-rw-r--r--includes/gnutls/pkcs12.h2
-rw-r--r--lib/gnutls.h.in.in5
-rw-r--r--lib/x509/pkcs12_bag.c2
-rw-r--r--lib/x509/verify.c33
-rw-r--r--src/certtool.c12
5 files changed, 42 insertions, 12 deletions
diff --git a/includes/gnutls/pkcs12.h b/includes/gnutls/pkcs12.h
index 84b312a153..49617c81be 100644
--- a/includes/gnutls/pkcs12.h
+++ b/includes/gnutls/pkcs12.h
@@ -65,7 +65,7 @@ typedef enum gnutls_pkcs12_bag_type {
} gnutls_pkcs12_bag_type;
gnutls_pkcs12_bag_type gnutls_pkcs12_bag_get_type(gnutls_pkcs12_bag bag, int indx);
-int gnutls_pkcs12_bag_get_data(gnutls_pkcs12_bag bag, int indx, gnutls_datum* data);
+int gnutls_pkcs12_bag_get_data(gnutls_pkcs12_bag bag, int indx, gnutls_const_datum* data);
int gnutls_pkcs12_bag_set_data(gnutls_pkcs12_bag bag, gnutls_pkcs12_bag_type type,
const gnutls_datum* data);
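Review bot: The `+` line changes the third parameter of a public function from `gnutls_datum *` to `gnutls_const_datum *`, so every existing caller of gnutls_pkcs12_bag_get_data stops compiling; that is a deliberate source-level API break and the header should say so next to the declaration. The header also gives no hint of why the type is const, which is the whole point of the change. I would add above the declaration `/* Fills data with a read-only view of the bag element; the caller must not modify it. */`. Whether that view stays valid after the bag is freed is not visible in this diff, so state it once confirmed.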
diff --git a/lib/gnutls.h.in.in b/lib/gnutls.h.in.in
index a36629c6a7..94966e3656 100644
--- a/lib/gnutls.h.in.in
+++ b/lib/gnutls.h.in.in
@@ -153,6 +153,11 @@ typedef struct {
unsigned int size;
} gnutls_datum;
+typedef struct {
+ const unsigned char * data;
+ unsigned int size;
+} gnutls_const_datum;
+
/* internal functions */
int gnutls_init(gnutls_session * session, gnutls_connection_end con_end);
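Review bot: `gnutls_const_datum` is introduced without a comment explaining how it relates to `gnutls_datum` directly above it; the two structs have the same layout but are distinct types, so callers will be tempted to convert between them with a cast, which certtool.c already does in this commit. A one-line comment above the typedef would document the intent, e.g. `/* Same layout as gnutls_datum, but the bytes are read-only: used where the library hands out a view the caller must not modify. */`.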
diff --git a/lib/x509/pkcs12_bag.c b/lib/x509/pkcs12_bag.c
index 2193dd987c..2617c56700 100644
--- a/lib/x509/pkcs12_bag.c
+++ b/lib/x509/pkcs12_bag.c
@@ -123,7 +123,7 @@ int gnutls_pkcs12_bag_get_count(gnutls_pkcs12_bag bag)
* This function will return the bag's data.
*
**/
-int gnutls_pkcs12_bag_get_data(gnutls_pkcs12_bag bag, int indx, gnutls_datum* data)
+int gnutls_pkcs12_bag_get_data(gnutls_pkcs12_bag bag, int indx, gnutls_const_datum* data)
{
if (indx >= bag->bag_elements)
return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
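Review bot: The bounds check `if (indx >= bag->bag_elements)` still admits a negative `indx`, since `indx` is a signed int; the body of gnutls_pkcs12_bag_get_data continues past the hunk, so I cannot see whether a later line catches it, but the check as written should read `if (indx < 0 || indx >= bag->bag_elements)`. The docblock above, "This function will return the bag's data.", should also be updated for the new const type, for example by adding `The datum is a read-only view into the bag; the caller must not modify it.`.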
diff --git a/lib/x509/verify.c b/lib/x509/verify.c
index f102f372c3..e6f1ecf937 100644
--- a/lib/x509/verify.c
+++ b/lib/x509/verify.c
@@ -48,7 +48,7 @@ static
int is_crl_issuer(gnutls_x509_crl crl, gnutls_x509_crt issuer_cert);
static int _gnutls_verify_crl2(gnutls_x509_crl crl,
gnutls_x509_crt *trusted_cas, int tcas_size,
- unsigned int flags);
+ unsigned int flags, unsigned int *output);
/* Checks if the issuer of a certificate is a
@@ -593,9 +593,14 @@ int gnutls_x509_crt_verify( gnutls_x509_crt cert,
gnutls_x509_crt *CA_list, int CA_list_length,
unsigned int flags, unsigned int *verify)
{
+int ret;
/* Verify certificate
*/
- _gnutls_verify_certificate2( cert, CA_list, CA_list_length, flags, verify);
+ ret = _gnutls_verify_certificate2( cert, CA_list, CA_list_length, flags, verify);
+ if (ret < 0) {
+ gnutls_assert();
+ return ret;
+ }
return 0;
}
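Review bot: On the new `if (ret < 0)` path this wrapper returns without assigning `*verify`, so a caller that inspects `*verify` the way the old `*verify = _gnutls_verify_crl2(...)` API encouraged may read whatever the callee left there; in the CRL case the callee zeroes `*output` at entry (`if (output) *output = 0;` later in this diff), and in the new flag scheme 0 reads as trusted. I would fail closed by writing the flag before returning, `if (ret < 0) { gnutls_assert(); *verify = GNUTLS_CERT_NOT_TRUSTED; return ret; }`, here and in the matching hunk of gnutls_x509_crl_verify below. Whether _gnutls_verify_certificate2 writes `*verify` before it fails is not visible in this diff.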
@@ -658,10 +663,14 @@ int gnutls_x509_crl_verify( gnutls_x509_crl crl,
gnutls_x509_crt *CA_list, int CA_list_length,
unsigned int flags, unsigned int *verify)
{
+int ret;
/* Verify crl
*/
- *verify =
- _gnutls_verify_crl2( crl, CA_list, CA_list_length, flags);
+ ret = _gnutls_verify_crl2( crl, CA_list, CA_list_length, flags, verify);
+ if (ret < 0) {
+ gnutls_assert();
+ return ret;
+ }
return 0;
}
@@ -719,10 +728,13 @@ gnutls_x509_crt find_crl_issuer(gnutls_x509_crl crl,
* was successfuly verified.
*
* 'flags': an OR of the gnutls_certificate_verify_flags enumeration.
+ *
+ * Output will hold information about the verification
+ * procedure.
*/
static int _gnutls_verify_crl2(gnutls_x509_crl crl,
gnutls_x509_crt *trusted_cas, int tcas_size,
- unsigned int flags)
+ unsigned int flags, unsigned int* output)
{
/* CRL is ignored for now */
gnutls_datum crl_signed_data = { NULL, 0 };
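Review bot: The added comment `Output will hold information about the verification procedure.` says neither which values land in `output`, nor that it may be NULL (every write below is guarded with `if (output)`), nor that the function returns 0 with failure bits set rather than a negative code when the issuer is missing or not a CA. I would replace those two lines with something like `'output': if non-NULL, receives an OR of the GNUTLS_CERT_* status flags (GNUTLS_CERT_NOT_TRUSTED, GNUTLS_CERT_ISSUER_NOT_FOUND, GNUTLS_CERT_ISSUER_NOT_CA); a negative return is an error, a return of 0 means consult *output.` The meaning of a positive return is not visible here, and the docblock starts above the hunk.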
@@ -730,10 +742,13 @@ gnutls_datum crl_signature = { NULL, 0 };
gnutls_x509_crt issuer;
int ret, result;
+ if (output) *output = 0;
+
if (tcas_size >= 1)
issuer = find_crl_issuer(crl, trusted_cas, tcas_size);
else {
gnutls_assert();
+ if (output) *output |= GNUTLS_CERT_ISSUER_NOT_FOUND | GNUTLS_CERT_NOT_TRUSTED;
return 0;
}
@@ -742,6 +757,7 @@ int ret, result;
*/
if (issuer == NULL) {
gnutls_assert();
+ if (output) *output |= GNUTLS_CERT_ISSUER_NOT_FOUND | GNUTLS_CERT_NOT_TRUSTED;
return 0;
}
@@ -749,6 +765,7 @@ int ret, result;
if (gnutls_x509_crt_get_ca_status(issuer, NULL) != 1)
{
gnutls_assert();
+ if (output) *output |= GNUTLS_CERT_ISSUER_NOT_CA | GNUTLS_CERT_NOT_TRUSTED;
return 0;
}
}
@@ -765,11 +782,13 @@ int ret, result;
goto cleanup;
}
-
ret = _gnutls_x509_verify_signature(&crl_signed_data, &crl_signature, issuer);
- if (ret <= 0) {
+ if (ret < 0) {
+ gnutls_assert();
+ } else if (ret == 0) {
gnutls_assert();
/* error. ignore it */
+ if (output) *output |= GNUTLS_CERT_NOT_TRUSTED;
ret = 0;
}
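Review bot: The new `if (ret < 0)` branch only calls gnutls_assert() and leaves `*output` untouched, so after the `*output = 0` at the top of _gnutls_verify_crl2 a signature-verification error leaves the flags reading as trusted even though the return value is negative; the branch should also do `if (output) *output |= GNUTLS_CERT_NOT_TRUSTED;` so the flags and the return code agree. The `/* error. ignore it */` comment now sits in the `ret == 0` branch, which is a signature mismatch rather than an error, and reads as stale; `/* signature does not verify: flag NOT_TRUSTED and continue with ret = 0 */` describes what the branch does. What happens to a negative `ret` after this block is outside the hunk.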
diff --git a/src/certtool.c b/src/certtool.c
index 9b98d5c0b5..686d935088 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -1562,9 +1562,9 @@ void print_bag_data(gnutls_pkcs12_bag bag)
{
int result;
int count, i, type;
-gnutls_datum data;
+gnutls_const_datum cdata;
const char* str;
-gnutls_datum out;
+gnutls_datum out, data;
count = gnutls_pkcs12_bag_get_count( bag);
if (count < 0) {
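Review bot: `gnutls_datum out, data;` now declares `data` only to hold a const-stripped copy of `cdata`, built later in print_bag_data with `data.data = (unsigned char*)cdata.data;`, which discards exactly the read-only guarantee the new gnutls_const_datum type introduces. If gnutls_pem_base64_encode_alloc never writes through its input, giving it a `const gnutls_datum *` parameter would remove the cast; otherwise a comment at the cast should say why writing through it is safe. Its signature is not visible in this diff, so I cannot tell which applies; declaring `data` on its own line with a comment naming that role would also make the intent clearer.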
@@ -1583,7 +1583,7 @@ gnutls_datum out;
fprintf( outfile, "\tType: %s\n", BAGTYPE( type));
- result = gnutls_pkcs12_bag_get_data( bag, i, &data);
+ result = gnutls_pkcs12_bag_get_data( bag, i, &cdata);
if (result < 0) {
fprintf(stderr, "get_data: %s\n", gnutls_strerror(result));
exit(1);
@@ -1608,6 +1608,12 @@ gnutls_datum out;
str = NULL;
}
+ /* we have to cast gnutls_const_datum to a
+ * plain datum.
+ */
+ data.data = (unsigned char*)cdata.data;
+ data.size = cdata.size;
+
if (str != NULL) {
gnutls_pem_base64_encode_alloc( str, &data, &out);
fprintf( outfile, "%s\n", out.data);