gnutls_pkcs7_verify_direct man page

gnutls_pkcs7_verify_direct — API function


#include <gnutls/pkcs7.h>

int gnutls_pkcs7_verify_direct(gnutls_pkcs7_t pkcs7, gnutls_x509_crt_t signer, unsigned idx, const gnutls_datum_t * data, unsigned flags);


gnutls_pkcs7_t pkcs7
should contain a gnutls_pkcs7_t type
gnutls_x509_crt_t signer
the certificate believed to have signed the structure
unsigned idx
the index of the signature info to check
const gnutls_datum_t * data
The data to be verified or NULL
unsigned flags
Zero or an OR list of gnutls_certificate_verify_flags


This function will verify the provided data against the signature present in the SignedData of the PKCS 7 structure. If the data provided are NULL then the data in the encapsulatedContent field will be used instead.

Note that, unlike gnutls_pkcs7_verify() this function does not verify the key purpose of the signer. It is expected for the caller to verify the intended purpose of the signer -e.g., via gnutls_x509_crt_get_key_purpose_oid(), or gnutls_x509_crt_check_key_purpose().

Note also, that since GnuTLS 3.5.6 this function introduces checks in the end certificate ( signer ), including time checks and key usage checks.


On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value. A verification error results to a GNUTLS_E_PK_SIG_VERIFY_FAILED and the lack of encapsulated data to verify to a GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE.



Reporting Bugs

Report bugs to <>.
Home page:

See Also

The full documentation for gnutls is maintained as a Texinfo manual. If the /usr/share/doc/gnutls/ directory does not contain the HTML form visit


3.5.8 gnutls gnutls