-rw-r--r-- | lib/includes/gnutls/x509.h | 5 | ||||
-rw-r--r-- | lib/libgnutls.map | 1 | ||||
-rw-r--r-- | lib/x509/x509.c | 24 |
3 files changed, 29 insertions, 1 deletions
diff --git a/lib/includes/gnutls/x509.h b/lib/includes/gnutls/x509.h index 7e95b0fd76..f665c34eb2 100644 --- a/lib/includes/gnutls/x509.h +++ b/lib/includes/gnutls/x509.h @@ -81,6 +81,8 @@ extern "C" { #define GNUTLS_KP_IPSEC_IKE "1.3.6.1.5.5.7.3.17" #define GNUTLS_KP_ANY "2.5.29.37.0" +#define GNUTLS_KP_FLAG_DISALLOW_ANY 1 + #define GNUTLS_OID_AIA "1.3.6.1.5.5.7.1.1" #define GNUTLS_OID_AD_OCSP "1.3.6.1.5.5.7.48.1" #define GNUTLS_OID_AD_CAISSUERS "1.3.6.1.5.5.7.48.2" @@ -981,6 +983,9 @@ int gnutls_x509_crt_set_key_purpose_oid(gnutls_x509_crt_t cert, const void *oid, unsigned int critical); +unsigned gnutls_x509_crt_check_key_purpose(gnutls_x509_crt_t cert, + const char *purpose, unsigned flags); + /* Private key handling. */ diff --git a/lib/libgnutls.map b/lib/libgnutls.map index d0c028b995..c0186f5524 100644 --- a/lib/libgnutls.map +++ b/lib/libgnutls.map @@ -1123,6 +1123,7 @@ GNUTLS_3_4 gnutls_certificate_set_known_dh_params; gnutls_anon_set_server_known_dh_params; gnutls_psk_set_server_known_dh_params; + gnutls_x509_crt_check_key_purpose; local: *; }; diff --git a/lib/x509/x509.c b/lib/x509/x509.c index a60d667033..29f776b6dc 100644 --- a/lib/x509/x509.c +++ b/lib/x509/x509.c @@ -2857,7 +2857,7 @@ _gnutls_x509_crt_check_revocation(gnutls_x509_crt_t cert, * @crl_list: should contain a list of gnutls_x509_crl_t types * @crl_list_length: the length of the crl_list * - * This function will return check if the given certificate is + * This function will check if the given certificate is * revoked. It is assumed that the CRLs have been verified before. * * Returns: 0 if the certificate is NOT revoked, and 1 if it is. A 
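Review bot: `GNUTLS_KP_FLAG_DISALLOW_ANY` is inserted in the middle of the `GNUTLS_KP_*` block of key-purpose OID strings with no comment, so a reader of the header cannot tell it is a bit flag consumed by `gnutls_x509_crt_check_key_purpose()` rather than another purpose OID. I'd put a one-line comment above the define: `/* flags for gnutls_x509_crt_check_key_purpose() */`. The value 1 works as a first bit flag, but nothing marks it as one; if further flags are anticipated, writing it as `(1<<0)` makes that intent visible to whoever adds the next one.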
@@ -2873,6 +2873,28 @@ gnutls_x509_crt_check_revocation(gnutls_x509_crt_t cert,
 }
 
 /**
+ * gnutls_x509_crt_check_key_purpose:
+ * @cert: should contain a #gnutls_x509_crt_t type
+ * @purpose: a key purpose OID (e.g., %GNUTLS_KP_CODE_SIGNING)
+ * @flags: zero or %GNUTLS_KP_FLAG_DISALLOW_ANY
+ *
+ * This function will check whether the given certificate matches
+ * the provided key purpose. If @flags contains %GNUTLS_KP_FLAG_ALLOW_ANY then
+ * it a certificate marked for any purpose will not match.
+ *
+ * Returns: zero if the key purpose doesn't match, and non-zero otherwise.
+ *
+ * Since: 3.5.6
+ **/
+unsigned
+gnutls_x509_crt_check_key_purpose(gnutls_x509_crt_t cert,
+ const char *purpose,
+ unsigned flags)
+{
+ return _gnutls_check_key_purpose(cert, purpose, (flags&GNUTLS_KP_FLAG_DISALLOW_ANY)?1:0);
+}
+
+/**
  * gnutls_x509_crt_get_preferred_hash_algorithm:
  * @crt: Holds the certificate
  * @hash: The result of the call with the hash algorithm used for signature |
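Review bot: The doc comment refers to `%GNUTLS_KP_FLAG_ALLOW_ANY`, a name this patch never defines (the header adds `GNUTLS_KP_FLAG_DISALLOW_ANY`), and the sentence "then it a certificate marked for any purpose will not match" is garbled, so the generated documentation will both mislink and misread. I'd rewrite those two lines as ` * the provided key purpose. If @flags contains %GNUTLS_KP_FLAG_DISALLOW_ANY then` / ` * a certificate marked for any purpose (%GNUTLS_KP_ANY) will not match.` Because, per the comment, the default `flags=0` lets a certificate marked for any purpose satisfy whatever purpose is asked for, callers using this for a policy decision (code signing, TLS server) should be told that explicitly, and the comment should also say what is returned for a certificate with no extended-key-usage extension at all; that case is decided inside `_gnutls_check_key_purpose`, which is not in this hunk, so I cannot tell from here. Minor style: `!!(flags & GNUTLS_KP_FLAG_DISALLOW_ANY)` reads more naturally than `(flags&GNUTLS_KP_FLAG_DISALLOW_ANY)?1:0`.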