Next: Setting attributes, Previous: Creating certificates, Up: Certificate Handling
The functions in this section allow accessing the attributes of a
certificate in a well defined manner. An error will be returned if the
certificate object has not yet been initialized by means of
ksba_cert_read_der
or ksba_cert_init_from_mem
.
This function returns a pointer to the DER encoded buffer with the raw certificate. The length of that buffer gets stored at r_length. This function is useful to export or store the raw certificate.
The function returns
NULL
on error or a pointer to a buffer with the raw certificate data. That pointer is only valid as long as the certificate object cert is valid and has not been reinitialized.
This function feeds the data which is expected to be hashed into the supplied function hasher, where the first argument passed is hasher_arg, the second the pointer to the data to be hashed and the third the length of this data.
The function returns
0
on success or an error code when something goes wrong. The hasher function is not expected to return an error; instead the caller should setup that function in a way to convey encountered errors by means of the hasher_arg. Note that a hash function is in general not expected to yield errors anyway.
Figure out the the digest algorithm used for the signature and return its OID in dotted decimal format. This function is most likely used to setup the hash context before calling
ksba_cert_hash
.The function returns
NULL
for an error; on success a constant string with the OID is returned. This string is valid as long the certificate object is valid.
The function returns the serial number of the certificate cert. The serial number is an integer returned as an canonical encoded S-expression with just one element. The caller must free the returned value. The value
NULL
is returned in case of error.
With idx given as
0
, this function returns the Distinguished Name (DN) of the certificate issuer; this usually is the name of a certification authority (CA). The format of the returned string is in accordance with RFC-2253.NULL
is returned if the DN is not available; This is a severe error and actually should have been caught by the certificate reading function.With idx greater than zero, the function may be used to enumerate alternate issuer names. The function returns
NULL
when there are no more alternate names. Only alternate names recognized bylibksba
are returned, others are simply skipped. The format of the returned name is either a RFC-2253 formated string which can be detected by checking whether the first character is a letter or digit. RFC-822 conformant email addresses are returned enclosed in angle brackets; the opening angle bracket should be used to detect this. Other formats are returned as an S-Expression in canonical format, so a opening parenthesis should be used to detect this encoding. The name may include binary null characters, thus strlen may return a length shorter than actually used. The real length is implicitly given by the structure of the S-expression, an extra null is appended for safety reasons.The caller must free the returned string using
ksba_free
or whatever function has been registered as a replacement.
With idx given as
0
, this function returns the Distinguished Name (DN) of the certificate's subject. The format of the returned string is in accordance with RFC-2253.NULL
is returned if the DN is not available.With idx greater than zero, the function may be used to enumerate alternate subject names. The function returns
NULL
when there are no more alternate names. Only alternate names recognized bylibksba
are returned, others are simply skipped. The format of the returned name is either a RFC-2253 formated string which can be detected by checking whether the first character is a letter or digit. RFC-2822 conform email addresses are returned enclosed in angle brackets; the opening angle bracket should be used to detect this. Other formats are returned as an S-Expression in canonical format, so a opening parenthesis should be used to detect this encoding, the name may include binary null characters, thus strlen may return a length shorter than actually used. The real length is implicitly given by the structure of the S-expression, an extra null is appended for safety reasons.The caller must free the returned string using
ksba_free
or whatever function has been registered as a replacement.
Due to problems with the C data type
time_t
, which will overflow on most 32 bit machines in the year 2038, it was not advisable to use this type for referencing times stored in certificates. Instead, you should use theksba_isotime_t
type, which can represent any time since the year 0.It is implemented as a buffer of 16 bytes and may be handled like a standard string. It should be initialized to zero (i.e. the first byte needs to be 0x00) if it does not hold a valid date. Date values themselves are stored in ISO format and assumed to be referenced from UTC. The string with the date value is always guaranteed to be of length 15 and having a format like: ‘"19610711T172059"’. Note that the `T' is required by ISO rules.
A simple assignment of these data types is not a good idea. You may use
strcpy
or better a specialized function like:void copy_time (ksba_isotime_t d, const ksba_isotime_t s) { if (!*s) memset (d, 0, 16); else strcpy (d, s); }For reasons of documentation a special function should also be used to compare such times:
int cmp_time (const ksba_isotime_t a, const ksba_isotime_t b) { return strcmp (a, b); }
Return the validity dates from the certificate. If no value is available an empty date object (i.e. a
strlen
will be stored at timebuf, otherwise it will receive the date. On failure an error code is returned.To return the `notBefore' date, the value
0
must be supplied for what;1
yields the `notAfter' value.
[This needs to get written - for now please see libksba/src/cert.c]
[This needs to get written - for now please see libksba/src/cert.c]
[This needs to get written - for now please see libksba/src/cert.c]
Return information on the basicConstraint (2.5.19.19) of CERT. R_CA receives true if this is a CA and only in that case R_PATHLEN is set to the maximum certification path length or -1 if there is no such limitation
Get the key usage flags. The function returns
GPG_ERR_NO_DATA
if no key usage is specified. The usage flags are as shown in RFC3280, section 4.2.1.3. The key usage flags are represented by a bitmask, and you can test each bit using symbolic constants, which tells you if that usage is set on the certificate. The constants are
KSBA_KEYUSAGE_DIGITAL_SIGNATURE
- Usable for digitalSignature.
KSBA_KEYUSAGE_NON_REPUDIATION
- Usable for nonRepudiation.
KSBA_KEYUSAGE_KEY_ENCIPHERMENT
- Usable for keyEncipherment.
KSBA_KEYUSAGE_DATA_ENCIPHERMENT
- Usable for dataEncipherment.
KSBA_KEYUSAGE_KEY_AGREEMENT
- Usable for for keyAgreement.
KSBA_KEYUSAGE_KEY_CERT_SIGN
- Usable for keyCertSign.
KSBA_KEYUSAGE_CRL_SIGN
- Usable for cRLSign.
KSBA_KEYUSAGE_ENCIPHER_ONLY
- Usable for encipherOnly.
KSBA_KEYUSAGE_DECIPHER_ONLY
- Usable for decipherOnly.
These are the basic constraints on usage of a certificate. If you need to get additional constraints, see
ksba_cert_get_ext_key_usages
.
Return a string containing the extended usages for the certificate, delimited by linefeeds.
Return a string with the certificatePolicies delimited by linefeeds. The return values may be extended to carry more information per line, so the caller should only use the first white-space delimited token per line. The function returns
GPG_ERR_NO_DATA
when this extension is not used. Caller must free the returned value.
Return the CRLDistPoints given in the certificate extension of certificate cert. idx should be iterated starting from 0 until the function returns
GPG_ERR_EOF
. r_distpoint returns a ksba_name_t object with the distribution point name(s); the return value may beNULL
to indicate that this name is not available. r_issuer returns the CRL issuer; if the returned value isNULL
the caller should assume that the CRL issuer is the same as the certificate issuer. r_reason returns the reason for the CRL. This is a bit encoded value with no bit set if no reason has been specified in the certificate.The caller may pass
NULL
to any of the pointer arguments if he is not interested in this value. The return values for r_distpoint and r_issuer must be released by the caller usingksba_name_release
.
Return the subjectKeyIdentifier extension as a simple allocated S-expression at the address of r_keyid. 0 is returned on success,
GPG_ERR_NO_DATA
if no such extension is available or any other error code. If r_crit is not passed asNULL
, the critical flag of this is extension is stored at this address.
Return the authorityKeyIdentifier in r_name and r_serial or in r_keyid.
GPG_ERR_NO_DATA
is returned if no authorityKeyIdentifier has been found. This error code is also returned if r_keyid has been given as NULL and only an authorityKeyIdentifier with the keyIdentifier method is available.
Return the authorityInfoAccess attributes. idx should be iterated starting from 0 until this function returns
GPG_ERR_EOF
. r_method returns an allocated string with the OID of one item and r_location returns the GeneralName for that OID. The returned values for r_method and r_location must be released by the caller unless the function returned an error; the function will however make sure that r_method and r_location will point toNULL
if the function returns an error.See RFC-2459, section 4.2.2.1 for the definition of this attribute.
Return the subjectInfoAccess attributes. idx should be iterated starting from 0 until this function returns
GPG_ERR_EOF
. r_method returns an allocated string with the OID of one item and r_location returns the GeneralName for that OID. The returned values for r_method and r_location must be released by the caller unless the function returned an error; the function will however make sure that r_method and r_location will point toNULL
if the function returns an error.See RFC-2459, section 4.2.2.2 for the definition of this attribute.