-rw-r--r--doc/tex/cert_auth.tex19
-rw-r--r--doc/tex/certificate.tex8
-rw-r--r--doc/tex/ex-x509-info.tex26
-rw-r--r--includes/gnutls/x509.h2
-rw-r--r--lib/x509/x509.c7
-rw-r--r--lib/x509/x509_write.c45
-rw-r--r--src/certtool.c6
7 files changed, 88 insertions, 25 deletions
diff --git a/doc/tex/cert_auth.tex b/doc/tex/cert_auth.tex
index 8e71417c7f..f950321a1f 100644
--- a/doc/tex/cert_auth.tex
+++ b/doc/tex/cert_auth.tex
@@ -37,14 +37,19 @@ in a certificate credentials structure. This should be done by using
\printfunc{gnutls_certificate_set_x509_key_file}{gnutls\_certificate\_set\_x509\_key\_file}
or
\printfunc{gnutls_certificate_set_openpgp_key_file}{gnutls\_certificate\_set\_openpgp\_key\_file}
-depending on the certificate type. As an alternative, a callback may be used
-so the server or the client set the certificate at the handshake time.
-That callback can be set using
-\printfunc{gnutls_certificate_server_set_retrieve_function}{gnutls\_certificate\_server\_set\_retrieve\_function}
-or
-\printfunc{gnutls_certificate_client_set_retrieve_function}{gnutls\_certificate\_client\_set\_retrieve\_function}
-in case of a client.
+depending on the certificate type.
+In the X.509 case, the functions will also accept and use a certificate list
+that leads to a trusted authority. The certificate list must be ordered in such
+way that every certificate certifies the one before it. The trusted authority's
+certificate need not to be included, since the peer should possess it already.
\par
+As an alternative, a callback may be used
+so the server or the client specify the certificate and the key at the handshake time.
+That callback can be set using the functions:
+\begin{itemize}
+\item \printfunc{gnutls_certificate_server_set_retrieve_function}{gnutls\_certificate\_server\_set\_retrieve\_function}
+\item \printfunc{gnutls_certificate_client_set_retrieve_function}{gnutls\_certificate\_client\_set\_retrieve\_function}
+\end{itemize}
Certificate verification is possible by loading the trusted authorities
into the credentials structure by using
\printfunc{gnutls_certificate_set_x509_trust_file}{gnutls\_certificate\_set\_x509\_trust\_file}
diff --git a/doc/tex/certificate.tex b/doc/tex/certificate.tex
index b4608b9c3a..75740ae3fd 100644
--- a/doc/tex/certificate.tex
+++ b/doc/tex/certificate.tex
@@ -28,7 +28,8 @@ on page \pageref{sec:x509api}. Some examples are listed below.
\subsection{X.509 certificates}
An X.509 certificate usually contains information about the certificate
holder, the signer, a unique serial number, expiration dates and several other
-fields\cite{RFC3280}. Some functions of \gnutls{}' API for certificate parsing are:
+fields\cite{RFC3280}. Several functions exist to generate and handle X.509
+certificates, all listed in \emph{gnutls/x509.h}. Some of them are:
\begin{itemize}
\item \printfunc{gnutls_x509_crt_init}{gnutls\_x509\_crt\_init}
\item \printfunc{gnutls_x509_crt_import}{gnutls\_x509\_crt\_import}
@@ -38,9 +39,8 @@ fields\cite{RFC3280}. Some functions of \gnutls{}' API for certificate parsing a
\end{itemize}
\par
-An example program that reads the peer's certificate,
-and prints some information about the peer's certificate in a TLS session,
-is listed below.
+To demonstrate the X.509 parsing capabilities an example program is listed below.
+That program reads the peer's certificate, and prints information about it.
\input{ex-x509-info}
diff --git a/doc/tex/ex-x509-info.tex b/doc/tex/ex-x509-info.tex
index d7712861a7..b6740081a5 100644
--- a/doc/tex/ex-x509-info.tex
+++ b/doc/tex/ex-x509-info.tex
@@ -35,31 +35,37 @@ static void print_x509_certificate_info(gnutls_session session)
int cert_list_size = 0;
gnutls_x509_crt cert;
+ /* This function only works for X.509 certificates.
+ */
+ if (gnutls_certificate_type_get(session) != GNUTLS_CRT_X509)
+ return;
+
cert_list = gnutls_certificate_get_peers(session, &cert_list_size);
- if (cert_list_size > 0
- && gnutls_certificate_type_get(session) == GNUTLS_CRT_X509) {
+ printf("Peer provided %d certificates.\n", cert_list_size);
+
+ if (cert_list_size > 0) {
- /* no error checking
+ /* we only print information about the first certificate.
*/
gnutls_x509_crt_init( &cert);
gnutls_x509_crt_import( cert, &cert_list[0]);
- printf(" - Certificate info:\n");
+ printf("Certificate info:\n");
expiration_time = gnutls_x509_crt_get_expiration_time( cert);
activation_time = gnutls_x509_crt_get_activation_time( cert);
- printf(" - Certificate is valid since: %s", ctime(&activation_time));
- printf(" - Certificate expires: %s", ctime(&expiration_time));
+ printf("\tCertificate is valid since: %s", ctime(&activation_time));
+ printf("\tCertificate expires: %s", ctime(&expiration_time));
/* Print the serial number of the certificate.
*/
size = sizeof(serial);
gnutls_x509_crt_get_serial(cert, serial, &size);
- printf(" - Certificate serial number: %s\n",
+ printf("\tCertificate serial number: %s\n",
bin2hex( serial, serial_size));
/* Extract some of the public key algorithm's parameters
@@ -82,16 +88,16 @@ static void print_x509_certificate_info(gnutls_session session)
/* Print the version of the X.509
* certificate.
*/
- printf(" - Certificate version: #%d\n",
+ printf("\tCertificate version: #%d\n",
gnutls_x509_crt_get_version( cert));
size = sizeof(dn);
gnutls_x509_crt_get_dn( cert, dn, &size);
- printf(" - DN: %s\n", dn);
+ printf("\tDN: %s\n", dn);
size = sizeof(dn);
gnutls_x509_crt_get_issuer_dn( cert, dn, &size);
- printf(" - Certificate Issuer's DN: %s\n", dn);
+ printf("\tIssuer's DN: %s\n", dn);
gnutls_x509_crt_deinit( cert);
diff --git a/includes/gnutls/x509.h b/includes/gnutls/x509.h
index 631e6e00a1..d482c8bf62 100644
--- a/includes/gnutls/x509.h
+++ b/includes/gnutls/x509.h
@@ -93,6 +93,8 @@ int gnutls_x509_crt_get_crl_dist_points(gnutls_x509_crt cert,
unsigned int *critical);
int gnutls_x509_crt_set_crl_dist_points(gnutls_x509_crt crt, gnutls_x509_subject_alt_name type,
const void* data_string, unsigned int reason_flags);
+int gnutls_x509_crt_cpy_crl_dist_points(gnutls_x509_crt dst,
+ gnutls_x509_crt src);
time_t gnutls_x509_crt_get_activation_time(gnutls_x509_crt cert);
time_t gnutls_x509_crt_get_expiration_time(gnutls_x509_crt cert);
diff --git a/lib/x509/x509.c b/lib/x509/x509.c
index 04fb415126..ccfbaf1580 100644
--- a/lib/x509/x509.c
+++ b/lib/x509/x509.c
@@ -785,7 +785,6 @@ int gnutls_x509_crt_get_subject_alt_name(gnutls_x509_crt cert,
asn1_delete_structure(&c2);
if (result < 0) {
- gnutls_assert();
return result;
}
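Review bot: Removing `gnutls_assert()` on this error path also silences genuine failures, because `result` (set before the hunk, from the ASN.1 read preceding `asn1_delete_structure`) carries every negative code, not only the "no such subject alt name" case a caller probing by index expects. If the goal is to stop logging the expected not-found case, keep the diagnostic for the others, e.g. `if (result < 0) { if (result != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) gnutls_assert(); return result; }`, assuming that is the code the absent case surfaces as, which the hunk does not show. The same applies to the `gnutls_x509_crt_get_extension_oid` hunk below. gnutls_x509_crt_get_subject_alt_name starts and ends outside the hunk.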
@@ -980,9 +979,9 @@ int gnutls_x509_crt_get_extension_oid(gnutls_x509_crt cert, int indx,
return GNUTLS_E_INVALID_REQUEST;
}
- if ((result =
- _gnutls_x509_crt_get_extension_oid(cert, indx, oid, sizeof_oid)) < 0) {
- gnutls_assert();
+ result =
+ _gnutls_x509_crt_get_extension_oid(cert, indx, oid, sizeof_oid);
+ if (result < 0) {
return result;
}
diff --git a/lib/x509/x509_write.c b/lib/x509/x509_write.c
index b4c155b7bb..076d964408 100644
--- a/lib/x509/x509_write.c
+++ b/lib/x509/x509_write.c
@@ -543,6 +543,51 @@ unsigned int critical;
}
/**
+ * gnutls_x509_crt_cpy_crl_dist_points - This function will copy the CRL dist points
+ * @dst: should contain a gnutls_x509_crt structure
+ * @src: the certificate where the dist points will be copied from
+ *
+ * This function will copy the CRL distribution points certificate
+ * extension, from the source to the destination certificate.
+ * This may be useful to copy from a CA certificate to issued ones.
+ *
+ * Returns 0 on success.
+ *
+ **/
+int gnutls_x509_crt_cpy_crl_dist_points(gnutls_x509_crt dst,
+ gnutls_x509_crt src)
+{
+int result;
+gnutls_datum der_data;
+unsigned int critical;
+
+ if (dst==NULL || src == NULL) {
+ gnutls_assert();
+ return GNUTLS_E_INVALID_REQUEST;
+ }
+
+ /* Check if the extension already exists.
+ */
+ result = _gnutls_x509_crt_get_extension(src, "2.5.29.31", 0, &der_data, &critical);
+ if (result < 0) {
+ gnutls_assert();
+ return result;
+ }
+
+ result = _gnutls_x509_crt_set_extension( dst, "2.5.29.31", &der_data, critical);
+ _gnutls_free_datum( &der_data);
+
+ if (result < 0) {
+ gnutls_assert();
+ return result;
+ }
+
+ dst->use_extensions = 1;
+
+ return 0;
+}
+
+/**
* gnutls_x509_crt_set_subject_key_id - This function will set the certificate's subject key id
* @cert: should contain a gnutls_x509_crt structure
* @id: The key ID
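Review bot: The doc comment of the new `gnutls_x509_crt_cpy_crl_dist_points` recommends copying the extension "from a CA certificate to issued ones" without a caveat, yet a CA certificate's cRLDistributionPoints names the CRL that covers the CA certificate itself (published by the CA's issuer), not the CRL the CA publishes for the certificates it signs, so the copied pointer is only correct when the same CA also issues that CRL (typically a self-signed CA). Suggest extending the comment with `Note that a CA's distribution points describe the CRL covering the CA certificate itself; copy them only when the same CA also publishes the CRL for the certificates it issues.` The comment `Check if the extension already exists.` above the `_gnutls_x509_crt_get_extension` call is also misleading, since that call reads the extension from `src` rather than testing `dst`; `Read the source certificate's CRL distribution points (fails if absent).` describes what happens. Both are documentation-only changes.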
diff --git a/src/certtool.c b/src/certtool.c
index c9ddb48396..40e51ae271 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -607,6 +607,12 @@ void generate_signed_certificate( void)
ca_crt = load_ca_cert();
crt = generate_certificate( &key);
+
+ /* Copy the CRL distribution points.
+ */
+ gnutls_x509_crt_cpy_crl_dist_points( crt, ca_crt);
+ /* it doesn't matter if we couldn't copy the CRL dist points.
+ */
print_certificate_info( crt, stderr, 0);
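Review bot: Every failure of `gnutls_x509_crt_cpy_crl_dist_points` is discarded here, although the function (added in lib/x509/x509_write.c in this diff) also fails when writing the extension into `crt` fails, not only when `ca_crt` carries no CRL distribution points; a certificate can then be issued without the revocation pointer the operator expects and nothing is reported. Suggest keeping the return value and treating only the absent-extension case as benign: `int ret = gnutls_x509_crt_cpy_crl_dist_points( crt, ca_crt);` / `if (ret < 0 && ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)` / `fprintf(stderr, "warning: could not copy CRL distribution points: %s\n", gnutls_strerror(ret));` — assuming the absent case surfaces as GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE, which this diff does not show. generate_signed_certificate continues outside the hunk.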