Compare revisions
This is gnutls.info, produced by makeinfo version 6.7 from gnutls.texi.
This is gnutls.info, produced by makeinfo version 6.8 from gnutls.texi.
This manual is last updated 24 February 2021 for version 3.7.1 of
GnuTLS.
This manual is last updated 9 February 2023 for version 3.7.9 of GnuTLS.
Copyright (C) 2001-2021 Free Software Foundation, Inc.\\ Copyright (C)
2001-2021 Nikos Mavrogiannopoulos
Copyright (C) 2001-2023 Free Software Foundation, Inc.\\ Copyright (C)
2001-2023 Nikos Mavrogiannopoulos
Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License,
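Review bot: the file header shows two independent changes at once, a makeinfo bump (6.7 to 6.8) and a GnuTLS manual bump (3.7.1 to 3.7.9, with the copyright years following), so the rest of this compare mixes generator-driven re-splitting of the Info nodes with real upstream documentation changes. Regenerating with the old makeinfo first, or reviewing against the texinfo source rather than the generated gnutls.info files, would make the substantive API documentation changes much easier to pick out.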
......@@ -292,9 +291,6 @@ gnutls_certificate_set_trust_list
and must not be deallocated. It will be automatically deallocated
when the 'res' structure is deinitialized.
*Returns:* 'GNUTLS_E_SUCCESS' (0) on success, or a negative error
code.
*Since:* 3.2.2
gnutls_certificate_verification_profile_get_id
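Review bot: the '*Since:* 3.2.2' availability line of gnutls_certificate_set_trust_list appears to be what this hunk drops (three lines removed, none added, and the sentence before it and the function heading after it are unchanged). Unless upstream removed the tag deliberately, it should be kept: packagers and application authors rely on the Since tags to decide the minimum GnuTLS version to require, and losing one silently makes the function look older than it is.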
......@@ -3513,7 +3509,9 @@ gnutls_x509_crt_get_dn
described in RFC4514. The output string will be ASCII or UTF-8
encoded, depending on the certificate data.
If 'buf' is null then only the size will be filled.
The 'buf' returned will be null terminated and the 'buf_size' will
account for the trailing null. If 'buf' is null then only the size
will be filled.
This function does not output a fully RFC4514 compliant string, if
that is required see 'gnutls_x509_crt_get_dn3()' .
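Review bot: the added sentence pins down that 'buf' is null terminated and that 'buf_size' includes the trailing null, which is the detail a caller needs to size the buffer correctly; the retained sentence "If 'buf' is null then only the size will be filled" should then be read as a size that already includes the terminator. It would be worth stating that explicitly in the same paragraph, since an off-by-one on exactly this point is what leads callers to under-allocate the DN buffer.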
......@@ -5728,8 +5726,7 @@ gnutls_x509_crt_set_serial
opaque field by several CAs. For this reason this function accepts
any kind of data as a serial number. To be consistent with the
X.509/PKIX specifications the provided 'serial' should be a
big-endian positive number (i.e. it's leftmost bit should be
zero).
big-endian positive number (i.e. its leftmost bit should be zero).
The size of the serial is restricted to 20 bytes maximum by
RFC5280. This function allows writing more than 20 bytes but the
......@@ -6037,6 +6034,59 @@ gnutls_x509_crt_verify_data2
*Since:* 3.4.0
gnutls_x509_ct_sct_get
----------------------
-- Function: int gnutls_x509_ct_sct_get (const gnutls_x509_ct_scts_t
SCTS, unsigned IDX, time_t * TIMESTAMP, gnutls_datum_t *
LOGID, gnutls_sign_algorithm_t * SIGALG, gnutls_datum_t *
SIGNATURE)
SCTS: A list of SCTs
IDX: The index of the target SCT in the list
TIMESTAMP: The timestamp of the SCT
LOGID: The LogID field of the SCT; must be freed with
'gnutls_free()'
SIGALG: The signature algorithm
SIGNATURE: The signature of the SCT; must be freed with
'gnutls_free()'
This function will return a specific SCT (Signed Certificate
Timestamp) stored in the SCT list 'scts' .
The datums holding the SCT's LogId and signature will be allocated
using 'gnutls_malloc()' .
*Returns:* 'GNUTLS_E_SUCCESS' (0) will be returned on success,
'GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE' if 'idx' exceeds the number
of SCTs in the list or a negative error value.
gnutls_x509_ct_sct_get_version
------------------------------
-- Function: int gnutls_x509_ct_sct_get_version (gnutls_x509_ct_scts_t
SCTS, unsigned IDX, unsigned int * VERSION_OUT)
SCTS: A list of SCTs
IDX: The index of the target SCT in the list
VERSION_OUT: The version of the target SCT.
This function obtains the version of the SCT at the given position
in the SCT list.
The version of that SCT will be placed on 'version_out' .
Return : 'GNUTLS_E_SUCCESS' (0) is returned on success,
'GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE' if 'idx' exceeds the number
of SCTs in the list and 'GNUTLS_E_INVALID_REQUEST' if the SCT's
version is different than 1, as that's currently the only defined
version.
gnutls_x509_dn_deinit
---------------------
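Review bot: in gnutls_x509_ct_sct_get_version the return section is labelled "Return :" where every other entry in the manual uses "*Returns:*", so the upstream doc comment is most likely malformed and will not render consistently; fix it at the source rather than in the generated file. Both new entries also lack a "*Since:*" line, unlike the neighbouring gnutls_x509_crt_verify_data2 ("*Since:* 3.4.0"), and gnutls_x509_ct_sct_get does not say whether any of LOGID, SIGNATURE, TIMESTAMP or SIGALG may be passed as NULL to skip that output; given that LOGID and SIGNATURE are allocated with gnutls_malloc() and must be released with gnutls_free(), a caller that only wants the timestamp needs to know that.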
......@@ -6261,6 +6311,68 @@ gnutls_x509_dn_set_str
*Since:* 3.5.3
gnutls_x509_ext_ct_export_scts
------------------------------
-- Function: int gnutls_x509_ext_ct_export_scts (const
gnutls_x509_ct_scts_t SCTS, gnutls_datum_t * EXT)
SCTS: An initialized SCT list
EXT: The DER-encoded extension data; must be freed with
'gnutls_free()'
This function will convert the provided list of SCTs to a
DER-encoded SignedCertificateTimestampList extension
(1.3.6.1.4.1.11129.2.4.2). The output data in 'ext' will be
allocated using 'gnutls_malloc()' .
*Returns:* 'GNUTLS_E_SUCCESS' (0) on success or a negative error
value.
gnutls_x509_ext_ct_import_scts
------------------------------
-- Function: int gnutls_x509_ext_ct_import_scts (const gnutls_datum_t *
EXT, gnutls_x509_ct_scts_t SCTS, unsigned int FLAGS)
EXT: a DER-encoded extension
SCTS: The SCT list
FLAGS: should be zero
This function will read a SignedCertificateTimestampList structure
from the DER data of the X.509 Certificate Transparency SCT
extension (OID 1.3.6.1.4.1.11129.2.4.2).
The list of SCTs (Signed Certificate Timestamps) is placed on
'scts' , which must be previously initialized with
'gnutls_x509_ext_ct_scts_init()' .
*Returns:* 'GNUTLS_E_SUCCESS' (0) on success or a negative error
value.
gnutls_x509_ext_ct_scts_deinit
------------------------------
-- Function: void gnutls_x509_ext_ct_scts_deinit (gnutls_x509_ct_scts_t
SCTS)
SCTS: The SCT list
This function will deinitialize a Certificate Transparency SCT
list.
gnutls_x509_ext_ct_scts_init
----------------------------
-- Function: int gnutls_x509_ext_ct_scts_init (gnutls_x509_ct_scts_t *
SCTS)
SCTS: The SCT list
This function will initialize a Certificate Transparency SCT list.
*Returns:* 'GNUTLS_E_SUCCESS' (0) on success, otherwise a negative
error value.
gnutls_x509_ext_deinit
----------------------
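Review bot: gnutls_x509_ext_ct_import_scts documents FLAGS only as "should be zero" and does not say whether a non-zero value is rejected or ignored; the rest of the manual uses the firmer "must be (0)" wording for such parameters (compare gnutls_ocsp_resp_list_import2), and the same form is preferable here because this extension is parsed out of peer-supplied certificates and callers should not be left guessing about accepted inputs. The four new entries (export_scts, import_scts, scts_deinit, scts_init) also carry no "*Since:*" line, unlike the surrounding entries.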
......@@ -8662,8 +8774,8 @@ gnutls_x509_trust_list_get_issuer
CERT: is the certificate to find issuer for
ISSUER: Will hold the issuer if any. Should be treated as
constant.
ISSUER: Will hold the issuer if any. Should be treated as constant
unless 'GNUTLS_TL_GET_COPY' is set in 'flags' .
FLAGS: flags from 'gnutls_trust_list_flags_t' ('GNUTLS_TL_GET_COPY'
is applicable)
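Review bot: the new ISSUER text says the result is constant "unless 'GNUTLS_TL_GET_COPY' is set in 'flags'", but it stops short of saying who then owns the returned certificate and how it must be released (presumably with gnutls_x509_crt_deinit(), as for other allocated gnutls_x509_crt_t values in this manual). Spell that out in the ISSUER description, otherwise callers either leak the copy or deinit a list-owned certificate when the flag is not set.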
......@@ -8892,7 +9004,7 @@ gnutls_x509_trust_list_set_getissuer_function
certificate. The callback may provide the missing certificate for
use during verification.
The callback's function prototype is defined in <gnutls/x509.h> as:
The callback's function prototype is defined in gnutls/x509.h as:
int (*callback)(gnutls_x509_trust_list_t list, const
gnutls_x509_crt_t cert, gnutls_x509_crt_t **issuers, unsigned int
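Review bot: dropping the angle brackets around gnutls/x509.h avoids them being swallowed as markup, but the result now reads as bare text while the OCSP API introduction writes the header as 'gnutls/ocsp.h' in quotes; quoting it the same way here keeps the generated manual consistent and makes it clear that a header path, not a module name, is meant.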
......
This is gnutls.info, produced by makeinfo version 6.7 from gnutls.texi.
This is gnutls.info, produced by makeinfo version 6.8 from gnutls.texi.
This manual is last updated 24 February 2021 for version 3.7.1 of
GnuTLS.
This manual is last updated 9 February 2023 for version 3.7.9 of GnuTLS.
Copyright (C) 2001-2021 Free Software Foundation, Inc.\\ Copyright (C)
2001-2021 Nikos Mavrogiannopoulos
Copyright (C) 2001-2023 Free Software Foundation, Inc.\\ Copyright (C)
2001-2023 Nikos Mavrogiannopoulos
Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License,
......@@ -392,7 +391,9 @@ gnutls_pkcs7_import
This function will convert the given DER or PEM encoded PKCS7 to
the native 'gnutls_pkcs7_t' format. The output will be stored in
'pkcs7' .
'pkcs7' . Any signed data that may be present inside the 'pkcs7'
structure, like certificates set by 'gnutls_pkcs7_set_crt()' , will
be freed and overwritten by this function.
If the PKCS7 is PEM encoded it should have a header of "PKCS7".
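Review bot: the added sentence documents that gnutls_pkcs7_import() frees and overwrites any signed data already held in 'pkcs7' (for example certificates set via gnutls_pkcs7_set_crt()), which is an important ownership clarification for callers that reuse a gnutls_pkcs7_t. It does not say what state the structure is in when the import fails part-way: a caller that reuses the object after a negative return needs to know whether the previous contents are still present or have already been freed, so the failure case should be stated in the same paragraph.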
......@@ -645,850 +646,3 @@ gnutls_pkcs7_verify_direct
*Since:* 3.4.2

File: gnutls.info, Node: OCSP API, Next: PKCS 12 API, Prev: PKCS 7 API, Up: API reference
E.5 OCSP API
============
The following functions are for OCSP certificate status checking. Their
prototypes lie in 'gnutls/ocsp.h'.
gnutls_ocsp_req_add_cert
------------------------
-- Function: int gnutls_ocsp_req_add_cert (gnutls_ocsp_req_t REQ,
gnutls_digest_algorithm_t DIGEST, gnutls_x509_crt_t ISSUER,
gnutls_x509_crt_t CERT)
REQ: should contain a 'gnutls_ocsp_req_t' type
DIGEST: hash algorithm, a 'gnutls_digest_algorithm_t' value
ISSUER: issuer of 'subject' certificate
CERT: certificate to request status for
This function will add another request to the OCSP request for a
particular certificate. The issuer name hash, issuer key hash, and
serial number fields is populated as follows. The issuer name and
the serial number is taken from 'cert' . The issuer key is taken
from 'issuer' . The hashed values will be hashed using the
'digest' algorithm, normally 'GNUTLS_DIG_SHA1' .
*Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error code is returned.
gnutls_ocsp_req_add_cert_id
---------------------------
-- Function: int gnutls_ocsp_req_add_cert_id (gnutls_ocsp_req_t REQ,
gnutls_digest_algorithm_t DIGEST, const gnutls_datum_t *
ISSUER_NAME_HASH, const gnutls_datum_t * ISSUER_KEY_HASH,
const gnutls_datum_t * SERIAL_NUMBER)
REQ: should contain a 'gnutls_ocsp_req_t' type
DIGEST: hash algorithm, a 'gnutls_digest_algorithm_t' value
ISSUER_NAME_HASH: hash of issuer's DN
ISSUER_KEY_HASH: hash of issuer's public key
SERIAL_NUMBER: serial number of certificate to check
This function will add another request to the OCSP request for a
particular certificate having the issuer name hash of
'issuer_name_hash' and issuer key hash of 'issuer_key_hash' (both
hashed using 'digest' ) and serial number 'serial_number' .
The information needed corresponds to the CertID structure:
<informalexample><programlisting> CertID ::= SEQUENCE {
hashAlgorithm AlgorithmIdentifier, issuerNameHash OCTET STRING, -
Hash of Issuer's DN issuerKeyHash OCTET STRING, - Hash of Issuers
public key serialNumber CertificateSerialNumber }
</programlisting></informalexample>
*Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error code is returned.
gnutls_ocsp_req_deinit
----------------------
-- Function: void gnutls_ocsp_req_deinit (gnutls_ocsp_req_t REQ)
REQ: The data to be deinitialized
This function will deinitialize a OCSP request structure.
gnutls_ocsp_req_export
----------------------
-- Function: int gnutls_ocsp_req_export (gnutls_ocsp_req_const_t REQ,
gnutls_datum_t * DATA)
REQ: Holds the OCSP request
DATA: newly allocate buffer holding DER encoded OCSP request
This function will export the OCSP request to DER format.
*Returns:* In case of failure a negative error code will be
returned, and 0 on success.
gnutls_ocsp_req_get_cert_id
---------------------------
-- Function: int gnutls_ocsp_req_get_cert_id (gnutls_ocsp_req_const_t
REQ, unsigned INDX, gnutls_digest_algorithm_t * DIGEST,
gnutls_datum_t * ISSUER_NAME_HASH, gnutls_datum_t *
ISSUER_KEY_HASH, gnutls_datum_t * SERIAL_NUMBER)
REQ: should contain a 'gnutls_ocsp_req_t' type
INDX: Specifies which extension OID to get. Use (0) to get the
first one.
DIGEST: output variable with 'gnutls_digest_algorithm_t' hash
algorithm
ISSUER_NAME_HASH: output buffer with hash of issuer's DN
ISSUER_KEY_HASH: output buffer with hash of issuer's public key
SERIAL_NUMBER: output buffer with serial number of certificate to
check
This function will return the certificate information of the 'indx'
'ed request in the OCSP request. The information returned
corresponds to the CertID structure:
<informalexample><programlisting> CertID ::= SEQUENCE {
hashAlgorithm AlgorithmIdentifier, issuerNameHash OCTET STRING, -
Hash of Issuer's DN issuerKeyHash OCTET STRING, - Hash of Issuers
public key serialNumber CertificateSerialNumber }
</programlisting></informalexample>
Each of the pointers to output variables may be NULL to indicate
that the caller is not interested in that value.
*Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error code is returned. If you have reached
the last CertID available 'GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE'
will be returned.
gnutls_ocsp_req_get_extension
-----------------------------
-- Function: int gnutls_ocsp_req_get_extension (gnutls_ocsp_req_const_t
REQ, unsigned INDX, gnutls_datum_t * OID, unsigned int *
CRITICAL, gnutls_datum_t * DATA)
REQ: should contain a 'gnutls_ocsp_req_t' type
INDX: Specifies which extension OID to get. Use (0) to get the
first one.
OID: will hold newly allocated buffer with OID of extension, may be
NULL
CRITICAL: output variable with critical flag, may be NULL.
DATA: will hold newly allocated buffer with extension data, may be
NULL
This function will return all information about the requested
extension in the OCSP request. The information returned is the
OID, the critical flag, and the data itself. The extension OID
will be stored as a string. Any of 'oid' , 'critical' , and 'data'
may be NULL which means that the caller is not interested in
getting that information back.
The caller needs to deallocate memory by calling 'gnutls_free()' on
'oid' ->data and 'data' ->data.
Since 3.7.0 'oid' ->size does not account for the terminating null
byte.
*Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error code is returned. If you have reached
the last extension available
'GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE' will be returned.
gnutls_ocsp_req_get_nonce
-------------------------
-- Function: int gnutls_ocsp_req_get_nonce (gnutls_ocsp_req_const_t
REQ, unsigned int * CRITICAL, gnutls_datum_t * NONCE)
REQ: should contain a 'gnutls_ocsp_req_t' type
CRITICAL: whether nonce extension is marked critical, or NULL
NONCE: will hold newly allocated buffer with nonce data
This function will return the OCSP request nonce extension data.
The caller needs to deallocate memory by calling 'gnutls_free()' on
'nonce' ->data.
*Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error code is returned.
gnutls_ocsp_req_get_version
---------------------------
-- Function: int gnutls_ocsp_req_get_version (gnutls_ocsp_req_const_t
REQ)
REQ: should contain a 'gnutls_ocsp_req_t' type
This function will return the version of the OCSP request.
Typically this is always 1 indicating version 1.
*Returns:* version of OCSP request, or a negative error code on
error.
gnutls_ocsp_req_import
----------------------
-- Function: int gnutls_ocsp_req_import (gnutls_ocsp_req_t REQ, const
gnutls_datum_t * DATA)
REQ: The data to store the parsed request.
DATA: DER encoded OCSP request.
This function will convert the given DER encoded OCSP request to
the native 'gnutls_ocsp_req_t' format. The output will be stored
in 'req' .
*Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_ocsp_req_init
--------------------
-- Function: int gnutls_ocsp_req_init (gnutls_ocsp_req_t * REQ)
REQ: A pointer to the type to be initialized
This function will initialize an OCSP request structure.
*Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_ocsp_req_print
---------------------
-- Function: int gnutls_ocsp_req_print (gnutls_ocsp_req_const_t REQ,
gnutls_ocsp_print_formats_t FORMAT, gnutls_datum_t * OUT)
REQ: The data to be printed
FORMAT: Indicate the format to use
OUT: Newly allocated datum with (0) terminated string.
This function will pretty print a OCSP request, suitable for
display to a human.
If the format is 'GNUTLS_OCSP_PRINT_FULL' then all fields of the
request will be output, on multiple lines.
The output 'out' ->data needs to be deallocate using
'gnutls_free()' .
*Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_ocsp_req_randomize_nonce
-------------------------------
-- Function: int gnutls_ocsp_req_randomize_nonce (gnutls_ocsp_req_t
REQ)
REQ: should contain a 'gnutls_ocsp_req_t' type
This function will add or update an nonce extension to the OCSP
request with a newly generated random value.
*Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error code is returned.
gnutls_ocsp_req_set_extension
-----------------------------
-- Function: int gnutls_ocsp_req_set_extension (gnutls_ocsp_req_t REQ,
const char * OID, unsigned int CRITICAL, const gnutls_datum_t
* DATA)
REQ: should contain a 'gnutls_ocsp_req_t' type
OID: buffer with OID of extension as a string.
CRITICAL: critical flag, normally false.
DATA: the extension data
This function will add an extension to the OCSP request. Calling
this function multiple times for the same OID will overwrite values
from earlier calls.
*Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error code is returned.
gnutls_ocsp_req_set_nonce
-------------------------
-- Function: int gnutls_ocsp_req_set_nonce (gnutls_ocsp_req_t REQ,
unsigned int CRITICAL, const gnutls_datum_t * NONCE)
REQ: should contain a 'gnutls_ocsp_req_t' type
CRITICAL: critical flag, normally false.
NONCE: the nonce data
This function will add an nonce extension to the OCSP request.
Calling this function multiple times will overwrite values from
earlier calls.
*Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error code is returned.
gnutls_ocsp_resp_check_crt
--------------------------
-- Function: int gnutls_ocsp_resp_check_crt (gnutls_ocsp_resp_const_t
RESP, unsigned int INDX, gnutls_x509_crt_t CRT)
RESP: should contain a 'gnutls_ocsp_resp_t' type
INDX: Specifies response number to get. Use (0) to get the first
one.
CRT: The certificate to check
This function will check whether the OCSP response is about the
provided certificate.
*Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error code is returned.
*Since:* 3.1.3
gnutls_ocsp_resp_deinit
-----------------------
-- Function: void gnutls_ocsp_resp_deinit (gnutls_ocsp_resp_t RESP)
RESP: The data to be deinitialized
This function will deinitialize a OCSP response structure.
gnutls_ocsp_resp_export
-----------------------
-- Function: int gnutls_ocsp_resp_export (gnutls_ocsp_resp_const_t
RESP, gnutls_datum_t * DATA)
RESP: Holds the OCSP response
DATA: newly allocate buffer holding DER encoded OCSP response
This function will export the OCSP response to DER format.
*Returns:* In case of failure a negative error code will be
returned, and 0 on success.
gnutls_ocsp_resp_export2
------------------------
-- Function: int gnutls_ocsp_resp_export2 (gnutls_ocsp_resp_const_t
RESP, gnutls_datum_t * DATA, gnutls_x509_crt_fmt_t FMT)
RESP: Holds the OCSP response
DATA: newly allocate buffer holding DER or PEM encoded OCSP
response
FMT: DER or PEM
This function will export the OCSP response to DER or PEM format.
*Returns:* In case of failure a negative error code will be
returned, and 0 on success.
*Since:* 3.6.3
gnutls_ocsp_resp_get_certs
--------------------------
-- Function: int gnutls_ocsp_resp_get_certs (gnutls_ocsp_resp_const_t
RESP, gnutls_x509_crt_t ** CERTS, size_t * NCERTS)
RESP: should contain a 'gnutls_ocsp_resp_t' type
CERTS: newly allocated array with 'gnutls_x509_crt_t' certificates
NCERTS: output variable with number of allocated certs.
This function will extract the X.509 certificates found in the
Basic OCSP Response. The 'certs' output variable will hold a newly
allocated zero-terminated array with X.509 certificates.
Every certificate in the array needs to be de-allocated with
'gnutls_x509_crt_deinit()' and the array itself must be freed using
'gnutls_free()' .
Both the 'certs' and 'ncerts' variables may be NULL. Then the
function will work as normal but will not return the NULL:d
information. This can be used to get the number of certificates
only, or to just get the certificate array without its size.
*Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_ocsp_resp_get_extension
------------------------------
-- Function: int gnutls_ocsp_resp_get_extension
(gnutls_ocsp_resp_const_t RESP, unsigned INDX, gnutls_datum_t
* OID, unsigned int * CRITICAL, gnutls_datum_t * DATA)
RESP: should contain a 'gnutls_ocsp_resp_t' type
INDX: Specifies which extension OID to get. Use (0) to get the
first one.
OID: will hold newly allocated buffer with OID of extension, may be
NULL
CRITICAL: output variable with critical flag, may be NULL.
DATA: will hold newly allocated buffer with extension data, may be
NULL
This function will return all information about the requested
extension in the OCSP response. The information returned is the
OID, the critical flag, and the data itself. The extension OID
will be stored as a string. Any of 'oid' , 'critical' , and 'data'
may be NULL which means that the caller is not interested in
getting that information back.
The caller needs to deallocate memory by calling 'gnutls_free()' on
'oid' ->data and 'data' ->data.
Since 3.7.0 'oid' ->size does not account for the terminating null
byte.
*Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error code is returned. If you have reached
the last extension available
'GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE' will be returned.
gnutls_ocsp_resp_get_nonce
--------------------------
-- Function: int gnutls_ocsp_resp_get_nonce (gnutls_ocsp_resp_const_t
RESP, unsigned int * CRITICAL, gnutls_datum_t * NONCE)
RESP: should contain a 'gnutls_ocsp_resp_t' type
CRITICAL: whether nonce extension is marked critical
NONCE: will hold newly allocated buffer with nonce data
This function will return the Basic OCSP Response nonce extension
data.
The caller needs to deallocate memory by calling 'gnutls_free()' on
'nonce' ->data.
*Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error code is returned.
gnutls_ocsp_resp_get_produced
-----------------------------
-- Function: time_t gnutls_ocsp_resp_get_produced
(gnutls_ocsp_resp_const_t RESP)
RESP: should contain a 'gnutls_ocsp_resp_t' type
This function will return the time when the OCSP response was
signed.
*Returns:* signing time, or (time_t)-1 on error.
gnutls_ocsp_resp_get_responder
------------------------------
-- Function: int gnutls_ocsp_resp_get_responder
(gnutls_ocsp_resp_const_t RESP, gnutls_datum_t * DN)
RESP: should contain a 'gnutls_ocsp_resp_t' type
DN: newly allocated buffer with name
This function will extract the name of the Basic OCSP Response in
the provided buffer. The name will be in the form
"C=xxxx,O=yyyy,CN=zzzz" as described in RFC2253. The output string
will be ASCII or UTF-8 encoded, depending on the certificate data.
If the responder ID is not a name but a hash, this function will
return zero and the 'dn' elements will be set to 'NULL' .
The caller needs to deallocate memory by calling 'gnutls_free()' on
'dn' ->data.
This function does not output a fully RFC4514 compliant string, if
that is required see 'gnutls_ocsp_resp_get_responder2()' .
*Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error code is returned. When no data exist it
will return success and set 'dn' elements to zero.
gnutls_ocsp_resp_get_responder2
-------------------------------
-- Function: int gnutls_ocsp_resp_get_responder2
(gnutls_ocsp_resp_const_t RESP, gnutls_datum_t * DN, unsigned
FLAGS)
RESP: should contain a 'gnutls_ocsp_resp_t' type
DN: newly allocated buffer with name
FLAGS: zero or 'GNUTLS_X509_DN_FLAG_COMPAT'
This function will extract the name of the Basic OCSP Response in
the provided buffer. The name will be in the form
"C=xxxx,O=yyyy,CN=zzzz" as described in RFC2253. The output string
will be ASCII or UTF-8 encoded, depending on the certificate data.
If the responder ID is not a name but a hash, this function will
return zero and the 'dn' elements will be set to 'NULL' .
The caller needs to deallocate memory by calling 'gnutls_free()' on
'dn' ->data.
When the flag 'GNUTLS_X509_DN_FLAG_COMPAT' is specified, the output
format will match the format output by previous to 3.5.6 versions
of GnuTLS which was not not fully RFC4514-compliant.
*Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error code is returned. When no data exist it
will return 'GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE' .
gnutls_ocsp_resp_get_responder_raw_id
-------------------------------------
-- Function: int gnutls_ocsp_resp_get_responder_raw_id
(gnutls_ocsp_resp_const_t RESP, unsigned TYPE, gnutls_datum_t
* RAW)
RESP: should contain a 'gnutls_ocsp_resp_t' type
TYPE: should be 'GNUTLS_OCSP_RESP_ID_KEY' or
'GNUTLS_OCSP_RESP_ID_DN'
RAW: newly allocated buffer with the raw ID
This function will extract the raw key (or DN) ID of the Basic OCSP
Response in the provided buffer. If the responder ID is not a key
ID then this function will return
'GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE' .
The caller needs to deallocate memory by calling 'gnutls_free()' on
'dn' ->data.
*Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error code is returned.
gnutls_ocsp_resp_get_response
-----------------------------
-- Function: int gnutls_ocsp_resp_get_response
(gnutls_ocsp_resp_const_t RESP, gnutls_datum_t *
RESPONSE_TYPE_OID, gnutls_datum_t * RESPONSE)
RESP: should contain a 'gnutls_ocsp_resp_t' type
RESPONSE_TYPE_OID: newly allocated output buffer with response type
OID
RESPONSE: newly allocated output buffer with DER encoded response
This function will extract the response type OID in and the
response data from an OCSP response. Normally the
'response_type_oid' is always "1.3.6.1.5.5.7.48.1.1" which means
the 'response' should be decoded as a Basic OCSP Response, but
technically other response types could be used.
This function is typically only useful when you want to extract the
response type OID of an response for diagnostic purposes.
Otherwise 'gnutls_ocsp_resp_import()' will decode the basic OCSP
response part and the caller need not worry about that aspect.
Since 3.7.0 'response_type_oid' ->size does not account for the
terminating null byte.
*Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_ocsp_resp_get_signature
------------------------------
-- Function: int gnutls_ocsp_resp_get_signature
(gnutls_ocsp_resp_const_t RESP, gnutls_datum_t * SIG)
RESP: should contain a 'gnutls_ocsp_resp_t' type
SIG: newly allocated output buffer with signature data
This function will extract the signature field of a OCSP response.
*Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_ocsp_resp_get_signature_algorithm
----------------------------------------
-- Function: int gnutls_ocsp_resp_get_signature_algorithm
(gnutls_ocsp_resp_const_t RESP)
RESP: should contain a 'gnutls_ocsp_resp_t' type
This function will return a value of the 'gnutls_sign_algorithm_t'
enumeration that is the signature algorithm that has been used to
sign the OCSP response.
*Returns:* a 'gnutls_sign_algorithm_t' value, or a negative error
code on error.
gnutls_ocsp_resp_get_single
---------------------------
-- Function: int gnutls_ocsp_resp_get_single (gnutls_ocsp_resp_const_t
RESP, unsigned INDX, gnutls_digest_algorithm_t * DIGEST,
gnutls_datum_t * ISSUER_NAME_HASH, gnutls_datum_t *
ISSUER_KEY_HASH, gnutls_datum_t * SERIAL_NUMBER, unsigned int
* CERT_STATUS, time_t * THIS_UPDATE, time_t * NEXT_UPDATE,
time_t * REVOCATION_TIME, unsigned int * REVOCATION_REASON)
RESP: should contain a 'gnutls_ocsp_resp_t' type
INDX: Specifies response number to get. Use (0) to get the first
one.
DIGEST: output variable with 'gnutls_digest_algorithm_t' hash
algorithm
ISSUER_NAME_HASH: output buffer with hash of issuer's DN
ISSUER_KEY_HASH: output buffer with hash of issuer's public key
SERIAL_NUMBER: output buffer with serial number of certificate to
check
CERT_STATUS: a certificate status, a 'gnutls_ocsp_cert_status_t'
enum.
THIS_UPDATE: time at which the status is known to be correct.
NEXT_UPDATE: when newer information will be available, or
(time_t)-1 if unspecified
REVOCATION_TIME: when 'cert_status' is 'GNUTLS_OCSP_CERT_REVOKED' ,
holds time of revocation.
REVOCATION_REASON: revocation reason, a 'gnutls_x509_crl_reason_t'
enum.
This function will return the certificate information of the 'indx'
'ed response in the Basic OCSP Response 'resp' . The information
returned corresponds to the OCSP SingleResponse structure except
the final singleExtensions.
Each of the pointers to output variables may be NULL to indicate
that the caller is not interested in that value.
*Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error code is returned. If you have reached
the last CertID available 'GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE'
will be returned.
gnutls_ocsp_resp_get_status
---------------------------
-- Function: int gnutls_ocsp_resp_get_status (gnutls_ocsp_resp_const_t
RESP)
RESP: should contain a 'gnutls_ocsp_resp_t' type
This function will return the status of a OCSP response, an
'gnutls_ocsp_resp_status_t' enumeration.
*Returns:* status of OCSP request as a 'gnutls_ocsp_resp_status_t'
, or a negative error code on error.
gnutls_ocsp_resp_get_version
----------------------------
-- Function: int gnutls_ocsp_resp_get_version (gnutls_ocsp_resp_const_t
RESP)
RESP: should contain a 'gnutls_ocsp_resp_t' type
This function will return the version of the Basic OCSP Response.
Typically this is always 1 indicating version 1.
*Returns:* version of Basic OCSP response, or a negative error code
on error.
gnutls_ocsp_resp_import
-----------------------
-- Function: int gnutls_ocsp_resp_import (gnutls_ocsp_resp_t RESP,
const gnutls_datum_t * DATA)
RESP: The data to store the parsed response.
DATA: DER encoded OCSP response.
This function will convert the given DER encoded OCSP response to
the native 'gnutls_ocsp_resp_t' format. It also decodes the Basic
OCSP Response part, if any. The output will be stored in 'resp' .
*Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_ocsp_resp_import2
------------------------
-- Function: int gnutls_ocsp_resp_import2 (gnutls_ocsp_resp_t RESP,
const gnutls_datum_t * DATA, gnutls_x509_crt_fmt_t FMT)
RESP: The data to store the parsed response.
DATA: DER or PEM encoded OCSP response.
FMT: DER or PEM
This function will convert the given OCSP response to the native
'gnutls_ocsp_resp_t' format. It also decodes the Basic OCSP
Response part, if any. The output will be stored in 'resp' .
*Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
*Since:* 3.6.3
gnutls_ocsp_resp_init
---------------------
-- Function: int gnutls_ocsp_resp_init (gnutls_ocsp_resp_t * RESP)
RESP: A pointer to the type to be initialized
This function will initialize an OCSP response structure.
*Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_ocsp_resp_list_import2
-----------------------------
-- Function: int gnutls_ocsp_resp_list_import2 (gnutls_ocsp_resp_t **
OCSPS, unsigned int * SIZE, const gnutls_datum_t * RESP_DATA,
gnutls_x509_crt_fmt_t FORMAT, unsigned int FLAGS)
OCSPS: Will hold the parsed OCSP response list.
SIZE: It will contain the size of the list.
RESP_DATA: The PEM encoded OCSP list.
FORMAT: One of 'GNUTLS_X509_FMT_PEM' or 'GNUTLS_X509_FMT_DER'
FLAGS: must be (0) or an OR'd sequence of
gnutls_certificate_import_flags.
This function will convert the given PEM encoded OCSP response list
to the native gnutls_ocsp_resp_t format. The output will be stored
in 'ocsps' which will be allocated and initialized.
The OCSP responses should have a header of "OCSP RESPONSE".
To deinitialize responses, you need to deinitialize each
'gnutls_ocsp_resp_t' structure independently, and use
'gnutls_free()' at 'ocsps' .
In PEM files, when no OCSP responses are detected
'GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE' will be returned.
*Returns:* the number of responses read or a negative error value.
*Since:* 3.6.3
gnutls_ocsp_resp_print
----------------------
-- Function: int gnutls_ocsp_resp_print (gnutls_ocsp_resp_const_t RESP,
gnutls_ocsp_print_formats_t FORMAT, gnutls_datum_t * OUT)
RESP: The data to be printed
FORMAT: Indicate the format to use
OUT: Newly allocated datum with (0) terminated string.
This function will pretty print a OCSP response, suitable for
display to a human.
If the format is 'GNUTLS_OCSP_PRINT_FULL' then all fields of the
response will be output, on multiple lines.
The output 'out' ->data needs to be deallocate using
'gnutls_free()' .
*Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_ocsp_resp_verify
-----------------------
-- Function: int gnutls_ocsp_resp_verify (gnutls_ocsp_resp_const_t
RESP, gnutls_x509_trust_list_t TRUSTLIST, unsigned int *
VERIFY, unsigned int FLAGS)
RESP: should contain a 'gnutls_ocsp_resp_t' type
TRUSTLIST: trust anchors as a 'gnutls_x509_trust_list_t' type
VERIFY: output variable with verification status, an
'gnutls_ocsp_verify_reason_t'
FLAGS: verification flags from 'gnutls_certificate_verify_flags'
Verify signature of the Basic OCSP Response against the public key
in the certificate of a trusted signer. The 'trustlist' should be
populated with trust anchors. The function will extract the signer
certificate from the Basic OCSP Response and will verify it against
the 'trustlist' . A trusted signer is a certificate that is either
in 'trustlist' , or it is signed directly by a certificate in
'trustlist' and has the id-ad-ocspSigning Extended Key Usage bit
set.
The output 'verify' variable will hold verification status codes
(e.g., 'GNUTLS_OCSP_VERIFY_SIGNER_NOT_FOUND' ,
'GNUTLS_OCSP_VERIFY_INSECURE_ALGORITHM' ) which are only valid if
the function returned 'GNUTLS_E_SUCCESS' .
Note that the function returns 'GNUTLS_E_SUCCESS' even when
verification failed. The caller must always inspect the 'verify'
variable to find out the verification status.
The 'flags' variable should be 0 for now.
*Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
gnutls_ocsp_resp_verify_direct
------------------------------
-- Function: int gnutls_ocsp_resp_verify_direct
(gnutls_ocsp_resp_const_t RESP, gnutls_x509_crt_t ISSUER,
unsigned int * VERIFY, unsigned int FLAGS)
RESP: should contain a 'gnutls_ocsp_resp_t' type
ISSUER: certificate believed to have signed the response
VERIFY: output variable with verification status, an
'gnutls_ocsp_verify_reason_t'
FLAGS: verification flags from 'gnutls_certificate_verify_flags'
Verify signature of the Basic OCSP Response against the public key
in the 'issuer' certificate.
The output 'verify' variable will hold verification status codes
(e.g., 'GNUTLS_OCSP_VERIFY_SIGNER_NOT_FOUND' ,
'GNUTLS_OCSP_VERIFY_INSECURE_ALGORITHM' ) which are only valid if
the function returned 'GNUTLS_E_SUCCESS' .
Note that the function returns 'GNUTLS_E_SUCCESS' even when
verification failed. The caller must always inspect the 'verify'
variable to find out the verification status.
The 'flags' variable should be 0 for now.
*Returns:* On success, 'GNUTLS_E_SUCCESS' (0) is returned,
otherwise a negative error value.
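Review bot: this hunk (850 lines removed, 3 kept) deletes the entire "E.5 OCSP API" node from this split Info file, from the node header "File: gnutls.info, Node: OCSP API, Next: PKCS 12 API, Prev: PKCS 7 API" down to gnutls_ocsp_resp_verify_direct. With the makeinfo 6.8 regeneration seen in the file header this is most likely the node moving into a different gnutls.info-N file, but the compare view does not show where it lands; before merging, confirm that the regenerated set still contains the OCSP API node and that the Next/Prev links from the PKCS 7 and PKCS 12 nodes resolve, otherwise `info gnutls` silently loses the OCSP reference, including the gnutls_ocsp_resp_verify caveat that GNUTLS_E_SUCCESS is returned even when verification failed and the 'verify' output must always be inspected.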