contain a gnutls_x509_crq_t type

 

oid

holds an Object Identifier in a null terminated string

 

indx

In case multiple same OIDs exist in the RDN, this specifies which to get. Use (0) to get the first one.

 

raw_flag

If non-zero returns the raw DER data of the DN part.

 

buf

a pointer to a structure to hold the name (may be NULL)

 

buf_size

initially holds the size of buf

 

Returns

GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not long enough, and in that case the *buf_size will be updated with the required size. On success 0 is returned.


gnutls_x509_crq_set_dn ()

int
gnutls_x509_crq_set_dn (gnutls_x509_crq_t crq,
                        const char *dn,
                        const char **err);

This function will set the DN on the provided certificate. The input string should be plain ASCII or UTF-8 encoded. On DN parsing error GNUTLS_E_PARSING_ERROR is returned.

Parameters

crq

a certificate of type gnutls_x509_crq_t

 

dn

a comma separated DN string (RFC4514)

 

err

indicates the error position (if any)

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_x509_crq_set_dn_by_oid ()

int
gnutls_x509_crq_set_dn_by_oid (gnutls_x509_crq_t crq,
                               const char *oid,
                               unsigned int raw_flag,
                               const void *data,
                               unsigned int sizeof_data);

This function will set the part of the name of the Certificate request subject, specified by the given OID. The input string should be ASCII or UTF-8 encoded.

Some helper macros with popular OIDs can be found in gnutls/x509.h With this function you can only set the known OIDs. You can test for known OIDs using gnutls_x509_dn_oid_known(). For OIDs that are not known (by gnutls) you should properly DER encode your data, and call this function with raw_flag set.

Parameters

crq

should contain a gnutls_x509_crq_t type

 

oid

holds an Object Identifier in a (0)-terminated string

 

raw_flag

must be 0, or 1 if the data are DER encoded

 

data

a pointer to the input data

 

sizeof_data

holds the size of data

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_x509_crq_set_version ()

int
gnutls_x509_crq_set_version (gnutls_x509_crq_t crq,
                             unsigned int version);

This function will set the version of the certificate request. For version 1 requests this must be one.

Parameters

crq

should contain a gnutls_x509_crq_t type

 

version

holds the version number, for v1 Requests must be 1

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_x509_crq_get_version ()

int
gnutls_x509_crq_get_version (gnutls_x509_crq_t crq);

This function will return the version of the specified Certificate request.

Parameters

crq

should contain a gnutls_x509_crq_t type

 

Returns

version of certificate request, or a negative error code on error.


gnutls_x509_crq_set_key ()

int
gnutls_x509_crq_set_key (gnutls_x509_crq_t crq,
                         gnutls_x509_privkey_t key);

This function will set the public parameters from the given private key to the request.

Parameters

crq

should contain a gnutls_x509_crq_t type

 

key

holds a private key

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_x509_crq_set_extension_by_oid ()

int
gnutls_x509_crq_set_extension_by_oid (gnutls_x509_crq_t crq,
                                      const char *oid,
                                      const void *buf,
                                      size_t sizeof_buf,
                                      unsigned int critical);

This function will set an the extension, by the specified OID, in the certificate request. The extension data should be binary data DER encoded.

Parameters

crq

a certificate of type gnutls_x509_crq_t

 

oid

holds an Object Identifier in null terminated string

 

buf

a pointer to a DER encoded data

 

sizeof_buf

holds the size of buf

 

critical

should be non-zero if the extension is to be marked as critical

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_x509_crq_set_challenge_password ()

int
gnutls_x509_crq_set_challenge_password
                               (gnutls_x509_crq_t crq,
                                const char *pass);

This function will set a challenge password to be used when revoking the request.

Parameters

crq

should contain a gnutls_x509_crq_t type

 

pass

holds a (0)-terminated password

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_x509_crq_get_challenge_password ()

int
gnutls_x509_crq_get_challenge_password
                               (gnutls_x509_crq_t crq,
                                char *pass,
                                size_t *sizeof_pass);

This function will return the challenge password in the request. The challenge password is intended to be used for requesting a revocation of the certificate.

Parameters

crq

should contain a gnutls_x509_crq_t type

 

pass

will hold a (0)-terminated password string

 

pass_size

Initially holds the size of pass .

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_x509_crq_set_attribute_by_oid ()

int
gnutls_x509_crq_set_attribute_by_oid (gnutls_x509_crq_t crq,
                                      const char *oid,
                                      void *buf,
                                      size_t sizeof_buf);

This function will set the attribute in the certificate request specified by the given Object ID. The provided attribute must be be DER encoded.

Attributes in a certificate request is an optional set of data appended to the request. Their interpretation depends on the CA policy.

Parameters

crq

should contain a gnutls_x509_crq_t type

 

oid

holds an Object Identifier in a null-terminated string

 

buf

a pointer to a structure that holds the attribute data

 

buf_size

holds the size of buf

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_x509_crq_get_attribute_by_oid ()

int
gnutls_x509_crq_get_attribute_by_oid (gnutls_x509_crq_t crq,
                                      const char *oid,
                                      unsigned  indx,
                                      void *buf,
                                      size_t *sizeof_buf);

This function will return the attribute in the certificate request specified by the given Object ID. The attribute will be DER encoded.

Attributes in a certificate request is an optional set of data appended to the request. Their interpretation depends on the CA policy.

Parameters

crq

should contain a gnutls_x509_crq_t type

 

oid

holds an Object Identifier in null-terminated string

 

indx

In case multiple same OIDs exist in the attribute list, this specifies which to get, use (0) to get the first one

 

buf

a pointer to a structure to hold the attribute data (may be NULL)

 

buf_size

initially holds the size of buf

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_x509_crq_export ()

int
gnutls_x509_crq_export (gnutls_x509_crq_t crq,
                        gnutls_x509_crt_fmt_t format,
                        void *output_data,
                        size_t *output_data_size);

This function will export the certificate request to a PEM or DER encoded PKCS10 structure.

If the buffer provided is not long enough to hold the output, then GNUTLS_E_SHORT_MEMORY_BUFFER will be returned and *output_data_size will be updated.

If the structure is PEM encoded, it will have a header of "BEGIN NEW CERTIFICATE REQUEST".

Parameters

crq

should contain a gnutls_x509_crq_t type

 

format

the format of output params. One of PEM or DER.

 

output_data

will contain a certificate request PEM or DER encoded

 

output_data_size

holds the size of output_data (and will be replaced by the actual size of parameters)

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_x509_crq_export2 ()

int
gnutls_x509_crq_export2 (gnutls_x509_crq_t crq,
                         gnutls_x509_crt_fmt_t format,
                         gnutls_datum_t *out);

This function will export the certificate request to a PEM or DER encoded PKCS10 structure.

The output buffer is allocated using gnutls_malloc().

If the structure is PEM encoded, it will have a header of "BEGIN NEW CERTIFICATE REQUEST".

Parameters

crq

should contain a gnutls_x509_crq_t type

 

format

the format of output params. One of PEM or DER.

 

out

will contain a certificate request PEM or DER encoded

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.

Since 3.1.3


gnutls_x509_crt_set_crq ()

int
gnutls_x509_crt_set_crq (gnutls_x509_crt_t crt,
                         gnutls_x509_crq_t crq);

This function will set the name and public parameters as well as the extensions from the given certificate request to the certificate. Only RSA keys are currently supported.

Note that this function will only set the crq if it is self signed and the signature is correct. See gnutls_x509_crq_sign2().

Parameters

crt

a certificate of type gnutls_x509_crt_t

 

crq

holds a certificate request

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_x509_crt_set_crq_extensions ()

int
gnutls_x509_crt_set_crq_extensions (gnutls_x509_crt_t crt,
                                    gnutls_x509_crq_t crq);

This function will set the extensions from the given request to the certificate.

Parameters

crt

a certificate of type gnutls_x509_crt_t

 

crq

holds a certificate request

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.

Since: 2.8.0


gnutls_x509_crt_set_crq_extension_by_oid ()

int
gnutls_x509_crt_set_crq_extension_by_oid
                               (gnutls_x509_crt_t crt,
                                gnutls_x509_crq_t crq,
                                const char *oid,
                                unsigned  flags);

This function will set the extension specify by oid from the given request to the certificate.

Parameters

crt

a certificate of type gnutls_x509_crt_t

 

crq

holds a certificate request

 

oid

the object identifier of the OID to copy

 

flags

should be zero

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.

Since: 3.5.1


gnutls_x509_crq_set_private_key_usage_period ()

int
gnutls_x509_crq_set_private_key_usage_period
                               (gnutls_x509_crq_t crq,
                                time_t activation,
                                time_t expiration);

This function will set the private key usage period extension (2.5.29.16).

Parameters

crq

a certificate of type gnutls_x509_crq_t

 

activation

The activation time

 

expiration

The expiration time

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_x509_crq_set_key_rsa_raw ()

int
gnutls_x509_crq_set_key_rsa_raw (gnutls_x509_crq_t crq,
                                 const gnutls_datum_t *m,
                                 const gnutls_datum_t *e);

This function will set the public parameters from the given private key to the request. Only RSA keys are currently supported.

Parameters

crq

should contain a gnutls_x509_crq_t type

 

m

holds the modulus

 

e

holds the public exponent

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.

Since: 2.6.0


gnutls_x509_crq_set_subject_alt_name ()

int
gnutls_x509_crq_set_subject_alt_name (gnutls_x509_crq_t crq,
                                      gnutls_x509_subject_alt_name_t nt,
                                      const void *data,
                                      unsigned int data_size,
                                      unsigned int flags);

This function will set the subject alternative name certificate extension. It can set the following types:

GNUTLS_SAN_DNSNAME: as a text string

GNUTLS_SAN_RFC822NAME: as a text string

GNUTLS_SAN_URI: as a text string

GNUTLS_SAN_IPADDRESS: as a binary IP address (4 or 16 bytes)

GNUTLS_SAN_OTHERNAME_XMPP: as a UTF8 string

Since version 3.5.7 the GNUTLS_SAN_RFC822NAME, GNUTLS_SAN_DNSNAME, and GNUTLS_SAN_OTHERNAME_XMPP are converted to ACE format when necessary.

Parameters

crq

a certificate request of type gnutls_x509_crq_t

 

nt

is one of the gnutls_x509_subject_alt_name_t enumerations

 

data

The data to be set

 

data_size

The size of data to be set

 

flags

GNUTLS_FSAN_SET to clear previous data or GNUTLS_FSAN_APPEND to append.

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.

Since: 2.8.0


gnutls_x509_crq_set_subject_alt_othername ()

int
gnutls_x509_crq_set_subject_alt_othername
                               (gnutls_x509_crq_t crq,
                                const char *oid,
                                const void *data,
                                unsigned int data_size,
                                unsigned int flags);

This function will set the subject alternative name certificate extension. It can set the following types:

The values set must be binary values and must be properly DER encoded.

Parameters

crq

a certificate request of type gnutls_x509_crq_t

 

oid

is the othername OID

 

data

The data to be set

 

data_size

The size of data to be set

 

flags

GNUTLS_FSAN_SET to clear previous data or GNUTLS_FSAN_APPEND to append.

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.

Since: 3.5.0


gnutls_x509_crq_set_key_usage ()

int
gnutls_x509_crq_set_key_usage (gnutls_x509_crq_t crq,
                               unsigned int usage);

This function will set the keyUsage certificate extension.

Parameters

crq

a certificate request of type gnutls_x509_crq_t

 

usage

an ORed sequence of the GNUTLS_KEY_* elements.

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.

Since: 2.8.0


gnutls_x509_crq_set_basic_constraints ()

int
gnutls_x509_crq_set_basic_constraints (gnutls_x509_crq_t crq,
                                       unsigned int ca,
                                       int pathLenConstraint);

This function will set the basicConstraints certificate extension.

Parameters

crq

a certificate request of type gnutls_x509_crq_t

 

ca

true(1) or false(0) depending on the Certificate authority status.

 

pathLenConstraint

non-negative error codes indicate maximum length of path, and negative error codes indicate that the pathLenConstraints field should not be present.

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.

Since: 2.8.0


gnutls_x509_crq_set_key_purpose_oid ()

int
gnutls_x509_crq_set_key_purpose_oid (gnutls_x509_crq_t crq,
                                     const void *oid,
                                     unsigned int critical);

This function will set the key purpose OIDs of the Certificate. These are stored in the Extended Key Usage extension (2.5.29.37) See the GNUTLS_KP_* definitions for human readable names.

Subsequent calls to this function will append OIDs to the OID list.

Parameters

crq

a certificate of type gnutls_x509_crq_t

 

oid

a pointer to a null-terminated string that holds the OID

 

critical

Whether this extension will be critical or not

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.

Since: 2.8.0


gnutls_x509_crq_get_key_purpose_oid ()

int
gnutls_x509_crq_get_key_purpose_oid (gnutls_x509_crq_t crq,
                                     unsigned  indx,
                                     void *oid,
                                     size_t *sizeof_oid,
                                     unsigned int *critical);

This function will extract the key purpose OIDs of the Certificate specified by the given index. These are stored in the Extended Key Usage extension (2.5.29.37). See the GNUTLS_KP_* definitions for human readable names.

Parameters

crq

should contain a gnutls_x509_crq_t type

 

indx

This specifies which OID to return, use (0) to get the first one

 

oid

a pointer to store the OID (may be NULL)

 

sizeof_oid

initially holds the size of oid

 

critical

output variable with critical flag, may be NULL.

 

Returns

GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not long enough, and in that case the *sizeof_oid will be updated with the required size. On success 0 is returned.

Since: 2.8.0


gnutls_x509_crq_get_extension_data ()

int
gnutls_x509_crq_get_extension_data (gnutls_x509_crq_t crq,
                                    unsigned  indx,
                                    void *data,
                                    size_t *sizeof_data);

This function will return the requested extension data in the certificate. The extension data will be stored as a string in the provided buffer.

Use gnutls_x509_crq_get_extension_info() to extract the OID and critical flag. Use gnutls_x509_crq_get_extension_by_oid() instead, if you want to get data indexed by the extension OID rather than sequence.

Parameters

crq

should contain a gnutls_x509_crq_t type

 

indx

Specifies which extension number to get. Use (0) to get the first one.

 

data

a pointer to a structure to hold the data (may be null)

 

sizeof_data

initially holds the size of oid

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error code in case of an error. If your have reached the last extension available GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.

Since: 2.8.0


gnutls_x509_crq_get_extension_data2 ()

int
gnutls_x509_crq_get_extension_data2 (gnutls_x509_crq_t crq,
                                     unsigned  indx,
                                     gnutls_datum_t *data);

This function will return the requested extension data in the certificate request. The extension data will be allocated using gnutls_malloc().

Use gnutls_x509_crq_get_extension_info() to extract the OID.

Parameters

crq

should contain a gnutls_x509_crq_t type

 

extension_id

An X.509 extension OID.

 

indx

Specifies which extension OID to read. Use (0) to get the first one.

 

data

will contain the extension DER-encoded data

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error code is returned. If you have reached the last extension available GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.

Since: 3.3.0


gnutls_x509_crq_get_extension_info ()

int
gnutls_x509_crq_get_extension_info (gnutls_x509_crq_t crq,
                                    unsigned  indx,
                                    void *oid,
                                    size_t *sizeof_oid,
                                    unsigned int *critical);

This function will return the requested extension OID in the certificate, and the critical flag for it. The extension OID will be stored as a string in the provided buffer. Use gnutls_x509_crq_get_extension_data() to extract the data.

If the buffer provided is not long enough to hold the output, then *sizeof_oid is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will be returned.

Parameters

crq

should contain a gnutls_x509_crq_t type

 

indx

Specifies which extension number to get. Use (0) to get the first one.

 

oid

a pointer to store the OID

 

sizeof_oid

initially holds the maximum size of oid , on return holds actual size of oid .

 

critical

output variable with critical flag, may be NULL.

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error code in case of an error. If your have reached the last extension available GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.

Since: 2.8.0


gnutls_x509_crq_get_attribute_data ()

int
gnutls_x509_crq_get_attribute_data (gnutls_x509_crq_t crq,
                                    unsigned  indx,
                                    void *data,
                                    size_t *sizeof_data);

This function will return the requested attribute data in the certificate request. The attribute data will be stored as a string in the provided buffer.

Use gnutls_x509_crq_get_attribute_info() to extract the OID. Use gnutls_x509_crq_get_attribute_by_oid() instead, if you want to get data indexed by the attribute OID rather than sequence.

Parameters

crq

should contain a gnutls_x509_crq_t type

 

indx

Specifies which attribute number to get. Use (0) to get the first one.

 

data

a pointer to a structure to hold the data (may be null)

 

sizeof_data

initially holds the size of oid

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error code in case of an error. If your have reached the last extension available GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.

Since: 2.8.0


gnutls_x509_crq_get_attribute_info ()

int
gnutls_x509_crq_get_attribute_info (gnutls_x509_crq_t crq,
                                    unsigned  indx,
                                    void *oid,
                                    size_t *sizeof_oid);

This function will return the requested attribute OID in the certificate, and the critical flag for it. The attribute OID will be stored as a string in the provided buffer. Use gnutls_x509_crq_get_attribute_data() to extract the data.

If the buffer provided is not long enough to hold the output, then *sizeof_oid is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will be returned.

Parameters

crq

should contain a gnutls_x509_crq_t type

 

indx

Specifies which attribute number to get. Use (0) to get the first one.

 

oid

a pointer to a structure to hold the OID

 

sizeof_oid

initially holds the maximum size of oid , on return holds actual size of oid .

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error code in case of an error. If your have reached the last extension available GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.

Since: 2.8.0


gnutls_x509_crq_get_pk_algorithm ()

int
gnutls_x509_crq_get_pk_algorithm (gnutls_x509_crq_t crq,
                                  unsigned int *bits);

This function will return the public key algorithm of a PKCS10 certificate request.

If bits is non-NULL, it should have enough size to hold the parameters size in bits. For RSA the bits returned is the modulus. For DSA the bits returned are of the public exponent.

Parameters

crq

should contain a gnutls_x509_crq_t type

 

bits

if bits is non-NULL it will hold the size of the parameters' in bits

 

Returns

a member of the gnutls_pk_algorithm_t enumeration on success, or a negative error code on error.


gnutls_x509_crq_get_spki ()

int
gnutls_x509_crq_get_spki (gnutls_x509_crq_t crq,
                          gnutls_x509_spki_t spki,
                          unsigned int flags);

gnutls_x509_crq_set_spki ()

int
gnutls_x509_crq_set_spki (gnutls_x509_crq_t crq,
                          const gnutls_x509_spki_t spki,
                          unsigned int flags);

This function will set the certificate request's subject public key information explicitly. This is intended to be used in the cases where a single public key (e.g., RSA) can be used for multiple signature algorithms (RSA PKCS1-1.5, and RSA-PSS).

To export the public key (i.e., the SubjectPublicKeyInfo part), check gnutls_pubkey_import_x509().

Parameters

crq

a certificate request of type gnutls_x509_crq_t

 

spki

a SubjectPublicKeyInfo structure of type gnutls_x509_spki_t

 

flags

must be zero

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.

Since: 3.6.0


gnutls_x509_crq_get_signature_oid ()

int
gnutls_x509_crq_get_signature_oid (gnutls_x509_crq_t crq,
                                   char *oid,
                                   size_t *oid_size);

This function will return the OID of the signature algorithm that has been used to sign this certificate request. This function is useful in the case gnutls_x509_crq_get_signature_algorithm() returned GNUTLS_SIGN_UNKNOWN.

Parameters

crq

should contain a gnutls_x509_crq_t type

 

oid

a pointer to a buffer to hold the OID (may be null)

 

oid_size

initially holds the size of oid

 

Returns

zero or a negative error code on error.

Since: 3.5.0


gnutls_x509_crq_get_pk_oid ()

int
gnutls_x509_crq_get_pk_oid (gnutls_x509_crq_t crq,
                            char *oid,
                            size_t *oid_size);

This function will return the OID of the public key algorithm on that certificate request. This function is useful in the case gnutls_x509_crq_get_pk_algorithm() returned GNUTLS_PK_UNKNOWN.

Parameters

crq

should contain a gnutls_x509_crq_t type

 

oid

a pointer to a buffer to hold the OID (may be null)

 

oid_size

initially holds the size of oid

 

Returns

zero or a negative error code on error.

Since: 3.5.0


gnutls_x509_crq_get_key_id ()

int
gnutls_x509_crq_get_key_id (gnutls_x509_crq_t crq,
                            unsigned int flags,
                            unsigned char *output_data,
                            size_t *output_data_size);

This function will return a unique ID that depends on the public key parameters. This ID can be used in checking whether a certificate corresponds to the given private key.

If the buffer provided is not long enough to hold the output, then *output_data_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will be returned. The output will normally be a SHA-1 hash output, which is 20 bytes.

Parameters

crq

a certificate of type gnutls_x509_crq_t

 

flags

should be one of the flags from gnutls_keyid_flags_t

 

output_data

will contain the key ID

 

output_data_size

holds the size of output_data (and will be replaced by the actual size of parameters)

 

Returns

In case of failure a negative error code will be returned, and 0 on success.

Since: 2.8.0


gnutls_x509_crq_get_key_rsa_raw ()

int
gnutls_x509_crq_get_key_rsa_raw (gnutls_x509_crq_t crq,
                                 gnutls_datum_t *m,
                                 gnutls_datum_t *e);

This function will export the RSA public key's parameters found in the given structure. The new parameters will be allocated using gnutls_malloc() and will be stored in the appropriate datum.

Parameters

crq

Holds the certificate

 

m

will hold the modulus

 

e

will hold the public exponent

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.

Since: 2.8.0


gnutls_x509_crq_get_key_usage ()

int
gnutls_x509_crq_get_key_usage (gnutls_x509_crq_t crq,
                               unsigned int *key_usage,
                               unsigned int *critical);

This function will return certificate's key usage, by reading the keyUsage X.509 extension (2.5.29.15). The key usage value will ORed values of the: GNUTLS_KEY_DIGITAL_SIGNATURE, GNUTLS_KEY_NON_REPUDIATION, GNUTLS_KEY_KEY_ENCIPHERMENT, GNUTLS_KEY_DATA_ENCIPHERMENT, GNUTLS_KEY_KEY_AGREEMENT, GNUTLS_KEY_KEY_CERT_SIGN, GNUTLS_KEY_CRL_SIGN, GNUTLS_KEY_ENCIPHER_ONLY, GNUTLS_KEY_DECIPHER_ONLY.

Parameters

crq

should contain a gnutls_x509_crq_t type

 

key_usage

where the key usage bits will be stored

 

critical

will be non-zero if the extension is marked as critical

 

Returns

the certificate key usage, or a negative error code in case of parsing error. If the certificate does not contain the keyUsage extension GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.

Since: 2.8.0


gnutls_x509_crq_get_basic_constraints ()

int
gnutls_x509_crq_get_basic_constraints (gnutls_x509_crq_t crq,
                                       unsigned int *critical,
                                       unsigned int *ca,
                                       int *pathlen);

This function will read the certificate's basic constraints, and return the certificates CA status. It reads the basicConstraints X.509 extension (2.5.29.19).

Parameters

crq

should contain a gnutls_x509_crq_t type

 

critical

will be non-zero if the extension is marked as critical

 

ca

pointer to output integer indicating CA status, may be NULL, value is 1 if the certificate CA flag is set, 0 otherwise.

 

pathlen

pointer to output integer indicating path length (may be NULL), non-negative error codes indicate a present pathLenConstraint field and the actual value, -1 indicate that the field is absent.

 

Returns

If the certificate is a CA a positive value will be returned, or (0) if the certificate does not have CA flag set. A negative error code may be returned in case of errors. If the certificate does not contain the basicConstraints extension GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.

Since: 2.8.0


gnutls_x509_crq_get_subject_alt_name ()

int
gnutls_x509_crq_get_subject_alt_name (gnutls_x509_crq_t crq,
                                      unsigned int seq,
                                      void *ret,
                                      size_t *ret_size,
                                      unsigned int *ret_type,
                                      unsigned int *critical);

This function will return the alternative names, contained in the given certificate. It is the same as gnutls_x509_crq_get_subject_alt_name() except for the fact that it will return the type of the alternative name in ret_type even if the function fails for some reason (i.e. the buffer provided is not enough).

Parameters

crq

should contain a gnutls_x509_crq_t type

 

seq

specifies the sequence number of the alt name, 0 for the first one, 1 for the second etc.

 

ret

is the place where the alternative name will be copied to

 

ret_size

holds the size of ret.

 

ret_type

holds the gnutls_x509_subject_alt_name_t name type

 

critical

will be non-zero if the extension is marked as critical (may be null)

 

Returns

the alternative subject name type on success, one of the enumerated gnutls_x509_subject_alt_name_t. It will return GNUTLS_E_SHORT_MEMORY_BUFFER if ret_size is not large enough to hold the value. In that case ret_size will be updated with the required size. If the certificate request does not have an Alternative name with the specified sequence number then GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned.

Since: 2.8.0


gnutls_x509_crq_get_subject_alt_othername_oid ()

int
gnutls_x509_crq_get_subject_alt_othername_oid
                               (gnutls_x509_crq_t crq,
                                unsigned int seq,
                                void *ret,
                                size_t *ret_size);

This function will extract the type OID of an otherName Subject Alternative Name, contained in the given certificate, and return the type as an enumerated element.

This function is only useful if gnutls_x509_crq_get_subject_alt_name() returned GNUTLS_SAN_OTHERNAME.

Parameters

crq

should contain a gnutls_x509_crq_t type

 

seq

specifies the sequence number of the alt name (0 for the first one, 1 for the second etc.)

 

ret

is the place where the otherName OID will be copied to

 

ret_size

holds the size of ret.

 

Returns

the alternative subject name type on success, one of the enumerated gnutls_x509_subject_alt_name_t. For supported OIDs, it will return one of the virtual (GNUTLS_SAN_OTHERNAME_*) types, e.g. GNUTLS_SAN_OTHERNAME_XMPP, and GNUTLS_SAN_OTHERNAME for unknown OIDs. It will return GNUTLS_E_SHORT_MEMORY_BUFFER if ret_size is not large enough to hold the value. In that case ret_size will be updated with the required size. If the certificate does not have an Alternative name with the specified sequence number and with the otherName type then GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned.

Since: 2.8.0


gnutls_x509_crq_get_extension_by_oid ()

int
gnutls_x509_crq_get_extension_by_oid (gnutls_x509_crq_t crq,
                                      const char *oid,
                                      unsigned  indx,
                                      void *buf,
                                      size_t *sizeof_buf,
                                      unsigned int *critical);

This function will return the extension specified by the OID in the certificate. The extensions will be returned as binary data DER encoded, in the provided buffer.

Parameters

crq

should contain a gnutls_x509_crq_t type

 

oid

holds an Object Identifier in a null terminated string

 

indx

In case multiple same OIDs exist in the extensions, this specifies which to get. Use (0) to get the first one.

 

buf

a pointer to a structure to hold the name (may be null)

 

buf_size

initially holds the size of buf

 

critical

will be non-zero if the extension is marked as critical

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error code in case of an error. If the certificate does not contain the specified extension GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.

Since: 2.8.0


gnutls_x509_crq_get_tlsfeatures ()

int
gnutls_x509_crq_get_tlsfeatures (gnutls_x509_crq_t crq,
                                 gnutls_x509_tlsfeatures_t features,
                                 unsigned  flags,
                                 unsigned int *critical);

This function will get the X.509 TLS features extension structure from the certificate request. The returned structure needs to be freed using gnutls_x509_tlsfeatures_deinit().

When the flags is set to GNUTLS_EXT_FLAG_APPEND, then if the features structure is empty this function will behave identically as if the flag was not set. Otherwise if there are elements in the features structure then they will be merged with.

Note that features must be initialized prior to calling this function.

Parameters

crq

An X.509 certificate request

 

features

If the function succeeds, the features will be stored in this variable.

 

flags

zero or GNUTLS_EXT_FLAG_APPEND

 

critical

the extension status

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.

Since: 3.5.1


gnutls_x509_crq_set_tlsfeatures ()

int
gnutls_x509_crq_set_tlsfeatures (gnutls_x509_crq_t crq,
                                 gnutls_x509_tlsfeatures_t features);

This function will set the certificate request's X.509 TLS extension from the given structure.

Parameters

crq

An X.509 certificate request

 

features

If the function succeeds, the features will be added to the certificate request.

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.

Since: 3.5.1


gnutls_x509_crt_get_extension_by_oid2 ()

int
gnutls_x509_crt_get_extension_by_oid2 (gnutls_x509_crt_t cert,
                                       const char *oid,
                                       unsigned  indx,
                                       gnutls_datum_t *output,
                                       unsigned int *critical);

This function will return the extension specified by the OID in the certificate. The extensions will be returned as binary data DER encoded, in the provided buffer.

Parameters

cert

should contain a gnutls_x509_crt_t type

 

oid

holds an Object Identified in null terminated string

 

indx

In case multiple same OIDs exist in the extensions, this specifies which to send. Use (0) to get the first one.

 

output

will hold the allocated extension data

 

critical

will be non-zero if the extension is marked as critical

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error code is returned. If the certificate does not contain the specified extension GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.

Since: 3.3.8


gnutls_x509_trust_list_init ()

int
gnutls_x509_trust_list_init (gnutls_x509_trust_list_t *list,
                             unsigned int size);

This function will initialize an X.509 trust list structure.

Parameters

list

A pointer to the type to be initialized

 

size

The size of the internal hash table. Use (0) for default size.

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.

Since: 3.0.0


gnutls_x509_trust_list_deinit ()

void
gnutls_x509_trust_list_deinit (gnutls_x509_trust_list_t list,
                               unsigned int all);

This function will deinitialize a trust list. Note that the all flag should be typically non-zero unless you have specified your certificates using gnutls_x509_trust_list_add_cas() and you want to prevent them from being deinitialized by this function.

Parameters

list

The list to be deinitialized

 

all

if non-zero it will deinitialize all the certificates and CRLs contained in the structure.

 

Since: 3.0.0


gnutls_x509_trust_list_get_issuer ()

int
gnutls_x509_trust_list_get_issuer (gnutls_x509_trust_list_t list,
                                   gnutls_x509_crt_t cert,
                                   gnutls_x509_crt_t *issuer,
                                   unsigned int flags);

This function will find the issuer of the given certificate. If the flag GNUTLS_TL_GET_COPY is specified a copy of the issuer will be returned which must be freed using gnutls_x509_crt_deinit(). In that case the provided issuer must not be initialized.

Note that the flag GNUTLS_TL_GET_COPY is required for this function to work with PKCS11 trust lists in a thread-safe way.

Parameters

list

The list

 

cert

is the certificate to find issuer for

 

issuer

Will hold the issuer if any. Should be treated as constant unless GNUTLS_TL_GET_COPY is set in flags .

 

flags

flags from gnutls_trust_list_flags_t (GNUTLS_TL_GET_COPY is applicable)

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.

Since: 3.0


gnutls_x509_trust_list_get_issuer_by_dn ()

int
gnutls_x509_trust_list_get_issuer_by_dn
                               (gnutls_x509_trust_list_t list,
                                const gnutls_datum_t *dn,
                                gnutls_x509_crt_t *issuer,
                                unsigned int flags);

This function will find the issuer with the given name, and return a copy of the issuer, which must be freed using gnutls_x509_crt_deinit().

Parameters

list

The list

 

dn

is the issuer's DN

 

issuer

Will hold the issuer if any. Should be deallocated after use.

 

flags

Use zero

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.

Since: 3.4.0


gnutls_x509_trust_list_get_issuer_by_subject_key_id ()

int
gnutls_x509_trust_list_get_issuer_by_subject_key_id
                               (gnutls_x509_trust_list_t list,
                                const gnutls_datum_t *dn,
                                const gnutls_datum_t *spki,
                                gnutls_x509_crt_t *issuer,
                                unsigned int flags);

This function will find the issuer with the given name and subject key ID, and return a copy of the issuer, which must be freed using gnutls_x509_crt_deinit().

Parameters

list

The list

 

dn

is the issuer's DN (may be NULL)

 

spki

is the subject key ID

 

issuer

Will hold the issuer if any. Should be deallocated after use.

 

flags

Use zero

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.

Since: 3.4.2


gnutls_x509_trust_list_add_cas ()

int
gnutls_x509_trust_list_add_cas (gnutls_x509_trust_list_t list,
                                const gnutls_x509_crt_t *clist,
                                unsigned  clist_size,
                                unsigned int flags);

This function will add the given certificate authorities to the trusted list. The CAs in clist must not be deinitialized during the lifetime of list .

If the flag GNUTLS_TL_NO_DUPLICATES is specified, then this function will ensure that no duplicates will be present in the final trust list.

If the flag GNUTLS_TL_NO_DUPLICATE_KEY is specified, then this function will ensure that no certificates with the same key are present in the final trust list.

If either GNUTLS_TL_NO_DUPLICATE_KEY or GNUTLS_TL_NO_DUPLICATES are given, gnutls_x509_trust_list_deinit() must be called with parameter all being 1.

Parameters

list

The list

 

clist

A list of CAs

 

clist_size

The length of the CA list

 

flags

flags from gnutls_trust_list_flags_t

 

Returns

The number of added elements is returned; that includes duplicate entries.

Since: 3.0.0


gnutls_x509_trust_list_remove_cas ()

int
gnutls_x509_trust_list_remove_cas (gnutls_x509_trust_list_t list,
                                   const gnutls_x509_crt_t *clist,
                                   unsigned  clist_size);

This function will remove the given certificate authorities from the trusted list.

Note that this function can accept certificates and authorities not yet known. In that case they will be kept in a separate black list that will be used during certificate verification. Unlike gnutls_x509_trust_list_add_cas() there is no deinitialization restriction for certificate list provided in this function.

Parameters

list

The list

 

clist

A list of CAs

 

clist_size

The length of the CA list

 

Returns

The number of removed elements is returned.

Since: 3.1.10


gnutls_x509_trust_list_add_named_crt ()

int
gnutls_x509_trust_list_add_named_crt (gnutls_x509_trust_list_t list,
                                      gnutls_x509_crt_t cert,
                                      const void *name,
                                      size_t name_size,
                                      unsigned int flags);

This function will add the given certificate to the trusted list and associate it with a name. The certificate will not be be used for verification with gnutls_x509_trust_list_verify_crt() but with gnutls_x509_trust_list_verify_named_crt() or gnutls_x509_trust_list_verify_crt2() - the latter only since GnuTLS 3.4.0 and if a hostname is provided.

In principle this function can be used to set individual "server" certificates that are trusted by the user for that specific server but for no other purposes.

The certificate cert must not be deinitialized during the lifetime of the list .

Parameters

list

The list

 

cert

A certificate

 

name

An identifier for the certificate

 

name_size

The size of the identifier

 

flags

should be 0.

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.

Since: 3.0.0


gnutls_x509_trust_list_add_crls ()

int
gnutls_x509_trust_list_add_crls (gnutls_x509_trust_list_t list,
                                 const gnutls_x509_crl_t *crl_list,
                                 unsigned  crl_size,
                                 unsigned int flags,
                                 unsigned int verification_flags);

This function will add the given certificate revocation lists to the trusted list. The CRLs in crl_list must not be deinitialized during the lifetime of list .

This function must be called after gnutls_x509_trust_list_add_cas() to allow verifying the CRLs for validity. If the flag GNUTLS_TL_NO_DUPLICATES is given, then the final CRL list will not contain duplicate entries.

If the flag GNUTLS_TL_NO_DUPLICATES is given, gnutls_x509_trust_list_deinit() must be called with parameter all being 1.

If flag GNUTLS_TL_VERIFY_CRL is given the CRLs will be verified before being added, and if verification fails, they will be skipped.

Parameters

list

The list

 

crl_list

A list of CRLs

 

crl_size

The length of the CRL list

 

flags

flags from gnutls_trust_list_flags_t

 

verification_flags

gnutls_certificate_verify_flags if flags specifies GNUTLS_TL_VERIFY_CRL

 

Returns

The number of added elements is returned; that includes duplicate entries.

Since: 3.0


gnutls_x509_trust_list_iter_get_ca ()

int
gnutls_x509_trust_list_iter_get_ca (gnutls_x509_trust_list_t list,
                                    gnutls_x509_trust_list_iter_t *iter,
                                    gnutls_x509_crt_t *crt);

This function obtains a certificate in the trust list and advances the iterator to the next certificate. The certificate returned in crt must be deallocated with gnutls_x509_crt_deinit().

When past the last element is accessed GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned and the iterator is reset.

The iterator is deinitialized and reset to NULL automatically by this function after iterating through all elements until GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned. If the iteration is aborted early, it must be manually deinitialized using gnutls_x509_trust_list_iter_deinit().

Parameters

list

The list

 

iter

A pointer to an iterator (initially the iterator should be NULL)

 

crt

where the certificate will be copied

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.

Since: 3.4.0


gnutls_x509_trust_list_iter_deinit ()

void
gnutls_x509_trust_list_iter_deinit (gnutls_x509_trust_list_iter_t iter);

This function will deinitialize an iterator structure.

Parameters

iter

The iterator structure to be deinitialized

 

Since: 3.4.0


gnutls_session_set_verify_output_function ()

void
gnutls_session_set_verify_output_function
                               (gnutls_session_t session,
                                gnutls_verify_output_function *func);

This function sets a callback to be called when the peer's certificate chain has to be verified and full path to the trusted root has to be printed.

The callback's function prototype is defined in `x509.h': int (*callback)( gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer, gnutls_x509_crl_t crl, unsigned int verification_output);

If the callback function is provided then gnutls will call it, in the certificate verification procedure. To verify the certificate chain and print its path uptp the trusted root, functions such as gnutls_certificate_verify_peers(), gnutls_x509_trust_list_verify_crt(), and gnutls_x509_trust_list_verify_crt2() can be used. The callback is set in _gnutls_verify_crt_status() and _gnutls_pkcs11_verify_crt_status().

Parameters

session

is a gnutls_x509_trust_list_t type.

 

func

is the callback function

 

Since: 3.7.0


gnutls_x509_trust_list_verify_named_crt ()

int
gnutls_x509_trust_list_verify_named_crt
                               (gnutls_x509_trust_list_t list,
                                gnutls_x509_crt_t cert,
                                const void *name,
                                size_t name_size,
                                unsigned int flags,
                                unsigned int *verify,
                                gnutls_verify_output_function func);

This function will try to find a certificate that is associated with the provided name --see gnutls_x509_trust_list_add_named_crt(). If a match is found the certificate is considered valid. In addition to that this function will also check CRLs. The voutput parameter will hold an OR'ed sequence of gnutls_certificate_status_t flags.

Additionally a certificate verification profile can be specified from the ones in gnutls_certificate_verification_profiles_t by ORing the result of GNUTLS_PROFILE_TO_VFLAGS() to the verification flags.

Parameters

list

The list

 

cert

is the certificate to be verified

 

name

is the certificate's name

 

name_size

is the certificate's name size

 

flags

Flags that may be used to change the verification algorithm. Use OR of the gnutls_certificate_verify_flags enumerations.

 

voutput

will hold the certificate verification output.

 

func

If non-null will be called on each chain element verification with the output.

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.

Since: 3.0.0


gnutls_x509_trust_list_verify_crt2 ()

int
gnutls_x509_trust_list_verify_crt2 (gnutls_x509_trust_list_t list,
                                    gnutls_x509_crt_t *cert_list,
                                    unsigned int cert_list_size,
                                    gnutls_typed_vdata_st *data,
                                    unsigned int elements,
                                    unsigned int flags,
                                    unsigned int *voutput,
                                    gnutls_verify_output_function func);

This function will attempt to verify the given certificate chain and return its status. The voutput parameter will hold an OR'ed sequence of gnutls_certificate_status_t flags.

When a certificate chain of cert_list_size with more than one certificates is provided, the verification status will apply to the first certificate in the chain that failed verification. The verification process starts from the end of the chain (from CA to end certificate). The first certificate in the chain must be the end-certificate while the rest of the members may be sorted or not.

Additionally a certificate verification profile can be specified from the ones in gnutls_certificate_verification_profiles_t by ORing the result of GNUTLS_PROFILE_TO_VFLAGS() to the verification flags.

Additional verification parameters are possible via the data types; the acceptable types are GNUTLS_DT_DNS_HOSTNAME, GNUTLS_DT_IP_ADDRESS and GNUTLS_DT_KEY_PURPOSE_OID. The former accepts as data a null-terminated hostname, and the latter a null-terminated object identifier (e.g., GNUTLS_KP_TLS_WWW_SERVER). If a DNS hostname is provided then this function will compare the hostname in the end certificate against the given. If names do not match the GNUTLS_CERT_UNEXPECTED_OWNER status flag will be set. In addition it will consider certificates provided with gnutls_x509_trust_list_add_named_crt().

If a key purpose OID is provided and the end-certificate contains the extended key usage PKIX extension, it will be required to match the provided OID or be marked for any purpose, otherwise verification will fail with GNUTLS_CERT_PURPOSE_MISMATCH status.

Parameters

list

The list

 

cert_list

is the certificate list to be verified

 

cert_list_size

is the certificate list size

 

data

an array of typed data

 

elements

the number of data elements

 

flags

Flags that may be used to change the verification algorithm. Use OR of the gnutls_certificate_verify_flags enumerations.

 

voutput

will hold the certificate verification output.

 

func

If non-null will be called on each chain element verification with the output.

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value. Note that verification failure will not result to an error code, only voutput will be updated.

Since: 3.3.8


gnutls_x509_trust_list_verify_crt ()

int
gnutls_x509_trust_list_verify_crt (gnutls_x509_trust_list_t list,
                                   gnutls_x509_crt_t *cert_list,
                                   unsigned int cert_list_size,
                                   unsigned int flags,
                                   unsigned int *verify,
                                   gnutls_verify_output_function func);

This function will try to verify the given certificate and return its status. The voutput parameter will hold an OR'ed sequence of gnutls_certificate_status_t flags.

The details of the verification are the same as in gnutls_x509_trust_list_verify_crt2().

Parameters

list

The list

 

cert_list

is the certificate list to be verified

 

cert_list_size

is the certificate list size

 

flags

Flags that may be used to change the verification algorithm. Use OR of the gnutls_certificate_verify_flags enumerations.

 

voutput

will hold the certificate verification output.

 

func

If non-null will be called on each chain element verification with the output.

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.

Since: 3.0


gnutls_x509_trust_list_add_trust_mem ()

int
gnutls_x509_trust_list_add_trust_mem (gnutls_x509_trust_list_t list,
                                      const gnutls_datum_t *cas,
                                      const gnutls_datum_t *crls,
                                      gnutls_x509_crt_fmt_t type,
                                      unsigned int tl_flags,
                                      unsigned int tl_vflags);

This function will add the given certificate authorities to the trusted list.

If this function is used gnutls_x509_trust_list_deinit() must be called with parameter all being 1.

Parameters

list

The list

 

cas

A buffer containing a list of CAs (optional)

 

crls

A buffer containing a list of CRLs (optional)

 

type

The format of the certificates

 

tl_flags

flags from gnutls_trust_list_flags_t

 

tl_vflags

gnutls_certificate_verify_flags if flags specifies GNUTLS_TL_VERIFY_CRL

 

Returns

The number of added elements is returned.

Since: 3.1


gnutls_x509_trust_list_add_trust_file ()

int
gnutls_x509_trust_list_add_trust_file (gnutls_x509_trust_list_t list,
                                       const char *ca_file,
                                       const char *crl_file,
                                       gnutls_x509_crt_fmt_t type,
                                       unsigned int tl_flags,
                                       unsigned int tl_vflags);

This function will add the given certificate authorities to the trusted list. PKCS 11 URLs are also accepted, instead of files, by this function. A PKCS 11 URL implies a trust database (a specially marked module in p11-kit); the URL "pkcs11:" implies all trust databases in the system. Only a single URL specifying trust databases can be set; they cannot be stacked with multiple calls.

Parameters

list

The list

 

ca_file

A file containing a list of CAs (optional)

 

crl_file

A file containing a list of CRLs (optional)

 

type

The format of the certificates

 

tl_flags

flags from gnutls_trust_list_flags_t

 

tl_vflags

gnutls_certificate_verify_flags if flags specifies GNUTLS_TL_VERIFY_CRL

 

Returns

The number of added elements is returned.

Since: 3.1


gnutls_x509_trust_list_add_trust_dir ()

int
gnutls_x509_trust_list_add_trust_dir (gnutls_x509_trust_list_t list,
                                      const char *ca_dir,
                                      const char *crl_dir,
                                      gnutls_x509_crt_fmt_t type,
                                      unsigned int tl_flags,
                                      unsigned int tl_vflags);

This function will add the given certificate authorities to the trusted list. Only directories are accepted by this function.

Parameters

list

The list

 

ca_dir

A directory containing the CAs (optional)

 

crl_dir

A directory containing a list of CRLs (optional)

 

type

The format of the certificates

 

tl_flags

flags from gnutls_trust_list_flags_t

 

tl_vflags

gnutls_certificate_verify_flags if flags specifies GNUTLS_TL_VERIFY_CRL

 

Returns

The number of added elements is returned.

Since: 3.3.6


gnutls_x509_trust_list_remove_trust_file ()

int
gnutls_x509_trust_list_remove_trust_file
                               (gnutls_x509_trust_list_t list,
                                const char *ca_file,
                                gnutls_x509_crt_fmt_t type);

This function will remove the given certificate authorities from the trusted list, and add them into a black list when needed. PKCS 11 URLs are also accepted, instead of files, by this function.

See also gnutls_x509_trust_list_remove_cas().

Parameters

list

The list

 

ca_file

A file containing a list of CAs

 

type

The format of the certificates

 

Returns

The number of added elements is returned.

Since: 3.1.10


gnutls_x509_trust_list_remove_trust_mem ()

int
gnutls_x509_trust_list_remove_trust_mem
                               (gnutls_x509_trust_list_t list,
                                const gnutls_datum_t *cas,
                                gnutls_x509_crt_fmt_t type);

This function will remove the provided certificate authorities from the trusted list, and add them into a black list when needed.

See also gnutls_x509_trust_list_remove_cas().

Parameters

list

The list

 

cas

A buffer containing a list of CAs (optional)

 

type

The format of the certificates

 

Returns

The number of removed elements is returned.

Since: 3.1.10


gnutls_x509_trust_list_add_system_trust ()

int
gnutls_x509_trust_list_add_system_trust
                               (gnutls_x509_trust_list_t list,
                                unsigned int tl_flags,
                                unsigned int tl_vflags);

This function adds the system's default trusted certificate authorities to the trusted list. Note that on unsupported systems this function returns GNUTLS_E_UNIMPLEMENTED_FEATURE.

This function implies the flag GNUTLS_TL_NO_DUPLICATES.

Parameters

list

The structure of the list

 

tl_flags

GNUTLS_TL_*

 

tl_vflags

gnutls_certificate_verify_flags if flags specifies GNUTLS_TL_VERIFY_CRL

 

Returns

The number of added elements or a negative error code on error.

Since: 3.1


gnutls_x509_trust_list_set_getissuer_function ()

void
gnutls_x509_trust_list_set_getissuer_function
                               (gnutls_x509_trust_list_t tlist,
                                gnutls_x509_trust_list_getissuer_function *func);

This function sets a callback to be called when the peer's certificate chain is incomplete due a missing intermediate certificate. The callback may provide the missing certificate for use during verification.

The callback's function prototype is defined in gnutls/x509.h as:

int (*callback)(gnutls_x509_trust_list_t list, const gnutls_x509_crt_t cert, gnutls_x509_crt_t **issuers, unsigned int *issuers_size);

If the callback function is provided then gnutls will call it during the certificate verification procedure. The callback may wish to use gnutls_x509_crt_get_authority_info_access() to get a URI from which to attempt to download the missing issuer certificate, if available.

On a successful call, the callback shall allocate the 'issuers' array with gnutls_x509_crt_list_import2(). The ownership of both the array and the elements is transferred to the caller and thus the application does not need to maintain the memory after the call.

The callback function should return 0 if the missing issuer certificate for 'crt' was properly populated and added to the 'issuers', or non-zero to continue the certificate list verification but with issuer as NULL.

Parameters

tlist

is a gnutls_x509_trust_list_t type.

 

func

is the callback function

 

Since: 3.7.0


gnutls_x509_trust_list_set_ptr ()

void
gnutls_x509_trust_list_set_ptr (gnutls_x509_trust_list_t tlist,
                                void *ptr);

This function will set (associate) the user given pointer ptr to the tlist structure. This pointer can be accessed with gnutls_x509_trust_list_get_ptr(). Useful in the callback function gnutls_x509_trust_list_set_getissuer_function.

Parameters

tlist

is a gnutls_x509_trust_list_t type.

 

ptr

is the user pointer

 

Since: 3.7.0


gnutls_x509_trust_list_get_ptr ()

void *
gnutls_x509_trust_list_get_ptr (gnutls_x509_trust_list_t tlist);

Get user pointer for tlist. Useful in callback function gnutls_x509_trust_list_set_getissuer_function. This is the pointer set with gnutls_x509_trust_list_set_ptr().

Parameters

tlist

is a gnutls_x509_trust_list_t type.

 

Returns

the user given pointer from the tlist structure, or NULL if it was never set.

Since: 3.7.0


gnutls_certificate_set_trust_list ()

void
gnutls_certificate_set_trust_list (gnutls_certificate_credentials_t res,
                                   gnutls_x509_trust_list_t tlist,
                                   unsigned  flags);

This function sets a trust list in the gnutls_certificate_credentials_t type.

Note that the tlist will become part of the credentials structure and must not be deallocated. It will be automatically deallocated when the res structure is deinitialized.

Parameters

res

is a gnutls_certificate_credentials_t type.

 

tlist

is a gnutls_x509_trust_list_t type

 

flags

must be zero

 

Since: 3.2.2


gnutls_certificate_get_trust_list ()

void
gnutls_certificate_get_trust_list (gnutls_certificate_credentials_t res,
                                   gnutls_x509_trust_list_t *tlist);

Obtains the list of trusted certificates stored in res and writes a pointer to it to the location tlist . The pointer will point to memory internal to res , and must not be deinitialized. It will be automatically deallocated when the res structure is deinitialized.

Parameters

res

is a gnutls_certificate_credentials_t type.

 

tlist

Location where to store the trust list.

 

Since: 3.4.0


gnutls_x509_ext_deinit ()

void
gnutls_x509_ext_deinit (gnutls_x509_ext_st *ext);

gnutls_x509_ext_print ()

int
gnutls_x509_ext_print (gnutls_x509_ext_st *exts,
                       unsigned int exts_size,
                       gnutls_certificate_print_formats_t format,
                       gnutls_datum_t *out);

This function will pretty print X.509 certificate extensions, suitable for display to a human.

The output out needs to be deallocated using gnutls_free().

Parameters

exts

The data to be printed

 

exts_size

the number of available structures

 

format

Indicate the format to use

 

out

Newly allocated datum with null terminated string.

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.

Types and Values

GNUTLS_OID_X520_COUNTRY_NAME

#define GNUTLS_OID_X520_COUNTRY_NAME		"2.5.4.6"

GNUTLS_OID_X520_ORGANIZATION_NAME

#define GNUTLS_OID_X520_ORGANIZATION_NAME "2.5.4.10"

GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME

#define GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME "2.5.4.11"

GNUTLS_OID_X520_COMMON_NAME

#define GNUTLS_OID_X520_COMMON_NAME		"2.5.4.3"

GNUTLS_OID_X520_LOCALITY_NAME

#define GNUTLS_OID_X520_LOCALITY_NAME		"2.5.4.7"

GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME

#define GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME "2.5.4.8"

GNUTLS_OID_X520_INITIALS

#define GNUTLS_OID_X520_INITIALS		"2.5.4.43"

GNUTLS_OID_X520_GENERATION_QUALIFIER

#define GNUTLS_OID_X520_GENERATION_QUALIFIER "2.5.4.44"

GNUTLS_OID_X520_SURNAME

#define GNUTLS_OID_X520_SURNAME			"2.5.4.4"

GNUTLS_OID_X520_GIVEN_NAME

#define GNUTLS_OID_X520_GIVEN_NAME		"2.5.4.42"

GNUTLS_OID_X520_TITLE

#define GNUTLS_OID_X520_TITLE			"2.5.4.12"

GNUTLS_OID_X520_DN_QUALIFIER

#define GNUTLS_OID_X520_DN_QUALIFIER		"2.5.4.46"

GNUTLS_OID_X520_PSEUDONYM

#define GNUTLS_OID_X520_PSEUDONYM		"2.5.4.65"

GNUTLS_OID_X520_POSTALCODE

#define GNUTLS_OID_X520_POSTALCODE              "2.5.4.17"

GNUTLS_OID_X520_NAME

#define GNUTLS_OID_X520_NAME                    "2.5.4.41"

GNUTLS_OID_LDAP_DC

#define GNUTLS_OID_LDAP_DC			"0.9.2342.19200300.100.1.25"

GNUTLS_OID_LDAP_UID

#define GNUTLS_OID_LDAP_UID			"0.9.2342.19200300.100.1.1"

GNUTLS_OID_PKCS9_EMAIL

#define GNUTLS_OID_PKCS9_EMAIL			"1.2.840.113549.1.9.1"

GNUTLS_OID_PKIX_DATE_OF_BIRTH

#define GNUTLS_OID_PKIX_DATE_OF_BIRTH		"1.3.6.1.5.5.7.9.1"

GNUTLS_OID_PKIX_PLACE_OF_BIRTH

#define GNUTLS_OID_PKIX_PLACE_OF_BIRTH		"1.3.6.1.5.5.7.9.2"

GNUTLS_OID_PKIX_GENDER

#define GNUTLS_OID_PKIX_GENDER			"1.3.6.1.5.5.7.9.3"

GNUTLS_OID_PKIX_COUNTRY_OF_CITIZENSHIP

#define GNUTLS_OID_PKIX_COUNTRY_OF_CITIZENSHIP "1.3.6.1.5.5.7.9.4"

GNUTLS_OID_PKIX_COUNTRY_OF_RESIDENCE

#define GNUTLS_OID_PKIX_COUNTRY_OF_RESIDENCE "1.3.6.1.5.5.7.9.5"

GNUTLS_KP_TLS_WWW_SERVER

#define GNUTLS_KP_TLS_WWW_SERVER		"1.3.6.1.5.5.7.3.1"

GNUTLS_KP_TLS_WWW_CLIENT

#define GNUTLS_KP_TLS_WWW_CLIENT                "1.3.6.1.5.5.7.3.2"

GNUTLS_KP_CODE_SIGNING

#define GNUTLS_KP_CODE_SIGNING			"1.3.6.1.5.5.7.3.3"

GNUTLS_KP_MS_SMART_CARD_LOGON

#define GNUTLS_KP_MS_SMART_CARD_LOGON		"1.3.6.1.4.1.311.20.2.2"

GNUTLS_KP_EMAIL_PROTECTION

#define GNUTLS_KP_EMAIL_PROTECTION		"1.3.6.1.5.5.7.3.4"

GNUTLS_KP_TIME_STAMPING

#define GNUTLS_KP_TIME_STAMPING			"1.3.6.1.5.5.7.3.8"

GNUTLS_KP_OCSP_SIGNING

#define GNUTLS_KP_OCSP_SIGNING			"1.3.6.1.5.5.7.3.9"

GNUTLS_KP_IPSEC_IKE

#define GNUTLS_KP_IPSEC_IKE			"1.3.6.1.5.5.7.3.17"

GNUTLS_KP_ANY

#define GNUTLS_KP_ANY				"2.5.29.37.0"

GNUTLS_KP_FLAG_DISALLOW_ANY

#define GNUTLS_KP_FLAG_DISALLOW_ANY		1

GNUTLS_OID_AIA

#define GNUTLS_OID_AIA				"1.3.6.1.5.5.7.1.1"

GNUTLS_OID_AD_OCSP

#define GNUTLS_OID_AD_OCSP			"1.3.6.1.5.5.7.48.1"

GNUTLS_OID_AD_CAISSUERS

#define GNUTLS_OID_AD_CAISSUERS			"1.3.6.1.5.5.7.48.2"

GNUTLS_FSAN_SET

#define GNUTLS_FSAN_SET 0

GNUTLS_FSAN_APPEND

#define GNUTLS_FSAN_APPEND 1

GNUTLS_FSAN_ENCODE_OCTET_STRING

#define GNUTLS_FSAN_ENCODE_OCTET_STRING (1<<1)

GNUTLS_FSAN_ENCODE_UTF8_STRING

#define GNUTLS_FSAN_ENCODE_UTF8_STRING (1<<2)

GNUTLS_X509EXT_OID_SUBJECT_KEY_ID

#define GNUTLS_X509EXT_OID_SUBJECT_KEY_ID "2.5.29.14"

GNUTLS_X509EXT_OID_KEY_USAGE

#define GNUTLS_X509EXT_OID_KEY_USAGE "2.5.29.15"

GNUTLS_X509EXT_OID_PRIVATE_KEY_USAGE_PERIOD

#define GNUTLS_X509EXT_OID_PRIVATE_KEY_USAGE_PERIOD "2.5.29.16"

GNUTLS_X509EXT_OID_SAN

#define GNUTLS_X509EXT_OID_SAN "2.5.29.17"

GNUTLS_X509EXT_OID_IAN

#define GNUTLS_X509EXT_OID_IAN "2.5.29.18"

GNUTLS_X509EXT_OID_BASIC_CONSTRAINTS

#define GNUTLS_X509EXT_OID_BASIC_CONSTRAINTS "2.5.29.19"

GNUTLS_X509EXT_OID_NAME_CONSTRAINTS

#define GNUTLS_X509EXT_OID_NAME_CONSTRAINTS "2.5.29.30"

GNUTLS_X509EXT_OID_CRL_DIST_POINTS

#define GNUTLS_X509EXT_OID_CRL_DIST_POINTS "2.5.29.31"

GNUTLS_X509EXT_OID_CRT_POLICY

#define GNUTLS_X509EXT_OID_CRT_POLICY "2.5.29.32"

GNUTLS_X509EXT_OID_AUTHORITY_KEY_ID

#define GNUTLS_X509EXT_OID_AUTHORITY_KEY_ID "2.5.29.35"

GNUTLS_X509EXT_OID_EXTENDED_KEY_USAGE

#define GNUTLS_X509EXT_OID_EXTENDED_KEY_USAGE "2.5.29.37"

GNUTLS_X509EXT_OID_INHIBIT_ANYPOLICY

#define GNUTLS_X509EXT_OID_INHIBIT_ANYPOLICY "2.5.29.52"

GNUTLS_X509EXT_OID_AUTHORITY_INFO_ACCESS

#define GNUTLS_X509EXT_OID_AUTHORITY_INFO_ACCESS "1.3.6.1.5.5.7.1.1"

GNUTLS_X509EXT_OID_PROXY_CRT_INFO

#define GNUTLS_X509EXT_OID_PROXY_CRT_INFO "1.3.6.1.5.5.7.1.14"

GNUTLS_X509EXT_OID_TLSFEATURES

#define GNUTLS_X509EXT_OID_TLSFEATURES "1.3.6.1.5.5.7.1.24"

GNUTLS_X509EXT_OID_CT_SCT_V1

#define GNUTLS_X509EXT_OID_CT_SCT_V1 "1.3.6.1.4.1.11129.2.4.2"

GNUTLS_X509_OID_POLICY_ANY

#define GNUTLS_X509_OID_POLICY_ANY "2.5.29.54"

enum gnutls_certificate_import_flags

Enumeration of different certificate flags.

Members

GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED

   

GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED

   

GNUTLS_X509_CRT_LIST_SORT

   

enum gnutls_x509_crt_flags

Members

GNUTLS_X509_CRT_FLAG_IGNORE_SANITY

   

enum gnutls_keyid_flags_t

Enumeration of different flags for the key ID functions.

Members

GNUTLS_KEYID_USE_SHA1

Use SHA1 as the key ID algorithm (default).

 

GNUTLS_KEYID_USE_SHA256

Use SHA256 as the key ID algorithm.

 

GNUTLS_KEYID_USE_SHA512

Use SHA512 as the key ID algorithm.

 

GNUTLS_KEYID_USE_BEST_KNOWN

Use the best known algorithm to calculate key ID. Using that option will make your program behavior depend on the version of gnutls linked with. That option has a cap of 64-bytes key IDs.

 

enum gnutls_info_access_what_t

Enumeration of types for the what parameter of gnutls_x509_crt_get_authority_info_access().

Members

GNUTLS_IA_ACCESSMETHOD_OID

Get accessMethod OID.

 

GNUTLS_IA_ACCESSLOCATION_GENERALNAME_TYPE

Get accessLocation name type.

 

GNUTLS_IA_URI

Get accessLocation URI value.

 

GNUTLS_IA_UNKNOWN

   

GNUTLS_IA_OCSP_URI

get accessLocation URI value for OCSP.

 

GNUTLS_IA_CAISSUERS_URI

get accessLocation URI value for caIssuers.

 

gnutls_x509_name_constraints_t

typedef struct gnutls_name_constraints_st *gnutls_x509_name_constraints_t;

GNUTLS_EXT_FLAG_APPEND

#define GNUTLS_EXT_FLAG_APPEND 1

GNUTLS_NAME_CONSTRAINTS_FLAG_APPEND

#define GNUTLS_NAME_CONSTRAINTS_FLAG_APPEND GNUTLS_EXT_FLAG_APPEND

GNUTLS_CRL_REASON_SUPERSEEDED

#define GNUTLS_CRL_REASON_SUPERSEEDED GNUTLS_CRL_REASON_SUPERSEDED,

enum gnutls_x509_crl_reason_flags_t

Enumeration of types for the CRL revocation reasons.

Members

GNUTLS_CRL_REASON_UNSPECIFIED

   

GNUTLS_CRL_REASON_PRIVILEGE_WITHDRAWN

The privileges were withdrawn from the owner.

 

GNUTLS_CRL_REASON_CERTIFICATE_HOLD

The certificate is on hold.

 

GNUTLS_CRL_REASON_CESSATION_OF_OPERATION

The end-entity is no longer operating.

 

GNUTLS_CRL_REASON_SUPERSEDED

There is a newer certificate of the owner.

 

GNUTLS_CRL_REASON_AFFILIATION_CHANGED

The end-entity affiliation has changed.

 

GNUTLS_CRL_REASON_CA_COMPROMISE

The CA was compromised.

 

GNUTLS_CRL_REASON_KEY_COMPROMISE

The certificate's key was compromised.

 

GNUTLS_CRL_REASON_UNUSED

The key was never used.

 

GNUTLS_CRL_REASON_AA_COMPROMISE

AA compromised.

 

GNUTLS_X509_NO_WELL_DEFINED_EXPIRATION

#define GNUTLS_X509_NO_WELL_DEFINED_EXPIRATION ((time_t)4294197631)

gnutls_x509_spki_t

typedef struct gnutls_x509_spki_st *gnutls_x509_spki_t;

gnutls_x509_tlsfeatures_t

typedef struct gnutls_x509_tlsfeatures_st *gnutls_x509_tlsfeatures_t;

GNUTLS_MAX_QUALIFIERS

#define GNUTLS_MAX_QUALIFIERS 8

enum gnutls_x509_qualifier_t

Enumeration of types for the X.509 qualifiers, of the certificate policy extension.

Members

GNUTLS_X509_QUALIFIER_UNKNOWN

Unknown qualifier.

 

GNUTLS_X509_QUALIFIER_URI

A URL

 

GNUTLS_X509_QUALIFIER_NOTICE

   

gnutls_x509_policy_st

typedef struct {
	char *oid;
	unsigned int qualifiers;
	struct {
		gnutls_x509_qualifier_t type;
		char *data;
		unsigned int size;
	} qualifier[GNUTLS_MAX_QUALIFIERS];
} gnutls_x509_policy_st;

GNUTLS_X509_DN_OID_RETURN_OID

#define GNUTLS_X509_DN_OID_RETURN_OID 1

gnutls_x509_dn_t

typedef struct gnutls_x509_dn_st *gnutls_x509_dn_t;

gnutls_x509_ava_st

typedef struct {
	gnutls_datum_t oid;
	gnutls_datum_t value;
	unsigned long value_tag;
} gnutls_x509_ava_st;

GNUTLS_X509_DN_FLAG_COMPAT

#define GNUTLS_X509_DN_FLAG_COMPAT 1

gnutls_x509_crl_iter_t

typedef struct gnutls_x509_crl_iter * gnutls_x509_crl_iter_t;

gnutls_x509_crl_get_certificate_count

#define gnutls_x509_crl_get_certificate_count gnutls_x509_crl_get_crt_count

gnutls_x509_crl_get_certificate

#define gnutls_x509_crl_get_certificate gnutls_x509_crl_get_crt_serial

enum gnutls_certificate_verify_flags

Enumeration of different certificate verify flags. Additional verification profiles can be set using GNUTLS_PROFILE_TO_VFLAGS() and gnutls_certificate_verification_profiles_t.

Members

GNUTLS_VERIFY_DISABLE_CA_SIGN

If set a signer does not have to be a certificate authority. This flag should normally be disabled, unless you know what this means.

 

GNUTLS_VERIFY_DO_NOT_ALLOW_IP_MATCHES

When verifying a hostname prevent textual IP addresses from matching IP addresses in the certificate. Treat the input only as a DNS name.

 

GNUTLS_VERIFY_DO_NOT_ALLOW_SAME

If a certificate is not signed by anyone trusted but exists in the trusted CA list do not treat it as trusted.

 

GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT

Allow CA certificates that have version 1 (both root and intermediate). This might be dangerous since those haven't the basicConstraints extension.

 

GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2

Allow certificates to be signed using the broken MD2 algorithm.

 

GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5

Allow certificates to be signed using the broken MD5 algorithm.

 

GNUTLS_VERIFY_DISABLE_TIME_CHECKS

Disable checking of activation and expiration validity periods of certificate chains. Don't set this unless you understand the security implications.

 

GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS

If set a signer in the trusted list is never checked for expiration or activation.

 

GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT

Do not allow trusted CA certificates that have version 1. This option is to be used to deprecate all certificates of version 1.

 

GNUTLS_VERIFY_DISABLE_CRL_CHECKS

Disable checking for validity using certificate revocation lists or the available OCSP data.

 

GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN

A certificate chain is tolerated if unsorted (the case with many TLS servers out there). This is the default since GnuTLS 3.1.4.

 

GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN

Do not tolerate an unsorted certificate chain.

 

GNUTLS_VERIFY_DO_NOT_ALLOW_WILDCARDS

When including a hostname check in the verification, do not consider any wildcards.

 

GNUTLS_VERIFY_USE_TLS1_RSA

This indicates that a (raw) RSA signature is provided as in the TLS 1.0 protocol. Not all functions accept this flag.

 

GNUTLS_VERIFY_IGNORE_UNKNOWN_CRIT_EXTENSIONS

This signals the verification process, not to fail on unknown critical extensions.

 

GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1

Allow certificates to be signed using the broken SHA1 hash algorithm.

 

GNUTLS_VERIFY_RSA_PSS_FIXED_SALT_LENGTH

Disallow RSA-PSS signatures made with mismatching salt length with digest length, as mandated in RFC 8446 4.2.3.

 

GNUTLS_VERIFY_ALLOW_BROKEN

#define GNUTLS_VERIFY_ALLOW_BROKEN (GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2|GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5)

enum gnutls_certificate_verification_profiles_t

Enumeration of different certificate verification profiles.

Members

GNUTLS_PROFILE_UNKNOWN

An invalid/unknown profile.

 

GNUTLS_PROFILE_VERY_WEAK

A verification profile that corresponds to GNUTLS_SEC_PARAM_VERY_WEAK (64 bits)

 

GNUTLS_PROFILE_LOW

A verification profile that corresponds to GNUTLS_SEC_PARAM_LOW (80 bits)

 

GNUTLS_PROFILE_LEGACY

A verification profile that corresponds to GNUTLS_SEC_PARAM_LEGACY (96 bits)

 

GNUTLS_PROFILE_MEDIUM

A verification profile that corresponds to GNUTLS_SEC_PARAM_MEDIUM (112 bits)

 

GNUTLS_PROFILE_HIGH

A verification profile that corresponds to GNUTLS_SEC_PARAM_HIGH (128 bits)

 

GNUTLS_PROFILE_ULTRA

A verification profile that corresponds to GNUTLS_SEC_PARAM_ULTRA (192 bits)

 

GNUTLS_PROFILE_FUTURE

A verification profile that corresponds to GNUTLS_SEC_PARAM_FUTURE (256 bits)

 

GNUTLS_PROFILE_SUITEB128

A verification profile that applies the SUITEB128 rules

 

GNUTLS_PROFILE_SUITEB192

A verification profile that applies the SUITEB192 rules

 

GNUTLS_VFLAGS_PROFILE_MASK

#define GNUTLS_VFLAGS_PROFILE_MASK (0xff000000)

GNUTLS_PKCS8_PLAIN

#define GNUTLS_PKCS8_PLAIN GNUTLS_PKCS_PLAIN

GNUTLS_PKCS8_USE_PKCS12_3DES

#define GNUTLS_PKCS8_USE_PKCS12_3DES GNUTLS_PKCS_PKCS12_3DES

GNUTLS_PKCS8_USE_PKCS12_ARCFOUR

#define GNUTLS_PKCS8_USE_PKCS12_ARCFOUR GNUTLS_PKCS_PKCS12_ARCFOUR

GNUTLS_PKCS8_USE_PKCS12_RC2_40

#define GNUTLS_PKCS8_USE_PKCS12_RC2_40 GNUTLS_PKCS_PKCS12_RC2_40

enum gnutls_pkcs_encrypt_flags_t

Enumeration of different PKCS encryption flags.

Members

GNUTLS_PKCS_PLAIN

Unencrypted private key.

 

GNUTLS_PKCS_PKCS12_3DES

PKCS-12 3DES.

 

GNUTLS_PKCS_PKCS12_ARCFOUR

PKCS-12 ARCFOUR.

 

GNUTLS_PKCS_PKCS12_RC2_40

PKCS-12 RC2-40.

 

GNUTLS_PKCS_PBES2_3DES

PBES2 3DES.

 

GNUTLS_PKCS_PBES2_AES_128

PBES2 AES-128.

 

GNUTLS_PKCS_PBES2_AES_192

PBES2 AES-192.

 

GNUTLS_PKCS_PBES2_AES_256

PBES2 AES-256.

 

GNUTLS_PKCS_NULL_PASSWORD

Some schemas distinguish between an empty and a NULL password.

 

GNUTLS_PKCS_PBES2_DES

PBES2 single DES.

 

GNUTLS_PKCS_PBES1_DES_MD5

PBES1 with single DES; for compatibility with openssl only.

 

GNUTLS_PKCS_PBES2_GOST_TC26Z

PBES2 GOST 28147-89 CFB with TC26-Z S-box.

 

GNUTLS_PKCS_PBES2_GOST_CPA

PBES2 GOST 28147-89 CFB with CryptoPro-A S-box.

 

GNUTLS_PKCS_PBES2_GOST_CPB

PBES2 GOST 28147-89 CFB with CryptoPro-B S-box.

 

GNUTLS_PKCS_PBES2_GOST_CPC

PBES2 GOST 28147-89 CFB with CryptoPro-C S-box.

 

GNUTLS_PKCS_PBES2_GOST_CPD

PBES2 GOST 28147-89 CFB with CryptoPro-D S-box.

 

GNUTLS_PKCS_USE_PKCS12_3DES

#define GNUTLS_PKCS_USE_PKCS12_3DES GNUTLS_PKCS_PKCS12_3DES

GNUTLS_PKCS_USE_PKCS12_ARCFOUR

#define GNUTLS_PKCS_USE_PKCS12_ARCFOUR GNUTLS_PKCS_PKCS12_ARCFOUR

GNUTLS_PKCS_USE_PKCS12_RC2_40

#define GNUTLS_PKCS_USE_PKCS12_RC2_40 GNUTLS_PKCS_PKCS12_RC2_40

GNUTLS_PKCS_USE_PBES2_3DES

#define GNUTLS_PKCS_USE_PBES2_3DES GNUTLS_PKCS_PBES2_3DES

GNUTLS_PKCS_USE_PBES2_AES_128

#define GNUTLS_PKCS_USE_PBES2_AES_128 GNUTLS_PKCS_PBES2_AES_128

GNUTLS_PKCS_USE_PBES2_AES_192

#define GNUTLS_PKCS_USE_PBES2_AES_192 GNUTLS_PKCS_PBES2_AES_192

GNUTLS_PKCS_USE_PBES2_AES_256

#define GNUTLS_PKCS_USE_PBES2_AES_256 GNUTLS_PKCS_PBES2_AES_256

GNUTLS_PKCS_USE_PBES2_GOST_TC26Z

#define GNUTLS_PKCS_USE_PBES2_GOST_TC26Z GNUTLS_PKCS_PBES2_GOST_TC26Z

GNUTLS_PKCS_USE_PBES2_GOST_CPA

#define GNUTLS_PKCS_USE_PBES2_GOST_CPA GNUTLS_PKCS_PBES2_GOST_CPA

GNUTLS_PKCS_USE_PBES2_GOST_CPB

#define GNUTLS_PKCS_USE_PBES2_GOST_CPB GNUTLS_PKCS_PBES2_GOST_CPB

GNUTLS_PKCS_USE_PBES2_GOST_CPC

#define GNUTLS_PKCS_USE_PBES2_GOST_CPC GNUTLS_PKCS_PBES2_GOST_CPC

GNUTLS_PKCS_USE_PBES2_GOST_CPD

#define GNUTLS_PKCS_USE_PBES2_GOST_CPD GNUTLS_PKCS_PBES2_GOST_CPD

enum gnutls_keygen_types_t

Enumeration of different key generation data options.

Members

GNUTLS_KEYGEN_SEED

Specifies the seed to be used in key generation.

 

GNUTLS_KEYGEN_DIGEST

The size field specifies the hash algorithm to be used in key generation.

 

GNUTLS_KEYGEN_SPKI

data points to a gnutls_x509_spki_t structure; it is not used after the key generation call.

 

gnutls_keygen_data_st

typedef struct {
	gnutls_keygen_types_t type;
	unsigned char *data;
	unsigned int size;
} gnutls_keygen_data_st;

gnutls_x509_trust_list_t

typedef struct gnutls_x509_trust_list_st *gnutls_x509_trust_list_t;

gnutls_x509_trust_list_iter_t

typedef struct gnutls_x509_trust_list_iter *gnutls_x509_trust_list_iter_t;

enum gnutls_trust_list_flags_t

Enumeration of different certificate trust list flags.

Members

GNUTLS_TL_VERIFY_CRL

If any CRLs are provided they will be verified for validity prior to be added. The CA certificates that will be used for verification are the ones already added in the trusted list.

 

GNUTLS_TL_USE_IN_TLS

Internal flag used by GnuTLS. If provided the trust list structure will cache a copy of CA DNs to be used in the certificate request TLS message.

 

GNUTLS_TL_NO_DUPLICATES

If this flag is specified, a function adding certificates will check and eliminate any duplicates.

 

GNUTLS_TL_NO_DUPLICATE_KEY

If this flag is specified, a certificate sharing the same key as a previously added on will not be added.

 

GNUTLS_TL_GET_COPY

The semantics of this flag are documented to the functions which are applicable. In general, on returned value, the function will provide a copy if this flag is provided, rather than a pointer to internal data.

 

GNUTLS_TL_FAIL_ON_INVALID_CRL

If an CRL is added which cannot be validated return an error instead of ignoring (must be used with GNUTLS_TL_VERIFY_CRL).

 

gnutls_x509_ext_st

typedef struct {
	char *oid;
	unsigned int critical;
	gnutls_datum_t data;
} gnutls_x509_ext_st;