[gnutls-devel] [PATCH 7/9] Add functions to obtain X.509 keys and certificates from certificate credentials

[Armin Burgmeier]

Signed-off-by: Armin Burgmeier <armin at arbur.net>
---
 lib/gnutls_x509.c               | 96 +++++++++++++++++++++++++++++++++++++++++
 lib/includes/gnutls/gnutls.h.in |  8 ++++
 lib/libgnutls.map               |  2 +
 3 files changed, 106 insertions(+)

diff --git a/lib/gnutls_x509.c b/lib/gnutls_x509.c
index f57c6b9..5b9ab1a 100644
--- a/lib/gnutls_x509.c
+++ b/lib/gnutls_x509.c
@@ -1138,6 +1138,102 @@ gnutls_certificate_set_x509_key(gnutls_certificate_credentials_t res,
 }
 
 /**
+ * gnutls_certificate_get_x509_key:
+ * @res: is a #gnutls_certificate_credentials_t structure.
+ * @index: The index of the key to obtain.
+ * @key: Location to store the key.
+ *
+ * Obtains a X.509 private key that has been stored in @res with one of
+ * gnutls_certificate_set_x509_key(), gnutls_certificate_set_key(),
+ * gnutls_certificate_set_x509_key_file(),
+ * gnutls_certificate_set_x509_key_file2(),
+ * gnutls_certificate_set_x509_key_mem(), or
+ * gnutls_certificate_set_x509_key_mem2(). The returned key must be deallocated
+ * with gnutls_x509_privkey_deinit() when no longer needed.
+ *
+ * If there is no key with the given index,
+ * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned. If the key with the
+ * given index is not a X.509 key, %GNUTLS_E_INVALID_REQUEST is returned.
+ *
+ * Returns: %GNUTLS_E_SUCCESS (0) on success, or a negative error code.
+ *
+ * Since: 3.4.0
+ */
+int
+gnutls_certificate_get_x509_key(gnutls_certificate_credentials_t res,
+                                int index,
+                                gnutls_x509_privkey_t *key)
+{
+	if (index >= res->ncerts) {
+		gnutls_assert();
+		return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
+	}
+
+	return gnutls_privkey_export_x509(res->pkey[index], key);
+}
+
+/**
+ * gnutls_certificate_get_x509_crt:
+ * @res: is a #gnutls_certificate_credentials_t structure.
+ * @index: The index of the certificate list to obtain.
+ * @crt_list: Where to store the certificate list.
+ * @key: Will hold the number of certificates.
+ *
+ * Obtains a X.509 certificate list that has been stored in @res with one of
+ * gnutls_certificate_set_x509_key(), gnutls_certificate_set_key(),
+ * gnutls_certificate_set_x509_key_file(),
+ * gnutls_certificate_set_x509_key_file2(),
+ * gnutls_certificate_set_x509_key_mem(), or
+ * gnutls_certificate_set_x509_key_mem2(). Each certificate in the returned
+ * certificate list must be deallocated with gnutls_x509_crt_deinit(), and the
+ * list itself must be freed with gnutls_free().
+ *
+ * If there is no certificate with the given index,
+ * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned. If the certificate
+ * with the given index is not a X.509 certificate, %GNUTLS_E_INVALID_REQUEST
+ * is returned.
+ *
+ * Returns: %GNUTLS_E_SUCCESS (0) on success, or a negative error code.
+ *
+ * Since: 3.4.0
+ */
+int
+gnutls_certificate_get_x509_crt(gnutls_certificate_credentials_t res,
+                                int index,
+                                gnutls_x509_crt_t **crt_list,
+                                int *crt_list_size)
+{
+	int ret, i;
+
+	if (index >= res->ncerts) {
+		gnutls_assert();
+		return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
+	}
+
+	*crt_list_size = res->certs[index].cert_list_length;
+	*crt_list = gnutls_malloc(
+		res->certs[index].cert_list_length * sizeof (gnutls_x509_crt_t));
+	if (*crt_list == NULL) {
+		gnutls_assert();
+		return GNUTLS_E_MEMORY_ERROR;
+	}
+
+	for (i = 0; i < res->certs[index].cert_list_length; ++i) {
+		ret = gnutls_pcert_export_x509(&res->certs[index].cert_list[i], crt_list[i]);
+		if (ret < 0) {
+			while (i--)
+				gnutls_x509_crt_deinit(*crt_list[i]);
+			gnutls_free(*crt_list);
+			*crt_list = NULL;
+
+			return gnutls_assert_val(ret);
+		}
+	}
+
+	return 0;
+}
+
+/**
  * gnutls_certificate_set_key:
  * @res: is a #gnutls_certificate_credentials_t structure.
  * @names: is an array of DNS name of the certificate (NULL if none)
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index 17ff8fc..b06381a 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -1429,6 +1429,14 @@ int gnutls_certificate_set_x509_crl(gnutls_certificate_credentials_t res,
 				    gnutls_x509_crl_t * crl_list,
 				    int crl_list_size);
 
+int gnutls_certificate_get_x509_key(gnutls_certificate_credentials_t res,
+                                    int index,
+                                    gnutls_x509_privkey_t *key);
+int gnutls_certificate_get_x509_crt(gnutls_certificate_credentials_t res,
+                                    int index,
+                                    gnutls_x509_crt_t **crt_list,
+                                    int *crt_list_size);
+
   /* OCSP status request extension, RFC 6066 */
 typedef int (*gnutls_status_request_ocsp_func)
  (gnutls_session_t session, void *ptr, gnutls_datum_t * ocsp_response);
diff --git a/lib/libgnutls.map b/lib/libgnutls.map
index b64ff13..0e21496 100644
--- a/lib/libgnutls.map
+++ b/lib/libgnutls.map
@@ -1013,6 +1013,8 @@ GNUTLS_3_1_0 {
 	gnutls_openpgp_crt_check_hostname2;
 	gnutls_certificate_verify_peers;
 	gnutls_certificate_get_verify_flags;
+	gnutls_certificate_get_x509_key;
+	gnutls_certificate_get_x509_crt;
 	gnutls_credentials_get;
 	gnutls_x509_crl_iter_crt_serial;
 	gnutls_x509_crl_iter_deinit;
-- 
2.1.0