[PATCH] add gnutls_certificate_find_issuer

Joe Orton jorton at redhat.com
Tue Feb 19 21:56:55 CET 2008


On Fri, Feb 15, 2008 at 10:21:50AM +0000, Joe Orton wrote:
> This patch adds a function which finds the issuer of a given certificate 
> within a credentials structure.  This is useful so that clients can 
> easily recreate the complete server cert chain given only the single 
> cert returned by the peer.
> 
> (e.g. in the case where gnutls_certificate_set_x509_trust_file() is 
> used, the client doesn't have the individual issuer cert structures to 
> compare against directly.)
> 
> This and the previously submitted patch allow the two remaining failures 
> in neon's SSL test suite to be fixed :)

The patch submitted for this had a typo and wouldn't compile; here's an 
updated version:

diff -up ./includes/gnutls/gnutls.h.findissuer ./includes/gnutls/gnutls.h
--- ./includes/gnutls/gnutls.h.findissuer
+++ ./includes/gnutls/gnutls.h
@@ -717,6 +717,10 @@ extern "C"
 				       gnutls_x509_crl_t * crl_list,
 				       int crl_list_size);
 
+    gnutls_x509_crt_t 
+    gnutls_certificate_find_issuer (gnutls_certificate_credentials_t cred,
+                                    gnutls_x509_crt_t cert);
+
 /* global state functions
  */
   int gnutls_global_init (void);
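Review bot: the new prototype in this hunk is indented four spaces and the `gnutls_x509_crt_t` line ends in a trailing space, while the neighbouring declarations in this header (`  int gnutls_global_init (void);`) use two-space indentation; re-indent the prototype to match the surrounding style and drop the trailing whitespace.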
diff -up ./lib/gnutls_cert.c.findissuer ./lib/gnutls_cert.c
--- ./lib/gnutls_cert.c.findissuer
+++ ./lib/gnutls_cert.c
@@ -593,6 +593,31 @@ gnutls_certificate_verify_peers (gnutls_
 }
 
 /**
+  * gnutls_certificate_find_issuer - This function finds an issuer certificate
+  * @sc: is an #gnutls_certificate_credentials_t structure.
+  * @cert: should contain a gnutls_x509_crt_t structure
+  *
+  * This function returns the issuer certificate of @cert, if it can
+  * be found in the listed of trusted X.509 certificates in @cred.
+  * If no issuer is found, then NULL is returned.
+  *
+  **/
+gnutls_x509_crt_t 
+gnutls_certificate_find_issuer (gnutls_certificate_credentials_t cred,
+                                gnutls_x509_crt_t cert)
+{
+  unsigned n;
+  
+  for (n = 0; n < cred->x509_ncas; n++) 
+    {
+      if (gnutls_x509_crt_check_issuer (cert, cred->x509_ca_list[n]) == 1)
+        return cred->x509_ca_list[n];
+    }
+  
+  return NULL;
+}
+
+/**
   * gnutls_certificate_expiration_time_peers - This function returns the peer's certificate expiration time
   * @session: is a gnutls session
   *
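Review bot: the loop returns the first entry of x509_ca_list for which gnutls_x509_crt_check_issuer() returns 1, and that check only matches @cert's issuer DN (and key identifiers, where present) against the candidate's subject; it does not verify the signature, so when the trust list holds two certificates with the same subject (a re-keyed CA, for instance) the one returned may not be the certificate that actually signed @cert. Either verify the candidate with gnutls_x509_crt_verify() before returning it, or state in the comment that the result is a name match which the caller must still verify. The doc comment also needs fixing: it documents the parameter as `@sc` while the prototype names it `cred`, "an #gnutls_certificate_credentials_t structure" should be "a #gnutls_certificate_credentials_t structure", and "in the listed of trusted X.509 certificates" should read "in the list of trusted X.509 certificates". Several added lines (`gnutls_x509_crt_t `, the blank lines inside the body) carry trailing whitespace.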

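The chain reconstruction this function is meant to make easy for clients, as an added example that is not part of the patch, of GnuTLS or of neon: it is Python using the `cryptography` library, builds a root, an intermediate, a leaf and a decoy CA that reuses the root's subject name with a different key (all constructed in memory), and shows that `find_issuer()`, the same first-name-match lookup the patch performs over `x509_ca_list`, picks the decoy, while `build_chain()` tries every name match and keeps only the one whose signature verifies. The function names, the ECDSA-only signature check and the sample names are this example's own assumptions.

```python
"""Rebuild a server certificate chain from a single leaf certificate.

Added example, not GnuTLS or neon code: mirrors the patch's name-based
issuer lookup over a trust list and adds the signature check that a
name match alone does not give.  Needs the `cryptography` package.
All certificates are constructed in memory.
"""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def candidate_issuers(cert, trust_list):
    """Yield every trusted cert whose subject equals cert's issuer DN.

    Same test as the patch's loop: an issuer name match says nothing
    about which key actually signed `cert`.
    """
    for candidate in trust_list:
        if candidate.subject == cert.issuer:
            yield candidate


def find_issuer(cert, trust_list):
    """First name match or None: what gnutls_certificate_find_issuer returns."""
    return next(candidate_issuers(cert, trust_list), None)


def signed_by(cert, issuer):
    """True if issuer's key verifies cert's signature (ECDSA keys only here)."""
    try:
        issuer.public_key().verify(
            cert.signature,
            cert.tbs_certificate_bytes,
            ec.ECDSA(cert.signature_hash_algorithm),
        )
        return True
    except InvalidSignature:
        return False


def build_chain(leaf, trust_list):
    """Walk leaf -> ... -> self-signed root over verified links only.

    Returns [leaf, ..., root], or None if at some step no trusted
    candidate verifies the signature or an issuer cycle is found.
    """
    chain = [leaf]
    seen = {leaf.fingerprint(hashes.SHA256())}
    current = leaf
    while current.issuer != current.subject:
        issuer = next(
            (c for c in candidate_issuers(current, trust_list) if signed_by(current, c)),
            None,
        )
        if issuer is None:
            return None
        fp = issuer.fingerprint(hashes.SHA256())
        if fp in seen:  # issuer cycle: never a valid chain
            return None
        seen.add(fp)
        chain.append(issuer)
        current = issuer
    return chain


def _issue(common_name, issuer_cert, issuer_key, key, is_ca):
    """Issue a certificate for `key`; self-signed when issuer_cert is None."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    start = datetime.datetime(2024, 1, 1, tzinfo=datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(issuer_cert.subject if issuer_cert is not None else name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(start)
        .not_valid_after(start + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    return builder.sign(issuer_key, hashes.SHA256())


def make_demo():
    """Constructed test data: a root, a decoy with the root's subject name but
    a different key, an intermediate signed by the real root, and a leaf."""
    root_key = ec.generate_private_key(ec.SECP256R1())
    root = _issue("Example Root CA", None, root_key, root_key, True)
    decoy_key = ec.generate_private_key(ec.SECP256R1())
    decoy = _issue("Example Root CA", None, decoy_key, decoy_key, True)
    inter_key = ec.generate_private_key(ec.SECP256R1())
    inter = _issue("Example Intermediate CA", root, root_key, inter_key, True)
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    leaf = _issue("www.example.com", inter, inter_key, leaf_key, False)
    return root, decoy, inter, leaf


if __name__ == "__main__":
    root, decoy, inter, leaf = make_demo()
    trust = [decoy, inter, root]  # decoy listed first on purpose
    print("name-only lookup picks the decoy:", find_issuer(inter, trust) is decoy)
    chain = build_chain(leaf, trust)
    print("verified chain:", [c.subject.rfc4514_string() for c in chain])
```

`build_chain()` returning None is the case a client should treat as "cannot complete the chain" rather than sending whichever trusted certificate happened to match by name.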




More information about the Gnutls-devel mailing list