Next: OCSP API, Previous: X509 certificate API, Up: API reference [Contents][Index]
The following functions are to be used for PKCS 7 structures handling. Their prototypes lie in gnutls/pkcs7.h.
list: A list of existing attributes or pointer to NULL
for the first one
oid: the OID of the attribute to be set
data: the raw (DER-encoded) data of the attribute to be set
flags: zero or GNUTLS_PKCS7_ATTR_ENCODE_OCTET_STRING
This function will set a PKCS 7
attribute in the provided list.
If this function fails, the previous list would be deallocated.
Note that any attributes set with this function must either be DER or BER encoded, unless a special flag is present.
Returns: On success, the new list head, otherwise NULL
.
Since: 3.4.2
list: A list of existing attributes
This function will clear a PKCS 7
attribute list.
Since: 3.4.2
pkcs7: the type to be deinitialized
This function will deinitialize a PKCS7 type.
pkcs7: The pkcs7 type
indx: the index of the crl to delete
This function will delete a crl from a PKCS7 or RFC2630 crl set. Index starts from 0. Returns 0 on success.
Returns: On success, GNUTLS_E_SUCCESS
(0) is returned, otherwise a
negative error value.
pkcs7: The pkcs7 type
indx: the index of the certificate to delete
This function will delete a certificate from a PKCS7 or RFC2630 certificate set. Index starts from 0. Returns 0 on success.
Returns: On success, GNUTLS_E_SUCCESS
(0) is returned, otherwise a
negative error value.
pkcs7: The pkcs7 type
format: the format of output params. One of PEM or DER.
output_data: will contain a structure PEM or DER encoded
output_data_size: holds the size of output_data (and will be replaced by the actual size of parameters)
This function will export the pkcs7 structure to DER or PEM format.
If the buffer provided is not long enough to hold the output, then
* output_data_size
is updated and GNUTLS_E_SHORT_MEMORY_BUFFER
will be returned.
If the structure is PEM encoded, it will have a header of "BEGIN PKCS7".
Returns: On success, GNUTLS_E_SUCCESS
(0) is returned, otherwise a
negative error value.
pkcs7: The pkcs7 type
format: the format of output params. One of PEM or DER.
out: will contain a structure PEM or DER encoded
This function will export the pkcs7 structure to DER or PEM format.
The output buffer is allocated using gnutls_malloc()
.
If the structure is PEM encoded, it will have a header of "BEGIN PKCS7".
Returns: On success, GNUTLS_E_SUCCESS
(0) is returned, otherwise a
negative error value.
Since: 3.1.3
list: A list of existing attributes or NULL
for the first one
idx: the index of the attribute to get
oid: the OID of the attribute (read-only)
data: the raw data of the attribute
flags: zero or GNUTLS_PKCS7_ATTR_ENCODE_OCTET_STRING
This function will get a PKCS 7
attribute from the provided list.
The OID is a constant string, but data will be allocated and must be
deinitialized by the caller.
Returns: On success, GNUTLS_E_SUCCESS
(0) is returned, otherwise a
negative error value. GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
is returned
if there are no data in the current index.
Since: 3.4.2
pkcs7: The pkcs7 type
This function will return the number of certificates in the PKCS7 or RFC2630 crl set.
Returns: On success, GNUTLS_E_SUCCESS
(0) is returned, otherwise a
negative error value.
pkcs7: The pkcs7 type
indx: contains the index of the crl to extract
crl: the contents of the crl will be copied there (may be null)
crl_size: should hold the size of the crl
This function will return a crl of the PKCS7 or RFC2630 crl set.
Returns: On success, GNUTLS_E_SUCCESS
(0) is returned, otherwise a
negative error value. If the provided buffer is not long enough,
then crl_size
is updated and GNUTLS_E_SHORT_MEMORY_BUFFER
is
returned. After the last crl has been read
GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
will be returned.
pkcs7: The pkcs7 type
indx: contains the index of the crl to extract
crl: will contain the contents of the CRL in an allocated buffer
This function will return a DER encoded CRL of the PKCS7 or RFC2630 crl set.
Returns: On success, GNUTLS_E_SUCCESS
(0) is returned, otherwise a
negative error value. After the last crl has been read
GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
will be returned.
Since: 3.4.2
pkcs7: should contain a gnutls_pkcs7_t
type
This function will return the number of certificates in the PKCS7 or RFC2630 certificate set.
Returns: On success, a positive number is returned, otherwise a negative error value.
pkcs7: should contain a gnutls_pkcs7_t type
indx: contains the index of the certificate to extract
certificate: the contents of the certificate will be copied there (may be null)
certificate_size: should hold the size of the certificate
This function will return a certificate of the PKCS7 or RFC2630 certificate set.
After the last certificate has been read
GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
will be returned.
Returns: On success, GNUTLS_E_SUCCESS
(0) is returned, otherwise a
negative error value. If the provided buffer is not long enough,
then certificate_size
is updated and
GNUTLS_E_SHORT_MEMORY_BUFFER
is returned.
pkcs7: should contain a gnutls_pkcs7_t type
indx: contains the index of the certificate to extract
cert: will hold the contents of the certificate; must be deallocated with gnutls_free()
This function will return a certificate of the PKCS7 or RFC2630 certificate set.
After the last certificate has been read
GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
will be returned.
Returns: On success, GNUTLS_E_SUCCESS
(0) is returned, otherwise a
negative error value. If the provided buffer is not long enough,
then certificate_size
is updated and
GNUTLS_E_SHORT_MEMORY_BUFFER
is returned.
Since: 3.4.2
pkcs7: should contain a gnutls_pkcs7_t type
flags: must be zero or GNUTLS_PKCS7_EDATA_GET_RAW
data: will hold the embedded data in the provided structure
This function will return the data embedded in the signature of
the PKCS7 structure. If no data are available then
GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
will be returned.
The returned data must be de-allocated using gnutls_free()
.
Note, that this function returns the exact same data that are
authenticated. If the GNUTLS_PKCS7_EDATA_GET_RAW
flag is provided,
the returned data will be including the wrapping tag/value as
they are encoded in the structure.
Returns: On success, GNUTLS_E_SUCCESS
(0) is returned, otherwise a
negative error value.
Since: 3.4.8
pkcs7: should contain a gnutls_pkcs7_t type
This function will return the OID of the data embedded in the signature of
the PKCS7 structure. If no data are available then NULL
will be
returned. The returned value will be valid during the lifetime
of the pkcs7
structure.
Returns: On success, a pointer to an OID string, NULL
on error.
Since: 3.5.5
pkcs7: should contain a gnutls_pkcs7_t
type
This function will return the number of signatures in the PKCS7 structure.
Returns: On success, a positive number is returned, otherwise a negative error value.
Since: 3.4.3
pkcs7: should contain a gnutls_pkcs7_t
type
idx: the index of the signature info to check
info: will contain the output signature
This function will return information about the signature identified
by idx in the provided PKCS 7
structure. The information should be
deinitialized using gnutls_pkcs7_signature_info_deinit()
.
Returns: On success, GNUTLS_E_SUCCESS
(0) is returned, otherwise a
negative error value.
Since: 3.4.2
pkcs7: The data to store the parsed PKCS7.
data: The DER or PEM encoded PKCS7.
format: One of DER or PEM
This function will convert the given DER or PEM encoded PKCS7 to
the native gnutls_pkcs7_t
format. The output will be stored in
pkcs7
. Any signed data that may be present inside the pkcs7
structure, like certificates set by gnutls_pkcs7_set_crt()
, will
be freed and overwritten by this function.
If the PKCS7 is PEM encoded it should have a header of "PKCS7".
Returns: On success, GNUTLS_E_SUCCESS
(0) is returned, otherwise a
negative error value.
pkcs7: A pointer to the type to be initialized
This function will initialize a PKCS7 structure. PKCS7 structures usually contain lists of X.509 Certificates and X.509 Certificate revocation lists.
Returns: On success, GNUTLS_E_SUCCESS
(0) is returned, otherwise a
negative error value.
pkcs7: The PKCS7 struct to be printed
format: Indicate the format to use
out: Newly allocated datum with null terminated string.
This function will pretty print a signed PKCS 7
structure, suitable for
display to a human.
Currently the supported formats are GNUTLS_CRT_PRINT_FULL
and
GNUTLS_CRT_PRINT_COMPACT
.
The output out
needs to be deallocated using gnutls_free()
.
Returns: On success, GNUTLS_E_SUCCESS
(0) is returned, otherwise a
negative error value.
info: The PKCS7 signature info struct to be printed
format: Indicate the format to use
out: Newly allocated datum with null terminated string.
This function will pretty print a PKCS 7
signature info structure, suitable
for display to a human.
Currently the supported formats are GNUTLS_CRT_PRINT_FULL
and
GNUTLS_CRT_PRINT_COMPACT
.
The output out
needs to be deallocated using gnutls_free()
.
Returns: On success, GNUTLS_E_SUCCESS
(0) is returned, otherwise a
negative error value.
Since: 3.6.14
pkcs7: The pkcs7 type
crl: the DER encoded crl to be added
This function will add a parsed CRL to the PKCS7 or RFC2630 crl set.
Returns: On success, GNUTLS_E_SUCCESS
(0) is returned, otherwise a
negative error value.
pkcs7: The pkcs7 type
crl: the DER encoded crl to be added
This function will add a crl to the PKCS7 or RFC2630 crl set.
Returns: On success, GNUTLS_E_SUCCESS
(0) is returned, otherwise a
negative error value.
pkcs7: The pkcs7 type
crt: the certificate to be copied.
This function will add a parsed certificate to the PKCS7 or
RFC2630 certificate set. This is a wrapper function over
gnutls_pkcs7_set_crt_raw()
.
Returns: On success, GNUTLS_E_SUCCESS
(0) is returned, otherwise a
negative error value.
pkcs7: The pkcs7 type
crt: the DER encoded certificate to be added
This function will add a certificate to the PKCS7 or RFC2630 certificate set.
Returns: On success, GNUTLS_E_SUCCESS
(0) is returned, otherwise a
negative error value.
pkcs7: should contain a gnutls_pkcs7_t
type
signer: the certificate to sign the structure
signer_key: the key to sign the structure
data: The data to be signed or NULL
if the data are already embedded
signed_attrs: Any additional attributes to be included in the signed ones (or NULL
)
unsigned_attrs: Any additional attributes to be included in the unsigned ones (or NULL
)
dig: The digest algorithm to use for signing
flags: Should be zero or one of GNUTLS_PKCS7
flags
This function will add a signature in the provided PKCS 7
structure
for the provided data. Multiple signatures can be made with different
signers.
The available flags are:
GNUTLS_PKCS7_EMBED_DATA
, GNUTLS_PKCS7_INCLUDE_TIME
, GNUTLS_PKCS7_INCLUDE_CERT
,
and GNUTLS_PKCS7_WRITE_SPKI
. They are explained in the gnutls_pkcs7_sign_flags
definition.
Returns: On success, GNUTLS_E_SUCCESS
(0) is returned, otherwise a
negative error value.
Since: 3.4.2
info: should point to a gnutls_pkcs7_signature_info_st
structure
This function will deinitialize any allocated value in the
provided gnutls_pkcs7_signature_info_st
.
Since: 3.4.2
pkcs7: should contain a gnutls_pkcs7_t
type
tl: A list of trusted certificates
vdata: an array of typed data
vdata_size: the number of data elements
idx: the index of the signature info to check
data: The data to be verified or NULL
flags: Zero or an OR list of gnutls_certificate_verify_flags
This function will verify the provided data against the signature
present in the SignedData of the PKCS 7
structure. If the data
provided are NULL then the data in the encapsulatedContent field
will be used instead.
Returns: On success, GNUTLS_E_SUCCESS
(0) is returned, otherwise a
negative error value. A verification error results to a
GNUTLS_E_PK_SIG_VERIFY_FAILED
and the lack of encapsulated data
to verify to a GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
.
Since: 3.4.2
pkcs7: should contain a gnutls_pkcs7_t
type
signer: the certificate believed to have signed the structure
idx: the index of the signature info to check
data: The data to be verified or NULL
flags: Zero or an OR list of gnutls_certificate_verify_flags
This function will verify the provided data against the signature
present in the SignedData of the PKCS 7
structure. If the data
provided are NULL then the data in the encapsulatedContent field
will be used instead.
Note that, unlike gnutls_pkcs7_verify()
this function does not
verify the key purpose of the signer. It is expected for the caller
to verify the intended purpose of the signer
-e.g., via gnutls_x509_crt_get_key_purpose_oid()
,
or gnutls_x509_crt_check_key_purpose()
.
Note also, that since GnuTLS 3.5.6 this function introduces checks in the
end certificate ( signer
), including time checks and key usage checks.
Returns: On success, GNUTLS_E_SUCCESS
(0) is returned, otherwise a
negative error value. A verification error results to a
GNUTLS_E_PK_SIG_VERIFY_FAILED
and the lack of encapsulated data
to verify to a GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
.
Since: 3.4.2
Next: OCSP API, Previous: X509 certificate API, Up: API reference [Contents][Index]