authorNikos Mavrogiannopoulos <nmav@redhat.com>2016-05-02 12:53:54 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2016-05-02 15:40:18 +0200
commitcf73cf2e8d8045ea480de0f667668ee3464d0546 (patch)
tree1c6f4931e2838b22835ec1a0c7715295b05412e6
parent4ca8dedc8ec0127ce3ecaa3829882e32bc5f130e (diff)
exported gnutls_x509_crt_equals() and gnutls_x509_crt_equals2()
These functions provide a way to compare parsed certificates. They were used internally and are useful enough to be made available publicly.
-rw-r--r--lib/includes/gnutls/x509.h4
-rw-r--r--lib/libgnutls.map2
-rw-r--r--lib/pkcs11.c2
-rw-r--r--lib/x509/common.h8
-rw-r--r--lib/x509/ocsp.c2
-rw-r--r--lib/x509/verify-high.c12
-rw-r--r--lib/x509/verify.c38
-rw-r--r--lib/x509/x509.c57
8 files changed, 73 insertions, 52 deletions
diff --git a/lib/includes/gnutls/x509.h b/lib/includes/gnutls/x509.h
index 521289b4af..4c3d5b25a9 100644
--- a/lib/includes/gnutls/x509.h
+++ b/lib/includes/gnutls/x509.h
@@ -127,6 +127,10 @@ typedef enum gnutls_certificate_import_flags {
int gnutls_x509_crt_init(gnutls_x509_crt_t * cert);
void gnutls_x509_crt_deinit(gnutls_x509_crt_t cert);
+
+unsigned gnutls_x509_crt_equals(gnutls_x509_crt_t cert1, gnutls_x509_crt_t cert2);
+unsigned gnutls_x509_crt_equals2(gnutls_x509_crt_t cert1, gnutls_datum_t * der);
+
int gnutls_x509_crt_import(gnutls_x509_crt_t cert,
const gnutls_datum_t * data,
gnutls_x509_crt_fmt_t format);
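Review bot: `gnutls_x509_crt_equals2` is declared with a non-const `gnutls_datum_t * der` even though the definition in lib/x509/x509.c only reads `der->size` and `der->data` (via memcmp); the prototype should be `unsigned gnutls_x509_crt_equals2(gnutls_x509_crt_t cert1, const gnutls_datum_t * der);`, consistent with `gnutls_x509_crt_import` directly below, so callers holding a const datum do not need a cast. The same change applies to the definition in the x509.c hunk of this commit. Since the symbol is newly exported, fixing the constness before it ships avoids an API change later.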
diff --git a/lib/libgnutls.map b/lib/libgnutls.map
index 84c9faf591..8340933e97 100644
--- a/lib/libgnutls.map
+++ b/lib/libgnutls.map
@@ -1084,6 +1084,8 @@ GNUTLS_3_4
gnutls_x509_crq_get_pk_oid;
gnutls_x509_crl_get_signature_oid;
gnutls_ecc_curve_get_pk;
+ gnutls_x509_crt_equals;
+ gnutls_x509_crt_equals2;
local:
*;
};
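Review bot: The two new symbols are appended to the existing `GNUTLS_3_4` version node, whereas the doc comments in lib/x509/x509.c mark them `Since: 3.5.0`. Symbols first shipped in 3.5 should be placed in a version node for that release (whether such a node already exists elsewhere in the map is not visible here), so that the shared object's symbol versioning records when the ABI was extended instead of retroactively widening the 3.4 node.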
diff --git a/lib/pkcs11.c b/lib/pkcs11.c
index 8916624807..750e1d19bc 100644
--- a/lib/pkcs11.c
+++ b/lib/pkcs11.c
@@ -3417,7 +3417,7 @@ int check_found_cert(struct find_cert_st *priv, gnutls_datum_t *data, time_t now
goto cleanup;
}
- if (_gnutls_check_if_same_cert(priv->crt, tcrt) == 0) {
+ if (gnutls_x509_crt_equals(priv->crt, tcrt) == 0) {
/* doesn't match */
ret = -1;
goto cleanup;
diff --git a/lib/x509/common.h b/lib/x509/common.h
index dc6dccec83..17a19569bc 100644
--- a/lib/x509/common.h
+++ b/lib/x509/common.h
@@ -217,14 +217,6 @@ bool
_gnutls_check_valid_key_id(gnutls_datum_t *key_id,
gnutls_x509_crt_t cert, time_t now);
-bool
-_gnutls_check_if_same_cert(gnutls_x509_crt_t cert1,
- gnutls_x509_crt_t cert2);
-
-bool
-_gnutls_check_if_same_cert2(gnutls_x509_crt_t cert1,
- gnutls_datum_t * cert2bin);
-
bool _gnutls_check_key_purpose(gnutls_x509_crt_t cert, const char *purpose, unsigned no_any);
time_t _gnutls_x509_generalTime2gtime(const char *ttime);
diff --git a/lib/x509/ocsp.c b/lib/x509/ocsp.c
index 0e419ac7f3..92db9b6aad 100644
--- a/lib/x509/ocsp.c
+++ b/lib/x509/ocsp.c
@@ -2088,7 +2088,7 @@ gnutls_ocsp_resp_verify_direct(gnutls_ocsp_resp_t resp,
signercert = find_signercert(resp);
if (!signercert) {
signercert = issuer;
- } else if (!_gnutls_check_if_same_cert(signercert, issuer)) {
+ } else if (!gnutls_x509_crt_equals(signercert, issuer)) {
/* response contains a signer. Verify him */
diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c
index a9799b23a8..21f4b42a34 100644
--- a/lib/x509/verify-high.c
+++ b/lib/x509/verify-high.c
@@ -289,7 +289,7 @@ gnutls_x509_trust_list_add_cas(gnutls_x509_trust_list_t list,
if (flags & GNUTLS_TL_NO_DUPLICATES || flags & GNUTLS_TL_NO_DUPLICATE_KEY) {
for (j=0;j<list->node[hash].trusted_ca_size;j++) {
if (flags & GNUTLS_TL_NO_DUPLICATES)
- ret = _gnutls_check_if_same_cert(list->node[hash].trusted_cas[j], clist[i]);
+ ret = gnutls_x509_crt_equals(list->node[hash].trusted_cas[j], clist[i]);
else
ret = _gnutls_check_if_same_key(list->node[hash].trusted_cas[j], clist[i], 1);
if (ret != 0) {
@@ -573,7 +573,7 @@ gnutls_x509_trust_list_remove_cas(gnutls_x509_trust_list_t list,
hash %= list->size;
for (j = 0; j < list->node[hash].trusted_ca_size; j++) {
- if (_gnutls_check_if_same_cert
+ if (gnutls_x509_crt_equals
(clist[i],
list->node[hash].trusted_cas[j]) != 0) {
@@ -820,7 +820,7 @@ static int shorten_clist(gnutls_x509_trust_list_t list,
hash %= list->size;
for (j = 0; j < list->node[hash].trusted_ca_size; j++) {
- if (_gnutls_check_if_same_cert
+ if (gnutls_x509_crt_equals
(certificate_list[i],
list->node[hash].trusted_cas[j]) != 0) {
/* cut the list at the point of first the trusted certificate */
@@ -1130,7 +1130,7 @@ unsigned i, j;
for (i=0;i<cert_list_size;i++) {
for (j=0;j<blacklist_size;j++) {
- if (_gnutls_check_if_same_cert(cert_list[i], blacklist[j]) != 0) {
+ if (gnutls_x509_crt_equals(cert_list[i], blacklist[j]) != 0) {
return 1;
}
}
@@ -1453,7 +1453,7 @@ gnutls_x509_trust_list_verify_named_crt(gnutls_x509_trust_list_t list,
*voutput = GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_NOT_FOUND;
for (i = 0; i < list->node[hash].named_cert_size; i++) {
- if (_gnutls_check_if_same_cert(cert, list->node[hash].named_certs[i].cert) != 0) { /* check if name matches */
+ if (gnutls_x509_crt_equals(cert, list->node[hash].named_certs[i].cert) != 0) { /* check if name matches */
if (list->node[hash].named_certs[i].name_size ==
name_size
&& memcmp(list->node[hash].named_certs[i].name,
@@ -1497,7 +1497,7 @@ _gnutls_trustlist_inlist(gnutls_x509_trust_list_t list,
for (i = 0; i < list->node[hash].trusted_ca_size; i++) {
ret =
- _gnutls_check_if_same_cert(cert,
+ gnutls_x509_crt_equals(cert,
list->node[hash].
trusted_cas[i]);
if (ret != 0)
diff --git a/lib/x509/verify.c b/lib/x509/verify.c
index 6941b1051b..7ccf370f99 100644
--- a/lib/x509/verify.c
+++ b/lib/x509/verify.c
@@ -40,7 +40,7 @@
#include <stdbool.h>
/* Checks if two certs have the same name and the same key. Return 1 on match.
- * If @is_ca is zero then this function is identical to _gnutls_check_if_same_cert()
+ * If @is_ca is zero then this function is identical to gnutls_x509_crt_equals()
*/
bool
_gnutls_check_if_same_key(gnutls_x509_crt_t cert1,
@@ -51,7 +51,7 @@ _gnutls_check_if_same_key(gnutls_x509_crt_t cert1,
bool result;
if (is_ca == 0)
- return _gnutls_check_if_same_cert(cert1, cert2);
+ return gnutls_x509_crt_equals(cert1, cert2);
ret = _gnutls_is_same_dn(cert1, cert2);
if (ret == 0)
@@ -89,40 +89,6 @@ _gnutls_check_if_same_key2(gnutls_x509_crt_t cert1,
return ret;
}
-bool
-_gnutls_check_if_same_cert(gnutls_x509_crt_t cert1,
- gnutls_x509_crt_t cert2)
-{
- int ret;
- bool result;
-
- ret = _gnutls_is_same_dn(cert1, cert2);
- if (ret == 0)
- return 0;
-
- if ((cert1->der.size == cert2->der.size) &&
- (memcmp(cert1->der.data, cert2->der.data, cert1->der.size) == 0))
- result = 1;
- else
- result = 0;
-
- return result;
-}
-
-bool
-_gnutls_check_if_same_cert2(gnutls_x509_crt_t cert1,
- gnutls_datum_t * cert2bin)
-{
- bool result;
-
- if ((cert1->der.size == cert2bin->size) &&
- (memcmp(cert1->der.data, cert2bin->data, cert1->der.size) == 0))
- result = 1;
- else
- result = 0;
-
- return result;
-}
/* Checks if the issuer of a certificate is a
* Certificate Authority, or if the certificate is the same
diff --git a/lib/x509/x509.c b/lib/x509/x509.c
index 3cccc9ec12..22206ffc8d 100644
--- a/lib/x509/x509.c
+++ b/lib/x509/x509.c
@@ -59,6 +59,63 @@ static int crt_reinit(gnutls_x509_crt_t crt)
}
/**
+ * gnutls_x509_crt_equals - This function compares two gnutls_x509_crt_t certificates
+ * @cert1: The first certificate
+ * @cert2: The second certificate
+ *
+ * This function will compare two X.509 certificate structures.
+ *
+ * Returns: On equality non-zero is returned, otherwise zero.
+ *
+ * Since: 3.5.0
+ **/
+unsigned gnutls_x509_crt_equals(gnutls_x509_crt_t cert1,
+ gnutls_x509_crt_t cert2)
+{
+ int ret;
+ bool result;
+
+ ret = _gnutls_is_same_dn(cert1, cert2);
+ if (ret == 0)
+ return 0;
+
+ if ((cert1->der.size == cert2->der.size) &&
+ (memcmp(cert1->der.data, cert2->der.data, cert1->der.size) == 0))
+ result = 1;
+ else
+ result = 0;
+
+ return result;
+}
+
+/**
+ * gnutls_x509_crt_equals2 - This function compares a gnutls_x509_crt_t cert with DER data
+ * @cert1: The first certificate
+ * @der: A DER encoded certificate
+ *
+ * This function will compare an X.509 certificate structures, with DER
+ * encoded certificate data.
+ *
+ * Returns: On equality non-zero is returned, otherwise zero.
+ *
+ * Since: 3.5.0
+ **/
+unsigned
+gnutls_x509_crt_equals2(gnutls_x509_crt_t cert1,
+ gnutls_datum_t * der)
+{
+ bool result;
+
+ if ((cert1->der.size == der->size) &&
+ (memcmp(cert1->der.data, der->data, cert1->der.size) == 0))
+ result = 1;
+ else
+ result = 0;
+
+ return result;
+}
+
+/**
* gnutls_x509_crt_init:
* @cert: A pointer to the type to be initialized
*
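Review bot: The new gtk-doc headers use the `gnutls_x509_crt_equals - This function compares ...` form, while the rest of this file (see `gnutls_x509_crt_init:` just below) uses the `name:` form, so the first lines should read `gnutls_x509_crt_equals:` and `gnutls_x509_crt_equals2:`. Now that these are public API, the description should also say what equality means: `Two certificates are considered equal when their DER encodings are byte-identical.` (the `_gnutls_is_same_dn` call in gnutls_x509_crt_equals is presumably just a cheap early exit for the common non-match case, since differing DNs imply differing DER). Neither function checks for a NULL argument, and a certificate that was initialized but not imported is presumably left with an empty DER datum, so the docs should require both arguments to be successfully imported certificates, or the functions should return 0 for NULL inputs. The `@cert1: The first certificate` line in gnutls_x509_crt_equals2 would be clearer as `@cert1: The certificate to compare against @der`, and "compare an X.509 certificate structures" should read "compare an X.509 certificate structure".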