/*

 * Copyright (C) 2006-2012 Free Software Foundation, Inc.

 * Author: Simon Josefsson, Howard Chu

 *

 * This file is part of GnuTLS.

 *

 * GnuTLS is free software; you can redistribute it and/or modify it

 * under the terms of the GNU General Public License as published by

 * the Free Software Foundation; either version 3 of the License, or

 * (at your option) any later version.

 *

 * GnuTLS is distributed in the hope that it will be useful, but

 * WITHOUT ANY WARRANTY; without even the implied warranty of

 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU

 * General Public License for more details.

 *

 * You should have received a copy of the GNU General Public License

 * along with GnuTLS; if not, write to the Free Software Foundation,

 * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA

 */

#ifdef HAVE_CONFIG_H

#include "config.h"

#endif

#include <stdio.h>

#include <gnutls/gnutls.h>

#include <gnutls/x509.h>

#include <gnutls/x509-ext.h>

#include "utils.h"

static char invalid_cert[] = /* v1 certificate with extensions */

"-----BEGIN CERTIFICATE-----\n"

"MIIDHjCCAgYCDFQ7zlUDsihSxVF4mDANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQD\n"

"EwRDQS0wMCIYDzIwMTQxMDEzMTMwNjI5WhgPOTk5OTEyMzEyMzU5NTlaMBMxETAP\n"

"BgNVBAMTCHNlcnZlci0xMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA\n"

"zoG3/1YtwGHh/5u3ex6xAmwO0/H4gdIy/yiYLxqWcy+HzyMBBZHNXuV7W0z7x+Qo\n"

"qCGtenWkzIQSgeYKyzdcpPDscZIYOgwHWUFczxgVGdLsBKPSczgqMHpSCLgMgnDM\n"

"RaN6SNQeTQdftkLt5wdBSzNaxhhPYsCEbopSeZ8250FCLS3gRpoMtYCBiy7cjSJB\n"

"zv6zmZStXNgTYr8pLwI0nyxPyRdB+TZyqAC6r9W154y51vsqUCGmC0I9hn1A5kkD\n"

"5057x+Ho1kDwPxOfObdOR+AJSAw/FeGuStzViJY0I68B90sEo/HD+h7mB+CwJ2Yf\n"

"64/xVdh+D8L65eYkM9z88wIDAQABo3cwdTAMBgNVHRMBAf8EAjAAMBQGA1UdEQQN\n"

"MAuCCWxvY2FsaG9zdDAPBgNVHQ8BAf8EBQMDB6AAMB0GA1UdDgQWBBT7Gk/u95zI\n"

"JTM89CXJ70IxxqhegDAfBgNVHSMEGDAWgBQ9X77/zddjG9ob2zrR/WuGmxwFGDAN\n"

"BgkqhkiG9w0BAQsFAAOCAQEAaTrAcTkQ7yqf6afoTkFXZuZ+jJXYNGkubxs8Jo/z\n"

"srJk/WWVGAKuxiBDumk88Gjm+WXGyIDA7Hq9fhGaklJV2PGRfNVx9No51HXeAToT\n"

"sHs2XKhk9SdKKR4UJkuX3U2malMlCpmFMtm3EieDVZLxeukhODJQtRa3vGg8QWoz\n"

"ODlewHSmQiXhnqq52fLCbdVUaBnaRGOIwNZ0FcBWv9n0ZCuhjg9908rUVH9/OjI3\n"

"AGVZcbN9Jac2ZO8NTxP5vS1hrG2wT9+sVRh1sD5ISZSM4gWdq9sK8d7j+SwOPBWY\n"

"3dcxQlfvWw2Dt876XYoyUZuKirmASVlMw+hkm1WXM7Svsw==\n"

"-----END CERTIFICATE-----\n";

static char pem[] =

    "-----BEGIN CERTIFICATE-----"

    "MIIFdDCCBN2gAwIBAgIBBzANBgkqhkiG9w0BAQsFADCBkzEVMBMGA1UEAxMMQ2lu"

    "ZHkgTGF1cGVyMRcwFQYKCZImiZPyLGQBARMHY2xhdXBlcjERMA8GA1UECxMIQ0Eg"

    "ZGVwdC4xEjAQBgNVBAoTCUtva28gaW5jLjEPMA0GA1UECBMGQXR0aWtpMQswCQYD"

    "VQQGEwJHUjEcMBoGCSqGSIb3DQEJARYNbm9uZUBub25lLm9yZzAiGA8yMDA3MDQy"

    "MTIyMDAwMFoYDzk5OTkxMjMxMjM1OTU5WjCBkzEVMBMGA1UEAxMMQ2luZHkgTGF1"

    "cGVyMRcwFQYKCZImiZPyLGQBARMHY2xhdXBlcjERMA8GA1UECxMIQ0EgZGVwdC4x"

    "EjAQBgNVBAoTCUtva28gaW5jLjEPMA0GA1UECBMGQXR0aWtpMQswCQYDVQQGEwJH"

    "UjEcMBoGCSqGSIb3DQEJARYNbm9uZUBub25lLm9yZzCBnzANBgkqhkiG9w0BAQEF"

    "AAOBjQAwgYkCgYEApcbOdUOEv2SeAicT8QNZ93ktku18L1CkA/EtebmGiwV+OrtE"

    "qq+EzxOYHhxKOPczLXqfctRrbSawMTdwEPtC6didGGV+GUn8BZYEaIMed4a/7fXl"

    "EjsT/jMYnBp6HWmvRwJgeh+56M/byDQwUZY9jJZcALxh3ggPsTYhf6kA4wUCAwEA"

    "AaOCAtAwggLMMBIGA1UdEwEB/wQIMAYBAf8CAQQwagYDVR0RBGMwYYIMd3d3Lm5v"

    "bmUub3JnghN3d3cubW9yZXRoYW5vbmUub3Jnghd3d3cuZXZlbm1vcmV0aGFub25l"

    "Lm9yZ4cEwKgBAYENbm9uZUBub25lLm9yZ4EOd2hlcmVAbm9uZS5vcmcwgfcGA1Ud"

    "IASB7zCB7DB3BgwrBgEEAapsAQpjAQAwZzAwBggrBgEFBQcCAjAkDCJUaGlzIGlz"

    "IGEgbG9uZyBwb2xpY3kgdG8gc3VtbWFyaXplMDMGCCsGAQUFBwIBFidodHRwOi8v"

    "d3d3LmV4YW1wbGUuY29tL2EtcG9saWN5LXRvLXJlYWQwcQYMKwYBBAGqbAEKYwEB"

    "MGEwJAYIKwYBBQUHAgIwGAwWVGhpcyBpcyBhIHNob3J0IHBvbGljeTA5BggrBgEF"

    "BQcCARYtaHR0cDovL3d3dy5leGFtcGxlLmNvbS9hbm90aGVyLXBvbGljeS10by1y"

    "ZWFkMB0GA1UdJQQWMBQGCCsGAQUFBwMDBggrBgEFBQcDCTBYBgNVHR4BAf8ETjBM"

    "oCQwDYILZXhhbXBsZS5jb20wE4ERbm1hdkBAZXhhbXBsZS5uZXShJDASghB0ZXN0"

    "LmV4YW1wbGUuY29tMA6BDC5leGFtcGxlLmNvbTA2BggrBgEFBQcBAQQqMCgwJgYI"

    "KwYBBQUHMAGGGmh0dHA6Ly9teS5vY3NwLnNlcnZlci9vY3NwMA8GA1UdDwEB/wQF"

    "AwMHBgAwHQYDVR0OBBYEFF1ArfDOlECVi36ZlB2SVCLKcjZfMG8GA1UdHwRoMGYw"

    "ZKBioGCGHmh0dHA6Ly93d3cuZ2V0Y3JsLmNybC9nZXRjcmwxL4YeaHR0cDovL3d3"

    "dy5nZXRjcmwuY3JsL2dldGNybDIvhh5odHRwOi8vd3d3LmdldGNybC5jcmwvZ2V0"

    "Y3JsMy8wDQYJKoZIhvcNAQELBQADgYEAdacOt4/Vgc9Y3pSkik3HBifDeK2OtiW0"

    "BZ7xOXqXtL8Uwx6wx/DybZsUbzuR55GLUROYAc3cio5M/0pTwjqmmQ8vuHIt2p8A"

    "2fegFcBbNLX38XxACQh4TDAT/4ftPwOtEol4UR4ItZ1d7faDzDXNpmGE+sp5s6ii"

    "3cIIpInMKE8=" "-----END CERTIFICATE-----";

#define MAX_DATA_SIZE 1024

typedef int (*ext_parse_func) (const gnutls_datum_t * der);

struct ext_handler_st {

	const char *oid;

	ext_parse_func handler;

	unsigned critical;

};

static int basic_constraints(const gnutls_datum_t * der)

{

	int ret, pathlen;

	unsigned ca;

/*

		Basic Constraints (critical):

			Certificate Authority (CA): TRUE

			Path Length Constraint: 4

*/

	ret = gnutls_x509_ext_import_basic_constraints(der, &ca, &pathlen);

	if (ret < 0) {

		fprintf(stderr, "error in %d\n", __LINE__);

		return ret;

	}

	if (ca != 1) {

		fprintf(stderr, "error in %d\n", __LINE__);

		return -1;

	}

	if (pathlen != 4) {

		fprintf(stderr, "error in %d\n", __LINE__);

		return -1;

	}

	return 0;

}

static int cmp_name(unsigned type, gnutls_datum_t * name,

		    unsigned expected_type, const char *expected_name)

{

	if (type != expected_type) {

		fprintf(stderr, "error in %d\n", __LINE__);

		return -1;

	}

	if (name->size != strlen(expected_name)) {

		fprintf(stderr, "error in %d\n", __LINE__);

		return -1;

	}

	if (strcmp((char *)name->data, expected_name) != 0) {

		fprintf(stderr, "error in %d\n", __LINE__);

		return -1;

	}

	return 0;

}

static int subject_alt_name(const gnutls_datum_t * der)

{

	int ret;

	gnutls_subject_alt_names_t san;

	gnutls_datum_t name;

	unsigned type;

	unsigned i = 0;

	ret = gnutls_subject_alt_names_init(&san;;

	if (ret < 0) {

		fprintf(stderr, "error in %d\n", __LINE__);

		return ret;

	}

	ret = gnutls_x509_ext_import_subject_alt_names(der, san, 0);

	if (ret < 0) {

		fprintf(stderr, "error in %d\n", __LINE__);

		return ret;

	}

	ret = gnutls_subject_alt_names_get(san, i++, &type, &name, NULL);

	if (ret < 0) {

		fprintf(stderr, "error in %d\n", __LINE__);

		return ret;

	}

/*

		Subject Alternative Name (not critical):

			DNSname: www.none.org

			DNSname: www.morethanone.org

			DNSname: www.evenmorethanone.org

			IPAddress: 192.168.1.1

			tRFC822Name: none@none.org

			tRFC822Name: where@none.org

*/

	ret = cmp_name(type, &name, GNUTLS_SAN_DNSNAME, "www.none.org");

	if (ret < 0) {

		fprintf(stderr, "error in %d\n", __LINE__);

		return ret;

	}

	ret = gnutls_subject_alt_names_get(san, i++, &type, &name, NULL);

	if (ret < 0) {

		fprintf(stderr, "error in %d\n", __LINE__);

		return ret;

	}

	ret = cmp_name(type, &name, GNUTLS_SAN_DNSNAME, "www.morethanone.org");

	if (ret < 0) {

		fprintf(stderr, "error in %d\n", __LINE__);

		return ret;

	}

	ret = gnutls_subject_alt_names_get(san, i++, &type, &name, NULL);

	if (ret < 0) {

		fprintf(stderr, "error in %d\n", __LINE__);

		return ret;

	}

	ret =

	    cmp_name(type, &name, GNUTLS_SAN_DNSNAME,

		     "www.evenmorethanone.org");

	if (ret < 0) {

		fprintf(stderr, "error in %d\n", __LINE__);

		return ret;

	}

	ret = gnutls_subject_alt_names_get(san, i++, &type, &name, NULL);

	if (ret < 0) {

		fprintf(stderr, "error in %d\n", __LINE__);

		return ret;

	}

	if (type != GNUTLS_SAN_IPADDRESS) {

		fprintf(stderr, "error in %d\n", __LINE__);

		return ret;

	}

	ret = gnutls_subject_alt_names_get(san, i++, &type, &name, NULL);

	if (ret < 0) {

		fprintf(stderr, "error in %d\n", __LINE__);

		return ret;

	}

	ret = cmp_name(type, &name, GNUTLS_SAN_RFC822NAME, "none@none.org");

	if (ret < 0) {

		fprintf(stderr, "error in %d\n", __LINE__);

		return ret;

	}

	ret = gnutls_subject_alt_names_get(san, i++, &type, &name, NULL);

	if (ret < 0) {

		fprintf(stderr, "error in %d\n", __LINE__);

		return ret;

	}

	ret = cmp_name(type, &name, GNUTLS_SAN_RFC822NAME, "where@none.org");

	if (ret < 0) {

		fprintf(stderr, "error in %d\n", __LINE__);

		return ret;

	}

	ret = gnutls_subject_alt_names_get(san, i++, &type, &name, NULL);

	if (ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {

		fprintf(stderr, "error in %d\n", __LINE__);

		return -1;

	}

	gnutls_subject_alt_names_deinit(san);

	return 0;

}

static int ext_key_usage(const gnutls_datum_t * der)

{

/*

		Key Purpose (not critical):

			OCSP signing.

*/

	int ret;

	gnutls_x509_key_purposes_t p;

	unsigned i = 0;

	gnutls_datum_t oid;

	ret = gnutls_x509_key_purpose_init(&p);

	if (ret < 0) {

		fprintf(stderr, "error in %d\n", __LINE__);

		return ret;

	}

	ret = gnutls_x509_ext_import_key_purposes(der, p, 0);

	if (ret < 0) {

		fprintf(stderr, "error in %d\n", __LINE__);

		return ret;

	}

	ret = gnutls_x509_key_purpose_get(p, i++, &oid;;

	if (ret < 0) {

		fprintf(stderr, "error in %d\n", __LINE__);

		return ret;

	}

	if (strcmp((char *)oid.data, "1.3.6.1.5.5.7.3.3") != 0) {

		fprintf(stderr, "error in %d: %s\n", __LINE__,

			(char *)oid.data);

		return -1;

	}

	ret = gnutls_x509_key_purpose_get(p, i++, &oid;;

	if (ret < 0) {

		fprintf(stderr, "error in %d\n", __LINE__);

		return ret;

	}

	if (strcmp((char *)oid.data, "1.3.6.1.5.5.7.3.9") != 0) {

		fprintf(stderr, "error in %d: %s\n", __LINE__,

			(char *)oid.data);

		return -1;

	}

	ret = gnutls_x509_key_purpose_get(p, i++, &oid;;

	if (ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {

		fprintf(stderr, "error in %d\n", __LINE__);

		return -1;

	}

	gnutls_x509_key_purpose_deinit(p);

	return 0;

}

static int crt_policies(const gnutls_datum_t * der)

{

	int ret;

	gnutls_x509_policies_t policies;

	struct gnutls_x509_policy_st policy;

	unsigned i = 0;

	ret = gnutls_x509_policies_init(&policies);

	if (ret < 0) {

		fprintf(stderr, "error in %d\n", __LINE__);

		return ret;

	}

	ret = gnutls_x509_ext_import_policies(der, policies, 0);

	if (ret < 0) {

		fprintf(stderr, "error in %d\n", __LINE__);

		return ret;

	}

	ret = gnutls_x509_policies_get(policies, i++, &policy);

	if (ret < 0) {

		fprintf(stderr, "error in %d\n", __LINE__);

		return ret;

	}

/*

		Certificate Policies (not critical):

			1.3.6.1.4.1.5484.1.10.99.1.0

				Note: This is a long policy to summarize

				URI: http://www.example.com/a-policy-to-read

			1.3.6.1.4.1.5484.1.10.99.1.1

				Note: This is a short policy

				URI: http://www.example.com/another-policy-to-read

*/

	if (strcmp(policy.oid, "1.3.6.1.4.1.5484.1.10.99.1.0") != 0

	    || policy.qualifiers != 2) {

		fprintf(stderr, "error in %d\n", __LINE__);

		return -1;

	}

	if (policy.qualifier[0].type != GNUTLS_X509_QUALIFIER_NOTICE ||

	    policy.qualifier[0].size != 34) {

		fprintf(stderr, "error in %d\n", __LINE__);

		return -1;

	}

	if (policy.qualifier[1].type != GNUTLS_X509_QUALIFIER_URI ||

	    policy.qualifier[1].size !=

	    strlen("http://www.example.com/a-policy-to-read")

	    || strcmp("http://www.example.com/a-policy-to-read",

		      policy.qualifier[1].data) != 0) {

		fprintf(stderr, "error in %d\n", __LINE__);

		return -1;

	}

	/* second policy */

	ret = gnutls_x509_policies_get(policies, i++, &policy);

	if (ret < 0) {

		fprintf(stderr, "error in %d\n", __LINE__);

		return ret;

	}

	if (strcmp(policy.oid, "1.3.6.1.4.1.5484.1.10.99.1.1") != 0

	    || policy.qualifiers != 2) {

		fprintf(stderr, "error in %d\n", __LINE__);

		return -1;

	}

	if (policy.qualifier[0].type != GNUTLS_X509_QUALIFIER_NOTICE ||

	    policy.qualifier[0].size != 22) {

		fprintf(stderr, "error in %d\n", __LINE__);

		return -1;

	}

	if (policy.qualifier[1].type != GNUTLS_X509_QUALIFIER_URI ||

	    policy.qualifier[1].size !=

	    strlen("http://www.example.com/another-policy-to-read")

	    || strcmp("http://www.example.com/another-policy-to-read",

		      policy.qualifier[1].data) != 0) {

		fprintf(stderr, "error in %d\n", __LINE__);

		return -1;

	}

	ret = gnutls_x509_policies_get(policies, i++, &policy);

	if (ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {

		fprintf(stderr, "error in %d\n", __LINE__);

		return -1;

	}

	gnutls_x509_policies_deinit(policies);

	return 0;

}

static int key_usage(const gnutls_datum_t * der)

{

/*

		Key Usage (critical):

			Certificate signing.

*/

	int ret;

	unsigned int usage = 0;

	ret = gnutls_x509_ext_import_key_usage(der, &usage);

	if (ret < 0) {

		fprintf(stderr, "error in %d\n", __LINE__);

		return ret;

	}

	if (usage != (GNUTLS_KEY_KEY_CERT_SIGN | GNUTLS_KEY_CRL_SIGN)) {

		fprintf(stderr, "error in %d\n", __LINE__);

		return -1;

	}

	return 0;

}

static int subject_key_id(const gnutls_datum_t * der)

{

/*

		Subject Key Identifier (not critical):

			5d40adf0ce9440958b7e99941d925422ca72365f

*/

	int ret;

	gnutls_datum_t id;

	ret = gnutls_x509_ext_import_subject_key_id(der, &id;;

	if (ret < 0) {

		fprintf(stderr, "error in %d\n", __LINE__);

		return ret;

	}

	if (id.size != 20 ||

	    memcmp(id.data,

		   "\x5d\x40\xad\xf0\xce\x94\x40\x95\x8b\x7e\x99\x94\x1d\x92\x54\x22\xca\x72\x36\x5f",

		   20) != 0) {

		fprintf(stderr, "error in %d\n", __LINE__);

		return -1;

	}

	gnutls_free(id.data);

	return 0;

}

static int crl_dist_points(const gnutls_datum_t * der)

{

	int ret;

	gnutls_x509_crl_dist_points_t dp = NULL;

	unsigned i = 0;

	unsigned flags;

	gnutls_datum_t url;

	unsigned type;

/*

		CRL Distribution points (not critical):

			URI: http://www.getcrl.crl/getcrl1/

			URI: http://www.getcrl.crl/getcrl2/

			URI: http://www.getcrl.crl/getcrl3/

*/

	ret = gnutls_x509_crl_dist_points_init(&dp;;

	if (ret < 0) {

		fprintf(stderr, "error in %d\n", __LINE__);

		return ret;

	}

	ret = gnutls_x509_ext_import_crl_dist_points(der, dp, 0);

	if (ret < 0) {

		fprintf(stderr, "error in %d\n", __LINE__);

		return ret;

	}

	ret = gnutls_x509_crl_dist_points_get(dp, i++, &type, &url, &flags);

	if (ret < 0) {

		fprintf(stderr, "error in %d\n", __LINE__);

		return ret;

	}

	if (type != GNUTLS_SAN_URI || flags != 0 ||

	    strcmp((char *)url.data, "http://www.getcrl.crl/getcrl1/") != 0) {

		fprintf(stderr, "error in %d\n", __LINE__);

		return -1;

	}

	ret = gnutls_x509_crl_dist_points_get(dp, i++, &type, &url, &flags);

	if (ret < 0) {

		fprintf(stderr, "error in %d\n", __LINE__);

		return ret;

	}

	if (type != GNUTLS_SAN_URI || flags != 0 ||

	    strcmp((char *)url.data, "http://www.getcrl.crl/getcrl2/") != 0) {

		fprintf(stderr, "error in %d\n", __LINE__);

		return -1;

	}

	ret = gnutls_x509_crl_dist_points_get(dp, i++, &type, &url, &flags);

	if (ret < 0) {

		fprintf(stderr, "error in %d\n", __LINE__);

		return ret;

	}

	if (type != GNUTLS_SAN_URI || flags != 0 ||

	    strcmp((char *)url.data, "http://www.getcrl.crl/getcrl3/") != 0) {

		fprintf(stderr, "error in %d\n", __LINE__);

		return -1;

	}

	ret = gnutls_x509_crl_dist_points_get(dp, i++, &type, &url, &flags);

	if (ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {

		fprintf(stderr, "error in %d\n", __LINE__);

		return -1;

	}

	gnutls_x509_crl_dist_points_deinit(dp);

	return 0;

}

static int name_constraints(const gnutls_datum_t * der)

{

	int ret;

	gnutls_x509_name_constraints_t nc = NULL;

	unsigned i = 0;

	gnutls_datum_t name;

	unsigned type;

/*

		Name Constraints (critical):

			Permitted:

				DNSname: example.com

				tRFC822Name: nmav@@example.net

			Excluded:

				DNSname: test.example.com

				tRFC822Name: .example.com

*/

	ret = gnutls_x509_name_constraints_init(&nc);

	if (ret < 0) {

		fprintf(stderr, "error in %d\n", __LINE__);

		return ret;

	}

	ret = gnutls_x509_ext_import_name_constraints(der, nc, 0);

	if (ret < 0) {

		fprintf(stderr, "error in %d\n", __LINE__);

		return ret;

	}

	ret = gnutls_x509_name_constraints_get_permitted(nc, i++, &type, &name);

	if (ret < 0) {

		fprintf(stderr, "error in %d\n", __LINE__);

		return ret;

	}

	if (type != GNUTLS_SAN_DNSNAME || name.size != 11 ||

	    strcmp((char *)name.data, "example.com") != 0) {

		fprintf(stderr, "error in %d\n", __LINE__);

		return -1;

	}

	ret = gnutls_x509_name_constraints_get_permitted(nc, i++, &type, &name);

	if (ret < 0) {

		fprintf(stderr, "error in %d\n", __LINE__);

		return ret;

	}

	if (type != GNUTLS_SAN_RFC822NAME || name.size != 17 ||

	    strcmp((char *)name.data, "nmav@@example.net") != 0) {

		fprintf(stderr, "error in %d\n", __LINE__);

		return -1;

	}

	ret = gnutls_x509_name_constraints_get_permitted(nc, i++, &type, &name);

	if (ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {

		fprintf(stderr, "error in %d\n", __LINE__);

		return -1;

	}

	i = 0;

	ret = gnutls_x509_name_constraints_get_excluded(nc, i++, &type, &name);

	if (ret < 0) {

		fprintf(stderr, "error in %d\n", __LINE__);

		return ret;

	}

	if (type != GNUTLS_SAN_DNSNAME || name.size != 16 ||

	    strcmp((char *)name.data, "test.example.com") != 0) {

		fprintf(stderr, "error in %d\n", __LINE__);

		return -1;

	}

	ret = gnutls_x509_name_constraints_get_excluded(nc, i++, &type, &name);

	if (ret < 0) {

		fprintf(stderr, "error in %d\n", __LINE__);

		return ret;

	}

	if (type != GNUTLS_SAN_RFC822NAME || name.size != 12 ||

	    strcmp((char *)name.data, ".example.com") != 0) {

		fprintf(stderr, "error in %d\n", __LINE__);

		return -1;

	}

	ret = gnutls_x509_name_constraints_get_excluded(nc, i++, &type, &name);

	if (ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {

		fprintf(stderr, "error in %d\n", __LINE__);

		return -1;

	}

	gnutls_x509_name_constraints_deinit(nc);

	return 0;

}

static int ext_aia(const gnutls_datum_t * der)

{

	int ret;

	gnutls_x509_aia_t aia = NULL;

	unsigned i = 0;

	gnutls_datum_t oid;

	gnutls_datum_t name;

	unsigned type;

/*		Authority Information Access (not critical):

			Access Method: 1.3.6.1.5.5.7.48.1 (id-ad-ocsp)

			Access Location URI: http://my.ocsp.server/ocsp

*/

	ret = gnutls_x509_aia_init(&aia);

	if (ret < 0) {

		fprintf(stderr, "error in %d\n", __LINE__);

		return ret;

	}

	ret = gnutls_x509_ext_import_aia(der, aia, 0);

	if (ret < 0) {

		fprintf(stderr, "error in %d\n", __LINE__);

		return ret;

	}

	ret = gnutls_x509_aia_get(aia, i++, &oid, &type, &name);

	if (ret < 0) {

		fprintf(stderr, "error in %d\n", __LINE__);

		return ret;

	}

	if (strcmp((char *)oid.data, "1.3.6.1.5.5.7.48.1") != 0) {

		fprintf(stderr, "error in %d\n", __LINE__);

		return -1;

	}

	if (type != GNUTLS_SAN_URI || name.size != 26 ||

	    strcmp((char *)name.data, "http://my.ocsp.server/ocsp") != 0) {

		fprintf(stderr, "error in %d\n", __LINE__);

		return -1;

	}

	ret = gnutls_x509_aia_get(aia, i++, &oid, &type, &name);

	if (ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {

		fprintf(stderr, "error in %d\n", __LINE__);

		return -1;

	}

	gnutls_x509_aia_deinit(aia);

	return 0;

}

struct ext_handler_st handlers[] = {

	{GNUTLS_X509EXT_OID_BASIC_CONSTRAINTS, basic_constraints, 1},

	{GNUTLS_X509EXT_OID_SAN, subject_alt_name, 0},

	{GNUTLS_X509EXT_OID_CRT_POLICY, crt_policies, 0},

	{GNUTLS_X509EXT_OID_EXTENDED_KEY_USAGE, ext_key_usage, 0},

	{GNUTLS_X509EXT_OID_KEY_USAGE, key_usage, 1},

	{GNUTLS_X509EXT_OID_SUBJECT_KEY_ID, subject_key_id, 0},

	{GNUTLS_X509EXT_OID_CRL_DIST_POINTS, crl_dist_points, 0},

	{GNUTLS_X509EXT_OID_NAME_CONSTRAINTS, name_constraints, 1},

	{GNUTLS_X509EXT_OID_AUTHORITY_INFO_ACCESS, ext_aia, 0},

	{NULL, NULL}

};

void doit(void)

{

	int ret;

	gnutls_datum_t derCert = { (void *)pem, sizeof(pem)-1 };

	gnutls_datum_t v1Cert = { (void *)invalid_cert, sizeof(invalid_cert)-1 };

	gnutls_x509_crt_t cert;

	size_t oid_len = MAX_DATA_SIZE;

	gnutls_datum_t ext;

	char oid[MAX_DATA_SIZE];

	unsigned int critical = 0;

	unsigned i, j;

	ret = global_init();

	if (ret < 0)

		fail("init %d\n", ret);

	ret = gnutls_x509_crt_init(&cert);

	if (ret < 0)

		fail("crt_init %d\n", ret);

	ret = gnutls_x509_crt_import(cert, &v1Cert, GNUTLS_X509_FMT_PEM);

	if (ret >= 0)

		fail("crt_import of v1 cert with extensions should have failed: %d\n", ret);

	gnutls_x509_crt_deinit(cert);

	ret = gnutls_x509_crt_init(&cert);

	if (ret < 0)

		fail("crt_init %d\n", ret);

	ret = gnutls_x509_crt_import(cert, &derCert, GNUTLS_X509_FMT_PEM);

	if (ret < 0)

		fail("crt_import %d\n", ret);

	for (i = 0;; i++) {

		oid_len = sizeof(oid);

		ret =

		    gnutls_x509_crt_get_extension_info(cert, i, oid, &oid_len,

							&critical);

		if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {

			if (i != 9) {

				fail("unexpected number of extensions: %d\n",

				     i);

			}

			break;

		}

		if (ret < 0) {

			fail("error in %d: %s\n", __LINE__,

			     gnutls_strerror(ret));

		}

		ret = gnutls_x509_crt_get_extension_data2(cert, i, &ext;;

		if (ret < 0) {

			fail("error in %d: %s\n", __LINE__,

			     gnutls_strerror(ret));

		}

		/* find the handler for this extension and run it */

		for (j = 0;; j++) {

			if (handlers[j].oid == NULL) {

				fail("could not find handler for extension %s\n", oid);

				break;

			}

			if (strcmp(handlers[j].oid, oid) == 0) {

				if (critical != handlers[j].critical) {

					fail("error in %d (%s)\n", __LINE__,

					     oid);

				}

				ret = handlers[j].handler(&ext;;

				if (ret < 0) {

					fail("error in %d (%s): %s\n", __LINE__,

					     oid, gnutls_strerror(ret));

				}

				break;

			}

		}

		gnutls_free(ext.data);

	}

	if (debug)

		success("done\n");

	gnutls_x509_crt_deinit(cert);

	gnutls_global_deinit();

}

/* The template used to generate the certificate */

/*

# X.509 Certificate options

#

# DN options

# The organization of the subject.

organization = "Koko inc."

# The organizational unit of the subject.

unit = "CA dept."

# The locality of the subject.

# locality =

# The state of the certificate owner.

state = "Attiki"

# The country of the subject. Two letter code.

country = GR

# The common name of the certificate owner.

cn = "Cindy Lauper"

# A user id of the certificate owner.

uid = "clauper"

# This is deprecated and should not be used in new

# certificates.

pkcs9_email = "none@none.org"

# The serial number of the certificate

serial = 7

# In how many days, counting from today, this certificate will expire.

expiration_days = -1

# X.509 v3 extensions

# A dnsname in case of a WWW server.

dns_name = "www.none.org"

dns_name = "www.morethanone.org"

# An IP address in case of a server.

ip_address = "192.168.1.1"

dns_name = "www.evenmorethanone.org"

# An email in case of a person

email = "none@none.org"

# An URL that has CRLs (certificate revocation lists)

# available. Needed in CA certificates.

crl_dist_points = "http://www.getcrl.crl/getcrl1/"

crl_dist_points = "http://www.getcrl.crl/getcrl2/"

crl_dist_points = "http://www.getcrl.crl/getcrl3/"

email = "where@none.org"

# Whether this is a CA certificate or not

ca

path_len = 4

nc_permit_dns = example.com

nc_exclude_dns = test.example.com

nc_permit_email = nmav@@example.net

nc_exclude_email = .example.com

proxy_policy_language = 1.3.6.1.5.5.7.21.1

policy1 = 1.3.6.1.4.1.5484.1.10.99.1.0

policy1_txt = "This is a long policy to summarize"

policy1_url = http://www.example.com/a-policy-to-read

policy2 = 1.3.6.1.4.1.5484.1.10.99.1.1

policy2_txt = "This is a short policy"

policy2_url = http://www.example.com/another-policy-to-read

ocsp_uri = http://my.ocsp.server/ocsp

# Whether this certificate will be used for a TLS client

#tls_www_client

# Whether this certificate will be used for a TLS server

#tls_www_server

# Whether this certificate will be used to sign data (needed

# in TLS DHE ciphersuites).

signing_key

# Whether this certificate will be used to encrypt data (needed

# in TLS RSA ciphersuites). Note that it is preferred to use different

# keys for encryption and signing.

#encryption_key

# Whether this key will be used to sign other certificates.

cert_signing_key

# Whether this key will be used to sign CRLs.

crl_signing_key