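/*
 * Copyright (C) 2003-2016 Free Software Foundation, Inc.
 * Copyright (C) 2015-2016 Red Hat, Inc.
 *
 * Author: Nikos Mavrogiannopoulos
 *
 * This file is part of GnuTLS.
 *
 * The GnuTLS is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public License
 * as published by the Free Software Foundation; either version 2.1 of
 * the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program. If not, see <https://www.gnu.org/licenses/>
 *
 */

/* This file contains the types and prototypes for the X.509
 * certificate and CRL handling functions.
 */

#ifndef GNUTLS_X509_H
#define GNUTLS_X509_H

#include <gnutls/gnutls.h>

/* *INDENT-OFF* */
#ifdef __cplusplus
extern "C" {
#endif
/* *INDENT-ON* */

/* Some OIDs usually found in Distinguished names, or
 * in Subject Directory Attribute extensions.
 * These are dotted-decimal strings; they are the form accepted by the
 * *_by_oid() accessors declared below.
 */
#define GNUTLS_OID_X520_COUNTRY_NAME "2.5.4.6"
#define GNUTLS_OID_X520_ORGANIZATION_NAME "2.5.4.10"
#define GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME "2.5.4.11"
#define GNUTLS_OID_X520_COMMON_NAME "2.5.4.3"
#define GNUTLS_OID_X520_LOCALITY_NAME "2.5.4.7"
#define GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME "2.5.4.8"

#define GNUTLS_OID_X520_INITIALS "2.5.4.43"
#define GNUTLS_OID_X520_GENERATION_QUALIFIER "2.5.4.44"
#define GNUTLS_OID_X520_SURNAME "2.5.4.4"
#define GNUTLS_OID_X520_GIVEN_NAME "2.5.4.42"
#define GNUTLS_OID_X520_TITLE "2.5.4.12"
#define GNUTLS_OID_X520_DN_QUALIFIER "2.5.4.46"
#define GNUTLS_OID_X520_PSEUDONYM "2.5.4.65"
#define GNUTLS_OID_X520_POSTALCODE "2.5.4.17"
#define GNUTLS_OID_X520_NAME "2.5.4.41"

#define GNUTLS_OID_LDAP_DC "0.9.2342.19200300.100.1.25"
#define GNUTLS_OID_LDAP_UID "0.9.2342.19200300.100.1.1"

/* The following should not be included in DN.
 */
#define GNUTLS_OID_PKCS9_EMAIL "1.2.840.113549.1.9.1"

/* Subject Directory Attribute OIDs (personal data; handle accordingly). */
#define GNUTLS_OID_PKIX_DATE_OF_BIRTH "1.3.6.1.5.5.7.9.1"
#define GNUTLS_OID_PKIX_PLACE_OF_BIRTH "1.3.6.1.5.5.7.9.2"
#define GNUTLS_OID_PKIX_GENDER "1.3.6.1.5.5.7.9.3"
#define GNUTLS_OID_PKIX_COUNTRY_OF_CITIZENSHIP "1.3.6.1.5.5.7.9.4"
#define GNUTLS_OID_PKIX_COUNTRY_OF_RESIDENCE "1.3.6.1.5.5.7.9.5"

/* Key purpose Object Identifiers.
 * These are the extendedKeyUsage (GNUTLS_X509EXT_OID_EXTENDED_KEY_USAGE)
 * member OIDs.
 */
#define GNUTLS_KP_TLS_WWW_SERVER "1.3.6.1.5.5.7.3.1"
#define GNUTLS_KP_TLS_WWW_CLIENT "1.3.6.1.5.5.7.3.2"
#define GNUTLS_KP_CODE_SIGNING "1.3.6.1.5.5.7.3.3"
#define GNUTLS_KP_MS_SMART_CARD_LOGON "1.3.6.1.4.1.311.20.2.2"
#define GNUTLS_KP_EMAIL_PROTECTION "1.3.6.1.5.5.7.3.4"
#define GNUTLS_KP_TIME_STAMPING "1.3.6.1.5.5.7.3.8"
#define GNUTLS_KP_OCSP_SIGNING "1.3.6.1.5.5.7.3.9"
#define GNUTLS_KP_IPSEC_IKE "1.3.6.1.5.5.7.3.17"
/* anyExtendedKeyUsage: a certificate carrying this purpose matches
 * every purpose unless GNUTLS_KP_FLAG_DISALLOW_ANY is given. */
#define GNUTLS_KP_ANY "2.5.29.37.0"

/* Flag for the key-purpose checking API (not declared in this part of
 * the header): do not let GNUTLS_KP_ANY satisfy a check for a specific
 * purpose. Security-sensitive callers (e.g. checking for OCSP signing
 * or code signing) should set it, otherwise a generic "any" certificate
 * passes. NOTE(review): which functions honour the flag is not visible
 * here — confirm against the implementation. */
#define GNUTLS_KP_FLAG_DISALLOW_ANY 1

/* Authority Information Access: the extension OID and its accessMethod
 * OIDs. GNUTLS_OID_AIA is the same OID string as
 * GNUTLS_X509EXT_OID_AUTHORITY_INFO_ACCESS below. */
#define GNUTLS_OID_AIA "1.3.6.1.5.5.7.1.1"
#define GNUTLS_OID_AD_OCSP "1.3.6.1.5.5.7.48.1"
#define GNUTLS_OID_AD_CAISSUERS "1.3.6.1.5.5.7.48.2"

/* Flags for the alternative-name setters (presumably the @flags argument
 * of the gnutls_x509_crt_set_*_alt_name() / *_alt_othername() family —
 * confirm in the implementation). SET replaces the extension, APPEND
 * adds to it; the ENCODE_* flags wrap the supplied bytes in the named
 * ASN.1 string type. */
#define GNUTLS_FSAN_SET 0
#define GNUTLS_FSAN_APPEND 1
#define GNUTLS_FSAN_ENCODE_OCTET_STRING (1<<1)
#define GNUTLS_FSAN_ENCODE_UTF8_STRING (1<<2)

/* Certificate extension OIDs, usable with the *_extension_by_oid()
 * accessors below. */
#define GNUTLS_X509EXT_OID_SUBJECT_KEY_ID "2.5.29.14"
#define GNUTLS_X509EXT_OID_KEY_USAGE "2.5.29.15"
#define GNUTLS_X509EXT_OID_PRIVATE_KEY_USAGE_PERIOD "2.5.29.16"
#define GNUTLS_X509EXT_OID_SAN "2.5.29.17"
#define GNUTLS_X509EXT_OID_IAN "2.5.29.18"
#define GNUTLS_X509EXT_OID_BASIC_CONSTRAINTS "2.5.29.19"
#define GNUTLS_X509EXT_OID_NAME_CONSTRAINTS "2.5.29.30"
#define GNUTLS_X509EXT_OID_CRL_DIST_POINTS "2.5.29.31"
#define GNUTLS_X509EXT_OID_CRT_POLICY "2.5.29.32"
#define GNUTLS_X509EXT_OID_AUTHORITY_KEY_ID "2.5.29.35"
#define GNUTLS_X509EXT_OID_EXTENDED_KEY_USAGE "2.5.29.37"
/* NOTE(review): RFC 5280 assigns id-ce-inhibitAnyPolicy to 2.5.29.54
 * (the string given to GNUTLS_X509_OID_POLICY_ANY below) and anyPolicy
 * to 2.5.29.32.0; 2.5.29.52 is not the inhibitAnyPolicy OID. The two
 * values are kept unchanged here for compatibility — confirm which one
 * the implementation actually reads before relying on either. */
#define GNUTLS_X509EXT_OID_INHIBIT_ANYPOLICY "2.5.29.52"
#define GNUTLS_X509EXT_OID_AUTHORITY_INFO_ACCESS "1.3.6.1.5.5.7.1.1"
#define GNUTLS_X509EXT_OID_PROXY_CRT_INFO "1.3.6.1.5.5.7.1.14"
#define GNUTLS_X509EXT_OID_TLSFEATURES "1.3.6.1.5.5.7.1.24"

#define GNUTLS_X509_OID_POLICY_ANY "2.5.29.54"

/* Certificate handling functions.
 *
 * Buffer convention used by the getters below (NOTE(review): stated by
 * the import-flag docs for GNUTLS_E_SHORT_MEMORY_BUFFER and assumed for
 * the rest — confirm in the implementation): a (void *buf, size_t *size)
 * pair is an output buffer whose capacity is passed in *size; on
 * insufficient space the call is expected to fail with
 * %GNUTLS_E_SHORT_MEMORY_BUFFER and store the required size in *size.
 * gnutls_datum_t outputs are allocated by the library and are to be
 * released by the caller.
 */

/**
 * gnutls_certificate_import_flags:
 * @GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED: Fail if the
 *   certificates in the buffer are more than the space allocated for
 *   certificates. The error code will be %GNUTLS_E_SHORT_MEMORY_BUFFER.
 *   Without this flag a caller-sized array (gnutls_x509_crt_list_import())
 *   silently receives only as many certificates as fit.
 * @GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED: Fail if the certificates
 *   in the buffer are not ordered starting from subject to issuer.
 *   The error code will be %GNUTLS_E_CERTIFICATE_LIST_UNSORTED.
 * @GNUTLS_X509_CRT_LIST_SORT: Sort the certificate chain if unsorted.
 *
 * Enumeration of different certificate import flags.
 */
typedef enum gnutls_certificate_import_flags {
	GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED = 1,
	GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED = 1<<1,
	GNUTLS_X509_CRT_LIST_SORT = 1<<2
} gnutls_certificate_import_flags;

/* Allocate / release a certificate handle. Every handle obtained from
 * gnutls_x509_crt_init() or the list importers must be deinitialized. */
int gnutls_x509_crt_init(gnutls_x509_crt_t * cert);
void gnutls_x509_crt_deinit(gnutls_x509_crt_t cert);

/**
 * gnutls_x509_crt_flags:
 * @GNUTLS_X509_CRT_FLAG_IGNORE_SANITY: Ignore any sanity checks at the
 *   import of the certificate; i.e., ignore checks such as version/field
 *   matching and strict time field checks. Intended to be used for debugging.
 *   Never set it on a handle whose contents will be trusted or verified:
 *   a certificate that would otherwise be rejected at import is accepted
 *   as-is.
 *
 * Enumeration of different certificate flags.
 */
typedef enum gnutls_x509_crt_flags {
	GNUTLS_X509_CRT_FLAG_IGNORE_SANITY = 1
} gnutls_x509_crt_flags;
/* Set gnutls_x509_crt_flags on @cert; must precede the import call it
 * is meant to affect. */
void gnutls_x509_crt_set_flags(gnutls_x509_crt_t cert, unsigned flags);

/* Compare two certificates (or a certificate and a DER blob).
 * Return is unsigned: presumably non-zero when equal — confirm. */
unsigned gnutls_x509_crt_equals(gnutls_x509_crt_t cert1, gnutls_x509_crt_t cert2);
unsigned gnutls_x509_crt_equals2(gnutls_x509_crt_t cert1, const gnutls_datum_t * der);

/* Parse a single certificate in @format (DER or PEM) into @cert. */
int gnutls_x509_crt_import(gnutls_x509_crt_t cert,
			   const gnutls_datum_t * data,
			   gnutls_x509_crt_fmt_t format);
/* Import a list of certificates. The "2" variant returns a newly
 * allocated array in *certs with *size entries (the caller presumably
 * deinitializes each entry and frees the array — confirm); the other
 * fills the caller's array of *cert_max handles and stores the count
 * back in *cert_max. @flags is a mask of gnutls_certificate_import_flags. */
int gnutls_x509_crt_list_import2(gnutls_x509_crt_t ** certs,
				 unsigned int *size,
				 const gnutls_datum_t * data,
				 gnutls_x509_crt_fmt_t format,
				 unsigned int flags);
int gnutls_x509_crt_list_import(gnutls_x509_crt_t * certs,
				unsigned int *cert_max,
				const gnutls_datum_t * data,
				gnutls_x509_crt_fmt_t format,
				unsigned int flags);

/* Load a certificate from a URL (e.g. a PKCS#11 object); @flags are the
 * GNUTLS_PKCS11_OBJ_FLAG_* values. */
int gnutls_x509_crt_import_url(gnutls_x509_crt_t crt,
			       const char *url, unsigned int flags
			       /* GNUTLS_PKCS11_OBJ_FLAG_* */
			       );

/* Load all certificates behind @url into a newly allocated array;
 * @pin_fn/@pin_fn_userdata supply the PIN callback used for the token. */
int
gnutls_x509_crt_list_import_url(gnutls_x509_crt_t **certs,
				unsigned int *size,
				const char *url,
				gnutls_pin_callback_t pin_fn,
				void *pin_fn_userdata,
				unsigned int flags);

/* Serialize @cert in @format into a caller buffer or an allocated datum. */
int gnutls_x509_crt_export(gnutls_x509_crt_t cert,
			   gnutls_x509_crt_fmt_t format,
			   void *output_data, size_t * output_data_size);
int gnutls_x509_crt_export2(gnutls_x509_crt_t cert,
			    gnutls_x509_crt_fmt_t format,
			    gnutls_datum_t * out);
/* Read the privateKeyUsagePeriod extension; *critical reports whether
 * the extension was marked critical. */
int gnutls_x509_crt_get_private_key_usage_period(gnutls_x509_crt_t
						 cert,
						 time_t *
						 activation,
						 time_t *
						 expiration, unsigned int
						 *critical);

/* Issuer DN accessors: string form, allocated datum, datum with
 * formatting flags, or per-attribute access by index/OID. @raw_flag
 * selects raw (DER value) rather than decoded output — confirm. */
int gnutls_x509_crt_get_issuer_dn(gnutls_x509_crt_t cert,
				  char *buf, size_t * buf_size);
int gnutls_x509_crt_get_issuer_dn2(gnutls_x509_crt_t cert,
				   gnutls_datum_t * dn);
int gnutls_x509_crt_get_issuer_dn3(gnutls_x509_crt_t cert,
				   gnutls_datum_t * dn, unsigned flags);
int
gnutls_x509_crt_get_issuer_dn_oid(gnutls_x509_crt_t cert,
				  unsigned indx, void *oid,
				  size_t * oid_size);
int gnutls_x509_crt_get_issuer_dn_by_oid(gnutls_x509_crt_t cert,
					 const char *oid, unsigned indx,
					 unsigned int raw_flag,
					 void *buf, size_t * buf_size);

/* Subject DN accessors, same shapes as the issuer variants above. */
int gnutls_x509_crt_get_dn(gnutls_x509_crt_t cert, char *buf,
			   size_t * buf_size);
int gnutls_x509_crt_get_dn2(gnutls_x509_crt_t cert, gnutls_datum_t * dn);
int gnutls_x509_crt_get_dn3(gnutls_x509_crt_t cert, gnutls_datum_t * dn, unsigned flags);

int gnutls_x509_crt_get_dn_oid(gnutls_x509_crt_t cert, unsigned indx,
			       void *oid, size_t * oid_size);
int gnutls_x509_crt_get_dn_by_oid(gnutls_x509_crt_t cert,
				  const char *oid, unsigned indx,
				  unsigned int raw_flag, void *buf,
				  size_t * buf_size);
/* Identity matching. These return unsigned (presumably non-zero on a
 * match — confirm). The "2" hostname variant and the email/IP checks
 * take @flags; the GNUTLS_VERIFY_DO_NOT_ALLOW_WILDCARDS and
 * GNUTLS_VERIFY_DO_NOT_ALLOW_IP_MATCHES verify flags documented later in
 * this header describe hostname-check behaviour, so they are the likely
 * inputs — confirm. @ip for gnutls_x509_crt_check_ip() is the binary
 * address with @ip_size its length, not text. */
unsigned gnutls_x509_crt_check_hostname(gnutls_x509_crt_t cert,
					const char *hostname);
unsigned gnutls_x509_crt_check_hostname2(gnutls_x509_crt_t cert,
					 const char *hostname, unsigned int flags);
unsigned
gnutls_x509_crt_check_email(gnutls_x509_crt_t cert,
			    const char *email, unsigned int flags);

unsigned
gnutls_x509_crt_check_ip(gnutls_x509_crt_t cert,
			 const unsigned char *ip, unsigned int ip_size,
			 unsigned int flags);

/* Signature and version fields. get_signature copies the raw signature
 * bits; get_version returns the X.509 version (negative on error — the
 * int return is shared with the error convention, so check for < 0). */
int gnutls_x509_crt_get_signature_algorithm(gnutls_x509_crt_t cert);
int gnutls_x509_crt_get_signature(gnutls_x509_crt_t cert,
				  char *sig, size_t * sizeof_sig);
int gnutls_x509_crt_get_version(gnutls_x509_crt_t cert);

/* Dotted-decimal OID strings of the public key and signature algorithms. */
int gnutls_x509_crt_get_pk_oid(gnutls_x509_crt_t cert, char *oid, size_t *oid_size);
int gnutls_x509_crt_get_signature_oid(gnutls_x509_crt_t cert, char *oid, size_t *oid_size);

/**
 * gnutls_keyid_flags_t:
 * @GNUTLS_KEYID_USE_SHA1: Use SHA1 as the key ID algorithm (default).
 *   The verify flags later in this header describe SHA1 as broken; a key
 *   ID is an identifier, not a signature, but new code that compares key
 *   IDs across trust boundaries should prefer %GNUTLS_KEYID_USE_SHA256.
 * @GNUTLS_KEYID_USE_SHA256: Use SHA256 as the key ID algorithm.
 * @GNUTLS_KEYID_USE_SHA512: Use SHA512 as the key ID algorithm.
 * @GNUTLS_KEYID_USE_BEST_KNOWN: Use the best known algorithm to calculate key ID. Using that option will make your program behavior depend on the version of gnutls linked with. That option has a cap of 64-bytes key IDs.
 *
 * Enumeration of different flags for the key ID functions.
 * Note that %GNUTLS_KEYID_USE_SHA1 is 0, so it cannot be distinguished
 * from "no flag" in a mask.
 */
typedef enum {
	GNUTLS_KEYID_USE_SHA1 = 0,
	GNUTLS_KEYID_USE_SHA256 = (1<<0),
	GNUTLS_KEYID_USE_SHA512 = (1<<1),
	GNUTLS_KEYID_USE_BEST_KNOWN = (1<<30)
} gnutls_keyid_flags_t;
/* Compute the key ID of @crt's public key per @flags into @output_data
 * (capacity in *output_data_size; 64 bytes covers every option above). */
int gnutls_x509_crt_get_key_id(gnutls_x509_crt_t crt,
			       unsigned int flags,
			       unsigned char *output_data,
			       size_t * output_data_size);

/* privateKeyUsagePeriod, authorityKeyIdentifier (key id and the
 * GeneralName+serial form) and subjectKeyIdentifier extensions. */
int gnutls_x509_crt_set_private_key_usage_period(gnutls_x509_crt_t
						 crt,
						 time_t activation,
						 time_t expiration);
int gnutls_x509_crt_set_authority_key_id(gnutls_x509_crt_t cert,
					 const void *id, size_t id_size);
int gnutls_x509_crt_get_authority_key_id(gnutls_x509_crt_t cert,
					 void *id,
					 size_t * id_size,
					 unsigned int *critical);
int gnutls_x509_crt_get_authority_key_gn_serial(gnutls_x509_crt_t
						cert,
						unsigned int seq,
						void *alt,
						size_t * alt_size,
						unsigned int
						*alt_type,
						void *serial,
						size_t *
						serial_size, unsigned int
						*critical);

int gnutls_x509_crt_get_subject_key_id(gnutls_x509_crt_t cert,
				       void *ret,
				       size_t * ret_size,
				       unsigned int *critical);

/* The (deprecated in X.509) subject/issuer unique identifier fields. */
int gnutls_x509_crt_get_subject_unique_id(gnutls_x509_crt_t crt,
					  char *buf, size_t * buf_size);

int gnutls_x509_crt_get_issuer_unique_id(gnutls_x509_crt_t crt,
					 char *buf, size_t * buf_size);

/* PIN callback used when @crt is backed by a token (see *_import_url). */
void gnutls_x509_crt_set_pin_function(gnutls_x509_crt_t crt,
				      gnutls_pin_callback_t fn,
				      void *userdata);

/**
 * gnutls_info_access_what_t:
 * @GNUTLS_IA_ACCESSMETHOD_OID: Get accessMethod OID.
 * @GNUTLS_IA_ACCESSLOCATION_GENERALNAME_TYPE: Get accessLocation name type.
 * @GNUTLS_IA_URI: Get accessLocation URI value.
 * @GNUTLS_IA_OCSP_URI: get accessLocation URI value for OCSP.
 * @GNUTLS_IA_CAISSUERS_URI: get accessLocation URI value for caIssuers.
 *
 * Enumeration of types for the @what parameter of
 * gnutls_x509_crt_get_authority_info_access().
 */
typedef enum gnutls_info_access_what_t {
	GNUTLS_IA_ACCESSMETHOD_OID = 1,
	GNUTLS_IA_ACCESSLOCATION_GENERALNAME_TYPE = 2,
	/* use 100-108 for the generalName types, populate as needed */
	GNUTLS_IA_URI = 106,
	/* quick-access variants that match both OID and name type. */
	GNUTLS_IA_UNKNOWN = 10000,
	GNUTLS_IA_OCSP_URI = 10006,
	GNUTLS_IA_CAISSUERS_URI = 10106
} gnutls_info_access_what_t;

/* Read entry @seq of the AuthorityInfoAccess extension; @what selects
 * which part is returned in @data (allocated). The URI values come
 * straight from the certificate — treat them as untrusted input before
 * fetching anything from them. */
int gnutls_x509_crt_get_authority_info_access(gnutls_x509_crt_t
					      crt,
					      unsigned int seq,
					      int what,
					      gnutls_datum_t *
					      data, unsigned int
					      *critical);

/* Opaque handle for a NameConstraints extension. */
typedef struct gnutls_name_constraints_st *gnutls_x509_name_constraints_t;

/* Check a single name, or every name of the given @type in @crt,
 * against @nc. Unsigned return: presumably non-zero when permitted —
 * confirm before using as a boolean. */
unsigned gnutls_x509_name_constraints_check(gnutls_x509_name_constraints_t nc,
					    gnutls_x509_subject_alt_name_t type,
					    const gnutls_datum_t * name);
unsigned gnutls_x509_name_constraints_check_crt(gnutls_x509_name_constraints_t nc,
						gnutls_x509_subject_alt_name_t type,
						gnutls_x509_crt_t crt);

int gnutls_x509_name_constraints_init(gnutls_x509_name_constraints_t *nc);
void gnutls_x509_name_constraints_deinit(gnutls_x509_name_constraints_t nc);

/* Extension-read flag: merge into an already populated object instead
 * of replacing its contents. */
#define GNUTLS_EXT_FLAG_APPEND 1

#define GNUTLS_NAME_CONSTRAINTS_FLAG_APPEND GNUTLS_EXT_FLAG_APPEND
/* Load the NameConstraints extension of @crt into @nc (@flags may be
 * GNUTLS_NAME_CONSTRAINTS_FLAG_APPEND). */
int gnutls_x509_crt_get_name_constraints(gnutls_x509_crt_t crt,
					 gnutls_x509_name_constraints_t nc,
					 unsigned int flags,
					 unsigned int *critical);
/* Build a constraint set: permitted and excluded subtrees of @type.
 * For IP-address subtrees @name must already be in the RFC 5280
 * address||mask form; see gnutls_x509_cidr_to_rfc5280(). */
int gnutls_x509_name_constraints_add_permitted(gnutls_x509_name_constraints_t nc,
					       gnutls_x509_subject_alt_name_t type,
					       const gnutls_datum_t * name);
int gnutls_x509_name_constraints_add_excluded(gnutls_x509_name_constraints_t nc,
					      gnutls_x509_subject_alt_name_t type,
					      const
					      gnutls_datum_t * name);
/* Write @nc into @crt as the NameConstraints extension, critical per
 * @critical (a non-critical NameConstraints is ignored by verifiers that
 * do not implement it; set critical unless there is a reason not to). */
int gnutls_x509_crt_set_name_constraints(gnutls_x509_crt_t crt,
					 gnutls_x509_name_constraints_t nc,
					 unsigned int critical);
/* Enumerate the permitted/excluded subtrees by @idx; @name points into
 * @nc (ownership presumably stays with @nc — confirm). */
int gnutls_x509_name_constraints_get_permitted(gnutls_x509_name_constraints_t nc,
					       unsigned idx,
					       unsigned *type, gnutls_datum_t * name);
int gnutls_x509_name_constraints_get_excluded(gnutls_x509_name_constraints_t nc,
					      unsigned idx,
					      unsigned *type, gnutls_datum_t * name);
/* Convert a textual CIDR ("10.0.0.0/8") into the RFC 5280 encoding used
 * by IP-address name constraints; @cidr_rfc5280 is allocated. */
int gnutls_x509_cidr_to_rfc5280(const char *cidr, gnutls_datum_t *cidr_rfc5280);


/* Misspelled compatibility alias for GNUTLS_CRL_REASON_SUPERSEDED.
 * The original definition carried a trailing comma, so any use of the
 * alias in an expression ("x == GNUTLS_CRL_REASON_SUPERSEEDED") did not
 * compile; it now expands to the enumerator alone. */
#define GNUTLS_CRL_REASON_SUPERSEEDED GNUTLS_CRL_REASON_SUPERSEDED
/**
 * gnutls_x509_crl_reason_flags_t:
 * @GNUTLS_CRL_REASON_UNSPECIFIED: No reason given (value 0, i.e. no bit set).
 * @GNUTLS_CRL_REASON_PRIVILEGE_WITHDRAWN: The privileges were withdrawn from the owner.
 * @GNUTLS_CRL_REASON_CERTIFICATE_HOLD: The certificate is on hold.
 * @GNUTLS_CRL_REASON_CESSATION_OF_OPERATION: The end-entity is no longer operating.
 * @GNUTLS_CRL_REASON_SUPERSEDED: There is a newer certificate of the owner.
 * @GNUTLS_CRL_REASON_AFFILIATION_CHANGED: The end-entity affiliation has changed.
 * @GNUTLS_CRL_REASON_CA_COMPROMISE: The CA was compromised.
 * @GNUTLS_CRL_REASON_KEY_COMPROMISE: The certificate's key was compromised.
 * @GNUTLS_CRL_REASON_UNUSED: The key was never used.
 * @GNUTLS_CRL_REASON_AA_COMPROMISE: AA compromised.
 *
 * Enumeration of types for the CRL revocation reasons. The values are
 * bit flags and may be OR-ed into the @reason_flags arguments below.
 * NOTE(review): they run in the opposite order to the RFC 5280
 * ReasonFlags bit numbers (unused is bit 0 there, 128 here), consistent
 * with reading the BIT STRING's first octet most-significant-bit first —
 * confirm against the encoder before building masks from raw bytes.
 */
typedef enum gnutls_x509_crl_reason_flags_t {
	GNUTLS_CRL_REASON_UNSPECIFIED = 0,
	GNUTLS_CRL_REASON_PRIVILEGE_WITHDRAWN = 1,
	GNUTLS_CRL_REASON_CERTIFICATE_HOLD = 2,
	GNUTLS_CRL_REASON_CESSATION_OF_OPERATION = 4,
	GNUTLS_CRL_REASON_SUPERSEDED = 8,
	GNUTLS_CRL_REASON_AFFILIATION_CHANGED = 16,
	GNUTLS_CRL_REASON_CA_COMPROMISE = 32,
	GNUTLS_CRL_REASON_KEY_COMPROMISE = 64,
	GNUTLS_CRL_REASON_UNUSED = 128,
	GNUTLS_CRL_REASON_AA_COMPROMISE = 32768
} gnutls_x509_crl_reason_flags_t;

/* CRL distribution points. @reason_flags is a mask of
 * gnutls_x509_crl_reason_flags_t; @seq indexes the distribution point.
 * The returned location is attacker-controllable data from the
 * certificate; validate before dereferencing it over the network. */
int gnutls_x509_crt_get_crl_dist_points(gnutls_x509_crt_t cert,
					unsigned int seq,
					void *ret,
					size_t * ret_size,
					unsigned int *reason_flags,
					unsigned int *critical);
int gnutls_x509_crt_set_crl_dist_points2(gnutls_x509_crt_t crt,
					 gnutls_x509_subject_alt_name_t
					 type, const void *data,
					 unsigned int data_size,
					 unsigned int reason_flags);
int gnutls_x509_crt_set_crl_dist_points(gnutls_x509_crt_t crt,
					gnutls_x509_subject_alt_name_t
					type,
					const void *data_string,
					unsigned int reason_flags);
int gnutls_x509_crt_cpy_crl_dist_points(gnutls_x509_crt_t dst,
					gnutls_x509_crt_t src);

/* Sign a CRL with @issuer_key. gnutls_x509_crl_sign2() lets the caller
 * pick the digest @dig; which digest the plain variant uses is not
 * visible here — prefer sign2 with an explicit, non-broken digest. */
int gnutls_x509_crl_sign(gnutls_x509_crl_t crl,
			 gnutls_x509_crt_t issuer,
			 gnutls_x509_privkey_t issuer_key);

int gnutls_x509_crl_sign2(gnutls_x509_crl_t crl,
			  gnutls_x509_crt_t issuer,
			  gnutls_x509_privkey_t issuer_key,
			  gnutls_digest_algorithm_t dig,
			  unsigned int flags);

/* notBefore / notAfter of @cert as time_t. The int-typed error
 * convention does not apply; how an unparsable or absent field is
 * reported is not visible here — confirm before comparing blindly. */
time_t gnutls_x509_crt_get_activation_time(gnutls_x509_crt_t cert);

/* This macro is deprecated and defunct; do not use */
#define GNUTLS_X509_NO_WELL_DEFINED_EXPIRATION ((time_t)4294197631)

time_t gnutls_x509_crt_get_expiration_time(gnutls_x509_crt_t cert);
/* Copy the serial number bytes (presumably the INTEGER contents,
 * big-endian — confirm) into @result; capacity in *result_size. */
int gnutls_x509_crt_get_serial(gnutls_x509_crt_t cert,
			       void *result, size_t * result_size);

/* Opaque handle for SubjectPublicKeyInfo parameters (e.g. RSA-PSS). */
typedef struct gnutls_x509_spki_st *gnutls_x509_spki_t;

int gnutls_x509_spki_init(gnutls_x509_spki_t *spki);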
void gnutls_x509_spki_deinit(gnutls_x509_spki_t spki);

/* RSA-PSS parameters carried in a SubjectPublicKeyInfo: the digest and
 * the salt length. The getter fails (presumably) when @spki holds no
 * PSS parameters — check the return value rather than the outputs. */
int gnutls_x509_spki_get_rsa_pss_params(gnutls_x509_spki_t spki,
					gnutls_digest_algorithm_t *dig, unsigned int *salt_size);

void gnutls_x509_spki_set_rsa_pss_params(gnutls_x509_spki_t spki,
					 gnutls_digest_algorithm_t dig, unsigned int salt_size);

/* Public key algorithm of @cert; *bits receives the key size when
 * non-NULL (confirm whether NULL is accepted). Negative return on error. */
int gnutls_x509_crt_get_pk_algorithm(gnutls_x509_crt_t cert,
				     unsigned int *bits);
/* Set / read the SPKI parameters of @cert; @flags are currently
 * unspecified here — pass 0 unless the implementation documents otherwise. */
int gnutls_x509_crt_set_spki(gnutls_x509_crt_t crt, const gnutls_x509_spki_t spki,
			     unsigned int flags);
int gnutls_x509_crt_get_spki(gnutls_x509_crt_t cert, gnutls_x509_spki_t spki,
			     unsigned int flags);

/* Raw public-key parameters. Each gnutls_datum_t output is allocated by
 * the library (release with gnutls_free(), presumably — confirm). For
 * ECC/GOST @curve identifies the group and x/y are the affine point. */
int gnutls_x509_crt_get_pk_rsa_raw(gnutls_x509_crt_t crt,
				   gnutls_datum_t * m, gnutls_datum_t * e);
int gnutls_x509_crt_get_pk_dsa_raw(gnutls_x509_crt_t crt,
				   gnutls_datum_t * p,
				   gnutls_datum_t * q,
				   gnutls_datum_t * g, gnutls_datum_t * y);
int gnutls_x509_crt_get_pk_ecc_raw(gnutls_x509_crt_t crt,
				   gnutls_ecc_curve_t * curve,
				   gnutls_datum_t * x,
				   gnutls_datum_t * y);
int gnutls_x509_crt_get_pk_gost_raw(gnutls_x509_crt_t crt,
				    gnutls_ecc_curve_t * curve,
				    gnutls_digest_algorithm_t * digest,
				    gnutls_gost_paramset_t *paramset,
				    gnutls_datum_t * x, gnutls_datum_t * y);

/* SubjectAltName: entry @seq into @san (capacity in *san_size). The "2"
 * variant also reports the GeneralName type in *san_type — use it, since
 * a bare buffer gives no way to tell a dNSName from an rfc822Name or an
 * otherName. The type of entry @seq is needed to interpret the bytes;
 * e.g. an iPAddress entry is binary, not text. */
int gnutls_x509_crt_get_subject_alt_name(gnutls_x509_crt_t cert,
					 unsigned int seq,
					 void *san,
					 size_t * san_size,
					 unsigned int *critical);
int gnutls_x509_crt_get_subject_alt_name2(gnutls_x509_crt_t cert,
					  unsigned int seq,
					  void *san,
					  size_t * san_size,
					  unsigned int *san_type,
					  unsigned int *critical);

/* For an otherName SAN entry @seq, the type-id OID of the value. */
int gnutls_x509_crt_get_subject_alt_othername_oid(gnutls_x509_crt_t
						  cert,
						  unsigned int seq,
						  void *oid,
						  size_t * oid_size);

/* IssuerAltName accessors, mirroring the SubjectAltName ones above. */
int gnutls_x509_crt_get_issuer_alt_name(gnutls_x509_crt_t cert,
					unsigned int seq,
					void *ian,
					size_t * ian_size,
					unsigned int *critical);
int gnutls_x509_crt_get_issuer_alt_name2(gnutls_x509_crt_t cert,
					 unsigned int seq,
					 void *ian,
					 size_t * ian_size,
					 unsigned int *ian_type,
					 unsigned int *critical);

int gnutls_x509_crt_get_issuer_alt_othername_oid(gnutls_x509_crt_t
						 cert,
						 unsigned int seq,
						 void *ret,
						 size_t * ret_size);

/* BasicConstraints. get_ca_status returns the cA flag as the (int)
 * result; get_basic_constraints also returns pathLenConstraint in
 * *pathlen. NOTE(review): what *pathlen holds when the constraint is
 * absent, and the result when the extension is missing altogether, are
 * not visible here — confirm before using either as a trust decision.
 * *critical reports the extension's critical bit. */
int gnutls_x509_crt_get_ca_status(gnutls_x509_crt_t cert,
				  unsigned int *critical);
int gnutls_x509_crt_get_basic_constraints(gnutls_x509_crt_t cert,
					  unsigned int *critical,
					  unsigned int *ca, int *pathlen);

/* The key_usage flags are defined in gnutls.h. They are the
 * GNUTLS_KEY_* definitions.
 */
int gnutls_x509_crt_get_key_usage(gnutls_x509_crt_t cert,
				  unsigned int *key_usage,
				  unsigned int *critical);
int gnutls_x509_crt_set_key_usage(gnutls_x509_crt_t crt,
				  unsigned int usage);
/* Add an AuthorityInfoAccess entry; @what is a gnutls_info_access_what_t
 * selector and @data the value (e.g. an OCSP responder URI). */
int gnutls_x509_crt_set_authority_info_access(gnutls_x509_crt_t
					      crt, int what,
					      gnutls_datum_t * data);

/* inhibitAnyPolicy: *skipcerts is the SkipCerts count from the extension.
 * See the NOTE on GNUTLS_X509EXT_OID_INHIBIT_ANYPOLICY about which OID
 * these functions actually use. */
int gnutls_x509_crt_get_inhibit_anypolicy(gnutls_x509_crt_t cert,
					  unsigned int *skipcerts,
					  unsigned int *critical);
int
gnutls_x509_crt_set_inhibit_anypolicy(gnutls_x509_crt_t crt, unsigned int skipcerts);

/* ProxyCertInfo (RFC 3820). *policyLanguage and *policy are returned as
 * char* — presumably allocated and owned by the caller (free with
 * gnutls_free()) — confirm. @policy may be binary; its length is in
 * *sizeof_policy, so do not treat it as a NUL-terminated string. */
int gnutls_x509_crt_get_proxy(gnutls_x509_crt_t cert,
			      unsigned int *critical,
			      int *pathlen,
			      char **policyLanguage,
			      char **policy, size_t * sizeof_policy);


/* Opaque handle for the TLS Features (RFC 7633, e.g. must-staple)
 * extension. */
typedef struct gnutls_x509_tlsfeatures_st *gnutls_x509_tlsfeatures_t;

int gnutls_x509_tlsfeatures_init(gnutls_x509_tlsfeatures_t *features);
void gnutls_x509_tlsfeatures_deinit(gnutls_x509_tlsfeatures_t);
/* Feature number @idx of @f into *feature; fails past the last entry. */
int gnutls_x509_tlsfeatures_get(gnutls_x509_tlsfeatures_t f, unsigned idx, unsigned int *feature);

int gnutls_x509_crt_set_tlsfeatures(gnutls_x509_crt_t crt,
				    gnutls_x509_tlsfeatures_t features);

/* Read the extension into @features; @flags may be GNUTLS_EXT_FLAG_APPEND. */
int gnutls_x509_crt_get_tlsfeatures(gnutls_x509_crt_t cert,
				    gnutls_x509_tlsfeatures_t features,
				    unsigned int flags,
				    unsigned int *critical);

/* Unsigned result: presumably non-zero when @crt advertises every feature
 * in @feat — confirm the polarity before using as a boolean. */
unsigned
gnutls_x509_tlsfeatures_check_crt(gnutls_x509_tlsfeatures_t feat,
				  gnutls_x509_crt_t crt);


/* Upper bound on policy qualifiers kept per policy; qualifiers beyond
 * this count cannot be represented in gnutls_x509_policy_st. */
#define GNUTLS_MAX_QUALIFIERS 8

/**
 * gnutls_x509_qualifier_t:
 * @GNUTLS_X509_QUALIFIER_UNKNOWN: Unknown qualifier.
 * @GNUTLS_X509_QUALIFIER_URI: A URL
 * @GNUTLS_X509_QUALIFIER_NOTICE: A text notice.
 *
 * Enumeration of types for the X.509 qualifiers, of the certificate policy extension.
 */
typedef enum gnutls_x509_qualifier_t {
	GNUTLS_X509_QUALIFIER_UNKNOWN = 0, GNUTLS_X509_QUALIFIER_URI,
	GNUTLS_X509_QUALIFIER_NOTICE
} gnutls_x509_qualifier_t;

/* One certificate policy: its OID and up to GNUTLS_MAX_QUALIFIERS
 * qualifiers. @qualifiers is presumably the number of valid entries in
 * qualifier[] (confirm); never index past it. Each qualifier's @data is
 * @size bytes and, for a notice, need not be NUL-terminated. Strings are
 * released by gnutls_x509_policy_release(). */
typedef struct gnutls_x509_policy_st {
	char *oid;
	unsigned int qualifiers;
	struct {
		gnutls_x509_qualifier_t type;
		char *data;
		unsigned int size;
	} qualifier[GNUTLS_MAX_QUALIFIERS];
} gnutls_x509_policy_st;

void gnutls_x509_policy_release(struct gnutls_x509_policy_st
				*policy);
/* Policy number @indx of the certificatePolicies extension. */
int gnutls_x509_crt_get_policy(gnutls_x509_crt_t crt, unsigned indx, struct gnutls_x509_policy_st
			       *policy, unsigned int *critical);
int gnutls_x509_crt_set_policy(gnutls_x509_crt_t crt, const struct gnutls_x509_policy_st
			       *policy, unsigned int critical);

/* Whether @oid is a DN attribute this library knows by name. */
int gnutls_x509_dn_oid_known(const char *oid);

/* With this flag gnutls_x509_dn_oid_name() presumably returns the OID
 * string itself for unknown OIDs instead of NULL — confirm; callers that
 * print the result must handle a NULL return either way. */
#define GNUTLS_X509_DN_OID_RETURN_OID 1
const char *gnutls_x509_dn_oid_name(const char *oid, unsigned int flags);

/* Read extensions by OID.
 * get_extension_oid enumerates the OIDs present (by @indx);
 * get_extension_by_oid returns the raw extnValue of occurrence @indx of
 * @oid, plus its critical bit. Callers walking all extensions should
 * treat an unrecognised critical one as a verification failure.
 */
int gnutls_x509_crt_get_extension_oid(gnutls_x509_crt_t cert,
				      unsigned indx, void *oid,
				      size_t * oid_size);
int gnutls_x509_crt_get_extension_by_oid(gnutls_x509_crt_t cert,
					 const char *oid, unsigned indx,
					 void *buf,
					 size_t * buf_size,
					 unsigned int *critical);

/* Certificate-request counterparts (CSR extensions). */
int gnutls_x509_crq_get_signature_algorithm(gnutls_x509_crq_t crq);
int
gnutls_x509_crq_get_extension_by_oid2(gnutls_x509_crq_t crq,
				      const char *oid, unsigned indx,
				      gnutls_datum_t *output,
				      unsigned int *critical);

/* Read extensions by sequence number. */
int gnutls_x509_crt_get_extension_info(gnutls_x509_crt_t cert,
				       unsigned indx, void *oid,
				       size_t * oid_size,
				       unsigned int *critical);
int gnutls_x509_crt_get_extension_data(gnutls_x509_crt_t cert,
				       unsigned indx, void *data,
				       size_t * sizeof_data);
int
gnutls_x509_crt_get_extension_data2(gnutls_x509_crt_t cert,
				    unsigned indx, gnutls_datum_t * data);


/* Add an arbitrary extension: @buf/@sizeof_buf is the DER extnValue,
 * @critical its critical bit. No validation of @buf against @oid is
 * implied by this signature. */
int gnutls_x509_crt_set_extension_by_oid(gnutls_x509_crt_t crt,
					 const char *oid,
					 const void *buf,
					 size_t sizeof_buf,
					 unsigned int critical);

/* X.509 Certificate writing.
 * Setters below mutate an unsigned certificate; the object is finalized
 * by gnutls_x509_crt_sign()/sign2(). Setting fields after signing
 * invalidates the signature (behaviour in that case is not visible here).
 */
/* Set the subject/issuer DN from an RFC 4514 string. On a parse error
 * *err presumably points at the offending position in @dn — confirm. */
int gnutls_x509_crt_set_dn(gnutls_x509_crt_t crt, const char *dn,
			   const char **err);

/* Add a single attribute to the subject/issuer DN. @raw_flag selects
 * whether @name is a pre-encoded DER value or text to be encoded. */
int gnutls_x509_crt_set_dn_by_oid(gnutls_x509_crt_t crt,
				  const char *oid,
				  unsigned int raw_flag,
				  const void *name,
				  unsigned int sizeof_name);
int gnutls_x509_crt_set_issuer_dn_by_oid(gnutls_x509_crt_t crt,
					 const char *oid,
					 unsigned int raw_flag,
					 const void *name,
					 unsigned int sizeof_name);
int gnutls_x509_crt_set_issuer_dn(gnutls_x509_crt_t crt,
				  const char *dn, const char **err);

/* Version (1..3), public key (taken from a private key), and
 * BasicConstraints. set_ca_status writes only the cA flag;
 * set_basic_constraints also writes pathLenConstraint (what a negative
 * @pathLenConstraint means is not visible here — confirm). */
int gnutls_x509_crt_set_version(gnutls_x509_crt_t crt,
				unsigned int version);
int gnutls_x509_crt_set_key(gnutls_x509_crt_t crt,
			    gnutls_x509_privkey_t key);
int gnutls_x509_crt_set_ca_status(gnutls_x509_crt_t crt, unsigned int ca);
int gnutls_x509_crt_set_basic_constraints(gnutls_x509_crt_t crt,
					  unsigned int ca,
					  int pathLenConstraint);

int
gnutls_x509_crt_set_subject_unique_id(gnutls_x509_crt_t cert, const void *id,
				      size_t id_size);
int
gnutls_x509_crt_set_issuer_unique_id(gnutls_x509_crt_t cert, const void *id,
				     size_t id_size);

/* SubjectAltName / IssuerAltName writers. The *_alternative_name form
 * takes a NUL-terminated string; the others take @data/@data_size and a
 * GNUTLS_FSAN_* @flags mask (SET vs APPEND, optional ENCODE_*). For an
 * otherName, @oid is the type-id. */
int gnutls_x509_crt_set_subject_alternative_name(gnutls_x509_crt_t
						 crt,
						 gnutls_x509_subject_alt_name_t
						 type, const char
						 *data_string);
int gnutls_x509_crt_set_subject_alt_name(gnutls_x509_crt_t crt,
					 gnutls_x509_subject_alt_name_t
					 type, const void *data,
					 unsigned int data_size,
					 unsigned int flags);

int
gnutls_x509_crt_set_subject_alt_othername(gnutls_x509_crt_t crt,
					  const char *oid,
					  const void *data,
					  unsigned int data_size,
					  unsigned int flags);

int gnutls_x509_crt_set_issuer_alt_name(gnutls_x509_crt_t crt,
					gnutls_x509_subject_alt_name_t
					type, const void *data,
					unsigned int data_size,
					unsigned int flags);

int
gnutls_x509_crt_set_issuer_alt_othername(gnutls_x509_crt_t crt,
					 const char *oid,
					 const void *data,
					 unsigned int data_size,
					 unsigned int flags);

/* Sign @crt with @issuer_key, copying the issuer name from @issuer.
 * sign2 takes an explicit digest @dig and @flags; which digest the plain
 * variant uses is not visible here — prefer sign2 with an explicit,
 * non-broken digest. */
int gnutls_x509_crt_sign(gnutls_x509_crt_t crt,
			 gnutls_x509_crt_t issuer,
			 gnutls_x509_privkey_t issuer_key);
int gnutls_x509_crt_sign2(gnutls_x509_crt_t crt,
			  gnutls_x509_crt_t issuer,
			  gnutls_x509_privkey_t issuer_key,
			  gnutls_digest_algorithm_t dig,
			  unsigned int flags);
int gnutls_x509_crt_set_activation_time(gnutls_x509_crt_t cert,
					time_t act_time);
int gnutls_x509_crt_set_expiration_time(gnutls_x509_crt_t cert,
					time_t exp_time);
/* Set the serial number from @serial_size raw bytes. NOTE(review):
 * nothing in this signature enforces that the value is positive or
 * unique per issuer; the caller (CA logic) is responsible for that. */
int gnutls_x509_crt_set_serial(gnutls_x509_crt_t cert,
			       const void *serial, size_t serial_size);

int gnutls_x509_crt_set_subject_key_id(gnutls_x509_crt_t cert,
				       const void *id, size_t id_size);

/* Proxy certificates (RFC 3820): derive the subject from @eecrt plus one
 * attribute, and write ProxyCertInfo. */
int gnutls_x509_crt_set_proxy_dn(gnutls_x509_crt_t crt,
				 gnutls_x509_crt_t eecrt,
				 unsigned int raw_flag,
				 const void *name,
				 unsigned int sizeof_name);
int gnutls_x509_crt_set_proxy(gnutls_x509_crt_t crt,
			      int pathLenConstraint,
			      const char *policyLanguage,
			      const char *policy, size_t sizeof_policy);

/* Human-readable dump of a certificate / CRL into an allocated datum.
 * Intended for display and logging; not a parsing interface. */
int gnutls_x509_crt_print(gnutls_x509_crt_t cert,
			  gnutls_certificate_print_formats_t
			  format, gnutls_datum_t * out);
int gnutls_x509_crl_print(gnutls_x509_crl_t crl,
			  gnutls_certificate_print_formats_t
			  format, gnutls_datum_t * out);

/* Access to internal Certificate fields.
 * These return the DER-encoded Name (presumably pointing into the
 * certificate's own buffer rather than a copy — confirm ownership).
 */
int gnutls_x509_crt_get_raw_issuer_dn(gnutls_x509_crt_t cert,
				      gnutls_datum_t * start);
int gnutls_x509_crt_get_raw_dn(gnutls_x509_crt_t cert,
			       gnutls_datum_t * start);

/* RDN handling.
 * @idn is a DER-encoded Name such as returned by the get_raw_*dn()
 * functions above.
 */
int gnutls_x509_rdn_get(const gnutls_datum_t * idn,
			char *buf, size_t * sizeof_buf);
int
gnutls_x509_rdn_get2(const gnutls_datum_t * idn,
		     gnutls_datum_t *str, unsigned flags);

int gnutls_x509_rdn_get_oid(const gnutls_datum_t * idn,
			    unsigned indx, void *buf, size_t * sizeof_buf);

int gnutls_x509_rdn_get_by_oid(const gnutls_datum_t * idn,
			       const char *oid, unsigned indx,
			       unsigned int raw_flag, void *buf,
			       size_t * sizeof_buf);

/* Opaque parsed Distinguished Name. */
typedef struct gnutls_x509_dn_st *gnutls_x509_dn_t;

/* One AttributeValueAssertion: attribute OID, raw value, and (by its
 * name) the ASN.1 tag of the value — confirm. Datums point into the
 * parent DN's data rather than owning copies (presumably — confirm). */
typedef struct gnutls_x509_ava_st {
	gnutls_datum_t oid;
	gnutls_datum_t value;
	unsigned long value_tag;
} gnutls_x509_ava_st;

/* Parsed subject / issuer of @cert (ownership of *dn is not stated
 * here — confirm whether it must be deinitialized by the caller). */
int gnutls_x509_crt_get_subject(gnutls_x509_crt_t cert,
				gnutls_x509_dn_t * dn);
int gnutls_x509_crt_get_issuer(gnutls_x509_crt_t cert,
			       gnutls_x509_dn_t * dn);
/* AVA number @iava of RDN number @irdn; fails past the end. */
int gnutls_x509_dn_get_rdn_ava(gnutls_x509_dn_t dn, int irdn,
			       int iava, gnutls_x509_ava_st * ava);

int gnutls_x509_dn_get_str(gnutls_x509_dn_t dn, gnutls_datum_t *str);

/* String-form flag: use the older, pre-RFC 4514 output format. */
#define GNUTLS_X509_DN_FLAG_COMPAT 1
int gnutls_x509_dn_get_str2(gnutls_x509_dn_t dn, gnutls_datum_t *str, unsigned flags);

int
gnutls_x509_dn_set_str(gnutls_x509_dn_t dn, const char *str, const char **err);

int gnutls_x509_dn_init(gnutls_x509_dn_t * dn);

int gnutls_x509_dn_import(gnutls_x509_dn_t dn,
			  const gnutls_datum_t * data);

int gnutls_x509_dn_export(gnutls_x509_dn_t dn,
			  gnutls_x509_crt_fmt_t format,
			  void *output_data, size_t * output_data_size);
int gnutls_x509_dn_export2(gnutls_x509_dn_t dn,
			   gnutls_x509_crt_fmt_t format,
			   gnutls_datum_t * out);

void gnutls_x509_dn_deinit(gnutls_x509_dn_t dn);


/* CRL handling functions.
 * A CRL is only meaningful once gnutls_x509_crl_check_issuer() (or the
 * library's verification path) has tied it to a trusted issuer; the
 * accessors below do not verify anything by themselves.
 */
int gnutls_x509_crl_init(gnutls_x509_crl_t * crl);
void gnutls_x509_crl_deinit(gnutls_x509_crl_t crl);

int gnutls_x509_crl_import(gnutls_x509_crl_t crl,
			   const gnutls_datum_t * data,
			   gnutls_x509_crt_fmt_t format);
int gnutls_x509_crl_export(gnutls_x509_crl_t crl,
			   gnutls_x509_crt_fmt_t format,
			   void *output_data, size_t * output_data_size);
int gnutls_x509_crl_export2(gnutls_x509_crl_t crl,
			    gnutls_x509_crt_fmt_t format,
			    gnutls_datum_t * out);

/* Issuer name of the CRL in the same forms as for certificates. */
int
gnutls_x509_crl_get_raw_issuer_dn(gnutls_x509_crl_t crl,
				  gnutls_datum_t * dn);

int gnutls_x509_crl_get_issuer_dn(gnutls_x509_crl_t crl,
				  char *buf, size_t * sizeof_buf);
int gnutls_x509_crl_get_issuer_dn2(gnutls_x509_crl_t crl,
				   gnutls_datum_t * dn);
int gnutls_x509_crl_get_issuer_dn3(gnutls_x509_crl_t crl,
				   gnutls_datum_t * dn, unsigned flags);

int gnutls_x509_crl_get_issuer_dn_by_oid(gnutls_x509_crl_t crl,
					 const char *oid, unsigned indx,
					 unsigned int raw_flag,
					 void *buf, size_t * sizeof_buf);
int gnutls_x509_crl_get_dn_oid(gnutls_x509_crl_t crl, unsigned indx,
			       void *oid, size_t * sizeof_oid);

int gnutls_x509_crl_get_signature_algorithm(gnutls_x509_crl_t crl);
int gnutls_x509_crl_get_signature(gnutls_x509_crl_t crl,
				  char *sig, size_t * sizeof_sig);
int gnutls_x509_crl_get_version(gnutls_x509_crl_t crl);

int gnutls_x509_crl_get_signature_oid(gnutls_x509_crl_t crl, char *oid, size_t *oid_size);

/* thisUpdate / nextUpdate. nextUpdate is optional in a CRL; how its
 * absence is reported through a time_t return is not visible here —
 * confirm before treating the value as "never expires". */
time_t gnutls_x509_crl_get_this_update(gnutls_x509_crl_t crl);
time_t gnutls_x509_crl_get_next_update(gnutls_x509_crl_t crl);

/* Number of revoked entries (negative on error), and entry @indx's
 * serial bytes and revocation time *t. */
int gnutls_x509_crl_get_crt_count(gnutls_x509_crl_t crl);
int gnutls_x509_crl_get_crt_serial(gnutls_x509_crl_t crl, unsigned indx,
				   unsigned char *serial,
				   size_t * serial_size, time_t * t);

/* Iterator over revoked entries: avoids the O(n) per-index walk of
 * gnutls_x509_crl_get_crt_serial() on large CRLs. Start with the
 * iterator set to NULL (presumably — confirm) and release it with
 * gnutls_x509_crl_iter_deinit(). */
typedef struct gnutls_x509_crl_iter * gnutls_x509_crl_iter_t;

int gnutls_x509_crl_iter_crt_serial(gnutls_x509_crl_t crl,
				    gnutls_x509_crl_iter_t *,
				    unsigned char *serial,
				    size_t * serial_size, time_t * t);

void gnutls_x509_crl_iter_deinit(gnutls_x509_crl_iter_t);

/* Legacy names. */
#define gnutls_x509_crl_get_certificate_count gnutls_x509_crl_get_crt_count
#define gnutls_x509_crl_get_certificate gnutls_x509_crl_get_crt_serial

/* Unsigned result: presumably non-zero when @issuer is the issuer of
 * @crl (name match and/or signature — which is not visible here).
 * Confirm whether the CRL signature is actually verified by this call
 * before relying on it as the only check. */
unsigned gnutls_x509_crl_check_issuer(gnutls_x509_crl_t crl,
				      gnutls_x509_crt_t issuer);

/* Import a list of CRLs; same allocation/caller-array split as the
 * certificate list importers. @flags is presumably a
 * gnutls_certificate_import_flags mask — confirm which bits apply. */
int gnutls_x509_crl_list_import2(gnutls_x509_crl_t ** crls,
				 unsigned int *size,
				 const gnutls_datum_t * data,
				 gnutls_x509_crt_fmt_t format,
				 unsigned int flags);

int gnutls_x509_crl_list_import(gnutls_x509_crl_t * crls,
				unsigned int *crl_max,
				const gnutls_datum_t * data,
				gnutls_x509_crt_fmt_t format,
				unsigned int flags);
/* CRL writing.
 */
int gnutls_x509_crl_set_version(gnutls_x509_crl_t crl,
				unsigned int version);
int gnutls_x509_crl_set_this_update(gnutls_x509_crl_t crl,
				    time_t act_time);
int gnutls_x509_crl_set_next_update(gnutls_x509_crl_t crl,
				    time_t exp_time);
/* Add a revoked entry by raw serial bytes, or by taking the serial from
 * a certificate handle. */
int gnutls_x509_crl_set_crt_serial(gnutls_x509_crl_t crl,
				   const void *serial,
				   size_t serial_size,
				   time_t revocation_time);
int gnutls_x509_crl_set_crt(gnutls_x509_crl_t crl,
			    gnutls_x509_crt_t crt, time_t revocation_time);

/* AuthorityKeyIdentifier of the CRL, in the same two forms as for
 * certificates. */
int gnutls_x509_crl_get_authority_key_id(gnutls_x509_crl_t crl,
					 void *id,
					 size_t * id_size,
					 unsigned int *critical);
int gnutls_x509_crl_get_authority_key_gn_serial(gnutls_x509_crl_t
						crl,
						unsigned int seq,
						void *alt,
						size_t * alt_size,
						unsigned int
						*alt_type,
						void *serial,
						size_t *
						serial_size, unsigned int
						*critical);

/* CRL Number extension (raw INTEGER bytes). */
int gnutls_x509_crl_get_number(gnutls_x509_crl_t crl, void *ret,
			       size_t * ret_size, unsigned int *critical);

/* CRL extensions by index, mirroring the certificate accessors. */
int gnutls_x509_crl_get_extension_oid(gnutls_x509_crl_t crl,
				      unsigned indx, void *oid,
				      size_t * sizeof_oid);

int
gnutls_x509_crl_get_extension_info(gnutls_x509_crl_t crl,
				   unsigned indx, void *oid,
				   size_t * sizeof_oid,
				   unsigned int *critical);

int gnutls_x509_crl_get_extension_data(gnutls_x509_crl_t crl,
				       unsigned indx, void *data,
				       size_t * sizeof_data);
int
gnutls_x509_crl_get_extension_data2(gnutls_x509_crl_t crl,
				    unsigned indx, gnutls_datum_t * data);

int gnutls_x509_crl_set_authority_key_id(gnutls_x509_crl_t crl,
					 const void *id, size_t id_size);

int gnutls_x509_crl_set_number(gnutls_x509_crl_t crl,
			       const void *nr, size_t nr_size);


/* X.509 Certificate verification functions.
 */

/**
 * gnutls_certificate_verify_flags:
 * @GNUTLS_VERIFY_DISABLE_CA_SIGN: If set a signer does not have to be
 *   a certificate authority. This flag should normally be disabled,
 *   unless you know what this means.
 * @GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS: If set a signer in the trusted
 *   list is never checked for expiration or activation.
 * @GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT: Do not allow trusted CA
 *   certificates that have version 1.  This option is to be used
 *   to deprecate all certificates of version 1.
 * @GNUTLS_VERIFY_DO_NOT_ALLOW_SAME: If a certificate is not signed by
 *   anyone trusted but exists in the trusted CA list do not treat it
 *   as trusted.
 * @GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN: A certificate chain is tolerated
 *   if unsorted (the case with many TLS servers out there). This is the
 *   default since GnuTLS 3.1.4.
 * @GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN: Do not tolerate an unsorted
 *   certificate chain.
 * @GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT: Allow CA certificates that
 *   have version 1 (both root and intermediate). This might be
 *   dangerous since those haven't the basicConstraints
 *   extension.
 * @GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2: Allow certificates to be signed
 *   using the broken MD2 algorithm.
942 * @GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5: Allow certificates to be signed 943 * using the broken MD5 algorithm. 944 * @GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1: Allow certificates to be signed 945 * using the broken SHA1 hash algorithm. 946 * @GNUTLS_VERIFY_ALLOW_BROKEN: Allow certificates to be signed 947 * using any broken algorithm. 948 * @GNUTLS_VERIFY_DISABLE_TIME_CHECKS: Disable checking of activation 949 * and expiration validity periods of certificate chains. Don't set 950 * this unless you understand the security implications. 951 * @GNUTLS_VERIFY_DISABLE_CRL_CHECKS: Disable checking for validity 952 * using certificate revocation lists or the available OCSP data. 953 * @GNUTLS_VERIFY_DO_NOT_ALLOW_WILDCARDS: When including a hostname 954 * check in the verification, do not consider any wildcards. 955 * @GNUTLS_VERIFY_DO_NOT_ALLOW_IP_MATCHES: When verifying a hostname 956 * prevent textual IP addresses from matching IP addresses in the 957 * certificate. Treat the input only as a DNS name. 958 * @GNUTLS_VERIFY_USE_TLS1_RSA: This indicates that a (raw) RSA signature is provided 959 * as in the TLS 1.0 protocol. Not all functions accept this flag. 960 * @GNUTLS_VERIFY_IGNORE_UNKNOWN_CRIT_EXTENSIONS: This signals the verification 961 * process, not to fail on unknown critical extensions. 962 * 963 * Enumeration of different certificate verify flags. Additional 964 * verification profiles can be set using GNUTLS_PROFILE_TO_VFLAGS() 965 * and %gnutls_certificate_verification_profiles_t. 
966 */ 967 typedef enum gnutls_certificate_verify_flags { 968 GNUTLS_VERIFY_DISABLE_CA_SIGN = 1 << 0, 969 GNUTLS_VERIFY_DO_NOT_ALLOW_IP_MATCHES = 1<<1, 970 GNUTLS_VERIFY_DO_NOT_ALLOW_SAME = 1 << 2, 971 GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT = 1 << 3, 972 GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2 = 1 << 4, 973 GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5 = 1 << 5, 974 GNUTLS_VERIFY_DISABLE_TIME_CHECKS = 1 << 6, 975 GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS = 1 << 7, 976 GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT = 1 << 8, 977 GNUTLS_VERIFY_DISABLE_CRL_CHECKS = 1 << 9, 978 GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN = 1 << 10, 979 GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN = 1 << 11, 980 GNUTLS_VERIFY_DO_NOT_ALLOW_WILDCARDS = 1 << 12, 981 GNUTLS_VERIFY_USE_TLS1_RSA = 1 << 13, 982 GNUTLS_VERIFY_IGNORE_UNKNOWN_CRIT_EXTENSIONS = 1 << 14, 983 GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1 = 1 << 15 984 /* cannot exceed 2^24 due to GNUTLS_PROFILE_TO_VFLAGS() */ 985 } gnutls_certificate_verify_flags; 986 987 #define GNUTLS_VERIFY_ALLOW_BROKEN (GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2|GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5) 988 989 /** 990 * gnutls_certificate_verification_profiles_t: 991 * @GNUTLS_PROFILE_UNKNOWN: An invalid/unknown profile. 
992 * @GNUTLS_PROFILE_VERY_WEAK: A verification profile that 993 * corresponds to @GNUTLS_SEC_PARAM_VERY_WEAK (64 bits) 994 * @GNUTLS_PROFILE_LOW: A verification profile that 995 * corresponds to @GNUTLS_SEC_PARAM_LOW (80 bits) 996 * @GNUTLS_PROFILE_LEGACY: A verification profile that 997 * corresponds to @GNUTLS_SEC_PARAM_LEGACY (96 bits) 998 * @GNUTLS_PROFILE_MEDIUM: A verification profile that 999 * corresponds to @GNUTLS_SEC_PARAM_MEDIUM (112 bits) 1000 * @GNUTLS_PROFILE_HIGH: A verification profile that 1001 * corresponds to @GNUTLS_SEC_PARAM_HIGH (128 bits) 1002 * @GNUTLS_PROFILE_ULTRA: A verification profile that 1003 * corresponds to @GNUTLS_SEC_PARAM_ULTRA (192 bits) 1004 * @GNUTLS_PROFILE_FUTURE: A verification profile that 1005 * corresponds to @GNUTLS_SEC_PARAM_FUTURE (256 bits) 1006 * @GNUTLS_PROFILE_SUITEB128: A verification profile that 1007 * applies the SUITEB128 rules 1008 * @GNUTLS_PROFILE_SUITEB192: A verification profile that 1009 * applies the SUITEB192 rules 1010 * 1011 * Enumeration of different certificate verification profiles. 
1012 */ 1013 typedef enum gnutls_certificate_verification_profiles_t { 1014 GNUTLS_PROFILE_UNKNOWN = 0, 1015 GNUTLS_PROFILE_VERY_WEAK = 1, 1016 GNUTLS_PROFILE_LOW = 2, 1017 GNUTLS_PROFILE_LEGACY = 4, 1018 GNUTLS_PROFILE_MEDIUM = 5, 1019 GNUTLS_PROFILE_HIGH = 6, 1020 GNUTLS_PROFILE_ULTRA = 7, 1021 GNUTLS_PROFILE_FUTURE = 8, 1022 1023 GNUTLS_PROFILE_SUITEB128=32, 1024 GNUTLS_PROFILE_SUITEB192=33 1025 /*GNUTLS_PROFILE_MAX=255*/ 1026 } gnutls_certificate_verification_profiles_t; 1027 1028 #define GNUTLS_PROFILE_TO_VFLAGS(x) \ 1029 (((unsigned)x)<<24) 1030 1031 #define GNUTLS_VFLAGS_PROFILE_MASK (0xff000000) 1032 1033 #define GNUTLS_VFLAGS_TO_PROFILE(x) \ 1034 ((((unsigned)x)>>24)&0xff) 1035 1036 const char * 1037 gnutls_certificate_verification_profile_get_name(gnutls_certificate_verification_profiles_t id) __GNUTLS_CONST__; 1038 gnutls_certificate_verification_profiles_t gnutls_certificate_verification_profile_get_id(const char *name) __GNUTLS_CONST__; 1039 1040 unsigned gnutls_x509_crt_check_issuer(gnutls_x509_crt_t cert, 1041 gnutls_x509_crt_t issuer); 1042 1043 int gnutls_x509_crt_list_verify(const gnutls_x509_crt_t * 1044 cert_list, unsigned cert_list_length, 1045 const gnutls_x509_crt_t * CA_list, 1046 unsigned CA_list_length, 1047 const gnutls_x509_crl_t * CRL_list, 1048 unsigned CRL_list_length, 1049 unsigned int flags, unsigned int *verify); 1050 1051 int gnutls_x509_crt_verify(gnutls_x509_crt_t cert, 1052 const gnutls_x509_crt_t * CA_list, 1053 unsigned CA_list_length, unsigned int flags, 1054 unsigned int *verify); 1055 int gnutls_x509_crl_verify(gnutls_x509_crl_t crl, 1056 const gnutls_x509_crt_t * CA_list, 1057 unsigned CA_list_length, unsigned int flags, 1058 unsigned int *verify); 1059 1060 int 1061 gnutls_x509_crt_verify_data2(gnutls_x509_crt_t crt, 1062 gnutls_sign_algorithm_t algo, 1063 unsigned int flags, 1064 const gnutls_datum_t * data, 1065 const gnutls_datum_t * signature); 1066 1067 int gnutls_x509_crt_check_revocation(gnutls_x509_crt_t cert, 
1068 const gnutls_x509_crl_t * 1069 crl_list, unsigned crl_list_length); 1070 1071 int gnutls_x509_crt_get_fingerprint(gnutls_x509_crt_t cert, 1072 gnutls_digest_algorithm_t algo, 1073 void *buf, size_t * buf_size); 1074 1075 int gnutls_x509_crt_get_key_purpose_oid(gnutls_x509_crt_t cert, 1076 unsigned indx, void *oid, 1077 size_t * oid_size, 1078 unsigned int *critical); 1079 int gnutls_x509_crt_set_key_purpose_oid(gnutls_x509_crt_t cert, 1080 const void *oid, 1081 unsigned int critical); 1082 1083 unsigned gnutls_x509_crt_check_key_purpose(gnutls_x509_crt_t cert, 1084 const char *purpose, unsigned flags); 1085 1086 /* Private key handling. 1087 */ 1088 1089 /* Flags for the gnutls_x509_privkey_export_pkcs8() function. 1090 */ 1091 1092 #define GNUTLS_PKCS8_PLAIN GNUTLS_PKCS_PLAIN 1093 #define GNUTLS_PKCS8_USE_PKCS12_3DES GNUTLS_PKCS_PKCS12_3DES 1094 #define GNUTLS_PKCS8_USE_PKCS12_ARCFOUR GNUTLS_PKCS_PKCS12_ARCFOUR 1095 #define GNUTLS_PKCS8_USE_PKCS12_RC2_40 GNUTLS_PKCS_PKCS12_RC2_40 1096 1097 /** 1098 * gnutls_pkcs_encrypt_flags_t: 1099 * @GNUTLS_PKCS_PLAIN: Unencrypted private key. 1100 * @GNUTLS_PKCS_NULL_PASSWORD: Some schemas distinguish between an empty and a NULL password. 1101 * @GNUTLS_PKCS_PKCS12_3DES: PKCS-12 3DES. 1102 * @GNUTLS_PKCS_PKCS12_ARCFOUR: PKCS-12 ARCFOUR. 1103 * @GNUTLS_PKCS_PKCS12_RC2_40: PKCS-12 RC2-40. 1104 * @GNUTLS_PKCS_PBES2_3DES: PBES2 3DES. 1105 * @GNUTLS_PKCS_PBES2_AES_128: PBES2 AES-128. 1106 * @GNUTLS_PKCS_PBES2_AES_192: PBES2 AES-192. 1107 * @GNUTLS_PKCS_PBES2_AES_256: PBES2 AES-256. 1108 * @GNUTLS_PKCS_PBES2_DES: PBES2 single DES. 1109 * @GNUTLS_PKCS_PBES1_DES_MD5: PBES1 with single DES; for compatibility with openssl only. 1110 * @GNUTLS_PKCS_PBES2_GOST_TC26Z: PBES2 GOST 28147-89 CFB with TC26-Z S-box. 1111 * @GNUTLS_PKCS_PBES2_GOST_CPA: PBES2 GOST 28147-89 CFB with CryptoPro-A S-box. 1112 * @GNUTLS_PKCS_PBES2_GOST_CPB: PBES2 GOST 28147-89 CFB with CryptoPro-B S-box. 
1113 * @GNUTLS_PKCS_PBES2_GOST_CPC: PBES2 GOST 28147-89 CFB with CryptoPro-C S-box. 1114 * @GNUTLS_PKCS_PBES2_GOST_CPD: PBES2 GOST 28147-89 CFB with CryptoPro-D S-box. 1115 * 1116 * Enumeration of different PKCS encryption flags. 1117 */ 1118 typedef enum gnutls_pkcs_encrypt_flags_t { 1119 GNUTLS_PKCS_PLAIN = 1, 1120 GNUTLS_PKCS_PKCS12_3DES = 1<<1, 1121 GNUTLS_PKCS_PKCS12_ARCFOUR = 1<<2, 1122 GNUTLS_PKCS_PKCS12_RC2_40 = 1<<3, 1123 GNUTLS_PKCS_PBES2_3DES = 1<<4, 1124 GNUTLS_PKCS_PBES2_AES_128 = 1<<5, 1125 GNUTLS_PKCS_PBES2_AES_192 = 1<<6, 1126 GNUTLS_PKCS_PBES2_AES_256 = 1<<7, 1127 GNUTLS_PKCS_NULL_PASSWORD = 1<<8, 1128 GNUTLS_PKCS_PBES2_DES = 1<<9, 1129 GNUTLS_PKCS_PBES1_DES_MD5 = 1<<10, 1130 GNUTLS_PKCS_PBES2_GOST_TC26Z = 1<<11, 1131 GNUTLS_PKCS_PBES2_GOST_CPA = 1<<12, 1132 GNUTLS_PKCS_PBES2_GOST_CPB = 1<<13, 1133 GNUTLS_PKCS_PBES2_GOST_CPC = 1<<14, 1134 GNUTLS_PKCS_PBES2_GOST_CPD = 1<<15 1135 } gnutls_pkcs_encrypt_flags_t; 1136 1137 #define GNUTLS_PKCS_CIPHER_MASK(x) ((x)&(~(GNUTLS_PKCS_NULL_PASSWORD))) 1138 1139 #define GNUTLS_PKCS_USE_PKCS12_3DES GNUTLS_PKCS_PKCS12_3DES 1140 #define GNUTLS_PKCS_USE_PKCS12_ARCFOUR GNUTLS_PKCS_PKCS12_ARCFOUR 1141 #define GNUTLS_PKCS_USE_PKCS12_RC2_40 GNUTLS_PKCS_PKCS12_RC2_40 1142 #define GNUTLS_PKCS_USE_PBES2_3DES GNUTLS_PKCS_PBES2_3DES 1143 #define GNUTLS_PKCS_USE_PBES2_AES_128 GNUTLS_PKCS_PBES2_AES_128 1144 #define GNUTLS_PKCS_USE_PBES2_AES_192 GNUTLS_PKCS_PBES2_AES_192 1145 #define GNUTLS_PKCS_USE_PBES2_AES_256 GNUTLS_PKCS_PBES2_AES_256 1146 #define GNUTLS_PKCS_USE_PBES2_GOST_TC26Z GNUTLS_PKCS_PBES2_GOST_TC26Z 1147 #define GNUTLS_PKCS_USE_PBES2_GOST_CPA GNUTLS_PKCS_PBES2_GOST_CPA 1148 #define GNUTLS_PKCS_USE_PBES2_GOST_CPB GNUTLS_PKCS_PBES2_GOST_CPB 1149 #define GNUTLS_PKCS_USE_PBES2_GOST_CPC GNUTLS_PKCS_PBES2_GOST_CPC 1150 #define GNUTLS_PKCS_USE_PBES2_GOST_CPD GNUTLS_PKCS_PBES2_GOST_CPD 1151 1152 const char *gnutls_pkcs_schema_get_name(unsigned int schema); 1153 const char *gnutls_pkcs_schema_get_oid(unsigned int schema); 
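int gnutls_x509_privkey_init(gnutls_x509_privkey_t * key);
void gnutls_x509_privkey_deinit(gnutls_x509_privkey_t key);
gnutls_sec_param_t gnutls_x509_privkey_sec_param(gnutls_x509_privkey_t key);

void gnutls_x509_privkey_set_pin_function(gnutls_x509_privkey_t key,
					  gnutls_pin_callback_t fn,
					  void *userdata);

int gnutls_x509_privkey_cpy(gnutls_x509_privkey_t dst,
			    gnutls_x509_privkey_t src);
int gnutls_x509_privkey_import(gnutls_x509_privkey_t key,
			       const gnutls_datum_t * data,
			       gnutls_x509_crt_fmt_t format);
int gnutls_x509_privkey_import_pkcs8(gnutls_x509_privkey_t key,
				     const gnutls_datum_t * data,
				     gnutls_x509_crt_fmt_t format,
				     const char *password,
				     unsigned int flags);
int gnutls_x509_privkey_import_openssl(gnutls_x509_privkey_t key,
				       const gnutls_datum_t * data,
				       const char *password);

int gnutls_pkcs8_info(const gnutls_datum_t * data, gnutls_x509_crt_fmt_t format,
		      unsigned int *schema, unsigned int *cipher,
		      void *salt, unsigned int *salt_size,
		      unsigned int *iter_count, char **oid);

int gnutls_x509_privkey_import2(gnutls_x509_privkey_t key,
				const gnutls_datum_t * data,
				gnutls_x509_crt_fmt_t format,
				const char *password, unsigned int flags);

/* Raw (parameter-wise) import and export of private keys.
 */
int gnutls_x509_privkey_import_rsa_raw(gnutls_x509_privkey_t key,
				       const gnutls_datum_t * m,
				       const gnutls_datum_t * e,
				       const gnutls_datum_t * d,
				       const gnutls_datum_t * p,
				       const gnutls_datum_t * q,
				       const gnutls_datum_t * u);
int gnutls_x509_privkey_import_rsa_raw2(gnutls_x509_privkey_t key,
					const gnutls_datum_t * m,
					const gnutls_datum_t * e,
					const gnutls_datum_t * d,
					const gnutls_datum_t * p,
					const gnutls_datum_t * q,
					const gnutls_datum_t * u,
					const gnutls_datum_t * e1,
					const gnutls_datum_t * e2);
int gnutls_x509_privkey_import_ecc_raw(gnutls_x509_privkey_t key,
				       gnutls_ecc_curve_t curve,
				       const gnutls_datum_t * x,
				       const gnutls_datum_t * y,
				       const gnutls_datum_t * k);
int gnutls_x509_privkey_import_gost_raw(gnutls_x509_privkey_t key,
					gnutls_ecc_curve_t curve,
					gnutls_digest_algorithm_t digest,
					gnutls_gost_paramset_t paramset,
					const gnutls_datum_t * x,
					const gnutls_datum_t * y,
					const gnutls_datum_t * k);

int gnutls_x509_privkey_fix(gnutls_x509_privkey_t key);

int gnutls_x509_privkey_export_dsa_raw(gnutls_x509_privkey_t key,
				       gnutls_datum_t * p,
				       gnutls_datum_t * q,
				       gnutls_datum_t * g,
				       gnutls_datum_t * y,
				       gnutls_datum_t * x);
int gnutls_x509_privkey_import_dsa_raw(gnutls_x509_privkey_t key,
				       const gnutls_datum_t * p,
				       const gnutls_datum_t * q,
				       const gnutls_datum_t * g,
				       const gnutls_datum_t * y,
				       const gnutls_datum_t * x);

int gnutls_x509_privkey_get_pk_algorithm(gnutls_x509_privkey_t key);
int gnutls_x509_privkey_get_pk_algorithm2(gnutls_x509_privkey_t key,
					  unsigned int *bits);
int gnutls_x509_privkey_get_spki(gnutls_x509_privkey_t key,
				 gnutls_x509_spki_t spki,
				 unsigned int flags);
int gnutls_x509_privkey_set_spki(gnutls_x509_privkey_t key,
				 const gnutls_x509_spki_t spki,
				 unsigned int flags);

int gnutls_x509_privkey_get_key_id(gnutls_x509_privkey_t key,
				   unsigned int flags,
				   unsigned char *output_data,
				   size_t * output_data_size);

int gnutls_x509_privkey_generate(gnutls_x509_privkey_t key,
				 gnutls_pk_algorithm_t algo,
				 unsigned int bits, unsigned int flags);

void gnutls_x509_privkey_set_flags(gnutls_x509_privkey_t key, unsigned int flags);

/**
 * gnutls_keygen_types_t:
 * @GNUTLS_KEYGEN_SEED: Specifies the seed to be used in key generation.
 * @GNUTLS_KEYGEN_DIGEST: The size field specifies the hash algorithm to be used in key generation.
 * @GNUTLS_KEYGEN_SPKI: data points to a %gnutls_x509_spki_t structure; it is not used after the key generation call.
 *
 * Enumeration of different key generation data options.
 */
typedef enum {
	GNUTLS_KEYGEN_SEED = 1,
	GNUTLS_KEYGEN_DIGEST = 2,
	GNUTLS_KEYGEN_SPKI = 3
} gnutls_keygen_types_t;

/* One item of extra key-generation input for
 * gnutls_x509_privkey_generate2(). How @data and @size are interpreted
 * depends on @type, as described in gnutls_keygen_types_t above. */
typedef struct {
	gnutls_keygen_types_t type;
	unsigned char *data;
	unsigned int size;
} gnutls_keygen_data_st;

int gnutls_x509_privkey_generate2(gnutls_x509_privkey_t key,
				  gnutls_pk_algorithm_t algo, unsigned int bits,
				  unsigned int flags,
				  const gnutls_keygen_data_st *data,
				  unsigned data_size);

int gnutls_x509_privkey_verify_seed(gnutls_x509_privkey_t key,
				    gnutls_digest_algorithm_t digest,
				    const void *seed, size_t seed_size);
int gnutls_x509_privkey_get_seed(gnutls_x509_privkey_t key,
				 gnutls_digest_algorithm_t *digest,
				 void *seed, size_t *seed_size);

int gnutls_x509_privkey_verify_params(gnutls_x509_privkey_t key);

int gnutls_x509_privkey_export(gnutls_x509_privkey_t key,
			       gnutls_x509_crt_fmt_t format,
			       void *output_data,
			       size_t * output_data_size);
int gnutls_x509_privkey_export2(gnutls_x509_privkey_t key,
				gnutls_x509_crt_fmt_t format,
				gnutls_datum_t * out);
int gnutls_x509_privkey_export_pkcs8(gnutls_x509_privkey_t key,
				     gnutls_x509_crt_fmt_t format,
				     const char *password,
				     unsigned int flags,
				     void *output_data,
				     size_t * output_data_size);
int gnutls_x509_privkey_export2_pkcs8(gnutls_x509_privkey_t key,
				      gnutls_x509_crt_fmt_t format,
				      const char *password,
				      unsigned int flags,
				      gnutls_datum_t * out);
int gnutls_x509_privkey_export_rsa_raw2(gnutls_x509_privkey_t key,
					gnutls_datum_t * m,
					gnutls_datum_t * e,
					gnutls_datum_t * d,
					gnutls_datum_t * p,
					gnutls_datum_t * q,
					gnutls_datum_t * u,
					gnutls_datum_t * e1,
					gnutls_datum_t * e2);
int gnutls_x509_privkey_export_rsa_raw(gnutls_x509_privkey_t key,
				       gnutls_datum_t * m,
				       gnutls_datum_t * e,
				       gnutls_datum_t * d,
				       gnutls_datum_t * p,
				       gnutls_datum_t * q,
				       gnutls_datum_t * u);
int gnutls_x509_privkey_export_ecc_raw(gnutls_x509_privkey_t key,
				       gnutls_ecc_curve_t * curve,
				       gnutls_datum_t * x,
				       gnutls_datum_t * y,
				       gnutls_datum_t * k);
int gnutls_x509_privkey_export_gost_raw(gnutls_x509_privkey_t key,
					gnutls_ecc_curve_t * curve,
					gnutls_digest_algorithm_t * digest,
					gnutls_gost_paramset_t * paramset,
					gnutls_datum_t * x,
					gnutls_datum_t * y,
					gnutls_datum_t * k);

int gnutls_x509_privkey_sign_data(gnutls_x509_privkey_t key,
				  gnutls_digest_algorithm_t digest,
				  unsigned int flags,
				  const gnutls_datum_t * data,
				  void *signature,
				  size_t * signature_size);

/* Certificate request stuff.
 */
int gnutls_x509_crq_sign(gnutls_x509_crq_t crq,
			 gnutls_x509_privkey_t key);

int gnutls_x509_crq_sign2(gnutls_x509_crq_t crq,
			  gnutls_x509_privkey_t key,
			  gnutls_digest_algorithm_t dig,
			  unsigned int flags);

int gnutls_x509_crq_print(gnutls_x509_crq_t crq,
			  gnutls_certificate_print_formats_t format,
			  gnutls_datum_t * out);

int gnutls_x509_crq_verify(gnutls_x509_crq_t crq, unsigned int flags);

int gnutls_x509_crq_init(gnutls_x509_crq_t * crq);
void gnutls_x509_crq_deinit(gnutls_x509_crq_t crq);
int gnutls_x509_crq_import(gnutls_x509_crq_t crq,
			   const gnutls_datum_t * data,
			   gnutls_x509_crt_fmt_t format);

int gnutls_x509_crq_get_private_key_usage_period(gnutls_x509_crq_t cert,
						 time_t * activation,
						 time_t * expiration,
						 unsigned int *critical);

int gnutls_x509_crq_get_dn(gnutls_x509_crq_t crq, char *buf,
			   size_t * sizeof_buf);
int gnutls_x509_crq_get_dn2(gnutls_x509_crq_t crq, gnutls_datum_t * dn);
int gnutls_x509_crq_get_dn3(gnutls_x509_crq_t crq, gnutls_datum_t * dn,
			    unsigned flags);
int gnutls_x509_crq_get_dn_oid(gnutls_x509_crq_t crq, unsigned indx,
			       void *oid, size_t * sizeof_oid);
int gnutls_x509_crq_get_dn_by_oid(gnutls_x509_crq_t crq,
				  const char *oid, unsigned indx,
				  unsigned int raw_flag, void *buf,
				  size_t * sizeof_buf);
int gnutls_x509_crq_set_dn(gnutls_x509_crq_t crq, const char *dn,
			   const char **err);
int gnutls_x509_crq_set_dn_by_oid(gnutls_x509_crq_t crq,
				  const char *oid,
				  unsigned int raw_flag,
				  const void *data,
				  unsigned int sizeof_data);
int gnutls_x509_crq_set_version(gnutls_x509_crq_t crq,
				unsigned int version);
int gnutls_x509_crq_get_version(gnutls_x509_crq_t crq);
int gnutls_x509_crq_set_key(gnutls_x509_crq_t crq,
			    gnutls_x509_privkey_t key);

int gnutls_x509_crq_set_extension_by_oid(gnutls_x509_crq_t crq,
					 const char *oid, const void *buf,
					 size_t sizeof_buf,
					 unsigned int critical);

int gnutls_x509_crq_set_challenge_password(gnutls_x509_crq_t crq,
					   const char *pass);
int gnutls_x509_crq_get_challenge_password(gnutls_x509_crq_t crq,
					   char *pass,
					   size_t * sizeof_pass);

int gnutls_x509_crq_set_attribute_by_oid(gnutls_x509_crq_t crq,
					 const char *oid,
					 void *buf, size_t sizeof_buf);
int gnutls_x509_crq_get_attribute_by_oid(gnutls_x509_crq_t crq,
					 const char *oid, unsigned indx,
					 void *buf, size_t * sizeof_buf);

int gnutls_x509_crq_export(gnutls_x509_crq_t crq,
			   gnutls_x509_crt_fmt_t format,
			   void *output_data, size_t * output_data_size);
int gnutls_x509_crq_export2(gnutls_x509_crq_t crq,
			    gnutls_x509_crt_fmt_t format,
			    gnutls_datum_t * out);

/* Populating a certificate from a request.
 */
int gnutls_x509_crt_set_crq(gnutls_x509_crt_t crt, gnutls_x509_crq_t crq);
int gnutls_x509_crt_set_crq_extensions(gnutls_x509_crt_t crt,
				       gnutls_x509_crq_t crq);

int gnutls_x509_crt_set_crq_extension_by_oid(gnutls_x509_crt_t crt,
					     gnutls_x509_crq_t crq,
					     const char *oid,
					     unsigned flags);

int gnutls_x509_crq_set_private_key_usage_period(gnutls_x509_crq_t crq,
						 time_t activation,
						 time_t expiration);
int gnutls_x509_crq_set_key_rsa_raw(gnutls_x509_crq_t crq,
				    const gnutls_datum_t * m,
				    const gnutls_datum_t * e);
int gnutls_x509_crq_set_subject_alt_name(gnutls_x509_crq_t crq,
					 gnutls_x509_subject_alt_name_t nt,
					 const void *data,
					 unsigned int data_size,
					 unsigned int flags);

int gnutls_x509_crq_set_subject_alt_othername(gnutls_x509_crq_t crq,
					      const char *oid,
					      const void *data,
					      unsigned int data_size,
					      unsigned int flags);

int gnutls_x509_crq_set_key_usage(gnutls_x509_crq_t crq,
				  unsigned int usage);
int gnutls_x509_crq_set_basic_constraints(gnutls_x509_crq_t crq,
					  unsigned int ca,
					  int pathLenConstraint);
int gnutls_x509_crq_set_key_purpose_oid(gnutls_x509_crq_t crq,
					const void *oid,
					unsigned int critical);
int gnutls_x509_crq_get_key_purpose_oid(gnutls_x509_crq_t crq,
					unsigned indx, void *oid,
					size_t * sizeof_oid,
					unsigned int *critical);

int gnutls_x509_crq_get_extension_data(gnutls_x509_crq_t crq,
				       unsigned indx, void *data,
				       size_t * sizeof_data);
int gnutls_x509_crq_get_extension_data2(gnutls_x509_crq_t crq,
					unsigned indx,
					gnutls_datum_t * data);
int gnutls_x509_crq_get_extension_info(gnutls_x509_crq_t crq,
				       unsigned indx, void *oid,
				       size_t * sizeof_oid,
				       unsigned int *critical);
int gnutls_x509_crq_get_attribute_data(gnutls_x509_crq_t crq,
				       unsigned indx, void *data,
				       size_t * sizeof_data);
int gnutls_x509_crq_get_attribute_info(gnutls_x509_crq_t crq,
				       unsigned indx, void *oid,
				       size_t * sizeof_oid);
int gnutls_x509_crq_get_pk_algorithm(gnutls_x509_crq_t crq,
				     unsigned int *bits);
int gnutls_x509_crq_get_spki(gnutls_x509_crq_t crq, gnutls_x509_spki_t spki,
			     unsigned int flags);

int gnutls_x509_crq_set_spki(gnutls_x509_crq_t crq, const gnutls_x509_spki_t spki,
			     unsigned int flags);

int gnutls_x509_crq_get_signature_oid(gnutls_x509_crq_t crq, char *oid, size_t *oid_size);
int gnutls_x509_crq_get_pk_oid(gnutls_x509_crq_t crq, char *oid, size_t *oid_size);

int gnutls_x509_crq_get_key_id(gnutls_x509_crq_t crq,
			       unsigned int flags,
			       unsigned char *output_data,
			       size_t * output_data_size);
int gnutls_x509_crq_get_key_rsa_raw(gnutls_x509_crq_t crq,
				    gnutls_datum_t * m,
				    gnutls_datum_t * e);

int gnutls_x509_crq_get_key_usage(gnutls_x509_crq_t crq,
				  unsigned int *key_usage,
				  unsigned int *critical);
int gnutls_x509_crq_get_basic_constraints(gnutls_x509_crq_t crq,
					  unsigned int *critical,
					  unsigned int *ca, int *pathlen);
int gnutls_x509_crq_get_subject_alt_name(gnutls_x509_crq_t crq,
					 unsigned int seq,
					 void *ret,
					 size_t * ret_size,
					 unsigned int *ret_type,
					 unsigned int *critical);
int gnutls_x509_crq_get_subject_alt_othername_oid(gnutls_x509_crq_t crq,
						  unsigned int seq,
						  void *ret,
						  size_t * ret_size);

int gnutls_x509_crq_get_extension_by_oid(gnutls_x509_crq_t crq,
					 const char *oid, unsigned indx,
					 void *buf,
					 size_t * sizeof_buf,
					 unsigned int *critical);

int gnutls_x509_crq_get_tlsfeatures(gnutls_x509_crq_t crq,
				    gnutls_x509_tlsfeatures_t features,
				    unsigned flags,
				    unsigned int *critical);
int gnutls_x509_crq_set_tlsfeatures(gnutls_x509_crq_t crq,
				    gnutls_x509_tlsfeatures_t features);

int gnutls_x509_crt_get_extension_by_oid2(gnutls_x509_crt_t cert,
					  const char *oid, unsigned indx,
					  gnutls_datum_t *output,
					  unsigned int *critical);

/* Trust lists.
 */
typedef struct gnutls_x509_trust_list_st *gnutls_x509_trust_list_t;
typedef struct gnutls_x509_trust_list_iter *gnutls_x509_trust_list_iter_t;

int gnutls_x509_trust_list_init(gnutls_x509_trust_list_t * list,
				unsigned int size);

void gnutls_x509_trust_list_deinit(gnutls_x509_trust_list_t list,
				   unsigned int all);

int gnutls_x509_trust_list_get_issuer(gnutls_x509_trust_list_t list,
				      gnutls_x509_crt_t cert,
				      gnutls_x509_crt_t * issuer,
				      unsigned int flags);

int gnutls_x509_trust_list_get_issuer_by_dn(gnutls_x509_trust_list_t list,
					    const gnutls_datum_t *dn,
					    gnutls_x509_crt_t *issuer,
					    unsigned int flags);

int gnutls_x509_trust_list_get_issuer_by_subject_key_id(gnutls_x509_trust_list_t list,
							const gnutls_datum_t *dn,
							const gnutls_datum_t *spki,
							gnutls_x509_crt_t *issuer,
							unsigned int flags);

/**
 * gnutls_trust_list_flags_t:
 * @GNUTLS_TL_VERIFY_CRL: If any CRLs are provided they will be verified for validity
 *  prior to being added. The CA certificates that will be used for verification are the
 *  ones already added in the trusted list.
 * @GNUTLS_TL_USE_IN_TLS: Internal flag used by GnuTLS. If provided the trust list
 *  structure will cache a copy of CA DNs to be used in the certificate request
 *  TLS message.
 * @GNUTLS_TL_NO_DUPLICATES: If this flag is specified, a function adding certificates
 *  will check and eliminate any duplicates.
 * @GNUTLS_TL_NO_DUPLICATE_KEY: If this flag is specified, a certificate sharing the
 *  same key as a previously added one will not be added.
 * @GNUTLS_TL_GET_COPY: The semantics of this flag are documented in the functions to which
 *  it applies. In general, the function will return a copy
 *  if this flag is provided, rather than a pointer to internal data.
 * @GNUTLS_TL_FAIL_ON_INVALID_CRL: If a CRL is added which cannot be validated return
 *  an error instead of ignoring it (must be used with %GNUTLS_TL_VERIFY_CRL).
 *
 * Enumeration of different certificate trust list flags. Each value
 * is also provided as a macro of the same name, so its presence can be
 * tested with #ifdef.
 */
typedef enum gnutls_trust_list_flags_t {
	GNUTLS_TL_VERIFY_CRL = 1,
#define GNUTLS_TL_VERIFY_CRL 1
	GNUTLS_TL_USE_IN_TLS = (1<<1),
#define GNUTLS_TL_USE_IN_TLS (1<<1)
	GNUTLS_TL_NO_DUPLICATES = (1<<2),
#define GNUTLS_TL_NO_DUPLICATES (1<<2)
	GNUTLS_TL_NO_DUPLICATE_KEY = (1<<3),
#define GNUTLS_TL_NO_DUPLICATE_KEY (1<<3)
	GNUTLS_TL_GET_COPY = (1<<4),
#define GNUTLS_TL_GET_COPY (1<<4)
	GNUTLS_TL_FAIL_ON_INVALID_CRL = (1<<5)
#define GNUTLS_TL_FAIL_ON_INVALID_CRL (1<<5)
} gnutls_trust_list_flags_t;

int gnutls_x509_trust_list_add_cas(gnutls_x509_trust_list_t list,
				   const gnutls_x509_crt_t * clist,
				   unsigned clist_size, unsigned int flags);
int gnutls_x509_trust_list_remove_cas(gnutls_x509_trust_list_t list,
				      const gnutls_x509_crt_t * clist,
				      unsigned clist_size);

int gnutls_x509_trust_list_add_named_crt(gnutls_x509_trust_list_t list,
					 gnutls_x509_crt_t cert,
					 const void *name,
					 size_t name_size,
					 unsigned int flags);

/* @flags takes gnutls_trust_list_flags_t values; @verification_flags
 * takes gnutls_certificate_verify_flags values and applies when
 * GNUTLS_TL_VERIFY_CRL is set. */
int gnutls_x509_trust_list_add_crls(gnutls_x509_trust_list_t list,
				    const gnutls_x509_crl_t * crl_list,
				    unsigned crl_size,
				    unsigned int flags,
				    unsigned int verification_flags);


int gnutls_x509_trust_list_iter_get_ca(gnutls_x509_trust_list_t list,
				       gnutls_x509_trust_list_iter_t *iter,
				       gnutls_x509_crt_t *crt);

void gnutls_x509_trust_list_iter_deinit(gnutls_x509_trust_list_iter_t iter);

/* Callback type invoked by the trust-list verification functions below.
 * @issuer is the issuer if verification failed because of it; it might
 * be NULL. @crl is the CRL that caused verification failure, if any;
 * it might be NULL. @verification_output carries the verification
 * status bits. */
typedef int gnutls_verify_output_function(gnutls_x509_crt_t cert,
					  gnutls_x509_crt_t issuer,
					  gnutls_x509_crl_t crl,
					  unsigned int verification_output);

int gnutls_x509_trust_list_verify_named_crt(gnutls_x509_trust_list_t list,
					    gnutls_x509_crt_t cert,
					    const void *name, size_t name_size,
					    unsigned int flags,
					    unsigned int *verify,
					    gnutls_verify_output_function func);

int gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
				       gnutls_x509_crt_t * cert_list,
				       unsigned int cert_list_size,
				       gnutls_typed_vdata_st * data,
				       unsigned int elements,
				       unsigned int flags,
				       unsigned int *voutput,
				       gnutls_verify_output_function func);

int gnutls_x509_trust_list_verify_crt(gnutls_x509_trust_list_t list,
				      gnutls_x509_crt_t * cert_list,
				      unsigned int cert_list_size,
				      unsigned int flags,
				      unsigned int *verify,
				      gnutls_verify_output_function func);

/* trust list convenience functions */
int gnutls_x509_trust_list_add_trust_mem(gnutls_x509_trust_list_t list,
					 const gnutls_datum_t * cas,
					 const gnutls_datum_t * crls,
					 gnutls_x509_crt_fmt_t type,
					 unsigned int tl_flags,
					 unsigned int tl_vflags);

int gnutls_x509_trust_list_add_trust_file(gnutls_x509_trust_list_t list,
					  const char *ca_file,
					  const char *crl_file,
					  gnutls_x509_crt_fmt_t type,
					  unsigned int tl_flags,
					  unsigned int tl_vflags);

int gnutls_x509_trust_list_add_trust_dir(gnutls_x509_trust_list_t list,
					 const char *ca_dir,
					 const char *crl_dir,
					 gnutls_x509_crt_fmt_t type,
					 unsigned int tl_flags,
					 unsigned int tl_vflags);

int gnutls_x509_trust_list_remove_trust_file(gnutls_x509_trust_list_t list,
					     const char *ca_file,
					     gnutls_x509_crt_fmt_t type);

int gnutls_x509_trust_list_remove_trust_mem(gnutls_x509_trust_list_t list,
					    const gnutls_datum_t * cas,
					    gnutls_x509_crt_fmt_t type);

int gnutls_x509_trust_list_add_system_trust(gnutls_x509_trust_list_t list,
					    unsigned int tl_flags,
					    unsigned int tl_vflags);

void gnutls_certificate_set_trust_list(gnutls_certificate_credentials_t res,
				       gnutls_x509_trust_list_t tlist,
				       unsigned flags);
void gnutls_certificate_get_trust_list(gnutls_certificate_credentials_t res,
				       gnutls_x509_trust_list_t *tlist);

/* A decoded X.509 extension; released with gnutls_x509_ext_deinit().
 */
typedef struct gnutls_x509_ext_st {
	char *oid;
	unsigned int critical;
	gnutls_datum_t data;
} gnutls_x509_ext_st;

void gnutls_x509_ext_deinit(gnutls_x509_ext_st *ext);

int gnutls_x509_ext_print(gnutls_x509_ext_st *exts, unsigned int exts_size,
			  gnutls_certificate_print_formats_t format,
			  gnutls_datum_t * out);

#include <gnutls/pkcs7.h>

/* *INDENT-OFF* */
#ifdef __cplusplus
}
#endif
/* *INDENT-ON* */
#endif /* GNUTLS_X509_H */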