authorNikos Mavrogiannopoulos <nmav@redhat.com>2016-05-31 16:07:44 +0200
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2016-06-14 14:42:33 +0200
commitfe4edb2058d17c59c6149133ea436bf9ae859b72 (patch)
treedd3b0db5c5c647f4757a03a8cd6e2494d41bfb93 /lib/x509/x509_write.c
parent580fb7d8bb382a96f6bdf5ecc6b7b62e1e4d1d7f (diff)
During PKIX chain verification check the TLSFeatures compliance
This verifies whether a chain complies with RFC7366 p.4.2.2 requirements, that is, whether the issuer's features are a superset of those of the certificate under verification. This enhances gnutls_x509_crt_get_tlsfeatures() to allow appending of TLSFeatures, and introduces gnutls_x509_tlsfeatures_check_crt().
Diffstat (limited to 'lib/x509/x509_write.c')
-rw-r--r--lib/x509/x509_write.c41
1 files changed, 0 insertions, 41 deletions
diff --git a/lib/x509/x509_write.c b/lib/x509/x509_write.c
index e9c6259094..8f971071d8 100644
--- a/lib/x509/x509_write.c
+++ b/lib/x509/x509_write.c
@@ -1907,44 +1907,3 @@ gnutls_x509_crt_set_policy(gnutls_x509_crt_t crt,
return ret;
}
-/**
- * gnutls_x509_crt_set_tlsfeatures:
- * @crt: A X.509 certificate
- * @features: If the function succeeds, the
- * features will be added to the certificate.
- *
- * This function will set the certificates
- * X.509 TLS extention from the given structure.
- *
- * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
- * otherwise a negative error value.
- *
- * Since: 3.5.1
- **/
-int gnutls_x509_crt_set_tlsfeatures(gnutls_x509_crt_t crt,
- gnutls_x509_tlsfeatures_t features)
-{
- int ret;
- gnutls_datum_t der;
-
- if (crt == NULL || features == NULL) {
- gnutls_assert();
- return GNUTLS_E_INVALID_REQUEST;
- }
-
- ret = gnutls_x509_ext_export_tlsfeatures(features, &der);
- if (ret < 0) {
- gnutls_assert();
- return ret;
- }
-
- ret = _gnutls_x509_crt_set_extension(crt, GNUTLS_X509EXT_OID_TLSFEATURES, &der, 0);
-
- _gnutls_free_datum(&der);
-
- if (ret < 0) {
- gnutls_assert();
- }
-
- return ret;
-}