authorNikos Mavrogiannopoulos <nmav@gnutls.org>2003-01-08 22:58:57 +0000
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2003-01-08 22:58:57 +0000
commit8c350afd53f9867161aee0911ba1255016ed6f3c (patch)
treec70719d013ce8b7742e71e2474a7f485a5421469
parent50bf2827116d09e4f053ef045f4ae425864d3986 (diff)
downloadgnutls-8c350afd53f9867161aee0911ba1255016ed6f3c.tar.gz
Added gnutls_x509_extract_certificate_ca_status() which returns
the CA status of the given certificate.
-rw-r--r--NEWS2
-rw-r--r--lib/gnutls_ui.h1
-rw-r--r--lib/gnutls_x509.c69
3 files changed, 71 insertions, 1 deletions
diff --git a/NEWS b/NEWS
index b1ac4dcd88..40e7257660 100644
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,8 @@ Version 0.7.0
distinguished name in a single string.
- Added gnutls_openpgp_extract_key_name_string() which returns
an openpgp user ID in a single string.
+- Added gnutls_x509_extract_certificate_ca_status() which returns
+ the CA status of the given certificate.
- Added SRP-6 support. Follows draft-ietf-tls-srp-04.
- If libtasn1 is not present in the system, it is included in
the main gnutls library.
diff --git a/lib/gnutls_ui.h b/lib/gnutls_ui.h
index 2d7339ce61..606c2d22c3 100644
--- a/lib/gnutls_ui.h
+++ b/lib/gnutls_ui.h
@@ -78,6 +78,7 @@ time_t gnutls_x509_extract_certificate_expiration_time( const gnutls_datum*);
int gnutls_x509_extract_certificate_subject_alt_name( const gnutls_datum*, int seq, char*, int*);
int gnutls_x509_pkcs7_extract_certificate(const gnutls_datum * pkcs7_struct, int indx, char* certificate, int* certificate_size);
int gnutls_x509_extract_certificate_pk_algorithm( const gnutls_datum * cert, int* bits);
+int gnutls_x509_extract_certificate_ca_status(const gnutls_datum * cert);
int gnutls_x509_extract_key_pk_algorithm( const gnutls_datum * key);
int gnutls_x509_verify_certificate( const gnutls_datum* cert_list, int cert_list_length, const gnutls_datum * CA_list, int CA_list_length, const gnutls_datum* CRL_list, int CRL_list_length);
diff --git a/lib/gnutls_x509.c b/lib/gnutls_x509.c
index 477eb6e65a..12fa8af753 100644
--- a/lib/gnutls_x509.c
+++ b/lib/gnutls_x509.c
@@ -576,7 +576,7 @@ static gnutls_x509_subject_alt_name _find_type( char* str_type) {
}
/**
- * gnutls_x509_extract_certificate_subject_alt_name - This function returns the peer's alt name, if any
+ * gnutls_x509_extract_certificate_subject_alt_name - This function returns the certificate's alternative name, if any
* @cert: should contain an X.509 DER encoded certificate
* @seq: specifies the sequence number of the alt name (0 for the first one, 1 for the second etc.)
* @ret: is the place where the alternative name will be copied to
@@ -688,6 +688,73 @@ int gnutls_x509_extract_certificate_subject_alt_name(const gnutls_datum * cert,
}
/**
+ * gnutls_x509_extract_certificate_ca_status - This function returns the certificate CA status
+ * @cert: should contain an X.509 DER encoded certificate
+ *
+ * This function will return certificates CA status, by reading the
+ * basicConstraints X.509 extension. If the certificate is a CA a positive
+ * value will be returned, or zero if the certificate does not have
+ * CA flag set.
+ *
+ * A negative value may be returned in case of parsing error.
+ *
+ **/
+int gnutls_x509_extract_certificate_ca_status(const gnutls_datum * cert)
+{
+ int result;
+ gnutls_datum basicConstraints;
+ ASN1_TYPE c2;
+ char str[128];
+ char ext_data[256];
+ int len;
+
+ if ((result =
+ _gnutls_get_extension(cert, "2 5 29 19", &basicConstraints)) < 0) {
+ gnutls_assert();
+ return result;
+ }
+
+ if (basicConstraints.size == 0 || basicConstraints.data==NULL) {
+ gnutls_assert();
+ return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
+ }
+
+ if ((result=_gnutls_asn1_create_element
+ (_gnutls_get_pkix(), "PKIX1.BasicConstraints", &c2, "bc"))
+ != ASN1_SUCCESS) {
+ gnutls_assert();
+ _gnutls_free_datum( &basicConstraints);
+ return _gnutls_asn2err(result);
+ }
+
+ result = asn1_der_decoding(&c2, basicConstraints.data, basicConstraints.size, NULL);
+ _gnutls_free_datum( &basicConstraints);
+
+ if (result != ASN1_SUCCESS) {
+ /* couldn't decode DER */
+
+ _gnutls_log("X509_auth: Decoding error %d\n", result);
+ gnutls_assert();
+ asn1_delete_structure(&c2);
+ return _gnutls_asn2err(result);
+ }
+
+ len = sizeof(str) - 1;
+ result = asn1_read_value(c2, "bc.cA", str, &len);
+ asn1_delete_structure(&c2);
+
+ if (result != ASN1_SUCCESS) {
+ gnutls_assert();
+ return _gnutls_asn2err(result);
+ }
+
+ if (strcmp(str, "TRUE") == 0)
+ return 1; /* CA */
+ else
+ return 0; /* not a CA */
+}
+
+/**
* gnutls_x509_extract_certificate_activation_time - This function returns the peer's certificate activation time
* @cert: should contain an X.509 DER encoded certificate
*
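Review bot: The header comment describes a negative return only as a parsing error, but the `basicConstraints.size == 0 || basicConstraints.data==NULL` check returns GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE for a certificate that simply carries no basicConstraints extension, and a caller deciding whether a certificate may act as an issuer needs to tell that apart from a malformed one. I would add to the docstring: ` * If the certificate has no basicConstraints extension, GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned; callers must not treat that case as a CA.` The local `char ext_data[256];` is declared but never referenced and can be dropped. The cA field is DEFAULT FALSE in the PKIX syntax, so whether `asn1_read_value(c2, "bc.cA", str, &len)` yields "FALSE" or an element-not-found error when the field is omitted depends on how this libtasn1 version materialises defaults; if it is the latter, a certificate with basicConstraints but no explicit cA would be reported as an error instead of 0, which is worth a test.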