|  |  |  | GNU TLS API Reference Manual |  | 
|---|
| x509x509 — | 
#define HASH_OID_SHA1 #define HASH_OID_MD5 #define HASH_OID_MD2 #define HASH_OID_RMD160 gnutls_x509_crl_int; gnutls_x509_crt_int; enum gnutls_certificate_import_flags; #define MAX_PRIV_PARAMS_SIZE #define DSA_PRIVATE_PARAMS #define DSA_PUBLIC_PARAMS #define RSA_PRIVATE_PARAMS #define RSA_PUBLIC_PARAMS gnutls_x509_privkey_int; int gnutls_x509_crt_get_issuer_dn_by_oid (gnutls_x509_crt_t cert, const char *oid, int indx, unsigned int raw_flag, void *buf, size_t *sizeof_buf); int gnutls_x509_crt_get_subject_alt_name (gnutls_x509_crt_t cert, unsigned int seq, void *ret, size_t *ret_size, unsigned int *critical); int gnutls_x509_crt_get_dn_by_oid (gnutls_x509_crt_t cert, const char *oid, int indx, unsigned int raw_flag, void *buf, size_t *sizeof_buf); int gnutls_x509_crt_get_ca_status (gnutls_x509_crt_t cert, unsigned int *critical); int gnutls_x509_crt_get_pk_algorithm (gnutls_x509_crt_t cert, unsigned int *bits); int gnutls_x509_crt_get_serial (gnutls_x509_crt_t cert, void *result, size_t *result_size); int gnutls_x509_crt_check_revocation (gnutls_x509_crt_t cert, const gnutls_x509_crl_t *crl_list, int crl_list_length); int gnutls_x509_crl_get_crt_count (gnutls_x509_crl_t crl); int gnutls_x509_crl_get_crt_serial (gnutls_x509_crl_t crl, int indx, unsigned char *serial, size_t *serial_size, time_t *tim); void gnutls_x509_crl_deinit (gnutls_x509_crl_t crl); int gnutls_x509_crl_init (gnutls_x509_crl_t *crl); int gnutls_x509_crl_import (gnutls_x509_crl_t crl, const gnutls_datum_t *data, gnutls_x509_crt_fmt_t format); int gnutls_x509_crl_export (gnutls_x509_crl_t crl, gnutls_x509_crt_fmt_t format, void *output_data, size_t *output_data_size); int gnutls_x509_crt_init (gnutls_x509_crt_t *cert); void gnutls_x509_crt_deinit (gnutls_x509_crt_t cert); int gnutls_x509_crt_import (gnutls_x509_crt_t cert, const gnutls_datum_t *data, gnutls_x509_crt_fmt_t format); int gnutls_x509_crt_export (gnutls_x509_crt_t cert, gnutls_x509_crt_fmt_t format, void *output_data, size_t *output_data_size); int gnutls_x509_crt_get_key_usage (gnutls_x509_crt_t cert, unsigned int *key_usage, unsigned int *critical); int gnutls_x509_crt_get_version (gnutls_x509_crt_t cert); int gnutls_x509_privkey_init (gnutls_x509_privkey_t *key); void gnutls_x509_privkey_deinit (gnutls_x509_privkey_t key); int gnutls_x509_privkey_generate (gnutls_x509_privkey_t key, gnutls_pk_algorithm_t algo, unsigned int bits, unsigned int flags); int gnutls_x509_privkey_import (gnutls_x509_privkey_t key, const gnutls_datum_t *data, gnutls_x509_crt_fmt_t format); int gnutls_x509_privkey_get_pk_algorithm (gnutls_x509_privkey_t key); int gnutls_x509_privkey_import_rsa_raw (gnutls_x509_privkey_t key, const gnutls_datum_t *m, const gnutls_datum_t *e, const gnutls_datum_t *d, const gnutls_datum_t *p, const gnutls_datum_t *q, const gnutls_datum_t *u); int gnutls_x509_privkey_export_rsa_raw (gnutls_x509_privkey_t key, gnutls_datum_t *m, gnutls_datum_t *e, gnutls_datum_t *d, gnutls_datum_t *p, gnutls_datum_t *q, gnutls_datum_t *u); int gnutls_x509_privkey_export (gnutls_x509_privkey_t key, gnutls_x509_crt_fmt_t format, void *output_data, size_t *output_data_size); #define GNUTLS_CRL_REASON_UNUSED #define GNUTLS_CRL_REASON_KEY_COMPROMISE #define GNUTLS_CRL_REASON_CA_COMPROMISE #define GNUTLS_CRL_REASON_AFFILIATION_CHANGED #define GNUTLS_CRL_REASON_SUPERSEEDED #define GNUTLS_CRL_REASON_CESSATION_OF_OPERATION #define GNUTLS_CRL_REASON_CERTIFICATE_HOLD #define GNUTLS_CRL_REASON_PRIVILEGE_WITHDRAWN #define GNUTLS_CRL_REASON_AA_COMPROMISE
typedef enum gnutls_certificate_import_flags {
    GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED=1
} gnutls_certificate_import_flags;
typedef struct {
    mpi_t params[MAX_PRIV_PARAMS_SIZE];	/* the size of params depends on the public 
					 * key algorithm 
					 */
    /*
     * RSA: [0] is modulus
     *      [1] is public exponent
     *      [2] is private exponent
     *      [3] is prime1 (p)
     *      [4] is prime2 (q)
     *      [5] is coefficient (u == inverse of p mod q)
     *          note that other packages used inverse of q mod p,
     *          so we need to perform conversions.
     * DSA: [0] is p
     *      [1] is q
     *      [2] is g
     *      [3] is y (public key)
     *      [4] is x (private key)
     */
    int params_size;		/* holds the number of params */
    gnutls_pk_algorithm_t pk_algorithm;
    int crippled;		/* The crippled keys will not use the ASN1_TYPE key.
				 * The encoding will only be performed at the export
				 * phase, to optimize copying etc. Cannot be used with
				 * the exported API (used internally only).
				 */
    ASN1_TYPE key;
} gnutls_x509_privkey_int;
int         gnutls_x509_crt_get_issuer_dn_by_oid
                                            (gnutls_x509_crt_t cert,
                                             const char *oid,
                                             int indx,
                                             unsigned int raw_flag,
                                             void *buf,
                                             size_t *sizeof_buf);
This function will extract the part of the name of the Certificate issuer specified by the given OID. The output, if the raw flag is not used, will be encoded as described in RFC2253. Thus a string that is ASCII or UTF-8 encoded, depending on the certificate data.
Some helper macros with popular OIDs can be found in gnutls/x509.h
If raw flag is zero, this function will only return known OIDs as
text. Other OIDs will be DER encoded, as described in RFC2253 --
in hex format with a '\#' prefix.  You can check about known OIDs
using gnutls_x509_dn_oid_known().
If buf is null then only the size will be filled.
| cert: | |
| oid: | |
| indx: | |
| raw_flag: | |
| buf: | |
| sizeof_buf: | |
| Returns : | 
int         gnutls_x509_crt_get_subject_alt_name
                                            (gnutls_x509_crt_t cert,
                                             unsigned int seq,
                                             void *ret,
                                             size_t *ret_size,
                                             unsigned int *critical);
This function will return the alternative names, contained in the given certificate.
This is specified in X509v3 Certificate Extensions. GNUTLS will return the Alternative name (2.5.29.17), or a negative error code.
| cert: | |
| seq: | |
| ret: | |
| ret_size: | |
| critical: | |
| Returns : | 
int gnutls_x509_crt_get_dn_by_oid (gnutls_x509_crt_t cert, const char *oid, int indx, unsigned int raw_flag, void *buf, size_t *sizeof_buf);
This function will extract the part of the name of the Certificate subject specified by the given OID. The output, if the raw flag is not used, will be encoded as described in RFC2253. Thus a string that is ASCII or UTF-8 encoded, depending on the certificate data.
Some helper macros with popular OIDs can be found in gnutls/x509.h
If raw flag is zero, this function will only return known OIDs as
text. Other OIDs will be DER encoded, as described in RFC2253 --
in hex format with a '\#' prefix.  You can check about known OIDs
using gnutls_x509_dn_oid_known().
If buf is null then only the size will be filled.
| cert: | |
| oid: | |
| indx: | |
| raw_flag: | |
| buf: | |
| sizeof_buf: | |
| Returns : | 
int gnutls_x509_crt_get_ca_status (gnutls_x509_crt_t cert, unsigned int *critical);
This function will return certificates CA status, by reading the basicConstraints X.509 extension (2.5.29.19). If the certificate is a CA a positive value will be returned, or zero if the certificate does not have CA flag set.
A negative value may be returned in case of parsing error. If the certificate does not contain the basicConstraints extension GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.
| cert: | |
| critical: | |
| Returns : | 
int         gnutls_x509_crt_get_pk_algorithm
                                            (gnutls_x509_crt_t cert,
                                             unsigned int *bits);
This function will return the public key algorithm of an X.509 certificate.
If bits is non null, it should have enough size to hold the parameters size in bits. For RSA the bits returned is the modulus. For DSA the bits returned are of the public exponent.
| cert: | |
| bits: | |
| Returns : | 
int gnutls_x509_crt_get_serial (gnutls_x509_crt_t cert, void *result, size_t *result_size);
This function will return the X.509 certificate's serial number. This is obtained by the X509 Certificate serialNumber field. Serial is not always a 32 or 64bit number. Some CAs use large serial numbers, thus it may be wise to handle it as something opaque.
| cert: | |
| result: | |
| result_size: | |
| Returns : | 
int         gnutls_x509_crt_check_revocation
                                            (gnutls_x509_crt_t cert,
                                             const gnutls_x509_crl_t *crl_list,
                                             int crl_list_length);
This function will return check if the given certificate is revoked. It is assumed that the CRLs have been verified before.
| cert: | |
| crl_list: | |
| crl_list_length: | |
| Returns : | 
int gnutls_x509_crl_get_crt_count (gnutls_x509_crl_t crl);
This function will return the number of revoked certificates in the given CRL.
| crl: | |
| Returns : | 
int gnutls_x509_crl_get_crt_serial (gnutls_x509_crl_t crl, int indx, unsigned char *serial, size_t *serial_size, time_t *tim);
This function will return the serial number of the specified, by the index, revoked certificate.
| crl: | |
| indx: | |
| serial: | |
| serial_size: | |
| tim: | |
| Returns : | 
void gnutls_x509_crl_deinit (gnutls_x509_crl_t crl);
This function will deinitialize a CRL structure.
| crl: | 
int gnutls_x509_crl_init (gnutls_x509_crl_t *crl);
This function will initialize a CRL structure. CRL stands for Certificate Revocation List. A revocation list usually contains lists of certificate serial numbers that have been revoked by an Authority. The revocation lists are always signed with the authority's private key.
| crl: | |
| Returns : | 
int gnutls_x509_crl_import (gnutls_x509_crl_t crl, const gnutls_datum_t *data, gnutls_x509_crt_fmt_t format);
This function will convert the given DER or PEM encoded CRL to the native gnutls_x509_crl_t format. The output will be stored in 'crl'.
If the CRL is PEM encoded it should have a header of "X509 CRL".
| crl: | |
| data: | |
| format: | |
| Returns : | 
int gnutls_x509_crl_export (gnutls_x509_crl_t crl, gnutls_x509_crt_fmt_t format, void *output_data, size_t *output_data_size);
This function will export the revocation list to DER or PEM format.
If the buffer provided is not long enough to hold the output, then GNUTLS_E_SHORT_MEMORY_BUFFER will be returned.
If the structure is PEM encoded, it will have a header of "BEGIN X509 CRL".
| crl: | |
| format: | |
| output_data: | |
| output_data_size: | |
| Returns : | 
int gnutls_x509_crt_init (gnutls_x509_crt_t *cert);
This function will initialize an X.509 certificate structure.
| cert: | |
| Returns : | 
void gnutls_x509_crt_deinit (gnutls_x509_crt_t cert);
This function will deinitialize a CRL structure.
| cert: | 
int gnutls_x509_crt_import (gnutls_x509_crt_t cert, const gnutls_datum_t *data, gnutls_x509_crt_fmt_t format);
This function will convert the given DER or PEM encoded Certificate
to the native gnutls_x509_crt_t format. The output will be stored in cert.
If the Certificate is PEM encoded it should have a header of "X509 CERTIFICATE", or "CERTIFICATE".
| cert: | |
| data: | |
| format: | |
| Returns : | 
int gnutls_x509_crt_export (gnutls_x509_crt_t cert, gnutls_x509_crt_fmt_t format, void *output_data, size_t *output_data_size);
This function will export the certificate to DER or PEM format.
If the buffer provided is not long enough to hold the output, then *output_data_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will be returned.
If the structure is PEM encoded, it will have a header of "BEGIN CERTIFICATE".
| cert: | |
| format: | |
| output_data: | |
| output_data_size: | |
| Returns : | 
int gnutls_x509_crt_get_key_usage (gnutls_x509_crt_t cert, unsigned int *key_usage, unsigned int *critical);
This function will return certificate's key usage, by reading the keyUsage X.509 extension (2.5.29.15). The key usage value will ORed values of the: GNUTLS_KEY_DIGITAL_SIGNATURE, GNUTLS_KEY_NON_REPUDIATION, GNUTLS_KEY_KEY_ENCIPHERMENT, GNUTLS_KEY_DATA_ENCIPHERMENT, GNUTLS_KEY_KEY_AGREEMENT, GNUTLS_KEY_KEY_CERT_SIGN, GNUTLS_KEY_CRL_SIGN, GNUTLS_KEY_ENCIPHER_ONLY, GNUTLS_KEY_DECIPHER_ONLY.
A negative value may be returned in case of parsing error. If the certificate does not contain the keyUsage extension GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.
| cert: | |
| key_usage: | |
| critical: | |
| Returns : | 
int gnutls_x509_crt_get_version (gnutls_x509_crt_t cert);
This function will return the version of the specified Certificate.
| cert: | |
| Returns : | 
int gnutls_x509_privkey_init (gnutls_x509_privkey_t *key);
This function will initialize an private key structure.
| key: | |
| Returns : | 
void gnutls_x509_privkey_deinit (gnutls_x509_privkey_t key);
This function will deinitialize a private key structure.
| key: | 
int gnutls_x509_privkey_generate (gnutls_x509_privkey_t key, gnutls_pk_algorithm_t algo, unsigned int bits, unsigned int flags);
This function will generate a random private key. Note that this function must be called on an empty private key.
| key: | |
| algo: | |
| bits: | |
| flags: | |
| Returns : | 
int gnutls_x509_privkey_import (gnutls_x509_privkey_t key, const gnutls_datum_t *data, gnutls_x509_crt_fmt_t format);
This function will convert the given DER or PEM encoded key
to the native gnutls_x509_privkey_t format. The output will be stored in key .
If the key is PEM encoded it should have a header of "RSA PRIVATE KEY", or "DSA PRIVATE KEY".
| key: | |
| data: | |
| format: | |
| Returns : | 
int         gnutls_x509_privkey_get_pk_algorithm
                                            (gnutls_x509_privkey_t key);
This function will return the public key algorithm of a private key.
| key: | |
| Returns : | 
int         gnutls_x509_privkey_import_rsa_raw
                                            (gnutls_x509_privkey_t key,
                                             const gnutls_datum_t *m,
                                             const gnutls_datum_t *e,
                                             const gnutls_datum_t *d,
                                             const gnutls_datum_t *p,
                                             const gnutls_datum_t *q,
                                             const gnutls_datum_t *u);
This function will convert the given RSA raw parameters
to the native gnutls_x509_privkey_t format. The output will be stored in key.
| key: | |
| m: | |
| e: | |
| d: | |
| p: | |
| q: | |
| u: | |
| Returns : | 
int         gnutls_x509_privkey_export_rsa_raw
                                            (gnutls_x509_privkey_t key,
                                             gnutls_datum_t *m,
                                             gnutls_datum_t *e,
                                             gnutls_datum_t *d,
                                             gnutls_datum_t *p,
                                             gnutls_datum_t *q,
                                             gnutls_datum_t *u);
This function will export the RSA private key's parameters found in the given
structure. The new parameters will be allocated using
gnutls_malloc() and will be stored in the appropriate datum.
| key: | |
| m: | |
| e: | |
| d: | |
| p: | |
| q: | |
| u: | |
| Returns : | 
int gnutls_x509_privkey_export (gnutls_x509_privkey_t key, gnutls_x509_crt_fmt_t format, void *output_data, size_t *output_data_size);
This function will export the private key to a PKCS1 structure for RSA keys, or an integer sequence for DSA keys. The DSA keys are in the same format with the parameters used by openssl.
If the buffer provided is not long enough to hold the output, then *output_data_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will be returned.
If the structure is PEM encoded, it will have a header of "BEGIN RSA PRIVATE KEY".
| key: | |
| format: | |
| output_data: | |
| output_data_size: | |
| Returns : | 
| << extra | pkcs12 >> |