authorNikos Mavrogiannopoulos <nmav@redhat.com>2017-04-04 16:03:34 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2017-04-06 12:57:07 +0200
commitaa9d9ad6384e7b564eeb9f1f807b1c222e876357 (patch)
tree9241ec96e3d23aaff788c6e1e9d8d5179e1739d5
parenta2cf89a42aff91e009ca024d24bee33970c37103 (diff)
downloadgnutls-aa9d9ad6384e7b564eeb9f1f807b1c222e876357.tar.gz
x509: added function to set and retrieve inhibit anypolicy extension value
That is, introduced: * gnutls_x509_crt_get_inhibit_anypolicy * gnutls_x509_crt_set_inhibit_anypolicy Resolves #180 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r--lib/includes/gnutls/x509.h6
-rw-r--r--lib/libgnutls.map2
-rw-r--r--lib/x509/x509.c56
-rw-r--r--lib/x509/x509_write.c42
4 files changed, 105 insertions, 1 deletions
diff --git a/lib/includes/gnutls/x509.h b/lib/includes/gnutls/x509.h
index ddfe9f4a58..ca696d262c 100644
--- a/lib/includes/gnutls/x509.h
+++ b/lib/includes/gnutls/x509.h
@@ -479,6 +479,12 @@ int gnutls_x509_crt_set_authority_info_access(gnutls_x509_crt_t
crt, int what,
gnutls_datum_t * data);
+int gnutls_x509_crt_get_inhibit_anypolicy(gnutls_x509_crt_t cert,
+ unsigned int *skipcerts,
+ unsigned int *critical);
+int
+gnutls_x509_crt_set_inhibit_anypolicy(gnutls_x509_crt_t crt, unsigned int skipcerts);
+
int gnutls_x509_crt_get_proxy(gnutls_x509_crt_t cert,
unsigned int *critical,
int *pathlen,
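Review bot: The second prototype splits the return type onto its own line (`int` / `gnutls_x509_crt_set_inhibit_anypolicy(...)`), while every neighbouring declaration in this header, including the getter added just above it, keeps the return type on the signature line. Writing it as `int gnutls_x509_crt_set_inhibit_anypolicy(gnutls_x509_crt_t crt, unsigned int skipcerts);` keeps the header consistent. The blank context line between the two existing prototypes appears to have been lost in rendering, so the exact placement is inferred.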
diff --git a/lib/libgnutls.map b/lib/libgnutls.map
index 727d57bc7e..61a4e98194 100644
--- a/lib/libgnutls.map
+++ b/lib/libgnutls.map
@@ -1138,6 +1138,8 @@ GNUTLS_3_4
gnutls_x509_crt_check_ip;
gnutls_x509_ext_import_inhibit_anypolicy;
gnutls_x509_ext_export_inhibit_anypolicy;
+ gnutls_x509_crt_get_inhibit_anypolicy;
+ gnutls_x509_crt_set_inhibit_anypolicy;
local:
*;
};
diff --git a/lib/x509/x509.c b/lib/x509/x509.c
index 4bd16d3e5e..9c2c819ba1 100644
--- a/lib/x509/x509.c
+++ b/lib/x509/x509.c
@@ -2136,7 +2136,7 @@ gnutls_x509_crt_get_ca_status(gnutls_x509_crt_t cert,
* %GNUTLS_KEY_KEY_CERT_SIGN, %GNUTLS_KEY_CRL_SIGN,
* %GNUTLS_KEY_ENCIPHER_ONLY, %GNUTLS_KEY_DECIPHER_ONLY.
*
- * Returns: the certificate key usage, or a negative error code in case of
+ * Returns: zero on success, or a negative error code in case of
* parsing error. If the certificate does not contain the keyUsage
* extension %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be
* returned.
@@ -2177,6 +2177,60 @@ gnutls_x509_crt_get_key_usage(gnutls_x509_crt_t cert,
}
/**
+ * gnutls_x509_crt_get_inhibit_anypolicy:
+ * @cert: should contain a #gnutls_x509_crt_t type
+ * @skipcerts: will hold the number of certificates after which anypolicy is no longer acceptable.
+ * @critical: will be non-zero if the extension is marked as critical
+ *
+ * This function will return certificate's value of the SkipCerts, i.e.,
+ * the Inhibit anyPolicy X.509 extension (2.5.29.54).
+ *
+ * The returned value is the number of additional certificates that
+ * may appear in the path before the anyPolicy is no longer acceptable.
+
+ * Returns: zero on success, or a negative error code in case of
+ * parsing error. If the certificate does not contain the Inhibit anyPolicy
+ * extension %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be
+ * returned.
+ *
+ * Since: 3.6.0
+ **/
+int
+gnutls_x509_crt_get_inhibit_anypolicy(gnutls_x509_crt_t cert,
+ unsigned int *skipcerts,
+ unsigned int *critical)
+{
+ int ret;
+ gnutls_datum_t ext;
+
+ if (cert == NULL) {
+ gnutls_assert();
+ return GNUTLS_E_INVALID_REQUEST;
+ }
+
+ if ((ret =
+ _gnutls_x509_crt_get_extension(cert, "2.5.29.54", 0,
+ &ext, critical)) < 0) {
+ return ret;
+ }
+
+ if (ext.size == 0 || ext.data == NULL) {
+ gnutls_assert();
+ return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
+ }
+
+ ret = gnutls_x509_ext_import_key_usage(&ext, skipcerts);
+ _gnutls_free_datum(&ext);
+
+ if (ret < 0) {
+ gnutls_assert();
+ return ret;
+ }
+
+ return 0;
+}
+
+/**
* gnutls_x509_crt_get_proxy:
* @cert: should contain a #gnutls_x509_crt_t type
* @critical: will be non-zero if the extension is marked as critical
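Review bot: The new getter decodes the extension with the wrong importer: the `ret = gnutls_x509_ext_import_key_usage(&ext, skipcerts);` line parses the value as a KeyUsage bit string, whereas 2.5.29.54 carries a SkipCerts INTEGER, so on a well-formed certificate the call will presumably fail or store a number unrelated to the encoded skip count, and any caller enforcing policy constraints from it would be misled. The matching counterpart of the exporter used by the new setter in x509_write.c is already exported in libgnutls.map; the line should read `ret = gnutls_x509_ext_import_inhibit_anypolicy(&ext, skipcerts);`. Separately, the blank line inside the doc comment after "no longer acceptable." is missing its leading ` *`, which ends the gtk-doc block early; make that line ` *`.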
diff --git a/lib/x509/x509_write.c b/lib/x509/x509_write.c
index cace8c3bf4..624ffe2a54 100644
--- a/lib/x509/x509_write.c
+++ b/lib/x509/x509_write.c
@@ -563,6 +563,48 @@ gnutls_x509_crt_set_key_usage(gnutls_x509_crt_t crt, unsigned int usage)
}
/**
+ * gnutls_x509_crt_set_inhibit_anypolicy:
+ * @crt: a certificate of type #gnutls_x509_crt_t
+ * @skipcerts: number of certificates after which anypolicy is no longer acceptable.
+ *
+ * This function will set the Inhibit anyPolicy certificate extension.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
+ * negative error value.
+ **/
+int
+gnutls_x509_crt_set_inhibit_anypolicy(gnutls_x509_crt_t crt, unsigned int skipcerts)
+{
+ int ret;
+ gnutls_datum_t der_data;
+
+ if (crt == NULL) {
+ gnutls_assert();
+ return GNUTLS_E_INVALID_REQUEST;
+ }
+
+ /* generate the extension.
+ */
+ ret =
+ gnutls_x509_ext_export_inhibit_anypolicy(skipcerts, &der_data);
+ if (ret < 0) {
+ gnutls_assert();
+ return ret;
+ }
+
+ ret =
+ _gnutls_x509_crt_set_extension(crt, "2.5.29.54", &der_data, 1);
+ _gnutls_free_datum(&der_data);
+
+ if (ret < 0) {
+ gnutls_assert();
+ return ret;
+ }
+
+ return 0;
+}
+
+/**
* gnutls_x509_crt_set_subject_alternative_name:
* @crt: a certificate of type #gnutls_x509_crt_t
* @type: is one of the gnutls_x509_subject_alt_name_t enumerations
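Review bot: The doc comment for gnutls_x509_crt_set_inhibit_anypolicy has no `Since:` tag, unlike the getter introduced in the same commit, so the generated API reference will not show when the setter appeared; add ` * Since: 3.6.0` before the closing `**/`. The call `_gnutls_x509_crt_set_extension(crt, "2.5.29.54", &der_data, 1)` hard-codes the extension as critical, which is what RFC 5280 section 4.2.1.14 requires for inhibitAnyPolicy, but nothing says so; a one-line comment above it, `/* RFC 5280 4.2.1.14: inhibitAnyPolicy MUST be marked critical */`, would stop a later reader from "fixing" it to non-critical. The existing `/* generate the extension. */` comment could be merged with it.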