The callback's function prototype is defined in `abstract.h':
int gnutls_certificate_retrieve_function3( gnutls_session_t, const struct gnutls_cert_retr_st *info, gnutls_pcert_st **certs, unsigned int *pcert_length, gnutls_ocsp_data_st **ocsp, unsigned int *ocsp_length, gnutls_privkey_t *privkey, unsigned int *flags);
The info field of the callback contains:
req_ca_dn which is a list with the CA names that the server considers trusted. This is a hint and typically the client should send a certificate that is signed by one of these CAs. These names, when available, are DER encoded. To get a more meaningful value use the function gnutls_x509_rdn_get().
pk_algos contains a list with server's acceptable public key algorithms. The certificate returned should support the server's given algorithms.
The callback should fill-in the following values.
pcert should contain an allocated list of certificates and public keys.
pcert_length is the size of the previous list.
ocsp should contain an allocated list of OCSP responses.
ocsp_length is the size of the previous list.
pkey is the private key.
If flags in the callback are set to GNUTLS_CERT_RETR_DEINIT_ALL then all provided values must be allocated using gnutls_malloc(), and will be released by gnutls; otherwise they will not be touched by gnutls.
The callback function should set the certificate and OCSP response list to be sent, and return 0 on success. If no certificates are available, the pcert_length and ocsp_length should be set to zero. The return value (-1) indicates error and the handshake will be terminated. If both certificates are set in the credentials and a callback is available, the callback takes predence.