@subheading gnutls_pkcs12_bag_decrypt
@anchor{gnutls_pkcs12_bag_decrypt}
@deftypefun {int} {gnutls_pkcs12_bag_decrypt} (gnutls_pkcs12_bag_t @var{bag}, const char * @var{pass})
@var{bag}: The bag

@var{pass}: The password used for encryption. This can only be ASCII.

This function will decrypt the given encrypted bag and return 0 on success.
@end deftypefun

@subheading gnutls_pkcs12_bag_deinit
@anchor{gnutls_pkcs12_bag_deinit}
@deftypefun {void} {gnutls_pkcs12_bag_deinit} (gnutls_pkcs12_bag_t @var{bag})
@var{bag}: The structure to be initialized

This function will deinitialize a PKCS12 Bag structure. 
@end deftypefun

@subheading gnutls_pkcs12_bag_encrypt
@anchor{gnutls_pkcs12_bag_encrypt}
@deftypefun {int} {gnutls_pkcs12_bag_encrypt} (gnutls_pkcs12_bag_t @var{bag}, const char * @var{pass}, unsigned int @var{flags})
@var{bag}: The bag

@var{pass}: The password used for encryption. This can only be ASCII.

@var{flags}: should be one of gnutls_pkcs_encrypt_flags_t elements bitwise or'd

This function will encrypt the given bag and return 0 on success.
@end deftypefun

@subheading gnutls_pkcs12_bag_get_count
@anchor{gnutls_pkcs12_bag_get_count}
@deftypefun {int} {gnutls_pkcs12_bag_get_count} (gnutls_pkcs12_bag_t @var{bag})
@var{bag}: The bag

This function will return the number of the elements withing the bag. 
@end deftypefun

@subheading gnutls_pkcs12_bag_get_data
@anchor{gnutls_pkcs12_bag_get_data}
@deftypefun {int} {gnutls_pkcs12_bag_get_data} (gnutls_pkcs12_bag_t @var{bag}, int @var{indx}, gnutls_datum_t * @var{data})
@var{bag}: The bag

@var{indx}: The element of the bag to get the data from

@var{data}: where the bag's data will be. Should be treated as constant.

This function will return the bag's data. The data is a constant
that is stored into the bag. Should not be accessed after the bag
is deleted.

Returns 0 on success and a negative error code on error.
@end deftypefun

@subheading gnutls_pkcs12_bag_get_friendly_name
@anchor{gnutls_pkcs12_bag_get_friendly_name}
@deftypefun {int} {gnutls_pkcs12_bag_get_friendly_name} (gnutls_pkcs12_bag_t @var{bag}, int @var{indx}, char ** @var{name})
@var{bag}: The bag

@var{indx}: The bag's element to add the id

@var{name}: will hold a pointer to the name (to be treated as const)

This function will return the friendly name, of the specified bag element.
The key ID is usually used to distinguish the local private key and the certificate pair.

Returns 0 on success, or a negative value on error.
@end deftypefun

@subheading gnutls_pkcs12_bag_get_key_id
@anchor{gnutls_pkcs12_bag_get_key_id}
@deftypefun {int} {gnutls_pkcs12_bag_get_key_id} (gnutls_pkcs12_bag_t @var{bag}, int @var{indx}, gnutls_datum_t * @var{id})
@var{bag}: The bag

@var{indx}: The bag's element to add the id

@var{id}: where the ID will be copied (to be treated as const)

This function will return the key ID, of the specified bag element.
The key ID is usually used to distinguish the local private key and the certificate pair.

Returns 0 on success, or a negative value on error.
@end deftypefun

@subheading gnutls_pkcs12_bag_get_type
@anchor{gnutls_pkcs12_bag_get_type}
@deftypefun {gnutls_pkcs12_bag_type_t} {gnutls_pkcs12_bag_get_type} (gnutls_pkcs12_bag_t @var{bag}, int @var{indx})
@var{bag}: The bag

@var{indx}: The element of the bag to get the type

This function will return the bag's type. One of the gnutls_pkcs12_bag_type_t
enumerations.
@end deftypefun

@subheading gnutls_pkcs12_bag_init
@anchor{gnutls_pkcs12_bag_init}
@deftypefun {int} {gnutls_pkcs12_bag_init} (gnutls_pkcs12_bag_t * @var{bag})
@var{bag}: The structure to be initialized

This function will initialize a PKCS12 bag structure. PKCS12 Bags
usually contain private keys, lists of X.509 Certificates and X.509 Certificate
revocation lists.

Returns 0 on success.
@end deftypefun

@subheading gnutls_pkcs12_bag_set_crl
@anchor{gnutls_pkcs12_bag_set_crl}
@deftypefun {int} {gnutls_pkcs12_bag_set_crl} (gnutls_pkcs12_bag_t @var{bag}, gnutls_x509_crl_t @var{crl})
@var{bag}: The bag

@var{crl}: the CRL to be copied.

This function will insert the given CRL into the
bag. This is just a wrapper over @code{gnutls_pkcs12_bag_set_data()}.

Returns the index of the added bag on success, or a negative
value on failure.
@end deftypefun

@subheading gnutls_pkcs12_bag_set_crt
@anchor{gnutls_pkcs12_bag_set_crt}
@deftypefun {int} {gnutls_pkcs12_bag_set_crt} (gnutls_pkcs12_bag_t @var{bag}, gnutls_x509_crt_t @var{crt})
@var{bag}: The bag

@var{crt}: the certificate to be copied.

This function will insert the given certificate into the
bag. This is just a wrapper over @code{gnutls_pkcs12_bag_set_data()}.

Returns the index of the added bag on success, or a negative
value on failure.
@end deftypefun

@subheading gnutls_pkcs12_bag_set_data
@anchor{gnutls_pkcs12_bag_set_data}
@deftypefun {int} {gnutls_pkcs12_bag_set_data} (gnutls_pkcs12_bag_t @var{bag}, gnutls_pkcs12_bag_type_t @var{type}, const gnutls_datum_t * @var{data})
@var{bag}: The bag

@var{type}: The data's type

@var{data}: the data to be copied.

This function will insert the given data of the given type into the
bag. 

Returns the index of the added bag on success, or a negative
value on error.
@end deftypefun

@subheading gnutls_pkcs12_bag_set_friendly_name
@anchor{gnutls_pkcs12_bag_set_friendly_name}
@deftypefun {int} {gnutls_pkcs12_bag_set_friendly_name} (gnutls_pkcs12_bag_t @var{bag}, int @var{indx}, const char * @var{name})
@var{bag}: The bag

@var{indx}: The bag's element to add the id

@var{name}: the name

This function will add the given key friendly name, to the specified, by the index, bag
element. The name will be encoded as a 'Friendly name' bag attribute,
which is usually used to set a user name to the local private key and the certificate pair.

Returns 0 on success, or a negative value on error.
@end deftypefun

@subheading gnutls_pkcs12_bag_set_key_id
@anchor{gnutls_pkcs12_bag_set_key_id}
@deftypefun {int} {gnutls_pkcs12_bag_set_key_id} (gnutls_pkcs12_bag_t @var{bag}, int @var{indx}, const gnutls_datum_t * @var{id})
@var{bag}: The bag

@var{indx}: The bag's element to add the id

@var{id}: the ID

This function will add the given key ID, to the specified, by the index, bag
element. The key ID will be encoded as a 'Local key identifier' bag attribute,
which is usually used to distinguish the local private key and the certificate pair.

Returns 0 on success, or a negative value on error.
@end deftypefun

@subheading gnutls_pkcs12_deinit
@anchor{gnutls_pkcs12_deinit}
@deftypefun {void} {gnutls_pkcs12_deinit} (gnutls_pkcs12_t @var{pkcs12})
@var{pkcs12}: The structure to be initialized

This function will deinitialize a PKCS12 structure. 
@end deftypefun

@subheading gnutls_pkcs12_export
@anchor{gnutls_pkcs12_export}
@deftypefun {int} {gnutls_pkcs12_export} (gnutls_pkcs12_t @var{pkcs12}, gnutls_x509_crt_fmt_t @var{format}, void * @var{output_data}, size_t * @var{output_data_size})
@var{pkcs12}: Holds the pkcs12 structure

@var{format}: the format of output params. One of PEM or DER.

@var{output_data}: will contain a structure PEM or DER encoded

@var{output_data_size}: holds the size of output_data (and will be
replaced by the actual size of parameters)

This function will export the pkcs12 structure to DER or PEM format.

If the buffer provided is not long enough to hold the output, then
*output_data_size will be updated and GNUTLS_E_SHORT_MEMORY_BUFFER
will be returned.

If the structure is PEM encoded, it will have a header
of "BEGIN PKCS12".

@strong{Return value:} In case of failure a negative value will be
returned, and 0 on success.
@end deftypefun

@subheading gnutls_pkcs12_generate_mac
@anchor{gnutls_pkcs12_generate_mac}
@deftypefun {int} {gnutls_pkcs12_generate_mac} (gnutls_pkcs12_t @var{pkcs12}, const char * @var{pass})
@var{pkcs12}: should contain a gnutls_pkcs12_t structure

@var{pass}: The password for the MAC

This function will generate a MAC for the PKCS12 structure.
Returns 0 on success.
@end deftypefun

@subheading gnutls_pkcs12_get_bag
@anchor{gnutls_pkcs12_get_bag}
@deftypefun {int} {gnutls_pkcs12_get_bag} (gnutls_pkcs12_t @var{pkcs12}, int @var{indx}, gnutls_pkcs12_bag_t @var{bag})
@var{pkcs12}: should contain a gnutls_pkcs12_t structure

@var{indx}: contains the index of the bag to extract

@var{bag}: An initialized bag, where the contents of the bag will be copied

This function will return a Bag from the PKCS12 structure.
Returns 0 on success.

After the last Bag has been read GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
will be returned.
@end deftypefun

@subheading gnutls_pkcs12_import
@anchor{gnutls_pkcs12_import}
@deftypefun {int} {gnutls_pkcs12_import} (gnutls_pkcs12_t @var{pkcs12}, const gnutls_datum_t * @var{data}, gnutls_x509_crt_fmt_t @var{format}, unsigned int @var{flags})
@var{pkcs12}: The structure to store the parsed PKCS12.

@var{data}: The DER or PEM encoded PKCS12.

@var{format}: One of DER or PEM

@var{flags}: an ORed sequence of gnutls_privkey_pkcs8_flags

This function will convert the given DER or PEM encoded PKCS12
to the native gnutls_pkcs12_t format. The output will be stored in 'pkcs12'.

If the PKCS12 is PEM encoded it should have a header of "PKCS12".

Returns 0 on success.
@end deftypefun

@subheading gnutls_pkcs12_init
@anchor{gnutls_pkcs12_init}
@deftypefun {int} {gnutls_pkcs12_init} (gnutls_pkcs12_t * @var{pkcs12})
@var{pkcs12}: The structure to be initialized

This function will initialize a PKCS12 structure. PKCS12 structures
usually contain lists of X.509 Certificates and X.509 Certificate
revocation lists.

Returns 0 on success.
@end deftypefun

@subheading gnutls_pkcs12_set_bag
@anchor{gnutls_pkcs12_set_bag}
@deftypefun {int} {gnutls_pkcs12_set_bag} (gnutls_pkcs12_t @var{pkcs12}, gnutls_pkcs12_bag_t @var{bag})
@var{pkcs12}: should contain a gnutls_pkcs12_t structure

@var{bag}: An initialized bag

This function will insert a Bag into the PKCS12 structure.
Returns 0 on success.
@end deftypefun

@subheading gnutls_pkcs12_verify_mac
@anchor{gnutls_pkcs12_verify_mac}
@deftypefun {int} {gnutls_pkcs12_verify_mac} (gnutls_pkcs12_t @var{pkcs12}, const char * @var{pass})
@var{pkcs12}: should contain a gnutls_pkcs12_t structure

@var{pass}: The password for the MAC

This function will verify the MAC for the PKCS12 structure.
Returns 0 on success.
@end deftypefun

@subheading gnutls_pkcs7_deinit
@anchor{gnutls_pkcs7_deinit}
@deftypefun {void} {gnutls_pkcs7_deinit} (gnutls_pkcs7_t @var{pkcs7})
@var{pkcs7}: The structure to be initialized

This function will deinitialize a PKCS7 structure. 
@end deftypefun

@subheading gnutls_pkcs7_delete_crl
@anchor{gnutls_pkcs7_delete_crl}
@deftypefun {int} {gnutls_pkcs7_delete_crl} (gnutls_pkcs7_t @var{pkcs7}, int @var{indx})
@var{indx}: the index of the crl to delete

This function will delete a crl from a PKCS7 or RFC2630 crl set.
Index starts from 0. Returns 0 on success.
@end deftypefun

@subheading gnutls_pkcs7_delete_crt
@anchor{gnutls_pkcs7_delete_crt}
@deftypefun {int} {gnutls_pkcs7_delete_crt} (gnutls_pkcs7_t @var{pkcs7}, int @var{indx})
@var{indx}: the index of the certificate to delete

This function will delete a certificate from a PKCS7 or RFC2630 certificate set.
Index starts from 0. Returns 0 on success.
@end deftypefun

@subheading gnutls_pkcs7_export
@anchor{gnutls_pkcs7_export}
@deftypefun {int} {gnutls_pkcs7_export} (gnutls_pkcs7_t @var{pkcs7}, gnutls_x509_crt_fmt_t @var{format}, void * @var{output_data}, size_t * @var{output_data_size})
@var{pkcs7}: Holds the pkcs7 structure

@var{format}: the format of output params. One of PEM or DER.

@var{output_data}: will contain a structure PEM or DER encoded

@var{output_data_size}: holds the size of output_data (and will be
replaced by the actual size of parameters)

This function will export the pkcs7 structure to DER or PEM format.

If the buffer provided is not long enough to hold the output, then
*output_data_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will
be returned.

If the structure is PEM encoded, it will have a header
of "BEGIN PKCS7".

@strong{Return value:} In case of failure a negative value will be
returned, and 0 on success.
@end deftypefun

@subheading gnutls_pkcs7_get_crl_count
@anchor{gnutls_pkcs7_get_crl_count}
@deftypefun {int} {gnutls_pkcs7_get_crl_count} (gnutls_pkcs7_t @var{pkcs7})
This function will return the number of certifcates in the PKCS7 or 
RFC2630 crl set.

Returns a negative value on failure.
@end deftypefun

@subheading gnutls_pkcs7_get_crl_raw
@anchor{gnutls_pkcs7_get_crl_raw}
@deftypefun {int} {gnutls_pkcs7_get_crl_raw} (gnutls_pkcs7_t @var{pkcs7}, int @var{indx}, void * @var{crl}, size_t * @var{crl_size})
@var{indx}: contains the index of the crl to extract

@var{crl}: the contents of the crl will be copied there (may be null)

@var{crl_size}: should hold the size of the crl

This function will return a crl of the PKCS7 or RFC2630 crl set.
Returns 0 on success. If the provided buffer is not long enough,
then @code{crl_size} is updated and GNUTLS_E_SHORT_MEMORY_BUFFER is returned.

After the last crl has been read GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
will be returned.
@end deftypefun

@subheading gnutls_pkcs7_get_crt_count
@anchor{gnutls_pkcs7_get_crt_count}
@deftypefun {int} {gnutls_pkcs7_get_crt_count} (gnutls_pkcs7_t @var{pkcs7})
This function will return the number of certifcates in the PKCS7 or 
RFC2630 certificate set.

Returns a negative value on failure.
@end deftypefun

@subheading gnutls_pkcs7_get_crt_raw
@anchor{gnutls_pkcs7_get_crt_raw}
@deftypefun {int} {gnutls_pkcs7_get_crt_raw} (gnutls_pkcs7_t @var{pkcs7}, int @var{indx}, void * @var{certificate}, size_t * @var{certificate_size})
@var{indx}: contains the index of the certificate to extract

@var{certificate}: the contents of the certificate will be copied there (may be null)

@var{certificate_size}: should hold the size of the certificate

This function will return a certificate of the PKCS7 or RFC2630 certificate set.
Returns 0 on success. If the provided buffer is not long enough,
then @code{certificate_size} is updated and GNUTLS_E_SHORT_MEMORY_BUFFER is returned.

After the last certificate has been read GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
will be returned.
@end deftypefun

@subheading gnutls_pkcs7_import
@anchor{gnutls_pkcs7_import}
@deftypefun {int} {gnutls_pkcs7_import} (gnutls_pkcs7_t @var{pkcs7}, const gnutls_datum_t * @var{data}, gnutls_x509_crt_fmt_t @var{format})
@var{pkcs7}: The structure to store the parsed PKCS7.

@var{data}: The DER or PEM encoded PKCS7.

@var{format}: One of DER or PEM

This function will convert the given DER or PEM encoded PKCS7
to the native gnutls_pkcs7_t format. The output will be stored in 'pkcs7'.

If the PKCS7 is PEM encoded it should have a header of "PKCS7".

Returns 0 on success.
@end deftypefun

@subheading gnutls_pkcs7_init
@anchor{gnutls_pkcs7_init}
@deftypefun {int} {gnutls_pkcs7_init} (gnutls_pkcs7_t * @var{pkcs7})
@var{pkcs7}: The structure to be initialized

This function will initialize a PKCS7 structure. PKCS7 structures
usually contain lists of X.509 Certificates and X.509 Certificate
revocation lists.

Returns 0 on success.
@end deftypefun

@subheading gnutls_pkcs7_set_crl_raw
@anchor{gnutls_pkcs7_set_crl_raw}
@deftypefun {int} {gnutls_pkcs7_set_crl_raw} (gnutls_pkcs7_t @var{pkcs7}, const gnutls_datum_t * @var{crl})
@var{crl}: the DER encoded crl to be added

This function will add a crl to the PKCS7 or RFC2630 crl set.
Returns 0 on success.
@end deftypefun

@subheading gnutls_pkcs7_set_crl
@anchor{gnutls_pkcs7_set_crl}
@deftypefun {int} {gnutls_pkcs7_set_crl} (gnutls_pkcs7_t @var{pkcs7}, gnutls_x509_crl_t @var{crl})
@var{crl}: the DER encoded crl to be added

This function will add a parsed crl to the PKCS7 or RFC2630 crl set.
Returns 0 on success.
@end deftypefun

@subheading gnutls_pkcs7_set_crt_raw
@anchor{gnutls_pkcs7_set_crt_raw}
@deftypefun {int} {gnutls_pkcs7_set_crt_raw} (gnutls_pkcs7_t @var{pkcs7}, const gnutls_datum_t * @var{crt})
@var{crt}: the DER encoded certificate to be added

This function will add a certificate to the PKCS7 or RFC2630 certificate set.
Returns 0 on success.
@end deftypefun

@subheading gnutls_pkcs7_set_crt
@anchor{gnutls_pkcs7_set_crt}
@deftypefun {int} {gnutls_pkcs7_set_crt} (gnutls_pkcs7_t @var{pkcs7}, gnutls_x509_crt_t @var{crt})
@var{crt}: the certificate to be copied.

This function will add a parsed certificate to the PKCS7 or RFC2630 certificate set.
This is a wrapper function over @code{gnutls_pkcs7_set_crt_raw()} .

Returns 0 on success.
@end deftypefun

@subheading gnutls_x509_crl_check_issuer
@anchor{gnutls_x509_crl_check_issuer}
@deftypefun {int} {gnutls_x509_crl_check_issuer} (gnutls_x509_crl_t @var{cert}, gnutls_x509_crt_t @var{issuer})
@var{issuer}: is the certificate of a possible issuer

This function will check if the given CRL was issued by the
given issuer certificate. It will return true (1) if the given CRL was issued
by the given issuer, and false (0) if not.

A negative value is returned in case of an error.
@end deftypefun

@subheading gnutls_x509_crl_deinit
@anchor{gnutls_x509_crl_deinit}
@deftypefun {void} {gnutls_x509_crl_deinit} (gnutls_x509_crl_t @var{crl})
@var{crl}: The structure to be initialized

This function will deinitialize a CRL structure. 
@end deftypefun

@subheading gnutls_x509_crl_export
@anchor{gnutls_x509_crl_export}
@deftypefun {int} {gnutls_x509_crl_export} (gnutls_x509_crl_t @var{crl}, gnutls_x509_crt_fmt_t @var{format}, void * @var{output_data}, size_t * @var{output_data_size})
@var{crl}: Holds the revocation list

@var{format}: the format of output params. One of PEM or DER.

@var{output_data}: will contain a private key PEM or DER encoded

@var{output_data_size}: holds the size of output_data (and will be replaced by the actual size of parameters)

This function will export the revocation list to DER or PEM format.

If the buffer provided is not long enough to hold the output, then
GNUTLS_E_SHORT_MEMORY_BUFFER will be returned.

If the structure is PEM encoded, it will have a header
of "BEGIN X509 CRL".

Returns 0 on success, and a negative value on failure.
@end deftypefun

@subheading gnutls_x509_crl_get_crt_count
@anchor{gnutls_x509_crl_get_crt_count}
@deftypefun {int} {gnutls_x509_crl_get_crt_count} (gnutls_x509_crl_t @var{crl})
@var{crl}: should contain a gnutls_x509_crl_t structure

This function will return the number of revoked certificates in the
given CRL.

Returns a negative value on failure.
@end deftypefun

@subheading gnutls_x509_crl_get_crt_serial
@anchor{gnutls_x509_crl_get_crt_serial}
@deftypefun {int} {gnutls_x509_crl_get_crt_serial} (gnutls_x509_crl_t @var{crl}, int @var{indx}, unsigned char * @var{serial}, size_t * @var{serial_size}, time_t * @var{t})
@var{crl}: should contain a gnutls_x509_crl_t structure

@var{indx}: the index of the certificate to extract (starting from 0)

@var{serial}: where the serial number will be copied

@var{serial_size}: initially holds the size of serial

@var{t}: if non null, will hold the time this certificate was revoked

This function will return the serial number of the specified, by
the index, revoked certificate.

Returns a negative value on failure.
@end deftypefun

@subheading gnutls_x509_crl_get_dn_oid
@anchor{gnutls_x509_crl_get_dn_oid}
@deftypefun {int} {gnutls_x509_crl_get_dn_oid} (gnutls_x509_crl_t @var{crl}, int @var{indx}, void * @var{oid}, size_t * @var{sizeof_oid})
@var{crl}: should contain a gnutls_x509_crl_t structure

@var{indx}: Specifies which DN OID to send. Use zero to get the first one.

@var{oid}: a pointer to a structure to hold the name (may be null)

@var{sizeof_oid}: initially holds the size of 'oid'

This function will extract the requested OID of the name of the CRL issuer, specified
by the given index. 

If oid is null then only the size will be filled.

Returns GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not long enough, and
in that case the sizeof_oid will be updated with the required size.
On success 0 is returned.
@end deftypefun

@subheading gnutls_x509_crl_get_issuer_dn_by_oid
@anchor{gnutls_x509_crl_get_issuer_dn_by_oid}
@deftypefun {int} {gnutls_x509_crl_get_issuer_dn_by_oid} (gnutls_x509_crl_t @var{crl}, const char * @var{oid}, int @var{indx}, unsigned int @var{raw_flag}, void * @var{buf}, size_t * @var{sizeof_buf})
@var{crl}: should contain a gnutls_x509_crl_t structure

@var{oid}: holds an Object Identified in null terminated string

@var{indx}: In case multiple same OIDs exist in the RDN, this specifies which to send. Use zero to get the first one.

@var{raw_flag}: If non zero returns the raw DER data of the DN part.

@var{buf}: a pointer to a structure to hold the peer's name (may be null)

@var{sizeof_buf}: initially holds the size of @code{buf}

This function will extract the part of the name of the CRL issuer specified
by the given OID. The output will be encoded as described in RFC2253. The output
string will be ASCII or UTF-8 encoded, depending on the certificate data.

Some helper macros with popular OIDs can be found in gnutls/x509.h
If raw flag is zero, this function will only return known OIDs as text. Other OIDs 
will be DER encoded, as described in RFC2253 -- in hex format with a '\#' prefix.
You can check about known OIDs using @code{gnutls_x509_dn_oid_known()}.

If buf is null then only the size will be filled.

Returns GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not long enough, and
in that case the sizeof_buf will be updated with the required size,
and 0 on success.
@end deftypefun

@subheading gnutls_x509_crl_get_issuer_dn
@anchor{gnutls_x509_crl_get_issuer_dn}
@deftypefun {int} {gnutls_x509_crl_get_issuer_dn} (gnutls_x509_crl_t @var{crl}, char * @var{buf}, size_t * @var{sizeof_buf})
@var{crl}: should contain a gnutls_x509_crl_t structure

@var{buf}: a pointer to a structure to hold the peer's name (may be null)

@var{sizeof_buf}: initially holds the size of @code{buf}

This function will copy the name of the CRL issuer in the provided buffer. The name 
will be in the form "C=xxxx,O=yyyy,CN=zzzz" as described in RFC2253. The output
string will be ASCII or UTF-8 encoded, depending on the certificate data.

If buf is null then only the size will be filled.

Returns GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not long enough, and
in that case the sizeof_buf will be updated with the required size, and
0 on success.
@end deftypefun

@subheading gnutls_x509_crl_get_next_update
@anchor{gnutls_x509_crl_get_next_update}
@deftypefun {time_t} {gnutls_x509_crl_get_next_update} (gnutls_x509_crl_t @var{crl})
@var{crl}: should contain a gnutls_x509_crl_t structure

This function will return the time the next CRL will be issued.
This field is optional in a CRL so it might be normal to get
an error instead.

Returns (time_t)-1 on error.
@end deftypefun

@subheading gnutls_x509_crl_get_signature_algorithm
@anchor{gnutls_x509_crl_get_signature_algorithm}
@deftypefun {int} {gnutls_x509_crl_get_signature_algorithm} (gnutls_x509_crl_t @var{crl})
@var{crl}: should contain a gnutls_x509_crl_t structure

This function will return a value of the gnutls_sign_algorithm_t enumeration that 
is the signature algorithm. 

Returns a negative value on error.
@end deftypefun

@subheading gnutls_x509_crl_get_this_update
@anchor{gnutls_x509_crl_get_this_update}
@deftypefun {time_t} {gnutls_x509_crl_get_this_update} (gnutls_x509_crl_t @var{crl})
@var{crl}: should contain a gnutls_x509_crl_t structure

This function will return the time this CRL was issued.

Returns (time_t)-1 on error.
@end deftypefun

@subheading gnutls_x509_crl_get_version
@anchor{gnutls_x509_crl_get_version}
@deftypefun {int} {gnutls_x509_crl_get_version} (gnutls_x509_crl_t @var{crl})
@var{crl}: should contain a gnutls_x509_crl_t structure

This function will return the version of the specified CRL.

Returns a negative value on error.
@end deftypefun

@subheading gnutls_x509_crl_import
@anchor{gnutls_x509_crl_import}
@deftypefun {int} {gnutls_x509_crl_import} (gnutls_x509_crl_t @var{crl}, const gnutls_datum_t * @var{data}, gnutls_x509_crt_fmt_t @var{format})
@var{crl}: The structure to store the parsed CRL.

@var{data}: The DER or PEM encoded CRL.

@var{format}: One of DER or PEM

This function will convert the given DER or PEM encoded CRL
to the native gnutls_x509_crl_t format. The output will be stored in 'crl'.

If the CRL is PEM encoded it should have a header of "X509 CRL".

Returns 0 on success.
@end deftypefun
@subheading gnutls_x509_crl_init
@anchor{gnutls_x509_crl_init}
@deftypefun {int} {gnutls_x509_crl_init} (gnutls_x509_crl_t * @var{crl})
@var{crl}: The structure to be initialized

This function will initialize a CRL structure. CRL stands for
Certificate Revocation List. A revocation list usually contains
lists of certificate serial numbers that have been revoked
by an Authority. The revocation lists are always signed with
the authority's private key.

Returns 0 on success.
@end deftypefun

@subheading gnutls_x509_crl_set_crt_serial
@anchor{gnutls_x509_crl_set_crt_serial}
@deftypefun {int} {gnutls_x509_crl_set_crt_serial} (gnutls_x509_crl_t @var{crl}, const void * @var{serial}, size_t @var{serial_size}, time_t @var{revocation_time})
@var{crl}: should contain a gnutls_x509_crl_t structure

@var{serial}: The revoked certificate's serial number

@var{serial_size}: Holds the size of the serial field.

@var{revocation_time}: The time this certificate was revoked

This function will set a revoked certificate's serial number to the CRL. 

Returns 0 on success, or a negative value in case of an error.
@end deftypefun

@subheading gnutls_x509_crl_set_crt
@anchor{gnutls_x509_crl_set_crt}
@deftypefun {int} {gnutls_x509_crl_set_crt} (gnutls_x509_crl_t @var{crl}, gnutls_x509_crt_t @var{crt}, time_t @var{revocation_time})
@var{crl}: should contain a gnutls_x509_crl_t structure

@var{crt}: should contain a gnutls_x509_crt_t structure with the revoked certificate

@var{revocation_time}: The time this certificate was revoked

This function will set a revoked certificate's serial number to the CRL. 

Returns 0 on success, or a negative value in case of an error.
@end deftypefun

@subheading gnutls_x509_crl_set_next_update
@anchor{gnutls_x509_crl_set_next_update}
@deftypefun {int} {gnutls_x509_crl_set_next_update} (gnutls_x509_crl_t @var{crl}, time_t @var{exp_time})
@var{crl}: should contain a gnutls_x509_crl_t structure

@var{exp_time}: The actual time

This function will set the time this CRL will be updated.

Returns 0 on success, or a negative value in case of an error.
@end deftypefun

@subheading gnutls_x509_crl_set_this_update
@anchor{gnutls_x509_crl_set_this_update}
@deftypefun {int} {gnutls_x509_crl_set_this_update} (gnutls_x509_crl_t @var{crl}, time_t @var{act_time})
@var{crl}: should contain a gnutls_x509_crl_t structure

@var{act_time}: The actual time

This function will set the time this CRL was issued.

Returns 0 on success, or a negative value in case of an error.
@end deftypefun

@subheading gnutls_x509_crl_set_version
@anchor{gnutls_x509_crl_set_version}
@deftypefun {int} {gnutls_x509_crl_set_version} (gnutls_x509_crl_t @var{crl}, unsigned int @var{version})
@var{crl}: should contain a gnutls_x509_crl_t structure

@var{version}: holds the version number. For CRLv1 crls must be 1.

This function will set the version of the CRL. This
must be one for CRL version 1, and so on. The CRLs generated
by gnutls should have a version number of 2.

Returns 0 on success.
@end deftypefun

@subheading gnutls_x509_crl_sign2
@anchor{gnutls_x509_crl_sign2}
@deftypefun {int} {gnutls_x509_crl_sign2} (gnutls_x509_crl_t @var{crl}, gnutls_x509_crt_t @var{issuer}, gnutls_x509_privkey_t @var{issuer_key}, gnutls_digest_algorithm_t @var{dig}, unsigned int @var{flags})
@var{crl}: should contain a gnutls_x509_crl_t structure

@var{issuer}: is the certificate of the certificate issuer

@var{issuer_key}: holds the issuer's private key

@var{dig}: The message digest to use. GNUTLS_DIG_SHA1 is the safe choice unless you know what you're doing.

@var{flags}: must be 0

This function will sign the CRL with the issuer's private key, and
will copy the issuer's information into the CRL.

This must be the last step in a certificate CRL since all
the previously set parameters are now signed.

Returns 0 on success.
@end deftypefun

@subheading gnutls_x509_crl_sign
@anchor{gnutls_x509_crl_sign}
@deftypefun {int} {gnutls_x509_crl_sign} (gnutls_x509_crl_t @var{crl}, gnutls_x509_crt_t @var{issuer}, gnutls_x509_privkey_t @var{issuer_key})
@var{crl}: should contain a gnutls_x509_crl_t structure

@var{issuer}: is the certificate of the certificate issuer

@var{issuer_key}: holds the issuer's private key

This function is the same a @code{gnutls_x509_crl_sign2()} with no flags, and
SHA1 as the hash algorithm.

Returns 0 on success.
@end deftypefun

@subheading gnutls_x509_crl_verify
@anchor{gnutls_x509_crl_verify}
@deftypefun {int} {gnutls_x509_crl_verify} (gnutls_x509_crl_t @var{crl}, const gnutls_x509_crt_t * @var{CA_list}, int @var{CA_list_length}, unsigned int @var{flags}, unsigned int * @var{verify})
@var{crl}: is the crl to be verified

@var{CA_list}: is a certificate list that is considered to be trusted one

@var{CA_list_length}: holds the number of CA certificates in CA_list

@var{flags}: Flags that may be used to change the verification algorithm. Use OR of the gnutls_certificate_verify_flags enumerations.

@var{verify}: will hold the crl verification output.

This function will try to verify the given crl and return its status.
See @code{gnutls_x509_crt_list_verify()} for a detailed description of
return values.

Returns 0 on success and a negative value in case of an error.
@end deftypefun

@subheading gnutls_x509_crq_deinit
@anchor{gnutls_x509_crq_deinit}
@deftypefun {void} {gnutls_x509_crq_deinit} (gnutls_x509_crq_t @var{crq})
@var{crq}: The structure to be initialized

This function will deinitialize a CRL structure. 
@end deftypefun

@subheading gnutls_x509_crq_export
@anchor{gnutls_x509_crq_export}
@deftypefun {int} {gnutls_x509_crq_export} (gnutls_x509_crq_t @var{crq}, gnutls_x509_crt_fmt_t @var{format}, void * @var{output_data}, size_t * @var{output_data_size})
@var{crq}: Holds the request

@var{format}: the format of output params. One of PEM or DER.

@var{output_data}: will contain a certificate request PEM or DER encoded

@var{output_data_size}: holds the size of output_data (and will be
replaced by the actual size of parameters)

This function will export the certificate request to a PKCS10

If the buffer provided is not long enough to hold the output, then
GNUTLS_E_SHORT_MEMORY_BUFFER will be returned and
*output_data_size will be updated.

If the structure is PEM encoded, it will have a header of "BEGIN
NEW CERTIFICATE REQUEST".

@strong{Return value:} In case of failure a negative value will be
returned, and 0 on success.
@end deftypefun

@subheading gnutls_x509_crq_get_attribute_by_oid
@anchor{gnutls_x509_crq_get_attribute_by_oid}
@deftypefun {int} {gnutls_x509_crq_get_attribute_by_oid} (gnutls_x509_crq_t @var{crq}, const char * @var{oid}, int @var{indx}, void * @var{buf}, size_t * @var{sizeof_buf})
@var{crq}: should contain a gnutls_x509_crq_t structure

@var{oid}: holds an Object Identified in null terminated string

@var{indx}: In case multiple same OIDs exist in the attribute list, this specifies
which to send. Use zero to get the first one.

@var{buf}: a pointer to a structure to hold the attribute data (may be null)

@var{sizeof_buf}: initially holds the size of @code{buf}

This function will return the attribute in the certificate request specified
by the given Object ID. The attribute will be DER encoded.

Returns 0 on success.
@end deftypefun

@subheading gnutls_x509_crq_get_challenge_password
@anchor{gnutls_x509_crq_get_challenge_password}
@deftypefun {int} {gnutls_x509_crq_get_challenge_password} (gnutls_x509_crq_t @var{crq}, char * @var{pass}, size_t * @var{sizeof_pass})
@var{crq}: should contain a gnutls_x509_crq_t structure

@var{pass}: will hold a null terminated password

@var{sizeof_pass}: Initially holds the size of @code{pass}.

This function will return the challenge password in the
request.

Returns 0 on success.
@end deftypefun

@subheading gnutls_x509_crq_get_dn_by_oid
@anchor{gnutls_x509_crq_get_dn_by_oid}
@deftypefun {int} {gnutls_x509_crq_get_dn_by_oid} (gnutls_x509_crq_t @var{crq}, const char * @var{oid}, int @var{indx}, unsigned int @var{raw_flag}, void * @var{buf}, size_t * @var{sizeof_buf})
@var{crq}: should contain a gnutls_x509_crq_t structure

@var{oid}: holds an Object Identified in null terminated string

@var{indx}: In case multiple same OIDs exist in the RDN, this specifies
which to send. Use zero to get the first one.

@var{raw_flag}: If non zero returns the raw DER data of the DN part.

@var{buf}: a pointer to a structure to hold the name (may be null)

@var{sizeof_buf}: initially holds the size of @code{buf}

This function will extract the part of the name of the Certificate
request subject, specified by the given OID. The output will be
encoded as described in RFC2253. The output string will be ASCII
or UTF-8 encoded, depending on the certificate data.

Some helper macros with popular OIDs can be found in gnutls/x509.h
If raw flag is zero, this function will only return known OIDs as
text. Other OIDs will be DER encoded, as described in RFC2253 --
in hex format with a '\#' prefix.  You can check about known OIDs
using @code{gnutls_x509_dn_oid_known()}.

If @code{buf} is null then only the size will be filled.

Returns GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not
long enough, and in that case the *sizeof_buf will be updated with
the required size.  On success 0 is returned.
@end deftypefun

@subheading gnutls_x509_crq_get_dn_oid
@anchor{gnutls_x509_crq_get_dn_oid}
@deftypefun {int} {gnutls_x509_crq_get_dn_oid} (gnutls_x509_crq_t @var{crq}, int @var{indx}, void * @var{oid}, size_t * @var{sizeof_oid})
@var{crq}: should contain a gnutls_x509_crq_t structure

@var{indx}: Specifies which DN OID to send. Use zero to get the first one.

@var{oid}: a pointer to a structure to hold the name (may be null)

@var{sizeof_oid}: initially holds the size of @code{oid}

This function will extract the requested OID of the name of the
Certificate request subject, specified by the given index.

If oid is null then only the size will be filled.

Returns GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not
long enough, and in that case the *sizeof_oid will be updated with
the required size.  On success 0 is returned.
@end deftypefun

@subheading gnutls_x509_crq_get_dn
@anchor{gnutls_x509_crq_get_dn}
@deftypefun {int} {gnutls_x509_crq_get_dn} (gnutls_x509_crq_t @var{crq}, char * @var{buf}, size_t * @var{sizeof_buf})
@var{crq}: should contain a gnutls_x509_crq_t structure

@var{buf}: a pointer to a structure to hold the name (may be null)

@var{sizeof_buf}: initially holds the size of @code{buf}

This function will copy the name of the Certificate request
subject in the provided buffer. The name will be in the form
"C=xxxx,O=yyyy,CN=zzzz" as described in RFC2253. The output string
will be ASCII or UTF-8 encoded, depending on the certificate data.

If @code{buf} is null then only the size will be filled.

Returns GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not
long enough, and in that case the *sizeof_buf will be updated with
the required size.  On success 0 is returned.
@end deftypefun

@subheading gnutls_x509_crq_get_pk_algorithm
@anchor{gnutls_x509_crq_get_pk_algorithm}
@deftypefun {int} {gnutls_x509_crq_get_pk_algorithm} (gnutls_x509_crq_t @var{crq}, unsigned int * @var{bits})
@var{crq}: should contain a gnutls_x509_crq_t structure

@var{bits}: if bits is non null it will hold the size of the parameters' in bits

This function will return the public key algorithm of a PKCS \@code{10} 
certificate request.

If bits is non null, it should have enough size to hold the parameters
size in bits. For RSA the bits returned is the modulus. 
For DSA the bits returned are of the public
exponent.

Returns a member of the gnutls_pk_algorithm_t enumeration on success,
or a negative value on error.
@end deftypefun

@subheading gnutls_x509_crq_get_version
@anchor{gnutls_x509_crq_get_version}
@deftypefun {int} {gnutls_x509_crq_get_version} (gnutls_x509_crq_t @var{crq})
@var{crq}: should contain a gnutls_x509_crq_t structure

This function will return the version of the specified Certificate request.

Returns a negative value on error.
@end deftypefun

@subheading gnutls_x509_crq_import
@anchor{gnutls_x509_crq_import}
@deftypefun {int} {gnutls_x509_crq_import} (gnutls_x509_crq_t @var{crq}, const gnutls_datum_t * @var{data}, gnutls_x509_crt_fmt_t @var{format})
@var{crq}: The structure to store the parsed certificate request.

@var{data}: The DER or PEM encoded certificate.

@var{format}: One of DER or PEM

This function will convert the given DER or PEM encoded Certificate
to the native gnutls_x509_crq_t format. The output will be stored in @code{cert}.

If the Certificate is PEM encoded it should have a header of "NEW CERTIFICATE REQUEST".

Returns 0 on success.
@end deftypefun

@subheading gnutls_x509_crq_init
@anchor{gnutls_x509_crq_init}
@deftypefun {int} {gnutls_x509_crq_init} (gnutls_x509_crq_t * @var{crq})
@var{crq}: The structure to be initialized

This function will initialize a PKCS10 certificate request structure. 

Returns 0 on success.
@end deftypefun

@subheading gnutls_x509_crq_set_attribute_by_oid
@anchor{gnutls_x509_crq_set_attribute_by_oid}
@deftypefun {int} {gnutls_x509_crq_set_attribute_by_oid} (gnutls_x509_crq_t @var{crq}, const char * @var{oid}, void * @var{buf}, size_t @var{sizeof_buf})
@var{crq}: should contain a gnutls_x509_crq_t structure

@var{oid}: holds an Object Identified in null terminated string

@var{buf}: a pointer to a structure that holds the attribute data

@var{sizeof_buf}: holds the size of @code{buf}

This function will set the attribute in the certificate request specified
by the given Object ID. The attribute must be be DER encoded.

Returns 0 on success.
@end deftypefun

@subheading gnutls_x509_crq_set_challenge_password
@anchor{gnutls_x509_crq_set_challenge_password}
@deftypefun {int} {gnutls_x509_crq_set_challenge_password} (gnutls_x509_crq_t @var{crq}, const char * @var{pass})
@var{crq}: should contain a gnutls_x509_crq_t structure

@var{pass}: holds a null terminated password

This function will set a challenge password to be used when revoking the request.

Returns 0 on success.
@end deftypefun

@subheading gnutls_x509_crq_set_dn_by_oid
@anchor{gnutls_x509_crq_set_dn_by_oid}
@deftypefun {int} {gnutls_x509_crq_set_dn_by_oid} (gnutls_x509_crq_t @var{crq}, const char * @var{oid}, unsigned int @var{raw_flag}, const void * @var{data}, unsigned int @var{sizeof_data})
@var{crq}: should contain a gnutls_x509_crq_t structure

@var{oid}: holds an Object Identifier in a null terminated string

@var{raw_flag}: must be 0, or 1 if the data are DER encoded

@var{data}: a pointer to the input data

@var{sizeof_data}: holds the size of @code{data}

This function will set the part of the name of the Certificate request subject, specified
by the given OID. The input string should be ASCII or UTF-8 encoded.

Some helper macros with popular OIDs can be found in gnutls/x509.h
With this function you can only set the known OIDs. You can test
for known OIDs using @code{gnutls_x509_dn_oid_known()}. For OIDs that are
not known (by gnutls) you should properly DER encode your data, and
call this function with raw_flag set.

Returns 0 on success.
@end deftypefun

@subheading gnutls_x509_crq_set_key
@anchor{gnutls_x509_crq_set_key}
@deftypefun {int} {gnutls_x509_crq_set_key} (gnutls_x509_crq_t @var{crq}, gnutls_x509_privkey_t @var{key})
@var{crq}: should contain a gnutls_x509_crq_t structure

@var{key}: holds a private key

This function will set the public parameters from the given private key to the
request. Only RSA keys are currently supported.

Returns 0 on success.
@end deftypefun

@subheading gnutls_x509_crq_set_version
@anchor{gnutls_x509_crq_set_version}
@deftypefun {int} {gnutls_x509_crq_set_version} (gnutls_x509_crq_t @var{crq}, unsigned int @var{version})
@var{crq}: should contain a gnutls_x509_crq_t structure

@var{version}: holds the version number. For v1 Requests must be 1.

This function will set the version of the certificate request. For
version 1 requests this must be one.

Returns 0 on success.
@end deftypefun

@subheading gnutls_x509_crq_sign2
@anchor{gnutls_x509_crq_sign2}
@deftypefun {int} {gnutls_x509_crq_sign2} (gnutls_x509_crq_t @var{crq}, gnutls_x509_privkey_t @var{key}, gnutls_digest_algorithm_t @var{dig}, unsigned int @var{flags})
@var{crq}: should contain a gnutls_x509_crq_t structure

@var{key}: holds a private key

@var{dig}: The message digest to use. GNUTLS_DIG_SHA1 is the safe choice unless you know what you're doing.

@var{flags}: must be 0

This function will sign the certificate request with a private key.
This must be the same key as the one used in @code{gnutls_x509_crt_set_key()} since a
certificate request is self signed.

This must be the last step in a certificate request generation since all
the previously set parameters are now signed.

Returns 0 on success.
@end deftypefun

@subheading gnutls_x509_crq_sign
@anchor{gnutls_x509_crq_sign}
@deftypefun {int} {gnutls_x509_crq_sign} (gnutls_x509_crq_t @var{crq}, gnutls_x509_privkey_t @var{key})
@var{crq}: should contain a gnutls_x509_crq_t structure

@var{key}: holds a private key

This function is the same a @code{gnutls_x509_crq_sign2()} with no flags, and
SHA1 as the hash algorithm.

Returns 0 on success.
@end deftypefun

@subheading gnutls_x509_crt_check_hostname
@anchor{gnutls_x509_crt_check_hostname}
@deftypefun {int} {gnutls_x509_crt_check_hostname} (gnutls_x509_crt_t @var{cert}, const char * @var{hostname})
@var{cert}: should contain an gnutls_x509_crt_t structure

@var{hostname}: A null terminated string that contains a DNS name

This function will check if the given certificate's subject matches
the given hostname. This is a basic implementation of the matching 
described in RFC2818 (HTTPS), which takes into account wildcards,
and the subject alternative name PKIX extension.

Returns non zero on success, and zero on failure.
@end deftypefun

@subheading gnutls_x509_crt_check_issuer
@anchor{gnutls_x509_crt_check_issuer}
@deftypefun {int} {gnutls_x509_crt_check_issuer} (gnutls_x509_crt_t @var{cert}, gnutls_x509_crt_t @var{issuer})
@var{cert}: is the certificate to be checked

@var{issuer}: is the certificate of a possible issuer

This function will check if the given certificate was issued by the
given issuer. It will return true (1) if the given certificate is issued
by the given issuer, and false (0) if not.

A negative value is returned in case of an error.
@end deftypefun

@subheading gnutls_x509_crt_check_revocation
@anchor{gnutls_x509_crt_check_revocation}
@deftypefun {int} {gnutls_x509_crt_check_revocation} (gnutls_x509_crt_t @var{cert}, const gnutls_x509_crl_t * @var{crl_list}, int @var{crl_list_length})
@var{cert}: should contain a gnutls_x509_crt_t structure

@var{crl_list}: should contain a list of gnutls_x509_crl_t structures

@var{crl_list_length}: the length of the crl_list

This function will return check if the given certificate is revoked.
It is assumed that the CRLs have been verified before.

Returns 0 if the certificate is NOT revoked, and 1 if it is.
A negative value is returned on error. 
@end deftypefun

@subheading gnutls_x509_crt_cpy_crl_dist_points
@anchor{gnutls_x509_crt_cpy_crl_dist_points}
@deftypefun {int} {gnutls_x509_crt_cpy_crl_dist_points} (gnutls_x509_crt_t @var{dst}, gnutls_x509_crt_t @var{src})
@var{dst}: should contain a gnutls_x509_crt_t structure

@var{src}: the certificate where the dist points will be copied from

This function will copy the CRL distribution points certificate 
extension, from the source to the destination certificate.
This may be useful to copy from a CA certificate to issued ones.

Returns 0 on success.
@end deftypefun

@subheading gnutls_x509_crt_deinit
@anchor{gnutls_x509_crt_deinit}
@deftypefun {void} {gnutls_x509_crt_deinit} (gnutls_x509_crt_t @var{cert})
@var{cert}: The structure to be initialized

This function will deinitialize a CRL structure. 
@end deftypefun

@subheading gnutls_x509_crt_export
@anchor{gnutls_x509_crt_export}
@deftypefun {int} {gnutls_x509_crt_export} (gnutls_x509_crt_t @var{cert}, gnutls_x509_crt_fmt_t @var{format}, void * @var{output_data}, size_t * @var{output_data_size})
@var{cert}: Holds the certificate

@var{format}: the format of output params. One of PEM or DER.

@var{output_data}: will contain a certificate PEM or DER encoded

@var{output_data_size}: holds the size of output_data (and will be
replaced by the actual size of parameters)

This function will export the certificate to DER or PEM format.

If the buffer provided is not long enough to hold the output, then
*output_data_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will
be returned.

If the structure is PEM encoded, it will have a header
of "BEGIN CERTIFICATE".

@strong{Return value:} In case of failure a negative value will be
returned, and 0 on success.
@end deftypefun

@subheading gnutls_x509_crt_get_activation_time
@anchor{gnutls_x509_crt_get_activation_time}
@deftypefun {time_t} {gnutls_x509_crt_get_activation_time} (gnutls_x509_crt_t @var{cert})
@var{cert}: should contain a gnutls_x509_crt_t structure

This function will return the time this Certificate was or will be activated.

Returns (time_t)-1 on error.
@end deftypefun

@subheading gnutls_x509_crt_get_authority_key_id
@anchor{gnutls_x509_crt_get_authority_key_id}
@deftypefun {int} {gnutls_x509_crt_get_authority_key_id} (gnutls_x509_crt_t @var{cert}, void * @var{ret}, size_t * @var{ret_size}, unsigned int * @var{critical})
@var{cert}: should contain a gnutls_x509_crt_t structure

@var{critical}: will be non zero if the extension is marked as critical (may be null)

This function will return the X.509v3 certificate authority's key identifier.
This is obtained by the X.509 Authority Key identifier extension
field (2.5.29.35). Note that this function only returns the keyIdentifier
field of the extension.

Returns 0 on success and a negative value in case of an error.
@end deftypefun

@subheading gnutls_x509_crt_get_ca_status
@anchor{gnutls_x509_crt_get_ca_status}
@deftypefun {int} {gnutls_x509_crt_get_ca_status} (gnutls_x509_crt_t @var{cert}, unsigned int * @var{critical})
@var{cert}: should contain a gnutls_x509_crt_t structure

@var{critical}: will be non zero if the extension is marked as critical

This function will return certificates CA status, by reading the
basicConstraints X.509 extension (2.5.29.19). If the certificate is a CA a positive
value will be returned, or zero if the certificate does not have
CA flag set. 

A negative value may be returned in case of parsing error.
If the certificate does not contain the basicConstraints extension
GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.
@end deftypefun

@subheading gnutls_x509_crt_get_crl_dist_points
@anchor{gnutls_x509_crt_get_crl_dist_points}
@deftypefun {int} {gnutls_x509_crt_get_crl_dist_points} (gnutls_x509_crt_t @var{cert}, unsigned int @var{seq}, void * @var{ret}, size_t * @var{ret_size}, unsigned int * @var{reason_flags}, unsigned int * @var{critical})
@var{cert}: should contain a gnutls_x509_crt_t structure

@var{seq}: specifies the sequence number of the distribution point (0 for the first one, 1 for the second etc.)

@var{ret}: is the place where the distribution point will be copied to

@var{ret_size}: holds the size of ret.

@var{reason_flags}: Revocation reasons flags.

@var{critical}: will be non zero if the extension is marked as critical (may be null)

This function will return the CRL distribution points (2.5.29.31), contained in the
given certificate.

@code{reason_flags} should be an ORed sequence of GNUTLS_CRL_REASON_UNUSED,
GNUTLS_CRL_REASON_KEY_COMPROMISE, GNUTLS_CRL_REASON_CA_COMPROMISE,
GNUTLS_CRL_REASON_AFFILIATION_CHANGED, GNUTLS_CRL_REASON_SUPERSEEDED,
GNUTLS_CRL_REASON_CESSATION_OF_OPERATION, GNUTLS_CRL_REASON_CERTIFICATE_HOLD,
GNUTLS_CRL_REASON_PRIVILEGE_WITHDRAWN, GNUTLS_CRL_REASON_AA_COMPROMISE,
or zero for all possible reasons.

This is specified in X509v3 Certificate Extensions. GNUTLS will return the 
distribution point type, or a negative error code on error.

Returns GNUTLS_E_SHORT_MEMORY_BUFFER and updates &ret_size if &ret_size is not enough to hold the distribution
point, or the type of the distribution point if everything was ok. The type is 
one of the enumerated gnutls_x509_subject_alt_name_t.

If the certificate does not have an Alternative name with the specified 
sequence number then returns GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
@end deftypefun

@subheading gnutls_x509_crt_get_dn_by_oid
@anchor{gnutls_x509_crt_get_dn_by_oid}
@deftypefun {int} {gnutls_x509_crt_get_dn_by_oid} (gnutls_x509_crt_t @var{cert}, const char * @var{oid}, int @var{indx}, unsigned int @var{raw_flag}, void * @var{buf}, size_t * @var{sizeof_buf})
@var{cert}: should contain a gnutls_x509_crt_t structure

@var{oid}: holds an Object Identified in null terminated string

@var{indx}: In case multiple same OIDs exist in the RDN, this specifies which to send. Use zero to get the first one.

@var{raw_flag}: If non zero returns the raw DER data of the DN part.

@var{buf}: a pointer where the DN part will be copied (may be null).

@var{sizeof_buf}: initially holds the size of @code{buf}

This function will extract the part of the name of the Certificate
subject specified by the given OID. The output, if the raw flag is not
used, will be encoded as described in RFC2253. Thus a string that is
ASCII or UTF-8 encoded, depending on the certificate data.

Some helper macros with popular OIDs can be found in gnutls/x509.h
If raw flag is zero, this function will only return known OIDs as
text. Other OIDs will be DER encoded, as described in RFC2253 --
in hex format with a '\#' prefix.  You can check about known OIDs
using @code{gnutls_x509_dn_oid_known()}.

If @code{buf} is null then only the size will be filled.

Returns GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not
long enough, and in that case the *sizeof_buf will be updated with
the required size.  On success 0 is returned.
@end deftypefun

@subheading gnutls_x509_crt_get_dn_oid
@anchor{gnutls_x509_crt_get_dn_oid}
@deftypefun {int} {gnutls_x509_crt_get_dn_oid} (gnutls_x509_crt_t @var{cert}, int @var{indx}, void * @var{oid}, size_t * @var{sizeof_oid})
@var{cert}: should contain a gnutls_x509_crt_t structure

@var{indx}: This specifies which OID to return. Use zero to get the first one.

@var{oid}: a pointer to a buffer to hold the OID (may be null)

@var{sizeof_oid}: initially holds the size of @code{oid}

This function will extract the OIDs of the name of the Certificate
subject specified by the given index.

If oid is null then only the size will be filled.

Returns GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not
long enough, and in that case the *sizeof_oid will be updated with
the required size.  On success 0 is returned.
@end deftypefun

@subheading gnutls_x509_crt_get_dn
@anchor{gnutls_x509_crt_get_dn}
@deftypefun {int} {gnutls_x509_crt_get_dn} (gnutls_x509_crt_t @var{cert}, char * @var{buf}, size_t * @var{sizeof_buf})
@var{cert}: should contain a gnutls_x509_crt_t structure

@var{buf}: a pointer to a structure to hold the name (may be null)

@var{sizeof_buf}: initially holds the size of @code{buf}

This function will copy the name of the Certificate in the
provided buffer. The name will be in the form
"C=xxxx,O=yyyy,CN=zzzz" as described in RFC2253. The output string
will be ASCII or UTF-8 encoded, depending on the certificate data.

If @code{buf} is null then only the size will be filled.

Returns GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not
long enough, and in that case the *sizeof_buf will be updated with
the required size.  On success 0 is returned.
@end deftypefun

@subheading gnutls_x509_crt_get_expiration_time
@anchor{gnutls_x509_crt_get_expiration_time}
@deftypefun {time_t} {gnutls_x509_crt_get_expiration_time} (gnutls_x509_crt_t @var{cert})
@var{cert}: should contain a gnutls_x509_crt_t structure

This function will return the time this Certificate was or will be expired.

Returns (time_t)-1 on error.
@end deftypefun

@subheading gnutls_x509_crt_get_extension_by_oid
@anchor{gnutls_x509_crt_get_extension_by_oid}
@deftypefun {int} {gnutls_x509_crt_get_extension_by_oid} (gnutls_x509_crt_t @var{cert}, const char * @var{oid}, int @var{indx}, void * @var{buf}, size_t * @var{sizeof_buf}, unsigned int * @var{critical})
@var{cert}: should contain a gnutls_x509_crt_t structure

@var{oid}: holds an Object Identified in null terminated string

@var{indx}: In case multiple same OIDs exist in the extensions, this specifies which to send. Use zero to get the first one.

@var{buf}: a pointer to a structure to hold the name (may be null)

@var{sizeof_buf}: initially holds the size of @code{buf}

@var{critical}: will be non zero if the extension is marked as critical

This function will return the extension specified by the OID in the certificate.
The extensions will be returned as binary data DER encoded, in the provided
buffer.

A negative value may be returned in case of parsing error.
If the certificate does not contain the specified extension
GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.
@end deftypefun

@subheading gnutls_x509_crt_get_extension_oid
@anchor{gnutls_x509_crt_get_extension_oid}
@deftypefun {int} {gnutls_x509_crt_get_extension_oid} (gnutls_x509_crt_t @var{cert}, int @var{indx}, void * @var{oid}, size_t * @var{sizeof_oid})
@var{cert}: should contain a gnutls_x509_crt_t structure

@var{indx}: Specifies which extension OID to send. Use zero to get the first one.

@var{oid}: a pointer to a structure to hold the OID (may be null)

@var{sizeof_oid}: initially holds the size of @code{oid}

This function will return the requested extension OID in the certificate.
The extension OID will be stored as a string in the provided buffer.

A negative value may be returned in case of parsing error.
If your have reached the last extension available 
GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.
@end deftypefun

@subheading gnutls_x509_crt_get_fingerprint
@anchor{gnutls_x509_crt_get_fingerprint}
@deftypefun {int} {gnutls_x509_crt_get_fingerprint} (gnutls_x509_crt_t @var{cert}, gnutls_digest_algorithm_t @var{algo}, void * @var{buf}, size_t * @var{sizeof_buf})
@var{cert}: should contain a gnutls_x509_crt_t structure

@var{algo}: is a digest algorithm

@var{buf}: a pointer to a structure to hold the fingerprint (may be null)

@var{sizeof_buf}: initially holds the size of @code{buf}

This function will calculate and copy the certificate's fingerprint
in the provided buffer.

If the buffer is null then only the size will be filled.

Returns GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not
long enough, and in that case the *sizeof_buf will be updated with
the required size.  On success 0 is returned.
@end deftypefun

@subheading gnutls_x509_crt_get_issuer_dn_by_oid
@anchor{gnutls_x509_crt_get_issuer_dn_by_oid}
@deftypefun {int} {gnutls_x509_crt_get_issuer_dn_by_oid} (gnutls_x509_crt_t @var{cert}, const char * @var{oid}, int @var{indx}, unsigned int @var{raw_flag}, void * @var{buf}, size_t * @var{sizeof_buf})
@var{cert}: should contain a gnutls_x509_crt_t structure

@var{oid}: holds an Object Identified in null terminated string

@var{indx}: In case multiple same OIDs exist in the RDN, this specifies which to send. Use zero to get the first one.

@var{raw_flag}: If non zero returns the raw DER data of the DN part.

@var{buf}: a pointer to a structure to hold the name (may be null)

@var{sizeof_buf}: initially holds the size of @code{buf}

This function will extract the part of the name of the Certificate
issuer specified by the given OID. The output, if the raw flag is not
used, will be encoded as described in RFC2253. Thus a string that is
ASCII or UTF-8 encoded, depending on the certificate data.

Some helper macros with popular OIDs can be found in gnutls/x509.h
If raw flag is zero, this function will only return known OIDs as
text. Other OIDs will be DER encoded, as described in RFC2253 --
in hex format with a '\#' prefix.  You can check about known OIDs
using @code{gnutls_x509_dn_oid_known()}.

If @code{buf} is null then only the size will be filled.

Returns GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not
long enough, and in that case the *sizeof_buf will be updated with
the required size.  On success 0 is returned.
@end deftypefun

@subheading gnutls_x509_crt_get_issuer_dn_oid
@anchor{gnutls_x509_crt_get_issuer_dn_oid}
@deftypefun {int} {gnutls_x509_crt_get_issuer_dn_oid} (gnutls_x509_crt_t @var{cert}, int @var{indx}, void * @var{oid}, size_t * @var{sizeof_oid})
@var{cert}: should contain a gnutls_x509_crt_t structure

@var{indx}: This specifies which OID to return. Use zero to get the first one.

@var{oid}: a pointer to a buffer to hold the OID (may be null)

@var{sizeof_oid}: initially holds the size of @code{oid}

This function will extract the OIDs of the name of the Certificate
issuer specified by the given index.

If @code{oid} is null then only the size will be filled.

Returns GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not
long enough, and in that case the *sizeof_oid will be updated with
the required size.  On success 0 is returned.
@end deftypefun

@subheading gnutls_x509_crt_get_issuer_dn
@anchor{gnutls_x509_crt_get_issuer_dn}
@deftypefun {int} {gnutls_x509_crt_get_issuer_dn} (gnutls_x509_crt_t @var{cert}, char * @var{buf}, size_t * @var{sizeof_buf})
@var{cert}: should contain a gnutls_x509_crt_t structure

@var{buf}: a pointer to a structure to hold the name (may be null)

@var{sizeof_buf}: initially holds the size of @code{buf}

This function will copy the name of the Certificate issuer in the
provided buffer. The name will be in the form
"C=xxxx,O=yyyy,CN=zzzz" as described in RFC2253. The output string
will be ASCII or UTF-8 encoded, depending on the certificate data.

If @code{buf} is null then only the size will be filled.

Returns GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not
long enough, and in that case the *sizeof_buf will be updated with
the required size.  On success 0 is returned.
@end deftypefun

@subheading gnutls_x509_crt_get_key_id
@anchor{gnutls_x509_crt_get_key_id}
@deftypefun {int} {gnutls_x509_crt_get_key_id} (gnutls_x509_crt_t @var{crt}, unsigned int @var{flags}, unsigned char * @var{output_data}, size_t * @var{output_data_size})
@var{crt}: Holds the certificate

@var{flags}: should be 0 for now

@var{output_data}: will contain the key ID

@var{output_data_size}: holds the size of output_data (and will be
replaced by the actual size of parameters)

This function will return a unique ID the depends on the public key
parameters. This ID can be used in checking whether a certificate
corresponds to the given private key.

If the buffer provided is not long enough to hold the output, then
*output_data_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will
be returned.  The output will normally be a SHA-1 hash output,
which is 20 bytes.

@strong{Return value:} In case of failure a negative value will be
returned, and 0 on success.
@end deftypefun

@subheading gnutls_x509_crt_get_key_purpose_oid
@anchor{gnutls_x509_crt_get_key_purpose_oid}
@deftypefun {int} {gnutls_x509_crt_get_key_purpose_oid} (gnutls_x509_crt_t @var{cert}, int @var{indx}, void * @var{oid}, size_t * @var{sizeof_oid}, unsigned int * @var{critical})
@var{cert}: should contain a gnutls_x509_crt_t structure

@var{indx}: This specifies which OID to return. Use zero to get the first one.

@var{oid}: a pointer to a buffer to hold the OID (may be null)

@var{sizeof_oid}: initially holds the size of @code{oid}

This function will extract the key purpose OIDs of the Certificate
specified by the given index. These are stored in the Extended Key
Usage extension (2.5.29.37) See the GNUTLS_KP_* definitions for
human readable names.

If @code{oid} is null then only the size will be filled.

Returns GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not
long enough, and in that case the *sizeof_oid will be updated with
the required size.  On success 0 is returned.
@end deftypefun

@subheading gnutls_x509_crt_get_key_usage
@anchor{gnutls_x509_crt_get_key_usage}
@deftypefun {int} {gnutls_x509_crt_get_key_usage} (gnutls_x509_crt_t @var{cert}, unsigned int * @var{key_usage}, unsigned int * @var{critical})
@var{cert}: should contain a gnutls_x509_crt_t structure

@var{key_usage}: where the key usage bits will be stored

@var{critical}: will be non zero if the extension is marked as critical

This function will return certificate's key usage, by reading the 
keyUsage X.509 extension (2.5.29.15). The key usage value will ORed values of the:
GNUTLS_KEY_DIGITAL_SIGNATURE, GNUTLS_KEY_NON_REPUDIATION,
GNUTLS_KEY_KEY_ENCIPHERMENT, GNUTLS_KEY_DATA_ENCIPHERMENT,
GNUTLS_KEY_KEY_AGREEMENT, GNUTLS_KEY_KEY_CERT_SIGN,
GNUTLS_KEY_CRL_SIGN, GNUTLS_KEY_ENCIPHER_ONLY,
GNUTLS_KEY_DECIPHER_ONLY.

A negative value may be returned in case of parsing error.
If the certificate does not contain the keyUsage extension
GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.
@end deftypefun

@subheading gnutls_x509_crt_get_pk_algorithm
@anchor{gnutls_x509_crt_get_pk_algorithm}
@deftypefun {int} {gnutls_x509_crt_get_pk_algorithm} (gnutls_x509_crt_t @var{cert}, unsigned int * @var{bits})
@var{cert}: should contain a gnutls_x509_crt_t structure

@var{bits}: if bits is non null it will hold the size of the parameters' in bits

This function will return the public key algorithm of an X.509 
certificate.

If bits is non null, it should have enough size to hold the parameters
size in bits. For RSA the bits returned is the modulus. 
For DSA the bits returned are of the public
exponent.

Returns a member of the gnutls_pk_algorithm_t enumeration on success,
or a negative value on error.
@end deftypefun

@subheading gnutls_x509_crt_get_pk_dsa_raw
@anchor{gnutls_x509_crt_get_pk_dsa_raw}
@deftypefun {int} {gnutls_x509_crt_get_pk_dsa_raw} (gnutls_x509_crt_t @var{crt}, gnutls_datum_t * @var{p}, gnutls_datum_t * @var{q}, gnutls_datum_t * @var{g}, gnutls_datum_t * @var{y})
@var{crt}: Holds the certificate

@var{p}: will hold the p

@var{q}: will hold the q

@var{g}: will hold the g

@var{y}: will hold the y

This function will export the DSA private key's parameters found in the given
certificate. The new parameters will be allocated using
@code{gnutls_malloc()} and will be stored in the appropriate datum.
@end deftypefun

@subheading gnutls_x509_crt_get_pk_rsa_raw
@anchor{gnutls_x509_crt_get_pk_rsa_raw}
@deftypefun {int} {gnutls_x509_crt_get_pk_rsa_raw} (gnutls_x509_crt_t @var{crt}, gnutls_datum_t * @var{m}, gnutls_datum_t * @var{e})
@var{crt}: Holds the certificate

@var{m}: will hold the modulus

@var{e}: will hold the public exponent

This function will export the RSA private key's parameters found in the given
structure. The new parameters will be allocated using
@code{gnutls_malloc()} and will be stored in the appropriate datum.
@end deftypefun

@subheading gnutls_x509_crt_get_serial
@anchor{gnutls_x509_crt_get_serial}
@deftypefun {int} {gnutls_x509_crt_get_serial} (gnutls_x509_crt_t @var{cert}, void * @var{result}, size_t * @var{result_size})
@var{cert}: should contain a gnutls_x509_crt_t structure

@var{result}: The place where the serial number will be copied

@var{result_size}: Holds the size of the result field.

This function will return the X.509 certificate's serial number. 
This is obtained by the X509 Certificate serialNumber
field. Serial is not always a 32 or 64bit number. Some CAs use
large serial numbers, thus it may be wise to handle it as something
opaque. 

Returns 0 on success and a negative value in case of an error.
@end deftypefun

@subheading gnutls_x509_crt_get_signature_algorithm
@anchor{gnutls_x509_crt_get_signature_algorithm}
@deftypefun {int} {gnutls_x509_crt_get_signature_algorithm} (gnutls_x509_crt_t @var{cert})
@var{cert}: should contain a gnutls_x509_crt_t structure

This function will return a value of the gnutls_sign_algorithm_t enumeration that 
is the signature algorithm. 

Returns a negative value on error.
@end deftypefun

@subheading gnutls_x509_crt_get_subject_alt_name
@anchor{gnutls_x509_crt_get_subject_alt_name}
@deftypefun {int} {gnutls_x509_crt_get_subject_alt_name} (gnutls_x509_crt_t @var{cert}, unsigned int @var{seq}, void * @var{ret}, size_t * @var{ret_size}, unsigned int * @var{critical})
@var{cert}: should contain a gnutls_x509_crt_t structure

@var{seq}: specifies the sequence number of the alt name (0 for the first one, 1 for the second etc.)

@var{ret}: is the place where the alternative name will be copied to

@var{ret_size}: holds the size of ret.

@var{critical}: will be non zero if the extension is marked as critical (may be null)

This function will return the alternative names, contained in the
given certificate.

This is specified in X509v3 Certificate Extensions. 
GNUTLS will return the Alternative name (2.5.29.17), or a negative
error code.

Returns GNUTLS_E_SHORT_MEMORY_BUFFER if &ret_size is not enough to hold the alternative 
name. In that case &ret_size will be updated. If everything was ok the type of alternative 
name is returned. The type is one of the enumerated gnutls_x509_subject_alt_name_t.

If the certificate does not have an Alternative name with the specified 
sequence number then returns GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
@end deftypefun

@subheading gnutls_x509_crt_get_subject_key_id
@anchor{gnutls_x509_crt_get_subject_key_id}
@deftypefun {int} {gnutls_x509_crt_get_subject_key_id} (gnutls_x509_crt_t @var{cert}, void * @var{ret}, size_t * @var{ret_size}, unsigned int * @var{critical})
@var{cert}: should contain a gnutls_x509_crt_t structure

@var{critical}: will be non zero if the extension is marked as critical (may be null)

This function will return the X.509v3 certificate's subject key identifier.
This is obtained by the X.509 Subject Key identifier extension
field (2.5.29.14). 

Returns 0 on success and a negative value in case of an error.
@end deftypefun

@subheading gnutls_x509_crt_get_version
@anchor{gnutls_x509_crt_get_version}
@deftypefun {int} {gnutls_x509_crt_get_version} (gnutls_x509_crt_t @var{cert})
@var{cert}: should contain a gnutls_x509_crt_t structure

This function will return the version of the specified Certificate.

Returns a negative value on error.
@end deftypefun

@subheading gnutls_x509_crt_import
@anchor{gnutls_x509_crt_import}
@deftypefun {int} {gnutls_x509_crt_import} (gnutls_x509_crt_t @var{cert}, const gnutls_datum_t * @var{data}, gnutls_x509_crt_fmt_t @var{format})
@var{cert}: The structure to store the parsed certificate.

@var{data}: The DER or PEM encoded certificate.

@var{format}: One of DER or PEM

This function will convert the given DER or PEM encoded Certificate
to the native gnutls_x509_crt_t format. The output will be stored in @code{cert}.

If the Certificate is PEM encoded it should have a header of "X509 CERTIFICATE", or
"CERTIFICATE".

Returns 0 on success.
@end deftypefun

@subheading gnutls_x509_crt_init
@anchor{gnutls_x509_crt_init}
@deftypefun {int} {gnutls_x509_crt_init} (gnutls_x509_crt_t * @var{cert})
@var{cert}: The structure to be initialized

This function will initialize an X.509 certificate structure. 

Returns 0 on success.
@end deftypefun

@subheading gnutls_x509_crt_list_import
@anchor{gnutls_x509_crt_list_import}
@deftypefun {int} {gnutls_x509_crt_list_import} (gnutls_x509_crt_t * @var{certs}, unsigned int * @var{cert_max}, const gnutls_datum_t * @var{data}, gnutls_x509_crt_fmt_t @var{format}, unsigned int @var{flags})
@var{certs}: The structures to store the parsed certificate. Must not be initialized.

@var{cert_max}: Initially must hold the maximum number of certs. It will be updated with the number of certs available.

@var{data}: The PEM encoded certificate.

@var{format}: One of DER or PEM.

@var{flags}: must be zero or an OR'd sequence of gnutls_certificate_import_flags.

This function will convert the given PEM encoded certificate list
to the native gnutls_x509_crt_t format. The output will be stored in @code{certs}.
They will be automatically initialized.

If the Certificate is PEM encoded it should have a header of "X509 CERTIFICATE", or
"CERTIFICATE".

Returns the number of certificates read or a negative error value.
@end deftypefun

@subheading gnutls_x509_crt_list_verify
@anchor{gnutls_x509_crt_list_verify}
@deftypefun {int} {gnutls_x509_crt_list_verify} (const gnutls_x509_crt_t * @var{cert_list}, int @var{cert_list_length}, const gnutls_x509_crt_t * @var{CA_list}, int @var{CA_list_length}, const gnutls_x509_crl_t * @var{CRL_list}, int @var{CRL_list_length}, unsigned int @var{flags}, unsigned int * @var{verify})
@var{cert_list}: is the certificate list to be verified

@var{cert_list_length}: holds the number of certificate in cert_list

@var{CA_list}: is the CA list which will be used in verification

@var{CA_list_length}: holds the number of CA certificate in CA_list

@var{CRL_list}: holds a list of CRLs.

@var{CRL_list_length}: the length of CRL list.

@var{flags}: Flags that may be used to change the verification algorithm. Use OR of the gnutls_certificate_verify_flags enumerations.

@var{verify}: will hold the certificate verification output.

This function will try to verify the given certificate list and return its status.
Note that expiration and activation dates are not checked
by this function, you should check them using the appropriate functions.

If no flags are specified (0), this function will use the 
basicConstraints (2.5.29.19) PKIX extension. This means that only a certificate 
authority is allowed to sign a certificate.

You must also check the peer's name in order to check if the verified 
certificate belongs to the actual peer. 

The certificate verification output will be put in @code{verify} and will be
one or more of the gnutls_certificate_status_t enumerated elements bitwise or'd.
For a more detailed verification status use @code{gnutls_x509_crt_verify()} per list
element.

@strong{GNUTLS_CERT_INVALID:} the certificate chain is not valid.

@strong{GNUTLS_CERT_REVOKED:} a certificate in the chain has been revoked.

Returns 0 on success and a negative value in case of an error.
@end deftypefun

@subheading gnutls_x509_crt_set_activation_time
@anchor{gnutls_x509_crt_set_activation_time}
@deftypefun {int} {gnutls_x509_crt_set_activation_time} (gnutls_x509_crt_t @var{cert}, time_t @var{act_time})
@var{cert}: should contain a gnutls_x509_crt_t structure

@var{act_time}: The actual time

This function will set the time this Certificate was or will be activated.

Returns 0 on success, or a negative value in case of an error.
@end deftypefun

@subheading gnutls_x509_crt_set_authority_key_id
@anchor{gnutls_x509_crt_set_authority_key_id}
@deftypefun {int} {gnutls_x509_crt_set_authority_key_id} (gnutls_x509_crt_t @var{cert}, const void * @var{id}, size_t @var{id_size})
@var{cert}: should contain a gnutls_x509_crt_t structure

@var{id}: The key ID

@var{id_size}: Holds the size of the serial field.

This function will set the X.509 certificate's authority key ID extension.
Only the keyIdentifier field can be set with this function.

Returns 0 on success, or a negative value in case of an error.
@end deftypefun

@subheading gnutls_x509_crt_set_ca_status
@anchor{gnutls_x509_crt_set_ca_status}
@deftypefun {int} {gnutls_x509_crt_set_ca_status} (gnutls_x509_crt_t @var{crt}, unsigned int @var{ca})
@var{crt}: should contain a gnutls_x509_crt_t structure

@var{ca}: true(1) or false(0). Depending on the Certificate authority status.

This function will set the basicConstraints certificate extension. 

Returns 0 on success.
@end deftypefun

@subheading gnutls_x509_crt_set_crl_dist_points
@anchor{gnutls_x509_crt_set_crl_dist_points}
@deftypefun {int} {gnutls_x509_crt_set_crl_dist_points} (gnutls_x509_crt_t @var{crt}, gnutls_x509_subject_alt_name_t          @var{type}, const void * @var{data_string}, unsigned int @var{reason_flags})
@var{crt}: should contain a gnutls_x509_crt_t structure

@var{type}: is one of the gnutls_x509_subject_alt_name_t enumerations

@var{data_string}: The data to be set

@var{reason_flags}: revocation reasons

This function will set the CRL distribution points certificate extension. 

Returns 0 on success.
@end deftypefun

@subheading gnutls_x509_crt_set_crq
@anchor{gnutls_x509_crt_set_crq}
@deftypefun {int} {gnutls_x509_crt_set_crq} (gnutls_x509_crt_t @var{crt}, gnutls_x509_crq_t @var{crq})
@var{crt}: should contain a gnutls_x509_crt_t structure

@var{crq}: holds a certificate request

This function will set the name and public parameters from the given certificate request to the
certificate. Only RSA keys are currently supported.

Returns 0 on success.
@end deftypefun

@subheading gnutls_x509_crt_set_dn_by_oid
@anchor{gnutls_x509_crt_set_dn_by_oid}
@deftypefun {int} {gnutls_x509_crt_set_dn_by_oid} (gnutls_x509_crt_t @var{crt}, const char * @var{oid}, unsigned int @var{raw_flag}, const void * @var{name}, unsigned int @var{sizeof_name})
@var{crt}: should contain a gnutls_x509_crt_t structure

@var{oid}: holds an Object Identifier in a null terminated string

@var{raw_flag}: must be 0, or 1 if the data are DER encoded

@var{name}: a pointer to the name

@var{sizeof_name}: holds the size of @code{name}

This function will set the part of the name of the Certificate subject, specified
by the given OID. The input string should be ASCII or UTF-8 encoded.

Some helper macros with popular OIDs can be found in gnutls/x509.h
With this function you can only set the known OIDs. You can test
for known OIDs using @code{gnutls_x509_dn_oid_known()}. For OIDs that are
not known (by gnutls) you should properly DER encode your data, and
call this function with raw_flag set.

Returns 0 on success.
@end deftypefun

@subheading gnutls_x509_crt_set_expiration_time
@anchor{gnutls_x509_crt_set_expiration_time}
@deftypefun {int} {gnutls_x509_crt_set_expiration_time} (gnutls_x509_crt_t @var{cert}, time_t @var{exp_time})
@var{cert}: should contain a gnutls_x509_crt_t structure

@var{exp_time}: The actual time

This function will set the time this Certificate will expire.

Returns 0 on success, or a negative value in case of an error.
@end deftypefun

@subheading gnutls_x509_crt_set_extension_by_oid
@anchor{gnutls_x509_crt_set_extension_by_oid}
@deftypefun {int} {gnutls_x509_crt_set_extension_by_oid} (gnutls_x509_crt_t @var{crt}, const char * @var{oid}, const void * @var{buf}, size_t @var{sizeof_buf}, unsigned int @var{critical})
@var{crt}: should contain a gnutls_x509_crt_t structure

@var{oid}: holds an Object Identified in null terminated string

@var{buf}: a pointer to a DER encoded data

@var{sizeof_buf}: holds the size of @code{buf}

@var{critical}: should be non zero if the extension is to be marked as critical

This function will set an the extension, by the specified OID, in the certificate.
The extension data should be binary data DER encoded.

Returns 0 on success and a negative value in case of an error.
@end deftypefun

@subheading gnutls_x509_crt_set_issuer_dn_by_oid
@anchor{gnutls_x509_crt_set_issuer_dn_by_oid}
@deftypefun {int} {gnutls_x509_crt_set_issuer_dn_by_oid} (gnutls_x509_crt_t @var{crt}, const char * @var{oid}, unsigned int @var{raw_flag}, const void * @var{name}, unsigned int @var{sizeof_name})
@var{crt}: should contain a gnutls_x509_crt_t structure

@var{oid}: holds an Object Identifier in a null terminated string

@var{raw_flag}: must be 0, or 1 if the data are DER encoded

@var{name}: a pointer to the name

@var{sizeof_name}: holds the size of @code{name}

This function will set the part of the name of the Certificate issuer, specified
by the given OID. The input string should be ASCII or UTF-8 encoded.

Some helper macros with popular OIDs can be found in gnutls/x509.h
With this function you can only set the known OIDs. You can test
for known OIDs using @code{gnutls_x509_dn_oid_known()}. For OIDs that are
not known (by gnutls) you should properly DER encode your data, and
call this function with raw_flag set.

Normally you do not need to call this function, since the signing
operation will copy the signer's name as the issuer of the certificate.

Returns 0 on success.
@end deftypefun

@subheading gnutls_x509_crt_set_key_purpose_oid
@anchor{gnutls_x509_crt_set_key_purpose_oid}
@deftypefun {int} {gnutls_x509_crt_set_key_purpose_oid} (gnutls_x509_crt_t @var{cert}, const void * @var{oid}, unsigned int @var{critical})
@var{cert}: should contain a gnutls_x509_crt_t structure

@var{oid}: a pointer to a null terminated string that holds the OID

@var{critical}: Whether this extension will be critical or not

This function will set the key purpose OIDs of the Certificate.
These are stored in the Extended Key Usage extension (2.5.29.37)
See the GNUTLS_KP_* definitions for human readable names.

Subsequent calls to this function will append OIDs to the OID list.

On success 0 is returned.
@end deftypefun

@subheading gnutls_x509_crt_set_key_usage
@anchor{gnutls_x509_crt_set_key_usage}
@deftypefun {int} {gnutls_x509_crt_set_key_usage} (gnutls_x509_crt_t @var{crt}, unsigned int @var{usage})
@var{crt}: should contain a gnutls_x509_crt_t structure

@var{usage}: an ORed sequence of the GNUTLS_KEY_* elements.

This function will set the keyUsage certificate extension. 

Returns 0 on success.
@end deftypefun

@subheading gnutls_x509_crt_set_key
@anchor{gnutls_x509_crt_set_key}
@deftypefun {int} {gnutls_x509_crt_set_key} (gnutls_x509_crt_t @var{crt}, gnutls_x509_privkey_t @var{key})
@var{crt}: should contain a gnutls_x509_crt_t structure

@var{key}: holds a private key

This function will set the public parameters from the given private key to the
certificate. Only RSA keys are currently supported.

Returns 0 on success.
@end deftypefun

@subheading gnutls_x509_crt_set_serial
@anchor{gnutls_x509_crt_set_serial}
@deftypefun {int} {gnutls_x509_crt_set_serial} (gnutls_x509_crt_t @var{cert}, const void * @var{serial}, size_t @var{serial_size})
@var{cert}: should contain a gnutls_x509_crt_t structure

@var{serial}: The serial number

@var{serial_size}: Holds the size of the serial field.

This function will set the X.509 certificate's serial number. 
Serial is not always a 32 or 64bit number. Some CAs use
large serial numbers, thus it may be wise to handle it as something
opaque. 

Returns 0 on success, or a negative value in case of an error.
@end deftypefun

@subheading gnutls_x509_crt_set_subject_alternative_name
@anchor{gnutls_x509_crt_set_subject_alternative_name}
@deftypefun {int} {gnutls_x509_crt_set_subject_alternative_name} (gnutls_x509_crt_t @var{crt}, gnutls_x509_subject_alt_name_t            @var{type}, const char * @var{data_string})
@var{crt}: should contain a gnutls_x509_crt_t structure

@var{type}: is one of the gnutls_x509_subject_alt_name_t enumerations

@var{data_string}: The data to be set

This function will set the subject alternative name certificate extension. 

Returns 0 on success.
@end deftypefun

@subheading gnutls_x509_crt_set_subject_key_id
@anchor{gnutls_x509_crt_set_subject_key_id}
@deftypefun {int} {gnutls_x509_crt_set_subject_key_id} (gnutls_x509_crt_t @var{cert}, const void * @var{id}, size_t @var{id_size})
@var{cert}: should contain a gnutls_x509_crt_t structure

@var{id}: The key ID

@var{id_size}: Holds the size of the serial field.

This function will set the X.509 certificate's subject key ID extension.

Returns 0 on success, or a negative value in case of an error.
@end deftypefun

@subheading gnutls_x509_crt_set_version
@anchor{gnutls_x509_crt_set_version}
@deftypefun {int} {gnutls_x509_crt_set_version} (gnutls_x509_crt_t @var{crt}, unsigned int @var{version})
@var{crt}: should contain a gnutls_x509_crt_t structure

@var{version}: holds the version number. For X.509v1 certificates must be 1.

This function will set the version of the certificate. This
must be one for X.509 version 1, and so on. Plain certificates without
extensions must have version set to one.

Returns 0 on success.
@end deftypefun

@subheading gnutls_x509_crt_sign2
@anchor{gnutls_x509_crt_sign2}
@deftypefun {int} {gnutls_x509_crt_sign2} (gnutls_x509_crt_t @var{crt}, gnutls_x509_crt_t @var{issuer}, gnutls_x509_privkey_t @var{issuer_key}, gnutls_digest_algorithm_t @var{dig}, unsigned int @var{flags})
@var{crt}: should contain a gnutls_x509_crt_t structure

@var{issuer}: is the certificate of the certificate issuer

@var{issuer_key}: holds the issuer's private key

@var{dig}: The message digest to use. GNUTLS_DIG_SHA1 is the safe choice unless you know what you're doing.

@var{flags}: must be 0

This function will sign the certificate with the issuer's private key, and
will copy the issuer's information into the certificate.

This must be the last step in a certificate generation since all
the previously set parameters are now signed.

Returns 0 on success.
@end deftypefun

@subheading gnutls_x509_crt_sign
@anchor{gnutls_x509_crt_sign}
@deftypefun {int} {gnutls_x509_crt_sign} (gnutls_x509_crt_t @var{crt}, gnutls_x509_crt_t @var{issuer}, gnutls_x509_privkey_t @var{issuer_key})
@var{crt}: should contain a gnutls_x509_crt_t structure

@var{issuer}: is the certificate of the certificate issuer

@var{issuer_key}: holds the issuer's private key

This function is the same a @code{gnutls_x509_crt_sign2()} with no flags, and
SHA1 as the hash algorithm.

Returns 0 on success.
@end deftypefun

@subheading gnutls_x509_crt_to_xml
@anchor{gnutls_x509_crt_to_xml}
@deftypefun {int} {gnutls_x509_crt_to_xml} (gnutls_x509_crt_t @var{cert}, gnutls_datum_t * @var{res}, int @var{detail})
@var{cert}: should contain a gnutls_x509_crt_t structure

@var{res}: The datum that will hold the result

@var{detail}: The detail level (must be GNUTLS_XML_SHOW_ALL or GNUTLS_XML_NORMAL)

This function will return the XML structures of the given X.509
certificate.  The XML structures are allocated internally (with
malloc) and stored into res.

@strong{NOTE:} This function is currently not implemented.  See the NEWS
entry for version 1.3.5.

Returns a negative error code in case of an error.
@end deftypefun

@subheading gnutls_x509_crt_verify_data
@anchor{gnutls_x509_crt_verify_data}
@deftypefun {int} {gnutls_x509_crt_verify_data} (gnutls_x509_crt_t @var{crt}, unsigned int @var{flags}, const gnutls_datum_t * @var{data}, const gnutls_datum_t * @var{signature})
@var{crt}: Holds the certificate

@var{flags}: should be 0 for now

@var{data}: holds the data to be signed

@var{signature}: contains the signature

This function will verify the given signed data, using the parameters from the
certificate.

In case of a verification failure 0 is returned, and
1 on success.
@end deftypefun

@subheading gnutls_x509_crt_verify
@anchor{gnutls_x509_crt_verify}
@deftypefun {int} {gnutls_x509_crt_verify} (gnutls_x509_crt_t @var{cert}, const gnutls_x509_crt_t * @var{CA_list}, int @var{CA_list_length}, unsigned int @var{flags}, unsigned int * @var{verify})
@var{cert}: is the certificate to be verified

@var{CA_list}: is one certificate that is considered to be trusted one

@var{CA_list_length}: holds the number of CA certificate in CA_list

@var{flags}: Flags that may be used to change the verification algorithm. Use OR of the gnutls_certificate_verify_flags enumerations.

@var{verify}: will hold the certificate verification output.

This function will try to verify the given certificate and return its status. 
The verification output in this functions cannot be GNUTLS_CERT_NOT_VALID.

Returns 0 on success and a negative value in case of an error.
@end deftypefun

@subheading gnutls_x509_dn_oid_known
@anchor{gnutls_x509_dn_oid_known}
@deftypefun {int} {gnutls_x509_dn_oid_known} (const char * @var{oid})
@var{oid}: holds an Object Identifier in a null terminated string

This function will inform about known DN OIDs. This is useful since functions
like @code{gnutls_x509_crt_set_dn_by_oid()} use the information on known
OIDs to properly encode their input. Object Identifiers that are not
known are not encoded by these functions, and their input is stored directly
into the ASN.1 structure. In that case of unknown OIDs, you have
the responsibility of DER encoding your data.

Returns 1 on known OIDs and 0 otherwise.
@end deftypefun

@subheading gnutls_x509_privkey_cpy
@anchor{gnutls_x509_privkey_cpy}
@deftypefun {int} {gnutls_x509_privkey_cpy} (gnutls_x509_privkey_t @var{dst}, gnutls_x509_privkey_t @var{src})
@var{dst}: The destination key, which should be initialized.

@var{src}: The source key

This function will copy a private key from source to destination key.
@end deftypefun

@subheading gnutls_x509_privkey_deinit
@anchor{gnutls_x509_privkey_deinit}
@deftypefun {void} {gnutls_x509_privkey_deinit} (gnutls_x509_privkey_t @var{key})
@var{key}: The structure to be initialized

This function will deinitialize a private key structure. 
@end deftypefun

@subheading gnutls_x509_privkey_export_dsa_raw
@anchor{gnutls_x509_privkey_export_dsa_raw}
@deftypefun {int} {gnutls_x509_privkey_export_dsa_raw} (gnutls_x509_privkey_t @var{key}, gnutls_datum_t * @var{p}, gnutls_datum_t * @var{q}, gnutls_datum_t * @var{g}, gnutls_datum_t * @var{y}, gnutls_datum_t * @var{x})
@var{p}: will hold the p

@var{q}: will hold the q

@var{g}: will hold the g

@var{y}: will hold the y

@var{x}: will hold the x

This function will export the DSA private key's parameters found in the given
structure. The new parameters will be allocated using
@code{gnutls_malloc()} and will be stored in the appropriate datum.
@end deftypefun

@subheading gnutls_x509_privkey_export_pkcs8
@anchor{gnutls_x509_privkey_export_pkcs8}
@deftypefun {int} {gnutls_x509_privkey_export_pkcs8} (gnutls_x509_privkey_t @var{key}, gnutls_x509_crt_fmt_t @var{format}, const char * @var{password}, unsigned int @var{flags}, void * @var{output_data}, size_t * @var{output_data_size})
@var{key}: Holds the key

@var{format}: the format of output params. One of PEM or DER.

@var{password}: the password that will be used to encrypt the key. 

@var{flags}: an ORed sequence of gnutls_pkcs_encrypt_flags_t

@var{output_data}: will contain a private key PEM or DER encoded

@var{output_data_size}: holds the size of output_data (and will be
replaced by the actual size of parameters)

This function will export the private key to a PKCS8 structure.
Currently only RSA keys can be exported since there is no documented
standard for other keys. If the flags do not
specify the encryption cipher, then the default 3DES (PBES2) will
be used.

The @code{password} can be either ASCII or UTF-8 in the default PBES2
encryption schemas, or ASCII for the PKCS12 schemas.

If the buffer provided is not long enough to hold the output, then
*output_data_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will
be returned.

If the structure is PEM encoded, it will have a header
of "BEGIN ENCRYPTED PRIVATE KEY" or "BEGIN PRIVATE KEY" if
encryption is not used.

@strong{Return value:} In case of failure a negative value will be
returned, and 0 on success.
@end deftypefun

@subheading gnutls_x509_privkey_export_rsa_raw
@anchor{gnutls_x509_privkey_export_rsa_raw}
@deftypefun {int} {gnutls_x509_privkey_export_rsa_raw} (gnutls_x509_privkey_t @var{key}, gnutls_datum_t * @var{m}, gnutls_datum_t * @var{e}, gnutls_datum_t * @var{d}, gnutls_datum_t * @var{p}, gnutls_datum_t * @var{q}, gnutls_datum_t * @var{u})
@var{key}: a structure that holds the rsa parameters

@var{m}: will hold the modulus

@var{e}: will hold the public exponent

@var{d}: will hold the private exponent

@var{p}: will hold the first prime (p)

@var{q}: will hold the second prime (q)

@var{u}: will hold the coefficient

This function will export the RSA private key's parameters found in the given
structure. The new parameters will be allocated using
@code{gnutls_malloc()} and will be stored in the appropriate datum.
@end deftypefun

@subheading gnutls_x509_privkey_export
@anchor{gnutls_x509_privkey_export}
@deftypefun {int} {gnutls_x509_privkey_export} (gnutls_x509_privkey_t @var{key}, gnutls_x509_crt_fmt_t @var{format}, void * @var{output_data}, size_t * @var{output_data_size})
@var{key}: Holds the key

@var{format}: the format of output params. One of PEM or DER.

@var{output_data}: will contain a private key PEM or DER encoded

@var{output_data_size}: holds the size of output_data (and will be
replaced by the actual size of parameters)

This function will export the private key to a PKCS1 structure for
RSA keys, or an integer sequence for DSA keys. The DSA keys are in
the same format with the parameters used by openssl.

If the buffer provided is not long enough to hold the output, then
*output_data_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will
be returned.

If the structure is PEM encoded, it will have a header
of "BEGIN RSA PRIVATE KEY".

@strong{Return value:} In case of failure a negative value will be
returned, and 0 on success.
@end deftypefun

@subheading gnutls_x509_privkey_fix
@anchor{gnutls_x509_privkey_fix}
@deftypefun {int} {gnutls_x509_privkey_fix} (gnutls_x509_privkey_t @var{key})
@var{key}: Holds the key

This function will recalculate the secondary parameters in a key.
In RSA keys, this can be the coefficient and exponent1,2.

@strong{Return value:} In case of failure a negative value will be
returned, and 0 on success.
@end deftypefun

@subheading gnutls_x509_privkey_generate
@anchor{gnutls_x509_privkey_generate}
@deftypefun {int} {gnutls_x509_privkey_generate} (gnutls_x509_privkey_t @var{key}, gnutls_pk_algorithm_t @var{algo}, unsigned int @var{bits}, unsigned int @var{flags})
@var{key}: should contain a gnutls_x509_privkey_t structure

@var{algo}: is one of RSA or DSA.

@var{bits}: the size of the modulus

@var{flags}: unused for now. Must be 0.

This function will generate a random private key. Note that
this function must be called on an empty private key. 

Returns 0 on success or a negative value on error.
@end deftypefun

@subheading gnutls_x509_privkey_get_key_id
@anchor{gnutls_x509_privkey_get_key_id}
@deftypefun {int} {gnutls_x509_privkey_get_key_id} (gnutls_x509_privkey_t @var{key}, unsigned int @var{flags}, unsigned char * @var{output_data}, size_t * @var{output_data_size})
@var{key}: Holds the key

@var{flags}: should be 0 for now

@var{output_data}: will contain the key ID

@var{output_data_size}: holds the size of output_data (and will be
replaced by the actual size of parameters)

This function will return a unique ID the depends on the public key
parameters. This ID can be used in checking whether a certificate
corresponds to the given key.

If the buffer provided is not long enough to hold the output, then
*output_data_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will
be returned.  The output will normally be a SHA-1 hash output,
which is 20 bytes.

@strong{Return value:} In case of failure a negative value will be
returned, and 0 on success.
@end deftypefun

@subheading gnutls_x509_privkey_get_pk_algorithm
@anchor{gnutls_x509_privkey_get_pk_algorithm}
@deftypefun {int} {gnutls_x509_privkey_get_pk_algorithm} (gnutls_x509_privkey_t @var{key})
@var{key}: should contain a gnutls_x509_privkey_t structure

This function will return the public key algorithm of a private
key.

Returns a member of the gnutls_pk_algorithm_t enumeration on success,
or a negative value on error.
@end deftypefun

@subheading gnutls_x509_privkey_import_dsa_raw
@anchor{gnutls_x509_privkey_import_dsa_raw}
@deftypefun {int} {gnutls_x509_privkey_import_dsa_raw} (gnutls_x509_privkey_t @var{key}, const gnutls_datum_t * @var{p}, const gnutls_datum_t * @var{q}, const gnutls_datum_t * @var{g}, const gnutls_datum_t * @var{y}, const gnutls_datum_t * @var{x})
@var{key}: The structure to store the parsed key

@var{p}: holds the p

@var{q}: holds the q

@var{g}: holds the g

@var{y}: holds the y

@var{x}: holds the x

This function will convert the given DSA raw parameters
to the native gnutls_x509_privkey_t format. The output will be stored in @code{key}.
@end deftypefun

@subheading gnutls_x509_privkey_import_pkcs8
@anchor{gnutls_x509_privkey_import_pkcs8}
@deftypefun {int} {gnutls_x509_privkey_import_pkcs8} (gnutls_x509_privkey_t @var{key}, const gnutls_datum_t * @var{data}, gnutls_x509_crt_fmt_t @var{format}, const char * @var{password}, unsigned int @var{flags})
@var{key}: The structure to store the parsed key

@var{data}: The DER or PEM encoded key.

@var{format}: One of DER or PEM

@var{password}: the password to decrypt the key (if it is encrypted).

@var{flags}: 0 if encrypted or GNUTLS_PKCS_PLAIN if not encrypted.

This function will convert the given DER or PEM encoded PKCS8 2.0 encrypted key
to the native gnutls_x509_privkey_t format. The output will be stored in @code{key}.
Currently only RSA keys can be imported, and flags can only be used to indicate
an unencrypted key.

The @code{password} can be either ASCII or UTF-8 in the default PBES2
encryption schemas, or ASCII for the PKCS12 schemas.

If the Certificate is PEM encoded it should have a header of "ENCRYPTED PRIVATE KEY",
or "PRIVATE KEY". You only need to specify the flags if the key is DER encoded, since
in that case the encryption status cannot be auto-detected.

Returns 0 on success.
@end deftypefun

@subheading gnutls_x509_privkey_import_rsa_raw
@anchor{gnutls_x509_privkey_import_rsa_raw}
@deftypefun {int} {gnutls_x509_privkey_import_rsa_raw} (gnutls_x509_privkey_t @var{key}, const gnutls_datum_t * @var{m}, const gnutls_datum_t * @var{e}, const gnutls_datum_t * @var{d}, const gnutls_datum_t * @var{p}, const gnutls_datum_t * @var{q}, const gnutls_datum_t * @var{u})
@var{key}: The structure to store the parsed key

@var{m}: holds the modulus

@var{e}: holds the public exponent

@var{d}: holds the private exponent

@var{p}: holds the first prime (p)

@var{q}: holds the second prime (q)

@var{u}: holds the coefficient

This function will convert the given RSA raw parameters
to the native gnutls_x509_privkey_t format. The output will be stored in @code{key}.
@end deftypefun

@subheading gnutls_x509_privkey_import
@anchor{gnutls_x509_privkey_import}
@deftypefun {int} {gnutls_x509_privkey_import} (gnutls_x509_privkey_t @var{key}, const gnutls_datum_t * @var{data}, gnutls_x509_crt_fmt_t @var{format})
@var{key}: The structure to store the parsed key

@var{data}: The DER or PEM encoded certificate.

@var{format}: One of DER or PEM

This function will convert the given DER or PEM encoded key
to the native gnutls_x509_privkey_t format. The output will be stored in @code{key} .

If the key is PEM encoded it should have a header of "RSA PRIVATE KEY", or
"DSA PRIVATE KEY".

Returns 0 on success.
@end deftypefun

@subheading gnutls_x509_privkey_init
@anchor{gnutls_x509_privkey_init}
@deftypefun {int} {gnutls_x509_privkey_init} (gnutls_x509_privkey_t * @var{key})
@var{key}: The structure to be initialized

This function will initialize an private key structure. 

Returns 0 on success.
@end deftypefun

@subheading gnutls_x509_privkey_sign_data
@anchor{gnutls_x509_privkey_sign_data}
@deftypefun {int} {gnutls_x509_privkey_sign_data} (gnutls_x509_privkey_t @var{key}, gnutls_digest_algorithm_t @var{digest}, unsigned int @var{flags}, const gnutls_datum_t * @var{data}, void * @var{signature}, size_t * @var{signature_size})
@var{key}: Holds the key

@var{digest}: should be MD5 or SHA1

@var{flags}: should be 0 for now

@var{data}: holds the data to be signed

@var{signature}: will contain the signature

@var{signature_size}: holds the size of signature (and will be replaced
by the new size)

This function will sign the given data using a signature algorithm
supported by the private key. Signature algorithms are always used
together with a hash functions.  Different hash functions may be
used for the RSA algorithm, but only SHA-1 for the DSA keys.

If the buffer provided is not long enough to hold the output, then
*signature_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will
be returned.

In case of failure a negative value will be returned, and
0 on success.
@end deftypefun

@subheading gnutls_x509_privkey_verify_data
@anchor{gnutls_x509_privkey_verify_data}
@deftypefun {int} {gnutls_x509_privkey_verify_data} (gnutls_x509_privkey_t @var{key}, unsigned int @var{flags}, const gnutls_datum_t * @var{data}, const gnutls_datum_t * @var{signature})
@var{key}: Holds the key

@var{flags}: should be 0 for now

@var{data}: holds the data to be signed

@var{signature}: contains the signature

This function will verify the given signed data, using the parameters in the
private key.

In case of a verification failure 0 is returned, and
1 on success.
@end deftypefun

@subheading gnutls_x509_rdn_get_by_oid
@anchor{gnutls_x509_rdn_get_by_oid}
@deftypefun {int} {gnutls_x509_rdn_get_by_oid} (const gnutls_datum_t * @var{idn}, const char * @var{oid}, int @var{indx}, unsigned int @var{raw_flag}, void * @var{buf}, size_t * @var{sizeof_buf})
@var{idn}: should contain a DER encoded RDN sequence

@var{oid}: an Object Identifier

@var{indx}: In case multiple same OIDs exist in the RDN indicates which
to send. Use 0 for the first one.

@var{raw_flag}: If non zero then the raw DER data are returned.

@var{buf}: a pointer to a structure to hold the peer's name

@var{sizeof_buf}: holds the size of @code{buf}

This function will return the name of the given Object identifier,
of the RDN sequence.  The name will be encoded using the rules
from RFC2253.

Returns GNUTLS_E_SHORT_MEMORY_BUFFER and updates *sizeof_buf if
the provided buffer is not long enough, and 0 on success.
@end deftypefun

@subheading gnutls_x509_rdn_get_oid
@anchor{gnutls_x509_rdn_get_oid}
@deftypefun {int} {gnutls_x509_rdn_get_oid} (const gnutls_datum_t * @var{idn}, int @var{indx}, void * @var{buf}, size_t * @var{sizeof_buf})
@var{idn}: should contain a DER encoded RDN sequence

@var{indx}: Indicates which OID to return. Use 0 for the first one.

This function will return the specified Object identifier, of the
RDN sequence.

Returns GNUTLS_E_SHORT_MEMORY_BUFFER and updates *sizeof_buf if
the provided buffer is not long enough, and 0 on success.
@end deftypefun

@subheading gnutls_x509_rdn_get
@anchor{gnutls_x509_rdn_get}
@deftypefun {int} {gnutls_x509_rdn_get} (const gnutls_datum_t * @var{idn}, char * @var{buf}, size_t * @var{sizeof_buf})
@var{idn}: should contain a DER encoded RDN sequence

@var{buf}: a pointer to a structure to hold the peer's name

@var{sizeof_buf}: holds the size of @code{buf}

This function will return the name of the given RDN sequence.  The
name will be in the form "C=xxxx,O=yyyy,CN=zzzz" as described in
RFC2253.

If the provided buffer is not long enough, returns
GNUTLS_E_SHORT_MEMORY_BUFFER and *sizeof_buf will be updated.  On
success 0 is returned.
@end deftypefun