+/*****************************************************
+* Certificate operator routines
+*****************************************************/
+uschar *
+tls_cert_der_b64(void * cert)
+{
+size_t len = 0;
+uschar * cp = NULL;
+int fail;
+
+if ( (fail = gnutls_x509_crt_export((gnutls_x509_crt_t)cert,
+ GNUTLS_X509_FMT_DER, cp, &len)) != GNUTLS_E_SHORT_MEMORY_BUFFER
+ || !(cp = store_get((int)len, GET_TAINTED), TRUE) /* tainted */
+ || (fail = gnutls_x509_crt_export((gnutls_x509_crt_t)cert,
+ GNUTLS_X509_FMT_DER, cp, &len))
+ )
+ {
+ log_write(0, LOG_MAIN, "TLS error in certificate export: %s",
+ gnutls_strerror(fail));
+ return NULL;
+ }
+return b64encode(CUS cp, (int)len);
+}
+
+
+static uschar *
+fingerprint(gnutls_x509_crt_t cert, gnutls_digest_algorithm_t algo)
+{
+int ret;
+size_t siz = 0;
+uschar * cp;
+uschar * cp2;
+
+if ((ret = gnutls_x509_crt_get_fingerprint(cert, algo, NULL, &siz))
+ != GNUTLS_E_SHORT_MEMORY_BUFFER)
+ return g_err("gf0", __FUNCTION__, ret);
+
+cp = store_get(siz*3+1, GET_TAINTED);
+if ((ret = gnutls_x509_crt_get_fingerprint(cert, algo, cp, &siz)) < 0)
+ return g_err("gf1", __FUNCTION__, ret);
+
+for (uschar * cp3 = cp2 = cp+siz; cp < cp2; cp++)
+ cp3 += sprintf(CS cp3, "%02X", *cp);
+return cp2;
+}
+
+
+uschar *
+tls_cert_fprt_md5(void * cert)
+{
+return fingerprint((gnutls_x509_crt_t)cert, GNUTLS_DIG_MD5);
+}
+
+uschar *
+tls_cert_fprt_sha1(void * cert)
+{
+return fingerprint((gnutls_x509_crt_t)cert, GNUTLS_DIG_SHA1);
+}
+
+uschar *
+tls_cert_fprt_sha256(void * cert)
+{
+return fingerprint((gnutls_x509_crt_t)cert, GNUTLS_DIG_SHA256);
+}
+
+