author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-04-04 16:03:34 +0200 |
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-04-06 12:57:07 +0200 |
commit | aa9d9ad6384e7b564eeb9f1f807b1c222e876357 (patch) | |
tree | 9241ec96e3d23aaff788c6e1e9d8d5179e1739d5 /lib/x509 | |
parent | a2cf89a42aff91e009ca024d24bee33970c37103 (diff) | |
x509: added function to set and retrieve inhibit anypolicy extension value
That is, introduced:
* gnutls_x509_crt_get_inhibit_anypolicy
* gnutls_x509_crt_set_inhibit_anypolicy
Resolves #180
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Diffstat (limited to 'lib/x509')
-rw-r--r-- | lib/x509/x509.c | 56 | ||||
-rw-r--r-- | lib/x509/x509_write.c | 42 |
2 files changed, 97 insertions, 1 deletions
diff --git a/lib/x509/x509.c b/lib/x509/x509.c
index 4bd16d3e5e..9c2c819ba1 100644
--- a/lib/x509/x509.c
+++ b/lib/x509/x509.c
@@ -2136,7 +2136,7 @@ gnutls_x509_crt_get_ca_status(gnutls_x509_crt_t cert,
 * %GNUTLS_KEY_KEY_CERT_SIGN, %GNUTLS_KEY_CRL_SIGN,
 * %GNUTLS_KEY_ENCIPHER_ONLY, %GNUTLS_KEY_DECIPHER_ONLY.
 *
- * Returns: the certificate key usage, or a negative error code in case of
+ * Returns: zero on success, or a negative error code in case of
 * parsing error. If the certificate does not contain the keyUsage
 * extension %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be
 * returned.
@@ -2177,6 +2177,60 @@ gnutls_x509_crt_get_key_usage(gnutls_x509_crt_t cert,
 }
 
 /**
+ * gnutls_x509_crt_get_inhibit_anypolicy:
+ * @cert: should contain a #gnutls_x509_crt_t type
+ * @skipcerts: will hold the number of certificates after which anypolicy is no longer acceptable.
+ * @critical: will be non-zero if the extension is marked as critical
+ *
+ * This function will return certificate's value of the SkipCerts, i.e.,
+ * the Inhibit anyPolicy X.509 extension (2.5.29.54).
+ *
+ * The returned value is the number of additional certificates that
+ * may appear in the path before the anyPolicy is no longer acceptable.
+
+ * Returns: zero on success, or a negative error code in case of
+ * parsing error. If the certificate does not contain the Inhibit anyPolicy
+ * extension %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be
+ * returned.
+ *
+ * Since: 3.6.0
+ **/
+int
+gnutls_x509_crt_get_inhibit_anypolicy(gnutls_x509_crt_t cert,
+ unsigned int *skipcerts,
+ unsigned int *critical)
+{
+ int ret;
+ gnutls_datum_t ext;
+
+ if (cert == NULL) {
+ gnutls_assert();
+ return GNUTLS_E_INVALID_REQUEST;
+ }
+
+ if ((ret =
+ _gnutls_x509_crt_get_extension(cert, "2.5.29.54", 0,
+ &ext, critical)) < 0) {
+ return ret;
+ }
+
+ if (ext.size == 0 || ext.data == NULL) {
+ gnutls_assert();
+ return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
+ }
+
+ ret = gnutls_x509_ext_import_key_usage(&ext, skipcerts);
+ _gnutls_free_datum(&ext);
+
+ if (ret < 0) {
+ gnutls_assert();
+ return ret;
+ }
+
+ return 0;
+}
+
+/**
 * gnutls_x509_crt_get_proxy:
 * @cert: should contain a #gnutls_x509_crt_t type
 * @critical: will be non-zero if the extension is marked as critical
diff --git a/lib/x509/x509_write.c b/lib/x509/x509_write.c
index cace8c3bf4..624ffe2a54 100644
--- a/lib/x509/x509_write.c
+++ b/lib/x509/x509_write.c
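Review bot: gnutls_x509_crt_get_inhibit_anypolicy decodes the extension body with `gnutls_x509_ext_import_key_usage(&ext, skipcerts)`, the keyUsage BIT STRING parser, although 2.5.29.54 carries a single INTEGER (SkipCerts) and the setter in x509_write.c encodes it with gnutls_x509_ext_export_inhibit_anypolicy. On a well-formed certificate that call will either fail or write an unrelated value into *skipcerts, so a caller that feeds it into policy path validation gets a wrong skip count; the line should use the importer matching the exporter, presumably `ret = gnutls_x509_ext_import_inhibit_anypolicy(&ext, skipcerts);`, and a set/get round-trip test of the new pair would have caught this. Separately, the doc block has a bare `+` line with no ` *` prefix between the description and `Returns:`; write it as ` *` so gtk-doc keeps the Returns section attached to the function.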
@@ -563,6 +563,48 @@ gnutls_x509_crt_set_key_usage(gnutls_x509_crt_t crt, unsigned int usage)
 }
 
 /**
+ * gnutls_x509_crt_set_inhibit_anypolicy:
+ * @crt: a certificate of type #gnutls_x509_crt_t
+ * @skipcerts: number of certificates after which anypolicy is no longer acceptable.
+ *
+ * This function will set the Inhibit anyPolicy certificate extension.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
+ * negative error value.
+ **/
+int
+gnutls_x509_crt_set_inhibit_anypolicy(gnutls_x509_crt_t crt, unsigned int skipcerts)
+{
+ int ret;
+ gnutls_datum_t der_data;
+
+ if (crt == NULL) {
+ gnutls_assert();
+ return GNUTLS_E_INVALID_REQUEST;
+ }
+
+ /* generate the extension.
+ */
+ ret =
+ gnutls_x509_ext_export_inhibit_anypolicy(skipcerts, &der_data);
+ if (ret < 0) {
+ gnutls_assert();
+ return ret;
+ }
+
+ ret =
+ _gnutls_x509_crt_set_extension(crt, "2.5.29.54", &der_data, 1);
+ _gnutls_free_datum(&der_data);
+
+ if (ret < 0) {
+ gnutls_assert();
+ return ret;
+ }
+
+ return 0;
+}
+
+/**
 * gnutls_x509_crt_set_subject_alternative_name:
 * @crt: a certificate of type #gnutls_x509_crt_t
 * @type: is one of the gnutls_x509_subject_alt_name_t enumerations |
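Review bot: The doc block of gnutls_x509_crt_set_inhibit_anypolicy does not say that the extension is written as critical, which the `_gnutls_x509_crt_set_extension(crt, "2.5.29.54", &der_data, 1)` call does, and it lacks the `Since: 3.6.0` line that the getter added in x509.c carries. Marking it critical is the right choice, since RFC 5280 §4.2.1.14 requires inhibitAnyPolicy to be critical, but the caller should not have to read the implementation to learn that a critical extension is being added to their certificate; add ` * This extension is always marked as critical.` after the description and ` * Since: 3.6.0` before the closing `**/`.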