Top | ![]() |
![]() |
![]() |
![]() |
int | gnutls_pkcs7_init () |
void | gnutls_pkcs7_deinit () |
int | gnutls_pkcs7_import () |
int | gnutls_pkcs7_export () |
int | gnutls_pkcs7_export2 () |
int | gnutls_pkcs7_get_signature_count () |
int | gnutls_pkcs7_get_embedded_data () |
const char * | gnutls_pkcs7_get_embedded_data_oid () |
int | gnutls_pkcs7_get_crt_count () |
int | gnutls_pkcs7_get_crt_raw () |
int | gnutls_pkcs7_set_crt_raw () |
int | gnutls_pkcs7_set_crt () |
int | gnutls_pkcs7_delete_crt () |
int | gnutls_pkcs7_get_crl_raw () |
int | gnutls_pkcs7_get_crl_count () |
int | gnutls_pkcs7_set_crl_raw () |
int | gnutls_pkcs7_set_crl () |
int | gnutls_pkcs7_delete_crl () |
void | gnutls_pkcs7_signature_info_deinit () |
int | gnutls_pkcs7_get_signature_info () |
int | gnutls_pkcs7_verify_direct () |
int | gnutls_pkcs7_verify () |
int | gnutls_pkcs7_add_attr () |
void | gnutls_pkcs7_attrs_deinit () |
int | gnutls_pkcs7_get_attr () |
int | gnutls_pkcs7_sign () |
int | gnutls_pkcs7_get_crt_raw2 () |
int | gnutls_pkcs7_get_crl_raw2 () |
int | gnutls_pkcs7_print () |
int | gnutls_pkcs7_print_signature_info () |
typedef | gnutls_pkcs7_t |
#define | GNUTLS_PKCS7_EDATA_GET_RAW |
typedef | gnutls_pkcs7_attrs_t |
gnutls_pkcs7_signature_info_st | |
#define | GNUTLS_PKCS7_ATTR_ENCODE_OCTET_STRING |
enum | gnutls_pkcs7_sign_flags |
gnutls_pkcs7_int |
int
gnutls_pkcs7_init (gnutls_pkcs7_t *pkcs7
);
This function will initialize a PKCS7 structure. PKCS7 structures usually contain lists of X.509 Certificates and X.509 Certificate revocation lists.
void
gnutls_pkcs7_deinit (gnutls_pkcs7_t pkcs7
);
This function will deinitialize a PKCS7 type.
int gnutls_pkcs7_import (gnutls_pkcs7_t pkcs7
,const gnutls_datum_t *data
,gnutls_x509_crt_fmt_t format
);
This function will convert the given DER or PEM encoded PKCS7 to
the native gnutls_pkcs7_t format. The output will be stored in
pkcs7
.
If the PKCS7 is PEM encoded it should have a header of "PKCS7".
int gnutls_pkcs7_export (gnutls_pkcs7_t pkcs7
,gnutls_x509_crt_fmt_t format
,void *output_data
,size_t *output_data_size
);
This function will export the pkcs7 structure to DER or PEM format.
If the buffer provided is not long enough to hold the output, then
*output_data_size
is updated and GNUTLS_E_SHORT_MEMORY_BUFFER
will be returned.
If the structure is PEM encoded, it will have a header of "BEGIN PKCS7".
int gnutls_pkcs7_export2 (gnutls_pkcs7_t pkcs7
,gnutls_x509_crt_fmt_t format
,gnutls_datum_t *out
);
This function will export the pkcs7 structure to DER or PEM format.
The output buffer is allocated using gnutls_malloc()
.
If the structure is PEM encoded, it will have a header of "BEGIN PKCS7".
pkcs7 |
The pkcs7 type |
|
format |
the format of output params. One of PEM or DER. |
|
out |
will contain a structure PEM or DER encoded |
Since: 3.1.3
int
gnutls_pkcs7_get_signature_count (gnutls_pkcs7_t pkcs7
);
This function will return the number of signatures in the PKCS7 structure.
Since: 3.4.3
int gnutls_pkcs7_get_embedded_data (gnutls_pkcs7_t pkcs7
,unsigned flags
,gnutls_datum_t *data
);
This function will return the data embedded in the signature of
the PKCS7 structure. If no data are available then
GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
will be returned.
The returned data must be de-allocated using gnutls_free()
.
Note, that this function returns the exact same data that are
authenticated. If the GNUTLS_PKCS7_EDATA_GET_RAW
flag is provided,
the returned data will be including the wrapping tag/value as
they are encoded in the structure.
pkcs7 |
should contain a gnutls_pkcs7_t type |
|
flags |
must be zero or |
|
data |
will hold the embedded data in the provided structure |
Since: 3.4.8
const char *
gnutls_pkcs7_get_embedded_data_oid (gnutls_pkcs7_t pkcs7
);
This function will return the OID of the data embedded in the signature of
the PKCS7 structure. If no data are available then NULL
will be
returned. The returned value will be valid during the lifetime
of the pkcs7
structure.
Since: 3.5.5
int
gnutls_pkcs7_get_crt_count (gnutls_pkcs7_t pkcs7
);
This function will return the number of certificates in the PKCS7 or RFC2630 certificate set.
int gnutls_pkcs7_get_crt_raw (gnutls_pkcs7_t pkcs7
,unsigned indx
,void *certificate
,size_t *certificate_size
);
This function will return a certificate of the PKCS7 or RFC2630 certificate set.
After the last certificate has been read
GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
will be returned.
pkcs7 |
should contain a gnutls_pkcs7_t type |
|
indx |
contains the index of the certificate to extract |
|
certificate |
the contents of the certificate will be copied there (may be null) |
|
certificate_size |
should hold the size of the certificate |
On success, GNUTLS_E_SUCCESS
(0) is returned, otherwise a
negative error value. If the provided buffer is not long enough,
then certificate_size
is updated and
GNUTLS_E_SHORT_MEMORY_BUFFER
is returned.
int gnutls_pkcs7_set_crt_raw (gnutls_pkcs7_t pkcs7
,const gnutls_datum_t *crt
);
This function will add a certificate to the PKCS7 or RFC2630 certificate set.
int gnutls_pkcs7_set_crt (gnutls_pkcs7_t pkcs7
,gnutls_x509_crt_t crt
);
This function will add a parsed certificate to the PKCS7 or
RFC2630 certificate set. This is a wrapper function over
gnutls_pkcs7_set_crt_raw()
.
int gnutls_pkcs7_delete_crt (gnutls_pkcs7_t pkcs7
,int indx
);
This function will delete a certificate from a PKCS7 or RFC2630 certificate set. Index starts from 0. Returns 0 on success.
int gnutls_pkcs7_get_crl_raw (gnutls_pkcs7_t pkcs7
,unsigned indx
,void *crl
,size_t *crl_size
);
This function will return a crl of the PKCS7 or RFC2630 crl set.
pkcs7 |
The pkcs7 type |
|
indx |
contains the index of the crl to extract |
|
crl |
the contents of the crl will be copied there (may be null) |
|
crl_size |
should hold the size of the crl |
On success, GNUTLS_E_SUCCESS
(0) is returned, otherwise a
negative error value. If the provided buffer is not long enough,
then crl_size
is updated and GNUTLS_E_SHORT_MEMORY_BUFFER
is
returned. After the last crl has been read
GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
will be returned.
int
gnutls_pkcs7_get_crl_count (gnutls_pkcs7_t pkcs7
);
This function will return the number of certificates in the PKCS7 or RFC2630 crl set.
int gnutls_pkcs7_set_crl_raw (gnutls_pkcs7_t pkcs7
,const gnutls_datum_t *crl
);
This function will add a crl to the PKCS7 or RFC2630 crl set.
int gnutls_pkcs7_set_crl (gnutls_pkcs7_t pkcs7
,gnutls_x509_crl_t crl
);
This function will add a parsed CRL to the PKCS7 or RFC2630 crl set.
int gnutls_pkcs7_delete_crl (gnutls_pkcs7_t pkcs7
,int indx
);
This function will delete a crl from a PKCS7 or RFC2630 crl set. Index starts from 0. Returns 0 on success.
void
gnutls_pkcs7_signature_info_deinit (gnutls_pkcs7_signature_info_st *info
);
This function will deinitialize any allocated value in the provided gnutls_pkcs7_signature_info_st.
Since: 3.4.2
int gnutls_pkcs7_get_signature_info (gnutls_pkcs7_t pkcs7
,unsigned idx
,gnutls_pkcs7_signature_info_st *info
);
This function will return information about the signature identified
by idx in the provided PKCS #7 structure. The information should be
deinitialized using gnutls_pkcs7_signature_info_deinit()
.
pkcs7 |
should contain a gnutls_pkcs7_t type |
|
idx |
the index of the signature info to check |
|
info |
will contain the output signature |
Since: 3.4.2
int gnutls_pkcs7_verify_direct (gnutls_pkcs7_t pkcs7
,gnutls_x509_crt_t signer
,unsigned idx
,const gnutls_datum_t *data
,unsigned flags
);
This function will verify the provided data against the signature present in the SignedData of the PKCS #7 structure. If the data provided are NULL then the data in the encapsulatedContent field will be used instead.
Note that, unlike gnutls_pkcs7_verify()
this function does not
verify the key purpose of the signer. It is expected for the caller
to verify the intended purpose of the signer
-e.g., via gnutls_x509_crt_get_key_purpose_oid()
,
or gnutls_x509_crt_check_key_purpose()
.
Note also, that since GnuTLS 3.5.6 this function introduces checks in the
end certificate (signer
), including time checks and key usage checks.
pkcs7 |
should contain a gnutls_pkcs7_t type |
|
signer |
the certificate believed to have signed the structure |
|
idx |
the index of the signature info to check |
|
data |
The data to be verified or |
|
flags |
Zero or an OR list of gnutls_certificate_verify_flags |
On success, GNUTLS_E_SUCCESS
(0) is returned, otherwise a
negative error value. A verification error results to a
GNUTLS_E_PK_SIG_VERIFY_FAILED
and the lack of encapsulated data
to verify to a GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
.
Since: 3.4.2
int gnutls_pkcs7_verify (gnutls_pkcs7_t pkcs7
,gnutls_x509_trust_list_t tl
,gnutls_typed_vdata_st *vdata
,unsigned int vdata_size
,unsigned idx
,const gnutls_datum_t *data
,unsigned flags
);
This function will verify the provided data against the signature present in the SignedData of the PKCS #7 structure. If the data provided are NULL then the data in the encapsulatedContent field will be used instead.
pkcs7 |
should contain a gnutls_pkcs7_t type |
|
tl |
A list of trusted certificates |
|
vdata |
an array of typed data |
|
vdata_size |
the number of data elements |
|
idx |
the index of the signature info to check |
|
data |
The data to be verified or |
|
flags |
Zero or an OR list of gnutls_certificate_verify_flags |
On success, GNUTLS_E_SUCCESS
(0) is returned, otherwise a
negative error value. A verification error results to a
GNUTLS_E_PK_SIG_VERIFY_FAILED
and the lack of encapsulated data
to verify to a GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
.
Since: 3.4.2
int gnutls_pkcs7_add_attr (gnutls_pkcs7_attrs_t *list
,const char *oid
,gnutls_datum_t *data
,unsigned flags
);
This function will set a PKCS #7 attribute in the provided list. If this function fails, the previous list would be deallocated.
Note that any attributes set with this function must either be DER or BER encoded, unless a special flag is present.
list |
A list of existing attributes or pointer to |
|
oid |
the OID of the attribute to be set |
|
data |
the raw (DER-encoded) data of the attribute to be set |
|
flags |
Since: 3.4.2
void
gnutls_pkcs7_attrs_deinit (gnutls_pkcs7_attrs_t list
);
This function will clear a PKCS #7 attribute list.
Since: 3.4.2
int gnutls_pkcs7_get_attr (gnutls_pkcs7_attrs_t list
,unsigned idx
,char **oid
,gnutls_datum_t *data
,unsigned flags
);
This function will get a PKCS #7 attribute from the provided list. The OID is a constant string, but data will be allocated and must be deinitialized by the caller.
list |
A list of existing attributes or |
|
idx |
the index of the attribute to get |
|
oid |
the OID of the attribute (read-only) |
|
data |
the raw data of the attribute |
|
flags |
On success, GNUTLS_E_SUCCESS
(0) is returned, otherwise a
negative error value. GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
is returned
if there are no data in the current index.
Since: 3.4.2
int gnutls_pkcs7_sign (gnutls_pkcs7_t pkcs7
,gnutls_x509_crt_t signer
,gnutls_privkey_t signer_key
,const gnutls_datum_t *data
,gnutls_pkcs7_attrs_t signed_attrs
,gnutls_pkcs7_attrs_t unsigned_attrs
,gnutls_digest_algorithm_t dig
,unsigned flags
);
This function will add a signature in the provided PKCS #7 structure for the provided data. Multiple signatures can be made with different signers.
The available flags are:
GNUTLS_PKCS7_EMBED_DATA
, GNUTLS_PKCS7_INCLUDE_TIME
, GNUTLS_PKCS7_INCLUDE_CERT
,
and GNUTLS_PKCS7_WRITE_SPKI
. They are explained in the gnutls_pkcs7_sign_flags
definition.
pkcs7 |
should contain a gnutls_pkcs7_t type |
|
signer |
the certificate to sign the structure |
|
signer_key |
the key to sign the structure |
|
data |
The data to be signed or |
|
signed_attrs |
Any additional attributes to be included in the signed ones (or |
|
unsigned_attrs |
Any additional attributes to be included in the unsigned ones (or |
|
dig |
The digest algorithm to use for signing |
|
flags |
Should be zero or one of |
Since: 3.4.2
int gnutls_pkcs7_get_crt_raw2 (gnutls_pkcs7_t pkcs7
,unsigned indx
,gnutls_datum_t *cert
);
This function will return a certificate of the PKCS7 or RFC2630 certificate set.
After the last certificate has been read
GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
will be returned.
pkcs7 |
should contain a gnutls_pkcs7_t type |
|
indx |
contains the index of the certificate to extract |
|
cert |
will hold the contents of the certificate; must be deallocated with |
On success, GNUTLS_E_SUCCESS
(0) is returned, otherwise a
negative error value. If the provided buffer is not long enough,
then certificate_size
is updated and
GNUTLS_E_SHORT_MEMORY_BUFFER
is returned.
Since: 3.4.2
int gnutls_pkcs7_get_crl_raw2 (gnutls_pkcs7_t pkcs7
,unsigned indx
,gnutls_datum_t *crl
);
This function will return a DER encoded CRL of the PKCS7 or RFC2630 crl set.
pkcs7 |
The pkcs7 type |
|
indx |
contains the index of the crl to extract |
|
crl |
will contain the contents of the CRL in an allocated buffer |
On success, GNUTLS_E_SUCCESS
(0) is returned, otherwise a
negative error value. After the last crl has been read
GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
will be returned.
Since: 3.4.2
int gnutls_pkcs7_print (gnutls_pkcs7_t pkcs7
,gnutls_certificate_print_formats_t format
,gnutls_datum_t *out
);
int gnutls_pkcs7_print_signature_info (gnutls_pkcs7_signature_info_st *info
,gnutls_certificate_print_formats_t format
,gnutls_datum_t *out
);
This function will pretty print a PKCS #7 signature info structure, suitable for display to a human.
Currently the supported formats are GNUTLS_CRT_PRINT_FULL
and
GNUTLS_CRT_PRINT_COMPACT
.
The output out
needs to be deallocated using gnutls_free()
.
info |
The PKCS7 signature info struct to be printed |
|
format |
Indicate the format to use |
|
out |
Newly allocated datum with null terminated string. |
Since: 3.6.14
typedef struct { gnutls_sign_algorithm_t algo; gnutls_datum_t sig; gnutls_datum_t issuer_dn; gnutls_datum_t signer_serial; gnutls_datum_t issuer_keyid; time_t signing_time; gnutls_pkcs7_attrs_t signed_attrs; gnutls_pkcs7_attrs_t unsigned_attrs; char pad[64]; } gnutls_pkcs7_signature_info_st;
Enumeration of the different PKCS #7 signature flags.