2 * Copyright (C) 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009,
3 * 2010 Free Software Foundation, Inc.
5 * Author: Nikos Mavrogiannopoulos
7 * This file is part of GnuTLS.
9 * The GnuTLS is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU Lesser General Public License
11 * as published by the Free Software Foundation; either version 2.1 of
12 * the License, or (at your option) any later version.
14 * This library is distributed in the hope that it will be useful, but
15 * WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 * Lesser General Public License for more details.
19 * You should have received a copy of the GNU Lesser General Public
20 * License along with this library; if not, write to the Free Software
21 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
26 /* Some of the stuff needed for Certificate authentication is contained
30 #include <gnutls_int.h>
31 #include <gnutls_errors.h>
32 #include <auth_cert.h>
33 #include <gnutls_cert.h>
34 #include <gnutls_datum.h>
35 #include <gnutls_mpi.h>
36 #include <gnutls_global.h>
37 #include <gnutls_algorithms.h>
38 #include <gnutls_dh.h>
39 #include <gnutls_str.h>
40 #include <gnutls_state.h>
41 #include <gnutls_auth.h>
42 #include <gnutls_x509.h>
43 #include "x509/x509_int.h"
45 #include "openpgp/gnutls_openpgp.h"
49 * gnutls_certificate_free_keys:
50 * @sc: is a #gnutls_certificate_credentials_t structure.
52 * This function will delete all the keys and the certificates associated
53 * with the given credentials. This function must not be called when a
54 * TLS negotiation that uses the credentials is in progress.
58 gnutls_certificate_free_keys (gnutls_certificate_credentials_t sc)
62 for (i = 0; i < sc->ncerts; i++)
64 for (j = 0; j < sc->cert_list_length[i]; j++)
66 _gnutls_gcert_deinit (&sc->cert_list[i][j]);
68 gnutls_free (sc->cert_list[i]);
71 gnutls_free (sc->cert_list_length);
72 sc->cert_list_length = NULL;
74 gnutls_free (sc->cert_list);
77 for (i = 0; i < sc->ncerts; i++)
79 gnutls_privkey_deinit (sc->pkey[i]);
82 gnutls_free (sc->pkey);
90 * gnutls_certificate_get_issuer:
91 * @sc: is a #gnutls_certificate_credentials_t structure.
92 * @cert: is the certificate to find issuer for
93 * @issuer: Will hold the issuer if any. Should be treated as constant.
96 * This function will return the issuer of a given certificate.
98 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
99 * negative error value.
102 gnutls_certificate_get_issuer (gnutls_certificate_credentials_t sc,
103 gnutls_x509_crt_t cert, gnutls_x509_crt_t* issuer, unsigned int flags)
107 for (i=0;i<sc->x509_ncas;i++)
109 ret = gnutls_x509_crt_check_issuer(cert, sc->x509_ca_list[i]);
112 *issuer = sc->x509_ca_list[i];
117 return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
121 * gnutls_certificate_free_cas:
122 * @sc: is a #gnutls_certificate_credentials_t structure.
124 * This function will delete all the CAs associated with the given
125 * credentials. Servers that do not use
126 * gnutls_certificate_verify_peers2() may call this to save some
130 gnutls_certificate_free_cas (gnutls_certificate_credentials_t sc)
134 for (j = 0; j < sc->x509_ncas; j++)
136 gnutls_x509_crt_deinit (sc->x509_ca_list[j]);
141 gnutls_free (sc->x509_ca_list);
142 sc->x509_ca_list = NULL;
147 * gnutls_certificate_get_x509_cas:
148 * @sc: is a #gnutls_certificate_credentials_t structure.
149 * @x509_ca_list: will point to the CA list. Should be treated as constant
150 * @ncas: the number of CAs
152 * This function will export all the CAs associated with the given
158 gnutls_certificate_get_x509_cas (gnutls_certificate_credentials_t sc,
159 gnutls_x509_crt_t ** x509_ca_list,
162 *x509_ca_list = sc->x509_ca_list;
163 *ncas = sc->x509_ncas;
167 * gnutls_certificate_get_x509_crls:
168 * @sc: is a #gnutls_certificate_credentials_t structure.
169 * @x509_crl_list: the exported CRL list. Should be treated as constant
170 * @ncrls: the number of exported CRLs
172 * This function will export all the CRLs associated with the given
178 gnutls_certificate_get_x509_crls (gnutls_certificate_credentials_t sc,
179 gnutls_x509_crl_t ** x509_crl_list,
182 *x509_crl_list = sc->x509_crl_list;
183 *ncrls = sc->x509_ncrls;
186 #ifdef ENABLE_OPENPGP
189 * gnutls_certificate_get_openpgp_keyring:
190 * @sc: is a #gnutls_certificate_credentials_t structure.
191 * @keyring: the exported keyring. Should be treated as constant
193 * This function will export the OpenPGP keyring associated with the
199 gnutls_certificate_get_openpgp_keyring (gnutls_certificate_credentials_t sc,
200 gnutls_openpgp_keyring_t * keyring)
202 *keyring = sc->keyring;
208 * gnutls_certificate_free_ca_names:
209 * @sc: is a #gnutls_certificate_credentials_t structure.
211 * This function will delete all the CA name in the given
212 * credentials. Clients may call this to save some memory since in
213 * client side the CA names are not used. Servers might want to use
214 * this function if a large list of trusted CAs is present and
215 * sending the names of it would just consume bandwidth without providing
216 * information to client.
218 * CA names are used by servers to advertize the CAs they support to
222 gnutls_certificate_free_ca_names (gnutls_certificate_credentials_t sc)
224 _gnutls_free_datum (&sc->x509_rdn_sequence);
228 * _gnutls_certificate_get_rsa_params - Returns the RSA parameters pointer
229 * @rsa_params: holds the RSA parameters or NULL.
230 * @func: function to retrieve the parameters or NULL.
231 * @session: The session.
233 * This function will return the rsa parameters pointer.
236 _gnutls_certificate_get_rsa_params (gnutls_rsa_params_t rsa_params,
237 gnutls_params_function * func,
238 gnutls_session_t session)
240 gnutls_params_st params;
243 if (session->internals.params.rsa_params)
245 return session->internals.params.rsa_params;
250 session->internals.params.rsa_params = rsa_params;
254 ret = func (session, GNUTLS_PARAMS_RSA_EXPORT, ¶ms);
255 if (ret == 0 && params.type == GNUTLS_PARAMS_RSA_EXPORT)
257 session->internals.params.rsa_params = params.params.rsa_export;
258 session->internals.params.free_rsa_params = params.deinit;
262 return session->internals.params.rsa_params;
267 * gnutls_certificate_free_credentials:
268 * @sc: is a #gnutls_certificate_credentials_t structure.
270 * This structure is complex enough to manipulate directly thus this
271 * helper function is provided in order to free (deallocate) it.
273 * This function does not free any temporary parameters associated
274 * with this structure (ie RSA and DH parameters are not freed by this
278 gnutls_certificate_free_credentials (gnutls_certificate_credentials_t sc)
280 gnutls_certificate_free_keys (sc);
281 gnutls_certificate_free_cas (sc);
282 gnutls_certificate_free_ca_names (sc);
284 gnutls_certificate_free_crls (sc);
287 #ifdef ENABLE_OPENPGP
288 gnutls_openpgp_keyring_deinit (sc->keyring);
296 * gnutls_certificate_allocate_credentials:
297 * @res: is a pointer to a #gnutls_certificate_credentials_t structure.
299 * This structure is complex enough to manipulate directly thus this
300 * helper function is provided in order to allocate it.
302 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
305 gnutls_certificate_allocate_credentials (gnutls_certificate_credentials_t *
308 *res = gnutls_calloc (1, sizeof (certificate_credentials_st));
311 return GNUTLS_E_MEMORY_ERROR;
313 (*res)->verify_bits = DEFAULT_VERIFY_BITS;
314 (*res)->verify_depth = DEFAULT_VERIFY_DEPTH;
320 /* returns the KX algorithms that are supported by a
321 * certificate. (Eg a certificate with RSA params, supports
322 * GNUTLS_KX_RSA algorithm).
323 * This function also uses the KeyUsage field of the certificate
324 * extensions in order to disable unneded algorithms.
327 _gnutls_selected_cert_supported_kx (gnutls_session_t session,
328 gnutls_kx_algorithm_t ** alg,
331 gnutls_kx_algorithm_t kx;
332 gnutls_pk_algorithm_t pk;
333 gnutls_kx_algorithm_t kxlist[MAX_ALGOS];
337 if (session->internals.selected_cert_list_length == 0)
344 cert = &session->internals.selected_cert_list[0];
347 for (kx = 0; kx < MAX_ALGOS; kx++)
349 pk = _gnutls_map_pk_get_pk (kx);
350 if (pk == cert->subject_pk_algorithm)
352 /* then check key usage */
353 if (_gnutls_check_key_usage (cert, kx) == 0)
364 return GNUTLS_E_INVALID_REQUEST;
367 *alg = gnutls_calloc (i, sizeof (gnutls_kx_algorithm_t));
369 return GNUTLS_E_MEMORY_ERROR;
373 memcpy (*alg, kxlist, i * sizeof (gnutls_kx_algorithm_t));
380 * gnutls_certificate_server_set_request:
381 * @session: is a #gnutls_session_t structure.
382 * @req: is one of GNUTLS_CERT_REQUEST, GNUTLS_CERT_REQUIRE
384 * This function specifies if we (in case of a server) are going to
385 * send a certificate request message to the client. If @req is
386 * GNUTLS_CERT_REQUIRE then the server will return an error if the
387 * peer does not provide a certificate. If you do not call this
388 * function then the client will not be asked to send a certificate.
391 gnutls_certificate_server_set_request (gnutls_session_t session,
392 gnutls_certificate_request_t req)
394 session->internals.send_cert_req = req;
398 * gnutls_certificate_client_set_retrieve_function:
399 * @cred: is a #gnutls_certificate_credentials_t structure.
400 * @func: is the callback function
402 * This function sets a callback to be called in order to retrieve the
403 * certificate to be used in the handshake.
405 * The callback's function prototype is:
406 * int (*callback)(gnutls_session_t, const gnutls_datum_t* req_ca_dn, int nreqs,
407 * const gnutls_pk_algorithm_t* pk_algos, int pk_algos_length, gnutls_retr_st* st);
409 * @req_ca_cert is only used in X.509 certificates.
410 * Contains a list with the CA names that the server considers trusted.
411 * Normally we should send a certificate that is signed
412 * by one of these CAs. These names are DER encoded. To get a more
413 * meaningful value use the function gnutls_x509_rdn_get().
415 * @pk_algos contains a list with server's acceptable signature algorithms.
416 * The certificate returned should support the server's given algorithms.
418 * @st should contain the certificates and private keys.
420 * If the callback function is provided then gnutls will call it, in the
421 * handshake, after the certificate request message has been received.
423 * The callback function should set the certificate list to be sent,
424 * and return 0 on success. If no certificate was selected then the
425 * number of certificates should be set to zero. The value (-1)
426 * indicates error and the handshake will be terminated.
428 void gnutls_certificate_client_set_retrieve_function
429 (gnutls_certificate_credentials_t cred,
430 gnutls_certificate_client_retrieve_function * func)
432 cred->client_get_cert_callback = func;
436 * gnutls_certificate_server_set_retrieve_function:
437 * @cred: is a #gnutls_certificate_credentials_t structure.
438 * @func: is the callback function
440 * This function sets a callback to be called in order to retrieve the
441 * certificate to be used in the handshake.
443 * The callback's function prototype is:
444 * int (*callback)(gnutls_session_t, gnutls_retr_st* st);
446 * @st should contain the certificates and private keys.
448 * If the callback function is provided then gnutls will call it, in the
449 * handshake, after the certificate request message has been received.
451 * The callback function should set the certificate list to be sent, and
452 * return 0 on success. The value (-1) indicates error and the handshake
453 * will be terminated.
455 void gnutls_certificate_server_set_retrieve_function
456 (gnutls_certificate_credentials_t cred,
457 gnutls_certificate_server_retrieve_function * func)
459 cred->server_get_cert_callback = func;
463 * gnutls_certificate_set_retrieve_function:
464 * @cred: is a #gnutls_certificate_credentials_t structure.
465 * @func: is the callback function
467 * This function sets a callback to be called in order to retrieve the
468 * certificate to be used in the handshake.
470 * The callback's function prototype is:
471 * int (*callback)(gnutls_session_t, const gnutls_datum_t* req_ca_dn, int nreqs,
472 * const gnutls_pk_algorithm_t* pk_algos, int pk_algos_length, gnutls_retr2_st* st);
474 * @req_ca_cert is only used in X.509 certificates.
475 * Contains a list with the CA names that the server considers trusted.
476 * Normally we should send a certificate that is signed
477 * by one of these CAs. These names are DER encoded. To get a more
478 * meaningful value use the function gnutls_x509_rdn_get().
480 * @pk_algos contains a list with server's acceptable signature algorithms.
481 * The certificate returned should support the server's given algorithms.
483 * @st should contain the certificates and private keys.
485 * If the callback function is provided then gnutls will call it, in the
486 * handshake, after the certificate request message has been received.
488 * In server side pk_algos and req_ca_dn are NULL.
490 * The callback function should set the certificate list to be sent,
491 * and return 0 on success. If no certificate was selected then the
492 * number of certificates should be set to zero. The value (-1)
493 * indicates error and the handshake will be terminated.
495 void gnutls_certificate_set_retrieve_function
496 (gnutls_certificate_credentials_t cred,
497 gnutls_certificate_retrieve_function * func)
499 cred->get_cert_callback = func;
503 * gnutls_certificate_set_verify_function:
504 * @cred: is a #gnutls_certificate_credentials_t structure.
505 * @func: is the callback function
507 * This function sets a callback to be called when peer's certificate
508 * has been received in order to verify it on receipt rather than
509 * doing after the handshake is completed.
511 * The callback's function prototype is:
512 * int (*callback)(gnutls_session_t);
514 * If the callback function is provided then gnutls will call it, in the
515 * handshake, just after the certificate message has been received.
516 * To verify or obtain the certificate the gnutls_certificate_verify_peers2(),
517 * gnutls_certificate_type_get(), gnutls_certificate_get_peers() functions
520 * The callback function should return 0 for the handshake to continue
521 * or non-zero to terminate.
526 gnutls_certificate_set_verify_function
527 (gnutls_certificate_credentials_t cred,
528 gnutls_certificate_verify_function * func)
530 cred->verify_callback = func;
534 * _gnutls_x509_extract_certificate_activation_time - return the peer's certificate activation time
535 * @cert: should contain an X.509 DER encoded certificate
537 * This function will return the certificate's activation time in UNIX time
538 * (ie seconds since 00:00:00 UTC January 1, 1970).
540 * Returns a (time_t) -1 in case of an error.
544 _gnutls_x509_get_raw_crt_activation_time (const gnutls_datum_t * cert)
546 gnutls_x509_crt_t xcert;
549 result = gnutls_x509_crt_init (&xcert);
553 result = gnutls_x509_crt_import (xcert, cert, GNUTLS_X509_FMT_DER);
556 gnutls_x509_crt_deinit (xcert);
560 result = gnutls_x509_crt_get_activation_time (xcert);
562 gnutls_x509_crt_deinit (xcert);
568 * gnutls_x509_extract_certificate_expiration_time:
569 * @cert: should contain an X.509 DER encoded certificate
571 * This function will return the certificate's expiration time in UNIX
572 * time (ie seconds since 00:00:00 UTC January 1, 1970). Returns a
574 * (time_t) -1 in case of an error.
578 _gnutls_x509_get_raw_crt_expiration_time (const gnutls_datum_t * cert)
580 gnutls_x509_crt_t xcert;
583 result = gnutls_x509_crt_init (&xcert);
587 result = gnutls_x509_crt_import (xcert, cert, GNUTLS_X509_FMT_DER);
590 gnutls_x509_crt_deinit (xcert);
594 result = gnutls_x509_crt_get_expiration_time (xcert);
596 gnutls_x509_crt_deinit (xcert);
601 #ifdef ENABLE_OPENPGP
603 * _gnutls_openpgp_crt_verify_peers - return the peer's certificate status
604 * @session: is a gnutls session
606 * This function will try to verify the peer's certificate and return its status (TRUSTED, INVALID etc.).
607 * Returns a negative error code in case of an error, or GNUTLS_E_NO_CERTIFICATE_FOUND if no certificate was sent.
610 _gnutls_openpgp_crt_verify_peers (gnutls_session_t session,
611 unsigned int *status)
613 cert_auth_info_t info;
614 gnutls_certificate_credentials_t cred;
615 int peer_certificate_list_size, ret;
617 CHECK_AUTH (GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST);
619 info = _gnutls_get_auth_info (session);
621 return GNUTLS_E_INVALID_REQUEST;
623 cred = (gnutls_certificate_credentials_t)
624 _gnutls_get_cred (session->key, GNUTLS_CRD_CERTIFICATE, NULL);
628 return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
631 if (info->raw_certificate_list == NULL || info->ncerts == 0)
634 return GNUTLS_E_NO_CERTIFICATE_FOUND;
637 /* generate a list of gnutls_certs based on the auth info
640 peer_certificate_list_size = info->ncerts;
642 if (peer_certificate_list_size != 1)
645 return GNUTLS_E_INTERNAL_ERROR;
648 /* Verify certificate
651 _gnutls_openpgp_verify_key (cred, &info->raw_certificate_list[0],
652 peer_certificate_list_size, status);
665 * gnutls_certificate_verify_peers2:
666 * @session: is a gnutls session
667 * @status: is the output of the verification
669 * This function will try to verify the peer's certificate and return
670 * its status (trusted, invalid etc.). The value of @status should
671 * be one or more of the gnutls_certificate_status_t enumerated
672 * elements bitwise or'd. To avoid denial of service attacks some
673 * default upper limits regarding the certificate key size and chain
674 * size are set. To override them use
675 * gnutls_certificate_set_verify_limits().
677 * Note that you must also check the peer's name in order to check if
678 * the verified certificate belongs to the actual peer.
680 * This function uses gnutls_x509_crt_list_verify() with the CAs in
681 * the credentials as trusted CAs.
683 * Returns: a negative error code on error and zero on success.
686 gnutls_certificate_verify_peers2 (gnutls_session_t session,
687 unsigned int *status)
689 cert_auth_info_t info;
691 CHECK_AUTH (GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST);
693 info = _gnutls_get_auth_info (session);
696 return GNUTLS_E_NO_CERTIFICATE_FOUND;
699 if (info->raw_certificate_list == NULL || info->ncerts == 0)
700 return GNUTLS_E_NO_CERTIFICATE_FOUND;
702 switch (gnutls_certificate_type_get (session))
704 case GNUTLS_CRT_X509:
705 return _gnutls_x509_cert_verify_peers (session, status);
706 #ifdef ENABLE_OPENPGP
707 case GNUTLS_CRT_OPENPGP:
708 return _gnutls_openpgp_crt_verify_peers (session, status);
711 return GNUTLS_E_INVALID_REQUEST;
716 * gnutls_certificate_verify_peers:
717 * @session: is a gnutls session
719 * This function will try to verify the peer's certificate and return
720 * its status (trusted, invalid etc.). However you must also check
721 * the peer's name in order to check if the verified certificate
722 * belongs to the actual peer.
724 * This function uses gnutls_x509_crt_list_verify().
726 * Returns: one or more of the #gnutls_certificate_status_t
727 * enumerated elements bitwise or'd, or a negative value on error.
729 * Deprecated: Use gnutls_certificate_verify_peers2() instead.
732 gnutls_certificate_verify_peers (gnutls_session_t session)
737 ret = gnutls_certificate_verify_peers2 (session, &status);
749 * gnutls_certificate_expiration_time_peers:
750 * @session: is a gnutls session
752 * This function will return the peer's certificate expiration time.
754 * Returns: (time_t)-1 on error.
756 * Deprecated: gnutls_certificate_verify_peers2() now verifies expiration times.
759 gnutls_certificate_expiration_time_peers (gnutls_session_t session)
761 cert_auth_info_t info;
763 CHECK_AUTH (GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST);
765 info = _gnutls_get_auth_info (session);
771 if (info->raw_certificate_list == NULL || info->ncerts == 0)
777 switch (gnutls_certificate_type_get (session))
779 case GNUTLS_CRT_X509:
781 _gnutls_x509_get_raw_crt_expiration_time (&info->raw_certificate_list
783 #ifdef ENABLE_OPENPGP
784 case GNUTLS_CRT_OPENPGP:
786 _gnutls_openpgp_get_raw_key_expiration_time
787 (&info->raw_certificate_list[0]);
795 * gnutls_certificate_activation_time_peers:
796 * @session: is a gnutls session
798 * This function will return the peer's certificate activation time.
799 * This is the creation time for openpgp keys.
801 * Returns: (time_t)-1 on error.
803 * Deprecated: gnutls_certificate_verify_peers2() now verifies activation times.
806 gnutls_certificate_activation_time_peers (gnutls_session_t session)
808 cert_auth_info_t info;
810 CHECK_AUTH (GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST);
812 info = _gnutls_get_auth_info (session);
818 if (info->raw_certificate_list == NULL || info->ncerts == 0)
824 switch (gnutls_certificate_type_get (session))
826 case GNUTLS_CRT_X509:
828 _gnutls_x509_get_raw_crt_activation_time (&info->raw_certificate_list
830 #ifdef ENABLE_OPENPGP
831 case GNUTLS_CRT_OPENPGP:
833 _gnutls_openpgp_get_raw_key_creation_time (&info->raw_certificate_list
841 /* Converts the first certificate for the cert_auth_info structure
845 _gnutls_get_auth_info_gcert (gnutls_cert * gcert,
846 gnutls_certificate_type_t type,
847 cert_auth_info_t info,
848 int flags /* OR of ConvFlags */ )
852 case GNUTLS_CRT_X509:
853 return _gnutls_x509_raw_cert_to_gcert (gcert,
854 &info->raw_certificate_list[0],
856 #ifdef ENABLE_OPENPGP
857 case GNUTLS_CRT_OPENPGP:
858 return _gnutls_openpgp_raw_crt_to_gcert (gcert,
859 &info->raw_certificate_list[0],
860 info->use_subkey ? info->
865 return GNUTLS_E_INTERNAL_ERROR;
869 /* This function will convert a der certificate to a format
870 * (structure) that gnutls can understand and use. Actually the
871 * important thing on this function is that it extracts the
872 * certificate's (public key) parameters.
874 * The noext flag is used to complete the handshake even if the
875 * extensions found in the certificate are unsupported and critical.
876 * The critical extensions will be catched by the verification functions.
879 _gnutls_x509_raw_cert_to_gcert (gnutls_cert * gcert,
880 const gnutls_datum_t * derCert,
881 int flags /* OR of ConvFlags */ )
884 gnutls_x509_crt_t cert;
886 ret = gnutls_x509_crt_init (&cert);
893 ret = gnutls_x509_crt_import (cert, derCert, GNUTLS_X509_FMT_DER);
897 gnutls_x509_crt_deinit (cert);
901 ret = _gnutls_x509_crt_to_gcert (gcert, cert, flags);
902 gnutls_x509_crt_deinit (cert);
907 /* Like above but it accepts a parsed certificate instead.
910 _gnutls_x509_crt_to_gcert (gnutls_cert * gcert,
911 gnutls_x509_crt_t cert, unsigned int flags)
915 memset (gcert, 0, sizeof (gnutls_cert));
916 gcert->cert_type = GNUTLS_CRT_X509;
917 gcert->sign_algo = gnutls_x509_crt_get_signature_algorithm (cert);
919 if (!(flags & CERT_NO_COPY))
921 #define SMALL_DER 1536
923 size_t der_size = SMALL_DER;
925 /* initially allocate a bogus size, just in case the certificate
926 * fits in it. That way we minimize the DER encodings performed.
928 der = gnutls_malloc (SMALL_DER);
932 return GNUTLS_E_MEMORY_ERROR;
936 gnutls_x509_crt_export (cert, GNUTLS_X509_FMT_DER, der, &der_size);
937 if (ret < 0 && ret != GNUTLS_E_SHORT_MEMORY_BUFFER)
944 if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER)
946 der = gnutls_realloc (der, der_size);
950 return GNUTLS_E_MEMORY_ERROR;
954 gnutls_x509_crt_export (cert, GNUTLS_X509_FMT_DER, der,
964 gcert->raw.data = der;
965 gcert->raw.size = der_size;
968 /* now we have 0 or a bitwise or of things to decode */
969 flags ^= CERT_NO_COPY;
972 if (flags & CERT_ONLY_EXTENSIONS || flags == 0)
974 ret = gnutls_x509_crt_get_key_usage (cert, &gcert->key_usage, NULL);
975 if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
976 gcert->key_usage = 0;
982 gcert->version = gnutls_x509_crt_get_version (cert);
984 gcert->subject_pk_algorithm = gnutls_x509_crt_get_pk_algorithm (cert, NULL);
986 if (flags & CERT_ONLY_PUBKEY || flags == 0)
988 gcert->params_size = MAX_PUBLIC_PARAMS_SIZE;
990 _gnutls_x509_crt_get_mpis (cert, gcert->params, &gcert->params_size);
1003 _gnutls_gcert_deinit (gnutls_cert * cert)
1010 for (i = 0; i < cert->params_size; i++)
1012 _gnutls_mpi_release (&cert->params[i]);
1015 _gnutls_free_datum (&cert->raw);
1019 * gnutls_sign_callback_set:
1020 * @session: is a gnutls session
1021 * @sign_func: function pointer to application's sign callback.
1022 * @userdata: void pointer that will be passed to sign callback.
1024 * Set the callback function. The function must have this prototype:
1026 * typedef int (*gnutls_sign_func) (gnutls_session_t session,
1028 * gnutls_certificate_type_t cert_type,
1029 * const gnutls_datum_t * cert,
1030 * const gnutls_datum_t * hash,
1031 * gnutls_datum_t * signature);
1033 * The @userdata parameter is passed to the @sign_func verbatim, and
1034 * can be used to store application-specific data needed in the
1035 * callback function. See also gnutls_sign_callback_get().
1037 * Deprecated: Use the PKCS 11 interfaces instead.
1040 gnutls_sign_callback_set (gnutls_session_t session,
1041 gnutls_sign_func sign_func, void *userdata)
1043 session->internals.sign_func = sign_func;
1044 session->internals.sign_func_userdata = userdata;
1048 * gnutls_sign_callback_get:
1049 * @session: is a gnutls session
1050 * @userdata: if non-%NULL, will be set to abstract callback pointer.
1052 * Retrieve the callback function, and its userdata pointer.
1054 * Returns: The function pointer set by gnutls_sign_callback_set(), or
1055 * if not set, %NULL.
1057 * Deprecated: Use the PKCS 11 interfaces instead.
1060 gnutls_sign_callback_get (gnutls_session_t session, void **userdata)
1063 *userdata = session->internals.sign_func_userdata;
1064 return session->internals.sign_func;