2 * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008, 2010 Free Software
5 * Author: Nikos Mavrogiannopoulos
7 * This file is part of GnuTLS.
9 * The GnuTLS is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU Lesser General Public License
11 * as published by the Free Software Foundation; either version 2.1 of
12 * the License, or (at your option) any later version.
14 * This library is distributed in the hope that it will be useful, but
15 * WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 * Lesser General Public License for more details.
19 * You should have received a copy of the GNU Lesser General Public
20 * License along with this library; if not, write to the Free Software
21 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
26 #include <gnutls_int.h>
31 #include <gnutls_datum.h>
32 #include <gnutls_global.h>
33 #include <gnutls_errors.h>
39 * gnutls_x509_crl_init:
40 * @crl: The structure to be initialized
42 * This function will initialize a CRL structure. CRL stands for
43 * Certificate Revocation List. A revocation list usually contains
44 * lists of certificate serial numbers that have been revoked by an
45 * Authority. The revocation lists are always signed with the
46 * authority's private key.
48 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
49 * negative error value.
52 gnutls_x509_crl_init (gnutls_x509_crl_t * crl)
54 *crl = gnutls_calloc (1, sizeof (gnutls_x509_crl_int));
58 int result = asn1_create_element (_gnutls_get_pkix (),
59 "PKIX1.CertificateList",
61 if (result != ASN1_SUCCESS)
65 return _gnutls_asn2err (result);
67 return 0; /* success */
69 return GNUTLS_E_MEMORY_ERROR;
73 * gnutls_x509_crl_deinit:
74 * @crl: The structure to be initialized
76 * This function will deinitialize a CRL structure.
79 gnutls_x509_crl_deinit (gnutls_x509_crl_t crl)
85 asn1_delete_structure (&crl->crl);
91 * gnutls_x509_crl_import:
92 * @crl: The structure to store the parsed CRL.
93 * @data: The DER or PEM encoded CRL.
94 * @format: One of DER or PEM
96 * This function will convert the given DER or PEM encoded CRL
97 * to the native #gnutls_x509_crl_t format. The output will be stored in 'crl'.
99 * If the CRL is PEM encoded it should have a header of "X509 CRL".
101 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
102 * negative error value.
105 gnutls_x509_crl_import (gnutls_x509_crl_t crl,
106 const gnutls_datum_t * data,
107 gnutls_x509_crt_fmt_t format)
109 int result = 0, need_free = 0;
110 gnutls_datum_t _data;
112 _data.data = data->data;
113 _data.size = data->size;
118 return GNUTLS_E_INVALID_REQUEST;
121 /* If the CRL is in PEM format then decode it
123 if (format == GNUTLS_X509_FMT_PEM)
127 result = _gnutls_fbase64_decode (PEM_CRL, data->data, data->size, &out);
132 result = GNUTLS_E_INTERNAL_ERROR;
144 result = asn1_der_decoding (&crl->crl, _data.data, _data.size, NULL);
145 if (result != ASN1_SUCCESS)
147 result = _gnutls_asn2err (result);
153 _gnutls_free_datum (&_data);
159 _gnutls_free_datum (&_data);
165 * gnutls_x509_crl_get_issuer_dn:
166 * @crl: should contain a gnutls_x509_crl_t structure
167 * @buf: a pointer to a structure to hold the peer's name (may be null)
168 * @sizeof_buf: initially holds the size of @buf
170 * This function will copy the name of the CRL issuer in the provided
171 * buffer. The name will be in the form "C=xxxx,O=yyyy,CN=zzzz" as
172 * described in RFC2253. The output string will be ASCII or UTF-8
173 * encoded, depending on the certificate data.
175 * If buf is %NULL then only the size will be filled.
177 * Returns: %GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is
178 * not long enough, and in that case the sizeof_buf will be updated
179 * with the required size, and 0 on success.
183 gnutls_x509_crl_get_issuer_dn (const gnutls_x509_crl_t crl, char *buf,
189 return GNUTLS_E_INVALID_REQUEST;
192 return _gnutls_x509_parse_dn (crl->crl,
193 "tbsCertList.issuer.rdnSequence",
198 * gnutls_x509_crl_get_issuer_dn_by_oid:
199 * @crl: should contain a gnutls_x509_crl_t structure
200 * @oid: holds an Object Identified in null terminated string
201 * @indx: In case multiple same OIDs exist in the RDN, this specifies which to send. Use zero to get the first one.
202 * @raw_flag: If non zero returns the raw DER data of the DN part.
203 * @buf: a pointer to a structure to hold the peer's name (may be null)
204 * @sizeof_buf: initially holds the size of @buf
206 * This function will extract the part of the name of the CRL issuer
207 * specified by the given OID. The output will be encoded as described
208 * in RFC2253. The output string will be ASCII or UTF-8 encoded,
209 * depending on the certificate data.
211 * Some helper macros with popular OIDs can be found in gnutls/x509.h
212 * If raw flag is zero, this function will only return known OIDs as
213 * text. Other OIDs will be DER encoded, as described in RFC2253 -- in
214 * hex format with a '\#' prefix. You can check about known OIDs
215 * using gnutls_x509_dn_oid_known().
217 * If buf is null then only the size will be filled.
219 * Returns: %GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is
220 * not long enough, and in that case the sizeof_buf will be updated
221 * with the required size, and 0 on success.
224 gnutls_x509_crl_get_issuer_dn_by_oid (gnutls_x509_crl_t crl,
225 const char *oid, int indx,
226 unsigned int raw_flag, void *buf,
232 return GNUTLS_E_INVALID_REQUEST;
235 return _gnutls_x509_parse_dn_oid (crl->crl,
236 "tbsCertList.issuer.rdnSequence",
237 oid, indx, raw_flag, buf, sizeof_buf);
241 * gnutls_x509_crl_get_dn_oid:
242 * @crl: should contain a gnutls_x509_crl_t structure
243 * @indx: Specifies which DN OID to send. Use zero to get the first one.
244 * @oid: a pointer to a structure to hold the name (may be null)
245 * @sizeof_oid: initially holds the size of 'oid'
247 * This function will extract the requested OID of the name of the CRL
248 * issuer, specified by the given index.
250 * If oid is null then only the size will be filled.
252 * Returns: %GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is
253 * not long enough, and in that case the sizeof_oid will be updated
254 * with the required size. On success 0 is returned.
257 gnutls_x509_crl_get_dn_oid (gnutls_x509_crl_t crl,
258 int indx, void *oid, size_t * sizeof_oid)
263 return GNUTLS_E_INVALID_REQUEST;
266 return _gnutls_x509_get_dn_oid (crl->crl,
267 "tbsCertList.issuer.rdnSequence", indx,
273 * gnutls_x509_crl_get_signature_algorithm:
274 * @crl: should contain a #gnutls_x509_crl_t structure
276 * This function will return a value of the #gnutls_sign_algorithm_t
277 * enumeration that is the signature algorithm.
279 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
280 * negative error value.
283 gnutls_x509_crl_get_signature_algorithm (gnutls_x509_crl_t crl)
291 return GNUTLS_E_INVALID_REQUEST;
294 /* Read the signature algorithm. Note that parameters are not
295 * read. They will be read from the issuer's certificate if needed.
299 _gnutls_x509_read_value (crl->crl, "signatureAlgorithm.algorithm",
308 result = _gnutls_x509_oid2sign_algorithm ((const char *) sa.data);
310 _gnutls_free_datum (&sa);
316 * gnutls_x509_crl_get_signature:
317 * @crl: should contain a gnutls_x509_crl_t structure
318 * @sig: a pointer where the signature part will be copied (may be null).
319 * @sizeof_sig: initially holds the size of @sig
321 * This function will extract the signature field of a CRL.
323 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
324 * negative error value. and a negative value on error.
327 gnutls_x509_crl_get_signature (gnutls_x509_crl_t crl,
328 char *sig, size_t * sizeof_sig)
337 return GNUTLS_E_INVALID_REQUEST;
341 result = asn1_read_value (crl->crl, "signature", NULL, &bits);
342 if (result != ASN1_MEM_ERROR)
345 return _gnutls_asn2err (result);
351 return GNUTLS_E_CERTIFICATE_ERROR;
356 if (*sizeof_sig < len)
358 *sizeof_sig = bits / 8;
359 return GNUTLS_E_SHORT_MEMORY_BUFFER;
362 result = asn1_read_value (crl->crl, "signature", sig, &len);
363 if (result != ASN1_SUCCESS)
366 return _gnutls_asn2err (result);
373 * gnutls_x509_crl_get_version:
374 * @crl: should contain a #gnutls_x509_crl_t structure
376 * This function will return the version of the specified CRL.
378 * Returns: The version number, or a negative value on error.
381 gnutls_x509_crl_get_version (gnutls_x509_crl_t crl)
389 return GNUTLS_E_INVALID_REQUEST;
392 len = sizeof (version);
394 asn1_read_value (crl->crl, "tbsCertList.version", version,
395 &len)) != ASN1_SUCCESS)
398 return _gnutls_asn2err (result);
401 return (int) version[0] + 1;
405 * gnutls_x509_crl_get_this_update:
406 * @crl: should contain a #gnutls_x509_crl_t structure
408 * This function will return the time this CRL was issued.
410 * Returns: when the CRL was issued, or (time_t)-1 on error.
413 gnutls_x509_crl_get_this_update (gnutls_x509_crl_t crl)
421 return _gnutls_x509_get_time (crl->crl, "tbsCertList.thisUpdate");
425 * gnutls_x509_crl_get_next_update:
426 * @crl: should contain a #gnutls_x509_crl_t structure
428 * This function will return the time the next CRL will be issued.
429 * This field is optional in a CRL so it might be normal to get an
432 * Returns: when the next CRL will be issued, or (time_t)-1 on error.
435 gnutls_x509_crl_get_next_update (gnutls_x509_crl_t crl)
443 return _gnutls_x509_get_time (crl->crl, "tbsCertList.nextUpdate");
447 * gnutls_x509_crl_get_crt_count:
448 * @crl: should contain a #gnutls_x509_crl_t structure
450 * This function will return the number of revoked certificates in the
453 * Returns: number of certificates, a negative value on failure.
456 gnutls_x509_crl_get_crt_count (gnutls_x509_crl_t crl)
464 return GNUTLS_E_INVALID_REQUEST;
468 asn1_number_of_elements (crl->crl,
469 "tbsCertList.revokedCertificates", &count);
471 if (result != ASN1_SUCCESS)
474 return 0; /* no certificates */
481 * gnutls_x509_crl_get_crt_serial:
482 * @crl: should contain a #gnutls_x509_crl_t structure
483 * @indx: the index of the certificate to extract (starting from 0)
484 * @serial: where the serial number will be copied
485 * @serial_size: initially holds the size of serial
486 * @t: if non null, will hold the time this certificate was revoked
488 * This function will retrieve the serial number of the specified, by
489 * the index, revoked certificate.
491 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
492 * negative error value. and a negative value on error.
495 gnutls_x509_crl_get_crt_serial (gnutls_x509_crl_t crl, int indx,
496 unsigned char *serial,
497 size_t * serial_size, time_t * t)
500 int result, _serial_size;
501 char serial_name[ASN1_MAX_NAME_SIZE];
502 char date_name[ASN1_MAX_NAME_SIZE];
507 return GNUTLS_E_INVALID_REQUEST;
510 snprintf (serial_name, sizeof (serial_name),
511 "tbsCertList.revokedCertificates.?%u.userCertificate", indx + 1);
512 snprintf (date_name, sizeof (date_name),
513 "tbsCertList.revokedCertificates.?%u.revocationDate", indx + 1);
515 _serial_size = *serial_size;
516 result = asn1_read_value (crl->crl, serial_name, serial, &_serial_size);
518 *serial_size = _serial_size;
519 if (result != ASN1_SUCCESS)
522 if (result == ASN1_ELEMENT_NOT_FOUND)
523 return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
524 return _gnutls_asn2err (result);
529 *t = _gnutls_x509_get_time (crl->crl, date_name);
536 * gnutls_x509_crl_get_raw_issuer_dn:
537 * @crl: should contain a gnutls_x509_crl_t structure
538 * @dn: will hold the starting point of the DN
540 * This function will return a pointer to the DER encoded DN structure
543 * Returns: a negative value on error, and zero on success.
548 gnutls_x509_crl_get_raw_issuer_dn (gnutls_x509_crl_t crl,
551 ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
554 gnutls_datum_t crl_signed_data;
559 return GNUTLS_E_INVALID_REQUEST;
562 /* get the issuer of 'crl'
565 asn1_create_element (_gnutls_get_pkix (), "PKIX1.TBSCertList",
566 &c2)) != ASN1_SUCCESS)
569 return _gnutls_asn2err (result);
573 _gnutls_x509_get_signed_data (crl->crl, "tbsCertList", &crl_signed_data);
581 asn1_der_decoding (&c2, crl_signed_data.data, crl_signed_data.size, NULL);
582 if (result != ASN1_SUCCESS)
584 /* couldn't decode DER */
586 asn1_delete_structure (&c2);
587 result = _gnutls_asn2err (result);
592 asn1_der_decoding_startEnd (c2, crl_signed_data.data,
593 crl_signed_data.size, "issuer",
596 if (result != ASN1_SUCCESS)
599 result = _gnutls_asn2err (result);
603 len1 = end1 - start1 + 1;
605 _gnutls_set_datum (dn, &crl_signed_data.data[start1], len1);
610 asn1_delete_structure (&c2);
611 _gnutls_free_datum (&crl_signed_data);
616 * gnutls_x509_crl_export:
617 * @crl: Holds the revocation list
618 * @format: the format of output params. One of PEM or DER.
619 * @output_data: will contain a private key PEM or DER encoded
620 * @output_data_size: holds the size of output_data (and will
621 * be replaced by the actual size of parameters)
623 * This function will export the revocation list to DER or PEM format.
625 * If the buffer provided is not long enough to hold the output, then
626 * %GNUTLS_E_SHORT_MEMORY_BUFFER will be returned.
628 * If the structure is PEM encoded, it will have a header
629 * of "BEGIN X509 CRL".
631 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
632 * negative error value. and a negative value on failure.
635 gnutls_x509_crl_export (gnutls_x509_crl_t crl,
636 gnutls_x509_crt_fmt_t format, void *output_data,
637 size_t * output_data_size)
642 return GNUTLS_E_INVALID_REQUEST;
645 return _gnutls_x509_export_int (crl->crl, format, PEM_CRL,
646 output_data, output_data_size);
650 * _gnutls_x509_crl_cpy - This function copies a gnutls_x509_crl_t structure
651 * @dest: The structure where to copy
652 * @src: The structure to be copied
654 * This function will copy an X.509 certificate structure.
656 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
657 * negative error value.
660 _gnutls_x509_crl_cpy (gnutls_x509_crl_t dest, gnutls_x509_crl_t src)
667 ret = gnutls_x509_crl_export (src, GNUTLS_X509_FMT_DER, NULL, &der_size);
668 if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER)
674 der = gnutls_malloc (der_size);
678 return GNUTLS_E_MEMORY_ERROR;
681 ret = gnutls_x509_crl_export (src, GNUTLS_X509_FMT_DER, der, &der_size);
691 ret = gnutls_x509_crl_import (dest, &tmp, GNUTLS_X509_FMT_DER);
706 * gnutls_x509_crl_get_authority_key_id:
707 * @crl: should contain a #gnutls_x509_crl_t structure
708 * @ret: The place where the identifier will be copied
709 * @ret_size: Holds the size of the result field.
710 * @critical: will be non zero if the extension is marked as critical
713 * This function will return the CRL authority's key identifier. This
714 * is obtained by the X.509 Authority Key identifier extension field
715 * (2.5.29.35). Note that this function only returns the
716 * keyIdentifier field of the extension.
718 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
719 * negative value in case of an error.
724 gnutls_x509_crl_get_authority_key_id (gnutls_x509_crl_t crl, void *ret,
726 unsigned int *critical)
730 ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
735 return GNUTLS_E_INVALID_REQUEST;
740 memset (ret, 0, *ret_size);
745 _gnutls_x509_crl_get_extension (crl, "2.5.29.35", 0, &id,
751 if (id.size == 0 || id.data == NULL)
754 return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
757 result = asn1_create_element
758 (_gnutls_get_pkix (), "PKIX1.AuthorityKeyIdentifier", &c2);
759 if (result != ASN1_SUCCESS)
762 _gnutls_free_datum (&id);
763 return _gnutls_asn2err (result);
766 result = asn1_der_decoding (&c2, id.data, id.size, NULL);
767 _gnutls_free_datum (&id);
769 if (result != ASN1_SUCCESS)
772 asn1_delete_structure (&c2);
773 return _gnutls_asn2err (result);
777 result = asn1_read_value (c2, "keyIdentifier", ret, &len);
780 asn1_delete_structure (&c2);
782 if (result == ASN1_VALUE_NOT_FOUND || result == ASN1_ELEMENT_NOT_FOUND)
784 return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
787 if (result != ASN1_SUCCESS)
790 return _gnutls_asn2err (result);
797 * gnutls_x509_crl_get_number:
798 * @crl: should contain a #gnutls_x509_crl_t structure
799 * @ret: The place where the number will be copied
800 * @ret_size: Holds the size of the result field.
801 * @critical: will be non zero if the extension is marked as critical
804 * This function will return the CRL number extension. This is
805 * obtained by the CRL Number extension field (2.5.29.20).
807 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
808 * negative value in case of an error.
813 gnutls_x509_crl_get_number (gnutls_x509_crl_t crl, void *ret,
814 size_t * ret_size, unsigned int *critical)
822 return GNUTLS_E_INVALID_REQUEST;
827 memset (ret, 0, *ret_size);
832 _gnutls_x509_crl_get_extension (crl, "2.5.29.20", 0, &id,
838 if (id.size == 0 || id.data == NULL)
841 return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
844 result = _gnutls_x509_ext_extract_number (ret, ret_size, id.data, id.size);
846 _gnutls_free_datum (&id);
858 * gnutls_x509_crl_get_extension_oid:
859 * @crl: should contain a #gnutls_x509_crl_t structure
860 * @indx: Specifies which extension OID to send, use zero to get the first one.
861 * @oid: a pointer to a structure to hold the OID (may be null)
862 * @sizeof_oid: initially holds the size of @oid
864 * This function will return the requested extension OID in the CRL.
865 * The extension OID will be stored as a string in the provided
868 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
869 * negative value in case of an error. If your have reached the
870 * last extension available %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
876 gnutls_x509_crl_get_extension_oid (gnutls_x509_crl_t crl, int indx,
877 void *oid, size_t * sizeof_oid)
884 return GNUTLS_E_INVALID_REQUEST;
887 result = _gnutls_x509_crl_get_extension_oid (crl, indx, oid, sizeof_oid);
898 * gnutls_x509_crl_get_extension_info:
899 * @crl: should contain a #gnutls_x509_crl_t structure
900 * @indx: Specifies which extension OID to send, use zero to get the first one.
901 * @oid: a pointer to a structure to hold the OID
902 * @sizeof_oid: initially holds the maximum size of @oid, on return
903 * holds actual size of @oid.
904 * @critical: output variable with critical flag, may be NULL.
906 * This function will return the requested extension OID in the CRL,
907 * and the critical flag for it. The extension OID will be stored as
908 * a string in the provided buffer. Use
909 * gnutls_x509_crl_get_extension_data() to extract the data.
911 * If the buffer provided is not long enough to hold the output, then
912 * *@sizeof_oid is updated and %GNUTLS_E_SHORT_MEMORY_BUFFER will be
915 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
916 * negative value in case of an error. If your have reached the
917 * last extension available %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
923 gnutls_x509_crl_get_extension_info (gnutls_x509_crl_t crl, int indx,
924 void *oid, size_t * sizeof_oid,
928 char str_critical[10];
929 char name[ASN1_MAX_NAME_SIZE];
935 return GNUTLS_E_INVALID_REQUEST;
938 snprintf (name, sizeof (name), "tbsCertList.crlExtensions.?%u.extnID",
942 result = asn1_read_value (crl->crl, name, oid, &len);
945 if (result == ASN1_ELEMENT_NOT_FOUND)
946 return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
947 else if (result != ASN1_SUCCESS)
950 return _gnutls_asn2err (result);
953 snprintf (name, sizeof (name), "tbsCertList.crlExtensions.?%u.critical",
955 len = sizeof (str_critical);
956 result = asn1_read_value (crl->crl, name, str_critical, &len);
957 if (result != ASN1_SUCCESS)
960 return _gnutls_asn2err (result);
965 if (str_critical[0] == 'T')
976 * gnutls_x509_crl_get_extension_data:
977 * @crl: should contain a #gnutls_x509_crl_t structure
978 * @indx: Specifies which extension OID to send. Use zero to get the first one.
979 * @data: a pointer to a structure to hold the data (may be null)
980 * @sizeof_data: initially holds the size of @oid
982 * This function will return the requested extension data in the CRL.
983 * The extension data will be stored as a string in the provided
986 * Use gnutls_x509_crl_get_extension_info() to extract the OID and
987 * critical flag. Use gnutls_x509_crl_get_extension_info() instead,
988 * if you want to get data indexed by the extension OID rather than
991 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
992 * negative value in case of an error. If your have reached the
993 * last extension available %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
999 gnutls_x509_crl_get_extension_data (gnutls_x509_crl_t crl, int indx,
1000 void *data, size_t * sizeof_data)
1003 char name[ASN1_MAX_NAME_SIZE];
1008 return GNUTLS_E_INVALID_REQUEST;
1011 snprintf (name, sizeof (name), "tbsCertList.crlExtensions.?%u.extnValue",
1015 result = asn1_read_value (crl->crl, name, data, &len);
1018 if (result == ASN1_ELEMENT_NOT_FOUND)
1019 return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
1020 else if (result < 0)
1023 return _gnutls_asn2err (result);