[PATCH] add gnutls_certificate_find_issuer

Joe Orton jorton at redhat.com
Fri Feb 15 11:21:50 CET 2008


This patch adds a function which finds the issuer of a given certificate 
within a credentials structure.  This is useful so that clients can 
easily recreate the complete server cert chain given only the single 
cert returned by the peer.

(e.g. in the case where gnutls_certificate_set_x509_trust_file() is 
used, the client doesn't have the individual issuer cert structures to 
compare against directly.)

This and the previously submitted patch allow the two remaining failures 
in neon's SSL test suite to be fixed :)

diff -up ./includes/gnutls/gnutls.h.findissuer ./includes/gnutls/gnutls.h
--- ./includes/gnutls/gnutls.h.findissuer	2008-02-15 10:06:48.000000000 +0000
+++ ./includes/gnutls/gnutls.h	2008-02-15 09:39:56.000000000 +0000
@@ -717,6 +717,10 @@ extern "C"
 				       gnutls_x509_crl_t * crl_list,
 				       int crl_list_size);
 
+    gnutls_x509_crt_t 
+    gnutls_certificate_find_issuer (gnutls_certificate_credentials_t cred,
+                                    gnutls_x509_crt_t crt);
+
 /* global state functions
  */
   int gnutls_global_init (void);
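Review bot: the first line of the new prototype (`gnutls_x509_crt_t `) carries trailing whitespace, and the declaration is indented four spaces where the neighbouring declarations in this header (`  int gnutls_global_init (void);`) use two; please match the surrounding style. The parameter is also named `crt` here but `cert` in the definition in gnutls_cert.c, so use one name in both places.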
diff -up ./lib/gnutls_cert.c.findissuer ./lib/gnutls_cert.c
--- ./lib/gnutls_cert.c.findissuer	2007-12-17 11:12:04.000000000 +0000
+++ ./lib/gnutls_cert.c	2008-02-15 10:09:04.000000000 +0000
@@ -593,6 +593,31 @@ gnutls_certificate_verify_peers (gnutls_
 }
 
 /**
+  * gnutls_certificate_find_issuer - This function finds an issuer certificate
+  * @sc: is an #gnutls_certificate_credentials_t structure.
+  * @cert: should contain a #gnutls_x509_crt_t structure
+  *
+  * This function returns the issuer certificate of @cert, if it can
+  * be found in the listed of trusted X.509 certificates in @cred.
+  * If no issuer is found, then NULL is returned.
+  *
+  **/
+gnutls_x509_crt_t 
+gnutls_certificate_find_issuer (gnutls_certificate_credentials_t cred,
+                                gnutls_x509_crt_t cert)
+{
+  unsigned n;
+  
+  for (n = 0; n < cred->x509_ncas; n++) 
+    {
+      if (gnutls_x509_crt_check_issuer (crt, cred->x509_ca_list[n]) == 1)
+        return cred->x509_ca_list[n];
+    }
+  
+  return NULL;
+}
+
+/**
   * gnutls_certificate_expiration_time_peers - This function returns the peer's certificate expiration time
   * @session: is a gnutls session
   *
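Review bot: this does not compile as written: the parameter is declared `cert`, but the loop calls `gnutls_x509_crt_check_issuer (crt, cred->x509_ca_list[n])`, so rename one to match (the header uses `crt`). The doc comment names the first argument `@sc` while the definition calls it `cred`, and "in the listed of trusted" should read "in the list of trusted". Two things the documentation should state: the returned pointer is an element of `cred->x509_ca_list`, so it is owned by the credentials structure and callers must not deinit it; and since the match comes from `gnutls_x509_crt_check_issuer`, it is a name/identifier match against the trusted CA list only, not a signature check, so a caller rebuilding a chain still has to verify it (and only certificates loaded as trusted CAs are searched). Several added lines (`gnutls_x509_crt_t `, `  unsigned n;` and the two blank lines inside the body) also have trailing whitespace.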

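As an added illustration (not part of this patch or of GnuTLS), here is a mock model of the chain-rebuilding loop a client would run on top of the proposed function: the certificate and credentials types, the issuer predicate and the trust store are constructed stand-ins, and the walk stops on a self-signed root, a missing issuer, or a depth cap, because a name-only issuer match does not by itself rule out cycles or replace signature verification.

```c
#include <string.h>

/* Stand-in for gnutls_x509_crt_t with only the fields a name-based
 * issuer search looks at (constructed for this example). */
typedef struct { const char *subject; const char *issuer; } mock_crt;

/* Stand-in for the CA list kept in gnutls_certificate_credentials_t. */
typedef struct { const mock_crt *ca_list; unsigned ncas; } mock_cred;

/* Models gnutls_x509_crt_check_issuer: a DN match only, no signature check. */
static int mock_check_issuer(const mock_crt *crt, const mock_crt *issuer)
{
    return strcmp(crt->issuer, issuer->subject) == 0;
}

/* Same linear scan as the patch's gnutls_certificate_find_issuer. */
const mock_crt *find_issuer(const mock_cred *cred, const mock_crt *crt)
{
    for (unsigned n = 0; n < cred->ncas; n++)
        if (mock_check_issuer(crt, &cred->ca_list[n]))
            return &cred->ca_list[n];
    return NULL;
}

/* Rebuilds the chain from the peer's leaf up to a self-signed root.
 * Returns the chain length, or -1 when an issuer is missing or the
 * depth cap is reached (which is how a DN cycle shows up). */
int build_chain(const mock_cred *cred, const mock_crt *leaf,
                const mock_crt **chain, int max_len)
{
    const mock_crt *cur = leaf;
    for (int len = 0; len < max_len; ) {
        chain[len++] = cur;
        if (strcmp(cur->subject, cur->issuer) == 0)
            return len;                   /* self-signed root: done */
        if ((cur = find_issuer(cred, cur)) == NULL)
            return -1;                    /* issuer not in trust store */
    }
    return -1;                            /* depth cap hit: cycle or too deep */
}

/* Constructed trust store: a root, its intermediate, and two CAs whose
 * names point at each other, so a name-only walk would never end. */
static const mock_crt sample_cas[] = {
    { "CN=Example Root", "CN=Example Root" },
    { "CN=Example Intermediate", "CN=Example Root" },
    { "CN=Loop A", "CN=Loop B" }, { "CN=Loop B", "CN=Loop A" },
};
const mock_cred sample_cred = { sample_cas, 4 };
const mock_crt sample_leaf = { "CN=server.example", "CN=Example Intermediate" };
const mock_crt cycle_leaf = { "CN=leaf.example", "CN=Loop A" };
```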